Fmt

Author: augustuswm

Cargo.lock

@@ -4,7 +4,7 @@ members = [
   "parse-rfd",
   "rfd-api",
   "rfd-cli",
-  "rfd-data",
+  "rfd-data", "rfd-github",
   "rfd-model",
   "rfd-processor",
   "rfd-redirect",

Cargo.toml

@@ -25,11 +25,15 @@ hyper-rustls = { workspace = true }
 jsonwebtoken = { workspace = true }
 meilisearch-sdk = { workspace = true }
 oauth2 = { workspace = true }
+octorust = { workspace = true }
 partial-struct = { workspace = true }
 rand = { workspace = true, features = ["std"] }
 rand_core = { workspace = true, features = ["std"] }
 regex = { workspace = true }
 reqwest = { workspace = true }
+reqwest-middleware = { workspace = true }
+reqwest-retry = { workspace = true }
+reqwest-tracing = { workspace = true }
 ring = { workspace = true }
 rfd-data = { path = "../rfd-data" }
 rfd-model = { path = "../rfd-model" }

rfd-api/Cargo.toml

@@ -33,6 +33,7 @@ pub struct AppConfig {
     pub spec: Option<SpecConfig>,
     pub authn: AuthnProviders,
     pub search: SearchConfig,
+    pub services: ServicesConfig,
 }
 
 #[derive(Debug)]
@@ -144,6 +145,24 @@ pub struct SearchConfig {
     pub index: String,
 }
 
+#[derive(Debug, Deserialize)]
+pub struct ServicesConfig {
+    pub github: GitHubAuthConfig,
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(untagged)]
+pub enum GitHubAuthConfig {
+    Installation {
+        app_id: i64,
+        installation_id: i64,
+        private_key: String,
+    },
+    User {
+        token: String,
+    },
+}
+
 impl AppConfig {
     pub fn new(config_sources: Option<Vec<String>>) -> Result<Self, ConfigError> {
         let mut config = Config::builder()

rfd-api/src/config.rs

@@ -9,6 +9,11 @@ use hyper::{client::HttpConnector, Body, Client};
 use hyper_rustls::{HttpsConnector, HttpsConnectorBuilder};
 use jsonwebtoken::jwk::JwkSet;
 use oauth2::CsrfToken;
+use octorust::{
+    auth::{Credentials, InstallationTokenGenerator, JWTCredentials},
+    http_cache::NoCache,
+    Client as GitHubClient,
+};
 use partial_struct::partial;
 use rfd_model::{
     schema_ext::{ContentFormat, LoginAttemptState, Visibility},
@@ -23,8 +28,12 @@ use rfd_model::{
     AccessGroup, AccessToken, ApiUser, ApiUserProvider, InvalidValueError, Job, LinkRequest,
     LoginAttempt, Mapper, NewAccessGroup, NewAccessToken, NewApiKey, NewApiUser,
     NewApiUserProvider, NewJob, NewLinkRequest, NewLoginAttempt, NewMapper, NewOAuthClient,
-    NewOAuthClientRedirectUri, NewOAuthClientSecret, OAuthClient, OAuthClientRedirectUri,
-    OAuthClientSecret, Rfd,
+    NewOAuthClientRedirectUri, NewOAuthClientSecret, NewRfdRevision, OAuthClient,
+    OAuthClientRedirectUri, OAuthClientSecret, Rfd, RfdRevision,
+};
+use rsa::{
+    pkcs1::{DecodeRsaPrivateKey, EncodeRsaPrivateKey},
+    RsaPrivateKey,
 };
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -45,7 +54,7 @@ use crate::{
         key::{RawApiKey, SignedApiKey},
         AuthError, AuthToken, Signer,
     },
-    config::{AsymmetricKey, JwtConfig, SearchConfig},
+    config::{AsymmetricKey, GitHubAuthConfig, JwtConfig, SearchConfig, ServicesConfig},
     endpoints::login::{
         oauth::{
             ClientType, OAuthProvider, OAuthProviderError, OAuthProviderFn, OAuthProviderName,
@@ -118,6 +127,7 @@ pub struct ApiContext {
     pub secrets: SecretContext,
     pub oauth_providers: HashMap<OAuthProviderName, Box<dyn OAuthProviderFn>>,
     pub search: SearchContext,
+    pub github: GitHubClient,
 }
 
 pub struct JwtContext {
@@ -218,13 +228,28 @@ impl ApiContext {
         jwt: JwtConfig,
         keys: Vec<AsymmetricKey>,
         search: SearchConfig,
+        services: ServicesConfig,
     ) -> Result<Self, AppError> {
         let mut jwt_signers = vec![];
 
         for key in &keys {
             jwt_signers.push(JwtSigner::new(&key).await.unwrap())
         }
 
