Persistent tokens and hook deletion

.travis.yml

@@ -6,6 +6,7 @@ sudo: required
 matrix:
   include:
     - go: "1.10.x"
+    - go: "1.11.x"
     - go: tip
   allow_failures:
     - go: tip

Dockerfile

@@ -27,7 +27,7 @@ VOLUME ["/gin-valid/"]
 ENV GINVALIDHOME /gin-valid/
 ENV GIN_CONFIG_DIR /gin-valid/config/client
 
-COPY ./gin-valid /usr/local/bin/.
-
 ENTRYPOINT gin-valid --config=/config/cfg.json
 EXPOSE 3033
+
+COPY ./gin-valid /usr/local/bin/.

config/config.go

@@ -15,9 +15,10 @@ type Directories struct {
 	Temp   string `json:"temp"`
 	Result string `json:"result"`
 	Log    string `json:"log"`
+	Tokens string `json:"tokens"`
 }
 
-// Denotations provide any freuquently used file names or other denotations
+// Denotations provide any frequently used file names or other denotations
 // e.g. validation result files, badge or result folder names.
 type Denotations struct {
 	LogFile              string `json:"logfile"`
@@ -69,6 +70,7 @@ var defaultCfg = ServerCfg{
 		Temp:   filepath.Join(os.Getenv("GINVALIDHOME"), "tmp"),
 		Log:    filepath.Join(os.Getenv("GINVALIDHOME"), "log"),
 		Result: filepath.Join(os.Getenv("GINVALIDHOME"), "results"),
+		Tokens: filepath.Join(os.Getenv("GINVALIDHOME"), "tokens"),
 	},
 	Denotations{
 		LogFile:              "ginvalid.log",

main.go

@@ -42,6 +42,7 @@ func registerRoutes(r *mux.Router) {
 	r.HandleFunc("/login", web.Login)
 	r.HandleFunc("/repos/{user}", web.ListRepos)
 	r.HandleFunc("/repos/{user}/{repo}/{validator}/enable", web.EnableHook)
+	r.HandleFunc("/repos/{user}/{repo}/{hookid}/disable", web.DisableHook)
 	r.HandleFunc("/repos/{user}/{repo}/hooks", web.ShowRepo)
 }
 
@@ -100,6 +101,8 @@ func main() {
 		config.Set(srvcfg)
 	}
 
+	// TODO: Create missing directories defined in cfg
+
 	err = log.Init()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "[Error] opening logfile '%s'\n", err.Error())

resources/templates/repolist.go

@@ -1,7 +1,7 @@
 package templates
 
 // TODO: Stable access order of Hooks map
-// TODO: Map .ToLower func into this template to lowercase the $key in the URL
+// TODO: Map .ToLower func into this template to lowercase the $hookname in the URL
 const RepoList = `
 	{{ define "content" }}
 	<br/><br/>
@@ -10,9 +10,9 @@ const RepoList = `
 	{{ $repopath := .FullName }}
 	<div><b><a href=/repos/{{ $repopath }}/hooks>{{ $repopath }}</a></b></div>
 	<div><b>Active validators</b>:<br>
-	{{ range $key, $value := .Hooks }}
-		{{ if $value }}
-		{{ $key }}: <a href="/results/{{ $key }}/{{ $repopath }}">results</a><br>
+	{{ range $hookname, $hook := .Hooks }}
+		{{ if eq $hook.State 0 }}
+			{{ $hookname }}: <a href="/results/{{ $hookname }}/{{ $repopath }}">results</a><br>
 		{{ end }}
 	{{ end }}
 	</div>
@@ -23,19 +23,19 @@ const RepoList = `
 	{{ end }}
 `
 
