todo

.gitignore

@@ -11,3 +11,4 @@ ui/render
 server/public/ui/**/.*.html
 **/*.ctmpl.html
 server/public/ui/render
+server/releasedata

crawler/gitlab.sh

@@ -32,7 +32,6 @@ gitlab() (
       blob="$(urlencode "$blob")"
 
       local path="api/v4/projects/$project/repository/files/$blob/raw"
-		log "url: https://gitlab-app.eng.qops.net/$path (blob=$blob, project=$project)"
       echo "https://gitlab-app.eng.qops.net/$path"
 	}
 
@@ -73,7 +72,6 @@ gitlab() (
       root="${root#tree/}"
 		root="$(echo "$root" | sed 's/^[^\/]*//')"
 		root="${root#/}"
-		log project=$project, root=$root, url=$url
       echo "$project"
       echo "$root"
    }

crawler/gitlab_wiki.sh

@@ -6,8 +6,9 @@ gitlab_wiki() (
    }
 
 	human_url() {
-		log "not impl: human url: $@"
-		exit 1
+		local url="${1%/}"
+		url="${url%%#*}"
+		echo "$url/$(echo "$2" | base64 --decode)"
 	}
 
 	_host() {
@@ -25,7 +26,7 @@ gitlab_wiki() (
 		project="${project%/-/}"
 		project="${project#/}"
 		project="${project%/}"
-		echo "$project"
+		echo "${project%%#*}"
 	}
 
 	_blob() {
@@ -36,7 +37,7 @@ gitlab_wiki() (
 		local blob="${path#*/wikis}"
 		blob="${blob#/}"
 		blob="${blob%/}"
-		echo "$blob"
+		echo "${blob%%#*}"
 	}
 
    get() {

crawler/main.sh

@@ -95,6 +95,8 @@ crawl_with() {
 	local content="$(echo "$json" | jq -r .content)"
 	local crawlable_source="$(extract_crawlable_source "$content")"
 
+	notes put "$pid" "$(notes meta "$pid" | jq -r .Meta.Title)" "$crawlable_source"
+
 	local expanded=($($backend expand "$crawlable_source"))
 
 	log purge $crawlable_source:
@@ -102,7 +104,7 @@ crawl_with() {
 		notes del "$subid"
 	done
 
-	log expand $crawlable_source:"$expanded"
+	log expand $crawlable_source:"${#expanded[@]}: ${expanded[@]}"
 	notes_mkdir_p() {
 		local id="$1"
 		local subtitle="${2%/}"
@@ -148,8 +150,9 @@ crawl_with() {
 			echo "$sum"
 		)"
 		ID="${ID%/}"
-		if [ "${#expanded[@]}" == 1 ]; then
+		if [ "${#expanded[@]}" -lt 2 ]; then
 			ID="$pid"
+			TITLE="$(notes meta "$ID" | jq -r .Meta.Title)"
 			CONTENT="$(printf "%s\n\n%s", "$crawlable_source" "$CONTENT")"
 		fi
 		log "	$ID ($TITLE): ${#CONTENT}"

server/.dockerignore

@@ -0,0 +1,3 @@
+.*
+**/.*
+**/*.sw*

server/Dockerfile

@@ -0,0 +1,32 @@
+FROM registry-app.eng.qops.net:5001/imported/alpine:3.15 as certs
+RUN apk update && apk add --no-cache ca-certificates
+
+FROM registry-app.eng.qops.net:5001/imported/alpine:3.15 as encoder
+WORKDIR /main
+RUN apk update && apk add --no-cache gpg gpg-agent
+ARG KEY=""
+COPY ./releasedata ./releasedata
+RUN cat ./releasedata/users.yaml \
+	| gpg --batch --no-tty --passphrase="$KEY" --cipher-algo AES256 --symmetric -z 0 \
+	> ./users.yaml.gpg
+
+FROM registry-app.eng.qops.net:5001/imported/alpine:3.15 as runner
+RUN apk update && apk --no-cache upgrade && apk add --no-cache bash gpg gpg-agent
+WORKDIR /main
+COPY --from=certs /etc/ssl/certs /etc/ssl/certs
+COPY --from=encoder /main/users.yaml.gpg ./
+
+COPY ./exec-server ./
+COPY ./public ./public
+RUN test -e /main/exec-server
+RUN test -d /main/public
+RUN mkdir -p /var/log /main/public/files /main/public/media
+
+ENV GOPATH=""
+VOLUME /main/public/files
+VOLUME /main/public/media
+ENV COOKIE_SECRET=""
+ENV KEY=""
+RUN echo 'cat /main/users.yaml.gpg | gpg --batch --no-tty --passphrase="$KEY" --decrypt > /main/users.yaml && /main/exec-server "$@"' > /main/entrypoint.sh
+ENTRYPOINT ["bash", "/main/entrypoint.sh"]
+CMD []

