diff --git a/app/descr/account.go b/app/descr/account.go new file mode 100644 index 0000000..9607696 --- /dev/null +++ b/app/descr/account.go @@ -0,0 +1,24 @@ +package descr + +const ( + GrantModifyUsers = "modifyUsers" + GrantModifyDatabase = "modifyDatabase" + GrantModifyArtefact = "modifyArtefact" + GrantModifyDummy = "modifyDummy" +) + +type Account struct { + ID int64 `json:"id" yaml:"id" db:"id"` + Username string `json:"username" yaml:"username" db:"username"` + Passhash string `json:"passhash" yaml:"passhash" db:"passhash"` + Disabled bool `json:"disabled" yaml:"disabled" db:"disabled"` + CreatedAt string `json:"createdAt" yaml:"createdAt" db:"created_at"` + UpdatedAt string `json:"updatedAt,omitempty" yaml:"updatedAt,omitempty" db:"updated_at"` +} + +type Grant struct { + ID int64 `json:"id" yaml:"id" db:"id"` + AccountID int64 `json:"accountID" yaml:"accountID" db:"account_id"` + Operation string `json:"operation" yaml:"operation" db:"operation"` + CreatedAt string `json:"createdAt" yaml:"createdAt" db:"created_at"` +} diff --git a/app/handler/authmw.go b/app/handler/authmw.go new file mode 100644 index 0000000..4a07ebc --- /dev/null +++ b/app/handler/authmw.go @@ -0,0 +1,46 @@ +package handler + +import ( + //"encoding/base64" + //"fmt" + //"strings" + + "mstore/app/router" + "mstore/pkg/auxhttp" +) + +const ( + authTag = "authpass" + userTag = "username" +) + +func (hand *Handler) AuthMiddleware(next router.Handler) router.Handler { + var handlerFunc router.HandlerFunc + + handlerFunc = func(rctx *router.Context) { + authSuccessful, authError := hand.CheckAccess(rctx) + if authSuccessful && authError == nil { + rctx.SetBool(authTag, true) + } + if authError != nil { + hand.logg.Errorf("Authorization middleware error: %v", authError) + } + next.ServeHTTP(rctx) + + } + return handlerFunc +} + +func (hand *Handler) CheckAccess(rctx *router.Context) (bool, error) { + var err error + var res bool + + authHeader := rctx.GetHeader("Authorization") + hand.logg.Debugf("Authorization header is %s", authHeader) + username, password, err := auxhttp.ParseBasicAuth(authHeader) + hand.logg.Debugf("Authorization username is %s:%s", username, password) + + res = true + + return res, err +} diff --git a/app/handler/blob.go b/app/handler/blob.go index e3ff30c..add0d46 100644 --- a/app/handler/blob.go +++ b/app/handler/blob.go @@ -15,21 +15,22 @@ import ( "mstore/app/operator" "mstore/app/router" - - "sigs.k8s.io/yaml" ) -func (hand *Handler) DumpHeaders(message string, rctx *router.Context) { - headers := rctx.GetHeaders() - yamlData, _ := yaml.Marshal(headers) - hand.logg.Debugf("%s:\n%s\n", message, string(yamlData)) -} - // HEAD /v2//blobs/ 200 404 func (hand *Handler) BlobExists(rctx *router.Context) { name, _ := rctx.GetSubpath("name") digest, _ := rctx.GetSubpath("digest") + auth := rctx.GetHeader("Authorization") + hand.DumpHeaders("BlobExists", rctx) + + if auth == "" { + rctx.SetHeader("WWW-Authenticate", `Basic realm="mstore"`) + rctx.SetStatus(http.StatusUnauthorized) + return + } + params := &operator.BlobExistsParams{ Name: name, Digest: digest, diff --git a/app/handler/handler.go b/app/handler/handler.go index 7a9c28f..8b563b0 100644 --- a/app/handler/handler.go +++ b/app/handler/handler.go @@ -12,6 +12,9 @@ package handler import ( "mstore/app/logger" "mstore/app/operator" + "mstore/app/router" + + "sigs.k8s.io/yaml" ) type HandlerParams struct { @@ -31,3 +34,9 @@ func NewHandler(params *HandlerParams) (*Handler, error) { hand.logg = logger.NewLoggerWithSubject("handler") return hand, err } + +func (hand *Handler) DumpHeaders(label string, rctx *router.Context) { + headers := rctx.GetHeaders() + yamlData, _ := yaml.Marshal(headers) + hand.logg.Debugf("%s:\n%s\n", label, string(yamlData)) +} diff --git a/app/handler/version.go b/app/handler/version.go index d1b6bfb..5277763 100644 --- a/app/handler/version.go +++ b/app/handler/version.go @@ -17,6 +17,9 @@ import ( // GET /v2/ 200 404/401 func (hand *Handler) GetVersion(rctx *router.Context) { params := &operator.GetVersionParams{} + + hand.DumpHeaders("GetVersion", rctx) + ctx := rctx.GetContext() _, code, err := hand.oper.GetVersion(ctx, params) if err != nil { diff --git a/app/maindb/account.go b/app/maindb/account.go new file mode 100644 index 0000000..6be6c84 --- /dev/null +++ b/app/maindb/account.go @@ -0,0 +1,113 @@ +package maindb + +import ( + "context" + + "mstore/app/descr" +) + +func (db *Database) InsertAccount(ctx context.Context, account *descr.Account) error { + var err error + + request := `INSERT INTO accounts(id, username, passhash, disabled, created_at, updated_at) + VALUES ($1, $2, $3, $4, $5, $6)` + _, err = db.db.Exec(request, account.ID, account.Username, account.Passhash, + account.Disabled, account.CreatedAt, account.UpdatedAt) + if err != nil { + return err + } + return err +} + +func (db *Database) UpdateAccountByID(ctx context.Context, accountID int64, account *descr.Account) error { + var err error + + request := `UPDATE accounts SET username = $1, passhash = $2, disabled = $3, updated_at = $4 WHERE id = $6` + _, err = db.db.Exec(request, account.Username, account.Passhash, account.Disabled, account.UpdatedAt, accountID) + if err != nil { + return err + } + return err +} + +func (db *Database) ReducedListAccounts(ctx context.Context) ([]descr.Account, error) { + var err error + request := `SELECT id, username, disabled, created_at, updated_at FROM accounts` + res := make([]descr.Account, 0) + err = db.db.Select(&res, request) + if err != nil { + return res, err + } + return res, err +} + +func (db *Database) CompletedListAccounts(ctx context.Context) ([]descr.Account, error) { + var err error + request := `SELECT * FROM accounts` + res := make([]descr.Account, 0) + err = db.db.Select(&res, request) + if err != nil { + return res, err + } + return res, err +} + +func (db *Database) GetAccountByID(ctx context.Context, accountID int64) (bool, *descr.Account, error) { + var err error + var res *descr.Account + var exists bool + request := `SELECT * FROM accounts WHERE id = $1 LiMIT 1` + dbRes := make([]descr.Account, 0) + err = db.db.Select(&dbRes, request, accountID) + if err != nil { + return exists, res, err + } + if len(dbRes) == 0 { + return exists, res, err + } + exists = true + res = &dbRes[0] + return exists, res, err +} + +func (db *Database) GetAccountByUsername(ctx context.Context, username string) (bool, *descr.Account, error) { + var err error + var res *descr.Account + var exists bool + + request := `SELECT * FROM accounts WHERE username = $1 LIMIT 1` + dbRes := make([]descr.Account, 0) + err = db.db.Select(&dbRes, request, username) + if err != nil { + return exists, res, err + } + + if len(dbRes) == 0 { + return false, res, err + } + exists = true + res = &dbRes[0] + return exists, res, err +} + +func (db *Database) DeleteAccountByID(ctx context.Context, accountID int64) error { + var err error + + request := `DELETE FROM accounts WHERE id = $1` + _, err = db.db.Exec(request, accountID) + if err != nil { + return err + } + return err +} + +func (db *Database) DeleteAccountByUsername(ctx context.Context, username string) error { + var err error + + request := `DELETE FROM accounts WHERE username = $1` + _, err = db.db.Exec(request, username) + if err != nil { + return err + } + return err +} diff --git a/app/maindb/file.go b/app/maindb/file.go index 460c00b..159908b 100644 --- a/app/maindb/file.go +++ b/app/maindb/file.go @@ -17,7 +17,7 @@ import ( func (db *Database) InsertFile(ctx context.Context, file *descr.File) error { var err error - request := `INSERT INTO file(id, collection, name, type, checksum, size, created_at, updated_at, created_by, updated_by) + request := `INSERT INTO files(id, collection, name, type, checksum, size, created_at, updated_at, created_by, updated_by) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)` _, err = db.db.Exec(request, file.ID, file.Collection, file.Name, file.Type, file.Checksum, file.Size, file.CreatedAt, file.UpdatedAt, file.CreatedBy, file.UpdatedBy) @@ -29,7 +29,7 @@ func (db *Database) InsertFile(ctx context.Context, file *descr.File) error { func (db *Database) UpdateFileByID(ctx context.Context, fileID string, file *descr.File) error { var err error - request := `UPDATE file SET id = $1, collection = $2, name = $3, type = $4, checksum = $5, + request := `UPDATE files SET id = $1, collection = $2, name = $3, type = $4, checksum = $5, size = $6, updated_at = $7, created_by = $8, updated_by = $9 WHERE id = $10` _, err = db.db.Exec(request, file.ID, file.Collection, file.Name, file.Type, file.Checksum, @@ -42,7 +42,7 @@ func (db *Database) UpdateFileByID(ctx context.Context, fileID string, file *des func (db *Database) ListFilesByCollection(ctx context.Context, collection string) ([]descr.File, error) { var err error - request := `SELECT * FROM file WHERE collection = $1 ORDER BY collection, name` + request := `SELECT * FROM files WHERE collection = $1 ORDER BY collection, name` res := make([]descr.File, 0) err = db.db.Select(&res, request, collection) if err != nil { @@ -53,7 +53,7 @@ func (db *Database) ListFilesByCollection(ctx context.Context, collection string func (db *Database) ListAllFiles(ctx context.Context) ([]descr.File, error) { var err error - request := `SELECT * FROM file ORDER BY collection, name` + request := `SELECT * FROM files ORDER BY collection, name` res := make([]descr.File, 0) err = db.db.Select(&res, request) if err != nil { @@ -66,7 +66,7 @@ func (db *Database) GetFileByID(ctx context.Context, fileID int64) (bool, *descr var err error var res *descr.File var exists bool - request := `SELECT * FROM file WHERE id = $1 LiMIT 1` + request := `SELECT * FROM files WHERE id = $1 LiMIT 1` dbRes := make([]descr.File, 0) err = db.db.Select(&dbRes, request, fileID) if err != nil { @@ -84,8 +84,7 @@ func (db *Database) GetFileByCollection(ctx context.Context, collection, name st var err error var res *descr.File var exists bool - request := `SELECT * FROM file - WHERE collection = $1 AND name = $2 LIMIT 1` + request := `SELECT * FROM files WHERE collection = $1 AND name = $2 LIMIT 1` dbRes := make([]descr.File, 0) err = db.db.Select(&dbRes, request, collection, name) if err != nil { @@ -102,8 +101,7 @@ func (db *Database) GetFileByCollection(ctx context.Context, collection, name st func (db *Database) DeleteFileByCollection(ctx context.Context, collection, name string) error { var err error - - request := `DELETE FROM file WHERE collection = $1 AND name = $2` + request := `DELETE FROM files WHERE collection = $1 AND name = $2` _, err = db.db.Exec(request, collection, name) if err != nil { return err diff --git a/app/maindb/schema.go b/app/maindb/schema.go index abb2e91..4b17e1f 100644 --- a/app/maindb/schema.go +++ b/app/maindb/schema.go @@ -10,7 +10,7 @@ package maindb const schema = ` - CREATE TABLE IF NOT EXISTS file ( + CREATE TABLE IF NOT EXISTS files ( id VARCHAR(255) NOT NULL, collection VARCHAR(255) NOT NULL, name VARCHAR(255) NOT NULL, @@ -23,7 +23,7 @@ const schema = ` updated_by VARCHAR(255) NOT NULL ); CREATE UNIQUE INDEX IF NOT EXISTS file_index - ON file(collection, name); + ON files(collection, name); --- DROP TABLE IF EXISTS manifests; CREATE TABLE IF NOT EXISTS manifests ( @@ -56,4 +56,31 @@ const schema = ` CREATE UNIQUE INDEX IF NOT EXISTS blobs_index ON blobs(name, reference, digest); + --- DROP TABLE IF EXISTS accounts; + CREATE TABLE IF NOT EXISTS account ( + id INT NOT NULL, + username TEXT NOT NULL, + passhash TEXT NOT NULL, + created_at TEXT NOT NULL, + updated_at TEXT NOT NULL, + disabled BOOL + ); + CREATE UNIQUE INDEX IF NOT EXISTS account_index01 + ON accounts(id); + CREATE UNIQUE INDEX IF NOT EXISTS account_index02 + ON accounts(username); + + + --- DROP TABLE IF EXISTS grants; + CREATE TABLE IF NOT EXISTS grant ( + id