+40

api/tangled/repocheckPushAllowed.go

Reviewed

··· 1 1 + // Code generated by cmd/lexgen (see Makefile's lexgen); DO NOT EDIT. 2 2 + 3 3 + package tangled 4 4 + 5 5 + // schema: sh.tangled.repo.checkPushAllowed 6 6 + 7 7 + import ( 8 8 + "context" 9 9 + 10 10 + "github.com/bluesky-social/indigo/lex/util" 11 11 + ) 12 12 + 13 13 + const ( 14 14 + RepoCheckPushAllowedNSID = "sh.tangled.repo.checkPushAllowed" 15 15 + ) 16 16 + 17 17 + // RepoCheckPushAllowed_Output is the output of a sh.tangled.repo.checkPushAllowed call. 18 18 + type RepoCheckPushAllowed_Output struct { 19 19 + // allowed: Whether the key's owner may push to the repo. 20 20 + Allowed bool `json:"allowed" cborgen:"allowed"` 21 21 + // did: DID the key resolved to, if a match was found. 22 22 + Did *string `json:"did,omitempty" cborgen:"did,omitempty"` 23 23 + } 24 24 + 25 25 + // RepoCheckPushAllowed calls the XRPC method "sh.tangled.repo.checkPushAllowed". 26 26 + // 27 27 + // key: Public key in OpenSSH authorized_keys format. 28 28 + // repo: A repo DID. 29 29 + func RepoCheckPushAllowed(ctx context.Context, c util.LexClient, key string, repo string) (*RepoCheckPushAllowed_Output, error) { 30 30 + var out RepoCheckPushAllowed_Output 31 31 + 32 32 + params := map[string]interface{}{} 33 33 + params["key"] = key 34 34 + params["repo"] = repo 35 35 + if err := c.LexDo(ctx, util.Query, "", "sh.tangled.repo.checkPushAllowed", params, nil, &out); err != nil { 36 36 + return nil, err 37 37 + } 38 38 + 39 39 + return &out, nil 40 40 + }

+5 -1

flake.nix

Reviewed

··· 466 466 program = 467 467 (pkgs.writeShellApplication { 468 468 name = "lexgen"; 469 469 + runtimeInputs = [pkgs.stdenv.cc]; 469 470 text = '' 470 471 if ! command -v lexgen > /dev/null; then 471 472 echo "error: must be executed from devshell" 472 473 exit 1 473 474 fi 475 475 + 476 476 + # pin CC to a glibc gcc so a stray musl cc cant mess up CGO 477 477 + export CC=${pkgs.stdenv.cc}/bin/cc 474 478 475 479 rootDir=$(jj --ignore-working-copy root || git rev-parse --show-toplevel) || (echo "error: can't find repo root?"; exit 1) 476 480 cd "$rootDir" ··· 482 486 find api/tangled/*.go -not -name "cbor_gen.go" -exec \ 483 487 sed -i '/^func.*\(MarshalCBOR\|UnmarshalCBOR\)/,/^}/ s/^/\/\/ /' {} + 484 488 ${pkgs.gotools}/bin/goimports -w api/tangled/* 485 485 - CGO_ENABLED=0 go run ./cmd/cborgen/ 489 489 + CGO_ENABLED=1 go run ./cmd/cborgen/ 486 490 lexgen --build-file lexicon-build-config.json lexicons 487 491 rm api/tangled/*.bak 488 492 '';

