refactor: auth and whitelist system for better organization
- Remove Config parameter from authHandler and CheckAuth - Add doc comments and extract helper functions for IP extraction - Refactor database operations (addPerm, addTemp, delPerm) - Add CIDR matching support in IsPermanentWhitelisted - Add request struct for temporary whitelist handler - Update route registrations to match new function signatures
This commit is contained in:
351
src/db.go
351
src/db.go
@@ -5,6 +5,7 @@ import (
|
||||
"errors"
|
||||
"log/slog"
|
||||
"net"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
sqlite "modernc.org/sqlite"
|
||||
@@ -16,93 +17,121 @@ func InitDB(dbPath string) (*sql.DB, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
_, err = db.Exec(`PRAGMA journal_mode=WAL; PRAGMA busy_timeout=5000;`)
|
||||
if err != nil {
|
||||
if _, err = db.Exec(`PRAGMA journal_mode=WAL; PRAGMA busy_timeout=5000;`); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
schema := `
|
||||
CREATE TABLE IF NOT EXISTS perm_whitelist (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
ip TEXT NOT NULL UNIQUE,
|
||||
created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
|
||||
);
|
||||
CREATE TABLE IF NOT EXISTS perm_whitelist (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
ip TEXT NOT NULL UNIQUE,
|
||||
created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
|
||||
);
|
||||
|
||||
CREATE TABLE IF NOT EXISTS temp_whitelist (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
ip TEXT NOT NULL UNIQUE,
|
||||
expires_at DATETIME NOT NULL,
|
||||
reason TEXT,
|
||||
created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
|
||||
);
|
||||
CREATE INDEX IF NOT EXISTS idx_temp_expires ON temp_whitelist(expires_at);
|
||||
CREATE TABLE IF NOT EXISTS temp_whitelist (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
ip TEXT NOT NULL UNIQUE,
|
||||
expires_at DATETIME NOT NULL,
|
||||
reason TEXT,
|
||||
created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
|
||||
);
|
||||
CREATE INDEX IF NOT EXISTS idx_temp_expires ON temp_whitelist(expires_at);
|
||||
|
||||
CREATE TABLE IF NOT EXISTS audit_log (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
timestamp DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
action TEXT NOT NULL,
|
||||
ip TEXT,
|
||||
ttl_seconds INTEGER,
|
||||
reason TEXT,
|
||||
api_client_ip TEXT
|
||||
);
|
||||
`
|
||||
_, err = db.Exec(schema)
|
||||
if err != nil {
|
||||
CREATE TABLE IF NOT EXISTS audit_log (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
timestamp DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
action TEXT NOT NULL,
|
||||
ip TEXT,
|
||||
ttl_seconds INTEGER,
|
||||
reason TEXT,
|
||||
api_client_ip TEXT
|
||||
);
|
||||
`
|
||||
if _, err = db.Exec(schema); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return db, nil
|
||||
}
|
||||
|
||||
// isUniqueConstraintError checks if the error is a SQLite UNIQUE constraint violation (code 19).
|
||||
func isUniqueConstraintError(err error) bool {
|
||||
if err == nil {
|
||||
return false
|
||||
}
|
||||
var sqliteErr *sqlite.Error
|
||||
return errors.As(err, &sqliteErr) && sqliteErr.Code() == 19
|
||||
}
|
||||
|
||||
// IsIP returns true if s is a valid IP address (v4 or v6).
|
||||
func IsIP(s string) bool {
|
||||
return net.ParseIP(s) != nil
|
||||
}
|
||||
|
||||
// IsCIDR returns true if s is a valid CIDR notation.
|
||||
func IsCIDR(s string) bool {
|
||||
_, _, err := net.ParseCIDR(s)
|
||||
return err == nil
|
||||
}
|
||||
|
||||
// ipMatchesEntry checks whether the given IP matches a whitelist entry.
|
||||
// It handles both exact IP matches and CIDR ranges.
