ntfy/auth/auth_sqlite.go

package auth

import (
	"database/sql"
	"golang.org/x/crypto/bcrypt"
)

/*

SELECT * FROM user;
SELECT * FROM user_topic;

INSERT INTO user VALUES ('phil','$2a$06$.4W0LI5mcxzxhpjUvpTaNeu0MhRO0T7B.CYnmAkRnlztIy7PrSODu', 'admin');
INSERT INTO user VALUES ('ben','$2a$06$skJK/AecWCUmiCjr69ke.Ow/hFA616RdvJJPxnI221zyohsRlyXL.', 'user');
INSERT INTO user VALUES ('marian','$2a$10$8U90swQIatvHHI4sw0Wo7.OUy6dUwzMcoOABi6BsS4uF0x3zcSXRW', 'user');

INSERT INTO user_topic VALUES ('ben','alerts',1,1);
INSERT INTO user_topic VALUES ('marian','alerts',1,0);
INSERT INTO user_topic VALUES ('','announcements',1,0);
INSERT INTO user_topic VALUES ('','write-all',1,1);

---
dabbling for CLI
	ntfy user add phil --role=admin
	ntfy user del phil
	ntfy user change-pass phil
	ntfy user allow phil mytopic
	ntfy user allow phil mytopic --read-only
	ntfy user deny phil mytopic
	ntfy user list
	   phil (admin)
	   - read-write access to everything
	   ben (user)
	   - read-write access to a topic alerts
	   - read access to
       everyone (no user)
       - read-only access to topic announcements


*/

const (
	createAuthTablesQueries = `
		BEGIN;
		CREATE TABLE IF NOT EXISTS user (
			user TEXT NOT NULL PRIMARY KEY,
			pass TEXT NOT NULL,
			role TEXT NOT NULL
		);
		CREATE TABLE IF NOT EXISTS user_topic (
			user TEXT NOT NULL,		
			topic TEXT NOT NULL,
			read INT NOT NULL,
			write INT NOT NULL,
			PRIMARY KEY (topic, user)
		);
		CREATE TABLE IF NOT EXISTS schema_version (
			id INT PRIMARY KEY,
			version INT NOT NULL
		);
		COMMIT;
	`
	selectUserQuery       = `SELECT pass, role FROM user WHERE user = ?`
	selectTopicPermsQuery = `
		SELECT read, write 
		FROM user_topic 
		WHERE user IN ('', ?) AND topic = ?
		ORDER BY user DESC
	`
)

type SQLiteAuth struct {
	db           *sql.DB
	defaultRead  bool
	defaultWrite bool
}

var _ Auth = (*SQLiteAuth)(nil)

func NewSQLiteAuth(filename string, defaultRead, defaultWrite bool) (*SQLiteAuth, error) {
	db, err := sql.Open("sqlite3", filename)
	if err != nil {
		return nil, err
	}
	if err := setupNewAuthDB(db); err != nil {
		return nil, err
	}
	return &SQLiteAuth{
		db:           db,
		defaultRead:  defaultRead,
		defaultWrite: defaultWrite,
	}, nil
}

func setupNewAuthDB(db *sql.DB) error {
	if _, err := db.Exec(createAuthTablesQueries); err != nil {
		return err
	}
	// FIXME schema version
	return nil
}

func (a *SQLiteAuth) Authenticate(username, password string) (*User, error) {
	rows, err := a.db.Query(selectUserQuery, username)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	var hash, role string
	if rows.Next() {
		if err := rows.Scan(&hash, &role); err != nil {
			return nil, err
		} else if err := rows.Err(); err != nil {
			return nil, err
		}
	}
	if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)); err != nil {
		return nil, err
	}
	return &User{
		Name: username,
		Role: Role(role),
	}, nil
}

