From 3d8812fbd0091d2ef636949628c52bf9f48617a6 Mon Sep 17 00:00:00 2001 From: Julien Dessaux Date: Thu, 14 Nov 2024 01:34:29 +0100 Subject: feat(tfstated): implement HTTP basic auth --- .gitignore | 2 +- cmd/tfstated/delete_test.go | 14 ++++--- cmd/tfstated/get_test.go | 12 +++--- cmd/tfstated/healthz_test.go | 2 +- cmd/tfstated/lock_test.go | 22 ++++++----- cmd/tfstated/main.go | 4 ++ cmd/tfstated/main_test.go | 13 ++++++- cmd/tfstated/post.go | 4 +- cmd/tfstated/post_test.go | 36 +++++++++--------- cmd/tfstated/routes.go | 12 +++--- cmd/tfstated/unlock_test.go | 18 +++++---- go.mod | 2 + go.sum | 2 + pkg/basic_auth/middleware.go | 39 +++++++++++++++++++ pkg/database/accounts.go | 88 +++++++++++++++++++++++++++++++++++++++++++ pkg/database/sql/000_init.sql | 13 +++++++ pkg/database/states.go | 7 ++-- pkg/model/account.go | 13 +++++++ 18 files changed, 245 insertions(+), 58 deletions(-) create mode 100644 pkg/basic_auth/middleware.go create mode 100644 pkg/database/accounts.go create mode 100644 pkg/model/account.go diff --git a/.gitignore b/.gitignore index 8bdbc77..122fc54 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ -tfstate +tfstated tfstate.db tfstate.db-shm tfstate.db-wal diff --git a/cmd/tfstated/delete_test.go b/cmd/tfstated/delete_test.go index 970fbcf..cbc0d55 100644 --- a/cmd/tfstated/delete_test.go +++ b/cmd/tfstated/delete_test.go @@ -11,20 +11,22 @@ import ( func TestDelete(t *testing.T) { tests := []struct { method string + auth bool uri url.URL body io.Reader expect string status int msg string }{ - {"DELETE", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, - {"DELETE", url.URL{Path: "/non_existent_delete"}, nil, "", http.StatusNotFound, "non existent"}, - {"POST", url.URL{Path: "/test_delete"}, strings.NewReader("the_test_delete"), "", http.StatusOK, "/test_delete"}, - {"DELETE", url.URL{Path: "/test_delete"}, nil, "", http.StatusOK, "/test_delete"}, - {"DELETE", url.URL{Path: "/test_delete"}, nil, "", http.StatusNotFound, "/test_delete"}, + {"DELETE", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"}, + {"DELETE", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, + {"DELETE", true, url.URL{Path: "/non_existent_delete"}, nil, "", http.StatusNotFound, "non existent"}, + {"POST", true, url.URL{Path: "/test_delete"}, strings.NewReader("the_test_delete"), "", http.StatusOK, "/test_delete"}, + {"DELETE", true, url.URL{Path: "/test_delete"}, nil, "", http.StatusOK, "/test_delete"}, + {"DELETE", true, url.URL{Path: "/test_delete"}, nil, "", http.StatusNotFound, "/test_delete"}, } for _, tt := range tests { - runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) { + runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) { if err != nil { t.Fatalf("failed %s with error: %+v", tt.method, err) } else if r.StatusCode != tt.status { diff --git a/cmd/tfstated/get_test.go b/cmd/tfstated/get_test.go index 5ffcfd0..274522b 100644 --- a/cmd/tfstated/get_test.go +++ b/cmd/tfstated/get_test.go @@ -11,19 +11,21 @@ import ( func TestGet(t *testing.T) { tests := []struct { method string + auth bool uri url.URL body io.Reader expect string status int msg string }{ - {"GET", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, - {"GET", url.URL{Path: "/non_existent_get"}, strings.NewReader(""), "", http.StatusOK, "non existent"}, - {"POST", url.URL{Path: "/test_get"}, strings.NewReader("the_test_get"), "", http.StatusOK, "/test_get"}, - {"GET", url.URL{Path: "/test_get"}, nil, "the_test_get", http.StatusOK, "/test_get"}, + {"GET", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"}, + {"GET", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, + {"GET", true, url.URL{Path: "/non_existent_get"}, strings.NewReader(""), "", http.StatusOK, "non existent"}, + {"POST", true, url.URL{Path: "/test_get"}, strings.NewReader("the_test_get"), "", http.StatusOK, "/test_get"}, + {"GET", true, url.URL{Path: "/test_get"}, nil, "the_test_get", http.StatusOK, "/test_get"}, } for _, tt := range tests { - runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) { + runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) { if err != nil { t.Fatalf("failed %s with error: %+v", tt.method, err) } else if r.StatusCode != tt.status { diff --git a/cmd/tfstated/healthz_test.go b/cmd/tfstated/healthz_test.go index c4860c4..10d237b 100644 --- a/cmd/tfstated/healthz_test.go +++ b/cmd/tfstated/healthz_test.go @@ -7,7 +7,7 @@ import ( ) func TestHealthz(t *testing.T) { - runHTTPRequest("GET", &url.URL{Path: "/healthz"}, nil, func(r *http.Response, err error) { + runHTTPRequest("GET", false, &url.URL{Path: "/healthz"}, nil, func(r *http.Response, err error) { if err != nil { t.Fatalf("failed healthcheck with error: %+v", err) } else if r.StatusCode != http.StatusOK { diff --git a/cmd/tfstated/lock_test.go b/cmd/tfstated/lock_test.go index fa454be..22f5890 100644 --- a/cmd/tfstated/lock_test.go +++ b/cmd/tfstated/lock_test.go @@ -11,24 +11,26 @@ import ( func TestLock(t *testing.T) { tests := []struct { method string + auth bool uri url.URL body io.Reader expect string status int msg string }{ - {"LOCK", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, - {"LOCK", url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"}, - {"LOCK", url.URL{Path: "/non_existent_lock"}, strings.NewReader("{}"), "", http.StatusBadRequest, "invalid lock data on non existent state"}, - {"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"}, - {"GET", url.URL{Path: "/test_lock"}, nil, "", http.StatusOK, "/test_lock"}, - {"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"\"}"), "", http.StatusBadRequest, "invalid lock data on already locked state"}, - {"LOCK", url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on already locked state"}, - {"POST", url.URL{Path: "/test_lock", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_lock"), "", http.StatusOK, "/test_lock"}, - {"GET", url.URL{Path: "/test_lock"}, nil, "the_test_lock", http.StatusOK, "/test_lock"}, + {"LOCK", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"}, + {"LOCK", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, + {"LOCK", true, url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"}, + {"LOCK", true, url.URL{Path: "/non_existent_lock"}, strings.NewReader("{}"), "", http.StatusBadRequest, "invalid lock data on non existent state"}, + {"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"}, + {"GET", true, url.URL{Path: "/test_lock"}, nil, "", http.StatusOK, "/test_lock"}, + {"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"\"}"), "", http.StatusBadRequest, "invalid lock data on already locked state"}, + {"LOCK", true, url.URL{Path: "/test_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on already locked state"}, + {"POST", true, url.URL{Path: "/test_lock", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_lock"), "", http.StatusOK, "/test_lock"}, + {"GET", true, url.URL{Path: "/test_lock"}, nil, "the_test_lock", http.StatusOK, "/test_lock"}, } for _, tt := range tests { - runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) { + runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) { if err != nil { t.Fatalf("failed %s with error: %+v", tt.method, err) } else if r.StatusCode != tt.status { diff --git a/cmd/tfstated/main.go b/cmd/tfstated/main.go index 722ec82..e6c6272 100644 --- a/cmd/tfstated/main.go +++ b/cmd/tfstated/main.go @@ -52,6 +52,10 @@ func run( db.SetVersionsHistoryLimit(n) } + if err := db.InitAdminAccount(); err != nil { + return err + } + mux := http.NewServeMux() addRoutes( mux, diff --git a/cmd/tfstated/main_test.go b/cmd/tfstated/main_test.go index c52b924..3ad1d7e 100644 --- a/cmd/tfstated/main_test.go +++ b/cmd/tfstated/main_test.go @@ -19,6 +19,7 @@ var baseURI = url.URL{ Scheme: "http", } var db *database.DB +var password string func TestMain(m *testing.M) { ctx := context.Background() @@ -58,6 +59,13 @@ func TestMain(m *testing.M) { os.Exit(1) } + admin, err := db.LoadAccountByUsername("admin") + if err != nil { + fmt.Fprintf(os.Stderr, "%+v\n", err) + os.Exit(1) + } + password = admin.Password + ret := m.Run() cancel() @@ -71,7 +79,7 @@ func TestMain(m *testing.M) { os.Exit(ret) } -func runHTTPRequest(method string, uriRef *url.URL, body io.Reader, testFunc func(*http.Response, error)) { +func runHTTPRequest(method string, auth bool, uriRef *url.URL, body io.Reader, testFunc func(*http.Response, error)) { uri := baseURI.ResolveReference(uriRef) client := http.Client{} req, err := http.NewRequest(method, uri.String(), body) @@ -79,6 +87,9 @@ func runHTTPRequest(method string, uriRef *url.URL, body io.Reader, testFunc fun testFunc(nil, fmt.Errorf("failed to create request: %w", err)) return } + if auth { + req.SetBasicAuth("admin", password) + } resp, err := client.Do(req) if err != nil { testFunc(nil, fmt.Errorf("failed to do request: %w\n", err)) diff --git a/cmd/tfstated/post.go b/cmd/tfstated/post.go index cf788d4..718fed7 100644 --- a/cmd/tfstated/post.go +++ b/cmd/tfstated/post.go @@ -6,6 +6,7 @@ import ( "net/http" "git.adyxax.org/adyxax/tfstated/pkg/database" + "git.adyxax.org/adyxax/tfstated/pkg/model" ) func handlePost(db *database.DB) http.Handler { @@ -24,7 +25,8 @@ func handlePost(db *database.DB) http.Handler { _ = errorResponse(w, http.StatusBadRequest, err) return } - if idMismatch, err := db.SetState(r.URL.Path, data, id); err != nil { + account := r.Context().Value("account").(*model.Account) + if idMismatch, err := db.SetState(r.URL.Path, account.Id, data, id); err != nil { if idMismatch { _ = errorResponse(w, http.StatusConflict, err) } else { diff --git a/cmd/tfstated/post_test.go b/cmd/tfstated/post_test.go index fd66dc4..71e5143 100644 --- a/cmd/tfstated/post_test.go +++ b/cmd/tfstated/post_test.go @@ -11,31 +11,33 @@ import ( func TestPost(t *testing.T) { tests := []struct { method string + auth bool uri url.URL body io.Reader expect string status int msg string }{ - {"POST", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, - {"POST", url.URL{Path: "/test_post"}, nil, "", http.StatusBadRequest, "without a body"}, - {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post"), "", http.StatusOK, "without lock ID in query string"}, - {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"}, - {"POST", url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post2"), "", http.StatusConflict, "with a lock ID on an unlocked state"}, - {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"}, - {"LOCK", url.URL{Path: "/test_post"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "/test_post"}, - {"POST", url.URL{Path: "/test_post", RawQuery: "ID=ffffffff-ffff-ffff-ffff-ffffffffffff"}, strings.NewReader("the_test_post3"), "", http.StatusConflict, "with a wrong lock ID on a locked state"}, - {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"}, - {"POST", url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post4"), "", http.StatusOK, "with a correct lock ID on a locked state"}, - {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post4", http.StatusOK, "/test_post"}, - {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post5"), "", http.StatusOK, "without lock ID in query string on a locked state"}, - {"GET", url.URL{Path: "/test_post"}, nil, "the_test_post5", http.StatusOK, "/test_post"}, - {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post6"), "", http.StatusOK, "another post just to make sure the history limit works"}, - {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post7"), "", http.StatusOK, "another post just to make sure the history limit works"}, - {"POST", url.URL{Path: "/test_post"}, strings.NewReader("the_test_post8"), "", http.StatusOK, "another post just to make sure the history limit works"}, + {"POST", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"}, + {"POST", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, + {"POST", true, url.URL{Path: "/test_post"}, nil, "", http.StatusBadRequest, "without a