patch of guard,knotserver/internal: move guard logic to internal server · round #0 · pull #772 · tangled.org/core

+36 -67

guard/guard.go

···

       12
       12
        
       	"os/exec"

     

       13
       13
        
       	"strings"

     

       14
       14
        
       

     

       15
       15
       -
       	"github.com/bluesky-social/indigo/atproto/identity"

     

       16
       15
        
       	securejoin "github.com/cyphar/filepath-securejoin"

     

       17
       16
        
       	"github.com/urfave/cli/v3"

     

       18
       18
       -
       	"tangled.org/core/idresolver"

     

       19
       19
       -
       	"tangled.org/core/knotserver/config"

     

       20
       17
        
       	"tangled.org/core/log"

     

       21
       18
        
       )

     

       22
       19
        
       

     
···

       58
       55
        
       func Run(ctx context.Context, cmd *cli.Command) error {

     

       59
       56
        
       	l := log.FromContext(ctx)

     

       60
       57
        
       

     

       61
       61
       -
       	c, err := config.Load(ctx)

     

       62
       62
       -
       	if err != nil {

     

       63
       63
       -
       		return fmt.Errorf("failed to load config: %w", err)

     

       64
       64
       -
       	}

     

       65
       65
       -
       

     

       66
       58
        
       	incomingUser := cmd.String("user")

     

       67
       59
        
       	gitDir := cmd.String("git-dir")

     

       68
       60
        
       	logPath := cmd.String("log-path")

     
···

       99
       91
        
       		"command", sshCommand,

     

       100
       92
        
       		"client", clientIP)

     

       101
       93
        
       

     

       94
       94
       +
       	// TODO: greet user with their resolved handle instead of did

     

       102
       95
        
       	if sshCommand == "" {

     

       103
       96
        
       		l.Info("access denied: no interactive shells", "user", incomingUser)

     

       104
       97
        
       		fmt.Fprintf(os.Stderr, "Hi @%s! You've successfully authenticated.\n", incomingUser)

     
···

       113
       106
        
       	}

     

       114
       107
        
       

     

       115
       108
        
       	gitCommand := cmdParts[0]

     

       116
       116
       -
       

     

       117
       117
       -
       	// did:foo/repo-name or

     

       118
       118
       -
       	// handle/repo-name or

     

       119
       119
       -
       	// any of the above with a leading slash (/)

     

       120
       120
       -
       

     

       121
       121
       -
       	components := strings.Split(strings.TrimPrefix(strings.Trim(cmdParts[1], "'"), "/"), "/")

     

       122
       122
       -
       	l.Info("command components", "components", components)

     

       123
       123
       -
       

     

       124
       124
       -
       	if len(components) != 2 {

     

       125
       125
       -
       		l.Error("invalid repo format", "components", components)

     

       126
       126
       -
       		fmt.Fprintln(os.Stderr, "invalid repo format, needs <user>/<repo> or /<user>/<repo>")

     

       127
       127
       -
       		os.Exit(-1)

     

       128
       128
       -
       	}

     

       129
       129
       -
       

     

       130
       130
       -
       	didOrHandle := components[0]

     

       131
       131
       -
       	identity := resolveIdentity(ctx, c, l, didOrHandle)

     

       132
       132
       -
       	did := identity.DID.String()

     

       133
       133
       -
       	repoName := components[1]

     

       134
       134
       -
       	qualifiedRepoName, _ := securejoin.SecureJoin(did, repoName)

     

       109
       109
       +
       	repoPath := cmdParts[1]

     

       135
       110
        
       

     

       136
       111
        
       	validCommands := map[string]bool{

     

       137
       112
        
       		"git-receive-pack":   true,

     
···

       144
       119
        
       		return fmt.Errorf("access denied: invalid git command")

     

       145
       120
        
       	}

     

       146
       121
        
       

     

       147
       147
       -
       	if gitCommand != "git-upload-pack" {

     

       148
       148
       -
       		if !isPushPermitted(l, incomingUser, qualifiedRepoName, endpoint) {

