security sections are fully functional

2026-05-07 15:06:45 +02:00
parent 5e60b814ed
commit 53aa5cbbf5
20 changed files with 946 additions and 41 deletions
@@ -0,0 +1,179 @@
+package handlers
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"xorm.io/xorm"
+
+	"github.com/forgeo/forgebucket/internal/api/middleware"
+	"github.com/forgeo/forgebucket/internal/models"
+)
+
+type DeployKeyHandler struct{ db *xorm.Engine }
+
+func NewDeployKeyHandler(db *xorm.Engine) *DeployKeyHandler { return &DeployKeyHandler{db: db} }
+
+// generateToken produces a prefixed random token and its SHA-256 hex hash.
+func generateToken(prefix string) (raw, hash string, err error) {
+	b := make([]byte, 32)
+	if _, err = rand.Read(b); err != nil {
+		return
+	}
+	raw = prefix + base64.RawURLEncoding.EncodeToString(b)
+	sum := sha256.Sum256([]byte(raw))
+	hash = hex.EncodeToString(sum[:])
+	return
+}
+
+func sha256Hex(s string) string {
+	sum := sha256.Sum256([]byte(s))
+	return hex.EncodeToString(sum[:])
+}
+
+type deployKeyResponse struct {
+	ID        int64  `json:"id"`
+	Title     string `json:"title"`
+	ReadOnly  bool   `json:"readOnly"`
+	CreatedAt string `json:"createdAt"`
+	// Token is only populated on creation; empty on subsequent list calls.
+	Token string `json:"token,omitempty"`
+}
+
+func (h *DeployKeyHandler) lookupRepo(w http.ResponseWriter, r *http.Request) (*models.Repository, *models.User, bool) {
+	ownerName := chi.URLParam(r, "owner")
+	repoName := chi.URLParam(r, "repo")
+	var owner models.User
+	if found, _ := h.db.Where("username = ?", ownerName).Get(&owner); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, nil, false
+	}
+	var repo models.Repository
+	if found, _ := h.db.Where("owner_id = ? AND name = ?", owner.ID, repoName).Get(&repo); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, nil, false
+	}
+	return &repo, &owner, true
+}
+
+func (h *DeployKeyHandler) canManage(repo *models.Repository, callerID int64) bool {
+	if callerID == repo.OwnerID {
+		return true
+	}
+	var m models.RepoMember
+	found, _ := h.db.Where("repo_id = ? AND user_id = ? AND permission = 'admin'", repo.ID, callerID).Get(&m)
+	return found
+}
+
+func (h *DeployKeyHandler) List(w http.ResponseWriter, r *http.Request) {
+	repo, _, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	var keys []models.RepoDeployKey
+	h.db.Where("repo_id = ?", repo.ID).OrderBy("created_at desc").Find(&keys)
+	resp := make([]deployKeyResponse, 0, len(keys))
+	for _, k := range keys {
+		resp = append(resp, deployKeyResponse{
+			ID:        k.ID,
+			Title:     k.Title,
+			ReadOnly:  k.ReadOnly,
+			CreatedAt: k.CreatedAt.Format(time.RFC3339),
+		})
+	}
+	jsonOK(w, resp)
+}
+
+func (h *DeployKeyHandler) Create(w http.ResponseWriter, r *http.Request) {
+	repo, _, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.canManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage access keys", http.StatusForbidden)
+		return
+	}
+
+	var body struct {
+		Title    string `json:"title"`
+		ReadOnly bool   `json:"readOnly"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Title == "" {
+		jsonError(w, "title is required", http.StatusBadRequest)
+		return
+	}
+
+	raw, hash, err := generateToken("fbdk_")
+	if err != nil {
+		jsonError(w, "could not generate token", http.StatusInternalServerError)
+		return
+	}
+
+	key := &models.RepoDeployKey{
+		RepoID:    repo.ID,
+		Title:     body.Title,
+		TokenHash: hash,
+		ReadOnly:  body.ReadOnly,
+	}
+	if _, err := h.db.Insert(key); err != nil {
+		jsonError(w, "could not save key", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(deployKeyResponse{
+		ID:        key.ID,
+		Title:     key.Title,
+		ReadOnly:  key.ReadOnly,
+		CreatedAt: key.CreatedAt.Format(time.RFC3339),
+		Token:     raw,
+	})
+}
+
+func (h *DeployKeyHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	repo, _, ok := h.lookupRepo(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.canManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage access keys", http.StatusForbidden)
+		return
+	}
+
+	keyID, err := strconv.ParseInt(chi.URLParam(r, "keyID"), 10, 64)
+	if err != nil {
+		jsonError(w, "invalid key ID", http.StatusBadRequest)
+		return
+	}
+	h.db.Where("id = ? AND repo_id = ?", keyID, repo.ID).Delete(&models.RepoDeployKey{})
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// AuthenticateDeployKey checks if the given raw token is a valid deploy key for the repo.
+// Returns (readOnly, ok).
+func AuthenticateDeployKey(db *xorm.Engine, repoID int64, rawToken string) (readOnly bool, ok bool) {
+	if len(rawToken) < 5 {
+		return false, false
+	}
+	hash := sha256Hex(rawToken)
+	var key models.RepoDeployKey
+	found, _ := db.Where("repo_id = ? AND token_hash = ?", repoID, hash).Get(&key)
+	if !found {
+		return false, false
+	}
+	// Update last_used
+	now := time.Now()
+	key.LastUsed = &now
+	db.ID(key.ID).Cols("last_used_at").Update(&key)
+	return key.ReadOnly, true
+}