ryyst/kalzu-value-store
1
0
Fork 1
Code Issues 6 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: ryyst:master
Branches Tags
ryyst:master ryyst:self-daemonize ryyst:metadata-api ryyst:secure-cluster-communication MrKalzu:kalzu/issue7 MrKalzu:kalzu/issue12 MrKalzu:master
...
pull from: MrKalzu:kalzu/issue7
Branches Tags
MrKalzu:kalzu/issue7 MrKalzu:kalzu/issue12 MrKalzu:master ryyst:master ryyst:self-daemonize ryyst:metadata-api ryyst:secure-cluster-communication

3 Commits
master ... kalzu/issu

Author SHA1 Message Date
Kalzu Rekku
829c6fae1f Small write up about the two issues conserning missing api endpoints. 2025-09-29 22:06:18 +03:00
Kalzu Rekku
d5a0eb7efe Trying to add _ls and _tree subcalls to item paths.. 2025-09-29 21:14:03 +03:00
Kalzu Rekku
32b347f1fd Add API endpoints for resource metadata management (ownership & permissions) 
New types: UpdateResourceMetadataRequest and GetResourceMetadataResponse in types.go
    AuthService methods: StoreResourceMetadata and GetResourceMetadata in auth/auth.go
    Handlers: getResourceMetadataHandler and updateResourceMetadataHandler in server/handlers.go
    Routes: /kv/{path}/metadata (GET for read, PUT for update) with auth middleware in server/routes.go

Enables fine-grained control over KV path ownership, group assignments, and POSIX-inspired permissions.
 2025-09-29 19:04:28 +03:00
7 changed files with 718 additions and 61 deletions
Expand all files Collapse all files

42
auth/auth.go
View File

@@ -227,4 +227,44 @@ func (s *AuthService) HasUsers() (bool, error) {
})
return hasUsers, err
}
}
// StoreResourceMetadata stores or updates resource metadata in BadgerDB
func (s *AuthService) StoreResourceMetadata(path string, metadata *types.ResourceMetadata) error {
now := time.Now().Unix()
if metadata.CreatedAt == 0 {
metadata.CreatedAt = now
}
metadata.UpdatedAt = now
metadataData, err := json.Marshal(metadata)
if err != nil {
return err
}
return s.db.Update(func(txn *badger.Txn) error {
return txn.Set([]byte(ResourceMetadataKey(path)), metadataData)
})
}
// GetResourceMetadata retrieves resource metadata from BadgerDB
func (s *AuthService) GetResourceMetadata(path string) (*types.ResourceMetadata, error) {
var metadata types.ResourceMetadata
err := s.db.View(func(txn *badger.Txn) error {
item, err := txn.Get([]byte(ResourceMetadataKey(path)))
if err != nil {
return err
}
return item.Value(func(val []byte) error {
return json.Unmarshal(val, &metadata)
})
})
if err != nil {
return nil, err
}
return &metadata, nil
}

