zhenyi
420dedbc1e
- Add IM service modules: audit, channel roles, custom emojis, forum tags, integrations, invitations, repo links, slash commands, stages, voice, webhooks - Add PR service modules: review requests, templates - Add repo service modules: contributors, release assets, git extras (archive, branch rename, commit extras, diff/merge, tag, tree) - Add user service: social (follow/block) - Add internal auth service - Update existing service modules with expanded functionality - Remove deleted IM modules: articles, delivery trace, drafts, follows, messages, polls, presence, reactions, threads
173 lines
5.7 KiB
Rust
173 lines
5.7 KiB
Rust
use serde::{Deserialize, Serialize};
|
|
use uuid::Uuid;
|
|
|
|
use crate::error::AppError;
|
|
use crate::models::common::{KeyType, Role};
|
|
use crate::models::repos::RepoDeployKey;
|
|
use crate::service::RepoService;
|
|
use crate::session::Session;
|
|
|
|
use super::util::{clamp_limit_offset, ensure_affected, required_text, set_local_user_id};
|
|
|
|
#[derive(Deserialize, Serialize, Clone, Debug, utoipa::ToSchema)]
|
|
pub struct AddDeployKeyParams {
|
|
pub title: String,
|
|
pub public_key: String,
|
|
pub key_type: String,
|
|
pub read_only: Option<bool>,
|
|
}
|
|
|
|
impl RepoService {
|
|
pub async fn repo_deploy_keys(
|
|
&self,
|
|
ctx: &Session,
|
|
wk_name: &str,
|
|
repo_name: &str,
|
|
limit: i64,
|
|
offset: i64,
|
|
) -> Result<Vec<RepoDeployKey>, AppError> {
|
|
let user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
|
|
let repo = self.resolve_repo(wk_name, repo_name).await?;
|
|
let repo_id = repo.id;
|
|
self.ensure_repo_role_at_least(user_uid, &repo, Role::Admin)
|
|
.await?;
|
|
let (limit, offset) = clamp_limit_offset(limit, offset);
|
|
sqlx::query_as::<_, RepoDeployKey>(
|
|
"SELECT id, repo_id, title, public_key, fingerprint_sha256, key_type, read_only, last_used_at, expires_at, revoked_at, created_by, created_at, updated_at FROM repo_deploy_key WHERE repo_id = $1 AND revoked_at IS NULL ORDER BY created_at DESC LIMIT $2 OFFSET $3",
|
|
)
|
|
.bind(repo_id)
|
|
.bind(limit)
|
|
.bind(offset)
|
|
.fetch_all(self.ctx.db.reader())
|
|
.await
|
|
.map_err(AppError::Database)
|
|
}
|
|
|
|
pub async fn repo_add_deploy_key(
|
|
&self,
|
|
ctx: &Session,
|
|
wk_name: &str,
|
|
repo_name: &str,
|
|
params: AddDeployKeyParams,
|
|
) -> Result<RepoDeployKey, AppError> {
|
|
let user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
|
|
let repo = self.resolve_repo(wk_name, repo_name).await?;
|
|
let repo_id = repo.id;
|
|
self.ensure_repo_role_at_least(user_uid, &repo, Role::Admin)
|
|
.await?;
|
|
|
|
let title = required_text(params.title, "title")?;
|
|
let public_key = required_text(params.public_key, "public_key")?;
|
|
let key_type = params
|
|
.key_type
|
|
.trim()
|
|
.parse::<KeyType>()
|
|
.map_err(|_| AppError::BadRequest("invalid key_type".into()))?;
|
|
if key_type == KeyType::Unknown {
|
|
return Err(AppError::BadRequest("invalid key_type".into()));
