add security

dadav · Mar 4, 2024 · d7767e0 · d7767e0
1 parent ce09145
commit d7767e0
Show file tree

Hide file tree

Showing 6 changed files with 106 additions and 36 deletions.
diff --git a/README.md b/README.md
@@ -99,6 +99,8 @@ modulesdir: /opt/gorge/modules
 no-cache: false
 # Port to bind the webservice to.
 port: 8080
+# The jwt secret used in the protected endpoint validation
+jwt-secret: changeme
 ```
 
 Via environment:
@@ -117,6 +119,7 @@ GORGE_IMPORT_PROXIED_RELEASES=false
 GORGE_MODULESDIR=/opt/gorge/modules
 GORGE_NO_CACHE=false
 GORGE_PORT=8080
+GORGE_JWT_SECRET=changeme
 ```
 
 ## 🐛 Security

diff --git a/cmd/serve.go b/cmd/serve.go
@@ -55,7 +55,10 @@ You can also enable the caching functionality to speed things up.`,
 			log.Log.Fatalf("Invalid backend: %s", config.Backend)
 		}
 
-		backend.ConfiguredBackend.LoadModules()
+		err := backend.ConfiguredBackend.LoadModules()
+		if err != nil {
+			log.Log.Fatal(err)
+		}
 
 		if config.ApiVersion == "v3" {
 			moduleService := v3.NewModuleOperationsApi()
@@ -66,7 +69,7 @@ You can also enable the caching functionality to speed things up.`,
 			r := chi.NewRouter()
 
 			// Logger should come before any middleware that modifies the response
-			r.Use(middleware.Logger)
+			// r.Use(middleware.Logger)
 			// Recoverer should also be pretty high in the middleware stack
 			r.Use(middleware.Recoverer)
 			r.Use(middleware.RealIP)

diff --git a/internal/v3/api/module.go b/internal/v3/api/module.go
@@ -22,24 +22,25 @@ func NewModuleOperationsApi() *ModuleOperationsApi {
 	return &ModuleOperationsApi{}
 }
 
+type DeleteModule500Response struct {
+	Message string   `json:"message,omitempty"`
+	Errors  []string `json:"errors,omitempty"`
+}
+
 // DeleteModule - Delete module
 func (s *ModuleOperationsApi) DeleteModule(ctx context.Context, moduleSlug string, reason string) (gen.ImplResponse, error) {
-	// TODO: Uncomment the next line to return response Response(204, {}) or use other options such as http.Ok ...
-	// return Response(204, nil),nil
-
-	// TODO: Uncomment the next line to return response Response(400, GetFile400Response{}) or use other options such as http.Ok ...
-	// return Response(400, GetFile400Response{}), nil
-
-	// TODO: Uncomment the next line to return response Response(401, GetUserSearchFilters401Response{}) or use other options such as http.Ok ...
-	// return Response(401, GetUserSearchFilters401Response{}), nil
-
-	// TODO: Uncomment the next line to return response Response(403, DeleteUserSearchFilter403Response{}) or use other options such as http.Ok ...
-	// return Response(403, DeleteUserSearchFilter403Response{}), nil
-
-	// TODO: Uncomment the next line to return response Response(404, GetFile404Response{}) or use other options such as http.Ok ...
-	// return Response(404, GetFile404Response{}), nil
+	err := backend.ConfiguredBackend.DeleteModuleBySlug(moduleSlug)
+	if err == nil {
+		return gen.Response(204, nil), nil
+	}
 
-	return gen.Response(http.StatusNotImplemented, nil), errors.New("DeleteModule method not implemented")
+	return gen.Response(
+		500,
+		DeleteModule500Response{
+			Message: err.Error(),
+			Errors:  []string{err.Error()},
+		},
+	), nil
 }
 
 // DeprecateModule - Deprecate module

diff --git a/internal/v3/api/release.go b/internal/v3/api/release.go
@@ -58,27 +58,25 @@ func (s *ReleaseOperationsApi) AddRelease(ctx context.Context, addReleaseRequest
 	}), nil
 }
 
+type DeleteRelease500Response struct {
+	Message string   `json:"message,omitempty"`
+	Errors  []string `json:"errors,omitempty"`
+}
+
 // DeleteRelease - Delete module release
 func (s *ReleaseOperationsApi) DeleteRelease(ctx context.Context, releaseSlug string, reason string) (gen.ImplResponse, error) {
-	// TODO - update DeleteRelease with the required logic for this service method.
-	// Add api_release_operations_service.go to the .openapi-generator-ignore to avoid overwriting this service implementation when updating open api generation.
-
-	// TODO: Uncomment the next line to return response Response(204, {}) or use other options such as http.Ok ...
-	// return Response(204, nil),nil
-
-	// TODO: Uncomment the next line to return response Response(400, GetFile400Response{}) or use other options such as http.Ok ...
-	// return Response(400, GetFile400Response{}), nil
-
-	// TODO: Uncomment the next line to return response Response(401, GetUserSearchFilters401Response{}) or use other options such as http.Ok ...
-	// return Response(401, GetUserSearchFilters401Response{}), nil
-
-	// TODO: Uncomment the next line to return response Response(403, DeleteUserSearchFilter403Response{}) or use other options such as http.Ok ...
-	// return Response(403, DeleteUserSearchFilter403Response{}), nil
-
-	// TODO: Uncomment the next line to return response Response(404, GetFile404Response{}) or use other options such as http.Ok ...
-	// return Response(404, GetFile404Response{}), nil
+	err := backend.ConfiguredBackend.DeleteReleaseBySlug(releaseSlug)
+	if err == nil {
+		return gen.Response(204, nil), nil
+	}
 
