Core implementation written with Junie.

2025-06-06 10:15:49 -07:00
parent 0ef669352f
commit e22c12fd39
28 changed files with 2597 additions and 24 deletions
--- a/api/auth.go
+++ b/api/auth.go
@@ -0,0 +1,266 @@
+package api
+
+import (
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
+	"time"
+
+	"git.wntrmute.dev/kyle/mcias/data"
+	"github.com/oklog/ulid/v2"
+)
+
+type LoginRequest struct {
+	Version string     `json:"version"`
+	Login   data.Login `json:"login"`
+}
+
+type TokenResponse struct {
+	Token   string `json:"token"`
+	Expires int64  `json:"expires"`
+}
+
+type ErrorResponse struct {
+	Error string `json:"error"`
+}
+
+type DatabaseCredentials struct {
+	Host     string `json:"host"`
+	Port     int    `json:"port"`
+	Name     string `json:"name"`
+	User     string `json:"user"`
+	Password string `json:"password"`
+}
+
+func (s *Server) handlePasswordLogin(w http.ResponseWriter, r *http.Request) {
+	var req LoginRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		s.sendError(w, "Invalid request format", http.StatusBadRequest)
+		return
+	}
+
+	if req.Version != "v1" || req.Login.User == "" || req.Login.Password == "" {
+		s.sendError(w, "Invalid login request", http.StatusBadRequest)
+		return
+	}
+
+	user, err := s.getUserByUsername(req.Login.User)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			s.sendError(w, "Invalid username or password", http.StatusUnauthorized)
+		} else {
+			s.Logger.Printf("Database error: %v", err)
+			s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	if !user.Check(&req.Login) {
+		s.sendError(w, "Invalid username or password", http.StatusUnauthorized)
+		return
+	}
+
+	token, expires, err := s.createToken(user.ID)
+	if err != nil {
+		s.Logger.Printf("Token creation error: %v", err)
+		s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if err := json.NewEncoder(w).Encode(TokenResponse{
+		Token:   token,
+		Expires: expires,
+	}); err != nil {
+		s.Logger.Printf("Error encoding response: %v", err)
+	}
+}
+
+func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) {
+	var req LoginRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		s.sendError(w, "Invalid request format", http.StatusBadRequest)
+		return
+	}
+
+	if req.Version != "v1" || req.Login.User == "" || req.Login.Token == "" {
+		s.sendError(w, "Invalid login request", http.StatusBadRequest)
+		return
+	}
+
+	userID, err := s.verifyToken(req.Login.User, req.Login.Token)
+	if err != nil {
+		s.sendError(w, "Invalid or expired token", http.StatusUnauthorized)
+		return
+	}
+
+	token, expires, err := s.createToken(userID)
+	if err != nil {
+		s.Logger.Printf("Token creation error: %v", err)
+		s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if err := json.NewEncoder(w).Encode(TokenResponse{
+		Token:   token,
+		Expires: expires,
+	}); err != nil {
+		s.Logger.Printf("Error encoding response: %v", err)
+	}
+}
+
+func (s *Server) sendError(w http.ResponseWriter, message string, status int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(ErrorResponse{Error: message}); err != nil {
+		s.Logger.Printf("Error encoding error response: %v", err)
+	}
+}
+
+func (s *Server) getUserByUsername(username string) (*data.User, error) {
+	query := `SELECT id, created, user, password, salt FROM users WHERE user = ?`
+	row := s.DB.QueryRow(query, username)
+
+	user := &data.User{}
+	err := row.Scan(&user.ID, &user.Created, &user.User, &user.Password, &user.Salt)
+	if err != nil {
+		return nil, err
+	}
+
+	rolesQuery := `
+		SELECT r.role FROM roles r
+		JOIN user_roles ur ON r.id = ur.rid
+		WHERE ur.uid = ?
+	`
+	rows, err := s.DB.Query(rolesQuery, user.ID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var roles []string
+	for rows.Next() {
+		var role string
+		if err := rows.Scan(&role); err != nil {
+			return nil, err
+		}
+		roles = append(roles, role)
+	}
+	user.Roles = roles
+
+	return user, nil
+}
+
+func (s *Server) createToken(userID string) (string, int64, error) {
+	token := ulid.Make().String()
+
+	expires := time.Now().Add(24 * time.Hour).Unix()
+	query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
+	tokenID := ulid.Make().String()
+	_, err := s.DB.Exec(query, tokenID, userID, token, expires)
+	if err != nil {
+		return "", 0, err
+	}
+
+	return token, expires, nil
+}
+
+func (s *Server) verifyToken(username, token string) (string, error) {
+	query := `
+		SELECT t.uid, t.expires FROM tokens t
+		JOIN users u ON t.uid = u.id
+		WHERE u.user = ? AND t.token = ?
