tenseleyflow/shithub / cda85ba

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	org, ok := h.resolveAPIOrg(w, r, chi.URLParam(r, "org"))

+	if !ok {

+		return

+	}

+	if !h.requireAPIOrgOwner(w, r, org) {

+	if !h.requireAPIOrgOwner(w, r, org) {

+		return

+	}

+	if !h.requireAPIOrgOwner(w, r, org) {

+		return

+	}

+	if !h.requireAPIOrgOwner(w, r, org) {

+		return

+	}

+	if !h.requireOrgFeature(w, r, org, entitlements.FeatureOrgActionsSecrets, "Organization Actions secrets") {

+		return

+	}

+	if !h.requireAPIOrgOwner(w, r, org) {

+		return

+	}

+	"strconv"

+	"time"

+	"github.com/tenseleyFlow/shithub/internal/billing"

+	"github.com/tenseleyFlow/shithub/internal/orgs"

+func (e *secretsTestEnv) seedOrg(t *testing.T, slug string) int64 {

+	t.Helper()

+	org, err := orgs.Create(context.Background(), orgs.Deps{Pool: e.pool}, orgs.CreateParams{

+		Slug:            slug,

+		DisplayName:     slug,

+		CreatedByUserID: e.userID,

+	})

+	if err != nil {

+		t.Fatalf("create org: %v", err)

+	}

+	return org.ID

+}

+

+func (e *secretsTestEnv) activateTeamPlan(t *testing.T, orgID int64) {

+	t.Helper()

+	now := time.Now().UTC().Truncate(time.Second)

+	_, err := billing.ApplySubscriptionSnapshot(context.Background(), billing.Deps{Pool: e.pool}, billing.SubscriptionSnapshot{

+		OrgID:                    orgID,

+		Plan:                     billing.PlanTeam,

+		Status:                   billing.SubscriptionStatusActive,

+		StripeSubscriptionID:     "sub_api_actions_" + strconv.FormatInt(orgID, 10),

+		StripeSubscriptionItemID: "si_api_actions_" + strconv.FormatInt(orgID, 10),

+		CurrentPeriodStart:       now,

+		CurrentPeriodEnd:         now.Add(30 * 24 * time.Hour),

+		LastWebhookEventID:       "evt_api_actions_" + strconv.FormatInt(orgID, 10),

+	})

+	if err != nil {

+		t.Fatalf("activate team plan: %v", err)

+	}

+}

+

+func (e *secretsTestEnv) encryptedSecretBody(t *testing.T) []byte {

+	t.Helper()

+	pubReq := httptest.NewRequest(http.MethodGet, "/api/v1/repos/alice/demo/actions/secrets/public-key", nil)

+	pubReq.Header.Set("Authorization", "Bearer "+e.tokenRO)

+	pubRR := httptest.NewRecorder()

+	e.router.ServeHTTP(pubRR, pubReq)

+	if pubRR.Code != http.StatusOK {

+		t.Fatalf("public key status: got %d; body=%s", pubRR.Code, pubRR.Body.String())

+	}

+	var pk apiSecretsPublicKey

+	if err := json.Unmarshal(pubRR.Body.Bytes(), &pk); err != nil {

+		t.Fatalf("decode public key: %v", err)

+	}

+	pubBytes, err := base64.StdEncoding.DecodeString(pk.Key)

+	if err != nil {

+		t.Fatalf("decode public key bytes: %v", err)

+	}

+	var pubKey [32]byte

+	copy(pubKey[:], pubBytes)

+

+	sealed, err := box.SealAnonymous(nil, []byte("org-secret-value"), &pubKey, rand.Reader)

+	if err != nil {

+		t.Fatalf("SealAnonymous: %v", err)

+	}

+	body, _ := json.Marshal(map[string]string{

+		"encrypted_value": base64.StdEncoding.EncodeToString(sealed),

+		"key_id":          pk.KeyID,

+	})

+	return body

+}

+

+

+func TestActionsSecrets_OrgPutRequiresTeamEntitlement(t *testing.T) {

+	env := newSecretsTestEnv(t)

+	orgID := env.seedOrg(t, "acme")

