feat(tfstated): implement HTTP basic auth
This commit is contained in:
parent
4020344eda
commit
3d8812fbd0
18 changed files with 245 additions and 58 deletions
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -1,4 +1,4 @@
|
|||
tfstate
|
||||
tfstated
|
||||
tfstate.db
|
||||
tfstate.db-shm
|
||||
tfstate.db-wal
|
||||
|
|
|
@ -11,20 +11,22 @@ import (
|
|||
func TestDelete(t *testing.T) {
|
||||
tests := []struct {
|
||||
method string
|
||||
auth bool
|
||||
uri url.URL
|
||||
body io.Reader
|
||||
expect string
|
||||
status int
|
||||
msg string
|
||||
}{
|
||||
{"DELETE", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"DELETE", url.URL{Path: "/non_existent_delete"}, nil, "", http.StatusNotFound, "non existent"},
|
||||
{"POST", url.URL{Path: "/test_delete"}, strings.NewReader("the_test_delete"), "", http.StatusOK, "/test_delete"},
|
||||
{"DELETE", url.URL{Path: "/test_delete"}, nil, "", http.StatusOK, "/test_delete"},
|
||||
{"DELETE", url.URL{Path: "/test_delete"}, nil, "", http.StatusNotFound, "/test_delete"},
|
||||
{"DELETE", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
|
||||
{"DELETE", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"DELETE", true, url.URL{Path: "/non_existent_delete"}, nil, "", http.StatusNotFound, "non existent"},
|
||||
{"POST", true, url.URL{Path: "/test_delete"}, strings.NewReader("the_test_delete"), "", http.StatusOK, "/test_delete"},
|
||||
{"DELETE", true, url.URL{Path: "/test_delete"}, nil, "", http.StatusOK, "/test_delete"},
|
||||
{"DELETE", true, url.URL{Path: "/test_delete"}, nil, "", http.StatusNotFound, "/test_delete"},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
if err != nil {
|
||||
t.Fatalf("failed %s with error: %+v", tt.method, err)
|
||||
} else if r.StatusCode != tt.status {
|
||||
|
|
|
@ -11,19 +11,21 @@ import (
|
|||
func TestGet(t *testing.T) {
|
||||
tests := []struct {
|
||||
method string
|
||||
auth bool
|
||||
uri url.URL
|
||||
body io.Reader
|
||||
expect string
|
||||
status int
|
||||
msg string
|
||||
}{
|
||||
{"GET", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"GET", url.URL{Path: "/non_existent_get"}, strings.NewReader(""), "", http.StatusOK, "non existent"},
|
||||
{"POST", url.URL{Path: "/test_get"}, strings.NewReader("the_test_get"), "", http.StatusOK, "/test_get"},
|
||||
{"GET", url.URL{Path: "/test_get"}, nil, "the_test_get", http.StatusOK, "/test_get"},
|
||||
{"GET", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
|
||||
{"GET", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"GET", true, url.URL{Path: "/non_existent_get"}, strings.NewReader(""), "", http.StatusOK, "non existent"},
|
||||
{"POST", true, url.URL{Path: "/test_get"}, strings.NewReader("the_test_get"), "", http.StatusOK, "/test_get"},
|
||||
{"GET", true, url.URL{Path: "/test_get"}, nil, "the_test_get", http.StatusOK, "/test_get"},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
if err != nil {
|
||||
t.Fatalf("failed %s with error: %+v", tt.method, err)
|
||||
} else if r.StatusCode != tt.status {
|
||||
|
|
|
@ -7,7 +7,7 @@ import (
|
|||
)
|
||||
|
||||
func TestHealthz(t *testing.T) {
|
||||
runHTTPRequest("GET", &url.URL{Path: "/healthz"}, nil, func(r *http.Response, err error) {
|
||||
runHTTPRequest("GET", false, &url.URL{Path: "/healthz"}, nil, func(r *http.Response, err error) {
|
||||
if err != nil {
|
||||
t.Fatalf("failed healthcheck with error: %+v", err)
|
||||
} else if r.StatusCode != http.StatusOK {
|
||||
|
|
|
@ -11,24 +11,26 @@ import (
|
|||
func TestLock(t *testing.T) {
|
||||
tests := []struct {
|
||||
method string
|
||||
auth bool
|
||||
uri url.URL
|
||||
body io.Reader
|
||||
expect string
