kot.pink / core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom
core / appview / state / state.go
at push-pwqwlvnsqtqr 11 kB view raw
1package state 2 3import ( 4 "context" 5 "fmt" 6 "log" 7 "log/slog" 8 "net/http" 9 "strings" 10 "time" 11 12 comatproto "github.com/bluesky-social/indigo/api/atproto" 13 lexutil "github.com/bluesky-social/indigo/lex/util" 14 securejoin "github.com/cyphar/filepath-securejoin" 15 "github.com/go-chi/chi/v5" 16 "github.com/posthog/posthog-go" 17 "tangled.sh/tangled.sh/core/api/tangled" 18 "tangled.sh/tangled.sh/core/appview" 19 "tangled.sh/tangled.sh/core/appview/cache" 20 "tangled.sh/tangled.sh/core/appview/cache/session" 21 "tangled.sh/tangled.sh/core/appview/config" 22 "tangled.sh/tangled.sh/core/appview/db" 23 "tangled.sh/tangled.sh/core/appview/notify" 24 "tangled.sh/tangled.sh/core/appview/oauth" 25 "tangled.sh/tangled.sh/core/appview/pages" 26 posthogService "tangled.sh/tangled.sh/core/appview/posthog" 27 "tangled.sh/tangled.sh/core/appview/reporesolver" 28 "tangled.sh/tangled.sh/core/eventconsumer" 29 "tangled.sh/tangled.sh/core/idresolver" 30 "tangled.sh/tangled.sh/core/jetstream" 31 "tangled.sh/tangled.sh/core/knotclient" 32 tlog "tangled.sh/tangled.sh/core/log" 33 "tangled.sh/tangled.sh/core/rbac" 34 "tangled.sh/tangled.sh/core/tid" 35) 36 37type State struct { 38 db *db.DB 39 notifier notify.Notifier 40 oauth *oauth.OAuth 41 enforcer *rbac.Enforcer 42 pages *pages.Pages 43 sess *session.SessionStore 44 idResolver *idresolver.Resolver 45 posthog posthog.Client 46 jc *jetstream.JetstreamClient 47 config *config.Config 48 repoResolver *reporesolver.RepoResolver 49 knotstream *eventconsumer.Consumer 50 spindlestream *eventconsumer.Consumer 51} 52 53func Make(ctx context.Context, config *config.Config) (*State, error) { 54 d, err := db.Make(config.Core.DbPath) 55 if err != nil { 56 return nil, fmt.Errorf("failed to create db: %w", err) 57 } 58 59 enforcer, err := rbac.NewEnforcer(config.Core.DbPath) 60 if err != nil { 61 return nil, fmt.Errorf("failed to create enforcer: %w", err) 62 } 63 64 res, err := idresolver.RedisResolver(config.Redis.ToURL()) 65 if err != nil { 66 log.Printf("failed to create redis resolver: %v", err) 67 res = idresolver.DefaultResolver() 68 } 69 70 pgs := pages.NewPages(config, res) 71 72 cache := cache.New(config.Redis.Addr) 73 sess := session.New(cache) 74 75 oauth := oauth.NewOAuth(config, sess) 76 77 posthog, err := posthog.NewWithConfig(config.Posthog.ApiKey, posthog.Config{Endpoint: config.Posthog.Endpoint}) 78 if err != nil { 79 return nil, fmt.Errorf("failed to create posthog client: %w", err) 80 } 81 82 repoResolver := reporesolver.New(config, enforcer, res, d) 83 84 wrapper := db.DbWrapper{d} 85 jc, err := jetstream.NewJetstreamClient( 86 config.Jetstream.Endpoint, 87 "appview", 88 []string{ 89 tangled.GraphFollowNSID, 90 tangled.FeedStarNSID, 91 tangled.PublicKeyNSID, 92 tangled.RepoArtifactNSID, 93 tangled.ActorProfileNSID, 94 tangled.SpindleMemberNSID, 95 tangled.SpindleNSID, 96 tangled.StringNSID, 97 }, 98 nil, 99 slog.Default(), 100 wrapper, 101 false, 102 103 // in-memory filter is inapplicalble to appview so 104 // we'll never log dids anyway. 105 false, 106 ) 107 if err != nil { 108 return nil, fmt.Errorf("failed to create jetstream client: %w", err) 109 } 110 111 ingester := appview.Ingester{ 112 Db: wrapper, 113 Enforcer: enforcer, 114 IdResolver: res, 115 Config: config, 116 Logger: tlog.New("ingester"), 117 } 118 err = jc.StartJetstream(ctx, ingester.Ingest()) 119 if err != nil { 120 return nil, fmt.Errorf("failed to start jetstream watcher: %w", err) 121 } 122 123 knotstream, err := Knotstream(ctx, config, d, enforcer, posthog) 124 if err != nil { 125 return nil, fmt.Errorf("failed to start knotstream consumer: %w", err) 126 } 127 knotstream.Start(ctx) 128 129 spindlestream, err := Spindlestream(ctx, config, d, enforcer) 130 if err != nil { 131 return nil, fmt.Errorf("failed to start spindlestream consumer: %w", err) 132 } 133 spindlestream.Start(ctx) 134 135 var notifiers []notify.Notifier 136 if !config.Core.Dev { 137 notifiers = append(notifiers, posthogService.NewPosthogNotifier(posthog)) 138 } 139 notifier := notify.NewMergedNotifier(notifiers...) 