kot.pink
1package state
2
3import (
4 "context"
5 "fmt"
6 "log"
7 "log/slog"
8 "net/http"
9 "strings"
10 "time"
11
12 comatproto "github.com/bluesky-social/indigo/api/atproto"
13 lexutil "github.com/bluesky-social/indigo/lex/util"
14 securejoin "github.com/cyphar/filepath-securejoin"
15 "github.com/go-chi/chi/v5"
16 "github.com/posthog/posthog-go"
17 "tangled.sh/tangled.sh/core/api/tangled"
18 "tangled.sh/tangled.sh/core/appview"
19 "tangled.sh/tangled.sh/core/appview/cache"
20 "tangled.sh/tangled.sh/core/appview/cache/session"
21 "tangled.sh/tangled.sh/core/appview/config"
22 "tangled.sh/tangled.sh/core/appview/db"
23 "tangled.sh/tangled.sh/core/appview/notify"
24 "tangled.sh/tangled.sh/core/appview/oauth"
25 "tangled.sh/tangled.sh/core/appview/pages"
26 posthog_service "tangled.sh/tangled.sh/core/appview/posthog"
27 "tangled.sh/tangled.sh/core/appview/reporesolver"
28 "tangled.sh/tangled.sh/core/eventconsumer"
29 "tangled.sh/tangled.sh/core/idresolver"
30 "tangled.sh/tangled.sh/core/jetstream"
31 "tangled.sh/tangled.sh/core/knotclient"
32 tlog "tangled.sh/tangled.sh/core/log"
33 "tangled.sh/tangled.sh/core/rbac"
34 "tangled.sh/tangled.sh/core/tid"
35)
36
37type State struct {
38 db *db.DB
39 notifier notify.Notifier
40 oauth *oauth.OAuth
41 enforcer *rbac.Enforcer
42 pages *pages.Pages
43 sess *session.SessionStore
44 idResolver *idresolver.Resolver
45 posthog posthog.Client
46 jc *jetstream.JetstreamClient
47 config *config.Config
48 repoResolver *reporesolver.RepoResolver
49 knotstream *eventconsumer.Consumer
50 spindlestream *eventconsumer.Consumer
51}
52
53func Make(ctx context.Context, config *config.Config) (*State, error) {
54 d, err := db.Make(config.Core.DbPath)
55 if err != nil {
56 return nil, fmt.Errorf("failed to create db: %w", err)
57 }
58
59 enforcer, err := rbac.NewEnforcer(config.Core.DbPath)
60 if err != nil {
61 return nil, fmt.Errorf("failed to create enforcer: %w", err)
62 }
63
64 pgs := pages.NewPages(config)
65
66 res, err := idresolver.RedisResolver(config.Redis.ToURL())
67 if err != nil {
68 log.Printf("failed to create redis resolver: %v", err)
69 res = idresolver.DefaultResolver()
70 }
71
72 cache := cache.New(config.Redis.Addr)
73 sess := session.New(cache)
74
75 oauth := oauth.NewOAuth(config, sess)
76
77 posthog, err := posthog.NewWithConfig(config.Posthog.ApiKey, posthog.Config{Endpoint: config.Posthog.Endpoint})
78 if err != nil {
79 return nil, fmt.Errorf("failed to create posthog client: %w", err)
80 }
81
82 repoResolver := reporesolver.New(config, enforcer, res, d)
83
84 wrapper := db.DbWrapper{d}
85 jc, err := jetstream.NewJetstreamClient(
86 config.Jetstream.Endpoint,
87 "appview",
88 []string{
89 tangled.GraphFollowNSID,
90 tangled.FeedStarNSID,
91 tangled.PublicKeyNSID,
92 tangled.RepoArtifactNSID,
93 tangled.ActorProfileNSID,
94 tangled.SpindleMemberNSID,
95 tangled.SpindleNSID,
96 },
97 nil,
98 slog.Default(),
99 wrapper,
100 false,
101
102 // in-memory filter is inapplicalble to appview so
103 // we'll never log dids anyway.
104 false,
105 )
106 if err != nil {
107 return nil, fmt.Errorf("failed to create jetstream client: %w", err)
108 }
109
110 ingester := appview.Ingester{
111 Db: wrapper,
112 Enforcer: enforcer,
113 IdResolver: res,
114 Config: config,
115 Logger: tlog.New("ingester"),
116 }
117 err = jc.StartJetstream(ctx, ingester.Ingest())
118 if err != nil {
119 return nil, fmt.Errorf("failed to start jetstream watcher: %w", err)
120 }
121
122 knotstream, err := Knotstream(ctx, config, d, enforcer, posthog)
123 if err != nil {
124 return nil, fmt.Errorf("failed to start knotstream consumer: %w", err)
125 }
126 knotstream.Start(ctx)
127
128 spindlestream, err := Spindlestream(ctx, config, d, enforcer)
129 if err != nil {
130 return nil, fmt.Errorf("failed to start spindlestream consumer: %w", err)
131 }
132 spindlestream.Start(ctx)
133
134 var notifiers []notify.Notifier
135 if !config.Core.Dev {
136 notifiers = append(notifiers, posthog_service.NewPosthogNotifier(posthog))
137 }
138 notifier := notify.NewMergedNotifier(notifiers...)
