patch of WIP: OIDC Authenticated Pipelines · round #0 · pull #454 · tangled.org/core

.gitignore

+2 -3

nix/pkgs/genjwks.nix

···

       1
       1
        
       {

     

       2
       2
       -
         gitignoreSource,

     

       2
       2
       +
         src,

     

       3
       3
        
         buildGoApplication,

     

       4
       4
        
         modules,

     

       5
       5
        
       }:

     

       6
       6
        
       buildGoApplication {

     

       7
       7
        
         pname = "genjwks";

     

       8
       8
        
         version = "0.1.0";

     

       9
       9
       -
         src = gitignoreSource ../..;

     

       10
       10
       -
         inherit modules;

     

       9
       9
       +
         inherit src modules;

     

       11
       10
        
         subPackages = ["cmd/genjwks"];

     

       12
       11
        
         doCheck = false;

     

       13
       12
        
         CGO_ENABLED = 0;

+2 -3

nix/pkgs/knot-unwrapped.nix

···

       2
       2
        
         buildGoApplication,

     

       3
       3
        
         modules,

     

       4
       4
        
         sqlite-lib,

     

       5
       5
       -
         gitignoreSource,

     

       5
       5
       +
         src,

     

       6
       6
        
       }:

     

       7
       7
        
       buildGoApplication {

     

       8
       8
        
         pname = "knot";

     

       9
       9
        
         version = "0.1.0";

     

       10
       10
       -
         src = gitignoreSource ../..;

     

       11
       11
       -
         inherit modules;

     

       10
       10
       +
         inherit src modules;

     

       12
       11
        
       

     

       13
       12
        
         doCheck = false;

     

       14
       13

+2 -3

nix/pkgs/spindle.nix

···

       2
       2
        
         buildGoApplication,

     

       3
       3
        
         modules,

     

       4
       4
        
         sqlite-lib,

     

       5
       5
       -
         gitignoreSource,

     

       5
       5
       +
         src,

     

       6
       6
        
       }:

     

       7
       7
        
       buildGoApplication {

     

       8
       8
        
         pname = "spindle";

     

       9
       9
        
         version = "0.1.0";

     

       10
       10
       -
         src = gitignoreSource ../..;

     

       11
       11
       -
         inherit modules;

     

       10
       10
       +
         inherit src modules;

     

       12
       11
        
       

     

       13
       12
        
         doCheck = false;

     

       14
       13

nix/gomod2nix.toml

···

       66
       66
        
         [mod."github.com/cloudflare/circl"]

     

       67
       67
        
           version = "v1.6.2-0.20250618153321-aa837fd1539d"

     

       68
       68
        
           hash = "sha256-0s/i/XmMcuvPQ+qK9OIU5KxwYZyLVXRtdlYvIXRJT3Y="

     

       69
       69
       +
         [mod."github.com/cloudflare/cloudflare-go"]

     

       70
       70
       +
           version = "v0.115.0"

     

       71
       71
       +
           hash = "sha256-jezmDs6IsHA4rag7DzcHDfDgde0vU4iKgCN9+0XDViw="

     

       69
       72
        
         [mod."github.com/containerd/errdefs"]

     

       70
       73
        
           version = "v1.0.0"

     

       71
       74
        
           hash = "sha256-wMZGoeqvRhuovYCJx0Js4P3qFCNTZ/6Atea/kNYoPMI="

     
···

       169
       172
        
         [mod."github.com/golang/mock"]

     

       170
       173
        
           version = "v1.6.0"

     

       171
       174
        
           hash = "sha256-fWdnMQisRbiRzGT3ISrUHovquzLRHWvcv1JEsJFZRno="

     

       175
       175
       +
         [mod."github.com/google/go-querystring"]

     

       176
       176
       +
           version = "v1.1.0"

     

       177
       177
       +
           hash = "sha256-itsKgKghuX26czU79cK6C2n+lc27jm5Dw1XbIRgwZJY="

     

       172
       178
        
         [mod."github.com/google/uuid"]

     

       173
       179
        
           version = "v1.6.0"

     

       174
       180
        
           hash = "sha256-VWl9sqUzdOuhW0KzQlv0gwwUQClYkmZwSydHG2sALYw="

+22

nix/modules/spindle.nix

···

       54
       54
        
                   example = "did:plc:qfpnj4og54vl56wngdriaxug";

     

       55
       55
        
                   description = "DID of owner (required)";

     

       56
       56
        
                 };

     

       57
       57
       +
       

     

       58
       58
       +
                 secrets = {

     

       59
       59
       +
                   provider = mkOption {

     

       60
       60
       +
                     type = types.str;

     

       61
       61
       +
                     default = "sqlite";

     

       62
       62
       +
                     description = "Backend to use for secret management, valid options are 'sqlite', and 'openbao'.";

     

       63
       63
       +
                   };

     

       64
       64
       +
       

     

       65
       65
       +
                   openbao = {

     

       66
       66
       +
                     proxyAddr = mkOption {

     

       67
       67
       +
                       type = types.str;

     

       68
       68
       +
                       default = "http://127.0.0.1:8200";

     

       69
       69
       +
                     };

     

       70
       70
       +
                     mount = mkOption {

     

       71
       71
       +
                       type = types.str;

     

       72
       72
       +
                       default = "spindle";

     

       73
       73
       +
                     };

     

       74
       74
       +
                   };

     

       75
       75
       +
                 };

     

       57
       76
        
               };

     

       58
       77
        
       

     

       59
       78
        
               pipelines = {

     
···

       89
       108
        
                   "SPINDLE_SERVER_JETSTREAM=${cfg.server.jetstreamEndpoint}"

     

       90
       109
        
                   "SPINDLE_SERVER_DEV=${lib.boolToString cfg.server.dev}"

     

       91
       110
        
                   "SPINDLE_SERVER_OWNER=${cfg.server.owner}"

     

       111
       111
       +
                   "SPINDLE_SERVER_SECRETS_PROVIDER=${cfg.server.secrets.provider}"

     

       112
       112
       +
                   "SPINDLE_SERVER_SECRETS_OPENBAO_PROXY_ADDR=${cfg.server.secrets.openbao.proxyAddr}"

     

       113
       113
       +
                   "SPINDLE_SERVER_SECRETS_OPENBAO_MOUNT=${cfg.server.secrets.openbao.mount}"

     

       92
       114
        
                   "SPINDLE_PIPELINES_NIXERY=${cfg.pipelines.nixery}"

     

       93
       115
        
                   "SPINDLE_PIPELINES_WORKFLOW_TIMEOUT=${cfg.pipelines.workflowTimeout}"

     

       94
       116
        
                 ];

appview/ingester.go

···

       387
       387
        
       		if err != nil {

     

       388
       388
        
       			return fmt.Errorf("failed to update ACLs: %w", err)

     

       389
       389
        
       		}

     

       390
       390
       +
       

     

       391
       391
       +
       		l.Info("added spindle member")

     

       390
       392
        
       	case models.CommitOperationDelete:

     

       391
       393
        
       		rkey := e.Commit.RKey

     

       392
       394
        
       

     
···

       433
       435
        
       		if err = i.Enforcer.E.SavePolicy(); err != nil {

     

       434
       436
        
       			return fmt.Errorf("failed to save ACLs: %w", err)

     

       435
       437
        
       		}

     

       438
       438
       +
       

     

       439
       439
       +
       		l.Info("removed spindle member")

     

       436
       440
        
       	}

     

       437
       441
        
       

     

       438
       442
        
       	return nil

+4 -4

appview/spindles/spindles.go

···

       619
       619
        
       

     

       620
       620
        
       	if string(spindles[0].Owner) != user.Did {

     

       621
       621
        
       		l.Error("unauthorized", "user", user.Did, "owner", spindles[0].Owner)

     

       622
       622
       -
       		s.Pages.Notice(w, noticeId, "Failed to add member, unauthorized attempt.")

     

       622
       622
       +
       		s.Pages.Notice(w, noticeId, "Failed to remove member, unauthorized attempt.")

     

       623
       623
        
       		return

     

       624
       624
        
       	}

     

       625
       625
        
       

     

       626
       626
        
       	member := r.FormValue("member")

     

       627
       627
        
       	if member == "" {

     

       628
       628
        
       		l.Error("empty member")

     

       629
       629
       -
       		s.Pages.Notice(w, noticeId, "Failed to add member, empty form.")

     

       629
       629
       +
       		s.Pages.Notice(w, noticeId, "Failed to remove member, empty form.")

     

       630
       630
        
       		return

     

       631
       631
        
       	}

     

       632
       632
        
       	l = l.With("member", member)

     
···

       634
       634
        
       	memberId, err := s.IdResolver.ResolveIdent(r.Context(), member)

     

       635
       635
        
       	if err != nil {

     

       636
       636
        
       		l.Error("failed to resolve member identity to handle", "err", err)

     

       637
       637
       -
       		s.Pages.Notice(w, noticeId, "Failed to add member, identity resolution failed.")

     

       637
       637
       +
       		s.Pages.Notice(w, noticeId, "Failed to remove member, identity resolution failed.")

     

       638
       638
        
       		return

     

       639
       639
        
       	}

     

       640
       640
        
       	if memberId.Handle.IsInvalidHandle() {

     

       641
       641
        
       		l.Error("failed to resolve member identity to handle")

     

       642
       642
       -
       		s.Pages.Notice(w, noticeId, "Failed to add member, identity resolution failed.")

     

       642
       642
       +
       		s.Pages.Notice(w, noticeId, "Failed to remove member, identity resolution failed.")

     

       643
       643
        
       		return

     

       644
       644
        
       	}

     

       645
       645

+15

spindle/db/db.go

···

       45
       45
        
       			unique(owner, name)

     

       46
       46
        
       		);

     

       47
       47
        
       

     

       48
       48
       +
       		create table if not exists spindle_members (

     

       49
       49
       +
       			-- identifiers for the record

     

       50
       50
       +
       			id integer primary key autoincrement,

     

       51
       51
       +
       			did text not null,

     

       52
       52
       +
       			rkey text not null,

     

       53
       53
       +
       

     

       54
       54
       +
       			-- data

     

       55
       55
       +
       			instance text not null,

     

       56
       56
       +
       			subject text not null,

     

       57
       57
       +
       			created text not null default (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),

     

       58
       58
       +
       

     

       59
       59
       +
       			-- constraints

     

       60
       60
       +
       			unique (did, instance, subject)

     

       61
       61
       +
       		);

     

       62
       62
       +
       

     

       48
       63
        
       		-- status event for a single workflow

     

       49
       64
        
       		create table if not exists events (

     

       50
       65
        
       			rkey text not null,

+59

spindle/db/member.go

···

       1
       1
       +
       package db

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"time"

     

       5
       5
       +
       

     

       6
       6
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       7
       7
       +
       )

     

       8
       8
       +
       

     

       9
       9
       +
       type SpindleMember struct {

     

       10
       10
       +
       	Id       int

     

       11
       11
       +
       	Did      syntax.DID // owner of the record

     

       12
       12
       +
       	Rkey     string     // rkey of the record

     

       13
       13
       +
       	Instance string

     

       14
       14
       +
       	Subject  syntax.DID // the member being added

     

       15
       15
       +
       	Created  time.Time

     

       16
       16
       +
       }

     

       17
       17
       +
       

     

       18
       18
       +
       func AddSpindleMember(db *DB, member SpindleMember) error {

     

       19
       19
       +
       	_, err := db.Exec(

     

       20
       20
       +
       		`insert or ignore into spindle_members (did, rkey, instance, subject) values (?, ?, ?, ?)`,

     

       21
       21
       +
       		member.Did,

     

       22
       22
       +
       		member.Rkey,

     

       23
       23
       +
       		member.Instance,

     

       24
       24
       +
       		member.Subject,

     

       25
       25
       +
       	)

     

       26
       26
       +
       	return err

     

       27
       27
       +
       }

     

       28
       28
       +
       

     

       29
       29
       +
       func RemoveSpindleMember(db *DB, owner_did, rkey string) error {

     

       30
       30
       +
       	_, err := db.Exec(

     

       31
       31
       +
       		"delete from spindle_members where did = ? and rkey = ?",

     

       32
       32
       +
       		owner_did,

     

       33
       33
       +
       		rkey,

     

       34
       34
       +
       	)

     

       35
       35
       +
       	return err

     

       36
       36
       +
       }

     