|
||||
status int
|
||||
msg string
|
||||
}{
|
||||
{"LOCK", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"LOCK", url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
|
||||
{"LOCK", url.URL{Path: "/non_existent_lock"}, strings.NewReader("{}"), "", http.StatusBadRequest, "invalid lock data on non existent state"},
|
||||
{"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
|
||||
{"GET", url.URL{Path: "/test_lock"}, nil, "", http.StatusOK, "/test_lock"},
|
||||
{"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"\"}"), "", http.StatusBadRequest, "invalid lock data on already locked state"},
|
||||
{"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on already locked state"},
|
||||
{"POST", url.URL{Path: "/test_lock", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_lock"), "", http.StatusOK, "/test_lock"},
|
||||
{"GET", url.URL{Path: "/test_lock"}, nil, "the_test_lock", http.StatusOK, "/test_lock"},
|
||||
{"LOCK", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
|
||||
{"LOCK", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"LOCK", true, url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
|
||||
{"LOCK", true, url.URL{Path: "/non_existent_lock"}, strings.NewReader("{}"), "", http.StatusBadRequest, "invalid lock data on non existent state"},
|
||||
{"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
|
||||
{"GET", true, url.URL{Path: "/test_lock"}, nil, "", http.StatusOK, "/test_lock"},
|
||||
{"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"\"}"), "", http.StatusBadRequest, "invalid lock data on already locked state"},
|
||||
{"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on already locked state"},
|
||||
{"POST", true, url.URL{Path: "/test_lock", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_lock"), "", http.StatusOK, "/test_lock"},
|
||||
{"GET", true, url.URL{Path: "/test_lock"}, nil, "the_test_lock", http.StatusOK, "/test_lock"},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
if err != nil {
|
||||
t.Fatalf("failed %s with error: %+v", tt.method, err)
|
||||
} else if r.StatusCode != tt.status {
|
||||
|
|
|
@ -52,6 +52,10 @@ func run(
|
|||
db.SetVersionsHistoryLimit(n)
|
||||
}
|
||||
|
||||
if err := db.InitAdminAccount(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
mux := http.NewServeMux()
|
||||
addRoutes(
|
||||
mux,
|
||||
|
|
|
@ -19,6 +19,7 @@ var baseURI = url.URL{
|
|||
Scheme: "http",
|
||||
}
|
||||
var db *database.DB
|
||||
var password string
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
ctx := context.Background()
|
||||
|
@ -58,6 +59,13 @@ func TestMain(m *testing.M) {
|
|||
os.Exit(1)
|
||||
}
|
||||
|
||||
admin, err := db.LoadAccountByUsername("admin")
|
||||
if err != nil {
|
||||
fmt.Fprintf(os.Stderr, "%+v\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
password = admin.Password
|
||||
|
||||
ret := m.Run()
|
||||
|
||||
cancel()
|
||||
|
@ -71,7 +79,7 @@ func TestMain(m *testing.M) {
|
|||
os.Exit(ret)
|
||||
}
|
||||
|
||||
func runHTTPRequest(method string, uriRef *url.URL, body io.Reader, testFunc func(*http.Response, error)) {
|
||||
func runHTTPRequest(method string, auth bool, uriRef *url.URL, body io.Reader, testFunc func(*http.Response, error)) {
|
||||
uri := baseURI.ResolveReference(uriRef)
|
||||
client := http.Client{}
|
||||
req, err := http.NewRequest(method, uri.String(), body)
|
||||
|
@ -79,6 +87,9 @@ func runHTTPRequest(method string, uriRef *url.URL, body io.Reader, testFunc fun
|
|||
testFunc(nil, fmt.Errorf("failed to create request: %w", err))
|
||||
return
|
||||
}
|
||||
if auth {
|
||||
req.SetBasicAuth("admin", password)
