mirror of https://git.sr.ht/~sircmpwn/core-go synced 2024-09-09 11:42:36 +02:00
Commit graph

162 commits

Author SHA1 Message Date
Conrad Hoffmann
3c1346e6bb config: allow spreading config over multiple files
This is the Go-equivalent to
https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/47657

This commit enables spreading the config in /etc/sr.ht - and, crucially,
_only_ in /etc/sr.ht - over multiple .ini files.

If a file config.ini is found (either in current or parent directory, or
/etc/sr.ht) it (and only it) is loaded and any other ini files are
ignored. To utilize multiple configs, they must be in /etc/sr.ht, and
none of them must be called config.ini.

Spreading the config over multiple files will make it much easier to
create containerized versions, where e.g. different secrets can be made
available in different files, but rendering it all into one big file
would require some preprocessing.
2024-04-11 16:40:34 +02:00
Drew DeVault
bd40a71a93 auth: add auth.IPAddress
With support for X-Forwarded-For
2024-02-18 12:43:38 +01:00
Simon Ser
88dff0eae2 auth/middleware: set WWW-Authenticate header field
See RFC 6750 section 3.
2024-02-13 10:40:52 +01:00
Simon Ser
942e19c351 s3: add Enabled
2024-02-02 12:08:06 +01:00
Simon Ser
864816cfbc client: rename Execute to Do
583d0b1bcb ("client/graphql: handle GraphQL errors") changed
Execute behavior by wrapping the result into a struct with "data"
and "errors" fields. This is a breaking change, but it's hard to
spot when upgrading core-go because it won't cause a compilation
error.

Rename Execute to Do to break the build and force callers to update
accordingly.
2024-01-24 11:50:42 +01:00
Simon Ser
23808bb099 auth: add RequireMiddleware
Same as Middleware, but requires auth for all requests. Will be
useful to drop hacks from pages.sr.ht.
2024-01-24 11:12:17 +01:00
Simon Ser
d99f0983a0 s3: add [objects]s3-insecure
Disables TLS. Useful for local development.
2024-01-24 10:53:31 +01:00
Simon Ser
e81358e299 s3: add NewClient and URL
Centralizes the logic to create an S3 client and get the base URL.
2024-01-24 10:53:26 +01:00
Simon Ser
1063e5b6ec email: make PGP private key optional
Services other than meta.sr.ht don't really have a use for the
private PGP key.

Add a CanPGPSign method so that meta.sr.ht can emit a warning or
error when the PGP key is missing.
2024-01-24 10:45:40 +01:00
Simon Ser
583d0b1bcb client/graphql: handle GraphQL errors
Instead of leaving it up to the caller to check for GraphQL errors,
centralize in core-go.
2024-01-24 10:40:29 +01:00
Simon Ser
a88277c1bc email: improve mail.ParseAddress error message
2024-01-18 17:19:58 +01:00
Simon Ser
453dcaefd6 server/directives: disambiguate AnonInternal error message
AUTH_INTERNAL won't work with AnonInternal.
2024-01-09 11:49:19 +01:00
Simon Ser
53966da2d8 Drop gqlparser v1 dependency
Only use v2 throughout the repository.
2023-12-07 14:14:28 +01:00
Conrad Hoffmann
2e7ac4ecfd Update and simplify build manifest
Alpine 3.14 uses Go 1.16, but go.mod says 1.17. Also, no external
repository should be required for core-go.
2023-12-04 21:27:31 +01:00
Conrad Hoffmann
cd87849358 webhooks: skip webhooks with expired credentials
The documentation states [1]:

> When the original authentication method becomes invalid (such as the
> expiration of or revocation of an OAuth 2.0 bearer token), the
> webhook is disabled.

However, this is currently not the case. Expired webhooks are indeed
filtered out in virtually all GraphQL queries (by means of core-go's
FilterWebhooks [2]), so users cannot see or delete them. They are _not_
filtered out upon scheduling, however. This commit fixes that.

