Add git commit companion files rule

.github/workflows/DevelopServerDeploy.yml

@@ -67,6 +67,7 @@ jobs:
     - name: Start
       run: |
         docker run -d --name wikigdrive-develop \
+          --cpu-period=100000 --cpu-quota=800000 --memory=8192m \
           --restart unless-stopped \
           --network nginx \
           --tmpfs /tmp \

apps/ui/src/components/GitSettings.vue

@@ -36,6 +36,11 @@
               <textarea class="form-control" rows="6" placeholder="Deploy key" readonly :value="public_key" @click="copyEmail"></textarea>
             </div>
           </div>
+
+          <div class="form-group">
+            <label>Git commit companion files rule</label>
+            <input class="form-control" v-model="user_config.companion_files_rule" />
+          </div>
         </div>
         <div class="card-footer">
           <div class="btn-group">

package.json

@@ -67,6 +67,7 @@
     "website"
   ],
   "dependencies": {
+    "@nyariv/sandboxjs": "0.8.23",
     "@opentelemetry/core": "1.28.0",
     "@opentelemetry/api": "1.3.0",
     "@opentelemetry/context-zone": "1.8.0",

src/containers/google_folder/UserConfigService.ts

@@ -43,6 +43,7 @@ export class UserConfig {
   fm_without_version?: boolean;
   actions_yaml?: string;
   rewrite_rules?: RewriteRule[];
+  companion_files_rule?: string;
 }
 
 const DEFAULT_CONFIG: UserConfig = {
@@ -90,7 +91,9 @@ export class UserConfigService {
     if (!this.config.rewrite_rules || this.config.rewrite_rules.length === 0) {
       this.config.rewrite_rules = DEFAULT_REWRITE_RULES;
     }
-
+    if (!this.config.companion_files_rule) {
+      this.config.companion_files_rule = '(file.path == "content/navigation.md") || (file.path == "content/toc.md") || (commit.id && file.redirectTo == commit.id) || (commit.redirectTo == file.id && file.id)';
+    }
     return this.config;
   }
 

src/containers/job/JobManagerContainer.ts

@@ -3,6 +3,8 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { randomUUID } from 'node:crypto';
 
+import Sandbox from '@nyariv/sandboxjs';
+
 import {Container, ContainerConfig, ContainerEngine} from '../../ContainerEngine.ts';
 import {FileId} from '../../model/model.ts';
 import {GoogleFolderContainer} from '../google_folder/GoogleFolderContainer.ts';
@@ -703,6 +705,70 @@ export class JobManagerContainer extends Container {
     const gitScanner = new GitScanner(logger, transformedFileSystem.getRealPath(), '[email protected]');
     await gitScanner.initialize();
 
+    const googleFileSystem = await this.filesService.getSubFileService(driveId, '');
+    const userConfigService = new UserConfigService(googleFileSystem);
+    const userConfig = await userConfigService.load();
+
+    const contentFileService = await getContentFileService(transformedFileSystem, userConfigService);
+    const markdownTreeProcessor = new MarkdownTreeProcessor(contentFileService);
+    await markdownTreeProcessor.load();
+
+    if (userConfig.companion_files_rule) {
+      gitScanner.setCompanionFileResolver(async (filePath: string) => {
+        if (!filePath.endsWith('.md')) {
+          return [];
+        }
+
+        let subdir = (userConfigService.config.transform_subdir || '')
+          .replace(/^\//, '')
+          .replace(/\/$/, '');
+        if (subdir.length > 0) {
+          subdir += '/';
+        }
+
+        filePath = filePath
+          .replace(/^\//, '')
+          .substring(subdir.length);
+
+        const tuple = await markdownTreeProcessor.findByPath('/' + filePath);
+
+        const treeItem = tuple[0];
+        if (!treeItem) {
+          return [];
+        }
+
+        const retVal: Set<string> = new Set();
+
+        const sandbox = new Sandbox.default();
+        const exec = sandbox.compile('return ' + (userConfig.companion_files_rule || 'false'));
+
+        await markdownTreeProcessor.walkTree((treeNode) => {
+          const commit = {
+            path: subdir + treeItem.path.replace(/^\//, ''),
+            id: treeItem.id,
+            fileName: treeItem.fileName,
+            mimeType: treeItem.mimeType,
+            redirectTo: treeItem.redirectTo
+          };
+          const file = {
+            path: subdir + treeNode.path.replace(/^\//, ''),
+            id: treeNode.id,
+            fileName: treeNode.fileName,
+            mimeType: treeNode.mimeType,
+            redirectTo: treeNode.redirectTo
+          };
+
+          const result = exec({ commit, file }).run();
+
+          if (result) {
+            retVal.add(file.path);
+          }
+          return false;
+        });
+        return Array.from(retVal);
+      });
+    }
+
     await gitScanner.commit(message, filePaths, user);
 
     await this.schedule(driveId, {

src/containers/server/auth.ts

@@ -63,31 +63,31 @@ interface JwtDecryptedPayload extends GoogleUser {
   driveId: string;
 }
 
