knotserver/internal.go at op/xpvqrxksuswy · tangled.org/core

Monorepo for Tangled tangled.org
core / knotserver / internal.go
at op/xpvqrxksuswy 16 kB View raw
Anirudh Oppiliappan knotserver/git: compute changed files between commits and wire into workflow compiler 15d ago
  1package knotserver
  2
  3import (
  4	"context"
  5	"encoding/json"
  6	"fmt"
  7	"log/slog"
  8	"net"
  9	"net/http"
 10	"net/url"
 11	"os"
 12	"path"
 13	"path/filepath"
 14	"strings"
 15
 16	securejoin "github.com/cyphar/filepath-securejoin"
 17	"github.com/go-chi/chi/v5"
 18	"github.com/go-chi/chi/v5/middleware"
 19	"github.com/go-git/go-git/v5/plumbing"
 20	"tangled.org/core/api/tangled"
 21	"tangled.org/core/eventstream"
 22	"tangled.org/core/hook"
 23	"tangled.org/core/idresolver"
 24	"tangled.org/core/knotserver/config"
 25	"tangled.org/core/knotserver/db"
 26	"tangled.org/core/knotserver/git"
 27	"tangled.org/core/log"
 28	"tangled.org/core/notifier"
 29	"tangled.org/core/rbac"
 30	"tangled.org/core/tid"
 31	"tangled.org/core/workflow"
 32)
 33
 34type InternalHandle struct {
 35	db  *db.DB
 36	c   *config.Config
 37	e   *rbac.Enforcer
 38	l   *slog.Logger
 39	n   *notifier.Notifier
 40	res *idresolver.Resolver
 41}
 42
 43func (h *InternalHandle) PushAllowed(w http.ResponseWriter, r *http.Request) {
 44	user := r.URL.Query().Get("user")
 45	repo := r.URL.Query().Get("repo")
 46
 47	if user == "" || repo == "" {
 48		w.WriteHeader(http.StatusBadRequest)
 49		return
 50	}
 51
 52	ok, err := h.e.IsPushAllowed(user, rbac.ThisServer, repo)
 53	if err != nil || !ok {
 54		w.WriteHeader(http.StatusForbidden)
 55		return
 56	}
 57
 58	w.WriteHeader(http.StatusNoContent)
 59}
 60
 61func (h *InternalHandle) InternalKeys(w http.ResponseWriter, r *http.Request) {
 62	keys, err := h.db.GetAllPublicKeys()
 63	if err != nil {
 64		writeError(w, err.Error(), http.StatusInternalServerError)
 65		return
 66	}
 67
 68	data := make([]map[string]interface{}, 0)
 69	for _, key := range keys {
 70		j := key.JSON()
 71		data = append(data, j)
 72	}
 73	writeJSON(w, data)
 74}
 75
 76// response in text/plain format
 77// the body will be qualified repository path on success/push-denied
 78// or an error message when process failed
 79func (h *InternalHandle) Guard(w http.ResponseWriter, r *http.Request) {
 80	l := h.l.With("handler", "Guard")
 81
 82	var (
 83		incomingUser = r.URL.Query().Get("user")
 84		repo         = r.URL.Query().Get("repo")
 85		gitCommand   = r.URL.Query().Get("gitCmd")
 86	)
 87
 88	if incomingUser == "" || repo == "" || gitCommand == "" {
 89		w.WriteHeader(http.StatusBadRequest)
 90		l.Error("invalid request", "incomingUser", incomingUser, "repo", repo, "gitCommand", gitCommand)
 91		fmt.Fprintln(w, "invalid internal request")
 92		return
 93	}
 94
 95	components := strings.Split(strings.TrimPrefix(strings.Trim(repo, "'"), "/"), "/")
 96	l.Info("command components", "components", components)
 97
 98	var rbacResource string
 99	var diskRelative string
100
101	switch {
102	case len(components) == 1 && strings.HasPrefix(components[0], "did:"):
103		repoDid := components[0]
104		repoPath, _, _, lookupErr := h.db.ResolveRepoDIDOnDisk(h.c.Repo.ScanPath, repoDid)
105		if lookupErr != nil {
106			w.WriteHeader(http.StatusNotFound)
107			l.Error("repo DID not found", "repoDid", repoDid, "err", lookupErr)
108			fmt.Fprintln(w, "repo not found")
109			return
110		}
111		rbacResource = repoDid
112		rel, relErr := filepath.Rel(h.c.Repo.ScanPath, repoPath)