139
140 state := &State{
141 d,
142 notifier,
143 oauth,
144 enforcer,
145 pgs,
146 sess,
147 res,
148 posthog,
149 jc,
150 config,
151 repoResolver,
152 knotstream,
153 spindlestream,
154 }
155
156 return state, nil
157}
158
159func (s *State) Timeline(w http.ResponseWriter, r *http.Request) {
160 user := s.oauth.GetUser(r)
161
162 timeline, err := db.MakeTimeline(s.db)
163 if err != nil {
164 log.Println(err)
165 s.pages.Notice(w, "timeline", "Uh oh! Failed to load timeline.")
166 }
167
168 var didsToResolve []string
169 for _, ev := range timeline {
170 if ev.Repo != nil {
171 didsToResolve = append(didsToResolve, ev.Repo.Did)
172 if ev.Source != nil {
173 didsToResolve = append(didsToResolve, ev.Source.Did)
174 }
175 }
176 if ev.Follow != nil {
177 didsToResolve = append(didsToResolve, ev.Follow.UserDid, ev.Follow.SubjectDid)
178 }
179 if ev.Star != nil {
180 didsToResolve = append(didsToResolve, ev.Star.StarredByDid, ev.Star.Repo.Did)
181 }
182 }
183
184 resolvedIds := s.idResolver.ResolveIdents(r.Context(), didsToResolve)
185 didHandleMap := make(map[string]string)
186 for _, identity := range resolvedIds {
187 if !identity.Handle.IsInvalidHandle() {
188 didHandleMap[identity.DID.String()] = fmt.Sprintf("@%s", identity.Handle.String())
189 } else {
190 didHandleMap[identity.DID.String()] = identity.DID.String()
191 }
192 }
193
194 s.pages.Timeline(w, pages.TimelineParams{
195 LoggedInUser: user,
196 Timeline: timeline,
197 DidHandleMap: didHandleMap,
198 })
199
200 return
201}
202
203func (s *State) Keys(w http.ResponseWriter, r *http.Request) {
204 user := chi.URLParam(r, "user")
205 user = strings.TrimPrefix(user, "@")
206
207 if user == "" {
208 w.WriteHeader(http.StatusBadRequest)
209 return
210 }
211
212 id, err := s.idResolver.ResolveIdent(r.Context(), user)
213 if err != nil {
214 w.WriteHeader(http.StatusInternalServerError)
215 return
216 }
217
218 pubKeys, err := db.GetPublicKeysForDid(s.db, id.DID.String())
219 if err != nil {
220 w.WriteHeader(http.StatusNotFound)
221 return
222 }
223
224 if len(pubKeys) == 0 {
225 w.WriteHeader(http.StatusNotFound)
226 return
227 }
228
229 for _, k := range pubKeys {
230 key := strings.TrimRight(k.Key, "\n")
231 w.Write([]byte(fmt.Sprintln(key)))
232 }
233}
234
235func validateRepoName(name string) error {
236 // check for path traversal attempts
237 if name == "." || name == ".." ||
238 strings.Contains(name, "/") || strings.Contains(name, "\\") {
239 return fmt.Errorf("Repository name contains invalid path characters")
240 }
241
242 // check for sequences that could be used for traversal when normalized
243 if strings.Contains(name, "./") || strings.Contains(name, "../") ||
244 strings.HasPrefix(name, ".") || strings.HasSuffix(name, ".") {
245 return fmt.Errorf("Repository name contains invalid path sequence")
246 }
247
248 // then continue with character validation
249 for _, char := range name {
250 if !((char >= 'a' && char <= 'z') ||
251 (char >= 'A' && char <= 'Z') ||
252 (char >= '0' && char <= '9') ||
253 char == '-' || char == '_' || char == '.') {
254 return fmt.Errorf("Repository name can only contain alphanumeric characters, periods, hyphens, and underscores")
255 }
256 }
257
258 // additional check to prevent multiple sequential dots
259 if strings.Contains(name, "..") {
260 return fmt.Errorf("Repository name cannot contain sequential dots")
261 }
262
263 // if all checks pass
264 return nil
265}
266
267func (s *State) NewRepo(w http.ResponseWriter, r *http.Request) {
268 switch r.Method {
269 case http.MethodGet:
270 user := s.oauth.GetUser(r)
271 knots, err := s.enforcer.GetKnotsForUser(user.Did)
272 if err != nil {
273 s.pages.Notice(w, "repo", "Invalid user account.")