body"}, + {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post"), "", http.StatusOK, "without lock ID in query string"}, + {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"}, + {"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post2"), "", http.StatusConflict, "with a lock ID on an unlocked state"}, + {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"}, + {"LOCK", true, url.URL{Path: "/test_post"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "/test_post"}, + {"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=ffffffff-ffff-ffff-ffff-ffffffffffff"}, strings.NewReader("the_test_post3"), "", http.StatusConflict, "with a wrong lock ID on a locked state"}, + {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post", http.StatusOK, "/test_post"}, + {"POST", true, url.URL{Path: "/test_post", RawQuery: "ID=00000000-0000-0000-0000-000000000000"}, strings.NewReader("the_test_post4"), "", http.StatusOK, "with a correct lock ID on a locked state"}, + {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post4", http.StatusOK, "/test_post"}, + {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post5"), "", http.StatusOK, "without lock ID in query string on a locked state"}, + {"GET", true, url.URL{Path: "/test_post"}, nil, "the_test_post5", http.StatusOK, "/test_post"}, + {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post6"), "", http.StatusOK, "another post just to make sure the history limit works"}, + {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post7"), "", http.StatusOK, "another post just to make sure the history limit works"}, + {"POST", true, url.URL{Path: "/test_post"}, strings.NewReader("the_test_post8"), "", http.StatusOK, "another post just to make sure the history limit works"}, } for _, tt := range tests { - runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) { + runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) { if err != nil { t.Fatalf("failed %s with error: %+v", tt.method, err) } else if r.StatusCode != tt.status { diff --git a/cmd/tfstated/routes.go b/cmd/tfstated/routes.go index e2700d2..019bb76 100644 --- a/cmd/tfstated/routes.go +++ b/cmd/tfstated/routes.go @@ -3,6 +3,7 @@ package main import ( "net/http" + "git.adyxax.org/adyxax/tfstated/pkg/basic_auth" "git.adyxax.org/adyxax/tfstated/pkg/database" ) @@ -12,9 +13,10 @@ func addRoutes( ) { mux.Handle("GET /healthz", handleHealthz()) - mux.Handle("DELETE /", handleDelete(db)) - mux.Handle("GET /", handleGet(db)) - mux.Handle("LOCK /", handleLock(db)) - mux.Handle("POST /", handlePost(db)) - mux.Handle("UNLOCK /", handleUnlock(db)) + basicAuth := basic_auth.Middleware(db) + mux.Handle("DELETE /", basicAuth(handleDelete(db))) + mux.Handle("GET /", basicAuth(handleGet(db))) + mux.Handle("LOCK /", basicAuth(handleLock(db))) + mux.Handle("POST /", basicAuth(handlePost(db))) + mux.Handle("UNLOCK /", basicAuth(handleUnlock(db))) } diff --git a/cmd/tfstated/unlock_test.go b/cmd/tfstated/unlock_test.go index f5af5f7..e8c14cc 100644 --- a/cmd/tfstated/unlock_test.go +++ b/cmd/tfstated/unlock_test.go @@ -11,22 +11,24 @@ import ( func TestUnlock(t *testing.T) { tests := []struct { method string + auth bool uri url.URL body io.Reader expect string status int msg string }{ - {"UNLOCK", url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, - {"UNLOCK", url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"}, - {"UNLOCK", url.URL{Path: "/non_existent_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on non existent state"}, - {"LOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"}, - {"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF\"}"), "", http.StatusConflict, "valid but wrong lock data on a locked state"}, - {"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid and correct lock data on a locked state"}, - {"UNLOCK", url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid and correct lock data on a now unlocked state"}, + {"UNLOCK", false, url.URL{Path: "/"}, nil, "", http.StatusUnauthorized, "/"}, + {"UNLOCK", true, url.URL{Path: "/"}, nil, "", http.StatusBadRequest, "/"}, + {"UNLOCK", true, url.URL{Path: "/non_existent_lock"}, nil, "", http.StatusBadRequest, "no lock data on non existent state"}, + {"UNLOCK", true, url.URL{Path: "/non_existent_lock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid lock data on non existent state"}, + {"LOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid lock data on non existent state should create it empty"}, + {"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF\"}"), "", http.StatusConflict, "valid but wrong lock data on a locked state"}, + {"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusOK, "valid and correct lock data on a locked state"}, + {"UNLOCK", true, url.URL{Path: "/test_unlock"}, strings.NewReader("{\"ID\":\"00000000-0000-0000-0000-000000000000\"}"), "", http.StatusConflict, "valid and correct lock data on a now unlocked state"}, } for _, tt := range tests { - runHTTPRequest(tt.method, &tt.uri, tt.body, func(r *http.Response, err error) { + runHTTPRequest(tt.method, tt.auth, &tt.uri, tt.body, func(r *http.Response, err error) { if err != nil { t.Fatalf("failed %s with error: %+v", tt.method, err) } else if r.StatusCode != tt.status { diff --git a/go.mod b/go.mod index a8c3b29..0455251 100644 --- a/go.mod +++ b/go.mod @@ -3,3 +3,5 @@ module git.adyxax.org/adyxax/tfstated go 1.23.3 require github.com/mattn/go-sqlite3 v1.14.24 + +require go.n16f.net/uuid v0.0.0-20240707135755-e4fd26b968ad // indirect diff --git a/go.sum b/go.sum index 9dcdc9b..1d07d2a 100644 --- a/go.sum +++ b/go.sum @@ -1,2 +1,4 @@ github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM= github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= +go.n16f.net/uuid v0.0.0-20240707135755-e4fd26b968ad h1:QYbHaaFqx6hMor1L6iMSmyhMFvXQXhKaNk9nefug07M= +go.n16f.net/uuid v0.0.0-20240707135755-e4fd26b968ad/go.mod h1:hvPEWZmyP50in1DH72o5vUvoXFFyfRU6oL+p2tAcbgU= diff --git a/pkg/basic_auth/middleware.go b/pkg/basic_auth/middleware.go new file mode 100644 index 0000000..108124f --- /dev/null +++ b/pkg/basic_auth/middleware.go @@ -0,0 +1,39 @@ +package basic_auth + +import ( + "context" + "net/http" + "time" + + "git.adyxax.org/adyxax/tfstated/pkg/database" +) + +func Middleware(db *database.DB) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + username, password, ok := r.BasicAuth() + if !ok { + w.Header().Set("WWW-Authenticate", `Basic realm="tfstated", charset="UTF-8"`) + http.Error(w, "Unauthorized", http.StatusUnauthorized) + return + } + account, err := db.LoadAccountByUsername(username) + if err != nil { + http.Error(w, "Internal Server Error", http.StatusInternalServerError) + return + } + if password != account.Password { + http.Error(w, "Forbidden", http.StatusForbidden) + return + } + now := time.Now().UTC() + _, err = db.Exec(`UPDATE accounts SET last_login = ? WHERE id = ?`, now.Unix(), account.Id) + if err != nil { + http.Error(w, "Internal Server Error", http.StatusInternalServerError) + return + } + ctx := context.WithValue(r.Context(), "account", account) + next.ServeHTTP(w, r.WithContext(ctx)) + }) + } +} diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go new file mode 100644 index 0000000..7902371 --- /dev/null +++ b/pkg/database/accounts.go @@ -0,0 +1,88 @@ +package database + +import ( + "database/sql" + "fmt" + "log/slog" + "time" + + "git.adyxax.org/adyxax/tfstated/pkg/model" + "go.n16f.net/uuid" +) + +func (db *DB) LoadAccountByUsername(username string) (*model.Account, error) { + account := model.Account{ + Username: username, + } + var ( + encryptedPassword []byte + created int64 + lastLogin int64 + ) + err := db.QueryRow( + `SELECT id, password, is_admin, created, last_login, settings + FROM accounts + WHERE username = ?;`, + username, + ).Scan(&account.Id, + &encryptedPassword, + &account.IsAdmin, + &created, + &lastLogin, + &account.Settings, + ) + if err != nil { + return nil, err + } + password, err := db.dataEncryptionKey.DecryptAES256(encryptedPassword) + if