summaryrefslogtreecommitdiff
path: root/pkg/database
diff options
context:
space:
mode:
authorJulien Dessaux2024-11-14 01:34:29 +0100
committerJulien Dessaux2024-11-14 01:34:29 +0100
commit3d8812fbd0091d2ef636949628c52bf9f48617a6 (patch)
tree00755c8903497ad7abaaffffbbaa4a37fdf41a03 /pkg/database
parentchore(tfstated): rename state "name" to "path" for consistency (diff)
downloadtfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.gz
tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.bz2
tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.zip
feat(tfstated): implement HTTP basic auth
Diffstat (limited to '')
-rw-r--r--pkg/database/accounts.go88
-rw-r--r--pkg/database/sql/000_init.sql13
-rw-r--r--pkg/database/states.go7
3 files changed, 105 insertions, 3 deletions
diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go
new file mode 100644
index 0000000..7902371
--- /dev/null
+++ b/pkg/database/accounts.go
@@ -0,0 +1,88 @@
+package database
+
+import (
+ "database/sql"
+ "fmt"
+ "log/slog"
+ "time"
+
+ "git.adyxax.org/adyxax/tfstated/pkg/model"
+ "go.n16f.net/uuid"
+)
+
+func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) {
+ account := model.Account{
+ Username: username,
+ }
+ var (
+ encryptedPassword []byte
+ created int64
+ lastLogin int64
+ )
+ err := db.QueryRow(
+ `SELECT id, password, is_admin, created, last_login, settings
+ FROM accounts
+ WHERE username = ?;`,
+ username,
+ ).Scan(&account.Id,
+ &encryptedPassword,
+ &account.IsAdmin,
+ &created,
+ &lastLogin,
+ &account.Settings,
+ )
+ if err != nil {
+ return nil, err
+ }
+ password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword)
+ if err != nil {
+ return nil, err
+ }
+ account.Password = string(password)
+ account.Created = time.Unix(created, 0)
+ account.LastLogin = time.Unix(lastLogin, 0)
+ return &account, nil
+}
+
+func (db *DB) InitAdminAccount() error {
+ tx, err := db.Begin()
+ if err != nil {
+ return err
+ }
+ defer func() {
+ if err != nil {
+ _ = tx.Rollback()
+ }
+ }()
+ var hasAdminAccount bool
+ if err = tx.QueryRowContext(db.ctx, `SELECT EXISTS (SELECT 1 FROM accounts WHERE is_admin);`).Scan(&hasAdminAccount); err != nil {
+ return fmt.Errorf("failed to select if there is an admin account in the database: %w", err)
+ }
+ if hasAdminAccount {
+ tx.Rollback()
+ } else {
+ var password uuid.UUID
+ if err = password.Generate(uuid.V4); err != nil {
+ return fmt.Errorf("failed to generate initial admin password: %w", err)
+ }
+ var encryptedPassword []byte
+ encryptedPassword, err = db.dataEncryptionKey.EncryptAES256([]byte(password.String()))
+ if err != nil {
+ return fmt.Errorf("failed to encrypt initial admin password: %w", err)
+ }
+ if _, err = tx.ExecContext(db.ctx,
+ `INSERT INTO accounts(username, password, is_admin)
+ VALUES ("admin", :password, TRUE)
+ ON CONFLICT DO UPDATE SET password = :password
+ WHERE username = "admin";`,
+ sql.Named("password", encryptedPassword),
+ ); err != nil {
+ return fmt.Errorf("failed to set initial admin password: %w", err)
+ }
+ err = tx.Commit()
+ if err == nil {
+ slog.Info("Generated an initial admin password, please change it or delete the admin account after your first login", "password", password.String())
+ }
+ }
+ return err
+}
diff --git a/pkg/database/sql/000_init.sql b/pkg/database/sql/000_init.sql
index ab40746..c56473f 100644
--- a/pkg/database/sql/000_init.sql
+++ b/pkg/database/sql/000_init.sql
@@ -2,6 +2,17 @@ CREATE TABLE schema_version (
version INTEGER NOT NULL
) STRICT;
+CREATE TABLE accounts (
+ id INTEGER PRIMARY KEY,
+ username TEXT NOT NULL,
+ password BLOB NOT NULL,
+ is_admin INTEGER NOT NULL DEFAULT FALSE,
+ created INTEGER NOT NULL DEFAULT (unixepoch()),
+ last_login INTEGER NOT NULL DEFAULT (unixepoch()),
+ settings TEXT
+) STRICT;
+CREATE UNIQUE INDEX accounts_username on accounts(username);
+
CREATE TABLE states (
id INTEGER PRIMARY KEY,
path TEXT NOT NULL,
@@ -11,9 +22,11 @@ CREATE UNIQUE INDEX states_path on states(path);
CREATE TABLE versions (
id INTEGER PRIMARY KEY,
+ account_id INTEGER NOT NULL,
state_id INTEGER,
data BLOB,
lock TEXT,
created INTEGER DEFAULT (unixepoch()),
+ FOREIGN KEY(account_id) REFERENCES accounts(id) ON DELETE CASCADE
FOREIGN KEY(state_id) REFERENCES states(id) ON DELETE CASCADE
) STRICT;
diff --git a/pkg/database/states.go b/pkg/database/states.go
index d1e9c7d..4f0ce58 100644
--- a/pkg/database/states.go
+++ b/pkg/database/states.go
@@ -43,7 +43,7 @@ func (db *DB) GetState(path string) ([]byte, error) {
}
// returns true in case of id mismatch
-func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) {
+func (db *DB) SetState(path string, accountID int, data []byte, lockID string) (bool, error) {
encryptedData, err := db.dataEncryptionKey.EncryptAES256(data)
if err != nil {
return false, err
@@ -82,10 +82,11 @@ func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) {
return true, err
}
_, err = tx.ExecContext(db.ctx,
- `INSERT INTO versions(state_id, data, lock)
- SELECT :stateID, :data, lock
+ `INSERT INTO versions(account_id, state_id, data, lock)
+ SELECT :accountID, :stateID, :data, lock
FROM states
WHERE states.id = :stateID;`,
+ sql.Named("accountID", accountID),
sql.Named("stateID", stateID),
sql.Named("data", encryptedData))
if err != nil {