113		if relErr != nil {
114			w.WriteHeader(http.StatusInternalServerError)
115			l.Error("failed to compute relative path", "repoPath", repoPath, "err", relErr)
116			fmt.Fprintln(w, "internal error")
117			return
118		}
119		diskRelative = rel
120
121	case len(components) == 2:
122		repoOwner := components[0]
123		ownerIdent, resolveErr := h.res.ResolveAtIdentifier(r.Context(), repoOwner)
124		if resolveErr != nil {
125			l.Error("error resolving owner", "owner", repoOwner, "err", resolveErr)
126			w.WriteHeader(http.StatusInternalServerError)
127			fmt.Fprintf(w, "error resolving owner: invalid did or handle\n")
128			return
129		}
130		ownerDid := ownerIdent.DID
131		repoName := components[1]
132		repoDid, didErr := h.db.GetRepoDid(ownerDid.String(), repoName)
133		var repoPath string
134		if didErr == nil {
135			var lookupErr error
136			repoPath, _, _, lookupErr = h.db.ResolveRepoDIDOnDisk(h.c.Repo.ScanPath, repoDid)
137			if lookupErr != nil {
138				w.WriteHeader(http.StatusNotFound)
139				l.Error("repo not found on disk", "repoDid", repoDid, "err", lookupErr)
140				fmt.Fprintln(w, "repo not found")
141				return
142			}
143			rbacResource = repoDid
144		} else {
145			legacyPath, joinErr := securejoin.SecureJoin(h.c.Repo.ScanPath, filepath.Join(ownerDid.String(), repoName))
146			if joinErr != nil {
147				w.Header().Set("Content-Type", "text/plain; charset=UTF-8")
148				w.WriteHeader(http.StatusNotFound)
149				fmt.Fprint(w, "repo not found\n")
150				return
151			}
152			if _, statErr := os.Stat(legacyPath); statErr != nil {
153				l.Info("legacy repo path missing, checking rename history", "owner", ownerDid, "name", repoName)
154				w.Header().Set("Content-Type", "text/plain; charset=UTF-8")
155				w.WriteHeader(http.StatusNotFound)
156				fmt.Fprint(w, "repo not found\n")
157				return
158			}
159			repoPath = legacyPath
160			rbacResource = ownerDid.String() + "/" + repoName
161		}
162		rel, relErr := filepath.Rel(h.c.Repo.ScanPath, repoPath)
163		if relErr != nil {
164			w.WriteHeader(http.StatusInternalServerError)
165			l.Error("failed to compute relative path", "repoPath", repoPath, "err", relErr)
166			fmt.Fprintln(w, "internal error")
167			return
168		}
169		diskRelative = rel
170
171	default:
172		w.WriteHeader(http.StatusBadRequest)
173		l.Error("invalid repo format", "components", components)
174		fmt.Fprintln(w, "invalid repo format, needs <user>/<repo>, /<user>/<repo>, or <repo-did>")
175		return
176	}
177
178	if gitCommand == "git-receive-pack" {
179		ok, err := h.e.IsPushAllowed(incomingUser, rbac.ThisServer, rbacResource)
180		if err != nil || !ok {
181			w.WriteHeader(http.StatusForbidden)
182			fmt.Fprint(w, repo)
183			return
184		}
185	}
186
187	w.WriteHeader(http.StatusOK)
188	fmt.Fprint(w, diskRelative)
189}
190
191type PushOptions struct {
192	skipCi    bool
193	verboseCi bool
194}
195
196func (h *InternalHandle) PostReceiveHook(w http.ResponseWriter, r *http.Request) {
197	l := h.l.With("handler", "PostReceiveHook")
198
199	gitAbsoluteDir := r.Header.Get("X-Git-Dir")
200	gitRelativeDir, err := filepath.Rel(h.c.Repo.ScanPath, gitAbsoluteDir)
201	if err != nil {
202		l.Error("failed to calculate relative git dir", "scanPath", h.c.Repo.ScanPath, "gitAbsoluteDir", gitAbsoluteDir)
203		w.WriteHeader(http.StatusInternalServerError)
204		return
205	}
206
207	var repoDid string
208	var ownerDid, repoName string
209
210	if strings.HasPrefix(gitRelativeDir, "did:") {
211		repoDid = gitRelativeDir