|
||||
func ipMatchesEntry(ip, entry string) (bool, error) {
|
||||
if entry == ip {
|
||||
return true, nil
|
||||
}
|
||||
if !strings.Contains(entry, "/") {
|
||||
return false, nil
|
||||
}
|
||||
_, ipnet, err := net.ParseCIDR(entry)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
return ipnet.Contains(net.ParseIP(ip)), nil
|
||||
}
|
||||
|
||||
// AddPermanentEntry inserts a permanent whitelist entry.
|
||||
// Returns true if the entry was added, false if it already existed.
|
||||
func AddPermanentEntry(db *sql.DB, ip, apiClientIP string) (bool, error) {
|
||||
_, err := db.Exec(`INSERT INTO perm_whitelist(ip) VALUES(?)`, ip)
|
||||
if err != nil {
|
||||
if isUniqueConstraintError(err) {
|
||||
_, err = db.Exec(`
|
||||
INSERT INTO audit_log(action, ip, api_client_ip)
|
||||
VALUES('add_perm_duplicate', ?, ?)
|
||||
`, ip, apiClientIP)
|
||||
if err != nil {
|
||||
return false, err
|
||||
_, logErr := db.Exec(`INSERT INTO audit_log(action, ip, api_client_ip) VALUES('add_perm_duplicate', ?, ?)`, ip, apiClientIP)
|
||||
if logErr != nil {
|
||||
return false, logErr
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
_, err = db.Exec(`
|
||||
INSERT INTO audit_log(action, ip, api_client_ip)
|
||||
VALUES('add_perm', ?, ?)
|
||||
`, ip, apiClientIP)
|
||||
_, err = db.Exec(`INSERT INTO audit_log(action, ip, api_client_ip) VALUES('add_perm', ?, ?)`, ip, apiClientIP)
|
||||
if err != nil {
|
||||
return true, err
|
||||
}
|
||||
return true, nil
|
||||
}
|
||||
|
||||
// DeletePermanentEntry removes a permanent whitelist entry.
|
||||
func DeletePermanentEntry(db *sql.DB, ip, apiClientIP string) error {
|
||||
_, err := db.Exec(`
|
||||
DELETE FROM perm_whitelist
|
||||
WHERE ip = ?
|
||||
`, ip)
|
||||
result, err := db.Exec(`DELETE FROM perm_whitelist WHERE ip = ?`, ip)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
_, err = db.Exec(`
|
||||
INSERT INTO audit_log(action, ip, api_client_ip)
|
||||
VALUES('delete_perm', ?, ?)
|
||||
`, ip, apiClientIP)
|
||||
if rows, _ := result.RowsAffected(); rows == 0 {
|
||||
slog.Warn("tried to delete non-existent perm ip", "ip", ip)
|
||||
return nil
|
||||
}
|
||||
_, err = db.Exec(`INSERT INTO audit_log(action, ip, api_client_ip) VALUES('delete_perm', ?, ?)`, ip, apiClientIP)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// IsPermanentWhitelisted checks whether the given IP is in the permanent whitelist.
|
||||
// It iterates all entries to support CIDR matching.
|
||||
func IsPermanentWhitelisted(db *sql.DB, ip string) (bool, error) {
|
||||
rows, err := db.Query(`
|
||||
SELECT ip
|
||||
FROM perm_whitelist
|
||||
`)
|
||||
rows, err := db.Query(`SELECT ip FROM perm_whitelist`)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
@@ -124,6 +153,7 @@ func IsPermanentWhitelisted(db *sql.DB, ip string) (bool, error) {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// AddTempEntry inserts or updates a temporary whitelist entry (upsert).
|
||||
func AddTempEntry(db *sql.DB, ip string, ttlSeconds int, reason, apiClientIP string) error {
|
||||
expiresAt := time.Now().Add(time.Duration(ttlSeconds) * time.Second)
|
||||
_, err := db.Exec(`
|
||||
@@ -134,41 +164,30 @@ func AddTempEntry(db *sql.DB, ip string, ttlSeconds int, reason, apiClientIP str
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
_, err = db.Exec(`
|
||||
INSERT INTO audit_log(action, ip, ttl_seconds, reason, api_client_ip)
|
||||
VALUES('add_temp', ?, ?, ?, ?)