140 141 state := &State{ 142 d, 143 notifier, 144 oauth, 145 enforcer, 146 pgs, 147 sess, 148 res, 149 posthog, 150 jc, 151 config, 152 repoResolver, 153 knotstream, 154 spindlestream, 155 } 156 157 return state, nil 158} 159 160func (s *State) Favicon(w http.ResponseWriter, r *http.Request) { 161 w.Header().Set("Content-Type", "image/svg+xml") 162 w.Header().Set("Cache-Control", "public, max-age=31536000") // one year 163 w.Header().Set("ETag", `"favicon-svg-v1"`) 164 165 if match := r.Header.Get("If-None-Match"); match == `"favicon-svg-v1"` { 166 w.WriteHeader(http.StatusNotModified) 167 return 168 } 169 170 s.pages.Favicon(w) 171} 172 173func (s *State) TermsOfService(w http.ResponseWriter, r *http.Request) { 174 user := s.oauth.GetUser(r) 175 s.pages.TermsOfService(w, pages.TermsOfServiceParams{ 176 LoggedInUser: user, 177 }) 178} 179 180func (s *State) PrivacyPolicy(w http.ResponseWriter, r *http.Request) { 181 user := s.oauth.GetUser(r) 182 s.pages.PrivacyPolicy(w, pages.PrivacyPolicyParams{ 183 LoggedInUser: user, 184 }) 185} 186 187func (s *State) Timeline(w http.ResponseWriter, r *http.Request) { 188 user := s.oauth.GetUser(r) 189 190 timeline, err := db.MakeTimeline(s.db) 191 if err != nil { 192 log.Println(err) 193 s.pages.Notice(w, "timeline", "Uh oh! Failed to load timeline.") 194 } 195 196 s.pages.Timeline(w, pages.TimelineParams{ 197 LoggedInUser: user, 198 Timeline: timeline, 199 }) 200} 201 202func (s *State) Keys(w http.ResponseWriter, r *http.Request) { 203 user := chi.URLParam(r, "user") 204 user = strings.TrimPrefix(user, "@") 205 206 if user == "" { 207 w.WriteHeader(http.StatusBadRequest) 208 return 209 } 210 211 id, err := s.idResolver.ResolveIdent(r.Context(), user) 212 if err != nil { 213 w.WriteHeader(http.StatusInternalServerError) 214 return 215 } 216 217 pubKeys, err := db.GetPublicKeysForDid(s.db, id.DID.String()) 218 if err != nil { 219 w.WriteHeader(http.StatusNotFound) 220 return 221 } 222 223 if len(pubKeys) == 0 { 224 w.WriteHeader(http.StatusNotFound) 225 return 226 } 227 228 for _, k := range pubKeys { 229 key := strings.TrimRight(k.Key, "\n") 230 w.Write([]byte(fmt.Sprintln(key))) 231 } 232} 233 234func validateRepoName(name string) error { 235 // check for path traversal attempts 236 if name == "." || name == ".." || 237 strings.Contains(name, "/") || strings.Contains(name, "\\") { 238 return fmt.Errorf("Repository name contains invalid path characters") 239 } 240 241 // check for sequences that could be used for traversal when normalized 242 if strings.Contains(name, "./") || strings.Contains(name, "../") || 243 strings.HasPrefix(name, ".") || strings.HasSuffix(name, ".") { 244 return fmt.Errorf("Repository name contains invalid path sequence") 245 } 246 247 // then continue with character validation 248 for _, char := range name { 249 if !((char >= 'a' && char <= 'z') || 250 (char >= 'A' && char <= 'Z') || 251 (char >= '0' && char <= '9') || 252 char == '-' || char == '_' || char == '.') { 253 return fmt.Errorf("Repository name can only contain alphanumeric characters, periods, hyphens, and underscores") 254 } 255 } 256 257 // additional check to prevent multiple sequential dots 258 if strings.Contains(name, "..") { 259 return fmt.Errorf("Repository name cannot contain sequential dots") 260 } 261 262 // if all checks pass 263 return nil 264} 265 266func stripGitExt(name string) string { 267 return strings.TrimSuffix(name, ".git") 268} 269 270func (s *State) NewRepo(w http.ResponseWriter, r *http.Request) { 271 switch r.Method { 272 case http.MethodGet: 273 user := s.oauth.GetUser(r) 274 knots, err := s.enforcer.GetKnotsForUser(user.Did) 275 if err != nil { 276 s.pages.Notice(w, "repo", "Invalid user account.") 277 return 278 } 279 280 s.pages.NewRepo(w, pages.NewRepoParams{ 281 LoggedInUser: user, 282 Knots: knots, 283 }) 284 285 case http.MethodPost: 286 user := s.oauth.GetUser(r) 287 288 domain := r.FormValue("domain") 289 if domain == "" { 290 s.pages.Notice(w, "repo", "Invalid form submission&mdash;missing knot domain.") 