feat(tfstated): implement HTTP basic auth

author: Julien Dessaux 2024-11-14 01:34:29 +0100
committer: Julien Dessaux 2024-11-14 01:34:29 +0100
commit: 3d8812fbd0091d2ef636949628c52bf9f48617a6 (patch)
tree: 00755c8903497ad7abaaffffbbaa4a37fdf41a03 /pkg/database
parent: chore(tfstated): rename state "name" to "path" for consistency (diff)
download: tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.gz
tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.bz2
tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.zip
3 files changed, 105 insertions, 3 deletions
diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go
new file mode 100644
index 0000000..7902371
--- /dev/null
+++ b/pkg/database/accounts.go
@@ -0,0 +1,88 @@
+package database
+
+import (
+	"database/sql"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"git.adyxax.org/adyxax/tfstated/pkg/model"
+	"go.n16f.net/uuid"
+)
+
+func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) {
+	account := model.Account{
+		Username: username,
+	}
+	var (
+		encryptedPassword []byte
+		created           int64
+		lastLogin         int64
+	)
+	err := db.QueryRow(
+		`SELECT id, password, is_admin, created, last_login, settings
+           FROM accounts
+           WHERE username = ?;`,
+		username,
+	).Scan(&account.Id,
+		&encryptedPassword,
+		&account.IsAdmin,
+		&created,
+		&lastLogin,
+		&account.Settings,
+	)
+	if err != nil {
+		return nil, err
+	}
+	password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword)
+	if err != nil {
+		return nil, err
+	}
+	account.Password = string(password)
+	account.Created = time.Unix(created, 0)
+	account.LastLogin = time.Unix(lastLogin, 0)
+	return &account, nil
+}
+
+func (db *DB) InitAdminAccount() error {
+	tx, err := db.Begin()
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err != nil {
+			_ = tx.Rollback()
+		}
+	}()
+	var hasAdminAccount bool
+	if err = tx.QueryRowContext(db.ctx, `SELECT EXISTS (SELECT 1 FROM accounts WHERE is_admin);`).Scan(&hasAdminAccount); err != nil {
+		return fmt.Errorf("failed to select if there is an admin account in the database: %w", err)
+	}
+	if hasAdminAccount {
+		tx.Rollback()
+	} else {
+		var password uuid.UUID
+		if err = password.Generate(uuid.V4); err != nil {
+			return fmt.Errorf("failed to generate initial admin password: %w", err)
+		}
+		var encryptedPassword []byte
+		encryptedPassword, err = db.dataEncryptionKey.EncryptAES256([]byte(password.String()))
+		if err != nil {
+			return fmt.Errorf("failed to encrypt initial admin password: %w", err)
+		}
+		if _, err = tx.ExecContext(db.ctx,
+			`INSERT INTO accounts(username, password, is_admin)
+		       VALUES ("admin", :password, TRUE)
+		       ON CONFLICT DO UPDATE SET password = :password
+		         WHERE username = "admin";`,
+			sql.Named("password", encryptedPassword),
+		); err != nil {
+			return fmt.Errorf("failed to set initial admin password: %w", err)
+		}
+		err = tx.Commit()
+		if err == nil {
+			slog.Info("Generated an initial admin password, please change it or delete the admin account after your first login", "password", password.String())
+		}
+	}
+	return err
+}
diff --git a/pkg/database/sql/000_init.sql b/pkg/database/sql/000_init.sql
index ab40746..c56473f 100644
--- a/pkg/database/sql/000_init.sql
+++ b/pkg/database/sql/000_init.sql
@@ -2,6 +2,17 @@ CREATE TABLE schema_version (
   version INTEGER NOT NULL
 ) STRICT;
 
+CREATE TABLE accounts (
+  id INTEGER PRIMARY KEY,
+  username TEXT NOT NULL,
+  password BLOB NOT NULL,
+  is_admin INTEGER NOT NULL DEFAULT FALSE,
+  created INTEGER NOT NULL DEFAULT (unixepoch()),
+  last_login INTEGER NOT NULL DEFAULT (unixepoch()),
+  settings TEXT
+) STRICT;
+CREATE UNIQUE INDEX accounts_username on accounts(username);
+
 CREATE TABLE states (
   id INTEGER PRIMARY KEY,
   path TEXT NOT NULL,
@@ -11,9 +22,11 @@ CREATE UNIQUE INDEX states_path on states(path);
 
 CREATE TABLE versions (
   id INTEGER PRIMARY KEY,
+  account_id INTEGER NOT NULL,
   state_id INTEGER,
   data BLOB,
   lock TEXT,
   created INTEGER DEFAULT (unixepoch()),
+  FOREIGN KEY(account_id) REFERENCES accounts(id) ON DELETE CASCADE
   FOREIGN KEY(state_id) REFERENCES states(id) ON DELETE CASCADE
 ) STRICT;
diff --git a/pkg/database/states.go b/pkg/database/states.go
index d1e9c7d..4f0ce58 100644
--- a/pkg/database/states.go
+++ b/pkg/database/states.go
@@ -43,7 +43,7 @@ func (db *DB) GetState(path string) ([]byte, error) {
 }
 
 // returns true in case of id mismatch
-func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) {
+func (db *DB) SetState(path string, accountID int, data []byte, lockID string) (bool, error) {
 	encryptedData, err := db.dataEncryptionKey.EncryptAES256(data)
 	if err != nil {
 		return false, err
@@ -82,10 +82,11 @@ func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) {
 		return true, err
 	}
 	_, err = tx.ExecContext(db.ctx,
-		`INSERT INTO versions(state_id, data, lock)
-           SELECT :stateID, :data, lock
+		`INSERT INTO versions(account_id, state_id, data, lock)
+           SELECT :accountID, :stateID, :data, lock
              FROM states
              WHERE states.id = :stateID;`,
+		sql.Named("accountID", accountID),
 		sql.Named("stateID", stateID),
 		sql.Named("data", encryptedData))
 	if err != nil {
author	Julien Dessaux	2024-11-14 01:34:29 +0100
committer	Julien Dessaux	2024-11-14 01:34:29 +0100
commit	3d8812fbd0091d2ef636949628c52bf9f48617a6 (patch)
tree	00755c8903497ad7abaaffffbbaa4a37fdf41a03 /pkg/database
parent	chore(tfstated): rename state "name" to "path" for consistency (diff)
download	tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.gz tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.tar.bz2 tfstated-3d8812fbd0091d2ef636949628c52bf9f48617a6.zip