18097442731

Committed 29 Sep 2025 12:46PM UTC coverage: 79.573% (+0.04%) from 79.529%

Build # 18097442731

Build Type

Pull #70

github

Committed by

CyberDuck79

Commit Message

refactor: extract writeMetadataFile helper to reduce metadata writing duplication

- Add writeMetadataFile() helper function for consistent JSON metadata writing
- Replace duplicate json.Marshal + os.WriteFile patterns in remote.go
- Reduces code duplication in template and remote metadata handling

Pull Request Pull Request #70: Phase 2: Implement separated targets and remotes configurations

Run Details

592 of 686 new or added lines in 9 files covered. (86.3%)

24 existing lines in 5 files now uncovered.

2758 of 3466 relevant lines covered (79.57%)

11.37 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

85.86

/internal/config/security.go

package config

import (
        "fmt"
        "net/url"
        "os"
        "path/filepath"
        "strings"
        "time"

        "github.com/CyberDuck79/duckfile/internal/log"
        "gopkg.in/yaml.v3"
)

// SecurityConfig holds comprehensive security configuration loaded from
// environment variables, CLI flags, or configuration files to prevent supply-chain attacks.
// BuildSecurityConfigWithPrecedence builds a security configuration using enhanced precedence system.
// Precedence order (highest to lowest):
// 1. 🔒 Signed Security Config Files (tamper-proof, highest)
// 2. ⚡ CLI flags (high precedence when no signed config)
// 3. 🌍 Environment variables (system-level control)
// 4. 📄 Unsigned Security Config Files (lower to prevent bypass)
// 5. 🔓 No restrictions (backward compatibility)rity settings are kept separate from duck.yaml to prevent attackers
// from modifying both targets and security policies in the same commit.
type SecurityConfig struct {
        // Existing host restriction fields
        AllowedHosts []string `yaml:"allowedHosts,omitempty"`
        DeniedHosts  []string `yaml:"deniedHosts,omitempty"`
        StrictMode   bool     `yaml:"strictMode,omitempty"` // Fail if no restrictions are configured
        Source       string   `yaml:"source,omitempty"`     // "signed", "env", "cli", "unsigned", "none" for audit trail

        // NEW: Digital signature fields
        Signature *DigitalSignature `yaml:"signature,omitempty"`

        // NEW: Policy enforcement
        Enforcement *PolicyEnforcement `yaml:"enforcement,omitempty"`

        // NEW: File permission validation
        FilePermissions *FilePermissionPolicy `yaml:"filePermissions,omitempty"`

        // NEW: Metadata for audit trails
        Metadata *SecurityMetadata `yaml:"metadata,omitempty"`

        // NEW: Source tracking for precedence
        SourceFile string `yaml:"sourceFile,omitempty"` // Path to config file if loaded from file
        IsSigned   bool   `yaml:"isSigned,omitempty"`   // Whether this config was verified with a valid signature
        Version    int    `yaml:"version,omitempty"`    // Configuration version
}

// DigitalSignature holds signature verification information
type DigitalSignature struct {
        Algorithm string `yaml:"algorithm"` // "ed25519"
        KeyID     string `yaml:"keyId"`     // Key identifier for lookup
        Signature string `yaml:"signature"` // base64-encoded signature
}

// PolicyEnforcement defines security policy enforcement rules
type PolicyEnforcement struct {
        ForceChecksumValidation bool `yaml:"forceChecksumValidation"` // Fail if template has no checksum
        ForceCommitTracking     bool `yaml:"forceCommitTracking"`     // Fail if trackCommitHash=false
        DisableAutoUpdate       bool `yaml:"disableAutoUpdate"`       // Override autoUpdateOnChange settings
        StrictPolicyMode        bool `yaml:"strictPolicyMode"`        // Require security config to exist
        EnforceFilePermissions  bool `yaml:"enforceFilePermissions"`  // Validate file permissions according to policy
}

// FilePermissionPolicy defines file permission validation rules
type FilePermissionPolicy struct {
        EnforceOwnership         bool `yaml:"enforceOwnership"`         // Require proper ownership (root for system files)
        EnforceReadOnly          bool `yaml:"enforceReadOnly"`          // Require read-only permissions
        AllowGroupWrite          bool `yaml:"allowGroupWrite"`          // Allow group write permissions
        RequireSecureDirectories bool `yaml:"requireSecureDirectories"` // Parent dirs must be secure
}

