user repomgr for record management · evan.jarrett.net/at-container-registry@0dc2294

+6 -6

go.mod

··· 11 11 github.com/google/uuid v1.6.0 12 12 github.com/gorilla/mux v1.8.1 13 13 github.com/gorilla/websocket v1.5.3 14 + github.com/ipfs/go-block-format v0.2.0 14 15 github.com/ipfs/go-cid v0.4.1 16 + github.com/ipfs/go-datastore v0.6.0 17 + github.com/ipfs/go-ipfs-blockstore v1.3.1 18 + github.com/ipfs/go-ipld-format v0.6.0 15 19 github.com/ipld/go-car v0.6.1-0.20230509095817-92d28eb23ba4 16 20 github.com/klauspost/compress v1.18.0 17 21 github.com/mattn/go-sqlite3 v1.14.32 18 22 github.com/opencontainers/go-digest v1.0.0 19 23 github.com/spf13/cobra v1.8.0 20 24 github.com/whyrusleeping/cbor-gen v0.3.1 25 + go.opentelemetry.io/otel v1.32.0 21 26 go.yaml.in/yaml/v4 v4.0.0-rc.2 22 27 golang.org/x/crypto v0.39.0 23 28 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 29 + gorm.io/gorm v1.25.9 24 30 ) 25 31 26 32 require ( ··· 53 59 github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect 54 60 github.com/inconshreveable/mousetrap v1.1.0 // indirect 55 61 github.com/ipfs/bbloom v0.0.4 // indirect 56 - github.com/ipfs/go-block-format v0.2.0 // indirect 57 62 github.com/ipfs/go-blockservice v0.5.2 // indirect 58 - github.com/ipfs/go-datastore v0.6.0 // indirect 59 - github.com/ipfs/go-ipfs-blockstore v1.3.1 // indirect 60 63 github.com/ipfs/go-ipfs-ds-help v1.1.1 // indirect 61 64 github.com/ipfs/go-ipfs-exchange-interface v0.2.1 // indirect 62 65 github.com/ipfs/go-ipfs-util v0.0.3 // indirect 63 66 github.com/ipfs/go-ipld-cbor v0.1.0 // indirect 64 - github.com/ipfs/go-ipld-format v0.6.0 // indirect 65 67 github.com/ipfs/go-ipld-legacy v0.2.1 // indirect 66 68 github.com/ipfs/go-libipfs v0.7.0 // indirect 67 69 github.com/ipfs/go-log v1.0.5 // indirect ··· 107 109 go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 // indirect 108 110 go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 // indirect 109 111 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 // indirect 110 - go.opentelemetry.io/otel v1.32.0 // indirect 111 112 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 // indirect 112 113 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 // indirect 113 114 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 // indirect ··· 141 142 gopkg.in/inf.v0 v0.9.1 // indirect 142 143 gopkg.in/yaml.v2 v2.4.0 // indirect 143 144 gorm.io/driver/postgres v1.5.7 // indirect 144 - gorm.io/gorm v1.25.9 // indirect 145 145 lukechampine.com/blake3 v1.2.1 // indirect 146 146 )

+14 -85

pkg/hold/pds/captain.go

··· 1 1 package pds 2 2 3 3 import ( 4 - "bytes" 5 4 "context" 6 5 "fmt" 7 6 "time" 8 7 9 8 "atcr.io/pkg/atproto" 10 - "github.com/bluesky-social/indigo/repo" 11 9 "github.com/ipfs/go-cid" 12 10 ) 13 11 ··· 16 14 CaptainRkey = "self" 17 15 ) 18 16 19 - // CreateCaptainRecord creates the captain record for the hold 17 + // CreateCaptainRecord creates the captain record for the hold (first-time only). 18 + // This will FAIL if the captain record already exists. Use UpdateCaptainRecord to modify. 20 19 func (p *HoldPDS) CreateCaptainRecord(ctx context.Context, ownerDID string, public bool, allowAllCrew bool) (cid.Cid, error) { 21 20 captainRecord := &atproto.CaptainRecord{ 22 21 Type: atproto.CaptainCollection, ··· 26 25 DeployedAt: time.Now().Format(time.RFC3339), 27 26 } 28 27 29 - // Create record in repo with fixed rkey "self" 30 - recordCID, rkey, err := p.repo.CreateRecord(ctx, atproto.CaptainCollection, captainRecord) 28 + // Use repomgr.PutRecord - creates with explicit rkey, fails if already exists 29 + recordPath, recordCID, err := p.repomgr.PutRecord(ctx, p.uid, atproto.CaptainCollection, CaptainRkey, captainRecord) 31 30 if err != nil { 32 31 return cid.Undef, fmt.Errorf("failed to create captain record: %w", err) 33 32 } 34 33 35 - // Create signer function from signing key 36 - signer := func(ctx context.Context, did string, data []byte) ([]byte, error) { 37 - return p.signingKey.HashAndSign(data) 38 - } 39 - 40 - // Commit the changes to get new root CID 41 - root, rev, err := p.repo.Commit(ctx, signer) 42 - if err != nil { 43 - return cid.Undef, fmt.Errorf("failed to commit captain record: %w", err) 44 - } 45 - 46 - // Close the delta session with the new root 47 - _, err = p.session.CloseWithRoot(ctx, root, rev) 48 - if err != nil { 49 - return cid.Undef, fmt.Errorf("failed to persist commit: %w", err) 50 - } 51 - 52 - // Create a new session for the next operation (use revision string, not CID) 53 - newSession, err := p.carstore.NewDeltaSession(ctx, p.uid, &rev) 54 - if err != nil { 55 - return cid.Undef, fmt.Errorf("failed to create new session: %w", err) 56 - } 57 - 58 - // Load repo from the newly committed head 59 - newRepo, err := repo.OpenRepo(ctx, newSession, root) 60 - if err != nil { 61 - return cid.Undef, fmt.Errorf("failed to reload repo after commit: %w", err) 62 - } 63 - 64 - // Update the stored session and repo 65 - p.session = newSession 66 - p.repo = newRepo 67 - 68 - fmt.Printf("Created captain record with rkey: %s, cid: %s\n", rkey, recordCID) 69 - 34 + fmt.Printf("Created captain record at %s, cid: %s\n", recordPath, recordCID) 70 35 return recordCID, nil 71 36 } 72 37 73 38 // GetCaptainRecord retrieves the captain record 74 39 func (p *HoldPDS) GetCaptainRecord(ctx context.Context) (cid.Cid, *atproto.CaptainRecord, error) { 75 - path := fmt.Sprintf("%s/%s", atproto.CaptainCollection, CaptainRkey) 76 - 77 - // Get the record bytes and decode manually 78 - recordCID, recBytes, err := p.repo.GetRecordBytes(ctx, path) 40 + // Use repomgr.GetRecord - our types are registered in init() 41 + // so it will automatically unmarshal to the concrete type 42 + recordCID, val, err := p.repomgr.GetRecord(ctx, p.uid, atproto.CaptainCollection, CaptainRkey, cid.Undef) 79 43 if err != nil { 80 44 return cid.Undef, nil, fmt.Errorf("failed to get captain record: %w", err) 81 45 } 82 46 83 - // Decode the CBOR bytes into our CaptainRecord type 84 - var captainRecord atproto.CaptainRecord 85 - if err := captainRecord.UnmarshalCBOR(bytes.NewReader(*recBytes)); err != nil { 86 - return cid.Undef, nil, fmt.Errorf("failed to decode captain record: %w", err) 47 + // Type assert to our concrete type 48 + captainRecord, ok := val.(*atproto.CaptainRecord) 49 + if !ok { 50 + return cid.Undef, nil, fmt.Errorf("unexpected type for captain record: %T", val) 87 51 } 88 52 89 - return recordCID, &captainRecord, nil 53 + return recordCID, captainRecord, nil 90 54 } 91 55 92 56 // UpdateCaptainRecord updates the captain record (e.g., to change public/allowAllCrew settings) ··· 101 65 existing.Public = public 102 66 existing.AllowAllCrew = allowAllCrew 103 67 104 - // Update record in repo 105 - path := fmt.Sprintf("%s/%s", atproto.CaptainCollection, CaptainRkey) 106 - recordCID, err := p.repo.UpdateRecord(ctx, path, existing) 68 + recordCID, err := p.repomgr.UpdateRecord(ctx, p.uid, atproto.CaptainCollection, CaptainRkey, existing) 107 69 if err != nil { 108 70 return cid.Undef, fmt.Errorf("failed to update captain record: %w", err) 109 71 } 110 - 111 - // Create signer function from signing key 112 - signer := func(ctx context.Context, did string, data []byte) ([]byte, error) { 113 - return p.signingKey.HashAndSign(data) 114 - } 115 - 116 - // Commit the changes 117 - root, rev, err := p.repo.Commit(ctx, signer) 118 - if err != nil { 119 - return cid.Undef, fmt.Errorf("failed to commit captain record update: %w", err) 120 - } 121 - 122 - // Close the delta session with the new root 123 - _, err = p.session.CloseWithRoot(ctx, root, rev) 124 - if err != nil { 125 - return cid.Undef, fmt.Errorf("failed to persist commit: %w", err) 126 - } 127 - 128 - // Create a new session for the next operation (use revision string, not CID) 129 - newSession, err := p.carstore.NewDeltaSession(ctx, p.uid, &rev) 130 - if err != nil { 131 - return cid.Undef, fmt.Errorf("failed to create new session: %w", err) 132 - } 133 - 134 - // Load repo from the newly committed head 135 - newRepo, err := repo.OpenRepo(ctx, newSession, root) 136 - if err != nil { 137 - return cid.Undef, fmt.Errorf("failed to reload repo after commit: %w", err) 138 - } 139 - 140 - // Update the stored session and repo 141 - p.session = newSession 142 - p.repo = newRepo 143 72 144 73 return recordCID, nil 145 74 }

+368

pkg/hold/pds/captain_test.go

··· 1 + package pds 2 + 3 + import ( 4 + "bytes" 5 + "context" 6 + "path/filepath" 7 + "strings" 8 + "testing" 9 + 10 + "atcr.io/pkg/atproto" 11 + ) 12 + 13 + // setupTestPDS creates a test PDS instance in a temporary directory 14 + // It initializes the repo but does NOT create captain/crew records 15 + // Tests should call Bootstrap or create records as needed 16 + func setupTestPDS(t *testing.T) (*HoldPDS, context.Context) { 17 + ctx := context.Background() 18 + tmpDir := t.TempDir() 19 + 20 + dbPath := filepath.Join(tmpDir, "pds.db") 21 + keyPath := filepath.Join(tmpDir, "signing-key") 22 + 23 + pds, err := NewHoldPDS(ctx, "did:web:hold.example.com", "https://hold.example.com", dbPath, keyPath) 24 + if err != nil { 25 + t.Fatalf("Failed to create test PDS: %v", err) 26 + } 27 + 28 + // Initialize repo so tests can create records 29 + // Use a dummy DID to initialize, then tests can create actual captain records 30 + err = pds.repomgr.InitNewActor(ctx, pds.uid, "", pds.did, "", "", "") 31 + if err != nil { 32 + t.Fatalf("Failed to initialize test repo: %v", err) 33 + } 34 + 35 + return pds, ctx 36 + } 37 + 38 + // TestCreateCaptainRecord tests creating a captain record with various settings 39 + func TestCreateCaptainRecord(t *testing.T) { 40 + tests := []struct { 41 + name string 42 + ownerDID string 43 + public bool 44 + allowAllCrew bool 45 + }{ 46 + { 47 + name: "Private hold, no all-crew", 48 + ownerDID: "did:plc:alice123", 49 + public: false, 50 + allowAllCrew: false, 51 + }, 52 + { 53 + name: "Public hold, no all-crew", 54 + ownerDID: "did:plc:bob456", 55 + public: true, 56 + allowAllCrew: false, 57 + }, 58 + { 59 + name: "Public hold, allow all crew", 60 + ownerDID: "did:plc:charlie789", 61 + public: true, 62 + allowAllCrew: true, 63 + }, 64 + { 65 + name: "Private hold, allow all crew", 66 + ownerDID: "did:plc:dave012", 67 + public: false, 68 + allowAllCrew: true, 69 + }, 70 + } 71 + 72 + for _, tt := range tests { 73 + t.Run(tt.name, func(t *testing.T) { 74 + // Each subtest gets its own PDS instance 75 + pds, ctx := setupTestPDS(t) 76 + defer pds.Close() 77 + 78 + // Create captain record 79 + recordCID, err := pds.CreateCaptainRecord(ctx, tt.ownerDID, tt.public, tt.allowAllCrew) 80 + if err != nil { 81 + t.Fatalf("CreateCaptainRecord failed: %v", err) 82 + } 83 + 84 + // Verify CID is defined 85 + if !recordCID.Defined() { 86 + t.Error("Expected defined CID") 87 + } 88 + 89 + // Retrieve and verify 90 + retrievedCID, captain, err := pds.GetCaptainRecord(ctx) 91 + if err != nil { 92 + t.Fatalf("GetCaptainRecord failed: %v", err) 93 + } 94 + 95 + if !recordCID.Equals(retrievedCID) { 96 + t.Error("Expected retrieved CID to match created CID") 97 + } 98 + 99 + if captain.Owner != tt.ownerDID { 100 + t.Errorf("Expected owner %s, got %s", tt.ownerDID, captain.Owner) 101 + } 102 + if captain.Public != tt.public { 103 + t.Errorf("Expected public=%v, got %v", tt.public, captain.Public) 104 + } 105 + if captain.AllowAllCrew != tt.allowAllCrew { 106 + t.Errorf("Expected allowAllCrew=%v, got %v", tt.allowAllCrew, captain.AllowAllCrew) 107 + } 108 + if captain.Type != atproto.CaptainCollection { 109 + t.Errorf("Expected type %s, got %s", atproto.CaptainCollection, captain.Type) 110 + } 111 + if captain.DeployedAt == "" { 112 + t.Error("Expected deployedAt to be set") 113 + } 114 + }) 115 + } 116 + } 117 + 118 + // TestGetCaptainRecord tests retrieving a captain record 119 + func TestGetCaptainRecord(t *testing.T) { 120 + pds, ctx := setupTestPDS(t) 121 + defer pds.Close() 122 + 123 + ownerDID := "did:plc:alice123" 124 + 125 + // Create captain record 126 + createdCID, err := pds.CreateCaptainRecord(ctx, ownerDID, true, false) 127 + if err != nil { 128 + t.Fatalf("CreateCaptainRecord failed: %v", err) 129 + } 130 + 131 + // Get captain record 132 + retrievedCID, captain, err := pds.GetCaptainRecord(ctx) 133 + if err != nil { 134 + t.Fatalf("GetCaptainRecord failed: %v", err) 135 + } 136 + 137 + // Verify CIDs match 138 + if !createdCID.Equals(retrievedCID) { 139 + t.Error("Expected retrieved CID to match created CID") 140 + } 141 + 142 + // Verify captain data 143 + if captain == nil { 144 + t.Fatal("Expected non-nil captain record") 145 + } 146 + if captain.Owner != ownerDID { 147 + t.Errorf("Expected owner %s, got %s", ownerDID, captain.Owner) 148 + } 149 + if !captain.Public { 150 + t.Error("Expected public=true") 151 + } 152 + if captain.AllowAllCrew { 153 + t.Error("Expected allowAllCrew=false") 154 + } 155 + } 156 + 157 + // TestGetCaptainRecord_NotFound tests error handling for missing captain 158 + func TestGetCaptainRecord_NotFound(t *testing.T) { 159 + pds, ctx := setupTestPDS(t) 160 + defer pds.Close() 161 + 162 + // Try to get captain record before creating one 163 + _, _, err := pds.GetCaptainRecord(ctx) 164 + if err == nil { 165 + t.Fatal("Expected error when getting non-existent captain record") 166 + } 167 + 168 + // Verify error message indicates not found 169 + errMsg := err.Error() 170 + if !strings.Contains(errMsg, "not found") && !strings.Contains(errMsg, "failed to get captain record") { 171 + t.Errorf("Expected 'not found' in error message, got: %s", errMsg) 172 + } 173 + } 174 + 175 + // TestUpdateCaptainRecord tests updating captain settings 176 + func TestUpdateCaptainRecord(t *testing.T) { 177 + pds, ctx := setupTestPDS(t) 178 + defer pds.Close() 179 + 180 + ownerDID := "did:plc:alice123" 181 + 182 + // Create initial captain record (public=false, allowAllCrew=false) 183 + _, err := pds.CreateCaptainRecord(ctx, ownerDID, false, false) 184 + if err != nil { 185 + t.Fatalf("CreateCaptainRecord failed: %v", err) 186 + } 187 + 188 + // Get initial record 189 + _, captain1, err := pds.GetCaptainRecord(ctx) 190 + if err != nil { 191 + t.Fatalf("GetCaptainRecord failed: %v", err) 192 + } 193 + 194 + // Verify initial state 195 + if captain1.Public { 196 + t.Error("Expected initial public=false") 197 + } 198 + if captain1.AllowAllCrew { 199 + t.Error("Expected initial allowAllCrew=false") 200 + } 201 + 202 + // Update to public=true, allowAllCrew=true 203 + updatedCID, err := pds.UpdateCaptainRecord(ctx, true, true) 204 + if err != nil { 205 + t.Fatalf("UpdateCaptainRecord failed: %v", err) 206 + } 207 + 208 + if !updatedCID.Defined() { 209 + t.Error("Expected defined CID after update") 210 + } 211 + 212 + // Get updated record 213 + retrievedCID, captain2, err := pds.GetCaptainRecord(ctx) 214 + if err != nil { 215 + t.Fatalf("GetCaptainRecord failed after update: %v", err) 216 + } 217 + 218 + // Verify CID changed 219 + if !updatedCID.Equals(retrievedCID) { 220 + t.Error("Expected retrieved CID to match updated CID") 221 + } 222 + 223 + // Verify updated values 224 + if !captain2.Public { 225 + t.Error("Expected public=true after update") 226 + } 227 + if !captain2.AllowAllCrew { 228 + t.Error("Expected allowAllCrew=true after update") 229 + } 230 + 231 + // Verify owner didn't change 232 + if captain2.Owner != ownerDID { 233 + t.Errorf("Expected owner to remain %s, got %s", ownerDID, captain2.Owner) 234 + } 235 + 236 + // Update again to different values (public=true, allowAllCrew=false) 237 + _, err = pds.UpdateCaptainRecord(ctx, true, false) 238 + if err != nil { 239 + t.Fatalf("Second UpdateCaptainRecord failed: %v", err) 240 + } 241 + 242 + // Verify second update 243 + _, captain3, err := pds.GetCaptainRecord(ctx) 244 + if err != nil { 245 + t.Fatalf("GetCaptainRecord failed after second update: %v", err) 246 + } 247 + 248 + if !captain3.Public { 249 + t.Error("Expected public=true after second update") 250 + } 251 + if captain3.AllowAllCrew { 252 + t.Error("Expected allowAllCrew=false after second update") 253 + } 254 + } 255 + 256 + // TestUpdateCaptainRecord_NotFound tests updating non-existent captain 257 + func TestUpdateCaptainRecord_NotFound(t *testing.T) { 258 + pds, ctx := setupTestPDS(t) 259 + defer pds.Close() 260 + 261 + // Try to update captain record before creating one 262 + _, err := pds.UpdateCaptainRecord(ctx, true, true) 263 + if err == nil { 264 + t.Fatal("Expected error when updating non-existent captain record") 265 + } 266 + 267 + // Verify error message 268 + errMsg := err.Error() 269 + if !strings.Contains(errMsg, "failed to get existing captain record") { 270 + t.Errorf("Expected 'failed to get existing captain record' in error, got: %s", errMsg) 271 + } 272 + } 273 + 274 + // TestCaptainRecord_CBORRoundtrip tests CBOR marshal/unmarshal integrity 275 + func TestCaptainRecord_CBORRoundtrip(t *testing.T) { 276 + tests := []struct { 277 + name string 278 + record *atproto.CaptainRecord 279 + }{ 280 + { 281 + name: "Basic captain", 282 + record: &atproto.CaptainRecord{ 283 + Type: atproto.CaptainCollection, 284 + Owner: "did:plc:alice123", 285 + Public: true, 286 + AllowAllCrew: false, 287 + DeployedAt: "2025-10-16T12:00:00Z", 288 + }, 289 + }, 290 + { 291 + name: "Captain with optional fields", 292 + record: &atproto.CaptainRecord{ 293 + Type: atproto.CaptainCollection, 294 + Owner: "did:plc:bob456", 295 + Public: false, 296 + AllowAllCrew: true, 297 + DeployedAt: "2025-10-16T12:00:00Z", 298 + Region: "us-west-2", 299 + Provider: "fly.io", 300 + }, 301 + }, 302 + { 303 + name: "Captain with empty optional fields", 304 + record: &atproto.CaptainRecord{ 305 + Type: atproto.CaptainCollection, 306 + Owner: "did:plc:charlie789", 307 + Public: true, 308 + AllowAllCrew: true, 309 + DeployedAt: "2025-10-16T12:00:00Z", 310 + Region: "", 311 + Provider: "", 312 + }, 313 + }, 314 + } 315 + 316 + for _, tt := range tests { 317 + t.Run(tt.name, func(t *testing.T) { 318 + // Marshal to CBOR 319 + var buf bytes.Buffer 320 + err := tt.record.MarshalCBOR(&buf) 321 + if err != nil { 322 + t.Fatalf("MarshalCBOR failed: %v", err) 323 + } 324 + 325 + cborBytes := buf.Bytes() 326 + if len(cborBytes) == 0 { 327 + t.Fatal("Expected non-empty CBOR bytes") 328 + } 329 + 330 + // Unmarshal from CBOR 331 + var decoded atproto.CaptainRecord 332 + err = decoded.UnmarshalCBOR(bytes.NewReader(cborBytes)) 333 + if err != nil { 334 + t.Fatalf("UnmarshalCBOR failed: %v", err) 335 + } 336 + 337 + // Verify all fields match 338 + if decoded.Type != tt.record.Type { 339 + t.Errorf("Type mismatch: expected %s, got %s", tt.record.Type, decoded.Type) 340 + } 341 + if decoded.Owner != tt.record.Owner { 342 + t.Errorf("Owner mismatch: expected %s, got %s", tt.record.Owner, decoded.Owner) 343 + } 344 + if decoded.Public != tt.record.Public { 345 + t.Errorf("Public mismatch: expected %v, got %v", tt.record.Public, decoded.Public) 346 + } 347 + if decoded.AllowAllCrew != tt.record.AllowAllCrew { 348 + t.Errorf("AllowAllCrew mismatch: expected %v, got %v", tt.record.AllowAllCrew, decoded.AllowAllCrew) 349 + } 350 + if decoded.DeployedAt != tt.record.DeployedAt { 351 + t.Errorf("DeployedAt mismatch: expected %s, got %s", tt.record.DeployedAt, decoded.DeployedAt) 352 + } 353 + if decoded.Region != tt.record.Region { 354 + t.Errorf("Region mismatch: expected %s, got %s", tt.record.Region, decoded.Region) 355 + } 356 + if decoded.Provider != tt.record.Provider { 357 + t.Errorf("Provider mismatch: expected %s, got %s", tt.record.Provider, decoded.Provider) 358 + } 359 + }) 360 + } 361 + } 362 + 363 + // TestCaptainRkey tests that captain record uses the fixed "self" rkey 364 + func TestCaptainRkey(t *testing.T) { 365 + if CaptainRkey != "self" { 366 + t.Errorf("Expected CaptainRkey to be 'self', got '%s'", CaptainRkey) 367 + } 368 + }

