package repo //go:generate mockgen -destination mock_repo_test.go -package repo code.gitea.io/sdk/gitea Client import ( "encoding/json" "errors" "slices" "strings" "git.polynom.me/rio/internal/constants" "git.polynom.me/rio/internal/context" "git.polynom.me/rio/internal/gitea" log "github.com/sirupsen/logrus" ) var ( ForbiddenHeaders = []string{ "content-length", "content-type", "date", "location", "strict-transport-security", "set-cookie", } ) func lookupRepositoryAndCache(username, reponame, branchName, host, domain, path, cname string, ctx *context.GlobalContext) (*gitea.Repository, error) { log.Debugf("CNAME: %s", cname) log.Debugf("Looking up repository %s/%s", username, reponame) repo, err := ctx.Gitea.GetRepository(username, reponame) if err != nil { return nil, err } if !ctx.Gitea.HasBranch(username, reponame, branchName) { return nil, errors.New("Specified branch does not exist") } // Check if the CNAME file matches if cname != "" { log.Debug("Checking CNAME") repoInfo := GetRepositoryInformation(username, reponame, ctx) if repoInfo == nil { log.Warn("Repository does not contain a rio.json file") return nil, errors.New("No CNAME available in repository") } log.Debugf("CNAME Content: \"%s\"", repoInfo.CNAME) if repoInfo.CNAME != host { log.Warnf("CNAME mismatch: Repo '%s', Host '%s'", repoInfo.CNAME, host) return nil, errors.New("CNAME mismatch") } } // Cache data ctx.Cache.SetRepositoryPath( domain, path, context.RepositoryPathInformation{ Repository: repo, Path: path, }, ) return &repo, nil } // host is the domain name we're accessed from. cname is the domain that host is pointing // if, if we're accessed via a CNAME. If not, then cname is "". func RepoFromPath(username, host, cname, path string, ctx *context.GlobalContext) (*gitea.Repository, string, error) { domain := host // Guess the repository entry := ctx.Cache.GetRepositoryPath(domain, path) if entry != nil { return &entry.Repository, entry.Path, nil } // Allow specifying the repository name in the TXT record reponame := "" if cname != "" { repoLookup, err := ctx.Gitea.LookupRepoTXT(host) if err == nil && repoLookup != "" { log.Infof( "TXT lookup for %s resulted in choosing repository %s", host, repoLookup, ) reponame = repoLookup } } pathParts := strings.Split(path, "/") log.Debugf("reponame='%s' len(pathParts)='%d'", reponame, len(pathParts)) if reponame == "" && len(pathParts) > 1 { log.Debugf("Trying repository %s", pathParts[0]) modifiedPath := strings.Join(pathParts[1:], "/") repo, err := lookupRepositoryAndCache( username, pathParts[0], constants.PagesBranch, host, domain, modifiedPath, cname, ctx, ) if err == nil { return repo, modifiedPath, nil } } if reponame == "" { reponame = domain } log.Debugf("Trying repository %s/%s", username, reponame) repo, err := lookupRepositoryAndCache( username, reponame, constants.PagesBranch, host, domain, path, cname, ctx, ) return repo, path, err } // Checks if the username exists as an organisation or an user on the Gitea // instance, so that an attacker can't just request certificates for random // usernames. func CanRequestCertificate(username string, ctx *context.GlobalContext) bool { found := ctx.Cache.GetUser(username) if found { return true } hasUser := ctx.Gitea.HasUser(username) if hasUser { ctx.Cache.SetUser(username) } return hasUser } func filterHeaders(headers map[string]string) map[string]string { newHeaders := make(map[string]string) for key, value := range headers { if slices.Contains[[]string, string](ForbiddenHeaders, strings.ToLower(key)) { continue } newHeaders[key] = value } return newHeaders } func GetRepositoryInformation(owner, repoName string, ctx *context.GlobalContext) *context.RepositoryInformation { res := ctx.Cache.GetRepositoryInformation(owner, repoName) if res != nil { return res } fetchedConfig, _, err := ctx.Gitea.GetFile( owner, repoName, constants.PagesBranch, "rio.json", nil, ) if err != nil { log.Errorf("Failed to request rio.json for %s/%s:%v", owner, repoName, err) return nil } var payload map[string]interface{} err = json.Unmarshal(fetchedConfig, &payload) if err != nil { log.Errorf("Failed to unmarshal rio.json for %s/%s:%v", owner, repoName, err) return nil } headers, found := payload["headers"] if !found { log.Warnf("Did not find headers key in rio.json for %s/%s", owner, repoName) headers = make(map[string]string) } cname, found := payload["CNAME"] if found { switch cname.(type) { case string: // NOOP default: log.Warnf("CNAME attribute is not a string for %s/%s", owner, repoName) cname = "" } } else { cname = "" } info := context.RepositoryInformation{ Headers: filterHeaders(headers.(map[string]string)), CNAME: cname.(string), } ctx.Cache.SetRepositoryInformation(owner, repoName, info) return &info }