// SecurityMetadata holds audit trail information
type SecurityMetadata struct {
        CreatedBy string    `yaml:"createdBy"`
        CreatedAt time.Time `yaml:"createdAt"`
        Purpose   string    `yaml:"purpose"`
        Version   int       `yaml:"version,omitempty"`
}

// SecurityConfigFile represents a discovered security configuration file
type SecurityConfigFile struct {
        Path       string
        Type       SecurityFileType
        Exists     bool
        Readable   bool
        HasSigFile bool // Whether a corresponding .sig file exists
}

// SecurityFileType indicates the type and precedence of a security config file
type SecurityFileType int

const (
        SecurityFileTypeSystem  SecurityFileType = iota // /etc/duckfile/security.yaml
        SecurityFileTypeUser                            // ~/.duckfile/security.yaml, ~/.config/duckfile/security.yaml
        SecurityFileTypeProject                         // ./.duckfile/security.yaml
)

// DiscoverSecurityConfigs discovers security configuration files in the standard hierarchy.
// Returns files in precedence order (highest to lowest):
// 1. System-wide: /etc/duckfile/security.{yaml,yml}
// 2. User-specific: ~/.duckfile/security.{yaml,yml}, ~/.config/duckfile/security.{yaml,yml}
// 3. Project-specific: ./.duckfile/security.yaml
func DiscoverSecurityConfigs() ([]*SecurityConfigFile, error) {
        var configs []*SecurityConfigFile

        // 1. System-wide configurations (highest precedence for signed configs)
        systemPaths := []string{
                "/etc/duckfile/security.yaml",
                "/etc/duckfile/security.yml",
        }

        for _, path := range systemPaths {
                if config := checkSecurityConfigFile(path, SecurityFileTypeSystem); config != nil {
                        configs = append(configs, config)
                }
        }

        // 2. User-specific configurations
        homeDir, err := os.UserHomeDir()
        if err == nil {
                userPaths := []string{
                        homeDir + "/.duckfile/security.yaml",
                        homeDir + "/.duckfile/security.yml",
                        homeDir + "/.config/duckfile/security.yaml",
                        homeDir + "/.config/duckfile/security.yml",
                }

                for _, path := range userPaths {
                        if config := checkSecurityConfigFile(path, SecurityFileTypeUser); config != nil {
                                configs = append(configs, config)
                        }
                }
        }

        // 3. Project-specific configurations (lowest precedence)
        projectPaths := []string{
                "./.duckfile/security.yaml",
                "./.duckfile/security.yml",
        }

        for _, path := range projectPaths {
                if config := checkSecurityConfigFile(path, SecurityFileTypeProject); config != nil {
                        configs = append(configs, config)
                }
        }

        return configs, nil
}

// DiscoverSecurityConfigsInDir discovers security configuration files relative to a specific directory.
// This is primarily for testing purposes.
func DiscoverSecurityConfigsInDir(baseDir string) ([]*SecurityConfigFile, error) {
        var configs []*SecurityConfigFile

        // 1. System-wide configurations (highest precedence for signed configs)
        systemPaths := []string{
                "/etc/duckfile/security.yaml",
                "/etc/duckfile/security.yml",
        }

        for _, path := range systemPaths {
                if config := checkSecurityConfigFile(path, SecurityFileTypeSystem); config != nil {
                        configs = append(configs, config)
                }
        }

        // 2. User-specific configurations
        homeDir, err := os.UserHomeDir()
        if err == nil {
                userPaths := []string{
                        homeDir + "/.duckfile/security.yaml",
                        homeDir + "/.duckfile/security.yml",
                        homeDir + "/.config/duckfile/security.yaml",
                        homeDir + "/.config/duckfile/security.yml",
                }

                for _, path := range userPaths {
                        if config := checkSecurityConfigFile(path, SecurityFileTypeUser); config != nil {
                                configs = append(configs, config)
                        }
                }
        }

