Increasing coverage of ACL / Permissions

.github/workflows/deploy.yml

@@ -0,0 +1,81 @@
+name: Syftbox Deploy
+
+# This workflow deploys Syftbox to development and staging environments.
+# For production releases, use the release.yml workflow instead.
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to deploy to'
+        required: true
+        default: 'dev'
+        type: choice
+        options:
+          - dev
+          - stage
+
+jobs:
+  build-and-deploy:
+    # Build and deploy to target environment
+    runs-on: macos-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.21'
+
+      - name: Install just
+        uses: taiki-e/install-action@just
+
+      - name: Install GoReleaser
+        run: |
+          brew install --cask goreleaser/tap/goreleaser
+          goreleaser --version
+
+      - name: Setup toolchain
+        run: just setup-toolchain
+
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+
+          # Use environment-specific SSH private key
+          case "${{ inputs.environment }}" in
+            "dev")
+              echo "${{ secrets.SSH_PRIVATE_KEY_DEV }}" > ~/.ssh/id_rsa
+              ssh-keyscan -H ${{ secrets.SSH_HOST_DEV }} >> ~/.ssh/known_hosts
+              ;;
+            "stage")
+              echo "${{ secrets.SSH_PRIVATE_KEY_STAGE }}" > ~/.ssh/id_rsa
+              ssh-keyscan -H ${{ secrets.SSH_HOST_STAGE }} >> ~/.ssh/known_hosts
+              ;;
+            *)
+              echo "Unknown environment: ${{ inputs.environment }}"
+              exit 1
+              ;;
+          esac
+
+          chmod 700 ~/.ssh
+          chmod 600 ~/.ssh/id_rsa
+
+      - name: Deploy to ${{ inputs.environment }}
+        run: |
+          case "${{ inputs.environment }}" in
+            "dev")
+              REMOTE="${{ secrets.SSH_USER_DEV }}@${{ secrets.SSH_HOST_DEV }}"
+              ;;
+            "stage")
+              REMOTE="${{ secrets.SSH_USER_STAGE }}@${{ secrets.SSH_HOST_STAGE }}"
+              ;;
+            *)
+              echo "Unknown environment: ${{ inputs.environment }}"
+              exit 1
+              ;;
+          esac
+
+          just deploy $REMOTE

.github/workflows/release.yml

@@ -0,0 +1,131 @@
+name: Syftbox Release
+
+# This workflow creates a new release and deploys to production.
+# For dev/stage deployments, use the deploy.yml workflow instead.
+
+on:
+  workflow_dispatch:
+    inputs:
+      version_type:
+        description: 'Version type for the release'
+        required: true
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+jobs:
+  version:
+    # Handle version bumping and tagging
+    runs-on: macos-latest
+    outputs:
+      version: ${{ steps.bump-version.outputs.version }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Required for svu to work properly with git history
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.21'
+
+      - name: Install just
+        uses: taiki-e/install-action@just
+
+      - name: Install svu
+        run: go install github.com/caarlos0/svu@latest
+
+      - name: Install jq
+        run: brew install jq
+
+      - name: Setup git config
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          git config user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
+          git config user.name "$(gh api /users/${GITHUB_ACTOR} | jq .name -r)"
+
+      - name: Show current version
+        run: |
+          echo "Current version information:"
+          just show-version
+
+      - name: Bump version
+        id: bump-version
+        run: |
+          echo "Releasing version for production deployment..."
+          just release ${{ inputs.version_type }}
+          version=$(git describe --tags --abbrev=0)
+          echo "version=${version}" >> $GITHUB_OUTPUT
+
+      - name: Push version changes
+        run: |
+          # Set a new remote URL using HTTPS with the github token
+          git remote set-url origin https://x-access-token:${{ github.token }}@github.com/${{ github.repository }}.git
+
+          # Push the current branch to the remote repo
+          git push origin
+
+          # Push the tag to the remote repo
+          git push origin --tags
+
+      - name: Show new version
+        run: |
+          echo "New version information:"
+          just show-version
+
+  build-and-deploy:
+    needs: version
+    # Build and deploy to production
+    runs-on: macos-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.21'
+
+      - name: Install just
+        uses: taiki-e/install-action@just
+
+      - name: Install GoReleaser
+        run: |
+          brew install --cask goreleaser/tap/goreleaser
+          goreleaser --version
+
+      - name: Setup toolchain
+        run: just setup-toolchain
+
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY_PROD }}" > ~/.ssh/id_rsa
+          ssh-keyscan -H ${{ secrets.SSH_HOST_PROD }} >> ~/.ssh/known_hosts
+          chmod 600 ~/.ssh/id_rsa
+          chmod 700 ~/.ssh
+
+      - name: Deploy to production
+        run: |
+          REMOTE="${{ secrets.SSH_USER_PROD }}@${{ secrets.SSH_HOST_PROD }}"
+          just deploy $REMOTE
+
+      - name: Create release
+        uses: ncipollo/release-action@v1
+        with:
+          tag: ${{ needs.version.outputs.version }}
+          name: ${{ needs.version.outputs.version }}
+          draft: true
+          allowUpdates: true
+          omitBodyDuringUpdate: true
+          makeLatest: true
+          generateReleaseNotes: true
+          artifacts: |
+            releases/*.tar.gz
+            releases/*.zip

