summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulien Dessaux2024-11-14 01:34:29 +0100
committerJulien Dessaux2024-11-14 01:34:29 +0100
commit3d8812fbd0091d2ef636949628c52bf9f48617a6 (patch)
tree00755c8903497ad7abaaffffbbaa4a37fdf41a03
parentchore(tfstated): rename state "name" to "path" for consistency (diff)
downloadtfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.gz
tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.bz2
tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.zip
feat(tfstated): implement HTTP basic auth
Diffstat (limited to '')
-rw-r--r--.gitignore2
-rw-r--r--cmd/tfstated/delete_test.go14
-rw-r--r--cmd/tfstated/get_test.go12
-rw-r--r--cmd/tfstated/healthz_test.go2
-rw-r--r--cmd/tfstated/lock_test.go22
-rw-r--r--cmd/tfstated/main.go4
-rw-r--r--cmd/tfstated/main_test.go13
-rw-r--r--cmd/tfstated/post.go4
-rw-r--r--cmd/tfstated/post_test.go36
-rw-r--r--cmd/tfstated/routes.go12
-rw-r--r--cmd/tfstated/unlock_test.go18
-rw-r--r--go.mod2
-rw-r--r--go.sum2
-rw-r--r--pkg/basic_auth/middleware.go39
-rw-r--r--pkg/database/accounts.go88
-rw-r--r--pkg/database/sql/000_init.sql13
-rw-r--r--pkg/database/states.go7
-rw-r--r--pkg/model/account.go13
18 files changed, 245 insertions, 58 deletions
diff --git a/.gitignore b/.gitignore
index 8bdbc77..122fc54 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-tfstate
+tfstated
tfstate.db
tfstate.db-shm
tfstate.db-wal
diff --git a/cmd/tfstated/delete_test.go b/cmd/tfstated/delete_test.go
index 970fbcf..cbc0d55 100644
--- a/cmd/tfstated/delete_test.go
+++ b/cmd/tfstated/delete_test.go
@@ -11,20 +11,22 @@ import (
func TestDelete(t *testing.T) {
tests := []struct {
method string
+ auth bool
uri url.URL
body io.Reader
expect string
status int
msg string
}{
- {"DELETE", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
- {"DELETE", url.URL{Path: "/non_existent_delete"}, nil, "", http.StatusNotFound, "non existent"},
- {"POST", url.URL{Path: "/test_delete"}, strings.NewReader("the_test_delete"), "", http.StatusOK, "/test_delete"},
- {"DELETE", url.URL{Path: "/test_delete"}, nil, "", http.StatusOK, "/test_delete"},
- {"DELETE", url.URL{Path: "/test_delete"}, nil, "", http.StatusNotFound, "/test_delete"},
+ {"DELETE", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+ {"DELETE", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+ {"DELETE", true, url.URL{Path: "/non_existent_delete"}, nil, "", http.StatusNotFound, "non existent"},
+ {"POST", true, url.URL{Path: "/test_delete"}, strings.NewReader("the_test_delete"), "", http.StatusOK, "/test_delete"},
+ {"DELETE", true, url.URL{Path: "/test_delete"}, nil, "", http.StatusOK, "/test_delete"},
+ {"DELETE", true, url.URL{Path: "/test_delete"}, nil, "", http.StatusNotFound, "/test_delete"},
}
for _, tt := range tests {
- runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+ runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
if err != nil {
t.Fatalf("failed %s with error: %+v", tt.method, err)
} else if r.StatusCode != tt.status {
diff --git a/cmd/tfstated/get_test.go b/cmd/tfstated/get_test.go
index 5ffcfd0..274522b 100644
--- a/cmd/tfstated/get_test.go
+++ b/cmd/tfstated/get_test.go
@@ -11,19 +11,21 @@ import (
func TestGet(t *testing.T) {
tests := []struct {
method string
+ auth bool
uri url.URL
body io.Reader
expect string
status int
msg string
}{
- {"GET", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
- {"GET", url.URL{Path: "/non_existent_get"}, strings.NewReader(""), "", http.StatusOK, "non existent"},
- {"POST", url.URL{Path: "/test_get"}, strings.NewReader("the_test_get"), "", http.StatusOK, "/test_get"},
- {"GET", url.URL{Path: "/test_get"}, nil, "the_test_get", http.StatusOK, "/test_get"},
+ {"GET", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+ {"GET", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+ {"GET", true, url.URL{Path: "/non_existent_get"}, strings.NewReader(""), "", http.StatusOK, "non existent"},