server/README.md

@@ -1,9 +1,19 @@
-## running with docker
+## Using File Auth
 
-d1=${d1:-$(mktemp -d)}
-d2=${d2:-$(mktemp -d)}
-docker run \
-	-v $d1:/main/public/files \
-	-v $d2:/main/public/media \
-	-p 3004:3004 \
-	--rm -it registry-app.eng.qops.net:5001/bel/work-notes:latest
+1. Build a linux binary with `GOOS=linux CGO_ENABLED=0 go build -o ./exec-server -a -installsuffix cgo -ldflags "-s -w"`
+1. Add your usernames, passwords, groups to `releasedata/users.yaml`
+1. {one time} Generate and store an encryption `KEY` in Vault+Lastpass
+1. Build a Docker image with `docker build -t registry-app.eng.qops.net:5001/breel/work-notes:latest --build-arg KEY='{{INSERT YOUR KEY HERE}}' .`
+1. Push with `docker push registry-app.eng.qops.net:5001/breel/work-notes:latest`
+1. Run like `docker run -v /mnt/files:/main/public/files -v /mnt/media:/main/public/media -e KEY='{{INSERT YOUR KEY HERE}}' -e COOKIE_SECRET='{{INSERT ANOTHER KEY HERE}}' -p 3005:3005 --rm -it registry-app.eng.qops.net:5001/breel/work-notes:latest -auth ./users.yaml -p 3005`
+
+### `users.yaml` Format
+
+```yaml
+users:
+  breel:
+    password: breel
+    groups:
+    - g1
+    - g2
+```

server/auth.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"errors"
+	"io/ioutil"
+
+	yaml "gopkg.in/yaml.v2"
+)
+
+type auth interface {
+	Login(string, string) (bool, error)
+	Groups(string) ([]string, error)
+}
+
+type FileAuth struct {
+	path string
+}
+
+type fileAuthContent struct {
+	Users map[string]struct {
+		Password string
+		Groups   []string
+	}
+}
+
+func NewFileAuth(path string) FileAuth {
+	return FileAuth{path: path}
+}
+
+func (fileAuth FileAuth) Login(u, p string) (bool, error) {
+	content, err := fileAuth.load()
+	if err != nil {
+		return false, err
+	}
+	entry, ok := content.Users[u]
+	return ok && entry.Password == p, nil
+}
+
+func (fileAuth FileAuth) Groups(u string) ([]string, error) {
+	content, err := fileAuth.load()
+	if err != nil {
+		return nil, err
+	}
+	entry, ok := content.Users[u]
+	if !ok {
+		return nil, errors.New("invalid user")
+	}
+	return entry.Groups, nil
+}
+
+func (fileAuth FileAuth) load() (fileAuthContent, error) {
+	var fileAuthContent fileAuthContent
+	b, err := ioutil.ReadFile(fileAuth.path)
+	if err != nil {
+		return fileAuthContent, err
+	}
+	if err := yaml.Unmarshal(b, &fileAuthContent); err != nil {
+		return fileAuthContent, err
+	}
+	return fileAuthContent, nil
+}

server/auth_test.go

@@ -0,0 +1,118 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"testing"
+)
+
+func TestFileAuth(t *testing.T) {
+	user := "username"
+	passw := "password"
+	g := "group"
+	emptyp := func() string {
+		d := t.TempDir()
+		f, err := ioutil.TempFile(d, "login.yaml.*")
+		if err != nil {
+			t.Fatal(err)
+		}
+		f.Close()
+		return path.Join(d, f.Name())
+	}
+	goodp := func() string {
+		p := emptyp()
+		if err := ensureAndWrite(p, []byte(fmt.Sprintf(`{
+			"users": {
+				%q: {
+					"password": %q,
+					"groups": [%q]
+				}
+			}
+		}`, user, passw, g))); err != nil {
+			t.Fatal(err)
+		}
+		return p
+	}
+
+	t.Run("no file", func(t *testing.T) {
+		p := emptyp()
+		os.Remove(p)
+		fa := NewFileAuth(p)
+		if _, err := fa.Login(user, passw); err == nil {
+			t.Fatal(err)
+		}
+	})
+
+	t.Run("bad file", func(t *testing.T) {
+		p := emptyp()
+		if err := ensureAndWrite(p, []byte(`{"hello:}`)); err != nil {
+			t.Fatal(err)
+		}
+		fa := NewFileAuth(p)
+		if _, err := fa.Login(user, passw); err == nil {
+			t.Fatal(err)
+		}
+	})
+
+	t.Run("bad user", func(t *testing.T) {
+		p := goodp()
+		fa := NewFileAuth(p)
+		if ok, err := fa.Login("bad"+user, passw); err != nil {
+			t.Fatal(err)
+		} else if ok {
+			t.Fatal(ok)
+		}
+	})
+
+	t.Run("bad pass", func(t *testing.T) {
+		p := goodp()
+		fa := NewFileAuth(p)
+		if ok, err := fa.Login(user, "bad"+passw); err != nil {
+			t.Fatal(err)
+		} else if ok {
+			t.Fatal(ok)
+		}
+	})
+
+	t.Run("good load", func(t *testing.T) {
+		p := goodp()
+		fa := NewFileAuth(p)
+		got, err := fa.load()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(got.Users) != 1 {
+			t.Error(got.Users)
+		}
+		if entry, ok := got.Users[user]; !ok {
+			t.Error(ok)
+		} else if entry.Password != passw {
+			t.Error(entry)
+		} else if len(entry.Groups) != 1 {
+			t.Error(entry.Groups)
+		} else if entry.Groups[0] != g {
+			t.Error(entry.Groups)
+		}
+	})
+
+	t.Run("good", func(t *testing.T) {
+		p := goodp()
+		b, _ := ioutil.ReadFile(p)
+		t.Logf("goodp: %s: %s", p, b)
+		fa := NewFileAuth(p)
+		if ok, err := fa.Login(user, passw); err != nil {
+			t.Fatal(err)
+		} else if !ok {
+			t.Fatal(ok)
+		}
+		if groups, err := fa.Groups(user); err != nil {
+			t.Fatal(err)
+		} else if len(groups) != 1 {
+			t.Fatal(groups)
+		} else if groups[0] != g {
+			t.Fatal(groups)
+		}
+	})
+}