212		var err error
213		ownerDid, repoName, err = h.db.GetRepoKeyOwner(repoDid)
214		if err != nil {
215			l.Error("failed to resolve repo DID from git dir", "repoDid", repoDid, "err", err)
216			w.WriteHeader(http.StatusBadRequest)
217			return
218		}
219	} else {
220		components := strings.SplitN(gitRelativeDir, "/", 2)
221		if len(components) != 2 {
222			l.Error("invalid git dir, expected repo DID or owner/repo", "gitRelativeDir", gitRelativeDir)
223			w.WriteHeader(http.StatusBadRequest)
224			return
225		}
226		ownerDid = components[0]
227		repoName = components[1]
228		var didErr error
229		repoDid, didErr = h.db.GetRepoDid(ownerDid, repoName)
230		if didErr != nil {
231			l.Error("failed to resolve repo DID from legacy path", "gitRelativeDir", gitRelativeDir, "err", didErr)
232			w.WriteHeader(http.StatusBadRequest)
233			return
234		}
235	}
236
237	gitUserDid := r.Header.Get("X-Git-User-Did")
238
239	lines, err := git.ParsePostReceive(r.Body)
240	if err != nil {
241		l.Error("failed to parse post-receive payload", "err", err)
242		// non-fatal
243	}
244
245	// extract any push options
246	pushOptionsRaw := r.Header.Values("X-Git-Push-Option")
247	pushOptions := PushOptions{}
248	for _, option := range pushOptionsRaw {
249		if option == "skip-ci" || option == "ci-skip" {
250			pushOptions.skipCi = true
251		}
252		if option == "verbose-ci" || option == "ci-verbose" {
253			pushOptions.verboseCi = true
254		}
255	}
256
257	resp := hook.HookResponse{
258		Messages: make([]string, 0),
259	}
260
261	for _, line := range lines {
262		err := h.insertRefUpdate(line, gitUserDid, ownerDid, repoDid)
263		if err != nil {
264			l.Error("failed to insert op", "err", err, "line", line, "did", gitUserDid, "repo", gitRelativeDir)
265		}
266
267		err = h.emitPullRequestLink(&resp.Messages, line, ownerDid, repoName, repoDid)
268		if err != nil {
269			l.Error("failed to reply with pull request link", "err", err, "line", line, "did", gitUserDid, "repo", gitRelativeDir)
270		}
271
272		err = h.triggerPipeline(&resp.Messages, line, gitUserDid, ownerDid, repoName, repoDid, pushOptions)
273		if err != nil {
274			l.Error("failed to trigger pipeline", "err", err, "line", line, "did", gitUserDid, "repo", gitRelativeDir)
275		}
276	}
277
278	writeJSON(w, resp)
279}
280
281func (h *InternalHandle) insertRefUpdate(line git.PostReceiveLine, gitUserDid, ownerDid, repoDid string) error {
282	refUpdate := tangled.GitRefUpdate{
283		OldSha:       line.OldSha.String(),
284		NewSha:       line.NewSha.String(),
285		Ref:          line.Ref,
286		CommitterDid: gitUserDid,
287		OwnerDid:     &ownerDid,
288		Repo:         repoDid,
289		Meta:         nil,
290	}
291
292	if !line.NewSha.IsZero() {
293		repoPath, _, _, resolveErr := h.db.ResolveRepoDIDOnDisk(h.c.Repo.ScanPath, repoDid)
294		if resolveErr != nil {
295			return fmt.Errorf("failed to resolve repo on disk: %w", resolveErr)
296		}
297
298		gr, err := git.Open(repoPath, line.Ref)
299		if err != nil {
300			return fmt.Errorf("failed to open git repo at ref %s: %w", line.Ref, err)
301		}
302
303		meta, err := gr.RefUpdateMeta(line)
304		if err != nil {
305			return fmt.Errorf("failed to get ref update metadata: %w", err)
306		}
307
308		refUpdate.Meta = new(tangled.GitRefUpdate_Meta)
309		*refUpdate.Meta = meta.AsRecord()
310	}
311
312	eventJson, err := json.Marshal(refUpdate)
313	if err != nil {
314		return err
315	}
316
317	event := eventstream.Event{
318		Rkey:      tid.TID(),
319		Nsid:      tangled.GitRefUpdateNSID,