     

       149
       149
       -
       			l.Error("access denied: user not allowed",

     

       150
       150
       -
       				"did", incomingUser,

     

       151
       151
       -
       				"reponame", qualifiedRepoName)

     

       152
       152
       -
       			fmt.Fprintln(os.Stderr, "access denied: user not allowed")

     

       153
       153
       -
       			os.Exit(-1)

     

       154
       154
       -
       		}

     

       122
       122
       +
       	// qualify repo path from internal server which holds the knot config

     

       123
       123
       +
       	qualifiedRepoPath, err := guardAndQualifyRepo(l, endpoint, incomingUser, repoPath, gitCommand)

     

       124
       124
       +
       	if err != nil {

     

       125
       125
       +
       		l.Error("failed to run guard", "err", err)

     

       126
       126
       +
       		fmt.Fprintln(os.Stderr, err)

     

       127
       127
       +
       		os.Exit(1)

     

       155
       128
        
       	}

     

       156
       129
        
       

     

       157
       157
       -
       	fullPath, _ := securejoin.SecureJoin(gitDir, qualifiedRepoName)

     

       130
       130
       +
       	fullPath, _ := securejoin.SecureJoin(gitDir, qualifiedRepoPath)

     

       158
       131
        
       

     

       159
       132
        
       	l.Info("processing command",

     

       160
       133
        
       		"user", incomingUser,

     

       161
       134
        
       		"command", gitCommand,

     

       162
       162
       -
       		"repo", repoName,

     

       135
       135
       +
       		"repo", repoPath,

     

       163
       136
        
       		"fullPath", fullPath,

     

       164
       137
        
       		"client", clientIP)

     

       165
       138
        
       

     
···

       183
       156
        
       	gitCmd.Stdin = os.Stdin

     

       184
       157
        
       	gitCmd.Env = append(os.Environ(),

     

       185
       158
        
       		fmt.Sprintf("GIT_USER_DID=%s", incomingUser),

     

       186
       186
       -
       		fmt.Sprintf("GIT_USER_PDS_ENDPOINT=%s", identity.PDSEndpoint()),

     

       187
       159
        
       	)

     

       188
       160
        
       

     

       189
       161
        
       	if err := gitCmd.Run(); err != nil {

     
···

       195
       167
        
       	l.Info("command completed",

     

       196
       168
        
       		"user", incomingUser,

     

       197
       169
        
       		"command", gitCommand,

     

       198
       198
       -
       		"repo", repoName,

     

       170
       170
       +
       		"repo", repoPath,

     

       199
       171
        
       		"success", true)

     

       200
       172
        
       

     

       201
       173
        
       	return nil

     

       202
       174
        
       }

     

       203
       175
        
       

     

       204
       204
       -
       func resolveIdentity(ctx context.Context, c *config.Config, l *slog.Logger, didOrHandle string) *identity.Identity {

     

       205
       205
       -
       	resolver := idresolver.DefaultResolver(c.Server.PlcUrl)

     

       206
       206
       -
       	ident, err := resolver.ResolveIdent(ctx, didOrHandle)

     

       207
       207
       -
       	if err != nil {

     

       208
       208
       -
       		l.Error("Error resolving handle", "error", err, "handle", didOrHandle)

     

       209
       209
       -
       		fmt.Fprintf(os.Stderr, "error resolving handle: %v\n", err)

     

       210
       210
       -
       		os.Exit(1)

     

       211
       211
       -
       	}

     

       212
       212
       -
       	if ident.Handle.IsInvalidHandle() {

     

       213
       213
       -
       		l.Error("Error resolving handle", "invalid handle", didOrHandle)

     

       214
       214
       -
       		fmt.Fprintf(os.Stderr, "error resolving handle: invalid handle\n")

     

       215
       215
       -
       		os.Exit(1)

     

       216
       216
       -
       	}

     

       217
       217
       -
       	return ident

     

       218
       218
       -
       }

     