       37
       37
       +
       

     

       38
       38
       +
       func GetSpindleMember(db *DB, did, rkey string) (*SpindleMember, error) {

     

       39
       39
       +
       	query :=

     

       40
       40
       +
       		`select id, did, rkey, instance, subject, created

     

       41
       41
       +
       		from spindle_members

     

       42
       42
       +
       		where did = ? and rkey = ?`

     

       43
       43
       +
       

     

       44
       44
       +
       	var member SpindleMember

     

       45
       45
       +
       	var createdAt string

     

       46
       46
       +
       	err := db.QueryRow(query, did, rkey).Scan(

     

       47
       47
       +
       		&member.Id,

     

       48
       48
       +
       		&member.Did,

     

       49
       49
       +
       		&member.Rkey,

     

       50
       50
       +
       		&member.Instance,

     

       51
       51
       +
       		&member.Subject,

     

       52
       52
       +
       		&createdAt,

     

       53
       53
       +
       	)

     

       54
       54
       +
       	if err != nil {

     

       55
       55
       +
       		return nil, err

     

       56
       56
       +
       	}

     

       57
       57
       +
       

     

       58
       58
       +
       	return &member, nil

     

       59
       59
       +
       }

+39 -4

spindle/ingester.go

···

       5
       5
        
       	"encoding/json"

     

       6
       6
        
       	"errors"

     

       7
       7
        
       	"fmt"

     

       8
       8
       +
       	"time"

     

       8
       9
        
       

     

       9
       10
        
       	"tangled.sh/tangled.sh/core/api/tangled"

     

       10
       11
        
       	"tangled.sh/tangled.sh/core/eventconsumer"

     

       11
       12
        
       	"tangled.sh/tangled.sh/core/idresolver"

     

       12
       13
        
       	"tangled.sh/tangled.sh/core/rbac"

     

       14
       14
       +
       	"tangled.sh/tangled.sh/core/spindle/db"

     

       13
       15
        
       

     

       14
       16
        
       	comatproto "github.com/bluesky-social/indigo/api/atproto"

     

       15
       17
        
       	"github.com/bluesky-social/indigo/atproto/identity"

     
···

       50
       52
        
       }

     

       51
       53
        
       

     

       52
       54
        
       func (s *Spindle) ingestMember(_ context.Context, e *models.Event) error {

     

       53
       53
       -
       	did := e.Did

     

       54
       55
        
       	var err error

     

       56
       56
       +
       	did := e.Did

     

       57
       57
       +
       	rkey := e.Commit.RKey

     

       55
       58
        
       

     

       56
       59
        
       	l := s.l.With("component", "ingester", "record", tangled.SpindleMemberNSID)

     

       57
       60
        
       

     
···

       66
       69
        
       		}

     

       67
       70
        
       

     

       68
       71
        
       		domain := s.cfg.Server.Hostname

     

       69
       69
       -
       		if s.cfg.Server.Dev {

     

       70
       70
       -
       			domain = s.cfg.Server.ListenAddr

     

       71
       71
       -
       		}

     

       72
       72
        
       		recordInstance := record.Instance

     

       73
       73
        
       

     

       74
       74
        
       		if recordInstance != domain {

     
···

       82
       82
        
       			return fmt.Errorf("failed to enforce permissions: %w", err)

     

       83
       83
        
       		}

     

       84
       84
        
       

     

       85
       85
       +
       		if err := db.AddSpindleMember(s.db, db.SpindleMember{

     

       86
       86
       +
       			Did:      syntax.DID(did),

     

       87
       87
       +
       			Rkey:     rkey,

     

       88
       88
       +
       			Instance: recordInstance,

     

       89
       89
       +
       			Subject:  syntax.DID(record.Subject),

     

       90
       90
       +
       			Created:  time.Now(),

     

       91
       91
       +
       		}); err != nil {

     

       92
       92
       +
       			l.Error("failed to add member", "error", err)

     

       93
       93
       +
       			return fmt.Errorf("failed to add member: %w", err)

     

       94
       94
       +
       		}

     

       95
       95
       +
       

     

       85
       96
        
       		if err := s.e.AddSpindleMember(rbacDomain, record.Subject); err != nil {

     

       86
       97
        
       			l.Error("failed to add member", "error", err)

     

       87
       98
        
       			return fmt.Errorf("failed to add member: %w", err)

     
···

       96
       107
        
       

     

       97
       108
        
       		return nil

     

       98
       109
        
       

     

       110
       110
       +
       	case models.CommitOperationDelete:

     

       111
       111
       +
       		record, err := db.GetSpindleMember(s.db, did, rkey)

     

       112
       112
       +
       		if err != nil {

     

       113
       113
       +
       			l.Error("failed to find member", "error", err)

     

       114
       114
       +
       			return fmt.Errorf("failed to find member: %w", err)

     

       115
       115
       +
       		}

     

       116
       116
       +
       

     

       117
       117
       +
       		if err := db.RemoveSpindleMember(s.db, did, rkey); err != nil {

     

       118
       118
       +
       			l.Error("failed to remove member", "error", err)

     

       119
       119
       +
       			return fmt.Errorf("failed to remove member: %w", err)

     

       120
       120
       +
       		}

     

       121
       121
       +
       

     

       122
       122
       +
       		if err := s.e.RemoveSpindleMember(rbacDomain, record.Subject.String()); err != nil {

     

       123
       123
       +
       			l.Error("failed to add member", "error", err)

     

       124
       124
       +
       			return fmt.Errorf("failed to add member: %w", err)

     

       125
       125
       +
       		}

     

       126
       126
       +
       		l.Info("added member from firehose", "member", record.Subject)

     

       127
       127
       +
       

     

       128
       128
       +
       		if err := s.db.RemoveDid(record.Subject.String()); err != nil {

     

       129
       129
       +
       			l.Error("failed to add did", "error", err)

     

       130
       130
       +
       			return fmt.Errorf("failed to add did: %w", err)

     

       131
       131
       +
       		}

     

       132
       132
       +
       		s.jc.RemoveDid(record.Subject.String())

     

       133
       133
       +
       

     

       99
       134
        
       	}

     

       100
       135
        
       	return nil

     

       101
       136
        
       }

+1 -1

nix/pkgs/lexgen.nix

···

       7
       7
        
         version = "0.1.0";

     

       8
       8
        
         src = indigo;

     

       9
       9
        
         subPackages = ["cmd/lexgen"];

     

       10
       10
       -
         vendorHash = "sha256-pGc29fgJFq8LP7n/pY1cv6ExZl88PAeFqIbFEhB3xXs=";

     

       10
       10
       +
         vendorHash = "sha256-VbDrcN4r5b7utRFQzVsKgDsVgdQLSXl7oZ5kdPA/huw=";

     

       11
       11
        
         doCheck = false;

     

       12
       12
        
       }

appview/config/config.go

···

       16
       16
        
       	AppviewHost             string `env:"APPVIEW_HOST, default=https://tangled.sh"`

     

       17
       17
        
       	Dev                     bool   `env:"DEV, default=false"`

     

       18
       18
        
       	DisallowedNicknamesFile string `env:"DISALLOWED_NICKNAMES_FILE"`

     

       19
       19
       +
       

     

       20
       20
       +
       	// temporarily, to add users to default spindle

     

       21
       21
       +
       	AppPassword string `env:"APP_PASSWORD"`

     

       19
       22
        
       }

     

       20
       23
        
       

     

       21
       24
        
       type OAuthConfig struct {

+141

appview/oauth/handler/handler.go

···

       1
       1
        
       package oauth

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"bytes"

     

       5
       5
       +
       	"context"

     

       4
       6
        
       	"encoding/json"

     

       5
       7
        
       	"fmt"

     

       6
       8
        
       	"log"

     

       7
       9
        
       	"net/http"

     

       8
       10
        
       	"net/url"

     

       9
       11
        
       	"strings"

     

       12
       12
       +
       	"time"

     

       10
       13
        
       

     

       11
       14
        
       	"github.com/go-chi/chi/v5"

     

       12
       15
        
       	"github.com/gorilla/sessions"

     

       13
       16
        
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       14
       17
        
       	"github.com/posthog/posthog-go"

     

       15
       18
        
       	"tangled.sh/icyphox.sh/atproto-oauth/helpers"

     

       19
       19
       +
       	tangled "tangled.sh/tangled.sh/core/api/tangled"

     

       16
       20
        
       	sessioncache "tangled.sh/tangled.sh/core/appview/cache/session"

     

       17
       21
        
       	"tangled.sh/tangled.sh/core/appview/config"

     

       18
       22
        
       	"tangled.sh/tangled.sh/core/appview/db"

     
···

       23
       27
        
       	"tangled.sh/tangled.sh/core/idresolver"

     

       24
       28
        
       	"tangled.sh/tangled.sh/core/knotclient"

     

       25
       29
        
       	"tangled.sh/tangled.sh/core/rbac"

     

       30
       30
       +
       	"tangled.sh/tangled.sh/core/tid"

     

       26
       31
        
       )

     

       27
       32
        
       

     

       28
       33
        
       const (

     
···

       294
       299
        
       

     

       295
       300
        
       	log.Println("session saved successfully")

     

       296
       301
        
       	go o.addToDefaultKnot(oauthRequest.Did)

     

       302
       302
       +
       	go o.addToDefaultSpindle(oauthRequest.Did)

     

       297
       303
        
       

     

       298
       304
        
       	if !o.config.Core.Dev {

     

       299
       305
        
       		err = o.posthog.Enqueue(posthog.Capture{

     
···

       332
       338
        
       	return pubKey, nil

     

       333
       339
        
       }

     

       334
       340
        
       

     

       341
       341
       +
       func (o *OAuthHandler) addToDefaultSpindle(did string) {

     

       342
       342
       +
       	// use the tangled.sh app password to get an accessJwt

     

       343
       343
       +
       	// and create an sh.tangled.spindle.member record with that

     

       344
       344
       +
       

     

       345
       345
       +
       	defaultSpindle := "spindle.tangled.sh"

     

       346
       346
       +
       	appPassword := o.config.Core.AppPassword

     

       347
       347
       +
       

     

       348
       348
       +
       	spindleMembers, err := db.GetSpindleMembers(

     

       349
       349
       +
       		o.db,

     

       350
       350
       +
       		db.FilterEq("instance", "spindle.tangled.sh"),

     

       351
       351
       +
       		db.FilterEq("subject", did),

     

       352
       352
       +
       	)

     

       353
       353
       +
       	if err != nil {

     

       354
       354
       +
       		log.Printf("failed to get spindle members for did %s: %v", did, err)

     

       355
       355
       +
       		return

     

       356
       356
       +
       	}

     

       357
       357
       +
       

     

       358
       358
       +
       	if len(spindleMembers) != 0 {

     

       359
       359
       +
       		log.Printf("did %s is already a member of the default spindle", did)

     

       360
       360
       +
       		return

     

       361
       361
       +
       	}

     

       362
       362
       +
       

     

       363
       363
       +
       	// TODO: hardcoded tangled handle and did for now

     

       364
       364
       +
       	tangledHandle := "tangled.sh"

     

       365
       365
       +
       	tangledDid := "did:plc:wshs7t2adsemcrrd4snkeqli"

     

       366
       366
       +
       

     

       367
       367
       +
       	if appPassword == "" {

     

       368
       368
       +
       		log.Println("no app password configured, skipping spindle member addition")

     

       369
       369
       +
       		return

     

       370
       370
       +
       	}

     

       371
       371
       +
       

     

       372
       372
       +
       	log.Printf("adding %s to default spindle", did)

     

       373
       373
       +
       

     

       374
       374
       +
       	resolved, err := o.idResolver.ResolveIdent(context.Background(), tangledDid)

     

       375
       375
       +
       	if err != nil {

     

       376
       376
       +
       		log.Printf("failed to resolve tangled.sh DID %s: %v", tangledDid, err)

     

       377
       377
       +
       		return

     

       378
       378
       +
       	}

     

       379
       379
       +
       

     

       380
       380
       +
       	pdsEndpoint := resolved.PDSEndpoint()

     

       381
       381
       +
       	if pdsEndpoint == "" {

     

       382
       382
       +
       		log.Printf("no PDS endpoint found for tangled.sh DID %s", tangledDid)

     

       383
       383
       +
       		return

     

       384
       384
       +
       	}

     