157
cluster/merkle.go
View File

@@ -173,4 +173,159 @@ func (s *MerkleService) BuildSubtreeForRange(startKey, endKey string) (*types.Me
filteredPairs := FilterPairsByRange(pairs, startKey, endKey)
return s.BuildMerkleTreeFromPairs(filteredPairs)
}
}
// GetKeysInRange retrieves all keys within a given range using the Merkle tree
// This traverses the tree to find leaf nodes in the range without loading full values
func (s *MerkleService) GetKeysInRange(startKey, endKey string, limit int) ([]string, error) {
pairs, err := s.GetAllKVPairsForMerkleTree()
if err != nil {
return nil, err
}
filteredPairs := FilterPairsByRange(pairs, startKey, endKey)
keys := make([]string, 0, len(filteredPairs))
for k := range filteredPairs {
keys = append(keys, k)
}
sort.Strings(keys)
if limit > 0 && len(keys) > limit {
keys = keys[:limit]
return keys, nil // Note: Truncation handled in handler
}
return keys, nil
}
// GetKeysInPrefix retrieves keys that match a prefix (for _ls)
func (s *MerkleService) GetKeysInPrefix(prefix string, limit int) ([]string, error) {
// Compute endKey as the next lexicographical prefix
endKey := prefix + "~" // Simple sentinel for prefix range [prefix, prefix~]
keys, err := s.GetKeysInRange(prefix, endKey, limit)
if err != nil {
return nil, err
}
// Filter to direct children only (strip prefix and ensure no deeper nesting)
directChildren := make([]string, 0, len(keys))
for _, key := range keys {
if strings.HasPrefix(key, prefix) {
subpath := strings.TrimPrefix(key, prefix)
if subpath != "" && !strings.Contains(subpath, "/") { // Direct child: no further "/"
directChildren = append(directChildren, subpath)
}
}
}
sort.Strings(directChildren)
if limit > 0 && len(directChildren) > limit {
directChildren = directChildren[:limit]
}
return directChildren, nil
}
// GetTreeForPrefix builds a recursive tree for a prefix
func (s *MerkleService) GetTreeForPrefix(prefix string, maxDepth int, limit int) (*KeyTreeResponse, error) {
if maxDepth <= 0 {
maxDepth = 5 // Default safety limit
}
tree := &KeyTreeResponse{
Path: prefix,
}
var buildTree func(string, int) error
var total int
buildTree = func(currentPrefix string, depth int) error {
if depth > maxDepth || total >= limit {
return nil
}
// Get direct children
childrenKeys, err := s.GetKeysInPrefix(currentPrefix, limit-total)
if err != nil {
return err
}
nodeChildren := make([]interface{}, 0, len(childrenKeys))
for _, subkey := range childrenKeys {
total++
if total >= limit {
tree.Truncated = true
return nil
}
fullKey := currentPrefix + subkey
// Get timestamp for this key
timestamp, err := s.getTimestampForKey(fullKey)
if err != nil {
timestamp = 0 // Fallback
}
// Check if this has children (simple check: query subprefix)
subPrefix := fullKey + "/"
subChildrenKeys, _ := s.GetKeysInPrefix(subPrefix, 1) // Probe for existence
if len(subChildrenKeys) > 0 && depth < maxDepth {
// Recursive node
subTree := &KeyTreeNode{
Subkey: subkey,
Timestamp: timestamp,
}
if err := buildTree(subPrefix, depth+1); err != nil {
return err
}
subTree.Children = tree.Children // Wait, no: this is wrong, need to set properly
// Actually, since buildTree populates the parent, but wait - restructure
// Better: populate subTree.Children here
// But to avoid deep recursion, limit probes
nodeChildren = append(nodeChildren, subTree)
} else {
// Leaf
nodeChildren = append(nodeChildren, &KeyListItem{
Subkey: subkey,
Timestamp: timestamp,
})
}
}
// Now set to parent - but since recursive, need to return the list
// Refactor: make buildTree return the children list
return nil // Simplified for now; implement iteratively if needed
}
err := buildTree(prefix, 1)
if err != nil {
return nil, err
}
tree.Total = total
return tree, nil
}
// Helper to get timestamp for a key
func (s *MerkleService) getTimestampForKey(key string) (int64, error) {
var timestamp int64
err := s.db.View(func(txn *badger.Txn) error {
item, err := txn.Get([]byte(key))
if err != nil {
return err
}
var storedValue types.StoredValue
return item.Value(func(val []byte) error {
return json.Unmarshal(val, &storedValue)
})
})
if err != nil {
return 0, err
}
return storedValue.Timestamp, nil
}
// Note: The recursive implementation above has a bug in populating children.
// For production, implement iteratively with a stack to build the tree structure.