The symptoms of this are that active webhooks may simply not be run - if
a user has both an expired and a valid, active webhook for some event,
the scheduling will retrieve both, fail on the expired one, and stop
processing, without any feedback to the user who scheduled the hooks.

This is a problem across all services, so core-go seems like the best
place to fix this.

[1]: https://man.sr.ht/graphql.md#webhook-authentication
[2]: https://git.sr.ht/~sircmpwn/core-go/tree/master/item/webhooks/config.go#L74,81
2023-12-04 21:14:55 +01:00
Simon Ser
d2ad494f23 Migrate to chi v5
v1 is not maintained anymore.
2023-11-30 11:31:36 +01:00
Simon Ser
3902e4bd25 database: don't panic on context.DeadlineExceeded
Checking context.Cancelled is not enough, I also see the same issue
with context.DeadlineExceeded:

    panic: Transaction error: driver: bad connection
    Closure error: context deadline exceeded

    goroutine 66664 [running]:
    git.sr.ht/~sircmpwn/core-go/database.WithTx({0x5578e1847a58, 0xc0002c44e0}, 0x50?, 0xc000285f38)
            git.sr.ht/~sircmpwn/core-go@v0.0.0-20231129165057-e7b8e02696a1/database/middleware.go:74 +0x2ce
    git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders.fetchUsersByID.func1({0xc0002cf190, 0x1, 0x1})
            git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders/middleware.go:34 +0x118
    git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders.(*usersByIDLoaderBatch).end(...)
            git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders/usersbyidloader_gen.go:222
    git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders.(*usersByIDLoaderBatch).startTimer(0xc00044a360, 0xc00042d380)
            git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders/usersbyidloader_gen.go:218 +0xe7
    created by git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders.(*usersByIDLoaderBatch).keyIndex
            git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders/usersbyidloader_gen.go:191 +0x119
2023-11-30 11:31:27 +01:00
Conrad Hoffmann
86ad9b5a00 server/email: use go-message for address parsing
No need to additionally depend on net/mail
2023-11-30 11:28:12 +01:00
Simon Ser
e7b8e02696 database: print both errors in WithTx
Make it easier to debug panics by printing both errors instead of
sending one of them to /dev/null.
2023-11-29 17:50:57 +01:00
Simon Ser
7f5f70710c database/middleware: fix error value used in panic
We were checking txErr, but panic'ing with err.

Fixes: a06a624789 ("database: don't panic with ErrBadConn")
2023-10-24 12:18:34 +02:00
Simon Ser
cfae7baecb Upgrade dependencies
2023-10-04 15:46:32 +02:00
Simon Ser
72c2f060eb database: specify field name for graphql.CollectedField
Newer versions of the graphql package add new fields to this struct.
This results in errors:

    database/ql.go:40:4: too few values in struct literal of type graphql.CollectedField
    database/ql.go:71:4: too few values in struct literal of type graphql.CollectedField
2023-10-04 15:46:31 +02:00
наб
bf4fe19c01 email: EnqueueStd: set Content-Type with charset=UTF-8 instead of just text/plain
Mails are now
	--11d2cbf164a9ae0dfbb310faf818762607dcfd20aa74e07c7be0eec1458d
	Mime-Version: 1.0
	Content-Transfer-Encoding: quoted-printable
	Content-Type: text/plain; charset=UTF-8

	=D1=82=D1=80=D1=83=D0=BF=D0=B08

	--=20
	View on the web: http://192.168.1.101:5003/~nab2/trupa/8
	--11d2cbf164a9ae0dfbb310faf818762607dcfd20aa74e07c7be0eec1458d
	Content-Type: application/pgp-signature

	-----BEGIN PGP MESSAGE-----

	wnUEARYIACcFAmUavj0JkKdioLsBS5scFiEE+ts/9LaoXcZuSmrHp2KguwFLmxwA
	AIm9AP9KB4cZyiby7jiiRMRESDeJXrdb4kNqyA3D3nVOt14bKgD/UiDfUKE1MwiV
	pOqj/S0wiJdChKW52zRAkwuQ7PtKkgI=
	=AiY9
	-----END PGP MESSAGE-----
	--11d2cbf164a9ae0dfbb310faf818762607dcfd20aa74e07c7be0eec1458d--
which is correct, and decodes correctly in neomutt.

