diff --git a/.gitignore b/.gitignore index f9352ec..c178d28 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ -/mcias.db +mcias.db +cmd/mcias/mcias +.idea diff --git a/api/auth.go b/api/auth.go index e805725..2a3d326 100644 --- a/api/auth.go +++ b/api/auth.go @@ -91,15 +91,17 @@ func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) { return } - userID, err := s.verifyToken(req.Login.User, req.Login.Token) + // Verify the token is valid + _, err := s.verifyToken(req.Login.User, req.Login.Token) if err != nil { s.sendError(w, "Invalid or expired token", http.StatusUnauthorized) return } - token, expires, err := s.createToken(userID) + // Renew the existing token instead of creating a new one + expires, err := s.renewToken(req.Login.User, req.Login.Token) if err != nil { - s.Logger.Printf("Token creation error: %v", err) + s.Logger.Printf("Token renewal error: %v", err) s.sendError(w, "Internal server error", http.StatusInternalServerError) return } @@ -107,7 +109,7 @@ func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") w.WriteHeader(http.StatusOK) if err := json.NewEncoder(w).Encode(TokenResponse{ - Token: token, + Token: req.Login.Token, Expires: expires, }); err != nil { s.Logger.Printf("Error encoding response: %v", err) 
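Review bot: The handler now discards the userID that verifyToken returns and lets renewToken resolve the same username/token pair a second time, so the expiry update is safe only because verifyToken happened to run first. Passing the verified identity through, `expires, err := s.renewToken(userID, req.Login.Token)` with renewToken matching on `t.uid = ?`, removes the second lookup and ties the renewal to the identity that was actually checked. A comment on the handler should also say what the new comment only hints at: the endpoint returns the caller's existing bearer secret with a fresh 24-hour expiry rather than a rotated token, so clients must not assume the value changes. handleTokenLogin starts and ends outside these two hunks.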
@@ -190,6 +192,30 @@ func (s *Server) verifyToken(username, token string) (string, error) { return userID, nil } +func (s *Server) renewToken(username, token string) (int64, error) { + // First, verify the token exists and get the token ID + query := ` + SELECT t.id FROM tokens t + JOIN users u ON t.uid = u.id + WHERE u.user = ? AND t.token = ? + ` + var tokenID string + err := s.DB.QueryRow(query, username, token).Scan(&tokenID) + if err != nil { + return 0, err + } + + // Update the token's expiry time + expires := time.Now().Add(24 * time.Hour).Unix() + updateQuery := `UPDATE tokens SET expires = ? WHERE id = ?` + _, err = s.DB.Exec(updateQuery, expires, tokenID) + if err != nil { + return 0, err + } + + return expires, nil +} + func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Request) { // Extract authorization header authHeader := r.Header.Get("Authorization") @@ -219,7 +245,7 @@ func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Reques return } - // Check if user has admin role + // Check if user has permission to read database credentials user, err := s.getUserByUsername(username) if err != nil { s.Logger.Printf("Database error: %v", err) @@ -227,16 +253,15 @@ func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Reques return } - hasAdminRole := false - for _, role := range user.Roles { - if role == "admin" { - hasAdminRole = true - break - } + hasPermission, err := user.HasPermission(s.Auth, "database_credentials", "read") + if err != nil { + s.Logger.Printf("Permission check error: %v", err) + s.sendError(w, "Internal server error", http.StatusInternalServerError) + return } - if !hasAdminRole { - s.sendError(w, "Insufficient permissions", http.StatusForbidden) + if !hasPermission { + s.sendError(w, "Insufficient permissions: requires database_credentials:read permission", http.StatusForbidden) return } diff --git a/api/auth_test.go b/api/auth_test.go index 65dff77..f4d84cb 100644 
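Review bot: renewToken extends any matching token to now+24h with no upper bound, so a client that calls token login at least once a day keeps the same bearer secret indefinitely, and its SELECT does not filter on `t.expires`, leaving expiry enforcement entirely to whoever calls it first. Fold the condition into the lookup, `WHERE u.user = ? AND t.token = ? AND t.expires > ?` with `time.Now().Unix()` as the third argument, and cap the total lifetime (that needs a creation timestamp on the token row if the tokens table does not already carry one). The SELECT and UPDATE are separate statements on s.DB outside any transaction; an `UPDATE tokens SET expires = ? WHERE id = ? AND expires > ?` checked via `RowsAffected()` would at least make the renew-only-if-still-valid decision atomic. The method has no doc comment; it should state that the token value is not rotated and that the returned value is the new Unix expiry.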
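Review bot: `user.HasPermission(s.Auth, ...)` depends on s.Auth, which the server.go hunks populate only in NewServer, so a Server built as a struct literal reaches this line with a nil service; unless HasPermission guards a nil receiver, a check here (or an unexported field only the constructor sets) makes that failure explicit instead of a panic inside a request. A denied read of database credentials is an event worth recording: the `!hasPermission` branch returns 403 with no log line, so add `s.Logger.Printf("Denied database_credentials:read for %q", username)` next to the sendError. The 403 body now tells an authenticated caller exactly which permission string they lack; the test pins that text and it helps operators, but it is policy detail handed to the client, so decide deliberately whether the permission catalogue should be discoverable this way. handleDatabaseCredentials starts and ends outside the hunk.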
--- a/api/auth_test.go +++ b/api/auth_test.go @@ -21,7 +21,7 @@ func setupTestDB(t *testing.T) *sql.DB { t.Fatalf("Failed to open test database: %v", err) } - schema, err := os.ReadFile("../schema.sql") + schema, err := os.ReadFile("../database/schema.sql") if err != nil { t.Fatalf("Failed to read schema: %v", err) } @@ -109,11 +109,11 @@ func TestTokenLogin(t *testing.T) { server := NewServer(db, logger) token := "testtoken123456" - expires := time.Now().Add(24 * time.Hour).Unix() + initialExpires := time.Now().Add(1 * time.Hour).Unix() // Set initial expiry to 1 hour from now tokenID := "token123" query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)` - _, err := db.Exec(query, tokenID, user.ID, token, expires) + _, err := db.Exec(query, tokenID, user.ID, token, initialExpires) if err != nil { t.Fatalf("Failed to insert test token: %v", err) } 
@@ -146,14 +146,31 @@ func TestTokenLogin(t *testing.T) { t.Fatalf("Failed to decode response: %v", err) } - if response.Token == "" { - t.Error("Expected token in response, got empty string") + // Verify that the same token is returned + if response.Token != token { + t.Errorf("Expected the same token '%s', got '%s'", token, response.Token) + } + + // Verify that the expiry has been renewed (should be later than the initial expiry) + if response.Expires <= initialExpires { + t.Errorf("Expected renewed expiry to be later than initial expiry %d, got %d", initialExpires, response.Expires) } now := time.Now().Unix() if response.Expires <= now { t.Errorf("Expected token expiration in the future, got %d (now: %d)", response.Expires, now) } + + // Verify that the token in the database has been updated + var dbExpires int64 + err = db.QueryRow("SELECT expires FROM tokens WHERE id = ?", tokenID).Scan(&dbExpires) + if err != nil { + t.Fatalf("Failed to query token from database: %v", err) + } + + if dbExpires != response.Expires { + t.Errorf("Database expiry %d does not match response expiry %d", dbExpires, response.Expires) + } } func TestInvalidPasswordLogin(t *testing.T) { @@ -225,11 +242,11 @@ func TestInvalidTokenLogin(t *testing.T) { func createTestAdminUser(t *testing.T, db *sql.DB) *data.User { user := createTestUser(t, db) - // Add admin role - roleID := "role123" - _, err := db.Exec("INSERT INTO roles (id, role) VALUES (?, ?)", roleID, "admin") + // Use the existing admin role from schema.sql + var roleID string + err := db.QueryRow("SELECT id FROM roles WHERE role = 'admin'").Scan(&roleID) if err != nil { - t.Fatalf("Failed to insert admin role: %v", err) + t.Fatalf("Failed to get admin role ID: %v", err) } // Assign admin role to user 
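Review bot: TestTokenLogin now proves that a valid token is renewed, but the renewal path has no negative case: a token whose `expires` is already in the past must be rejected by the handler and must not have its row updated. If TestInvalidTokenLogin (whose signature is the context of the next hunk) covers only an unknown token, add a case that inserts `initialExpires := time.Now().Add(-1 * time.Hour).Unix()` for a known user, expects 401, and re-reads `expires` from the tokens table to confirm it is unchanged. The `response.Expires <= initialExpires` assertion only works because the fixture sets a one-hour initial expiry while the server renews for longer; a comment stating that assumption keeps the coupling visible. TestTokenLogin begins outside the hunk.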
@@ -243,6 +260,42 @@ func createTestAdminUser(t *testing.T, db *sql.DB) *data.User { return user } +func createTestDBOperatorUser(t *testing.T, db *sql.DB) *data.User { + // Create a new user + user := &data.User{} + login := &data.Login{ + User: "dboperator", + Password: "testpassword", + } + + if err := user.Register(login); err != nil { + t.Fatalf("Failed to register test user: %v", err) + } + + query := `INSERT INTO users (id, created, user, password, salt) VALUES (?, ?, ?, ?, ?)` + _, err := db.Exec(query, user.ID, user.Created, user.User, user.Password, user.Salt) + if err != nil { + t.Fatalf("Failed to insert test user: %v", err) + } + + // Use the existing db_operator role from schema.sql + var roleID string + err = db.QueryRow("SELECT id FROM roles WHERE role = 'db_operator'").Scan(&roleID) + if err != nil { + t.Fatalf("Failed to get db_operator role ID: %v", err) + } + + // Assign db_operator role to user + userRoleID := "ur456" + _, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", userRoleID, user.ID, roleID) + if err != nil { + t.Fatalf("Failed to assign db_operator role to user: %v", err) + } + + user.Roles = []string{"db_operator"} + return user +} + func insertTestDatabaseCredentials(t *testing.T, db *sql.DB) { query := `INSERT INTO database (id, host, port, name, user, password) VALUES (?, ?, ?, ?, ?, ?)` @@ -252,7 +305,7 @@ func insertTestDatabaseCredentials(t *testing.T, db *sql.DB) { } } -func TestDatabaseCredentials(t *testing.T) { +func TestDatabaseCredentialsAdmin(t *testing.T) { db := setupTestDB(t) defer db.Close() 
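Review bot: createTestDBOperatorUser repeats the register-user, insert-row, look-up-role, insert-user_roles sequence inline, and the same sequence is copied again in TestDatabaseCredentialsUnauthorized in a later hunk, with createTestAdminUser in the previous hunk differing only in the role name. A single helper `createTestUserWithRole(t *testing.T, db *sql.DB, username, role string) *data.User` would replace all three and make the hand-picked `userRoleID` values ("ur456", "ur789") unnecessary. The helper also sets `user.Roles = []string{"db_operator"}` by hand rather than reading it back, so it would not catch a regression in role loading; that is acceptable for a fixture but deserves a comment saying so.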
@@ -304,20 +357,20 @@ func TestDatabaseCredentials(t *testing.T) { } } -func TestDatabaseCredentialsUnauthorized(t *testing.T) { +func TestDatabaseCredentialsDBOperator(t *testing.T) { db := setupTestDB(t) defer db.Close() - user := createTestUser(t, db) // Regular user without admin role + user := createTestDBOperatorUser(t, db) insertTestDatabaseCredentials(t, db) logger := log.New(os.Stdout, "TEST: ", log.LstdFlags) server := NewServer(db, logger) - token := "testtoken123456" + token := "dboptoken123456" expires := time.Now().Add(24 * time.Hour).Unix() - tokenID := "token123" + tokenID := "token456" query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)` _, err := db.Exec(query, tokenID, user.ID, token, expires) if err != nil { 
@@ -330,7 +383,100 @@ func TestDatabaseCredentialsUnauthorized(t *testing.T) { recorder := httptest.NewRecorder() server.handleDatabaseCredentials(recorder, req) + if recorder.Code != http.StatusOK { + t.Errorf("Expected status code %d, got %d", http.StatusOK, recorder.Code) + } + + var response DatabaseCredentials + if err := json.NewDecoder(recorder.Body).Decode(&response); err != nil { + t.Fatalf("Failed to decode response: %v", err) + } + + if response.Host != "localhost" { + t.Errorf("Expected host 'localhost', got '%s'", response.Host) + } + if response.Port != 5432 { + t.Errorf("Expected port 5432, got %d", response.Port) + } + if response.Name != "testdb" { + t.Errorf("Expected database name 'testdb', got '%s'", response.Name) + } + if response.User != "postgres" { + t.Errorf("Expected user 'postgres', got '%s'", response.User) + } + if response.Password != "securepassword" { + t.Errorf("Expected password 'securepassword', got '%s'", response.Password) + } +} + +func TestDatabaseCredentialsUnauthorized(t *testing.T) { + db := setupTestDB(t) + defer db.Close() + + // Create a regular user with the 'user' role + user := &data.User{} + login := &data.Login{ + User: "regularuser", + Password: "testpassword", + } + + if err := user.Register(login); err != nil { + t.Fatalf("Failed to register test user: %v", err) + } + + query := `INSERT INTO users (id, created, user, password, salt) VALUES (?, ?, ?, ?, ?)` + _, err := db.Exec(query, user.ID, user.Created, user.User, user.Password, user.Salt) + if err != nil { + t.Fatalf("Failed to insert test user: %v", err) + } + + // Use the existing user role from schema.sql + var roleID string + err = db.QueryRow("SELECT id FROM roles WHERE role = 'user'").Scan(&roleID) + if err != nil { + t.Fatalf("Failed to get user role ID: %v", err) + } + + // Assign user role to user + userRoleID := "ur789" + _, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", userRoleID, user.ID, roleID) + if err != nil { + 
t.Fatalf("Failed to assign user role to user: %v", err) + } + + insertTestDatabaseCredentials(t, db) + + logger := log.New(os.Stdout, "TEST: ", log.LstdFlags) + server := NewServer(db, logger) + + token := "usertoken123456" + expires := time.Now().Add(24 * time.Hour).Unix() + + tokenID := "token789" + tokenQuery := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)` + _, err = db.Exec(tokenQuery, tokenID, user.ID, token, expires) + if err != nil { + t.Fatalf("Failed to insert test token: %v", err) + } + + req := httptest.NewRequest("GET", "/v1/database/credentials?username="+user.User, nil) + req.Header.Set("Authorization", "Bearer "+token) + + recorder := httptest.NewRecorder() + server.handleDatabaseCredentials(recorder, req) + if recorder.Code != http.StatusForbidden { t.Errorf("Expected status code %d, got %d", http.StatusForbidden, recorder.Code) } + + // Check that the error message mentions the required permission + var errResp ErrorResponse + if err := json.NewDecoder(recorder.Body).Decode(&errResp); err != nil { + t.Fatalf("Failed to decode error response: %v", err) + } + + expectedErrMsg := "Insufficient permissions: requires database_credentials:read permission" + if errResp.Error != expectedErrMsg { + t.Errorf("Expected error message '%s', got '%s'", expectedErrMsg, errResp.Error) + } } diff --git a/api/server.go b/api/server.go index 8578876..ec412ef 100644 --- a/api/server.go +++ b/api/server.go @@ -5,6 +5,7 @@ import ( "log" "net/http" + "git.wntrmute.dev/kyle/mcias/data" _ "github.com/mattn/go-sqlite3" ) @@ -12,6 +13,7 @@ type Server struct { DB *sql.DB Router *http.ServeMux Logger *log.Logger + Auth *data.AuthorizationService } func NewServer(db *sql.DB, logger *log.Logger) *Server { @@ -19,6 +21,7 @@ func NewServer(db *sql.DB, logger *log.Logger) *Server { DB: db, Router: http.NewServeMux(), Logger: logger, + Auth: data.NewAuthorizationService(db), } s.registerRoutes() 
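Review bot: `Auth` is an exported field that only NewServer initialises, so after this hunk the authorization service is part of the Server's state with nothing enforcing that it is set; an unexported `auth` field, or a doc comment on the struct stating that NewServer is the only supported constructor (Router already relies on that), would make the contract explicit. The field also lacks a doc comment; `// Auth answers permission checks for handlers from user_roles/role_permissions in DB.` keeps the data flow visible next to DB and Logger.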
diff --git a/cmd/mcias/permission.go b/cmd/mcias/permission.go
new file mode 100644
index 0000000..a8016ac
--- /dev/null
+++ b/cmd/mcias/permission.go
@@ -0,0 +1,228 @@ +package main + +import ( + "database/sql" + "fmt" + "log" + "os" + "strings" + + "github.com/oklog/ulid/v2" + "github.com/spf13/cobra" + "github.com/spf13/viper" +) + +var ( + permissionRole string + permissionResource string + permissionAction string +) + +var permissionCmd = &cobra.Command{ + Use: "permission", + Short: "Manage permissions", + Long: `Commands for managing permissions in the MCIAS system.`, +} + +var listPermissionsCmd = &cobra.Command{ + Use: "list", + Short: "List all permissions", + Long: `List all permissions in the MCIAS system.`, + Run: func(cmd *cobra.Command, args []string) { + listPermissions() + }, +} + +var grantPermissionCmd = &cobra.Command{ + Use: "grant", + Short: "Grant a permission to a role", + Long: `Grant a permission to a role in the MCIAS system.`, + Run: func(cmd *cobra.Command, args []string) { + grantPermission() + }, +} + +var revokePermissionCmd = &cobra.Command{ + Use: "revoke", + Short: "Revoke a permission from a role", + Long: `Revoke a permission from a role in the MCIAS system.`, + Run: func(cmd *cobra.Command, args []string) { + revokePermission() + }, +} + +func init() { + rootCmd.AddCommand(permissionCmd) + permissionCmd.AddCommand(listPermissionsCmd) + permissionCmd.AddCommand(grantPermissionCmd) + permissionCmd.AddCommand(revokePermissionCmd) + + grantPermissionCmd.Flags().StringVar(&permissionRole, "role", "", "Name of the role to grant the permission to") + grantPermissionCmd.Flags().StringVar(&permissionResource, "resource", "", "Resource for the permission") + grantPermissionCmd.Flags().StringVar(&permissionAction, "action", "", "Action for the permission") + if err := grantPermissionCmd.MarkFlagRequired("role"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking role flag as required: %v\n", err) + } + if err := grantPermissionCmd.MarkFlagRequired("resource"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking resource flag as required: %v\n", err) + } + if err := 
grantPermissionCmd.MarkFlagRequired("action"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking action flag as required: %v\n", err) + } + + revokePermissionCmd.Flags().StringVar(&permissionRole, "role", "", "Name of the role to revoke the permission from") + revokePermissionCmd.Flags().StringVar(&permissionResource, "resource", "", "Resource for the permission") + revokePermissionCmd.Flags().StringVar(&permissionAction, "action", "", "Action for the permission") + if err := revokePermissionCmd.MarkFlagRequired("role"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking role flag as required: %v\n", err) + } + if err := revokePermissionCmd.MarkFlagRequired("resource"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking resource flag as required: %v\n", err) + } + if err := revokePermissionCmd.MarkFlagRequired("action"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking action flag as required: %v\n", err) + } +} + +func listPermissions() { + dbPath := viper.GetString("db") + logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags) + + db, err := sql.Open("sqlite3", dbPath) + if err != nil { + logger.Fatalf("Failed to open database: %v", err) + } + defer db.Close() + + rows, err := db.Query("SELECT id, resource, action, description FROM permissions ORDER BY resource, action") + if err != nil { + logger.Fatalf("Failed to query permissions: %v", err) + } + defer rows.Close() + + fmt.Printf("%-24s %-20s %-15s %-30s\n", "ID", "RESOURCE", "ACTION", "DESCRIPTION") + fmt.Println(strings.Repeat("-", 90)) + for rows.Next() { + var id, resource, action, description string + if err := rows.Scan(&id, &resource, &action, &description); err != nil { + logger.Fatalf("Failed to scan permission row: %v", err) + } + fmt.Printf("%-24s %-20s %-15s %-30s\n", id, resource, action, description) + } + + if err := rows.Err(); err != nil { + logger.Fatalf("Error iterating permission rows: %v", err) + } +} + +func grantPermission() { + dbPath := viper.GetString("db") + logger := 
log.New(os.Stdout, "MCIAS: ", log.LstdFlags) + + db, err := sql.Open("sqlite3", dbPath) + if err != nil { + logger.Fatalf("Failed to open database: %v", err) + } + defer db.Close() + + // Get role ID + var roleID string + err = db.QueryRow("SELECT id FROM roles WHERE role = ?", permissionRole).Scan(&roleID) + if err != nil { + if err == sql.ErrNoRows { + logger.Fatalf("Role %s not found", permissionRole) + } + logger.Fatalf("Failed to get role ID: %v", err) + } + + // Get permission ID + var permissionID string + err = db.QueryRow("SELECT id FROM permissions WHERE resource = ? AND action = ?", + permissionResource, permissionAction).Scan(&permissionID) + if err != nil { + if err == sql.ErrNoRows { + logger.Fatalf("Permission with resource '%s' and action '%s' not found", + permissionResource, permissionAction) + } + logger.Fatalf("Failed to get permission ID: %v", err) + } + + // Check if role already has this permission + var count int + err = db.QueryRow("SELECT COUNT(*) FROM role_permissions WHERE rid = ? 
AND pid = ?", + roleID, permissionID).Scan(&count) + if err != nil { + logger.Fatalf("Failed to check if role has permission: %v", err) + } + if count > 0 { + logger.Fatalf("Role %s already has permission %s:%s", + permissionRole, permissionResource, permissionAction) + } + + // Generate a new ID for the role-permission relationship + id := ulid.Make().String() + + // Grant permission to role + _, err = db.Exec("INSERT INTO role_permissions (id, rid, pid) VALUES (?, ?, ?)", + id, roleID, permissionID) + if err != nil { + logger.Fatalf("Failed to grant permission: %v", err) + } + + fmt.Printf("Permission %s:%s granted to role %s successfully\n", + permissionResource, permissionAction, permissionRole) +} + +func revokePermission() { + dbPath := viper.GetString("db") + logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags) + + db, err := sql.Open("sqlite3", dbPath) + if err != nil { + logger.Fatalf("Failed to open database: %v", err) + } + defer db.Close() + + // Get role ID + var roleID string + err = db.QueryRow("SELECT id FROM roles WHERE role = ?", permissionRole).Scan(&roleID) + if err != nil { + if err == sql.ErrNoRows { + logger.Fatalf("Role %s not found", permissionRole) + } + logger.Fatalf("Failed to get role ID: %v", err) + } + + // Get permission ID + var permissionID string + err = db.QueryRow("SELECT id FROM permissions WHERE resource = ? AND action = ?", + permissionResource, permissionAction).Scan(&permissionID) + if err != nil { + if err == sql.ErrNoRows { + logger.Fatalf("Permission with resource '%s' and action '%s' not found", + permissionResource, permissionAction) + } + logger.Fatalf("Failed to get permission ID: %v", err) + } + + // Check if role has this permission + var count int + err = db.QueryRow("SELECT COUNT(*) FROM role_permissions WHERE rid = ? 
AND pid = ?", + roleID, permissionID).Scan(&count) + if err != nil { + logger.Fatalf("Failed to check if role has permission: %v", err) + } + if count == 0 { + logger.Fatalf("Role %s does not have permission %s:%s", + permissionRole, permissionResource, permissionAction) + } + + // Revoke permission from role + _, err = db.Exec("DELETE FROM role_permissions WHERE rid = ? AND pid = ?", roleID, permissionID) + if err != nil { + logger.Fatalf("Failed to revoke permission: %v", err) + } + + fmt.Printf("Permission %s:%s revoked from role %s successfully\n", + permissionResource, permissionAction, permissionRole) +} \ No newline at end of file diff --git a/cmd/mcias/role.go b/cmd/mcias/role.go new file mode 100644 index 0000000..696b4f7 --- /dev/null +++ b/cmd/mcias/role.go 
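Review bot: grantPermission and revokePermission reimplement what `data.AuthorizationService.GrantPermissionToRole`/`RevokePermissionFromRole` already do in the data/auth.go hunk, with different semantics: the service silently returns nil for a duplicate grant while the CLI calls `logger.Fatalf`, and the CLI calls `ulid.Make()` directly instead of `data.GenerateID()`. Both copies use a SELECT COUNT followed by an INSERT, which is not atomic; unless `role_permissions` has a UNIQUE(rid, pid) constraint two concurrent grants can both succeed, so the CLI should call the service and the service should lean on a constraint or `INSERT ... ON CONFLICT DO NOTHING`. Every error path uses `logger.Fatalf`, which exits the process and skips the deferred `db.Close()`/`rows.Close()`; returning an error from a cobra `RunE` and exiting in main keeps the defers honest, and `errors.Is(err, sql.ErrNoRows)` should replace the `==` comparison. The same applies to addRole/assignRole/revokeRole in the cmd/mcias/role.go hunk. The logger is built on os.Stdout, so failure messages interleave with the table printed by listPermissions; os.Stderr is the conventional target.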
@@ -0,0 +1,255 @@ +package main + +import ( + "database/sql" + "fmt" + "log" + "os" + "strings" + + "github.com/oklog/ulid/v2" + "github.com/spf13/cobra" + "github.com/spf13/viper" +) + +var ( + roleName string + roleUser string +) + +var roleCmd = &cobra.Command{ + Use: "role", + Short: "Manage roles", + Long: `Commands for managing roles in the MCIAS system.`, +} + +var addRoleCmd = &cobra.Command{ + Use: "add", + Short: "Add a new role", + Long: `Add a new role to the MCIAS system.`, + Run: func(cmd *cobra.Command, args []string) { + addRole() + }, +} + +var listRolesCmd = &cobra.Command{ + Use: "list", + Short: "List all roles", + Long: `List all roles in the MCIAS system.`, + Run: func(cmd *cobra.Command, args []string) { + listRoles() + }, +} + +var assignRoleCmd = &cobra.Command{ + Use: "assign", + Short: "Assign a role to a user", + Long: `Assign a role to a user in the MCIAS system.`, + Run: func(cmd *cobra.Command, args []string) { + assignRole() + }, +} + +var revokeRoleCmd = &cobra.Command{ + Use: "revoke", + Short: "Revoke a role from a user", + Long: `Revoke a role from a user in the MCIAS system.`, + Run: func(cmd *cobra.Command, args []string) { + revokeRole() + }, +} + +func init() { + rootCmd.AddCommand(roleCmd) + roleCmd.AddCommand(addRoleCmd) + roleCmd.AddCommand(listRolesCmd) + roleCmd.AddCommand(assignRoleCmd) + roleCmd.AddCommand(revokeRoleCmd) + + addRoleCmd.Flags().StringVar(&roleName, "name", "", "Name of the role") + if err := addRoleCmd.MarkFlagRequired("name"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking name flag as required: %v\n", err) + } + + assignRoleCmd.Flags().StringVar(&roleUser, "user", "", "Username to assign the role to") + assignRoleCmd.Flags().StringVar(&roleName, "role", "", "Name of the role to assign") + if err := assignRoleCmd.MarkFlagRequired("user"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking user flag as required: %v\n", err) + } + if err := assignRoleCmd.MarkFlagRequired("role"); err != nil { + 
fmt.Fprintf(os.Stderr, "Error marking role flag as required: %v\n", err) + } + + revokeRoleCmd.Flags().StringVar(&roleUser, "user", "", "Username to revoke the role from") + revokeRoleCmd.Flags().StringVar(&roleName, "role", "", "Name of the role to revoke") + if err := revokeRoleCmd.MarkFlagRequired("user"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking user flag as required: %v\n", err) + } + if err := revokeRoleCmd.MarkFlagRequired("role"); err != nil { + fmt.Fprintf(os.Stderr, "Error marking role flag as required: %v\n", err) + } +} + +func addRole() { + dbPath := viper.GetString("db") + logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags) + + db, err := sql.Open("sqlite3", dbPath) + if err != nil { + logger.Fatalf("Failed to open database: %v", err) + } + defer db.Close() + + // Check if role already exists + var count int + err = db.QueryRow("SELECT COUNT(*) FROM roles WHERE role = ?", roleName).Scan(&count) + if err != nil { + logger.Fatalf("Failed to check if role exists: %v", err) + } + if count > 0 { + logger.Fatalf("Role %s already exists", roleName) + } + + // Generate a new ID for the role + id := ulid.Make().String() + + // Insert the new role + _, err = db.Exec("INSERT INTO roles (id, role) VALUES (?, ?)", id, roleName) + if err != nil { + logger.Fatalf("Failed to insert role: %v", err) + } + + fmt.Printf("Role %s added successfully with ID %s\n", roleName, id) +} + +func listRoles() { + dbPath := viper.GetString("db") + logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags) + + db, err := sql.Open("sqlite3", dbPath) + if err != nil { + logger.Fatalf("Failed to open database: %v", err) + } + defer db.Close() + + rows, err := db.Query("SELECT id, role FROM roles ORDER BY role") + if err != nil { + logger.Fatalf("Failed to query roles: %v", err) + } + defer rows.Close() + + fmt.Printf("%-24s %-30s\n", "ID", "ROLE") + fmt.Println(strings.Repeat("-", 55)) + for rows.Next() { + var id, role string + if err := rows.Scan(&id, &role); err != nil { + 
logger.Fatalf("Failed to scan role row: %v", err) + } + fmt.Printf("%-24s %-30s\n", id, role) + } + + if err := rows.Err(); err != nil { + logger.Fatalf("Error iterating role rows: %v", err) + } +} + +func assignRole() { + dbPath := viper.GetString("db") + logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags) + + db, err := sql.Open("sqlite3", dbPath) + if err != nil { + logger.Fatalf("Failed to open database: %v", err) + } + defer db.Close() + + // Get user ID + var userID string + err = db.QueryRow("SELECT id FROM users WHERE user = ?", roleUser).Scan(&userID) + if err != nil { + if err == sql.ErrNoRows { + logger.Fatalf("User %s not found", roleUser) + } + logger.Fatalf("Failed to get user ID: %v", err) + } + + // Get role ID + var roleID string + err = db.QueryRow("SELECT id FROM roles WHERE role = ?", roleName).Scan(&roleID) + if err != nil { + if err == sql.ErrNoRows { + logger.Fatalf("Role %s not found", roleName) + } + logger.Fatalf("Failed to get role ID: %v", err) + } + + // Check if user already has this role + var count int + err = db.QueryRow("SELECT COUNT(*) FROM user_roles WHERE uid = ? 
AND rid = ?", userID, roleID).Scan(&count) + if err != nil { + logger.Fatalf("Failed to check if user has role: %v", err) + } + if count > 0 { + logger.Fatalf("User %s already has role %s", roleUser, roleName) + } + + // Generate a new ID for the user-role relationship + id := ulid.Make().String() + + // Assign role to user + _, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", id, userID, roleID) + if err != nil { + logger.Fatalf("Failed to assign role: %v", err) + } + + fmt.Printf("Role %s assigned to user %s successfully\n", roleName, roleUser) +} + +func revokeRole() { + dbPath := viper.GetString("db") + logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags) + + db, err := sql.Open("sqlite3", dbPath) + if err != nil { + logger.Fatalf("Failed to open database: %v", err) + } + defer db.Close() + + // Get user ID + var userID string + err = db.QueryRow("SELECT id FROM users WHERE user = ?", roleUser).Scan(&userID) + if err != nil { + if err == sql.ErrNoRows { + logger.Fatalf("User %s not found", roleUser) + } + logger.Fatalf("Failed to get user ID: %v", err) + } + + // Get role ID + var roleID string + err = db.QueryRow("SELECT id FROM roles WHERE role = ?", roleName).Scan(&roleID) + if err != nil { + if err == sql.ErrNoRows { + logger.Fatalf("Role %s not found", roleName) + } + logger.Fatalf("Failed to get role ID: %v", err) + } + + // Check if user has this role + var count int + err = db.QueryRow("SELECT COUNT(*) FROM user_roles WHERE uid = ? AND rid = ?", userID, roleID).Scan(&count) + if err != nil { + logger.Fatalf("Failed to check if user has role: %v", err) + } + if count == 0 { + logger.Fatalf("User %s does not have role %s", roleUser, roleName) + } + + // Revoke role from user + _, err = db.Exec("DELETE FROM user_roles WHERE uid = ? 
AND rid = ?", userID, roleID)
+ if err != nil {
+ logger.Fatalf("Failed to revoke role: %v", err)
+ }
+
+ fmt.Printf("Role %s revoked from user %s successfully\n", roleName, roleUser)
+}
\ No newline at end of file
diff --git a/data/auth.go b/data/auth.go
new file mode 100644
index 0000000..686c686
--- /dev/null
+++ b/data/auth.go
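Review bot: addRole does not validate roleName before inserting it: MarkFlagRequired only checks that `--name` was passed, not that it is non-empty, so `--name ""` or a whitespace-only name survives the required-flag check and the `COUNT(*)` existence test and lands in `roles`. Add `if strings.TrimSpace(roleName) == "" { logger.Fatalf("Role name must not be empty") }` before the existence query (strings is already imported in this file), and consider the same guard on the `--role`/`--user` flags of assignRole and revokeRole. assignRole and revokeRole change who holds a role in an identity service, yet the only record is the success `fmt.Printf`; the doc comment on each should say that no audit entry is written, or the operation should log who was granted or revoked what.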
@@ -0,0 +1,174 @@ +package data + +import ( + "database/sql" + "fmt" + + "github.com/oklog/ulid/v2" +) + +// Permission represents a system permission +type Permission struct { + ID string + Resource string + Action string + Description string +} + +// AuthorizationService provides methods for checking user permissions +type AuthorizationService struct { + db *sql.DB +} + +// NewAuthorizationService creates a new authorization service +func NewAuthorizationService(db *sql.DB) *AuthorizationService { + return &AuthorizationService{db: db} +} + +// UserHasPermission checks if a user has a specific permission for a resource and action +func (a *AuthorizationService) UserHasPermission(userID, resource, action string) (bool, error) { + query := ` + SELECT COUNT(*) FROM permissions p + JOIN role_permissions rp ON p.id = rp.pid + JOIN user_roles ur ON rp.rid = ur.rid + WHERE ur.uid = ? AND p.resource = ? AND p.action = ? + ` + + var count int + err := a.db.QueryRow(query, userID, resource, action).Scan(&count) + if err != nil { + return false, fmt.Errorf("failed to check user permission: %w", err) + } + + return count > 0, nil +} + +// GetUserPermissions returns all permissions for a user based on their roles +func (a *AuthorizationService) GetUserPermissions(userID string) ([]Permission, error) { + query := ` + SELECT DISTINCT p.id, p.resource, p.action, p.description FROM permissions p + JOIN role_permissions rp ON p.id = rp.pid + JOIN user_roles ur ON rp.rid = ur.rid + WHERE ur.uid = ? 
+ ` + + rows, err := a.db.Query(query, userID) + if err != nil { + return nil, fmt.Errorf("failed to get user permissions: %w", err) + } + defer rows.Close() + + var permissions []Permission + for rows.Next() { + var perm Permission + if err := rows.Scan(&perm.ID, &perm.Resource, &perm.Action, &perm.Description); err != nil { + return nil, fmt.Errorf("failed to scan permission: %w", err) + } + permissions = append(permissions, perm) + } + + if err := rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating permissions: %w", err) + } + + return permissions, nil +} + +// GetRolePermissions returns all permissions for a specific role +func (a *AuthorizationService) GetRolePermissions(roleID string) ([]Permission, error) { + query := ` + SELECT p.id, p.resource, p.action, p.description FROM permissions p + JOIN role_permissions rp ON p.id = rp.pid + WHERE rp.rid = ? + ` + + rows, err := a.db.Query(query, roleID) + if err != nil { + return nil, fmt.Errorf("failed to get role permissions: %w", err) + } + defer rows.Close() + + var permissions []Permission + for rows.Next() { + var perm Permission + if err := rows.Scan(&perm.ID, &perm.Resource, &perm.Action, &perm.Description); err != nil { + return nil, fmt.Errorf("failed to scan permission: %w", err) + } + permissions = append(permissions, perm) + } + + if err := rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating permissions: %w", err) + } + + return permissions, nil +} + +// GrantPermissionToRole grants a permission to a role +func (a *AuthorizationService) GrantPermissionToRole(roleID, permissionID string) error { + // Check if the role-permission relationship already exists + checkQuery := `SELECT COUNT(*) FROM role_permissions WHERE rid = ? 
AND pid = ?` + var count int + err := a.db.QueryRow(checkQuery, roleID, permissionID).Scan(&count) + if err != nil { + return fmt.Errorf("failed to check role permission: %w", err) + } + + if count > 0 { + return nil // Permission already granted + } + + // Generate a new ID for the role-permission relationship + id := GenerateID() + + // Insert the new role-permission relationship + insertQuery := `INSERT INTO role_permissions (id, rid, pid) VALUES (?, ?, ?)` + _, err = a.db.Exec(insertQuery, id, roleID, permissionID) + if err != nil { + return fmt.Errorf("failed to grant permission to role: %w", err) + } + + return nil +} + +// RevokePermissionFromRole revokes a permission from a role +func (a *AuthorizationService) RevokePermissionFromRole(roleID, permissionID string) error { + query := `DELETE FROM role_permissions WHERE rid = ? AND pid = ?` + _, err := a.db.Exec(query, roleID, permissionID) + if err != nil { + return fmt.Errorf("failed to revoke permission from role: %w", err) + } + + return nil +} + +// GetAllPermissions returns all permissions in the system +func (a *AuthorizationService) GetAllPermissions() ([]Permission, error) { + query := `SELECT id, resource, action, description FROM permissions` + + rows, err := a.db.Query(query) + if err != nil { + return nil, fmt.Errorf("failed to get permissions: %w", err) + } + defer rows.Close() + + var permissions []Permission + for rows.Next() { + var perm Permission + if err := rows.Scan(&perm.ID, &perm.Resource, &perm.Action, &perm.Description); err != nil { + return nil, fmt.Errorf("failed to scan permission: %w", err) + } + permissions = append(permissions, perm) + } + + if err := rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating permissions: %w", err) + } + + return permissions, nil +} + +// GenerateID generates a unique ID for database records +func GenerateID() string { + return ulid.Make().String() +} 
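Review bot: RevokePermissionFromRole discards the sql.Result of the DELETE, so revoking a permission the role never had returns nil exactly like a successful revoke; for an authorization change that callers and audit trails need to distinguish, check `RowsAffected()` and return a sentinel when it is zero (the sketch below needs the `errors` import). The UserHasPermission doc comment should state what the query in the hunk actually decides: the answer is derived only from `user_roles` and `role_permissions` and carries no notion of user status or token validity, so callers must authenticate first. GetUserPermissions, GetRolePermissions and GetAllPermissions repeat the same Scan loop and rows.Err handling verbatim; extracting it into one helper removes the duplication and keeps the error wrapping in one place.
```go
// ErrPermissionNotGranted is returned by RevokePermissionFromRole when no row matched.
var ErrPermissionNotGranted = errors.New("permission not granted to role")

// RevokePermissionFromRole revokes a permission from a role; it reports
// ErrPermissionNotGranted when the role did not hold the permission.
func (a *AuthorizationService) RevokePermissionFromRole(roleID, permissionID string) error {
	res, err := a.db.Exec(`DELETE FROM role_permissions WHERE rid = ? AND pid = ?`, roleID, permissionID)
	if err != nil {
		return fmt.Errorf("failed to revoke permission from role: %w", err)
	}
	n, err := res.RowsAffected()
	if err != nil {
		return fmt.Errorf("failed to read revoke result: %w", err)
	}
	if n == 0 {
		return ErrPermissionNotGranted
	}
	return nil
}

// scanPermissions drains rows into a slice; the caller still owns rows.Close().
func scanPermissions(rows *sql.Rows) ([]Permission, error) {
	var permissions []Permission
	for rows.Next() {
		var perm Permission
		if err := rows.Scan(&perm.ID, &perm.Resource, &perm.Action, &perm.Description); err != nil {
			return nil, fmt.Errorf("failed to scan permission: %w", err)
		}
		permissions = append(permissions, perm)
	}
	if err := rows.Err(); err != nil {
		return nil, fmt.Errorf("error iterating permissions: %w", err)
	}
	return permissions, nil
}
// … unchanged: UserHasPermission, GetUserPermissions/GetRolePermissions/GetAllPermissions bodies now `return scanPermissions(rows)` after their Query+defer …
```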
diff --git a/data/auth_test.go b/data/auth_test.go
new file mode 100644
index 0000000..d3263df
--- /dev/null
+++ b/data/auth_test.go
@@ -0,0 +1,223 @@
+package data
+
+import (
+ "database/sql"
+ "os"
+ "testing"
+
+ _ "github.com/mattn/go-sqlite3"
+)
+
+func setupTestDB(t *testing.T) (*sql.DB, func()) {
+ // Create a temporary database for testing
+ db, err := sql.Open("sqlite3", ":memory:")
+ if err != nil {
+ t.Fatalf("Failed to open in-memory database: %v", err)
+ }
+
+ // Read the schema file
+ schemaBytes, err := os.ReadFile("../database/schema.sql")
+ if err != nil {
+ t.Fatalf("Failed to read schema file: %v", err)
+ }
+ schema := string(schemaBytes)
+
+ // Execute the schema
+ _, err = db.Exec(schema)
+ if err != nil {
+ t.Fatalf("Failed to execute schema: %v", err)
+ }
+
+ // Create test data
+ setupTestData(t, db)
+
+ // Return the database and a cleanup function
+ return db, func() {
+ db.Close()
+ }
+}
+
+func setupTestData(t *testing.T, db *sql.DB) {
+ // Create test users
+ _, err := db.Exec(`INSERT INTO users (id, created, user, password, salt) VALUES
+ ('user1', 1622505600, 'testadmin', 'dummy', 'dummy'),
+ ('user2', 1622505600, 'testoperator', 'dummy', 'dummy'),
+ ('user3', 1622505600, 'testuser', 'dummy', 'dummy')`)
+ if err != nil {
+ t.Fatalf("Failed to insert test users: %v", err)
+ }
+
+ // Create test roles (these should already exist from schema.sql)
+ // But we'll check and insert if needed
+ var count int
+ err = db.QueryRow("SELECT COUNT(*) FROM roles WHERE role = 'admin'").Scan(&count)
+ if err != nil {
+ t.Fatalf("Failed to check roles: %v", err)
+ }
+ if count == 0 {
+ _, err = db.Exec(`INSERT INTO roles (id, role) VALUES
+ ('role_admin', 'admin'),
+ ('role_db_operator', 'db_operator'),
+ ('role_user', 'user')`)
+ if err != nil {
+ t.Fatalf("Failed to insert test roles: %v", err)
+ }
+ }
+
+ // Assign roles to users
+ _, err = db.Exec(`INSERT INTO user_roles (id, uid, rid) VALUES
+ ('ur1', 'user1', 'role_admin'),
+ ('ur2', 'user2', 'role_db_operator'),
+ ('ur3', 'user3', 'role_user')`)
+ if err != nil {
+ t.Fatalf("Failed to assign roles to users: %v", err)
+ }
+}
+
+func TestUserHasPermission(t *testing.T) {
+ db, cleanup := setupTestDB(t)
+ defer cleanup()
+
+ authService := NewAuthorizationService(db)
+
+ tests := []struct {
+ name string
+ userID string
+ resource string
+ action string
+ want bool
+ }{
+ {
+ name: "Admin has database read permission",
+ userID: "user1",
+ resource: "database_credentials",
+ action: "read",
+ want: true,
+ },
+ {
+ name: "Admin has database write permission",
+ userID: "user1",
+ resource: "database_credentials",
+ action: "write",
+ want: true,
+ },
+ {
+ name: "DB Operator has database read permission",
+ userID: "user2",
+ resource: "database_credentials",
+ action: "read",
+ want: true,
+ },
+ {
+ name: "DB Operator does not have database write permission",
+ userID: "user2",
+ resource: "database_credentials",
+ action: "write",
+ want: false,
+ },
+ {
+ name: "Regular user does not have database read permission",
+ userID: "user3",
+ resource: "database_credentials",
+ action: "read",
+ want: false,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := authService.UserHasPermission(tt.userID, tt.resource, tt.action)
+ if err != nil {
+ t.Errorf("AuthorizationService.UserHasPermission() error = %v", err)
+ return
+ }
+ if got != tt.want {
+ t.Errorf("AuthorizationService.UserHasPermission() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
+
+func TestGetUserPermissions(t *testing.T) {
+ db, cleanup := setupTestDB(t)
+ defer cleanup()
+
+ authService := NewAuthorizationService(db)
+
+ t.Run("Admin has all permissions", func(t *testing.T) {
+ permissions, err := authService.GetUserPermissions("user1")
+ if err != nil {
+ t.Errorf("AuthorizationService.GetUserPermissions() error = %v", err)
+ return
+ }
+
+ // Admin should have 4 permissions
+ if len(permissions) != 4 {
+ t.Errorf("Admin should have 4 permissions, got %d", len(permissions))
+ }
+
+ // Check for specific permissions
+ hasDBRead := false
+ hasDBWrite := false
+ for _, p := range permissions {
+ if p.Resource == "database_credentials" && p.Action == "read" {
+ hasDBRead = true
+ }
+ if p.Resource == "database_credentials" && p.Action == "write" {
+ hasDBWrite = true
+ }
+ }
+
+ if !hasDBRead {
+ t.Errorf("Admin should have database_credentials:read permission")
+ }
+ if !hasDBWrite {
+ t.Errorf("Admin should have database_credentials:write permission")
+ }
+ })
+
+ t.Run("DB Operator has limited permissions", func(t *testing.T) {
+ permissions, err := authService.GetUserPermissions("user2")
+ if err != nil {
+ t.Errorf("AuthorizationService.GetUserPermissions() error = %v", err)
+ return
+ }
+
+ // DB Operator should have 1 permission
+ if len(permissions) != 1 {
+ t.Errorf("DB Operator should have 1 permission, got %d", len(permissions))
+ }
+
+ // Check for specific permissions
+ hasDBRead := false
+ hasDBWrite := false
+ for _, p := range permissions {
+ if p.Resource == "database_credentials" && p.Action == "read" {
+ hasDBRead = true
+ }
+ if p.Resource == "database_credentials" && p.Action == "write" {
+ hasDBWrite = true
+ }
+ }
+
+ if !hasDBRead {
+ t.Errorf("DB Operator should have database_credentials:read permission")
+ }
+ if hasDBWrite {
+ t.Errorf("DB Operator should not have database_credentials:write permission")
+ }
+ })
+
+ t.Run("Regular user has no permissions", func(t *testing.T) {
+ permissions, err := authService.GetUserPermissions("user3")
+ if err != nil {
+ t.Errorf("AuthorizationService.GetUserPermissions() error = %v", err)
+ return
+ }
+
+ // Regular user should have 0 permissions
+ if len(permissions) != 0 {
+ t.Errorf("Regular user should have 0 permissions, got %d", len(permissions))
+ }
+ })
+}
\ No newline at end of file
diff --git a/data/user.go b/data/user.go
index b5ea0d2..c1aa61a 100644
--- a/data/user.go
+++ b/data/user.go
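Review bot: setupTestDB opens `sql.Open("sqlite3", ":memory:")` and then loads the schema and fixtures through database/sql's connection pool, but every new pooled connection to `:memory:` is its own empty database, so any test that is handed a second connection (for example while a Rows from an earlier query is still open) will see no tables and fail intermittently. Pin the pool to a single connection right after the open, `db.SetMaxOpenConns(1)`, or open `file::memory:?cache=shared` instead. The permission tests also only exercise the three seeded users; a case with an unknown user ID that expects `false` from UserHasPermission and an empty result from GetUserPermissions would pin down the behaviour for unknown principals (denied, not an error), which is the path the handler in api/auth.go relies on.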
@@ -25,6 +25,26 @@ type User struct {
 Roles []string
 }
 
+// HasRole checks if the user has a specific role
+func (u *User) HasRole(role string) bool {
+ for _, r := range u.Roles {
+ if r == role {
+ return true
+ }
+ }
+ return false
+}
+
+// HasPermission checks if the user has a specific permission using the authorization service
+func (u *User) HasPermission(authService *AuthorizationService, resource, action string) (bool, error) {
+ return authService.UserHasPermission(u.ID, resource, action)
+}
+
+// GetPermissions returns all permissions for the user using the authorization service
+func (u *User) GetPermissions(authService *AuthorizationService) ([]Permission, error) {
+ return authService.GetUserPermissions(u.ID)
+}
+
 type Login struct {
 User string `json:"user"`
 Password string `json:"password,omitzero"`
diff --git a/database/schema.sql b/database/schema.sql
index 8f78467..790a80f 100644
--- a/database/schema.sql
+++ b/database/schema.sql
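Review bot: HasPermission and GetPermissions call through authService without a nil check, so a caller passing a nil *AuthorizationService (api/auth.go passes `s.Auth`, and nothing visible here guarantees it is set) presumably panics when the service reaches its db handle rather than returning an error. Because this is the authorization gate in front of database credentials, a missing service should fail closed with an explicit error: `if authService == nil { return false, errors.New("authorization service not configured") }` at the top of HasPermission, and the matching `return nil, errors.New(...)` in GetPermissions (importing `errors` if user.go does not already). HasRole could be written as `return slices.Contains(u.Roles, role)` if the module targets Go 1.21 or later.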
@@ -39,4 +39,45 @@ CREATE TABLE user_roles (
 rid text not null,
 FOREIGN KEY(uid) REFERENCES user(id),
 FOREIGN KEY(rid) REFERENCES roles(id)
-);
\ No newline at end of file
+);
+
+-- Add permissions table
+CREATE TABLE permissions (
+ id TEXT PRIMARY KEY,
+ resource TEXT NOT NULL,
+ action TEXT NOT NULL,
+ description TEXT
+);
+
+-- Link roles to permissions
+CREATE TABLE role_permissions (
+ id TEXT PRIMARY KEY,
+ rid TEXT NOT NULL,
+ pid TEXT NOT NULL,
+ FOREIGN KEY(rid) REFERENCES roles(id),
+ FOREIGN KEY(pid) REFERENCES permissions(id)
+);
+
+-- Add default permissions
+INSERT INTO permissions (id, resource, action, description) VALUES
+ ('perm_db_read', 'database_credentials', 'read', 'Read database credentials'),
+ ('perm_db_write', 'database_credentials', 'write', 'Modify database credentials'),
+ ('perm_user_manage', 'users', 'manage', 'Manage user accounts'),
+ ('perm_token_manage', 'tokens', 'manage', 'Manage authentication tokens');
+
+-- Add default roles
+INSERT INTO roles (id, role) VALUES
+ ('role_admin', 'admin'),
+ ('role_db_operator', 'db_operator'),
+ ('role_user', 'user');
+
+-- Grant permissions to admin role
+INSERT INTO role_permissions (id, rid, pid) VALUES
+ ('rp_admin_db_read', 'role_admin', 'perm_db_read'),
+ ('rp_admin_db_write', 'role_admin', 'perm_db_write'),
+ ('rp_admin_user_manage', 'role_admin', 'perm_user_manage'),
+ ('rp_admin_token_manage', 'role_admin', 'perm_token_manage');
+
+-- Grant database access to db_operator role
+INSERT INTO role_permissions (id, rid, pid) VALUES
+ ('rp_dbop_db_read', 'role_db_operator', 'perm_db_read');
diff --git a/main.go b/main.go
deleted file mode 100644
index 2dbc829..0000000
--- a/main.go
+++ /dev/null
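Review bot: role_permissions has no uniqueness constraint on (rid, pid) and permissions has none on (resource, action), so nothing in the schema prevents a role from holding duplicate grants or two permission rows from describing the same resource/action; the check-then-insert in GrantPermissionToRole in data/auth.go is not atomic, so duplicates can still arrive under concurrent grants. Add `UNIQUE(rid, pid)` to role_permissions and `UNIQUE(resource, action)` to permissions so the database enforces the invariant and the grant can rely on the constraint instead of the prior SELECT. The new tables and seed rows exist only in schema.sql, so a deployment created from the old schema gets no migration; presumably the new permission lookup in handleDatabaseCredentials then errors for every user, which is at least fail-closed, but the change description should say how existing databases are upgraded.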
@@ -1,20 +0,0 @@
-package main
-
-import (
- "fmt"
- "os"
- "os/exec"
-)
-
-func main() {
- cmd := exec.Command("go", "run", "cmd/mcias/main.go")
-
- cmd.Stdin = os.Stdin
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
-
- if err := cmd.Run(); err != nil {
- fmt.Fprintf(os.Stderr, "Error running mcias command: %v\n", err)
- os.Exit(1)
- }
-}