kot.pink / core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom
core / spindle / xrpc / add_secret.go
at push-wpkykovtqxnx 2.5 kB view raw
1package xrpc 2 3import ( 4 "encoding/json" 5 "fmt" 6 "net/http" 7 "time" 8 9 "github.com/bluesky-social/indigo/api/atproto" 10 "github.com/bluesky-social/indigo/atproto/syntax" 11 "github.com/bluesky-social/indigo/xrpc" 12 securejoin "github.com/cyphar/filepath-securejoin" 13 "tangled.sh/tangled.sh/core/api/tangled" 14 "tangled.sh/tangled.sh/core/rbac" 15 "tangled.sh/tangled.sh/core/spindle/secrets" 16) 17 18func (x *Xrpc) AddSecret(w http.ResponseWriter, r *http.Request) { 19 l := x.Logger 20 fail := func(e XrpcError) { 21 l.Error("failed", "kind", e.Tag, "error", e.Message) 22 writeError(w, e, http.StatusBadRequest) 23 } 24 25 actorDid, ok := r.Context().Value(ActorDid).(syntax.DID) 26 if !ok { 27 fail(MissingActorDidError) 28 return 29 } 30 31 var data tangled.RepoAddSecret_Input 32 if err := json.NewDecoder(r.Body).Decode(&data); err != nil { 33 fail(GenericError(err)) 34 return 35 } 36 37 if err := secrets.ValidateKey(data.Key); err != nil { 38 fail(GenericError(err)) 39 return 40 } 41 42 // unfortunately we have to resolve repo-at here 43 repoAt, err := syntax.ParseATURI(data.Repo) 44 if err != nil { 45 fail(InvalidRepoError(data.Repo)) 46 return 47 } 48 49 // resolve this aturi to extract the repo record 50 ident, err := x.Resolver.ResolveIdent(r.Context(), repoAt.Authority().String()) 51 if err != nil || ident.Handle.IsInvalidHandle() { 52 fail(GenericError(fmt.Errorf("failed to resolve handle: %w", err))) 53 return 54 } 55 56 xrpcc := xrpc.Client{Host: ident.PDSEndpoint()} 57 resp, err := atproto.RepoGetRecord(r.Context(), &xrpcc, "", tangled.RepoNSID, repoAt.Authority().String(), repoAt.RecordKey().String()) 58 if err != nil { 59 fail(GenericError(err)) 60 return 61 } 62 63 repo := resp.Value.Val.(*tangled.Repo) 64 didPath, err := securejoin.SecureJoin(repo.Owner, repo.Name) 65 if err != nil { 66 fail(GenericError(err)) 67 return 68 } 69 70 if ok, err := x.Enforcer.IsSettingsAllowed(actorDid.String(), rbac.ThisServer, didPath); !ok || err != nil { 71 l.Error("insufficent permissions", "did", actorDid.String()) 72 writeError(w, AccessControlError(actorDid.String()), http.StatusUnauthorized) 73 return 74 } 75 76 secret := secrets.UnlockedSecret{ 77 Repo: secrets.DidSlashRepo(didPath), 78 Key: data.Key, 79 Value: data.Value, 80 CreatedAt: time.Now(), 81 CreatedBy: actorDid, 82 } 83 err = x.Vault.AddSecret(r.Context(), secret) 84 if err != nil { 85 l.Error("failed to add secret to vault", "did", actorDid.String(), "err", err) 86 writeError(w, GenericError(err), http.StatusInternalServerError) 87 return 88 } 89 90 w.WriteHeader(http.StatusOK) 91}