nolith.dev / tangled-core
forked from tangled.org/core
Monorepo for Tangled
fork atom
tangled-core / spindle / xrpc / list_secrets.go
at local-dev 90 lines 2.5 kB view raw
nolith.dev idresolver: add PDSClient() helper to reduce duplication
fc5a00ee
1package xrpc 2 3import ( 4 "encoding/json" 5 "fmt" 6 "net/http" 7 "time" 8 9 "github.com/bluesky-social/indigo/api/atproto" 10 "github.com/bluesky-social/indigo/atproto/syntax" 11 securejoin "github.com/cyphar/filepath-securejoin" 12 "tangled.org/core/api/tangled" 13 "tangled.org/core/rbac" 14 "tangled.org/core/spindle/secrets" 15 xrpcerr "tangled.org/core/xrpc/errors" 16) 17 18func (x *Xrpc) ListSecrets(w http.ResponseWriter, r *http.Request) { 19 l := x.Logger 20 fail := func(e xrpcerr.XrpcError) { 21 l.Error("failed", "kind", e.Tag, "error", e.Message) 22 writeError(w, e, http.StatusBadRequest) 23 } 24 25 actorDid, ok := r.Context().Value(ActorDid).(syntax.DID) 26 if !ok { 27 fail(xrpcerr.MissingActorDidError) 28 return 29 } 30 31 repoParam := r.URL.Query().Get("repo") 32 if repoParam == "" { 33 fail(xrpcerr.GenericError(fmt.Errorf("empty params"))) 34 return 35 } 36 37 // unfortunately we have to resolve repo-at here 38 repoAt, err := syntax.ParseATURI(repoParam) 39 if err != nil { 40 fail(xrpcerr.InvalidRepoError(repoParam)) 41 return 42 } 43 44 // resolve this aturi to extract the repo record 45 ident, pdsClient, err := x.Resolver.PDSClient(r.Context(), repoAt.Authority().String()) 46 if err != nil { 47 fail(xrpcerr.GenericError(err)) 48 return 49 } 50 51 resp, err := atproto.RepoGetRecord(r.Context(), pdsClient, "", tangled.RepoNSID, repoAt.Authority().String(), repoAt.RecordKey().String()) 52 if err != nil { 53 fail(xrpcerr.GenericError(err)) 54 return 55 } 56 57 repo := resp.Value.Val.(*tangled.Repo) 58 didPath, err := securejoin.SecureJoin(ident.DID.String(), repo.Name) 59 if err != nil { 60 fail(xrpcerr.GenericError(err)) 61 return 62 } 63 64 if ok, err := x.Enforcer.IsSettingsAllowed(actorDid.String(), rbac.ThisServer, didPath); !ok || err != nil { 65 l.Error("insufficent permissions", "did", actorDid.String()) 66 writeError(w, xrpcerr.AccessControlError(actorDid.String()), http.StatusUnauthorized) 67 return 68 } 69 70 ls, err := x.Vault.GetSecretsLocked(r.Context(), secrets.DidSlashRepo(didPath)) 71 if err != nil { 72 l.Error("failed to get secret from vault", "did", actorDid.String(), "err", err) 73 writeError(w, xrpcerr.GenericError(err), http.StatusInternalServerError) 74 return 75 } 76 77 var out tangled.RepoListSecrets_Output 78 for _, l := range ls { 79 out.Secrets = append(out.Secrets, &tangled.RepoListSecrets_Secret{ 80 Repo: repoAt.String(), 81 Key: l.Key, 82 CreatedAt: l.CreatedAt.Format(time.RFC3339), 83 CreatedBy: l.CreatedBy.String(), 84 }) 85 } 86 87 w.Header().Set("Content-Type", "application/json") 88 w.WriteHeader(http.StatusOK) 89 json.NewEncoder(w).Encode(out) 90}