commit 0ad3d7fdb9f69bc22b2ef6a839cad55864d73ea9 · notnite.com/core

+93 -9

appview/state/signer.go

···

       1
       1
        
       package state

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"bytes"

     

       4
       5
        
       	"crypto/hmac"

     

       5
       6
        
       	"crypto/sha256"

     

       6
       7
        
       	"encoding/hex"

     

       8
       8
       +
       	"encoding/json"

     

       9
       9
       +
       	"fmt"

     

       7
       10
        
       	"net/http"

     

       11
       11
       +
       	"net/url"

     

       8
       12
        
       	"time"

     

       9
       13
        
       )

     

       10
       14
        
       

     

       11
       15
        
       type SignerTransport struct {

     

       12
       16
        
       	Secret string

     

       13
       13
       -
       }

     

       14
       14
       -
       

     

       15
       15
       -
       func SignedClient(secret string) *http.Client {

     

       16
       16
       -
       	return &http.Client{

     

       17
       17
       -
       		Timeout: 5 * time.Second,

     

       18
       18
       -
       		Transport: SignerTransport{

     

       19
       19
       -
       			Secret: secret,

     

       20
       20
       -
       		},

     

       21
       21
       -
       	}

     

       22
       17
        
       }

     

       23
       18
        
       

     

       24
       19
        
       func (s SignerTransport) RoundTrip(req *http.Request) (*http.Response, error) {

     
···

       31
       26
        
       	req.Header.Set("X-Timestamp", timestamp)

     

       32
       27
        
       	return http.DefaultTransport.RoundTrip(req)

     

       33
       28
        
       }

     

       29
       29
       +
       

     

       30
       30
       +
       type SignedClient struct {

     

       31
       31
       +
       	Secret string

     

       32
       32
       +
       	Url    *url.URL

     

       33
       33
       +
       	client *http.Client

     

       34
       34
       +
       }

     

       35
       35
       +
       

     

       36
       36
       +
       func NewSignedClient(domain, secret string) (*SignedClient, error) {

     

       37
       37
       +
       	client := &http.Client{

     

       38
       38
       +
       		Timeout: 5 * time.Second,

     

       39
       39
       +
       		Transport: SignerTransport{

     

       40
       40
       +
       			Secret: secret,

     

       41
       41
       +
       		},

     

       42
       42
       +
       	}

     

       43
       43
       +
       

     

       44
       44
       +
       	url, err := url.Parse(fmt.Sprintf("http://%s", domain))

     

       45
       45
       +
       	if err != nil {

     

       46
       46
       +
       		return nil, err

     

       47
       47
       +
       	}

     

       48
       48
       +
       

     

       49
       49
       +
       	signedClient := &SignedClient{

     

       50
       50
       +
       		Secret: secret,

     

       51
       51
       +
       		client: client,

     

       52
       52
       +
       		Url:    url,

     

       53
       53
       +
       	}

     

       54
       54
       +
       

     

       55
       55
       +
       	return signedClient, nil

     

       56
       56
       +
       }

     

       57
       57
       +
       

     

       58
       58
       +
       func (s *SignedClient) newRequest(method, endpoint string, body []byte) (*http.Request, error) {

     

       59
       59
       +
       	return http.NewRequest(method, s.Url.JoinPath(endpoint).String(), bytes.NewReader(body))

     

       60
       60
       +
       }

     

       61
       61
       +
       

     

       62
       62
       +
       func (s *SignedClient) Init(did string, keys []string) (*http.Response, error) {

     

       63
       63
       +
       	const (

     

       64
       64
       +
       		Method   = "POST"

     

       65
       65
       +
       		Endpoint = "/init"

     

       66
       66
       +
       	)

     

       67
       67
       +
       

     

       68
       68
       +
       	body, _ := json.Marshal(map[string]interface{}{

     

       69
       69
       +
       		"did":  did,

     

