kot.pink / core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom
core / appview / state / state.go
at push-wpkykovtqxnx 11 kB view raw
1package state 2 3import ( 4 "context" 5 "fmt" 6 "log" 7 "log/slog" 8 "net/http" 9 "strings" 10 "time" 11 12 comatproto "github.com/bluesky-social/indigo/api/atproto" 13 lexutil "github.com/bluesky-social/indigo/lex/util" 14 securejoin "github.com/cyphar/filepath-securejoin" 15 "github.com/go-chi/chi/v5" 16 "github.com/posthog/posthog-go" 17 "tangled.sh/tangled.sh/core/api/tangled" 18 "tangled.sh/tangled.sh/core/appview" 19 "tangled.sh/tangled.sh/core/appview/cache" 20 "tangled.sh/tangled.sh/core/appview/cache/session" 21 "tangled.sh/tangled.sh/core/appview/config" 22 "tangled.sh/tangled.sh/core/appview/db" 23 "tangled.sh/tangled.sh/core/appview/notify" 24 "tangled.sh/tangled.sh/core/appview/oauth" 25 "tangled.sh/tangled.sh/core/appview/pages" 26 posthogService "tangled.sh/tangled.sh/core/appview/posthog" 27 "tangled.sh/tangled.sh/core/appview/reporesolver" 28 "tangled.sh/tangled.sh/core/eventconsumer" 29 "tangled.sh/tangled.sh/core/idresolver" 30 "tangled.sh/tangled.sh/core/jetstream" 31 "tangled.sh/tangled.sh/core/knotclient" 32 tlog "tangled.sh/tangled.sh/core/log" 33 "tangled.sh/tangled.sh/core/rbac" 34 "tangled.sh/tangled.sh/core/tid" 35) 36 37type State struct { 38 db *db.DB 39 notifier notify.Notifier 40 oauth *oauth.OAuth 41 enforcer *rbac.Enforcer 42 pages *pages.Pages 43 sess *session.SessionStore 44 idResolver *idresolver.Resolver 45 posthog posthog.Client 46 jc *jetstream.JetstreamClient 47 config *config.Config 48 repoResolver *reporesolver.RepoResolver 49 knotstream *eventconsumer.Consumer 50 spindlestream *eventconsumer.Consumer 51} 52 53func Make(ctx context.Context, config *config.Config) (*State, error) { 54 d, err := db.Make(config.Core.DbPath) 55 if err != nil { 56 return nil, fmt.Errorf("failed to create db: %w", err) 57 } 58 59 enforcer, err := rbac.NewEnforcer(config.Core.DbPath) 60 if err != nil { 61 return nil, fmt.Errorf("failed to create enforcer: %w", err) 62 } 63 64 res, err := idresolver.RedisResolver(config.Redis.ToURL()) 65 if err != nil { 66 log.Printf("failed to create redis resolver: %v", err) 67 res = idresolver.DefaultResolver() 68 } 69 70 pgs := pages.NewPages(config, res) 71 72 cache := cache.New(config.Redis.Addr) 73 sess := session.New(cache) 74 75 oauth := oauth.NewOAuth(config, sess) 76 77 posthog, err := posthog.NewWithConfig(config.Posthog.ApiKey, posthog.Config{Endpoint: config.Posthog.Endpoint}) 78 if err != nil { 79 return nil, fmt.Errorf("failed to create posthog client: %w", err) 80 } 81 82 repoResolver := reporesolver.New(config, enforcer, res, d) 83 84 wrapper := db.DbWrapper{d} 85 jc, err := jetstream.NewJetstreamClient( 86 config.Jetstream.Endpoint, 87 "appview", 88 []string{ 89 tangled.GraphFollowNSID, 90 tangled.FeedStarNSID, 91 tangled.PublicKeyNSID, 92 tangled.RepoArtifactNSID, 93 tangled.ActorProfileNSID, 94 tangled.SpindleMemberNSID, 95 tangled.SpindleNSID, 96 tangled.StringNSID, 97 }, 98 nil, 99 slog.Default(), 100 wrapper, 101 false, 102 103 // in-memory filter is inapplicalble to appview so 104 // we'll never log dids anyway. 105 false, 106 ) 107 if err != nil { 108 return nil, fmt.Errorf("failed to create jetstream client: %w", err) 109 } 110 111 ingester := appview.Ingester{ 112 Db: wrapper, 113 Enforcer: enforcer, 114 IdResolver: res, 115 Config: config, 116 Logger: tlog.New("ingester"), 117 } 118 err = jc.StartJetstream(ctx, ingester.Ingest()) 119 if err != nil { 120 return nil, fmt.Errorf("failed to start jetstream watcher: %w", err) 121 } 122 123 knotstream, err := Knotstream(ctx, config, d, enforcer, posthog) 124 if err != nil { 125 return nil, fmt.Errorf("failed to start knotstream consumer: %w", err) 126 } 127 knotstream.Start(ctx) 128 129 spindlestream, err := Spindlestream(ctx, config, d, enforcer) 130 if err != nil { 131 return nil, fmt.Errorf("failed to start spindlestream consumer: %w", err) 132 } 133 spindlestream.Start(ctx) 134 135 var notifiers []notify.Notifier 136 if !config.Core.Dev { 137 notifiers = append(notifiers, posthogService.NewPosthogNotifier(posthog)) 138 } 139 notifier := notify.NewMergedNotifier(notifiers...) 