back round 0 view raw

appview: relax auth requirement on artifact download #579

merged

opened by

oppi.li 3 months ago targeting master from push-rlorkkyzokzr

Signed-off-by: oppiliappan me@oppi.li

options

unified split

Changed files

+42 -17

appview

repo

artifact.go

router.go

+40 -14

appview/repo/artifact.go

···

       4
        
       	"context"

     

       5
        
       	"encoding/json"

     

       6
        
       	"fmt"

     

       0
        
       
     

       7
        
       	"log"

     

       8
        
       	"net/http"

     

       9
        
       	"net/url"

     
···

       133
        
       	})

     

       134
        
       }

     

       135
        
       

     

       136
       -
       // TODO: proper statuses here on early exit

     

       137
        
       func (rp *Repo) DownloadArtifact(w http.ResponseWriter, r *http.Request) {

     

       138
       -
       	tagParam := chi.URLParam(r, "tag")

     

       139
       -
       	filename := chi.URLParam(r, "file")

     

       140
        
       	f, err := rp.repoResolver.Resolve(r)

     

       141
        
       	if err != nil {

     

       142
        
       		log.Println("failed to get repo and knot", err)

     

       0
        
       
     

       143
        
       		return

     

       144
        
       	}

     

       145
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       146
        
       	tag, err := rp.resolveTag(r.Context(), f, tagParam)

     

       147
        
       	if err != nil {

     

       148
        
       		log.Println("failed to resolve tag", err)

     
···

       150
        
       		return

     

       151
        
       	}

     

       152
        
       

     

       153
       -
       	client, err := rp.oauth.AuthorizedClient(r)

     

       154
       -
       	if err != nil {

     

       155
       -
       		log.Println("failed to get authorized client", err)

     

       156
       -
       		return

     

       157
       -
       	}

     

       158
       -
       

     

       159
        
       	artifacts, err := db.GetArtifact(

     

       160
        
       		rp.db,

     

       161
        
       		db.FilterEq("repo_at", f.RepoAt()),

     
···

       164
        
       	)

     

       165
        
       	if err != nil {

     

       166
        
       		log.Println("failed to get artifacts", err)

     

       0
        
       
     

       167
        
       		return

     

       168
        
       	}

     

       0
        
       
     

       169
        
       	if len(artifacts) != 1 {

     

       170
       -
       		log.Printf("too many or too little artifacts found")

     

       0
        
       
     

       171
        
       		return

     

       172
        
       	}

     

       173
        
       

     

       174
        
       	artifact := artifacts[0]

     

       175
        
       

     

       176
       -
       	getBlobResp, err := client.SyncGetBlob(r.Context(), artifact.BlobCid.String(), artifact.Did)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       177
        
       	if err != nil {

     

       178
       -
       		log.Println("failed to get blob from pds", err)

     

       0
        
       
     

       179
        
       		return

     

       180
        
       	}

     

       0
        
       
     

       181
        
       

     

       182
       -
       	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", filename))

     

       183
       -
       	w.Write(getBlobResp)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       184
        
       }

     

       185
        
       

     

       186
        
       // TODO: proper statuses here on early exit

···

       4
        
       	"context"

     

       5
        
       	"encoding/json"

     

       6
        
       	"fmt"

     

       7
       +
       	"io"

     

       8
        
       	"log"

     

       9
        
       	"net/http"

     

       10
        
       	"net/url"

     
···

       134
        
       	})

     

       135
        
       }

     

       136
        
       

     

       0
        
       
     

       137
        
       func (rp *Repo) DownloadArtifact(w http.ResponseWriter, r *http.Request) {

     

       0
        
       
     

       0
        
       
     

       138
        
       	f, err := rp.repoResolver.Resolve(r)

     

       139
        
       	if err != nil {

     

       140
        
       		log.Println("failed to get repo and knot", err)

     

       141
       +
       		http.Error(w, "failed to resolve repo", http.StatusInternalServerError)

     

       142
        
       		return

     

       143
        
       	}

     

       144
        
       

     

       145
       +
       	tagParam := chi.URLParam(r, "tag")

     

       146
       +
       	filename := chi.URLParam(r, "file")

     

       147
       +
       

     

       148
        
       	tag, err := rp.resolveTag(r.Context(), f, tagParam)

     

       149
        
       	if err != nil {

     

       150
        
       		log.Println("failed to resolve tag", err)

     
···

       152
        
       		return

     

       153
        
       	}

     

       154
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       155
        
       	artifacts, err := db.GetArtifact(

     

       156
        
       		rp.db,

     

       157
        
       		db.FilterEq("repo_at", f.RepoAt()),

     
···

       160
        
       	)

     

       161
        
       	if err != nil {

     

       162
        
       		log.Println("failed to get artifacts", err)

