feat: init

service/repo/deploy_keys.rs

@@ -0,0 +1,174 @@
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+use crate::error::AppError;
+use crate::models::common::{KeyType, Role};
+use crate::models::repos::RepoDeployKey;
+use crate::service::RepoService;
+use crate::session::Session;
+
+use super::util::{clamp_limit_offset, ensure_affected, required_text};
+
+#[derive(Deserialize, Serialize, Clone, Debug, utoipa::ToSchema)]
+pub struct AddDeployKeyParams {
+    pub title: String,
+    pub public_key: String,
+    pub key_type: String,
+    pub read_only: Option<bool>,
+}
+
+impl RepoService {
+    pub async fn repo_deploy_keys(
+        &self,
+        ctx: &Session,
+        wk_name: &str,
+        repo_name: &str,
+        limit: i64,
+        offset: i64,
+    ) -> Result<Vec<RepoDeployKey>, AppError> {
+        let user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
+        let repo = self.resolve_repo(wk_name, repo_name).await?;
+        let repo_id = repo.id;
+        self.ensure_repo_role_at_least(user_uid, &repo, Role::Admin)
+            .await?;
+        let (limit, offset) = clamp_limit_offset(limit, offset);
+        sqlx::query_as::<_, RepoDeployKey>(
+            "SELECT id, repo_id, title, public_key, fingerprint_sha256, key_type, read_only, last_used_at, expires_at, revoked_at, created_by, created_at, updated_at FROM repo_deploy_key WHERE repo_id = $1 AND revoked_at IS NULL ORDER BY created_at DESC LIMIT $2 OFFSET $3",
+        )
+        .bind(repo_id)
+        .bind(limit)
+        .bind(offset)
+        .fetch_all(self.ctx.db.reader())
+        .await
+        .map_err(AppError::Database)
+    }
+
+    pub async fn repo_add_deploy_key(
+        &self,
+        ctx: &Session,
+        wk_name: &str,
+        repo_name: &str,
+        params: AddDeployKeyParams,
+    ) -> Result<RepoDeployKey, AppError> {
+        let user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
+        let repo = self.resolve_repo(wk_name, repo_name).await?;
+        let repo_id = repo.id;
+        self.ensure_repo_role_at_least(user_uid, &repo, Role::Admin)
+            .await?;
+
+        let title = required_text(params.title, "title")?;
+        let public_key = required_text(params.public_key, "public_key")?;
+        let key_type = params
+            .key_type
+            .trim()
+            .parse::<KeyType>()
+            .map_err(|_| AppError::BadRequest("invalid key_type".into()))?;
+        if key_type == KeyType::Unknown {
+            return Err(AppError::BadRequest("invalid key_type".into()));
+        }
+
+        use base64::Engine;
+        let decoded = base64::engine::general_purpose::STANDARD
+            .decode(public_key.trim())
+            .unwrap_or_else(|_| public_key.as_bytes().to_vec());
+        let fingerprint = super::deploy_keys::sha256_hex(&decoded);
+
+        let existing = sqlx::query_scalar::<_, bool>(
+            "SELECT EXISTS(SELECT 1 FROM repo_deploy_key WHERE fingerprint_sha256 = $1 AND repo_id = $2 AND revoked_at IS NULL LIMIT 1)",
+        )
+        .bind(&fingerprint)
+        .bind(repo_id)
+        .fetch_one(self.ctx.db.reader())
+        .await
+        .map_err(AppError::Database)?;
+
+        if existing {
+            return Err(AppError::Conflict("deploy key already exists".into()));
+        }
+
+        let now = chrono::Utc::now();
+        let mut txn = self
+            .ctx
+            .db
+            .writer()
+            .begin()
+            .await
+            .map_err(|_| AppError::TxnError)?;
+        sqlx::query("SET LOCAL app.current_user_id = $1")
+            .bind(user_uid)
+            .execute(&mut *txn)
+            .await
+            .map_err(AppError::Database)?;
+
+        let key = sqlx::query_as::<_, RepoDeployKey>(
+            "INSERT INTO repo_deploy_key (id, repo_id, title, public_key, fingerprint_sha256, key_type, \
+             read_only, created_by, created_at, updated_at) \
+             VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $9) RETURNING id, repo_id, title, public_key, fingerprint_sha256, key_type, read_only, last_used_at, expires_at, revoked_at, created_by, created_at, updated_at",
+        )
+        .bind(Uuid::now_v7())
+        .bind(repo_id)
+        .bind(title)
+        .bind(&public_key)
+        .bind(&fingerprint)
+        .bind(key_type)
+        .bind(params.read_only.unwrap_or(true))
+        .bind(user_uid)
+        .bind(now)
+        .fetch_one(&mut *txn)
+        .await
+        .map_err(AppError::Database)?;
+
+        txn.commit().await.map_err(|_| AppError::TxnError)?;
+        Ok(key)
+    }
+
+    pub async fn repo_delete_deploy_key(
+        &self,
+        ctx: &Session,
+        wk_name: &str,
+        repo_name: &str,
+        key_id: Uuid,
+    ) -> Result<(), AppError> {
+        let user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
+        let repo = self.resolve_repo(wk_name, repo_name).await?;
+        let repo_id = repo.id;
+        self.ensure_repo_role_at_least(user_uid, &repo, Role::Admin)
+            .await?;
+        let now = chrono::Utc::now();
+
+        let mut txn = self
+            .ctx
+            .db
+            .writer()
+            .begin()
+            .await
+            .map_err(|_| AppError::TxnError)?;
+        sqlx::query("SET LOCAL app.current_user_id = $1")
+            .bind(user_uid)
+            .execute(&mut *txn)
+            .await
+            .map_err(AppError::Database)?;
+
+        let result = sqlx::query(
+            "UPDATE repo_deploy_key SET revoked_at = $1, updated_at = $1 WHERE id = $2 AND repo_id = $3 AND revoked_at IS NULL",
+        )
+        .bind(now)
+        .bind(key_id)
+        .bind(repo_id)
+        .execute(&mut *txn)
+        .await
+        .map_err(AppError::Database)?;
+        ensure_affected(result.rows_affected(), "key not found")?;
+
+        txn.commit().await.map_err(|_| AppError::TxnError)?;
+        Ok(())
+    }
+}
+
+pub fn sha256_hex(data: &[u8]) -> String {
+    use sha2::Digest;
+    sha2::Sha256::digest(data)
+        .iter()
+        .map(|b| format!("{b:02x}"))
+        .collect()
+}