+        let http = reqwest::Client::builder()
+            .build()
+            .map_err(AppError::ClientConstruction)?;
+        let retry_policy =
+            reqwest_retry::policies::ExponentialBackoff::builder().build_with_max_retries(3);
+        let client = reqwest_middleware::ClientBuilder::new(http)
+            // Trace HTTP requests. See the tracing crate to make use of these traces.
+            .with(reqwest_tracing::TracingMiddleware::default())
+            // Retry failed requests.
+            .with(reqwest_retry::RetryTransientMiddleware::new_with_policy(
+                retry_policy,
+            ))
+            .build();
+
         Ok(Self {
             https_client: hyper::Client::builder().build(
                 HttpsConnectorBuilder::new()
@@ -269,6 +294,33 @@ impl ApiContext {
             search: SearchContext {
                 client: SearchClient::new(search.host, search.index, search.key),
             },
+            github: match services.github {
+                GitHubAuthConfig::Installation {
+                    app_id,
+                    installation_id,
+                    private_key,
+                } => GitHubClient::custom(
+                    "rfd-api",
+                    Credentials::InstallationToken(InstallationTokenGenerator::new(
+                        installation_id,
+                        JWTCredentials::new(
+                            app_id,
+                            RsaPrivateKey::from_pkcs1_pem(&private_key)?
+                                .to_pkcs1_der()?
+                                .to_bytes()
+                                .to_vec(),
+                        )?,
+                    )),
+                    client,
+                    Box::new(NoCache),
+                ),
+                GitHubAuthConfig::User { token } => GitHubClient::custom(
+                    "rfd-api",
+                    Credentials::Token(token.to_string()),
+                    client,
+                    Box::new(NoCache),
+                ),
+            },
         })
     }
 
@@ -668,6 +720,67 @@ impl ApiContext {
         }
     }
 
+    #[instrument(skip(self, caller))]
+    pub async fn get_rfd_revision(
+        &self,
+        caller: &ApiCaller,
+        rfd_number: i32,
+        sha: Option<String>,
+    ) -> ResourceResult<RfdRevision, StoreError> {
+        if caller.any(&[
+            &ApiPermission::GetRfd(rfd_number),
+            &ApiPermission::GetRfdsAll,
+        ]) {
+            let rfds = RfdStore::list(
+                &*self.storage,
+                RfdFilter::default().rfd_number(Some(vec![rfd_number])),
+                &ListPagination::default().limit(1),
+            )
+            .await
+            .to_resource_result()?;
+            if let Some(rfd) = rfds.into_iter().nth(0) {
+                let latest_revision = RfdRevisionStore::list(
+                    &*self.storage,
+                    RfdRevisionFilter::default()
+                        .rfd(Some(vec![rfd.id]))
+                        .sha(sha.map(|sha| vec![sha])),
+                    &ListPagination::default().limit(1),
+                )
+                .await
+                .to_resource_result()?;
+
+                match latest_revision.into_iter().nth(0) {
+                    Some(revision) => Ok(revision),
+                    None => Err(ResourceError::DoesNotExist),
+                }
+            } else {
+                Err(ResourceError::DoesNotExist)
+            }
+        } else {
+            resource_restricted()
+        }
+    }
+
+    #[instrument(skip(self, caller))]
+    pub async fn update_rfd_content<'a>(
+        &self,
+        caller: &ApiCaller,
+        rfd_number: i32,
+        revision: NewRfdRevision,
+    ) -> ResourceResult<RfdRevision, StoreError> {
+        if caller.any(&[
+            &ApiPermission::UpdateRfd(rfd_number),
+            &ApiPermission::UpdateRfdsAll,
+        ]) {
+            let revision = RfdRevisionStore::upsert(&*self.storage, revision)
+                .await
+                .to_resource_result()?;
+            Ok(revision)
+        } else {
+            resource_restricted()
+        }
+    }
+
     #[instrument(skip(self, caller))]
     pub async fn update_rfd_visibility(
         &self,
@@ -1885,7 +1998,7 @@ pub(crate) mod test_mocks {
     use w_api_permissions::Caller;
 
     use crate::{
-        config::{JwtConfig, SearchConfig},
+        config::{GitHubAuthConfig, JwtConfig, SearchConfig, ServicesConfig},
         endpoints::login::oauth::{google::GoogleOAuthProvider, OAuthProviderName},
         permissions::ApiPermission,
         util::tests::mock_key,
@@ -1904,6 +2017,11 @@ pub(crate) mod test_mocks {
                 mock_key(),
             ],
             SearchConfig::default(),
+            ServicesConfig {
+                github: GitHubAuthConfig::User {
+                    token: String::default(),
+                },
+            },
         )
         .await
         .unwrap();