kot.pink / core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom
core / spindle / xrpc / add_secret.go
at push-vynsusnqpmus 2.4 kB view raw
1package xrpc 2 3import ( 4 "encoding/json" 5 "fmt" 6 "net/http" 7 8 "github.com/bluesky-social/indigo/api/atproto" 9 "github.com/bluesky-social/indigo/atproto/syntax" 10 "github.com/bluesky-social/indigo/xrpc" 11 securejoin "github.com/cyphar/filepath-securejoin" 12 "tangled.sh/tangled.sh/core/api/tangled" 13 "tangled.sh/tangled.sh/core/rbac" 14 "tangled.sh/tangled.sh/core/spindle/secrets" 15) 16 17func (x *Xrpc) AddSecret(w http.ResponseWriter, r *http.Request) { 18 l := x.Logger 19 fail := func(e XrpcError) { 20 l.Error("failed", "kind", e.Tag, "error", e.Message) 21 writeError(w, e, http.StatusBadRequest) 22 } 23 24 actorDid, ok := r.Context().Value(ActorDid).(syntax.DID) 25 if !ok { 26 fail(MissingActorDidError) 27 return 28 } 29 30 var data tangled.RepoAddSecret_Input 31 if err := json.NewDecoder(r.Body).Decode(&data); err != nil { 32 fail(GenericError(err)) 33 return 34 } 35 36 if err := secrets.ValidateKey(data.Key); err != nil { 37 fail(GenericError(err)) 38 return 39 } 40 41 // unfortunately we have to resolve repo-at here 42 repoAt, err := syntax.ParseATURI(data.Repo) 43 if err != nil { 44 fail(InvalidRepoError(data.Repo)) 45 return 46 } 47 48 // resolve this aturi to extract the repo record 49 ident, err := x.Resolver.ResolveIdent(r.Context(), repoAt.Authority().String()) 50 if err != nil || ident.Handle.IsInvalidHandle() { 51 fail(GenericError(fmt.Errorf("failed to resolve handle: %w", err))) 52 return 53 } 54 55 xrpcc := xrpc.Client{Host: ident.PDSEndpoint()} 56 resp, err := atproto.RepoGetRecord(r.Context(), &xrpcc, "", tangled.RepoNSID, repoAt.Authority().String(), repoAt.RecordKey().String()) 57 if err != nil { 58 fail(GenericError(err)) 59 return 60 } 61 62 repo := resp.Value.Val.(*tangled.Repo) 63 didPath, err := securejoin.SecureJoin(repo.Owner, repo.Name) 64 if err != nil { 65 fail(GenericError(err)) 66 return 67 } 68 69 if ok, err := x.Enforcer.IsSettingsAllowed(actorDid.String(), rbac.ThisServer, didPath); !ok || err != nil { 70 l.Error("insufficent permissions", "did", actorDid.String()) 71 writeError(w, AccessControlError(actorDid.String()), http.StatusUnauthorized) 72 return 73 } 74 75 secret := secrets.UnlockedSecret{ 76 Repo: secrets.DidSlashRepo(didPath), 77 Key: data.Key, 78 Value: data.Value, 79 CreatedBy: actorDid, 80 } 81 err = x.Vault.AddSecret(secret) 82 if err != nil { 83 l.Error("failed to add secret to vault", "did", actorDid.String(), "err", err) 84 writeError(w, GenericError(err), http.StatusInternalServerError) 85 return 86 } 87 88 w.WriteHeader(http.StatusOK) 89}