README.md

@@ -1,6 +1,27 @@
 # SyftBox
 
-## Quickstart
+SyftBox is an open-source protocol that enables developers and organizations to build, deploy, and federate privacy-preserving computations seamlessly across a network. Unlock the ability to run computations on distributed datasets without centralizing data—preserving security while gaining valuable insights.
+
+Read the [documentation](https://www.syftbox.net) for more details.
+
+> [!WARNING]
+> This project is a rewrite of the [original Python version](https://github.com/OpenMined/syft). Consequently, the linked documentation may not fully reflect the current implementation.
+
+## Quick Start
+
+Using the GUI, from https://github.com/OpenMined/SyftUI/releases
+
+On macOS and Linux.
+```
+curl -fsSL https://syftbox.net/install.sh | sh
+```
+
+On Windows using Powershell
+```
+powershell -ExecutionPolicy ByPass -c "irm https://syftbox.net/install.ps1 | iex"
+```
+
+## Contributing
 
 ### Install Go
 Follow the official [Go installation guide](https://golang.org/doc/install) to set up Go on your system.
@@ -26,29 +47,4 @@ Verify your setup by running the tests:
 just test
 ```
 
-
-SyftBox is an open-source protocol that enables developers and organizations to build, deploy, and federate privacy-preserving computations seamlessly across a network. Unlock the ability to run computations on distributed datasets without centralizing data—preserving security while gaining valuable insights.
-
-Read the [documentation](https://syftbox-documentation.openmined.org/get-started) for more details.
-
-> [!WARNING]
-> This project is a rewrite of the [original Python version](https://github.com/OpenMined/syft). Consequently, the linked documentation may not fully reflect the current implementation.
-
-## Installation
-
-Using the GUI, from https://github.com/OpenMined/SyftUI/releases
-
-
-On macOS and Linux.
-```
-curl -fsSL https://syftboxdev.openmined.org/install.sh | sh
-```
-
-On Windows using Powershell
-```
-powershell -ExecutionPolicy ByPass -c "irm https://syftboxdev.openmined.org/install.ps1 | iex"
-```
-
-## Contributing
-
-See the [development guide](./DEVELOPMENT.md) to get started
+See the [development guide](./DEVELOPMENT.md) for more details

cmd/client/main.go

@@ -22,9 +22,7 @@ import (
 )
 
 var (
-	home, _     = os.UserHomeDir()
-	oldProdURL  = "syftbox.openmined.org"
-	oldStageURL = "syftboxstage.openmined.org"
+	home, _ = os.UserHomeDir()
 )
 
 var rootCmd = &cobra.Command{
@@ -166,11 +164,9 @@ func loadConfig(cmd *cobra.Command) (*config.Config, error) {
 		return nil, fmt.Errorf("config read: %w", err)
 	}
 
-	// perform migrations
 	// this will error out because a re-auth with server will be required
-	if strings.Contains(cfg.ServerURL, oldProdURL) ||
-		strings.Contains(cfg.ServerURL, oldStageURL) {
-		return nil, fmt.Errorf("legacy config detected. please run `syftbox login` to re-authenticate")
+	if strings.Contains(cfg.ServerURL, "openmined.org") {
+		return nil, fmt.Errorf("legacy server detected. run `syftbox login` to re-authenticate")
 	}
 
 	return cfg, nil

cmd/client/main_test.go

@@ -12,7 +12,7 @@ import (
 
 func TestLoadConfigEnv(t *testing.T) {
