234 lines
5.3 KiB
Go
234 lines
5.3 KiB
Go
package repo
|
|
|
|
//go:generate mockgen -destination mock_repo_test.go -package repo code.gitea.io/sdk/gitea Client
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"slices"
|
|
"strings"
|
|
"time"
|
|
|
|
"git.polynom.me/rio/internal/constants"
|
|
"git.polynom.me/rio/internal/context"
|
|
"git.polynom.me/rio/internal/gitea"
|
|
|
|
"github.com/patrickmn/go-cache"
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
var (
|
|
ForbiddenHeaders = []string{
|
|
"content-length",
|
|
"content-type",
|
|
"date",
|
|
"location",
|
|
"strict-transport-security",
|
|
"set-cookie",
|
|
}
|
|
)
|
|
|
|
var (
|
|
pathCache = cache.New(1*time.Hour, 1*time.Hour)
|
|
|
|
// Caching the existence of an user
|
|
userCache = cache.New(24*time.Hour, 12*time.Hour)
|
|
)
|
|
|
|
type PageCacheEntry struct {
|
|
Repository gitea.Repository
|
|
Path string
|
|
}
|
|
|
|
func makePageCacheKey(domain, path string) string {
|
|
return domain + "/" + path
|
|
}
|
|
|
|
func lookupRepositoryAndCache(username, reponame, branchName, host, domain, path, cname string, giteaClient *gitea.GiteaClient) (*gitea.Repository, error) {
|
|
log.Debugf("CNAME: %s", cname)
|
|
log.Debugf("Looking up repository %s/%s", username, reponame)
|
|
repo, err := giteaClient.GetRepository(username, reponame)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !giteaClient.HasBranch(username, reponame, branchName) {
|
|
return nil, errors.New("Specified branch does not exist")
|
|
}
|
|
|
|
// Check if the CNAME file matches
|
|
if cname != "" {
|
|
log.Debug("Checking CNAME")
|
|
file, _, err := giteaClient.GetFile(
|
|
username,
|
|
reponame,
|
|
constants.PagesBranch,
|
|
"CNAME",
|
|
nil,
|
|
)
|
|
if err != nil {
|
|
log.Errorf(
|
|
"Could not verify CNAME of %s/%s@%s: %v\n",
|
|
username,
|
|
reponame,
|
|
constants.PagesBranch,
|
|
err,
|
|
)
|
|
return nil, err
|
|
}
|
|
|
|
cnameContent := strings.Trim(
|
|
string(file[:]),
|
|
"\n",
|
|
)
|
|
|
|
log.Debugf("CNAME Content: %s", cnameContent)
|
|
if cnameContent != host {
|
|
log.Warnf("CNAME mismatch: Repo '%s', Host '%s'", cnameContent, host)
|
|
return nil, errors.New("CNAME mismatch")
|
|
}
|
|
}
|
|
|
|
// Cache data
|
|
pathCache.Set(
|
|
makePageCacheKey(domain, path),
|
|
PageCacheEntry{
|
|
repo,
|
|
path,
|
|
},
|
|
cache.DefaultExpiration,
|
|
)
|
|
return &repo, nil
|
|
}
|
|
|
|
// host is the domain name we're accessed from. cname is the domain that host is pointing
|
|
// if, if we're accessed via a CNAME. If not, then cname is "".