+	`
+	var userID string
+	var expires int64
+	err := s.DB.QueryRow(query, username, token).Scan(&userID, &expires)
+	if err != nil {
+		return "", err
+	}
+
+	if expires > 0 && expires < time.Now().Unix() {
+		return "", errors.New("token expired")
+	}
+
+	return userID, nil
+}
+
+func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Request) {
+	// Extract authorization header
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		s.sendError(w, "Authorization header required", http.StatusUnauthorized)
+		return
+	}
+
+	// Check if it's a Bearer token
+	parts := strings.Split(authHeader, " ")
+	if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
+		s.sendError(w, "Invalid authorization format", http.StatusUnauthorized)
+		return
+	}
+
+	token := parts[1]
+	username := r.URL.Query().Get("username")
+	if username == "" {
+		s.sendError(w, "Username parameter required", http.StatusBadRequest)
+		return
+	}
+
+	// Verify the token
+	_, err := s.verifyToken(username, token)
+	if err != nil {
+		s.sendError(w, "Invalid or expired token", http.StatusUnauthorized)
+		return
+	}
+
+	// Check if user has admin role
+	user, err := s.getUserByUsername(username)
+	if err != nil {
+		s.Logger.Printf("Database error: %v", err)
+		s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	hasAdminRole := false
+	for _, role := range user.Roles {
+		if role == "admin" {
+			hasAdminRole = true
+			break
+		}
+	}
+
+	if !hasAdminRole {
+		s.sendError(w, "Insufficient permissions", http.StatusForbidden)
+		return
+	}
+
+	// Retrieve database credentials
+	query := `SELECT id, host, port, name, user, password FROM database LIMIT 1`
+	row := s.DB.QueryRow(query)
+
+	var id string
+	var creds DatabaseCredentials
+	err = row.Scan(&id, &creds.Host, &creds.Port, &creds.Name, &creds.User, &creds.Password)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			s.sendError(w, "No database credentials found", http.StatusNotFound)
+		} else {
+			s.Logger.Printf("Database error: %v", err)
+			s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	// Return the credentials
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if err := json.NewEncoder(w).Encode(creds); err != nil {
+		s.Logger.Printf("Error encoding response: %v", err)
+	}
+}
--- a/api/auth_test.go
+++ b/api/auth_test.go
@@ -0,0 +1,336 @@
+package api
+
+import (
+	"bytes"
+	"database/sql"
+	"encoding/json"
+	"log"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+	"time"
+
+	"git.wntrmute.dev/kyle/mcias/data"
+	_ "github.com/mattn/go-sqlite3"
+)
+
+func setupTestDB(t *testing.T) *sql.DB {
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		t.Fatalf("Failed to open test database: %v", err)
+	}
+
+	schema, err := os.ReadFile("../schema.sql")
+	if err != nil {
+		t.Fatalf("Failed to read schema: %v", err)
+	}
+
+	if _, err := db.Exec(string(schema)); err != nil {
+		t.Fatalf("Failed to initialize test database: %v", err)
+	}
+
+	return db
+}
+
+func createTestUser(t *testing.T, db *sql.DB) *data.User {
+	user := &data.User{}
+	login := &data.Login{
+		User:     "testuser",
+		Password: "testpassword",
+	}
+
+	if err := user.Register(login); err != nil {
+		t.Fatalf("Failed to register test user: %v", err)
+	}
+
+	query := `INSERT INTO users (id, created, user, password, salt) VALUES (?, ?, ?, ?, ?)`
+	_, err := db.Exec(query, user.ID, user.Created, user.User, user.Password, user.Salt)
+	if err != nil {
+		t.Fatalf("Failed to insert test user: %v", err)
+	}
+
+	return user
+}
+
+func TestPasswordLogin(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+
+	user := createTestUser(t, db)
+
+	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
+	server := NewServer(db, logger)
+	loginReq := LoginRequest{
+		Version: "v1",
+		Login: data.Login{
+			User:     user.User,
+			Password: "testpassword",
+		},
+	}
+
+	body, err := json.Marshal(loginReq)
+	if err != nil {
+		t.Fatalf("Failed to marshal request: %v", err)
+	}
+
+	req := httptest.NewRequest("POST", "/v1/login/password", bytes.NewBuffer(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	server.handlePasswordLogin(recorder, req)
+
+	if recorder.Code != http.StatusOK {
+		t.Errorf("Expected status code %d, got %d", http.StatusOK, recorder.Code)
+	}
+
+	var response TokenResponse
+	if err := json.NewDecoder(recorder.Body).Decode(&response); err != nil {
+		t.Fatalf("Failed to decode response: %v", err)
+	}
+
+	if response.Token == "" {
+		t.Error("Expected token in response, got empty string")
+	}
+
+	now := time.Now().Unix()
+	if response.Expires <= now {
+		t.Errorf("Expected token expiration in the future, got %d (now: %d)", response.Expires, now)
+	}
+}
+
+func TestTokenLogin(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+
+	user := createTestUser(t, db)
+
+	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
+	server := NewServer(db, logger)
+
+	token := "testtoken123456"
+	expires := time.Now().Add(24 * time.Hour).Unix()
+
+	tokenID := "token123"
+	query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
+	_, err := db.Exec(query, tokenID, user.ID, token, expires)
+	if err != nil {
+		t.Fatalf("Failed to insert test token: %v", err)
+	}
+
+	loginReq := LoginRequest{
+		Version: "v1",
+		Login: data.Login{
+			User:  user.User,
+			Token: token,
+		},
+	}
+
+	body, err := json.Marshal(loginReq)
+	if err != nil {
+		t.Fatalf("Failed to marshal request: %v", err)
+	}
+
+	req := httptest.NewRequest("POST", "/v1/login/token", bytes.NewBuffer(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	server.handleTokenLogin(recorder, req)
+
+	if recorder.Code != http.StatusOK {
+		t.Errorf("Expected status code %d, got %d", http.StatusOK, recorder.Code)
+	}
+
+	var response TokenResponse
+	if err := json.NewDecoder(recorder.Body).Decode(&response); err != nil {
+		t.Fatalf("Failed to decode response: %v", err)
+	}
+
+	if response.Token == "" {
+		t.Error("Expected token in response, got empty string")
+	}
+
+	now := time.Now().Unix()
+	if response.Expires <= now {
+		t.Errorf("Expected token expiration in the future, got %d (now: %d)", response.Expires, now)
+	}
+}
+
+func TestInvalidPasswordLogin(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+
+	user := createTestUser(t, db)
+
+	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
+	server := NewServer(db, logger)
+
+	loginReq := LoginRequest{
+		Version: "v1",
+		Login: data.Login{
+			User:     user.User,
+			Password: "wrongpassword",
+		},
+	}
+
+	body, err := json.Marshal(loginReq)
+	if err != nil {
+		t.Fatalf("Failed to marshal request: %v", err)
+	}
+
+	req := httptest.NewRequest("POST", "/v1/login/password", bytes.NewBuffer(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	server.handlePasswordLogin(recorder, req)
+
+	if recorder.Code != http.StatusUnauthorized {
+		t.Errorf("Expected status code %d, got %d", http.StatusUnauthorized, recorder.Code)
+	}
+}
+
+func TestInvalidTokenLogin(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+
+	user := createTestUser(t, db)
+
+	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
+	server := NewServer(db, logger)
+
+	loginReq := LoginRequest{
+		Version: "v1",
+		Login: data.Login{
+			User:  user.User,
+			Token: "invalidtoken",
+		},
+	}
+
+	body, err := json.Marshal(loginReq)
+	if err != nil {
+		t.Fatalf("Failed to marshal request: %v", err)
+	}
+
+	req := httptest.NewRequest("POST", "/v1/login/token", bytes.NewBuffer(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	recorder := httptest.NewRecorder()
+	server.handleTokenLogin(recorder, req)
+
+	if recorder.Code != http.StatusUnauthorized {
+		t.Errorf("Expected status code %d, got %d", http.StatusUnauthorized, recorder.Code)
+	}
+}
+
+func createTestAdminUser(t *testing.T, db *sql.DB) *data.User {
+	user := createTestUser(t, db)
+
+	// Add admin role
+	roleID := "role123"
+	_, err := db.Exec("INSERT INTO roles (id, role) VALUES (?, ?)", roleID, "admin")
+	if err != nil {
+		t.Fatalf("Failed to insert admin role: %v", err)
+	}
+
+	// Assign admin role to user
+	userRoleID := "ur123"
+	_, err = db.Exec("INSERT INTO user_roles (id, uid, rid) VALUES (?, ?, ?)", userRoleID, user.ID, roleID)
