database: added keys migration, get/insert, insert keys at launch if none are present

Philippe Loctaux 2023-03-12 18:45:55 +01:00
parent 7f11016a34
commit 8c37fc1181
15 changed files with 453 additions and 2 deletions


@ -0,0 +1 @@
drop table if exists keys;


@ -0,0 +1,8 @@
create table if not exists keys
(
id TEXT not null primary key,
created_at TEXT not null default CURRENT_TIMESTAMP,
revoked_at TEXT,
private_der BLOB not null,
public_der BLOB not null
);
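Review bot: `private_der BLOB not null` stores the signing key's private half in the same SQLite file as the rest of the application data, and nothing visible in this commit shows it being encrypted before it is written (the `to_der()` implementation is outside the page, so this is inferred). Anyone who can read the database file or a backup of it could then sign tokens. Consider wrapping the private DER with a key held outside the database, and at minimum record the expectation next to the column: `-- private_der holds unencrypted key material; restrict access to the database file and its backups`.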


@ -0,0 +1,8 @@
select id,
created_at as "created_at: DateTime<Utc>",
revoked_at as "revoked_at: DateTime<Utc>",
private_der,
public_der
from keys
order by created_at desc
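Review bot: This listing query returns `private_der` for every row, and the revoked-only and valid-only queries in the next two sections use the same column list. A caller that only enumerates keys to publish or verify with the public halves (callers are not visible on this page) would still load every private key, revoked ones included, into memory. Consider a public-only projection for the listing queries, `select id, created_at, revoked_at, public_der from keys`, mapped to a separate row struct. `private_der` would then be read only by the most-recent-key query used for signing.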


@ -0,0 +1,9 @@
select id,
created_at as "created_at: DateTime<Utc>",
revoked_at as "revoked_at: DateTime<Utc>",
private_der,
public_der
from keys
where revoked_at is not null
order by created_at desc


@ -0,0 +1,9 @@
select id,
created_at as "created_at: DateTime<Utc>",
revoked_at as "revoked_at: DateTime<Utc>",
private_der,
public_der
from keys
where revoked_at is null
order by created_at desc


@ -0,0 +1,10 @@
select id,
created_at as "created_at: DateTime<Utc>",
revoked_at as "revoked_at: DateTime<Utc>",
private_der,
public_der
from keys
where revoked_at is null
order by created_at desc
limit 1


@ -0,0 +1,2 @@
insert into keys (id, private_der, public_der)
values (?, ?, ?)


@ -30,6 +30,90 @@
}, },
"query": "insert into users (id, is_admin, username, password)\nvalues (?, ?, ?, ?)\n" "query": "insert into users (id, is_admin, username, password)\nvalues (?, ?, ?, ?)\n"
}, },
"56a9c0dff010858189a95087d014c7d0ce930da5d841b9d788a9c0e84b580bc6": {
"describe": {
"columns": [
{
"name": "id",
"ordinal": 0,
"type_info": "Text"
},
{
"name": "created_at: DateTime<Utc>",
"ordinal": 1,
"type_info": "Text"
},
{
"name": "revoked_at: DateTime<Utc>",
"ordinal": 2,
"type_info": "Text"
},
{
"name": "private_der",
"ordinal": 3,
"type_info": "Blob"
},
{
"name": "public_der",
"ordinal": 4,
"type_info": "Blob"
}
],
"nullable": [
false,
false,
true,
false,
false
],
"parameters": {
"Right": 0
}
},
"query": "select id,\n created_at as \"created_at: DateTime<Utc>\",\n revoked_at as \"revoked_at: DateTime<Utc>\",\n private_der,\n public_der\n\nfrom keys\norder by created_at desc\n"
},
"5f946348ad62389fab3c97a1563d1592cbc5180abbba6d5abd44326bf0862669": {
"describe": {
"columns": [
{
"name": "id",
"ordinal": 0,
"type_info": "Text"
},
{
"name": "created_at: DateTime<Utc>",
"ordinal": 1,
"type_info": "Text"
},
{
"name": "revoked_at: DateTime<Utc>",
"ordinal": 2,
"type_info": "Text"
},
{
"name": "private_der",
"ordinal": 3,
"type_info": "Blob"
},
{
"name": "public_der",
"ordinal": 4,
"type_info": "Blob"
}
],
"nullable": [
false,
false,
true,
false,
false
],
"parameters": {
"Right": 0
}
},
"query": "select id,\n created_at as \"created_at: DateTime<Utc>\",\n revoked_at as \"revoked_at: DateTime<Utc>\",\n private_der,\n public_der\n\nfrom keys\nwhere revoked_at is not null\norder by created_at desc\n"
},
"62c75412f673f6a293b0d188d79c50676ec21cf94e2e50e18f9279c91e6b85c8": { "62c75412f673f6a293b0d188d79c50676ec21cf94e2e50e18f9279c91e6b85c8": {
"describe": { "describe": {
"columns": [], "columns": [],
@ -166,6 +250,48 @@
}, },
"query": "select id,\n created_at as \"created_at: DateTime<Utc>\",\n updated_at as \"updated_at: DateTime<Utc>\",\n is_admin as \"is_admin: bool\",\n username,\n name,\n email,\n password,\n password_recover,\n paper_key,\n is_archived as \"is_archived: bool\"\nfrom users\n\nwhere email is (?)\n" "query": "select id,\n created_at as \"created_at: DateTime<Utc>\",\n updated_at as \"updated_at: DateTime<Utc>\",\n is_admin as \"is_admin: bool\",\n username,\n name,\n email,\n password,\n password_recover,\n paper_key,\n is_archived as \"is_archived: bool\"\nfrom users\n\nwhere email is (?)\n"
}, },
"6e1431ff2b4f589daaa7b221c1bc2a08ee378949fb27988531210ee75fc88298": {
"describe": {
"columns": [
{
"name": "id",
"ordinal": 0,
"type_info": "Text"
},
{
"name": "created_at: DateTime<Utc>",
"ordinal": 1,
"type_info": "Text"
},
{
"name": "revoked_at: DateTime<Utc>",
"ordinal": 2,
"type_info": "Text"
},
{
"name": "private_der",
"ordinal": 3,
"type_info": "Blob"
},
{
"name": "public_der",
"ordinal": 4,
"type_info": "Blob"
}
],
"nullable": [
false,
false,
true,
false,
false
],
"parameters": {
"Right": 0
}
},
"query": "select id,\n created_at as \"created_at: DateTime<Utc>\",\n revoked_at as \"revoked_at: DateTime<Utc>\",\n private_der,\n public_der\n\nfrom keys\nwhere revoked_at is null\norder by created_at desc\nlimit 1\n"
},
"87906834faa6f185aee0e4d893b9754908b1c173e9dce383663d723891a89cd1": { "87906834faa6f185aee0e4d893b9754908b1c173e9dce383663d723891a89cd1": {
"describe": { "describe": {
"columns": [], "columns": [],
@ -342,6 +468,48 @@
}, },
"query": "select u.id,\n u.created_at as \"created_at: DateTime<Utc>\",\n u.updated_at as \"updated_at: DateTime<Utc>\",\n u.is_admin as \"is_admin: bool\",\n u.username,\n u.name,\n u.email,\n u.password,\n u.password_recover,\n u.paper_key,\n u.is_archived as \"is_archived: bool\"\nfrom users u\n\n inner join settings s on u.id = s.first_admin\n\nwhere u.is_admin is 1\n and u.is_archived is 0\n and u.id is s.first_admin\n\nlimit 1" "query": "select u.id,\n u.created_at as \"created_at: DateTime<Utc>\",\n u.updated_at as \"updated_at: DateTime<Utc>\",\n u.is_admin as \"is_admin: bool\",\n u.username,\n u.name,\n u.email,\n u.password,\n u.password_recover,\n u.paper_key,\n u.is_archived as \"is_archived: bool\"\nfrom users u\n\n inner join settings s on u.id = s.first_admin\n\nwhere u.is_admin is 1\n and u.is_archived is 0\n and u.id is s.first_admin\n\nlimit 1"
}, },
"d166553746afb2d3eaa1ddcb9986b7b9723258f4051bce8287038e3dd1ac928a": {
"describe": {
"columns": [
{
"name": "id",
"ordinal": 0,
"type_info": "Text"
},
{
"name": "created_at: DateTime<Utc>",
"ordinal": 1,
"type_info": "Text"
},
{
"name": "revoked_at: DateTime<Utc>",
"ordinal": 2,
"type_info": "Text"
},
{
"name": "private_der",
"ordinal": 3,
"type_info": "Blob"
},
{
"name": "public_der",
"ordinal": 4,
"type_info": "Blob"
}
],
"nullable": [
false,
false,
true,
false,
false
],
"parameters": {
"Right": 0
}
},
"query": "select id,\n created_at as \"created_at: DateTime<Utc>\",\n revoked_at as \"revoked_at: DateTime<Utc>\",\n private_der,\n public_der\n\nfrom keys\nwhere revoked_at is null\norder by created_at desc\n"
},
"f4edf4567542eaead2e0db14b0d4197c5d3c1bc02da1897b571bf63bfcb4526a": { "f4edf4567542eaead2e0db14b0d4197c5d3c1bc02da1897b571bf63bfcb4526a": {
"describe": { "describe": {
"columns": [ "columns": [
@ -419,5 +587,15 @@
} }
}, },
"query": "select id,\n created_at as \"created_at: DateTime<Utc>\",\n updated_at as \"updated_at: DateTime<Utc>\",\n is_admin as \"is_admin: bool\",\n username,\n name,\n email,\n password,\n password_recover,\n paper_key,\n is_archived as \"is_archived: bool\"\nfrom users\n\nwhere id is (?)\n" "query": "select id,\n created_at as \"created_at: DateTime<Utc>\",\n updated_at as \"updated_at: DateTime<Utc>\",\n is_admin as \"is_admin: bool\",\n username,\n name,\n email,\n password,\n password_recover,\n paper_key,\n is_archived as \"is_archived: bool\"\nfrom users\n\nwhere id is (?)\n"
},
"f705411720bd037562f7e3622832262ac4c0a8fc0921fbd934d2b98146d3f413": {
"describe": {
"columns": [],
"nullable": [],
"parameters": {
"Right": 3
}
},
"query": "insert into keys (id, private_der, public_der)\nvalues (?, ?, ?)\n"
} }
} }


@ -1,5 +1,7 @@
mod keys;
mod settings; mod settings;
mod users; mod users;
pub use keys::Keys;
pub use settings::Settings; pub use settings::Settings;
pub use users::Users; pub use users::Users;


@ -0,0 +1,66 @@
use crate::error::{handle_error, Error};
use sqlx::sqlite::SqliteQueryResult;
use sqlx::types::chrono::{DateTime, Utc};
use sqlx::{FromRow, SqliteExecutor};
#[derive(FromRow)]
pub struct Keys {
pub id: String,
pub created_at: DateTime<Utc>,
pub revoked_at: Option<DateTime<Utc>>,
pub private_der: Vec<u8>,
pub public_der: Vec<u8>,
}
impl Keys {
pub async fn insert(
conn: impl SqliteExecutor<'_>,
id: &str,
private_der: &[u8],
public_der: &[u8],
) -> Result<Option<()>, Error> {
let query: SqliteQueryResult =
sqlx::query_file!("queries/keys/insert.sql", id, private_der, public_der)
.execute(conn)
.await
.map_err(handle_error)?;
Ok((query.rows_affected() == 1).then_some(()))
}
pub async fn get_most_recent(conn: impl SqliteExecutor<'_>) -> Result<Option<Self>, Error> {
sqlx::query_file_as!(Self, "queries/keys/get_most_recent.sql")
.fetch_optional(conn)
.await
.map_err(handle_error)
}
pub async fn get_all(
conn: impl SqliteExecutor<'_>,
filter_get_revoked: Option<bool>,
) -> Result<Vec<Self>, Error> {
match filter_get_revoked {
Some(true) => {
// Get all revoked keys
sqlx::query_file_as!(Self, "queries/keys/get_all_revoked.sql")
.fetch_all(conn)
.await
.map_err(handle_error)
}
Some(false) => {
// Get all valid keys
sqlx::query_file_as!(Self, "queries/keys/get_all_valid.sql")
.fetch_all(conn)
.await
.map_err(handle_error)
}
None => {
// Get all keys
sqlx::query_file_as!(Self, "queries/keys/get_all.sql")
.fetch_all(conn)
.await
.map_err(handle_error)
}
}
}
}
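Review bot: `filter_get_revoked: Option<bool>` on `get_all` encodes three modes that a caller can only learn by reading the match arms, and `insert` signals "no row written" as `Ok(None)` rather than as an error, which is equally undocumented. A doc comment on `get_all` would cover the first: `/// Some(true): only revoked keys; Some(false): only non-revoked keys; None: every key.` For `insert`: `/// Returns Ok(Some(())) when exactly one row was inserted, Ok(None) otherwise.` A small enum in place of the `Option<bool>` would make call sites self-describing, but the comments alone are enough to avoid a misread filter returning revoked keys.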


@ -1,5 +1,6 @@
use database_pool::run_migrations; use database_pool::run_migrations;
use rocket::fairing::AdHoc; use rocket::fairing::AdHoc;
use rocket::tokio::task;
use rocket::{error, fairing, info, Build, Rocket}; use rocket::{error, fairing, info, Build, Rocket};
use rocket_db_pools::{sqlx, Database as RocketDatabase}; use rocket_db_pools::{sqlx, Database as RocketDatabase};
use settings::Settings; use settings::Settings;
@ -42,12 +43,87 @@ impl Database {
} else { } else {
info!("Found existing settings in database"); info!("Found existing settings in database");
} }
Ok(rocket)
} }
Err(e) => { Err(e) => {
error!("Failed to interact with settings: {}", e); error!("Failed to interact with settings: {}", e);
Err(rocket) return Err(rocket);
}
}
// Make sure at least one key is available on startup
match jwt::database::Key::get_most_recent(&db.0).await {
Ok(most_recent) => match most_recent {
Some(most_recent) => {
info!(
"Most recent key: {}\t{}",
most_recent.key_id(),
most_recent.created_at()
);
}
None => {
info!("No valid keys are present. Starting generation...");
// Generate key id
let key_id = match task::spawn_blocking(id::KeyID::default).await {
Ok(key_id) => {
info!("Generated KeyID {}", key_id);
key_id
}
Err(e) => {
error!("Failed to run KeyID generation: {}", e);
return Err(rocket);
}
};
// Generate keys
info!("Starting key generation. This should not be long.");
let key_id_for_generation = key_id.clone();
let new_keys = match task::spawn_blocking(move || {
jwt::generate(&key_id_for_generation)
})
.await
{
Ok(res) => match res {
Ok(keys) => {
info!("Generated public and private key! Starting to save in database.");
keys
}
Err(e) => {
error!("Failed to generate keys: {}", e);
return Err(rocket);
}
},
Err(e) => {
error!("Failed to run key generation: {}", e);
return Err(rocket);
}
};
// Insert keys in database
match jwt::database::save_new_keys(&db.0, &key_id, &new_keys.0, &new_keys.1)
.await
{
Ok(Some(())) => {
info!("Saved keys with id {}", key_id);
}
Ok(None) => {
error!("Keys got generated, but they were not saved in database");
return Err(rocket);
}
Err(e) => {
error!("Failed to save keys in database: {}", e);
return Err(rocket);
} }
} }
} }
},
Err(e) => {
error!("Failed to interact with keys: {}", e);
return Err(rocket);
}
}
info!("Ready to launch!");
Ok(rocket)
}
} }
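Review bot: The startup check is not atomic: it reads the most recent key and, in the `None` arm, generates and inserts a new one as separate statements on `&db.0`. If two instances were ever started against the same database file, each could see no key and insert its own; whether that can happen depends on deployment, which this page does not show. A comment at the `None` arm would make the assumption explicit: `// assumes a single instance owns this database at launch; wrap check and insert in a transaction otherwise`. The enclosing function starts above this hunk.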


@ -10,6 +10,8 @@ serde = { workspace = true }
serde_json = { workspace = true } serde_json = { workspace = true }
rand = "0.8.5" rand = "0.8.5"
rsa = "0.7.2" rsa = "0.7.2"
chrono = { workspace = true }
# local crates # local crates
id = { path = "../id" } id = { path = "../id" }
database = { path = "../database" }


@ -0,0 +1,76 @@
use crate::{Error, PrivateKey, PublicKey};
use chrono::{DateTime, Utc};
use database::sqlx::SqliteExecutor;
use database::Keys as DatabaseKeys;
use id::KeyID;
pub async fn save_new_keys(
conn: impl SqliteExecutor<'_>,
id: &KeyID,
private: &PrivateKey,
public: &PublicKey,
) -> Result<Option<()>, Error> {
Ok(DatabaseKeys::insert(
conn,
&id.0,
private.to_der()?.as_slice(),
public.to_der()?.as_slice(),
)
.await?)
}
#[derive(Debug)]
pub struct Key {
id: KeyID,
created_at: DateTime<Utc>,
revoked_at: Option<DateTime<Utc>>,
private_der: Vec<u8>,
public_der: Vec<u8>,
}
impl Key {
pub fn key_id(&self) -> &KeyID {
&self.id
}
pub fn created_at(&self) -> DateTime<Utc> {
self.created_at
}
pub fn private_der(&self) -> &[u8] {
&self.private_der
}
pub fn public_der(&self) -> &[u8] {
&self.public_der
}
}
impl From<DatabaseKeys> for Key {
fn from(db: DatabaseKeys) -> Self {
Self {
id: KeyID(db.id),
created_at: db.created_at,
revoked_at: db.revoked_at,
private_der: db.private_der,
public_der: db.public_der,
}
}
}
impl Key {
pub async fn get_most_recent(conn: impl SqliteExecutor<'_>) -> Result<Option<Self>, Error> {
Ok(DatabaseKeys::get_most_recent(conn).await?.map(Self::from))
}
pub async fn get_all(
conn: impl SqliteExecutor<'_>,
filter_get_revoked: Option<bool>,
) -> Result<Vec<Self>, Error> {
Ok(DatabaseKeys::get_all(conn, filter_get_revoked)
.await?
.into_iter()
.map(Self::from)
.collect::<Vec<_>>())
}
}
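Review bot: `#[derive(Debug)]` on `Key` means any `{:?}` of a key, for example in a log macro or a panic message, would print the raw `private_der` bytes. Replace the derive with a hand-written `Debug` that keeps the identifier, timestamps and public half but redacts the private half, as sketched below. `KeyID` already has to implement `Debug` for the current derive to compile, so the manual impl needs nothing new.

```rust
// replaces #[derive(Debug)] on `pub struct Key`
impl std::fmt::Debug for Key {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("Key")
            .field("id", &self.id)
            .field("created_at", &self.created_at)
            .field("revoked_at", &self.revoked_at)
            // Never print private key material, even in debug output.
            .field("private_der", &"<redacted>")
            .field("public_der", &self.public_der)
            .finish()
    }
}
// … unchanged: accessors, From<DatabaseKeys>, get_most_recent, get_all …
```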


@ -3,6 +3,9 @@
// the rest // the rest
#[derive(Debug)] #[derive(Debug)]
pub enum Error { pub enum Error {
#[error("Database: {0}")]
Database(#[from] database::Error),
#[error("Failed to generate key: `{0}`")] #[error("Failed to generate key: `{0}`")]
Generation(#[from] rsa::errors::Error), Generation(#[from] rsa::errors::Error),


@ -1,5 +1,6 @@
extern crate core; extern crate core;
pub mod database;
mod error; mod error;
mod jwk; mod jwk;
mod key; mod key;