Junie: fix token authentication

2025-06-06 11:26:42 -07:00
parent c6e109e99f
commit 13d009bf4f
11 changed files with 1146 additions and 49 deletions
--- a/api/auth.go
+++ b/api/auth.go
@@ -91,15 +91,17 @@ func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	userID, err := s.verifyToken(req.Login.User, req.Login.Token)
+	// Verify the token is valid
+	_, err := s.verifyToken(req.Login.User, req.Login.Token)
 	if err != nil {
 		s.sendError(w, "Invalid or expired token", http.StatusUnauthorized)
 		return
 	}

-	token, expires, err := s.createToken(userID)
+	// Renew the existing token instead of creating a new one
+	expires, err := s.renewToken(req.Login.User, req.Login.Token)
 	if err != nil {
-		s.Logger.Printf("Token creation error: %v", err)
+		s.Logger.Printf("Token renewal error: %v", err)
 		s.sendError(w, "Internal server error", http.StatusInternalServerError)
 		return
 	}
@@ -107,7 +109,7 @@ func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
 	if err := json.NewEncoder(w).Encode(TokenResponse{
-		Token:   token,
+		Token:   req.Login.Token,
 		Expires: expires,
 	}); err != nil {
 		s.Logger.Printf("Error encoding response: %v", err)
@@ -190,6 +192,30 @@ func (s *Server) verifyToken(username, token string) (string, error) {
 	return userID, nil
 }

+func (s *Server) renewToken(username, token string) (int64, error) {
+	// First, verify the token exists and get the token ID
+	query := `
+		SELECT t.id FROM tokens t
+		JOIN users u ON t.uid = u.id
+		WHERE u.user = ? AND t.token = ?
+	`
+	var tokenID string
+	err := s.DB.QueryRow(query, username, token).Scan(&tokenID)
+	if err != nil {
+		return 0, err
+	}
+
+	// Update the token's expiry time
+	expires := time.Now().Add(24 * time.Hour).Unix()
+	updateQuery := `UPDATE tokens SET expires = ? WHERE id = ?`
+	_, err = s.DB.Exec(updateQuery, expires, tokenID)
+	if err != nil {
+		return 0, err
+	}
+
+	return expires, nil
+}
+
 func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Request) {
 	// Extract authorization header
 	authHeader := r.Header.Get("Authorization")
@@ -219,7 +245,7 @@ func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Reques
 		return
 	}

-	// Check if user has admin role
+	// Check if user has permission to read database credentials
 	user, err := s.getUserByUsername(username)
 	if err != nil {
 		s.Logger.Printf("Database error: %v", err)
@@ -227,16 +253,15 @@ func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Reques
 		return
 	}

-	hasAdminRole := false
-	for _, role := range user.Roles {
-		if role == "admin" {
-			hasAdminRole = true
-			break
-		}
+	hasPermission, err := user.HasPermission(s.Auth, "database_credentials", "read")
+	if err != nil {
+		s.Logger.Printf("Permission check error: %v", err)
+		s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		return
 	}

-	if !hasAdminRole {
-		s.sendError(w, "Insufficient permissions", http.StatusForbidden)
+	if !hasPermission {
+		s.sendError(w, "Insufficient permissions: requires database_credentials:read permission", http.StatusForbidden)
 		return
 	}

--- a/api/auth_test.go
+++ b/api/auth_test.go
@@ -21,7 +21,7 @@ func setupTestDB(t *testing.T) *sql.DB {
 		t.Fatalf("Failed to open test database: %v", err)
 	}

-	schema, err := os.ReadFile("../schema.sql")
+	schema, err := os.ReadFile("../database/schema.sql")
 	if err != nil {
 		t.Fatalf("Failed to read schema: %v", err)
 	}
@@ -109,11 +109,11 @@ func TestTokenLogin(t *testing.T) {
 	server := NewServer(db, logger)

 	token := "testtoken123456"
-	expires := time.Now().Add(24 * time.Hour).Unix()
+	initialExpires := time.Now().Add(1 * time.Hour).Unix() // Set initial expiry to 1 hour from now

 	tokenID := "token123"
 	query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
-	_, err := db.Exec(query, tokenID, user.ID, token, expires)
+	_, err := db.Exec(query, tokenID, user.ID, token, initialExpires)
 	if err != nil {
 		t.Fatalf("Failed to insert test token: %v", err)
 	}
@@ -146,14 +146,31 @@ func TestTokenLogin(t *testing.T) {
 		t.Fatalf("Failed to decode response: %v", err)
 	}

