julien.rbrt.fr / tangled-core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom
tangled-core / appview / state / state.go
at push-sssuxsytslts 11 kB view raw
1package state 2 3import ( 4 "context" 5 "fmt" 6 "log" 7 "log/slog" 8 "net/http" 9 "strings" 10 "time" 11 12 comatproto "github.com/bluesky-social/indigo/api/atproto" 13 lexutil "github.com/bluesky-social/indigo/lex/util" 14 securejoin "github.com/cyphar/filepath-securejoin" 15 "github.com/go-chi/chi/v5" 16 "github.com/posthog/posthog-go" 17 "tangled.sh/tangled.sh/core/api/tangled" 18 "tangled.sh/tangled.sh/core/appview" 19 "tangled.sh/tangled.sh/core/appview/cache" 20 "tangled.sh/tangled.sh/core/appview/cache/session" 21 "tangled.sh/tangled.sh/core/appview/config" 22 "tangled.sh/tangled.sh/core/appview/db" 23 "tangled.sh/tangled.sh/core/appview/notify" 24 "tangled.sh/tangled.sh/core/appview/oauth" 25 "tangled.sh/tangled.sh/core/appview/pages" 26 posthogService "tangled.sh/tangled.sh/core/appview/posthog" 27 "tangled.sh/tangled.sh/core/appview/reporesolver" 28 "tangled.sh/tangled.sh/core/eventconsumer" 29 "tangled.sh/tangled.sh/core/idresolver" 30 "tangled.sh/tangled.sh/core/jetstream" 31 "tangled.sh/tangled.sh/core/knotclient" 32 tlog "tangled.sh/tangled.sh/core/log" 33 "tangled.sh/tangled.sh/core/rbac" 34 "tangled.sh/tangled.sh/core/tid" 35) 36 37type State struct { 38 db *db.DB 39 notifier notify.Notifier 40 oauth *oauth.OAuth 41 enforcer *rbac.Enforcer 42 pages *pages.Pages 43 sess *session.SessionStore 44 idResolver *idresolver.Resolver 45 posthog posthog.Client 46 jc *jetstream.JetstreamClient 47 config *config.Config 48 repoResolver *reporesolver.RepoResolver 49 knotstream *eventconsumer.Consumer 50 spindlestream *eventconsumer.Consumer 51} 52 53func Make(ctx context.Context, config *config.Config) (*State, error) { 54 d, err := db.Make(config.Core.DbPath) 55 if err != nil { 56 return nil, fmt.Errorf("failed to create db: %w", err) 57 } 58 59 enforcer, err := rbac.NewEnforcer(config.Core.DbPath) 60 if err != nil { 61 return nil, fmt.Errorf("failed to create enforcer: %w", err) 62 } 63 64 res, err := idresolver.RedisResolver(config.Redis.ToURL()) 65 if err != nil { 66 log.Printf("failed to create redis resolver: %v", err) 67 res = idresolver.DefaultResolver() 68 } 69 70 pgs := pages.NewPages(config, res) 71 72 cache := cache.New(config.Redis.Addr) 73 sess := session.New(cache) 74 75 oauth := oauth.NewOAuth(config, sess) 76 77 posthog, err := posthog.NewWithConfig(config.Posthog.ApiKey, posthog.Config{Endpoint: config.Posthog.Endpoint}) 78 if err != nil { 79 return nil, fmt.Errorf("failed to create posthog client: %w", err) 80 } 81 82 repoResolver := reporesolver.New(config, enforcer, res, d) 83 84 wrapper := db.DbWrapper{d} 85 jc, err := jetstream.NewJetstreamClient( 86 config.Jetstream.Endpoint, 87 "appview", 88 []string{ 89 tangled.GraphFollowNSID, 90 tangled.FeedStarNSID, 91 tangled.PublicKeyNSID, 92 tangled.RepoArtifactNSID, 93 tangled.ActorProfileNSID, 94 tangled.SpindleMemberNSID, 95 tangled.SpindleNSID, 96 tangled.StringNSID, 97 }, 98 nil, 99 slog.Default(), 100 wrapper, 101 false, 102 103 // in-memory filter is inapplicalble to appview so 104 // we'll never log dids anyway. 105 false, 106 ) 107 if err != nil { 108 return nil, fmt.Errorf("failed to create jetstream client: %w", err) 109 } 110 111 ingester := appview.Ingester{ 112 Db: wrapper, 113 Enforcer: enforcer, 114 IdResolver: res, 115 Config: config, 116 Logger: tlog.New("ingester"), 117 } 118 err = jc.StartJetstream(ctx, ingester.Ingest()) 119 if err != nil { 120 return nil, fmt.Errorf("failed to start jetstream watcher: %w", err) 121 } 122 123 knotstream, err := Knotstream(ctx, config, d, enforcer, posthog) 124 if err != nil { 125 return nil, fmt.Errorf("failed to start knotstream consumer: %w", err) 126 } 127 knotstream.Start(ctx) 128 129 spindlestream, err := Spindlestream(ctx, config, d, enforcer) 130 if err != nil { 131 return nil, fmt.Errorf("failed to start spindlestream consumer: %w", err) 132 } 133 spindlestream.Start(ctx) 134 135 var notifiers []notify.Notifier 136 if !config.Core.Dev { 137 notifiers = append(notifiers, posthogService.NewPosthogNotifier(posthog)) 138 } 139 notifier := notify.NewMergedNotifier(notifiers...) 