+	if err != nil {
+		t.Fatalf("Failed to assign admin role to user: %v", err)
+	}
+
+	user.Roles = []string{"admin"}
+	return user
+}
+
+func insertTestDatabaseCredentials(t *testing.T, db *sql.DB) {
+	query := `INSERT INTO database (id, host, port, name, user, password) 
+			  VALUES (?, ?, ?, ?, ?, ?)`
+	_, err := db.Exec(query, "db123", "localhost", 5432, "testdb", "postgres", "securepassword")
+	if err != nil {
+		t.Fatalf("Failed to insert test database credentials: %v", err)
+	}
+}
+
+func TestDatabaseCredentials(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+
+	user := createTestAdminUser(t, db)
+	insertTestDatabaseCredentials(t, db)
+
+	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
+	server := NewServer(db, logger)
+
+	token := "testtoken123456"
+	expires := time.Now().Add(24 * time.Hour).Unix()
+
+	tokenID := "token123"
+	query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
+	_, err := db.Exec(query, tokenID, user.ID, token, expires)
+	if err != nil {
+		t.Fatalf("Failed to insert test token: %v", err)
+	}
+
+	req := httptest.NewRequest("GET", "/v1/database/credentials?username="+user.User, nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+
+	recorder := httptest.NewRecorder()
+	server.handleDatabaseCredentials(recorder, req)
+
+	if recorder.Code != http.StatusOK {
+		t.Errorf("Expected status code %d, got %d", http.StatusOK, recorder.Code)
+	}
+
+	var response DatabaseCredentials
+	if err := json.NewDecoder(recorder.Body).Decode(&response); err != nil {
+		t.Fatalf("Failed to decode response: %v", err)
+	}
+
+	if response.Host != "localhost" {
+		t.Errorf("Expected host 'localhost', got '%s'", response.Host)
+	}
+	if response.Port != 5432 {
+		t.Errorf("Expected port 5432, got %d", response.Port)
+	}
+	if response.Name != "testdb" {
+		t.Errorf("Expected database name 'testdb', got '%s'", response.Name)
+	}
+	if response.User != "postgres" {
+		t.Errorf("Expected user 'postgres', got '%s'", response.User)
+	}
+	if response.Password != "securepassword" {
+		t.Errorf("Expected password 'securepassword', got '%s'", response.Password)
+	}
+}
+
+func TestDatabaseCredentialsUnauthorized(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+
+	user := createTestUser(t, db)  // Regular user without admin role
+	insertTestDatabaseCredentials(t, db)
+
+	logger := log.New(os.Stdout, "TEST: ", log.LstdFlags)
+	server := NewServer(db, logger)
+
+	token := "testtoken123456"
+	expires := time.Now().Add(24 * time.Hour).Unix()
+
+	tokenID := "token123"
+	query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
+	_, err := db.Exec(query, tokenID, user.ID, token, expires)
+	if err != nil {
+		t.Fatalf("Failed to insert test token: %v", err)
+	}
+
+	req := httptest.NewRequest("GET", "/v1/database/credentials?username="+user.User, nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+
+	recorder := httptest.NewRecorder()
+	server.handleDatabaseCredentials(recorder, req)
+
+	if recorder.Code != http.StatusForbidden {
+		t.Errorf("Expected status code %d, got %d", http.StatusForbidden, recorder.Code)
+	}
+}
--- a/api/server.go
+++ b/api/server.go
@@ -0,0 +1,42 @@
+package api
+
+import (
+	"database/sql"
+	"log"
+	"net/http"
+
+	_ "github.com/mattn/go-sqlite3"
+)
+
+type Server struct {
+	DB     *sql.DB
+	Router *http.ServeMux
+	Logger *log.Logger
+}
+
+func NewServer(db *sql.DB, logger *log.Logger) *Server {
+	s := &Server{
+		DB:     db,
+		Router: http.NewServeMux(),
+		Logger: logger,
+	}
+
+	s.registerRoutes()
+
+	return s
+}
+
+func (s *Server) registerRoutes() {
+	s.Router.HandleFunc("POST /v1/login/password", s.handlePasswordLogin)
+	s.Router.HandleFunc("POST /v1/login/token", s.handleTokenLogin)
+	s.Router.HandleFunc("GET /v1/database/credentials", s.handleDatabaseCredentials)
+}
+
+func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	s.Router.ServeHTTP(w, r)
+}
+
+func (s *Server) Start(addr string) error {
+	s.Logger.Printf("Starting server on %s", addr)
+	return http.ListenAndServe(addr, s)
+}