     

       163
       +
       		http.Error(w, "failed to get artifact", http.StatusInternalServerError)

     

       164
        
       		return

     

       165
        
       	}

     

       166
       +
       

     

       167
        
       	if len(artifacts) != 1 {

     

       168
       +
       		log.Printf("too many or too few artifacts found")

     

       169
       +
       		http.Error(w, "artifact not found", http.StatusNotFound)

     

       170
        
       		return

     

       171
        
       	}

     

       172
        
       

     

       173
        
       	artifact := artifacts[0]

     

       174
        
       

     

       175
       +
       	ownerPds := f.OwnerId.PDSEndpoint()

     

       176
       +
       	url, _ := url.Parse(fmt.Sprintf("%s/xrpc/com.atproto.sync.getBlob", ownerPds))

     

       177
       +
       	q := url.Query()

     

       178
       +
       	q.Set("cid", artifact.BlobCid.String())

     

       179
       +
       	q.Set("did", artifact.Did)

     

       180
       +
       	url.RawQuery = q.Encode()

     

       181
       +
       

     

       182
       +
       	req, err := http.NewRequest(http.MethodGet, url.String(), nil)

     

       183
        
       	if err != nil {

     

       184
       +
       		log.Println("failed to create request", err)

     

       185
       +
       		http.Error(w, "failed to create request", http.StatusInternalServerError)

     

       186
        
       		return

     

       187
        
       	}

     

       188
       +
       	req.Header.Set("Content-Type", "application/json")

     

       189
        
       

     

       190
       +
       	resp, err := http.DefaultClient.Do(req)

     

       191
       +
       	if err != nil {

     

       192
       +
       		log.Println("failed to make request", err)

     

       193
       +
       		http.Error(w, "failed to make request to PDS", http.StatusInternalServerError)

     

       194
       +
       		return

     

       195
       +
       	}

     

       196
       +
       	defer resp.Body.Close()

     

       197
       +
       

     

       198
       +
       	// copy status code and relevant headers from upstream response

     

       199
       +
       	w.WriteHeader(resp.StatusCode)

     

       200
       +
       	for key, values := range resp.Header {

     

       201
       +
       		for _, v := range values {

     

       202
       +
       			w.Header().Add(key, v)

     

       203
       +
       		}

     

       204
       +
       	}

     

       205
       +
       

     

       206
       +
       	// stream the body directly to the client

     

       207
       +
       	if _, err := io.Copy(w, resp.Body); err != nil {

     

       208
       +
       		log.Println("error streaming response to client:", err)

     

       209
       +
       	}

     

       210
        
       }

     

       211
        
       

     

       212
        
       // TODO: proper statuses here on early exit

+2 -3

appview/repo/router.go

···

       21
        
       	r.Route("/tags", func(r chi.Router) {

     

       22
        
       		r.Get("/", rp.RepoTags)

     

       23
        
       		r.Route("/{tag}", func(r chi.Router) {

     

       24
       -
       			r.Use(middleware.AuthMiddleware(rp.oauth))

     

       25
       -
       			// require auth to download for now

     

       26
        
       			r.Get("/download/{file}", rp.DownloadArtifact)

     

       27
        
       

     

       28
        
       			// require repo:push to upload or delete artifacts

     
···

       30
        
       			// additionally: only the uploader can truly delete an artifact

     

       31
        
       			// (record+blob will live on their pds)

     

       32
        
       			r.Group(func(r chi.Router) {

     

       33
       -
       				r.With(mw.RepoPermissionMiddleware("repo:push"))

     

       0
        
       
     

       34
        
       				r.Post("/upload", rp.AttachArtifact)

     

       35
        
       				r.Delete("/{file}", rp.DeleteArtifact)

     

       36
        
       			})

···

       21
        
       	r.Route("/tags", func(r chi.Router) {

     

       22
        
       		r.Get("/", rp.RepoTags)

     

       23
        
       		r.Route("/{tag}", func(r chi.Router) {

     

       0
        
       
     

       0
        
       
     

       24
        
       			r.Get("/download/{file}", rp.DownloadArtifact)

     

       25
        
       

     

       26
        
       			// require repo:push to upload or delete artifacts

     
···

       28
        
       			// additionally: only the uploader can truly delete an artifact

     

       29
        
       			// (record+blob will live on their pds)

     

       30
        
       			r.Group(func(r chi.Router) {

     

       31
       +
       				r.Use(middleware.AuthMiddleware(rp.oauth))

     

       32
       +
       				r.Use(mw.RepoPermissionMiddleware("repo:push"))

     

       33
        
       				r.Post("/upload", rp.AttachArtifact)

     

       34
        
       				r.Delete("/{file}", rp.DeleteArtifact)

     

       35
        
       			})