server/authenticate.go

@@ -0,0 +1,251 @@
+package main
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"hash/crc32"
+	"log"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+var cookieSecret = os.Getenv("COOKIE_SECRET")
+
+type User struct {
+	User   string
+	Group  string
+	Groups []string
+}
+
+func (user User) Is(other User) bool {
+	for i := range user.Groups {
+		if i >= len(other.Groups) || user.Groups[i] != other.Groups[i] {
+			return false
+		}
+	}
+	return user.User == other.User &&
+		user.Group == other.Group &&
+		len(user.Groups) == len(other.Groups)
+}
+
+type Cookie struct {
+	Hash  string
+	Salt  string
+	Value string
+}
+
+func (server *Server) authenticate(w http.ResponseWriter, r *http.Request) (*Server, bool, error) {
+	if done, err := server.parseLogin(w, r); err != nil {
+		log.Printf("error parsing login: %v", err)
+		return nil, false, err
+	} else if done {
+		log.Printf("login rendered body")
+		return nil, true, nil
+	}
+
+	if ok, err := needsLogin(r); err != nil {
+		log.Printf("error checking if login needed: %v", err)
+		return nil, false, err
+	} else if ok {
+		log.Printf("needs login")
+		promptLogin(w)
+		return nil, true, nil
+	}
+
+	if done, err := changeNamespace(w, r); err != nil {
+		return nil, false, err
+	} else if done {
+		return nil, true, nil
+	}
+
+	user, _ := loginCookie(r)
+	return server.WithUser(user.User, user.Group, user.Groups), false, nil
+}
+
+func promptLogin(w http.ResponseWriter) {
+	w.Header().Set("WWW-Authenticate", "Basic")
+	w.WriteHeader(http.StatusUnauthorized)
+}
+
+func (server *Server) parseLogin(w http.ResponseWriter, r *http.Request) (bool, error) {
+	username, password, ok := r.BasicAuth()
+	if !ok {
+		return false, nil
+	}
+
+	ok, err := server.auth.Login(username, password)
+	if err != nil {
+		return false, err
+	}
+	if !ok {
+		promptLogin(w)
+		return true, nil
+	}
+
+	groups, err := server.auth.Groups(username)
+	if err != nil {
+		return false, err
+	}
+	if len(groups) == 0 {
+		return false, errors.New("user has no groups")
+	}
+
+	user := User{
+		User:   username,
+		Groups: groups,
+		Group:  groups[0],
+	}
+
+	olduser, _ := loginCookie(r)
+	for i := range groups {
+		if groups[i] == olduser.Group {
+			user.Group = olduser.Group
+		}
+	}
+	log.Printf("%+v => %+v", olduser, user)
+
+	setLoginCookie(w, r, user)
+	return false, nil
+}
+
+func changeNamespace(w http.ResponseWriter, r *http.Request) (bool, error) {
+	want := r.URL.Query().Get("namespace")
+	if want == "" {
+		return false, nil
+	}
+
+	user, ok := loginCookie(r)
+	if !ok {
+		promptLogin(w)
+		return true, nil
+	}
+
+	if user.Group == want {
+		return false, nil
+	}
+	for i := range user.Groups {
+		if want == user.Groups[i] {
+			user.Group = want
+			setLoginCookie(w, r, user)
+			return false, nil
+		}
+	}
+	return false, nil
+}
+
+func needsLogin(r *http.Request) (bool, error) {
+	user, ok := loginCookie(r)
+	if !ok {
+		return true, nil
+	}
+	for i := range user.Groups {
+		if user.Group == user.Groups[i] {
+			return false, nil
+		}
+	}
+	return true, nil
+}
+
+func setLoginCookie(w http.ResponseWriter, r *http.Request, user User) {
+	cookie := &http.Cookie{
+		Name:    "login",
+		Value:   encodeUserCookie(user),
+		Expires: time.Now().Add(time.Hour * 24),
+		Path:    "/",
+	}
+	if was, ok := requestLoginCookie(r); !ok || !was.Is(user) {
+		w.Header().Set("Set-Cookie", cookie.String())
+	}
+	log.Printf("setting login cookie: %+v", user)
+	*r = *r.WithContext(context.WithValue(r.Context(), "LOGIN_COOKIE", cookie.Value))
+}
+
+func loginCookie(r *http.Request) (User, bool) {
+	if v := r.Context().Value("LOGIN_COOKIE"); v != nil {
+		log.Printf("login cookie from ctx")
+		return decodeUserCookie(v.(string))
+	}
+	return requestLoginCookie(r)
+}
+
+func requestLoginCookie(r *http.Request) (User, bool) {
+	c, ok := getCookie("login", r)
+	log.Printf("request login cookie: %v, %v", c, ok)
+	if !ok {
+		return User{}, false
+	}
+	return decodeUserCookie(c)
+}
+
+func getCookie(key string, r *http.Request) (string, bool) {
+	var cookie *http.Cookie
+	cookies := r.Cookies()
+	for i := range cookies {
+		if cookies[i].Name == key && (cookies[i].Expires.IsZero() || time.Now().Before(cookies[i].Expires)) {
+			cookie = cookies[i]
+		}
+	}
+	if cookie == nil {
+		return "", false
+	}
+	return cookie.Value, cookie.Expires.IsZero() || time.Now().Before(cookie.Expires)
+}
+
+func decodeUserCookie(raw string) (User, bool) {
+	decoded, ok := decodeCookie(raw)
+	if !ok {
+		return User{}, ok
+	}
+	var user User
+	err := json.Unmarshal([]byte(decoded), &user)
+	return user, err == nil
+}
+
+func encodeUserCookie(user User) string {
+	b, err := json.Marshal(user)
+	if err != nil {
+		panic(err)
+	}
+	return encodeCookie(string(b))
+}
+
+func encodeCookie(s string) string {
+	cookie := Cookie{
+		Salt:  uuid.New().String(),
+		Value: s,
+	}
+	hash := crc32.NewIEEE()
+	hash.Write([]byte(cookieSecret))
+	hash.Write([]byte(cookie.Salt))
+	hash.Write([]byte(cookie.Value))
+	cookie.Hash = base64.StdEncoding.EncodeToString(hash.Sum(nil))
+	b, err := json.Marshal(cookie)
+	if err != nil {
+		panic(err)
+	}
+	return base64.StdEncoding.EncodeToString(b)
+}
+
+func decodeCookie(s string) (string, bool) {
+	b, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return "", false
+	}
+	var cookie Cookie
+	if err := json.Unmarshal(b, &cookie); err != nil {
+		return "", false
+	}
+	hash := crc32.NewIEEE()
+	hash.Write([]byte(cookieSecret))
+	hash.Write([]byte(cookie.Salt))
+	hash.Write([]byte(cookie.Value))
+	if got := base64.StdEncoding.EncodeToString(hash.Sum(nil)); cookie.Hash != got {
+		return "", false
+	}
+	return cookie.Value, true
+}