        // 3. Project-specific configurations (lowest precedence) - relative to baseDir
        projectPaths := []string{
                filepath.Join(baseDir, ".duckfile", "security.yaml"),
                filepath.Join(baseDir, ".duckfile", "security.yml"),
        }

        for _, path := range projectPaths {
                if config := checkSecurityConfigFile(path, SecurityFileTypeProject); config != nil {
                        configs = append(configs, config)
                }
        }

        return configs, nil
}

// checkSecurityConfigFile checks if a security config file exists and is readable
func checkSecurityConfigFile(path string, fileType SecurityFileType) *SecurityConfigFile {
        config := &SecurityConfigFile{
                Path: path,
                Type: fileType,
        }

        // Check if main config file exists and is readable
        if info, err := os.Stat(path); err == nil && !info.IsDir() {
                config.Exists = true

                // Test readability
                if file, err := os.Open(path); err == nil {
                        config.Readable = true
                        file.Close() //nolint:errcheck
                }
        }

        // Check for corresponding signature file
        sigPath := path + ".sig"
        if _, err := os.Stat(sigPath); err == nil {
                config.HasSigFile = true
        }

        // Only return config if the main file exists
        if config.Exists {
                return config
        }
        return nil
}

// LoadSecurityConfigFromFile loads and parses a security configuration from a YAML file
// with optional signature verification
// loadSignatureData attempts to load signature data for a config file
func loadSignatureData(configPath string) ([]byte, bool, error) {
        sigPath := configPath + ".sig"
        if _, err := os.Stat(sigPath); err != nil {
                return nil, false, nil // No signature file
        }

        signature, err := LoadSignatureFromFile(sigPath)
        if err != nil {
                return nil, false, fmt.Errorf("failed to load signature for %s: %w", configPath, err)
        }

        return signature, true, nil
}

// verifyConfigSignature verifies the signature of a security config
func verifyConfigSignature(configData []byte, signature []byte, config *SecurityConfig, path string) error {
        if config.Signature == nil {
                return fmt.Errorf("signature file exists but config has no signature metadata in %s", path)
        }

        // Load the public key for verification
        publicKey, err := LoadPublicKey(config.Signature.KeyID)
        if err != nil {
                return fmt.Errorf("failed to load public key for verification of %s: %w", path, err)
        }

        // Verify the signature
        if err := VerifySignature(configData, signature, publicKey); err != nil {
                return fmt.Errorf("signature verification failed for %s: %w", path, err)
        }

        return nil
}

// validateConfigFilePermissions validates file permissions if enforcement is enabled
func validateConfigFilePermissions(config *SecurityConfig, path string) error {
        if config.Enforcement == nil || !config.Enforcement.EnforceFilePermissions || config.FilePermissions == nil {
                return nil // No validation needed
        }

        configFile := &SecurityConfigFile{
                Path:   path,
                Type:   DetermineSecurityFileType(path),
                Exists: true,
        }

        permResult, err := ValidateFilePermissions(configFile, config.FilePermissions)
        if err != nil {
                return fmt.Errorf("failed to validate file permissions for %s: %w", path, err)
        }

        if !permResult.Valid {
                issues := append(permResult.Issues, permResult.ParentDirIssues...)
                return fmt.Errorf("file permission validation failed for %s: %v", path, issues)
        }

        return nil
}

func LoadSecurityConfigFromFile(path string) (*SecurityConfig, error) {
        // Read the configuration file
        configData, err := os.ReadFile(path)
        if err != nil {
                return nil, fmt.Errorf("failed to read security config file %s: %w", path, err)
        }

        // Load signature data if available
        signature, isSigned, err := loadSignatureData(path)
        if err != nil {
                return nil, err
        }

        // Parse the YAML configuration
        var config SecurityConfig
        if err := yaml.Unmarshal(configData, &config); err != nil {
                return nil, fmt.Errorf("failed to parse security config YAML from %s: %w", path, err)
        }

        // Set basic metadata
        config.SourceFile = path
        config.IsSigned = isSigned
        if config.Version == 0 {
                config.Version = 1 // Default to version 1 if not specified
        }

        // Handle signature verification
        if isSigned {
                if err := verifyConfigSignature(configData, signature, &config, path); err != nil {
                        return nil, err
                }
                config.Source = "signed"
        } else {
                config.Source = "unsigned"
        }