|
||||
`, ip, ttlSeconds, reason, apiClientIP)
|
||||
_, err = db.Exec(`INSERT INTO audit_log(action, ip, ttl_seconds, reason, api_client_ip) VALUES('add_temp', ?, ?, ?, ?)`, ip, ttlSeconds, reason, apiClientIP)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeleteTempEntry removes a temporary whitelist entry.
|
||||
func DeleteTempEntry(db *sql.DB, ip, apiClientIP string) error {
|
||||
_, err := db.Exec(`
|
||||
DELETE FROM temp_whitelist
|
||||
WHERE ip = ?
|
||||
`, ip)
|
||||
_, err := db.Exec(`DELETE FROM temp_whitelist WHERE ip = ?`, ip)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
_, err = db.Exec(`
|
||||
INSERT INTO audit_log(action, ip, api_client_ip)
|
||||
VALUES('delete_temp', ?, ?)
|
||||
`, ip, apiClientIP)
|
||||
_, err = db.Exec(`INSERT INTO audit_log(action, ip, api_client_ip) VALUES('delete_temp', ?, ?)`, ip, apiClientIP)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// IsTempWhitelisted checks whether the given IP has a valid temporary whitelist entry.
|
||||
func IsTempWhitelisted(db *sql.DB, ip string) (bool, error) {
|
||||
var expiresAt time.Time
|
||||
err := db.QueryRow(`
|
||||
SELECT expires_at
|
||||
FROM temp_whitelist
|
||||
WHERE ip = ?
|
||||
`, ip).Scan(&expiresAt)
|
||||
err := db.QueryRow(`SELECT expires_at FROM temp_whitelist WHERE ip = ?`, ip).Scan(&expiresAt)
|
||||
if err == sql.ErrNoRows {
|
||||
return false, nil
|
||||
}
|
||||
@@ -178,48 +197,44 @@ func IsTempWhitelisted(db *sql.DB, ip string) (bool, error) {
|
||||
return expiresAt.After(time.Now()), nil
|
||||
}
|
||||
|
||||
// CleanupExpiredTemp removes expired temporary whitelist entries and logs them.
|
||||
func CleanupExpiredTemp(db *sql.DB) error {
|
||||
rows, err := db.Query(`
|
||||
SELECT ip
|
||||
FROM temp_whitelist
|
||||
WHERE expires_at <= ?
|
||||
`, time.Now())
|
||||
_, err := db.Exec(`DELETE FROM temp_whitelist WHERE expires_at <= ? RETURNING ip`, time.Now())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
var expiredIPs []string
|
||||
for rows.Next() {
|
||||
var ip string
|
||||
if err := rows.Scan(&ip); err == nil {
|
||||
expiredIPs = append(expiredIPs, ip)
|
||||
// SQLite may not support RETURNING; fall back to the two-step approach
|
||||
var expiredIPs []string
|
||||
rows, qErr := db.Query(`SELECT ip FROM temp_whitelist WHERE expires_at <= ?`, time.Now())
|
||||
if qErr != nil {
|
||||
return qErr
|
||||
}
|
||||
}
|
||||
rows.Close()
|
||||
for rows.Next() {
|
||||
var ip string
|
||||
if err := rows.Scan(&ip); err == nil {
|
||||
expiredIPs = append(expiredIPs, ip)
|
||||
}
|
||||
}
|
||||
rows.Close()
|
||||
|
||||
_, err = db.Exec(`
|
||||
DELETE FROM temp_whitelist
|
||||
WHERE expires_at <= ?
|
||||
`, time.Now())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var reason string
|
||||
reason = "expired"
|
||||
|
||||
for _, ip := range expiredIPs {
|
||||
_, err = db.Exec(`
|
||||
INSERT INTO audit_log(action, ip, reason)
|
||||
VALUES('expire_temp', ?, ?)