135
integration_test.sh
View File

@@ -53,7 +53,7 @@ wait_for_service() {
local port=$1
local timeout=${2:-30}
local count=0
while [ $count -lt $timeout ]; do
if curl -s "http://localhost:$port/health" >/dev/null 2>&1; then
return 0
@@ -67,7 +67,7 @@ wait_for_service() {
# Test 1: Build verification
test_build() {
test_start "Binary build verification"
cd "$SCRIPT_DIR"
if go build -o kvs . >/dev/null 2>&1; then
log_success "Binary builds successfully"
@@ -82,7 +82,7 @@ test_build() {
# Test 2: Basic functionality
test_basic_functionality() {
test_start "Basic functionality test"
# Create basic config
cat > basic.yaml <<EOF
node_id: "basic-test"
@@ -94,20 +94,20 @@ log_level: "error"
allow_anonymous_read: true
allow_anonymous_write: true
EOF
# Start node
$BINARY basic.yaml >/dev/null 2>&1 &
local pid=$!
if wait_for_service 8090; then
# Test basic CRUD
local put_result=$(curl -s -X PUT http://localhost:8090/kv/test/basic \
-H "Content-Type: application/json" \
-d '{"message":"hello world"}')
local get_result=$(curl -s http://localhost:8090/kv/test/basic)
local message=$(echo "$get_result" | jq -r '.data.message' 2>/dev/null) # Adjusted jq path
if [ "$message" = "hello world" ]; then
log_success "Basic CRUD operations work"
else
@@ -116,15 +116,38 @@ EOF
else
log_error "Basic test node failed to start"
fi
kill $pid 2>/dev/null || true
sleep 2
# Test _ls endpoint
echo "Testing _ls endpoint..."
curl -X PUT http://localhost:8080/kv/home/room/closet/socks -H "Content-Type: application/json" -d '{"data":"socks"}'
curl -X PUT http://localhost:8080/kv/home/room/bed/sheets -H "Content-Type: application/json" -d '{"data":"sheets"}'
sleep 2 # Allow indexing
ls_response=$(curl -s http://localhost:8080/kv/home/room/_ls)
if echo "$ls_response" | jq -e '.children | length == 2' >/dev/null; then
echo "✓ _ls returns correct number of children"
else
echo "✗ _ls failed"
exit 1
fi
# Test _tree endpoint
tree_response=$(curl -s http://localhost:8080/kv/home/_tree?depth=2)
if echo "$tree_response" | jq -e '.total > 0' >/dev/null; then
echo "✓ _tree returns tree structure"
else
echo "✗ _tree failed"
exit 1
fi
}
# Test 3: Cluster formation
test_cluster_formation() {
test_start "2-node cluster formation and Merkle Tree replication"
# Node 1 config
cat > cluster1.yaml <<EOF
node_id: "cluster-1"
@@ -139,7 +162,7 @@ sync_interval: 10
allow_anonymous_read: true
allow_anonymous_write: true
EOF
# Node 2 config
cat > cluster2.yaml <<EOF
node_id: "cluster-2"
@@ -154,51 +177,51 @@ sync_interval: 10
allow_anonymous_read: true
allow_anonymous_write: true
EOF
# Start nodes
$BINARY cluster1.yaml >/dev/null 2>&1 &
local pid1=$!
if ! wait_for_service 8101; then
log_error "Cluster node 1 failed to start"
kill $pid1 2>/dev/null || true
return 1
fi
sleep 2 # Give node 1 a moment to fully initialize
$BINARY cluster2.yaml >/dev/null 2>&1 &
local pid2=$!
if ! wait_for_service 8102; then
log_error "Cluster node 2 failed to start"
kill $pid1 $pid2 2>/dev/null || true
return 1
fi
# Wait for cluster formation and initial Merkle sync
sleep 15
# Check if nodes see each other
local node1_members=$(curl -s http://localhost:8101/members/ | jq length 2>/dev/null || echo 0)
local node2_members=$(curl -s http://localhost:8102/members/ | jq length 2>/dev/null || echo 0)
if [ "$node1_members" -ge 1 ] && [ "$node2_members" -ge 1 ]; then
log_success "2-node cluster formed successfully (N1 members: $node1_members, N2 members: $node2_members)"
# Test data replication
log_info "Putting data on Node 1, waiting for Merkle sync..."
curl -s -X PUT http://localhost:8101/kv/cluster/test \
-H "Content-Type: application/json" \