-// TODO: Map .ToLower func into this template to lowercase the $key in the URL
+// TODO: Map .ToLower func into this template to lowercase the $hookname in the URL
 const RepoPage = `
 	{{ define "content" }}
 	<br/><br/>
 	<div>
 	<div><b>{{.FullName}}</b></div>
 	<div><b>Available validators</b>:<br>
-	{{ range $key, $value := .Hooks }}
-		{{ $key }}
-		{{ if $value }}
-		[Enabled] <a href="/repos/{{$.FullName}}/{{ $key }}/disable">disable</a>
+	{{ range $hookname, $hook := .Hooks }}
+		{{ $hookname }}
+		{{ if eq $hook.State 0 }}
+			[Enabled] <a href="/repos/{{$.FullName}}/{{ $hook.ID }}/disable">disable</a>
 		{{ else }}
-		[Disabled] <a href="/repos/{{$.FullName}}/{{ $key }}/enable">enable</a>
+			[Disabled] <a href="/repos/{{$.FullName}}/{{ $hookname }}/enable">enable</a>
 		{{ end }}
 		<br>
 	{{ end }}

run

@@ -8,7 +8,7 @@ go build
 docker build --tag=ginvalid .
 
 # copy init server data to live location
-srvdata="/tmp/gin-valid-data-${RANDOM}"
+srvdata="/tmp/gin-valid-data-$(date +'%s')"
 cp -a "./srvdata/." "${srvdata}"
 
 configdir="${srvdata}/config"

web/hooks.go

@@ -8,9 +8,11 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"strconv"
 	"strings"
 
 	"github.com/G-Node/gin-cli/ginclient"
+	gweb "github.com/G-Node/gin-cli/web"
 	"github.com/G-Node/gin-valid/config"
 	"github.com/G-Node/gin-valid/helpers"
 	"github.com/G-Node/gin-valid/log"
@@ -26,35 +28,58 @@ func EnableHook(w http.ResponseWriter, r *http.Request) {
 	user := vars["user"]
 	repo := vars["repo"]
 	validator := strings.ToLower(vars["validator"])
-	cfg := config.Read()
-	cookiename := cfg.Settings.CookieName
-	sessionid, err := r.Cookie(cookiename)
+	ut, err := getSessionOrRedirect(w, r)
+	if err != nil {
+		log.Write("[Info] %s: Redirecting to login", err.Error())
+		return
+	}
+	if !helpers.SupportedValidator(validator) {
+		fail(w, http.StatusNotFound, "unsupported validator")
+		return
+	}
+	repopath := fmt.Sprintf("%s/%s", user, repo)
+	err = createValidHook(repopath, validator, ut)
 	if err != nil {
-		msg := fmt.Sprintf("Hook creation failed: unauthorised")
-		fail(w, http.StatusUnauthorized, msg)
+		// TODO: Check if failure is for other reasons and maybe return 500 instead
+		fail(w, http.StatusUnauthorized, err.Error())
 		return
 	}
+	http.Redirect(w, r, fmt.Sprintf("/repos/%s", ut.Username), http.StatusFound)
+}
 
-	session, ok := sessions[sessionid.Value]
-	if !ok {
-		msg := fmt.Sprintf("Hook creation failed: unauthorised")
-		fail(w, http.StatusUnauthorized, msg)
+func DisableHook(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "GET" {
 		return
 	}
-	if !helpers.SupportedValidator(validator) {
-		fail(w, http.StatusNotFound, "unsupported validator")
+	vars := mux.Vars(r)
+	user := vars["user"]
+	repo := vars["repo"]
+	hookidstr := vars["hookid"]
+
+	hookid, err := strconv.Atoi(hookidstr)
+	if err != nil {
+		// bad hook ID (not a number): throw a generic 404
+		fail(w, http.StatusNotFound, "not found")
 		return
 	}
+
+	ut, err := getSessionOrRedirect(w, r)
+	if err != nil {
+		log.Write("[Info] %s: Redirecting to login", err.Error())
+		return
+	}
+
 	repopath := fmt.Sprintf("%s/%s", user, repo)
-	err = createValidHook(repopath, validator, session)
+	err = deleteValidHook(repopath, hookid, ut)
 	if err != nil {
+		// TODO: Check if failure is for other reasons and maybe return 500 instead
 		fail(w, http.StatusUnauthorized, err.Error())
 		return
 	}
-	http.Redirect(w, r, fmt.Sprintf("/repos/%s", session.Username), http.StatusFound)
+	http.Redirect(w, r, fmt.Sprintf("/repos/%s", ut.Username), http.StatusFound)
 }
 
