eliaskohout/ax
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

move src file to seperate direcotry

Browse Source
This commit is contained in:
Elias Kohout
2026-04-01 22:29:20 +02:00
parent 228cefb921
commit e42397cc7a
30 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/service/api_client.go
+136
View File
@@ -0,0 +1,136 @@
package service
import (
"axolotl/models"
"bytes"
"encoding/json"
"fmt"
"net/http"
"net/url"
)
type apiClient struct {
base string
user string
http *http.Client
}
func (c *apiClient) User() string { return c.user }
func (c *apiClient) do(method, path string, body any) (*http.Response, error) {
var buf bytes.Buffer
if body != nil {
if err := json.NewEncoder(&buf).Encode(body); err != nil {
return nil, err
}
}
req, err := http.NewRequest(method, c.base+path, &buf)
if err != nil {
return nil, err
}
if err := c.setAuth(req); err != nil {
return nil, err
}
if body != nil {
req.Header.Set("Content-Type", "application/json")
}
return c.http.Do(req)
}
// setAuth attaches either a Bearer token (when a session exists) or the
// X-Ax-User header (no session / non-OIDC servers).
func (c *apiClient) setAuth(req *http.Request) error {
sess, err := LoadSession()
if err != nil || sess == nil || sess.Token == "" {
req.Header.Set("X-Ax-User", c.user)
return nil
}
req.Header.Set("Authorization", "Bearer "+sess.Token)
return nil
}
func apiDecode[T any](resp *http.Response) (T, error) {
var v T
defer resp.Body.Close()
if resp.StatusCode >= 400 {
var e struct{ Error string }
json.NewDecoder(resp.Body).Decode(&e)
return v, fmt.Errorf("%s", e.Error)
}
return v, json.NewDecoder(resp.Body).Decode(&v)
}
func (c *apiClient) GetByID(id string) (*models.Node, error) {
resp, err := c.do("GET", "/nodes/"+id, nil)
if err != nil {
return nil, err
}
return apiDecode[*models.Node](resp)
}
func (c *apiClient) List(filter ListFilter) ([]*models.Node, error) {
q := url.Values{}
for _, r := range filter.Rels {
if r.Target == "" {
q.Add("rel", string(r.Type))
} else {
q.Add("rel", string(r.Type)+":"+r.Target)
}
}
path := "/nodes"
if len(q) > 0 {
path += "?" + q.Encode()
}
resp, err := c.do("GET", path, nil)
if err != nil {
return nil, err
}
return apiDecode[[]*models.Node](resp)
}
func (c *apiClient) Add(input AddInput) (*models.Node, error) {
resp, err := c.do("POST", "/nodes", input)
if err != nil {
return nil, err
}
return apiDecode[*models.Node](resp)
}
func (c *apiClient) Update(id string, input UpdateInput) (*models.Node, error) {
resp, err := c.do("PATCH", "/nodes/"+id, input)
if err != nil {
return nil, err
}
return apiDecode[*models.Node](resp)
}
func (c *apiClient) Delete(id string) error {
resp, err := c.do("DELETE", "/nodes/"+id, nil)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode >= 400 {
var e struct{ Error string }
json.NewDecoder(resp.Body).Decode(&e)
return fmt.Errorf("%s", e.Error)
}
return nil
}
func (c *apiClient) ListUsers() ([]*models.Node, error) {
resp, err := c.do("GET", "/users", nil)
if err != nil {
return nil, err
}
return apiDecode[[]*models.Node](resp)
}
func (c *apiClient) AddUser(name string) (*models.Node, error) {
resp, err := c.do("POST", "/users", map[string]string{"name": name})
if err != nil {
return nil, err
}
return apiDecode[*models.Node](resp)
}
src/service/config.go
+37
View File
@@ -0,0 +1,37 @@
package service
type Alias struct {
Name string `json:"name"`
Command string `json:"command"`
Description string `json:"description,omitempty"`
}
type ServerConfig struct {
Host string `json:"host"`
Port int `json:"port"`
}
type OIDCConfig struct {
Issuer string `json:"issuer"`
ClientID string `json:"client_id"`
ClientSecret string `json:"client_secret"`
// PublicURL is the externally reachable base URL of this server, used to
// construct the OIDC redirect URI (e.g. "https://ax.example.com:7000").
PublicURL string `json:"public_url"`
UserClaim string `json:"user_claim"` // default "preferred_username"
}
type Config interface {
GetUser() string
SetUser(username string) error
GetAlias(name string) (*Alias, error)
SetAlias(alias *Alias) error
DeleteAlias(name string) error
ListAliases() ([]*Alias, error)
GetServerConfig() ServerConfig
// GetRemoteConfig returns the remote server address and whether remote mode is enabled.
GetRemoteConfig() (ServerConfig, bool)
// GetOIDCConfig returns the OIDC configuration and whether OIDC is enabled.
