Junie: fix token authentication

.gitignore

@@ -1 +1,3 @@
-/mcias.db
+mcias.db
+cmd/mcias/mcias
+.idea

api/auth.go

@@ -91,15 +91,17 @@ func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	userID, err := s.verifyToken(req.Login.User, req.Login.Token)
+	// Verify the token is valid
+	_, err := s.verifyToken(req.Login.User, req.Login.Token)
 	if err != nil {
 		s.sendError(w, "Invalid or expired token", http.StatusUnauthorized)
 		return
 	}
 
-	token, expires, err := s.createToken(userID)
+	// Renew the existing token instead of creating a new one
+	expires, err := s.renewToken(req.Login.User, req.Login.Token)
 	if err != nil {
-		s.Logger.Printf("Token creation error: %v", err)
+		s.Logger.Printf("Token renewal error: %v", err)
 		s.sendError(w, "Internal server error", http.StatusInternalServerError)
 		return
 	}
@@ -107,7 +109,7 @@ func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
 	if err := json.NewEncoder(w).Encode(TokenResponse{
-		Token:   token,
+		Token:   req.Login.Token,
 		Expires: expires,
 	}); err != nil {
 		s.Logger.Printf("Error encoding response: %v", err)
@@ -190,6 +192,30 @@ func (s *Server) verifyToken(username, token string) (string, error) {
 	return userID, nil
 }
 
+func (s *Server) renewToken(username, token string) (int64, error) {
+	// First, verify the token exists and get the token ID
+	query := `
+		SELECT t.id FROM tokens t
+		JOIN users u ON t.uid = u.id
+		WHERE u.user = ? AND t.token = ?
+	`
+	var tokenID string
+	err := s.DB.QueryRow(query, username, token).Scan(&tokenID)
+	if err != nil {
+		return 0, err
+	}
+
+	// Update the token's expiry time
+	expires := time.Now().Add(24 * time.Hour).Unix()
+	updateQuery := `UPDATE tokens SET expires = ? WHERE id = ?`
+	_, err = s.DB.Exec(updateQuery, expires, tokenID)
+	if err != nil {
+		return 0, err
+	}
+
+	return expires, nil
+}
+
 func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Request) {
 	// Extract authorization header
 	authHeader := r.Header.Get("Authorization")
@@ -219,7 +245,7 @@ func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	// Check if user has admin role
+	// Check if user has permission to read database credentials
 	user, err := s.getUserByUsername(username)
 	if err != nil {
 		s.Logger.Printf("Database error: %v", err)
@@ -227,16 +253,15 @@ func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	hasAdminRole := false
+	hasPermission, err := user.HasPermission(s.Auth, "database_credentials", "read")
-	for _, role := range user.Roles {
+	if err != nil {
-		if role == "admin" {
+		s.Logger.Printf("Permission check error: %v", err)
-			hasAdminRole = true
+		s.sendError(w, "Internal server error", http.StatusInternalServerError)
-			break
+		return
-		}
 	}
 
-	if !hasAdminRole {
+	if !hasPermission {
-		s.sendError(w, "Insufficient permissions", http.StatusForbidden)
+		s.sendError(w, "Insufficient permissions: requires database_credentials:read permission", http.StatusForbidden)
 		return
 	}
 

api/auth_test.go

@@ -21,7 +21,7 @@ func setupTestDB(t *testing.T) *sql.DB {
 		t.Fatalf("Failed to open test database: %v", err)
 	}
 
-	schema, err := os.ReadFile("../schema.sql")
+	schema, err := os.ReadFile("../database/schema.sql")
 	if err != nil {
 		t.Fatalf("Failed to read schema: %v", err)
 	}
@@ -109,11 +109,11 @@ func TestTokenLogin(t *testing.T) {
 	server := NewServer(db, logger)
 
 	token := "testtoken123456"
-	expires := time.Now().Add(24 * time.Hour).Unix()
+	initialExpires := time.Now().Add(1 * time.Hour).Unix() // Set initial expiry to 1 hour from now
 
 	tokenID := "token123"
 	query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
-	_, err := db.Exec(query, tokenID, user.ID, token, expires)
+	_, err := db.Exec(query, tokenID, user.ID, token, initialExpires)
 	if err != nil {
 		t.Fatalf("Failed to insert test token: %v", err)
 	}
@@ -146,14 +146,31 @@ func TestTokenLogin(t *testing.T) {
 		t.Fatalf("Failed to decode response: %v", err)
 	}
 
-	if response.Token == "" {
+	// Verify that the same token is returned
-		t.Error("Expected token in response, got empty string")
+	if response.Token != token {
+		t.Errorf("Expected the same token '%s', got '%s'", token, response.Token)
+	}
+
+	// Verify that the expiry has been renewed (should be later than the initial expiry)
+	if response.Expires <= initialExpires {
+		t.Errorf("Expected renewed expiry to be later than initial expiry %d, got %d", initialExpires, response.Expires)
 	}
 
 	now := time.Now().Unix()
 	if response.Expires <= now {
 		t.Errorf("Expected token expiration in the future, got %d (now: %d)", response.Expires, now)
 	}
+
+	// Verify that the token in the database has been updated
+	var dbExpires int64
+	err = db.QueryRow("SELECT expires FROM tokens WHERE id = ?", tokenID).Scan(&dbExpires)
+	if err != nil {
+		t.Fatalf("Failed to query token from database: %v", err)
+	}
+
+	if dbExpires != response.Expires {
+		t.Errorf("Database expiry %d does not match response expiry %d", dbExpires, response.Expires)
+	}
 }
 
 func TestInvalidPasswordLogin(t *testing.T) {
@@ -225,11 +242,11 @@ func TestInvalidTokenLogin(t *testing.T) {
 func createTestAdminUser(t *testing.T, db *sql.DB) *data.User {
 	user := createTestUser(t, db)
 