+ {"POST", true, url.URL{Path: "/test_get"}, strings.NewReader("the_test_get"), "", http.StatusOK, "/test_get"},
+ {"GET", true, url.URL{Path: "/test_get"}, nil, "the_test_get", http.StatusOK, "/test_get"},
}
for _, tt := range tests {
- runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+ runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
if err != nil {
t.Fatalf("failed %s with error: %+v", tt.method, err)
} else if r.StatusCode != tt.status {
diff --git a/cmd/tfstated/healthz_test.go b/cmd/tfstated/healthz_test.go
index c4860c4..10d237b 100644
--- a/cmd/tfstated/healthz_test.go
+++ b/cmd/tfstated/healthz_test.go
@@ -7,7 +7,7 @@ import (
)
func TestHealthz(t *testing.T) {
- runHTTPRequest("GET", &url.URL{Path: "/healthz"}, nil, func(r *http.Response, err error) {
+ runHTTPRequest("GET", false, &url.URL{Path: "/healthz"}, nil, func(r *http.Response, err error) {
if err != nil {
t.Fatalf("failed healthcheck with error: %+v", err)
} else if r.StatusCode != http.StatusOK {
diff --git a/cmd/tfstated/lock_test.go b/cmd/tfstated/lock_test.go
index fa454be..22f5890 100644
--- a/cmd/tfstated/lock_test.go
+++ b/cmd/tfstated/lock_test.go
@@ -11,24 +11,26 @@ import (
func TestLock(t *testing.T) {
tests := []struct {
method string
+ auth bool
uri url.URL
body io.Reader
expect string
status int
msg string
}{
- {"LOCK", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
- {"LOCK", url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
- {"LOCK", url.URL{Path: "/non_existent_lock"}, strings.NewReader("{}"), "", http.StatusBadRequest, "invalid lock data on non existent state"},
- {"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
- {"GET", url.URL{Path: "/test_lock"}, nil, "", http.StatusOK, "/test_lock"},
- {"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"\"}"), "", http.StatusBadRequest, "invalid lock data on already locked state"},
- {"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on already locked state"},
- {"POST", url.URL{Path: "/test_lock", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_lock"), "", http.StatusOK, "/test_lock"},
- {"GET", url.URL{Path: "/test_lock"}, nil, "the_test_lock", http.StatusOK, "/test_lock"},
+ {"LOCK", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+ {"LOCK", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+ {"LOCK", true, url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
+ {"LOCK", true, url.URL{Path: "/non_existent_lock"}, strings.NewReader("{}"), "", http.StatusBadRequest, "invalid lock data on non existent state"},
+ {"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
+ {"GET", true, url.URL{Path: "/test_lock"}, nil, "", http.StatusOK, "/test_lock"},
+ {"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"\"}"), "", http.StatusBadRequest, "invalid lock data on already locked state"},
+ {"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on already locked state"},
+ {"POST", true, url.URL{Path: "/test_lock", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_lock"), "", http.StatusOK, "/test_lock"},
+ {"GET", true, url.URL{Path: "/test_lock"}, nil, "the_test_lock", http.StatusOK, "/test_lock"},
}
for _, tt := range tests {
- runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+ runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
if err != nil {
t.Fatalf("failed %s with error: %+v", tt.method, err)
} else if r.StatusCode != tt.status {
diff --git a/cmd/tfstated/main.go b/cmd/tfstated/main.go
index 722ec82..e6c6272 100644
--- a/cmd/tfstated/main.go
+++ b/cmd/tfstated/main.go
@@ -52,6 +52,10 @@ func run(
db.SetVersionsHistoryLimit(n)
}
+ if err := db.InitAdminAccount(); err != nil {
+ return err
+ }
+
mux := http.NewServeMux()
addRoutes(
mux,
diff --git a/cmd/tfstated/main_test.go b/cmd/tfstated/main_test.go
index c52b924..3ad1d7e 100644
--- a/cmd/tfstated/main_test.go
+++ b/cmd/tfstated/main_test.go
