-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathadmin.go
More file actions
180 lines (167 loc) · 5.11 KB
/
admin.go
File metadata and controls
180 lines (167 loc) · 5.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
package main
import (
"crypto/subtle"
"encoding/json"
"log"
"net/http"
"os"
"path/filepath"
"strings"
"sync"
"time"
)
// ─── Admin config ─────────────────────────────────────────────────────────────
type AdminConfig struct {
AdminToken string `json:"admin_token,omitempty"` // secret token for admin endpoints; empty = admin disabled
RWPaths []string `json:"rw_paths"` // vault-relative paths that allow writes, e.g. "pessoal/agents/hermes/skills"
}
type server struct {
vaultsDir string
appdataDir string
idx *NoteIndex
static http.Handler
cfgMu sync.RWMutex
cfg AdminConfig
shares *ShareStore
shutdown chan struct{}
}
func (s *server) configPath() string {
return filepath.Join(s.appdataDir, "config.json")
}
func (s *server) loadConfig() {
data, err := os.ReadFile(s.configPath())
if err != nil {
return // no config yet → empty (all writes blocked by default)
}
s.cfgMu.Lock()
defer s.cfgMu.Unlock()
_ = json.Unmarshal(data, &s.cfg)
}
func (s *server) saveConfig() error {
s.cfgMu.RLock()
data, err := json.MarshalIndent(s.cfg, "", " ")
s.cfgMu.RUnlock()
if err != nil {
return err
}
tmp := s.configPath() + ".tmp"
if err := os.WriteFile(tmp, data, 0600); err != nil {
return err
}
return os.Rename(tmp, s.configPath())
}
// isWritable returns true if vault+path is under one of the configured RW paths.
// rw_paths are vault-rooted, e.g. "pessoal" (whole vault) or "pessoal/agents/hermes/skills" (subfolder).
// vault is e.g. "pessoal"; path is vault-relative e.g. "agents/hermes/skills/foo.md".
func (s *server) isWritable(vault, path string) bool {
s.cfgMu.RLock()
defer s.cfgMu.RUnlock()
full := vault + "/" + path
for _, rw := range s.cfg.RWPaths {
rw = strings.TrimSuffix(rw, "/")
if rw == vault || // whole vault writable
full == rw || // exact match
strings.HasPrefix(full, rw+"/") { // under rw dir
return true
}
}
return false
}
// ─── Admin handlers ───────────────────────────────────────────────────────────
func (s *server) requireAdminToken(w http.ResponseWriter, r *http.Request) bool {
s.cfgMu.RLock()
token := s.cfg.AdminToken
s.cfgMu.RUnlock()
if token == "" {
errResponse(w, 403, "admin not configured")
return false
}
headerToken := r.Header.Get("X-Admin-Token")
if subtle.ConstantTimeCompare([]byte(headerToken), []byte(token)) != 1 {
log.Printf("admin: invalid token from %s", r.RemoteAddr)
errResponse(w, 403, "unauthorized")
return false
}
return true
}
// handleWritablePaths exposes only the rw_paths list (no admin token).
// The list isn't sensitive — knowing which vaults/folders are writable
// only confirms what the writes themselves would already reveal. Lets
// the SPA disable write-related UI (paste-append, edit toggle, etc.)
// without needing the admin token.
func (s *server) handleWritablePaths(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
errResponse(w, 405, "method not allowed")
return
}
s.cfgMu.RLock()
paths := make([]string, len(s.cfg.RWPaths))
copy(paths, s.cfg.RWPaths)
s.cfgMu.RUnlock()
jsonResponse(w, map[string][]string{"rw_paths": paths})
}
func (s *server) handleAdminConfig(w http.ResponseWriter, r *http.Request) {
if !s.requireAdminToken(w, r) {
return
}
switch r.Method {
case http.MethodGet:
s.cfgMu.RLock()
cfg := s.cfg
s.cfgMu.RUnlock()
jsonResponse(w, cfg)
case http.MethodPost:
// Limit body to 32KB
r.Body = http.MaxBytesReader(w, r.Body, 32<<10)
var incoming AdminConfig
dec := json.NewDecoder(r.Body)
dec.DisallowUnknownFields()
if err := dec.Decode(&incoming); err != nil {
errResponse(w, 400, "invalid json")
return
}
s.cfgMu.Lock()
// Merge: keep existing token unless explicitly set
if incoming.AdminToken != "" {
s.cfg.AdminToken = incoming.AdminToken
}
// Validate RWPaths — reject .. and absolute paths
for _, p := range incoming.RWPaths {
if strings.Contains(p, "..") || filepath.IsAbs(p) {
s.cfgMu.Unlock()
errResponse(w, 400, "invalid rw_path")
return
}
}
s.cfg.RWPaths = incoming.RWPaths
s.cfgMu.Unlock()
if err := s.saveConfig(); err != nil {
log.Printf("saveConfig error: %v", err)
errResponse(w, 500, "failed to save config")
return
}
jsonResponse(w, s.cfg)
default:
errResponse(w, 405, "method not allowed")
}
}
// handleHealth returns a lightweight health check.
func (s *server) handleHealth(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
w.Write([]byte(`{"status":"ok"}`))
}
func (s *server) handleAdminRestart(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
errResponse(w, 405, "method not allowed")
return
}
if !s.requireAdminToken(w, r) {
return
}
jsonResponse(w, map[string]string{"status": "restarting"})
go func() {
time.Sleep(200 * time.Millisecond)
close(s.shutdown)
}()
}