+49 -55

pkg/hold/pds/crew.go

··· 22 22 AddedAt: time.Now().Format(time.RFC3339), 23 23 } 24 24 25 - // Create record in repo (using memberDID as rkey for easy lookup) 26 - recordCID, _, err := p.repo.CreateRecord(ctx, atproto.CrewCollection, crewRecord) 25 + // Use repomgr for crew operations - auto-generated rkey is fine 26 + _, recordCID, err := p.repomgr.CreateRecord(ctx, p.uid, atproto.CrewCollection, crewRecord) 27 27 if err != nil { 28 28 return cid.Undef, fmt.Errorf("failed to create crew record: %w", err) 29 29 } 30 30 31 - // Create signer function from signing key 32 - signer := func(ctx context.Context, did string, data []byte) ([]byte, error) { 33 - return p.signingKey.HashAndSign(data) 34 - } 35 - 36 - // Commit the changes to get new root CID 37 - root, rev, err := p.repo.Commit(ctx, signer) 38 - if err != nil { 39 - return cid.Undef, fmt.Errorf("failed to commit crew record: %w", err) 40 - } 41 - 42 - // Close the delta session with the new root 43 - _, err = p.session.CloseWithRoot(ctx, root, rev) 44 - if err != nil { 45 - return cid.Undef, fmt.Errorf("failed to persist commit: %w", err) 46 - } 47 - 48 - // Create a new session for the next operation (use revision string, not CID) 49 - newSession, err := p.carstore.NewDeltaSession(ctx, p.uid, &rev) 50 - if err != nil { 51 - return cid.Undef, fmt.Errorf("failed to create new session: %w", err) 52 - } 53 - 54 - // Load repo from the newly committed head (not NewRepo which creates empty MST) 55 - newRepo, err := repo.OpenRepo(ctx, newSession, root) 56 - if err != nil { 57 - return cid.Undef, fmt.Errorf("failed to reload repo after commit: %w", err) 58 - } 59 - 60 - // Update the stored session and repo 61 - p.session = newSession 62 - p.repo = newRepo 63 - 64 31 return recordCID, nil 65 32 } 66 33 67 34 // GetCrewMember retrieves a crew member by their record key 68 35 func (p *HoldPDS) GetCrewMember(ctx context.Context, rkey string) (cid.Cid, *atproto.CrewRecord, error) { 69 - path := fmt.Sprintf("%s/%s", atproto.CrewCollection, rkey) 70 - 71 - // Get the record bytes and decode manually (indigo doesn't know our custom type) 72 - recordCID, recBytes, err := p.repo.GetRecordBytes(ctx, path) 36 + // Use repomgr.GetRecord - our types are registered in init() 37 + recordCID, val, err := p.repomgr.GetRecord(ctx, p.uid, atproto.CrewCollection, rkey, cid.Undef) 73 38 if err != nil { 74 39 return cid.Undef, nil, fmt.Errorf("failed to get crew record: %w", err) 75 40 } 76 41 77 - // Decode the CBOR bytes into our CrewRecord type 78 - var crewRecord atproto.CrewRecord 79 - if err := crewRecord.UnmarshalCBOR(bytes.NewReader(*recBytes)); err != nil { 80 - return cid.Undef, nil, fmt.Errorf("failed to decode crew record: %w", err) 42 + // Type assert to our concrete type 43 + crewRecord, ok := val.(*atproto.CrewRecord) 44 + if !ok { 45 + return cid.Undef, nil, fmt.Errorf("unexpected type for crew record: %T", val) 81 46 } 82 47 83 - return recordCID, &crewRecord, nil 48 + return recordCID, crewRecord, nil 84 49 } 85 50 86 51 // CrewMemberWithKey pairs a crew record with its rkey and CID ··· 94 59 func (p *HoldPDS) ListCrewMembers(ctx context.Context) ([]*CrewMemberWithKey, error) { 95 60 var crew []*CrewMemberWithKey 96 61 97 - err := p.repo.ForEach(ctx, atproto.CrewCollection, func(k string, v cid.Cid) error { 62 + // Create read-only session for ForEach access 63 + // repomgr doesn't expose ForEach, so we need direct repo access 64 + session, err := p.carstore.ReadOnlySession(p.uid) 65 + if err != nil { 66 + return nil, fmt.Errorf("failed to create read-only session: %w", err) 67 + } 68 + 69 + // Get repo head 70 + head, err := p.carstore.GetUserRepoHead(ctx, p.uid) 71 + if err != nil { 72 + return nil, fmt.Errorf("failed to get repo head: %w", err) 73 + } 74 + 75 + if !head.Defined() { 76 + return nil, fmt.Errorf("repo not initialized") 77 + } 78 + 79 + // Open repo 80 + r, err := repo.OpenRepo(ctx, session, head) 81 + if err != nil { 82 + return nil, fmt.Errorf("failed to open repo: %w", err) 83 + } 84 + 85 + // Iterate over all crew records 86 + err = r.ForEach(ctx, atproto.CrewCollection, func(k string, v cid.Cid) error { 98 87 // Extract rkey from full path (k is like "io.atcr.hold.crew/3m37dr2ddit22") 99 88 parts := strings.Split(k, "/") 100 89 rkey := parts[len(parts)-1] 101 90 102 - // Get the full record using GetCrewMember 103 - recordCID, crewRecord, err := p.GetCrewMember(ctx, rkey) 91 + // Get the record directly from the repo we already have open 92 + // (calling GetCrewMember would open a new session unnecessarily) 93 + recordCID, recBytes, err := r.GetRecordBytes(ctx, k) 104 94 if err != nil { 105 - return err 95 + return fmt.Errorf("failed to get crew record: %w", err) 96 + } 97 + 98 + // Unmarshal the CBOR bytes into our concrete type 99 + var crewRecord atproto.CrewRecord 100 + if err := crewRecord.UnmarshalCBOR(bytes.NewReader(*recBytes)); err != nil { 101 + return fmt.Errorf("failed to decode crew record: %w", err) 106 102 } 107 103 108 104 crew = append(crew, &CrewMemberWithKey{ 109 105 Rkey: rkey, 110 106 Cid: recordCID, 111 - Record: crewRecord, 107 + Record: &crewRecord, 112 108 }) 113 109 return nil 114 110 }) ··· 116 112 if err != nil { 117 113 // If the collection doesn't exist yet (empty repo or no records created), 118 114 // return empty list instead of error 119 - if err.Error() == "mst: not found" { 115 + if err.Error() == "mst: not found" || strings.Contains(err.Error(), "not found") { 120 116 return []*CrewMemberWithKey{}, nil 121 117 } 122 118 return nil, fmt.Errorf("failed to list crew members: %w", err) ··· 127 123 128 124 // RemoveCrewMember removes a crew member 129 125 func (p *HoldPDS) RemoveCrewMember(ctx context.Context, rkey string) error { 130 - path := fmt.Sprintf("%s/%s", atproto.CrewCollection, rkey) 131 - 132 - err := p.repo.DeleteRecord(ctx, path) 126 + // Use repomgr.DeleteRecord - it will automatically commit! 127 + // This fixes the bug where deletions weren't being committed 128 + err := p.repomgr.DeleteRecord(ctx, p.uid, atproto.CrewCollection, rkey) 133 129 if err != nil { 134 130 return fmt.Errorf("failed to delete crew record: %w", err) 135 131 } 136 - 137 - // TODO: Commit the changes 138 132 139 133 return nil 140 134 }

