working commit

app/descr/account.go

@@ -0,0 +1,24 @@
+package descr
+
+const (
+	GrantModifyUsers    = "modifyUsers"
+	GrantModifyDatabase = "modifyDatabase"
+	GrantModifyArtefact = "modifyArtefact"
+	GrantModifyDummy    = "modifyDummy"
+)
+
+type Account struct {
+	ID        int64  `json:"id"                   yaml:"id"                    db:"id"`
+	Username  string `json:"username"             yaml:"username"              db:"username"`
+	Passhash  string `json:"passhash"             yaml:"passhash"              db:"passhash"`
+	Disabled  bool   `json:"disabled"             yaml:"disabled"              db:"disabled"`
+	CreatedAt string `json:"createdAt"            yaml:"createdAt"             db:"created_at"`
+	UpdatedAt string `json:"updatedAt,omitempty"  yaml:"updatedAt,omitempty"   db:"updated_at"`
+}
+
+type Grant struct {
+	ID        int64  `json:"id"         yaml:"id"         db:"id"`
+	AccountID int64  `json:"accountID"  yaml:"accountID"  db:"account_id"`
+	Operation string `json:"operation"  yaml:"operation"  db:"operation"`
+	CreatedAt string `json:"createdAt"  yaml:"createdAt"  db:"created_at"`
+}

app/handler/authmw.go

@@ -0,0 +1,46 @@
+package handler
+
+import (
+	//"encoding/base64"
+	//"fmt"
+	//"strings"
+
+	"mstore/app/router"
+	"mstore/pkg/auxhttp"
+)
+
+const (
+	authTag = "authpass"
+	userTag = "username"
+)
+
+func (hand *Handler) AuthMiddleware(next router.Handler) router.Handler {
+	var handlerFunc router.HandlerFunc
+
+	handlerFunc = func(rctx *router.Context) {
+		authSuccessful, authError := hand.CheckAccess(rctx)
+		if authSuccessful && authError == nil {
+			rctx.SetBool(authTag, true)
+		}
+		if authError != nil {
+			hand.logg.Errorf("Authorization middleware error: %v", authError)
+		}
+		next.ServeHTTP(rctx)
+
+	}
+	return handlerFunc
+}
+
+func (hand *Handler) CheckAccess(rctx *router.Context) (bool, error) {
+	var err error
+	var res bool
+
+	authHeader := rctx.GetHeader("Authorization")
+	hand.logg.Debugf("Authorization header is %s", authHeader)
+	username, password, err := auxhttp.ParseBasicAuth(authHeader)
+	hand.logg.Debugf("Authorization username is %s:%s", username, password)
+
+	res = true
+
+	return res, err
+}

app/handler/blob.go

@@ -15,21 +15,22 @@ import (
 
 	"mstore/app/operator"
 	"mstore/app/router"
-
-	"sigs.k8s.io/yaml"
 )
 
-func (hand *Handler) DumpHeaders(message string, rctx *router.Context) {
-	headers := rctx.GetHeaders()
-	yamlData, _ := yaml.Marshal(headers)
-	hand.logg.Debugf("%s:\n%s\n", message, string(yamlData))
-}
-
 // HEAD /v2/<name>/blobs/<digest> 200 404
 func (hand *Handler) BlobExists(rctx *router.Context) {
 	name, _ := rctx.GetSubpath("name")
 	digest, _ := rctx.GetSubpath("digest")
 
+	auth := rctx.GetHeader("Authorization")
+	hand.DumpHeaders("BlobExists", rctx)
+
+	if auth == "" {
+		rctx.SetHeader("WWW-Authenticate", `Basic realm="mstore"`)
+		rctx.SetStatus(http.StatusUnauthorized)
+		return
+	}
+
 	params := &operator.BlobExistsParams{
 		Name:   name,
 		Digest: digest,

app/handler/handler.go

@@ -12,6 +12,9 @@ package handler
 import (
 	"mstore/app/logger"
 	"mstore/app/operator"
+	"mstore/app/router"
+
+	"sigs.k8s.io/yaml"
 )
 
 type HandlerParams struct {
@@ -31,3 +34,9 @@ func NewHandler(params *HandlerParams) (*Handler, error) {
 	hand.logg = logger.NewLoggerWithSubject("handler")
 	return hand, err
 }
+
+func (hand *Handler) DumpHeaders(label string, rctx *router.Context) {
+	headers := rctx.GetHeaders()
+	yamlData, _ := yaml.Marshal(headers)
+	hand.logg.Debugf("%s:\n%s\n", label, string(yamlData))
+}

