gitks/service/repo/deploy_keys.rs

use serde::{Deserialize, Serialize};
use uuid::Uuid;

use crate::error::AppError;
use crate::models::common::{KeyType, Role};
use crate::models::repos::RepoDeployKey;
use crate::service::RepoService;
use crate::session::Session;

use super::util::{clamp_limit_offset, ensure_affected, required_text, set_local_user_id};

#[derive(Deserialize, Serialize, Clone, Debug, utoipa::ToSchema)]
pub struct AddDeployKeyParams {
    pub title: String,
    pub public_key: String,
    pub key_type: String,
    pub read_only: Option<bool>,
}

impl RepoService {
    pub async fn repo_deploy_keys(
        &self,
        ctx: &Session,
        wk_name: &str,
        repo_name: &str,
        limit: i64,
        offset: i64,
    ) -> Result<Vec<RepoDeployKey>, AppError> {
        let user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
        let repo = self.resolve_repo(wk_name, repo_name).await?;
        let repo_id = repo.id;
        self.ensure_repo_role_at_least(user_uid, &repo, Role::Admin)
            .await?;
        let (limit, offset) = clamp_limit_offset(limit, offset);
        sqlx::query_as::<_, RepoDeployKey>(
            "SELECT id, repo_id, title, public_key, fingerprint_sha256, key_type, read_only, last_used_at, expires_at, revoked_at, created_by, created_at, updated_at FROM repo_deploy_key WHERE repo_id = $1 AND revoked_at IS NULL ORDER BY created_at DESC LIMIT $2 OFFSET $3",
        )
        .bind(repo_id)
        .bind(limit)
        .bind(offset)
        .fetch_all(self.ctx.db.reader())
        .await
        .map_err(AppError::Database)
    }

    pub async fn repo_add_deploy_key(
        &self,
        ctx: &Session,
        wk_name: &str,
        repo_name: &str,
        params: AddDeployKeyParams,
    ) -> Result<RepoDeployKey, AppError> {
        let user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
        let repo = self.resolve_repo(wk_name, repo_name).await?;
        let repo_id = repo.id;
        self.ensure_repo_role_at_least(user_uid, &repo, Role::Admin)
            .await?;

        let title = required_text(params.title, "title")?;
        let public_key = required_text(params.public_key, "public_key")?;
        let key_type = params
            .key_type
            .trim()
            .parse::<KeyType>()
            .map_err(|_| AppError::BadRequest("invalid key_type".into()))?;
        if key_type == KeyType::Unknown {
            return Err(AppError::BadRequest("invalid key_type".into()));
        }

        use base64::Engine;
        let decoded = base64::engine::general_purpose::STANDARD
            .decode(public_key.trim())
            .unwrap_or_else(|_| public_key.as_bytes().to_vec());
        let fingerprint = super::deploy_keys::sha256_hex(&decoded);

        let existing = sqlx::query_scalar::<_, bool>(
            "SELECT EXISTS(SELECT 1 FROM repo_deploy_key WHERE fingerprint_sha256 = $1 AND repo_id = $2 AND revoked_at IS NULL LIMIT 1)",
        )
        .bind(&fingerprint)
        .bind(repo_id)
        .fetch_one(self.ctx.db.reader())
        .await
        .map_err(AppError::Database)?;

        if existing {
            return Err(AppError::Conflict("deploy key already exists".into()));
        }

        let now = chrono::Utc::now();
        let mut txn = self
            .ctx
            .db
            .writer()
            .begin()
            .await
            .map_err(|_| AppError::TxnError)?;
        sqlx::query(set_local_user_id(user_uid))
            .execute(&mut *txn)
            .await
            .map_err(AppError::Database)?;

        let key = sqlx::query_as::<_, RepoDeployKey>(
            "INSERT INTO repo_deploy_key (id, repo_id, title, public_key, fingerprint_sha256, key_type, \
             read_only, created_by, created_at, updated_at) \
             VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $9) RETURNING id, repo_id, title, public_key, fingerprint_sha256, key_type, read_only, last_used_at, expires_at, revoked_at, created_by, created_at, updated_at",
        )
        .bind(Uuid::now_v7())
        .bind(repo_id)
        .bind(title)
        .bind(&public_key)
        .bind(&fingerprint)
        .bind(key_type)
        .bind(params.read_only.unwrap_or(true))
        .bind(user_uid)
        .bind(now)
        .fetch_one(&mut *txn)
        .await
        .map_err(AppError::Database)?;

        txn.commit().await.map_err(|_| AppError::TxnError)?;
        Ok(key)
    }

    pub async fn repo_delete_deploy_key(
        &self,
        ctx: &Session,
        wk_name: &str,
        repo_name: &str,
        key_id: Uuid,
    ) -> Result<(), AppError> {
        let user_uid = ctx.user().ok_or(AppError::Unauthorized)?;
        let repo = self.resolve_repo(wk_name, repo_name).await?;
        let repo_id = repo.id;
        self.ensure_repo_role_at_least(user_uid, &repo, Role::Admin)
            .await?;
        let now = chrono::Utc::now();

        let mut txn = self
            .ctx
            .db
            .writer()
            .begin()
            .await
            .map_err(|_| AppError::TxnError)?;
        sqlx::query(set_local_user_id(user_uid))
            .execute(&mut *txn)
            .await
            .map_err(AppError::Database)?;

        let result = sqlx::query(
            "UPDATE repo_deploy_key SET revoked_at = $1, updated_at = $1 WHERE id = $2 AND repo_id = $3 AND revoked_at IS NULL",
        )
        .bind(now)
        .bind(key_id)
        .bind(repo_id)
        .execute(&mut *txn)
        .await
        .map_err(AppError::Database)?;
        ensure_affected(result.rows_affected(), "key not found")?;

        txn.commit().await.map_err(|_| AppError::TxnError)?;
        Ok(())
    }
}

pub fn sha256_hex(data: &[u8]) -> String {
    use sha2::Digest;
    sha2::Sha256::digest(data)
        .iter()
        .map(|b| format!("{b:02x}"))
        .collect()
}