alexei.dolgolyov/tiny-forge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7641c0de1209b9ce62fc587006a2c4a544525b56
tiny-forge/internal/staticsite/gitlab_provider.go
T
alexei.dolgolyov 7733e64b08 feat(gitops): config-as-code via .tinyforge.yml for repo-backed workloads 
A dockerfile or static workload can opt in to reading its deploy config from a
.tinyforge.yml in its own repo. Tinyforge fetches the file, shows field-level
drift vs the live config, and an admin applies it with an explicit Sync. The
repo becomes the source of truth for the declared fields. Manual-sync only;
no auto-apply on deploy, no multi-workload reconcile, no create/delete in v1.

Scope is deliberately source-aware and source_config-resident: dockerfile
declares port/healthcheck/deploy_strategy, static declares deploy_strategy.
The file never carries repo coords or secrets (those stay in the encrypted
DB), which keeps credentials out of the repo.

Backend:
- internal/gitops: Spec/ParseSpec (KnownFields rejects unknown keys), a
  source-aware ApplyPlan/BuildPlan, MergeAndValidate (omitted-field-preserving
  deep merge + validate-the-merged-result-then-commit — never a partial
  config), declared-only Drift with normalization, and Fetch with
  ok/no_file/fetch_failed/invalid statuses and token-redacted messages.
- staticsite: DownloadFile added to GitProvider + Gitea/GitHub/GitLab impls,
  reusing each provider's SSRF-safe client; 64 KiB cap; ErrFileNotFound.
- store: 4 additive gitops_* columns + setters (disjoint from UpdateWorkload
  so the edit-form save and a sync never clobber each other).
- api: GET /workloads/{id}/gitops (status + raw + live drift + managed_fields),
  PUT /gitops (admin, enable/path, traversal-safe), POST /gitops/sync (admin,
  per-workload locked read->merge->validate->write, audited to event_log).

Frontend:
- GitOpsPanel.svelte: status pill, a purpose-built field-level drift view,
  .tinyforge.yml preview, enable ToggleSwitch, Sync via ConfirmDialog; all five
  statuses handled, admin affordances gated on the real viewer role.
- GitOps-managed badge (list + detail hero) and a read-only edit-form banner.
- api.ts fetchers + types; i18n apps.detail.gitops.* (en + ru parity).

Built phase-by-phase with an adversarial plan review (caught 5 design flaws
pre-implementation) and an independent review per phase (go / security / ts /
final) — all APPROVE, 0 CRITICAL/HIGH. docs/gitops.md documents the schema and
what's intentionally out of v1. Plan: plans/gitops/.
2026-06-21 23:32:02 +03:00

