security sections are fully functional

2026-05-07 15:06:45 +02:00
parent 5e60b814ed
commit 53aa5cbbf5
20 changed files with 946 additions and 41 deletions
@@ -60,18 +60,41 @@ func (h *GitHTTPHandler) ServeGit(w http.ResponseWriter, r *http.Request) {
 	}

 	// Authenticate and enforce permission checks.
+	// Priority: user account → deploy key → anonymous (public repos only).
 	var authedUser string
-	user, authed := h.basicAuth(r)
-	if authed {
-		authedUser = user
-		// Push requires write or admin permission.
-		if service == "git-receive-pack" && !HasPermission(h.db, &repo, user, "write") {
-			http.Error(w, "forbidden: you do not have write access to this repository", http.StatusForbidden)
-			return
-		}
-		// Pull on a private repo requires at least read permission.
-		if repo.IsPrivate && !HasPermission(h.db, &repo, user, "read") {
-			http.Error(w, "forbidden: you do not have read access to this repository", http.StatusForbidden)
+	var authedReadOnly bool
+
+	if _, p, hasAuth := r.BasicAuth(); hasAuth {
+		if user, ok := h.basicAuth(r); ok {
+			authedUser = user
+			// User account: enforce member permissions.
+			if service == "git-receive-pack" && !HasPermission(h.db, &repo, user, "write") {
+				http.Error(w, "forbidden: you do not have write access to this repository", http.StatusForbidden)
+				return
+			}
+			if repo.IsPrivate && !HasPermission(h.db, &repo, user, "read") {
+				http.Error(w, "forbidden: you do not have read access to this repository", http.StatusForbidden)
+				return
+			}
+		} else if rdOnly, ok := AuthenticateDeployKey(h.db, repo.ID, p); ok {
+			// Deploy key: the password field carries the raw token; username is ignored.
+			authedUser = "deploy-key"
+			authedReadOnly = rdOnly
+			if service == "git-receive-pack" && rdOnly {
+				http.Error(w, "forbidden: this deploy key is read-only", http.StatusForbidden)
+				return
+			}
+		} else if _, repoID, hasWrite, ok := LookupAccessToken(h.db, p); ok && repoID == repo.ID {
+			// Access token used as git credential (username ignored, password = token).
+			authedUser = "access-token"
+			if service == "git-receive-pack" && !hasWrite {
+				http.Error(w, "forbidden: this access token has read-only scope", http.StatusForbidden)
+				return
+			}
+		} else {
+			// Credentials provided but invalid.
+			w.Header().Set("WWW-Authenticate", `Basic realm="ForgeBucket"`)
+			http.Error(w, "invalid credentials", http.StatusUnauthorized)
 			return
 		}
 	} else if service == "git-receive-pack" || repo.IsPrivate {
@@ -79,6 +102,7 @@ func (h *GitHTTPHandler) ServeGit(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "authentication required", http.StatusUnauthorized)
 		return
 	}
+	_ = authedReadOnly

 	// Build PATH_INFO: /{reponame}.git/{suffix}
 	// Strip the /{owner}/{repoGit} prefix from the raw URL path to get the suffix.
@@ -0,0 +1,179 @@
+package handlers
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"xorm.io/xorm"
+
+	"github.com/forgeo/forgebucket/internal/api/middleware"
+	"github.com/forgeo/forgebucket/internal/models"
+)
+
+type DeployKeyHandler struct{ db *xorm.Engine }
+
+func NewDeployKeyHandler(db *xorm.Engine) *DeployKeyHandler { return &DeployKeyHandler{db: db} }
+
+// generateToken produces a prefixed random token and its SHA-256 hex hash.
+func generateToken(prefix string) (raw, hash string, err error) {
+	b := make([]byte, 32)
+	if _, err = rand.Read(b); err != nil {
+		return
+	}
+	raw = prefix + base64.RawURLEncoding.EncodeToString(b)
+	sum := sha256.Sum256([]byte(raw))
+	hash = hex.EncodeToString(sum[:])
+	return
+}
+
+func sha256Hex(s string) string {
+	sum := sha256.Sum256([]byte(s))
+	return hex.EncodeToString(sum[:])
+}
+
+type deployKeyResponse struct {
+	ID        int64  `json:"id"`
+	Title     string `json:"title"`
+	ReadOnly  bool   `json:"readOnly"`
+	CreatedAt string `json:"createdAt"`
+	// Token is only populated on creation; empty on subsequent list calls.