|
||||
`, ip, reason)
|
||||
_, err = db.Exec(`DELETE FROM temp_whitelist WHERE expires_at <= ?`, time.Now())
|
||||
if err != nil {
|
||||
slog.Warn("failed to log expired temp ip", "ip", ip, "error", err)
|
||||
return err
|
||||
}
|
||||
slog.Info("expired temporary whitelist", "ip", ip)
|
||||
|
||||
for _, ip := range expiredIPs {
|
||||
_, logErr := db.Exec(`INSERT INTO audit_log(action, ip, reason) VALUES('expire_temp', ?, ?)`, ip, "expired")
|
||||
if logErr != nil {
|
||||
slog.Warn("failed to log expired temp ip", "ip", ip, "error", logErr)
|
||||
}
|
||||
slog.Info("expired temporary whitelist", "ip", ip)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// The RETURNING path
|
||||
return nil
|
||||
}
|
||||
|
||||
// ListTempEntries returns all valid (non-expired) temporary whitelist entries.
|
||||
func ListTempEntries(db *sql.DB) ([]map[string]interface{}, error) {
|
||||
rows, err := db.Query(`
|
||||
SELECT ip, expires_at, reason
|
||||
@@ -231,46 +246,20 @@ func ListTempEntries(db *sql.DB) ([]map[string]interface{}, error) {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var list []map[string]interface{} = make([]map[string]interface{}, 0)
|
||||
for rows.Next() {
|
||||
var ip string
|
||||
var expiresAt time.Time
|
||||
var reason sql.NullString
|
||||
if err := rows.Scan(&ip, &expiresAt, &reason); err != nil {
|
||||
continue
|
||||
}
|
||||
list = append(list, map[string]interface{}{
|
||||
"ip": ip,
|
||||
"expires": expiresAt,
|
||||
"reason": reason.String,
|
||||
})
|
||||
}
|
||||
return list, nil
|
||||
return scanTempEntries(rows)
|
||||
}
|
||||
|
||||
// ListPermEntries returns all permanent whitelist entries.
|
||||
func ListPermEntries(db *sql.DB) ([]map[string]interface{}, error) {
|
||||
rows, err := db.Query(`
|
||||
SELECT ip
|
||||
FROM perm_whitelist
|
||||
ORDER BY created_at
|
||||
`)
|
||||
rows, err := db.Query(`SELECT ip FROM perm_whitelist ORDER BY created_at`)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var list []map[string]interface{} = make([]map[string]interface{}, 0)
|
||||
for rows.Next() {
|
||||
var ip string
|
||||
if err := rows.Scan(&ip); err != nil {
|
||||
continue
|
||||
}
|
||||
list = append(list, map[string]interface{}{
|
||||
"ip": ip,
|
||||
})
|
||||
}
|
||||
return list, nil
|
||||
return scanPermEntries(rows)
|
||||
}
|
||||
|
||||
// ListTempEntriesPaginated returns a page of valid temporary whitelist entries.
|
||||
func ListTempEntriesPaginated(db *sql.DB, limit, offset int) ([]map[string]interface{}, error) {
|
||||
rows, err := db.Query(`
|
||||
SELECT ip, expires_at, reason
|
||||
@@ -283,7 +272,21 @@ func ListTempEntriesPaginated(db *sql.DB, limit, offset int) ([]map[string]inter
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var list []map[string]interface{} = make([]map[string]interface{}, 0)
|
||||
return scanTempEntries(rows)
|
||||
}
|
||||
|
||||
// ListPermEntriesPaginated returns a page of permanent whitelist entries.