+	body := env.encryptedSecretBody(t)

+

+	req := httptest.NewRequest(http.MethodPut, "/api/v1/orgs/acme/actions/secrets/MY_TOKEN", bytes.NewReader(body))

+	req.Header.Set("Authorization", "Bearer "+env.tokenRW)

+	req.Header.Set("Content-Type", "application/json")

+	rr := httptest.NewRecorder()

+	env.router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusPaymentRequired {

+		t.Fatalf("free org PUT: got %d, want 402; body=%s", rr.Code, rr.Body.String())

+	}

+	var count int

+	if err := env.pool.QueryRow(context.Background(), `SELECT count(*) FROM workflow_secrets WHERE org_id = $1`, orgID).Scan(&count); err != nil {

+		t.Fatalf("count org secrets: %v", err)

+	}

+	if count != 0 {

+		t.Fatalf("free org secret count=%d, want 0", count)

+	}

+

+	env.activateTeamPlan(t, orgID)

+	req = httptest.NewRequest(http.MethodPut, "/api/v1/orgs/acme/actions/secrets/MY_TOKEN", bytes.NewReader(body))

+	req.Header.Set("Authorization", "Bearer "+env.tokenRW)

+	req.Header.Set("Content-Type", "application/json")

+	rr = httptest.NewRecorder()

+	env.router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusNoContent {

+		t.Fatalf("team org PUT: got %d, want 204; body=%s", rr.Code, rr.Body.String())

+	}

+}

+

+func TestActionsSecrets_OrgDeleteAllowedWithoutTeamEntitlement(t *testing.T) {

+	env := newSecretsTestEnv(t)

+	orgID := env.seedOrg(t, "acme")

+	if err := (secrets.Deps{Pool: env.pool, Box: env.secretBox}).Set(context.Background(), secrets.OrgScope(orgID), "OLD_TOKEN", []byte("legacy"), env.userID); err != nil {

+		t.Fatalf("seed org secret: %v", err)

+	}

+

+	req := httptest.NewRequest(http.MethodDelete, "/api/v1/orgs/acme/actions/secrets/OLD_TOKEN", nil)

+	req.Header.Set("Authorization", "Bearer "+env.tokenRW)

+	rr := httptest.NewRecorder()

+	env.router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusNoContent {

+		t.Fatalf("delete: got %d, want 204; body=%s", rr.Code, rr.Body.String())

+	}

+}

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	if !h.requireAPIOrgOwner(w, r, org) {

+		return

+	}

+	if !h.requireAPIOrgOwner(w, r, org) {

+		return

+	}

+	if !h.requireAPIOrgOwner(w, r, org) {

+		return

+	}

+	if !h.requireOrgFeature(w, r, org, entitlements.FeatureOrgActionsVariables, "Organization Actions variables") {

+		return

+	}

+	if !h.requireAPIOrgOwner(w, r, org) {

+		return

+	}

+	if !h.requireOrgFeature(w, r, org, entitlements.FeatureOrgActionsVariables, "Organization Actions variables") {

+		return

+	}

+	if !h.requireAPIOrgOwner(w, r, org) {

+		return

+	}

+	"context"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/variables"

+

+func TestActionsVariables_OrgWritesRequireTeamEntitlement(t *testing.T) {

+	env := newSecretsTestEnv(t)

+	orgID := env.seedOrg(t, "acme")

+

+	body, _ := json.Marshal(map[string]string{"name": "API_URL", "value": "https://api.example"})

+	req := httptest.NewRequest(http.MethodPost, "/api/v1/orgs/acme/actions/variables", bytes.NewReader(body))

+	req.Header.Set("Authorization", "Bearer "+env.tokenRW)

+	req.Header.Set("Content-Type", "application/json")

+	rr := httptest.NewRecorder()

+	env.router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusPaymentRequired {

+		t.Fatalf("free org create: got %d, want 402; body=%s", rr.Code, rr.Body.String())

+	}

+	var count int

+	if err := env.pool.QueryRow(context.Background(), `SELECT count(*) FROM actions_variables WHERE org_id = $1`, orgID).Scan(&count); err != nil {

+		t.Fatalf("count org variables: %v", err)