+	Token string `json:"token,omitempty"`
+}
+
+func (h *DeployKeyHandler) lookupRepo(w http.ResponseWriter, r *http.Request) (*models.Repository, *models.User, bool) {
+	ownerName := chi.URLParam(r, "owner")
+	repoName := chi.URLParam(r, "repo")
+	var owner models.User
+	if found, _ := h.db.Where("username = ?", ownerName).Get(&owner); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, nil, false
+	}
+	var repo models.Repository
+	if found, _ := h.db.Where("owner_id = ? AND name = ?", owner.ID, repoName).Get(&repo); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, nil, false
+	}
+	return &repo, &owner, true
+}
+
+func (h *DeployKeyHandler) canManage(repo *models.Repository, callerID int64) bool {
+	if callerID == repo.OwnerID {
+		return true
+	}
+	var m models.RepoMember
+	found, _ := h.db.Where("repo_id = ? AND user_id = ? AND permission = 'admin'", repo.ID, callerID).Get(&m)
+	return found
+}
+
+func (h *DeployKeyHandler) List(w http.ResponseWriter, r *http.Request) {
+	repo, _, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	var keys []models.RepoDeployKey
+	h.db.Where("repo_id = ?", repo.ID).OrderBy("created_at desc").Find(&keys)
+	resp := make([]deployKeyResponse, 0, len(keys))
+	for _, k := range keys {
+		resp = append(resp, deployKeyResponse{
+			ID:        k.ID,
+			Title:     k.Title,
+			ReadOnly:  k.ReadOnly,
+			CreatedAt: k.CreatedAt.Format(time.RFC3339),
+		})
+	}
+	jsonOK(w, resp)
+}
+
+func (h *DeployKeyHandler) Create(w http.ResponseWriter, r *http.Request) {
+	repo, _, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.canManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage access keys", http.StatusForbidden)
+		return
+	}
+
+	var body struct {
+		Title    string `json:"title"`
+		ReadOnly bool   `json:"readOnly"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Title == "" {
+		jsonError(w, "title is required", http.StatusBadRequest)
+		return
+	}
+
+	raw, hash, err := generateToken("fbdk_")
+	if err != nil {
+		jsonError(w, "could not generate token", http.StatusInternalServerError)
+		return
+	}
+
+	key := &models.RepoDeployKey{
+		RepoID:    repo.ID,
+		Title:     body.Title,
+		TokenHash: hash,
+		ReadOnly:  body.ReadOnly,
+	}
+	if _, err := h.db.Insert(key); err != nil {
+		jsonError(w, "could not save key", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(deployKeyResponse{
+		ID:        key.ID,
+		Title:     key.Title,
+		ReadOnly:  key.ReadOnly,
+		CreatedAt: key.CreatedAt.Format(time.RFC3339),
+		Token:     raw,
+	})
+}
+
+func (h *DeployKeyHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	repo, _, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.canManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage access keys", http.StatusForbidden)
+		return
+	}
+
+	keyID, err := strconv.ParseInt(chi.URLParam(r, "keyID"), 10, 64)
+	if err != nil {
+		jsonError(w, "invalid key ID", http.StatusBadRequest)
+		return
+	}
+	h.db.Where("id = ? AND repo_id = ?", keyID, repo.ID).Delete(&models.RepoDeployKey{})
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// AuthenticateDeployKey checks if the given raw token is a valid deploy key for the repo.
+// Returns (readOnly, ok).
+func AuthenticateDeployKey(db *xorm.Engine, repoID int64, rawToken string) (readOnly bool, ok bool) {
+	if len(rawToken) < 5 {
+		return false, false
+	}
+	hash := sha256Hex(rawToken)
+	var key models.RepoDeployKey
+	found, _ := db.Where("repo_id = ? AND token_hash = ?", repoID, hash).Get(&key)
+	if !found {
+		return false, false
+	}
+	// Update last_used
+	now := time.Now()
+	key.LastUsed = &now
+	db.ID(key.ID).Cols("last_used_at").Update(&key)
+	return key.ReadOnly, true
+}
@@ -0,0 +1,193 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"xorm.io/xorm"
+
+	"github.com/forgeo/forgebucket/internal/api/middleware"
+	"github.com/forgeo/forgebucket/internal/models"
+)
+
+type AccessTokenHandler struct{ db *xorm.Engine }
+
+func NewAccessTokenHandler(db *xorm.Engine) *AccessTokenHandler {
+	return &AccessTokenHandler{db: db}
+}
+
+type accessTokenResponse struct {
+	ID        int64   `json:"id"`
+	Title     string  `json:"title"`
+	Scopes    string  `json:"scopes"`
+	ExpiresAt *string `json:"expiresAt"`
+	CreatedAt string  `json:"createdAt"`
+	Token     string  `json:"token,omitempty"` // only on creation
+}
+
+func (h *AccessTokenHandler) lookupRepo(w http.ResponseWriter, r *http.Request) (*models.Repository, bool) {
