

repoguard: resolve handle to did and compare that to parent directory

+32 -17
+29 -14
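--- a/cmd/repoguard/main.go
+++ b/cmd/repoguard/main.go
@@ -1,14 +1,18 @@
 package main
 
 import (
+"context"
 "flag"
 "fmt"
 "log"
 "os"
 "os/exec"
+"path"
 "path/filepath"
 "strings"
 "time"
+
+"github.com/icyphox/bild/routes/auth"
 )
 
 var (
@@ -62,7 +58,10 @@
 }
 
 gitCommand := cmdParts[0]
-repoName := strings.Trim(cmdParts[1], "'")
+
+// example.com/repo
+handlePath := strings.Trim(cmdParts[1], "'")
+repoName := handleToDID(handlePath)
 
 validCommands := map[string]bool{
 "git-receive-pack": true,
@@ -76,8 +69,11 @@
 exitWithLog("access denied: invalid git command")
 }
 
-if !isAllowedUser(*allowedUser, repoName) {
-exitWithLog("access denied: user not allowed")
+did := path.Dir(repoName)
+if gitCommand != "git-upload-pack" {
+if !isAllowedUser(*allowedUser, did) {
+exitWithLog("access denied: user not allowed")
+}
 }
 
 fullPath := filepath.Join(*baseDirFlag, repoName)
@@ -109,6 +99,20 @@
 "repo": repoName,
 "success": true,
 })
+}
+
+func handleToDID(handlePath string) string {
+handle := path.Dir(handlePath)
+
+ident, err := auth.ResolveIdent(context.Background(), handle)
+if err != nil {
+exitWithLog(fmt.Sprintf("error resolving handle: %v", err))
+}
+
+// did:plc:foobarbaz/repo
+didPath := filepath.Join(ident.DID.String(), path.Base(handlePath))
+
+return didPath
 }
 
 func initLogger() {
@@ -166,15 +142,6 @@
 }
 }
 
-func isAllowedUser(user, repoPath string) bool {
-fullPath := filepath.Join(*baseDirFlag, repoPath)
-didPath := filepath.Join(fullPath, "did")
-
-didBytes, err := os.ReadFile(didPath)
-if err != nil {
-return false
-}
-
-allowedUser := strings.TrimSpace(string(didBytes))
-return allowedUser == user
+func isAllowedUser(user, did string) bool {
+return user == did
 }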
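Review bot: The new `if gitCommand != "git-upload-pack"` guard skips `isAllowedUser` for every fetch, so any key that reaches repoguard can now clone any repository under `baseDirFlag`; if public-read is the intent it deserves a comment (`// reads are public; only pushes are restricted to the owner DID`), otherwise this is a regression from the old per-repo `did` file check. `handleToDID` also accepts any slash-separated string: a `handlePath` of `example.com/..` makes `path.Base` return `..` and `filepath.Join` collapse `didPath` to `.`, pointing `fullPath` at the base directory itself, so `.`, `..`, an empty base and a handle containing further `/` should be rejected before the join. The resolver is called with `context.Background()`, which means a slow handle lookup hangs the SSH session with no bound; a timeout is cheap here and `time` is already imported. The body of `main` begins and ends outside these hunks, so the validity of `cmdParts[1]` before the `strings.Trim` is not visible.

```go
func handleToDID(handlePath string) string {
	handle, repo := path.Dir(handlePath), path.Base(handlePath)
	// Accept exactly "<handle>/<repo>"; anything else can escape baseDirFlag.
	if strings.Contains(handle, "/") || repo == "" || repo == "." || repo == ".." {
		exitWithLog("access denied: invalid repository path")
	}

	// Bound the network lookup so an unresponsive resolver cannot hang the session.
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	ident, err := auth.ResolveIdent(ctx, handle)
	if err != nil {
		exitWithLog(fmt.Sprintf("error resolving handle: %v", err))
	}

	// did:plc:foobarbaz/repo
	return filepath.Join(ident.DID.String(), repo)
}
```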
+3 -3
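--- a/routes/auth/auth.go
+++ b/routes/auth/auth.go
@@ -21,7 +21,7 @@
 return &Auth{store}
 }
 
-func resolveIdent(ctx context.Context, arg string) (*identity.Identity, error) {
+func ResolveIdent(ctx context.Context, arg string) (*identity.Identity, error) {
 id, err := syntax.ParseAtIdentifier(arg)
 if err != nil {
 return nil, err
@@ -57,7 +57,7 @@
 
 func (a *Auth) CreateInitialSession(w http.ResponseWriter, r *http.Request, username, appPassword string) (AtSessionCreate, error) {
 ctx := r.Context()
-resolved, err := resolveIdent(ctx, username)
+resolved, err := ResolveIdent(ctx, username)
 if err != nil {
 return AtSessionCreate{}, fmt.Errorf("invalid handle: %s", err)
 }
@@ -118,5 +118,5 @@
 return nil, fmt.Errorf("user is not authenticated")
 }
 
-return resolveIdent(r.Context(), did)
+return ResolveIdent(r.Context(), did)
 }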