       385
       385
       +
       

     

       386
       386
       +
       	sessionPayload := map[string]string{

     

       387
       387
       +
       		"identifier": tangledHandle,

     

       388
       388
       +
       		"password":   appPassword,

     

       389
       389
       +
       	}

     

       390
       390
       +
       	sessionBytes, err := json.Marshal(sessionPayload)

     

       391
       391
       +
       	if err != nil {

     

       392
       392
       +
       		log.Printf("failed to marshal session payload: %v", err)

     

       393
       393
       +
       		return

     

       394
       394
       +
       	}

     

       395
       395
       +
       

     

       396
       396
       +
       	sessionURL := pdsEndpoint + "/xrpc/com.atproto.server.createSession"

     

       397
       397
       +
       	sessionReq, err := http.NewRequestWithContext(context.Background(), "POST", sessionURL, bytes.NewBuffer(sessionBytes))

     

       398
       398
       +
       	if err != nil {

     

       399
       399
       +
       		log.Printf("failed to create session request: %v", err)

     

       400
       400
       +
       		return

     

       401
       401
       +
       	}

     

       402
       402
       +
       	sessionReq.Header.Set("Content-Type", "application/json")

     

       403
       403
       +
       

     

       404
       404
       +
       	client := &http.Client{Timeout: 30 * time.Second}

     

       405
       405
       +
       	sessionResp, err := client.Do(sessionReq)

     

       406
       406
       +
       	if err != nil {

     

       407
       407
       +
       		log.Printf("failed to create session: %v", err)

     

       408
       408
       +
       		return

     

       409
       409
       +
       	}

     

       410
       410
       +
       	defer sessionResp.Body.Close()

     

       411
       411
       +
       

     

       412
       412
       +
       	if sessionResp.StatusCode != http.StatusOK {

     

       413
       413
       +
       		log.Printf("failed to create session: HTTP %d", sessionResp.StatusCode)

     

       414
       414
       +
       		return

     

       415
       415
       +
       	}

     

       416
       416
       +
       

     

       417
       417
       +
       	var session struct {

     

       418
       418
       +
       		AccessJwt string `json:"accessJwt"`

     

       419
       419
       +
       	}

     

       420
       420
       +
       	if err := json.NewDecoder(sessionResp.Body).Decode(&session); err != nil {

     

       421
       421
       +
       		log.Printf("failed to decode session response: %v", err)

     

       422
       422
       +
       		return

     

       423
       423
       +
       	}

     

       424
       424
       +
       

     

       425
       425
       +
       	record := tangled.SpindleMember{

     

       426
       426
       +
       		LexiconTypeID: "sh.tangled.spindle.member",

     

       427
       427
       +
       		Subject:       did,

     

       428
       428
       +
       		Instance:      defaultSpindle,

     

       429
       429
       +
       		CreatedAt:     time.Now().Format(time.RFC3339),

     

       430
       430
       +
       	}

     

       431
       431
       +
       

     

       432
       432
       +
       	recordBytes, err := json.Marshal(record)

     

       433
       433
       +
       	if err != nil {

     

       434
       434
       +
       		log.Printf("failed to marshal spindle member record: %v", err)

     

       435
       435
       +
       		return

     

       436
       436
       +
       	}

     

       437
       437
       +
       

     

       438
       438
       +
       	payload := map[string]interface{}{

     

       439
       439
       +
       		"repo":       tangledDid,

     

       440
       440
       +
       		"collection": tangled.SpindleMemberNSID,

     

       441
       441
       +
       		"rkey":       tid.TID(),

     

       442
       442
       +
       		"record":     json.RawMessage(recordBytes),

     

       443
       443
       +
       	}

     

       444
       444
       +
       

     

       445
       445
       +
       	payloadBytes, err := json.Marshal(payload)

     

       446
       446
       +
       	if err != nil {

     

       447
       447
       +
       		log.Printf("failed to marshal request payload: %v", err)

     

       448
       448
       +
       		return

     

       449
       449
       +
       	}

     

       450
       450
       +
       

     

       451
       451
       +
       	url := pdsEndpoint + "/xrpc/com.atproto.repo.putRecord"

     

       452
       452
       +
       	req, err := http.NewRequestWithContext(context.Background(), "POST", url, bytes.NewBuffer(payloadBytes))

     

       453
       453
       +
       	if err != nil {

     

       454
       454
       +
       		log.Printf("failed to create HTTP request: %v", err)

     

       455
       455
       +
       		return

     

       456
       456
       +
       	}

     

       457
       457
       +
       

     

       458
       458
       +
       	req.Header.Set("Content-Type", "application/json")

     

       459
       459
       +
       	req.Header.Set("Authorization", "Bearer "+session.AccessJwt)

     

       460
       460
       +
       

     

       461
       461
       +
       	resp, err := client.Do(req)

     

       462
       462
       +
       	if err != nil {

     

       463
       463
       +
       		log.Printf("failed to add user to default spindle: %v", err)

     

       464
       464
       +
       		return

     

       465
       465
       +
       	}

     

       466
       466
       +
       	defer resp.Body.Close()

     

       467
       467
       +
       

     

       468
       468
       +
       	if resp.StatusCode != http.StatusOK {

     

       469
       469
       +
       		log.Printf("failed to add user to default spindle: HTTP %d", resp.StatusCode)

     

       470
       470
       +
       		return

     

       471
       471
       +
       	}

     

       472
       472
       +
       

     

       473
       473
       +
       	log.Printf("successfully added %s to default spindle", did)

     

       474
       474
       +
       }

     

       475
       475
       +
       

     

       335
       476
        
       func (o *OAuthHandler) addToDefaultKnot(did string) {

     

       336
       477
        
       	defaultKnot := "knot1.tangled.sh"

     

       337
       478

+1 -1

appview/signup/signup.go

···

       219
       219
        
       		err = s.cf.CreateDNSRecord(r.Context(), dns.Record{

     

       220
       220
        
       			Type:    "TXT",

     

       221
       221
        
       			Name:    "_atproto." + username,

     

       222
       222
       -
       			Content: "did=" + did,

     

       222
       222
       +
       			Content: fmt.Sprintf(`"did=%s"`, did),

     

       223
       223
        
       			TTL:     6400,

     

       224
       224
        
       			Proxied: false,

     

       225
       225
        
       		})

+1 -1

spindle/secrets/openbao.go

···

       132
       132
        
       		return ErrKeyNotFound

     

       133
       133
        
       	}

     

       134
       134
        
       

     

       135
       135
       -
       	err = v.client.KVv2(v.mountPath).Delete(ctx, secretPath)

     

       135
       135
       +
       	err = v.client.KVv2(v.mountPath).DeleteMetadata(ctx, secretPath)

     

       136
       136
        
       	if err != nil {

     

       137
       137
        
       		return fmt.Errorf("failed to delete secret from openbao: %w", err)

     

       138
       138
        
       	}

+1 -1

docs/knot-hosting.md

···

       89
       89
        
       systemctl start knotserver

     

       90
       90
        
       ```

     

       91
       91
        
       

     

       92
       92
       -
       The last step is to configure a reverse proxy like Nginx or Caddy to front yourself

     

       92
       92
       +
       The last step is to configure a reverse proxy like Nginx or Caddy to front your

     

       93
       93
        
       knot. Here's an example configuration for Nginx:

     

       94
       94
        
       

     

       95
       95
        
       ```

+1 -1

docs/spindle/openbao.md

···

       114
       114
        
       ROLE_ID=$(bao read -field=role_id auth/approle/role/spindle/role-id)

     

       115
       115
        
       

     

       116
       116
        
       # Generate secret ID

     

       117
       117
       -
       SECRET_ID=$(bao write -field=secret_id auth/approle/role/spindle/secret-id)

     

       117
       117
       +
       SECRET_ID=$(bao write -f -field=secret_id auth/approle/role/spindle/secret-id)

     

       118
       118
        
       

     

       119
       119
        
       echo "Role ID: $ROLE_ID"

     

       120
       120
        
       echo "Secret ID: $SECRET_ID"

+9 -10

docs/hacking.md

···

       56
       56
        
       `nixosConfiguration` to do so.

     

       57
       57
        
       

     

       58
       58
        
       To begin, head to `http://localhost:3000/knots` in the browser

     

       59
       59
       -
       and generate a knot secret. Replace the existing secret in

     

       60
       60
       -
       `nix/vm.nix` (`KNOT_SERVER_SECRET`) with the newly generated

     

       61
       61
       -
       secret.

     

       59
       59
       +
       and generate a knot secret. Set `$TANGLED_KNOT_SECRET` to it,

     

       60
       60
       +
       ideally in a `.envrc` with [direnv](https://direnv.net) so you

     

       61
       61
       +
       don't lose it.

     

       62
       62
        
       

     

       63
       63
        
       You can now start a lightweight NixOS VM using

     

       64
       64
        
       `nixos-shell` like so:

     
···

       91
       91
        
       

     

       92
       92
        
       ## running a spindle

     

       93
       93
        
       

     

       94
       94
       -
       Be sure to change the `owner` field for the spindle in

     

       95
       95
       -
       `nix/vm.nix` to your own DID. The above VM should already

     

       96
       96
       -
       be running a spindle on `localhost:6555`. You can head to

     

       97
       97
       -
       the spindle dashboard on `http://localhost:3000/spindles`,

     

       98
       98
       -
       and register a spindle with hostname `localhost:6555`. It

     

       99
       99
       -
       should instantly be verified. You can then configure each

     

       100
       100
       -
       repository to use this spindle and run CI jobs.

     

       94
       94
       +
       Be sure to set `$TANGLED_SPINDLE_OWNER` to your own DID.

     

       95
       95
       +
       The above VM should already be running a spindle on `localhost:6555`.

     

       96
       96
       +
       You can head to the spindle dashboard on `http://localhost:3000/spindles`,

     

       97
       97
       +
       and register a spindle with hostname `localhost:6555`. It should instantly

     

       98
       98
       +
       be verified. You can then configure each repository to use this spindle

     

       99
       99
       +
       and run CI jobs.

     

       101
       100
        
       

     

       102
       101
        
       Of interest when debugging spindles:

     

       103
       102

+1 -1

nix/vm.nix

···

       53
       53
        
                 ];

     

       54
       54
        
               };

     

       55
       55
        
               services.getty.autologinUser = "root";

     

       56
       56
       -
               environment.systemPackages = with pkgs; [curl vim git];

     

       56
       56
       +
               environment.systemPackages = with pkgs; [curl vim git sqlite litecli];

     

       57
       57
        
               systemd.tmpfiles.rules = let

     

       58
       58
        
                 u = config.services.tangled-knot.gitUser;

     

       59
       59
        
                 g = config.services.tangled-knot.gitUser;

+2 -2

appview/db/db.go

···

       728
       728
        
       	kind := rv.Kind()

     

       729
       729
        
       

     

       730
       730
        
       	// if we have `FilterIn(k, [1, 2, 3])`, compile it down to `k in (?, ?, ?)`

     

       731
       731
       -
       	if kind == reflect.Slice || kind == reflect.Array {

     

       731
       731
       +
       	if (kind == reflect.Slice && rv.Type().Elem().Kind() != reflect.Uint8) || kind == reflect.Array {

     

       732
       732
        
       		if rv.Len() == 0 {

     

       733
       733
        
       			// always false

     

       734
       734
        
       			return "1 = 0"

     
···

       748
       748
        
       func (f filter) Arg() []any {

     

       749
       749
        
       	rv := reflect.ValueOf(f.arg)

     

       750
       750
        
       	kind := rv.Kind()

     

       751
       751
       -
       	if kind == reflect.Slice || kind == reflect.Array {

     

       751
       751
       +
       	if (kind == reflect.Slice && rv.Type().Elem().Kind() != reflect.Uint8) || kind == reflect.Array {

     

       752
       752
        
       		if rv.Len() == 0 {

     

       753
       753
        
       			return nil

     

       754
       754
        
       		}

+3 -2

appview/pages/templates/repo/tree.html

···

       61
       61
        
       

     

       62
       62
        
                 {{ if .IsFile }}

     

       63
       63
        
                   {{ $icon = "file" }}

     

       64
       64
       -
                   {{ $iconStyle = "size-4" }}

     

       64
       64
       +
                   {{ $iconStyle = "flex-shrink-0 size-4" }}

     

       65
       65
        
                 {{ end }}

     