app/handler/version.go

@@ -17,6 +17,9 @@ import (
 // GET /v2/ 200 404/401
 func (hand *Handler) GetVersion(rctx *router.Context) {
 	params := &operator.GetVersionParams{}
+
+	hand.DumpHeaders("GetVersion", rctx)
+
 	ctx := rctx.GetContext()
 	_, code, err := hand.oper.GetVersion(ctx, params)
 	if err != nil {

app/maindb/account.go

@@ -0,0 +1,113 @@
+package maindb
+
+import (
+	"context"
+
+	"mstore/app/descr"
+)
+
+func (db *Database) InsertAccount(ctx context.Context, account *descr.Account) error {
+	var err error
+
+	request := `INSERT INTO accounts(id, username, passhash, disabled, created_at, updated_at)
+                        VALUES ($1, $2, $3, $4, $5, $6)`
+	_, err = db.db.Exec(request, account.ID, account.Username, account.Passhash,
+		account.Disabled, account.CreatedAt, account.UpdatedAt)
+	if err != nil {
+		return err
+	}
+	return err
+}
+
+func (db *Database) UpdateAccountByID(ctx context.Context, accountID int64, account *descr.Account) error {
+	var err error
+
+	request := `UPDATE accounts SET username = $1, passhash = $2, disabled = $3, updated_at = $4 WHERE id = $6`
+	_, err = db.db.Exec(request, account.Username, account.Passhash, account.Disabled, account.UpdatedAt, accountID)
+	if err != nil {
+		return err
+	}
+	return err
+}
+
+func (db *Database) ReducedListAccounts(ctx context.Context) ([]descr.Account, error) {
+	var err error
+	request := `SELECT id, username, disabled, created_at, updated_at FROM accounts`
+	res := make([]descr.Account, 0)
+	err = db.db.Select(&res, request)
+	if err != nil {
+		return res, err
+	}
+	return res, err
+}
+
+func (db *Database) CompletedListAccounts(ctx context.Context) ([]descr.Account, error) {
+	var err error
+	request := `SELECT * FROM accounts`
+	res := make([]descr.Account, 0)
+	err = db.db.Select(&res, request)
+	if err != nil {
+		return res, err
+	}
+	return res, err
+}
+
+func (db *Database) GetAccountByID(ctx context.Context, accountID int64) (bool, *descr.Account, error) {
+	var err error
+	var res *descr.Account
+	var exists bool
+	request := `SELECT * FROM accounts WHERE id = $1 LiMIT 1`
+	dbRes := make([]descr.Account, 0)
+	err = db.db.Select(&dbRes, request, accountID)
+	if err != nil {
+		return exists, res, err
+	}
+	if len(dbRes) == 0 {
+		return exists, res, err
+	}
+	exists = true
+	res = &dbRes[0]
+	return exists, res, err
+}
+
+func (db *Database) GetAccountByUsername(ctx context.Context, username string) (bool, *descr.Account, error) {
+	var err error
+	var res *descr.Account
+	var exists bool
+
+	request := `SELECT * FROM accounts WHERE username = $1 LIMIT 1`
+	dbRes := make([]descr.Account, 0)
+	err = db.db.Select(&dbRes, request, username)
+	if err != nil {
+		return exists, res, err
+	}
+
+	if len(dbRes) == 0 {
+		return false, res, err
+	}
+	exists = true
+	res = &dbRes[0]
+	return exists, res, err
+}
+
+func (db *Database) DeleteAccountByID(ctx context.Context, accountID int64) error {
+	var err error
+
+	request := `DELETE FROM accounts WHERE id = $1`
+	_, err = db.db.Exec(request, accountID)
+	if err != nil {
+		return err
+	}
+	return err
+}
+
+func (db *Database) DeleteAccountByUsername(ctx context.Context, username string) error {
+	var err error
+
+	request := `DELETE FROM accounts WHERE username = $1`
+	_, err = db.db.Exec(request, username)
+	if err != nil {
+		return err
+	}
+	return err
+}

app/maindb/file.go

@@ -17,7 +17,7 @@ import (
 
 func (db *Database) InsertFile(ctx context.Context, file *descr.File) error {
 	var err error
-	request := `INSERT INTO file(id, collection, name, type, checksum, size, created_at, updated_at, created_by, updated_by)
+	request := `INSERT INTO files(id, collection, name, type, checksum, size, created_at, updated_at, created_by, updated_by)
                         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)`
 	_, err = db.db.Exec(request, file.ID, file.Collection, file.Name, file.Type, file.Checksum, file.Size,
 		file.CreatedAt, file.UpdatedAt, file.CreatedBy, file.UpdatedBy)
@@ -29,7 +29,7 @@ func (db *Database) InsertFile(ctx context.Context, file *descr.File) error {
 