-	if response.Token == "" {
-		t.Error("Expected token in response, got empty string")
+	// Verify that the same token is returned
+	if response.Token != token {
+		t.Errorf("Expected the same token '%s', got '%s'", token, response.Token)
+	}
+
+	// Verify that the expiry has been renewed (should be later than the initial expiry)
+	if response.Expires <= initialExpires {
+		t.Errorf("Expected renewed expiry to be later than initial expiry %d, got %d", initialExpires, response.Expires)
 	}

 	now := time.Now().Unix()
 	if response.Expires <= now {
 		t.Errorf("Expected token expiration in the future, got %d (now: %d)", response.Expires, now)
 	}
+
+	// Verify that the token in the database has been updated
+	var dbExpires int64
+	err = db.QueryRow("SELECT expires FROM tokens WHERE id = ?", tokenID).Scan(&dbExpires)
+	if err != nil {
+		t.Fatalf("Failed to query token from database: %v", err)
+	}
+
+	if dbExpires != response.Expires {
+		t.Errorf("Database expiry %d does not match response expiry %d", dbExpires, response.Expires)
+	}
 }

 func TestInvalidPasswordLogin(t *testing.T) {
@@ -225,11 +242,11 @@ func TestInvalidTokenLogin(t *testing.T) {
 func createTestAdminUser(t *testing.T, db *sql.DB) *data.User {
 	user := createTestUser(t, db)

-	// Add admin role
-	roleID := "role123"
-	_, err := db.Exec("INSERT INTO roles (id, role) VALUES (?, ?)", roleID, "admin")
+	// Use the existing admin role from schema.sql
+	var roleID string
+	err := db.QueryRow("SELECT id FROM roles WHERE role = 'admin'").Scan(&roleID)
 	if err != nil {
-		t.Fatalf("Failed to insert admin role: %v", err)
+		t.Fatalf("Failed to get admin role ID: %v", err)
 	}

 	// Assign admin role to user
@@ -243,6 +260,42 @@ func createTestAdminUser(t *testing.T, db *sql.DB) *data.User {
 	return user
 }

+func createTestDBOperatorUser(t *testing.T, db *sql.DB) *data.User {
+	// Create a new user
+	user := &data.User{}
+	login := &data.Login{
+		User:     "dboperator",
+		Password: "testpassword",
+	}
+
+	if err := user.Register(login); err != nil {
+		t.Fatalf("Failed to register test user: %v", err)
+	}
+
+	query := `INSERT INTO users (id, created, user, password, salt) VALUES (?, ?, ?, ?, ?)`
+	_, err := db.Exec(query, user.ID, user.Created, user.User, user.Password, user.Salt)
+	if err != nil {
+		t.Fatalf("Failed to insert test user: %v", err)
+	}
+
+	// Use the existing db_operator role from schema.sql
+	var roleID string
+	err = db.QueryRow("SELECT id FROM roles WHERE role = 'db_operator'").Scan(&roleID)
+	if err != nil {
+		t.Fatalf("Failed to get db_operator role ID: %v", err)
+	}
+
+	// Assign db_operator role to user
+	userRoleID := "ur456"
+	_, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", userRoleID, user.ID, roleID)
+	if err != nil {
+		t.Fatalf("Failed to assign db_operator role to user: %v", err)
+	}
+
+	user.Roles = []string{"db_operator"}
+	return user
+}
+
 func insertTestDatabaseCredentials(t *testing.T, db *sql.DB) {
 	query := `INSERT INTO database (id, host, port, name, user, password) 
 			  VALUES (?, ?, ?, ?, ?, ?)`
@@ -252,7 +305,7 @@ func insertTestDatabaseCredentials(t *testing.T, db *sql.DB) {
 	}
 }

-func TestDatabaseCredentials(t *testing.T) {
+func TestDatabaseCredentialsAdmin(t *testing.T) {
 	db := setupTestDB(t)
 	defer db.Close()

@@ -304,20 +357,20 @@ func TestDatabaseCredentials(t *testing.T) {
 	}
 }

-func TestDatabaseCredentialsUnauthorized(t *testing.T) {
+func TestDatabaseCredentialsDBOperator(t *testing.T) {
 	db := setupTestDB(t)
 	defer db.Close()

-	user := createTestUser(t, db)  // Regular user without admin role
+	user := createTestDBOperatorUser(t, db)
 	insertTestDatabaseCredentials(t, db)

 	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
 	server := NewServer(db, logger)

-	token := "testtoken123456"
+	token := "dboptoken123456"
 	expires := time.Now().Add(24 * time.Hour).Unix()