GetOIDCConfig() (OIDCConfig, bool)
Save() error
}
src/service/config_file.go
+189
View File
@@ -0,0 +1,189 @@
package service
import (
"encoding/json"
"errors"
"os"
"os/user"
"path/filepath"
"slices"
)
type fileConfig struct {
path string
User string `json:"user"`
UserAliases []*Alias `json:"aliases"`
Serve ServerConfig `json:"serve"`
Remote ServerConfig `json:"remote"`
OIDC OIDCConfig `json:"oidc"`
}
var defaultAliases = []*Alias{
{Name: "mine", Command: "list --assignee $me --type issue --status open", Description: "Show open issues assigned to you"},
{Name: "due", Command: "list --type issue --status open", Description: "Show open issues"},
{Name: "inbox", Command: "list --mention $me", Description: "Show your inbox"},
}
func LoadConfigFile() (Config, error) {
path, err := findConfigPath()
if err != nil {
return nil, err
}
return loadConfig(path)
}
func loadConfig(path string) (*fileConfig, error) {
fc := &fileConfig{path: path, UserAliases: []*Alias{}}
data, err := os.ReadFile(path)
if err != nil {
if !os.IsNotExist(err) {
return nil, err
}
} else {
if err := json.Unmarshal(data, fc); err != nil {
return nil, err
}
}
return fc, nil
}
func findConfigPath() (string, error) {
dir, err := filepath.Abs(".")
if err != nil {
return "", err
}
for {
p := filepath.Join(dir, ".axconfig")
if _, err := os.Stat(p); err == nil {
return p, nil
}
if parent := filepath.Dir(dir); parent == dir {
break
} else {
dir = parent
}
}
home, err := os.UserHomeDir()
if err != nil {
return "", err
}
return filepath.Join(home, ".config", "ax", "config.json"), nil
}
func (c *fileConfig) GetUser() string {
if c.User != "" {
return c.User
}
if u := os.Getenv("AX_USER"); u != "" {
return u
}
if u, err := user.Current(); err == nil {
return u.Username
}
return "unknown"
}
func (c *fileConfig) SetUser(username string) error {
c.User = username
return c.Save()
}
func (c *fileConfig) GetAlias(name string) (*Alias, error) {
for _, a := range c.UserAliases {
if a.Name == name {
return a, nil
}
}
for _, a := range defaultAliases {
if a.Name == name {
return a, nil
}
}
return nil, errors.New("alias not found")
}
func (c *fileConfig) SetAlias(alias *Alias) error {
for i, a := range c.UserAliases {
if a.Name == alias.Name {
c.UserAliases[i] = alias
return c.Save()
}
}
c.UserAliases = append(c.UserAliases, alias)
return c.Save()
}
func (c *fileConfig) DeleteAlias(name string) error {
for i, a := range c.UserAliases {
if a.Name == name {
c.UserAliases = slices.Delete(c.UserAliases, i, i+1)
return c.Save()
}
}
for _, a := range defaultAliases {
if a.Name == name {
return errors.New("cannot delete default alias")
}
}
return errors.New("alias not found")
}
func (c *fileConfig) ListAliases() ([]*Alias, error) {
seen := make(map[string]bool)
var result []*Alias
for _, a := range c.UserAliases {
result = append(result, a)
seen[a.Name] = true
}
for _, a := range defaultAliases {
if !seen[a.Name] {
result = append(result, a)
}
}
return result, nil
}
func (c *fileConfig) GetOIDCConfig() (OIDCConfig, bool) {
if c.OIDC.Issuer == "" {
return OIDCConfig{}, false
}
cfg := c.OIDC
if cfg.UserClaim == "" {
cfg.UserClaim = "preferred_username"
}
return cfg, true
}
func (c *fileConfig) GetRemoteConfig() (ServerConfig, bool) {
if c.Remote.Host == "" {
return ServerConfig{}, false
}
port := c.Remote.Port
if port == 0 {
port = 7000
}
return ServerConfig{Host: c.Remote.Host, Port: port}, true
}
func (c *fileConfig) GetServerConfig() ServerConfig {
host := c.Serve.Host
if host == "" {
host = "localhost"
}
port := c.Serve.Port
if port == 0 {
port = 7000
}
return ServerConfig{Host: host, Port: port}
}
func (c *fileConfig) Save() error {
if err := os.MkdirAll(filepath.Dir(c.path), 0755); err != nil {
return err
}
data, err := json.MarshalIndent(c, "", " ")
if err != nil {
return err
}
return os.WriteFile(c.path, data, 0644)
}
src/service/node_service.go
+100
View File
@@ -0,0 +1,100 @@
package service
import (
"axolotl/models"
"axolotl/store"
"fmt"
"net/http"
)
// NodeService is the single entry point for all node operations.