       70
       70
       +
       		"keys": keys,

     

       71
       71
       +
       	})

     

       72
       72
       +
       

     

       73
       73
       +
       	req, err := s.newRequest(Method, Endpoint, body)

     

       74
       74
       +
       	if err != nil {

     

       75
       75
       +
       		return nil, err

     

       76
       76
       +
       	}

     

       77
       77
       +
       

     

       78
       78
       +
       	return s.client.Do(req)

     

       79
       79
       +
       }

     

       80
       80
       +
       

     

       81
       81
       +
       func (s *SignedClient) NewRepo(did, repoName string) (*http.Response, error) {

     

       82
       82
       +
       	const (

     

       83
       83
       +
       		Method   = "PUT"

     

       84
       84
       +
       		Endpoint = "/repo/new"

     

       85
       85
       +
       	)

     

       86
       86
       +
       

     

       87
       87
       +
       	body, _ := json.Marshal(map[string]interface{}{

     

       88
       88
       +
       		"did":  did,

     

       89
       89
       +
       		"name": repoName,

     

       90
       90
       +
       	})

     

       91
       91
       +
       

     

       92
       92
       +
       	req, err := s.newRequest(Method, Endpoint, body)

     

       93
       93
       +
       	if err != nil {

     

       94
       94
       +
       		return nil, err

     

       95
       95
       +
       	}

     

       96
       96
       +
       

     

       97
       97
       +
       	return s.client.Do(req)

     

       98
       98
       +
       }

     

       99
       99
       +
       

     

       100
       100
       +
       func (s *SignedClient) AddMember(did string, keys []string) (*http.Response, error) {

     

       101
       101
       +
       	const (

     

       102
       102
       +
       		Method   = "PUT"

     

       103
       103
       +
       		Endpoint = "/member/add"

     

       104
       104
       +
       	)

     

       105
       105
       +
       

     

       106
       106
       +
       	body, _ := json.Marshal(map[string]interface{}{

     

       107
       107
       +
       		"did":  did,

     

       108
       108
       +
       		"keys": keys,

     

       109
       109
       +
       	})

     

       110
       110
       +
       

     

       111
       111
       +
       	req, err := s.newRequest(Method, Endpoint, body)

     

       112
       112
       +
       	if err != nil {

     

       113
       113
       +
       		return nil, err

     

       114
       114
       +
       	}

     

       115
       115
       +
       

     

       116
       116
       +
       	return s.client.Do(req)

     

       117
       117
       +
       }

+43 -30

appview/state/state.go

···

       1
       1
        
       package state

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       -
       	"bytes"

     

       5
       4
        
       	"crypto/hmac"

     

       6
       5
        
       	"crypto/sha256"

     

       7
       6
        
       	"encoding/hex"

     

       8
       8
       -
       	"encoding/json"

     

       9
       7
        
       	"fmt"

     

       10
       8
        
       	"log"

     

       11
       9
        
       	"net/http"

     

       10
       10
       +
       	"path/filepath"

     

       12
       11
        
       	"strings"

     

       13
       12
        
       	"time"

     

       14
       13
        
       

     
···

       234
       233
        
       	}

     

       235
       234
        
       	log.Println("checking ", domain)

     

       236
       235
        
       

     

       237
       237
       -
       	url := fmt.Sprintf("http://%s/init", domain)

     

       238
       238
       -
       

     

       239
       239
       -
       	body, _ := json.Marshal(map[string]interface{}{

     

       240
       240
       -
       		"did":  user.Did,

     

       241
       241
       -
       		"keys": []string{},

     

       242
       242
       -
       	})

     

       243
       243
       -
       	pingRequest, err := http.NewRequest("POST", url, bytes.NewBuffer(body))

     

       236
       236
       +
       	secret, err := s.db.GetRegistrationKey(domain)

     

       244
       237
        
       	if err != nil {

     

       245
       245
       -
       		log.Println("failed to build ping request", err)