-	tokenID := "token123"
+	tokenID := "token456"
 	query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
 	_, err := db.Exec(query, tokenID, user.ID, token, expires)
 	if err != nil {
@@ -330,7 +383,100 @@ func TestDatabaseCredentialsUnauthorized(t *testing.T) {
 	recorder := httptest.NewRecorder()
 	server.handleDatabaseCredentials(recorder, req)

+	if recorder.Code != http.StatusOK {
+		t.Errorf("Expected status code %d, got %d", http.StatusOK, recorder.Code)
+	}
+
+	var response DatabaseCredentials
+	if err := json.NewDecoder(recorder.Body).Decode(&response); err != nil {
+		t.Fatalf("Failed to decode response: %v", err)
+	}
+
+	if response.Host != "localhost" {
+		t.Errorf("Expected host 'localhost', got '%s'", response.Host)
+	}
+	if response.Port != 5432 {
+		t.Errorf("Expected port 5432, got %d", response.Port)
+	}
+	if response.Name != "testdb" {
+		t.Errorf("Expected database name 'testdb', got '%s'", response.Name)
+	}
+	if response.User != "postgres" {
+		t.Errorf("Expected user 'postgres', got '%s'", response.User)
+	}
+	if response.Password != "securepassword" {
+		t.Errorf("Expected password 'securepassword', got '%s'", response.Password)
+	}
+}
+
+func TestDatabaseCredentialsUnauthorized(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+
+	// Create a regular user with the 'user' role
+	user := &data.User{}
+	login := &data.Login{
+		User:     "regularuser",
+		Password: "testpassword",
+	}
+
+	if err := user.Register(login); err != nil {
+		t.Fatalf("Failed to register test user: %v", err)
+	}
+
+	query := `INSERT INTO users (id, created, user, password, salt) VALUES (?, ?, ?, ?, ?)`
+	_, err := db.Exec(query, user.ID, user.Created, user.User, user.Password, user.Salt)
+	if err != nil {
+		t.Fatalf("Failed to insert test user: %v", err)
+	}
+
+	// Use the existing user role from schema.sql
+	var roleID string
+	err = db.QueryRow("SELECT id FROM roles WHERE role = 'user'").Scan(&roleID)
+	if err != nil {
+		t.Fatalf("Failed to get user role ID: %v", err)
+	}
+
+	// Assign user role to user
+	userRoleID := "ur789"
+	_, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", userRoleID, user.ID, roleID)
+	if err != nil {
+		t.Fatalf("Failed to assign user role to user: %v", err)
+	}
+
+	insertTestDatabaseCredentials(t, db)
+
+	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
+	server := NewServer(db, logger)
+
+	token := "usertoken123456"
+	expires := time.Now().Add(24 * time.Hour).Unix()
+
+	tokenID := "token789"
+	tokenQuery := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
+	_, err = db.Exec(tokenQuery, tokenID, user.ID, token, expires)
+	if err != nil {
+		t.Fatalf("Failed to insert test token: %v", err)
+	}
+
+	req := httptest.NewRequest("GET", "/v1/database/credentials?username="+user.User, nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+
+	recorder := httptest.NewRecorder()
+	server.handleDatabaseCredentials(recorder, req)
+
 	if recorder.Code != http.StatusForbidden {
 		t.Errorf("Expected status code %d, got %d", http.StatusForbidden, recorder.Code)
 	}
+
+	// Check that the error message mentions the required permission
+	var errResp ErrorResponse
+	if err := json.NewDecoder(recorder.Body).Decode(&errResp); err != nil {
+		t.Fatalf("Failed to decode error response: %v", err)
+	}
+
+	expectedErrMsg := "Insufficient permissions: requires database_credentials:read permission"
+	if errResp.Error != expectedErrMsg {
+		t.Errorf("Expected error message '%s', got '%s'", expectedErrMsg, errResp.Error)
+	}
 }
--- a/api/server.go
+++ b/api/server.go
@@ -5,6 +5,7 @@ import (
 	"log"
 	"net/http"

+	"git.wntrmute.dev/kyle/mcias/data"
 	_ "github.com/mattn/go-sqlite3"
 )

@@ -12,6 +13,7 @@ type Server struct {
 	DB     *sql.DB
 	Router *http.ServeMux
 	Logger *log.Logger
+	Auth   *data.AuthorizationService
 }

 func NewServer(db *sql.DB, logger *log.Logger) *Server {
@@ -19,6 +21,7 @@ func NewServer(db *sql.DB, logger *log.Logger) *Server {
 		DB:     db,
 		Router: http.NewServeMux(),
 		Logger: logger,
+		Auth:   data.NewAuthorizationService(db),
 	}

 	s.registerRoutes()