320		EventJson: eventJson,
321	}
322
323	return h.db.InsertEvent(event, h.n)
324}
325
326func (h *InternalHandle) triggerPipeline(
327	clientMsgs *[]string,
328	line git.PostReceiveLine,
329	gitUserDid string,
330	ownerDid string,
331	repoName string,
332	repoDid string,
333	pushOptions PushOptions,
334) error {
335	if pushOptions.skipCi {
336		return nil
337	}
338
339	repoPath, _, _, resolveErr := h.db.ResolveRepoDIDOnDisk(h.c.Repo.ScanPath, repoDid)
340	if resolveErr != nil {
341		return fmt.Errorf("failed to resolve repo on disk: %w", resolveErr)
342	}
343
344	gr, err := git.Open(repoPath, line.Ref)
345	if err != nil {
346		return err
347	}
348
349	workflowDir, err := gr.FileTree(context.Background(), workflow.WorkflowDir)
350	if err != nil {
351		return err
352	}
353
354	var pipeline workflow.RawPipeline
355	for _, e := range workflowDir {
356		if !e.IsFile() {
357			continue
358		}
359
360		fpath := filepath.Join(workflow.WorkflowDir, e.Name)
361		contents, err := gr.RawContent(fpath)
362		if err != nil {
363			continue
364		}
365
366		pipeline = append(pipeline, workflow.RawWorkflow{
367			Name:     e.Name,
368			Contents: contents,
369		})
370	}
371
372	defaultBranch, _ := gr.FindMainBranch()
373
374	trigger := tangled.Pipeline_PushTriggerData{
375		Ref:    line.Ref,
376		OldSha: line.OldSha.String(),
377		NewSha: line.NewSha.String(),
378	}
379
380	triggerRepo := &tangled.Pipeline_TriggerRepo{
381		Did:           ownerDid,
382		Knot:          h.c.Server.Hostname,
383		Repo:          &repoName,
384		RepoDid:       &repoDid,
385		DefaultBranch: defaultBranch,
386	}
387
388	changedFiles, err := gr.ChangedFilesBetween(line.OldSha.String(), line.NewSha.String())
389	if err != nil {
390		return fmt.Errorf("getting changed files: %w", err)
391	}
392
393	compiler := workflow.Compiler{
394		Trigger: tangled.Pipeline_TriggerMetadata{
395			Kind: string(workflow.TriggerKindPush),
396			Push: &trigger,
397			Repo: triggerRepo,
398		},
399		ChangedFiles: changedFiles,
400	}
401
402	cp := compiler.Compile(compiler.Parse(pipeline))
403	eventJson, err := json.Marshal(cp)
404	if err != nil {
405		return err
406	}
407
408	for _, e := range compiler.Diagnostics.Errors {
409		*clientMsgs = append(*clientMsgs, e.String())
410	}
411
412	if pushOptions.verboseCi {
413		if compiler.Diagnostics.IsEmpty() {
414			*clientMsgs = append(*clientMsgs, "success: pipeline compiled with no diagnostics")
415		}
416
417		for _, w := range compiler.Diagnostics.Warnings {
418			*clientMsgs = append(*clientMsgs, w.String())
419		}
420	}
421
422	// do not run empty pipelines
423	if cp.Workflows == nil {
424		return nil
425	}
426
427	event := eventstream.Event{
428		Rkey:      tid.TID(),
429		Nsid:      tangled.PipelineNSID,
430		EventJson: eventJson,
431	}
432
433	if h.c.LogsAddr != "" {
434		host, port, err := net.SplitHostPort(h.c.LogsAddr)
435		if err == nil {
436			*clientMsgs = append(*clientMsgs, "→  Browse CI logs in your terminal:")
437			*clientMsgs = append(*clientMsgs, fmt.Sprintf("   ssh -t -p %s %s %s %s", port, host, repoDid, line.NewSha))
438		}
439	}
440
441	return h.db.InsertEvent(event, h.n)
442}
443
444func (h *InternalHandle) emitPullRequestLink(
445	clientMsgs *[]string,
446	line git.PostReceiveLine,
447	ownerDid string,
448	repoName string,
449	repoDid string,
450) error {
451	if line.NewSha.IsZero() {
452		return nil
453	}
454
455	// the ref was not updated to a new hash, don't reply with the link
456	//
457	// NOTE: do we need this?