 func (db *Database) UpdateFileByID(ctx context.Context, fileID string, file *descr.File) error {
 	var err error
-	request := `UPDATE file SET id = $1, collection = $2, name = $3, type = $4, checksum = $5,
+	request := `UPDATE files SET id = $1, collection = $2, name = $3, type = $4, checksum = $5,
                           size = $6, updated_at = $7, created_by = $8, updated_by = $9
                           WHERE id = $10`
 	_, err = db.db.Exec(request, file.ID, file.Collection, file.Name, file.Type, file.Checksum,
@@ -42,7 +42,7 @@ func (db *Database) UpdateFileByID(ctx context.Context, fileID string, file *des
 
 func (db *Database) ListFilesByCollection(ctx context.Context, collection string) ([]descr.File, error) {
 	var err error
-	request := `SELECT * FROM file WHERE collection = $1 ORDER BY collection, name`
+	request := `SELECT * FROM files WHERE collection = $1 ORDER BY collection, name`
 	res := make([]descr.File, 0)
 	err = db.db.Select(&res, request, collection)
 	if err != nil {
@@ -53,7 +53,7 @@ func (db *Database) ListFilesByCollection(ctx context.Context, collection string
 
 func (db *Database) ListAllFiles(ctx context.Context) ([]descr.File, error) {
 	var err error
-	request := `SELECT * FROM file ORDER BY collection, name`
+	request := `SELECT * FROM files ORDER BY collection, name`
 	res := make([]descr.File, 0)
 	err = db.db.Select(&res, request)
 	if err != nil {
@@ -66,7 +66,7 @@ func (db *Database) GetFileByID(ctx context.Context, fileID int64) (bool, *descr
 	var err error
 	var res *descr.File
 	var exists bool
-	request := `SELECT * FROM file WHERE id = $1 LiMIT 1`
+	request := `SELECT * FROM files WHERE id = $1 LiMIT 1`
 	dbRes := make([]descr.File, 0)
 	err = db.db.Select(&dbRes, request, fileID)
 	if err != nil {
@@ -84,8 +84,7 @@ func (db *Database) GetFileByCollection(ctx context.Context, collection, name st
 	var err error
 	var res *descr.File
 	var exists bool
-	request := `SELECT * FROM file
-                       WHERE collection = $1 AND name = $2 LIMIT 1`
+	request := `SELECT * FROM files WHERE collection = $1 AND name = $2 LIMIT 1`
 	dbRes := make([]descr.File, 0)
 	err = db.db.Select(&dbRes, request, collection, name)
 	if err != nil {
@@ -102,8 +101,7 @@ func (db *Database) GetFileByCollection(ctx context.Context, collection, name st
 
 func (db *Database) DeleteFileByCollection(ctx context.Context, collection, name string) error {
 	var err error
-
-	request := `DELETE FROM file WHERE collection = $1 AND name = $2`
+	request := `DELETE FROM files WHERE collection = $1 AND name = $2`
 	_, err = db.db.Exec(request, collection, name)
 	if err != nil {
 		return err

app/maindb/schema.go

@@ -10,7 +10,7 @@
 package maindb
 
 const schema = `
-    CREATE TABLE IF NOT EXISTS file (
+    CREATE TABLE IF NOT EXISTS files (
         id          VARCHAR(255) NOT NULL,
         collection  VARCHAR(255) NOT NULL,
         name        VARCHAR(255) NOT NULL,
@@ -23,7 +23,7 @@ const schema = `
         updated_by  VARCHAR(255) NOT NULL
     );
     CREATE UNIQUE INDEX IF NOT EXISTS file_index
-        ON file(collection, name);
+        ON files(collection, name);
 
     --- DROP TABLE IF EXISTS manifests;
     CREATE TABLE IF NOT EXISTS manifests (
@@ -56,4 +56,31 @@ const schema = `
     CREATE UNIQUE INDEX IF NOT EXISTS blobs_index
         ON blobs(name, reference, digest);
 