       219
       219
       -
       

     

       220
       220
       -
       func isPushPermitted(l *slog.Logger, user, qualifiedRepoName, endpoint string) bool {

     

       221
       221
       -
       	u, _ := url.Parse(endpoint + "/push-allowed")

     

       176
       176
       +
       // runs guardAndQualifyRepo logic

     

       177
       177
       +
       func guardAndQualifyRepo(l *slog.Logger, endpoint, incomingUser, repo, gitCommand string) (string, error) {

     

       178
       178
       +
       	u, _ := url.Parse(endpoint + "/guard")

     

       222
       179
        
       	q := u.Query()

     

       223
       223
       -
       	q.Add("user", user)

     

       224
       224
       -
       	q.Add("repo", qualifiedRepoName)

     

       180
       180
       +
       	q.Add("user", incomingUser)

     

       181
       181
       +
       	q.Add("repo", repo)

     

       182
       182
       +
       	q.Add("gitCmd", gitCommand)

     

       225
       183
        
       	u.RawQuery = q.Encode()

     

       226
       184
        
       

     

       227
       227
       -
       	req, err := http.Get(u.String())

     

       185
       185
       +
       	resp, err := http.Get(u.String())

     

       228
       186
        
       	if err != nil {

     

       229
       229
       -
       		l.Error("Error verifying permissions", "error", err)

     

       230
       230
       -
       		fmt.Fprintf(os.Stderr, "error verifying permissions: %v\n", err)

     

       231
       231
       -
       		os.Exit(1)

     

       187
       187
       +
       		return "", err

     

       232
       188
        
       	}

     

       189
       189
       +
       	defer resp.Body.Close()

     

       190
       190
       +
       

     

       191
       191
       +
       	l.Info("Running guard", "url", u.String(), "status", resp.Status)

     

       233
       192
        
       

     

       234
       234
       -
       	l.Info("Checking push permission",

     

       235
       235
       -
       		"url", u.String(),

     

       236
       236
       -
       		"status", req.Status)

     

       193
       193
       +
       	body, err := io.ReadAll(resp.Body)

     

       194
       194
       +
       	if err != nil {

     

       195
       195
       +
       		return "", err

     

       196
       196
       +
       	}

     

       197
       197
       +
       	text := string(body)

     

       237
       198
        
       

     

       238
       238
       -
       	return req.StatusCode == http.StatusNoContent

     

       199
       199
       +
       	switch resp.StatusCode {

     

       200
       200
       +
       	case http.StatusOK:

     

       201
       201
       +
       		return text, nil

     

       202
       202
       +
       	case http.StatusForbidden:

     

       203
       203
       +
       		l.Error("access denied: user not allowed", "did", incomingUser, "reponame", text)

     

       204
       204
       +
       		return text, errors.New("access denied: user not allowed")

     

       205
       205
       +
       	default:

     

       206
       206
       +
       		return "", errors.New(text)

     

       207
       207
       +
       	}

     

       239
       208
        
       }

+61

knotserver/internal.go

···

       68
       68
        
       	writeJSON(w, data)

     

       69
       69
        
       }

     

       70
       70
        
       

     

       71
       71
       +
       // response in text/plain format

     

       72
       72
       +
       // the body will be qualified repository path on success/push-denied

     

       73
       73
       +
       // or an error message when process failed

     

       74
       74
       +
       func (h *InternalHandle) Guard(w http.ResponseWriter, r *http.Request) {

     

       75
       75
       +
       	l := h.l.With("handler", "PostReceiveHook")

     

       76
       76
       +
       

     

       77
       77
       +
       	var (

     

       78
       78
       +
       		incomingUser = r.URL.Query().Get("user")

     

       79
       79
       +
       		repo         = r.URL.Query().Get("repo")

     

       80
       80
       +
       		gitCommand   = r.URL.Query().Get("gitCmd")

     

       81
       81
       +
       	)

     

       82
       82
       +
       

     