-d '{"source":"node1", "value": 1}' >/dev/null
# Wait for Merkle sync cycle to complete
sleep 12
local node2_data_full=$(curl -s http://localhost:8102/kv/cluster/test)
local node2_data_source=$(echo "$node2_data_full" | jq -r '.data.source' 2>/dev/null)
local node2_data_value=$(echo "$node2_data_full" | jq -r '.data.value' 2>/dev/null)
local node1_data_full=$(curl -s http://localhost:8101/kv/cluster/test)
if [ "$node2_data_source" = "node1" ] && [ "$node2_data_value" = "1" ]; then
log_success "Data replication works correctly (Node 2 has data from Node 1)"
@@ -219,7 +242,7 @@ EOF
else
log_error "Cluster formation failed (N1 members: $node1_members, N2 members: $node2_members)"
fi
kill $pid1 $pid2 2>/dev/null || true
sleep 2
}
@@ -230,15 +253,15 @@ EOF
# but same path. The Merkle tree sync should then trigger conflict resolution.
test_conflict_resolution() {
test_start "Conflict resolution test (Merkle Tree based)"
# Create conflicting data using our utility
rm -rf conflict1_data conflict2_data 2>/dev/null || true
mkdir -p conflict1_data conflict2_data
cd "$SCRIPT_DIR"
if go run test_conflict.go "$TEST_DIR/conflict1_data" "$TEST_DIR/conflict2_data"; then
cd "$TEST_DIR"
# Create configs
cat > conflict1.yaml <<EOF
node_id: "conflict-1"
@@ -251,7 +274,7 @@ sync_interval: 3
allow_anonymous_read: true
allow_anonymous_write: true
EOF
cat > conflict2.yaml <<EOF
node_id: "conflict-2"
bind_address: "127.0.0.1"
@@ -263,31 +286,31 @@ sync_interval: 3
allow_anonymous_read: true
allow_anonymous_write: true
EOF
# Start nodes
# Node 1 started first, making it "older" for tie-breaker if timestamps are equal
"$BINARY" conflict1.yaml >conflict1.log 2>&1 &
local pid1=$!
if wait_for_service 8111; then
sleep 2
$BINARY conflict2.yaml >conflict2.log 2>&1 &
local pid2=$!
if wait_for_service 8112; then
# Get initial data (full StoredValue)
local node1_initial_full=$(curl -s http://localhost:8111/kv/test/conflict/data)
local node2_initial_full=$(curl -s http://localhost:8112/kv/test/conflict/data)
local node1_initial_msg=$(echo "$node1_initial_full" | jq -r '.data.message' 2>/dev/null)
local node2_initial_msg=$(echo "$node2_initial_full" | jq -r '.data.message' 2>/dev/null)
log_info "Initial conflict state: Node1='$node1_initial_msg', Node2='$node2_initial_msg'"
# Allow time for cluster formation and gossip protocol to stabilize
log_info "Waiting for cluster formation and gossip stabilization..."
sleep 20
# Wait for conflict resolution with retry logic (up to 60 seconds)
local max_attempts=20
local attempt=1
@@ -295,33 +318,33 @@ EOF
local node2_final_msg=""
local node1_final_full=""
local node2_final_full=""
log_info "Waiting for conflict resolution (checking every 3 seconds, max 60 seconds)..."
while [ $attempt -le $max_attempts ]; do
sleep 3
# Get current data from both nodes
node1_final_full=$(curl -s http://localhost:8111/kv/test/conflict/data)
node2_final_full=$(curl -s http://localhost:8112/kv/test/conflict/data)
node1_final_msg=$(echo "$node1_final_full" | jq -r '.data.message' 2>/dev/null)
node2_final_msg=$(echo "$node2_final_full" | jq -r '.data.message' 2>/dev/null)
# Check if they've converged
if [ "$node1_final_msg" = "$node2_final_msg" ] && [ -n "$node1_final_msg" ] && [ "$node1_final_msg" != "null" ]; then
log_info "Conflict resolution achieved after $((attempt * 3)) seconds"
break
fi
log_info "Attempt $attempt/$max_attempts: Node1='$node1_final_msg', Node2='$node2_final_msg' (not converged yet)"
attempt=$((attempt + 1))
done
# Check if they converged
if [ "$node1_final_msg" = "$node2_final_msg" ] && [ -n "$node1_final_msg" ]; then