-func validateHookSecret(data []byte, secret string) bool {
+func checkHookSecret(data []byte, secret string) bool {
 	cfg := config.Read()
 	hooksecret := cfg.Settings.HookSecret
 	sig := hmac.New(sha256.New, []byte(hooksecret))
@@ -63,20 +88,19 @@ func validateHookSecret(data []byte, secret string) bool {
 	return signature == secret
 }
 
-func createValidHook(repopath string, validator string, session *usersession) error {
+func createValidHook(repopath string, validator string, usertoken gweb.UserToken) error {
 	// TODO: AVOID DUPLICATES:
 	//   - If it's already hooked and we have it on record, do nothing
 	//   - If it's already hooked, but we don't know about it, check if it's valid and don't recreate
 	log.Write("Adding %s hook to %s\n", validator, repopath)
 
-	gvconfig := config.Read()
+	cfg := config.Read()
 	client := ginclient.New(serveralias)
-	client.UserToken = session.UserToken
+	client.UserToken = usertoken
 	hookconfig := make(map[string]string)
-	cfg := config.Read()
 	hooksecret := cfg.Settings.HookSecret
 
-	host := fmt.Sprintf("%s:%s", gvconfig.Settings.RootURL, gvconfig.Settings.Port)
+	host := fmt.Sprintf("%s:%s", cfg.Settings.RootURL, cfg.Settings.Port)
 	u, err := url.Parse(host)
 	u.Path = path.Join(u.Path, "validate", validator, repopath)
 	hookconfig["url"] = u.String()
@@ -90,35 +114,40 @@ func createValidHook(repopath string, validator string, session *usersession) er
 	}
 	res, err := client.Post(fmt.Sprintf("/api/v1/repos/%s/hooks", repopath), data)
 	if err != nil {
-		log.Write("[error] failed to post: %s\n", err.Error())
+		log.Write("[error] failed to post: %s", err.Error())
 		return fmt.Errorf("Hook creation failed: %s", err.Error())
 	}
 	defer res.Body.Close()
 
 	if res.StatusCode != http.StatusCreated {
-		log.Write("[error] non-OK response: %s\n", res.Status)
+		log.Write("[error] non-OK response: %s", res.Status)
 		return fmt.Errorf("Hook creation failed: %s", res.Status)
 	}
-	hookregs[repopath] = session.UserToken
-	return nil
+
+	// link user token to repository name so we can use it for validation
+	return linkToRepo(usertoken.Username, repopath)
 }
 
-func deleteValidHook(repopath string, id int) {
+func deleteValidHook(repopath string, id int, usertoken gweb.UserToken) error {
 	log.Write("Deleting %d from %s\n", id, repopath)
 
 	client := ginclient.New(serveralias)
-	err := client.LoadToken()
-	if err != nil {
-		log.Write("[error] failed to load token %s\n", err.Error())
-		return
-	}
+	client.UserToken = usertoken
+
 	res, err := client.Delete(fmt.Sprintf("/api/v1/repos/%s/hooks/%d", repopath, id))
 	if err != nil {
-		log.Write("[error] bad response from server %s\n", err.Error())
-		return
+		log.Write("[error] bad response from server %s", err.Error())
+		return err
 	}
 	defer res.Body.Close()
-	// fmt.Printf("Got response: %s\n", res.Status)
-	// bdy, _ := ioutil.ReadAll(res.Body)
-	// fmt.Println(string(bdy))
+	log.Write("[info] removed hook for %s", repopath)
+
+	log.Write("[info] removing repository -> token link")
+	err = rmTokenRepoLink(repopath)
+	if err != nil {
+		log.Write("[error] failed to delete token link: %s", err.Error())
+		// don't fail
+	}
+
+	return nil
 }

web/pkg.go

@@ -5,18 +5,6 @@ and disabling hooks on the GIN server running the validation.
 */
 package web
 
