Compare commits
	
		
			2 Commits
		
	
	
		
			metadata-a
			...
			46e246374d
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|   | 46e246374d | ||
|   | 0b7af92761 | 
							
								
								
									
										27
									
								
								auth/auth.go
									
									
									
									
									
								
							
							
						
						
									
										27
									
								
								auth/auth.go
									
									
									
									
									
								
							| @@ -39,7 +39,7 @@ func NewAuthService(db *badger.DB, logger *logrus.Logger) *AuthService { | ||||
| // StoreAPIToken stores an API token in BadgerDB with TTL | ||||
| func (s *AuthService) StoreAPIToken(tokenString string, userUUID string, scopes []string, expiresAt int64) error { | ||||
| 	tokenHash := utils.HashToken(tokenString) | ||||
| 	 | ||||
|  | ||||
| 	apiToken := types.APIToken{ | ||||
| 		TokenHash: tokenHash, | ||||
| 		UserUUID:  userUUID, | ||||
| @@ -55,13 +55,13 @@ func (s *AuthService) StoreAPIToken(tokenString string, userUUID string, scopes | ||||
|  | ||||
| 	return s.db.Update(func(txn *badger.Txn) error { | ||||
| 		entry := badger.NewEntry([]byte(TokenStorageKey(tokenHash)), tokenData) | ||||
| 		 | ||||
|  | ||||
| 		// Set TTL to the token expiration time | ||||
| 		ttl := time.Until(time.Unix(expiresAt, 0)) | ||||
| 		if ttl > 0 { | ||||
| 			entry = entry.WithTTL(ttl) | ||||
| 		} | ||||
| 		 | ||||
|  | ||||
| 		return txn.SetEntry(entry) | ||||
| 	}) | ||||
| } | ||||
| @@ -69,7 +69,7 @@ func (s *AuthService) StoreAPIToken(tokenString string, userUUID string, scopes | ||||
| // GetAPIToken retrieves an API token from BadgerDB by hash | ||||
| func (s *AuthService) GetAPIToken(tokenHash string) (*types.APIToken, error) { | ||||
| 	var apiToken types.APIToken | ||||
| 	 | ||||
|  | ||||
| 	err := s.db.View(func(txn *badger.Txn) error { | ||||
| 		item, err := txn.Get([]byte(TokenStorageKey(tokenHash))) | ||||
| 		if err != nil { | ||||
| @@ -202,4 +202,21 @@ func GetAuthContext(ctx context.Context) *AuthContext { | ||||
| 		return authCtx | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| } | ||||
|  | ||||
| // HasUsers checks if any users exist in the database | ||||
| func (s *AuthService) HasUsers() (bool, error) { | ||||
| 	var has bool | ||||
| 	err := s.db.View(func(txn *badger.Txn) error { | ||||
| 		opts := badger.DefaultIteratorOptions | ||||
| 		opts.PrefetchValues = false // Only need keys | ||||
| 		it := txn.NewIterator(opts) | ||||
| 		defer it.Close() | ||||
|  | ||||
| 		prefix := []byte("user:") // Adjust if UserStorageKey uses a different prefix | ||||
| 		it.Seek(prefix) | ||||
| 		has = it.ValidForPrefix(prefix) | ||||
| 		return nil | ||||
| 	}) | ||||
| 	return has, err | ||||
| } | ||||
|   | ||||
| @@ -8,15 +8,18 @@ import ( | ||||
| 	"path/filepath" | ||||
| 	"sync" | ||||
| 	"time" | ||||
| 	"encoding/json" | ||||
|  | ||||
| 	"github.com/dgraph-io/badger/v4" | ||||
| 	"github.com/robfig/cron/v3" | ||||
| 	"github.com/sirupsen/logrus" | ||||
| 	"github.com/google/uuid" | ||||
|  | ||||
| 	"kvs/auth" | ||||
| 	"kvs/cluster" | ||||
| 	"kvs/storage" | ||||
| 	"kvs/types" | ||||
| 	"kvs/utils" | ||||
| ) | ||||
|  | ||||
| // Server represents the KVS node | ||||
| @@ -117,6 +120,100 @@ func NewServer(config *types.Config) (*Server, error) { | ||||
| 	// Initialize authentication service | ||||
| 	server.authService = auth.NewAuthService(db, logger) | ||||
|  | ||||
| 	// New: Initial root account setup for empty DB with no seeds | ||||
| 	if len(config.SeedNodes) == 0 { | ||||
| 		hasUsers, err := server.authService.HasUsers() | ||||
| 		if err != nil { | ||||
| 			return nil, fmt.Errorf("failed to check for existing users: %v", err) | ||||
| 		} | ||||
| 		if !hasUsers { | ||||
| 			server.logger.Info("Detected empty database with no seed nodes; creating initial root account") | ||||
|  | ||||