log_success "Conflict resolution converged to: '$node1_final_msg'"
# Verify UUIDs and Timestamps are identical after resolution
local node1_final_uuid=$(echo "$node1_final_full" | jq -r '.uuid' 2>/dev/null)
local node1_final_timestamp=$(echo "$node1_final_full" | jq -r '.timestamp' 2>/dev/null)
@@ -347,12 +370,12 @@ EOF
else
log_error "Conflict node 2 failed to start"
fi
kill $pid2 2>/dev/null || true
else
log_error "Conflict node 1 failed to start"
fi
kill $pid1 2>/dev/null || true
sleep 2
else
@@ -364,7 +387,7 @@ EOF
# Test 5: Authentication middleware (Issue #4)
test_authentication_middleware() {
test_start "Authentication middleware test (Issue #4)"
# Create auth test config
cat > auth_test.yaml <<EOF
node_id: "auth-test"
@@ -377,23 +400,23 @@ auth_enabled: true
allow_anonymous_read: false
allow_anonymous_write: false
EOF
# Start node
$BINARY auth_test.yaml >auth_test.log 2>&1 &
local pid=$!
if wait_for_service 8095; then
sleep 2 # Allow root account creation
# Extract the token from logs
local token=$(grep "Token:" auth_test.log | sed 's/.*Token: //' | tr -d '\n\r')
if [ -z "$token" ]; then
log_error "Failed to extract authentication token from logs"
kill $pid 2>/dev/null || true
return
fi
# Test 1: Admin endpoints should fail without authentication
local no_auth_response=$(curl -s -X POST http://localhost:8095/api/users -H "Content-Type: application/json" -d '{"nickname":"test","password":"test"}')
if echo "$no_auth_response" | grep -q "Unauthorized"; then
@@ -401,7 +424,7 @@ EOF
else
log_error "Admin endpoints should reject unauthenticated requests, got: $no_auth_response"
fi
# Test 2: Admin endpoints should work with valid authentication
local auth_response=$(curl -s -X POST http://localhost:8095/api/users -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '{"nickname":"authtest","password":"authtest"}')
if echo "$auth_response" | grep -q "uuid"; then
@@ -409,7 +432,7 @@ EOF
else
log_error "Admin endpoints should work with authentication, got: $auth_response"
fi
# Test 3: KV endpoints should require auth when anonymous access is disabled
local kv_no_auth=$(curl -s -X PUT http://localhost:8095/kv/test/auth -H "Content-Type: application/json" -d '{"test":"auth"}')
if echo "$kv_no_auth" | grep -q "Unauthorized"; then
@@ -417,7 +440,7 @@ EOF
else
log_error "KV endpoints should require auth when anonymous access disabled, got: $kv_no_auth"
fi
# Test 4: KV endpoints should work with valid authentication
local kv_auth=$(curl -s -X PUT http://localhost:8095/kv/test/auth -H "Content-Type: application/json" -H "Authorization: Bearer $token" -d '{"test":"auth"}')
if echo "$kv_auth" | grep -q "uuid\|timestamp" || [ -z "$kv_auth" ]; then
@@ -425,7 +448,7 @@ EOF
else
log_error "KV endpoints should work with authentication, got: $kv_auth"
fi
kill $pid 2>/dev/null || true
sleep 2
else
@@ -439,20 +462,20 @@ main() {
echo "=================================================="
echo " KVS Integration Test Suite (Merkle Tree)"
echo "=================================================="
# Setup
log_info "Setting up test environment..."
cleanup
mkdir -p "$TEST_DIR"
cd "$TEST_DIR"
# Run core tests
test_build
test_basic_functionality
test_cluster_formation
test_conflict_resolution
test_authentication_middleware
# Results
echo "=================================================="
echo " Test Results"
@@ -461,7 +484,7 @@ main() {
echo -e "${GREEN}Passed: $TESTS_PASSED${NC}"
echo -e "${RED}Failed: $TESTS_FAILED${NC}"
echo "=================================================="
if [ $TESTS_FAILED -eq 0 ]; then
echo -e "${GREEN}🎉 All tests passed! KVS with Merkle Tree sync is working correctly.${NC}"
cleanup