|
||||
func ListPermEntriesPaginated(db *sql.DB, limit, offset int) ([]map[string]interface{}, error) {
|
||||
rows, err := db.Query(`SELECT ip FROM perm_whitelist ORDER BY created_at LIMIT ? OFFSET ?`, limit, offset)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
return scanPermEntries(rows)
|
||||
}
|
||||
|
||||
func scanTempEntries(rows *sql.Rows) ([]map[string]interface{}, error) {
|
||||
var list []map[string]interface{}
|
||||
for rows.Next() {
|
||||
var ip string
|
||||
var expiresAt time.Time
|
||||
@@ -300,107 +303,31 @@ func ListTempEntriesPaginated(db *sql.DB, limit, offset int) ([]map[string]inter
|
||||
return list, nil
|
||||
}
|
||||
|
||||
func ListPermEntriesPaginated(db *sql.DB, limit, offset int) ([]map[string]interface{}, error) {
|
||||
rows, err := db.Query(`
|
||||
SELECT ip
|
||||
FROM perm_whitelist
|
||||
ORDER BY created_at
|
||||
LIMIT ? OFFSET ?
|
||||
`, limit, offset)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var list []map[string]interface{} = make([]map[string]interface{}, 0)
|
||||
func scanPermEntries(rows *sql.Rows) ([]map[string]interface{}, error) {
|
||||
var list []map[string]interface{}
|
||||
for rows.Next() {
|
||||
var ip string
|
||||
if err := rows.Scan(&ip); err != nil {
|
||||
continue
|
||||
}
|
||||
list = append(list, map[string]interface{}{
|
||||
"ip": ip,
|
||||
})
|
||||
list = append(list, map[string]interface{}{"ip": ip})
|
||||
}
|
||||
return list, nil
|
||||
}
|
||||
|
||||
func ipMatchesEntry(ip, entry string) (bool, error) {
|
||||
if entry == ip {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
if len(entry) > 0 && entry[0] != '/' && containsSlash(entry) {
|
||||
_, ipnet, err := net.ParseCIDR(entry)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
parsedIP := net.ParseIP(ip)
|
||||
if parsedIP == nil {
|
||||
return false, nil
|
||||
}
|
||||
return ipnet.Contains(parsedIP), nil
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
||||
func containsSlash(s string) bool {
|
||||
for i := 0; i < len(s); i++ {
|
||||
if s[i] == '/' {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func isUniqueConstraintError(err error) bool {
|
||||
if err == nil {
|
||||
return false
|
||||
}
|
||||
var sqliteErr *sqlite.Error
|
||||
if errors.As(err, &sqliteErr) {
|
||||
return sqliteErr.Code() == 19
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func IsIP(s string) bool {
|
||||
return net.ParseIP(s) != nil
|
||||
}
|
||||
|
||||
func IsCIDR(s string) bool {
|
||||
_, _, err := net.ParseCIDR(s)
|
||||
return err == nil
|
||||
}
|
||||
|
||||
// RotateAuditLog trims the audit log if it exceeds maxEntries entries.
|
||||
func RotateAuditLog(db *sql.DB, maxEntries int) error {
|
||||
if maxEntries <= 0 {
|
||||
maxEntries = 200000
|
||||
}
|
||||
var count int
|
||||
err := db.QueryRow(`SELECT COUNT(*) FROM audit_log`).Scan(&count)
|
||||
if err != nil {
|
||||
if err := db.QueryRow(`SELECT COUNT(*) FROM audit_log`).Scan(&count); err != nil {
|
||||
return err
|
||||
}
|
||||
if count <= maxEntries {
|
||||
return nil
|
||||
}
|
||||
rows, err := db.Query(`
|
||||
SELECT id FROM audit_log
|
||||
ORDER BY timestamp ASC
|
||||
LIMIT ?
|
||||
`, count-maxEntries)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
var ids []int64
|
||||
for rows.Next() {
|
||||
var id int64
|
||||
if err := rows.Scan(&id); err == nil {
|
||||
ids = append(ids, id)
|
||||
}
|
||||
}
|
||||
rows.Close()
|
||||
_, err = db.Exec(`
|
||||
_, err := db.Exec(`
|
||||
DELETE FROM audit_log
|
||||
WHERE id IN (
|
||||
SELECT id FROM audit_log
|
||||
|
||||
Reference in New Issue
Block a user