        // Validate file permissions if required
        if err := validateConfigFilePermissions(&config, path); err != nil {
                return nil, err
        }

        return &config, nil
}

// BuildSecurityConfigWithPrecedence implements the enhanced precedence system
// Precedence order (highest to lowest):
// 1. 🔒 Signed Security Config Files (tamper-proof, highest)
// 2. ⚡ CLI flags (high precedence when no signed config)
// 3. 🌍 Environment variables (system-level control)
// 4. 📄 Unsigned Security Config Files (lower to prevent bypass)
// 5. 🔓 No restrictions (backward compatibility)
func BuildSecurityConfigWithPrecedence(cliAllowed []string, cliDenied []string, cliStrict bool) (*SecurityConfig, error) {
        // Discover available security config files
        configFiles, err := DiscoverSecurityConfigs()
        if err != nil {
                return nil, fmt.Errorf("failed to discover security config files: %w", err)
        }

        // Separate signed and unsigned files
        var signedConfigs []*SecurityConfig
        var unsignedConfigs []*SecurityConfig

        for _, configFile := range configFiles {
                if !configFile.Exists || !configFile.Readable {
                        continue
                }

                config, err := LoadSecurityConfigFromFile(configFile.Path)
                if err != nil {
                        // Log error but continue with other configs for resilience
                        log.Debugf("Failed to load security config from %s: %v", configFile.Path, err)
                        continue
                }

                if config.IsSigned {
                        signedConfigs = append(signedConfigs, config)
                } else {
                        unsignedConfigs = append(unsignedConfigs, config)
                }
        }

        // 1. Check for signed configurations first (highest precedence)
        if len(signedConfigs) > 0 {
                // Use the first signed config (they were discovered in precedence order)
                // Signed configs cannot be overridden - they represent the highest authority
                return signedConfigs[0], nil
        }

        // 2. CLI flags (high precedence when no signed config exists)
        if len(cliAllowed) > 0 || len(cliDenied) > 0 || cliStrict {
                cliConfig := &SecurityConfig{
                        AllowedHosts: cliAllowed,
                        DeniedHosts:  cliDenied,
                        StrictMode:   cliStrict,
                        Source:       "cli",
                        Version:      1,
                }

                return cliConfig, nil
        }

        // 3. Environment variables (system-level control)
        envConfig := LoadSecurityConfigFromEnv()
        if envConfig.Source != "none" {
                return envConfig, nil
        }

        // 4. Unsigned config files (lower precedence to prevent bypass)
        if len(unsignedConfigs) > 0 {
                return unsignedConfigs[0], nil
        }

        // 5. No restrictions (backward compatibility)
        return &SecurityConfig{
                Source:  "none",
                Version: 1,
        }, nil
}

// BuildSecurityConfigWithFiles implements the original precedence system for backward compatibility
// Precedence order (highest to lowest):
// 1. Signed Security Config Files (tamper-proof, highest)
// 2. CLI flags (high precedence when no signed config)
// 3. Environment variables (system-level control)
// 4. Unsigned Security Config Files (lower to prevent bypass)
// 5. No restrictions (backward compatibility)
func BuildSecurityConfigWithFiles(cliAllowed []string, cliDenied []string, cliStrict bool) (*SecurityConfig, error) {
        return BuildSecurityConfigWithPrecedence(cliAllowed, cliDenied, cliStrict)
}

// MergeSecurityConfigs merges multiple security configurations with precedence rules
// Higher precedence configs override lower precedence ones for specific fields
// copyStringSlice creates a copy of a string slice
func copyStringSlice(src []string) []string {
        if len(src) == 0 {
                return nil
        }
        dst := make([]string, len(src))
        copy(dst, src)
        return dst
}

// createBaseConfig creates the initial merged config from the first configuration
func createBaseConfig(baseConfig *SecurityConfig) *SecurityConfig {
        return &SecurityConfig{
                AllowedHosts:    copyStringSlice(baseConfig.AllowedHosts),
                DeniedHosts:     copyStringSlice(baseConfig.DeniedHosts),
                StrictMode:      baseConfig.StrictMode,
                Source:          baseConfig.Source,
                SourceFile:      baseConfig.SourceFile,
                IsSigned:        baseConfig.IsSigned,
                Signature:       baseConfig.Signature,
                Enforcement:     baseConfig.Enforcement,
                FilePermissions: baseConfig.FilePermissions,
                Metadata:        baseConfig.Metadata,
                Version:         baseConfig.Version,
        }
}