-	// Add admin role
+	// Use the existing admin role from schema.sql
-	roleID := "role123"
+	var roleID string
-	_, err := db.Exec("INSERT INTO roles (id, role) VALUES (?, ?)", roleID, "admin")
+	err := db.QueryRow("SELECT id FROM roles WHERE role = 'admin'").Scan(&roleID)
 	if err != nil {
-		t.Fatalf("Failed to insert admin role: %v", err)
+		t.Fatalf("Failed to get admin role ID: %v", err)
 	}
 
 	// Assign admin role to user
@@ -243,6 +260,42 @@ func createTestAdminUser(t *testing.T, db *sql.DB) *data.User {
 	return user
 }
 
+func createTestDBOperatorUser(t *testing.T, db *sql.DB) *data.User {
+	// Create a new user
+	user := &data.User{}
+	login := &data.Login{
+		User:     "dboperator",
+		Password: "testpassword",
+	}
+
+	if err := user.Register(login); err != nil {
+		t.Fatalf("Failed to register test user: %v", err)
+	}
+
+	query := `INSERT INTO users (id, created, user, password, salt) VALUES (?, ?, ?, ?, ?)`
+	_, err := db.Exec(query, user.ID, user.Created, user.User, user.Password, user.Salt)
+	if err != nil {
+		t.Fatalf("Failed to insert test user: %v", err)
+	}
+
+	// Use the existing db_operator role from schema.sql
+	var roleID string
+	err = db.QueryRow("SELECT id FROM roles WHERE role = 'db_operator'").Scan(&roleID)
+	if err != nil {
+		t.Fatalf("Failed to get db_operator role ID: %v", err)
+	}
+
+	// Assign db_operator role to user
+	userRoleID := "ur456"
+	_, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", userRoleID, user.ID, roleID)
+	if err != nil {
+		t.Fatalf("Failed to assign db_operator role to user: %v", err)
+	}
+
+	user.Roles = []string{"db_operator"}
+	return user
+}
+
 func insertTestDatabaseCredentials(t *testing.T, db *sql.DB) {
 	query := `INSERT INTO database (id, host, port, name, user, password) 
 			  VALUES (?, ?, ?, ?, ?, ?)`
@@ -252,7 +305,7 @@ func insertTestDatabaseCredentials(t *testing.T, db *sql.DB) {
 	}
 }
 
-func TestDatabaseCredentials(t *testing.T) {
+func TestDatabaseCredentialsAdmin(t *testing.T) {
 	db := setupTestDB(t)
 	defer db.Close()
 
@@ -304,20 +357,20 @@ func TestDatabaseCredentials(t *testing.T) {
 	}
 }
 
-func TestDatabaseCredentialsUnauthorized(t *testing.T) {
+func TestDatabaseCredentialsDBOperator(t *testing.T) {
 	db := setupTestDB(t)
 	defer db.Close()
 
-	user := createTestUser(t, db)  // Regular user without admin role
+	user := createTestDBOperatorUser(t, db)
 	insertTestDatabaseCredentials(t, db)
 
 	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
 	server := NewServer(db, logger)
 
-	token := "testtoken123456"
+	token := "dboptoken123456"
 	expires := time.Now().Add(24 * time.Hour).Unix()
 
-	tokenID := "token123"
+	tokenID := "token456"
 	query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
 	_, err := db.Exec(query, tokenID, user.ID, token, expires)
 	if err != nil {
@@ -330,7 +383,100 @@ func TestDatabaseCredentialsUnauthorized(t *testing.T) {
 	recorder := httptest.NewRecorder()
 	server.handleDatabaseCredentials(recorder, req)
 