+41

knotserver/db/pubkeys.go

Reviewed

··· 4 4 "database/sql" 5 5 "log/slog" 6 6 "strconv" 7 7 + "strings" 7 8 "time" 8 9 9 10 "github.com/bluesky-social/indigo/atproto/syntax" 11 11 + "golang.org/x/crypto/ssh" 10 12 "tangled.org/core/api/tangled" 11 13 ) 12 14 ··· 41 43 logger.Warn("skipping public key with empty key value", "did", pk.Did, "rkey", pk.Rkey) 42 44 return nil 43 45 } 46 46 + 47 47 + canonical, ok := normalizePublicKey(pk.Key) 48 48 + if !ok { 49 49 + logger.Warn("skipping malformed public key", "did", pk.Did, "rkey", pk.Rkey) 50 50 + return nil 51 51 + } 52 52 + pk.Key = canonical 44 53 45 54 if pk.CreatedAt == "" { 46 55 pk.CreatedAt = time.Now().Format(time.RFC3339) ··· 107 116 "key": pk.Key, 108 117 "createdAt": pk.CreatedAt, 109 118 } 119 119 + } 120 120 + 121 121 + func normalizePublicKey(key string) (string, bool) { 122 122 + parsed, comment, _, _, err := ssh.ParseAuthorizedKey([]byte(key)) 123 123 + if err != nil { 124 124 + return "", false 125 125 + } 126 126 + 127 127 + canonical := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(parsed))) 128 128 + if comment != "" { 129 129 + canonical += " " + comment 130 130 + } 131 131 + 132 132 + return canonical, true 133 133 + } 134 134 + 135 135 + func (d *DB) DidForPublicKey(offered ssh.PublicKey) (syntax.DID, bool, error) { 136 136 + prefix := strings.TrimSpace(string(ssh.MarshalAuthorizedKey(offered))) 137 137 + 138 138 + var did syntax.DID 139 139 + err := d.db.QueryRow( 140 140 + `select did from public_keys where key = ? or key like ? limit 1`, 141 141 + prefix, prefix+" %", 142 142 + ).Scan(&did) 143 143 + if err == sql.ErrNoRows { 144 144 + return "", false, nil 145 145 + } 146 146 + if err != nil { 147 147 + return "", false, err 148 148 + } 149 149 + 150 150 + return did, true, nil 110 151 } 111 152 112 153 func (d *DB) GetAllPublicKeys() ([]PublicKey, error) {

+3 -3

knotserver/db/pubkeys_test.go

Reviewed

··· 10 10 const ( 11 11 didBoltless = "did:plc:boltless" 12 12 didAkshay = "did:plc:akshay" 13 13 - keyShared = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAISharedSharedSharedSharedSharedSharedShar01" 14 14 - keyRotated = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIRotatedRotatedRotatedRotatedRotatedRot02" 15 15 - keyOther = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtherOtherOtherOtherOtherOtherOtherOth03" 13 13 + keyShared = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwwmlNQEh5NdGL4ERWj3uXWXylXsB8fPnO5frkl2sps" 14 14 + keyRotated = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAj/UuveywM4LZdjbcsH5LVmXhu8VX5jdUR6UdEQFGBo" 15 15 + keyOther = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqWLXSkuE6AUkAwXThOsudIGqMV/u4ZnE8yTd6DSpoR" 16 16 ) 17 17 18 18 func TestUpsertPublicKey_GlobalUniqueness(t *testing.T) {

+2 -2

knotserver/keys/keys_test.go

Reviewed

··· 19 19 20 20 const ( 21 21 didBoltless = "did:plc:boltless" 22 22 - keyAlpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlphaAlphaAlphaAlphaAlphaAlphaAlphaAlpha01" 23 23 - keyBravo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABravoBravoBravoBravoBravoBravoBravoBravo02" 22 22 + keyAlpha = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWubjgc3IM/zqjpWQJSig6l6iFyaDx7HWTiWlasjcM" 23 23 + keyBravo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMax5MnG4RGoxp0TlaEj8mcFhZZp13cdIIvO8s4a6KZ2" 24 24 ) 25 25 26 26 func TestFetchAndStore_EmptyResponseDoesNotWipe(t *testing.T) {