INT NOT NULL, + account_id INT NOT NULL, + operation TEXT NOT NULL, + created_at TEXT NOT NULL + ); + CREATE INDEX IF NOT EXISTS grant_index01 + ON grants(account_id); + CREATE UNIQUE INDEX IF NOT EXISTS grant_index02 + ON grants(account_id, operation); + ` diff --git a/app/router/context.go b/app/router/context.go index 808ba8f..3697e2e 100644 --- a/app/router/context.go +++ b/app/router/context.go @@ -22,6 +22,8 @@ type Context struct { Request *http.Request Writer http.ResponseWriter PathMap map[string]string + Bools map[string]bool + Strings map[string]string StatusCode int } @@ -32,10 +34,31 @@ func NewContext(writer http.ResponseWriter, request *http.Request) *Context { Request: request, Ctx: ctx, PathMap: make(map[string]string), + Bools: make(map[string]bool), + Strings: make(map[string]string), } return rctx } +// Aux maps +func (rctx *Context) SetBool(key string, value bool) { + rctx.Bools[key] = value +} + +func (rctx *Context) GetBool(key string) (bool, bool) { + exists, value := rctx.Bools[key] + return exists, value +} + +func (rctx *Context) SetString(key string, value string) { + rctx.Strings[key] = value +} + +func (rctx *Context) GetString(key string) (string, bool) { + value, exists := rctx.Strings[key] + return value, exists +} + // Request func (rctx *Context) GetSubpath(key string) (string, bool) { value, exists := rctx.PathMap[key] diff --git a/app/service/service.go b/app/service/service.go index b905c79..e4f8278 100644 --- a/app/service/service.go +++ b/app/service/service.go @@ -68,6 +68,7 @@ func (svc *Service) Build() error { svc.rout.Use(router.NewRecoveryMiddleware(svc.logg.Errorf)) svc.rout.Use(router.NewLoggingMiddleware(svc.logg.Infof)) svc.rout.Use(router.NewCorsMiddleware()) + svc.rout.Use(svc.hand.AuthMiddleware()) svc.rout.Get("/v3/api/service/hello", svc.hand.SendHello) diff --git a/pkg/auxhttp/basic.go b/pkg/auxhttp/basic.go new file mode 100644 index 0000000..e63dc57 --- /dev/null +++ b/pkg/auxhttp/basic.go @@ -0,0 +1,51 @@ +/* + * Copyright 2026 Oleg Borodin + * + * This work is published and licensed under a Creative Commons + * Attribution-NonCommercial-NoDerivatives 4.0 International License. + * + * Distribution of this work is permitted, but commercial use and + * modifications are strictly prohibited. + */ + +package auxhttp + +import ( + "encoding/base64" + "fmt" + "strings" +) + +func ParseBasicAuth(basicFields string) (string, string, error) { + var err error + var username string + var password string + if basicFields == "" { + err := fmt.Errorf("Empty auth field") + return username, password, err + } + authFields := strings.SplitN(basicFields, " ", 2) + if len(authFields) < 2 { + err = fmt.Errorf("Cannot split auth field: %s", basicFields) + return username, password, err + } + authType := strings.TrimSpace(authFields[0]) + if strings.ToLower(authType) != strings.ToLower("Basic") { + err = fmt.Errorf("Not basic auth type") + return username, password, err + } + authPairEncoded := authFields[1] + pairEncoded, err := base64.StdEncoding.DecodeString(authPairEncoded) + if err != nil { + err = fmt.Errorf("Cannon decode auth pair") + return username, password, err + } + authPair := strings.SplitN(string(pairEncoded), ":", 2) + if len(authPair) != 2 { + err = fmt.Errorf("Wrong auth pair") + return username, password, err + } + username = authPair[0] + password = authPair[1] + return username, password, err +} diff --git a/pkg/auxhttp/crange.go b/pkg/auxhttp/crange.go index fced06b..95e6ad4 100644 --- a/pkg/auxhttp/crange.go +++ b/pkg/auxhttp/crange.go @@ -7,11 +7,11 @@ * Distribution of this work is permitted, but commercial use and * modifications are strictly prohibited. */ + package auxhttp import ( "fmt" - "os" "strconv" "strings" ) diff --git a/pkg/auxpwd/passwd.go b/pkg/auxpwd/passwd.go new file mode 100644 index 0000000..20d0431 --- /dev/null +++ b/pkg/auxpwd/passwd.go @@ -0,0 +1,113 @@ +/* + * Copyright 2026 Oleg Borodin + * + * This work is published and licensed under a Creative Commons + * Attribution-NonCommercial-NoDerivatives 4.0 International License. + * + * Distribution of this work is permitted, but commercial use and + * modifications are strictly prohibited. + */ +package auxpwd + +import ( + "crypto/sha256" + "crypto/sha512" + "encoding/hex" + "fmt" + "math/rand" + "strings" + "time" +) + +var rnd *rand.Rand + +const ( + sha256Prefix = "sha256pwd" + sha512Prefix = "sha512pwd" + saltSize = 16 +) + +func init() { + src := rand.NewSource(time.Now().UnixNano()) + rnd = rand.New(src) +} + +func MakeSHA256Hash(passwd []byte) string { + var res string + salt := hex.EncodeToString(randomBytes(saltSize)) + passwdString := hex.EncodeToString(passwd) + passwdString = fmt.Sprintf("%s%s", passwdString, salt) + + hasher := sha256.New() + hasher.Write([]byte(passwdString)) + checksum := hex.EncodeToString(hasher.Sum(nil)) + + res = fmt.Sprintf("%s:%s:%s", sha256Prefix, salt, checksum) + return res +} + +func MakeSHA512Hash(passwd []byte) string { + var res string + salt := hex.EncodeToString(randomBytes(saltSize)) + passwdString := hex.EncodeToString(passwd) + passwdString = fmt.Sprintf("%s%s", passwdString, salt) + + hasher := sha512.New() + hasher.Write([]byte(passwdString)) + checksum := hex.EncodeToString(hasher.Sum(nil)) + + res = fmt.Sprintf("%s:%s:%s", sha512Prefix, salt, checksum) + return res +} + +func PasswordMatch(passwd []byte, hash string) bool { + hashComponents := strings.Split(hash, ":") + if len(hashComponents) != 3 { + return false + } + method := hashComponents[0] + salt := hashComponents[1] + controlChecksum := hashComponents[2] + + switch method { + case sha256Prefix: + passwdString := hex.EncodeToString(passwd) + passwdString = fmt.Sprintf("%s%s", passwdString, salt) + hasher := sha256.New() + hasher.Write([]byte(passwdString)) + checksum := hex.EncodeToString(hasher.Sum(nil)) + if checksum != controlChecksum { + return false + } + case sha512Prefix: + passwdString := hex.EncodeToString(passwd) + passwdString = fmt.Sprintf("%s%s", passwdString, salt) + hasher := sha512.New() + hasher.Write([]byte(passwdString)) + checksum := hex.EncodeToString(hasher.Sum(nil)) + if checksum != controlChecksum { + return false + } + default: + return false + } + return true +} + +func randomString(n int) string { + const letters = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" + arr := make([]byte, n) + lettersArrayLen := len(letters) + for i := range arr { + arr[i] = letters[rnd.Intn(lettersArrayLen)] + } + return string(arr) +} + +func randomBytes(n int) []byte { + arr := make([]byte, n) + for i := range arr { + arr[i] = byte(rnd.Intn(256) & 0xFF) + } + return arr +} diff --git a/pkg/auxpwd/passwd_test.go b/pkg/auxpwd/passwd_test.go new file mode 100644 index 0000000..fae0454 --- /dev/null +++ b/pkg/auxpwd/passwd_test.go @@ -0,0 +1,49 @@ +/* + * Copyright 2026 Oleg Borodin + * + * This work is published and licensed under a Creative Commons + * Attribution-NonCommercial-NoDerivatives 4.0 International License. + * + * Distribution of this work is permitted, but commercial use and + * modifications are strictly prohibited. + */ +package auxpwd + +import ( + "fmt" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestPasswd256(t *testing.T) { + password := []byte("123456789") + wrongPasswd := []byte("qwerty") + + hash := MakeSHA256Hash(password) + fmt.Printf("%s\n", hash) + { + match := PasswordMatch(password, hash) + require.Equal(t, true, match) + } + { + match := PasswordMatch(wrongPasswd, hash) + require.NotEqual(t, true, match) + } +} + +func TestPasswd512(t *testing.T) { + password := []byte("123456781") + wrongPasswd := []byte("qwerty") + + hash := MakeSHA512Hash(password) + fmt.Printf("%s\n", hash) + { + match := PasswordMatch(password, hash) + require.Equal(t, true, match) + } + { + match := PasswordMatch(wrongPasswd, hash) + require.NotEqual(t, true, match) + } +}