       66
       66
        
                 <a href="{{ $link }}" class="{{ $linkstyle }}">

     

       67
       67
        
                   <div class="flex items-center gap-2">

     

       68
       68
       -
                     {{ i $icon $iconStyle }}{{ .Name }}

     

       68
       68
       +
                     {{ i $icon $iconStyle }}

     

       69
       69
       +
                     <span class="truncate">{{ .Name }}</span>

     

       69
       70
        
                   </div>

     

       70
       71
        
                 </a>

     

       71
       72
        
               </div>

+23

nix/pkgs/appview-static-files.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         runCommandLocal,

     

       3
       3
       +
         htmx-src,

     

       4
       4
       +
         htmx-ws-src,

     

       5
       5
       +
         lucide-src,

     

       6
       6
       +
         inter-fonts-src,

     

       7
       7
       +
         ibm-plex-mono-src,

     

       8
       8
       +
         sqlite-lib,

     

       9
       9
       +
         tailwindcss,

     

       10
       10
       +
         src,

     

       11
       11
       +
       }:

     

       12
       12
       +
       runCommandLocal "appview-static-files" {} ''

     

       13
       13
       +
         mkdir -p $out/{fonts,icons} && cd $out

     

       14
       14
       +
         cp -f ${htmx-src} htmx.min.js

     

       15
       15
       +
         cp -f ${htmx-ws-src} htmx-ext-ws.min.js

     

       16
       16
       +
         cp -rf ${lucide-src}/*.svg icons/

     

       17
       17
       +
         cp -f ${inter-fonts-src}/web/InterVariable*.woff2 fonts/

     

       18
       18
       +
         cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 fonts/

     

       19
       19
       +
         cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 fonts/

     

       20
       20
       +
         # tailwindcss -c $src/tailwind.config.js -i $src/input.css -o tw.css won't work

     

       21
       21
       +
         # for whatever reason (produces broken css), so we are doing this instead

     

       22
       22
       +
         cd ${src} && ${tailwindcss}/bin/tailwindcss -i input.css -o $out/tw.css

     

       23
       23
       +
       ''

appview/strings/strings.go

···

       99
       99
        
       		w.WriteHeader(http.StatusInternalServerError)

     

       100
       100
        
       		return

     

       101
       101
        
       	}

     

       102
       102
       +
       	if len(strings) < 1 {

     

       103
       103
       +
       		l.Error("string not found")

     

       104
       104
       +
       		s.Pages.Error404(w)

     

       105
       105
       +
       		return

     

       106
       106
       +
       	}

     

       102
       107
        
       	if len(strings) != 1 {

     

       103
       108
        
       		l.Error("incorrect number of records returned", "len(strings)", len(strings))

     

       104
       109
        
       		w.WriteHeader(http.StatusInternalServerError)

-168

appview/pages/templates/repo/settings.html

···

       1
       1
       -
       {{ define "title" }}settings &middot; {{ .RepoInfo.FullName }}{{ end }}

     

       2
       2
       -
       

     

       3
       3
       -
       {{ define "repoContent" }}

     

       4
       4
       -
         {{ template "collaboratorSettings" . }}

     

       5
       5
       -
         {{ template "branchSettings" . }}

     

       6
       6
       -
         {{ template "dangerZone" . }}

     

       7
       7
       -
         {{ template "spindleSelector" . }}

     

       8
       8
       -
         {{ template "spindleSecrets" . }}

     

       9
       9
       -
       {{ end }}

     

       10
       10
       -
       

     

       11
       11
       -
       {{ define "collaboratorSettings" }}

     

       12
       12
       -
         <header class="font-bold text-sm mb-4 uppercase dark:text-white">

     

       13
       13
       -
           Collaborators

     

       14
       14
       -
         </header>

     

       15
       15
       -
       

     

       16
       16
       -
         <div id="collaborator-list" class="flex flex-col gap-2 mb-2">

     

       17
       17
       -
           {{ range .Collaborators }}

     

       18
       18
       -
           <div id="collaborator" class="mb-2">

     

       19
       19
       -
             <a

     

       20
       20
       -
               href="/{{ didOrHandle .Did .Handle }}"

     

       21
       21
       -
               class="no-underline hover:underline text-black dark:text-white"

     

       22
       22
       -
               >

     

       23
       23
       -
               {{ didOrHandle .Did .Handle }}

     

       24
       24
       -
             </a>

     

       25
       25
       -
               <div>

     

       26
       26
       -
                 <span class="text-sm text-gray-500 dark:text-gray-400">

     

       27
       27
       -
                   {{ .Role }}

     

       28
       28
       -
                 </span>

     

       29
       29
       -
               </div>

     

       30
       30
       -
           </div>

     

       31
       31
       -
           {{ end }}

     

       32
       32
       -
         </div>

     

       33
       33
       -
       

     

       34
       34
       -
         {{ if .RepoInfo.Roles.CollaboratorInviteAllowed }}

     

       35
       35
       -
           <form

     

       36
       36
       -
             hx-put="/{{ $.RepoInfo.FullName }}/settings/collaborator"

     

       37
       37
       -
             class="group"

     

       38
       38
       -
           >

     

       39
       39
       -
             <label for="collaborator" class="dark:text-white">

     

       40
       40
       -
               add collaborator

     

       41
       41
       -
             </label>

     

       42
       42
       -
             <input

     

       43
       43
       -
               type="text"

     

       44
       44
       -
               id="collaborator"

     

       45
       45
       -
               name="collaborator"

     

       46
       46
       -
               required

     

       47
       47
       -
               class="dark:bg-gray-700 dark:text-white"

     

       48
       48
       -
               placeholder="enter did or handle">

     

       49
       49
       -
             <button class="btn my-2 flex gap-2 items-center dark:text-white dark:hover:bg-gray-700" type="text">

     

       50
       50
       -
               <span>add</span>

     

       51
       51
       -
               {{ i "loader-circle" "w-4 h-4 animate-spin hidden group-[.htmx-request]:inline" }}

     

       52
       52
       -
             </button>

     

       53
       53
       -
           </form>

     

       54
       54
       -
         {{ end }}

     

       55
       55
       -
       {{ end }}

     

       56
       56
       -
       

     

       57
       57
       -
       {{ define "dangerZone" }}

     

       58
       58
       -
         {{ if .RepoInfo.Roles.RepoDeleteAllowed }}

     

       59
       59
       -
           <form

     

       60
       60
       -
               hx-confirm="Are you sure you want to delete this repository?"

     

       61
       61
       -
               hx-delete="/{{ $.RepoInfo.FullName }}/settings/delete"

     

       62
       62
       -
               class="mt-6"

     

       63
       63
       -
             hx-indicator="#delete-repo-spinner">

     

       64
       64
       -
             <label for="branch">delete repository</label>

     

       65
       65
       -
             <button class="btn my-2 flex items-center" type="text">

     

       66
       66
       -
                 <span>delete</span>

     

       67
       67
       -
                 <span id="delete-repo-spinner" class="group">

     

       68
       68
       -
                   {{ i "loader-circle" "ml-2 w-4 h-4 animate-spin hidden group-[.htmx-request]:inline" }}

     

       69
       69
       -
                 </span>

     

       70
       70
       -
             </button>

     

       71
       71
       -
             <span>

     

       72
       72
       -
               Deleting a repository is irreversible and permanent.

     

       73
       73
       -
             </span>

     

       74
       74
       -
           </form>

     

       75
       75
       -
         {{ end }}

     

       76
       76
       -
       {{ end }}

     

       77
       77
       -
       

     

       78
       78
       -
       {{ define "branchSettings" }}

     

       79
       79
       -
         <form hx-put="/{{ $.RepoInfo.FullName }}/settings/branches/default" class="mt-6 group">

     

       80
       80
       -
           <label for="branch">default branch</label>

     

       81
       81
       -
           <div class="flex gap-2 items-center">

     

       82
       82
       -
             <select id="branch" name="branch" required class="p-1 border border-gray-200 bg-white dark:bg-gray-800 dark:text-white dark:border-gray-700">

     

       83
       83
       -
               <option value="" disabled selected >

     

       84
       84
       -
                 Choose a default branch

     

       85
       85
       -
               </option>

     

       86
       86
       -
               {{ range .Branches }}

     

       87
       87
       -
                 <option value="{{ .Name }}" class="py-1" {{ if .IsDefault }}selected{{ end }} >

     

       88
       88
       -
                   {{ .Name }}

     

       89
       89
       -
                 </option>

     

       90
       90
       -
               {{ end }}

     

       91
       91
       -
             </select>

     

       92
       92
       -
             <button class="btn my-2 flex gap-2 items-center" type="submit">

     

       93
       93
       -
               <span>save</span>

     

       94
       94
       -
               {{ i "loader-circle" "w-4 h-4 animate-spin hidden group-[.htmx-request]:inline" }}

     

       95
       95
       -
             </button>

     

       96
       96
       -
           </div>

     

       97
       97
       -
         </form>

     

       98
       98
       -
       {{ end }}

     

       99
       99
       -
       

     

       100
       100
       -
       {{ define "spindleSelector" }}

     

       101
       101
       -
         {{ if .RepoInfo.Roles.IsOwner }}

     

       102
       102
       -
         <form hx-post="/{{ $.RepoInfo.FullName }}/settings/spindle" class="mt-6 group" >

     

       103
       103
       -
           <label for="spindle">spindle</label>

     

       104
       104
       -
           <div class="flex gap-2 items-center">

     

       105
       105
       -
             <select id="spindle" name="spindle" required class="p-1 border border-gray-200 bg-white dark:bg-gray-800 dark:text-white dark:border-gray-700">

     

       106
       106
       -
               <option value="" selected >

     

       107
       107
       -
                 None

     

       108
       108
       -
               </option>

     

       109
       109
       -
               {{ range .Spindles }}

     

       110
       110
       -
                 <option value="{{ . }}" class="py-1" {{ if eq . $.CurrentSpindle }}selected{{ end }}>

     

       111
       111
       -
                   {{ . }}

     

       112
       112
       -
                 </option>

     

       113
       113
       -
               {{ end }}

     

       114
       114
       -
             </select>

     

       115
       115
       -
             <button class="btn my-2 flex gap-2 items-center" type="submit">

     

       116
       116
       -
               <span>save</span>

     

       117
       117
       -
               {{ i "loader-circle" "w-4 h-4 animate-spin hidden group-[.htmx-request]:inline" }}

     

       118
       118
       -
             </button>

     

       119
       119
       -
           </div>

     

       120
       120
       -
         </form>

     

       121
       121
       -
         {{ end }}

     

       122
       122
       -
       {{ end }}

     

       123
       123
       -
       

     

       124
       124
       -
       {{ define "spindleSecrets" }}

     

       125
       125
       -
         {{ if $.CurrentSpindle }}

     

       126
       126
       -
           <header class="font-bold text-sm mb-4 uppercase dark:text-white">

     

       127
       127
       -
             Secrets

     

       128
       128
       -
           </header>

     

       129
       129
       -
       

     

       130
       130
       -
           <div id="secret-list" class="flex flex-col gap-2 mb-2">

     

       131
       131
       -
             {{ range $idx, $secret := .Secrets }}

     

       132
       132
       -
              {{ with $secret }}

     

       133
       133
       -
                <div id="secret-{{$idx}}" class="mb-2">

     

       134
       134
       -
                  {{ .Key }} created on {{ .CreatedAt }} by {{ .CreatedBy }}

     

       135
       135
       -
                </div>

     

       136
       136
       -
              {{ end }}

     

       137
       137
       -
             {{ end }}

     

       138
       138
       -
           </div>

     

       139
       139
       -
           <form

     

       140
       140
       -
               hx-put="/{{ $.RepoInfo.FullName }}/settings/secrets"

     

       141
       141
       -
               class="mt-6"

     

       142
       142
       -
               hx-indicator="#add-secret-spinner">

     

       143
       143
       -
               <label for="key">secret key</label>

     

       144
       144
       -
               <input

     

       145
       145
       -
                   type="text"

     

       146
       146
       -
                   id="key"

     

       147
       147
       -
                   name="key"

     

       148
       148
       -
                   required

     

       149
       149
       -
                   class="dark:bg-gray-700 dark:text-white"

     

       150
       150
       -
                   placeholder="SECRET_KEY" />

     

       151
       151
       -
               <label for="value">secret value</label>

     