+	if recorder.Code != http.StatusOK {
+		t.Errorf("Expected status code %d, got %d", http.StatusOK, recorder.Code)
+	}
+
+	var response DatabaseCredentials
+	if err := json.NewDecoder(recorder.Body).Decode(&response); err != nil {
+		t.Fatalf("Failed to decode response: %v", err)
+	}
+
+	if response.Host != "localhost" {
+		t.Errorf("Expected host 'localhost', got '%s'", response.Host)
+	}
+	if response.Port != 5432 {
+		t.Errorf("Expected port 5432, got %d", response.Port)
+	}
+	if response.Name != "testdb" {
+		t.Errorf("Expected database name 'testdb', got '%s'", response.Name)
+	}
+	if response.User != "postgres" {
+		t.Errorf("Expected user 'postgres', got '%s'", response.User)
+	}
+	if response.Password != "securepassword" {
+		t.Errorf("Expected password 'securepassword', got '%s'", response.Password)
+	}
+}
+
+func TestDatabaseCredentialsUnauthorized(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+
+	// Create a regular user with the 'user' role
+	user := &data.User{}
+	login := &data.Login{
+		User:     "regularuser",
+		Password: "testpassword",
+	}
+
+	if err := user.Register(login); err != nil {
+		t.Fatalf("Failed to register test user: %v", err)
+	}
+
+	query := `INSERT INTO users (id, created, user, password, salt) VALUES (?, ?, ?, ?, ?)`
+	_, err := db.Exec(query, user.ID, user.Created, user.User, user.Password, user.Salt)
+	if err != nil {
+		t.Fatalf("Failed to insert test user: %v", err)
+	}
+
+	// Use the existing user role from schema.sql
+	var roleID string
+	err = db.QueryRow("SELECT id FROM roles WHERE role = 'user'").Scan(&roleID)
+	if err != nil {
+		t.Fatalf("Failed to get user role ID: %v", err)
+	}
+
+	// Assign user role to user
+	userRoleID := "ur789"
+	_, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", userRoleID, user.ID, roleID)
+	if err != nil {
+		t.Fatalf("Failed to assign user role to user: %v", err)
+	}
+
+	insertTestDatabaseCredentials(t, db)
+
+	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
+	server := NewServer(db, logger)
+
+	token := "usertoken123456"
+	expires := time.Now().Add(24 * time.Hour).Unix()
+
+	tokenID := "token789"
+	tokenQuery := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
+	_, err = db.Exec(tokenQuery, tokenID, user.ID, token, expires)
+	if err != nil {
+		t.Fatalf("Failed to insert test token: %v", err)
+	}
+
+	req := httptest.NewRequest("GET", "/v1/database/credentials?username="+user.User, nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+
+	recorder := httptest.NewRecorder()
+	server.handleDatabaseCredentials(recorder, req)
+
 	if recorder.Code != http.StatusForbidden {
 		t.Errorf("Expected status code %d, got %d", http.StatusForbidden, recorder.Code)
 	}
+
+	// Check that the error message mentions the required permission
+	var errResp ErrorResponse
+	if err := json.NewDecoder(recorder.Body).Decode(&errResp); err != nil {
+		t.Fatalf("Failed to decode error response: %v", err)
+	}
+
+	expectedErrMsg := "Insufficient permissions: requires database_credentials:read permission"
+	if errResp.Error != expectedErrMsg {
+		t.Errorf("Expected error message '%s', got '%s'", expectedErrMsg, errResp.Error)
+	}
 }

api/server.go

@@ -5,6 +5,7 @@ import (
 	"log"
 	"net/http"
 
+	"git.wntrmute.dev/kyle/mcias/data"
 	_ "github.com/mattn/go-sqlite3"
 )
 
@@ -12,6 +13,7 @@ type Server struct {
 	DB     *sql.DB
 	Router *http.ServeMux
 	Logger *log.Logger
+	Auth   *data.AuthorizationService
 }
 
 func NewServer(db *sql.DB, logger *log.Logger) *Server {
@@ -19,6 +21,7 @@ func NewServer(db *sql.DB, logger *log.Logger) *Server {
 		DB:     db,
 		Router: http.NewServeMux(),
 		Logger: logger,
+		Auth:   data.NewAuthorizationService(db),
 	}
 
 	s.registerRoutes()