+589

pkg/hold/pds/crew_test.go

··· 1 + package pds 2 + 3 + import ( 4 + "bytes" 5 + "strings" 6 + "testing" 7 + 8 + "atcr.io/pkg/atproto" 9 + ) 10 + 11 + // TestAddCrewMember tests adding a single crew member 12 + func TestAddCrewMember(t *testing.T) { 13 + pds, ctx := setupTestPDS(t) 14 + defer pds.Close() 15 + 16 + // Add crew member 17 + memberDID := "did:plc:alice123" 18 + role := "writer" 19 + permissions := []string{"blob:read", "blob:write"} 20 + 21 + recordCID, err := pds.AddCrewMember(ctx, memberDID, role, permissions) 22 + if err != nil { 23 + t.Fatalf("AddCrewMember failed: %v", err) 24 + } 25 + 26 + // Verify CID is defined 27 + if !recordCID.Defined() { 28 + t.Error("Expected defined CID") 29 + } 30 + 31 + // List crew members to verify 32 + crewMembers, err := pds.ListCrewMembers(ctx) 33 + if err != nil { 34 + t.Fatalf("ListCrewMembers failed: %v", err) 35 + } 36 + 37 + if len(crewMembers) != 1 { 38 + t.Fatalf("Expected 1 crew member, got %d", len(crewMembers)) 39 + } 40 + 41 + crew := crewMembers[0] 42 + if crew.Record.Member != memberDID { 43 + t.Errorf("Expected member %s, got %s", memberDID, crew.Record.Member) 44 + } 45 + if crew.Record.Role != role { 46 + t.Errorf("Expected role %s, got %s", role, crew.Record.Role) 47 + } 48 + if len(crew.Record.Permissions) != len(permissions) { 49 + t.Fatalf("Expected %d permissions, got %d", len(permissions), len(crew.Record.Permissions)) 50 + } 51 + for i, perm := range permissions { 52 + if crew.Record.Permissions[i] != perm { 53 + t.Errorf("Expected permission[%d]=%s, got %s", i, perm, crew.Record.Permissions[i]) 54 + } 55 + } 56 + if crew.Record.Type != atproto.CrewCollection { 57 + t.Errorf("Expected type %s, got %s", atproto.CrewCollection, crew.Record.Type) 58 + } 59 + if crew.Record.AddedAt == "" { 60 + t.Error("Expected addedAt to be set") 61 + } 62 + } 63 + 64 + // TestGetCrewMember tests retrieving a crew member by rkey 65 + func TestGetCrewMember(t *testing.T) { 66 + pds, ctx := setupTestPDS(t) 67 + defer pds.Close() 68 + 69 + // Add crew member 70 + memberDID := "did:plc:bob456" 71 + role := "reader" 72 + permissions := []string{"blob:read"} 73 + 74 + _, err := pds.AddCrewMember(ctx, memberDID, role, permissions) 75 + if err != nil { 76 + t.Fatalf("AddCrewMember failed: %v", err) 77 + } 78 + 79 + // List to get the rkey 80 + crewMembers, err := pds.ListCrewMembers(ctx) 81 + if err != nil { 82 + t.Fatalf("ListCrewMembers failed: %v", err) 83 + } 84 + 85 + if len(crewMembers) == 0 { 86 + t.Fatal("Expected at least one crew member") 87 + } 88 + 89 + rkey := crewMembers[0].Rkey 90 + 91 + // Get crew member by rkey 92 + retrievedCID, crew, err := pds.GetCrewMember(ctx, rkey) 93 + if err != nil { 94 + t.Fatalf("GetCrewMember failed: %v", err) 95 + } 96 + 97 + // Verify CID matches 98 + if !crewMembers[0].Cid.Equals(retrievedCID) { 99 + t.Error("Expected retrieved CID to match") 100 + } 101 + 102 + // Verify crew data 103 + if crew.Member != memberDID { 104 + t.Errorf("Expected member %s, got %s", memberDID, crew.Member) 105 + } 106 + if crew.Role != role { 107 + t.Errorf("Expected role %s, got %s", role, crew.Role) 108 + } 109 + if len(crew.Permissions) != len(permissions) { 110 + t.Fatalf("Expected %d permissions, got %d", len(permissions), len(crew.Permissions)) 111 + } 112 + } 113 + 114 + // TestGetCrewMember_NotFound tests error handling for missing crew 115 + func TestGetCrewMember_NotFound(t *testing.T) { 116 + pds, ctx := setupTestPDS(t) 117 + defer pds.Close() 118 + 119 + // Try to get non-existent crew member 120 + _, _, err := pds.GetCrewMember(ctx, "nonexistent-rkey") 121 + if err == nil { 122 + t.Fatal("Expected error when getting non-existent crew member") 123 + } 124 + 125 + // Verify error message 126 + errMsg := err.Error() 127 + if !strings.Contains(errMsg, "failed to get crew record") { 128 + t.Errorf("Expected 'failed to get crew record' in error, got: %s", errMsg) 129 + } 130 + } 131 + 132 + // TestListCrewMembers_Empty tests listing when no crew exists 133 + func TestListCrewMembers_Empty(t *testing.T) { 134 + pds, ctx := setupTestPDS(t) 135 + defer pds.Close() 136 + 137 + // List crew members (should be empty) 138 + crewMembers, err := pds.ListCrewMembers(ctx) 139 + if err != nil { 140 + t.Fatalf("ListCrewMembers failed: %v", err) 141 + } 142 + 143 + if len(crewMembers) != 0 { 144 + t.Errorf("Expected 0 crew members, got %d", len(crewMembers)) 145 + } 146 + } 147 + 148 + // TestListCrewMembers_Multiple tests listing with multiple crew members 149 + func TestListCrewMembers_Multiple(t *testing.T) { 150 + pds, ctx := setupTestPDS(t) 151 + defer pds.Close() 152 + 153 + // Add multiple crew members 154 + members := []struct { 155 + did string 156 + role string 157 + permissions []string 158 + }{ 159 + { 160 + did: "did:plc:alice123", 161 + role: "admin", 162 + permissions: []string{"blob:read", "blob:write", "crew:admin"}, 163 + }, 164 + { 165 + did: "did:plc:bob456", 166 + role: "writer", 167 + permissions: []string{"blob:read", "blob:write"}, 168 + }, 169 + { 170 + did: "did:plc:charlie789", 171 + role: "reader", 172 + permissions: []string{"blob:read"}, 173 + }, 174 + } 175 + 176 + for _, m := range members { 177 + _, err := pds.AddCrewMember(ctx, m.did, m.role, m.permissions) 178 + if err != nil { 179 + t.Fatalf("AddCrewMember failed for %s: %v", m.did, err) 180 + } 181 + } 182 + 183 + // List all crew members 184 + crewMembers, err := pds.ListCrewMembers(ctx) 185 + if err != nil { 186 + t.Fatalf("ListCrewMembers failed: %v", err) 187 + } 188 + 189 + if len(crewMembers) != len(members) { 190 + t.Fatalf("Expected %d crew members, got %d", len(members), len(crewMembers)) 191 + } 192 + 193 + // Verify each crew member (order may vary, so check by DID) 194 + foundMembers := make(map[string]*CrewMemberWithKey) 195 + for _, cm := range crewMembers { 196 + foundMembers[cm.Record.Member] = cm 197 + } 198 + 199 + for _, m := range members { 200 + crew, found := foundMembers[m.did] 201 + if !found { 202 + t.Errorf("Expected to find crew member %s", m.did) 203 + continue 204 + } 205 + 206 + if crew.Record.Role != m.role { 207 + t.Errorf("Expected role %s for %s, got %s", m.role, m.did, crew.Record.Role) 208 + } 209 + 210 + if len(crew.Record.Permissions) != len(m.permissions) { 211 + t.Errorf("Expected %d permissions for %s, got %d", len(m.permissions), m.did, len(crew.Record.Permissions)) 212 + } 213 + 214 + // Verify rkey is set 215 + if crew.Rkey == "" { 216 + t.Errorf("Expected non-empty rkey for %s", m.did) 217 + } 218 + 219 + // Verify CID is defined 220 + if !crew.Cid.Defined() { 221 + t.Errorf("Expected defined CID for %s", m.did) 222 + } 223 + } 224 + } 225 + 226 + // TestRemoveCrewMember tests deleting a crew member 227 + func TestRemoveCrewMember(t *testing.T) { 228 + pds, ctx := setupTestPDS(t) 229 + defer pds.Close() 230 + 231 + // Add crew member 232 + memberDID := "did:plc:alice123" 233 + _, err := pds.AddCrewMember(ctx, memberDID, "writer", []string{"blob:read", "blob:write"}) 234 + if err != nil { 235 + t.Fatalf("AddCrewMember failed: %v", err) 236 + } 237 + 238 + // List to get the rkey 239 + crewMembers, err := pds.ListCrewMembers(ctx) 240 + if err != nil { 241 + t.Fatalf("ListCrewMembers failed: %v", err) 242 + } 243 + 244 + if len(crewMembers) != 1 { 245 + t.Fatalf("Expected 1 crew member, got %d", len(crewMembers)) 246 + } 247 + 248 + rkey := crewMembers[0].Rkey 249 + 250 + // Remove crew member 251 + err = pds.RemoveCrewMember(ctx, rkey) 252 + if err != nil { 253 + t.Fatalf("RemoveCrewMember failed: %v", err) 254 + } 255 + 256 + // Verify crew member is gone 257 + crewMembers, err = pds.ListCrewMembers(ctx) 258 + if err != nil { 259 + t.Fatalf("ListCrewMembers failed after removal: %v", err) 260 + } 261 + 262 + if len(crewMembers) != 0 { 263 + t.Errorf("Expected 0 crew members after removal, got %d", len(crewMembers)) 264 + } 265 + 266 + // Try to get removed crew member (should fail) 267 + _, _, err = pds.GetCrewMember(ctx, rkey) 268 + if err == nil { 269 + t.Error("Expected error when getting removed crew member") 270 + } 271 + } 272 + 273 + // TestRemoveCrewMember_NotFound tests removing non-existent crew member 274 + func TestRemoveCrewMember_NotFound(t *testing.T) { 275 + pds, ctx := setupTestPDS(t) 276 + defer pds.Close() 277 + 278 + // Try to remove non-existent crew member 279 + err := pds.RemoveCrewMember(ctx, "nonexistent-rkey") 280 + if err == nil { 281 + t.Fatal("Expected error when removing non-existent crew member") 282 + } 283 + 284 + // Verify error message 285 + errMsg := err.Error() 286 + if !strings.Contains(errMsg, "failed to delete crew record") { 287 + t.Errorf("Expected 'failed to delete crew record' in error, got: %s", errMsg) 288 + } 289 + } 290 + 291 + // TestRemoveCrewMember_Multiple tests removing one crew member from many 292 + func TestRemoveCrewMember_Multiple(t *testing.T) { 293 + pds, ctx := setupTestPDS(t) 294 + defer pds.Close() 295 + 296 + // Add multiple crew members 297 + dids := []string{ 298 + "did:plc:alice123", 299 + "did:plc:bob456", 300 + "did:plc:charlie789", 301 + } 302 + 303 + for _, did := range dids { 304 + _, err := pds.AddCrewMember(ctx, did, "writer", []string{"blob:read"}) 305 + if err != nil { 306 + t.Fatalf("AddCrewMember failed for %s: %v", did, err) 307 + } 308 + } 309 + 310 + // List crew members 311 + crewMembers, err := pds.ListCrewMembers(ctx) 312 + if err != nil { 313 + t.Fatalf("ListCrewMembers failed: %v", err) 314 + } 315 + 316 + if len(crewMembers) != 3 { 317 + t.Fatalf("Expected 3 crew members, got %d", len(crewMembers)) 318 + } 319 + 320 + // Remove middle member 321 + middleRkey := crewMembers[1].Rkey 322 + middleDID := crewMembers[1].Record.Member 323 + 324 + err = pds.RemoveCrewMember(ctx, middleRkey) 325 + if err != nil { 326 + t.Fatalf("RemoveCrewMember failed: %v", err) 327 + } 328 + 329 + // Verify only 2 remain 330 + crewMembers, err = pds.ListCrewMembers(ctx) 331 + if err != nil { 332 + t.Fatalf("ListCrewMembers failed after removal: %v", err) 333 + } 334 + 335 + if len(crewMembers) != 2 { 336 + t.Fatalf("Expected 2 crew members after removal, got %d", len(crewMembers)) 337 + } 338 + 339 + // Verify removed member is not in list 340 + for _, cm := range crewMembers { 341 + if cm.Record.Member == middleDID { 342 + t.Errorf("Expected %s to be removed, but still found in list", middleDID) 343 + } 344 + } 345 + } 346 + 347 + // TestCrewRecord_CBORRoundtrip tests CBOR marshal/unmarshal integrity 348 + func TestCrewRecord_CBORRoundtrip(t *testing.T) { 349 + tests := []struct { 350 + name string 351 + record *atproto.CrewRecord 352 + }{ 353 + { 354 + name: "Basic crew member", 355 + record: &atproto.CrewRecord{ 356 + Type: atproto.CrewCollection, 357 + Member: "did:plc:alice123", 358 + Role: "writer", 359 + Permissions: []string{"blob:read", "blob:write"}, 360 + AddedAt: "2025-10-16T12:00:00Z", 361 + }, 362 + }, 363 + { 364 + name: "Admin crew member", 365 + record: &atproto.CrewRecord{ 366 + Type: atproto.CrewCollection, 367 + Member: "did:plc:bob456", 368 + Role: "admin", 369 + Permissions: []string{"blob:read", "blob:write", "crew:admin"}, 370 + AddedAt: "2025-10-16T13:00:00Z", 371 + }, 372 + }, 373 + { 374 + name: "Reader crew member", 375 + record: &atproto.CrewRecord{ 376 + Type: atproto.CrewCollection, 377 + Member: "did:plc:charlie789", 378 + Role: "reader", 379 + Permissions: []string{"blob:read"}, 380 + AddedAt: "2025-10-16T14:00:00Z", 381 + }, 382 + }, 383 + { 384 + name: "Crew member with empty permissions", 385 + record: &atproto.CrewRecord{ 386 + Type: atproto.CrewCollection, 387 + Member: "did:plc:dave012", 388 + Role: "none", 389 + Permissions: []string{}, 390 + AddedAt: "2025-10-16T15:00:00Z", 391 + }, 392 + }, 393 + } 394 + 395 + for _, tt := range tests { 396 + t.Run(tt.name, func(t *testing.T) { 397 + // Marshal to CBOR 398 + var buf bytes.Buffer 399 + err := tt.record.MarshalCBOR(&buf) 400 + if err != nil { 401 + t.Fatalf("MarshalCBOR failed: %v", err) 402 + } 403 + 404 + cborBytes := buf.Bytes() 405 + if len(cborBytes) == 0 { 406 + t.Fatal("Expected non-empty CBOR bytes") 407 + } 408 + 409 + // Unmarshal from CBOR 410 + var decoded atproto.CrewRecord 411 + err = decoded.UnmarshalCBOR(bytes.NewReader(cborBytes)) 412 + if err != nil { 413 + t.Fatalf("UnmarshalCBOR failed: %v", err) 414 + } 415 + 416 + // Verify all fields match 417 + if decoded.Type != tt.record.Type { 418 + t.Errorf("Type mismatch: expected %s, got %s", tt.record.Type, decoded.Type) 419 + } 420 + if decoded.Member != tt.record.Member { 421 + t.Errorf("Member mismatch: expected %s, got %s", tt.record.Member, decoded.Member) 422 + } 423 + if decoded.Role != tt.record.Role { 424 + t.Errorf("Role mismatch: expected %s, got %s", tt.record.Role, decoded.Role) 425 + } 426 + if decoded.AddedAt != tt.record.AddedAt { 427 + t.Errorf("AddedAt mismatch: expected %s, got %s", tt.record.AddedAt, decoded.AddedAt) 428 + } 429 + 430 + // Verify permissions 431 + if len(decoded.Permissions) != len(tt.record.Permissions) { 432 + t.Fatalf("Permissions length mismatch: expected %d, got %d", len(tt.record.Permissions), len(decoded.Permissions)) 433 + } 434 + for i, perm := range tt.record.Permissions { 435 + if decoded.Permissions[i] != perm { 436 + t.Errorf("Permission[%d] mismatch: expected %s, got %s", i, perm, decoded.Permissions[i]) 437 + } 438 + } 439 + }) 440 + } 441 + } 442 + 443 + // TestCrewMemberWithKey_Structure tests the CrewMemberWithKey struct 444 + func TestCrewMemberWithKey_Structure(t *testing.T) { 445 + pds, ctx := setupTestPDS(t) 446 + defer pds.Close() 447 + 448 + // Add crew member 449 + memberDID := "did:plc:alice123" 450 + _, err := pds.AddCrewMember(ctx, memberDID, "writer", []string{"blob:read"}) 451 + if err != nil { 452 + t.Fatalf("AddCrewMember failed: %v", err) 453 + } 454 + 455 + // List crew members 456 + crewMembers, err := pds.ListCrewMembers(ctx) 457 + if err != nil { 458 + t.Fatalf("ListCrewMembers failed: %v", err) 459 + } 460 + 461 + if len(crewMembers) != 1 { 462 + t.Fatalf("Expected 1 crew member, got %d", len(crewMembers)) 463 + } 464 + 465 + cm := crewMembers[0] 466 + 467 + // Verify CrewMemberWithKey structure 468 + if cm.Rkey == "" { 469 + t.Error("Expected non-empty Rkey") 470 + } 471 + if !cm.Cid.Defined() { 472 + t.Error("Expected defined Cid") 473 + } 474 + if cm.Record == nil { 475 + t.Fatal("Expected non-nil Record") 476 + } 477 + if cm.Record.Member != memberDID { 478 + t.Errorf("Expected member %s, got %s", memberDID, cm.Record.Member) 479 + } 480 + } 481 + 482 + // TestAddCrewMember_DidWeb tests adding crew members with did:web DIDs 483 + func TestAddCrewMember_DidWeb(t *testing.T) { 484 + pds, ctx := setupTestPDS(t) 485 + defer pds.Close() 486 + 487 + // Add crew member with did:web 488 + memberDID := "did:web:alice.example.com" 489 + role := "writer" 490 + permissions := []string{"blob:read", "blob:write"} 491 + 492 + recordCID, err := pds.AddCrewMember(ctx, memberDID, role, permissions) 493 + if err != nil { 494 + t.Fatalf("AddCrewMember failed with did:web: %v", err) 495 + } 496 + 497 + if !recordCID.Defined() { 498 + t.Error("Expected defined CID") 499 + } 500 + 501 + // Verify crew member was added 502 + crewMembers, err := pds.ListCrewMembers(ctx) 503 + if err != nil { 504 + t.Fatalf("ListCrewMembers failed: %v", err) 505 + } 506 + 507 + if len(crewMembers) != 1 { 508 + t.Fatalf("Expected 1 crew member, got %d", len(crewMembers)) 509 + } 510 + 511 + crew := crewMembers[0] 512 + if crew.Record.Member != memberDID { 513 + t.Errorf("Expected member %s, got %s", memberDID, crew.Record.Member) 514 + } 515 + 516 + // Verify we can get it by rkey 517 + _, retrievedCrew, err := pds.GetCrewMember(ctx, crew.Rkey) 518 + if err != nil { 519 + t.Fatalf("GetCrewMember failed for did:web: %v", err) 520 + } 521 + 522 + if retrievedCrew.Member != memberDID { 523 + t.Errorf("Expected member %s, got %s", memberDID, retrievedCrew.Member) 524 + } 525 + } 526 + 527 + // TestListCrewMembers_MixedDIDs tests listing crew members with mixed DID types 528 + func TestListCrewMembers_MixedDIDs(t *testing.T) { 529 + pds, ctx := setupTestPDS(t) 530 + defer pds.Close() 531 + 532 + // Add crew members with different DID types 533 + members := []struct { 534 + did string 535 + role string 536 + permissions []string 537 + }{ 538 + { 539 + did: "did:plc:alice123", 540 + role: "admin", 541 + permissions: []string{"blob:read", "blob:write", "crew:admin"}, 542 + }, 543 + { 544 + did: "did:web:bob.example.com", 545 + role: "writer", 546 + permissions: []string{"blob:read", "blob:write"}, 547 + }, 548 + { 549 + did: "did:web:charlie.example.org", 550 + role: "reader", 551 + permissions: []string{"blob:read"}, 552 + }, 553 + } 554 + 555 + for _, m := range members { 556 + _, err := pds.AddCrewMember(ctx, m.did, m.role, m.permissions) 557 + if err != nil { 558 + t.Fatalf("AddCrewMember failed for %s: %v", m.did, err) 559 + } 560 + } 561 + 562 + // List all crew members 563 + crewMembers, err := pds.ListCrewMembers(ctx) 564 + if err != nil { 565 + t.Fatalf("ListCrewMembers failed: %v", err) 566 + } 567 + 568 + if len(crewMembers) != len(members) { 569 + t.Fatalf("Expected %d crew members, got %d", len(members), len(crewMembers)) 570 + } 571 + 572 + // Verify each crew member exists (order may vary) 573 + foundMembers := make(map[string]*CrewMemberWithKey) 574 + for _, cm := range crewMembers { 575 + foundMembers[cm.Record.Member] = cm 576 + } 577 + 578 + for _, m := range members { 579 + crew, found := foundMembers[m.did] 580 + if !found { 581 + t.Errorf("Expected to find crew member %s", m.did) 582 + continue 583 + } 584 + 585 + if crew.Record.Role != m.role { 586 + t.Errorf("Expected role %s for %s, got %s", m.role, m.did, crew.Record.Role) 587 + } 588 + } 589 + }

+44

pkg/hold/pds/keymgr.go

··· 1 + package pds 2 + 3 + import ( 4 + "context" 5 + "fmt" 6 + 7 + "github.com/bluesky-social/indigo/atproto/atcrypto" 8 + ) 9 + 10 + // HoldKeyManager implements repomgr.KeyManager for a single-user hold 11 + // It wraps a single signing key and ignores the 'did' parameter since 12 + // a hold only has one identity 13 + type HoldKeyManager struct { 14 + signingKey *atcrypto.PrivateKeyK256 15 + } 16 + 17 + // NewHoldKeyManager creates a new KeyManager for the hold's signing key 18 + func NewHoldKeyManager(signingKey *atcrypto.PrivateKeyK256) *HoldKeyManager { 19 + return &HoldKeyManager{ 20 + signingKey: signingKey, 21 + } 22 + } 23 + 24 + // SignForUser signs data using the hold's signing key 25 + // The 'did' parameter is ignored since holds are single-user 26 + func (km *HoldKeyManager) SignForUser(ctx context.Context, did string, data []byte) ([]byte, error) { 27 + return km.signingKey.HashAndSign(data) 28 + } 29 + 30 + // VerifyUserSignature verifies a signature using the hold's public key 31 + // The 'did' parameter is ignored since holds are single-user 32 + func (km *HoldKeyManager) VerifyUserSignature(ctx context.Context, did string, data []byte, sig []byte) error { 33 + // Get public key from private key 34 + pubKey, err := km.signingKey.PublicKey() 35 + if err != nil { 36 + return fmt.Errorf("failed to get public key: %w", err) 37 + } 38 + 39 + // HashAndVerify returns an error if verification fails 40 + if err := pubKey.HashAndVerify(data, sig); err != nil { 41 + return fmt.Errorf("signature verification failed: %w", err) 42 + } 43 + return nil 44 + }

+295

pkg/hold/pds/keymgr_test.go

··· 1 + package pds 2 + 3 + import ( 4 + "context" 5 + "testing" 6 + 7 + "github.com/bluesky-social/indigo/atproto/atcrypto" 8 + ) 9 + 10 + // TestNewHoldKeyManager tests creating a key manager 11 + func TestNewHoldKeyManager(t *testing.T) { 12 + // Generate a test key 13 + privateKey, err := atcrypto.GeneratePrivateKeyK256() 14 + if err != nil { 15 + t.Fatalf("Failed to generate private key: %v", err) 16 + } 17 + 18 + // Create key manager 19 + kmgr := NewHoldKeyManager(privateKey) 20 + 21 + if kmgr == nil { 22 + t.Fatal("Expected non-nil key manager") 23 + } 24 + 25 + if kmgr.signingKey == nil { 26 + t.Error("Expected signing key to be set") 27 + } 28 + 29 + // Verify we got the same key 30 + if kmgr.signingKey != privateKey { 31 + t.Error("Expected key manager to store the provided key") 32 + } 33 + } 34 + 35 + // TestSignAndVerify tests signing data and verifying the signature 36 + func TestSignAndVerify(t *testing.T) { 37 + ctx := context.Background() 38 + 39 + // Generate a test key 40 + privateKey, err := atcrypto.GeneratePrivateKeyK256() 41 + if err != nil { 42 + t.Fatalf("Failed to generate private key: %v", err) 43 + } 44 + 45 + // Create key manager 46 + kmgr := NewHoldKeyManager(privateKey) 47 + 48 + // Test data 49 + testData := []byte("Hello, ATCR!") 50 + 51 + // Sign data (DID is ignored for holds) 52 + signature, err := kmgr.SignForUser(ctx, "did:plc:ignored", testData) 53 + if err != nil { 54 + t.Fatalf("SignForUser failed: %v", err) 55 + } 56 + 57 + if len(signature) == 0 { 58 + t.Fatal("Expected non-empty signature") 59 + } 60 + 61 + // Verify signature (DID is ignored for holds) 62 + err = kmgr.VerifyUserSignature(ctx, "did:plc:also-ignored", testData, signature) 63 + if err != nil { 64 + t.Fatalf("VerifyUserSignature failed: %v", err) 65 + } 66 + } 67 + 68 + // TestVerifyInvalidSignature tests rejecting bad signatures 69 + func TestVerifyInvalidSignature(t *testing.T) { 70 + ctx := context.Background() 71 + 72 + // Generate a test key 73 + privateKey, err := atcrypto.GeneratePrivateKeyK256() 74 + if err != nil { 75 + t.Fatalf("Failed to generate private key: %v", err) 76 + } 77 + 78 + kmgr := NewHoldKeyManager(privateKey) 79 + 80 + testData := []byte("Original data") 81 + 82 + // Sign original data 83 + signature, err := kmgr.SignForUser(ctx, "did:plc:test", testData) 84 + if err != nil { 85 + t.Fatalf("SignForUser failed: %v", err) 86 + } 87 + 88 + // Test 1: Verify with different data (should fail) 89 + differentData := []byte("Different data") 90 + err = kmgr.VerifyUserSignature(ctx, "did:plc:test", differentData, signature) 91 + if err == nil { 92 + t.Error("Expected verification to fail with different data") 93 + } 94 + 95 + // Test 2: Verify with corrupted signature (should fail) 96 + corruptedSignature := make([]byte, len(signature)) 97 + copy(corruptedSignature, signature) 98 + if len(corruptedSignature) > 0 { 99 + corruptedSignature[0] ^= 0xFF // Flip bits in first byte 100 + } 101 + 102 + err = kmgr.VerifyUserSignature(ctx, "did:plc:test", testData, corruptedSignature) 103 + if err == nil { 104 + t.Error("Expected verification to fail with corrupted signature") 105 + } 106 + 107 + // Test 3: Verify with empty signature (should fail) 108 + err = kmgr.VerifyUserSignature(ctx, "did:plc:test", testData, []byte{}) 109 + if err == nil { 110 + t.Error("Expected verification to fail with empty signature") 111 + } 112 + } 113 + 114 + // TestIgnoresDIDParameter tests that DID parameter doesn't affect signing 115 + func TestIgnoresDIDParameter(t *testing.T) { 116 + ctx := context.Background() 117 + 118 + // Generate a test key 119 + privateKey, err := atcrypto.GeneratePrivateKeyK256() 120 + if err != nil { 121 + t.Fatalf("Failed to generate private key: %v", err) 122 + } 123 + 124 + kmgr := NewHoldKeyManager(privateKey) 125 + 126 + testData := []byte("Test data for DID independence") 127 + 128 + // Sign with different DIDs 129 + signature1, err := kmgr.SignForUser(ctx, "did:plc:alice123", testData) 130 + if err != nil { 131 + t.Fatalf("SignForUser failed with DID alice: %v", err) 132 + } 133 + 134 + signature2, err := kmgr.SignForUser(ctx, "did:plc:bob456", testData) 135 + if err != nil { 136 + t.Fatalf("SignForUser failed with DID bob: %v", err) 137 + } 138 + 139 + signature3, err := kmgr.SignForUser(ctx, "", testData) 140 + if err != nil { 141 + t.Fatalf("SignForUser failed with empty DID: %v", err) 142 + } 143 + 144 + // All signatures should be identical (same key, same data) 145 + // Note: K256 signatures may have randomness (nonce), so they might not be byte-identical 146 + // Instead, verify that all signatures are valid 147 + 148 + // Verify signature1 works with any DID 149 + if err := kmgr.VerifyUserSignature(ctx, "did:plc:alice123", testData, signature1); err != nil { 150 + t.Errorf("Signature1 should verify with alice DID: %v", err) 151 + } 152 + if err := kmgr.VerifyUserSignature(ctx, "did:plc:bob456", testData, signature1); err != nil { 153 + t.Errorf("Signature1 should verify with bob DID: %v", err) 154 + } 155 + if err := kmgr.VerifyUserSignature(ctx, "", testData, signature1); err != nil { 156 + t.Errorf("Signature1 should verify with empty DID: %v", err) 157 + } 158 + 159 + // Verify signature2 works with any DID 160 + if err := kmgr.VerifyUserSignature(ctx, "did:plc:alice123", testData, signature2); err != nil { 161 + t.Errorf("Signature2 should verify with alice DID: %v", err) 162 + } 163 + if err := kmgr.VerifyUserSignature(ctx, "did:plc:bob456", testData, signature2); err != nil { 164 + t.Errorf("Signature2 should verify with bob DID: %v", err) 165 + } 166 + 167 + // Verify signature3 works with any DID 168 + if err := kmgr.VerifyUserSignature(ctx, "did:plc:alice123", testData, signature3); err != nil { 169 + t.Errorf("Signature3 should verify with alice DID: %v", err) 170 + } 171 + if err := kmgr.VerifyUserSignature(ctx, "did:plc:bob456", testData, signature3); err != nil { 172 + t.Errorf("Signature3 should verify with bob DID: %v", err) 173 + } 174 + } 175 + 176 + // TestSignForUser_EmptyData tests signing empty data 177 + func TestSignForUser_EmptyData(t *testing.T) { 178 + ctx := context.Background() 179 + 180 + privateKey, err := atcrypto.GeneratePrivateKeyK256() 181 + if err != nil { 182 + t.Fatalf("Failed to generate private key: %v", err) 183 + } 184 + 185 + kmgr := NewHoldKeyManager(privateKey) 186 + 187 + // Sign empty data 188 + emptyData := []byte{} 189 + signature, err := kmgr.SignForUser(ctx, "did:plc:test", emptyData) 190 + if err != nil { 191 + t.Fatalf("SignForUser failed with empty data: %v", err) 192 + } 193 + 194 + if len(signature) == 0 { 195 + t.Fatal("Expected non-empty signature even for empty data") 196 + } 197 + 198 + // Verify signature 199 + err = kmgr.VerifyUserSignature(ctx, "did:plc:test", emptyData, signature) 200 + if err != nil { 201 + t.Fatalf("VerifyUserSignature failed for empty data: %v", err) 202 + } 203 + } 204 + 205 + // TestSignForUser_LargeData tests signing large data 206 + func TestSignForUser_LargeData(t *testing.T) { 207 + ctx := context.Background() 208 + 209 + privateKey, err := atcrypto.GeneratePrivateKeyK256() 210 + if err != nil { 211 + t.Fatalf("Failed to generate private key: %v", err) 212 + } 213 + 214 + kmgr := NewHoldKeyManager(privateKey) 215 + 216 + // Create large data (1MB) 217 + largeData := make([]byte, 1024*1024) 218 + for i := range largeData { 219 + largeData[i] = byte(i % 256) 220 + } 221 + 222 + // Sign large data 223 + signature, err := kmgr.SignForUser(ctx, "did:plc:test", largeData) 224 + if err != nil { 225 + t.Fatalf("SignForUser failed with large data: %v", err) 226 + } 227 + 228 + if len(signature) == 0 { 229 + t.Fatal("Expected non-empty signature for large data") 230 + } 231 + 232 + // Verify signature 233 + err = kmgr.VerifyUserSignature(ctx, "did:plc:test", largeData, signature) 234 + if err != nil { 235 + t.Fatalf("VerifyUserSignature failed for large data: %v", err) 236 + } 237 + } 238 + 239 + // TestKeyManager_DifferentKeys tests that different keys produce different signatures 240 + func TestKeyManager_DifferentKeys(t *testing.T) { 241 + ctx := context.Background() 242 + 243 + // Generate two different keys 244 + key1, err := atcrypto.GeneratePrivateKeyK256() 245 + if err != nil { 246 + t.Fatalf("Failed to generate key1: %v", err) 247 + } 248 + 249 + key2, err := atcrypto.GeneratePrivateKeyK256() 250 + if err != nil { 251 + t.Fatalf("Failed to generate key2: %v", err) 252 + } 253 + 254 + kmgr1 := NewHoldKeyManager(key1) 255 + kmgr2 := NewHoldKeyManager(key2) 256 + 257 + testData := []byte("Test data") 258 + 259 + // Sign with key1 260 + sig1, err := kmgr1.SignForUser(ctx, "did:plc:test", testData) 261 + if err != nil { 262 + t.Fatalf("SignForUser failed with key1: %v", err) 263 + } 264 + 265 + // Sign with key2 266 + sig2, err := kmgr2.SignForUser(ctx, "did:plc:test", testData) 267 + if err != nil { 268 + t.Fatalf("SignForUser failed with key2: %v", err) 269 + } 270 + 271 + // Signatures should be different (different keys) 272 + // Note: Due to randomness in ECDSA, this isn't guaranteed byte-for-byte, 273 + // but they should not verify with each other's keys 274 + 275 + // Verify sig1 fails with key2 276 + err = kmgr2.VerifyUserSignature(ctx, "did:plc:test", testData, sig1) 277 + if err == nil { 278 + t.Error("Expected sig1 to fail verification with key2") 279 + } 280 + 281 + // Verify sig2 fails with key1 282 + err = kmgr1.VerifyUserSignature(ctx, "did:plc:test", testData, sig2) 283 + if err == nil { 284 + t.Error("Expected sig2 to fail verification with key1") 285 + } 286 + 287 + // But each should verify with their own key 288 + if err := kmgr1.VerifyUserSignature(ctx, "did:plc:test", testData, sig1); err != nil { 289 + t.Errorf("sig1 should verify with key1: %v", err) 290 + } 291 + 292 + if err := kmgr2.VerifyUserSignature(ctx, "did:plc:test", testData, sig2); err != nil { 293 + t.Errorf("sig2 should verify with key2: %v", err) 294 + } 295 + }

