spindle/xrpc/list_secrets.go at 19d42e3e628c7e405a25e4abc1b8e94bfdf46e72 · tangled.org/core

Monorepo for Tangled tangled.org
core / spindle / xrpc / list_secrets.go
at 19d42e3e628c7e405a25e4abc1b8e94bfdf46e72 2.7 kB View raw
Lewis spindle: key repos and collabs on repoDID 6w ago
 1package xrpc
 2
 3import (
 4	"encoding/json"
 5	"fmt"
 6	"net/http"
 7	"time"
 8
 9	"github.com/bluesky-social/indigo/api/atproto"
10	"github.com/bluesky-social/indigo/atproto/syntax"
11	"github.com/bluesky-social/indigo/xrpc"
12	"tangled.org/core/api/tangled"
13	"tangled.org/core/rbac"
14	"tangled.org/core/spindle/secrets"
15	xrpcerr "tangled.org/core/xrpc/errors"
16)
17
18func (x *Xrpc) ListSecrets(w http.ResponseWriter, r *http.Request) {
19	l := x.Logger
20	fail := func(e xrpcerr.XrpcError) {
21		l.Error("failed", "kind", e.Tag, "error", e.Message)
22		writeError(w, e, http.StatusBadRequest)
23	}
24
25	actorDid, ok := r.Context().Value(ActorDid).(syntax.DID)
26	if !ok {
27		fail(xrpcerr.MissingActorDidError)
28		return
29	}
30
31	repoParam := r.URL.Query().Get("repo")
32	if repoParam == "" {
33		fail(xrpcerr.GenericError(fmt.Errorf("empty params")))
34		return
35	}
36
37	// unfortunately we have to resolve repo-at here
38	repoAt, err := syntax.ParseATURI(repoParam)
39	if err != nil {
40		fail(xrpcerr.InvalidRepoError(repoParam))
41		return
42	}
43
44	// resolve this aturi to extract the repo record
45	ident, err := x.Resolver.ResolveIdent(r.Context(), repoAt.Authority().String())
46	if err != nil || ident.Handle.IsInvalidHandle() {
47		fail(xrpcerr.GenericError(fmt.Errorf("failed to resolve handle: %w", err)))
48		return
49	}
50
51	xrpcc := xrpc.Client{Host: ident.PDSEndpoint()}
52	resp, err := atproto.RepoGetRecord(r.Context(), &xrpcc, "", tangled.RepoNSID, repoAt.Authority().String(), repoAt.RecordKey().String())
53	if err != nil {
54		fail(xrpcerr.GenericError(err))
55		return
56	}
57
58	repoRec, ok := resp.Value.Val.(*tangled.Repo)
59	if !ok {
60		fail(xrpcerr.RepoNotFoundError)
61		return
62	}
63	if repoRec.RepoDid == nil || *repoRec.RepoDid == "" {
64		fail(xrpcerr.GenericError(fmt.Errorf("repo record %s has no repoDid", repoAt)))
65		return
66	}
67	repoDid := *repoRec.RepoDid
68
69	if ok, err := x.Enforcer.IsSettingsAllowed(actorDid.String(), rbac.ThisServer, repoDid); !ok || err != nil {
70		l.Error("insufficient permissions", "did", actorDid.String())
71		writeError(w, xrpcerr.AccessControlError(actorDid.String()), http.StatusUnauthorized)
72		return
73	}
74
75	ls, err := x.Vault.GetSecretsLocked(r.Context(), secrets.RepoIdentifier(repoDid))
76	if err != nil {
77		l.Error("failed to get secret from vault", "did", actorDid.String(), "err", err)
78		writeError(w, xrpcerr.GenericError(err), http.StatusInternalServerError)
79		return
80	}
81
82	var out tangled.RepoListSecrets_Output
83	for _, l := range ls {
84		out.Secrets = append(out.Secrets, &tangled.RepoListSecrets_Secret{
85			Repo:      repoAt.String(),
86			Key:       l.Key,
87			CreatedAt: l.CreatedAt.Format(time.RFC3339),
88			CreatedBy: l.CreatedBy.String(),
89		})
90	}
91
92	w.Header().Set("Content-Type", "application/json")
93	w.WriteHeader(http.StatusOK)
94	json.NewEncoder(w).Encode(out)
95}
Configure Feed

Configure Feed