cmd/mcias/permission.go

@@ -0,0 +1,228 @@
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+
+	"github.com/oklog/ulid/v2"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var (
+	permissionRole     string
+	permissionResource string
+	permissionAction   string
+)
+
+var permissionCmd = &cobra.Command{
+	Use:   "permission",
+	Short: "Manage permissions",
+	Long:  `Commands for managing permissions in the MCIAS system.`,
+}
+
+var listPermissionsCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List all permissions",
+	Long:  `List all permissions in the MCIAS system.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		listPermissions()
+	},
+}
+
+var grantPermissionCmd = &cobra.Command{
+	Use:   "grant",
+	Short: "Grant a permission to a role",
+	Long:  `Grant a permission to a role in the MCIAS system.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		grantPermission()
+	},
+}
+
+var revokePermissionCmd = &cobra.Command{
+	Use:   "revoke",
+	Short: "Revoke a permission from a role",
+	Long:  `Revoke a permission from a role in the MCIAS system.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		revokePermission()
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(permissionCmd)
+	permissionCmd.AddCommand(listPermissionsCmd)
+	permissionCmd.AddCommand(grantPermissionCmd)
+	permissionCmd.AddCommand(revokePermissionCmd)
+
+	grantPermissionCmd.Flags().StringVar(&permissionRole, "role", "", "Name of the role to grant the permission to")
+	grantPermissionCmd.Flags().StringVar(&permissionResource, "resource", "", "Resource for the permission")
+	grantPermissionCmd.Flags().StringVar(&permissionAction, "action", "", "Action for the permission")
+	if err := grantPermissionCmd.MarkFlagRequired("role"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking role flag as required: %v\n", err)
+	}
+	if err := grantPermissionCmd.MarkFlagRequired("resource"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking resource flag as required: %v\n", err)
+	}
+	if err := grantPermissionCmd.MarkFlagRequired("action"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking action flag as required: %v\n", err)
+	}
+
+	revokePermissionCmd.Flags().StringVar(&permissionRole, "role", "", "Name of the role to revoke the permission from")
+	revokePermissionCmd.Flags().StringVar(&permissionResource, "resource", "", "Resource for the permission")
+	revokePermissionCmd.Flags().StringVar(&permissionAction, "action", "", "Action for the permission")
+	if err := revokePermissionCmd.MarkFlagRequired("role"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking role flag as required: %v\n", err)
+	}
+	if err := revokePermissionCmd.MarkFlagRequired("resource"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking resource flag as required: %v\n", err)
+	}
+	if err := revokePermissionCmd.MarkFlagRequired("action"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking action flag as required: %v\n", err)
+	}
+}
+
+func listPermissions() {
+	dbPath := viper.GetString("db")
+	logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags)
+
+	db, err := sql.Open("sqlite3", dbPath)
+	if err != nil {
+		logger.Fatalf("Failed to open database: %v", err)
+	}
+	defer db.Close()
+
+	rows, err := db.Query("SELECT id, resource, action, description FROM permissions ORDER BY resource, action")
+	if err != nil {
+		logger.Fatalf("Failed to query permissions: %v", err)
+	}
+	defer rows.Close()
+
+	fmt.Printf("%-24s %-20s %-15s %-30s\n", "ID", "RESOURCE", "ACTION", "DESCRIPTION")
+	fmt.Println(strings.Repeat("-", 90))
+	for rows.Next() {
+		var id, resource, action, description string
+		if err := rows.Scan(&id, &resource, &action, &description); err != nil {
+			logger.Fatalf("Failed to scan permission row: %v", err)
+		}
+		fmt.Printf("%-24s %-20s %-15s %-30s\n", id, resource, action, description)
+	}
+
+	if err := rows.Err(); err != nil {
+		logger.Fatalf("Error iterating permission rows: %v", err)
+	}
+}
+
+func grantPermission() {
+	dbPath := viper.GetString("db")
+	logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags)
+
+	db, err := sql.Open("sqlite3", dbPath)
+	if err != nil {
+		logger.Fatalf("Failed to open database: %v", err)
+	}
+	defer db.Close()
+
+	// Get role ID
+	var roleID string
+	err = db.QueryRow("SELECT id FROM roles WHERE role = ?", permissionRole).Scan(&roleID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			logger.Fatalf("Role %s not found", permissionRole)
+		}
+		logger.Fatalf("Failed to get role ID: %v", err)
+	}
+
+	// Get permission ID
+	var permissionID string
+	err = db.QueryRow("SELECT id FROM permissions WHERE resource = ? AND action = ?", 
+		permissionResource, permissionAction).Scan(&permissionID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			logger.Fatalf("Permission with resource '%s' and action '%s' not found", 
+				permissionResource, permissionAction)
+		}
+		logger.Fatalf("Failed to get permission ID: %v", err)
+	}
+
+	// Check if role already has this permission
+	var count int
+	err = db.QueryRow("SELECT COUNT(*) FROM role_permissions WHERE rid = ? AND pid = ?", 
+		roleID, permissionID).Scan(&count)
+	if err != nil {
+		logger.Fatalf("Failed to check if role has permission: %v", err)
+	}
+	if count > 0 {
+		logger.Fatalf("Role %s already has permission %s:%s", 
+			permissionRole, permissionResource, permissionAction)
+	}
+
+	// Generate a new ID for the role-permission relationship
+	id := ulid.Make().String()
+
+	// Grant permission to role
+	_, err = db.Exec("INSERT INTO role_permissions (id, rid, pid) VALUES (?, ?, ?)", 
+		id, roleID, permissionID)
+	if err != nil {
+		logger.Fatalf("Failed to grant permission: %v", err)
+	}
+
+	fmt.Printf("Permission %s:%s granted to role %s successfully\n", 
+		permissionResource, permissionAction, permissionRole)
+}
+
+func revokePermission() {
+	dbPath := viper.GetString("db")
+	logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags)
+
+	db, err := sql.Open("sqlite3", dbPath)
+	if err != nil {
+		logger.Fatalf("Failed to open database: %v", err)
+	}
+	defer db.Close()
+
+	// Get role ID
+	var roleID string
+	err = db.QueryRow("SELECT id FROM roles WHERE role = ?", permissionRole).Scan(&roleID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			logger.Fatalf("Role %s not found", permissionRole)
+		}
+		logger.Fatalf("Failed to get role ID: %v", err)
+	}
+
+	// Get permission ID
+	var permissionID string
+	err = db.QueryRow("SELECT id FROM permissions WHERE resource = ? AND action = ?", 
+		permissionResource, permissionAction).Scan(&permissionID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			logger.Fatalf("Permission with resource '%s' and action '%s' not found", 
+				permissionResource, permissionAction)
+		}
+		logger.Fatalf("Failed to get permission ID: %v", err)
+	}
+
+	// Check if role has this permission
+	var count int
+	err = db.QueryRow("SELECT COUNT(*) FROM role_permissions WHERE rid = ? AND pid = ?", 
+		roleID, permissionID).Scan(&count)
+	if err != nil {
+		logger.Fatalf("Failed to check if role has permission: %v", err)
+	}
+	if count == 0 {
+		logger.Fatalf("Role %s does not have permission %s:%s", 
+			permissionRole, permissionResource, permissionAction)
+	}
+
+	// Revoke permission from role
+	_, err = db.Exec("DELETE FROM role_permissions WHERE rid = ? AND pid = ?", roleID, permissionID)
+	if err != nil {
+		logger.Fatalf("Failed to revoke permission: %v", err)
+	}
+
+	fmt.Printf("Permission %s:%s revoked from role %s successfully\n", 
+		permissionResource, permissionAction, permissionRole)
+}