140 141 state := &State{ 142 d, 143 notifier, 144 oauth, 145 enforcer, 146 pgs, 147 sess, 148 res, 149 posthog, 150 jc, 151 config, 152 repoResolver, 153 knotstream, 154 spindlestream, 155 } 156 157 return state, nil 158} 159 160func (s *State) Favicon(w http.ResponseWriter, r *http.Request) { 161 w.Header().Set("Content-Type", "image/svg+xml") 162 w.Header().Set("Cache-Control", "public, max-age=31536000") // one year 163 w.Header().Set("ETag", `"favicon-svg-v1"`) 164 165 if match := r.Header.Get("If-None-Match"); match == `"favicon-svg-v1"` { 166 w.WriteHeader(http.StatusNotModified) 167 return 168 } 169 170 s.pages.Favicon(w) 171} 172 173func (s *State) TermsOfService(w http.ResponseWriter, r *http.Request) { 174 user := s.oauth.GetUser(r) 175 s.pages.TermsOfService(w, pages.TermsOfServiceParams{ 176 LoggedInUser: user, 177 }) 178} 179 180func (s *State) PrivacyPolicy(w http.ResponseWriter, r *http.Request) { 181 user := s.oauth.GetUser(r) 182 s.pages.PrivacyPolicy(w, pages.PrivacyPolicyParams{ 183 LoggedInUser: user, 184 }) 185} 186 187func (s *State) Timeline(w http.ResponseWriter, r *http.Request) { 188 user := s.oauth.GetUser(r) 189 190 timeline, err := db.MakeTimeline(s.db) 191 if err != nil { 192 log.Println(err) 193 s.pages.Notice(w, "timeline", "Uh oh! Failed to load timeline.") 194 } 195 196 s.pages.Timeline(w, pages.TimelineParams{ 197 LoggedInUser: user, 198 Timeline: timeline, 199 }) 200} 201 202func (s *State) Keys(w http.ResponseWriter, r *http.Request) { 203 user := chi.URLParam(r, "user") 204 user = strings.TrimPrefix(user, "@") 205 206 if user == "" { 207 w.WriteHeader(http.StatusBadRequest) 208 return 209 } 210 211 id, err := s.idResolver.ResolveIdent(r.Context(), user) 212 if err != nil { 213 w.WriteHeader(http.StatusInternalServerError) 214 return 215 } 216 217 pubKeys, err := db.GetPublicKeysForDid(s.db, id.DID.String()) 218 if err != nil { 219 w.WriteHeader(http.StatusNotFound) 220 return 221 } 222 223 if len(pubKeys) == 0 { 224 w.WriteHeader(http.StatusNotFound) 225 return 226 } 227 228 for _, k := range pubKeys { 229 key := strings.TrimRight(k.Key, "\n") 230 w.Write([]byte(fmt.Sprintln(key))) 231 } 232} 233 234func validateRepoName(name string) error { 235 // check for path traversal attempts 236 if name == "." || name == ".." || 237 strings.Contains(name, "/") || strings.Contains(name, "\\") { 238 return fmt.Errorf("Repository name contains invalid path characters") 239 } 240 241 // check for sequences that could be used for traversal when normalized 242 if strings.Contains(name, "./") || strings.Contains(name, "../") || 243 strings.HasPrefix(name, ".") || strings.HasSuffix(name, ".") { 244 return fmt.Errorf("Repository name contains invalid path sequence") 245 } 246 247 // then continue with character validation 248 for _, char := range name { 249 if !((char >= 'a' && char <= 'z') || 250 (char >= 'A' && char <= 'Z') || 251 (char >= '0' && char <= '9') || 252 char == '-' || char == '_' || char == '.') { 253 return fmt.Errorf("Repository name can only contain alphanumeric characters, periods, hyphens, and underscores") 254 } 255 } 256 257 // additional check to prevent multiple sequential dots 258 if strings.Contains(name, "..") { 259 return fmt.Errorf("Repository name cannot contain sequential dots") 260 } 261 262 // if all checks pass 263 return nil 264} 265 266func (s *State) NewRepo(w http.ResponseWriter, r *http.Request) { 267 switch r.Method { 268 case http.MethodGet: 269 user := s.oauth.GetUser(r) 270 knots, err := s.enforcer.GetKnotsForUser(user.Did) 271 if err != nil { 272 s.pages.Notice(w, "repo", "Invalid user account.") 273 return 274 } 275 276 s.pages.NewRepo(w, pages.NewRepoParams{ 277 LoggedInUser: user, 278 Knots: knots, 279 }) 280 281 case http.MethodPost: 282 user := s.oauth.GetUser(r) 283 284 domain := r.FormValue("domain") 285 if domain == "" { 286 s.pages.Notice(w, "repo", "Invalid form submission&mdash;missing knot domain.") 