Fixes: https://lists.sr.ht/~sircmpwn/sr.ht-discuss/%3C4uxbrlspm45s5i4bhhmqgmry374i22oqcxedtowda5zrzd7bpf2%405pyosds5owty%3E
2023-10-04 15:45:50 +02:00
Simon Ser
a06a624789 database: don't panic with ErrBadConn
Sometimes we're panic'ing like so:

    panic: driver: bad connection

    goroutine 9333 [running]:
    git.sr.ht/~sircmpwn/core-go/database.WithTx({0x561c2e623478, 0xc0002b6ed0}, 0x50?, 0xc00025ff38)
    	git.sr.ht/~sircmpwn/core-go@v0.0.0-20230816134313-65b1657b30a1/database/middleware.go:57 +0x1fc
    git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders.fetchUsersByID.func1({0xc0002d80f0, 0x1, 0x1})
    	git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders/middleware.go:34 +0x118
    git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders.(*usersByIDLoaderBatch).end(...)
    	git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders/usersbyidloader_gen.go:222
    git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders.(*usersByIDLoaderBatch).startTimer(0xc0004e5380, 0xc0000e5140)
    	git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders/usersbyidloader_gen.go:218 +0xe7
    created by git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders.(*usersByIDLoaderBatch).keyIndex
    	git.sr.ht/~sircmpwn/builds.sr.ht/api/loaders/usersbyidloader_gen.go:191 +0x119

I believe this is a pq bug, see the linked bug report. Stop
panic'ing in that case.
2023-10-04 15:45:40 +02:00
Simon Ser
d83af997da auth: make DecodeGrants return an error
We'll use this function to validate grants passed in via
builds.sr.ht manifests.
2023-10-04 15:45:28 +02:00
Simon Ser
65b1657b30 auth: add AuthContext.Access
Same logic as server.Access, but lower-level. Useful to check for
a permission not covered by the GraphQL schema @access directives
(such as builds.sr.ht secrets).
2023-08-16 15:43:13 +02:00
Simon Ser
a941162edd server/email: don't panic in EmailRecover
A panic in here is not great, because this function is supposed to
be the panic handler. Let's just log the error instead.
2023-08-16 12:04:05 +02:00
Simon Ser
1fd2476d29 server/email: log missing mail::error-to, treat empty string as unset
Log a message when mail::error-to is unset, just in case the admin
forgot to set it. Don't try to parse an email address if error-to
is set to the empty string (the default value in the default config
file).
2023-08-16 12:04:03 +02:00
Simon Ser
2f23941546 server/email: simplify and cleanup
- Only print the error once
- Remove unnecessary var
- Use debug.Stack instead of hand-rolled logic
- Ignore json.Marshal errors in a simpler way
2023-08-16 12:03:59 +02:00
Simon Ser
30cea5cc3a server: fix error message on missing grant in Access
The error returned when a token is missing a required grant would
be "Access denied for invalid auth method" which is confusing.
Fix this with a more accurate error message.
2023-07-07 09:57:41 +02:00
Simon Ser
43a2be15d5 database/middleware: don't use sql.Conn in WithTx
We can just use sql.DB instead of sql.Conn here. Simplifies the
code and reduces the risk of getting "bad connection" errors.
2023-06-13 11:27:53 +02:00
Drew DeVault
6f6bb872c5 auth: add /query/external/* to anonymous whitelist
2023-06-07 09:07:53 +02:00
Adnan Maolood
083cb1606a redis: Update style
To match the s3 middleware.
2023-06-01 12:30:14 +02:00
Adnan Maolood
156c5e2649 s3: Import middleware from pages.sr.ht
Closes: https://todo.sr.ht/~sircmpwn/pages.sr.ht/19
2023-06-01 12:30:12 +02:00
Simon Ser
89b1b48997 auth/middleware: make auth scheme case-insensitive
According to RFC 7235 section 2.1, the auth scheme is
case-insensitive.
2023-04-11 16:11:00 +02:00
Simon Ser
209e1a8698 database/middleware: do not recover/panic in defer
defer always runs after a panic. There is no need to recover and
re-panic, we can just unconditionally tx.Rollback() (it will
silently error out if the transaction has already been committed or
rolled back).