// All data-model integrity rules are enforced here; callers cannot produce
// invalid state by interacting with this interface alone.
//
// Every NodeService instance is bound to a specific user (see User()).
// GetNodeService returns an error when no user is configured.
type NodeService interface {
// User returns the name/ID of the user this service instance acts on behalf of.
User() string
// Query
GetByID(id string) (*models.Node, error)
List(filter ListFilter) ([]*models.Node, error)
// Lifecycle
Add(input AddInput) (*models.Node, error)
Update(id string, input UpdateInput) (*models.Node, error)
Delete(id string) error
// User management
AddUser(name string) (*models.Node, error)
ListUsers() ([]*models.Node, error)
}
// AddInput describes a new node to create.
// Rels may contain tag rels (Target == ""), property rels (Target == "",
// Type is "prefix::value"), and edge rels (Target is a node name or ID).
// The service applies defaults (type=issue, status=open for issues) and validates.
type AddInput struct {
Title string
Content string
DueDate string
Rels []RelInput
}
// UpdateInput describes changes to apply to an existing node.
// AddRels and RemoveRels accept both tag rels (Target == "") and edge rels.
// Setting _status::done in AddRels is rejected when the node has open blockers.
// Adding assignee or in_namespace rels replaces the previous single target.
type UpdateInput struct {
Title *string
Content *string
DueDate *string // nil = no change; pointer to "" = clear due date
AddRels []RelInput
RemoveRels []RelInput
}
// ListFilter specifies which nodes to return. Empty slices are ignored.
// Tag filters (Target == "") match by rel_name prefix.
// Edge filters (Target != "") are resolved to node IDs.
type ListFilter struct {
Rels []RelInput
}
// RelInput is a typed, directed rel with a target that may be a name or node ID.
// Target == "" means this is a tag or property rel (no target node).
type RelInput struct {
Type models.RelType
Target string // name or node ID; the service resolves names. Empty = tag rel.
}
func InitNodeService(path string) error {
return store.InitSQLiteStore(path)
}
func GetNodeService(cfg Config) (NodeService, error) {
user := cfg.GetUser()
if user == "" {
return nil, fmt.Errorf("no user configured: run 'ax user set <username>' first")
}
if rc, ok := cfg.GetRemoteConfig(); ok {
base := fmt.Sprintf("http://%s:%d", rc.Host, rc.Port)
return &apiClient{base: base, user: user, http: &http.Client{}}, nil
}
st, err := store.FindAndOpenSQLiteStore()
if err != nil {
return nil, err
}
return &nodeServiceImpl{store: st, userID: user}, nil
}
func GetNodeServiceForUser(user string) (NodeService, error) {
if user == "" {
return nil, fmt.Errorf("user is required")
}
st, err := store.FindOrInitSQLiteStore()
if err != nil {
return nil, err
}
return &nodeServiceImpl{store: st, userID: user}, nil
}
src/service/node_service_impl.go
+834
View File
@@ -0,0 +1,834 @@
package service
import (
"axolotl/models"
"axolotl/store"
"fmt"
"maps"
"regexp"
"slices"
"strings"
"time"
)
type nodeServiceImpl struct {
store store.Store
userID string
}
var mentionRegex = regexp.MustCompile(`@([a-z0-9_]+)`)
func mentions(t string) []string {
seen := make(map[string]bool)
for _, m := range mentionRegex.FindAllStringSubmatch(t, -1) {
seen[m[1]] = true
}
return slices.Collect(maps.Keys(seen))
}
func (s *nodeServiceImpl) User() string { return s.userID }
// --- Permission model ---
//
// Four levels (inclusive: higher includes lower):
// 1 can_read visible in list/show
// 2 can_create_rel can create non-permission relations between nodes
// 3 can_write can update/delete a node
// 4 has_ownership sole owner; deletion cascades to owned nodes
//
// Permissions are transitive: if A has level L on B, and B has level M on C,
// then A has level min(L, M) on C. Computed by BFS from the user's own node.
// Users have self-ownership (has_ownership → self), so BFS starts at level 4.
//
// Rules for adding edge rels in Add/Update:
// Non-perm rel A → B : need can_create_rel on A, can_read on B
// Perm rel A --perm_P→ B : need perm_P on B (resource owner grants to any subject)
// Ownership A --has_ownership→ B : need has_ownership on B + can_create_rel on A
// → also removes existing ownership rels pointing to B
//
// Field/tag changes and rel removals require can_write on the node.
const (
permRead = 1
permCreateRel = 2
permWrite = 3
permOwnership = 4
)
// isReferenceRel returns true for rels that point to "identity" nodes (users, namespaces).