server/authenticate_test.go

@@ -0,0 +1,361 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"path"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+func TestEncodeDecodeCookie(t *testing.T) {
+	newTestServer(t)
+
+	for i := 0; i < 5; i++ {
+		value := uuid.New().String()
+		encoded := encodeCookie(value)
+		for j := 0; j < 5; j++ {
+			decoded, ok := decodeCookie(encoded)
+			if !ok || decoded != value {
+				t.Errorf("value=%s, encoded=%s, decoded=%s", value, encoded, decoded)
+			}
+		}
+	}
+}
+
+func TestEncodeDecodeUserCookie(t *testing.T) {
+	newTestServer(t)
+
+	user := User{
+		User:   "abc",
+		Groups: []string{"def", "ghi"},
+	}
+	encoded := encodeUserCookie(user)
+	decoded, ok := decodeUserCookie(encoded)
+	if !ok {
+		t.Fatal(ok)
+	}
+	if fmt.Sprint(user) != fmt.Sprint(decoded) {
+		t.Fatal(user, decoded)
+	}
+}
+
+func TestGetCookie(t *testing.T) {
+	r := httptest.NewRequest(http.MethodGet, "/", nil)
+	r.AddCookie(&http.Cookie{
+		Name:    "abc",
+		Value:   "def",
+		Expires: time.Now().Add(time.Hour),
+	})
+	got, _ := getCookie("abc", r)
+	if got != "def" {
+		t.Fatal(r.Cookies(), got)
+	}
+}
+
+func TestGetSetLoginCookie(t *testing.T) {
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest(http.MethodGet, "/", nil)
+	user := User{User: "a", Groups: []string{"g"}}
+
+	setLoginCookie(w, r, user)
+	if w.Header().Get("Set-Cookie") == "" {
+		t.Error(w.Header())
+	}
+
+	got, ok := loginCookie(r)
+	if !ok {
+		t.Error(ok)
+	}
+	if fmt.Sprint(user) != fmt.Sprint(got) {
+		t.Error(user, got)
+	}
+}
+
+func TestChangeNamespace(t *testing.T) {
+	newTestServer(t)
+	user := User{
+		User:   "user",
+		Groups: []string{"group", "othergroup"},
+		Group:  "group",
+	}
+
+	t.Run("noop", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		w := httptest.NewRecorder()
+		done, err := changeNamespace(w, r)
+		if err != nil {
+			t.Error(err)
+		}
+		if done {
+			t.Error(done)
+		}
+	})
+
+	t.Run("change to ``", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/?namespace=", nil)
+		w := httptest.NewRecorder()
+		done, err := changeNamespace(w, r)
+		if err != nil {
+			t.Error(err)
+		}
+		if done {
+			t.Error(done)
+		}
+	})
+
+	t.Run("change to bad", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/?namespace=never", nil)
+		w := httptest.NewRecorder()
+		setLoginCookie(w, r, user)
+		done, err := changeNamespace(w, r)
+		if err != nil {
+			t.Error(err)
+		}
+		if done {
+			t.Error(done)
+		}
+		user, ok := loginCookie(r)
+		if !ok {
+			t.Error(ok)
+		}
+		if user.Group == "never" {
+			t.Error("change namespace acknowledged bad change")
+		}
+	})
+
+	t.Run("change without login", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/?namespace="+user.Group, nil)
+		w := httptest.NewRecorder()
+		done, err := changeNamespace(w, r)
+		if err != nil {
+			t.Error(err)
+		}
+		if !done {
+			t.Error(done)
+		}
+	})
+
+	t.Run("change to same", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/?namespace="+user.Group, nil)
+		w := httptest.NewRecorder()
+		setLoginCookie(w, r, user)
+		done, err := changeNamespace(w, r)
+		if err != nil {
+			t.Error(err)
+		}
+		if done {
+			t.Error(done)
+		}
+	})
+
+	t.Run("change to ok", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/?namespace="+user.Groups[1], nil)
+		w := httptest.NewRecorder()
+		setLoginCookie(w, r, user)
+		done, err := changeNamespace(w, r)
+		if err != nil {
+			t.Error(err)
+		}
+		if done {
+			t.Error(done)
+		}
+		user, ok := loginCookie(r)
+		if !ok {
+			t.Error(ok)
+		}
+		if user.Group != user.Groups[1] {
+			t.Error(user.Group)
+		}
+		if w.Header().Get("Set-Cookie") == "" {
+			t.Error(w.Header())
+		}
+	})
+}
+
+func TestNeedsLogin(t *testing.T) {
+	w := httptest.NewRecorder()
+	user := User{User: "user", Groups: []string{"group0", "group1"}, Group: "group0"}
+
+	t.Run("no login provided", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		if ok, err := needsLogin(r); err != nil {
+			t.Fatal(err)