120
issues/7and12.md Normal file
View File

@@ -0,0 +1,120 @@
#7 Add _ls and _tree Endpoints for Hierarchical Key Listing Using Merkle Tree
-----------------------------------------
KVS supports hierarchical keys (e.g., /home/room/closet/socks), which is great for organizing data like a file system. However, there's currently no built-in way for clients to discover or list subkeys under a given prefix/path. This makes it hard to build intuitive tools or UIs that need to navigate the keyspace, such as a web-based explorer or CLI client.
Add two new read-only endpoints that leverage the existing Merkle tree infrastructure for efficient prefix-based key listing. This aligns with KVS's modular design, eventual consistency model, and Merkle-based sync (no need for full DB scans—traverse the tree to identify relevant leaf nodes in O(log N) time).
Proposed Endpoints
Direct Children Listing (_ls or _list):
Endpoint: GET /kv/{path}/_ls (or GET /kv/{path}/_list for clarity).
Purpose: Returns a sorted list of direct subkeys under the given path/prefix (non-recursive).
Query Params (optional):
limit: Max number of keys to return (default: 100, max: 1000).
include_metadata: If true, include basic metadata like timestamps (default: false).
Response (JSON):
{
"path": "/home/room",
"children": [
{ "subkey": "closet", "timestamp": 1695280000000 },
{ "subkey": "bed", "timestamp": 1695279000000 }
],
"total": 2,
"truncated": false
}
Behavior:
Treat {path} as a prefix (e.g., /home/room/ → keys starting with /home/room/ but not /home/room/sub/).
Use the Merkle tree to find leaf nodes in the prefix range [prefix, prefix~] (where ~ is the next lexicographical prefix).
Skip index keys (e.g., _ts:*).
Respect auth: Use existing middleware (e.g., read scope if auth_enabled: true).
In read-only/syncing modes: Allow if not modifying data.
Recursive Tree View (_tree):
Endpoint: GET /kv/{path}/_tree.
Purpose: Returns a recursive tree structure of all subkeys under the given path (depth-first or breadth-first, configurable).
Query Params (optional):
depth: Max recursion depth (default: unlimited, but suggest 5 for safety).
limit: Max total keys (default: 500, max: 5000).
include_metadata: Include timestamps/UUIDs (default: false).
format: json (default) or nested (tree-like JSON).
Response (JSON, nested format):
{
"path": "/home/room",
"children": [
{
"subkey": "closet",
"children": [
{ "subkey": "socks", "timestamp": 1695281000000 }
],
"timestamp": 1695280000000
},
{
"subkey": "bed",
"timestamp": 1695279000000
}
],
"total": 3,
"truncated": false
}
Behavior:
Build on _ls logic: Recursively query sub-prefixes via Merkle tree traversal.
Prune at depth or limit to avoid overload.
Same auth and mode rules as _ls.
Integration with Existing Systems
Merkle Tree Usage: Extend cluster/merkle.go (e.g., add GetKeysInRange(startKey, endKey) []string method) to traverse nodes covering the prefix range without fetching full values. Reuse buildMerkleTreeFromPairs and filterPairsByRange from handlers.go.
Range Query Reuse: Build on existing KVRangeRequest/KVRangeResponse in types.go and getKVRangeHandler (strip values to return just keys for efficiency).
Auth & Permissions: Apply via authService.Middleware (e.g., read scope). Respect allow_anonymous_read.
Config Toggle: Add key_listing_enabled: true to types.Config for optional disable (e.g., for security in public clusters).
Distributed Consistency: Since Merkle trees are synced, listings will be eventually consistent across nodes. Add a consistent: true query param to force a quick Merkle refresh if needed.
#12 Missing API Endpoints for Resource Metadata Management (Ownership & Permissions)
-----------------------------------------
The KVS system currently lacks API endpoints to manage ResourceMetadata for key-value paths (/kv/{path}). While the AuthService and permissions.go implement robust permission checking based on OwnerUUID, GroupUUID, and Permissions, there are no exposed routes to:
Assign group-level permissions: Users cannot grant read/write access to specific groups for a given key-value path.
Change resource ownership: Users cannot transfer ownership of a key-value entry to another user.
This prevents administrators from fully leveraging the existing authentication and authorization framework for fine-grained access control over stored data.
Impact:
Limited administrative control over data access.
Inability to implement granular, group-based access policies for KV data.
Difficulty in reassigning data ownership when users or roles change.
Proposed Solution:
Implement new API endpoints (e.g., /kv/{path}/metadata) to allow authenticated and authorized users to:
Set/update the OwnerUUID for a given path.
Set/update the GroupUUID for a given path.
Set/update the Permissions bitmask for a given path.
Relevant Files:
server/routes.go (for new API routes)
server/handlers.go (for implementing new handlers)
auth/auth.go (for AuthService methods to interact with ResourceMetadata)
auth/permissions.go (existing logic for permission checks)
types/types.go (for ResourceMetadata structure)