324 lines
9.1 KiB
Go
Raw Blame History

package staticsite
import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"os"
"path/filepath"
"strings"
"time"
)
// GitLabProvider implements GitProvider for GitLab repositories.
type GitLabProvider struct {
apiBase string // e.g., "https://gitlab.com/api/v4"
rawBase string // e.g., "https://gitlab.com"
token string
httpClient *http.Client
}
// NewGitLabProvider creates a new GitLab provider.
// baseURL should be "https://gitlab.com" or a self-hosted GitLab URL.
func NewGitLabProvider(baseURL, token string) *GitLabProvider {
base := strings.TrimRight(baseURL, "/")
return &GitLabProvider{
apiBase: base + "/api/v4",
rawBase: base,
token: token,
httpClient: NewSafeHTTPClient(60 * time.Second),
}
}
func (g *GitLabProvider) Name() string { return "gitlab" }
// projectPath returns the URL-encoded project path (owner/repo → owner%2Frepo).
func projectPath(owner, repo string) string {
return url.PathEscape(owner + "/" + repo)
}
func (g *GitLabProvider) ListRepos(ctx context.Context, query string) ([]RepoInfo, error) {
var allRepos []RepoInfo
page := 1
for {
apiURL := fmt.Sprintf("%s/projects?membership=true&per_page=100&page=%d&order_by=last_activity_at", g.apiBase, page)
if query != "" {
apiURL += "&search=" + url.QueryEscape(query)
}
body, err := g.doGet(ctx, apiURL)
if err != nil {
return nil, fmt.Errorf("list repos: %w", err)
}
var projects []struct {
PathWithNamespace string `json:"path_with_namespace"`
Name string `json:"name"`
Description string `json:"description"`
Visibility string `json:"visibility"`
WebURL string `json:"web_url"`
Namespace struct {
Path string `json:"path"`
} `json:"namespace"`
}
if err := json.Unmarshal(body, &projects); err != nil {
return nil, fmt.Errorf("decode repos: %w", err)
}
for _, p := range projects {
allRepos = append(allRepos, RepoInfo{
Owner: p.Namespace.Path,
Name: p.Name,
FullName: p.PathWithNamespace,
Description: p.Description,
Private: p.Visibility != "public",
HTMLURL: p.WebURL,
})
}
if len(projects) < 100 {
break
}
page++
}
return allRepos, nil
}
func (g *GitLabProvider) TestConnection(ctx context.Context, owner, repo string) error {
apiURL := fmt.Sprintf("%s/projects/%s", g.apiBase, projectPath(owner, repo))
_, err := g.doGet(ctx, apiURL)
return err
}
// SetCommitStatus reports a deploy status on a commit via GitLab's commit-
// status API. GitLab's state vocabulary differs (pending/running/success/
// failed/canceled), so failure AND error both map to "failed". The status
// metadata (name/target_url/description) is passed as query parameters,
// which is how GitLab's POST .../statuses/{sha} endpoint accepts them.
func (g *GitLabProvider) SetCommitStatus(ctx context.Context, owner, repo, sha string, status CommitStatus, targetURL, description string) error {
q := url.Values{}
q.Set("state", gitlabState(status))
q.Set("name", commitStatusContext)
if targetURL != "" {
q.Set("target_url", targetURL)
}
if description != "" {
q.Set("description", truncateDescription(description))
}
apiURL := fmt.Sprintf("%s/projects/%s/statuses/%s?%s",
g.apiBase, projectPath(owner, repo), url.PathEscape(sha), q.Encode())
// No JSON body — all fields ride as query params. Reuse postJSON for
// the SSRF-safe POST + 2xx handling; an empty body is valid here.
if err := postJSON(ctx, g.httpClient, apiURL, nil, g.setAuth); err != nil {
return fmt.Errorf("set commit status: %w", err)
}
return nil
}
// gitlabState maps a provider-agnostic CommitStatus onto GitLab's API
// vocabulary. GitLab has no "failure"/"error" split — both map to
// "failed".
func gitlabState(status CommitStatus) string {
switch status {
case CommitStatusSuccess:
return "success"
case CommitStatusFailure, CommitStatusError:
return "failed"
default:
return "pending"
}
}
func (g *GitLabProvider) ListBranches(ctx context.Context, owner, repo string) ([]string, error) {
var allBranches []string
page := 1
for {
apiURL := fmt.Sprintf("%s/projects/%s/repository/branches?per_page=100&page=%d",
g.apiBase, projectPath(owner, repo), page)
body, err := g.doGet(ctx, apiURL)
if err != nil {
return nil, fmt.Errorf("list branches: %w", err)
}
var branches []struct {
Name string `json:"name"`
}
if err := json.Unmarshal(body, &branches); err != nil {
return nil, fmt.Errorf("decode branches: %w", err)
}
for _, b := range branches {
allBranches = append(allBranches, b.Name)
}