cmd/mcias/role.go

@@ -0,0 +1,255 @@
+package main
+
+import (
+	"database/sql"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+
+	"github.com/oklog/ulid/v2"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var (
+	roleName string
+	roleUser string
+)
+
+var roleCmd = &cobra.Command{
+	Use:   "role",
+	Short: "Manage roles",
+	Long:  `Commands for managing roles in the MCIAS system.`,
+}
+
+var addRoleCmd = &cobra.Command{
+	Use:   "add",
+	Short: "Add a new role",
+	Long:  `Add a new role to the MCIAS system.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		addRole()
+	},
+}
+
+var listRolesCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List all roles",
+	Long:  `List all roles in the MCIAS system.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		listRoles()
+	},
+}
+
+var assignRoleCmd = &cobra.Command{
+	Use:   "assign",
+	Short: "Assign a role to a user",
+	Long:  `Assign a role to a user in the MCIAS system.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		assignRole()
+	},
+}
+
+var revokeRoleCmd = &cobra.Command{
+	Use:   "revoke",
+	Short: "Revoke a role from a user",
+	Long:  `Revoke a role from a user in the MCIAS system.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		revokeRole()
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(roleCmd)
+	roleCmd.AddCommand(addRoleCmd)
+	roleCmd.AddCommand(listRolesCmd)
+	roleCmd.AddCommand(assignRoleCmd)
+	roleCmd.AddCommand(revokeRoleCmd)
+
+	addRoleCmd.Flags().StringVar(&roleName, "name", "", "Name of the role")
+	if err := addRoleCmd.MarkFlagRequired("name"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking name flag as required: %v\n", err)
+	}
+
+	assignRoleCmd.Flags().StringVar(&roleUser, "user", "", "Username to assign the role to")
+	assignRoleCmd.Flags().StringVar(&roleName, "role", "", "Name of the role to assign")
+	if err := assignRoleCmd.MarkFlagRequired("user"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking user flag as required: %v\n", err)
+	}
+	if err := assignRoleCmd.MarkFlagRequired("role"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking role flag as required: %v\n", err)
+	}
+
+	revokeRoleCmd.Flags().StringVar(&roleUser, "user", "", "Username to revoke the role from")
+	revokeRoleCmd.Flags().StringVar(&roleName, "role", "", "Name of the role to revoke")
+	if err := revokeRoleCmd.MarkFlagRequired("user"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking user flag as required: %v\n", err)
+	}
+	if err := revokeRoleCmd.MarkFlagRequired("role"); err != nil {
+		fmt.Fprintf(os.Stderr, "Error marking role flag as required: %v\n", err)
+	}
+}
+
+func addRole() {
+	dbPath := viper.GetString("db")
+	logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags)
+
+	db, err := sql.Open("sqlite3", dbPath)
+	if err != nil {
+		logger.Fatalf("Failed to open database: %v", err)
+	}
+	defer db.Close()
+
+	// Check if role already exists
+	var count int
+	err = db.QueryRow("SELECT COUNT(*) FROM roles WHERE role = ?", roleName).Scan(&count)
+	if err != nil {
+		logger.Fatalf("Failed to check if role exists: %v", err)
+	}
+	if count > 0 {
+		logger.Fatalf("Role %s already exists", roleName)
+	}
+
+	// Generate a new ID for the role
+	id := ulid.Make().String()
+
+	// Insert the new role
+	_, err = db.Exec("INSERT INTO roles (id, role) VALUES (?, ?)", id, roleName)
+	if err != nil {
+		logger.Fatalf("Failed to insert role: %v", err)
+	}
+
+	fmt.Printf("Role %s added successfully with ID %s\n", roleName, id)
+}
+
+func listRoles() {
+	dbPath := viper.GetString("db")
+	logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags)
+
+	db, err := sql.Open("sqlite3", dbPath)
+	if err != nil {
+		logger.Fatalf("Failed to open database: %v", err)
+	}
+	defer db.Close()
+
+	rows, err := db.Query("SELECT id, role FROM roles ORDER BY role")
+	if err != nil {
+		logger.Fatalf("Failed to query roles: %v", err)
+	}
+	defer rows.Close()
+
+	fmt.Printf("%-24s %-30s\n", "ID", "ROLE")
+	fmt.Println(strings.Repeat("-", 55))
+	for rows.Next() {
+		var id, role string
+		if err := rows.Scan(&id, &role); err != nil {
+			logger.Fatalf("Failed to scan role row: %v", err)
+		}
+		fmt.Printf("%-24s %-30s\n", id, role)
+	}
+
+	if err := rows.Err(); err != nil {
+		logger.Fatalf("Error iterating role rows: %v", err)
+	}
+}
+
+func assignRole() {
+	dbPath := viper.GetString("db")
+	logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags)
+
+	db, err := sql.Open("sqlite3", dbPath)
+	if err != nil {
+		logger.Fatalf("Failed to open database: %v", err)
+	}
+	defer db.Close()
+
+	// Get user ID
+	var userID string
+	err = db.QueryRow("SELECT id FROM users WHERE user = ?", roleUser).Scan(&userID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			logger.Fatalf("User %s not found", roleUser)
+		}
+		logger.Fatalf("Failed to get user ID: %v", err)
+	}
+
+	// Get role ID
+	var roleID string
+	err = db.QueryRow("SELECT id FROM roles WHERE role = ?", roleName).Scan(&roleID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			logger.Fatalf("Role %s not found", roleName)
+		}
+		logger.Fatalf("Failed to get role ID: %v", err)
+	}
+
+	// Check if user already has this role
+	var count int
+	err = db.QueryRow("SELECT COUNT(*) FROM user_roles WHERE uid = ? AND rid = ?", userID, roleID).Scan(&count)
+	if err != nil {
+		logger.Fatalf("Failed to check if user has role: %v", err)
+	}
+	if count > 0 {
+		logger.Fatalf("User %s already has role %s", roleUser, roleName)
+	}
+
+	// Generate a new ID for the user-role relationship
+	id := ulid.Make().String()
+
+	// Assign role to user
+	_, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", id, userID, roleID)
+	if err != nil {
+		logger.Fatalf("Failed to assign role: %v", err)
+	}
+
+	fmt.Printf("Role %s assigned to user %s successfully\n", roleName, roleUser)
+}
+
+func revokeRole() {
+	dbPath := viper.GetString("db")
+	logger := log.New(os.Stdout, "MCIAS: ", log.LstdFlags)
+
+	db, err := sql.Open("sqlite3", dbPath)
+	if err != nil {
+		logger.Fatalf("Failed to open database: %v", err)
+	}
+	defer db.Close()
+
+	// Get user ID
+	var userID string
+	err = db.QueryRow("SELECT id FROM users WHERE user = ?", roleUser).Scan(&userID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			logger.Fatalf("User %s not found", roleUser)
+		}
+		logger.Fatalf("Failed to get user ID: %v", err)
+	}
+
+	// Get role ID
+	var roleID string
+	err = db.QueryRow("SELECT id FROM roles WHERE role = ?", roleName).Scan(&roleID)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			logger.Fatalf("Role %s not found", roleName)
+		}
+		logger.Fatalf("Failed to get role ID: %v", err)
+	}
+
+	// Check if user has this role
+	var count int
+	err = db.QueryRow("SELECT COUNT(*) FROM user_roles WHERE uid = ? AND rid = ?", userID, roleID).Scan(&count)
+	if err != nil {
+		logger.Fatalf("Failed to check if user has role: %v", err)
+	}
+	if count == 0 {
+		logger.Fatalf("User %s does not have role %s", roleUser, roleName)
+	}
+
+	// Revoke role from user
+	_, err = db.Exec("DELETE FROM user_roles WHERE uid = ? AND rid = ?", userID, roleID)
+	if err != nil {
+		logger.Fatalf("Failed to revoke role: %v", err)
+	}
+
+	fmt.Printf("Role %s revoked from user %s successfully\n", roleName, roleUser)
+}