287 return 288 } 289 290 repoName := r.FormValue("name") 291 if repoName == "" { 292 s.pages.Notice(w, "repo", "Repository name cannot be empty.") 293 return 294 } 295 296 if err := validateRepoName(repoName); err != nil { 297 s.pages.Notice(w, "repo", err.Error()) 298 return 299 } 300 301 defaultBranch := r.FormValue("branch") 302 if defaultBranch == "" { 303 defaultBranch = "main" 304 } 305 306 description := r.FormValue("description") 307 308 ok, err := s.enforcer.E.Enforce(user.Did, domain, domain, "repo:create") 309 if err != nil || !ok { 310 s.pages.Notice(w, "repo", "You do not have permission to create a repo in this knot.") 311 return 312 } 313 314 existingRepo, err := db.GetRepo(s.db, user.Did, repoName) 315 if err == nil && existingRepo != nil { 316 s.pages.Notice(w, "repo", fmt.Sprintf("A repo by this name already exists on %s", existingRepo.Knot)) 317 return 318 } 319 320 secret, err := db.GetRegistrationKey(s.db, domain) 321 if err != nil { 322 s.pages.Notice(w, "repo", fmt.Sprintf("No registration key found for knot %s.", domain)) 323 return 324 } 325 326 client, err := knotclient.NewSignedClient(domain, secret, s.config.Core.Dev) 327 if err != nil { 328 s.pages.Notice(w, "repo", "Failed to connect to knot server.") 329 return 330 } 331 332 rkey := tid.TID() 333 repo := &db.Repo{ 334 Did: user.Did, 335 Name: repoName, 336 Knot: domain, 337 Rkey: rkey, 338 Description: description, 339 } 340 341 xrpcClient, err := s.oauth.AuthorizedClient(r) 342 if err != nil { 343 s.pages.Notice(w, "repo", "Failed to write record to PDS.") 344 return 345 } 346 347 createdAt := time.Now().Format(time.RFC3339) 348 atresp, err := xrpcClient.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{ 349 Collection: tangled.RepoNSID, 350 Repo: user.Did, 351 Rkey: rkey, 352 Record: &lexutil.LexiconTypeDecoder{ 353 Val: &tangled.Repo{ 354 Knot: repo.Knot, 355 Name: repoName, 356 CreatedAt: createdAt, 357 Owner: user.Did, 358 }}, 359 }) 360 if err != nil { 361 log.Printf("failed to create record: %s", err) 362 s.pages.Notice(w, "repo", "Failed to announce repository creation.") 363 return 364 } 365 log.Println("created repo record: ", atresp.Uri) 366 367 tx, err := s.db.BeginTx(r.Context(), nil) 368 if err != nil { 369 log.Println(err) 370 s.pages.Notice(w, "repo", "Failed to save repository information.") 371 return 372 } 373 defer func() { 374 tx.Rollback() 375 err = s.enforcer.E.LoadPolicy() 376 if err != nil { 377 log.Println("failed to rollback policies") 378 } 379 }() 380 381 resp, err := client.NewRepo(user.Did, repoName, defaultBranch) 382 if err != nil { 383 s.pages.Notice(w, "repo", "Failed to create repository on knot server.") 384 return 385 } 386 387 switch resp.StatusCode { 388 case http.StatusConflict: 389 s.pages.Notice(w, "repo", "A repository with that name already exists.") 390 return 391 case http.StatusInternalServerError: 392 s.pages.Notice(w, "repo", "Failed to create repository on knot. Try again later.") 393 case http.StatusNoContent: 394 // continue 395 } 396 397 repo.AtUri = atresp.Uri 398 err = db.AddRepo(tx, repo) 399 if err != nil { 400 log.Println(err) 401 s.pages.Notice(w, "repo", "Failed to save repository information.") 402 return 403 } 404 405 // acls 406 p, _ := securejoin.SecureJoin(user.Did, repoName) 407 err = s.enforcer.AddRepo(user.Did, domain, p) 408 if err != nil { 409 log.Println(err) 410 s.pages.Notice(w, "repo", "Failed to set up repository permissions.") 411 return 412 } 413 414 err = tx.Commit() 415 if err != nil { 416 log.Println("failed to commit changes", err) 417 http.Error(w, err.Error(), http.StatusInternalServerError) 418 return 419 } 420 421 err = s.enforcer.E.SavePolicy() 422 if err != nil { 423 log.Println("failed to update ACLs", err) 424 http.Error(w, err.Error(), http.StatusInternalServerError) 425 return 426 } 427 428 s.notifier.NewRepo(r.Context(), repo) 429 430 s.pages.HxLocation(w, fmt.Sprintf("/@%s/%s", user.Handle, repoName)) 431 return 432 } 433}