+		} else if !ok {
+			t.Fatal(ok)
+		}
+	})
+
+	t.Run("no namespace provided", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		u2 := user
+		u2.Group = ""
+		setLoginCookie(w, r, u2)
+		if ok, err := needsLogin(r); err != nil {
+			t.Fatal(err)
+		} else if !ok {
+			t.Fatal(ok)
+		}
+	})
+
+	t.Run("cookie tampered", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		setLoginCookie(w, r, user)
+		cookieSecret += "modified"
+		if ok, err := needsLogin(r); err != nil {
+			t.Fatal(err)
+		} else if !ok {
+			t.Fatal(ok)
+		}
+	})
+
+	t.Run("bad namespace", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		u2 := user
+		u2.Group = "teehee"
+		setLoginCookie(w, r, u2)
+		if ok, err := needsLogin(r); err != nil {
+			t.Fatal(err)
+		} else if !ok {
+			t.Fatal(ok)
+		}
+	})
+
+	t.Run("ok", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		setLoginCookie(w, r, user)
+		if ok, err := needsLogin(r); err != nil {
+			t.Fatal(err)
+		} else if ok {
+			t.Fatal(ok)
+		}
+	})
+}
+
+func TestServerParseLogin(t *testing.T) {
+	server := newTestServer(t)
+
+	t.Run("no basic auth", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		if done, err := server.parseLogin(w, r); done || err != nil {
+			t.Fatal(done, err)
+		}
+		if w.Code == http.StatusUnauthorized {
+			t.Error(w.Code)
+		}
+	})
+
+	t.Run("bad basic auth", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		r.SetBasicAuth("junk", "junk")
+		if done, err := server.parseLogin(w, r); !done || err != nil {
+			t.Fatal(done, err)
+		}
+		if w.Code != http.StatusUnauthorized {
+			t.Error(w.Code)
+		}
+	})
+
+	t.Run("ok", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		r.SetBasicAuth("user", "passw")
+		if done, err := server.parseLogin(w, r); done || err != nil {
+			t.Fatal(done, err)
+		}
+		if w.Code == http.StatusUnauthorized {
+			t.Error(w.Code)
+		}
+		if len(w.Header()["Set-Cookie"]) != 1 {
+			t.Error(w.Header())
+		}
+		if user, ok := loginCookie(r); !ok || user.User != "user" || user.Groups[0] != "group" || user.Groups[1] != "othergroup" {
+			t.Error(user)
+		}
+	})
+}
+
+func TestServerAuthenticate(t *testing.T) {
+	server := newTestServer(t)
+
+	t.Run("ok: already logged in", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		setLoginCookie(httptest.NewRecorder(), r, User{User: "user", Group: "othergroup", Groups: []string{"group", "othergroup"}})
+		s2, done, err := server.authenticate(nil, r)
+		if err != nil {
+			t.Error(err)
+		}
+		if done {
+			t.Error(done)
+		}
+		if server == s2 {
+			t.Error(done)
+		}
+		if server.user != nil {
+			t.Error(server.user)
+		}
+		if s2.user == nil {
+			t.Error(s2.user)
+		}
+		if s2.user.User != "user" {
+			t.Error(s2.user)
+		}
+		if s2.user.Group != "othergroup" {
+			t.Error(s2.user)
+		}
+		if fmt.Sprint(s2.user.Groups) != fmt.Sprint([]string{"group", "othergroup"}) {
+			t.Error(s2.user)
+		}
+	})
+
+	t.Run("ok: basic auth", func(t *testing.T) {
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		w := httptest.NewRecorder()
+		r.SetBasicAuth("user", "passw")
+		s2, done, err := server.authenticate(w, r)
+		if err != nil {
+			t.Error(err)
+		}
+		if done {
+			t.Error(done)
+		}
+		if server == s2 {
+			t.Error(done)
+		}
+		if server.user != nil {
+			t.Error(server.user)
+		}
+		if s2.user == nil {
+			t.Error(s2.user)
+		}
+		if s2.user.User != "user" {
+			t.Error(s2.user)
+		}
+		if s2.user.Group != "group" {
+			t.Error(s2.user)
+		}
+		if fmt.Sprint(s2.user.Groups) != fmt.Sprint([]string{"group", "othergroup"}) {
+			t.Error(s2.user)
+		}
+		if w.Code != http.StatusOK {
+			t.Error(w.Code)
+		}
+		if len(w.Header()["Set-Cookie"]) != 1 {
+			t.Error(w.Header())
+		}
+	})
+}
+
+func newTestServer(t *testing.T) *Server {
+	cookieSecret = uuid.New().String()
+	p := path.Join(t.TempDir(), "auth.yaml")
+	ensureAndWrite(p, []byte(`{"users":{"user":{"password":"passw", "groups":["group", "othergroup"]}}}`))
+	return &Server{
+		auth: NewFileAuth(p),
+	}
+}