data/auth.go

@@ -0,0 +1,174 @@
+package data
+
+import (
+	"database/sql"
+	"fmt"
+
+	"github.com/oklog/ulid/v2"
+)
+
+// Permission represents a system permission
+type Permission struct {
+	ID          string
+	Resource    string
+	Action      string
+	Description string
+}
+
+// AuthorizationService provides methods for checking user permissions
+type AuthorizationService struct {
+	db *sql.DB
+}
+
+// NewAuthorizationService creates a new authorization service
+func NewAuthorizationService(db *sql.DB) *AuthorizationService {
+	return &AuthorizationService{db: db}
+}
+
+// UserHasPermission checks if a user has a specific permission for a resource and action
+func (a *AuthorizationService) UserHasPermission(userID, resource, action string) (bool, error) {
+	query := `
+		SELECT COUNT(*) FROM permissions p
+		JOIN role_permissions rp ON p.id = rp.pid
+		JOIN user_roles ur ON rp.rid = ur.rid
+		WHERE ur.uid = ? AND p.resource = ? AND p.action = ?
+	`
+
+	var count int
+	err := a.db.QueryRow(query, userID, resource, action).Scan(&count)
+	if err != nil {
+		return false, fmt.Errorf("failed to check user permission: %w", err)
+	}
+
+	return count > 0, nil
+}
+
+// GetUserPermissions returns all permissions for a user based on their roles
+func (a *AuthorizationService) GetUserPermissions(userID string) ([]Permission, error) {
+	query := `
+		SELECT DISTINCT p.id, p.resource, p.action, p.description FROM permissions p
+		JOIN role_permissions rp ON p.id = rp.pid
+		JOIN user_roles ur ON rp.rid = ur.rid
+		WHERE ur.uid = ?
+	`
+
+	rows, err := a.db.Query(query, userID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user permissions: %w", err)
+	}
+	defer rows.Close()
+
+	var permissions []Permission
+	for rows.Next() {
+		var perm Permission
+		if err := rows.Scan(&perm.ID, &perm.Resource, &perm.Action, &perm.Description); err != nil {
+			return nil, fmt.Errorf("failed to scan permission: %w", err)
+		}
+		permissions = append(permissions, perm)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating permissions: %w", err)
+	}
+
+	return permissions, nil
+}
+
+// GetRolePermissions returns all permissions for a specific role
+func (a *AuthorizationService) GetRolePermissions(roleID string) ([]Permission, error) {
+	query := `
+		SELECT p.id, p.resource, p.action, p.description FROM permissions p
+		JOIN role_permissions rp ON p.id = rp.pid
+		WHERE rp.rid = ?
+	`
+
+	rows, err := a.db.Query(query, roleID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get role permissions: %w", err)
+	}
+	defer rows.Close()
+
+	var permissions []Permission
+	for rows.Next() {
+		var perm Permission
+		if err := rows.Scan(&perm.ID, &perm.Resource, &perm.Action, &perm.Description); err != nil {
+			return nil, fmt.Errorf("failed to scan permission: %w", err)
+		}
+		permissions = append(permissions, perm)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating permissions: %w", err)
+	}
+
+	return permissions, nil
+}
+
+// GrantPermissionToRole grants a permission to a role
+func (a *AuthorizationService) GrantPermissionToRole(roleID, permissionID string) error {
+	// Check if the role-permission relationship already exists
+	checkQuery := `SELECT COUNT(*) FROM role_permissions WHERE rid = ? AND pid = ?`
+	var count int
+	err := a.db.QueryRow(checkQuery, roleID, permissionID).Scan(&count)
+	if err != nil {
+		return fmt.Errorf("failed to check role permission: %w", err)
+	}
+
+	if count > 0 {
+		return nil // Permission already granted
+	}
+
+	// Generate a new ID for the role-permission relationship
+	id := GenerateID()
+
+	// Insert the new role-permission relationship
+	insertQuery := `INSERT INTO role_permissions (id, rid, pid) VALUES (?, ?, ?)`
+	_, err = a.db.Exec(insertQuery, id, roleID, permissionID)
+	if err != nil {
+		return fmt.Errorf("failed to grant permission to role: %w", err)
+	}
+
+	return nil
+}
+
+// RevokePermissionFromRole revokes a permission from a role
+func (a *AuthorizationService) RevokePermissionFromRole(roleID, permissionID string) error {
+	query := `DELETE FROM role_permissions WHERE rid = ? AND pid = ?`
+	_, err := a.db.Exec(query, roleID, permissionID)
+	if err != nil {
+		return fmt.Errorf("failed to revoke permission from role: %w", err)
+	}
+
+	return nil
+}
+
+// GetAllPermissions returns all permissions in the system
+func (a *AuthorizationService) GetAllPermissions() ([]Permission, error) {
+	query := `SELECT id, resource, action, description FROM permissions`
+
+	rows, err := a.db.Query(query)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get permissions: %w", err)
+	}
+	defer rows.Close()
+
+	var permissions []Permission
+	for rows.Next() {
+		var perm Permission
+		if err := rows.Scan(&perm.ID, &perm.Resource, &perm.Action, &perm.Description); err != nil {
+			return nil, fmt.Errorf("failed to scan permission: %w", err)
+		}
+		permissions = append(permissions, perm)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating permissions: %w", err)
+	}
+
+	return permissions, nil
+}
+
+// GenerateID generates a unique ID for database records
+func GenerateID() string {
+	return ulid.Make().String()
+}