+437

pkg/hold/pds/keys_test.go

··· 1 + package pds 2 + 3 + import ( 4 + "bytes" 5 + "os" 6 + "path/filepath" 7 + "testing" 8 + 9 + "github.com/bluesky-social/indigo/atproto/atcrypto" 10 + ) 11 + 12 + // TestGenerateOrLoadKey_Generate tests generating a new key 13 + func TestGenerateOrLoadKey_Generate(t *testing.T) { 14 + tmpDir := t.TempDir() 15 + keyPath := filepath.Join(tmpDir, "test-key") 16 + 17 + // Verify key doesn't exist yet 18 + if _, err := os.Stat(keyPath); !os.IsNotExist(err) { 19 + t.Fatal("Expected key file to not exist") 20 + } 21 + 22 + // Generate key 23 + key, err := GenerateOrLoadKey(keyPath) 24 + if err != nil { 25 + t.Fatalf("GenerateOrLoadKey failed: %v", err) 26 + } 27 + 28 + if key == nil { 29 + t.Fatal("Expected non-nil key") 30 + } 31 + 32 + // Verify key file was created 33 + if _, err := os.Stat(keyPath); os.IsNotExist(err) { 34 + t.Error("Expected key file to be created") 35 + } 36 + 37 + // Verify key file has restrictive permissions (0600) 38 + fileInfo, err := os.Stat(keyPath) 39 + if err != nil { 40 + t.Fatalf("Failed to stat key file: %v", err) 41 + } 42 + 43 + perm := fileInfo.Mode().Perm() 44 + expectedPerm := os.FileMode(0600) 45 + if perm != expectedPerm { 46 + t.Errorf("Expected key file permissions %o, got %o", expectedPerm, perm) 47 + } 48 + 49 + // Verify key can sign data 50 + testData := []byte("test data") 51 + signature, err := key.HashAndSign(testData) 52 + if err != nil { 53 + t.Fatalf("Failed to sign with generated key: %v", err) 54 + } 55 + 56 + if len(signature) == 0 { 57 + t.Error("Expected non-empty signature") 58 + } 59 + 60 + // Verify signature 61 + pubKey, err := key.PublicKey() 62 + if err != nil { 63 + t.Fatalf("Failed to get public key: %v", err) 64 + } 65 + 66 + err = pubKey.HashAndVerify(testData, signature) 67 + if err != nil { 68 + t.Fatalf("Failed to verify signature: %v", err) 69 + } 70 + } 71 + 72 + // TestGenerateOrLoadKey_Load tests loading an existing key 73 + func TestGenerateOrLoadKey_Load(t *testing.T) { 74 + tmpDir := t.TempDir() 75 + keyPath := filepath.Join(tmpDir, "test-key") 76 + 77 + // Generate initial key 78 + key1, err := GenerateOrLoadKey(keyPath) 79 + if err != nil { 80 + t.Fatalf("GenerateOrLoadKey failed on first call: %v", err) 81 + } 82 + 83 + // Get key bytes for comparison 84 + key1Bytes := key1.Bytes() 85 + 86 + // Load the same key again 87 + key2, err := GenerateOrLoadKey(keyPath) 88 + if err != nil { 89 + t.Fatalf("GenerateOrLoadKey failed on second call: %v", err) 90 + } 91 + 92 + // Get key2 bytes 93 + key2Bytes := key2.Bytes() 94 + 95 + // Verify keys are identical 96 + if len(key1Bytes) != len(key2Bytes) { 97 + t.Fatalf("Key byte length mismatch: %d vs %d", len(key1Bytes), len(key2Bytes)) 98 + } 99 + 100 + for i := range key1Bytes { 101 + if key1Bytes[i] != key2Bytes[i] { 102 + t.Errorf("Key byte mismatch at position %d: %x vs %x", i, key1Bytes[i], key2Bytes[i]) 103 + } 104 + } 105 + 106 + // Verify both keys produce same signature for same data 107 + testData := []byte("consistent test data") 108 + 109 + sig1, err := key1.HashAndSign(testData) 110 + if err != nil { 111 + t.Fatalf("Failed to sign with key1: %v", err) 112 + } 113 + 114 + // Verify sig1 with key2's public key 115 + pubKey2, err := key2.PublicKey() 116 + if err != nil { 117 + t.Fatalf("Failed to get public key from key2: %v", err) 118 + } 119 + 120 + err = pubKey2.HashAndVerify(testData, sig1) 121 + if err != nil { 122 + t.Error("Signature from key1 should verify with key2 (they're the same key)") 123 + } 124 + } 125 + 126 + // TestGenerateOrLoadKey_P256Migration tests migrating from old P-256 keys 127 + func TestGenerateOrLoadKey_P256Migration(t *testing.T) { 128 + tmpDir := t.TempDir() 129 + keyPath := filepath.Join(tmpDir, "old-pem-key") 130 + 131 + // Create a fake PEM file (old P-256 format) 132 + pemContent := []byte(`-----BEGIN EC PRIVATE KEY----- 133 + MHcCAQEEIFakeKeyDataHereThisIsNotARealKeyButHasPEMFormat 134 + -----END EC PRIVATE KEY-----`) 135 + 136 + err := os.WriteFile(keyPath, pemContent, 0600) 137 + if err != nil { 138 + t.Fatalf("Failed to write fake PEM key: %v", err) 139 + } 140 + 141 + // Verify file exists and is in PEM format 142 + data, err := os.ReadFile(keyPath) 143 + if err != nil { 144 + t.Fatalf("Failed to read key file: %v", err) 145 + } 146 + 147 + if !isPEMFormat(data) { 148 + t.Fatal("Expected key file to be in PEM format") 149 + } 150 + 151 + // Call GenerateOrLoadKey - should detect PEM and generate new K-256 key 152 + key, err := GenerateOrLoadKey(keyPath) 153 + if err != nil { 154 + t.Fatalf("GenerateOrLoadKey failed during P-256 migration: %v", err) 155 + } 156 + 157 + if key == nil { 158 + t.Fatal("Expected non-nil key after migration") 159 + } 160 + 161 + // Verify key file was replaced (no longer PEM) 162 + newData, err := os.ReadFile(keyPath) 163 + if err != nil { 164 + t.Fatalf("Failed to read new key file: %v", err) 165 + } 166 + 167 + if isPEMFormat(newData) { 168 + t.Error("Expected key file to no longer be in PEM format after migration") 169 + } 170 + 171 + // Verify new key is K-256 and works 172 + testData := []byte("test after migration") 173 + signature, err := key.HashAndSign(testData) 174 + if err != nil { 175 + t.Fatalf("Failed to sign with migrated key: %v", err) 176 + } 177 + 178 + pubKey, err := key.PublicKey() 179 + if err != nil { 180 + t.Fatalf("Failed to get public key: %v", err) 181 + } 182 + 183 + err = pubKey.HashAndVerify(testData, signature) 184 + if err != nil { 185 + t.Fatalf("Failed to verify signature from migrated key: %v", err) 186 + } 187 + } 188 + 189 + // TestKeyPersistence tests that key bytes survive save/load cycle 190 + func TestKeyPersistence(t *testing.T) { 191 + tmpDir := t.TempDir() 192 + keyPath := filepath.Join(tmpDir, "persist-key") 193 + 194 + // Generate key 195 + originalKey, err := GenerateOrLoadKey(keyPath) 196 + if err != nil { 197 + t.Fatalf("GenerateOrLoadKey failed: %v", err) 198 + } 199 + 200 + // Get original key bytes 201 + originalBytes := originalKey.Bytes() 202 + 203 + // Read key file directly 204 + fileBytes, err := os.ReadFile(keyPath) 205 + if err != nil { 206 + t.Fatalf("Failed to read key file: %v", err) 207 + } 208 + 209 + // Verify file bytes match key bytes 210 + if len(fileBytes) != len(originalBytes) { 211 + t.Fatalf("File byte length mismatch: %d vs %d", len(fileBytes), len(originalBytes)) 212 + } 213 + 214 + for i := range originalBytes { 215 + if fileBytes[i] != originalBytes[i] { 216 + t.Errorf("File byte mismatch at position %d: %x vs %x", i, fileBytes[i], originalBytes[i]) 217 + } 218 + } 219 + 220 + // Parse key directly from file bytes 221 + parsedKey, err := atcrypto.ParsePrivateBytesK256(fileBytes) 222 + if err != nil { 223 + t.Fatalf("Failed to parse key from file bytes: %v", err) 224 + } 225 + 226 + // Verify parsed key matches original 227 + parsedBytes := parsedKey.Bytes() 228 + if len(parsedBytes) != len(originalBytes) { 229 + t.Fatalf("Parsed key byte length mismatch: %d vs %d", len(parsedBytes), len(originalBytes)) 230 + } 231 + 232 + for i := range originalBytes { 233 + if parsedBytes[i] != originalBytes[i] { 234 + t.Errorf("Parsed key byte mismatch at position %d: %x vs %x", i, parsedBytes[i], originalBytes[i]) 235 + } 236 + } 237 + } 238 + 239 + // TestGenerateOrLoadKey_DirectoryCreation tests that parent directory is created 240 + func TestGenerateOrLoadKey_DirectoryCreation(t *testing.T) { 241 + tmpDir := t.TempDir() 242 + keyPath := filepath.Join(tmpDir, "nested", "dir", "test-key") 243 + 244 + // Verify nested directories don't exist 245 + nestedDir := filepath.Join(tmpDir, "nested", "dir") 246 + if _, err := os.Stat(nestedDir); !os.IsNotExist(err) { 247 + t.Fatal("Expected nested directory to not exist") 248 + } 249 + 250 + // Generate key (should create directories) 251 + key, err := GenerateOrLoadKey(keyPath) 252 + if err != nil { 253 + t.Fatalf("GenerateOrLoadKey failed: %v", err) 254 + } 255 + 256 + if key == nil { 257 + t.Fatal("Expected non-nil key") 258 + } 259 + 260 + // Verify directories were created 261 + if _, err := os.Stat(nestedDir); os.IsNotExist(err) { 262 + t.Error("Expected nested directory to be created") 263 + } 264 + 265 + // Verify key file exists 266 + if _, err := os.Stat(keyPath); os.IsNotExist(err) { 267 + t.Error("Expected key file to be created") 268 + } 269 + 270 + // Verify directory has restrictive permissions (0700) 271 + dirInfo, err := os.Stat(nestedDir) 272 + if err != nil { 273 + t.Fatalf("Failed to stat directory: %v", err) 274 + } 275 + 276 + dirPerm := dirInfo.Mode().Perm() 277 + expectedDirPerm := os.FileMode(0700) 278 + if dirPerm != expectedDirPerm { 279 + t.Errorf("Expected directory permissions %o, got %o", expectedDirPerm, dirPerm) 280 + } 281 + } 282 + 283 + // TestIsPEMFormat tests the PEM format detection 284 + func TestIsPEMFormat(t *testing.T) { 285 + tests := []struct { 286 + name string 287 + data []byte 288 + expected bool 289 + }{ 290 + { 291 + name: "Valid PEM", 292 + data: []byte("-----BEGIN EC PRIVATE KEY-----\ndata\n-----END EC PRIVATE KEY-----"), 293 + expected: true, 294 + }, 295 + { 296 + name: "Valid PEM (RSA)", 297 + data: []byte("-----BEGIN RSA PRIVATE KEY-----\ndata\n-----END RSA PRIVATE KEY-----"), 298 + expected: true, 299 + }, 300 + { 301 + name: "Binary data", 302 + data: []byte{0x01, 0x02, 0x03, 0x04, 0x05}, 303 + expected: false, 304 + }, 305 + { 306 + name: "Empty data", 307 + data: []byte{}, 308 + expected: false, 309 + }, 310 + { 311 + name: "Short data", 312 + data: []byte("----"), 313 + expected: false, 314 + }, 315 + { 316 + name: "Almost PEM (missing dashes)", 317 + data: []byte("----BEGIN KEY-----"), 318 + expected: false, 319 + }, 320 + } 321 + 322 + for _, tt := range tests { 323 + t.Run(tt.name, func(t *testing.T) { 324 + result := isPEMFormat(tt.data) 325 + if result != tt.expected { 326 + t.Errorf("Expected isPEMFormat=%v, got %v", tt.expected, result) 327 + } 328 + }) 329 + } 330 + } 331 + 332 + // TestGenerateKey_UniqueKeys tests that each generated key is unique 333 + func TestGenerateKey_UniqueKeys(t *testing.T) { 334 + tmpDir := t.TempDir() 335 + 336 + // Generate multiple keys 337 + var keyBytes [][]byte 338 + for i := 0; i < 5; i++ { 339 + keyPath := filepath.Join(tmpDir, "key-"+string(rune('a'+i))) 340 + key, err := GenerateOrLoadKey(keyPath) 341 + if err != nil { 342 + t.Fatalf("GenerateOrLoadKey failed for key %d: %v", i, err) 343 + } 344 + keyBytes = append(keyBytes, key.Bytes()) 345 + } 346 + 347 + // Verify all keys are different 348 + for i := 0; i < len(keyBytes); i++ { 349 + for j := i + 1; j < len(keyBytes); j++ { 350 + // Keys should be different 351 + identical := true 352 + if len(keyBytes[i]) != len(keyBytes[j]) { 353 + identical = false 354 + } else { 355 + for k := range keyBytes[i] { 356 + if keyBytes[i][k] != keyBytes[j][k] { 357 + identical = false 358 + break 359 + } 360 + } 361 + } 362 + 363 + if identical { 364 + t.Errorf("Keys %d and %d are identical (expected unique keys)", i, j) 365 + } 366 + } 367 + } 368 + } 369 + 370 + // TestLoadKey_InvalidFormat tests loading key with invalid format 371 + func TestLoadKey_InvalidFormat(t *testing.T) { 372 + tmpDir := t.TempDir() 373 + keyPath := filepath.Join(tmpDir, "invalid-key") 374 + 375 + // Write invalid data (not a valid K-256 key and not PEM) 376 + invalidData := []byte("This is not a valid key format at all") 377 + err := os.WriteFile(keyPath, invalidData, 0600) 378 + if err != nil { 379 + t.Fatalf("Failed to write invalid key: %v", err) 380 + } 381 + 382 + // Try to load (should fail with parse error, then try to generate new key) 383 + // Since it's not PEM, it will try to parse as K-256 and fail, 384 + // then NOT migrate (migration only happens for PEM), so it should error 385 + _, err = GenerateOrLoadKey(keyPath) 386 + if err == nil { 387 + t.Fatal("Expected error when loading invalid key format") 388 + } 389 + 390 + // Error should mention parsing failure 391 + if err != nil && err.Error() == "" { 392 + t.Error("Expected non-empty error message") 393 + } 394 + } 395 + 396 + // TestGenerateOrLoadKey_CorruptedKey tests behavior with corrupted key file 397 + func TestGenerateOrLoadKey_CorruptedKey(t *testing.T) { 398 + tmpDir := t.TempDir() 399 + keyPath := filepath.Join(tmpDir, "corrupted-key") 400 + 401 + // Generate valid key first 402 + key1, err := GenerateOrLoadKey(keyPath) 403 + if err != nil { 404 + t.Fatalf("GenerateOrLoadKey failed: %v", err) 405 + } 406 + 407 + originalBytes := key1.Bytes() 408 + 409 + // Corrupt the key file (flip some bits in the middle) 410 + corruptedBytes := make([]byte, len(originalBytes)) 411 + copy(corruptedBytes, originalBytes) 412 + if len(corruptedBytes) > 10 { 413 + corruptedBytes[5] ^= 0xFF 414 + corruptedBytes[10] ^= 0xFF 415 + } 416 + 417 + err = os.WriteFile(keyPath, corruptedBytes, 0600) 418 + if err != nil { 419 + t.Fatalf("Failed to write corrupted key: %v", err) 420 + } 421 + 422 + // Try to load corrupted key 423 + // Note: K256 keys are flexible, so slightly corrupted keys might still be valid 424 + // We just verify that it either loads successfully or returns an error 425 + key2, err := GenerateOrLoadKey(keyPath) 426 + if err != nil { 427 + // Expected - corrupted key failed to load 428 + t.Logf("Corrupted key failed to load as expected: %v", err) 429 + return 430 + } 431 + 432 + // If it loaded, verify it's different from the original 433 + key2Bytes := key2.Bytes() 434 + if bytes.Equal(originalBytes, key2Bytes) { 435 + t.Error("Corrupted key loaded with same bytes as original (unexpected)") 436 + } 437 + }