| 			now := time.Now().Unix() | ||||
|  | ||||
| 			// Create admin group | ||||
| 			adminGroupUUID := uuid.NewString() | ||||
| 			hashedGroupName := utils.HashGroupName("admin") | ||||
| 			adminGroup := types.Group{ | ||||
| 				UUID:      adminGroupUUID, | ||||
| 				NameHash:  hashedGroupName, | ||||
| 				Members:   []string{}, | ||||
| 				CreatedAt: now, | ||||
| 				UpdatedAt: now, | ||||
| 			} | ||||
| 			groupData, err := json.Marshal(adminGroup) | ||||
| 			if err != nil { | ||||
| 				return nil, fmt.Errorf("failed to marshal admin group: %v", err) | ||||
| 			} | ||||
| 			err = db.Update(func(txn *badger.Txn) error { | ||||
| 				return txn.Set([]byte(auth.GroupStorageKey(adminGroupUUID)), groupData) | ||||
| 			}) | ||||
| 			if err != nil { | ||||
| 				return nil, fmt.Errorf("failed to store admin group: %v", err) | ||||
| 			} | ||||
|  | ||||
| 			// Create root user | ||||
| 			rootUUID := uuid.NewString() | ||||
| 			hashedNickname := utils.HashUserNickname("root") | ||||
| 			rootUser := types.User{ | ||||
| 				UUID:         rootUUID, | ||||
| 				NicknameHash: hashedNickname, | ||||
| 				Groups:       []string{adminGroupUUID}, | ||||
| 				CreatedAt:    now, | ||||
| 				UpdatedAt:    now, | ||||
| 			} | ||||
| 			userData, err := json.Marshal(rootUser) | ||||
| 			if err != nil { | ||||
| 				return nil, fmt.Errorf("failed to marshal root user: %v", err) | ||||
| 			} | ||||
| 			err = db.Update(func(txn *badger.Txn) error { | ||||
| 				return txn.Set([]byte(auth.UserStorageKey(rootUUID)), userData) | ||||
| 			}) | ||||
| 			if err != nil { | ||||
| 				return nil, fmt.Errorf("failed to store root user: %v", err) | ||||
| 			} | ||||
|  | ||||
| 			// Update admin group to include root user (bidirectional) | ||||
| 			adminGroup.Members = append(adminGroup.Members, rootUUID) | ||||
| 			groupData, err = json.Marshal(adminGroup) | ||||
| 			if err != nil { | ||||
| 				return nil, fmt.Errorf("failed to marshal updated admin group: %v", err) | ||||
| 			} | ||||
| 			err = db.Update(func(txn *badger.Txn) error { | ||||
| 				return txn.Set([]byte(auth.GroupStorageKey(adminGroupUUID)), groupData) | ||||
| 			}) | ||||
| 			if err != nil { | ||||
| 				return nil, fmt.Errorf("failed to update admin group: %v", err) | ||||
| 			} | ||||
|  | ||||
| 			// Generate and store API token | ||||
| 			scopes := []string{"admin", "read", "write", "create", "delete"} | ||||
| 			expirationHours := 8760 // 1 year | ||||
| 			tokenString, expiresAt, err := auth.GenerateJWT(rootUUID, scopes, expirationHours) | ||||
| 			if err != nil { | ||||
| 				return nil, fmt.Errorf("failed to generate JWT: %v", err) | ||||
| 			} | ||||
| 			err = server.authService.StoreAPIToken(tokenString, rootUUID, scopes, expiresAt) | ||||
| 			if err != nil { | ||||
| 				return nil, fmt.Errorf("failed to store API token: %v", err) | ||||
| 			} | ||||
|  | ||||
| 			// Log the details securely (only once, to stderr) | ||||
| 			fmt.Fprintf(os.Stderr, ` | ||||
| *************************************************************************** | ||||
| WARNING: Initial root user created for new server instance. | ||||
| Save this information securely—it will not be shown again. | ||||
|  | ||||
| Root User UUID: %s | ||||
| API Token (Bearer): %s | ||||
| Expires At: %s (UTC) | ||||
|  | ||||
| Use this token for authentication in API requests. Change or revoke it immediately via the API for security. | ||||
| *************************************************************************** | ||||
| `, rootUUID, tokenString, time.Unix(expiresAt, 0).UTC()) | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// Initialize Merkle tree using cluster service | ||||
| 	if err := server.syncService.InitializeMerkleTree(); err != nil { | ||||
| 		return nil, fmt.Errorf("failed to initialize Merkle tree: %v", err) | ||||
|   | ||||
		Reference in New Issue
	
	Block a user