       83
       83
       +
       	if incomingUser == "" || repo == "" || gitCommand == "" {

     

       84
       84
       +
       		w.WriteHeader(http.StatusBadRequest)

     

       85
       85
       +
       		l.Error("invalid request", "incomingUser", incomingUser, "repo", repo, "gitCommand", gitCommand)

     

       86
       86
       +
       		fmt.Fprintln(w, "invalid internal request")

     

       87
       87
       +
       		return

     

       88
       88
       +
       	}

     

       89
       89
       +
       

     

       90
       90
       +
       	// did:foo/repo-name or

     

       91
       91
       +
       	// handle/repo-name or

     

       92
       92
       +
       	// any of the above with a leading slash (/)

     

       93
       93
       +
       	components := strings.Split(strings.TrimPrefix(strings.Trim(repo, "'"), "/"), "/")

     

       94
       94
       +
       	l.Info("command components", "components", components)

     

       95
       95
       +
       

     

       96
       96
       +
       	if len(components) != 2 {

     

       97
       97
       +
       		w.WriteHeader(http.StatusBadRequest)

     

       98
       98
       +
       		l.Error("invalid repo format", "components", components)

     

       99
       99
       +
       		fmt.Fprintln(w, "invalid repo format, needs <user>/<repo> or /<user>/<repo>")

     

       100
       100
       +
       		return

     

       101
       101
       +
       	}

     

       102
       102
       +
       	repoOwner := components[0]

     

       103
       103
       +
       	repoName := components[1]

     

       104
       104
       +
       

     

       105
       105
       +
       	resolver := idresolver.DefaultResolver(h.c.Server.PlcUrl)

     

       106
       106
       +
       

     

       107
       107
       +
       	repoOwnerIdent, err := resolver.ResolveIdent(r.Context(), repoOwner)

     

       108
       108
       +
       	if err != nil || repoOwnerIdent.Handle.IsInvalidHandle() {

     

       109
       109
       +
       		l.Error("Error resolving handle", "handle", repoOwner, "err", err)

     

       110
       110
       +
       		w.WriteHeader(http.StatusInternalServerError)

     

       111
       111
       +
       		fmt.Fprintf(w, "error resolving handle: invalid handle\n")

     

       112
       112
       +
       		return

     

       113
       113
       +
       	}

     

       114
       114
       +
       	repoOwnerDid := repoOwnerIdent.DID.String()

     

       115
       115
       +
       

     

       116
       116
       +
       	qualifiedRepo, _ := securejoin.SecureJoin(repoOwnerDid, repoName)

     

       117
       117
       +
       

     

       118
       118
       +
       	if gitCommand == "git-receive-pack" {

     

       119
       119
       +
       		ok, err := h.e.IsPushAllowed(incomingUser, rbac.ThisServer, qualifiedRepo)

     

       120
       120
       +
       		if err != nil || !ok {

     

       121
       121
       +
       			w.WriteHeader(http.StatusForbidden)

     

       122
       122
       +
       			fmt.Fprint(w, repo)

     

       123
       123
       +
       			return

     

       124
       124
       +
       		}

     

       125
       125
       +
       	}

     

       126
       126
       +
       

     

       127
       127
       +
       	w.WriteHeader(http.StatusOK)

     

       128
       128
       +
       	fmt.Fprint(w, qualifiedRepo)

     

       129
       129
       +
       }

     

       130
       130
       +
       

     

       71
       131
        
       type PushOptions struct {

     

       72
       132
        
       	skipCi    bool

     

       73
       133
        
       	verboseCi bool

     
···

       366
       426
        
       

     

       367
       427
        
       	r.Get("/push-allowed", h.PushAllowed)

     

       368
       428
        
       	r.Get("/keys", h.InternalKeys)

     

       429
       429
       +
       	r.Get("/guard", h.Guard)

     

       369
       430
        
       	r.Post("/hooks/post-receive", h.PostReceiveHook)

     

       370
       431
        
       	r.Mount("/debug", middleware.Profiler())

     

       371
       432