// mergeConfigOverrides applies a config's overrides to the merged result
func mergeConfigOverrides(merged *SecurityConfig, override *SecurityConfig) {
        // Override host lists if provided
        if len(override.AllowedHosts) > 0 {
                merged.AllowedHosts = copyStringSlice(override.AllowedHosts)
        }
        if len(override.DeniedHosts) > 0 {
                merged.DeniedHosts = copyStringSlice(override.DeniedHosts)
        }

        // Always override boolean and core fields
        merged.StrictMode = override.StrictMode
        merged.Source = override.Source

        // Override optional fields if present
        if override.SourceFile != "" {
                merged.SourceFile = override.SourceFile
        }
        if override.IsSigned {
                merged.IsSigned = override.IsSigned
        }
        if override.Signature != nil {
                merged.Signature = override.Signature
        }
        if override.Enforcement != nil {
                merged.Enforcement = override.Enforcement
        }
        if override.FilePermissions != nil {
                merged.FilePermissions = override.FilePermissions
        }
        if override.Metadata != nil {
                merged.Metadata = override.Metadata
        }
        if override.Version > 0 {
                merged.Version = override.Version
        }
}

func MergeSecurityConfigs(configs ...*SecurityConfig) *SecurityConfig {
        if len(configs) == 0 {
                return &SecurityConfig{
                        Source:  "none",
                        Version: 1,
                }
        }

        // Create base configuration from first config
        merged := createBaseConfig(configs[0])

        // Apply subsequent configs with precedence rules
        for i := 1; i < len(configs); i++ {
                mergeConfigOverrides(merged, configs[i])
        }

        return merged
}

// GetSecurityConfigPrecedenceInfo returns detailed information about the effective configuration precedence
// loadFileBasedConfigs discovers and loads file-based security configurations
func loadFileBasedConfigs() (map[string]*SecurityConfig, error) {
        sources := make(map[string]*SecurityConfig)

        configFiles, err := DiscoverSecurityConfigs()
        if err != nil {
                return nil, fmt.Errorf("failed to discover security config files: %w", err)
        }

        for _, configFile := range configFiles {
                if !configFile.Exists || !configFile.Readable {
                        continue
                }

                config, err := LoadSecurityConfigFromFile(configFile.Path)
                if err != nil {
                        continue
                }

                if config.IsSigned {
                        sources["signed"] = config
                        break // Use first signed config found
                } else {
                        if sources["unsigned"] == nil {
                                sources["unsigned"] = config
                        }
                }
        }

        return sources, nil
}

// createCLIConfig creates a security config from CLI arguments if any are provided
func createCLIConfig(cliAllowed []string, cliDenied []string, cliStrict bool) *SecurityConfig {
        if len(cliAllowed) > 0 || len(cliDenied) > 0 || cliStrict {
                return &SecurityConfig{
                        AllowedHosts: cliAllowed,
                        DeniedHosts:  cliDenied,
                        StrictMode:   cliStrict,
                        Source:       "cli",
                        Version:      1,
                }
        }
        return nil
}

// determineEffectiveConfig applies precedence rules to determine the active config
func determineEffectiveConfig(sources map[string]*SecurityConfig) (*SecurityConfig, string) {
        // Apply precedence rules: signed > cli > env > unsigned > none
        if sources["signed"] != nil {
                return sources["signed"], "signed"
        }
        if sources["cli"] != nil {
                return sources["cli"], "cli"
        }
        if sources["env"] != nil {
                return sources["env"], "env"
        }
        if sources["unsigned"] != nil {
                return sources["unsigned"], "unsigned"
        }

        // Default fallback
        return &SecurityConfig{
                Source:  "none",
                Version: 1,
        }, "none"
}

func GetSecurityConfigPrecedenceInfo(cliAllowed []string, cliDenied []string, cliStrict bool) (*SecurityConfigPrecedenceInfo, error) {
        info := &SecurityConfigPrecedenceInfo{
                Sources: make(map[string]*SecurityConfig),
        }

        // Load file-based configurations
        fileSources, err := loadFileBasedConfigs()
        if err != nil {
                return nil, err
        }

        // Merge file sources into info
        for key, config := range fileSources {
                info.Sources[key] = config
        }