func (a *SQLiteAuth) Authorize(user *User, topic string, perm Permission) error {
	if user.Role == RoleAdmin {
		return nil // Admin can do everything
	}
	// Select the read/write permissions for this user/topic combo. The query may return two
	// rows (one for everyone, and one for the user), but prioritizes the user. The value for
	// user.Name may be empty (= everyone).
	rows, err := a.db.Query(selectTopicPermsQuery, user.Name, topic)
	if err != nil {
		return err
	}
	defer rows.Close()
	if !rows.Next() {
		return a.resolvePerms(a.defaultRead, a.defaultWrite, perm)
	}
	var read, write bool
	if err := rows.Scan(&read, &write); err != nil {
		return err
	} else if err := rows.Err(); err != nil {
		return err
	}
	return a.resolvePerms(read, write, perm)
}

func (a *SQLiteAuth) resolvePerms(read, write bool, perm Permission) error {
	if perm == PermissionRead && read {
		return nil
	} else if perm == PermissionWrite && write {
		return nil
	}
	return ErrUnauthorized
}
Move to package 2022-01-23 18:02:16 +13:00			`package auth`
Simplify tables 2022-01-23 17:01:20 +13:00
			`import (`
			`"database/sql"`
			`"golang.org/x/crypto/bcrypt"`
			`)`

			`/*`

			`SELECT * FROM user;`
			`SELECT * FROM user_topic;`

			`INSERT INTO user VALUES ('phil','$2a$06$.4W0LI5mcxzxhpjUvpTaNeu0MhRO0T7B.CYnmAkRnlztIy7PrSODu', 'admin');`
			`INSERT INTO user VALUES ('ben','$2a$06$skJK/AecWCUmiCjr69ke.Ow/hFA616RdvJJPxnI221zyohsRlyXL.', 'user');`
. 2022-01-23 17:07:55 +13:00			`INSERT INTO user VALUES ('marian','$2a$10$8U90swQIatvHHI4sw0Wo7.OUy6dUwzMcoOABi6BsS4uF0x3zcSXRW', 'user');`
Simplify tables 2022-01-23 17:01:20 +13:00
			`INSERT INTO user_topic VALUES ('ben','alerts',1,1);`
			`INSERT INTO user_topic VALUES ('marian','alerts',1,0);`
			`INSERT INTO user_topic VALUES ('','announcements',1,0);`
			`INSERT INTO user_topic VALUES ('','write-all',1,1);`

			`---`
			`dabbling for CLI`
			`ntfy user add phil --role=admin`
			`ntfy user del phil`
			`ntfy user change-pass phil`
			`ntfy user allow phil mytopic`
			`ntfy user allow phil mytopic --read-only`
			`ntfy user deny phil mytopic`
			`ntfy user list`
			`phil (admin)`
			`- read-write access to everything`
			`ben (user)`
			`- read-write access to a topic alerts`
			`- read access to`
			`everyone (no user)`
			`- read-only access to topic announcements`


			`*/`

			`const (`
			createAuthTablesQueries = `
			`BEGIN;`
			`CREATE TABLE IF NOT EXISTS user (`
			`user TEXT NOT NULL PRIMARY KEY,`
			`pass TEXT NOT NULL,`
			`role TEXT NOT NULL`
			`);`
			`CREATE TABLE IF NOT EXISTS user_topic (`
			`user TEXT NOT NULL,`
			`topic TEXT NOT NULL,`
			`read INT NOT NULL,`
			`write INT NOT NULL,`
			`PRIMARY KEY (topic, user)`
			`);`
			`CREATE TABLE IF NOT EXISTS schema_version (`
			`id INT PRIMARY KEY,`
			`version INT NOT NULL`
			`);`
			`COMMIT;`
			`
			selectUserQuery = `SELECT pass, role FROM user WHERE user = ?`
			selectTopicPermsQuery = `
			`SELECT read, write`
			`FROM user_topic`
			`WHERE user IN ('', ?) AND topic = ?`
			`ORDER BY user DESC`
			`
			`)`

