julien.rbrt.fr / tangled-core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom
tangled-core / spindle / xrpc / add_secret.go
at 59f43eb13d25f5c66618a43baf236bd7dfb72513 2.6 kB view raw
1package xrpc 2 3import ( 4 "encoding/json" 5 "fmt" 6 "net/http" 7 "time" 8 9 "github.com/bluesky-social/indigo/api/atproto" 10 "github.com/bluesky-social/indigo/atproto/syntax" 11 "github.com/bluesky-social/indigo/xrpc" 12 securejoin "github.com/cyphar/filepath-securejoin" 13 "tangled.org/core/api/tangled" 14 "tangled.org/core/rbac" 15 "tangled.org/core/spindle/secrets" 16 xrpcerr "tangled.org/core/xrpc/errors" 17) 18 19func (x *Xrpc) AddSecret(w http.ResponseWriter, r *http.Request) { 20 l := x.Logger 21 fail := func(e xrpcerr.XrpcError) { 22 l.Error("failed", "kind", e.Tag, "error", e.Message) 23 writeError(w, e, http.StatusBadRequest) 24 } 25 26 actorDid, ok := r.Context().Value(ActorDid).(syntax.DID) 27 if !ok { 28 fail(xrpcerr.MissingActorDidError) 29 return 30 } 31 32 var data tangled.RepoAddSecret_Input 33 if err := json.NewDecoder(r.Body).Decode(&data); err != nil { 34 fail(xrpcerr.GenericError(err)) 35 return 36 } 37 38 if err := secrets.ValidateKey(data.Key); err != nil { 39 fail(xrpcerr.GenericError(err)) 40 return 41 } 42 43 // unfortunately we have to resolve repo-at here 44 repoAt, err := syntax.ParseATURI(data.Repo) 45 if err != nil { 46 fail(xrpcerr.InvalidRepoError(data.Repo)) 47 return 48 } 49 50 // resolve this aturi to extract the repo record 51 ident, err := x.Resolver.ResolveIdent(r.Context(), repoAt.Authority().String()) 52 if err != nil || ident.Handle.IsInvalidHandle() { 53 fail(xrpcerr.GenericError(fmt.Errorf("failed to resolve handle: %w", err))) 54 return 55 } 56 57 xrpcc := xrpc.Client{Host: ident.PDSEndpoint()} 58 resp, err := atproto.RepoGetRecord(r.Context(), &xrpcc, "", tangled.RepoNSID, repoAt.Authority().String(), repoAt.RecordKey().String()) 59 if err != nil { 60 fail(xrpcerr.GenericError(err)) 61 return 62 } 63 64 repo := resp.Value.Val.(*tangled.Repo) 65 didPath, err := securejoin.SecureJoin(ident.DID.String(), repo.Name) 66 if err != nil { 67 fail(xrpcerr.GenericError(err)) 68 return 69 } 70 71 if ok, err := x.Enforcer.IsSettingsAllowed(actorDid.String(), rbac.ThisServer, didPath); !ok || err != nil { 72 l.Error("insufficent permissions", "did", actorDid.String()) 73 writeError(w, xrpcerr.AccessControlError(actorDid.String()), http.StatusUnauthorized) 74 return 75 } 76 77 secret := secrets.UnlockedSecret{ 78 Repo: secrets.DidSlashRepo(didPath), 79 Key: data.Key, 80 Value: data.Value, 81 CreatedAt: time.Now(), 82 CreatedBy: actorDid, 83 } 84 err = x.Vault.AddSecret(r.Context(), secret) 85 if err != nil { 86 l.Error("failed to add secret to vault", "did", actorDid.String(), "err", err) 87 writeError(w, xrpcerr.GenericError(err), http.StatusInternalServerError) 88 return 89 } 90 91 w.WriteHeader(http.StatusOK) 92}