       152
       152
       -
               <input

     

       153
       153
       -
                   type="text"

     

       154
       154
       -
                   id="value"

     

       155
       155
       -
                   name="value"

     

       156
       156
       -
                   required

     

       157
       157
       -
                   class="dark:bg-gray-700 dark:text-white"

     

       158
       158
       -
                   placeholder="SECRET VALUE" />

     

       159
       159
       -
       

     

       160
       160
       -
             <button class="btn my-2 flex items-center" type="text">

     

       161
       161
       -
                 <span>add</span>

     

       162
       162
       -
                 <span id="add-secret-spinner" class="group">

     

       163
       163
       -
                   {{ i "loader-circle" "ml-2 w-4 h-4 animate-spin hidden group-[.htmx-request]:inline" }}

     

       164
       164
       -
                 </span>

     

       165
       165
       -
             </button>

     

       166
       166
       -
           </form>

     

       167
       167
       -
         {{ end }}

     

       168
       168
       -
       {{ end }}

+5 -1

appview/pages/templates/repo/pipelines/workflow.html

···

       19
       19
        
       

     

       20
       20
        
       {{ define "sidebar" }}

     

       21
       21
        
         {{ $active := .Workflow }}

     

       22
       22
       +
       

     

       23
       23
       +
         {{ $activeTab := "bg-white dark:bg-gray-700 drop-shadow-sm" }}

     

       24
       24
       +
         {{ $inactiveTab := "bg-gray-100 dark:bg-gray-800" }}

     

       25
       25
       +
       

     

       22
       26
        
         {{ with .Pipeline }}

     

       23
       27
        
           {{ $id := .Id }}

     

       24
       28
        
           <div class="sticky top-2 grid grid-cols-1 rounded border border-gray-200 dark:border-gray-700 divide-y divide-gray-200 dark:divide-gray-700">

     

       25
       29
        
             {{ range $name, $all := .Statuses }}

     

       26
       30
        
             <a href="/{{ $.RepoInfo.FullName }}/pipelines/{{ $id }}/workflow/{{ $name }}" class="no-underline hover:no-underline hover:bg-gray-100/25 hover:dark:bg-gray-700/25">

     

       27
       31
        
               <div

     

       28
       28
       -
                 class="flex gap-2 items-center justify-between p-2 {{ if eq $name $active }}bg-gray-100/50 dark:bg-gray-700/50{{ end }}">

     

       32
       32
       +
                 class="flex gap-2 items-center justify-between p-2 {{ if eq $name $active }} {{ $activeTab }} {{ else }} {{ $inactiveTab }} {{ end }}">

     

       29
       33
        
                 {{ $lastStatus := $all.Latest }}

     

       30
       34
        
                 {{ $kind := $lastStatus.Status.String }}

     

       31
       35

+242 -2

api/tangled/cbor_gen.go

···

       3923
       3923
        
       	}

     

       3924
       3924
        
       

     

       3925
       3925
        
       	cw := cbg.NewCborWriter(w)

     

       3926
       3926
       -
       	fieldCount := 3

     

       3926
       3926
       +
       	fieldCount := 4

     

       3927
       3927
        
       

     

       3928
       3928
        
       	if t.Environment == nil {

     

       3929
       3929
        
       		fieldCount--

     

       3930
       3930
        
       	}

     

       3931
       3931
        
       

     

       3932
       3932
       +
       	if t.Oidcs_tokens == nil {

     

       3933
       3933
       +
       		fieldCount--

     

       3934
       3934
       +
       	}

     

       3935
       3935
       +
       

     

       3932
       3936
        
       	if _, err := cw.Write(cbg.CborEncodeMajorType(cbg.MajMap, uint64(fieldCount))); err != nil {

     

       3933
       3937
        
       		return err

     

       3934
       3938
        
       	}

     
···

       4007
       4011
        
       

     

       4008
       4012
        
       		}

     

       4009
       4013
        
       	}

     

       4014
       4014
       +
       

     

       4015
       4015
       +
       	// t.Oidcs_tokens ([]*tangled.Pipeline_Step_Oidcs_tokens_Elem) (slice)

     

       4016
       4016
       +
       	if t.Oidcs_tokens != nil {

     

       4017
       4017
       +
       

     

       4018
       4018
       +
       		if len("oidcs_tokens") > 1000000 {

     

       4019
       4019
       +
       			return xerrors.Errorf("Value in field \"oidcs_tokens\" was too long")

     

       4020
       4020
       +
       		}

     

       4021
       4021
       +
       

     

       4022
       4022
       +
       		if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("oidcs_tokens"))); err != nil {

     

       4023
       4023
       +
       			return err

     

       4024
       4024
       +
       		}

     

       4025
       4025
       +
       		if _, err := cw.WriteString(string("oidcs_tokens")); err != nil {

     

       4026
       4026
       +
       			return err

     

       4027
       4027
       +
       		}

     

       4028
       4028
       +
       

     

       4029
       4029
       +
       		if len(t.Oidcs_tokens) > 8192 {

     

       4030
       4030
       +
       			return xerrors.Errorf("Slice value in field t.Oidcs_tokens was too long")

     

       4031
       4031
       +
       		}

     

       4032
       4032
       +
       

     

       4033
       4033
       +
       		if err := cw.WriteMajorTypeHeader(cbg.MajArray, uint64(len(t.Oidcs_tokens))); err != nil {

     

       4034
       4034
       +
       			return err

     

       4035
       4035
       +
       		}

     

       4036
       4036
       +
       		for _, v := range t.Oidcs_tokens {

     

       4037
       4037
       +
       			if err := v.MarshalCBOR(cw); err != nil {

     

       4038
       4038
       +
       				return err

     

       4039
       4039
       +
       			}

     

       4040
       4040
       +
       

     

       4041
       4041
       +
       		}

     

       4042
       4042
       +
       	}

     

       4010
       4043
        
       	return nil

     

       4011
       4044
        
       }

     

       4012
       4045
        
       

     
···

       4035
       4068
        
       

     

       4036
       4069
        
       	n := extra

     

       4037
       4070
        
       

     

       4038
       4038
       -
       	nameBuf := make([]byte, 11)

     

       4071
       4071
       +
       	nameBuf := make([]byte, 12)

     

       4039
       4072
        
       	for i := uint64(0); i < n; i++ {

     

       4040
       4073
        
       		nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 1000000)

     

       4041
       4074
        
       		if err != nil {

     
···

       4122
       4155
        
       

     

       4123
       4156
        
       				}

     

       4124
       4157
        
       			}

     

       4158
       4158
       +
       			// t.Oidcs_tokens ([]*tangled.Pipeline_Step_Oidcs_tokens_Elem) (slice)

     

       4159
       4159
       +
       		case "oidcs_tokens":

     

       4160
       4160
       +
       

     

       4161
       4161
       +
       			maj, extra, err = cr.ReadHeader()

     

       4162
       4162
       +
       			if err != nil {

     

       4163
       4163
       +
       				return err

     

       4164
       4164
       +
       			}

     

       4165
       4165
       +
       

     

       4166
       4166
       +
       			if extra > 8192 {

     

       4167
       4167
       +
       				return fmt.Errorf("t.Oidcs_tokens: array too large (%d)", extra)

     

       4168
       4168
       +
       			}

     

       4169
       4169
       +
       

     

       4170
       4170
       +
       			if maj != cbg.MajArray {

     

       4171
       4171
       +
       				return fmt.Errorf("expected cbor array")

     

       4172
       4172
       +
       			}

     

       4173
       4173
       +
       

     

       4174
       4174
       +
       			if extra > 0 {

     

       4175
       4175
       +
       				t.Oidcs_tokens = make([]*Pipeline_Step_Oidcs_tokens_Elem, extra)

     

       4176
       4176
       +
       			}

     

       4177
       4177
       +
       

     

       4178
       4178
       +
       			for i := 0; i < int(extra); i++ {

     

       4179
       4179
       +
       				{

     

       4180
       4180
       +
       					var maj byte

     

       4181
       4181
       +
       					var extra uint64

     

       4182
       4182
       +
       					var err error

     

       4183
       4183
       +
       					_ = maj

     

       4184
       4184
       +
       					_ = extra

     

       4185
       4185
       +
       					_ = err

     

       4186
       4186
       +
       

     

       4187
       4187
       +
       					{

     

       4188
       4188
       +
       

     

       4189
       4189
       +
       						b, err := cr.ReadByte()

     

       4190
       4190
       +
       						if err != nil {

     

       4191
       4191
       +
       							return err

     

       4192
       4192
       +
       						}

     

       4193
       4193
       +
       						if b != cbg.CborNull[0] {

     

       4194
       4194
       +
       							if err := cr.UnreadByte(); err != nil {

     

       4195
       4195
       +
       								return err

     

       4196
       4196
       +
       							}

     

       4197
       4197
       +
       							t.Oidcs_tokens[i] = new(Pipeline_Step_Oidcs_tokens_Elem)

     

       4198
       4198
       +
       							if err := t.Oidcs_tokens[i].UnmarshalCBOR(cr); err != nil {

     

       4199
       4199
       +
       								return xerrors.Errorf("unmarshaling t.Oidcs_tokens[i] pointer: %w", err)

     

       4200
       4200
       +
       							}

     

       4201
       4201
       +
       						}

     

       4202
       4202
       +
       

     

       4203
       4203
       +
       					}

     

       4204
       4204
       +
       

     

       4205
       4205
       +
       				}

     

       4206
       4206
       +
       			}

     

       4207
       4207
       +
       

     

       4208
       4208
       +
       		default:

     

       4209
       4209
       +
       			// Field doesn't exist on this type, so ignore it

     

       4210
       4210
       +
       			if err := cbg.ScanForLinks(r, func(cid.Cid) {}); err != nil {

     

       4211
       4211
       +
       				return err

     

       4212
       4212
       +
       			}

     

       4213
       4213
       +
       		}

     

       4214
       4214
       +
       	}

     

       4215
       4215
       +
       

     

       4216
       4216
       +
       	return nil

     

       4217
       4217
       +
       }

     

       4218
       4218
       +
       func (t *Pipeline_Step_Oidcs_tokens_Elem) MarshalCBOR(w io.Writer) error {

     

       4219
       4219
       +
       	if t == nil {

     

       4220
       4220
       +
       		_, err := w.Write(cbg.CborNull)

     

       4221
       4221
       +
       		return err

     

       4222
       4222
       +
       	}

     

       4223
       4223
       +
       

     

       4224
       4224
       +
       	cw := cbg.NewCborWriter(w)

     

       4225
       4225
       +
       	fieldCount := 2

     

       4226
       4226
       +
       

     

       4227
       4227
       +
       	if t.Aud == nil {

     

       4228
       4228
       +
       		fieldCount--

     

       4229
       4229
       +
       	}

     

       4230
       4230
       +
       

     

       4231
       4231
       +
       	if _, err := cw.Write(cbg.CborEncodeMajorType(cbg.MajMap, uint64(fieldCount))); err != nil {

     

       4232
       4232
       +
       		return err

     

       4233
       4233
       +
       	}

     

       4234
       4234
       +
       

     

       4235
       4235
       +
       	// t.Aud (string) (string)

     

       4236
       4236
       +
       	if t.Aud != nil {

     

       4237
       4237
       +
       

     

       4238
       4238
       +
       		if len("aud") > 1000000 {

     

       4239
       4239
       +
       			return xerrors.Errorf("Value in field \"aud\" was too long")

     

       4240
       4240
       +
       		}

     

       4241
       4241
       +
       

     

       4242
       4242
       +
       		if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("aud"))); err != nil {

     

       4243
       4243
       +
       			return err

     

       4244
       4244
       +
       		}

     

       4245
       4245
       +
       		if _, err := cw.WriteString(string("aud")); err != nil {

     

       4246
       4246
       +
       			return err

     

       4247
       4247
       +
       		}

     

       4248
       4248
       +
       

     

       4249
       4249
       +
       		if t.Aud == nil {

     

       4250
       4250
       +
       			if _, err := cw.Write(cbg.CborNull); err != nil {

     

       4251
       4251
       +
       				return err

     

       4252
       4252
       +
       			}

     

       4253
       4253
       +
       		} else {

     

       4254
       4254
       +
       			if len(*t.Aud) > 1000000 {

     

       4255
       4255
       +
       				return xerrors.Errorf("Value in field t.Aud was too long")