server/go.mod

@@ -3,8 +3,8 @@ module ezmded
 go 1.17
 
 require (
+	github.com/gomarkdown/markdown v0.0.0-20220114203417-14399d5448c4
 	github.com/google/uuid v1.3.0
-	go.mongodb.org/mongo-driver v1.7.2
 	gopkg.in/yaml.v2 v2.4.0
 	local/args v0.0.0-00010101000000-000000000000
 	local/gziphttp v0.0.0-00010101000000-000000000000
@@ -12,11 +12,6 @@ require (
 	local/simpleserve v0.0.0-00010101000000-000000000000
 )
 
-require (
-	github.com/go-stack/stack v1.8.0 // indirect
-	github.com/gomarkdown/markdown v0.0.0-20220114203417-14399d5448c4 // indirect
-)
-
 replace local/args => ../../../../args
 
 replace local/logb => ../../../../logb

server/go.sum

@@ -18,14 +18,12 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf
 github.com/coreos/bbolt v0.0.0-20180318001526-af9db2027c98/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/cpuguy83/go-md2man v1.0.8/go.mod h1:N6JayAiVKtlHSnuTCeuLSQVs75hb8q+dYQLjr7cDsKY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/djherbis/times v1.1.0/go.mod h1:CGMZlo255K5r4Yw0b9RRfFQpM2y7uOmxg4jm9HsaVf8=
 github.com/dropbox/dropbox-sdk-go-unofficial v5.4.0+incompatible/go.mod h1:lr+LhMM3F6Y3lW1T9j2U5l7QeuWm87N9+PPXo3yH4qY=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/fairlyblank/md2min v0.0.0-20171213131418-39cd6e9904ac/go.mod h1:QAobgT+CwT/SRphqV6Jrz5jt3wkW9Q72QNquEvh6dLk=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
 github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY=
@@ -60,7 +58,6 @@ github.com/gomarkdown/markdown v0.0.0-20210208175418-bda154fe17d8/go.mod h1:aii0
 github.com/gomarkdown/markdown v0.0.0-20220114203417-14399d5448c4 h1:6GlsnS3GQYfrJZTJEUsheoyLE6kLXQJDvQKIKxgL/9Q=
 github.com/gomarkdown/markdown v0.0.0-20220114203417-14399d5448c4/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
 github.com/gomodule/redigo v1.8.5/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
-github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -115,7 +112,6 @@ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.8.3/go.mod h1:NxmoDg/QLVWluQDUYG7XBZTLUpKeFa8e3aMf1BfjyHk=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rfjakob/eme v0.0.0-20171028163933-2222dbd4ba46/go.mod h1:U2bmx0hDj8EyDdcxmD5t3XHDnBFnyNNc22n1R4008eM=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -143,11 +139,9 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
 github.com/t3rm1n4l/go-mega v0.0.0-20190205172012-55a226cf41da/go.mod h1:XWL4vDyd3JKmJx+hZWUVgCNmmhZ2dTBcaNDcxH465s0=
-github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/xanzy/ssh-agent v0.2.0/go.mod h1:0NyE30eGUDliuLEHJgYte/zncp2zdTStcOnWhgSqHD8=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
@@ -156,7 +150,6 @@ github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/yuin/goldmark v1.3.4-0.20210326114109-75d8cce5b78c/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yunify/qingstor-sdk-go v2.2.15+incompatible/go.mod h1:w6wqLDQ5bBTzxGJ55581UrSwLrsTAsdo9N6yX/8d9RY=
-go.mongodb.org/mongo-driver v1.7.2 h1:pFttQyIiJUHEn50YfZgC9ECjITMT44oiN36uArf/OFg=
 go.mongodb.org/mongo-driver v1.7.2/go.mod h1:Q4oFMbo1+MSNqICAdYMlC/zSTrwCogR4R8NzkI+yfU8=
 golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -213,5 +206,4 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

server/main.go

@@ -1,23 +1,52 @@
 package main
 
 import (
+	"errors"
 	"local/args"
+	"log"
 	"net/http"
+	"os"
+	"path"
 	"strconv"
+	"strings"
 )
 