 	t.Setenv("SYFTBOX_EMAIL", "test@example.com")
-	t.Setenv("SYFTBOX_SERVER_URL", "https://test.openmined.org")
+	t.Setenv("SYFTBOX_SERVER_URL", "https://test.syftbox.net")
 	t.Setenv("SYFTBOX_CLIENT_URL", "http://localhost:7938")
 	t.Setenv("SYFTBOX_APPS_ENABLED", "true")
 	t.Setenv("SYFTBOX_REFRESH_TOKEN", "test-refresh-token")
@@ -34,7 +34,7 @@ func TestLoadConfigEnv(t *testing.T) {
 	require.NoError(t, err)
 
 	assert.Equal(t, "test@example.com", cfg.Email)
-	assert.Equal(t, "https://test.openmined.org", cfg.ServerURL)
+	assert.Equal(t, "https://test.syftbox.net", cfg.ServerURL)
 	assert.Equal(t, "http://localhost:7938", cfg.ClientURL)
 	assert.Equal(t, true, cfg.AppsEnabled)
 	assert.Equal(t, "test-refresh-token", cfg.RefreshToken)
@@ -55,7 +55,7 @@ func TestLoadConfigJSON(t *testing.T) {
 {
 	"email": "test@example.com",
 	"data_dir": "/tmp/syftbox-test-json",
-	"server_url": "https://test-json.openmined.org",
+	"server_url": "https://test-json.syftbox.net",
 	"client_url": "http://localhost:8080",
 	"refresh_token": "test-refresh-token-json",
 	"access_token": "test-access-token-json"
@@ -78,7 +78,7 @@ func TestLoadConfigJSON(t *testing.T) {
 	require.Equal(t, dummyConfigFile, cfg.Path)
 	assert.Equal(t, "test@example.com", cfg.Email)
 	assert.Equal(t, "/tmp/syftbox-test-json", cfg.DataDir)
-	assert.Equal(t, "https://test-json.openmined.org", cfg.ServerURL)
+	assert.Equal(t, "https://test-json.syftbox.net", cfg.ServerURL)
 	assert.Equal(t, "http://localhost:8080", cfg.ClientURL)
 	assert.Equal(t, "test-refresh-token-json", cfg.RefreshToken)
 	assert.Equal(t, "test-access-token-json", cfg.AccessToken) // can read, but not persist!

cmd/server/main.go

@@ -32,7 +32,6 @@ const (
 
 var (
 	dotenvLoaded bool
-	prodEnv      bool
 )
 
 var rootCmd = &cobra.Command{
@@ -84,19 +83,31 @@ func init() {
 	} else {
 		dotenvLoaded = true
 	}
-
-	prodEnv = os.Getenv("SYFTBOX_ENV") == "PROD"
 }
 
 func main() {
 	// Setup logger
-	var handler slog.Handler
-	if prodEnv {
-		handler = slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
+	logger := slog.New(setupHandler())
+	slog.SetDefault(logger)
+
+	// Setup root context with signal handling
+	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer stop()
+
+	// server go brr
+	if err := rootCmd.ExecuteContext(ctx); err != nil {
+		os.Exit(1)
+	}
+}
+
+func setupHandler() slog.Handler {
+	switch os.Getenv("SYFTBOX_ENV") {
+	case "PROD", "STAGE":
+		return slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
 			Level: slog.LevelDebug,
 		})
-	} else {
-		handler = tint.NewHandler(os.Stdout, &tint.Options{
+	default:
+		return tint.NewHandler(os.Stdout, &tint.Options{
 			Level:      slog.LevelDebug,
 			AddSource:  true,
 			TimeFormat: time.DateTime,
@@ -108,17 +119,6 @@ func main() {
 			},
 		})
 	}
-	logger := slog.New(handler)
-	slog.SetDefault(logger)
-
-	// Setup root context with signal handling
-	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-	defer stop()
-
-	// server go brr
-	if err := rootCmd.ExecuteContext(ctx); err != nil {
-		os.Exit(1)
-	}
 }
 
 // loadConfig initializes viper, reads config file/env vars, and maps values to config