+57

knotserver/xrpc/check_push_allowed.go

Reviewed

··· 1 1 + package xrpc 2 2 + 3 3 + import ( 4 4 + "net/http" 5 5 + "strings" 6 6 + 7 7 + "golang.org/x/crypto/ssh" 8 8 + "tangled.org/core/api/tangled" 9 9 + "tangled.org/core/rbac" 10 10 + xrpcerr "tangled.org/core/xrpc/errors" 11 11 + ) 12 12 + 13 13 + func (x *Xrpc) CheckPushAllowed(w http.ResponseWriter, r *http.Request) { 14 14 + repo := strings.TrimSpace(r.URL.Query().Get("repo")) 15 15 + keyStr := r.URL.Query().Get("key") 16 16 + 17 17 + if !strings.HasPrefix(repo, "did:") || keyStr == "" { 18 18 + writeError(w, xrpcerr.NewXrpcError( 19 19 + xrpcerr.WithTag("InvalidRequest"), 20 20 + xrpcerr.WithMessage("repo (a repo DID) and key are required"), 21 21 + ), http.StatusBadRequest) 22 22 + return 23 23 + } 24 24 + 25 25 + offered, _, _, _, err := ssh.ParseAuthorizedKey([]byte(keyStr)) 26 26 + if err != nil { 27 27 + writeError(w, xrpcerr.NewXrpcError( 28 28 + xrpcerr.WithTag("InvalidRequest"), 29 29 + xrpcerr.WithMessage("malformed public key"), 30 30 + ), http.StatusBadRequest) 31 31 + return 32 32 + } 33 33 + 34 34 + did, ok, err := x.Db.DidForPublicKey(offered) 35 35 + if err != nil { 36 36 + x.Logger.Error("failed to look up public key", "error", err) 37 37 + x.writeJson(w, tangled.RepoCheckPushAllowed_Output{Allowed: false}) 38 38 + return 39 39 + } 40 40 + if !ok { 41 41 + // unknown key, not an error, just not allowed 42 42 + x.writeJson(w, tangled.RepoCheckPushAllowed_Output{Allowed: false}) 43 43 + return 44 44 + } 45 45 + 46 46 + didStr := did.String() 47 47 + 48 48 + allowed, err := x.Enforcer.IsPushAllowed(didStr, rbac.ThisServer, repo) 49 49 + if err != nil { 50 50 + x.Logger.Error("enforcer error", "did", didStr, "repo", repo, "error", err) 51 51 + allowed = false 52 52 + } 53 53 + 54 54 + out := tangled.RepoCheckPushAllowed_Output{Allowed: allowed} 55 55 + out.Did = &didStr 56 56 + x.writeJson(w, out) 57 57 + }

+1

knotserver/xrpc/xrpc.go

Reviewed

··· 84 84 r.Get("/"+tangled.RepoArchiveNSID, x.RepoArchive) 85 85 r.Get("/"+tangled.RepoLanguagesNSID, x.RepoLanguages) 86 86 r.Get("/"+tangled.RepoListCollaboratorsNSID, x.ListCollaborators) 87 87 + r.Get("/"+tangled.RepoCheckPushAllowedNSID, x.CheckPushAllowed) 87 88 88 89 // knot query endpoints (no auth required) 89 90 r.Get("/"+tangled.KnotListKeysNSID, x.ListKeys)

+53

lexicons/repo/checkPushAllowed.json

Reviewed

··· 1 1 + { 2 2 + "lexicon": 1, 3 3 + "id": "sh.tangled.repo.checkPushAllowed", 4 4 + "defs": { 5 5 + "main": { 6 6 + "type": "query", 7 7 + "description": "Check whether the holder of a public key is allowed to push to a repo.", 8 8 + "parameters": { 9 9 + "type": "params", 10 10 + "required": ["repo", "key"], 11 11 + "properties": { 12 12 + "repo": { 13 13 + "type": "string", 14 14 + "description": "A repo DID." 15 15 + }, 16 16 + "key": { 17 17 + "type": "string", 18 18 + "maxLength": 4096, 19 19 + "description": "Public key in OpenSSH authorized_keys format." 20 20 + } 21 21 + } 22 22 + }, 23 23 + "output": { 24 24 + "encoding": "application/json", 25 25 + "schema": { 26 26 + "type": "object", 27 27 + "required": ["allowed"], 28 28 + "properties": { 29 29 + "allowed": { 30 30 + "type": "boolean", 31 31 + "description": "Whether the key's owner may push to the repo." 32 32 + }, 33 33 + "did": { 34 34 + "type": "string", 35 35 + "format": "did", 36 36 + "description": "DID the key resolved to, if a match was found." 37 37 + } 38 38 + } 39 39 + } 40 40 + }, 41 41 + "errors": [ 42 42 + { 43 43 + "name": "RepoNotFound", 44 44 + "description": "The repo could not be resolved on this knot." 45 45 + }, 46 46 + { 47 47 + "name": "InvalidRequest", 48 48 + "description": "Missing or malformed parameters." 49 49 + } 50 50 + ] 51 51 + } 52 52 + } 53 53 + }