data/auth_test.go

@@ -0,0 +1,223 @@
+package data
+
+import (
+	"database/sql"
+	"os"
+	"testing"
+
+	_ "github.com/mattn/go-sqlite3"
+)
+
+func setupTestDB(t *testing.T) (*sql.DB, func()) {
+	// Create a temporary database for testing
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		t.Fatalf("Failed to open in-memory database: %v", err)
+	}
+
+	// Read the schema file
+	schemaBytes, err := os.ReadFile("../database/schema.sql")
+	if err != nil {
+		t.Fatalf("Failed to read schema file: %v", err)
+	}
+	schema := string(schemaBytes)
+
+	// Execute the schema
+	_, err = db.Exec(schema)
+	if err != nil {
+		t.Fatalf("Failed to execute schema: %v", err)
+	}
+
+	// Create test data
+	setupTestData(t, db)
+
+	// Return the database and a cleanup function
+	return db, func() {
+		db.Close()
+	}
+}
+
+func setupTestData(t *testing.T, db *sql.DB) {
+	// Create test users
+	_, err := db.Exec(`INSERT INTO users (id, created, user, password, salt) VALUES 
+		('user1', 1622505600, 'testadmin', 'dummy', 'dummy'),
+		('user2', 1622505600, 'testoperator', 'dummy', 'dummy'),
+		('user3', 1622505600, 'testuser', 'dummy', 'dummy')`)
+	if err != nil {
+		t.Fatalf("Failed to insert test users: %v", err)
+	}
+
+	// Create test roles (these should already exist from schema.sql)
+	// But we'll check and insert if needed
+	var count int
+	err = db.QueryRow("SELECT COUNT(*) FROM roles WHERE role = 'admin'").Scan(&count)
+	if err != nil {
+		t.Fatalf("Failed to check roles: %v", err)
+	}
+	if count == 0 {
+		_, err = db.Exec(`INSERT INTO roles (id, role) VALUES 
+			('role_admin', 'admin'),
+			('role_db_operator', 'db_operator'),
+			('role_user', 'user')`)
+		if err != nil {
+			t.Fatalf("Failed to insert test roles: %v", err)
+		}
+	}
+
+	// Assign roles to users
+	_, err = db.Exec(`INSERT INTO user_roles (id, uid, rid) VALUES 
+		('ur1', 'user1', 'role_admin'),
+		('ur2', 'user2', 'role_db_operator'),
+		('ur3', 'user3', 'role_user')`)
+	if err != nil {
+		t.Fatalf("Failed to assign roles to users: %v", err)
+	}
+}
+
+func TestUserHasPermission(t *testing.T) {
+	db, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	authService := NewAuthorizationService(db)
+
+	tests := []struct {
+		name     string
+		userID   string
+		resource string
+		action   string
+		want     bool
+	}{
+		{
+			name:     "Admin has database read permission",
+			userID:   "user1",
+			resource: "database_credentials",
+			action:   "read",
+			want:     true,
+		},
+		{
+			name:     "Admin has database write permission",
+			userID:   "user1",
+			resource: "database_credentials",
+			action:   "write",
+			want:     true,
+		},
+		{
+			name:     "DB Operator has database read permission",
+			userID:   "user2",
+			resource: "database_credentials",
+			action:   "read",
+			want:     true,
+		},
+		{
+			name:     "DB Operator does not have database write permission",
+			userID:   "user2",
+			resource: "database_credentials",
+			action:   "write",
+			want:     false,
+		},
+		{
+			name:     "Regular user does not have database read permission",
+			userID:   "user3",
+			resource: "database_credentials",
+			action:   "read",
+			want:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := authService.UserHasPermission(tt.userID, tt.resource, tt.action)
+			if err != nil {
+				t.Errorf("AuthorizationService.UserHasPermission() error = %v", err)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("AuthorizationService.UserHasPermission() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestGetUserPermissions(t *testing.T) {
+	db, cleanup := setupTestDB(t)
+	defer cleanup()
+
+	authService := NewAuthorizationService(db)
+
+	t.Run("Admin has all permissions", func(t *testing.T) {
+		permissions, err := authService.GetUserPermissions("user1")
+		if err != nil {
+			t.Errorf("AuthorizationService.GetUserPermissions() error = %v", err)
+			return
+		}
+		
+		// Admin should have 4 permissions
+		if len(permissions) != 4 {
+			t.Errorf("Admin should have 4 permissions, got %d", len(permissions))
+		}
+		
+		// Check for specific permissions
+		hasDBRead := false
+		hasDBWrite := false
+		for _, p := range permissions {
+			if p.Resource == "database_credentials" && p.Action == "read" {
+				hasDBRead = true
+			}
+			if p.Resource == "database_credentials" && p.Action == "write" {
+				hasDBWrite = true
+			}
+		}
+		
+		if !hasDBRead {
+			t.Errorf("Admin should have database_credentials:read permission")
+		}
+		if !hasDBWrite {
+			t.Errorf("Admin should have database_credentials:write permission")
+		}
+	})
+
+	t.Run("DB Operator has limited permissions", func(t *testing.T) {
+		permissions, err := authService.GetUserPermissions("user2")
+		if err != nil {
+			t.Errorf("AuthorizationService.GetUserPermissions() error = %v", err)
+			return
+		}
+		
+		// DB Operator should have 1 permission
+		if len(permissions) != 1 {
+			t.Errorf("DB Operator should have 1 permission, got %d", len(permissions))
+		}
+		
+		// Check for specific permissions
+		hasDBRead := false
+		hasDBWrite := false
+		for _, p := range permissions {
+			if p.Resource == "database_credentials" && p.Action == "read" {
+				hasDBRead = true
+			}
+			if p.Resource == "database_credentials" && p.Action == "write" {
+				hasDBWrite = true
+			}
+		}
+		
+		if !hasDBRead {
+			t.Errorf("DB Operator should have database_credentials:read permission")
+		}
+		if hasDBWrite {
+			t.Errorf("DB Operator should not have database_credentials:write permission")
+		}
+	})
+
+	t.Run("Regular user has no permissions", func(t *testing.T) {
+		permissions, err := authService.GetUserPermissions("user3")
+		if err != nil {
+			t.Errorf("AuthorizationService.GetUserPermissions() error = %v", err)
+			return
+		}
+		
+		// Regular user should have 0 permissions
+		if len(permissions) != 0 {
+			t.Errorf("Regular user should have 0 permissions, got %d", len(permissions))
+		}
+	})
+}