@@ -19,6 +19,7 @@ var baseURI = url.URL{
Scheme: "http",
}
var db *database.DB
+var password string
func TestMain(m *testing.M) {
ctx := context.Background()
@@ -58,6 +59,13 @@ func TestMain(m *testing.M) {
os.Exit(1)
}
+ admin, err := db.LoadAccountByUsername("admin")
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "%+v\n", err)
+ os.Exit(1)
+ }
+ password = admin.Password
+
ret := m.Run()
cancel()
@@ -71,7 +79,7 @@ func TestMain(m *testing.M) {
os.Exit(ret)
}
-func runHTTPRequest(method string, uriRef *url.URL, body io.Reader, testFunc func(*http.Response, error)) {
+func runHTTPRequest(method string, auth bool, uriRef *url.URL, body io.Reader, testFunc func(*http.Response, error)) {
uri := baseURI.ResolveReference(uriRef)
client := http.Client{}
req, err := http.NewRequest(method, uri.String(), body)
@@ -79,6 +87,9 @@ func runHTTPRequest(method string, uriRef *url.URL, body io.Reader, testFunc fun
testFunc(nil, fmt.Errorf("failed to create request: %w", err))
return
}
+ if auth {
+ req.SetBasicAuth("admin", password)
+ }
resp, err := client.Do(req)
if err != nil {
testFunc(nil, fmt.Errorf("failed to do request: %w\n", err))
diff --git a/cmd/tfstated/post.go b/cmd/tfstated/post.go
index cf788d4..718fed7 100644
--- a/cmd/tfstated/post.go
+++ b/cmd/tfstated/post.go
@@ -6,6 +6,7 @@ import (
"net/http"
"git.adyxax.org/adyxax/tfstated/pkg/database"
+ "git.adyxax.org/adyxax/tfstated/pkg/model"
)
func handlePost(db *database.DB) http.Handler {
@@ -24,7 +25,8 @@ func handlePost(db *database.DB) http.Handler {
_ = errorResponse(w, http.StatusBadRequest, err)
return
}
- if idMismatch, err := db.SetState(r.URL.Path, data, id); err != nil {
+ account := r.Context().Value("account").(*model.Account)
+ if idMismatch, err := db.SetState(r.URL.Path, account.Id, data, id); err != nil {
if idMismatch {
_ = errorResponse(w, http.StatusConflict, err)
} else {
diff --git a/cmd/tfstated/post_test.go b/cmd/tfstated/post_test.go
index fd66dc4..71e5143 100644
--- a/cmd/tfstated/post_test.go
+++ b/cmd/tfstated/post_test.go
@@ -11,31 +11,33 @@ import (
func TestPost(t *testing.T) {
tests := []struct {
method string
+ auth bool
uri url.URL
body io.Reader
expect string
status int
msg string
}{
- {"POST", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
- {"POST", url.URL{Path: "/test_post"}, nil, "", http.StatusBadRequest, "without a body"},
- {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post"), "", http.StatusOK, "without lock ID in query string"},
- {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
- {"POST", url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post2"), "", http.StatusConflict, "with a lock ID on an unlocked state"},
- {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
- {"LOCK", url.URL{Path: "/test_post"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "/test_post"},
- {"POST", url.URL{Path: "/test_post", RawQuery: "ID=ffffffff-ffff-ffff-ffff-ffffffffffff"}, strings.NewReader("the_test_post3"), "", http.StatusConflict, "with a wrong lock ID on a locked state"},
- {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
- {"POST", url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post4"), "", http.StatusOK, "with a correct lock ID on a locked state"},
- {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post4", http.StatusOK, "/test_post"},
- {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post5"), "", http.StatusOK, "without lock ID in query string on a locked state"},
- {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post5", http.StatusOK, "/test_post"},
- {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post6"), "", http.StatusOK, "another post just to make sure the history limit works"},
- {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post7"), "", http.StatusOK, "another post just to make sure the history limit works"},