+	}

+	if count != 0 {

+		t.Fatalf("free org variable count=%d, want 0", count)

+	}

+

+	env.activateTeamPlan(t, orgID)

+	req = httptest.NewRequest(http.MethodPost, "/api/v1/orgs/acme/actions/variables", bytes.NewReader(body))

+	req.Header.Set("Authorization", "Bearer "+env.tokenRW)

+	req.Header.Set("Content-Type", "application/json")

+	rr = httptest.NewRecorder()

+	env.router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusCreated {

+		t.Fatalf("team org create: got %d, want 201; body=%s", rr.Code, rr.Body.String())

+	}

+}

+

+func TestActionsVariables_OrgUpdateBlockedButDeleteAllowedWithoutTeam(t *testing.T) {

+	env := newSecretsTestEnv(t)

+	orgID := env.seedOrg(t, "acme")

+	if err := (variables.Deps{Pool: env.pool}).Set(context.Background(), variables.OrgScope(orgID), "API_URL", "https://api.example", env.userID); err != nil {

+		t.Fatalf("seed org variable: %v", err)

+	}

+

+	updateBody, _ := json.Marshal(map[string]string{"value": "https://api.example/v2"})

+	req := httptest.NewRequest(http.MethodPatch, "/api/v1/orgs/acme/actions/variables/API_URL", bytes.NewReader(updateBody))

+	req.Header.Set("Authorization", "Bearer "+env.tokenRW)

+	req.Header.Set("Content-Type", "application/json")

+	rr := httptest.NewRecorder()

+	env.router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusPaymentRequired {

+		t.Fatalf("free org update: got %d, want 402; body=%s", rr.Code, rr.Body.String())

+	}

+

+	req = httptest.NewRequest(http.MethodDelete, "/api/v1/orgs/acme/actions/variables/API_URL", nil)

+	req.Header.Set("Authorization", "Bearer "+env.tokenRW)

+	rr = httptest.NewRecorder()

+	env.router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusNoContent {

+		t.Fatalf("free org delete: got %d, want 204; body=%s", rr.Code, rr.Body.String())

+	}

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package api

+

+import (

+	"net/http"

+

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	"github.com/tenseleyFlow/shithub/internal/orgs"

+	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+func (h *Handlers) requireAPIOrgOwner(w http.ResponseWriter, r *http.Request, org orgsdb.Org) bool {

+	auth := middleware.PATAuthFromContext(r.Context())

+	if auth.UserID == 0 {

+		writeAPIError(w, http.StatusUnauthorized, "unauthenticated")

+		return false

+	}

+	if auth.IsSuspended {

+		writeAPIError(w, http.StatusForbidden, "account is suspended")

+		return false

+	}

+	if auth.IsSiteAdmin {

+		return true

+	}

+

+	odeps := orgs.Deps{Pool: h.d.Pool, Logger: h.d.Logger}

+	isMember, err := orgs.IsMember(r.Context(), odeps, org.ID, auth.UserID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "api: org member check", "org_id", org.ID, "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "authorization failed")

+		return false

+	}

+	if !isMember {

+		writeAPIError(w, http.StatusNotFound, "org not found")

+		return false

+	}

+

+	isOwner, err := orgs.IsOwner(r.Context(), odeps, org.ID, auth.UserID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "api: org owner check", "org_id", org.ID, "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "authorization failed")

+		return false

+	}

+	if !isOwner {

+		writeAPIError(w, http.StatusForbidden, "organization owner access required")

+		return false

+	}

+	return true

+}

+

+func (h *Handlers) requireOrgFeature(w http.ResponseWriter, r *http.Request, org orgsdb.Org, feature entitlements.Feature, label string) bool {

+	decision, err := entitlements.CheckOrgFeature(r.Context(), entitlements.Deps{Pool: h.d.Pool}, org.ID, feature)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "api: org entitlement check", "org_id", org.ID, "feature", feature, "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "entitlement check failed")

+		return false

+	}

+	if !decision.Allowed {

+		banner := decision.UpgradeBanner(label, org.Slug)

+		writeAPIError(w, banner.StatusCode, banner.Message)

+		return false

+	}

+	return true

+}