authorMax Resnick <max@ofmax.li>2024-04-15 22:23:59 -0700
committerMax Resnick <max@ofmax.li>2024-04-20 22:07:25 -0700
commit948a7398906cb8aba21b5538f7b6906a6aa1df96 (patch)
tree956498d304897f3856d028a87e48b8454b2dbc00 /internal
parent506cef4bb4cc2cfa1eb1bdf9390706f6b35bff70 (diff)
feat: readonly fs support, policy built in temp
Diffstat (limited to 'internal')
-rw-r--r--internal/admin/model.go21
-rw-r--r--internal/admin/model_test.go25
-rw-r--r--internal/admin/service.go6
-rw-r--r--internal/admin/service_test.go30
4 files changed, 70 insertions, 12 deletions
diff --git a/internal/admin/model.go b/internal/admin/model.go
index fef73ca..ee65045 100644
--- a/internal/admin/model.go
+++ b/internal/admin/model.go
@@ -127,6 +127,27 @@ func loadLocalFile(path string) ([]byte, error) {
return configBytes, nil
}
+// setupPolicyFile
+func setupPolicyFile(src string) (string, error) {
+ workingPolicyFile, err := os.CreateTemp("", "go-git-server-policy")
+ if err != nil {
+ return "", fmt.Errorf("coudn't read base policy %w", err)
+ }
+ defer workingPolicyFile.Close()
+ basePolicy, err := os.ReadFile(src)
+ if err != nil {
+ return "", fmt.Errorf("coudn't read base policy %w", err)
+ }
+ written, err := workingPolicyFile.Write(basePolicy)
+ if err != nil {
+ return "", fmt.Errorf("encountered error writting policy %w", err)
+ }
+ if written == 0 {
+ return "", fmt.Errorf("nothing was written")
+ }
+ return workingPolicyFile.Name(), nil
+}
+
// loadServerConfig configPath should be the absolutepath to the configmap if it's not in a repo
func loadServerConfig(mgmtRepo bool, baseDir, configPath string) (*ServerRepos, error) {
var (
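Review bot: Every error return after `os.CreateTemp` in `setupPolicyFile` leaves the temp file on disk, the deferred `Close()` discards its error, and the first `fmt.Errorf` reports "coudn't read base policy" for what is a create failure. Since this file becomes the policy the enforcer loads, a failed write or close should fail the setup instead of handing back a possibly truncated policy. Reading `src` first, removing the temp file on failure and checking `Close()` covers all three. The bare `// setupPolicyFile` comment could also say that the function copies the base policy into a writable temp file and returns that file's path. The `written == 0` check additionally rejects an empty base policy, which may or may not be intended.

```go
func setupPolicyFile(src string) (string, error) {
	// read first so an unreadable src never creates a temp file
	basePolicy, err := os.ReadFile(src)
	if err != nil {
		return "", fmt.Errorf("couldn't read base policy %w", err)
	}
	workingPolicyFile, err := os.CreateTemp("", "go-git-server-policy")
	if err != nil {
		return "", fmt.Errorf("couldn't create working policy file %w", err)
	}
	written, err := workingPolicyFile.Write(basePolicy)
	if closeErr := workingPolicyFile.Close(); err == nil {
		err = closeErr
	}
	if err != nil {
		os.Remove(workingPolicyFile.Name())
		return "", fmt.Errorf("encountered error writing policy %w", err)
	}
	// … unchanged: written == 0 check …
	return workingPolicyFile.Name(), nil
}
```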
diff --git a/internal/admin/model_test.go b/internal/admin/model_test.go
index 6f8531d..b73280a 100644
--- a/internal/admin/model_test.go
+++ b/internal/admin/model_test.go
@@ -328,3 +328,28 @@ bare = true
t.Fatal("expected git export magic to be created, but does not exist")
}
}
+
+func TestSetupPolicyFile(t *testing.T) {
+ tempDir := t.TempDir()
+ fOrig, err := os.Create(filepath.Join(tempDir, "origpolicy.csv"))
+ if err != nil {
+ t.Fatal(err)
+ }
+ testContents := []byte("stuff")
+ _, err = fOrig.Write(testContents)
+ if err != nil {
+ t.Fatal(err)
+ }
+ fOrig.Close()
+ workingPolicy, err := setupPolicyFile(fOrig.Name())
+ if err != nil {
+ t.Fatal(err)
+ }
+ contentBytes, err := os.ReadFile(workingPolicy)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if !bytes.Equal(contentBytes, testContents) {
+ t.Fatalf("found %s expected %s", contentBytes, testContents)
+ }
+}
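Review bot: `TestSetupPolicyFile` never removes the file returned by `setupPolicyFile`, which is created in the system temp directory and not under `t.TempDir()`, so each run leaves a `go-git-server-policy*` file behind. Adding `t.Cleanup(func() { os.Remove(workingPolicy) })` after the error check fixes that. The test would also be stronger if it asserted `workingPolicy != fOrig.Name()` and covered the failure case of a missing `src`, since the point of the change is that the source policy is never written to.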
diff --git a/internal/admin/service.go b/internal/admin/service.go
index 182c153..bcf42f9 100644
--- a/internal/admin/service.go
+++ b/internal/admin/service.go
@@ -63,7 +63,11 @@ func (s *Servicer) InitServer() error {
// NewService create a new admin service, load config, and generate policies
func NewService(modelPath, policyPath, serverConfigPath, reposDir string, mgmtRepo bool) (*Servicer, error) {
- enf, err := casbin.NewSyncedEnforcer(modelPath, policyPath)
+ workingPolicyPath, err := setupPolicyFile(policyPath)
+ if err != nil {
+ return &Servicer{}, err
+ }
+ enf, err := casbin.NewSyncedEnforcer(modelPath, workingPolicyPath)
if err != nil {
return &Servicer{}, fmt.Errorf("Couldn't load the enforcer encountered the following error: %w", err)
}
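Review bot: The error from `setupPolicyFile` is returned bare in `NewService`, while the enforcer error a few lines below is wrapped, and if `casbin.NewSyncedEnforcer` fails the temp file just created is left behind. Wrap it, e.g. `return &Servicer{}, fmt.Errorf("couldn't set up working policy: %w", err)`, and call `os.Remove(workingPolicyPath)` in the enforcer error branch. The enforcer is now bound to a file in the system temp directory, so any policy it saves later presumably goes there and not to `policyPath`. A doc-comment line on `NewService` should say that the working copy is not persisted across restarts and can disappear if the temp directory is cleaned. The body of `NewService` continues outside the hunk.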
diff --git a/internal/admin/service_test.go b/internal/admin/service_test.go
index bbdab85..13a0007 100644
--- a/internal/admin/service_test.go
+++ b/internal/admin/service_test.go
@@ -5,7 +5,6 @@ import (
"log"
"os"
"path/filepath"
- "strings"
"testing"
)
@@ -97,12 +96,16 @@ func TestInitServer(t *testing.T) {
// stuff
svc.Reload()
// check policy file to make sure it was saved
- data, err := os.ReadFile(destPolicyFile)
- if err != nil {
- t.Fatal(err)
+ expectedPolicies := [][]string{
+ {"role:maintainers", "/thisismynewrepo/info/refs", "GET"},
+ {"role:maintainers", "/thisismynewrepo/git-upload-pack", "POST"},
+ {"role:maintainers", "/thisismynewrepo/git-receive-pack", "POST"},
}
- if !strings.Contains(string(data), "thisismynewrepo") {
- t.Fatal("expected to find test new repo but didn't")
+ for _, policy := range expectedPolicies {
+ if !svc.HasPolicy(policy[0], policy[1], policy[2]) {
+ t.Log("policy not found", policy)
+ t.Fail()
+ }
}
})
t.Run("test reload config err", func(t *testing.T) {
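Review bot: The comment `// check policy file to make sure it was saved` no longer matches the assertion, which now queries the in-memory enforcer through `svc.HasPolicy` and never reads a file; the same applies to `// check policy file to make sure it wasn't saved` in the next hunk (`test reload config err`). Something like `// check the enforcer holds the policies for the new repo` would fit. `t.Log(...)` followed by `t.Fail()` can be the single call `t.Errorf("policy not found: %v", policy)` in both loops. With the file read gone, nothing in these subtests checks that the policy is persisted, so if that still matters it needs its own test.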
@@ -121,12 +124,16 @@ func TestInitServer(t *testing.T) {
// stuff
svc.Reload()
// check policy file to make sure it wasn't saved
- data, err := os.ReadFile(destPolicyFile)
- if err != nil {
- log.Fatal(err)
+ expectedPolicies := [][]string{
+ {"role:admin", "/mgmt/info/refs", "GET"},
+ {"role:admin", "/mgmt/git-upload-pack", "POST"},
+ {"role:admin", "/mgmt/git-receive-pack", "POST"},
}
- if !strings.Contains(string(data), "mgmt") {
- log.Fatal("expected to mgmt repo but didn't in policy")
+ for _, policy := range expectedPolicies {
+ if !svc.HasPolicy(policy[0], policy[1], policy[2]) {
+ t.Log("policy not found", policy)
+ t.Fail()
+ }
}
})
t.Run("test an unitialized server config", func(t *testing.T) {
@@ -139,6 +146,7 @@ func TestInitServer(t *testing.T) {
true)
if svc.Conf.Name != "default config" {
log.Fatalf("found %s expected 'default config'", svc.Conf.Name)
+ t.Fail()
}
})
}
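Review bot: The added `t.Fail()` is unreachable, because `log.Fatalf` on the line above exits the process before it runs, so a mismatch still aborts the whole test binary instead of failing only this subtest. Replace both lines with `t.Fatalf("found %s expected 'default config'", svc.Conf.Name)`.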