// For these rels, the target only needs can_read (not can_create_rel), because users and
// namespaces are globally readable and any node can reference them.
func isReferenceRel(t models.RelType) bool {
switch t {
case models.RelAssignee, models.RelCreated, models.RelMentions, models.RelInNamespace:
return true
}
return false
}
// permRelLevels maps permission rel types to their numeric level.
var permRelLevels = map[models.RelType]int{
models.RelCanRead: permRead,
models.RelCanCreateRel: permCreateRel,
models.RelCanWrite: permWrite,
models.RelHasOwnership: permOwnership,
}
type permContext struct {
levels map[string]int
}
func (pc *permContext) level(nodeID string) int { return pc.levels[nodeID] }
func (pc *permContext) canRead(nodeID string) bool { return pc.levels[nodeID] >= permRead }
func (pc *permContext) canCreateRel(nodeID string) bool { return pc.levels[nodeID] >= permCreateRel }
func (pc *permContext) canWrite(nodeID string) bool { return pc.levels[nodeID] >= permWrite }
func (pc *permContext) hasOwnership(nodeID string) bool { return pc.levels[nodeID] >= permOwnership }
// getPermContext builds a permContext by BFS from the current user's node,
// following permission rels and taking the minimum level along each path.
// User and namespace nodes are made globally readable after the BFS.
// If the user node doesn't exist yet, returns an empty permContext (no access);
// Add operations still work because unresolved targets skip the permission check.
func (s *nodeServiceImpl) getPermContext() (*permContext, error) {
userNodeID, err := s.resolveIDByNameAndType(s.store, s.userID, "user")
if err != nil {
return nil, err
}
pc := &permContext{levels: make(map[string]int)}
if userNodeID == "" {
return pc, nil // user not bootstrapped yet; Add will auto-create user node
}
type entry struct {
nodeID string
level int
}
// Start at the user's own node at ownership level (users have self-ownership).
queue := []entry{{userNodeID, permOwnership}}
for len(queue) > 0 {
curr := queue[0]
queue = queue[1:]
if pc.levels[curr.nodeID] >= curr.level {
continue // already reached at a higher or equal level
}
pc.levels[curr.nodeID] = curr.level
node, err := s.store.GetNode(curr.nodeID)
if err != nil {
continue // node may have been deleted; skip
}
for relType, pLevel := range permRelLevels {
for _, tgt := range node.Relations[string(relType)] {
eff := curr.level
if pLevel < eff {
eff = pLevel
}
if eff > pc.levels[tgt] {
queue = append(queue, entry{tgt, eff})
}
}
}
}
// User and namespace nodes are globally readable (they represent identities,
// and anyone can reference or assign to them).
for _, nodeType := range []string{"user", "namespace"} {
nodes, _ := s.store.FindNodes([]*models.Rel{{Type: models.RelType("_type::" + nodeType), Target: ""}})
for _, n := range nodes {
if pc.levels[n.ID] < permRead {
pc.levels[n.ID] = permRead
}
}
}
return pc, nil
}
// --- Validation ---
var (
validTypes = map[string]bool{"issue": true, "note": true, "user": true, "namespace": true}
validStatuses = map[string]bool{"open": true, "done": true}
validPrios = map[string]bool{"high": true, "medium": true, "low": true}
)
// validateRels checks that any _ -prefixed rel names are known system properties
// and that their values are valid. Users may not define custom _ -prefixed rels.
func validateRels(rels []RelInput) error {
for _, r := range rels {
name := string(r.Type)
if !strings.HasPrefix(name, "_") {
continue
}
if v, ok := strings.CutPrefix(name, "_type::"); ok {
if !validTypes[v] {
return fmt.Errorf("invalid type %q: must be one of issue, note, user, namespace", v)
}
} else if v, ok := strings.CutPrefix(name, "_status::"); ok {
if !validStatuses[v] {
return fmt.Errorf("invalid status %q: must be one of open, done", v)
}
} else if v, ok := strings.CutPrefix(name, "_prio::"); ok {
if !validPrios[v] {
return fmt.Errorf("invalid priority %q: must be one of high, medium, low", v)
}
} else {
return fmt.Errorf("invalid relation %q: custom _ prefix not allowed", name)
}
}
return nil
}
// --- Query ---
func (s *nodeServiceImpl) GetByID(id string) (*models.Node, error) {
n, err := s.store.GetNode(id)
if err != nil {
return nil, err
}
pc, err := s.getPermContext()
if err != nil {
return nil, err
}
if !pc.canRead(id) {
return nil, fmt.Errorf("permission denied: no read access to node %s", id)
}
return n, nil
}
func (s *nodeServiceImpl) List(filter ListFilter) ([]*models.Node, error) {
var storeFilters []*models.Rel
for _, ri := range filter.Rels {
if ri.Target == "" {
storeFilters = append(storeFilters, &models.Rel{Type: ri.Type, Target: ""})
} else {
id, ok := s.lookupRelTarget(ri.Type, ri.Target)
if !ok {
return nil, nil
}
storeFilters = append(storeFilters, &models.Rel{Type: ri.Type, Target: id})
}
}
nodes, err := s.store.FindNodes(storeFilters)
if err != nil {
return nil, err
}
pc, err := s.getPermContext()
if err != nil {
return nil, err
}
var result []*models.Node
for _, n := range nodes {
if pc.canRead(n.ID) {
result = append(result, n)
}
}
return result, nil
}
// --- Lifecycle ---
func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
// Build tag set from tag rels (Target == ""), applying property-replacement semantics.