-function signToken(payload: JwtDecryptedPayload, jwtSecret: string): string {
+async function signToken(payload: JwtDecryptedPayload, jwtSecret: string): Promise<string> {
   const expiresIn = 365 * 24 * 3600;
 
   const encrypted: JwtEncryptedPayload = {
     sub: payload.id,
     name: payload.name,
     email: payload.email,
-    gat: encrypt(payload.google_access_token, jwtSecret),
-    grt: payload.google_refresh_token ? encrypt(payload.google_refresh_token, jwtSecret) : undefined,
+    gat: await encrypt(payload.google_access_token, jwtSecret),
+    grt: payload.google_refresh_token ? await encrypt(payload.google_refresh_token, jwtSecret) : undefined,
     ged: payload.google_expiry_date,
     driveId: payload.driveId
   };
 
   return jsonwebtoken.sign(encrypted, jwtSecret, { expiresIn });
 }
 
-function verifyToken(accessCookie: string, jwtSecret: string): JwtDecryptedPayload {
+async function verifyToken(accessCookie: string, jwtSecret: string): Promise<JwtDecryptedPayload> {
   const encrypted: JwtEncryptedPayload = <JwtEncryptedPayload>jsonwebtoken.verify(accessCookie, jwtSecret);
 
   return {
     id: encrypted.sub,
     name: encrypted.name,
     email: encrypted.email,
-    google_access_token: decrypt(encrypted.gat, process.env.JWT_SECRET),
-    google_refresh_token: encrypted.grt ? decrypt(encrypted.grt, process.env.JWT_SECRET) : undefined,
+    google_access_token: await decrypt(encrypted.gat, process.env.JWT_SECRET),
+    google_refresh_token: encrypted.grt ? await decrypt(encrypted.grt, process.env.JWT_SECRET) : undefined,
     google_expiry_date: encrypted.ged,
     driveId: encrypted.driveId
   };
@@ -247,7 +247,7 @@ export async function getAuth(req: Request, res: Response, next) {
     if (driveId) {
       const drive = await googleDriveService.getDrive(await authClient.getAccessToken(), driveId);
       if (drive.id) {
-        const accessToken = signToken({
+        const accessToken = await signToken({
           ...googleUser,
           ...await authClient.getAuthData(),
           driveId: driveId
@@ -257,7 +257,7 @@ export async function getAuth(req: Request, res: Response, next) {
         return;
       }
     } else {
-      const accessToken = signToken({
+      const accessToken = await signToken({
         ...googleUser,
         ...await authClient.getAuthData(),
         driveId: driveId
@@ -296,7 +296,7 @@ async function decodeAuthenticateInfo(req, res, next) {
   const jwtSecret = process.env.JWT_SECRET;
 
   try {
-    const decoded = verifyToken(req.cookies.accessToken, jwtSecret);
+    const decoded = await verifyToken(req.cookies.accessToken, jwtSecret);
     if (!decoded.id) {
       return next(redirError(req, 'No jwt.sub'));
     }
@@ -321,7 +321,7 @@ async function decodeAuthenticateInfo(req, res, next) {
         return next(redirError(req, 'Unauthorized to read drive: ' + driveId));
       }
 
-      const accessToken: string = signToken({
+      const accessToken: string = await signToken({
         ...decoded,
         ...await authClient.getAuthData(),
         driveId: driveId

src/containers/server/routes/ConfigController.ts

@@ -13,6 +13,7 @@ export interface ConfigBody {
     config_toml?: string;
     transform_subdir?: string;
     rewrite_rules_yaml?: string;
+    companion_files_rule?: string;
     hugo_theme: HugoTheme;
     auto_sync: boolean;
     use_google_markdowns: boolean;
@@ -98,6 +99,9 @@ export class ConfigController extends Controller {
     if (body.config?.rewrite_rules_yaml) {
       userConfigService.config.rewrite_rules = yaml.load(body.config?.rewrite_rules_yaml);
     }
+    if (body.config?.companion_files_rule) {
+      userConfigService.config.companion_files_rule = body.config?.companion_files_rule;
+    }
     let modified = false;
     if ('string' === typeof body.config?.transform_subdir) {
       let trimmed = body.config?.transform_subdir.trim();