     

       238
       238
       +
       		log.Printf("no key found for domain %s: %s\n", domain, err)

     

       246
       239
        
       		return

     

       247
       240
        
       	}

     

       248
       241
        
       

     

       249
       249
       -
       	secret, err := s.db.GetRegistrationKey(domain)

     

       242
       242
       +
       	client, err := NewSignedClient(domain, secret)

     

       250
       243
        
       	if err != nil {

     

       251
       251
       -
       		log.Printf("no key found for domain %s: %s\n", domain, err)

     

       252
       252
       -
       		return

     

       244
       244
       +
       		log.Println("failed to create client to ", domain)

     

       253
       245
        
       	}

     

       254
       254
       -
       	client := SignedClient(secret)

     

       255
       246
        
       

     

       256
       256
       -
       	resp, err := client.Do(pingRequest)

     

       247
       247
       +
       	resp, err := client.Init(user.Did, []string{})

     

       257
       248
        
       	if err != nil {

     

       258
       249
        
       		w.Write([]byte("no dice"))

     

       259
       250
        
       		log.Println("domain was unreachable after 5 seconds")

     
···

       338
       329
        
       

     

       339
       330
        
       	var members []string

     

       340
       331
        
       	if reg.Registered != nil {

     

       341
       341
       -
       		members, err = s.enforcer.E.GetUsersForRole("server:member", domain)

     

       332
       332
       +
       		members, err = s.enforcer.GetUserByRole("server:member", domain)

     

       342
       333
        
       		if err != nil {

     

       343
       334
        
       			w.Write([]byte("failed to fetch member list"))

     

       344
       335
        
       			return

     

       345
       336
        
       		}

     

       346
       337
        
       	}

     

       347
       338
        
       

     

       348
       348
       -
       	ok, err := s.enforcer.E.HasGroupingPolicy(user.Did, "server:owner", domain)

     

       339
       339
       +
       	ok, err := s.enforcer.IsServerOwner(user.Did, domain)

     

       349
       340
        
       	isOwner := err == nil && ok

     

       350
       341
        
       

     

       351
       342
        
       	p := pages.KnotParams{

     
···

       382
       373
        
       	}

     

       383
       374
        
       

     

       384
       375
        
       	// list all members for this domain

     

       385
       385
       -
       	memberDids, err := s.enforcer.E.GetUsersForRole("server:member", domain)

     

       376
       376
       +
       	memberDids, err := s.enforcer.GetUserByRole("server:member", domain)

     

       386
       377
        
       	if err != nil {

     

       387
       378
        
       		w.Write([]byte("failed to fetch member list"))

     

       388
       379
        
       		return

     
···

       433
       424
        
       		log.Printf("failed to create record: %s", err)

     

       434
       425
        
       		return

     

       435
       426
        
       	}

     

       427
       427
       +
       	log.Println("created atproto record: ", resp.Uri)

     

       436
       428
        
       

     

       437
       437
       -
       	log.Println("created atproto record: ", resp.Uri)

     

       429
       429
       +
       	secret, err := s.db.GetRegistrationKey(domain)

     

       430
       430
       +
       	if err != nil {

     

       431
       431
       +
       		log.Printf("no key found for domain %s: %s\n", domain, err)

     

       432
       432
       +
       		return

     

       433
       433
       +
       	}

     

       434
       434
       +
       

     

       435
       435
       +
       	ksClient, err := NewSignedClient(domain, secret)

     

       436
       436
       +
       	if err != nil {

     

       437
       437
       +
       		log.Println("failed to create client to ", domain)

     

       438
       438
       +
       		return

     

       439
       439
       +
       	}

     

       440
       440
       +
       

     

       441
       441
       +
       	ksResp, err := ksClient.AddMember(memberIdent.DID.String(), []string{})

     

       442
       442
       +
       	if err != nil {

     

