back interdiff of round #6 and #5

nix: knot: pass config to knot guard #700

closed
opened by boltless.me targeting master from sandboxed-atmosphere

this is a temporary fix. ideal solution would be introducing json file configuration or serving ssh server by our own instead of relying on sshd

Signed-off-by: Seongmin Lee git@boltless.me

options
unified split
files
guard
guard.go
knotserver
internal.go
nix
modules
knot.nix
REVERTED
nix/modules/knot.nix
··· 157 157 ''; 158 158 }; 159 159 160 - # TODO: abstract this to share same env table with systemd.services.knot 161 - environment.variables = { 162 - "KNOT_REPO_SCAN_PATH" = cfg.repo.scanPath; 163 - "KNOT_REPO_MAIN_BRANCH" = cfg.repo.mainBranch; 164 - "APPVIEW_ENDPOINT" = cfg.appviewEndpoint; 165 - "KNOT_SERVER_INTERNAL_LISTEN_ADDR" = cfg.server.internalListenAddr; 166 - "KNOT_SERVER_LISTEN_ADDR" = cfg.server.listenAddr; 167 - "KNOT_SERVER_DB_PATH" = cfg.server.dbPath; 168 - "KNOT_SERVER_HOSTNAME" = cfg.server.hostname; 169 - "KNOT_SERVER_PLC_URL" = cfg.server.plcUrl; 170 - "KNOT_SERVER_JETSTREAM_ENDPOINT" = cfg.server.jetstreamEndpoint; 171 - "KNOT_SERVER_OWNER" = cfg.server.owner; 172 - }; 173 160 environment.etc."ssh/keyfetch_wrapper" = { 174 161 mode = "0555"; 175 162 text = ''
NEW
guard/guard.go
··· 12 12 "os/exec" 13 13 "strings" 14 14 15 - "github.com/bluesky-social/indigo/atproto/identity" 16 15 securejoin "github.com/cyphar/filepath-securejoin" 17 16 "github.com/urfave/cli/v3" 18 - "tangled.org/core/idresolver" 19 - "tangled.org/core/knotserver/config" 20 17 "tangled.org/core/log" 21 18 ) 22 19 ··· 58 55 func Run(ctx context.Context, cmd *cli.Command) error { 59 56 l := log.FromContext(ctx) 60 57 61 - c, err := config.Load(ctx) 62 - if err != nil { 63 - return fmt.Errorf("failed to load config: %w", err) 64 - } 65 - 66 58 incomingUser := cmd.String("user") 67 59 gitDir := cmd.String("git-dir") 68 60 logPath := cmd.String("log-path") ··· 99 91 "command", sshCommand, 100 92 "client", clientIP) 101 93 94 + // TODO: greet user with their resolved handle instead of did 102 95 if sshCommand == "" { 103 96 l.Info("access denied: no interactive shells", "user", incomingUser) 104 97 fmt.Fprintf(os.Stderr, "Hi @%s! You've successfully authenticated.\n", incomingUser) ··· 113 106 } 114 107 115 108 gitCommand := cmdParts[0] 116 - 117 - // did:foo/repo-name or 118 - // handle/repo-name or 119 - // any of the above with a leading slash (/) 120 - 121 - components := strings.Split(strings.TrimPrefix(strings.Trim(cmdParts[1], "'"), "/"), "/") 122 - l.Info("command components", "components", components) 123 - 124 - if len(components) != 2 { 125 - l.Error("invalid repo format", "components", components) 126 - fmt.Fprintln(os.Stderr, "invalid repo format, needs <user>/<repo> or /<user>/<repo>") 127 - os.Exit(-1) 128 - } 129 - 130 - didOrHandle := components[0] 131 - identity := resolveIdentity(ctx, c, l, didOrHandle) 132 - did := identity.DID.String() 133 - repoName := components[1] 134 - qualifiedRepoName, _ := securejoin.SecureJoin(did, repoName) 109 + repoPath := cmdParts[1] 135 110 136 111 validCommands := map[string]bool{ 137 112 "git-receive-pack": true, ··· 143 118 fmt.Fprintln(os.Stderr, "access denied: invalid git command") 144 119 return fmt.Errorf("access denied: invalid git command") 145 120 } 146 - 147 - if gitCommand != "git-upload-pack" { 148 - if !isPushPermitted(l, incomingUser, qualifiedRepoName, endpoint) { 149 - l.Error("access denied: user not allowed", 150 - "did", incomingUser, 151 - "reponame", qualifiedRepoName) 152 - fmt.Fprintln(os.Stderr, "access denied: user not allowed") 153 - os.Exit(-1) 154 - } 121 + 122 + // qualify repo path from internal server which holds the knot config 123 + qualifiedRepoPath, err := guardAndQualifyRepo(l, endpoint, incomingUser, repoPath, gitCommand) 124 + if err != nil { 125 + l.Error("failed to run guard", "err", err) 126 + fmt.Fprintln(os.Stderr, err) 127 + os.Exit(1) 155 128 } 156 129 157 - fullPath, _ := securejoin.SecureJoin(gitDir, qualifiedRepoName) 130 + fullPath, _ := securejoin.SecureJoin(gitDir, qualifiedRepoPath) 158 131 159 132 l.Info("processing command", 160 133 "user", incomingUser, 161 134 "command", gitCommand, 162 - "repo", repoName, 135 + "repo", repoPath, 163 136 "fullPath", fullPath, 164 137 "client", clientIP) 165 138 ··· 183 156 gitCmd.Stdin = os.Stdin 184 157 gitCmd.Env = append(os.Environ(), 185 158 fmt.Sprintf("GIT_USER_DID=%s", incomingUser), 186 - fmt.Sprintf("GIT_USER_PDS_ENDPOINT=%s", identity.PDSEndpoint()), 187 159 ) 188 160 189 161 if err := gitCmd.Run(); err != nil { ··· 195 167 l.Info("command completed", 196 168 "user", incomingUser, 197 169 "command", gitCommand, 198 - "repo", repoName, 170 + "repo", repoPath, 199 171 "success", true) 200 172 201 173 return nil 202 174 } 203 175 204 - func resolveIdentity(ctx context.Context, c *config.Config, l *slog.Logger, didOrHandle string) *identity.Identity { 205 - resolver := idresolver.DefaultResolver(c.Server.PlcUrl) 206 - ident, err := resolver.ResolveIdent(ctx, didOrHandle) 207 - if err != nil { 208 - l.Error("Error resolving handle", "error", err, "handle", didOrHandle) 209 - fmt.Fprintf(os.Stderr, "error resolving handle: %v\n", err) 210 - os.Exit(1) 211 - } 212 - if ident.Handle.IsInvalidHandle() { 213 - l.Error("Error resolving handle", "invalid handle", didOrHandle) 214 - fmt.Fprintf(os.Stderr, "error resolving handle: invalid handle\n") 215 - os.Exit(1) 216 - } 217 - return ident 218 - } 219 - 220 - func isPushPermitted(l *slog.Logger, user, qualifiedRepoName, endpoint string) bool { 221 - u, _ := url.Parse(endpoint + "/push-allowed") 176 + // runs guardAndQualifyRepo logic 177 + func guardAndQualifyRepo(l *slog.Logger, endpoint, incomingUser, repo, gitCommand string) (string, error) { 178 + u, _ := url.Parse(endpoint + "/guard") 222 179 q := u.Query() 223 - q.Add("user", user) 224 - q.Add("repo", qualifiedRepoName) 180 + q.Add("user", incomingUser) 181 + q.Add("repo", repo) 182 + q.Add("gitCmd", gitCommand) 225 183 u.RawQuery = q.Encode() 226 184 227 - req, err := http.Get(u.String()) 185 + resp, err := http.Get(u.String()) 228 186 if err != nil { 229 - l.Error("Error verifying permissions", "error", err) 230 - fmt.Fprintf(os.Stderr, "error verifying permissions: %v\n", err) 231 - os.Exit(1) 187 + return "", err 232 188 } 189 + defer resp.Body.Close() 190 + 191 + l.Info("Running guard", "url", u.String(), "status", resp.Status) 