+    --- DROP TABLE IF EXISTS accounts;
+    CREATE TABLE IF NOT EXISTS account (
+	id          INT  NOT NULL,
+	username    TEXT NOT NULL,
+	passhash    TEXT NOT NULL,
+        created_at  TEXT NOT NULL,
+        updated_at  TEXT NOT NULL,
+        disabled    BOOL
+    );
+    CREATE UNIQUE INDEX IF NOT EXISTS account_index01
+        ON accounts(id);
+    CREATE UNIQUE INDEX IF NOT EXISTS account_index02
+        ON accounts(username);
+
+
+    --- DROP TABLE IF EXISTS grants;
+    CREATE TABLE IF NOT EXISTS grant (
+	id          INT  NOT NULL,
+        account_id  INT  NOT NULL,
+	operation   TEXT NOT NULL,
+        created_at  TEXT NOT NULL
+    );
+    CREATE INDEX IF NOT EXISTS grant_index01
+        ON grants(account_id);
+    CREATE UNIQUE INDEX IF NOT EXISTS grant_index02
+        ON grants(account_id, operation);
+
 `

app/router/context.go

@@ -22,6 +22,8 @@ type Context struct {
 	Request    *http.Request
 	Writer     http.ResponseWriter
 	PathMap    map[string]string
+	Bools      map[string]bool
+	Strings    map[string]string
 	StatusCode int
 }
 
@@ -32,10 +34,31 @@ func NewContext(writer http.ResponseWriter, request *http.Request) *Context {
 		Request: request,
 		Ctx:     ctx,
 		PathMap: make(map[string]string),
+		Bools:   make(map[string]bool),
+		Strings: make(map[string]string),
 	}
 	return rctx
 }
 
+// Aux maps
+func (rctx *Context) SetBool(key string, value bool) {
+	rctx.Bools[key] = value
+}
+
+func (rctx *Context) GetBool(key string) (bool, bool) {
+	exists, value := rctx.Bools[key]
+	return exists, value
+}
+
+func (rctx *Context) SetString(key string, value string) {
+	rctx.Strings[key] = value
+}
+
+func (rctx *Context) GetString(key string) (string, bool) {
+	value, exists := rctx.Strings[key]
+	return value, exists
+}
+
 // Request
 func (rctx *Context) GetSubpath(key string) (string, bool) {
 	value, exists := rctx.PathMap[key]

app/service/service.go

@@ -68,6 +68,7 @@ func (svc *Service) Build() error {
 	svc.rout.Use(router.NewRecoveryMiddleware(svc.logg.Errorf))
 	svc.rout.Use(router.NewLoggingMiddleware(svc.logg.Infof))
 	svc.rout.Use(router.NewCorsMiddleware())
+	svc.rout.Use(svc.hand.AuthMiddleware())
 
 	svc.rout.Get("/v3/api/service/hello", svc.hand.SendHello)
 

pkg/auxhttp/basic.go

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2026 Oleg Borodin <onborodin@gmail.com>
+ *
+ * This work is published and licensed under a Creative Commons
+ * Attribution-NonCommercial-NoDerivatives 4.0 International License.
+ *
+ * Distribution of this work is permitted, but commercial use and
+ * modifications are strictly prohibited.
+ */
+
+package auxhttp
+
+import (
+	"encoding/base64"
+	"fmt"
+	"strings"
+)
+
+func ParseBasicAuth(basicFields string) (string, string, error) {
+	var err error
+	var username string
+	var password string
+	if basicFields == "" {
+		err := fmt.Errorf("Empty auth field")
+		return username, password, err
+	}
+	authFields := strings.SplitN(basicFields, " ", 2)
+	if len(authFields) < 2 {
+		err = fmt.Errorf("Cannot split auth field: %s", basicFields)
+		return username, password, err
+	}
+	authType := strings.TrimSpace(authFields[0])
+	if strings.ToLower(authType) != strings.ToLower("Basic") {
+		err = fmt.Errorf("Not basic auth type")
+		return username, password, err
+	}
+	authPairEncoded := authFields[1]
+	pairEncoded, err := base64.StdEncoding.DecodeString(authPairEncoded)
+	if err != nil {
+		err = fmt.Errorf("Cannon decode auth pair")
+		return username, password, err
+	}
+	authPair := strings.SplitN(string(pairEncoded), ":", 2)
+	if len(authPair) != 2 {
+		err = fmt.Errorf("Wrong auth pair")
+		return username, password, err
+	}
+	username = authPair[0]
+	password = authPair[1]
+	return username, password, err
+}

pkg/auxhttp/crange.go

@@ -7,11 +7,11 @@
  * Distribution of this work is permitted, but commercial use and
  * modifications are strictly prohibited.
  */
+
 package auxhttp
 
 import (
 	"fmt"
-	"os"
 	"strconv"
 	"strings"
 )

pkg/auxpwd/passwd.go

@@ -0,0 +1,113 @@
+/*
+ * Copyright 2026 Oleg Borodin <onborodin@gmail.com>
+ *
+ * This work is published and licensed under a Creative Commons
+ * Attribution-NonCommercial-NoDerivatives 4.0 International License.
+ *
+ * Distribution of this work is permitted, but commercial use and
+ * modifications are strictly prohibited.
+ */
+package auxpwd
+
+import (
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/hex"
+	"fmt"
+	"math/rand"
+	"strings"
+	"time"
+)
+
+var rnd *rand.Rand
+
+const (
+	sha256Prefix = "sha256pwd"
+	sha512Prefix = "sha512pwd"
+	saltSize     = 16
+)
+
+func init() {
+	src := rand.NewSource(time.Now().UnixNano())
+	rnd = rand.New(src)
+}
+
+func MakeSHA256Hash(passwd []byte) string {
+	var res string
+	salt := hex.EncodeToString(randomBytes(saltSize))
+	passwdString := hex.EncodeToString(passwd)
+	passwdString = fmt.Sprintf("%s%s", passwdString, salt)
+
+	hasher := sha256.New()
+	hasher.Write([]byte(passwdString))
+	checksum := hex.EncodeToString(hasher.Sum(nil))
+
+	res = fmt.Sprintf("%s:%s:%s", sha256Prefix, salt, checksum)
+	return res
+}
+
+func MakeSHA512Hash(passwd []byte) string {
+	var res string
+	salt := hex.EncodeToString(randomBytes(saltSize))
+	passwdString := hex.EncodeToString(passwd)
+	passwdString = fmt.Sprintf("%s%s", passwdString, salt)
+
+	hasher := sha512.New()
+	hasher.Write([]byte(passwdString))
+	checksum := hex.EncodeToString(hasher.Sum(nil))
+
+	res = fmt.Sprintf("%s:%s:%s", sha512Prefix, salt, checksum)
+	return res
+}
+
+func PasswordMatch(passwd []byte, hash string) bool {
+	hashComponents := strings.Split(hash, ":")
+	if len(hashComponents) != 3 {
+		return false
+	}
+	method := hashComponents[0]
+	salt := hashComponents[1]
+	controlChecksum := hashComponents[2]
+
+	switch method {
+	case sha256Prefix:
+		passwdString := hex.EncodeToString(passwd)
+		passwdString = fmt.Sprintf("%s%s", passwdString, salt)
+		hasher := sha256.New()
+		hasher.Write([]byte(passwdString))
+		checksum := hex.EncodeToString(hasher.Sum(nil))
+		if checksum != controlChecksum {
+			return false
+		}
+	case sha512Prefix:
+		passwdString := hex.EncodeToString(passwd)
+		passwdString = fmt.Sprintf("%s%s", passwdString, salt)
+		hasher := sha512.New()
+		hasher.Write([]byte(passwdString))
+		checksum := hex.EncodeToString(hasher.Sum(nil))
+		if checksum != controlChecksum {
+			return false
+		}
+	default:
+		return false
+	}
+	return true
+}
+
+func randomString(n int) string {
+	const letters = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	arr := make([]byte, n)
+	lettersArrayLen := len(letters)
+	for i := range arr {
+		arr[i] = letters[rnd.Intn(lettersArrayLen)]
+	}
+	return string(arr)
+}
+
+func randomBytes(n int) []byte {
+	arr := make([]byte, n)
+	for i := range arr {
+		arr[i] = byte(rnd.Intn(256) & 0xFF)
+	}
+	return arr
+}

pkg/auxpwd/passwd_test.go

@@ -0,0 +1,49 @@
+/*
+ * Copyright 2026 Oleg Borodin <onborodin@gmail.com>
+ *
+ * This work is published and licensed under a Creative Commons
+ * Attribution-NonCommercial-NoDerivatives 4.0 International License.
+ *
+ * Distribution of this work is permitted, but commercial use and
+ * modifications are strictly prohibited.
+ */
+package auxpwd
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestPasswd256(t *testing.T) {
+	password := []byte("123456789")
+	wrongPasswd := []byte("qwerty")
+
+	hash := MakeSHA256Hash(password)
+	fmt.Printf("%s\n", hash)
+	{
+		match := PasswordMatch(password, hash)
+		require.Equal(t, true, match)
+	}
+	{
+		match := PasswordMatch(wrongPasswd, hash)
+		require.NotEqual(t, true, match)
+	}
+}
+
+func TestPasswd512(t *testing.T) {
+	password := []byte("123456781")
+	wrongPasswd := []byte("qwerty")
+
+	hash := MakeSHA512Hash(password)
+	fmt.Printf("%s\n", hash)
+	{
+		match := PasswordMatch(password, hash)
+		require.Equal(t, true, match)
+	}
+	{
+		match := PasswordMatch(wrongPasswd, hash)
+		require.NotEqual(t, true, match)
+	}
+}