- {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post8"), "", http.StatusOK, "another post just to make sure the history limit works"},
+ {"POST", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+ {"POST", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+ {"POST", true, url.URL{Path: "/test_post"}, nil, "", http.StatusBadRequest, "without a body"},
+ {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post"), "", http.StatusOK, "without lock ID in query string"},
+ {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
+ {"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post2"), "", http.StatusConflict, "with a lock ID on an unlocked state"},
+ {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
+ {"LOCK", true, url.URL{Path: "/test_post"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "/test_post"},
+ {"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=ffffffff-ffff-ffff-ffff-ffffffffffff"}, strings.NewReader("the_test_post3"), "", http.StatusConflict, "with a wrong lock ID on a locked state"},
+ {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"},
+ {"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post4"), "", http.StatusOK, "with a correct lock ID on a locked state"},
+ {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post4", http.StatusOK, "/test_post"},
+ {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post5"), "", http.StatusOK, "without lock ID in query string on a locked state"},
+ {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post5", http.StatusOK, "/test_post"},
+ {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post6"), "", http.StatusOK, "another post just to make sure the history limit works"},
+ {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post7"), "", http.StatusOK, "another post just to make sure the history limit works"},
+ {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post8"), "", http.StatusOK, "another post just to make sure the history limit works"},
}
for _, tt := range tests {
- runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+ runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
if err != nil {
t.Fatalf("failed %s with error: %+v", tt.method, err)
} else if r.StatusCode != tt.status {
diff --git a/cmd/tfstated/routes.go b/cmd/tfstated/routes.go
index e2700d2..019bb76 100644
--- a/cmd/tfstated/routes.go
+++ b/cmd/tfstated/routes.go
@@ -3,6 +3,7 @@ package main
import (
"net/http"
+ "git.adyxax.org/adyxax/tfstated/pkg/basic_auth"
"git.adyxax.org/adyxax/tfstated/pkg/database"
)
@@ -12,9 +13,10 @@ func addRoutes(
) {
mux.Handle("GET /healthz", handleHealthz())
- mux.Handle("DELETE /", handleDelete(db))
- mux.Handle("GET /", handleGet(db))
- mux.Handle("LOCK /", handleLock(db))
- mux.Handle("POST /", handlePost(db))
- mux.Handle("UNLOCK /", handleUnlock(db))
+ basicAuth := basic_auth.Middleware(db)
+ mux.Handle("DELETE /", basicAuth(handleDelete(db)))
+ mux.Handle("GET /", basicAuth(handleGet(db)))
+ mux.Handle("LOCK /", basicAuth(handleLock(db)))
+ mux.Handle("POST /", basicAuth(handlePost(db)))
+ mux.Handle("UNLOCK /", basicAuth(handleUnlock(db)))
}
diff --git a/cmd/tfstated/unlock_test.go b/cmd/tfstated/unlock_test.go
index f5af5f7..e8c14cc 100644
--- a/cmd/tfstated/unlock_test.go
+++ b/cmd/tfstated/unlock_test.go
@@ -11,22 +11,24 @@ import (
func TestUnlock(t *testing.T) {
tests := []struct {
method string
+ auth bool
uri url.URL
body io.Reader
expect string
status int
msg string
}{
- {"UNLOCK", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
- {"UNLOCK", url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
- {"UNLOCK", url.URL{Path: "/non_existent_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on non existent state"},
- {"LOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
- {"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF\"}"), "", http.StatusConflict, "valid but wrong lock data on a locked state"},
