diff options
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/basic_auth/middleware.go | 39 | ||||
-rw-r--r-- | pkg/database/accounts.go | 88 | ||||
-rw-r--r-- | pkg/database/sql/000_init.sql | 13 | ||||
-rw-r--r-- | pkg/database/states.go | 7 | ||||
-rw-r--r-- | pkg/model/account.go | 13 |
5 files changed, 157 insertions, 3 deletions
diff --git a/pkg/basic_auth/middleware.go b/pkg/basic_auth/middleware.go new file mode 100644 index 0000000..108124f --- /dev/null +++ b/pkg/basic_auth/middleware.go @@ -0,0 +1,39 @@ +package basic_auth + +import ( + "context" + "net/http" + "time" + + "git.adyxax.org/adyxax/tfstated/pkg/database" +) + +func Middleware(db *database.DB) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + username, password, ok := r.BasicAuth() + if !ok { + w.Header().Set("WWW-Authenticate", `Basic realm="tfstated", charset="UTF-8"`) + http.Error(w, "Unauthorized", http.StatusUnauthorized) + return + } + account, err := db.LoadAccountByUsername(username) + if err != nil { + http.Error(w, "Internal Server Error", http.StatusInternalServerError) + return + } + if password != account.Password { + http.Error(w, "Forbidden", http.StatusForbidden) + return + } + now := time.Now().UTC() + _, err = db.Exec(`UPDATE accounts SET last_login = ? WHERE id = ?`, now.Unix(), account.Id) + if err != nil { + http.Error(w, "Internal Server Error", http.StatusInternalServerError) + return + } + ctx := context.WithValue(r.Context(), "account", account) + next.ServeHTTP(w, r.WithContext(ctx)) + }) + } +} diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go new file mode 100644 index 0000000..7902371 --- /dev/null +++ b/pkg/database/accounts.go @@ -0,0 +1,88 @@ +package database + +import ( + "database/sql" + "fmt" + "log/slog" + "time" + + "git.adyxax.org/adyxax/tfstated/pkg/model" + "go.n16f.net/uuid" +) + +func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) { + account := model.Account{ + Username: username, + } + var ( + encryptedPassword []byte + created int64 + lastLogin int64 + ) + err := db.QueryRow( + `SELECT id, password, is_admin, created, last_login, settings + FROM accounts + WHERE username = ?;`, + username, + ).Scan(&account.Id, + &encryptedPassword, + &account.IsAdmin, + &created, + &lastLogin, + &account.Settings, + ) + if err != nil { + return nil, err + } + password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword) + if err != nil { + return nil, err + } + account.Password = string(password) + account.Created = time.Unix(created, 0) + account.LastLogin = time.Unix(lastLogin, 0) + return &account, nil +} + +func (db *DB) InitAdminAccount() error { + tx, err := db.Begin() + if err != nil { + return err + } + defer func() { + if err != nil { + _ = tx.Rollback() + } + }() + var hasAdminAccount bool + if err = tx.QueryRowContext(db.ctx, `SELECT EXISTS (SELECT 1 FROM accounts WHERE is_admin);`).Scan(&hasAdminAccount); err != nil { + return fmt.Errorf("failed to select if there is an admin account in the database: %w", err) + } + if hasAdminAccount { + tx.Rollback() + } else { + var password uuid.UUID + if err = password.Generate(uuid.V4); err != nil { + return fmt.Errorf("failed to generate initial admin password: %w", err) + } + var encryptedPassword []byte + encryptedPassword, err = db.dataEncryptionKey.EncryptAES256([]byte(password.String())) + if err != nil { + return fmt.Errorf("failed to encrypt initial admin password: %w", err) + } + if _, err = tx.ExecContext(db.ctx, + `INSERT INTO accounts(username, password, is_admin) + VALUES ("admin", :password, TRUE) + ON CONFLICT DO UPDATE SET password = :password + WHERE username = "admin";`, + sql.Named("password", encryptedPassword), + ); err != nil { + return fmt.Errorf("failed to set initial admin password: %w", err) + } + err = tx.Commit() + if err == nil { + slog.Info("Generated an initial admin password, please change it or delete the admin account after your first login", "password", password.String()) + } + } + return err +} diff --git a/pkg/database/sql/000_init.sql b/pkg/database/sql/000_init.sql index ab40746..c56473f 100644 --- a/pkg/database/sql/000_init.sql +++ b/pkg/database/sql/000_init.sql @@ -2,6 +2,17 @@ CREATE TABLE schema_version ( version INTEGER NOT NULL ) STRICT; +CREATE TABLE accounts ( + id INTEGER PRIMARY KEY, + username TEXT NOT NULL, + password BLOB NOT NULL, + is_admin INTEGER NOT NULL DEFAULT FALSE, + created INTEGER NOT NULL DEFAULT (unixepoch()), + last_login INTEGER NOT NULL DEFAULT (unixepoch()), + settings TEXT +) STRICT; +CREATE UNIQUE INDEX accounts_username on accounts(username); + CREATE TABLE states ( id INTEGER PRIMARY KEY, path TEXT NOT NULL, @@ -11,9 +22,11 @@ CREATE UNIQUE INDEX states_path on states(path); CREATE TABLE versions ( id INTEGER PRIMARY KEY, + account_id INTEGER NOT NULL, state_id INTEGER, data BLOB, lock TEXT, created INTEGER DEFAULT (unixepoch()), + FOREIGN KEY(account_id) REFERENCES accounts(id) ON DELETE CASCADE FOREIGN KEY(state_id) REFERENCES states(id) ON DELETE CASCADE ) STRICT; diff --git a/pkg/database/states.go b/pkg/database/states.go index d1e9c7d..4f0ce58 100644 --- a/pkg/database/states.go +++ b/pkg/database/states.go @@ -43,7 +43,7 @@ func (db *DB) GetState(path string) ([]byte, error) { } // returns true in case of id mismatch -func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) { +func (db *DB) SetState(path string, accountID int, data []byte, lockID string) (bool, error) { encryptedData, err := db.dataEncryptionKey.EncryptAES256(data) if err != nil { return false, err @@ -82,10 +82,11 @@ func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) { return true, err } _, err = tx.ExecContext(db.ctx, - `INSERT INTO versions(state_id, data, lock) - SELECT :stateID, :data, lock + `INSERT INTO versions(account_id, state_id, data, lock) + SELECT :accountID, :stateID, :data, lock FROM states WHERE states.id = :stateID;`, + sql.Named("accountID", accountID), sql.Named("stateID", stateID), sql.Named("data", encryptedData)) if err != nil { diff --git a/pkg/model/account.go b/pkg/model/account.go new file mode 100644 index 0000000..cbb6407 --- /dev/null +++ b/pkg/model/account.go @@ -0,0 +1,13 @@ +package model + +import "time" + +type Account struct { + Id int + Username string + Password string + IsAdmin bool + Created time.Time + LastLogin time.Time + Settings any +} |