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
testFunc(nil, fmt.Errorf("failed to do request: %w\n", err))
|
||||
|
|
|
@ -6,6 +6,7 @@ import (
|
|||
"net/http"
|
||||
|
||||
"git.adyxax.org/adyxax/tfstated/pkg/database"
|
||||
"git.adyxax.org/adyxax/tfstated/pkg/model"
|
||||
)
|
||||
|
||||
func handlePost(db *database.DB) http.Handler {
|
||||
|
@ -24,7 +25,8 @@ func handlePost(db *database.DB) http.Handler {
|
|||
_ = errorResponse(w, http.StatusBadRequest, err)
|
||||
return
|
||||
}
|
||||
if idMismatch, err := db.SetState(r.URL.Path, data, id); err != nil {
|
||||
account := r.Context().Value("account").(*model.Account)
|
||||
if idMismatch, err := db.SetState(r.URL.Path, account.Id, data, id); err != nil {
|
||||
if idMismatch {
|
||||
_ = errorResponse(w, http.StatusConflict, err)
|
||||
} else {
|
||||
|
|
|
@ -11,31 +11,33 @@ import (
|
|||
func TestPost(t *testing.T) {
|
||||
tests := []struct {
|
||||
method string
|
||||
auth bool
|
||||
uri url.URL
|
||||
body io.Reader
|
||||
expect string
|
||||
status int
|
||||
msg string
|
||||
}{
|
||||
{"POST", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"POST", url.URL{Path: "/test_post"}, nil, "", http.StatusBadRequest, "without a body"},
|
||||
{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post"), "", http.StatusOK, "without lock ID in query string"},
|
||||
{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
|
||||
{"POST", url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post2"), "", http.StatusConflict, "with a lock ID on an unlocked state"},
|
||||
{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
|
||||
{"LOCK", url.URL{Path: "/test_post"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "/test_post"},
|
||||
{"POST", url.URL{Path: "/test_post", RawQuery: "ID=ffffffff-ffff-ffff-ffff-ffffffffffff"}, strings.NewReader("the_test_post3"), "", http.StatusConflict, "with a wrong lock ID on a locked state"},
|
||||
{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
|
||||
{"POST", url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post4"), "", http.StatusOK, "with a correct lock ID on a locked state"},
|
||||
{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post4", http.StatusOK, "/test_post"},
|
||||
{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post5"), "", http.StatusOK, "without lock ID in query string on a locked state"},
|
||||
{"GET", url.URL{Path: "/test_post"}, nil, "the_test_post5", http.StatusOK, "/test_post"},
|
||||
{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post6"), "", http.StatusOK, "another post just to make sure the history limit works"},
|
||||
{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post7"), "", http.StatusOK, "another post just to make sure the history limit works"},
|
||||
{"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post8"), "", http.StatusOK, "another post just to make sure the history limit works"},
|
||||
{"POST", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
|
||||
{"POST", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"POST", true, url.URL{Path: "/test_post"}, nil, "", http.StatusBadRequest, "without a body"},
|
||||
{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post"), "", http.StatusOK, "without lock ID in query string"},
|
||||
{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
|
||||
{"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post2"), "", http.StatusConflict, "with a lock ID on an unlocked state"},
|
||||
{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
|
||||
{"LOCK", true, url.URL{Path: "/test_post"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "/test_post"},
|
||||