- {"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid and correct lock data on a locked state"},
- {"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid and correct lock data on a now unlocked state"},
+ {"UNLOCK", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"},
+ {"UNLOCK", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"},
+ {"UNLOCK", true, url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"},
+ {"UNLOCK", true, url.URL{Path: "/non_existent_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on non existent state"},
+ {"LOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"},
+ {"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF\"}"), "", http.StatusConflict, "valid but wrong lock data on a locked state"},
+ {"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid and correct lock data on a locked state"},
+ {"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid and correct lock data on a now unlocked state"},
}
for _, tt := range tests {
- runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) {
+ runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) {
if err != nil {
t.Fatalf("failed %s with error: %+v", tt.method, err)
} else if r.StatusCode != tt.status {
diff --git a/go.mod b/go.mod
index a8c3b29..0455251 100644
--- a/go.mod
+++ b/go.mod
@@ -3,3 +3,5 @@ module git.adyxax.org/adyxax/tfstated
go 1.23.3
require github.com/mattn/go-sqlite3 v1.14.24
+
+require go.n16f.net/uuid v0.0.0-20240707135755-e4fd26b968ad // indirect
diff --git a/go.sum b/go.sum
index 9dcdc9b..1d07d2a 100644
--- a/go.sum
+++ b/go.sum
@@ -1,2 +1,4 @@
github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+go.n16f.net/uuid v0.0.0-20240707135755-e4fd26b968ad h1:QYbHaaFqx6hMor1L6iMSmyhMFvXQXhKaNk9nefug07M=
+go.n16f.net/uuid v0.0.0-20240707135755-e4fd26b968ad/go.mod h1:hvPEWZmyP50in1DH72o5vUvoXFFyfRU6oL+p2tAcbgU=
diff --git a/pkg/basic_auth/middleware.go b/pkg/basic_auth/middleware.go
new file mode 100644
index 0000000..108124f
--- /dev/null
+++ b/pkg/basic_auth/middleware.go
@@ -0,0 +1,39 @@
+package basic_auth
+
+import (
+ "context"
+ "net/http"
+ "time"
+
+ "git.adyxax.org/adyxax/tfstated/pkg/database"
+)
+
+func Middleware(db *database.DB) func(http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ username, password, ok := r.BasicAuth()
+ if !ok {
+ w.Header().Set("WWW-Authenticate", `Basic realm="tfstated", charset="UTF-8"`)
+ http.Error(w, "Unauthorized", http.StatusUnauthorized)
+ return
+ }
+ account, err := db.LoadAccountByUsername(username)
+ if err != nil {
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ return
+ }
+ if password != account.Password {
+ http.Error(w, "Forbidden", http.StatusForbidden)
+ return
+ }
+ now := time.Now().UTC()
+ _, err = db.Exec(`UPDATE accounts SET last_login = ? WHERE id = ?`, now.Unix(), account.Id)
+ if err != nil {
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ return
+ }
+ ctx := context.WithValue(r.Context(), "account", account)
+ next.ServeHTTP(w, r.WithContext(ctx))
+ })
+ }
+}
diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go
new file mode 100644
index 0000000..7902371
--- /dev/null
+++ b/pkg/database/accounts.go
@@ -0,0 +1,88 @@
+package database
+
+import (
+ "database/sql"
+ "fmt"
+ "log/slog"
+ "time"
+
+ "git.adyxax.org/adyxax/tfstated/pkg/model"
+ "go.n16f.net/uuid"
+)
+
+func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) {
+ account := model.Account{
+ Username: username,
+ }
+ var (
+ encryptedPassword []byte
+ created int64
+ lastLogin int64
+ )
+ err := db.QueryRow(
+ `SELECT id, password, is_admin, created, last_login, settings
+ FROM accounts
+ WHERE username = ?;`,
+ username,
+ ).Scan(&account.Id,
+ &encryptedPassword,
+ &account.IsAdmin,
+ &created,
+ &lastLogin,
+ &account.Settings,
+ )
+ if err != nil {
+ return nil, err
+ }
+ password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword)
+ if err != nil {
+ return nil, err
+ }