err != nil { + return nil, err + } + account.Password = string(password) + account.Created = time.Unix(created, 0) + account.LastLogin = time.Unix(lastLogin, 0) + return &account, nil +} + +func (db *DB) InitAdminAccount() error { + tx, err := db.Begin() + if err != nil { + return err + } + defer func() { + if err != nil { + _ = tx.Rollback() + } + }() + var hasAdminAccount bool + if err = tx.QueryRowContext(db.ctx, `SELECT EXISTS (SELECT 1 FROM accounts WHERE is_admin);`).Scan(&hasAdminAccount); err != nil { + return fmt.Errorf("failed to select if there is an admin account in the database: %w", err) + } + if hasAdminAccount { + tx.Rollback() + } else { + var password uuid.UUID + if err = password.Generate(uuid.V4); err != nil { + return fmt.Errorf("failed to generate initial admin password: %w", err) + } + var encryptedPassword []byte + encryptedPassword, err = db.dataEncryptionKey.EncryptAES256([]byte(password.String())) + if err != nil { + return fmt.Errorf("failed to encrypt initial admin password: %w", err) + } + if _, err = tx.ExecContext(db.ctx, + `INSERT INTO accounts(username, password, is_admin) + VALUES ("admin", :password, TRUE) + ON CONFLICT DO UPDATE SET password = :password + WHERE username = "admin";`, + sql.Named("password", encryptedPassword), + ); err != nil { + return fmt.Errorf("failed to set initial admin password: %w", err) + } + err = tx.Commit() + if err == nil { + slog.Info("Generated an initial admin password, please change it or delete the admin account after your first login", "password", password.String()) + } + } + return err +} diff --git a/pkg/database/sql/000_init.sql b/pkg/database/sql/000_init.sql index ab40746..c56473f 100644 --- a/pkg/database/sql/000_init.sql +++ b/pkg/database/sql/000_init.sql @@ -2,6 +2,17 @@ CREATE TABLE schema_version ( version INTEGER NOT NULL ) STRICT; +CREATE TABLE accounts ( + id INTEGER PRIMARY KEY, + username TEXT NOT NULL, + password BLOB NOT NULL, + is_admin INTEGER NOT NULL DEFAULT FALSE, + created INTEGER NOT NULL DEFAULT (unixepoch()), + last_login INTEGER NOT NULL DEFAULT (unixepoch()), + settings TEXT +) STRICT; +CREATE UNIQUE INDEX accounts_username on accounts(username); + CREATE TABLE states ( id INTEGER PRIMARY KEY, path TEXT NOT NULL, @@ -11,9 +22,11 @@ CREATE UNIQUE INDEX states_path on states(path); CREATE TABLE versions ( id INTEGER PRIMARY KEY, + account_id INTEGER NOT NULL, state_id INTEGER, data BLOB, lock TEXT, created INTEGER DEFAULT (unixepoch()), + FOREIGN KEY(account_id) REFERENCES accounts(id) ON DELETE CASCADE FOREIGN KEY(state_id) REFERENCES states(id) ON DELETE CASCADE ) STRICT; diff --git a/pkg/database/states.go b/pkg/database/states.go index d1e9c7d..4f0ce58 100644 --- a/pkg/database/states.go +++ b/pkg/database/states.go @@ -43,7 +43,7 @@ func (db *DB) GetState(path string) ([]byte, error) { } // returns true in case of id mismatch -func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) { +func (db *DB) SetState(path string, accountID int, data []byte, lockID string) (bool, error) { encryptedData, err := db.dataEncryptionKey.EncryptAES256(data) if err != nil { return false, err @@ -82,10 +82,11 @@ func (db *DB) SetState(path string, data []byte, lockID string) (bool, error) { return true, err } _, err = tx.ExecContext(db.ctx, - `INSERT INTO versions(state_id, data, lock) - SELECT :stateID, :data, lock + `INSERT INTO versions(account_id, state_id, data, lock) + SELECT :accountID, :stateID, :data, lock FROM states WHERE states.id = :stateID;`, + sql.Named("accountID", accountID), sql.Named("stateID", stateID), sql.Named("data", encryptedData)) if err != nil { diff --git a/pkg/model/account.go b/pkg/model/account.go new file mode 100644 index 0000000..cbb6407 --- /dev/null +++ b/pkg/model/account.go @@ -0,0 +1,13 @@ +package model + +import "time" + +type Account struct { + Id int + Username string + Password string + IsAdmin bool + Created time.Time + LastLogin time.Time + Settings any +} -- cgit v1.2.3