-import gweb "github.com/G-Node/gin-cli/web"
-
 const (
 	serveralias = "gin"
 )
-
-var (
-	sessions = make(map[string]*usersession)
-	hookregs = make(map[string]gweb.UserToken)
-)
-
-type usersession struct {
-	sessionID string
-	gweb.UserToken
-}

web/token.go

@@ -0,0 +1,101 @@
+package web
+
+import (
+	"encoding/base32"
+	"encoding/gob"
+	"os"
+	"path/filepath"
+
+	gweb "github.com/G-Node/gin-cli/web"
+	"github.com/G-Node/gin-valid/config"
+	"github.com/G-Node/gin-valid/log"
+)
+
+// saveToken writes a token to disk using the username as filename.
+// The location is defined by config.Dir.Tokens.
+func saveToken(ut gweb.UserToken) error {
+	cfg := config.Read()
+	filename := filepath.Join(cfg.Dir.Tokens, ut.Username)
+	tokenfile, err := os.Create(filename)
+	defer tokenfile.Close()
+	if err != nil {
+		return err
+	}
+	encoder := gob.NewEncoder(tokenfile)
+	return encoder.Encode(ut)
+}
+
+// getTokenByUsername reads a token from disk using the username as filename.
+// The location is defined by config.Dir.Tokens.
+func getTokenByUsername(username string) (gweb.UserToken, error) {
+	cfg := config.Read()
+	filename := filepath.Join(cfg.Dir.Tokens, username)
+	return loadToken(filename)
+}
+
+// loadToken loads a token from the provided path
+func loadToken(path string) (gweb.UserToken, error) {
+	ut := gweb.UserToken{}
+	tokenfile, err := os.Open(path)
+	if err != nil {
+		log.Write("[Error] Failed to load token from %s", path)
+		return ut, err
+	}
+	defer tokenfile.Close()
+
+	decoder := gob.NewDecoder(tokenfile)
+	err = decoder.Decode(&ut)
+	return ut, err
+}
+
+// linkToSession links a sessionID to a user's token.
+func linkToSession(username string, sessionid string) error {
+	cfg := config.Read()
+	tokendir := cfg.Dir.Tokens
+	utfile := filepath.Join(tokendir, username)
+	sidfile := filepath.Join(tokendir, "by-sessionid", b32(sessionid))
+	return os.Symlink(utfile, sidfile)
+}
+
+// getTokenBySession loads a user's access token using the session ID found in
+// the user's cookie store.
+func getTokenBySession(sessionid string) (gweb.UserToken, error) {
+	cfg := config.Read()
+	tokendir := cfg.Dir.Tokens
+	filename := filepath.Join(tokendir, "by-sessionid", b32(sessionid))
+	return loadToken(filename)
+}
+
+// linkToRepo links a repository name to a user's token.
+// This token will be used for cloning a repository to run a validator when a
+// web hook is triggered.
+func linkToRepo(username string, repopath string) error {
+	cfg := config.Read()
+	tokendir := cfg.Dir.Tokens
+	utfile := filepath.Join(tokendir, username)
+	sidfile := filepath.Join(tokendir, "by-repo", b32(repopath))
+	return os.Symlink(utfile, sidfile)
+}
+
+// getTokenByRepo loads a user's access token using a repository path.
+func getTokenByRepo(repopath string) (gweb.UserToken, error) {
+	cfg := config.Read()
+	tokendir := cfg.Dir.Tokens
+	filename := filepath.Join(tokendir, "by-repo", b32(repopath))
+	return loadToken(filename)
+}
+
+// rmTokenRepoLink deletes a repository -> token link, removing our ability to
+// clone the repository.
+func rmTokenRepoLink(repopath string) error {
+	cfg := config.Read()
+	tokendir := cfg.Dir.Tokens
+	filename := filepath.Join(tokendir, "by-repo", b32(repopath))
+	return os.Remove(filename)
+}
+
+// b32 encodes a string to base 32. Use this to make strings such as IDs or
+// repopaths filename friendly.
+func b32(s string) string {
+	return base32.StdEncoding.EncodeToString([]byte(s))
+}