458	if line.NewSha == line.OldSha {
459		return nil
460	}
461
462	pushedRef := plumbing.ReferenceName(line.Ref)
463	if !pushedRef.IsBranch() {
464		return nil
465	}
466
467	if !line.OldSha.IsZero() {
468		return nil
469	}
470
471	repoPath, _, _, resolveErr := h.db.ResolveRepoDIDOnDisk(h.c.Repo.ScanPath, repoDid)
472	if resolveErr != nil {
473		return fmt.Errorf("failed to resolve repo on disk: %w", resolveErr)
474	}
475
476	gr, err := git.PlainOpen(repoPath)
477	if err != nil {
478		return err
479	}
480
481	remote, err := gr.Remote()
482	if err != nil {
483		return fmt.Errorf("checking for upstream remote: %w", err)
484	}
485
486	defaultBranch, err := gr.FindMainBranch()
487	if err != nil {
488		return err
489	}
490
491	pushedBranch := pushedRef.Short()
492
493	// pushing to default branch
494	if pushedBranch == defaultBranch {
495		return nil
496	}
497
498	userIdent, err := h.res.ResolveIdent(context.Background(), ownerDid)
499	user := ownerDid
500	if err == nil {
501		user = userIdent.Handle.String()
502	}
503
504	pullURL, err := h.createPullURL(h.c.AppViewEndpoint, remote, user, ownerDid, repoName, pushedBranch, defaultBranch)
505	if err != nil {
506		return err
507	}
508
509	ZWS := "\u200B"
510	*clientMsgs = append(*clientMsgs, ZWS)
511	*clientMsgs = append(*clientMsgs, "→  Open pull request:")
512	*clientMsgs = append(*clientMsgs, "   "+pullURL)
513	*clientMsgs = append(*clientMsgs, ZWS)
514	return nil
515}
516
517func (h *InternalHandle) createPullURL(appviewURL, remote, user, ownerDID, repoName, pushedBranch, defaultBranch string) (string, error) {
518	if remote != "" {
519		return h.createForkPullURL(appviewURL, remote, ownerDID, repoName, pushedBranch, defaultBranch)
520	}
521
522	query := url.Values{}
523
524	query.Set("source", "branch")
525	query.Set("sourceBranch", pushedBranch)
526	query.Set("targetBranch", defaultBranch)
527
528	basePath, err := url.JoinPath(appviewURL, user, repoName, "pulls", "new")
529	if err != nil {
530		return "", err
531	}
532	pullURL := basePath + "?" + query.Encode()
533	return pullURL, nil
534}
535
536func (h *InternalHandle) createForkPullURL(appviewURL, remote, ownerDID, repoName, pushedBranch, defaultBranch string) (string, error) {
537	query := url.Values{}
538
539	query.Set("fork", fmt.Sprintf("%s/%s", ownerDID, repoName))
540	query.Set("source", "fork")
541	query.Set("sourceBranch", pushedBranch)
542	query.Set("targetBranch", defaultBranch)
543
544	repoPath, err := h.getRemoteOwnerRepoNamePath(remote)
545	if err != nil {
546		return "", err
547	}
548
549	basePath, err := url.JoinPath(appviewURL, repoPath, "pulls", "new")
550	if err != nil {
551		return "", err
552	}
553	pullURL := basePath + "?" + query.Encode()
554	return pullURL, nil
555}
556
557func (h *InternalHandle) getRemoteOwnerRepoNamePath(remote string) (string, error) {
558	u, err := url.Parse(remote)
559	if err != nil {
560		return "", fmt.Errorf("invalid remote: %w", err)
561	}
562
563	if u.Scheme != "file" {
564		return u.Path, nil
565	}
566
567	repoDid := path.Base(u.String())
568
569	owner, name, err := h.db.GetRepoKeyOwner(repoDid)
570	if err != nil {
571		return "", err
572	}
573
574	return fmt.Sprintf("%s/%s", owner, name), nil
575}
576
577func Internal(ctx context.Context, c *config.Config, db *db.DB, e *rbac.Enforcer, n *notifier.Notifier, res *idresolver.Resolver) http.Handler {
578	r := chi.NewRouter()
579	l := log.FromContext(ctx)
580	l = log.SubLogger(l, "internal")
581
582	h := InternalHandle{
583		db:  db,
584		c:   c,
585		e:   e,
586		l:   l,
587		n:   n,
588		res: res,
589	}
590
591	r.Get("/push-allowed", h.PushAllowed)
592	r.Get("/keys", h.InternalKeys)
593	r.Get("/guard", h.Guard)
594	r.Post("/hooks/post-receive", h.PostReceiveHook)
595	r.Mount("/debug", middleware.Profiler())
596
597	return r
598}
Configure Feed

Configure Feed