 func main() {
 	as := args.NewArgSet()
 	as.Append(args.INT, "p", "port to listen on", 3004)
 	as.Append(args.STRING, "d", "root dir with /index.html and /media and /files", "./public")
+	as.Append(args.STRING, "auth", "auth mode [none, path/to/some.yaml, ldap", "none")
 	if err := as.Parse(); err != nil {
 		panic(err)
 	}
-	s := NewServer(as.GetString("d"))
+	auth, err := authFactory(as.GetString("auth"))
+	if err != nil {
+		panic(err)
+	}
+	s := NewServer(as.GetString("d"), auth)
 	if err := s.Routes(); err != nil {
 		panic(err)
 	}
+	log.Printf("listening on %v with %s", as.GetInt("p"), as.GetString("auth"))
 	if err := http.ListenAndServe(":"+strconv.Itoa(as.GetInt("p")), s); err != nil {
 		panic(err)
 	}
 }
+
+func authFactory(key string) (auth, error) {
+	switch path.Base(strings.ToLower(key)) {
+	case "none", "":
+		return nil, nil
+	case "ldap":
+		return nil, errors.New("not impl ldap auth")
+	}
+	stat, err := os.Stat(key)
+	if os.IsNotExist(err) {
+		return nil, errors.New("looks like auth path does not exist")
+	} else if err != nil {
+		return nil, err
+	} else if stat.IsDir() {
+		return nil, errors.New("looks like auth path is a dir")
+	}
+	return NewFileAuth(key), nil
+}

server/public/ui/files.ctmpl

@@ -2,12 +2,12 @@
 <!DOCTYPE html>
 <html>
 	<header>
-		<title>id={{ .This.ID }}, {{ .This.Title }}</title>
+		<title>{{ .This.Title }}</title>
 		{{ template "_import" }}
 	</header>
 	<body class="fullscreen tb_fullscreen lr_fullscreen" style="position: absolute">
 		<div class="rows" style="height: inherit;">
-			{{ template "_searchbar" }}
+			{{ template "_topbar" . }}
 			<div class="columns thic_flex tb_buffer" style="height: calc(100% - 4rem);">
 				{{ template "_filetree" . }}
 				<div class="thic_flex lr_fullscreen" style="margin-left: 1em; width: 5px;">

server/public/ui/render.go

@@ -36,6 +36,7 @@ func main() {
 		return oneT
 	}
 	data := map[string]interface{}{
+		"Namespaces": []string{"datastore", "dp-orchestration"},
 		"This": map[string]interface{}{
 			"ID":       "id00/id11",
 			"Title":    "title id11",

server/public/ui/search.ctmpl

@@ -7,7 +7,7 @@
 	</header>
 	<body class="fullscreen tb_fullscreen lr_fullscreen" style="position: absolute">
 		<div class="rows" style="height: inherit;">
-         {{ template "_searchbar" }}
+			{{ template "_topbar" . }}
 			<div class="columns thic_flex tb_buffer" style="height: calc(100% - 4rem);">
             {{ template "_filetree" . }}
 				<div class="thic_flex lr_fullscreen" style="margin-left: 1em; width: 5px;">

server/public/ui/templates/_about.ctmpl

@@ -32,6 +32,16 @@
 			<li>Create a file that just contains "https://gitlab.com/my/repo/-/tree/master/README.md" or "https://docs.google.com/docs/my-doc/edit", wait some time, and now it's an updating version of that doc</li>
 			<li>Create a file that just contains "https://gitlab.com/my/repo/-/tree/master/runbooks", wait some time, and now it's an updating version of all those docs</li>
 		</ul>
+
+		<h3>Butt how do I use it?</h3>
+		<div>
+			<ol>
+				<li>Make or edit a file</li>
+				<li>The first line is a link to Gitlab or Google</li>
+				<li>Save</li>
+				<li>Wait</li>
+			</ol>
+		</div>
 	</div>
 
 	<h2>I got a bone to pick with you!!! Who are you exactly?</h2>

server/public/ui/templates/_editor.ctmpl

@@ -5,10 +5,15 @@
 	#easyMDEwrap {
 		flex-grow: 1;
 	}
+	.CodeMirror {
+		min-height: 7em;
+	}
 	.CodeMirror-scroll, .CodeMirror-sizer {
-		min-height: 10px !important;
 		height: auto !important;
 	}
+	.CodeMirror-sizer {
+		min-height: 10rem !important;
+	}
 	#article {
 		display: flex;
 		flex-direction: column;

server/public/ui/templates/_namespace.ctmpl

@@ -0,0 +1,16 @@
+{{ define "_namespace" }}
+	<script>
+		function setNamespace() {
+			document.getElementById("namespace").disabled = true
+			window.location.href = `${window.location.protocol}`+"//"+`${window.location.host}/ui/files?namespace=${document.getElementById("namespace").value}`
+		}
+	</script>
+	{{ $cur := .Namespace }}
+	{{ if .Namespaces }}
+		<select id="namespace" onload="markNamespace()" onchange="setNamespace()" style="max-width: 7rem;">
+			{{ range .Namespaces }}
+				<option {{ if eq $cur . }}selected{{ end }}>{{ . }}</option>
+			{{ end }}
+		</select>
+	{{ end }}
+{{ end }}

server/public/ui/templates/_searchbar.ctmpl

@@ -1,5 +1,5 @@
 {{ define "_searchbar" }}
-<form class="columns" action="/ui/search" method="GET">
+<form class="columns thic_flex" action="/ui/search" method="GET">
 	<input class="thic_flex" type="text" name="q" placeholder="space delimited search regexp"/>
 	<input class="info lil_btn" type="submit" value="search"/>
 </form>

server/public/ui/templates/_topbar.ctmpl

@@ -0,0 +1,6 @@
+{{ define "_topbar" }}
+			<div class="columns lr_fullscreen">
+				{{ template "_namespace" . }}
+				{{ template "_searchbar" . }}
+			</div>
+{{ end }}

server/server.go

@@ -28,16 +28,29 @@ import (
 type Server struct {
 	router *router.Router
 	root   string
+	auth   auth
+	user   *User
 }
 