tmp := models.NewNode()
for _, r := range input.Rels {
if r.Target == "" {
tmp.AddTag(string(r.Type))
}
}
// Apply defaults.
if tmp.GetProperty("type") == "" {
tmp.AddTag("_type::issue")
}
if tmp.GetProperty("type") == "issue" && tmp.GetProperty("status") == "" {
tmp.AddTag("_status::open")
}
// Validate all rels (including the resolved default tags).
tagRels := make([]RelInput, len(tmp.Tags))
for i, t := range tmp.Tags {
tagRels[i] = RelInput{Type: models.RelType(t)}
}
if err := validateRels(append(tagRels, input.Rels...)); err != nil {
return nil, err
}
// Permission checks for edge rels.
pc, err := s.getPermContext()
if err != nil {
return nil, err
}
for _, ri := range input.Rels {
if ri.Target == "" {
continue // tag rel, no target to check
}
targetID, found := s.lookupRelTarget(ri.Type, ri.Target)
if !found {
continue // will be auto-created; skip check
}
permLevel, isPerm := permRelLevels[ri.Type]
switch {
case ri.Type == models.RelHasOwnership:
if !pc.hasOwnership(targetID) {
return nil, fmt.Errorf("permission denied: no ownership of %q to transfer", ri.Target)
}
case isPerm:
if pc.level(targetID) < permLevel {
return nil, fmt.Errorf("permission denied: cannot grant %s on %q", ri.Type, ri.Target)
}
default:
// Non-perm rel: source is the new node (creator gets ownership = can_create_rel).
// Target: reference rels (assignee/mentions/in_namespace) need can_read; others need can_create_rel.
if isReferenceRel(ri.Type) {
if !pc.canRead(targetID) {
return nil, fmt.Errorf("permission denied: no read access to %q", ri.Target)
}
} else {
if !pc.canCreateRel(targetID) {
return nil, fmt.Errorf("permission denied: no create_rel access to %q", ri.Target)
}
}
}
}
hasNamespace := false
for _, ri := range input.Rels {
if ri.Type == models.RelInNamespace && ri.Target != "" {
hasNamespace = true
}
}
id, err := s.store.GenerateID()
if err != nil {
return nil, err
}
err = s.store.Transaction(func(st store.Store) error {
now := time.Now().UTC().Format(time.RFC3339)
if err := st.AddNode(id, input.Title, input.Content, input.DueDate, now, now); err != nil {
return err
}
// Store tag rels.
for _, t := range tmp.Tags {
if err := st.AddRel(id, t, ""); err != nil {
return err
}
}
// Mentions.
for _, m := range mentions(input.Title + " " + input.Content) {
userID, err := s.resolveUserRef(st, m)
if err != nil {
return err
}
if err := st.AddRel(id, string(models.RelMentions), userID); err != nil {
return err
}
}
// Edge rels.
hasCreated := false
for _, ri := range input.Rels {
if ri.Target == "" {
continue // already stored as tag
}
if ri.Type == models.RelCreated {
hasCreated = true
}
resolved, err := s.resolveRelTarget(st, ri)
if err != nil {
return err
}
if ri.Type == models.RelHasOwnership {
// Ownership transfer: remove existing owner of the target.
existingOwners, _ := st.FindNodes([]*models.Rel{{Type: models.RelHasOwnership, Target: resolved}})
for _, owner := range existingOwners {
st.RemoveRel(owner.ID, string(models.RelHasOwnership), resolved) //nolint:errcheck
}
}
if err := st.AddRel(id, string(ri.Type), resolved); err != nil {
return err
}
}
// Default namespace.
if !hasNamespace {
nsID, err := s.resolveNamespaceRef(st, s.userID)
if err != nil {
return err
}
if err := st.AddRel(id, string(models.RelInNamespace), nsID); err != nil {
return err
}
}
// Default created.
if !hasCreated {
userID, err := s.resolveUserRef(st, s.userID)
if err != nil {
return err
}
if err := st.AddRel(id, string(models.RelCreated), userID); err != nil {
return err
}
}
// Grant creator ownership of the new node.
