1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
/// Announcement Policy - Repository announcement validation
///
/// Handles validation of NIP-34 repository announcements (kind 30617)
/// according to GRASP-01 specification.
use nostr_relay_builder::prelude::{Alphabet, Event, Filter, Kind, PublicKey, SingleLetterTag};
use super::PolicyContext;
use crate::config::Config;
use crate::nostr::events::{validate_announcement, RepositoryAnnouncement};
/// Result of announcement policy evaluation
#[derive(Debug, Clone, PartialEq)]
pub enum AnnouncementResult {
/// Accept: Event lists our service (GRASP-01 compliant)
Accept,
/// Accept as maintainer: Event accepted via maintainer exception (multi-maintainer)
AcceptMaintainer,
/// Accept as archive: Event accepted via GRASP-05 archive whitelist (read-only)
AcceptArchive,
/// Reject: Event fails validation with reason
Reject(String),
}
/// Policy for validating repository announcements
#[derive(Clone)]
pub struct AnnouncementPolicy {
ctx: PolicyContext,
config: Config,
}
impl AnnouncementPolicy {
pub fn new(ctx: PolicyContext, config: Config) -> Self {
Self { ctx, config }
}
/// Validate a repository announcement event
///
/// Returns `Accept` if the announcement lists the service properly,
/// `AcceptMaintainer` if accepted via maintainer exception,
/// `AcceptArchive` if accepted via GRASP-05 archive config,
/// or `Reject` with reason.
pub async fn validate(&self, event: &Event) -> AnnouncementResult {
// First, try validation (GRASP-01 + GRASP-05)
let validation_result = validate_announcement(event, &self.config);
match validation_result {
AnnouncementResult::Reject(reason) => {
// Validation failed - check maintainer exception
// GRASP-01 Exception: Accept announcements from recursive maintainers
match RepositoryAnnouncement::from_event(event.clone()) {
Ok(announcement) => {
match self
.is_maintainer_in_any_announcement(
&announcement.identifier,
&event.pubkey,
)
.await
{
Ok(true) => AnnouncementResult::AcceptMaintainer,
Ok(false) => AnnouncementResult::Reject(reason),
Err(_) => {
// Fail-secure: reject on database errors
AnnouncementResult::Reject(reason)
}
}
}
Err(_) => AnnouncementResult::Reject(reason),
}
}
// Accept, AcceptArchive, or AcceptMaintainer - return as-is
result => result,
}
}
/// Create a bare git repository if it doesn't exist
/// Path format: <git_data_path>/<npub>/<identifier>.git
pub fn ensure_bare_repository(
&self,
announcement: &RepositoryAnnouncement,
) -> Result<(), String> {
let repo_path = self.ctx.git_data_path.join(announcement.repo_path());
// Check if repository already exists
if repo_path.exists() {
tracing::debug!("Repository already exists at {}", repo_path.display());
return Ok(());
}
// Create parent directory (npub directory)
let parent = repo_path
.parent()
.ok_or_else(|| format!("Invalid repository path: {}", repo_path.display()))?;
std::fs::create_dir_all(parent)
.map_err(|e| format!("Failed to create directory {}: {}", parent.display(), e))?;
// Initialize bare repository using git command
let output = std::process::Command::new("git")
.args(["init", "--bare", repo_path.to_str().unwrap()])
.output()
.map_err(|e| format!("Failed to execute git init: {}", e))?;
if !output.status.success() {
let stderr = String::from_utf8_lossy(&output.stderr);
return Err(format!("git init failed: {}", stderr));
}
tracing::info!("Created bare repository at {}", repo_path.display());
Ok(())
}
/// Check if a pubkey is listed as a maintainer in any announcement for this identifier
///
/// A pubkey is considered a maintainer if:
/// 1. They are the owner (pubkey) of an accepted announcement with this identifier, OR
/// 2. They are listed in the maintainers tag of ANY announcement with this identifier
///
/// This enables accepting announcements from maintainers even when they don't list
/// this GRASP server, for maintainer chain discovery and GRASP-02 sync.
async fn is_maintainer_in_any_announcement(
&self,
identifier: &str,
author: &PublicKey,
) -> Result<bool, String> {
// Query all announcements with this identifier that are already in the database
let filter = Filter::new().kind(Kind::GitRepoAnnouncement).custom_tag(
SingleLetterTag::lowercase(Alphabet::D),
identifier.to_string(),
);
let announcements: Vec<Event> = match self.ctx.database.query(filter).await {
Ok(events) => events.into_iter().collect(),
Err(e) => return Err(format!("Database query failed: {}", e)),
};
if announcements.is_empty() {
// No existing announcements for this identifier - author cannot be a maintainer
return Ok(false);
}
let author_hex = author.to_hex();
// Check each announcement to see if author is listed as a maintainer
for event in &announcements {
// Check if author is the owner of this announcement
if event.pubkey == *author {
return Ok(true);
}
// Check if author is listed in the maintainers tag
if let Ok(announcement) = RepositoryAnnouncement::from_event(event.clone()) {
if announcement.maintainers.contains(&author_hex) {
return Ok(true);
}
}
}
Ok(false)
}
}
|