        // Add CLI config if provided
        if cliConfig := createCLIConfig(cliAllowed, cliDenied, cliStrict); cliConfig != nil {
                info.Sources["cli"] = cliConfig
        }

        // Add environment config if available
        envConfig := LoadSecurityConfigFromEnv()
        if envConfig.Source != "none" {
                info.Sources["env"] = envConfig
        }

        // Determine effective configuration
        info.EffectiveConfig, info.EffectiveSource = determineEffectiveConfig(info.Sources)

        return info, nil
}

// SecurityConfigPrecedenceInfo provides detailed information about configuration precedence
type SecurityConfigPrecedenceInfo struct {
        Sources         map[string]*SecurityConfig
        EffectiveConfig *SecurityConfig
        EffectiveSource string
} // LoadSecurityConfigFromEnv loads security configuration from environment variables.
// Environment variables used:
//   - DUCK_ALLOWED_HOSTS: comma-separated list of allowed hostnames
//   - DUCK_DENIED_HOSTS: comma-separated list of denied hostnames
//   - DUCK_STRICT_MODE: "true" to fail if no restrictions are configured
func LoadSecurityConfigFromEnv() *SecurityConfig {
        cfg := &SecurityConfig{
                Source:  "none",
                Version: 1,
        }

        // Parse DUCK_ALLOWED_HOSTS
        if allowedEnv := strings.TrimSpace(os.Getenv("DUCK_ALLOWED_HOSTS")); allowedEnv != "" {
                cfg.AllowedHosts = parseHostList(allowedEnv)
                cfg.Source = "env"
        }

        // Parse DUCK_DENIED_HOSTS
        if deniedEnv := strings.TrimSpace(os.Getenv("DUCK_DENIED_HOSTS")); deniedEnv != "" {
                cfg.DeniedHosts = parseHostList(deniedEnv)
                cfg.Source = "env"
        }

        // Parse DUCK_STRICT_MODE
        if strictEnv := strings.TrimSpace(os.Getenv("DUCK_STRICT_MODE")); strictEnv != "" {
                cfg.StrictMode = strings.ToLower(strictEnv) == "true"
                if cfg.Source == "none" {
                        cfg.Source = "env"
                }
        }

        return cfg
}

// BuildSecurityConfig creates a security configuration with CLI flag precedence.
// CLI flags override environment variables. Only creates a CLI config when
// meaningful values are provided (non-empty slices or strict mode enabled).
func BuildSecurityConfig(cliAllowed []string, cliDenied []string, cliStrict bool) *SecurityConfig {
        // Only use CLI configuration if meaningful values are provided
        // (non-empty host lists or strict mode explicitly enabled)
        if len(cliAllowed) > 0 || len(cliDenied) > 0 || cliStrict {
                return &SecurityConfig{
                        AllowedHosts: cliAllowed,
                        DeniedHosts:  cliDenied,
                        StrictMode:   cliStrict,
                        Source:       "cli",
                        Version:      1, // Current configuration version
                }
        }

        // No meaningful CLI flags provided - fallback to environment variables
        envConfig := LoadSecurityConfigFromEnv()
        envConfig.Version = 1 // Ensure version is set
        return envConfig
}

// ValidateRepoAccess validates that a repository URL is allowed by the security policy.
// Returns an error if the repository host is denied or not in the allow list.
func ValidateRepoAccess(repoURL string, securityCfg *SecurityConfig) error {
        if securityCfg == nil {
                return fmt.Errorf("security configuration is nil")
        }

        // Extract hostname from repository URL
        host, err := extractHostFromGitURL(repoURL)
        if err != nil {
                return fmt.Errorf("failed to parse repository URL %q: %w", repoURL, err)
        }

        // In strict mode, fail if no restrictions are configured
        if securityCfg.StrictMode && len(securityCfg.AllowedHosts) == 0 && len(securityCfg.DeniedHosts) == 0 {
                return fmt.Errorf("strict mode enabled but no host restrictions configured (source: %s)", securityCfg.Source)
        }

        // Deny list takes precedence - check first
        for _, denied := range securityCfg.DeniedHosts {
                if matchHost(host, denied) {
                        return fmt.Errorf("repository host %q is explicitly denied (source: %s, denied hosts: %v)",
                                host, securityCfg.Source, securityCfg.DeniedHosts)
                }
        }