creatorID, err := s.resolveUserRef(st, s.userID)
if err != nil {
return err
}
if err := st.AddRel(creatorID, string(models.RelHasOwnership), id); err != nil {
return err
}
// Namespace bootstrap: when creating a namespace node directly, apply the
// same setup as ensureNamespace — self in_namespace and creator ownership.
if tmp.GetProperty("type") == "namespace" {
if !hasNamespace {
// Replace the default namespace rel (user's ns) with self-reference.
userNsID, _ := s.resolveIDByNameAndType(st, s.userID, "namespace")
if userNsID != "" {
if err := st.RemoveRel(id, string(models.RelInNamespace), userNsID); err != nil {
return err
}
}
if err := st.AddRel(id, string(models.RelInNamespace), id); err != nil {
return err
}
}
// Creator already gets ownership via the block above; nothing more to do.
}
return nil
})
if err != nil {
return nil, err
}
return s.store.GetNode(id)
}
func (s *nodeServiceImpl) Update(id string, input UpdateInput) (*models.Node, error) {
// Validate rels before doing any I/O.
if err := validateRels(input.AddRels); err != nil {
return nil, err
}
// --- Permission checks ---
pc, err := s.getPermContext()
if err != nil {
return nil, err
}
// Field/tag changes and rel removals require can_write on the node.
needsWrite := input.Title != nil || input.Content != nil || input.DueDate != nil
for _, ri := range input.AddRels {
if ri.Target == "" {
needsWrite = true
break
}
}
if len(input.RemoveRels) > 0 {
needsWrite = true
}
if needsWrite && !pc.canWrite(id) {
return nil, fmt.Errorf("permission denied: no write access to node %s", id)
}
// Check each edge rel being added.
for _, ri := range input.AddRels {
if ri.Target == "" {
continue // tag — handled above
}
permLevel, isPerm := permRelLevels[ri.Type]
targetID, found := s.lookupRelTarget(ri.Type, ri.Target)
switch {
case ri.Type == models.RelHasOwnership:
if !found {
return nil, fmt.Errorf("ownership target %q not found", ri.Target)
}
if !pc.hasOwnership(targetID) {
return nil, fmt.Errorf("permission denied: no ownership of %q to transfer", ri.Target)
}
if !pc.canCreateRel(id) {
return nil, fmt.Errorf("permission denied: no create_rel access to node %s", id)
}
case isPerm:
// Perm rel: need perm_P on target; no check on source.
if found && pc.level(targetID) < permLevel {
return nil, fmt.Errorf("permission denied: insufficient permission on %q to grant %s", ri.Target, ri.Type)
}
default:
// Non-perm rel: need can_create_rel on source.
// Target: reference rels (assignee/mentions/in_namespace) need can_read; others need can_create_rel.
if !pc.canCreateRel(id) {
return nil, fmt.Errorf("permission denied: no create_rel access to node %s", id)
}
if found {
if isReferenceRel(ri.Type) {
if !pc.canRead(targetID) {
return nil, fmt.Errorf("permission denied: no read access to %s target %q", ri.Type, ri.Target)
}
} else {
if !pc.canCreateRel(targetID) {
return nil, fmt.Errorf("permission denied: no create_rel access to %s target %q", ri.Type, ri.Target)
}
}
}
}
}
// Enforce blocking constraint before allowing status=done.
for _, r := range input.AddRels {
if r.Target == "" && string(r.Type) == "_status::done" {
if err := s.checkBlockers(id); err != nil {
return nil, err
}
break
}
}
err = s.store.Transaction(func(st store.Store) error {
current, err := st.GetNode(id)
if err != nil {
return err
}
title, content, dueDate := current.Title, current.Content, current.DueDate
if input.Title != nil {
title = *input.Title
}
if input.Content != nil {
content = *input.Content
}
if input.DueDate != nil {
dueDate = *input.DueDate
}
now := time.Now().UTC().Format(time.RFC3339)
if err := st.UpdateNode(id, title, content, dueDate, now); err != nil {
return err
}
// Compute new tag set using the model's AddTag/RemoveTag to preserve
// property-prefix replacement semantics.
tmp := models.NewNode()
for _, t := range current.Tags {
tmp.AddTag(t)
}
for _, r := range input.AddRels {
if r.Target == "" {
tmp.AddTag(string(r.Type))
}
}
for _, r := range input.RemoveRels {
if r.Target == "" {
tmp.RemoveTag(string(r.Type))
}
}
currentTags, newTags := current.Tags, tmp.Tags
for _, t := range currentTags {
if !slices.Contains(newTags, t) {
if err := st.RemoveRel(id, t, ""); err != nil {
return err
}
}
}
for _, t := range newTags {
if !slices.Contains(currentTags, t) {
if err := st.AddRel(id, t, ""); err != nil {
return err
}
}
}
// Sync mention edges when title or content changed.