{"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=ffffffff-ffff-ffff-ffff-ffffffffffff"}, strings.NewReader("the_test_post3"), "", http.StatusConflict, "with a wrong lock ID on a locked state"},
|
||||
{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
|
||||
{"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post4"), "", http.StatusOK, "with a correct lock ID on a locked state"},
|
||||
{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post4", http.StatusOK, "/test_post"},
|
||||
{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post5"), "", http.StatusOK, "without lock ID in query string on a locked state"},
|
||||
{"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post5", http.StatusOK, "/test_post"},
|
||||
{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post6"), "", http.StatusOK, "another post just to make sure the history limit works"},
|
||||
{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post7"), "", http.StatusOK, "another post just to make sure the history limit works"},
|
||||
{"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post8"), "", http.StatusOK, "another post just to make sure the history limit works"},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
if err != nil {
|
||||
t.Fatalf("failed %s with error: %+v", tt.method, err)
|
||||
} else if r.StatusCode != tt.status {
|
||||
|
|
|
@ -3,6 +3,7 @@ package main
|
|||
import (
|
||||
"net/http"
|
||||
|
||||
"git.adyxax.org/adyxax/tfstated/pkg/basic_auth"
|
||||
"git.adyxax.org/adyxax/tfstated/pkg/database"
|
||||
)
|
||||
|
||||
|
@ -12,9 +13,10 @@ func addRoutes(
|
|||
) {
|
||||
mux.Handle("GET /healthz", handleHealthz())
|
||||
|
||||
mux.Handle("DELETE /", handleDelete(db))
|
||||
mux.Handle("GET /", handleGet(db))
|
||||
mux.Handle("LOCK /", handleLock(db))
|
||||
mux.Handle("POST /", handlePost(db))
|
||||
mux.Handle("UNLOCK /", handleUnlock(db))
|
||||
basicAuth := basic_auth.Middleware(db)
|
||||
mux.Handle("DELETE /", basicAuth(handleDelete(db)))
|
||||
mux.Handle("GET /", basicAuth(handleGet(db)))
|
||||
mux.Handle("LOCK /", basicAuth(handleLock(db)))
|
||||
mux.Handle("POST /", basicAuth(handlePost(db)))
|
||||
mux.Handle("UNLOCK /", basicAuth(handleUnlock(db)))
|
||||
}
|
||||
|
|
|
@ -11,22 +11,24 @@ import (
|
|||
func TestUnlock(t *testing.T) {
|
||||
tests := []struct {
|
||||
method string
|
||||
auth bool
|
||||
uri url.URL
|
||||
body io.Reader
|
||||
expect string
|
||||
status int
|
||||
msg string
|
||||
}{
|
||||
{"UNLOCK", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"UNLOCK", url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
|
||||
{"UNLOCK", url.URL{Path: "/non_existent_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on non existent state"},
|
||||
{"LOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
|
||||
{"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF\"}"), "", http.StatusConflict, "valid but wrong lock data on a locked state"},
|
||||
{"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid and correct lock data on a locked state"},
|
||||
{"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid and correct lock data on a now unlocked state"},
|
||||
{"UNLOCK", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
|
||||
{"UNLOCK", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
|
||||
{"UNLOCK", true, url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
|
||||
{"UNLOCK", true, url.URL{Path: "/non_existent_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on non existent state"},
|
||||
{"LOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
|
||||
{"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF\"}"), "", http.StatusConflict, "valid but wrong lock data on a locked state"},