        // If allow list is configured, host must be in it
        if len(securityCfg.AllowedHosts) > 0 {
                for _, allowed := range securityCfg.AllowedHosts {
                        if matchHost(host, allowed) {
                                return nil // Explicitly allowed
                        }
                }
                return fmt.Errorf("repository host %q is not in allowed hosts %v (source: %s)",
                        host, securityCfg.AllowedHosts, securityCfg.Source)
        }

        // No restrictions configured and not in strict mode - allow all
        return nil
}

// extractHostFromGitURL extracts the hostname from various Git URL formats:
//   - HTTPS: https://github.com/user/repo.git
//   - SSH: git@github.com:user/repo.git
//   - SSH with port: ssh://git@github.com:22/user/repo.git
//   - For testing: simple hostnames like "stub", "local", etc. are returned as-is
//
// parseHTTPSURL extracts hostname from HTTPS/HTTP URLs
func parseHTTPSURL(repoURL string) (string, error) {
        u, err := url.Parse(repoURL)
        if err != nil {
                return "", fmt.Errorf("invalid HTTP(S) URL: %w", err)
        }
        if u.Host == "" {
                return "", fmt.Errorf("no host in HTTP(S) URL")
        }
        return u.Host, nil
}

// parseSSHURL extracts hostname from ssh:// URLs
func parseSSHURL(repoURL string) (string, error) {
        u, err := url.Parse(repoURL)
        if err != nil {
                return "", fmt.Errorf("invalid SSH URL: %w", err)
        }
        if u.Host == "" {
                return "", fmt.Errorf("no host in SSH URL")
        }
        return u.Host, nil
}

// parseSCPStyleURL extracts hostname from SCP-style SSH URLs (git@github.com:user/repo.git)
func parseSCPStyleURL(repoURL string) (string, error) {
        // Split on @ to get user and host:path parts
        parts := strings.SplitN(repoURL, "@", 2)
        if len(parts) != 2 {
                return "", fmt.Errorf("invalid SCP-style SSH URL format")
        }

        // Split host:path part on first colon
        hostPart := strings.SplitN(parts[1], ":", 2)
        if len(hostPart) != 2 {
                return "", fmt.Errorf("invalid SCP-style SSH URL format: missing colon after host")
        }

        host := strings.TrimSpace(hostPart[0])
        if host == "" {
                return "", fmt.Errorf("empty hostname in SCP-style SSH URL")
        }

        return host, nil
}

func extractHostFromGitURL(repoURL string) (string, error) {
        repoURL = strings.TrimSpace(repoURL)
        if repoURL == "" {
                return "", fmt.Errorf("empty repository URL")
        }

        // For testing: allow simple hostnames/stub URLs
        if !strings.Contains(repoURL, "://") && !strings.Contains(repoURL, "@") {
                // Simple hostname like "stub", "local", "r1", etc. used in tests
                return repoURL, nil
        }

        // Handle HTTPS/HTTP URLs
        if strings.HasPrefix(repoURL, "https://") || strings.HasPrefix(repoURL, "http://") {
                return parseHTTPSURL(repoURL)
        }

        // Handle SSH URLs with ssh:// scheme
        if strings.HasPrefix(repoURL, "ssh://") {
                return parseSSHURL(repoURL)
        }

        // Handle SCP-style SSH URLs: git@github.com:user/repo.git
        if strings.Contains(repoURL, "@") && strings.Contains(repoURL, ":") {
                return parseSCPStyleURL(repoURL)
        }

        return "", fmt.Errorf("unsupported URL format: must be HTTPS, HTTP, ssh://, or SCP-style SSH")
} // matchHost checks if a hostname matches a pattern.
// For now, only exact matches are supported. Future versions could add wildcard support.
func matchHost(host, pattern string) bool {
        return strings.EqualFold(strings.TrimSpace(host), strings.TrimSpace(pattern))
}

// parseHostList parses a comma-separated list of hostnames, trimming whitespace.
func parseHostList(hostList string) []string {
        if hostList == "" {
                return nil
        }

        hosts := strings.Split(hostList, ",")
        result := make([]string, 0, len(hosts))

        for _, host := range hosts {
                if trimmed := strings.TrimSpace(host); trimmed != "" {
                        result = append(result, trimmed)
                }
        }

        return result
}

CyberDuck79 / duckfile / 18097442731

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous