certmanager update

Makefile.am

@@ -16,49 +16,16 @@ certmanagerd$(EXEEXT): $(certmanagerd_SOURCES) $(EXTRA_certmanagerd_SOURCES)
 
 
 certmanagerctl_SOURCES = cmd/certmanagerctl/main.go \
-	    cmd/certmanagerctl/servicecli.go \
-	    cmd/certmanagerctl/issuercli.go
+	    cmd/certmanagerctl/account.go \
+	    cmd/certmanagerctl/service.go \
+	    cmd/certmanagerctl/issuer.go \
+	    cmd/certmanagerctl/grant.go
 
 certmanagerctl$(EXEEXT): $(certmanagerctl_SOURCES) $(EXTRA_certmanagerd_SOURCES)
 	env CGO_ENABLED=1 $(GO) build $(GOFLAGS) -o certmanagerctl$(EXEEXT) $(certmanagerctl_SOURCES)
 
 
 EXTRA_certmanagerd_SOURCES = \
-	internal/config/config.go \
-	internal/database/database.go \
-	internal/database/issuer.go \
-	internal/database/service.go \
-	internal/descriptor/descriptor.go \
-	internal/grpc/handler/certman.go \
-	internal/grpc/handler/handler.go \
-	internal/grpc/handler/status.go \
-	internal/grpc/service/service.go \
-	internal/logic/auth.go \
-	internal/logic/issuer.go \
-	internal/logic/logic.go \
-	internal/logic/service.go \
-	internal/logic/status.go \
-	internal/server/server.go \
-	internal/wrpc/handler/basauth.go \
-	internal/wrpc/handler/handler.go \
-	internal/wrpc/handler/status.go \
-	internal/wrpc/service/service.go \
-	pkg/aux509/x509cert.go \
-	pkg/auxgin/corsmw.go \
-	pkg/auxgin/logmw.go \
-	pkg/auxgin/reqlog.go \
-	pkg/auxgin/reslog.go \
-	pkg/auxgrpc/error.go \
-	pkg/auxhttp/genres.go \
-	pkg/auxhttp/getbearer.go \
-	pkg/auxhttp/parseauth.go \
-	pkg/auxid/genid.go \
-	pkg/client/auth.go \
-	pkg/client/certman.go \
-	pkg/client/control.go \
-	pkg/cm509/x509.go \
-	pkg/common/common.go \
-	pkg/logger/logger.go \
 	pkg/cmctl/cmctl_grpc.pb.go \
 	pkg/cmctl/cmctl.pb.go
 

Makefile.in

@@ -298,45 +298,12 @@ BUILD = $(shell date -u '+%Y-%m-%d-%H%M')
 GOFLAGS = -v -ldflags='-s -w -X helmet/certmanager/internal/config.buildVersion=$(BUILD)'
 certmanagerd_SOURCES = cmd/certmanagerd/main.go
 certmanagerctl_SOURCES = cmd/certmanagerctl/main.go \
-	    cmd/certmanagerctl/servicecli.go \
-	    cmd/certmanagerctl/issuercli.go
+	    cmd/certmanagerctl/account.go \
+	    cmd/certmanagerctl/service.go \
+	    cmd/certmanagerctl/issuer.go \
+	    cmd/certmanagerctl/grant.go
 
 EXTRA_certmanagerd_SOURCES = \
-	internal/config/config.go \
-	internal/database/database.go \
-	internal/database/issuer.go \
-	internal/database/service.go \
-	internal/descriptor/descriptor.go \
-	internal/grpc/handler/certman.go \
-	internal/grpc/handler/handler.go \
-	internal/grpc/handler/status.go \
-	internal/grpc/service/service.go \
-	internal/logic/auth.go \
-	internal/logic/issuer.go \
-	internal/logic/logic.go \
-	internal/logic/service.go \
-	internal/logic/status.go \
-	internal/server/server.go \
-	internal/wrpc/handler/basauth.go \
-	internal/wrpc/handler/handler.go \
-	internal/wrpc/handler/status.go \
-	internal/wrpc/service/service.go \
-	pkg/aux509/x509cert.go \
-	pkg/auxgin/corsmw.go \
-	pkg/auxgin/logmw.go \
-	pkg/auxgin/reqlog.go \
-	pkg/auxgin/reslog.go \
-	pkg/auxgrpc/error.go \
-	pkg/auxhttp/genres.go \
-	pkg/auxhttp/getbearer.go \
-	pkg/auxhttp/parseauth.go \
-	pkg/auxid/genid.go \
-	pkg/client/auth.go \
-	pkg/client/certman.go \
-	pkg/client/control.go \
-	pkg/cm509/x509.go \
-	pkg/common/common.go \
-	pkg/logger/logger.go \
 	pkg/cmctl/cmctl_grpc.pb.go \
 	pkg/cmctl/cmctl.pb.go
 

cmd/certmanagerctl/main.go

@@ -1,5 +1,5 @@
 /*
- * Copyright 2022 Oleg Borodin  <borodin@unix7.org>
+ * Copyright 2024 Oleg Borodin  <borodin@unix7.org>
  */
 
 package main
@@ -15,7 +15,7 @@ import (
 	"time"
 
 	"certmanager/pkg/client"
-	cmapi "certmanager/pkg/cmctl"
+	"certmanager/pkg/cmctl"
 
 	"sigs.k8s.io/yaml"
 )
@@ -34,16 +34,20 @@ const (
 	unrevokeIssuerPairCmd   = "unrevokeIssuerPair"
 	listIssuerPairsCmd      = "listIssuerPairs"
 	getIssuerCertificateCmd = "getIssuerCertificate"
-	createServicePairCmd    = "createServicePair"
-	revokeServicePairCmd    = "revokeServicePair"
-	unrevokeServicePairCmd  = "unrevokeServicePair"
-	listServicePairsCmd     = "listServicePairs"
-	getServicePairCmd       = "getServicePair"
+
+	createServicePairCmd   = "createServicePair"
+	revokeServicePairCmd   = "revokeServicePair"
+	unrevokeServicePairCmd = "unrevokeServicePair"
+	listServicePairsCmd    = "listServicePairs"
+	getServicePairCmd      = "getServicePair"
 
 	createAccountCmd = "createAccount"
 	updateAccountCmd = "updateAccount"
-	deleteAccountCmd = "revokeAccount"
+	deleteAccountCmd = "deleteAccount"
 	listAccountsCmd  = "listAccounts"
+
+	setGrantCmd    = "setGrant"
+	deleteGrantCmd = "deleteGrant"
 )
 
 func main() {
@@ -60,7 +64,7 @@ type Util struct {
 	subCmd     string
 	cmdTimeout int64
 	access     client.Access
-	cont       *cmapi.ControlClient
+	cont       *cmctl.ControlClient
 
 	caFilenamesList   string
 	certFilename      string
@@ -82,6 +86,7 @@ type Util struct {
 	disable     bool
 	newUsername string
 	newPassword string
+	operation   string
 }
 
 func NewUtil() *Util {
@@ -126,23 +131,27 @@ func (util *Util) GetOpt() error {
 		fmt.Printf("Usage: %s [option] command [command option]\n", exeName)
 		fmt.Printf("\n")
 		fmt.Printf("Command list: help, %s\n", getStatusCmd)
-		fmt.Printf("Command list: %s, %s, %s, %s, %s, %s\n",
+		fmt.Printf("Command list: %s, %s, %s, %s, %s, %s,\n",
 			createIssuerPairCmd,
 			importIssuerPairCmd,
 			revokeIssuerPairCmd,
 			unrevokeIssuerPairCmd,
 			listIssuerPairsCmd,
 			getIssuerCertificateCmd)
-		fmt.Printf("Command list: %s, %s, %s, %s\n",
+		fmt.Printf("              %s, %s, %s, %s,\n",
 			createServicePairCmd,
 			revokeServicePairCmd,
 			listServicePairsCmd,
 			getServicePairCmd)
-		fmt.Printf("Command list: %s, %s, %s, %s\n",
+		fmt.Printf("              %s, %s, %s, %s,\n",
 			createAccountCmd,
 			deleteAccountCmd,
 			listAccountsCmd,
 			updateAccountCmd)
+		fmt.Printf("              %s, %s\n",
+			setGrantCmd,
+			deleteGrantCmd)
+
 		fmt.Printf("\n")
 		fmt.Printf("Global options:\n")
 		flag.PrintDefaults()
@@ -415,8 +424,8 @@ func (util *Util) GetOpt() error {
 		flagSet.StringVar(&util.username, "username", util.username, "user name")
 		flagSet.Int64Var(&util.accountID, "accountId", util.accountID, "account ID")
 
-		flagSet.StringVar(&util.newUsername, "username", util.newUsername, "new user name")
-		flagSet.StringVar(&util.newPassword, "password", util.newPassword, "new user password")
+		flagSet.StringVar(&util.newUsername, "newUsername", util.newUsername, "new user name")
+		flagSet.StringVar(&util.newPassword, "newPassword", util.newPassword, "new user password")
 		flagSet.BoolVar(&util.disable, "disable", util.disable, "disable account")
 
 		flagSet.Usage = func() {
@@ -430,6 +439,42 @@ func (util *Util) GetOpt() error {
 		flagSet.Parse(subArgs)
 		util.subCmd = subCmd
 
+	case setGrantCmd:
+		flagSet := flag.NewFlagSet(setGrantCmd, flag.ExitOnError)
+
+		flagSet.StringVar(&util.username, "username", util.username, "user name")
+		flagSet.Int64Var(&util.accountID, "accountId", util.accountID, "account ID")
+		flagSet.StringVar(&util.operation, "operation", util.operation, "grant type")
+
+		flagSet.Usage = func() {
+			fmt.Printf("\n")
+			fmt.Printf("Usage: %s [global options] %s [command options]\n", exeName, subCmd)
+			fmt.Printf("\n")
+			fmt.Printf("The command options: none\n")
+			flagSet.PrintDefaults()
+			fmt.Printf("\n")
+		}
+		flagSet.Parse(subArgs)
+		util.subCmd = subCmd
+
+	case deleteGrantCmd:
+		flagSet := flag.NewFlagSet(deleteGrantCmd, flag.ExitOnError)
+
+		flagSet.StringVar(&util.username, "username", util.username, "user name")
+		flagSet.Int64Var(&util.accountID, "accountId", util.accountID, "account ID")
+		flagSet.StringVar(&util.operation, "operation", util.operation, "grant type")
+
+		flagSet.Usage = func() {
+			fmt.Printf("\n")
+			fmt.Printf("Usage: %s [global options] %s [command options]\n", exeName, subCmd)
+			fmt.Printf("\n")
+			fmt.Printf("The command options: none\n")
+			flagSet.PrintDefaults()
+			fmt.Printf("\n")
+		}
+		flagSet.Parse(subArgs)
+		util.subCmd = subCmd
+
 	default:
 		help()
 		return errors.New("Unknown command")
@@ -470,6 +515,7 @@ func (util *Util) Exec() error {
 		res, err = util.ListIssuerPairs(ctx)
 	case getIssuerCertificateCmd:
 		res, err = util.GetIssuerCertificate(ctx)
+
 	case createServicePairCmd:
 		res, err = util.CreateServicePair(ctx)
 	case revokeServicePairCmd:
@@ -490,6 +536,11 @@ func (util *Util) Exec() error {
 	case deleteAccountCmd:
 		res, err = util.DeleteAccount(ctx)
 
+	case setGrantCmd:
+		res, err = util.SetGrant(ctx)
+	case deleteGrantCmd:
+		res, err = util.DeleteGrant(ctx)
+
 	default:
 		err = errors.New("Unknown cli command")
 	}
@@ -507,14 +558,14 @@ func (util *Util) Exec() error {
 	return err
 }
 
-func (util *Util) GetStatus(ctx context.Context) (*cmapi.GetStatusResult, error) {
+func (util *Util) GetStatus(ctx context.Context) (*cmctl.GetStatusResult, error) {
 	var err error
-	res := &cmapi.GetStatusResult{}
+	res := &cmctl.GetStatusResult{}
 	cont, err := client.NewClient(&util.access)
 	if err != nil {
 		return res, err
 	}
-	params := &cmapi.GetStatusParams{}
+	params := &cmctl.GetStatusParams{}
 	res, err = cont.GetStatus(ctx, params)
 	if err != nil {
 		return res, err

cmd/certmanagerd/.gitignore

@@ -1,3 +0,0 @@
-~*
-lbmanagerd*
-main

internal/config/path.go

@@ -1,8 +1,8 @@
 package config
 
 const (
-	confdirPath = "/usr/local/etc/certmanager"
-	rundirPath  = "/var/run/certmanager"
-	logdirPath  = "/var/log/certmanager"
-	datadirPath = "/var/data/certmanager"
+	confdirPath = "/home/ziggi/Projects/certman/etc/certmanager"
+	rundirPath  = "/home/ziggi/Projects/certman/tmp/run"
+	logdirPath  = "/home/ziggi/Projects/certman/tmp/log"
+	datadirPath = "/home/ziggi/Projects/certman/tmp/data"
 )

internal/database/database.go

@@ -11,7 +11,7 @@ import (
 )
 
 const schema = `
-    DROP TABLE IF EXISTS issuer;
+    --- DROP TABLE IF EXISTS issuer;
     CREATE TABLE IF NOT EXISTS issuer (
 	id          INT  NOT NULL,
 	name        TEXT NOT NULL,
@@ -21,10 +21,12 @@ const schema = `
 	signer_name TEXT NOT NULL,
 	revoked     BOOL
     );
-    CREATE INDEX IF NOT EXISTS issuer_index
-        ON issuer(id, name);
+    CREATE UNIQUE INDEX IF NOT EXISTS issuer_index01
+        ON issuer(id);
+    CREATE UNIQUE INDEX IF NOT EXISTS issuer_index02
+        ON issuer(name);
 
-    DROP TABLE IF EXISTS service;
+    --- DROP TABLE IF EXISTS service;
     CREATE TABLE IF NOT EXISTS service (
 	id          INT  NOT NULL,
         issuer_id   INT  NOT NULL,
@@ -34,10 +36,12 @@ const schema = `
 	key         TEXT NOT NULL,
 	revoked     BOOL
     );
-    CREATE INDEX IF NOT EXISTS service_index
-        ON issuer(id, name);
+    CREATE UNIQUE INDEX IF NOT EXISTS service_index01
+        ON service(id);
+    CREATE UNIQUE INDEX IF NOT EXISTS service_index02
+        ON service(name);
 
-    DROP TABLE IF EXISTS account;
+    --- DROP TABLE IF EXISTS account;
     CREATE TABLE IF NOT EXISTS account (
 	id          INT  NOT NULL,
 	username    TEXT NOT NULL,
@@ -46,14 +50,24 @@ const schema = `
         updated_at  TEXT NOT NULL,
         disabled    BOOL
     );
+    CREATE UNIQUE INDEX IF NOT EXISTS account_index01
+        ON account(id);
+    CREATE UNIQUE INDEX IF NOT EXISTS account_index02
+        ON account(username);
 
-    DROP TABLE IF EXISTS grant;
+
+    --- DROP TABLE IF EXISTS grant;
     CREATE TABLE IF NOT EXISTS grant (
 	id          INT  NOT NULL,
         account_id  INT  NOT NULL,
 	operation   TEXT NOT NULL,
-	subject_id  INT  NOT NULL
+        created_at  TEXT NOT NULL
     );
+    CREATE INDEX IF NOT EXISTS grant_index01
+        ON grant(account_id);
+    CREATE UNIQUE INDEX IF NOT EXISTS grant_index02
+        ON grant(account_id, operation);
+
 `
 
 type Database struct {
@@ -98,6 +112,8 @@ func (db *Database) CleanDatabase(ctx context.Context) error {
 	request := `
                 DELETE FROM issuer;
                 DELETE FROM service;
+                DELETE FROM user;
+                DELETE FROM grant;
         `
 	_, err = db.db.Exec(request)
 	if err != nil {

internal/database/grant.go

@@ -8,19 +8,11 @@ import (
 	_ "github.com/mattn/go-sqlite3"
 )
 
-//type Grant struct {
-//ID        int64  `json:"id"         yaml:"id"         db:"id"`
-//AccountID int64  `json:"accountID"  yaml:"accountID"  db:"account_id"`
-//Operation string `json:"operation"  yaml:"operation"  db:"operation"`
-//SubjectID int64  `json:"subjectID"  yaml:"subjectID"  db:"subjectID"`
-//}
-
 func (db *Database) InsertGrant(ctx context.Context, grant *descriptor.Grant) error {
 	var err error
-	request := `INSERT INTO grant(id, account_id, operation, subject_id)
+	request := `INSERT INTO grant(id, account_id, operation, created_at)
                         VALUES ($1, $2, $3, $4)`
-	_, err = db.db.Exec(request, grant.ID, grant.AccountID, grant.Operation,
-		grant.SubjectID)
+	_, err = db.db.Exec(request, grant.ID, grant.AccountID, grant.Operation, grant.CreatedAt)
 	if err != nil {
 		return err
 	}
@@ -29,7 +21,7 @@ func (db *Database) InsertGrant(ctx context.Context, grant *descriptor.Grant) er
 
 func (db *Database) ListGrantsByAccountID(ctx context.Context, accountID int64) ([]descriptor.Grant, error) {
 	var err error
-	request := `SELECT * FROM grant WHERE `
+	request := `SELECT * FROM grant WHERE account_id = $1`
 	res := make([]descriptor.Grant, 0)
 	err = db.db.Select(&res, request, accountID)
 	if err != nil {
@@ -38,42 +30,39 @@ func (db *Database) ListGrantsByAccountID(ctx context.Context, accountID int64)
 	return res, err
 }
 
-func (db *Database) GetGrant(ctx context.Context, accountID, subjectID int64) (bool, []*descriptor.Grant, error) {
+func (db *Database) GetGrant(ctx context.Context, accountID int64, operation string) (bool, *descriptor.Grant, error) {
 	var err error
-	var res []*descriptor.Grant
-	var exists bool
-	request := `SELECT id, operation, grant_id, subject_id FROM grant
-                 WHERE account_id = $1
-                 AND subject_id = $1`
-	dbRes := make([]*descriptor.Grant, 0)
-	err = db.db.Select(&dbRes, request, accountID, subjectID)
+	res := &descriptor.Grant{}
+	request := `SELECT * FROM grant WHERE account_id = $1 AND operation = $2 LIMIT 1`
+	dbRes := make([]descriptor.Grant, 0)
+	err = db.db.Select(&dbRes, request, accountID, operation)
 	if err != nil {
-		return exists, res, err
+		return false, res, err
 	}
 	if len(dbRes) == 0 {
 		return false, res, err
+
 	}
-	exists = true
-	res = dbRes
-	return exists, res, err
+	res = &dbRes[0]
+	return true, res, err
 }
 
-func (db *Database) DeleteGrantByAccountID(ctx context.Context, grantID int64) error {
+func (db *Database) DeleteGrantByAccountID(ctx context.Context, grantID int64, operation string) error {
 	var err error
-	request := `DELETE FROM grant WHERE grant_id = $1`
+	request := `DELETE FROM grant WHERE account_id = $1 AND operation = $2`
+	_, err = db.db.Exec(request, grantID, operation)
+	if err != nil {
+		return err
+	}
+	return err
+}
+
+func (db *Database) DeleteAllGrantsForAccountID(ctx context.Context, grantID int64) error {
+	var err error
+	request := `DELETE FROM grant WHERE account_id = $1`
 	_, err = db.db.Exec(request, grantID)
 	if err != nil {
 		return err
 	}
 	return err
 }
-
-func (db *Database) DeleteGrantsBySubjectID(ctx context.Context, subjectID int64) error {
-	var err error
-	request := `DELETE FROM grant WHERE subject_id = $1`
-	_, err = db.db.Exec(request, subjectID)
-	if err != nil {
-		return err
-	}
-	return err
-}

internal/descriptor/descriptor.go

@@ -1,13 +1,9 @@
 package descriptor
 
 const (
-	OperationAddGrant          = "addGrant"
-	OperationDeleteGrant       = "deleteGrant"
-	OperationCreateIssuerPair  = "createIssuerPair"
-	OperationRevokeIssuerPair  = "revokeIssuerPair"
-	OperationCreateServicePair = "createSericePair"
-	OperationRevokeServicePair = "revokeServicePair"
-	OperationGetServicePair    = "getServicePair"
+	GrantModifyServices = "modifyServices"
+	GrantModifyUssuers  = "modifyIssuers"
+	GrantModifyUsers    = "modifyUsers"
 )
 
 type Issuer struct {
@@ -43,5 +39,5 @@ type Grant struct {
 	ID        int64  `json:"id"         yaml:"id"         db:"id"`
 	AccountID int64  `json:"accountID"  yaml:"accountID"  db:"account_id"`
 	Operation string `json:"operation"  yaml:"operation"  db:"operation"`
-	SubjectID int64  `json:"subjectID"  yaml:"subjectID"  db:"subject_id"`
+	CreatedAt string `json:"createdAt"  yaml:"createdAt"  db:"created_at"`
 }

internal/logic/account.go

@@ -10,33 +10,6 @@ import (
 	"certmanager/pkg/cmctl"
 )
 
-func (lg *Logic) SeedAccount(ctx context.Context) (int64, error) {
-	var err error
-	var userID int64
-
-	accountDescrs, err := lg.db.ListAccounts(ctx)
-	if err != nil {
-		return userID, err
-	}
-	if len(accountDescrs) == 0 {
-		now := time.Now().Format(time.RFC3339)
-		accountDescr := &descriptor.Account{
-			ID:        auxid.GenID(),
-			Username:  "certman",
-			Password:  "certman",
-			Disabled:  false,
-			CreatedAt: now,
-			UpdatedAt: now,
-		}
-		err = lg.db.InsertAccount(ctx, accountDescr)
-		if err != nil {
-			return userID, err
-		}
-		userID = accountDescr.ID
-	}
-	return userID, err
-}
-
 func (lg *Logic) ValidateAcount(ctx context.Context, username, password string) (bool, int64, error) {
 	var err error
 	var userID int64
@@ -54,13 +27,22 @@ func (lg *Logic) ValidateAcount(ctx context.Context, username, password string)
 	valid = true
 	userID = accountDescr.ID
 	return valid, userID, err
-
 }
 
 func (lg *Logic) CreateAccount(ctx context.Context, userID int64, params *cmctl.CreateAccountParams) (*cmctl.CreateAccountResult, error) {
 	var err error
 	res := &cmctl.CreateAccountResult{}
 
+	if params.Username == "" {
+		err := fmt.Errorf("Empty username parameters")
+		return res, err
+	}
+
+	if params.Password == "" {
+		err := fmt.Errorf("Empty password parameter")
+		return res, err
+	}
+
 	accountExists, _, err := lg.db.GetAccountByUsername(ctx, params.Username)
 	if err != nil {
 		return res, err
@@ -152,6 +134,10 @@ func (lg *Logic) DeleteAccount(ctx context.Context, userID int64, params *cmctl.
 		return res, err
 	}
 
+	err = lg.db.DeleteAllGrantsForAccountID(ctx, accountDescr.ID)
+	if err != nil {
+		return res, err
+	}
 	err = lg.db.DeleteAccountByID(ctx, accountDescr.ID)
 	if err != nil {
 		return res, err
@@ -169,13 +155,25 @@ func (lg *Logic) ListAccounts(ctx context.Context, userID int64, params *cmctl.L
 		return res, err
 	}
 	for _, accountDescr := range accountDescrs {
-		shortDescr := &cmctl.AccountShortDescr{
+		accountShortDescr := &cmctl.AccountShortDescr{
 			Username:  accountDescr.Username,
 			Disabled:  accountDescr.Disabled,
 			CreatedAt: accountDescr.CreatedAt,
 			UpdatedAt: accountDescr.UpdatedAt,
+			Grants:    make([]*cmctl.GrantShortDescr, 0),
 		}
-		res.Accounts = append(res.Accounts, shortDescr)
+		grantDescrs, err := lg.db.ListGrantsByAccountID(ctx, accountDescr.ID)
+		if err != nil {
+			return res, err
+		}
+		for _, grantDescrs := range grantDescrs {
+			grantShortDescrs := &cmctl.GrantShortDescr{
+				Operation: grantDescrs.Operation,
+				CreatedAt: grantDescrs.CreatedAt,
+			}
+			accountShortDescr.Grants = append(accountShortDescr.Grants, grantShortDescrs)
+		}
+		res.Accounts = append(res.Accounts, accountShortDescr)
 	}
 	return res, err
 }

internal/server/server.go

@@ -93,12 +93,6 @@ func (srv *Server) Build() error {
 	if err != nil {
 		return err
 	}
-	// Seed accounts
-	ctx, _ := context.WithTimeout(context.Background(), 1*time.Second)
-	_, err = srv.lg.SeedAccount(ctx)
-	if err != nil {
-		return err
-	}
 
 	// Create whandler
 	whandlerConfig := &whandler.HandlerConfig{
@@ -164,12 +158,19 @@ func (srv *Server) Run() error {
 	}
 	srv.log.Infof("Running server as user %s", currUser.Username)
 
-	// Show current user
+	// Initialize database
 	err = srv.db.InitDatabase()
 	if err != nil {
 		return err
 	}
 
+	// Seed accounts
+	ctx, _ := context.WithTimeout(context.Background(), 1*time.Second)
+	_, err = srv.lg.SeedAccount(ctx)
+	if err != nil {
+		return err
+	}
+
 	sigs := make(chan os.Signal, 1)
 	gdone := make(chan error, 1)
 	wdone := make(chan error, 1)

pkg/cmctl/cmctl_grpc.pb.go

@@ -36,6 +36,8 @@ const (
 	Control_UpdateAccount_FullMethodName        = "/certmanagercontrol.Control/updateAccount"
 	Control_GetAccount_FullMethodName           = "/certmanagercontrol.Control/getAccount"
 	Control_ListAccounts_FullMethodName         = "/certmanagercontrol.Control/listAccounts"
+	Control_SetGrant_FullMethodName             = "/certmanagercontrol.Control/setGrant"
+	Control_DeleteGrant_FullMethodName          = "/certmanagercontrol.Control/deleteGrant"
 )
 
 // ControlClient is the client API for Control service.
@@ -59,6 +61,8 @@ type ControlClient interface {
 	UpdateAccount(ctx context.Context, in *UpdateAccountParams, opts ...grpc.CallOption) (*UpdateAccountResult, error)
 	GetAccount(ctx context.Context, in *GetAccountParams, opts ...grpc.CallOption) (*GetAccountResult, error)
 	ListAccounts(ctx context.Context, in *ListAccountsParams, opts ...grpc.CallOption) (*ListAccountsResult, error)
+	SetGrant(ctx context.Context, in *SetGrantParams, opts ...grpc.CallOption) (*SetGrantResult, error)
+	DeleteGrant(ctx context.Context, in *DeleteGrantParams, opts ...grpc.CallOption) (*DeleteGrantResult, error)
 }
 
 type controlClient struct {
@@ -222,6 +226,24 @@ func (c *controlClient) ListAccounts(ctx context.Context, in *ListAccountsParams
 	return out, nil
 }
 
+func (c *controlClient) SetGrant(ctx context.Context, in *SetGrantParams, opts ...grpc.CallOption) (*SetGrantResult, error) {
+	out := new(SetGrantResult)
+	err := c.cc.Invoke(ctx, Control_SetGrant_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlClient) DeleteGrant(ctx context.Context, in *DeleteGrantParams, opts ...grpc.CallOption) (*DeleteGrantResult, error) {
+	out := new(DeleteGrantResult)
+	err := c.cc.Invoke(ctx, Control_DeleteGrant_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // ControlServer is the server API for Control service.
 // All implementations must embed UnimplementedControlServer
 // for forward compatibility
@@ -243,6 +265,8 @@ type ControlServer interface {
 	UpdateAccount(context.Context, *UpdateAccountParams) (*UpdateAccountResult, error)
 	GetAccount(context.Context, *GetAccountParams) (*GetAccountResult, error)
 	ListAccounts(context.Context, *ListAccountsParams) (*ListAccountsResult, error)
+	SetGrant(context.Context, *SetGrantParams) (*SetGrantResult, error)
+	DeleteGrant(context.Context, *DeleteGrantParams) (*DeleteGrantResult, error)
 	mustEmbedUnimplementedControlServer()
 }
 
@@ -301,6 +325,12 @@ func (UnimplementedControlServer) GetAccount(context.Context, *GetAccountParams)
 func (UnimplementedControlServer) ListAccounts(context.Context, *ListAccountsParams) (*ListAccountsResult, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListAccounts not implemented")
 }
+func (UnimplementedControlServer) SetGrant(context.Context, *SetGrantParams) (*SetGrantResult, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SetGrant not implemented")
+}
+func (UnimplementedControlServer) DeleteGrant(context.Context, *DeleteGrantParams) (*DeleteGrantResult, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteGrant not implemented")
+}
 func (UnimplementedControlServer) mustEmbedUnimplementedControlServer() {}
 
 // UnsafeControlServer may be embedded to opt out of forward compatibility for this service.
@@ -620,6 +650,42 @@ func _Control_ListAccounts_Handler(srv interface{}, ctx context.Context, dec fun
 	return interceptor(ctx, in, info, handler)
 }
 
+func _Control_SetGrant_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SetGrantParams)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServer).SetGrant(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Control_SetGrant_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServer).SetGrant(ctx, req.(*SetGrantParams))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Control_DeleteGrant_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeleteGrantParams)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServer).DeleteGrant(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Control_DeleteGrant_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServer).DeleteGrant(ctx, req.(*DeleteGrantParams))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // Control_ServiceDesc is the grpc.ServiceDesc for Control service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -695,6 +761,14 @@ var Control_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "listAccounts",
 			Handler:    _Control_ListAccounts_Handler,
 		},
+		{
+			MethodName: "setGrant",
+			Handler:    _Control_SetGrant_Handler,
+		},
+		{
+			MethodName: "deleteGrant",
+			Handler:    _Control_DeleteGrant_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "cmctl.proto",

proto/cmctl.proto

@@ -26,8 +26,27 @@ service Control {
   rpc getAccount(getAccountParams) returns (getAccountResult) {};
   rpc listAccounts(listAccountsParams) returns (listAccountsResult) {};
 
+  rpc setGrant(setGrantParams) returns (setGrantResult) {};
+  rpc deleteGrant(deleteGrantParams) returns (deleteGrantResult) {};
+
 }
 
+message setGrantParams {
+    string username         = 1;
+    int64 accountID         = 2;
+    string operation        = 3;
+}
+message setGrantResult {
+    int64 grantID           = 1;
+}
+
+message deleteGrantParams {
+    string username         = 1;
+    int64 accountID         = 2;
+    string operation        = 3;
+}
+message deleteGrantResult {}
+
 
 message createAccountParams {
     string username         = 1;
@@ -65,8 +84,16 @@ message accountShortDescr {
     bool disabled           = 2;
     string createdAt        = 3;
     string updatedAt        = 4;
+    repeated grantShortDescr grants = 5;
 }
 
+message grantShortDescr {
+    string operation        = 1;
+    string createdAt        = 2;
+}
+
+
+
 message getStatusParams {}
 message getStatusResult {
     string message           = 1;