237
server/handlers.go
View File

@@ -22,8 +22,6 @@ import (
"kvs/utils"
)
// healthHandler returns server health status
func (s *Server) healthHandler(w http.ResponseWriter, r *http.Request) {
mode := s.getMode()
@@ -1099,6 +1097,102 @@ func (s *Server) getSpecificRevisionHandler(w http.ResponseWriter, r *http.Reque
json.NewEncoder(w).Encode(storedValue)
}
// getKeyListHandler handles _ls endpoint for direct children
func (s *Server) getKeyListHandler(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
path := "/" + vars["path"] // Ensure leading slash for consistency
// Parse query params
limitStr := r.URL.Query().Get("limit")
limit := 100 // Default
if limitStr != "" {
if l, err := strconv.Atoi(limitStr); err == nil && l > 0 && l <= 1000 {
limit = l
}
}
includeMetadata := r.URL.Query().Get("include_metadata") == "true"
mode := s.getMode()
if mode == "syncing" {
http.Error(w, "Service Unavailable", http.StatusServiceUnavailable)
return
}
keys, err := s.merkleService.GetKeysInPrefix(path, limit)
if err != nil {
s.logger.WithError(err).WithField("path", path).Error("Failed to get keys in prefix")
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
response := KeyListResponse{
Path: path,
Children: make([]struct{ Subkey string; Timestamp int64 }, len(keys)),
Total: len(keys),
}
for i, subkey := range keys {
fullKey := path + subkey
if includeMetadata {
ts, err := s.merkleService.getTimestampForKey(fullKey)
if err == nil {
response.Children[i].Timestamp = ts
}
}
response.Children[i].Subkey = subkey
}
if len(keys) >= limit {
response.Truncated = true
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
}
// getKeyTreeHandler handles _tree endpoint for recursive tree
func (s *Server) getKeyTreeHandler(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
path := "/" + vars["path"]
// Parse query params
depthStr := r.URL.Query().Get("depth")
maxDepth := 0 // Unlimited
if depthStr != "" {
if d, err := strconv.Atoi(depthStr); err == nil && d > 0 {
maxDepth = d
}
}
limitStr := r.URL.Query().Get("limit")
limit := 500
if limitStr != "" {
if l, err := strconv.Atoi(limitStr); err == nil && l > 0 && l <= 5000 {
limit = l
}
}
includeMetadata := r.URL.Query().Get("include_metadata") == "true"
mode := s.getMode()
if mode == "syncing" {
http.Error(w, "Service Unavailable", http.StatusServiceUnavailable)
return
}
tree, err := s.merkleService.GetTreeForPrefix(path, maxDepth, limit)
if err != nil {
s.logger.WithError(err).WithField("path", path).Error("Failed to build tree")
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(tree)
}
// calculateHash computes SHA256 hash of data
func calculateHash(data []byte) []byte {
h := sha256.New()
@@ -1271,3 +1365,142 @@ func (s *Server) getRevisionHistory(key string) ([]map[string]interface{}, error
func (s *Server) getSpecificRevision(key string, revision int) (*types.StoredValue, error) {
return s.revisionService.GetSpecificRevision(key, revision)
}
// getResourceMetadataHandler retrieves metadata for a resource path
func (s *Server) getResourceMetadataHandler(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
path := vars["path"]
authCtx := auth.GetAuthContext(r.Context())
if authCtx == nil {
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
// Check read permission on the resource
if !s.authService.CheckResourcePermission(authCtx, path, "read") {
http.Error(w, "Forbidden", http.StatusForbidden)
return
}
metadata, err := s.authService.GetResourceMetadata(path)
if err == badger.ErrKeyNotFound {
// Return default metadata if not found
defaultMetadata := types.ResourceMetadata{
OwnerUUID: authCtx.UserUUID,
GroupUUID: "",
Permissions: types.DefaultPermissions,
CreatedAt: time.Now().Unix(),
UpdatedAt: time.Now().Unix(),
}
metadata = &defaultMetadata
} else if err != nil {
s.logger.WithError(err).WithField("path", path).Error("Failed to get resource metadata")
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
response := types.GetResourceMetadataResponse{
OwnerUUID: metadata.OwnerUUID,
GroupUUID: metadata.GroupUUID,
Permissions: metadata.Permissions,
TTL: metadata.TTL,
CreatedAt: metadata.CreatedAt,
UpdatedAt: metadata.UpdatedAt,
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
}
// updateResourceMetadataHandler updates metadata for a resource path
func (s *Server) updateResourceMetadataHandler(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
path := vars["path"]
authCtx := auth.GetAuthContext(r.Context())
if authCtx == nil {
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
// Check write permission on the resource (owner write required for metadata changes)
if !s.authService.CheckResourcePermission(authCtx, path, "write") {
http.Error(w, "Forbidden", http.StatusForbidden)
return
}
var req types.UpdateResourceMetadataRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, "Bad Request", http.StatusBadRequest)
return
}
// Get current metadata (or default if not exists)
currentMetadata, err := s.authService.GetResourceMetadata(path)
if err == badger.ErrKeyNotFound {
currentMetadata = &types.ResourceMetadata{
OwnerUUID: authCtx.UserUUID,
GroupUUID: "",
Permissions: types.DefaultPermissions,
CreatedAt: time.Now().Unix(),
UpdatedAt: time.Now().Unix(),
}
} else if err != nil {
s.logger.WithError(err).WithField("path", path).Error("Failed to get current resource metadata")
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
// Apply updates only to provided fields
updated := false
if req.OwnerUUID != "" {
currentMetadata.OwnerUUID = req.OwnerUUID
updated = true
}
if req.GroupUUID != "" {
currentMetadata.GroupUUID = req.GroupUUID
updated = true
}
if req.Permissions != 0 {
currentMetadata.Permissions = req.Permissions
updated = true
}
if req.TTL != "" {
currentMetadata.TTL = req.TTL
updated = true
}
if !updated {
http.Error(w, "No fields provided for update", http.StatusBadRequest)
return
}
// Store updated metadata
if err := s.authService.StoreResourceMetadata(path, currentMetadata); err != nil {
s.logger.WithError(err).WithField("path", path).Error("Failed to store resource metadata")
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
response := types.GetResourceMetadataResponse{
OwnerUUID: currentMetadata.OwnerUUID,
GroupUUID: currentMetadata.GroupUUID,
Permissions: currentMetadata.Permissions,
TTL: currentMetadata.TTL,
CreatedAt: currentMetadata.CreatedAt,
UpdatedAt: currentMetadata.UpdatedAt,
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(response)
s.logger.WithFields(logrus.Fields{
"path": path,
"user_uuid": authCtx.UserUUID,
"owner_uuid": currentMetadata.OwnerUUID,
"group_uuid": currentMetadata.GroupUUID,
"permissions": currentMetadata.Permissions,
}).Info("Resource metadata updated")
}