     

       4256
       4256
       +
       			}

     

       4257
       4257
       +
       

     

       4258
       4258
       +
       			if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(*t.Aud))); err != nil {

     

       4259
       4259
       +
       				return err

     

       4260
       4260
       +
       			}

     

       4261
       4261
       +
       			if _, err := cw.WriteString(string(*t.Aud)); err != nil {

     

       4262
       4262
       +
       				return err

     

       4263
       4263
       +
       			}

     

       4264
       4264
       +
       		}

     

       4265
       4265
       +
       	}

     

       4266
       4266
       +
       

     

       4267
       4267
       +
       	// t.Name (string) (string)

     

       4268
       4268
       +
       	if len("name") > 1000000 {

     

       4269
       4269
       +
       		return xerrors.Errorf("Value in field \"name\" was too long")

     

       4270
       4270
       +
       	}

     

       4271
       4271
       +
       

     

       4272
       4272
       +
       	if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len("name"))); err != nil {

     

       4273
       4273
       +
       		return err

     

       4274
       4274
       +
       	}

     

       4275
       4275
       +
       	if _, err := cw.WriteString(string("name")); err != nil {

     

       4276
       4276
       +
       		return err

     

       4277
       4277
       +
       	}

     

       4278
       4278
       +
       

     

       4279
       4279
       +
       	if len(t.Name) > 1000000 {

     

       4280
       4280
       +
       		return xerrors.Errorf("Value in field t.Name was too long")

     

       4281
       4281
       +
       	}

     

       4282
       4282
       +
       

     

       4283
       4283
       +
       	if err := cw.WriteMajorTypeHeader(cbg.MajTextString, uint64(len(t.Name))); err != nil {

     

       4284
       4284
       +
       		return err

     

       4285
       4285
       +
       	}

     

       4286
       4286
       +
       	if _, err := cw.WriteString(string(t.Name)); err != nil {

     

       4287
       4287
       +
       		return err

     

       4288
       4288
       +
       	}

     

       4289
       4289
       +
       	return nil

     

       4290
       4290
       +
       }

     

       4291
       4291
       +
       

     

       4292
       4292
       +
       func (t *Pipeline_Step_Oidcs_tokens_Elem) UnmarshalCBOR(r io.Reader) (err error) {

     

       4293
       4293
       +
       	*t = Pipeline_Step_Oidcs_tokens_Elem{}

     

       4294
       4294
       +
       

     

       4295
       4295
       +
       	cr := cbg.NewCborReader(r)

     

       4296
       4296
       +
       

     

       4297
       4297
       +
       	maj, extra, err := cr.ReadHeader()

     

       4298
       4298
       +
       	if err != nil {

     

       4299
       4299
       +
       		return err

     

       4300
       4300
       +
       	}

     

       4301
       4301
       +
       	defer func() {

     

       4302
       4302
       +
       		if err == io.EOF {

     

       4303
       4303
       +
       			err = io.ErrUnexpectedEOF

     

       4304
       4304
       +
       		}

     

       4305
       4305
       +
       	}()

     

       4306
       4306
       +
       

     

       4307
       4307
       +
       	if maj != cbg.MajMap {

     

       4308
       4308
       +
       		return fmt.Errorf("cbor input should be of type map")

     

       4309
       4309
       +
       	}

     

       4310
       4310
       +
       

     

       4311
       4311
       +
       	if extra > cbg.MaxLength {

     

       4312
       4312
       +
       		return fmt.Errorf("Pipeline_Step_Oidcs_tokens_Elem: map struct too large (%d)", extra)

     

       4313
       4313
       +
       	}

     

       4314
       4314
       +
       

     

       4315
       4315
       +
       	n := extra

     

       4316
       4316
       +
       

     

       4317
       4317
       +
       	nameBuf := make([]byte, 4)

     

       4318
       4318
       +
       	for i := uint64(0); i < n; i++ {

     

       4319
       4319
       +
       		nameLen, ok, err := cbg.ReadFullStringIntoBuf(cr, nameBuf, 1000000)

     

       4320
       4320
       +
       		if err != nil {

     

       4321
       4321
       +
       			return err

     

       4322
       4322
       +
       		}

     

       4323
       4323
       +
       

     

       4324
       4324
       +
       		if !ok {

     

       4325
       4325
       +
       			// Field doesn't exist on this type, so ignore it

     

       4326
       4326
       +
       			if err := cbg.ScanForLinks(cr, func(cid.Cid) {}); err != nil {

     

       4327
       4327
       +
       				return err

     

       4328
       4328
       +
       			}

     

       4329
       4329
       +
       			continue

     

       4330
       4330
       +
       		}

     

       4331
       4331
       +
       

     

       4332
       4332
       +
       		switch string(nameBuf[:nameLen]) {

     

       4333
       4333
       +
       		// t.Aud (string) (string)

     

       4334
       4334
       +
       		case "aud":

     

       4335
       4335
       +
       

     

       4336
       4336
       +
       			{

     

       4337
       4337
       +
       				b, err := cr.ReadByte()

     

       4338
       4338
       +
       				if err != nil {

     

       4339
       4339
       +
       					return err

     

       4340
       4340
       +
       				}

     

       4341
       4341
       +
       				if b != cbg.CborNull[0] {

     

       4342
       4342
       +
       					if err := cr.UnreadByte(); err != nil {

     

       4343
       4343
       +
       						return err

     

       4344
       4344
       +
       					}

     

       4345
       4345
       +
       

     

       4346
       4346
       +
       					sval, err := cbg.ReadStringWithMax(cr, 1000000)

     

       4347
       4347
       +
       					if err != nil {

     

       4348
       4348
       +
       						return err

     

       4349
       4349
       +
       					}

     

       4350
       4350
       +
       

     

       4351
       4351
       +
       					t.Aud = (*string)(&sval)

     

       4352
       4352
       +
       				}

     

       4353
       4353
       +
       			}

     

       4354
       4354
       +
       			// t.Name (string) (string)

     

       4355
       4355
       +
       		case "name":

     

       4356
       4356
       +
       

     

       4357
       4357
       +
       			{

     

       4358
       4358
       +
       				sval, err := cbg.ReadStringWithMax(cr, 1000000)

     

       4359
       4359
       +
       				if err != nil {

     

       4360
       4360
       +
       					return err

     

       4361
       4361
       +
       				}

     

       4362
       4362
       +
       

     

       4363
       4363
       +
       				t.Name = string(sval)

     

       4364
       4364
       +
       			}

     

       4125
       4365
        
       

     

       4126
       4366
        
       		default:

     

       4127
       4367
        
       			// Field doesn't exist on this type, so ignore it

+9 -3

api/tangled/tangledpipeline.go

···

       63
       63
        
       

     

       64
       64
        
       // Pipeline_Step is a "step" in the sh.tangled.pipeline schema.

     

       65
       65
        
       type Pipeline_Step struct {

     

       66
       66
       -
       	Command     string           `json:"command" cborgen:"command"`

     

       67
       67
       -
       	Environment []*Pipeline_Pair `json:"environment,omitempty" cborgen:"environment,omitempty"`

     

       68
       68
       -
       	Name        string           `json:"name" cborgen:"name"`

     

       66
       66
       +
       	Command      string                             `json:"command" cborgen:"command"`

     

       67
       67
       +
       	Environment  []*Pipeline_Pair                   `json:"environment,omitempty" cborgen:"environment,omitempty"`

     

       68
       68
       +
       	Name         string                             `json:"name" cborgen:"name"`

     

       69
       69
       +
       	Oidcs_tokens []*Pipeline_Step_Oidcs_tokens_Elem `json:"oidcs_tokens,omitempty" cborgen:"oidcs_tokens,omitempty"`

     

       70
       70
       +
       }

     

       71
       71
       +
       

     

       72
       72
       +
       type Pipeline_Step_Oidcs_tokens_Elem struct {

     

       73
       73
       +
       	Aud  *string `json:"aud,omitempty" cborgen:"aud,omitempty"`

     

       74
       74
       +
       	Name string  `json:"name" cborgen:"name"`

     

       69
       75
        
       }

     

       70
       76
        
       

     

       71
       77
        
       // Pipeline_TriggerMetadata is a "triggerMetadata" in the sh.tangled.pipeline schema.

cmd/gen.go

···

       34
       34
        
       		tangled.Pipeline_PushTriggerData{},

     

       35
       35
        
       		tangled.PipelineStatus{},

     

       36
       36
        
       		tangled.Pipeline_Step{},

     

       37
       37
       +
       		tangled.Pipeline_Step_Oidcs_tokens_Elem{},

     

       37
       38
        
       		tangled.Pipeline_TriggerMetadata{},

     

       38
       39
        
       		tangled.Pipeline_TriggerRepo{},

     

       39
       40
        
       		tangled.Pipeline_Workflow{},

+17

lexicons/pipeline/pipeline.json

···

       241
       241
        
                   "type": "ref",

     

       242
       242
        
                   "ref": "#pair"

     

       243
       243
        
                 }

     

       244
       244
       +
               },

     

       245
       245
       +
               "oidcs_tokens": {

     

       246
       246
       +
                 "type": "array",

     

       247
       247
       +
                 "items": {

     

       248
       248
       +
                   "type": "object",

     

       249
       249
       +
                   "required": [

     

       250
       250
       +
                     "name"

     

       251
       251
       +
                   ],

     

       252
       252
       +
                   "properties": {

     

       253
       253
       +
                     "name": {

     

       254
       254
       +
                       "type": "string"

     

       255
       255
       +
                     },

     

       256
       256
       +
                     "aud": {

     

       257
       257
       +
                       "type": "string"

     

       258
       258
       +
                     }

     

       259
       259
       +
                   }

     

       260
       260
       +
                 }

     

       244
       261
        
               }

     

       245
       262
        
             }

     

       246
       263
        
           },

+15 -3

spindle/engine/engine.go

···

       25
       25
        
       	"tangled.sh/tangled.sh/core/spindle/config"

     

       26
       26
        
       	"tangled.sh/tangled.sh/core/spindle/db"

     

       27
       27
        
       	"tangled.sh/tangled.sh/core/spindle/models"

     

       28
       28
       +
       	"tangled.sh/tangled.sh/core/spindle/oidc"

     

       28
       29
        
       	"tangled.sh/tangled.sh/core/spindle/secrets"

     

       29
       30
        
       )

     

       30
       31
        
       

     
···

       41
       42
        
       	n      *notifier.Notifier

     

       42
       43
        
       	cfg    *config.Config

     

       43
       44
        
       	vault  secrets.Manager

     

       45
       45
       +
       	oidc   oidc.OidcTokenGenerator

     

       44
       46
        
       

     

       45
       47
        
       	cleanupMu sync.Mutex

     

       46
       48
        
       	cleanup   map[string][]cleanupFunc

     

       47
       49
        
       }

     

       48
       50
        
       

     

       49
       49
       -
       func New(ctx context.Context, cfg *config.Config, db *db.DB, n *notifier.Notifier, vault secrets.Manager) (*Engine, error) {

     

       51
       51
       +
       func New(ctx context.Context, cfg *config.Config, db *db.DB, n *notifier.Notifier, vault secrets.Manager, oidc *oidc.OidcTokenGenerator) (*Engine, error) {

     

       50
       52
        
       	dcli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())

     

       51
       53
        
       	if err != nil {

     

       52
       54
        
       		return nil, err

     
···

       61
       63
        
       		n:      n,

     

       62
       64
        
       		cfg:    cfg,

     

       63
       65
        
       		vault:  vault,

     

       66
       66
       +
       		oidc:   *oidc,

     

       64
       67
        
       	}

     

       65
       68
        
       

     

       66
       69
        
       	e.cleanup = make(map[string][]cleanupFunc)

     
···

       124
       127
        
       			ctx, cancel := context.WithTimeout(ctx, workflowTimeout)

     

       125
       128
        
       			defer cancel()

     

       126
       129
        
       

     

       127
       127
       -
       			err = e.StartSteps(ctx, wid, w, allSecrets)

     

       130
       130
       +
       			err = e.StartSteps(ctx, wid, w, allSecrets, pipeline, pipelineId)

     

       128
       131
        
       			if err != nil {

     

       129
       132
        
       				if errors.Is(err, ErrTimedOut) {

     

       130
       133
        
       					dbErr := e.db.StatusTimeout(wid, e.n)

     
···

       202
       205
        
       // ONLY marks pipeline as failed if container's exit code is non-zero.

