commit dee839bf3ad8a03dce3d82d57943684976047b6b · veryroundbird.house/core

+3 -2

knotserver/ingester.go

···

       21
       21
        
       	"tangled.sh/tangled.sh/core/knotserver/db"

     

       22
       22
        
       	"tangled.sh/tangled.sh/core/knotserver/git"

     

       23
       23
        
       	"tangled.sh/tangled.sh/core/log"

     

       24
       24
       +
       	"tangled.sh/tangled.sh/core/rbac"

     

       24
       25
        
       	"tangled.sh/tangled.sh/core/workflow"

     

       25
       26
        
       )

     

       26
       27
        
       

     
···

       46
       47
        
       		return fmt.Errorf("domain mismatch: %s != %s", record.Domain, h.c.Server.Hostname)

     

       47
       48
        
       	}

     

       48
       49
        
       

     

       49
       49
       -
       	ok, err := h.e.E.Enforce(did, ThisServer, ThisServer, "server:invite")

     

       50
       50
       +
       	ok, err := h.e.E.Enforce(did, rbac.ThisServer, rbac.ThisServer, "server:invite")

     

       50
       51
        
       	if err != nil || !ok {

     

       51
       52
        
       		l.Error("failed to add member", "did", did)

     

       52
       53
        
       		return fmt.Errorf("failed to enforce permissions: %w", err)

     

       53
       54
        
       	}

     

       54
       55
        
       

     

       55
       55
       -
       	if err := h.e.AddKnotMember(ThisServer, record.Subject); err != nil {

     

       56
       56
       +
       	if err := h.e.AddKnotMember(rbac.ThisServer, record.Subject); err != nil {

     

       56
       57
        
       		l.Error("failed to add member", "error", err)

     

       57
       58
        
       		return fmt.Errorf("failed to add member: %w", err)

     

       58
       59
        
       	}

+1 -1

knotserver/internal.go

···

       38
       38
        
       		return

     

       39
       39
        
       	}

     

       40
       40
        
       

     

       41
       41
       -
       	ok, err := h.e.IsPushAllowed(user, ThisServer, repo)

     

       41
       41
       +
       	ok, err := h.e.IsPushAllowed(user, rbac.ThisServer, repo)

     

       42
       42
        
       	if err != nil || !ok {

     

       43
       43
        
       		w.WriteHeader(http.StatusForbidden)

     

       44
       44
        
       		return

+6 -5

knotserver/routes.go

···

       29
       29
        
       	"tangled.sh/tangled.sh/core/knotserver/db"

     

       30
       30
        
       	"tangled.sh/tangled.sh/core/knotserver/git"

     

       31
       31
        
       	"tangled.sh/tangled.sh/core/patchutil"

     

       32
       32
       +
       	"tangled.sh/tangled.sh/core/rbac"

     

       32
       33
        
       	"tangled.sh/tangled.sh/core/types"

     

       33
       34
        
       )

     

       34
       35
        
       

     
···

       674
       675
        
       	}

     

       675
       676
        
       

     

       676
       677
        
       	// add perms for this user to access the repo

     

       677
       677
       -
       	err = h.e.AddRepo(did, ThisServer, relativeRepoPath)

     

       678
       678
       +
       	err = h.e.AddRepo(did, rbac.ThisServer, relativeRepoPath)

     

       678
       679
        
       	if err != nil {

     

       679
       680
        
       		l.Error("adding repo permissions", "error", err.Error())

     

       680
       681
        
       		writeError(w, err.Error(), http.StatusInternalServerError)

     
···

       892
       893
        
       	}

     

       893
       894
        
       

     

       894
       895
        
       	// add perms for this user to access the repo

     

       895
       895
       -
       	err = h.e.AddRepo(did, ThisServer, relativeRepoPath)

     

       896
       896
       +
       	err = h.e.AddRepo(did, rbac.ThisServer, relativeRepoPath)

     

       896
       897
        
       	if err != nil {

     

       897
       898
        
       		l.Error("adding repo permissions", "error", err.Error())

     

       898
       899
        
       		writeError(w, err.Error(), http.StatusInternalServerError)

     
···

       1146
       1147
        
       	}

     

       1147
       1148
        
       	h.jc.AddDid(did)

     

       1148
       1149
        
       

     

       1149
       1149
       -
       	if err := h.e.AddKnotMember(ThisServer, did); err != nil {

     

       1150
       1150
       +
       	if err := h.e.AddKnotMember(rbac.ThisServer, did); err != nil {

     

       1150
       1151
        
       		l.Error("adding member", "error", err.Error())

     

       1151
       1152
        
       		writeError(w, err.Error(), http.StatusInternalServerError)

     

       1152
       1153
        
       		return

     
···

       1184
       1185
        
       	h.jc.AddDid(data.Did)

     

       1185
       1186
        
       

     

       1186
       1187
        
       	repoName, _ := securejoin.SecureJoin(ownerDid, repo)

     

       1187
       1187
       -
       	if err := h.e.AddCollaborator(data.Did, ThisServer, repoName); err != nil {

     

       1188
       1188
       +
       	if err := h.e.AddCollaborator(data.Did, rbac.ThisServer, repoName); err != nil {

     

       1188
       1189
        
       		l.Error("adding repo collaborator", "error", err.Error())

     

       1189
       1190
        
       		writeError(w, err.Error(), http.StatusInternalServerError)

     

       1190
       1191
        
       		return

     
···

       1281
       1282
        
       	}

     

       1282
       1283
        
       	h.jc.AddDid(data.Did)

     

       1283
       1284
        
       

     

       1284
       1284
       -
       	if err := h.e.AddKnotOwner(ThisServer, data.Did); err != nil {

     

       1285
       1285
       +
       	if err := h.e.AddKnotOwner(rbac.ThisServer, data.Did); err != nil {

     

       1285
       1286
        
       		l.Error("adding owner", "error", err.Error())

     

       1286
       1287
        
       		writeError(w, err.Error(), http.StatusInternalServerError)

     

       1287
       1288
        
       		return

-5

knotserver/util.go

···

       8
       8
        
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       9
       9
        
       	securejoin "github.com/cyphar/filepath-securejoin"

     

       10
       10
        
       	"github.com/go-chi/chi/v5"

     

       11
       11
       -
       	"github.com/microcosm-cc/bluemonday"

     

       12
       11
        
       )

     

       13
       13
       -
       

     

       14
       14
       -
       func sanitize(content []byte) []byte {

     

       15
       15
       -
       	return bluemonday.UGCPolicy().SanitizeBytes([]byte(content))

     

       16
       16
       -
       }

     

       17
       12
        
       

     

       18
       13
        
       func didPath(r *http.Request) string {

     

       19
       14
        
       	did := chi.URLParam(r, "did")

+4

rbac/rbac.go

···

       11
       11
        
       )

     

       12
       12
        
       

     

       13
       13
        
       const (

     

       14
       14
       +
       	ThisServer = "thisserver" // resource identifier for local rbac enforcement

     

       15
       15
       +
       )

     

       16
       16
       +
       

     

       17
       17
       +
       const (

     

       14
       18
        
       	Model = `

     

       15
       19
        
       [request_definition]

     

       16
       20
        
       r = sub, dom, obj, act