+ account.Password = string(password)
+ account.Created = time.Unix(created, 0)
+ account.LastLogin = time.Unix(lastLogin, 0)
+ return &account, nil
+}
+
+func (db *DB) InitAdminAccount() error {
+ tx, err := db.Begin()
+ if err != nil {
+ return err
+ }
+ defer func() {
+ if err != nil {
+ _ = tx.Rollback()
+ }
+ }()
+ var hasAdminAccount bool
+ if err = tx.QueryRowContext(db.ctx, `SELECT EXISTS (SELECT 1 FROM accounts WHERE is_admin);`).Scan(&hasAdminAccount); err != nil {
+ return fmt.Errorf("failed to select if there is an admin account in the database: %w", err)
+ }
+ if hasAdminAccount {
+ tx.Rollback()
+ } else {
+ var password uuid.UUID
+ if err = password.Generate(uuid.V4); err != nil {
+ return fmt.Errorf("failed to generate initial admin password: %w", err)
+ }
+ var encryptedPassword []byte
+ encryptedPassword, err = db.dataEncryptionKey.EncryptAES256([]byte(password.String()))
+ if err != nil {
+ return fmt.Errorf("failed to encrypt initial admin password: %w", err)
+ }
+ if _, err = tx.ExecContext(db.ctx,
+ `INSERT INTO accounts(username, password, is_admin)
+ VALUES ("admin", :password, TRUE)
+ ON CONFLICT DO UPDATE SET password = :password
+ WHERE username = "admin";`,
+ sql.Named("password", encryptedPassword),
+ ); err != nil {
+ return fmt.Errorf("failed to set initial admin password: %w", err)
+ }
+ err = tx.Commit()
+ if err == nil {
+ slog.Info("Generated an initial admin password, please change it or delete the admin account after your first login", "password", password.String())
+ }
+ }
+ return err
+}
diff --git a/pkg/database/sql/000_init.sql b/pkg/database/sql/000_init.sql
index ab40746..c56473f 100644
--- a/pkg/database/sql/000_init.sql
+++ b/pkg/database/sql/000_init.sql
@@ -2,6 +2,17 @@ CREATE TABLE schema_version (
version INTEGER NOT NULL
) STRICT;
+CREATE TABLE accounts (
+ id INTEGER PRIMARY KEY,
+ username TEXT NOT NULL,
+ password BLOB NOT NULL,
+ is_admin INTEGER NOT NULL DEFAULT FALSE,
+ created INTEGER NOT NULL DEFAULT (unixepoch()),
+ last_login INTEGER NOT NULL DEFAULT (unixepoch()),
+ settings TEXT
+) STRICT;
+CREATE UNIQUE INDEX accounts_username on accounts(username);
+
CREATE TABLE states (
id INTEGER PRIMARY KEY,
path TEXT NOT NULL,
@@ -11,9 +22,11 @@ CREATE UNIQUE INDEX states_path on states(path);
CREATE TABLE versions (
id INTEGER PRIMARY KEY,
+ account_id INTEGER NOT NULL,
state_id INTEGER,
data BLOB,
lock TEXT,
created INTEGER DEFAULT (unixepoch()),
+ FOREIGN KEY(account_id) REFERENCES accounts(id) ON DELETE CASCADE
FOREIGN KEY(state_id) REFERENCES states(id) ON DELETE CASCADE
) STRICT;
diff --git a/pkg/database/states.go b/pkg/database/states.go
index d1e9c7d..4f0ce58 100644
--- a/pkg/database/states.go
+++ b/pkg/database/states.go
@@ -43,7 +43,7 @@ func (db *DB) GetState(path string) ([]byte, error) {
}
// returns true in case of id mismatch
-func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) {
+func (db *DB) SetState(path string, accountID int, data []byte, lockID string) (bool, error) {
encryptedData, err := db.dataEncryptionKey.EncryptAES256(data)
if err != nil {
return false, err
@@ -82,10 +82,11 @@ func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) {
return true, err
}
_, err = tx.ExecContext(db.ctx,
- `INSERT INTO versions(state_id, data, lock)
- SELECT :stateID, :data, lock
+ `INSERT INTO versions(account_id, state_id, data, lock)
+ SELECT :accountID, :stateID, :data, lock
FROM states
WHERE states.id = :stateID;`,
+ sql.Named("accountID", accountID),
sql.Named("stateID", stateID),
sql.Named("data", encryptedData))
if err != nil {
diff --git a/pkg/model/account.go b/pkg/model/account.go
new file mode 100644
index 0000000..cbb6407
--- /dev/null
+++ b/pkg/model/account.go
@@ -0,0 +1,13 @@
+package model
+
+import "time"
+
+type Account struct {
+ Id int
+ Username string
+ Password string
+ IsAdmin bool
+ Created time.Time
+ LastLogin time.Time
+ Settings any
+}