     

       203
       206
        
       // All other errors are bubbled up.

     

       204
       207
        
       // Fixed version of the step execution logic

     

       205
       205
       -
       func (e *Engine) StartSteps(ctx context.Context, wid models.WorkflowId, w models.Workflow, secrets []secrets.UnlockedSecret) error {

     

       208
       208
       +
       func (e *Engine) StartSteps(ctx context.Context, wid models.WorkflowId, w models.Workflow, secrets []secrets.UnlockedSecret, pipeline *models.Pipeline, pipelineId models.PipelineId) error {

     

       206
       209
        
       	workflowEnvs := ConstructEnvs(w.Environment)

     

       207
       210
        
       	for _, s := range secrets {

     

       208
       211
        
       		workflowEnvs.AddEnv(s.Key, s.Value)

     
···

       222
       225
        
       		envs.AddEnv("HOME", workspaceDir)

     

       223
       226
        
       		e.l.Debug("envs for step", "step", step.Name, "envs", envs.Slice())

     

       224
       227
        
       

     

       228
       228
       +
       		for _, t := range step.OidcTokens {

     

       229
       229
       +
       			token, err := e.oidc.CreateToken(t, pipelineId, pipeline.RepoOwner, pipeline.RepoName)

     

       230
       230
       +
       			if err != nil {

     

       231
       231
       +
       				e.l.Error("failed to get OIDC token", "error", err, "token", t.Name)

     

       232
       232
       +
       				return fmt.Errorf("getting OIDC token: %w", err)

     

       233
       233
       +
       			}

     

       234
       234
       +
       			envs.AddEnv(t.Name, token)

     

       235
       235
       +
       		}

     

       236
       236
       +
       

     

       225
       237
        
       		hostConfig := hostConfig(wid)

     

       226
       238
        
       		resp, err := e.docker.ContainerCreate(ctx, &container.Config{

     

       227
       239
        
       			Image:      w.Image,

+14

spindle/models/pipeline.go

···

       18
       18
        
       	Name        string

     

       19
       19
        
       	Environment map[string]string

     

       20
       20
        
       	Kind        StepKind

     

       21
       21
       +
       	OidcTokens  []OidcToken

     

       21
       22
        
       }

     

       22
       23
        
       

     

       23
       24
        
       type StepKind int

     
···

       29
       30
        
       	StepKindUser

     

       30
       31
        
       )

     

       31
       32
        
       

     

       33
       33
       +
       type OidcToken struct {

     

       34
       34
       +
       	Name string

     

       35
       35
       +
       	Aud  *string

     

       36
       36
       +
       }

     

       37
       37
       +
       

     

       32
       38
        
       type Workflow struct {

     

       33
       39
        
       	Steps       []Step

     

       34
       40
        
       	Environment map[string]string

     
···

       60
       66
        
       			sstep.Name = tstep.Name

     

       61
       67
        
       			sstep.Kind = StepKindUser

     

       62
       68
        
       			swf.Steps = append(swf.Steps, sstep)

     

       69
       69
       +
       

     

       70
       70
       +
       			sstep.OidcTokens = make([]OidcToken, 0, len(tstep.Oidcs_tokens))

     

       71
       71
       +
       			for _, ttoken := range tstep.Oidcs_tokens {

     

       72
       72
       +
       				sstep.OidcTokens = append(sstep.OidcTokens, OidcToken{

     

       73
       73
       +
       					Name: ttoken.Name,

     

       74
       74
       +
       					Aud:  ttoken.Aud,

     

       75
       75
       +
       				})

     

       76
       76
       +
       			}

     

       63
       77
        
       		}

     

       64
       78
        
       		swf.Name = twf.Name

     

       65
       79
        
       		swf.Environment = workflowEnvToMap(twf.Environment)

+329

spindle/oidc/oidc.go

···

       1
       1
       +
       package oidc

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"crypto/ecdsa"

     

       5
       5
       +
       	"crypto/elliptic"

     

       6
       6
       +
       	"crypto/rand"

     

       7
       7
       +
       	"encoding/json"

     

       8
       8
       +
       	"fmt"

     

       9
       9
       +
       	"log/slog"

     

       10
       10
       +
       	"net/http"

     

       11
       11
       +
       	"time"

     

       12
       12
       +
       

     

       13
       13
       +
       	"github.com/lestrrat-go/jwx/v2/jwa"

     

       14
       14
       +
       	"github.com/lestrrat-go/jwx/v2/jwk"

     

       15
       15
       +
       	"github.com/lestrrat-go/jwx/v2/jwt"

     

       16
       16
       +
       	"tangled.sh/tangled.sh/core/spindle/models"

     

       17
       17
       +
       )

     

       18
       18
       +
       

     

       19
       19
       +
       const JWKSPath = "/.well-known/jwks.json"

     

       20
       20
       +
       

     

       21
       21
       +
       // OidcKeyPair represents an OIDC key pair with both private and public keys

     

       22
       22
       +
       type OidcKeyPair struct {

     

       23
       23
       +
       	privateKey *ecdsa.PrivateKey

     

       24
       24
       +
       	publicKey  *ecdsa.PublicKey

     

       25
       25
       +
       	keyID      string

     

       26
       26
       +
       	jwkKey     jwk.Key

     

       27
       27
       +
       }

     

       28
       28
       +
       

     

       29
       29
       +
       // OidcTokenGenerator handles OIDC token generation and key management with rotation

     

       30
       30
       +
       type OidcTokenGenerator struct {

     

       31
       31
       +
       	currentKeyPair *OidcKeyPair

     

       32
       32
       +
       	nextKeyPair    *OidcKeyPair

     

       33
       33
       +
       	l              *slog.Logger

     

       34
       34
       +
       	issuer         string

     

       35
       35
       +
       }

     

       36
       36
       +
       

     

       37
       37
       +
       // NewOidcTokenGenerator creates a new OIDC token generator with in-memory key management

     

       38
       38
       +
       func NewOidcTokenGenerator(issuer string) (*OidcTokenGenerator, error) {

     

       39
       39
       +
       	// Create new keys

     

       40
       40
       +
       	currentKeyPair, err := NewOidcKeyPair()

     

       41
       41
       +
       	if err != nil {

     

       42
       42
       +
       		return nil, fmt.Errorf("failed to generate initial current key pair: %w", err)

     

       43
       43
       +
       	}

     

       44
       44
       +
       

     

       45
       45
       +
       	return &OidcTokenGenerator{

     

       46
       46
       +
       		issuer:         issuer,

     

       47
       47
       +
       		currentKeyPair: currentKeyPair,

     

       48
       48
       +
       	}, nil

     

       49
       49
       +
       }

     

       50
       50
       +
       

     

       51
       51
       +
       // NewOidcKeyPair generates a new ECDSA key pair for OIDC token signing

     

       52
       52
       +
       func NewOidcKeyPair() (*OidcKeyPair, error) {

     

       53
       53
       +
       	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

     

       54
       54
       +
       	if err != nil {

     

       55
       55
       +
       		return nil, fmt.Errorf("failed to generate ECDSA key: %w", err)

     

       56
       56
       +
       	}

     

       57
       57
       +
       

     

       58
       58
       +
       	keyID := fmt.Sprintf("spindle-%d", time.Now().Unix())

     

       59
       59
       +
       

     

       60
       60
       +
       	// Create JWK from the private key

     

       61
       61
       +
       	jwkKey, err := jwk.FromRaw(privKey)

     

       62
       62
       +
       	if err != nil {

     

       63
       63
       +
       		return nil, fmt.Errorf("failed to create JWK from private key: %w", err)

     

       64
       64
       +
       	}

     

       65
       65
       +
       

     

       66
       66
       +
       	// Set the key ID

     

       67
       67
       +
       	if err := jwkKey.Set(jwk.KeyIDKey, keyID); err != nil {

     

       68
       68
       +
       		return nil, fmt.Errorf("failed to set key ID: %w", err)

     

       69
       69
       +
       	}

     

       70
       70
       +
       

     

       71
       71
       +
       	// Set algorithm

     

       72
       72
       +
       	if err := jwkKey.Set(jwk.AlgorithmKey, jwa.ES256); err != nil {

     

       73
       73
       +
       		return nil, fmt.Errorf("failed to set algorithm: %w", err)

     

       74
       74
       +
       	}

     

       75
       75
       +
       

     

       76
       76
       +
       	// Set usage

     

       77
       77
       +
       	if err := jwkKey.Set(jwk.KeyUsageKey, "sig"); err != nil {

     

       78
       78
       +
       		return nil, fmt.Errorf("failed to set key usage: %w", err)

     

       79
       79
       +
       	}

     

       80
       80
       +
       

     

       81
       81
       +
       	return &OidcKeyPair{

     

       82
       82
       +
       		privateKey: privKey,

     

       83
       83
       +
       		publicKey:  &privKey.PublicKey,

     

       84
       84
       +
       		keyID:      keyID,

     

       85
       85
       +
       		jwkKey:     jwkKey,

     

       86
       86
       +
       	}, nil

     

       87
       87
       +
       }

     

       88
       88
       +
       

     

       89
       89
       +
       // LoadOidcKeyPair loads an existing key pair from JWK JSON

     

       90
       90
       +
       func LoadOidcKeyPair(jwkJSON []byte) (*OidcKeyPair, error) {

     

       91
       91
       +
       	jwkKey, err := jwk.ParseKey(jwkJSON)

     

       92
       92
       +
       	if err != nil {

     

       93
       93
       +
       		return nil, fmt.Errorf("failed to parse JWK: %w", err)

     

       94
       94
       +
       	}

     

       95
       95
       +
       

     

       96
       96
       +
       	var privKey *ecdsa.PrivateKey

     

       97
       97
       +
       	if err := jwkKey.Raw(&privKey); err != nil {

     

       98
       98
       +
       		return nil, fmt.Errorf("failed to extract private key: %w", err)

     

       99
       99
       +
       	}

     

       100
       100
       +
       

     

       101
       101
       +
       	keyID, ok := jwkKey.Get(jwk.KeyIDKey)

     

       102
       102
       +
       	if !ok {

     

       103
       103
       +
       		return nil, fmt.Errorf("JWK missing key ID")

     

       104
       104
       +
       	}

     

       105
       105
       +
       

     

       106
       106
       +
       	keyIDStr, ok := keyID.(string)

     

       107
       107
       +
       	if !ok {

     

       108
       108
       +
       		return nil, fmt.Errorf("JWK key ID is not a string")

     

       109
       109
       +
       	}

     

       110
       110
       +
       

     

       111
       111
       +
       	return &OidcKeyPair{

     

       112
       112
       +
       		privateKey: privKey,

     

       113
       113
       +
       		publicKey:  &privKey.PublicKey,

     

       114
       114
       +
       		keyID:      keyIDStr,

     

       115
       115
       +
       		jwkKey:     jwkKey,

     

       116
       116
       +
       	}, nil

     

       117
       117
       +
       }

     

       118
       118
       +
       

     

       119
       119
       +
       // GetKeyID returns the key ID

     

       120
       120
       +
       func (k *OidcKeyPair) GetKeyID() string {

     

       121
       121
       +
       	return k.keyID

     

       122
       122
       +
       }

     

       123
       123
       +
       

     

       124
       124
       +
       // RotateKeys performs key rotation: generates new next key, moves next to current

     

       125
       125
       +
       func (g *OidcTokenGenerator) RotateKeys() error {

     

       126
       126
       +
       	// Generate a new key pair for the next key

     

       127
       127
       +
       	newNextKeyPair, err := NewOidcKeyPair()

     

       128
       128
       +
       	if err != nil {

     

       129
       129
       +
       		return fmt.Errorf("failed to generate new next key pair: %w", err)

     

       130
       130
       +
       	}

     

       131
       131
       +
       

     

       132
       132
       +
       	// Perform rotation: next becomes current, new key becomes next

     

       133
       133
       +
       	g.currentKeyPair = g.nextKeyPair

     

       134
       134
       +
       	g.nextKeyPair = newNextKeyPair

     

       135
       135
       +
       

     

       136
       136
       +
       	// If we don't have a current key (first time setup), use the new key

     

       137
       137
       +
       	if g.currentKeyPair == nil {

     

       138
       138
       +
       		g.currentKeyPair = newNextKeyPair

     