|
||||
{"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid and correct lock data on a locked state"},
|
||||
{"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid and correct lock data on a now unlocked state"},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
|
||||
if err != nil {
|
||||
t.Fatalf("failed %s with error: %+v", tt.method, err)
|
||||
} else if r.StatusCode != tt.status {
|
||||
|
|
2
go.mod
2
go.mod
|
@ -3,3 +3,5 @@ module git.adyxax.org/adyxax/tfstated
|
|||
go 1.23.3
|
||||
|
||||
require github.com/mattn/go-sqlite3 v1.14.24
|
||||
|
||||
require go.n16f.net/uuid v0.0.0-20240707135755-e4fd26b968ad // indirect
|
||||
|
|
2
go.sum
2
go.sum
|
@ -1,2 +1,4 @@
|
|||
github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
|
||||
github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
|
||||
go.n16f.net/uuid v0.0.0-20240707135755-e4fd26b968ad h1:QYbHaaFqx6hMor1L6iMSmyhMFvXQXhKaNk9nefug07M=
|
||||
go.n16f.net/uuid v0.0.0-20240707135755-e4fd26b968ad/go.mod h1:hvPEWZmyP50in1DH72o5vUvoXFFyfRU6oL+p2tAcbgU=
|
||||
|
|
39
pkg/basic_auth/middleware.go
Normal file
39
pkg/basic_auth/middleware.go
Normal file
|
@ -0,0 +1,39 @@
|
|||
package basic_auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"git.adyxax.org/adyxax/tfstated/pkg/database"
|
||||
)
|
||||
|
||||
func Middleware(db *database.DB) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
username, password, ok := r.BasicAuth()
|
||||
if !ok {
|
||||
w.Header().Set("WWW-Authenticate", `Basic realm="tfstated", charset="UTF-8"`)
|
||||
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
account, err := db.LoadAccountByUsername(username)
|
||||
if err != nil {
|
||||
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
if password != account.Password {
|
||||
http.Error(w, "Forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
now := time.Now().UTC()
|
||||
_, err = db.Exec(`UPDATE accounts SET last_login = ? WHERE id = ?`, now.Unix(), account.Id)
|
||||
if err != nil {
|
||||
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
ctx := context.WithValue(r.Context(), "account", account)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
}
|
||||
}
|
88
pkg/database/accounts.go
Normal file
88
pkg/database/accounts.go
Normal file
|
@ -0,0 +1,88 @@
|
|||
package database
|
||||
|
||||
import (
|
||||
"database/sql"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"time"
|
||||
|
||||
"git.adyxax.org/adyxax/tfstated/pkg/model"
|
||||
"go.n16f.net/uuid"
|
||||
)
|
||||
|
||||
func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) {
|
||||
account := model.Account{
|
||||
Username: username,
|
||||
}
|
||||
var (
|
||||
encryptedPassword []byte
|
||||
created int64
|
||||
lastLogin int64
|
||||
)
|
||||
err := db.QueryRow(
|
||||
`SELECT id, password, is_admin, created, last_login, settings
|
||||
FROM accounts
|
||||
WHERE username = ?;`,
|
||||
username,
|
||||
).Scan(&account.Id,
|
||||
&encryptedPassword,
|
||||
&account.IsAdmin,
|
||||
&created,
|
||||
&lastLogin,
|
||||
&account.Settings,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
account.Password = string(password)
|
||||
account.Created = time.Unix(created, 0)
|
||||
account.LastLogin = time.Unix(lastLogin, 0)
|
||||
return &account, nil
|
||||
}
|
||||
|
||||
func (db *DB) InitAdminAccount() error {
|
||||
tx, err := db.Begin()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer func() {
|
||||
if err != nil {
|
||||
_ = tx.Rollback()
|
||||
}
|
||||
}()
|
||||
var hasAdminAccount bool
|
||||
if err = tx.QueryRowContext(db.ctx, `SELECT EXISTS (SELECT 1 FROM accounts WHERE is_admin);`).Scan(&hasAdminAccount); err != nil {