if len(branches) < 100 {
break
}
page++
}
return allBranches, nil
}
func (g *GitLabProvider) GetLatestCommitSHA(ctx context.Context, owner, repo, branch string) (string, error) {
apiURL := fmt.Sprintf("%s/projects/%s/repository/branches/%s",
g.apiBase, projectPath(owner, repo), url.PathEscape(branch))
body, err := g.doGet(ctx, apiURL)
if err != nil {
return "", fmt.Errorf("get branch: %w", err)
}
var result struct {
Commit struct {
ID string `json:"id"`
} `json:"commit"`
}
if err := json.Unmarshal(body, &result); err != nil {
return "", fmt.Errorf("decode branch: %w", err)
}
return result.Commit.ID, nil
}
func (g *GitLabProvider) ListTree(ctx context.Context, owner, repo, branch string) ([]FolderEntry, error) {
var allEntries []FolderEntry
page := 1
for {
apiURL := fmt.Sprintf("%s/projects/%s/repository/tree?ref=%s&recursive=true&per_page=100&page=%d",
g.apiBase, projectPath(owner, repo), url.QueryEscape(branch), page)
body, err := g.doGet(ctx, apiURL)
if err != nil {
return nil, fmt.Errorf("list tree: %w", err)
}
var entries []struct {
Path string `json:"path"`
Type string `json:"type"` // "blob" or "tree"
}
if err := json.Unmarshal(body, &entries); err != nil {
return nil, fmt.Errorf("decode tree: %w", err)
}
for _, e := range entries {
allEntries = append(allEntries, FolderEntry{
Path: e.Path,
IsDir: e.Type == "tree",
})
}
if len(entries) < 100 {
break
}
page++
}
return allEntries, nil
}
func (g *GitLabProvider) DownloadFolder(ctx context.Context, owner, repo, branch, folderPath, destDir string) error {
entries, err := g.ListTree(ctx, owner, repo, branch)
if err != nil {
return fmt.Errorf("list tree: %w", err)
}
folderPath = strings.TrimPrefix(folderPath, "/")
folderPath = strings.TrimSuffix(folderPath, "/")
prefix := folderPath + "/"
for _, entry := range entries {
if entry.IsDir {
continue
}
if !strings.HasPrefix(entry.Path, prefix) {
continue
}
relativePath := strings.TrimPrefix(entry.Path, prefix)
localPath := filepath.Join(destDir, filepath.FromSlash(relativePath))
// Path-traversal defense: reject tree entries whose resolved
// path escapes destDir (e.g. `../etc/passwd` smuggled through
// a hostile self-hosted GitLab).
cleanDest := filepath.Clean(destDir)
if cleanRel := filepath.Clean(localPath); cleanRel != cleanDest &&
!strings.HasPrefix(cleanRel, cleanDest+string(os.PathSeparator)) {
return fmt.Errorf("rejecting tree entry outside dest: %s", relativePath)
}
// GitLab raw file URL: {base}/{owner}/{repo}/-/raw/{branch}/{path}
// Each segment is path-escaped to match projectPath()'s shape and
// to refuse traversal sequences supplied via the request.
fileURL := fmt.Sprintf("%s/%s/%s/-/raw/%s/%s",
g.rawBase,
url.PathEscape(owner),
url.PathEscape(repo),
url.PathEscape(branch),
entry.Path)
if err := downloadFileHTTP(ctx, g.httpClient, fileURL, localPath, g.setAuth); err != nil {
return fmt.Errorf("download %s: %w", relativePath, err)
}
}
return nil
}
// DownloadFile fetches a single file's raw bytes via GitLab's raw endpoint,
// capped at maxBytes. Returns ErrFileNotFound on a 404. owner/repo/ref are
// path-escaped; the file path is passed through verbatim to preserve its `/`
// separators (a `..` segment is harmless — the bytes are only parsed in
// memory, never written to disk, so there is no local-traversal sink).
func (g *GitLabProvider) DownloadFile(ctx context.Context, owner, repo, ref, path string, maxBytes int64) ([]byte, error) {
p := strings.TrimPrefix(path, "/")
fileURL := fmt.Sprintf("%s/%s/%s/-/raw/%s/%s",
g.rawBase,
url.PathEscape(owner),
url.PathEscape(repo),
url.PathEscape(ref),
p)
return getFileBytes(ctx, g.httpClient, fileURL, maxBytes, g.setAuth)
}
func (g *GitLabProvider) doGet(ctx context.Context, apiURL string) ([]byte, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil)
if err != nil {
return nil, fmt.Errorf("create request: %w", err)
}
g.setAuth(req)
req.Header.Set("Accept", "application/json")
resp, err := g.httpClient.Do(req)
if err != nil {
return nil, fmt.Errorf("execute request: %w", err)
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("read response: %w", err)
}
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("unexpected status %d: %s", resp.StatusCode, string(body))
}
return body, nil
}
func (g *GitLabProvider) setAuth(req *http.Request) {
if g.token != "" {
req.Header.Set("PRIVATE-TOKEN", g.token)
}
}
Reference in New Issue View Git Blame Copy Permalink