|
|
}
|
|
|
|
use base64::Engine;
|
|
let decoded = base64::engine::general_purpose::STANDARD
|
|
.decode(public_key.trim())
|
|
.unwrap_or_else(|_| public_key.as_bytes().to_vec());
|
|
let fingerprint = super::deploy_keys::sha256_hex(&decoded);
|
|
|
|
let existing = sqlx::query_scalar::<_, bool>(
|
|
"SELECT EXISTS(SELECT 1 FROM repo_deploy_key WHERE fingerprint_sha256 = $1 AND repo_id = $2 AND revoked_at IS NULL LIMIT 1)",
|
|
)
|
|
.bind(&fingerprint)
|
|
.bind(repo_id)
|
|
.fetch_one(self.ctx.db.reader())
|
|
.await
|
|
.map_err(AppError::Database)?;
|
|
|
|
if existing {
|
|
return Err(AppError::Conflict("deploy key already exists".into()));
|
|
}
|
|
|
|
let now = chrono::Utc::now();
|
|
let mut txn = self
|
|
.ctx
|
|
.db
|
|
.writer()
|
|
.begin()
|
|
.await
|
|
.map_err(|_| AppError::TxnError)?;
|
|
sqlx::query(set_local_user_id(user_uid))
|
|
.execute(&mut *txn)
|
|
.await
|
|
.map_err(AppError::Database)?;
|
|
|
|
let key = sqlx::query_as::<_, RepoDeployKey>(
|
|
"INSERT INTO repo_deploy_key (id, repo_id, title, public_key, fingerprint_sha256, key_type, \
|
|
read_only, created_by, created_at, updated_at) \
|
|
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $9) RETURNING id, repo_id, title, public_key, fingerprint_sha256, key_type, read_only, last_used_at, expires_at, revoked_at, created_by, created_at, updated_at",
|
|
)
|
|
.bind(Uuid::now_v7())
|
|
.bind(repo_id)
|
|
.bind(title)
|
|
.bind(&public_key)
|
|
.bind(&fingerprint)
|
|
.bind(key_type)
|
|
.bind(params.read_only.unwrap_or(true))
|
|
.bind(user_uid)
|
|
.bind(now)
|
|
.fetch_one(&mut *txn)
|
|
.await
|
|
.map_err(AppError::Database)?;
|
|
|
|
txn.commit().await.map_err(|_| AppError::TxnError)?;
|
|
Ok(key)
|
|
}
|
|
|
|
pub async fn repo_delete_deploy_key(
|
|
&self,
|
|
ctx: &Session,
|
|
wk_name: &str,
|
|
repo_name: &str,
|
|
key_id: Uuid,
|
|
) -> Result<(), AppError> {
|
|
let user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
|
|
let repo = self.resolve_repo(wk_name, repo_name).await?;
|
|
let repo_id = repo.id;
|
|
self.ensure_repo_role_at_least(user_uid, &repo, Role::Admin)
|
|
.await?;
|
|
let now = chrono::Utc::now();
|
|
|
|
let mut txn = self
|
|
.ctx
|
|
.db
|
|
.writer()
|
|
.begin()
|
|
.await
|
|
.map_err(|_| AppError::TxnError)?;
|
|
sqlx::query(set_local_user_id(user_uid))
|
|
.execute(&mut *txn)
|
|
.await
|
|
.map_err(AppError::Database)?;
|
|
|
|
let result = sqlx::query(
|
|
"UPDATE repo_deploy_key SET revoked_at = $1, updated_at = $1 WHERE id = $2 AND repo_id = $3 AND revoked_at IS NULL",
|
|
)
|
|
.bind(now)
|
|
.bind(key_id)
|
|
.bind(repo_id)
|
|
.execute(&mut *txn)
|
|
.await
|
|
.map_err(AppError::Database)?;
|
|
ensure_affected(result.rows_affected(), "key not found")?;
|
|
|
|
txn.commit().await.map_err(|_| AppError::TxnError)?;
|
|
Ok(())
|
|
}
|
|
}
|
|
|
|
pub fn sha256_hex(data: &[u8]) -> String {
|
|
use sha2::Digest;
|
|
sha2::Sha256::digest(data)
|
|
.iter()
|
|
.map(|b| format!("{b:02x}"))
|
|
.collect()
|
|
}
|