|
|
func RepoFromPath(username, host, cname, path string, giteaClient *gitea.GiteaClient) (*gitea.Repository, string, error) {
|
|
domain := host
|
|
|
|
// Guess the repository
|
|
key := makePageCacheKey(domain, path)
|
|
entry, found := pathCache.Get(key)
|
|
if found {
|
|
pageEntry := entry.(PageCacheEntry)
|
|
return &pageEntry.Repository, pageEntry.Path, nil
|
|
}
|
|
|
|
// Allow specifying the repository name in the TXT record
|
|
reponame := ""
|
|
if cname != "" {
|
|
repoLookup, err := giteaClient.LookupRepoTXT(host)
|
|
if err == nil && repoLookup != "" {
|
|
log.Infof(
|
|
"TXT lookup for %s resulted in choosing repository %s",
|
|
host,
|
|
repoLookup,
|
|
)
|
|
reponame = repoLookup
|
|
}
|
|
}
|
|
|
|
pathParts := strings.Split(path, "/")
|
|
log.Debugf("reponame='%s' len(pathParts)='%d'", reponame, len(pathParts))
|
|
if reponame == "" && len(pathParts) > 1 {
|
|
log.Debugf("Trying repository %s", pathParts[0])
|
|
modifiedPath := strings.Join(pathParts[1:], "/")
|
|
repo, err := lookupRepositoryAndCache(
|
|
username,
|
|
pathParts[0],
|
|
constants.PagesBranch,
|
|
host,
|
|
domain,
|
|
modifiedPath,
|
|
cname,
|
|
giteaClient,
|
|
)
|
|
if err == nil {
|
|
return repo, modifiedPath, nil
|
|
}
|
|
}
|
|
|
|
if reponame == "" {
|
|
reponame = domain
|
|
}
|
|
log.Debugf("Trying repository %s/%s", username, reponame)
|
|
repo, err := lookupRepositoryAndCache(
|
|
username,
|
|
reponame,
|
|
constants.PagesBranch,
|
|
host,
|
|
domain,
|
|
path,
|
|
cname,
|
|
giteaClient,
|
|
)
|
|
return repo, path, err
|
|
}
|
|
|
|
// Checks if the username exists as an organisation or an user on the Gitea
|
|
// instance, so that an attacker can't just request certificates for random
|
|
// usernames.
|
|
func CanRequestCertificate(username string, giteaClient *gitea.GiteaClient) bool {
|
|
if _, found := userCache.Get(username); found {
|
|
return true
|
|
}
|
|
|
|
hasUser := giteaClient.HasUser(username)
|
|
if hasUser {
|
|
userCache.Set(username, true, cache.DefaultExpiration)
|
|
}
|
|
return hasUser
|
|
}
|
|
|
|
func filterHeaders(headers map[string]string) map[string]string {
|
|
newHeaders := make(map[string]string)
|
|
|
|
for key, value := range headers {
|
|
if slices.Contains[[]string, string](ForbiddenHeaders, strings.ToLower(key)) {
|
|
continue
|
|
}
|
|
|
|
newHeaders[key] = value
|
|
}
|
|
|
|
return newHeaders
|
|
}
|
|
|
|
func GetRepositoryInformation(owner, repoName string, ctx *context.GlobalContext) *context.RepositoryInformation {
|
|
res := ctx.Cache.GetRepositoryInformation(owner, repoName)
|
|
if res != nil {
|
|
return res
|
|
}
|
|
|
|
fetchedConfig, _, err := ctx.Gitea.GetFile(
|
|
owner,
|
|
repoName,
|
|
constants.PagesBranch,
|
|
"rio.json",
|
|
nil,
|
|
)
|
|
if err != nil {
|
|
log.Errorf("Failed to request rio.json for %s/%s:%v", owner, repoName, err)
|
|
return nil
|
|
}
|
|
|
|
var payload map[string]interface{}
|
|
err = json.Unmarshal(fetchedConfig, &payload)
|
|
if err != nil {
|
|
log.Errorf("Failed to unmarshal rio.json for %s/%s:%v", owner, repoName, err)
|
|
return nil
|
|
}
|
|
|
|
headers, found := payload["headers"]
|
|
if !found {
|
|
log.Warnf("Did not find headers key in rio.json for %s/%s", owner, repoName)
|
|
headers = make(map[string]string)
|
|
}
|
|
|
|
info := context.RepositoryInformation{
|
|
Headers: filterHeaders(headers.(map[string]string)),
|
|
}
|
|
ctx.Cache.SetRepositoryInformation(owner, repoName, info)
|
|
return &info
|
|
}
|