       443
       443
       +
       		log.Printf("failet to make request to %s: %s", domain, err)

     

       444
       444
       +
       	}

     

       445
       445
       +
       

     

       446
       446
       +
       	if ksResp.StatusCode != http.StatusNoContent {

     

       447
       447
       +
       		w.Write([]byte(fmt.Sprint("knotserver failed to add member: ", err)))

     

       448
       448
       +
       		return

     

       449
       449
       +
       	}

     

       438
       450
        
       

     

       439
       451
        
       	err = s.enforcer.AddMember(domain, memberIdent.DID.String())

     

       440
       452
        
       	if err != nil {

     
···

       481
       493
        
       			return

     

       482
       494
        
       		}

     

       483
       495
        
       

     

       484
       484
       -
       		client := SignedClient(secret)

     

       485
       485
       -
       		url := fmt.Sprintf("http://%s/repo/new", domain)

     

       486
       486
       -
       		body, _ := json.Marshal(map[string]interface{}{

     

       487
       487
       -
       			"did":  user.Did,

     

       488
       488
       -
       			"name": repoName,

     

       489
       489
       -
       		})

     

       490
       490
       -
       		createRepoRequest, err := http.NewRequest("PUT", url, bytes.NewReader(body))

     

       496
       496
       +
       		client, err := NewSignedClient(domain, secret)

     

       497
       497
       +
       		if err != nil {

     

       498
       498
       +
       			log.Println("failed to create client to ", domain)

     

       499
       499
       +
       		}

     

       491
       500
        
       

     

       492
       492
       -
       		resp, err := client.Do(createRepoRequest)

     

       493
       493
       -
       

     

       501
       501
       +
       		resp, err := client.NewRepo(user.Did, repoName)

     

       494
       502
        
       		if err != nil {

     

       495
       503
        
       			log.Println("failed to send create repo request", err)

     

       496
       504
        
       			return

     

       497
       505
        
       		}

     

       498
       498
       -
       

     

       499
       506
        
       		if resp.StatusCode != http.StatusNoContent {

     

       500
       507
        
       			log.Println("server returned ", resp.StatusCode)

     

       501
       508
        
       			return

     
···

       507
       514
        
       			Name: repoName,

     

       508
       515
        
       			Knot: domain,

     

       509
       516
        
       		}

     

       510
       510
       -
       

     

       511
       517
        
       		err = s.db.AddRepo(repo)

     

       512
       518
        
       		if err != nil {

     

       513
       519
        
       			log.Println("failed to add repo to db", err)

     

       520
       520
       +
       			return

     

       521
       521
       +
       		}

     

       522
       522
       +
       

     

       523
       523
       +
       		// acls

     

       524
       524
       +
       		err = s.enforcer.AddRepo(user.Did, domain, filepath.Join(user.Did, repoName))

     

       525
       525
       +
       		if err != nil {

     

       526
       526
       +
       			log.Println("failed to set up acls", err)

     

       514
       527
        
       			return

     

       515
       528
        
       		}

     

       516
       529

+1 -1

knotserver/handler.go

···

       92
       92
        
       

     

       93
       93
        
       	r.Route("/member", func(r chi.Router) {

     

       94
       94
        
       		r.Use(h.VerifySignature)

     

       95
       95
       -
       		r.Put("/add", h.NewRepo)

     

       95
       95
       +
       		r.Put("/add", h.AddMember)

     

       96
       96
        
       	})

     

       97
       97
        
       

     

       98
       98
        
       	// Initialize the knot with an owner and public key.

