Add token_type and token_branches and record both in the database

flatpak · Nov 2, 2023 · 195f7d5 · 195f7d5
1 parent fc2cdc1
commit 195f7d5
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 2 deletions.
diff --git a/migrations/2023-11-02-171702_build_token_type_and_branches/down.sql b/migrations/2023-11-02-171702_build_token_type_and_branches/down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE builds DROP COLUMN token_type;
+ALTER TABLE builds DROP COLUMN token_branches;
diff --git a/migrations/2023-11-02-171702_build_token_type_and_branches/up.sql b/migrations/2023-11-02-171702_build_token_type_and_branches/up.sql
@@ -0,0 +1,2 @@
+ALTER TABLE builds ADD token_type TEXT NULL;
+ALTER TABLE builds ADD token_branches TEXT[] NULL;
diff --git a/src/api/build.rs b/src/api/build.rs
@@ -144,13 +144,34 @@ async fn create_build_async(
         "-".to_string()
     };
 
+    let token_type = if let Some(ref claims) = req.get_claims() {
+        claims.token_type.clone()
+    } else {
+        None
+    };
+
+    let token_branches = if let Some(ref claims) = req.get_claims() {
+        Some(
+            claims
+                .branches
+                .iter()
+                .filter(|s| !s.is_empty())
+                .map(|s| s.clone())
+                .collect(),
+        )
+    } else {
+        None
+    };
+
     let build = db
         .new_build(NewBuild {
             repo: args.repo.clone(),
             app_id: args.app_id.clone(),
             public_download,
             build_log_url: args.build_log_url.clone(),
             token_name: Some(token_name),
+            token_type,
+            token_branches,
         })
         .await?;
     let build_repo_path = config.build_repo_base.join(build.id.to_string());
@@ -568,6 +589,8 @@ pub fn token_subset(
                         claims.repos
                     }
                 },
+                branches: claims.branches.clone(),
+                token_type: claims.token_type.clone(),
                 exp: new_exp,
             };
             return match jwt::encode(

diff --git a/src/bin/gentoken.rs b/src/bin/gentoken.rs
@@ -16,6 +16,8 @@ struct Claims {
     prefixes: Vec<String>,
     repos: Vec<String>,
     exp: i64,
+    token_type: String,
+    branches: Vec<String>,
 }
 
 fn read_secret(filename: String) -> io::Result<String> {
@@ -40,7 +42,8 @@ fn main() {
     let mut scope: Vec<String> = vec![];
     let mut prefixes: Vec<String> = vec![];
     let mut repos: Vec<String> = vec![];
-
+    let mut token_type: String = "app".to_string();
+    let mut branches: Vec<String> = vec![];
     {
         let mut ap = ArgumentParser::new();
         ap.set_description("Generate token for flat-manager.");
@@ -79,6 +82,13 @@ fn main() {
             Store,
             "Duration for key in seconds (default 1 year)",
         );
+        ap.refer(&mut token_type)
+            .add_option(&["--token-type"], Store, "Token type");
+        ap.refer(&mut branches).add_option(
+            &["--branch"],
+            List,
+            "Add branch (default if none: ['stable']",
+        );
         ap.parse_args_or_exit();
     }
 
@@ -102,6 +112,10 @@ fn main() {
         repos = vec!["".to_string()];
     }
 
+    if branches.is_empty() {
+        branches = vec!["stable".to_string()];
+    }
+
     if let Some(s) = secret {
         secret_contents = s;
     } else if let Some(filename) = secret_file {
@@ -130,6 +144,8 @@ fn main() {
         repos,
         name: name.clone(),
         exp: Utc::now().timestamp() + duration,
+        token_type,
+        branches,
     };
 
     if verbose {

diff --git a/src/models.rs b/src/models.rs
@@ -14,6 +14,8 @@ pub struct NewBuild {
     pub public_download: bool,
     pub build_log_url: Option<String>,
     pub token_name: Option<String>,
+    pub token_type: Option<String>,
+    pub token_branches: Option<Vec<String>>,
 }
 
 #[derive(Identifiable, Serialize, Queryable, Debug, Eq, PartialEq)]
@@ -36,6 +38,8 @@ pub struct Build {
     pub public_download: bool,
     pub build_log_url: Option<String>,
     pub token_name: Option<String>,
+    pub token_type: Option<String>,
+    pub token_branches: Option<Vec<String>>,
 }
 
 #[derive(Deserialize, Debug, Eq, PartialEq)]

diff --git a/src/schema.rs b/src/schema.rs
@@ -26,6 +26,8 @@ diesel::table! {
         public_download -> Bool,
         build_log_url -> Nullable<Text>,
         token_name -> Nullable<Text>,
+        token_type -> Nullable<Text>,
+        token_branches -> Nullable<Array<Text>>,
     }
 }
 

diff --git a/src/tokens.rs b/src/tokens.rs
@@ -57,6 +57,7 @@ impl Display for ClaimsScope {
  * is not verified). */
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Claims {
+    pub name: Option<String>,
     pub sub: String, // "build", "build/N", user id for repo tokens, or "" for certain management tokens
     pub exp: i64,
     pub jti: Option<String>, // an unique ID for the token, for revocation.
@@ -69,7 +70,10 @@ pub struct Claims {
     pub apps: Vec<String>, // like prefixes, but only exact matches
     #[serde(default)]
     pub repos: Vec<String>, // list of repo names or a '' for match all
-    pub name: Option<String>, // for debug/logs only
+    #[serde(default)]
+    pub branches: Vec<String>, // list of allowed branches or a '' for match all
+    #[serde(default)]
+    pub token_type: Option<String>, // "app" to require at least one app ref
 }
 
 pub trait ClaimsValidator {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		ALTER TABLE builds DROP COLUMN token_type;
		ALTER TABLE builds DROP COLUMN token_branches;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		ALTER TABLE builds ADD token_type TEXT NULL;
		ALTER TABLE builds ADD token_branches TEXT[] NULL;