274 return
275 }
276
277 s.pages.NewRepo(w, pages.NewRepoParams{
278 LoggedInUser: user,
279 Knots: knots,
280 })
281
282 case http.MethodPost:
283 user := s.oauth.GetUser(r)
284
285 domain := r.FormValue("domain")
286 if domain == "" {
287 s.pages.Notice(w, "repo", "Invalid form submission—missing knot domain.")
288 return
289 }
290
291 repoName := r.FormValue("name")
292 if repoName == "" {
293 s.pages.Notice(w, "repo", "Repository name cannot be empty.")
294 return
295 }
296
297 if err := validateRepoName(repoName); err != nil {
298 s.pages.Notice(w, "repo", err.Error())
299 return
300 }
301
302 defaultBranch := r.FormValue("branch")
303 if defaultBranch == "" {
304 defaultBranch = "main"
305 }
306
307 description := r.FormValue("description")
308
309 ok, err := s.enforcer.E.Enforce(user.Did, domain, domain, "repo:create")
310 if err != nil || !ok {
311 s.pages.Notice(w, "repo", "You do not have permission to create a repo in this knot.")
312 return
313 }
314
315 existingRepo, err := db.GetRepo(s.db, user.Did, repoName)
316 if err == nil && existingRepo != nil {
317 s.pages.Notice(w, "repo", fmt.Sprintf("A repo by this name already exists on %s", existingRepo.Knot))
318 return
319 }
320
321 secret, err := db.GetRegistrationKey(s.db, domain)
322 if err != nil {
323 s.pages.Notice(w, "repo", fmt.Sprintf("No registration key found for knot %s.", domain))
324 return
325 }
326
327 client, err := knotclient.NewSignedClient(domain, secret, s.config.Core.Dev)
328 if err != nil {
329 s.pages.Notice(w, "repo", "Failed to connect to knot server.")
330 return
331 }
332
333 rkey := tid.TID()
334 repo := &db.Repo{
335 Did: user.Did,
336 Name: repoName,
337 Knot: domain,
338 Rkey: rkey,
339 Description: description,
340 }
341
342 xrpcClient, err := s.oauth.AuthorizedClient(r)
343 if err != nil {
344 s.pages.Notice(w, "repo", "Failed to write record to PDS.")
345 return
346 }
347
348 createdAt := time.Now().Format(time.RFC3339)
349 atresp, err := xrpcClient.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{
350 Collection: tangled.RepoNSID,
351 Repo: user.Did,
352 Rkey: rkey,
353 Record: &lexutil.LexiconTypeDecoder{
354 Val: &tangled.Repo{
355 Knot: repo.Knot,
356 Name: repoName,
357 CreatedAt: createdAt,
358 Owner: user.Did,
359 }},
360 })
361 if err != nil {
362 log.Printf("failed to create record: %s", err)
363 s.pages.Notice(w, "repo", "Failed to announce repository creation.")
364 return
365 }
366 log.Println("created repo record: ", atresp.Uri)
367
368 tx, err := s.db.BeginTx(r.Context(), nil)
369 if err != nil {
370 log.Println(err)
371 s.pages.Notice(w, "repo", "Failed to save repository information.")
372 return
373 }
374 defer func() {
375 tx.Rollback()
376 err = s.enforcer.E.LoadPolicy()
377 if err != nil {
378 log.Println("failed to rollback policies")
379 }
380 }()
381
382 resp, err := client.NewRepo(user.Did, repoName, defaultBranch)
383 if err != nil {
384 s.pages.Notice(w, "repo", "Failed to create repository on knot server.")
385 return
386 }
387
388 switch resp.StatusCode {
389 case http.StatusConflict:
390 s.pages.Notice(w, "repo", "A repository with that name already exists.")
391 return
392 case http.StatusInternalServerError:
393 s.pages.Notice(w, "repo", "Failed to create repository on knot. Try again later.")
394 case http.StatusNoContent:
395 // continue
396 }
397
398 repo.AtUri = atresp.Uri
399 err = db.AddRepo(tx, repo)
400 if err != nil {
401 log.Println(err)
402 s.pages.Notice(w, "repo", "Failed to save repository information.")
403 return
404 }
405
406 // acls
407 p, _ := securejoin.SecureJoin(user.Did, repoName)
408 err = s.enforcer.AddRepo(user.Did, domain, p)
409 if err != nil {
410 log.Println(err)
411 s.pages.Notice(w, "repo", "Failed to set up repository permissions.")
412 return
413 }
414
415 err = tx.Commit()
416 if err != nil {
417 log.Println("failed to commit changes", err)
418 http.Error(w, err.Error(), http.StatusInternalServerError)
419 return
420 }
421
422 err = s.enforcer.E.SavePolicy()
423 if err != nil {
424 log.Println("failed to update ACLs", err)
425 http.Error(w, err.Error(), http.StatusInternalServerError)
426 return
427 }
428
429 s.notifier.NewRepo(r.Context(), repo)
430
431 s.pages.HxLocation(w, fmt.Sprintf("/@%s/%s", user.Handle, repoName))
432 return
433 }
434}