140 141 state := &State{ 142 d, 143 notifier, 144 oauth, 145 enforcer, 146 pgs, 147 sess, 148 res, 149 posthog, 150 jc, 151 config, 152 repoResolver, 153 knotstream, 154 spindlestream, 155 } 156 157 return state, nil 158} 159 160func (s *State) TermsOfService(w http.ResponseWriter, r *http.Request) { 161 user := s.oauth.GetUser(r) 162 s.pages.TermsOfService(w, pages.TermsOfServiceParams{ 163 LoggedInUser: user, 164 }) 165} 166 167func (s *State) PrivacyPolicy(w http.ResponseWriter, r *http.Request) { 168 user := s.oauth.GetUser(r) 169 s.pages.PrivacyPolicy(w, pages.PrivacyPolicyParams{ 170 LoggedInUser: user, 171 }) 172} 173 174func (s *State) Timeline(w http.ResponseWriter, r *http.Request) { 175 user := s.oauth.GetUser(r) 176 177 timeline, err := db.MakeTimeline(s.db) 178 if err != nil { 179 log.Println(err) 180 s.pages.Notice(w, "timeline", "Uh oh! Failed to load timeline.") 181 } 182 183 s.pages.Timeline(w, pages.TimelineParams{ 184 LoggedInUser: user, 185 Timeline: timeline, 186 }) 187} 188 189func (s *State) Keys(w http.ResponseWriter, r *http.Request) { 190 user := chi.URLParam(r, "user") 191 user = strings.TrimPrefix(user, "@") 192 193 if user == "" { 194 w.WriteHeader(http.StatusBadRequest) 195 return 196 } 197 198 id, err := s.idResolver.ResolveIdent(r.Context(), user) 199 if err != nil { 200 w.WriteHeader(http.StatusInternalServerError) 201 return 202 } 203 204 pubKeys, err := db.GetPublicKeysForDid(s.db, id.DID.String()) 205 if err != nil { 206 w.WriteHeader(http.StatusNotFound) 207 return 208 } 209 210 if len(pubKeys) == 0 { 211 w.WriteHeader(http.StatusNotFound) 212 return 213 } 214 215 for _, k := range pubKeys { 216 key := strings.TrimRight(k.Key, "\n") 217 w.Write([]byte(fmt.Sprintln(key))) 218 } 219} 220 221func validateRepoName(name string) error { 222 // check for path traversal attempts 223 if name == "." || name == ".." || 224 strings.Contains(name, "/") || strings.Contains(name, "\\") { 225 return fmt.Errorf("Repository name contains invalid path characters") 226 } 227 228 // check for sequences that could be used for traversal when normalized 229 if strings.Contains(name, "./") || strings.Contains(name, "../") || 230 strings.HasPrefix(name, ".") || strings.HasSuffix(name, ".") { 231 return fmt.Errorf("Repository name contains invalid path sequence") 232 } 233 234 // then continue with character validation 235 for _, char := range name { 236 if !((char >= 'a' && char <= 'z') || 237 (char >= 'A' && char <= 'Z') || 238 (char >= '0' && char <= '9') || 239 char == '-' || char == '_' || char == '.') { 240 return fmt.Errorf("Repository name can only contain alphanumeric characters, periods, hyphens, and underscores") 241 } 242 } 243 244 // additional check to prevent multiple sequential dots 245 if strings.Contains(name, "..") { 246 return fmt.Errorf("Repository name cannot contain sequential dots") 247 } 248 249 // if all checks pass 250 return nil 251} 252 253func (s *State) NewRepo(w http.ResponseWriter, r *http.Request) { 254 switch r.Method { 255 case http.MethodGet: 256 user := s.oauth.GetUser(r) 257 knots, err := s.enforcer.GetKnotsForUser(user.Did) 258 if err != nil { 259 s.pages.Notice(w, "repo", "Invalid user account.") 260 return 261 } 262 263 s.pages.NewRepo(w, pages.NewRepoParams{ 264 LoggedInUser: user, 265 Knots: knots, 266 }) 267 268 case http.MethodPost: 269 user := s.oauth.GetUser(r) 270 271 domain := r.FormValue("domain") 272 if domain == "" { 273 s.pages.Notice(w, "repo", "Invalid form submission&mdash;missing knot domain.") 