if input.Title != nil || input.Content != nil {
if err := s.syncMentions(st, id, current, title, content); err != nil {
return err
}
}
currentRels := current.Relations
for _, ri := range input.AddRels {
if ri.Target == "" {
continue // already handled as tag
}
resolved, err := s.resolveRelTarget(st, ri)
if err != nil {
return err
}
// Single-value relations replace the previous target.
if ri.Type == models.RelAssignee || ri.Type == models.RelInNamespace {
for _, oldTgt := range currentRels[string(ri.Type)] {
if err := st.RemoveRel(id, string(ri.Type), oldTgt); err != nil {
return err
}
}
}
// Ownership transfer: enforce single-owner constraint.
if ri.Type == models.RelHasOwnership {
existingOwners, _ := st.FindNodes([]*models.Rel{{Type: models.RelHasOwnership, Target: resolved}})
for _, owner := range existingOwners {
st.RemoveRel(owner.ID, string(models.RelHasOwnership), resolved) //nolint:errcheck
}
}
if err := st.AddRel(id, string(ri.Type), resolved); err != nil {
return err
}
}
for _, ri := range input.RemoveRels {
if ri.Target == "" {
continue // already handled as tag
}
resolved, err := s.resolveRelTarget(st, ri)
if err != nil {
return err
}
if err := st.RemoveRel(id, string(ri.Type), resolved); err != nil {
return err
}
}
return nil
})
if err != nil {
return nil, err
}
return s.store.GetNode(id)
}
func (s *nodeServiceImpl) Delete(id string) error {
pc, err := s.getPermContext()
if err != nil {
return err
}
if !pc.canWrite(id) {
return fmt.Errorf("permission denied: no write access to node %s", id)
}
return s.store.Transaction(func(st store.Store) error {
return s.cascadeDelete(st, id, make(map[string]bool))
})
}
// cascadeDelete deletes id and all nodes it owns (recursively).
// visited prevents infinite loops from ownership cycles.
func (s *nodeServiceImpl) cascadeDelete(st store.Store, id string, visited map[string]bool) error {
if visited[id] {
return nil
}
visited[id] = true
node, err := st.GetNode(id)
if err != nil {
return err
}
// Capture owned node IDs before deleting (DeleteNode cascades the rels).
ownedIDs := make([]string, len(node.Relations[string(models.RelHasOwnership)]))
copy(ownedIDs, node.Relations[string(models.RelHasOwnership)])
if err := st.DeleteNode(id); err != nil {
return err
}
for _, ownedID := range ownedIDs {
if ownedID == id {
continue // skip self-ownership
}
s.cascadeDelete(st, ownedID, visited) //nolint:errcheck — node may already be gone
}
return nil
}
// --- User management ---
func (s *nodeServiceImpl) AddUser(name string) (*models.Node, error) {
var id string
err := s.store.Transaction(func(st store.Store) error {
var err error
id, err = s.ensureUser(st, name)
return err
})
if err != nil {
return nil, err
}
return s.store.GetNode(id)
}
func (s *nodeServiceImpl) ListUsers() ([]*models.Node, error) {
return s.store.FindNodes([]*models.Rel{{Type: "_type::user", Target: ""}})
}
// --- Internal helpers ---
func (s *nodeServiceImpl) checkBlockers(id string) error {
blockers, err := s.store.FindNodes([]*models.Rel{{Type: models.RelBlocks, Target: id}})
if err != nil {
return err
}
var blocking []string
for _, b := range blockers {
if b.GetProperty("status") == "open" {
blocking = append(blocking, b.ID)
}
}
if len(blocking) > 0 {
return fmt.Errorf("cannot close: blocked by %v", blocking)
}
return nil
}
func (s *nodeServiceImpl) syncMentions(st store.Store, id string, current *models.Node, newTitle, newContent string) error {
existingMentionIDs := make(map[string]bool)
for _, uid := range current.Relations[string(models.RelMentions)] {
existingMentionIDs[uid] = true
}
mentionedUserIDs := make(map[string]bool)
for _, m := range mentions(newTitle + " " + newContent) {
userID, err := s.resolveUserRef(st, m)
if err != nil {
return err
}
mentionedUserIDs[userID] = true
if !existingMentionIDs[userID] {
if err := st.AddRel(id, string(models.RelMentions), userID); err != nil {
return err
}
}
}
for uid := range existingMentionIDs {
if !mentionedUserIDs[uid] {
if err := st.RemoveRel(id, string(models.RelMentions), uid); err != nil {
return err
}
}
}
return nil
}
// resolveRelTarget resolves a RelInput target to a node ID, auto-creating users
// and namespaces as needed. Use only inside a transaction.
func (s *nodeServiceImpl) resolveRelTarget(st store.Store, ri RelInput) (string, error) {
switch ri.Type {
case models.RelAssignee, models.RelCreated, models.RelMentions:
return s.resolveUserRef(st, ri.Target)
case models.RelInNamespace:
return s.resolveNamespaceRef(st, ri.Target)
default:
// Permission rels and all other edge rels expect raw node IDs.
return ri.Target, nil
}
}
// lookupRelTarget resolves a filter target to a node ID without creating anything.