291 return 292 } 293 294 repoName := r.FormValue("name") 295 if repoName == "" { 296 s.pages.Notice(w, "repo", "Repository name cannot be empty.") 297 return 298 } 299 300 if err := validateRepoName(repoName); err != nil { 301 s.pages.Notice(w, "repo", err.Error()) 302 return 303 } 304 305 repoName = stripGitExt(repoName) 306 307 defaultBranch := r.FormValue("branch") 308 if defaultBranch == "" { 309 defaultBranch = "main" 310 } 311 312 description := r.FormValue("description") 313 314 ok, err := s.enforcer.E.Enforce(user.Did, domain, domain, "repo:create") 315 if err != nil || !ok { 316 s.pages.Notice(w, "repo", "You do not have permission to create a repo in this knot.") 317 return 318 } 319 320 existingRepo, err := db.GetRepo(s.db, user.Did, repoName) 321 if err == nil && existingRepo != nil { 322 s.pages.Notice(w, "repo", fmt.Sprintf("A repo by this name already exists on %s", existingRepo.Knot)) 323 return 324 } 325 326 secret, err := db.GetRegistrationKey(s.db, domain) 327 if err != nil { 328 s.pages.Notice(w, "repo", fmt.Sprintf("No registration key found for knot %s.", domain)) 329 return 330 } 331 332 client, err := knotclient.NewSignedClient(domain, secret, s.config.Core.Dev) 333 if err != nil { 334 s.pages.Notice(w, "repo", "Failed to connect to knot server.") 335 return 336 } 337 338 rkey := tid.TID() 339 repo := &db.Repo{ 340 Did: user.Did, 341 Name: repoName, 342 Knot: domain, 343 Rkey: rkey, 344 Description: description, 345 } 346 347 xrpcClient, err := s.oauth.AuthorizedClient(r) 348 if err != nil { 349 s.pages.Notice(w, "repo", "Failed to write record to PDS.") 350 return 351 } 352 353 createdAt := time.Now().Format(time.RFC3339) 354 atresp, err := xrpcClient.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{ 355 Collection: tangled.RepoNSID, 356 Repo: user.Did, 357 Rkey: rkey, 358 Record: &lexutil.LexiconTypeDecoder{ 359 Val: &tangled.Repo{ 360 Knot: repo.Knot, 361 Name: repoName, 362 CreatedAt: createdAt, 363 Owner: user.Did, 364 }}, 365 }) 366 if err != nil { 367 log.Printf("failed to create record: %s", err) 368 s.pages.Notice(w, "repo", "Failed to announce repository creation.") 369 return 370 } 371 log.Println("created repo record: ", atresp.Uri) 372 373 tx, err := s.db.BeginTx(r.Context(), nil) 374 if err != nil { 375 log.Println(err) 376 s.pages.Notice(w, "repo", "Failed to save repository information.") 377 return 378 } 379 defer func() { 380 tx.Rollback() 381 err = s.enforcer.E.LoadPolicy() 382 if err != nil { 383 log.Println("failed to rollback policies") 384 } 385 }() 386 387 resp, err := client.NewRepo(user.Did, repoName, defaultBranch) 388 if err != nil { 389 s.pages.Notice(w, "repo", "Failed to create repository on knot server.") 390 return 391 } 392 393 switch resp.StatusCode { 394 case http.StatusConflict: 395 s.pages.Notice(w, "repo", "A repository with that name already exists.") 396 return 397 case http.StatusInternalServerError: 398 s.pages.Notice(w, "repo", "Failed to create repository on knot. Try again later.") 399 case http.StatusNoContent: 400 // continue 401 } 402 403 err = db.AddRepo(tx, repo) 404 if err != nil { 405 log.Println(err) 406 s.pages.Notice(w, "repo", "Failed to save repository information.") 407 return 408 } 409 410 // acls 411 p, _ := securejoin.SecureJoin(user.Did, repoName) 412 err = s.enforcer.AddRepo(user.Did, domain, p) 413 if err != nil { 414 log.Println(err) 415 s.pages.Notice(w, "repo", "Failed to set up repository permissions.") 416 return 417 } 418 419 err = tx.Commit() 420 if err != nil { 421 log.Println("failed to commit changes", err) 422 http.Error(w, err.Error(), http.StatusInternalServerError) 423 return 424 } 425 426 err = s.enforcer.E.SavePolicy() 427 if err != nil { 428 log.Println("failed to update ACLs", err) 429 http.Error(w, err.Error(), http.StatusInternalServerError) 430 return 431 } 432 433 s.notifier.NewRepo(r.Context(), repo) 434 435 s.pages.HxLocation(w, fmt.Sprintf("/@%s/%s", user.Handle, repoName)) 436 return 437 } 438}