+8 -3

knotserver/jetstream.go

···

       7
       7
        
       	"io"

     

       8
       8
        
       	"log"

     

       9
       9
        
       	"net/http"

     

       10
       10
       -
       	"path"

     

       10
       10
       +
       	"net/url"

     

       11
       11
        
       	"strings"

     

       12
       12
        
       	"time"

     

       13
       13
        
       

     
···

       66
       66
        
       }

     

       67
       67
        
       

     

       68
       68
        
       func (h *Handle) fetchAndAddKeys(did string) {

     

       69
       69
       -
       	resp, err := http.Get(path.Join(h.c.AppViewEndpoint, did))

     

       69
       69
       +
       	keysEndpoint, err := url.JoinPath(h.c.AppViewEndpoint, "keys", did)

     

       70
       70
       +
       	if err != nil {

     

       71
       71
       +
       		log.Printf("error building endpoint url: %s: %v", did, err)

     

       72
       72
       +
       		return

     

       73
       73
       +
       	}

     

       74
       74
       +
       

     

       75
       75
       +
       	resp, err := http.Get(keysEndpoint)

     

       70
       76
        
       	if err != nil {

     

       71
       77
        
       		log.Printf("error getting keys for %s: %v", did, err)

     

       72
       78
        
       		return

     
···

       112
       118
        
       }

     

       113
       119
        
       

     

       114
       120
        
       func (h *Handle) processMessages(messages <-chan []byte) {

     

       115
       115
       -
       	log.Println("waiting for knot to be initialized")

     

       116
       121
        
       	<-h.init

     

       117
       122
        
       	log.Println("initalized jetstream watcher")

     

       118
       123

+31

rbac/rbac.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"database/sql"

     

       5
       5
        
       	"path"

     

       6
       6
       +
       	"strings"

     

       6
       7
        
       

     

       7
       8
        
       	sqladapter "github.com/Blank-Xu/sql-adapter"

     

       8
       9
        
       	"github.com/casbin/casbin/v2"

     
···

       98
       99
        
       		{"server:owner", domain, repo, "repo:delete"}, // server owner can delete any repo

     

       99
       100
        
       	})

     

       100
       101
        
       	return err

     

       102
       102
       +
       }

     

       103
       103
       +
       

     

       104
       104
       +
       func (e *Enforcer) GetUserByRole(role, domain string) ([]string, error) {

     

       105
       105
       +
       	var membersWithoutRoles []string

     

       106
       106
       +
       

     

       107
       107
       +
       	// this includes roles too, casbin does not differentiate.

     

       108
       108
       +
       	// the filtering criteria is to remove strings not starting with `did:`

     

       109
       109
       +
       	members, err := e.E.Enforcer.GetImplicitUsersForRole(role, domain)

     

       110
       110
       +
       	for _, m := range members {

     

       111
       111
       +
       		if strings.HasPrefix(m, "did:") {

     

       112
       112
       +
       			membersWithoutRoles = append(membersWithoutRoles, m)

     

       113
       113
       +
       		}

     

       114
       114
       +
       	}

     

       115
       115
       +
       	if err != nil {

     

       116
       116
       +
       		return nil, err

     

       117
       117
       +
       	}

     

       118
       118
       +
       

     

       119
       119
       +
       	return membersWithoutRoles, nil

     

       120
       120
       +
       }

     

       121
       121
       +
       

     

       122
       122
       +
       func (e *Enforcer) isRole(user, role, domain string) (bool, error) {

     

       123
       123
       +
       	return e.E.HasGroupingPolicy(user, role, domain)

     

       124
       124
       +
       }

     

       125
       125
       +
       

     

       126
       126
       +
       func (e *Enforcer) IsServerOwner(user, domain string) (bool, error) {

     

       127
       127
       +
       	return e.isRole(user, "server:owner", domain)

     

       128
       128
       +
       }

     

       129
       129
       +
       

     

       130
       130
       +
       func (e *Enforcer) IsServerMember(user, domain string) (bool, error) {

     

       131
       131
       +
       	return e.isRole(user, "server:member", domain)

     

       101
       132
        
       }

     

       102
       133
        
       

     

       103
       134
        
       // keyMatch2Func is a wrapper for keyMatch2 to make it compatible with Casbin