// Returns ("", false) when the target doesn't exist.
func (s *nodeServiceImpl) lookupRelTarget(relType models.RelType, target string) (string, bool) {
if exists, _ := s.store.NodeExists(target); exists {
return target, true
}
var nodeType string
switch relType {
case models.RelAssignee, models.RelCreated, models.RelMentions:
nodeType = "user"
case models.RelInNamespace:
nodeType = "namespace"
default:
// Permission rels and other edge rels use raw node IDs.
return "", false
}
id, err := s.resolveIDByNameAndType(s.store, target, nodeType)
if err != nil || id == "" {
return "", false
}
return id, true
}
// resolveIDByNameAndType finds a node by title and _type property without creating it.
func (s *nodeServiceImpl) resolveIDByNameAndType(st store.Store, title, nodeType string) (string, error) {
nodes, err := st.FindNodes([]*models.Rel{{Type: models.RelType("_type::" + nodeType), Target: ""}})
if err != nil {
return "", err
}
for _, n := range nodes {
if n.Title == title {
return n.ID, nil
}
}
return "", nil
}
func (s *nodeServiceImpl) resolveUserRef(st store.Store, ref string) (string, error) {
if exists, _ := st.NodeExists(ref); exists {
return ref, nil
}
return s.ensureUser(st, ref)
}
func (s *nodeServiceImpl) ensureUser(st store.Store, username string) (string, error) {
userID, err := s.resolveIDByNameAndType(st, username, "user")
if err != nil {
return "", err
}
if userID != "" {
return userID, nil
}
id, err := st.GenerateID()
if err != nil {
return "", err
}
now := time.Now().UTC().Format(time.RFC3339)
if err := st.AddNode(id, username, "", "", now, now); err != nil {
return "", err
}
if err := st.AddRel(id, "_type::user", ""); err != nil {
return "", err
}
// Users have self-ownership by default.
if err := st.AddRel(id, string(models.RelHasOwnership), id); err != nil {
return "", err
}
return id, nil
}
func (s *nodeServiceImpl) resolveNamespaceRef(st store.Store, ref string) (string, error) {
if exists, _ := st.NodeExists(ref); exists {
return ref, nil
}
return s.ensureNamespace(st, ref)
}
func (s *nodeServiceImpl) ensureNamespace(st store.Store, name string) (string, error) {
nsID, err := s.resolveIDByNameAndType(st, name, "namespace")
if err != nil {
return "", err
}
if nsID != "" {
return nsID, nil
}
id, err := st.GenerateID()
if err != nil {
return "", err
}
now := time.Now().UTC().Format(time.RFC3339)
if err := st.AddNode(id, name, "", "", now, now); err != nil {
return "", err
}
if err := st.AddRel(id, "_type::namespace", ""); err != nil {
return "", err
}
if err := st.AddRel(id, string(models.RelInNamespace), id); err != nil {
return "", err
}
userID, err := s.resolveUserRef(st, s.userID)
if err != nil {
return "", err
}
if err := st.AddRel(id, string(models.RelCreated), userID); err != nil {
return "", err
}
// Creator owns the namespace.
if err := st.AddRel(userID, string(models.RelHasOwnership), id); err != nil {
return "", err
}
return id, nil
}
src/service/session.go
+67
View File
@@ -0,0 +1,67 @@
package service
import (
"encoding/json"
"os"
"path/filepath"
)
// Session holds the server-issued token returned by POST /auth/poll.
// The ax server owns the full OIDC flow; the client only needs this token.
type Session struct {
Token string `json:"token"`
}
func sessionPath() (string, error) {
home, err := os.UserHomeDir()
if err != nil {
return "", err
}
return filepath.Join(home, ".config", "ax", "session.json"), nil
}
func LoadSession() (*Session, error) {
path, err := sessionPath()
if err != nil {
return nil, err
}
data, err := os.ReadFile(path)
if err != nil {
if os.IsNotExist(err) {
return nil, nil
}
return nil, err
}
var s Session
if err := json.Unmarshal(data, &s); err != nil {
return nil, err
}
return &s, nil
}
func SaveSession(s *Session) error {
path, err := sessionPath()
if err != nil {
return err
}
if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
return err
}
data, err := json.MarshalIndent(s, "", " ")
if err != nil {
return err
}
return os.WriteFile(path, data, 0600)
}
func ClearSession() error {
path, err := sessionPath()
if err != nil {
return err
}
err = os.Remove(path)
if os.IsNotExist(err) {
return nil
}
return err
}