Move to package 2022-01-23 18:02:16 +13:00			`type SQLiteAuth struct {`
Simplify tables 2022-01-23 17:01:20 +13:00			`db *sql.DB`
			`defaultRead bool`
			`defaultWrite bool`
			`}`

Move to package 2022-01-23 18:02:16 +13:00			`var _ Auth = (*SQLiteAuth)(nil)`
Simplify tables 2022-01-23 17:01:20 +13:00
Move to package 2022-01-23 18:02:16 +13:00			`func NewSQLiteAuth(filename string, defaultRead, defaultWrite bool) (*SQLiteAuth, error) {`
Simplify tables 2022-01-23 17:01:20 +13:00			`db, err := sql.Open("sqlite3", filename)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if err := setupNewAuthDB(db); err != nil {`
			`return nil, err`
			`}`
Move to package 2022-01-23 18:02:16 +13:00			`return &SQLiteAuth{`
Simplify tables 2022-01-23 17:01:20 +13:00			`db: db,`
			`defaultRead: defaultRead,`
			`defaultWrite: defaultWrite,`
			`}, nil`
			`}`

			`func setupNewAuthDB(db *sql.DB) error {`
			`if _, err := db.Exec(createAuthTablesQueries); err != nil {`
			`return err`
			`}`
			`// FIXME schema version`
			`return nil`
			`}`

Move to package 2022-01-23 18:02:16 +13:00			`func (a SQLiteAuth) Authenticate(username, password string) (User, error) {`
Simplify tables 2022-01-23 17:01:20 +13:00			`rows, err := a.db.Query(selectUserQuery, username)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer rows.Close()`
			`var hash, role string`
			`if rows.Next() {`
			`if err := rows.Scan(&hash, &role); err != nil {`
			`return nil, err`
			`} else if err := rows.Err(); err != nil {`
			`return nil, err`
			`}`
			`}`
			`if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)); err != nil {`
			`return nil, err`
			`}`
Move to package 2022-01-23 18:02:16 +13:00			`return &User{`
Simplify tables 2022-01-23 17:01:20 +13:00			`Name: username,`
Move to package 2022-01-23 18:02:16 +13:00			`Role: Role(role),`
Simplify tables 2022-01-23 17:01:20 +13:00			`}, nil`
			`}`

Move to package 2022-01-23 18:02:16 +13:00			`func (a SQLiteAuth) Authorize(user User, topic string, perm Permission) error {`
			`if user.Role == RoleAdmin {`
Simplify tables 2022-01-23 17:01:20 +13:00			`return nil // Admin can do everything`
			`}`
			`// Select the read/write permissions for this user/topic combo. The query may return two`
			`// rows (one for everyone, and one for the user), but prioritizes the user. The value for`
			`// user.Name may be empty (= everyone).`
			`rows, err := a.db.Query(selectTopicPermsQuery, user.Name, topic)`
			`if err != nil {`
			`return err`
			`}`
			`defer rows.Close()`
			`if !rows.Next() {`
			`return a.resolvePerms(a.defaultRead, a.defaultWrite, perm)`
			`}`
			`var read, write bool`
			`if err := rows.Scan(&read, &write); err != nil {`
			`return err`
			`} else if err := rows.Err(); err != nil {`
			`return err`
			`}`
			`return a.resolvePerms(read, write, perm)`
			`}`

Move to package 2022-01-23 18:02:16 +13:00			`func (a *SQLiteAuth) resolvePerms(read, write bool, perm Permission) error {`
			`if perm == PermissionRead && read {`
Simplify tables 2022-01-23 17:01:20 +13:00			`return nil`
Move to package 2022-01-23 18:02:16 +13:00			`} else if perm == PermissionWrite && write {`
Simplify tables 2022-01-23 17:01:20 +13:00			`return nil`
			`}`
Move to package 2022-01-23 18:02:16 +13:00			`return ErrUnauthorized`
Simplify tables 2022-01-23 17:01:20 +13:00			`}`