spindle/xrpc/add_secret.go at dwn/spindle-microvm · tangled.org/core

Monorepo for Tangled tangled.org
core / spindle / xrpc / add_secret.go
at dwn/spindle-microvm 2.6 kB View raw
Lewis spindle: key repos and collabs on repoDID 6w ago
 1package xrpc
 2
 3import (
 4	"encoding/json"
 5	"fmt"
 6	"net/http"
 7	"time"
 8
 9	"github.com/bluesky-social/indigo/api/atproto"
10	"github.com/bluesky-social/indigo/atproto/syntax"
11	"github.com/bluesky-social/indigo/xrpc"
12	"tangled.org/core/api/tangled"
13	"tangled.org/core/rbac"
14	"tangled.org/core/spindle/secrets"
15	xrpcerr "tangled.org/core/xrpc/errors"
16)
17
18func (x *Xrpc) AddSecret(w http.ResponseWriter, r *http.Request) {
19	l := x.Logger
20	fail := func(e xrpcerr.XrpcError) {
21		l.Error("failed", "kind", e.Tag, "error", e.Message)
22		writeError(w, e, http.StatusBadRequest)
23	}
24
25	actorDid, ok := r.Context().Value(ActorDid).(syntax.DID)
26	if !ok {
27		fail(xrpcerr.MissingActorDidError)
28		return
29	}
30
31	var data tangled.RepoAddSecret_Input
32	if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
33		fail(xrpcerr.GenericError(err))
34		return
35	}
36
37	if err := secrets.ValidateKey(data.Key); err != nil {
38		fail(xrpcerr.GenericError(err))
39		return
40	}
41
42	// unfortunately we have to resolve repo-at here
43	repoAt, err := syntax.ParseATURI(data.Repo)
44	if err != nil {
45		fail(xrpcerr.InvalidRepoError(data.Repo))
46		return
47	}
48
49	// resolve this aturi to extract the repo record
50	ident, err := x.Resolver.ResolveIdent(r.Context(), repoAt.Authority().String())
51	if err != nil || ident.Handle.IsInvalidHandle() {
52		fail(xrpcerr.GenericError(fmt.Errorf("failed to resolve handle: %w", err)))
53		return
54	}
55
56	xrpcc := xrpc.Client{Host: ident.PDSEndpoint()}
57	resp, err := atproto.RepoGetRecord(r.Context(), &xrpcc, "", tangled.RepoNSID, repoAt.Authority().String(), repoAt.RecordKey().String())
58	if err != nil {
59		fail(xrpcerr.GenericError(err))
60		return
61	}
62
63	repoRec, ok := resp.Value.Val.(*tangled.Repo)
64	if !ok {
65		fail(xrpcerr.RepoNotFoundError)
66		return
67	}
68	if repoRec.RepoDid == nil || *repoRec.RepoDid == "" {
69		fail(xrpcerr.GenericError(fmt.Errorf("repo record %s has no repoDid", repoAt)))
70		return
71	}
72	repoDid := *repoRec.RepoDid
73
74	if ok, err := x.Enforcer.IsSettingsAllowed(actorDid.String(), rbac.ThisServer, repoDid); !ok || err != nil {
75		l.Error("insufficient permissions", "did", actorDid.String())
76		writeError(w, xrpcerr.AccessControlError(actorDid.String()), http.StatusUnauthorized)
77		return
78	}
79
80	secret := secrets.UnlockedSecret{
81		Repo:      secrets.RepoIdentifier(repoDid),
82		Key:       data.Key,
83		Value:     data.Value,
84		CreatedAt: time.Now(),
85		CreatedBy: actorDid,
86	}
87	err = x.Vault.AddSecret(r.Context(), secret)
88	if err != nil {
89		l.Error("failed to add secret to vault", "did", actorDid.String(), "err", err)
90		writeError(w, xrpcerr.GenericError(err), http.StatusInternalServerError)
91		return
92	}
93
94	w.WriteHeader(http.StatusOK)
95}
Configure Feed

Configure Feed