src/git/GitScanner.ts

@@ -45,6 +45,7 @@ interface ExecOpts {
 
 export class GitScanner {
   private logger: Logger;
+  private companionFileResolver: (filePath: string) => Promise<string[]> = async () => ([]);
 
   constructor(logger: Logger, public readonly rootPath: string, private email: string) {
     this.logger = logger.child({ filename: __filename });
@@ -201,10 +202,26 @@ export class GitScanner {
     return retValArr;
   }
 
+  async resolveCompanionFiles(filePaths: string[]): Promise<string[]> {
+    const retVal = [];
+    for (const filePath of filePaths) {
+      retVal.push(filePath);
+      try {
+        retVal.push(...(await this.companionFileResolver(filePath) || []));
+      } catch (err) {
+        this.logger.warn('Error evaluating companion files: ' + err.message);
+        break;
+      }
+    }
+    return retVal;
+  }
+
   async commit(message: string, selectedFiles: string[], committer: Commiter): Promise<string> {
     selectedFiles = selectedFiles.map(fileName => fileName.startsWith('/') ? fileName.substring(1) : fileName)
       .filter(fileName => !!fileName);
 
+    selectedFiles = await this.resolveCompanionFiles(selectedFiles);
+
     const addedFiles: string[] = [];
     const removedFiles: string[] = [];
 
@@ -964,4 +981,9 @@ export class GitScanner {
   async removeCached(filePath: string) {
     await this.exec(`git rm --cached ${filePath}`);
   }
+
+  setCompanionFileResolver(resolver: (filePath: string) => Promise<string[]>) {
+    this.companionFileResolver = resolver;
+  }
+
 }

src/google/GoogleAuthService.ts

@@ -1,28 +1,47 @@
-import crypto from 'node:crypto';
-import {Buffer} from 'node:buffer';
+import * as base64 from './base64.ts';
 
 // https://stackoverflow.com/questions/19641783/google-drive-api-username-password-authentication#19643080
 // https://developers.google.com/identity/protocols/OAuth2ServiceAccount
-const IV = '5383165476e1c2e3';
-export function encrypt(val: string, key: string) {
-  key = Buffer.from(key).toString('hex').substring(0, 32);
-  const cipher = crypto.createCipheriv('aes-256-cbc', key, IV);
-  const encrypted = cipher.update(val, 'utf8', 'hex');
-  const final = encrypted + cipher.final('hex');
-  const buffer = Buffer.from(final, 'hex');
-  return buffer.toString('base64');
+
+const IV: ArrayBuffer = new TextEncoder().encode('5383165476e1c2e3').slice(0, 16);
+
+export async function encrypt(val: string, keyString: string) {
+  const key = await crypto.subtle.importKey(
+    'raw', new TextEncoder().encode(keyString).slice(0, 16), {   //this is the algorithm options
+      name: 'AES-CBC',
+    },
+    false,
+    ['encrypt', 'decrypt']
+  );
+
+  const encrypted = await crypto.subtle.encrypt({
+    name: 'AES-CBC',
+    iv: IV, // @TODO: Don't re-use initialization vectors! Always generate a new iv every time your encrypt!
+  }, key, new TextEncoder().encode(val));
+
+  return base64.fromUint8Array(new Uint8Array(encrypted));
 }
 
-export function decrypt(encrypted: string, key: string) {
+export async function decrypt(encrypted: string, keyString: string) {
   if (!encrypted) {
     return null;
   }
-  key = Buffer.from(key).toString('hex').substring(0, 32);
-  const buffer = Buffer.from(encrypted, 'base64');
-  const decipher = crypto.createDecipheriv('aes-256-cbc', key, IV);
-  const decrypted = decipher.update(buffer.toString('hex'), 'hex', 'utf8');
-  const f = decrypted + decipher.final('utf8');
-  return f;
+
+  const key = await crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(keyString).slice(0, 16), { //this is the algorithm options
+      name: 'AES-CBC',
+    },
+    false,
+    ['encrypt', 'decrypt']
+  );
+
+  const decrypted =  await crypto.subtle.decrypt({
+    name: 'AES-CBC',
+    iv: IV,
+  }, key, base64.toUint8Array(encrypted));
+
+  return new TextDecoder().decode(decrypted);
 }
 
 export interface TokenInfo {