-	return gen.Response(http.StatusNotImplemented, nil), errors.New("DeleteRelease method not implemented")
+	return gen.Response(
+		500,
+		DeleteRelease500Response{
+			Message: err.Error(),
+			Errors:  []string{err.Error()},
+		},
+	), nil
 }
 
 func ReleaseToModule(releaseSlug string) string {

diff --git a/internal/v3/backend/filesystem.go b/internal/v3/backend/filesystem.go
@@ -17,6 +17,7 @@ import (
 	"time"
 
 	"github.com/dadav/gorge/internal/config"
+	"github.com/dadav/gorge/internal/log"
 	"github.com/dadav/gorge/internal/model"
 	gen "github.com/dadav/gorge/pkg/gen/v3/openapi"
 	"golang.org/x/mod/semver"
@@ -185,6 +186,7 @@ func (s *FilesystemBackend) AddRelease(releaseData []byte) (*gen.Release, error)
 			module.CurrentRelease = gen.ModuleCurrentRelease(*release)
 		}
 	}
+	s.Releases[metadata.Name] = append(s.Releases[metadata.Name], release)
 
 	releaseFile := fmt.Sprintf("%s.tar.gz", releaseSlug)
 	releaseFilePath := fmt.Sprintf("%s/%s/%s", config.ModulesDir, metadata.Name, releaseFile)
@@ -244,12 +246,68 @@ func (s *FilesystemBackend) GetReleaseBySlug(slug string) (*gen.Release, error)
 	return nil, errors.New("release not found")
 }
 
-func (s *FilesystemBackend) LoadModules() error {
+func (s *FilesystemBackend) DeleteModuleBySlug(slug string) error {
+	s.muModules.Lock()
+	s.muReleases.Lock()
+	defer s.muModules.Unlock()
+	defer s.muReleases.Unlock()
+
+	modulePath := filepath.Join(config.ModulesDir, slug)
+	err := os.RemoveAll(modulePath)
+	if err != nil {
+		return err
+	}
+
+	delete(s.Releases, slug)
+	delete(s.Modules, slug)
+
+	return nil
+}
+
+func (s *FilesystemBackend) DeleteReleaseBySlug(slug string) error {
 	s.muModules.Lock()
 	s.muReleases.Lock()
 	defer s.muModules.Unlock()
 	defer s.muReleases.Unlock()
 
+	for module, releases := range s.Releases {
+		newReleases := []*gen.Release{}
+		for _, release := range releases {
+			if release.Slug == slug {
+				releasePath := filepath.Join(config.ModulesDir, release.Module.Slug, fmt.Sprintf("%s.tar.gz", slug))
+				err := os.Remove(releasePath)
+				if err != nil {
+					return err
+				}
+			} else {
+				newReleases = append(newReleases, release)
+			}
+		}
+		s.Releases[module] = newReleases
+
+		newAbbrReleases := []gen.ReleaseAbbreviated{}
+		for _, abbrRelease := range s.Modules[module].Releases {
+			if abbrRelease.Slug != slug {
+				newAbbrReleases = append(newAbbrReleases, abbrRelease)
+			}
+		}
+		s.Modules[module].Releases = newAbbrReleases
+
+		if s.Modules[module].CurrentRelease.Slug == slug {
+			latestReleaseVersion := findLatestVersion(s.Modules[module].Releases)
+			for _, modRelease := range s.Releases[module] {
+				if modRelease.Version == latestReleaseVersion {
+					s.Modules[module].CurrentRelease = gen.ModuleCurrentRelease(*modRelease)
+					break
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+func (s *FilesystemBackend) LoadModules() error {
 	s.Modules = make(map[string]*gen.Module)
 	s.Releases = make(map[string][]*gen.Release)
 
@@ -262,6 +320,7 @@ func (s *FilesystemBackend) LoadModules() error {
 			return nil
 		}
 
+		log.Log.Debugf("Reading %s\n", path)
 		releaseBytes, err := os.ReadFile(path)
 		if err != nil {
 			return err

diff --git a/internal/v3/backend/interface.go b/internal/v3/backend/interface.go
@@ -20,4 +20,10 @@ type Backend interface {
 
 	// AddRelease adds a new release
 	AddRelease(data []byte) (*gen.Release, error)
+
+	// DeleteModuleBySlug deletes a module
+	DeleteModuleBySlug(slug string) error
+
+	// DeleteReleaseBySlug deletes a release by slug
+	DeleteReleaseBySlug(slug string) error
 }