274 return 275 } 276 277 repoName := r.FormValue("name") 278 if repoName == "" { 279 s.pages.Notice(w, "repo", "Repository name cannot be empty.") 280 return 281 } 282 283 if err := validateRepoName(repoName); err != nil { 284 s.pages.Notice(w, "repo", err.Error()) 285 return 286 } 287 288 defaultBranch := r.FormValue("branch") 289 if defaultBranch == "" { 290 defaultBranch = "main" 291 } 292 293 description := r.FormValue("description") 294 295 ok, err := s.enforcer.E.Enforce(user.Did, domain, domain, "repo:create") 296 if err != nil || !ok { 297 s.pages.Notice(w, "repo", "You do not have permission to create a repo in this knot.") 298 return 299 } 300 301 existingRepo, err := db.GetRepo(s.db, user.Did, repoName) 302 if err == nil && existingRepo != nil { 303 s.pages.Notice(w, "repo", fmt.Sprintf("A repo by this name already exists on %s", existingRepo.Knot)) 304 return 305 } 306 307 secret, err := db.GetRegistrationKey(s.db, domain) 308 if err != nil { 309 s.pages.Notice(w, "repo", fmt.Sprintf("No registration key found for knot %s.", domain)) 310 return 311 } 312 313 client, err := knotclient.NewSignedClient(domain, secret, s.config.Core.Dev) 314 if err != nil { 315 s.pages.Notice(w, "repo", "Failed to connect to knot server.") 316 return 317 } 318 319 rkey := tid.TID() 320 repo := &db.Repo{ 321 Did: user.Did, 322 Name: repoName, 323 Knot: domain, 324 Rkey: rkey, 325 Description: description, 326 } 327 328 xrpcClient, err := s.oauth.AuthorizedClient(r) 329 if err != nil { 330 s.pages.Notice(w, "repo", "Failed to write record to PDS.") 331 return 332 } 333 334 createdAt := time.Now().Format(time.RFC3339) 335 atresp, err := xrpcClient.RepoPutRecord(r.Context(), &comatproto.RepoPutRecord_Input{ 336 Collection: tangled.RepoNSID, 337 Repo: user.Did, 338 Rkey: rkey, 339 Record: &lexutil.LexiconTypeDecoder{ 340 Val: &tangled.Repo{ 341 Knot: repo.Knot, 342 Name: repoName, 343 CreatedAt: createdAt, 344 Owner: user.Did, 345 }}, 346 }) 347 if err != nil { 348 log.Printf("failed to create record: %s", err) 349 s.pages.Notice(w, "repo", "Failed to announce repository creation.") 350 return 351 } 352 log.Println("created repo record: ", atresp.Uri) 353 354 tx, err := s.db.BeginTx(r.Context(), nil) 355 if err != nil { 356 log.Println(err) 357 s.pages.Notice(w, "repo", "Failed to save repository information.") 358 return 359 } 360 defer func() { 361 tx.Rollback() 362 err = s.enforcer.E.LoadPolicy() 363 if err != nil { 364 log.Println("failed to rollback policies") 365 } 366 }() 367 368 resp, err := client.NewRepo(user.Did, repoName, defaultBranch) 369 if err != nil { 370 s.pages.Notice(w, "repo", "Failed to create repository on knot server.") 371 return 372 } 373 374 switch resp.StatusCode { 375 case http.StatusConflict: 376 s.pages.Notice(w, "repo", "A repository with that name already exists.") 377 return 378 case http.StatusInternalServerError: 379 s.pages.Notice(w, "repo", "Failed to create repository on knot. Try again later.") 380 case http.StatusNoContent: 381 // continue 382 } 383 384 repo.AtUri = atresp.Uri 385 err = db.AddRepo(tx, repo) 386 if err != nil { 387 log.Println(err) 388 s.pages.Notice(w, "repo", "Failed to save repository information.") 389 return 390 } 391 392 // acls 393 p, _ := securejoin.SecureJoin(user.Did, repoName) 394 err = s.enforcer.AddRepo(user.Did, domain, p) 395 if err != nil { 396 log.Println(err) 397 s.pages.Notice(w, "repo", "Failed to set up repository permissions.") 398 return 399 } 400 401 err = tx.Commit() 402 if err != nil { 403 log.Println("failed to commit changes", err) 404 http.Error(w, err.Error(), http.StatusInternalServerError) 405 return 406 } 407 408 err = s.enforcer.E.SavePolicy() 409 if err != nil { 410 log.Println("failed to update ACLs", err) 411 http.Error(w, err.Error(), http.StatusInternalServerError) 412 return 413 } 414 415 s.notifier.NewRepo(r.Context(), repo) 416 417 s.pages.HxLocation(w, fmt.Sprintf("/@%s/%s", user.Handle, repoName)) 418 return 419 } 420}