From 023838345ddb751e3b7143e87f0c123fc2703eac Mon Sep 17 00:00:00 2001
From: tjpcc
Date: Fri, 8 Sep 2023 14:54:56 -0600
Subject: support an env var for allowlisting uploaders by cert fingerprint

---
 routes.go | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

(limited to 'routes.go')

diff --git a/routes.go b/routes.go
index 59e6ff4..0683924 100644
--- a/routes.go
+++ b/routes.go
@@ -2,7 +2,11 @@ package main
 
 import (
 	"context"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/hex"
 	"os"
+	"sort"
 	"strings"
 
 	sr "tildegit.org/tjp/sliderule"
@@ -20,7 +24,7 @@ func geminiRouter(conf config) sr.Handler {
 	router.Route(
 		"/*",
 		gemini.GeminiOnly(true)(sr.FallthroughHandler(
-			fs.TitanUpload(tlsauth.Allow, conf.geminiRoot)(postUploadRedirect),
+			fs.TitanUpload(tlsAuth(conf.uploaderFingerprints), conf.geminiRoot)(postUploadRedirect),
 			fs.GeminiFileHandler(fsys),
 			fs.GeminiDirectoryDefault(fsys, "index.gmi"),
 			fs.GeminiDirectoryListing(fsys, nil),
@@ -41,3 +45,24 @@ var postUploadRedirect = sr.HandlerFunc(func(ctx context.Context, request *sr.Re
 	u.Scheme = "gemini"
 	return gemini.Redirect(u.String())
 })
+
+func tlsAuth(uploaders []string) tlsauth.Approver {
+	sort.Strings(uploaders)
+
+	return func(cert *x509.Certificate) bool {
+		raw := sha256.Sum256(cert.Raw)
+		user := hex.EncodeToString(raw[:])
+
+		_, found := sort.Find(len(uploaders), func(i int) int {
+			switch {
+			case uploaders[i] < user:
+				return 1
+			case uploaders[i] == user:
+				return 0
+			default:
+				return -1
+			}
+		})
+		return found
+	}
+}
-- 
cgit v1.2.3
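Review bot: In the new tlsAuth function (third hunk) the configured fingerprints are compared byte-for-byte against hex.EncodeToString output, which is always lowercase and colon-free, so an allowlist entry pasted in the common "AB:CD:…" or upper-case form will never match and the uploader is silently denied, which is hard to diagnose from the outside. I would normalize the list once (trim, strip colons, lowercase) before sorting, and do it on a copy, because `sort.Strings(uploaders)` currently reorders the caller's conf.uploaderFingerprints slice in place; the closure's sort.Find then searches the normalized copy instead of uploaders. The deny-by-default behaviour for an empty list is correct and worth keeping. The function also lacks a doc comment; something like `// tlsAuth returns an Approver that accepts a client cert only if the hex SHA-256 of its DER bytes is in uploaders.` would document the fingerprint format callers must supply. I cannot see how conf.uploaderFingerprints is parsed from the env var, so whether whitespace or empty entries can arrive is an assumption.
```go
func tlsAuth(uploaders []string) tlsauth.Approver {
	// Normalize once so "AB:CD:..." or upper-case entries still match the
	// lowercase, colon-free form hex.EncodeToString produces; work on a copy
	// so the caller's slice is not reordered.
	allowed := make([]string, 0, len(uploaders))
	for _, fp := range uploaders {
		fp = strings.ToLower(strings.ReplaceAll(strings.TrimSpace(fp), ":", ""))
		allowed = append(allowed, fp)
	}
	sort.Strings(allowed)

	return func(cert *x509.Certificate) bool {
		// … unchanged: sha256 of cert.Raw, hex encode, sort.Find — over allowed rather than uploaders …
	}
}
```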