       139
       139
       +
       		// Generate another new key for next

     

       140
       140
       +
       		g.nextKeyPair, err = NewOidcKeyPair()

     

       141
       141
       +
       		if err != nil {

     

       142
       142
       +
       			return fmt.Errorf("failed to generate next key pair for first setup: %w", err)

     

       143
       143
       +
       		}

     

       144
       144
       +
       	}

     

       145
       145
       +
       

     

       146
       146
       +
       	return nil

     

       147
       147
       +
       }

     

       148
       148
       +
       

     

       149
       149
       +
       func (g *OidcTokenGenerator) GetCurrentKeyID() string {

     

       150
       150
       +
       	if g.currentKeyPair == nil {

     

       151
       151
       +
       		return ""

     

       152
       152
       +
       	}

     

       153
       153
       +
       	return g.currentKeyPair.GetKeyID()

     

       154
       154
       +
       }

     

       155
       155
       +
       

     

       156
       156
       +
       // GetNextKeyID returns the next key's ID

     

       157
       157
       +
       func (g *OidcTokenGenerator) GetNextKeyID() string {

     

       158
       158
       +
       	if g.nextKeyPair == nil {

     

       159
       159
       +
       		return ""

     

       160
       160
       +
       	}

     

       161
       161
       +
       	return g.nextKeyPair.GetKeyID()

     

       162
       162
       +
       }

     

       163
       163
       +
       

     

       164
       164
       +
       // HasKeys returns true if the generator has at least a current key

     

       165
       165
       +
       func (g *OidcTokenGenerator) HasKeys() bool {

     

       166
       166
       +
       	return g.currentKeyPair != nil

     

       167
       167
       +
       }

     

       168
       168
       +
       

     

       169
       169
       +
       // OidcClaims represents the claims in an OIDC token

     

       170
       170
       +
       type OidcClaims struct {

     

       171
       171
       +
       	// Standard JWT claims

     

       172
       172
       +
       	Issuer    string `json:"iss"`

     

       173
       173
       +
       	Subject   string `json:"sub"`

     

       174
       174
       +
       	Audience  string `json:"aud"`

     

       175
       175
       +
       	ExpiresAt int64  `json:"exp"`

     

       176
       176
       +
       	NotBefore int64  `json:"nbf"`

     

       177
       177
       +
       	IssuedAt  int64  `json:"iat"`

     

       178
       178
       +
       	JWTID     string `json:"jti"`

     

       179
       179
       +
       }

     

       180
       180
       +
       

     

       181
       181
       +
       // CreateToken creates a signed JWT token for the given OidcToken and pipeline context

     

       182
       182
       +
       func (g *OidcTokenGenerator) CreateToken(

     

       183
       183
       +
       	oidcToken models.OidcToken,

     

       184
       184
       +
       	pipelineId models.PipelineId,

     

       185
       185
       +
       	repoOwner, repoName string,

     

       186
       186
       +
       ) (string, error) {

     

       187
       187
       +
       	now := time.Now()

     

       188
       188
       +
       	exp := now.Add(5 * time.Minute)

     

       189
       189
       +
       

     

       190
       190
       +
       	// Determine audience - use the provided audience or default to issuer

     

       191
       191
       +
       	audience := fmt.Sprintf(g.issuer)

     

       192
       192
       +
       	if oidcToken.Aud != nil && *oidcToken.Aud != "" {

     

       193
       193
       +
       		audience = *oidcToken.Aud

     

       194
       194
       +
       	}

     

       195
       195
       +
       

     

       196
       196
       +
       	pipelineUri := pipelineId.AtUri()

     

       197
       197
       +
       

     

       198
       198
       +
       	// Create claims

     

       199
       199
       +
       	claims := OidcClaims{

     

       200
       200
       +
       		Issuer: g.issuer,

     

       201
       201
       +
       		// Hardcode the did as did:web of the issuer. At some point knots will have their own DIDs which will be used here

     

       202
       202
       +
       		Subject:   pipelineUri.String(),

     

       203
       203
       +
       		Audience:  audience,

     

       204
       204
       +
       		ExpiresAt: exp.Unix(),

     

       205
       205
       +
       		NotBefore: now.Unix(),

     

       206
       206
       +
       		IssuedAt:  now.Unix(),

     

       207
       207
       +
       		// Repo owner, name, and id should be global unique but we add timestamp to ensure uniqueness

     

       208
       208
       +
       		JWTID: fmt.Sprintf("%s/%s-%s-%d", repoOwner, repoName, pipelineUri.RecordKey(), now.Unix()),

     

       209
       209
       +
       	}

     

       210
       210
       +
       

     

       211
       211
       +
       	// Create JWT token

     

       212
       212
       +
       	token := jwt.New()

     

       213
       213
       +
       

     

       214
       214
       +
       	// Set all claims

     

       215
       215
       +
       	if err := token.Set(jwt.IssuerKey, claims.Issuer); err != nil {

     

       216
       216
       +
       		return "", fmt.Errorf("failed to set issuer: %w", err)

     

       217
       217
       +
       	}

     

       218
       218
       +
       	if err := token.Set(jwt.SubjectKey, claims.Subject); err != nil {

     

       219
       219
       +
       		return "", fmt.Errorf("failed to set subject: %w", err)

     

       220
       220
       +
       	}

     

       221
       221
       +
       	if err := token.Set(jwt.AudienceKey, claims.Audience); err != nil {

     

       222
       222
       +
       		return "", fmt.Errorf("failed to set audience: %w", err)

     

       223
       223
       +
       	}

     

       224
       224
       +
       	if err := token.Set(jwt.ExpirationKey, claims.ExpiresAt); err != nil {

     

       225
       225
       +
       		return "", fmt.Errorf("failed to set expiration: %w", err)

     

       226
       226
       +
       	}

     

       227
       227
       +
       	if err := token.Set(jwt.NotBeforeKey, claims.NotBefore); err != nil {

     

       228
       228
       +
       		return "", fmt.Errorf("failed to set not before: %w", err)

     

       229
       229
       +
       	}

     

       230
       230
       +
       	if err := token.Set(jwt.IssuedAtKey, claims.IssuedAt); err != nil {

     

       231
       231
       +
       		return "", fmt.Errorf("failed to set issued at: %w", err)

     

       232
       232
       +
       	}

     

       233
       233
       +
       	if err := token.Set(jwt.JwtIDKey, claims.JWTID); err != nil {

     

       234
       234
       +
       		return "", fmt.Errorf("failed to set JWT ID: %w", err)

     

       235
       235
       +
       	}

     

       236
       236
       +
       

     

       237
       237
       +
       	// Sign the token with the current key

     

       238
       238
       +
       	if g.currentKeyPair == nil {

     

       239
       239
       +
       		return "", fmt.Errorf("no current key pair available for signing")

     

       240
       240
       +
       	}

     

       241
       241
       +
       	signedToken, err := jwt.Sign(token, jwt.WithKey(jwa.ES256, g.currentKeyPair.jwkKey))

     

       242
       242
       +
       	if err != nil {

     

       243
       243
       +
       		return "", fmt.Errorf("failed to sign token: %w", err)

     

       244
       244
       +
       	}

     

       245
       245
       +
       

     

       246
       246
       +
       	return string(signedToken), nil

     

       247
       247
       +
       }

     

       248
       248
       +
       

     

       249
       249
       +
       // JWKSHandler serves the JWKS endpoint as an HTTP handler

     

       250
       250
       +
       func (g *OidcTokenGenerator) JWKSHandler(w http.ResponseWriter, r *http.Request) {

     

       251
       251
       +
       	var keys []jwk.Key

     

       252
       252
       +
       

     

       253
       253
       +
       	// Add current key if available

     

       254
       254
       +
       	if g.currentKeyPair != nil {

     

       255
       255
       +
       		pubJWK, err := jwk.PublicKeyOf(g.currentKeyPair.jwkKey)

     

       256
       256
       +
       		if err != nil {

     

       257
       257
       +
       			http.Error(w, fmt.Sprintf("failed to extract current public key from JWK: %v", err), http.StatusInternalServerError)

     

       258
       258
       +
       			return

     

       259
       259
       +
       		}

     

       260
       260
       +
       		keys = append(keys, pubJWK)

     

       261
       261
       +
       	}

     

       262
       262
       +
       

     

       263
       263
       +
       	// Add next key if available

     

       264
       264
       +
       	if g.nextKeyPair != nil {

     

       265
       265
       +
       		pubJWK, err := jwk.PublicKeyOf(g.nextKeyPair.jwkKey)

     

       266
       266
       +
       		if err != nil {

     

       267
       267
       +
       			http.Error(w, fmt.Sprintf("failed to extract next public key from JWK: %v", err), http.StatusInternalServerError)

     

       268
       268
       +
       			return

     

       269
       269
       +
       		}

     

       270
       270
       +
       		keys = append(keys, pubJWK)

     

       271
       271
       +
       	}

     

       272
       272
       +
       

     

       273
       273
       +
       	if len(keys) == 0 {

     

       274
       274
       +
       		http.Error(w, "no keys available for JWKS", http.StatusInternalServerError)

     

       275
       275
       +
       		return

     

       276
       276
       +
       	}

     

       277
       277
       +
       

     

       278
       278
       +
       	jwks := map[string]interface{}{

     

       279
       279
       +
       		"keys": keys,

     

       280
       280
       +
       	}

     

       281
       281
       +
       

     

       282
       282
       +
       	w.Header().Set("Content-Type", "application/json")

     

       283
       283
       +
       	if err := json.NewEncoder(w).Encode(jwks); err != nil {

     

       284
       284
       +
       		http.Error(w, fmt.Sprintf("failed to encode JWKS: %v", err), http.StatusInternalServerError)

     

       285
       285
       +
       	}

     

       286
       286
       +
       }

     

       287
       287
       +
       

     

       288
       288
       +
       // DiscoveryHandler serves the OIDC discovery endpoint for JWKS

     

       289
       289
       +
       func (g *OidcTokenGenerator) DiscoveryHandler(w http.ResponseWriter, r *http.Request) {

     

       290
       290
       +
       	claimsSupported := []string{

     

       291
       291
       +
       		"iss",

     

       292
       292
       +
       		"sub",

     

       293
       293
       +
       		"aud",

     

       294
       294
       +
       		"exp",

     

       295
       295
       +
       		"nbf",

     

       296
       296
       +
       		"iat",

     

       297
       297
       +
       		"jti",

     

       298
       298
       +
       	}

     

       299
       299
       +
       

     

       300
       300
       +
       	responseTypesSupported := []string{

     

       301
       301
       +
       		"id_token",

     

       302
       302
       +
       	}

     

       303
       303
       +
       

     

       304
       304
       +
       	subjectTypesSupported := []string{

     

       305
       305
       +
       		"public",

     

       306
       306
       +
       	}

     

       307
       307
       +
       

     

       308
       308
       +
       	idTokenSigningAlgValuesSupported := []string{

     

       309
       309
       +
       		jwa.RS256.String(),

     

       310
       310
       +
       	}

     

       311
       311
       +
       

     

       312
       312
       +
       	scopesSupported := []string{

     

       313
       313
       +
       		"openid",

     

       314
       314
       +
       	}

     

       315
       315
       +
       

     

       316
       316
       +
       	discovery := map[string]interface{}{

     

       317
       317
       +
       		"issuer":                                g.issuer,

     

       318
       318
       +
       		"jwks_uri":                              fmt.Sprintf("%s%s", g.issuer, JWKSPath),

     

       319
       319
       +
       		"claims_supported":                      claimsSupported,

     

       320
       320
       +
       		"response_types_supported":              responseTypesSupported,

     

       321
       321
       +
       		"subject_types_supported":               subjectTypesSupported,

     

       322
       322
       +
       		"id_token_signing_alg_values_supported": idTokenSigningAlgValuesSupported,

     

       323
       323
       +
       		"scopes_supported":                      scopesSupported,

     

       324
       324
       +
       	}

     

       325
       325
       +
       	w.Header().Set("Content-Type", "application/json")

     

       326
       326
       +
       	if err := json.NewEncoder(w).Encode(discovery); err != nil {

     

       327
       327
       +
       		http.Error(w, fmt.Sprintf("failed to encode discovery document: %v", err), http.StatusInternalServerError)

     

       328
       328
       +
       	}

     

       329
       329
       +
       }