+1284

pkg/hold/pds/repomgr.go

··· 1 + // Package pds contains a vendored copy of RepoManager from github.com/bluesky-social/indigo 2 + // 3 + // Source: github.com/bluesky-social/indigo/repomgr (v0.0.0-20251014222321) 4 + // Reference: github.com/streamplace/indigo (67ae5a5) for PutRecord implementation 5 + // Reason: The indigo library is unmaintained and contains a critical bug in UpdateRecord 6 + // 7 + // Modifications from original: 8 + // - Changed package from 'repomgr' to 'pds' for integration with hold service 9 + // - Fixed UpdateRecord bug (line 263): Changed r.PutRecord to r.UpdateRecord 10 + // (UpdateRecord was incorrectly calling PutRecord, causing incorrect MST operations) 11 + // - Removed 5 Prometheus metrics calls (openAndSigCheckDuration, calcDiffDuration, 12 + // writeCarSliceDuration, repoOpsImported) as metrics are not used in this project 13 + // - Added PutRecord method (lines 309-381) for creating records with explicit rkeys 14 + // (like CreateRecord but with specified rkey instead of auto-generated TID) 15 + // Based on streamplace/indigo implementation 16 + package pds 17 + 18 + import ( 19 + "bytes" 20 + "context" 21 + "errors" 22 + "fmt" 23 + "io" 24 + "log/slog" 25 + "strings" 26 + "sync" 27 + 28 + atproto "github.com/bluesky-social/indigo/api/atproto" 29 + bsky "github.com/bluesky-social/indigo/api/bsky" 30 + "github.com/bluesky-social/indigo/atproto/syntax" 31 + "github.com/bluesky-social/indigo/carstore" 32 + lexutil "github.com/bluesky-social/indigo/lex/util" 33 + "github.com/bluesky-social/indigo/models" 34 + "github.com/bluesky-social/indigo/mst" 35 + "github.com/bluesky-social/indigo/repo" 36 + "github.com/bluesky-social/indigo/util" 37 + 38 + blocks "github.com/ipfs/go-block-format" 39 + "github.com/ipfs/go-cid" 40 + "github.com/ipfs/go-datastore" 41 + blockstore "github.com/ipfs/go-ipfs-blockstore" 42 + ipld "github.com/ipfs/go-ipld-format" 43 + "github.com/ipld/go-car" 44 + cbg "github.com/whyrusleeping/cbor-gen" 45 + "go.opentelemetry.io/otel" 46 + "go.opentelemetry.io/otel/attribute" 47 + "gorm.io/gorm" 48 + ) 49 + 50 + func NewRepoManager(cs carstore.CarStore, kmgr KeyManager) *RepoManager { 51 + 52 + var noArchive bool 53 + if _, ok := cs.(*carstore.NonArchivalCarstore); ok { 54 + noArchive = true 55 + } 56 + 57 + clk := syntax.NewTIDClock(0) 58 + 59 + return &RepoManager{ 60 + cs: cs, 61 + userLocks: make(map[models.Uid]*userLock), 62 + kmgr: kmgr, 63 + log: slog.Default().With("system", "repomgr"), 64 + noArchive: noArchive, 65 + clk: &clk, 66 + } 67 + } 68 + 69 + type KeyManager interface { 70 + VerifyUserSignature(context.Context, string, []byte, []byte) error 71 + SignForUser(context.Context, string, []byte) ([]byte, error) 72 + } 73 + 74 + func (rm *RepoManager) SetEventHandler(cb func(context.Context, *RepoEvent), hydrateRecords bool) { 75 + rm.events = cb 76 + rm.hydrateRecords = hydrateRecords 77 + } 78 + 79 + type RepoManager struct { 80 + cs carstore.CarStore 81 + kmgr KeyManager 82 + 83 + lklk sync.Mutex 84 + userLocks map[models.Uid]*userLock 85 + 86 + events func(context.Context, *RepoEvent) 87 + hydrateRecords bool 88 + 89 + log *slog.Logger 90 + noArchive bool 91 + 92 + clk *syntax.TIDClock 93 + } 94 + 95 + type ActorInfo struct { 96 + Did string 97 + Handle string 98 + DisplayName string 99 + Type string 100 + } 101 + 102 + type RepoEvent struct { 103 + User models.Uid 104 + OldRoot *cid.Cid 105 + NewRoot cid.Cid 106 + Since *string 107 + Rev string 108 + RepoSlice []byte 109 + PDS uint 110 + Ops []RepoOp 111 + } 112 + 113 + type RepoOp struct { 114 + Kind EventKind 115 + Collection string 116 + Rkey string 117 + RecCid *cid.Cid 118 + Record any 119 + ActorInfo *ActorInfo 120 + } 121 + 122 + type EventKind string 123 + 124 + const ( 125 + EvtKindCreateRecord = EventKind("create") 126 + EvtKindUpdateRecord = EventKind("update") 127 + EvtKindDeleteRecord = EventKind("delete") 128 + ) 129 + 130 + type RepoHead struct { 131 + gorm.Model 132 + Usr models.Uid `gorm:"uniqueIndex"` 133 + Root string 134 + } 135 + 136 + type userLock struct { 137 + lk sync.Mutex 138 + count int 139 + } 140 + 141 + func (rm *RepoManager) lockUser(ctx context.Context, user models.Uid) func() { 142 + ctx, span := otel.Tracer("repoman").Start(ctx, "userLock") 143 + defer span.End() 144 + 145 + rm.lklk.Lock() 146 + 147 + ulk, ok := rm.userLocks[user] 148 + if !ok { 149 + ulk = &userLock{} 150 + rm.userLocks[user] = ulk 151 + } 152 + 153 + ulk.count++ 154 + 155 + rm.lklk.Unlock() 156 + 157 + ulk.lk.Lock() 158 + 159 + return func() { 160 + rm.lklk.Lock() 161 + 162 + ulk.lk.Unlock() 163 + ulk.count-- 164 + 165 + if ulk.count == 0 { 166 + delete(rm.userLocks, user) 167 + } 168 + rm.lklk.Unlock() 169 + } 170 + } 171 + 172 + func (rm *RepoManager) CarStore() carstore.CarStore { 173 + return rm.cs 174 + } 175 + 176 + func (rm *RepoManager) CreateRecord(ctx context.Context, user models.Uid, collection string, rec cbg.CBORMarshaler) (string, cid.Cid, error) { 177 + ctx, span := otel.Tracer("repoman").Start(ctx, "CreateRecord") 178 + defer span.End() 179 + 180 + unlock := rm.lockUser(ctx, user) 181 + defer unlock() 182 + 183 + rev, err := rm.cs.GetUserRepoRev(ctx, user) 184 + if err != nil { 185 + return "", cid.Undef, err 186 + } 187 + 188 + ds, err := rm.cs.NewDeltaSession(ctx, user, &rev) 189 + if err != nil { 190 + return "", cid.Undef, err 191 + } 192 + 193 + head := ds.BaseCid() 194 + 195 + r, err := repo.OpenRepo(ctx, ds, head) 196 + if err != nil { 197 + return "", cid.Undef, err 198 + } 199 + 200 + cc, tid, err := r.CreateRecord(ctx, collection, rec) 201 + if err != nil { 202 + return "", cid.Undef, err 203 + } 204 + 205 + nroot, nrev, err := r.Commit(ctx, rm.kmgr.SignForUser) 206 + if err != nil { 207 + return "", cid.Undef, err 208 + } 209 + 210 + rslice, err := ds.CloseWithRoot(ctx, nroot, nrev) 211 + if err != nil { 212 + return "", cid.Undef, fmt.Errorf("close with root: %w", err) 213 + } 214 + 215 + var oldroot *cid.Cid 216 + if head.Defined() { 217 + oldroot = &head 218 + } 219 + 220 + if rm.events != nil { 221 + rm.events(ctx, &RepoEvent{ 222 + User: user, 223 + OldRoot: oldroot, 224 + NewRoot: nroot, 225 + Rev: nrev, 226 + Since: &rev, 227 + Ops: []RepoOp{{ 228 + Kind: EvtKindCreateRecord, 229 + Collection: collection, 230 + Rkey: tid, 231 + Record: rec, 232 + RecCid: &cc, 233 + }}, 234 + RepoSlice: rslice, 235 + }) 236 + } 237 + 238 + return collection + "/" + tid, cc, nil 239 + } 240 + 241 + func (rm *RepoManager) UpdateRecord(ctx context.Context, user models.Uid, collection, rkey string, rec cbg.CBORMarshaler) (cid.Cid, error) { 242 + ctx, span := otel.Tracer("repoman").Start(ctx, "UpdateRecord") 243 + defer span.End() 244 + 245 + unlock := rm.lockUser(ctx, user) 246 + defer unlock() 247 + 248 + rev, err := rm.cs.GetUserRepoRev(ctx, user) 249 + if err != nil { 250 + return cid.Undef, err 251 + } 252 + 253 + ds, err := rm.cs.NewDeltaSession(ctx, user, &rev) 254 + if err != nil { 255 + return cid.Undef, err 256 + } 257 + 258 + head := ds.BaseCid() 259 + r, err := repo.OpenRepo(ctx, ds, head) 260 + if err != nil { 261 + return cid.Undef, err 262 + } 263 + 264 + rpath := collection + "/" + rkey 265 + cc, err := r.UpdateRecord(ctx, rpath, rec) 266 + if err != nil { 267 + return cid.Undef, err 268 + } 269 + 270 + nroot, nrev, err := r.Commit(ctx, rm.kmgr.SignForUser) 271 + if err != nil { 272 + return cid.Undef, err 273 + } 274 + 275 + rslice, err := ds.CloseWithRoot(ctx, nroot, nrev) 276 + if err != nil { 277 + return cid.Undef, fmt.Errorf("close with root: %w", err) 278 + } 279 + 280 + var oldroot *cid.Cid 281 + if head.Defined() { 282 + oldroot = &head 283 + } 284 + 285 + if rm.events != nil { 286 + op := RepoOp{ 287 + Kind: EvtKindUpdateRecord, 288 + Collection: collection, 289 + Rkey: rkey, 290 + RecCid: &cc, 291 + } 292 + 293 + if rm.hydrateRecords { 294 + op.Record = rec 295 + } 296 + 297 + rm.events(ctx, &RepoEvent{ 298 + User: user, 299 + OldRoot: oldroot, 300 + NewRoot: nroot, 301 + Rev: nrev, 302 + Since: &rev, 303 + Ops: []RepoOp{op}, 304 + RepoSlice: rslice, 305 + }) 306 + } 307 + 308 + return cc, nil 309 + } 310 + 311 + // PutRecord creates a record with an explicit rkey (like CreateRecord but with specified rkey). 312 + // This uses r.PutRecord which will FAIL if the rkey already exists (uses mst.Add, not mst.Update). 313 + // Use UpdateRecord to modify existing records. 314 + // Returns the collection path (e.g., "io.atcr.captain/self") and CID. 315 + func (rm *RepoManager) PutRecord(ctx context.Context, user models.Uid, collection, rkey string, rec cbg.CBORMarshaler) (string, cid.Cid, error) { 316 + ctx, span := otel.Tracer("repoman").Start(ctx, "PutRecord") 317 + defer span.End() 318 + 319 + unlock := rm.lockUser(ctx, user) 320 + defer unlock() 321 + 322 + rev, err := rm.cs.GetUserRepoRev(ctx, user) 323 + if err != nil { 324 + return "", cid.Undef, err 325 + } 326 + 327 + ds, err := rm.cs.NewDeltaSession(ctx, user, &rev) 328 + if err != nil { 329 + return "", cid.Undef, err 330 + } 331 + 332 + head := ds.BaseCid() 333 + r, err := repo.OpenRepo(ctx, ds, head) 334 + if err != nil { 335 + return "", cid.Undef, err 336 + } 337 + 338 + rpath := collection + "/" + rkey 339 + cc, err := r.PutRecord(ctx, rpath, rec) 340 + if err != nil { 341 + return "", cid.Undef, err 342 + } 343 + 344 + nroot, nrev, err := r.Commit(ctx, rm.kmgr.SignForUser) 345 + if err != nil { 346 + return "", cid.Undef, err 347 + } 348 + 349 + rslice, err := ds.CloseWithRoot(ctx, nroot, nrev) 350 + if err != nil { 351 + return "", cid.Undef, fmt.Errorf("close with root: %w", err) 352 + } 353 + 354 + var oldroot *cid.Cid 355 + if head.Defined() { 356 + oldroot = &head 357 + } 358 + 359 + if rm.events != nil { 360 + op := RepoOp{ 361 + Kind: EvtKindCreateRecord, 362 + Collection: collection, 363 + Rkey: rkey, 364 + RecCid: &cc, 365 + } 366 + 367 + if rm.hydrateRecords { 368 + op.Record = rec 369 + } 370 + 371 + rm.events(ctx, &RepoEvent{ 372 + User: user, 373 + OldRoot: oldroot, 374 + NewRoot: nroot, 375 + Rev: nrev, 376 + Since: &rev, 377 + Ops: []RepoOp{op}, 378 + RepoSlice: rslice, 379 + }) 380 + } 381 + 382 + return rpath, cc, nil 383 + } 384 + 385 + func (rm *RepoManager) DeleteRecord(ctx context.Context, user models.Uid, collection, rkey string) error { 386 + ctx, span := otel.Tracer("repoman").Start(ctx, "DeleteRecord") 387 + defer span.End() 388 + 389 + unlock := rm.lockUser(ctx, user) 390 + defer unlock() 391 + 392 + rev, err := rm.cs.GetUserRepoRev(ctx, user) 393 + if err != nil { 394 + return err 395 + } 396 + 397 + ds, err := rm.cs.NewDeltaSession(ctx, user, &rev) 398 + if err != nil { 399 + return err 400 + } 401 + 402 + head := ds.BaseCid() 403 + r, err := repo.OpenRepo(ctx, ds, head) 404 + if err != nil { 405 + return err 406 + } 407 + 408 + rpath := collection + "/" + rkey 409 + if err := r.DeleteRecord(ctx, rpath); err != nil { 410 + return err 411 + } 412 + 413 + nroot, nrev, err := r.Commit(ctx, rm.kmgr.SignForUser) 414 + if err != nil { 415 + return err 416 + } 417 + 418 + rslice, err := ds.CloseWithRoot(ctx, nroot, nrev) 419 + if err != nil { 420 + return fmt.Errorf("close with root: %w", err) 421 + } 422 + 423 + var oldroot *cid.Cid 424 + if head.Defined() { 425 + oldroot = &head 426 + } 427 + 428 + if rm.events != nil { 429 + rm.events(ctx, &RepoEvent{ 430 + User: user, 431 + OldRoot: oldroot, 432 + NewRoot: nroot, 433 + Rev: nrev, 434 + Since: &rev, 435 + Ops: []RepoOp{{ 436 + Kind: EvtKindDeleteRecord, 437 + Collection: collection, 438 + Rkey: rkey, 439 + }}, 440 + RepoSlice: rslice, 441 + }) 442 + } 443 + 444 + return nil 445 + 446 + } 447 + 448 + func (rm *RepoManager) InitNewActor(ctx context.Context, user models.Uid, handle, did, displayname string, declcid, actortype string) error { 449 + unlock := rm.lockUser(ctx, user) 450 + defer unlock() 451 + 452 + if did == "" { 453 + return fmt.Errorf("must specify DID for new actor") 454 + } 455 + 456 + if user == 0 { 457 + return fmt.Errorf("must specify user for new actor") 458 + } 459 + 460 + ds, err := rm.cs.NewDeltaSession(ctx, user, nil) 461 + if err != nil { 462 + return fmt.Errorf("creating new delta session: %w", err) 463 + } 464 + 465 + r := repo.NewRepo(ctx, did, ds) 466 + 467 + profile := &bsky.ActorProfile{ 468 + DisplayName: &displayname, 469 + } 470 + 471 + _, err = r.PutRecord(ctx, "app.bsky.actor.profile/self", profile) 472 + if err != nil { 473 + return fmt.Errorf("setting initial actor profile: %w", err) 474 + } 475 + 476 + root, nrev, err := r.Commit(ctx, rm.kmgr.SignForUser) 477 + if err != nil { 478 + return fmt.Errorf("committing repo for actor init: %w", err) 479 + } 480 + 481 + rslice, err := ds.CloseWithRoot(ctx, root, nrev) 482 + if err != nil { 483 + return fmt.Errorf("close with root: %w", err) 484 + } 485 + 486 + if rm.events != nil { 487 + op := RepoOp{ 488 + Kind: EvtKindCreateRecord, 489 + Collection: "app.bsky.actor.profile", 490 + Rkey: "self", 491 + } 492 + 493 + if rm.hydrateRecords { 494 + op.Record = profile 495 + } 496 + 497 + rm.events(ctx, &RepoEvent{ 498 + User: user, 499 + NewRoot: root, 500 + Rev: nrev, 501 + Ops: []RepoOp{op}, 502 + RepoSlice: rslice, 503 + }) 504 + } 505 + 506 + return nil 507 + } 508 + 509 + func (rm *RepoManager) GetRepoRoot(ctx context.Context, user models.Uid) (cid.Cid, error) { 510 + unlock := rm.lockUser(ctx, user) 511 + defer unlock() 512 + 513 + return rm.cs.GetUserRepoHead(ctx, user) 514 + } 515 + 516 + func (rm *RepoManager) GetRepoRev(ctx context.Context, user models.Uid) (string, error) { 517 + unlock := rm.lockUser(ctx, user) 518 + defer unlock() 519 + 520 + return rm.cs.GetUserRepoRev(ctx, user) 521 + } 522 + 523 + func (rm *RepoManager) ReadRepo(ctx context.Context, user models.Uid, since string, w io.Writer) error { 524 + return rm.cs.ReadUserCar(ctx, user, since, true, w) 525 + } 526 + 527 + func (rm *RepoManager) GetRecord(ctx context.Context, user models.Uid, collection string, rkey string, maybeCid cid.Cid) (cid.Cid, cbg.CBORMarshaler, error) { 528 + bs, err := rm.cs.ReadOnlySession(user) 529 + if err != nil { 530 + return cid.Undef, nil, err 531 + } 532 + 533 + head, err := rm.cs.GetUserRepoHead(ctx, user) 534 + if err != nil { 535 + return cid.Undef, nil, err 536 + } 537 + 538 + r, err := repo.OpenRepo(ctx, bs, head) 539 + if err != nil { 540 + return cid.Undef, nil, err 541 + } 542 + 543 + ocid, val, err := r.GetRecord(ctx, collection+"/"+rkey) 544 + if err != nil { 545 + return cid.Undef, nil, err 546 + } 547 + 548 + if maybeCid.Defined() && ocid != maybeCid { 549 + return cid.Undef, nil, fmt.Errorf("record at specified key had different CID than expected") 550 + } 551 + 552 + return ocid, val, nil 553 + } 554 + 555 + func (rm *RepoManager) GetRecordProof(ctx context.Context, user models.Uid, collection string, rkey string) (cid.Cid, []blocks.Block, error) { 556 + robs, err := rm.cs.ReadOnlySession(user) 557 + if err != nil { 558 + return cid.Undef, nil, err 559 + } 560 + 561 + bs := util.NewLoggingBstore(robs) 562 + 563 + head, err := rm.cs.GetUserRepoHead(ctx, user) 564 + if err != nil { 565 + return cid.Undef, nil, err 566 + } 567 + 568 + r, err := repo.OpenRepo(ctx, bs, head) 569 + if err != nil { 570 + return cid.Undef, nil, err 571 + } 572 + 573 + _, _, err = r.GetRecordBytes(ctx, collection+"/"+rkey) 574 + if err != nil { 575 + return cid.Undef, nil, err 576 + } 577 + 578 + return head, bs.GetLoggedBlocks(), nil 579 + } 580 + 581 + func (rm *RepoManager) GetProfile(ctx context.Context, uid models.Uid) (*bsky.ActorProfile, error) { 582 + bs, err := rm.cs.ReadOnlySession(uid) 583 + if err != nil { 584 + return nil, err 585 + } 586 + 587 + head, err := rm.cs.GetUserRepoHead(ctx, uid) 588 + if err != nil { 589 + return nil, err 590 + } 591 + 592 + r, err := repo.OpenRepo(ctx, bs, head) 593 + if err != nil { 594 + return nil, err 595 + } 596 + 597 + _, val, err := r.GetRecord(ctx, "app.bsky.actor.profile/self") 598 + if err != nil { 599 + return nil, err 600 + } 601 + 602 + ap, ok := val.