+	ownerName := chi.URLParam(r, "owner")
+	repoName := chi.URLParam(r, "repo")
+	var owner models.User
+	if found, _ := h.db.Where("username = ?", ownerName).Get(&owner); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, false
+	}
+	var repo models.Repository
+	if found, _ := h.db.Where("owner_id = ? AND name = ?", owner.ID, repoName).Get(&repo); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, false
+	}
+	return &repo, true
+}
+
+func (h *AccessTokenHandler) canManage(repo *models.Repository, callerID int64) bool {
+	if callerID == repo.OwnerID {
+		return true
+	}
+	var m models.RepoMember
+	found, _ := h.db.Where("repo_id = ? AND user_id = ? AND permission = 'admin'", repo.ID, callerID).Get(&m)
+	return found
+}
+
+func (h *AccessTokenHandler) List(w http.ResponseWriter, r *http.Request) {
+	repo, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	var tokens []models.RepoAccessToken
+	h.db.Where("repo_id = ?", repo.ID).OrderBy("created_at desc").Find(&tokens)
+	resp := make([]accessTokenResponse, 0, len(tokens))
+	for _, t := range tokens {
+		var exp *string
+		if t.ExpiresAt != nil {
+			s := t.ExpiresAt.Format("2006-01-02")
+			exp = &s
+		}
+		resp = append(resp, accessTokenResponse{
+			ID:        t.ID,
+			Title:     t.Title,
+			Scopes:    t.Scopes,
+			ExpiresAt: exp,
+			CreatedAt: t.CreatedAt.Format(time.RFC3339),
+		})
+	}
+	jsonOK(w, resp)
+}
+
+func (h *AccessTokenHandler) Create(w http.ResponseWriter, r *http.Request) {
+	repo, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.canManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage access tokens", http.StatusForbidden)
+		return
+	}
+
+	var body struct {
+		Title     string `json:"title"`
+		Scopes    string `json:"scopes"`    // "read" | "read,write"
+		ExpiresAt string `json:"expiresAt"` // "2026-12-31" or ""
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Title == "" {
+		jsonError(w, "title is required", http.StatusBadRequest)
+		return
+	}
+	if body.Scopes == "" {
+		body.Scopes = "read"
+	}
+
+	var expiresAt *time.Time
+	if body.ExpiresAt != "" {
+		t, err := time.Parse("2006-01-02", body.ExpiresAt)
+		if err != nil {
+			jsonError(w, "invalid expiresAt format; use YYYY-MM-DD", http.StatusBadRequest)
+			return
+		}
+		t = t.UTC()
+		expiresAt = &t
+	}
+
+	raw, hash, err := generateToken("fbat_")
+	if err != nil {
+		jsonError(w, "could not generate token", http.StatusInternalServerError)
+		return
+	}
+
+	token := &models.RepoAccessToken{
+		RepoID:    repo.ID,
+		CreatorID: callerID,
+		Title:     body.Title,
+		TokenHash: hash,
+		Scopes:    body.Scopes,
+		ExpiresAt: expiresAt,
+	}
+	if _, err := h.db.Insert(token); err != nil {
+		jsonError(w, "could not save token", http.StatusInternalServerError)
+		return
+	}
+
+	var exp *string
+	if expiresAt != nil {
+		s := expiresAt.Format("2006-01-02")
+		exp = &s
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(accessTokenResponse{
+		ID:        token.ID,
+		Title:     token.Title,
+		Scopes:    token.Scopes,
+		ExpiresAt: exp,
+		CreatedAt: token.CreatedAt.Format(time.RFC3339),
+		Token:     raw,
+	})
+}
+
+func (h *AccessTokenHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	repo, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.canManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage access tokens", http.StatusForbidden)
+		return
+	}
+
+	tokenID, err := strconv.ParseInt(chi.URLParam(r, "tokenID"), 10, 64)
+	if err != nil {
+		jsonError(w, "invalid token ID", http.StatusBadRequest)
+		return
+	}
+	h.db.Where("id = ? AND repo_id = ?", tokenID, repo.ID).Delete(&models.RepoAccessToken{})
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// LookupAccessToken validates a Bearer token and returns the creator's userID.
+// Returns (userID, repoID, hasWrite, ok).
+func LookupAccessToken(db *xorm.Engine, rawToken string) (userID, repoID int64, hasWrite bool, ok bool) {
+	if !strings.HasPrefix(rawToken, "fbat_") {
+		return
+	}
+	hash := sha256Hex(rawToken)
+	var t models.RepoAccessToken
+	found, _ := db.Where("token_hash = ?", hash).Get(&t)
+	if !found {
+		return
+	}
+	if t.ExpiresAt != nil && t.ExpiresAt.Before(time.Now()) {
+		return
+	}
+	now := time.Now()
+	t.LastUsed = &now
+	db.ID(t.ID).Cols("last_used_at").Update(&t)
+	hasWrite = strings.Contains(t.Scopes, "write")
+	return t.CreatorID, t.RepoID, hasWrite, true
+}