This fixes the stack trace of the panic being incorrect. It points
to this function instead of the real culprit.
2023-04-11 14:59:51 +02:00
Simon Ser
1f6fac1dda go mod tidy
Fixes the following error when running `go test`:

    ../../go/pkg/mod/github.com/prometheus/client_golang@v1.14.0/prometheus/internal/metric.go:19:2: missing go.sum entry for module providing package github.com/prometheus/client_model/go (imported by github.com/prometheus/client_golang/prometheus); to add:
    	go get github.com/prometheus/client_golang/prometheus@v1.14.0
2023-04-11 14:59:51 +02:00
Simon Ser
ca47b9fe14 server/directives: handle auth.AUTH_ANON_INTERNAL in Access
2023-03-13 14:56:28 +01:00
Conrad Hoffmann
78b6f7232a email: remove content headers of passed-in message
The email has already been parsed according to the headers, but they are
still present. However, signing or encrypting the email will change the
content format, so remove any such headers before continuing.
2023-03-07 09:36:00 +01:00
Drew DeVault
144fc447a3 server: register SQL collector
Missed this step
2023-01-31 16:47:08 +01:00
Drew DeVault
fa27910a94 Add prometheus SQL connection stats
Also updates the prometheus client_go library
2023-01-31 16:38:04 +01:00
Dennis Schön
5752486235 auth: fix invalid json tag in InternalAuth
2022-12-19 13:20:59 +01:00
Dennis Schön
2fd72e9f66 email: handle error from Enqueue() in EnqueueStd()
2022-12-19 13:20:50 +01:00
Conrad Hoffmann
b1540a2277 Update pq (Postgres driver) to latest version
2022-11-25 13:19:16 +01:00
Adnan Maolood
3e69641ef3 auth: Use canonical user IDs
When adding users to the database, use the canonical user ID from
meta.sr.ht.
2022-10-25 10:24:58 +02:00
Simon Ser
bb33e3e749 email/worker: add more context to errors
For instance, failure to open the private PGP key would just fail
with an unhelpful "panic: open : no such file or directory" error.
2022-09-22 10:50:05 +02:00
Conrad Hoffmann
8110e635b5 database: add helpers to fetch all columns
The current solution of fetching columns based on the GraphQL context
has some limits. While probably not the solution for all use-cases, it
sometimes can be desirable to simply fetch all columns from the database
when retrieving objects.

This commit adds two simple functions doing just that. They can be used
when building SQL queries, like

    query := database.SelectAll(new(model.Email))

and

    rows.Scan(database.ScanAll(&email)...)
2022-09-22 10:49:54 +02:00
Drew DeVault
12000f491a Revert "auth: Use canonical user IDs"
This reverts commit 6c1036e270.
2022-08-29 14:31:41 +02:00
Conrad Hoffmann
236879ae0b Run go fmt
2022-08-29 11:03:46 +02:00
Adnan Maolood
6c1036e270 auth: Use canonical user IDs
When adding users to the database, use the canonical user ID from
meta.sr.ht.
2022-07-28 12:14:56 +02:00