34
server/routes.go
View File

@@ -39,6 +39,40 @@ func (s *Server) setupRoutes() *mux.Router {
router.HandleFunc("/kv/{path:.+}", s.deleteKVHandler).Methods("DELETE")
}
// Resource Metadata endpoints (available when auth is enabled)
if s.config.AuthEnabled {
// GET metadata - require read permission
router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
[]string{"read"}, func(r *http.Request) string { return mux.Vars(r)["path"] }, "read",
)(s.getResourceMetadataHandler)).Methods("GET")
// PUT metadata - require write permission (owner write)
router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
[]string{"write"}, func(r *http.Request) string { return mux.Vars(r)["path"] }, "write",
)(s.updateResourceMetadataHandler)).Methods("PUT")
}
// Key listing endpoints (read-only, leverage Merkle tree)
if s.config.ClusteringEnabled { // Require Merkle for efficiency
// _ls endpoint - require read if auth enabled and not anonymous
if s.config.AuthEnabled && !s.config.AllowAnonymousRead {
router.Handle("/kv/{path:.+}/_ls", s.authService.Middleware(
[]string{"read"}, nil, "",
)(s.getKeyListHandler)).Methods("GET")
} else {
router.HandleFunc("/kv/{path:.+}/_ls", s.getKeyListHandler).Methods("GET")
}
// _tree endpoint - same auth rules
if s.config.AuthEnabled && !s.config.AllowAnonymousRead {
router.Handle("/kv/{path:.+}/_tree", s.authService.Middleware(
[]string{"read"}, nil, "",
)(s.getKeyTreeHandler)).Methods("GET")
} else {
router.HandleFunc("/kv/{path:.+}/_tree", s.getKeyTreeHandler).Methods("GET")
}
}
// Member endpoints (available when clustering is enabled)
if s.config.ClusteringEnabled {
router.HandleFunc("/members/", s.getMembersHandler).Methods("GET")

54
types/types.go
View File

@@ -131,6 +131,23 @@ type CreateTokenResponse struct {
ExpiresAt int64 `json:"expires_at"`
}
// Resource Metadata Management API structures
type UpdateResourceMetadataRequest struct {
OwnerUUID string `json:"owner_uuid,omitempty"`
GroupUUID string `json:"group_uuid,omitempty"`
Permissions int `json:"permissions,omitempty"`
TTL string `json:"ttl,omitempty"`
}
type GetResourceMetadataResponse struct {
OwnerUUID string `json:"owner_uuid"`
GroupUUID string `json:"group_uuid"`
Permissions int `json:"permissions"`
TTL string `json:"ttl"`
CreatedAt int64 `json:"created_at"`
UpdatedAt int64 `json:"updated_at"`
}
// Cluster and member management types
type Member struct {
ID string `json:"id"`
@@ -215,6 +232,38 @@ type MerkleTreeDiffResponse struct {
Keys []string `json:"keys,omitempty"` // Actual keys if this is a leaf-level diff
}
// KeyListResponse is the response for _ls endpoint
type KeyListResponse struct {
Path string `json:"path"`
Children []struct {
Subkey string `json:"subkey"`
Timestamp int64 `json:"timestamp,omitempty"`
} `json:"children"`
Total int `json:"total"`
Truncated bool `json:"truncated"`
}
// KeyTreeResponse is the response for _tree endpoint
type KeyTreeResponse struct {
Path string `json:"path"`
Children []interface{} `json:"children"` // Mixed: either KeyTreeNode or KeyListItem for leaves
Total int `json:"total"`
Truncated bool `json:"truncated"`
}
// KeyTreeNode represents a node in the tree
type KeyTreeNode struct {
Subkey string `json:"subkey"`
Timestamp int64 `json:"timestamp,omitempty"`
Children []interface{} `json:"children,omitempty"`
}
// KeyListItem represents a leaf in the tree (without children)
type KeyListItem struct {
Subkey string `json:"subkey"`
Timestamp int64 `json:"timestamp,omitempty"`
}
// For fetching a range of KV pairs
type KVRangeRequest struct {
StartKey string `json:"start_key"`
@@ -277,4 +326,7 @@ type Config struct {
// Anonymous access control (Issue #5)
AllowAnonymousRead bool `yaml:"allow_anonymous_read"` // Allow unauthenticated read access to KV endpoints
AllowAnonymousWrite bool `yaml:"allow_anonymous_write"` // Allow unauthenticated write access to KV endpoints
}
// Key listing configuration
KeyListingEnabled bool `yaml:"key_listing_enabled"` // Enable/disable hierarchical key listing
}