233 192 234 - l.Info("Checking push permission", 235 - "url", u.String(), 236 - "status", req.Status) 193 + body, err := io.ReadAll(resp.Body) 194 + if err != nil { 195 + return "", err 196 + } 197 + text := string(body) 237 198 238 - return req.StatusCode == http.StatusNoContent 199 + switch resp.StatusCode { 200 + case http.StatusOK: 201 + return text, nil 202 + case http.StatusForbidden: 203 + l.Error("access denied: user not allowed", "did", incomingUser, "reponame", text) 204 + return text, errors.New("access denied: user not allowed") 205 + default: 206 + return "", errors.New(text) 207 + } 239 208 }
NEW
knotserver/internal.go
··· 67 67 writeJSON(w, data) 68 68 } 69 69 70 + // response in text/plain format 71 + // the body will be qualified repository path on success/push-denied 72 + // or an error message when process failed 73 + func (h *InternalHandle) Guard(w http.ResponseWriter, r *http.Request) { 74 + l := h.l.With("handler", "PostReceiveHook") 75 + 76 + var ( 77 + incomingUser = r.URL.Query().Get("user") 78 + repo = r.URL.Query().Get("repo") 79 + gitCommand = r.URL.Query().Get("gitCmd") 80 + ) 81 + 82 + if incomingUser == "" || repo == "" || gitCommand == "" { 83 + w.WriteHeader(http.StatusBadRequest) 84 + l.Error("invalid request", "incomingUser", incomingUser, "repo", repo, "gitCommand", gitCommand) 85 + fmt.Fprintln(w, "invalid internal request") 86 + return 87 + } 88 + 89 + // did:foo/repo-name or 90 + // handle/repo-name or 91 + // any of the above with a leading slash (/) 92 + components := strings.Split(strings.TrimPrefix(strings.Trim(repo, "'"), "/"), "/") 93 + l.Info("command components", "components", components) 94 + 95 + if len(components) != 2 { 96 + w.WriteHeader(http.StatusBadRequest) 97 + l.Error("invalid repo format", "components", components) 98 + fmt.Fprintln(w, "invalid repo format, needs <user>/<repo> or /<user>/<repo>") 99 + return 100 + } 101 + repoOwner := components[0] 102 + repoName := components[1] 103 + 104 + resolver := idresolver.DefaultResolver(h.c.Server.PlcUrl) 105 + 106 + repoOwnerIdent, err := resolver.ResolveIdent(r.Context(), repoOwner) 107 + if err != nil || repoOwnerIdent.Handle.IsInvalidHandle() { 108 + l.Error("Error resolving handle", "handle", repoOwner, "err", err) 109 + w.WriteHeader(http.StatusInternalServerError) 110 + fmt.Fprintf(w, "error resolving handle: invalid handle\n") 111 + return 112 + } 113 + repoOwnerDid := repoOwnerIdent.DID.String() 114 + 115 + qualifiedRepo, _ := securejoin.SecureJoin(repoOwnerDid, repoName) 116 + 117 + if gitCommand == "git-receive-pack" { 118 + ok, err := h.e.IsPushAllowed(incomingUser, rbac.ThisServer, qualifiedRepo) 119 + if err != nil || !ok { 120 + w.WriteHeader(http.StatusForbidden) 121 + fmt.Fprint(w, repo) 122 + return 123 + } 124 + } 125 + 126 + w.WriteHeader(http.StatusOK) 127 + fmt.Fprint(w, qualifiedRepo) 128 + } 129 + 70 130 type PushOptions struct { 71 131 skipCi bool 72 132 verboseCi bool ··· 330 390 331 391 r.Get("/push-allowed", h.PushAllowed) 332 392 r.Get("/keys", h.InternalKeys) 393 + r.Get("/guard", h.Guard) 333 394 r.Post("/hooks/post-receive", h.PostReceiveHook) 334 395 r.Mount("/debug", middleware.Profiler()) 335 396