data/user.go

@@ -25,6 +25,26 @@ type User struct {
 	Roles    []string
 }
 
+// HasRole checks if the user has a specific role
+func (u *User) HasRole(role string) bool {
+	for _, r := range u.Roles {
+		if r == role {
+			return true
+		}
+	}
+	return false
+}
+
+// HasPermission checks if the user has a specific permission using the authorization service
+func (u *User) HasPermission(authService *AuthorizationService, resource, action string) (bool, error) {
+	return authService.UserHasPermission(u.ID, resource, action)
+}
+
+// GetPermissions returns all permissions for the user using the authorization service
+func (u *User) GetPermissions(authService *AuthorizationService) ([]Permission, error) {
+	return authService.GetUserPermissions(u.ID)
+}
+
 type Login struct {
 	User     string `json:"user"`
 	Password string `json:"password,omitzero"`

database/schema.sql

@@ -39,4 +39,45 @@ CREATE TABLE user_roles (
 	rid	text not null,
 	FOREIGN KEY(uid) REFERENCES user(id),
 	FOREIGN KEY(rid) REFERENCES roles(id)
-);
+);
+
+-- Add permissions table
+CREATE TABLE permissions (
+    id TEXT PRIMARY KEY,
+    resource TEXT NOT NULL,
+    action TEXT NOT NULL,
+    description TEXT
+);
+
+-- Link roles to permissions
+CREATE TABLE role_permissions (
+    id TEXT PRIMARY KEY,
+    rid TEXT NOT NULL,
+    pid TEXT NOT NULL,
+    FOREIGN KEY(rid) REFERENCES roles(id),
+    FOREIGN KEY(pid) REFERENCES permissions(id)
+);
+
+-- Add default permissions
+INSERT INTO permissions (id, resource, action, description) VALUES 
+    ('perm_db_read', 'database_credentials', 'read', 'Read database credentials'),
+    ('perm_db_write', 'database_credentials', 'write', 'Modify database credentials'),
+    ('perm_user_manage', 'users', 'manage', 'Manage user accounts'),
+    ('perm_token_manage', 'tokens', 'manage', 'Manage authentication tokens');
+
+-- Add default roles
+INSERT INTO roles (id, role) VALUES 
+    ('role_admin', 'admin'),
+    ('role_db_operator', 'db_operator'),
+    ('role_user', 'user');
+
+-- Grant permissions to admin role
+INSERT INTO role_permissions (id, rid, pid) VALUES 
+    ('rp_admin_db_read', 'role_admin', 'perm_db_read'),
+    ('rp_admin_db_write', 'role_admin', 'perm_db_write'),
+    ('rp_admin_user_manage', 'role_admin', 'perm_user_manage'),
+    ('rp_admin_token_manage', 'role_admin', 'perm_token_manage');
+
+-- Grant database access to db_operator role
+INSERT INTO role_permissions (id, rid, pid) VALUES 
+    ('rp_dbop_db_read', 'role_db_operator', 'perm_db_read');

main.go

@@ -1,20 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-)
-
-func main() {
-	cmd := exec.Command("go", "run", "cmd/mcias/main.go")
-
-	cmd.Stdin = os.Stdin
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-
-	if err := cmd.Run(); err != nil {
-		fmt.Fprintf(os.Stderr, "Error running mcias command: %v\n", err)
-		os.Exit(1)
-	}
-}