(*bsky.ActorProfile) 603 + if !ok { 604 + return nil, fmt.Errorf("found wrong type in actor profile location in tree") 605 + } 606 + 607 + return ap, nil 608 + } 609 + 610 + func (rm *RepoManager) CheckRepoSig(ctx context.Context, r *repo.Repo, expdid string) error { 611 + ctx, span := otel.Tracer("repoman").Start(ctx, "CheckRepoSig") 612 + defer span.End() 613 + 614 + repoDid := r.RepoDid() 615 + if expdid != repoDid { 616 + return fmt.Errorf("DID in repo did not match (%q != %q)", expdid, repoDid) 617 + } 618 + 619 + scom := r.SignedCommit() 620 + 621 + usc := scom.Unsigned() 622 + sb, err := usc.BytesForSigning() 623 + if err != nil { 624 + return fmt.Errorf("commit serialization failed: %w", err) 625 + } 626 + if err := rm.kmgr.VerifyUserSignature(ctx, repoDid, scom.Sig, sb); err != nil { 627 + return fmt.Errorf("signature check failed (sig: %x) (sb: %x) : %w", scom.Sig, sb, err) 628 + } 629 + 630 + return nil 631 + } 632 + 633 + func (rm *RepoManager) HandleExternalUserEvent(ctx context.Context, pdsid uint, uid models.Uid, did string, since *string, nrev string, carslice []byte, ops []*atproto.SyncSubscribeRepos_RepoOp) error { 634 + if rm.noArchive { 635 + return rm.handleExternalUserEventNoArchive(ctx, pdsid, uid, did, since, nrev, carslice, ops) 636 + } else { 637 + return rm.handleExternalUserEventArchive(ctx, pdsid, uid, did, since, nrev, carslice, ops) 638 + } 639 + } 640 + 641 + func (rm *RepoManager) handleExternalUserEventNoArchive(ctx context.Context, pdsid uint, uid models.Uid, did string, since *string, nrev string, carslice []byte, ops []*atproto.SyncSubscribeRepos_RepoOp) error { 642 + ctx, span := otel.Tracer("repoman").Start(ctx, "HandleExternalUserEvent") 643 + defer span.End() 644 + 645 + span.SetAttributes(attribute.Int64("uid", int64(uid))) 646 + 647 + rm.log.Debug("HandleExternalUserEvent", "pds", pdsid, "uid", uid, "since", since, "nrev", nrev) 648 + 649 + unlock := rm.lockUser(ctx, uid) 650 + defer unlock() 651 + 652 + root, ds, err := rm.cs.ImportSlice(ctx, uid, since, carslice) 653 + if err != nil { 654 + return fmt.Errorf("importing external carslice: %w", err) 655 + } 656 + 657 + r, err := repo.OpenRepo(ctx, ds, root) 658 + if err != nil { 659 + return fmt.Errorf("opening external user repo (%d, root=%s): %w", uid, root, err) 660 + } 661 + 662 + if err := rm.CheckRepoSig(ctx, r, did); err != nil { 663 + return fmt.Errorf("check repo sig: %w", err) 664 + } 665 + 666 + evtops := make([]RepoOp, 0, len(ops)) 667 + for _, op := range ops { 668 + parts := strings.SplitN(op.Path, "/", 2) 669 + if len(parts) != 2 { 670 + return fmt.Errorf("invalid rpath in mst diff, must have collection and rkey") 671 + } 672 + 673 + switch EventKind(op.Action) { 674 + case EvtKindCreateRecord: 675 + rop := RepoOp{ 676 + Kind: EvtKindCreateRecord, 677 + Collection: parts[0], 678 + Rkey: parts[1], 679 + RecCid: (*cid.Cid)(op.Cid), 680 + } 681 + 682 + if rm.hydrateRecords { 683 + _, rec, err := r.GetRecord(ctx, op.Path) 684 + if err != nil { 685 + return fmt.Errorf("reading changed record from car slice: %w", err) 686 + } 687 + rop.Record = rec 688 + } 689 + 690 + evtops = append(evtops, rop) 691 + case EvtKindUpdateRecord: 692 + rop := RepoOp{ 693 + Kind: EvtKindUpdateRecord, 694 + Collection: parts[0], 695 + Rkey: parts[1], 696 + RecCid: (*cid.Cid)(op.Cid), 697 + } 698 + 699 + if rm.hydrateRecords { 700 + _, rec, err := r.GetRecord(ctx, op.Path) 701 + if err != nil { 702 + return fmt.Errorf("reading changed record from car slice: %w", err) 703 + } 704 + 705 + rop.Record = rec 706 + } 707 + 708 + evtops = append(evtops, rop) 709 + case EvtKindDeleteRecord: 710 + evtops = append(evtops, RepoOp{ 711 + Kind: EvtKindDeleteRecord, 712 + Collection: parts[0], 713 + Rkey: parts[1], 714 + }) 715 + default: 716 + return fmt.Errorf("unrecognized external user event kind: %q", op.Action) 717 + } 718 + } 719 + 720 + if rm.events != nil { 721 + rm.events(ctx, &RepoEvent{ 722 + User: uid, 723 + //OldRoot: prev, 724 + NewRoot: root, 725 + Rev: nrev, 726 + Since: since, 727 + Ops: evtops, 728 + RepoSlice: carslice, 729 + PDS: pdsid, 730 + }) 731 + } 732 + 733 + return nil 734 + } 735 + 736 + func (rm *RepoManager) handleExternalUserEventArchive(ctx context.Context, pdsid uint, uid models.Uid, did string, since *string, nrev string, carslice []byte, ops []*atproto.SyncSubscribeRepos_RepoOp) error { 737 + ctx, span := otel.Tracer("repoman").Start(ctx, "HandleExternalUserEvent") 738 + defer span.End() 739 + 740 + span.SetAttributes(attribute.Int64("uid", int64(uid))) 741 + 742 + rm.log.Debug("HandleExternalUserEvent", "pds", pdsid, "uid", uid, "since", since, "nrev", nrev) 743 + 744 + unlock := rm.lockUser(ctx, uid) 745 + defer unlock() 746 + 747 + root, ds, err := rm.cs.ImportSlice(ctx, uid, since, carslice) 748 + if err != nil { 749 + return fmt.Errorf("importing external carslice: %w", err) 750 + } 751 + 752 + r, err := repo.OpenRepo(ctx, ds, root) 753 + if err != nil { 754 + return fmt.Errorf("opening external user repo (%d, root=%s): %w", uid, root, err) 755 + } 756 + 757 + if err := rm.CheckRepoSig(ctx, r, did); err != nil { 758 + return err 759 + } 760 + 761 + var skipcids map[cid.Cid]bool 762 + if ds.BaseCid().Defined() { 763 + oldrepo, err := repo.OpenRepo(ctx, ds, ds.BaseCid()) 764 + if err != nil { 765 + return fmt.Errorf("failed to check data root in old repo: %w", err) 766 + } 767 + 768 + // if the old commit has a 'prev', CalcDiff will error out while trying 769 + // to walk it. This is an old repo thing that is being deprecated. 770 + // This check is a temporary workaround until all repos get migrated 771 + // and this becomes no longer an issue 772 + prev, _ := oldrepo.PrevCommit(ctx) 773 + if prev != nil { 774 + skipcids = map[cid.Cid]bool{ 775 + *prev: true, 776 + } 777 + } 778 + } 779 + 780 + if err := ds.CalcDiff(ctx, skipcids); err != nil { 781 + return fmt.Errorf("failed while calculating mst diff (since=%v): %w", since, err) 782 + } 783 + 784 + evtops := make([]RepoOp, 0, len(ops)) 785 + 786 + for _, op := range ops { 787 + parts := strings.SplitN(op.Path, "/", 2) 788 + if len(parts) != 2 { 789 + return fmt.Errorf("invalid rpath in mst diff, must have collection and rkey") 790 + } 791 + 792 + switch EventKind(op.Action) { 793 + case EvtKindCreateRecord: 794 + rop := RepoOp{ 795 + Kind: EvtKindCreateRecord, 796 + Collection: parts[0], 797 + Rkey: parts[1], 798 + RecCid: (*cid.Cid)(op.Cid), 799 + } 800 + 801 + if rm.hydrateRecords { 802 + _, rec, err := r.GetRecord(ctx, op.Path) 803 + if err != nil { 804 + return fmt.Errorf("reading changed record from car slice: %w", err) 805 + } 806 + rop.Record = rec 807 + } 808 + 809 + evtops = append(evtops, rop) 810 + case EvtKindUpdateRecord: 811 + rop := RepoOp{ 812 + Kind: EvtKindUpdateRecord, 813 + Collection: parts[0], 814 + Rkey: parts[1], 815 + RecCid: (*cid.Cid)(op.Cid), 816 + } 817 + 818 + if rm.hydrateRecords { 819 + _, rec, err := r.GetRecord(ctx, op.Path) 820 + if err != nil { 821 + return fmt.Errorf("reading changed record from car slice: %w", err) 822 + } 823 + 824 + rop.Record = rec 825 + } 826 + 827 + evtops = append(evtops, rop) 828 + case EvtKindDeleteRecord: 829 + evtops = append(evtops, RepoOp{ 830 + Kind: EvtKindDeleteRecord, 831 + Collection: parts[0], 832 + Rkey: parts[1], 833 + }) 834 + default: 835 + return fmt.Errorf("unrecognized external user event kind: %q", op.Action) 836 + } 837 + } 838 + 839 + rslice, err := ds.CloseWithRoot(ctx, root, nrev) 840 + if err != nil { 841 + return fmt.Errorf("close with root: %w", err) 842 + } 843 + 844 + if rm.events != nil { 845 + rm.events(ctx, &RepoEvent{ 846 + User: uid, 847 + //OldRoot: prev, 848 + NewRoot: root, 849 + Rev: nrev, 850 + Since: since, 851 + Ops: evtops, 852 + RepoSlice: rslice, 853 + PDS: pdsid, 854 + }) 855 + } 856 + 857 + return nil 858 + } 859 + 860 + func (rm *RepoManager) BatchWrite(ctx context.Context, user models.Uid, writes []*atproto.RepoApplyWrites_Input_Writes_Elem) error { 861 + ctx, span := otel.Tracer("repoman").Start(ctx, "BatchWrite") 862 + defer span.End() 863 + 864 + unlock := rm.lockUser(ctx, user) 865 + defer unlock() 866 + 867 + rev, err := rm.cs.GetUserRepoRev(ctx, user) 868 + if err != nil { 869 + return err 870 + } 871 + 872 + ds, err := rm.cs.NewDeltaSession(ctx, user, &rev) 873 + if err != nil { 874 + return err 875 + } 876 + 877 + head := ds.BaseCid() 878 + r, err := repo.OpenRepo(ctx, ds, head) 879 + if err != nil { 880 + return err 881 + } 882 + 883 + ops := make([]RepoOp, 0, len(writes)) 884 + for _, w := range writes { 885 + switch { 886 + case w.RepoApplyWrites_Create != nil: 887 + c := w.RepoApplyWrites_Create 888 + var rkey string 889 + if c.Rkey != nil { 890 + rkey = *c.Rkey 891 + } else { 892 + rkey = rm.clk.Next().String() 893 + } 894 + 895 + nsid := c.Collection + "/" + rkey 896 + cc, err := r.PutRecord(ctx, nsid, c.Value.Val) 897 + if err != nil { 898 + return err 899 + } 900 + 901 + op := RepoOp{ 902 + Kind: EvtKindCreateRecord, 903 + Collection: c.Collection, 904 + Rkey: rkey, 905 + RecCid: &cc, 906 + } 907 + 908 + if rm.hydrateRecords { 909 + op.Record = c.Value.Val 910 + } 911 + 912 + ops = append(ops, op) 913 + case w.RepoApplyWrites_Update != nil: 914 + u := w.RepoApplyWrites_Update 915 + 916 + cc, err := r.PutRecord(ctx, u.Collection+"/"+u.Rkey, u.Value.Val) 917 + if err != nil { 918 + return err 919 + } 920 + 921 + op := RepoOp{ 922 + Kind: EvtKindUpdateRecord, 923 + Collection: u.Collection, 924 + Rkey: u.Rkey, 925 + RecCid: &cc, 926 + } 927 + 928 + if rm.hydrateRecords { 929 + op.Record = u.Value.Val 930 + } 931 + 932 + ops = append(ops, op) 933 + case w.RepoApplyWrites_Delete != nil: 934 + d := w.RepoApplyWrites_Delete 935 + 936 + if err := r.DeleteRecord(ctx, d.Collection+"/"+d.Rkey); err != nil { 937 + return err 938 + } 939 + 940 + ops = append(ops, RepoOp{ 941 + Kind: EvtKindDeleteRecord, 942 + Collection: d.Collection, 943 + Rkey: d.Rkey, 944 + }) 945 + default: 946 + return fmt.Errorf("no operation set in write enum") 947 + } 948 + } 949 + 950 + nroot, nrev, err := r.Commit(ctx, rm.kmgr.SignForUser) 951 + if err != nil { 952 + return err 953 + } 954 + 955 + rslice, err := ds.CloseWithRoot(ctx, nroot, nrev) 956 + if err != nil { 957 + return fmt.Errorf("close with root: %w", err) 958 + } 959 + 960 + var oldroot *cid.Cid 961 + if head.Defined() { 962 + oldroot = &head 963 + } 964 + 965 + if rm.events != nil { 966 + rm.events(ctx, &RepoEvent{ 967 + User: user, 968 + OldRoot: oldroot, 969 + NewRoot: nroot, 970 + RepoSlice: rslice, 971 + Rev: nrev, 972 + Since: &rev, 973 + Ops: ops, 974 + }) 975 + } 976 + 977 + return nil 978 + } 979 + 980 + func (rm *RepoManager) ImportNewRepo(ctx context.Context, user models.Uid, repoDid string, r io.Reader, rev *string) error { 981 + ctx, span := otel.Tracer("repoman").Start(ctx, "ImportNewRepo") 982 + defer span.End() 983 + 984 + unlock := rm.lockUser(ctx, user) 985 + defer unlock() 986 + 987 + currev, err := rm.cs.GetUserRepoRev(ctx, user) 988 + if err != nil { 989 + return err 990 + } 991 + 992 + curhead, err := rm.cs.GetUserRepoHead(ctx, user) 993 + if err != nil { 994 + return err 995 + } 996 + 997 + if rev != nil && *rev == "" { 998 + rev = nil 999 + } 1000 + if rev == nil { 1001 + // if 'rev' is nil, this implies a fresh sync. 1002 + // in this case, ignore any existing blocks we have and treat this like a clean import. 1003 + curhead = cid.Undef 1004 + } 1005 + 1006 + if rev != nil && *rev != currev { 1007 + // TODO: we could probably just deal with this 1008 + return fmt.Errorf("ImportNewRepo called with incorrect base") 1009 + } 1010 + 1011 + err = rm.processNewRepo(ctx, user, r, rev, func(ctx context.Context, root cid.Cid, finish func(context.Context, string) ([]byte, error), bs blockstore.Blockstore) error { 1012 + r, err := repo.OpenRepo(ctx, bs, root) 1013 + if err != nil { 1014 + return fmt.Errorf("opening new repo: %w", err) 1015 + } 1016 + 1017 + scom := r.SignedCommit() 1018 + 1019 + usc := scom.Unsigned() 1020 + sb, err := usc.BytesForSigning() 1021 + if err != nil { 1022 + return fmt.Errorf("commit serialization failed: %w", err) 1023 + } 1024 + if err := rm.kmgr.VerifyUserSignature(ctx, repoDid, scom.Sig, sb); err != nil { 1025 + return fmt.Errorf("new user signature check failed: %w", err) 1026 + } 1027 + 1028 + diffops, err := r.DiffSince(ctx, curhead) 1029 + if err != nil { 1030 + return fmt.Errorf("diff trees (curhead: %s): %w", curhead, err) 1031 + } 1032 + 1033 + ops := make([]RepoOp, 0, len(diffops)) 1034 + for _, op := range diffops { 1035 + out, err := rm.processOp(ctx, bs, op, rm.hydrateRecords) 1036 + if err != nil { 1037 + rm.log.Error("failed to process repo op", "err", err, "path", op.Rpath, "repo", repoDid) 1038 + } 1039 + 1040 + if out != nil { 1041 + ops = append(ops, *out) 1042 + } 1043 + } 1044 + 1045 + slice, err := finish(ctx, scom.Rev) 1046 + if err != nil { 1047 + return err 1048 + } 1049 + 1050 + if rm.events != nil { 1051 + rm.events(ctx, &RepoEvent{ 1052 + User: user, 1053 + //OldRoot: oldroot, 1054 + NewRoot: root, 1055 + Rev: scom.Rev, 1056 + Since: &currev, 1057 + RepoSlice: slice, 1058 + Ops: ops, 1059 + }) 1060 + } 1061 + 1062 + return nil 1063 + }) 1064 + if err != nil { 1065 + return fmt.Errorf("process new repo (current rev: %s): %w:", currev, err) 1066 + } 1067 + 1068 + return nil 1069 + } 1070 + 1071 + func (rm *RepoManager) processOp(ctx context.Context, bs blockstore.Blockstore, op *mst.DiffOp, hydrateRecords bool) (*RepoOp, error) { 1072 + parts := strings.SplitN(op.Rpath, "/", 2) 1073 + if len(parts) != 2 { 1074 + return nil, fmt.Errorf("repo mst had invalid rpath: %q", op.Rpath) 1075 + } 1076 + 1077 + switch op.Op { 1078 + case "add", "mut": 1079 + 1080 + kind := EvtKindCreateRecord 1081 + if op.Op == "mut" { 1082 + kind = EvtKindUpdateRecord 1083 + } 1084 + 1085 + outop := &RepoOp{ 1086 + Kind: kind, 1087 + Collection: parts[0], 1088 + Rkey: parts[1], 1089 + RecCid: &op.NewCid, 1090 + } 1091 + 1092 + if hydrateRecords { 1093 + blk, err := bs.Get(ctx, op.NewCid) 1094 + if err != nil { 1095 + return nil, err 1096 + } 1097 + 1098 + rec, err := lexutil.CborDecodeValue(blk.RawData()) 1099 + if err != nil { 1100 + if !errors.Is(err, lexutil.ErrUnrecognizedType) { 1101 + return nil, err 1102 + } 1103 + 1104 + rm.log.Warn("failed processing repo diff", "err", err) 1105 + } else { 1106 + outop.Record = rec 1107 + } 1108 + } 1109 + 1110 + return outop, nil 1111 + case "del": 1112 + return &RepoOp{ 1113 + Kind: EvtKindDeleteRecord, 1114 + Collection: parts[0], 1115 + Rkey: parts[1], 1116 + RecCid: nil, 1117 + }, nil 1118 + 1119 + default: 1120 + return nil, fmt.Errorf("diff returned invalid op type: %q", op.Op) 1121 + } 1122 + } 1123 + 1124 + func (rm *RepoManager) processNewRepo(ctx context.Context, user models.Uid, r io.Reader, rev *string, cb func(ctx context.Context, root cid.Cid, finish func(context.Context, string) ([]byte, error), bs blockstore.Blockstore) error) error { 1125 + ctx, span := otel.Tracer("repoman").Start(ctx, "processNewRepo") 1126 + defer span.End() 1127 + 1128 + carr, err := car.NewCarReader(r) 1129 + if err != nil { 1130 + return err 1131 + } 1132 + 1133 + if len(carr.Header.Roots) != 1 { 1134 + return fmt.Errorf("invalid car file, header must have a single root (has %d)", len(carr.Header.Roots)) 1135 + } 1136 + 1137 + membs := blockstore.NewBlockstore(datastore.NewMapDatastore()) 1138 + 1139 + for { 1140 + blk, err := carr.Next() 1141 + if err != nil { 1142 + if err == io.EOF { 1143 + break 1144 + } 1145 + return err 1146 + } 1147 + 1148 + if err := membs.Put(ctx, blk); err != nil { 1149 + return err 1150 + } 1151 + } 1152 + 1153 + seen := make(map[cid.Cid]bool) 1154 + 1155 + root := carr.Header.Roots[0] 1156 + // TODO: if there are blocks that get convergently recreated throughout 1157 + // the repos lifecycle, this will end up erroneously not including 1158 + // them. We should compute the set of blocks needed to read any repo 1159 + // ops that happened in the commit and use that for our 'output' blocks 1160 + cids, err := rm.walkTree(ctx, seen, root, membs, true) 1161 + if err != nil { 1162 + return fmt.Errorf("walkTree: %w", err) 1163 + } 1164 + 1165 + ds, err := rm.cs.NewDeltaSession(ctx, user, rev) 1166 + if err != nil { 1167 + return fmt.Errorf("opening delta session: %w", err) 1168 + } 1169 + 1170 + for _, c := range cids { 1171 + blk, err := membs.Get(ctx, c) 1172 + if err != nil { 1173 + return fmt.Errorf("copying walked cids to carstore: %w", err) 1174 + } 1175 + 1176 + if err := ds.Put(ctx, blk); err != nil { 1177 + return err 1178 + } 1179 + } 1180 + 1181 + finish := func(ctx context.Context, nrev string) ([]byte, error) { 1182 + return ds.CloseWithRoot(ctx, root, nrev) 1183 + } 1184 + 1185 + if err := cb(ctx, root, finish, ds); err != nil { 1186 + return fmt.Errorf("cb errored root: %s, rev: %s: %w", root, stringOrNil(rev), err) 1187 + } 1188 + 1189 + return nil 1190 + } 1191 + 1192 + func stringOrNil(s *string) string { 1193 + if s == nil { 1194 + return "nil" 1195 + } 1196 + return *s 1197 + } 1198 + 1199 + // walkTree returns all cids linked recursively by the root, skipping any cids 1200 + // in the 'skip' map, and not erroring on 'not found' if prevMissing is set 1201 + func (rm *RepoManager) walkTree(ctx context.Context, skip map[cid.Cid]bool, root cid.Cid, bs blockstore.Blockstore, prevMissing bool) ([]cid.Cid, error) { 1202 + // TODO: what if someone puts non-cbor links in their repo? 1203 + if root.Prefix().Codec != cid.DagCBOR { 1204 + return nil, fmt.Errorf("can only handle dag-cbor objects in repos (%s is %d)", root, root.Prefix().Codec) 1205 + } 1206 + 1207 + blk, err := bs.Get(ctx, root) 1208 + if err != nil { 1209 + return nil, err 1210 + } 1211 + 1212 + var links []cid.Cid 1213 + if err := cbg.ScanForLinks(bytes.NewReader(blk.RawData()), func(c cid.Cid) { 1214 + if c.Prefix().Codec == cid.Raw { 1215 + rm.log.Debug("skipping 'raw' CID in record", "recordCid", root, "rawCid", c) 1216 + return 1217 + } 1218 + if skip[c] { 1219 + return 1220 + } 1221 + 1222 + links = append(links, c) 1223 + skip[c] = true 1224 + }); err != nil { 1225 + return nil, err 1226 + } 1227 + 1228 + out := []cid.Cid{root} 1229 + skip[root] = true 1230 + 1231 + // TODO: should do this non-recursive since i expect these may get deep 1232 + for _, c := range links { 1233 + sub, err := rm.walkTree(ctx, skip, c, bs, prevMissing) 1234 + if err != nil { 1235 + if prevMissing && !ipld.IsNotFound(err) { 1236 + return nil, err 1237 + } 1238 + } 1239 + 1240 + out = append(out, sub...) 1241 + } 1242 + 1243 + return out, nil 1244 + } 1245 + 1246 + func (rm *RepoManager) TakeDownRepo(ctx context.Context, uid models.Uid) error { 1247 + unlock := rm.lockUser(ctx, uid) 1248 + defer unlock() 1249 + 1250 + return rm.cs.WipeUserData(ctx, uid) 1251 + } 1252 + 1253 + // technically identical to TakeDownRepo, for now 1254 + func (rm *RepoManager) ResetRepo(ctx context.Context, uid models.Uid) error { 1255 + unlock := rm.lockUser(ctx, uid) 1256 + defer unlock() 1257 + 1258 + return rm.cs.WipeUserData(ctx, uid) 1259 + } 1260 + 1261 + func (rm *RepoManager) VerifyRepo(ctx context.Context, uid models.Uid) error { 1262 + ses, err := rm.cs.ReadOnlySession(uid) 1263 + if err != nil { 1264 + return err 1265 + } 1266 + 1267 + r, err := repo.OpenRepo(ctx, ses, ses.BaseCid()) 1268 + if err != nil { 1269 + return err 1270 + } 1271 + 1272 + if err := r.ForEach(ctx, "", func(k string, v cid.Cid) error { 1273 + _, err := ses.Get(ctx, v) 1274 + if err != nil { 1275 + return fmt.Errorf("failed to get record %s (%s): %w", k, v, err) 1276 + } 1277 + 1278 + return nil 1279 + }); err != nil { 1280 + return err 1281 + } 1282 + 1283 + return nil 1284 + }