-func NewServer(root string) *Server {
+func NewServer(root string, auth auth) *Server {
 	return &Server{
-		router: router.New(),
-		root:   root,
+		root: root,
+		auth: auth,
 	}
 }
 
+func (server *Server) WithUser(user, group string, groups []string) *Server {
+	s2 := *server
+	s2.user = &User{
+		User:   user,
+		Group:  group,
+		Groups: groups,
+	}
+	return &s2
+}
+
 func (server *Server) Routes() error {
+	server.router = router.New()
 	wildcard := func(s string) string {
 		return strings.TrimSuffix(s, "/") + "/" + router.Wildcard
 	}
@@ -56,7 +69,6 @@ func (server *Server) Routes() error {
 		"/ui/search":               server.uiSearchHandler,
 		wildcards("/ui/files"):     server.uiFilesHandler,
 	} {
-		log.Printf("listening for %s", path)
 		if err := server.router.Add(path, server.tryCatchHttpHandler(handler)); err != nil {
 			return err
 		}
@@ -65,6 +77,22 @@ func (server *Server) Routes() error {
 }
 
 func (server *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if server.auth != nil {
+		s2, done, err := server.authenticate(w, r)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		if done {
+			return
+		}
+		if s2 != nil {
+			server = s2
+		}
+	}
+	if err := server.Routes(); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
 	server.router.ServeHTTP(w, r)
 }
 
@@ -235,11 +263,20 @@ func (server *Server) uiSearchHandler(w http.ResponseWriter, r *http.Request) er
 		return err
 	}
 	return t.Lookup("search").Execute(w, map[string]interface{}{
-		"Results": data,
-		"Tree":    string(branchesJSON),
+		"Results":    data,
+		"Tree":       string(branchesJSON),
+		"Namespaces": server.getUser().Groups,
+		"Namespace":  server.getUser().Group,
 	})
 }
 
+func (server *Server) getUser() User {
+	if server.user != nil {
+		return *server.user
+	}
+	return User{}
+}
+
 func (server *Server) uiFilesHandler(w http.ResponseWriter, r *http.Request) error {
 	id := NewID(strings.TrimPrefix(r.URL.Path, "/ui/files"))
 	t, err := server.uiSubTemplates()
@@ -289,7 +326,9 @@ func (server *Server) uiFilesHandler(w http.ResponseWriter, r *http.Request) err
 			"PID":      id.Pop().String(),
 			"PTitle":   parent.Meta.Title,
 		},
-		"Tree": string(branchesJSON),
+		"Tree":       string(branchesJSON),
+		"Namespaces": server.getUser().Groups,
+		"Namespace":  server.getUser().Group,
 	}
 	return t.Lookup("files").Execute(w, data)
 }
@@ -327,7 +366,7 @@ func (server *Server) rootHandler(w http.ResponseWriter, r *http.Request) error
 }
 
 func (server *Server) tree() Tree {
-	return NewTree(path.Join(server.root, "files"))
+	return NewTree(path.Join(server.root, "files", server.getUser().Group))
 }
 
 func (server *Server) diskMediaPath(id string) string {

server/server_test.go

@@ -12,7 +12,7 @@ import (
 )
 
 func TestServerRoutes(t *testing.T) {
-	server := NewServer(t.TempDir())
+	server := NewServer(t.TempDir(), nil)
 	if err := server.Routes(); err != nil {
 		t.Fatal(err)
 	}
@@ -153,7 +153,7 @@ func TestServerRoutes(t *testing.T) {
 }
 
 func TestServerPutTreeGetFile(t *testing.T) {
-	server := NewServer(t.TempDir())
+	server := NewServer(t.TempDir(), nil)
 	if err := server.Routes(); err != nil {
 		t.Fatal(err)
 	}

server/testdata/users.yaml

@@ -0,0 +1,6 @@
+users:
+  breel:
+    password: breel
+    groups:
+    - g1
+    - g2

todo.yaml

@@ -1,20 +1,28 @@
 todo:
-- /ui/files is an about page over a redir
-- gitlab wiki original links are empty
-- /ui/files does not redir in b1
+- create fileauth login file
+- secret for cookie encrypt+decrypt
+- secrets
+- team-specific deployment;; prob grab a VM
 - mark generated via meta so other files in the dir can be created, deleted, replaced safely
 - links like `/Smoktests` in user-files home wiki don't rewrite
 - map fullURLScraped->internalURL for relative links sometimes
-- anchors on gitlab wikis at least are bad
-- min-height for easymde
-- use `meta` so no need for extra level for explicit single files
+- LDAP login
 - scrape odo
 - rewrite links if available to local
-- table of contents
 - anchor per line
 - anchor links work
 - ui; last updated; 2022.02.01T12:34:56
 done:
+- encrypt files at docker build time, put decrypt key in vault
+- gitlab/-/blob/about.md does NOT map to exactly 1 file
+- crawler does NOT modify title cause readme.md everywhere
+- use `meta` so no need for extra level for explicit single files
+- table of contents
+- min-height for easymde
+- /ui/files does not redir in b1
+- anchors on gitlab wikis at least are bad
+- gitlab wiki original links are empty
+- /ui/files is an about page over a redir
 - use `read-only` for autogenerated things;; could skip easymde and make google docs much faster
 - new line after original link
 - scrape gslide