|
||||
return fmt.Errorf("failed to select if there is an admin account in the database: %w", err)
|
||||
}
|
||||
if hasAdminAccount {
|
||||
tx.Rollback()
|
||||
} else {
|
||||
var password uuid.UUID
|
||||
if err = password.Generate(uuid.V4); err != nil {
|
||||
return fmt.Errorf("failed to generate initial admin password: %w", err)
|
||||
}
|
||||
var encryptedPassword []byte
|
||||
encryptedPassword, err = db.dataEncryptionKey.EncryptAES256([]byte(password.String()))
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to encrypt initial admin password: %w", err)
|
||||
}
|
||||
if _, err = tx.ExecContext(db.ctx,
|
||||
`INSERT INTO accounts(username, password, is_admin)
|
||||
VALUES ("admin", :password, TRUE)
|
||||
ON CONFLICT DO UPDATE SET password = :password
|
||||
WHERE username = "admin";`,
|
||||
sql.Named("password", encryptedPassword),
|
||||
); err != nil {
|
||||
return fmt.Errorf("failed to set initial admin password: %w", err)
|
||||
}
|
||||
err = tx.Commit()
|
||||
if err == nil {
|
||||
slog.Info("Generated an initial admin password, please change it or delete the admin account after your first login", "password", password.String())
|
||||
}
|
||||
}
|
||||
return err
|
||||
}
|
|
@ -2,6 +2,17 @@ CREATE TABLE schema_version (
|
|||
version INTEGER NOT NULL
|
||||
) STRICT;
|
||||
|
||||
CREATE TABLE accounts (
|
||||
id INTEGER PRIMARY KEY,
|
||||
username TEXT NOT NULL,
|
||||
password BLOB NOT NULL,
|
||||
is_admin INTEGER NOT NULL DEFAULT FALSE,
|
||||
created INTEGER NOT NULL DEFAULT (unixepoch()),
|
||||
last_login INTEGER NOT NULL DEFAULT (unixepoch()),
|
||||
settings TEXT
|
||||
) STRICT;
|
||||
CREATE UNIQUE INDEX accounts_username on accounts(username);
|
||||
|
||||
CREATE TABLE states (
|
||||
id INTEGER PRIMARY KEY,
|
||||
path TEXT NOT NULL,
|
||||
|
@ -11,9 +22,11 @@ CREATE UNIQUE INDEX states_path on states(path);
|
|||
|
||||
CREATE TABLE versions (
|
||||
id INTEGER PRIMARY KEY,
|
||||
account_id INTEGER NOT NULL,
|
||||
state_id INTEGER,
|
||||
data BLOB,
|
||||
lock TEXT,
|
||||
created INTEGER DEFAULT (unixepoch()),
|
||||
FOREIGN KEY(account_id) REFERENCES accounts(id) ON DELETE CASCADE
|
||||
FOREIGN KEY(state_id) REFERENCES states(id) ON DELETE CASCADE
|
||||
) STRICT;
|
||||
|
|
|
@ -43,7 +43,7 @@ func (db *DB) GetState(path string) ([]byte, error) {
|
|||
}
|
||||
|
||||
// returns true in case of id mismatch
|
||||
func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) {
|
||||
func (db *DB) SetState(path string, accountID int, data []byte, lockID string) (bool, error) {
|
||||
encryptedData, err := db.dataEncryptionKey.EncryptAES256(data)
|
||||
if err != nil {
|
||||
return false, err
|
||||
|
@ -82,10 +82,11 @@ func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) {
|
|||
return true, err
|
||||
}
|
||||
_, err = tx.ExecContext(db.ctx,
|
||||
`INSERT INTO versions(state_id, data, lock)
|
||||
SELECT :stateID, :data, lock
|
||||
`INSERT INTO versions(account_id, state_id, data, lock)
|
||||
SELECT :accountID, :stateID, :data, lock
|
||||
FROM states
|
||||
WHERE states.id = :stateID;`,
|
||||
sql.Named("accountID", accountID),
|
||||
sql.Named("stateID", stateID),
|
||||
sql.Named("data", encryptedData))
|
||||
if err != nil {
|
||||
|
|
13
pkg/model/account.go
Normal file
13
pkg/model/account.go
Normal file
|
@ -0,0 +1,13 @@
|
|||
package model
|
||||
|
||||
import "time"
|
||||
|
||||
type Account struct {
|
||||
Id int
|
||||
Username string
|
||||
Password string
|
||||
IsAdmin bool
|
||||
Created time.Time
|
||||
LastLogin time.Time
|
||||
Settings any
|
||||
}
|
Loading…
Add table
Reference in a new issue