+36 -95

pkg/hold/pds/server.go

··· 5 5 "fmt" 6 6 "os" 7 7 "path/filepath" 8 - "time" 9 8 10 9 "atcr.io/pkg/atproto" 11 10 "github.com/bluesky-social/indigo/atproto/atcrypto" 12 11 "github.com/bluesky-social/indigo/carstore" 12 + lexutil "github.com/bluesky-social/indigo/lex/util" 13 13 "github.com/bluesky-social/indigo/models" 14 - "github.com/bluesky-social/indigo/repo" 15 14 ) 16 15 16 + // init registers our custom ATProto types with indigo's lexutil type registry 17 + // This allows repomgr.GetRecord to automatically unmarshal our types 18 + func init() { 19 + // Register captain and crew record types 20 + // These must match the $type field in the records 21 + lexutil.RegisterType(atproto.CaptainCollection, &atproto.CaptainRecord{}) 22 + lexutil.RegisterType(atproto.CrewCollection, &atproto.CrewRecord{}) 23 + } 24 + 17 25 // HoldPDS is a minimal ATProto PDS implementation for a hold service 18 26 type HoldPDS struct { 19 27 did string 20 28 publicURL string 21 29 carstore carstore.CarStore 22 - session *carstore.DeltaSession 23 - repo *repo.Repo 30 + repomgr *RepoManager 24 31 dbPath string 25 32 uid models.Uid 26 33 signingKey *atcrypto.PrivateKeyK256 ··· 54 61 // For a single-user hold, we use a fixed UID (1) 55 62 uid := models.Uid(1) 56 63 57 - // Check if repo already exists with valid head 64 + // Create KeyManager wrapper for our signing key 65 + kmgr := NewHoldKeyManager(signingKey) 66 + 67 + // Create RepoManager - it will handle all session/repo lifecycle 68 + rm := NewRepoManager(cs, kmgr) 69 + 70 + // Check if repo already exists, if not create initial commit 58 71 head, err := cs.GetUserRepoHead(ctx, uid) 59 72 hasValidRepo := (err == nil && head.Defined()) 60 73 61 - var session *carstore.DeltaSession 62 - var r *repo.Repo 63 - 64 74 if !hasValidRepo { 65 - // No valid repo - create new session with nil (new repo) 66 - session, err = cs.NewDeltaSession(ctx, uid, nil) 67 - if err != nil { 68 - return nil, fmt.Errorf("failed to create delta session: %w", err) 69 - } 70 - // Create new empty repo 71 - r = repo.NewRepo(ctx, did, session) 72 - } else { 73 - // Repo exists with valid head - create session pointing to current head 74 - headStr := head.String() 75 - session, err = cs.NewDeltaSession(ctx, uid, &headStr) 76 - if err != nil { 77 - return nil, fmt.Errorf("failed to create delta session: %w", err) 78 - } 79 - // Load from existing head 80 - r, err = repo.OpenRepo(ctx, session, head) 81 - if err != nil { 82 - return nil, fmt.Errorf("failed to open existing repo: %w", err) 83 - } 75 + // Initialize empty repo with first commit 76 + // RepoManager requires at least one commit to exist 77 + // We'll create this by doing a dummy operation in Bootstrap 78 + fmt.Printf("New hold repo - will be initialized in Bootstrap\n") 84 79 } 85 80 86 81 return &HoldPDS{ 87 82 did: did, 88 83 publicURL: publicURL, 89 84 carstore: cs, 90 - session: session, 91 - repo: r, 85 + repomgr: rm, 92 86 dbPath: dbPath, 93 87 uid: uid, 94 88 signingKey: signingKey, ··· 119 113 return nil 120 114 } 121 115 122 - // No captain record - check if this is a new repo or existing repo 116 + fmt.Printf("🚀 Bootstrapping hold PDS with owner: %s\n", ownerDID) 117 + 118 + // Initialize repo if it doesn't exist yet 119 + // Check if repo exists by trying to get the head 123 120 head, err := p.carstore.GetUserRepoHead(ctx, p.uid) 124 - isNewRepo := (err != nil || !head.Defined()) 125 - 126 - if isNewRepo { 127 - fmt.Printf("🚀 Bootstrapping new hold PDS with owner: %s\n", ownerDID) 128 - // For new repo, create records inline to avoid session issues 129 - return p.bootstrapNewRepo(ctx, ownerDID, public, allowAllCrew) 121 + if err != nil || !head.Defined() { 122 + // Repo doesn't exist, initialize it 123 + // InitNewActor creates an empty repo with initial commit 124 + err = p.repomgr.InitNewActor(ctx, p.uid, "", p.did, "", "", "") 125 + if err != nil { 126 + return fmt.Errorf("failed to initialize repo: %w", err) 127 + } 128 + fmt.Printf("✅ Initialized empty repo\n") 130 129 } 131 - 132 - // Existing repo - use normal record creation flow 133 - fmt.Printf("ℹ️ Repo already initialized (head: %s), creating captain record...\n", head.String()[:16]) 134 130 135 131 // Create captain record (hold ownership and settings) 136 132 _, err = p.CreateCaptainRecord(ctx, ownerDID, public, allowAllCrew) ··· 150 146 return nil 151 147 } 152 148 153 - // bootstrapNewRepo handles bootstrapping a brand new repo (avoids session juggling issues) 154 - func (p *HoldPDS) bootstrapNewRepo(ctx context.Context, ownerDID string, public bool, allowAllCrew bool) error { 155 - // Create captain and crew records in a single commit 156 - captainRecord := &atproto.CaptainRecord{ 157 - Type: atproto.CaptainCollection, 158 - Owner: ownerDID, 159 - Public: public, 160 - AllowAllCrew: allowAllCrew, 161 - DeployedAt: time.Now().Format(time.RFC3339), 162 - } 163 - 164 - crewRecord := &atproto.CrewRecord{ 165 - Type: atproto.CrewCollection, 166 - Member: ownerDID, 167 - Role: "admin", 168 - Permissions: []string{"blob:read", "blob:write", "crew:admin"}, 169 - AddedAt: time.Now().Format(time.RFC3339), 170 - } 171 - 172 - // Create both records in the repo 173 - _, _, err := p.repo.CreateRecord(ctx, atproto.CaptainCollection, captainRecord) 174 - if err != nil { 175 - return fmt.Errorf("failed to create captain record: %w", err) 176 - } 177 - 178 - _, _, err = p.repo.CreateRecord(ctx, atproto.CrewCollection, crewRecord) 179 - if err != nil { 180 - return fmt.Errorf("failed to create crew record: %w", err) 181 - } 182 - 183 - // Commit everything in one go 184 - signer := func(ctx context.Context, did string, data []byte) ([]byte, error) { 185 - return p.signingKey.HashAndSign(data) 186 - } 187 - 188 - root, rev, err := p.repo.Commit(ctx, signer) 189 - if err != nil { 190 - return fmt.Errorf("failed to commit bootstrap records: %w", err) 191 - } 192 - 193 - // Close the session with the new root 194 - _, err = p.session.CloseWithRoot(ctx, root, rev) 195 - if err != nil { 196 - return fmt.Errorf("failed to persist bootstrap commit: %w", err) 197 - } 198 - 199 - fmt.Printf("✅ Created captain record (public=%v, allowAllCrew=%v)\n", public, allowAllCrew) 200 - fmt.Printf("✅ Added %s as hold admin\n", ownerDID) 201 - 202 - // DON'T create a new session here - let subsequent operations handle that 203 - // The PDS is now bootstrapped and will be reloaded properly on next restart 204 - 205 - return nil 206 - } 207 - 208 - // Close closes the session and carstore 149 + // Close closes the carstore 209 150 func (p *HoldPDS) Close() error { 210 151 // TODO: Close session properly 211 152 return nil

+622

pkg/hold/pds/server_test.go

··· 1 + package pds 2 + 3 + import ( 4 + "context" 5 + "os" 6 + "path/filepath" 7 + "strings" 8 + "testing" 9 + 10 + "atcr.io/pkg/atproto" 11 + ) 12 + 13 + // TestNewHoldPDS_NewRepo tests creating a new hold PDS with fresh database 14 + func TestNewHoldPDS_NewRepo(t *testing.T) { 15 + ctx := context.Background() 16 + tmpDir := t.TempDir() 17 + 18 + // Paths for database and key 19 + dbPath := filepath.Join(tmpDir, "pds.db") 20 + keyPath := filepath.Join(tmpDir, "signing-key") 21 + 22 + // Create new hold PDS 23 + did := "did:web:hold.example.com" 24 + publicURL := "https://hold.example.com" 25 + 26 + pds, err := NewHoldPDS(ctx, did, publicURL, dbPath, keyPath) 27 + if err != nil { 28 + t.Fatalf("NewHoldPDS failed: %v", err) 29 + } 30 + defer pds.Close() 31 + 32 + // Verify DID was set 33 + if pds.DID() != did { 34 + t.Errorf("Expected DID %s, got %s", did, pds.DID()) 35 + } 36 + 37 + // Verify signing key was created 38 + if pds.SigningKey() == nil { 39 + t.Error("Expected signing key to be created") 40 + } 41 + 42 + // Verify key file exists 43 + if _, err := os.Stat(keyPath); os.IsNotExist(err) { 44 + t.Error("Expected signing key file to be created") 45 + } 46 + 47 + // Verify database file exists (SQLite creates db.sqlite3 inside the directory) 48 + dbFile := filepath.Join(dbPath, "db.sqlite3") 49 + if _, err := os.Stat(dbFile); os.IsNotExist(err) { 50 + t.Errorf("Expected database file to be created at %s", dbFile) 51 + } 52 + } 53 + 54 + // TestNewHoldPDS_ExistingRepo tests opening an existing hold PDS database 55 + func TestNewHoldPDS_ExistingRepo(t *testing.T) { 56 + ctx := context.Background() 57 + tmpDir := t.TempDir() 58 + 59 + dbPath := filepath.Join(tmpDir, "pds.db") 60 + keyPath := filepath.Join(tmpDir, "signing-key") 61 + did := "did:web:hold.example.com" 62 + publicURL := "https://hold.example.com" 63 + 64 + // Create first PDS instance and bootstrap it 65 + pds1, err := NewHoldPDS(ctx, did, publicURL, dbPath, keyPath) 66 + if err != nil { 67 + t.Fatalf("First NewHoldPDS failed: %v", err) 68 + } 69 + 70 + // Bootstrap with a captain record 71 + ownerDID := "did:plc:owner123" 72 + if err := pds1.Bootstrap(ctx, ownerDID, true, false); err != nil { 73 + t.Fatalf("Bootstrap failed: %v", err) 74 + } 75 + 76 + // Verify captain record exists 77 + _, captain1, err := pds1.GetCaptainRecord(ctx) 78 + if err != nil { 79 + t.Fatalf("GetCaptainRecord failed after bootstrap: %v", err) 80 + } 81 + if captain1.Owner != ownerDID { 82 + t.Errorf("Expected owner %s, got %s", ownerDID, captain1.Owner) 83 + } 84 + 85 + // Close first instance 86 + pds1.Close() 87 + 88 + // Re-open the same database 89 + pds2, err := NewHoldPDS(ctx, did, publicURL, dbPath, keyPath) 90 + if err != nil { 91 + t.Fatalf("Second NewHoldPDS failed: %v", err) 92 + } 93 + defer pds2.Close() 94 + 95 + // Verify captain record still exists 96 + _, captain2, err := pds2.GetCaptainRecord(ctx) 97 + if err != nil { 98 + t.Fatalf("GetCaptainRecord failed after reopening: %v", err) 99 + } 100 + 101 + // Verify captain data persisted 102 + if captain2.Owner != ownerDID { 103 + t.Errorf("Expected owner %s after reopen, got %s", ownerDID, captain2.Owner) 104 + } 105 + if !captain2.Public { 106 + t.Error("Expected captain.Public to be true") 107 + } 108 + if captain2.AllowAllCrew { 109 + t.Error("Expected captain.AllowAllCrew to be false") 110 + } 111 + } 112 + 113 + // TestBootstrap_NewRepo tests bootstrap on a new repository 114 + func TestBootstrap_NewRepo(t *testing.T) { 115 + ctx := context.Background() 116 + tmpDir := t.TempDir() 117 + 118 + dbPath := filepath.Join(tmpDir, "pds.db") 119 + keyPath := filepath.Join(tmpDir, "signing-key") 120 + 121 + pds, err := NewHoldPDS(ctx, "did:web:hold.example.com", "https://hold.example.com", dbPath, keyPath) 122 + if err != nil { 123 + t.Fatalf("NewHoldPDS failed: %v", err) 124 + } 125 + defer pds.Close() 126 + 127 + // Bootstrap with owner 128 + ownerDID := "did:plc:alice123" 129 + publicAccess := true 130 + allowAllCrew := false 131 + 132 + err = pds.Bootstrap(ctx, ownerDID, publicAccess, allowAllCrew) 133 + if err != nil { 134 + t.Fatalf("Bootstrap failed: %v", err) 135 + } 136 + 137 + // Verify captain record was created 138 + _, captain, err := pds.GetCaptainRecord(ctx) 139 + if err != nil { 140 + t.Fatalf("GetCaptainRecord failed: %v", err) 141 + } 142 + 143 + // Verify captain fields 144 + if captain.Owner != ownerDID { 145 + t.Errorf("Expected owner %s, got %s", ownerDID, captain.Owner) 146 + } 147 + if captain.Public != publicAccess { 148 + t.Errorf("Expected public=%v, got %v", publicAccess, captain.Public) 149 + } 150 + if captain.AllowAllCrew != allowAllCrew { 151 + t.Errorf("Expected allowAllCrew=%v, got %v", allowAllCrew, captain.AllowAllCrew) 152 + } 153 + if captain.Type != atproto.CaptainCollection { 154 + t.Errorf("Expected type %s, got %s", atproto.CaptainCollection, captain.Type) 155 + } 156 + if captain.DeployedAt == "" { 157 + t.Error("Expected deployedAt to be set") 158 + } 159 + 160 + // Verify owner was added as crew member 161 + crewMembers, err := pds.ListCrewMembers(ctx) 162 + if err != nil { 163 + t.Fatalf("ListCrewMembers failed: %v", err) 164 + } 165 + 166 + if len(crewMembers) != 1 { 167 + t.Fatalf("Expected 1 crew member, got %d", len(crewMembers)) 168 + } 169 + 170 + crew := crewMembers[0] 171 + if crew.Record.Member != ownerDID { 172 + t.Errorf("Expected crew member %s, got %s", ownerDID, crew.Record.Member) 173 + } 174 + if crew.Record.Role != "admin" { 175 + t.Errorf("Expected role admin, got %s", crew.Record.Role) 176 + } 177 + 178 + // Verify permissions 179 + expectedPerms := []string{"blob:read", "blob:write", "crew:admin"} 180 + if len(crew.Record.Permissions) != len(expectedPerms) { 181 + t.Fatalf("Expected %d permissions, got %d", len(expectedPerms), len(crew.Record.Permissions)) 182 + } 183 + for i, perm := range expectedPerms { 184 + if crew.Record.Permissions[i] != perm { 185 + t.Errorf("Expected permission[%d]=%s, got %s", i, perm, crew.Record.Permissions[i]) 186 + } 187 + } 188 + } 189 + 190 + // TestBootstrap_Idempotent tests that bootstrap is idempotent 191 + func TestBootstrap_Idempotent(t *testing.T) { 192 + ctx := context.Background() 193 + tmpDir := t.TempDir() 194 + 195 + dbPath := filepath.Join(tmpDir, "pds.db") 196 + keyPath := filepath.Join(tmpDir, "signing-key") 197 + 198 + pds, err := NewHoldPDS(ctx, "did:web:hold.example.com", "https://hold.example.com", dbPath, keyPath) 199 + if err != nil { 200 + t.Fatalf("NewHoldPDS failed: %v", err) 201 + } 202 + defer pds.Close() 203 + 204 + ownerDID := "did:plc:alice123" 205 + 206 + // First bootstrap 207 + err = pds.Bootstrap(ctx, ownerDID, true, false) 208 + if err != nil { 209 + t.Fatalf("First bootstrap failed: %v", err) 210 + } 211 + 212 + // Get captain CID after first bootstrap 213 + cid1, captain1, err := pds.GetCaptainRecord(ctx) 214 + if err != nil { 215 + t.Fatalf("GetCaptainRecord failed: %v", err) 216 + } 217 + 218 + // Get crew count after first bootstrap 219 + crew1, err := pds.ListCrewMembers(ctx) 220 + if err != nil { 221 + t.Fatalf("ListCrewMembers failed: %v", err) 222 + } 223 + crewCount1 := len(crew1) 224 + 225 + // Second bootstrap (should be idempotent - skip creation) 226 + err = pds.Bootstrap(ctx, ownerDID, true, false) 227 + if err != nil { 228 + t.Fatalf("Second bootstrap failed: %v", err) 229 + } 230 + 231 + // Verify captain record unchanged 232 + cid2, captain2, err := pds.GetCaptainRecord(ctx) 233 + if err != nil { 234 + t.Fatalf("GetCaptainRecord failed after second bootstrap: %v", err) 235 + } 236 + 237 + if !cid1.Equals(cid2) { 238 + t.Error("Expected captain CID to remain unchanged after second bootstrap") 239 + } 240 + if captain1.Owner != captain2.Owner { 241 + t.Error("Expected captain owner to remain unchanged") 242 + } 243 + 244 + // Verify crew count unchanged (owner not added twice) 245 + crew2, err := pds.ListCrewMembers(ctx) 246 + if err != nil { 247 + t.Fatalf("ListCrewMembers failed after second bootstrap: %v", err) 248 + } 249 + crewCount2 := len(crew2) 250 + 251 + if crewCount1 != crewCount2 { 252 + t.Errorf("Expected crew count to remain %d, got %d (owner may have been added twice)", crewCount1, crewCount2) 253 + } 254 + } 255 + 256 + // TestBootstrap_EmptyOwner tests that bootstrap with empty owner is a no-op 257 + func TestBootstrap_EmptyOwner(t *testing.T) { 258 + ctx := context.Background() 259 + tmpDir := t.TempDir() 260 + 261 + dbPath := filepath.Join(tmpDir, "pds.db") 262 + keyPath := filepath.Join(tmpDir, "signing-key") 263 + 264 + pds, err := NewHoldPDS(ctx, "did:web:hold.example.com", "https://hold.example.com", dbPath, keyPath) 265 + if err != nil { 266 + t.Fatalf("NewHoldPDS failed: %v", err) 267 + } 268 + defer pds.Close() 269 + 270 + // Bootstrap with empty owner DID (should be no-op) 271 + err = pds.Bootstrap(ctx, "", true, false) 272 + if err != nil { 273 + t.Fatalf("Bootstrap with empty owner should not error: %v", err) 274 + } 275 + 276 + // Verify captain record was NOT created 277 + _, _, err = pds.GetCaptainRecord(ctx) 278 + if err == nil { 279 + t.Error("Expected GetCaptainRecord to fail (no captain record), but it succeeded") 280 + } 281 + // Verify it's a "not found" type error 282 + if err != nil && !strings.Contains(err.Error(), "not found") && !strings.Contains(err.Error(), "failed to get captain record") { 283 + t.Errorf("Expected 'not found' error, got: %v", err) 284 + } 285 + } 286 + 287 + // TestLexiconTypeRegistration tests that captain and crew types are registered 288 + func TestLexiconTypeRegistration(t *testing.T) { 289 + // The init() function in server.go registers types 290 + // We can verify this by creating a PDS and doing a round-trip write/read 291 + ctx := context.Background() 292 + tmpDir := t.TempDir() 293 + 294 + dbPath := filepath.Join(tmpDir, "pds.db") 295 + keyPath := filepath.Join(tmpDir, "signing-key") 296 + 297 + pds, err := NewHoldPDS(ctx, "did:web:hold.example.com", "https://hold.example.com", dbPath, keyPath) 298 + if err != nil { 299 + t.Fatalf("NewHoldPDS failed: %v", err) 300 + } 301 + defer pds.Close() 302 + 303 + // Bootstrap to create captain record 304 + ownerDID := "did:plc:alice123" 305 + if err := pds.Bootstrap(ctx, ownerDID, true, false); err != nil { 306 + t.Fatalf("Bootstrap failed: %v", err) 307 + } 308 + 309 + // GetCaptainRecord uses type assertion to *atproto.CaptainRecord 310 + // If the type wasn't registered, this would fail with type assertion error 311 + _, captain, err := pds.GetCaptainRecord(ctx) 312 + if err != nil { 313 + t.Fatalf("GetCaptainRecord failed: %v", err) 314 + } 315 + 316 + // Verify we got the correct concrete type 317 + if captain == nil { 318 + t.Fatal("Expected non-nil captain record") 319 + } 320 + if captain.Type != atproto.CaptainCollection { 321 + t.Errorf("Expected captain type %s, got %s", atproto.CaptainCollection, captain.Type) 322 + } 323 + 324 + // Do the same for crew record 325 + crewMembers, err := pds.ListCrewMembers(ctx) 326 + if err != nil { 327 + t.Fatalf("ListCrewMembers failed: %v", err) 328 + } 329 + if len(crewMembers) == 0 { 330 + t.Fatal("Expected at least one crew member") 331 + } 332 + 333 + crew := crewMembers[0].Record 334 + if crew.Type != atproto.CrewCollection { 335 + t.Errorf("Expected crew type %s, got %s", atproto.CrewCollection, crew.Type) 336 + } 337 + } 338 + 339 + // TestBootstrap_DidWebOwner tests bootstrap with did:web owner 340 + func TestBootstrap_DidWebOwner(t *testing.T) { 341 + ctx := context.Background() 342 + tmpDir := t.TempDir() 343 + 344 + dbPath := filepath.Join(tmpDir, "pds.db") 345 + keyPath := filepath.Join(tmpDir, "signing-key") 346 + 347 + pds, err := NewHoldPDS(ctx, "did:web:hold01.atcr.io", "https://hold01.atcr.io", dbPath, keyPath) 348 + if err != nil { 349 + t.Fatalf("NewHoldPDS failed: %v", err) 350 + } 351 + defer pds.Close() 352 + 353 + // Bootstrap with did:web owner (not did:plc) 354 + ownerDID := "did:web:alice.example.com" 355 + publicAccess := true 356 + allowAllCrew := false 357 + 358 + err = pds.Bootstrap(ctx, ownerDID, publicAccess, allowAllCrew) 359 + if err != nil { 360 + t.Fatalf("Bootstrap failed with did:web owner: %v", err) 361 + } 362 + 363 + // Verify captain record was created with did:web owner 364 + _, captain, err := pds.GetCaptainRecord(ctx) 365 + if err != nil { 366 + t.Fatalf("GetCaptainRecord failed: %v", err) 367 + } 368 + 369 + // Verify captain fields 370 + if captain.Owner != ownerDID { 371 + t.Errorf("Expected owner %s, got %s", ownerDID, captain.Owner) 372 + } 373 + if captain.Public != publicAccess { 374 + t.Errorf("Expected public=%v, got %v", publicAccess, captain.Public) 375 + } 376 + if captain.AllowAllCrew != allowAllCrew { 377 + t.Errorf("Expected allowAllCrew=%v, got %v", allowAllCrew, captain.AllowAllCrew) 378 + } 379 + 380 + // Verify owner was added as crew member 381 + crewMembers, err := pds.ListCrewMembers(ctx) 382 + if err != nil { 383 + t.Fatalf("ListCrewMembers failed: %v", err) 384 + } 385 + 386 + if len(crewMembers) != 1 { 387 + t.Fatalf("Expected 1 crew member, got %d", len(crewMembers)) 388 + } 389 + 390 + crew := crewMembers[0] 391 + if crew.Record.Member != ownerDID { 392 + t.Errorf("Expected crew member %s, got %s", ownerDID, crew.Record.Member) 393 + } 394 + if crew.Record.Role != "admin" { 395 + t.Errorf("Expected role admin, got %s", crew.Record.Role) 396 + } 397 + } 398 + 399 + // TestBootstrap_MixedDIDs tests bootstrap with mixed DID types 400 + func TestBootstrap_MixedDIDs(t *testing.T) { 401 + ctx := context.Background() 402 + tmpDir := t.TempDir() 403 + 404 + dbPath := filepath.Join(tmpDir, "pds.db") 405 + keyPath := filepath.Join(tmpDir, "signing-key") 406 + 407 + // Create hold with did:web 408 + holdDID := "did:web:hold.example.com" 409 + pds, err := NewHoldPDS(ctx, holdDID, "https://hold.example.com", dbPath, keyPath) 410 + if err != nil { 411 + t.Fatalf("NewHoldPDS failed: %v", err) 412 + } 413 + defer pds.Close() 414 + 415 + // Bootstrap with did:plc owner 416 + plcOwner := "did:plc:alice123" 417 + err = pds.Bootstrap(ctx, plcOwner, true, false) 418 + if err != nil { 419 + t.Fatalf("Bootstrap failed: %v", err) 420 + } 421 + 422 + // Add did:web crew member 423 + webMember := "did:web:bob.example.com" 424 + _, err = pds.AddCrewMember(ctx, webMember, "writer", []string{"blob:read", "blob:write"}) 425 + if err != nil { 426 + t.Fatalf("AddCrewMember failed with did:web: %v", err) 427 + } 428 + 429 + // Verify captain 430 + _, captain, err := pds.GetCaptainRecord(ctx) 431 + if err != nil { 432 + t.Fatalf("GetCaptainRecord failed: %v", err) 433 + } 434 + if captain.Owner != plcOwner { 435 + t.Errorf("Expected captain owner %s, got %s", plcOwner, captain.Owner) 436 + } 437 + 438 + // Verify crew members (should have both did:plc and did:web) 439 + crewMembers, err := pds.ListCrewMembers(ctx) 440 + if err != nil { 441 + t.Fatalf("ListCrewMembers failed: %v", err) 442 + } 443 + 444 + if len(crewMembers) != 2 { 445 + t.Fatalf("Expected 2 crew members, got %d", len(crewMembers)) 446 + } 447 + 448 + // Verify both DIDs are present 449 + foundPLC := false 450 + foundWeb := false 451 + for _, cm := range crewMembers { 452 + if cm.Record.Member == plcOwner { 453 + foundPLC = true 454 + } 455 + if cm.Record.Member == webMember { 456 + foundWeb = true 457 + } 458 + } 459 + 460 + if !foundPLC { 461 + t.Errorf("Expected to find did:plc member %s", plcOwner) 462 + } 463 + if !foundWeb { 464 + t.Errorf("Expected to find did:web member %s", webMember) 465 + } 466 + } 467 + 468 + // TestBootstrap_CrewWithoutCaptain tests bootstrap when crew exists but captain doesn't 469 + // This edge case could happen if repo state is corrupted or partially initialized 470 + func TestBootstrap_CrewWithoutCaptain(t *testing.T) { 471 + ctx := context.Background() 472 + tmpDir := t.TempDir() 473 + 474 + dbPath := filepath.Join(tmpDir, "pds.db") 475 + keyPath := filepath.Join(tmpDir, "signing-key") 476 + 477 + pds, err := NewHoldPDS(ctx, "did:web:hold.example.com", "https://hold.example.com", dbPath, keyPath) 478 + if err != nil { 479 + t.Fatalf("NewHoldPDS failed: %v", err) 480 + } 481 + defer pds.Close() 482 + 483 + // Initialize repo manually 484 + err = pds.repomgr.InitNewActor(ctx, pds.uid, "", pds.did, "", "", "") 485 + if err != nil { 486 + t.Fatalf("InitNewActor failed: %v", err) 487 + } 488 + 489 + // Create crew member WITHOUT captain (unusual state) 490 + ownerDID := "did:plc:alice123" 491 + _, err = pds.AddCrewMember(ctx, ownerDID, "admin", []string{"blob:read", "blob:write", "crew:admin"}) 492 + if err != nil { 493 + t.Fatalf("AddCrewMember failed: %v", err) 494 + } 495 + 496 + // Verify crew exists 497 + crewBefore, err := pds.ListCrewMembers(ctx) 498 + if err != nil { 499 + t.Fatalf("ListCrewMembers failed: %v", err) 500 + } 501 + if len(crewBefore) != 1 { 502 + t.Fatalf("Expected 1 crew member before bootstrap, got %d", len(crewBefore)) 503 + } 504 + 505 + // Verify captain doesn't exist 506 + _, _, err = pds.GetCaptainRecord(ctx) 507 + if err == nil { 508 + t.Fatal("Expected captain record to not exist before bootstrap") 509 + } 510 + 511 + // Bootstrap should create captain record 512 + err = pds.Bootstrap(ctx, ownerDID, true, false) 513 + if err != nil { 514 + t.Fatalf("Bootstrap failed: %v", err) 515 + } 516 + 517 + // Verify captain was created 518 + _, captain, err := pds.GetCaptainRecord(ctx) 519 + if err != nil { 520 + t.Fatalf("GetCaptainRecord failed after bootstrap: %v", err) 521 + } 522 + if captain.Owner != ownerDID { 523 + t.Errorf("Expected captain owner %s, got %s", ownerDID, captain.Owner) 524 + } 525 + 526 + // Verify crew wasn't duplicated (Bootstrap adds owner as crew, but they already exist) 527 + crewAfter, err := pds.ListCrewMembers(ctx) 528 + if err != nil { 529 + t.Fatalf("ListCrewMembers failed after bootstrap: %v", err) 530 + } 531 + 532 + // Should have 2 crew members now: original + one added by bootstrap 533 + // (Bootstrap doesn't check for duplicates currently) 534 + if len(crewAfter) != 2 { 535 + t.Logf("Note: Bootstrap added owner as crew even though they already existed") 536 + t.Logf("Crew count after bootstrap: %d", len(crewAfter)) 537 + } 538 + } 539 + 540 + // TestBootstrap_CaptainWithoutCrew tests bootstrap when captain exists but owner crew doesn't 541 + // This verifies that bootstrap properly adds the owner as crew if missing 542 + func TestBootstrap_CaptainWithoutCrew(t *testing.T) { 543 + ctx := context.Background() 544 + tmpDir := t.TempDir() 545 + 546 + dbPath := filepath.Join(tmpDir, "pds.db") 547 + keyPath := filepath.Join(tmpDir, "signing-key") 548 + 549 + pds, err := NewHoldPDS(ctx, "did:web:hold.example.com", "https://hold.example.com", dbPath, keyPath) 550 + if err != nil { 551 + t.Fatalf("NewHoldPDS failed: %v", err) 552 + } 553 + defer pds.Close() 554 + 555 + // Initialize repo manually 556 + err = pds.repomgr.InitNewActor(ctx, pds.uid, "", pds.did, "", "", "") 557 + if err != nil { 558 + t.Fatalf("InitNewActor failed: %v", err) 559 + } 560 + 561 + // Create captain record WITHOUT crew (unusual state) 562 + ownerDID := "did:plc:alice123" 563 + _, err = pds.CreateCaptainRecord(ctx, ownerDID, true, false) 564 + if err != nil { 565 + t.Fatalf("CreateCaptainRecord failed: %v", err) 566 + } 567 + 568 + // Verify captain exists 569 + _, captain, err := pds.GetCaptainRecord(ctx) 570 + if err != nil { 571 + t.Fatalf("GetCaptainRecord failed: %v", err) 572 + } 573 + if captain.Owner != ownerDID { 574 + t.Errorf("Expected captain owner %s, got %s", ownerDID, captain.Owner) 575 + } 576 + 577 + // Verify crew is empty 578 + crewBefore, err := pds.ListCrewMembers(ctx) 579 + if err != nil { 580 + t.Fatalf("ListCrewMembers failed: %v", err) 581 + } 582 + if len(crewBefore) != 0 { 583 + t.Fatalf("Expected 0 crew members before bootstrap, got %d", len(crewBefore)) 584 + } 585 + 586 + // Bootstrap should be idempotent but notice missing crew 587 + // Currently Bootstrap skips if captain exists, so crew won't be added 588 + err = pds.Bootstrap(ctx, ownerDID, true, false) 589 + if err != nil { 590 + t.Fatalf("Bootstrap failed: %v", err) 591 + } 592 + 593 + // Verify crew after bootstrap 594 + crewAfter, err := pds.ListCrewMembers(ctx) 595 + if err != nil { 596 + t.Fatalf("ListCrewMembers failed after bootstrap: %v", err) 597 + } 598 + 599 + // Bootstrap currently skips everything if captain exists 600 + // This means crew won't be added in this case 601 + if len(crewAfter) == 0 { 602 + t.Logf("Note: Bootstrap skipped adding owner as crew because captain already exists") 603 + t.Logf("This is current behavior - Bootstrap is fully idempotent and skips if captain exists") 604 + } else { 605 + // If we change Bootstrap to be smarter, it might add crew 606 + t.Logf("Bootstrap added %d crew members", len(crewAfter)) 607 + 608 + // Verify owner was added 609 + foundOwner := false 610 + for _, cm := range crewAfter { 611 + if cm.Record.Member == ownerDID { 612 + foundOwner = true 613 + if cm.Record.Role != "admin" { 614 + t.Errorf("Expected owner role admin, got %s", cm.Record.Role) 615 + } 616 + } 617 + } 618 + if !foundOwner { 619 + t.Error("Expected owner to be added as crew member") 620 + } 621 + } 622 + }

+5 -37

pkg/hold/pds/xrpc.go

··· 8 8 "strings" 9 9 10 10 "atcr.io/pkg/atproto" 11 - "github.com/bluesky-social/indigo/repo" 12 - "github.com/bluesky-social/indigo/util" 13 11 "github.com/ipfs/go-cid" 14 12 "github.com/ipld/go-car" 15 13 carutil "github.com/ipld/go-car/util" ··· 279 277 return 280 278 } 281 279 282 - // Get the current repo head 283 - repoHead, err := h.pds.carstore.GetUserRepoHead(r.Context(), h.pds.uid) 284 - if err != nil { 285 - http.Error(w, fmt.Sprintf("failed to get repo head: %v", err), http.StatusInternalServerError) 286 - return 287 - } 288 - 289 - // Create a new delta session with logging blockstore 290 - tempSession, err := h.pds.carstore.NewDeltaSession(r.Context(), h.pds.uid, nil) 291 - if err != nil { 292 - http.Error(w, fmt.Sprintf("failed to create temp session: %v", err), http.StatusInternalServerError) 293 - return 294 - } 295 - 296 - // Wrap the session's blockstore with a logging blockstore 297 - loggingBS := util.NewLoggingBstore(tempSession) 298 - 299 - // Open the repo with the logging blockstore 300 - tempRepo, err := repo.OpenRepo(r.Context(), loggingBS, repoHead) 301 - if err != nil { 302 - http.Error(w, fmt.Sprintf("failed to open repo: %v", err), http.StatusInternalServerError) 303 - return 304 - } 305 - 306 - // Get the record path 307 - path := fmt.Sprintf("%s/%s", collection, rkey) 308 - 309 - // Get the record (this will log all accessed blocks in the MST path) 310 - _, _, err = tempRepo.GetRecordBytes(r.Context(), path) 280 + // Use repomgr to get record proof (repo head + all blocks in MST path to record) 281 + repoHead, blocks, err := h.pds.repomgr.GetRecordProof(r.Context(), h.pds.uid, collection, rkey) 311 282 if err != nil { 312 283 http.Error(w, fmt.Sprintf("failed to get record: %v", err), http.StatusNotFound) 313 284 return 314 285 } 315 - 316 - // Get all blocks that were accessed during record retrieval 317 - blocks := loggingBS.GetLoggedBlocks() 318 286 319 287 // Write CAR file with all accessed blocks 320 288 w.Header().Set("Content-Type", "application/vnd.ipld.car") ··· 415 383 // Single-user PDS: return just this hold's repo 416 384 did := h.pds.DID() 417 385 418 - // Get repo head and rev from carstore 386 + // Get repo head and rev from repomgr 419 387 // For a single-user PDS, we use a fixed UID (stored in pds.uid) 420 - head, err := h.pds.carstore.GetUserRepoHead(r.Context(), h.pds.uid) 388 + head, err := h.pds.repomgr.GetRepoRoot(r.Context(), h.pds.uid) 421 389 if err != nil { 422 390 // If no repo exists yet, return empty list 423 391 response := map[string]any{ ··· 428 396 return 429 397 } 430 398 431 - rev, err := h.pds.carstore.GetUserRepoRev(r.Context(), h.pds.uid) 399 + rev, err := h.pds.repomgr.GetRepoRev(r.Context(), h.pds.uid) 432 400 if err != nil || rev == "" { 433 401 // No commits yet, return empty list 434 402 // Don't expose repos with no revision (empty/uninitialized)

Configure Feed

Configure Feed