something
This commit is contained in:
@@ -6,7 +6,8 @@ import (
|
||||
"database/sql"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"os"
|
||||
"jiggablend/internal/config"
|
||||
"jiggablend/internal/database"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
@@ -14,21 +15,14 @@ import (
|
||||
|
||||
// Secrets handles API key management
|
||||
type Secrets struct {
|
||||
db *sql.DB
|
||||
db *database.DB
|
||||
cfg *config.Config
|
||||
RegistrationMu sync.Mutex // Protects concurrent runner registrations
|
||||
fixedAPIKey string // Fixed API key from environment variable (optional)
|
||||
}
|
||||
|
||||
// NewSecrets creates a new secrets manager
|
||||
func NewSecrets(db *sql.DB) (*Secrets, error) {
|
||||
s := &Secrets{db: db}
|
||||
|
||||
// Check for fixed API key from environment
|
||||
if fixedKey := os.Getenv("FIXED_API_KEY"); fixedKey != "" {
|
||||
s.fixedAPIKey = fixedKey
|
||||
}
|
||||
|
||||
return s, nil
|
||||
func NewSecrets(db *database.DB, cfg *config.Config) (*Secrets, error) {
|
||||
return &Secrets{db: db, cfg: cfg}, nil
|
||||
}
|
||||
|
||||
// APIKeyInfo represents information about an API key
|
||||
@@ -61,25 +55,34 @@ func (s *Secrets) GenerateRunnerAPIKey(createdBy int64, name, description string
|
||||
keyHash := sha256.Sum256([]byte(key))
|
||||
keyHashStr := hex.EncodeToString(keyHash[:])
|
||||
|
||||
_, err = s.db.Exec(
|
||||
var keyInfo APIKeyInfo
|
||||
err = s.db.With(func(conn *sql.DB) error {
|
||||
result, err := conn.Exec(
|
||||
`INSERT INTO runner_api_keys (key_prefix, key_hash, name, description, scope, is_active, created_by)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?)`,
|
||||
keyPrefix, keyHashStr, name, description, scope, true, createdBy,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to store API key: %w", err)
|
||||
return fmt.Errorf("failed to store API key: %w", err)
|
||||
}
|
||||
|
||||
keyID, err := result.LastInsertId()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get inserted key ID: %w", err)
|
||||
}
|
||||
|
||||
// Get the inserted key info
|
||||
var keyInfo APIKeyInfo
|
||||
err = s.db.QueryRow(
|
||||
err = conn.QueryRow(
|
||||
`SELECT id, name, description, scope, is_active, created_at, created_by
|
||||
FROM runner_api_keys WHERE key_prefix = ?`,
|
||||
keyPrefix,
|
||||
FROM runner_api_keys WHERE id = ?`,
|
||||
keyID,
|
||||
).Scan(&keyInfo.ID, &keyInfo.Name, &keyInfo.Description, &keyInfo.Scope, &keyInfo.IsActive, &keyInfo.CreatedAt, &keyInfo.CreatedBy)
|
||||
|
||||
return err
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to retrieve created API key: %w", err)
|
||||
return nil, fmt.Errorf("failed to create API key: %w", err)
|
||||
}
|
||||
|
||||
keyInfo.Key = key
|
||||
@@ -91,18 +94,25 @@ func (s *Secrets) generateAPIKey() (string, error) {
|
||||
// Generate random suffix
|
||||
randomBytes := make([]byte, 16)
|
||||
if _, err := rand.Read(randomBytes); err != nil {
|
||||
return "", err
|
||||
return "", fmt.Errorf("failed to generate random bytes: %w", err)
|
||||
}
|
||||
randomStr := hex.EncodeToString(randomBytes)
|
||||
|
||||
// Generate a unique prefix (jk_r followed by 1 random digit)
|
||||
prefixDigit := make([]byte, 1)
|
||||
if _, err := rand.Read(prefixDigit); err != nil {
|
||||
return "", err
|
||||
return "", fmt.Errorf("failed to generate prefix digit: %w", err)
|
||||
}
|
||||
|
||||
prefix := fmt.Sprintf("jk_r%d", prefixDigit[0]%10)
|
||||
return fmt.Sprintf("%s_%s", prefix, randomStr), nil
|
||||
key := fmt.Sprintf("%s_%s", prefix, randomStr)
|
||||
|
||||
// Validate generated key format
|
||||
if !strings.HasPrefix(key, "jk_r") {
|
||||
return "", fmt.Errorf("generated invalid API key format: %s", key)
|
||||
}
|
||||
|
||||
return key, nil
|
||||
}
|
||||
|
||||
// ValidateRunnerAPIKey validates an API key and returns the key ID and scope if valid
|
||||
@@ -111,8 +121,9 @@ func (s *Secrets) ValidateRunnerAPIKey(apiKey string) (int64, string, error) {
|
||||
return 0, "", fmt.Errorf("API key is required")
|
||||
}
|
||||
|
||||
// Check fixed API key first (for testing/development)
|
||||
if s.fixedAPIKey != "" && apiKey == s.fixedAPIKey {
|
||||
// Check fixed API key first (from database config)
|
||||
fixedKey := s.cfg.FixedAPIKey()
|
||||
if fixedKey != "" && apiKey == fixedKey {
|
||||
// Return a special ID for fixed API key (doesn't exist in database)
|
||||
return -1, "manager", nil
|
||||
}
|
||||
@@ -137,42 +148,50 @@ func (s *Secrets) ValidateRunnerAPIKey(apiKey string) (int64, string, error) {
|
||||
var scope string
|
||||
var isActive bool
|
||||
|
||||
err := s.db.QueryRow(
|
||||
err := s.db.With(func(conn *sql.DB) error {
|
||||
err := conn.QueryRow(
|
||||
`SELECT id, scope, is_active FROM runner_api_keys
|
||||
WHERE key_prefix = ? AND key_hash = ?`,
|
||||
keyPrefix, keyHashStr,
|
||||
).Scan(&keyID, &scope, &isActive)
|
||||
|
||||
if err == sql.ErrNoRows {
|
||||
return 0, "", fmt.Errorf("API key not found or invalid - please check that the key is correct and active")
|
||||
return fmt.Errorf("API key not found or invalid - please check that the key is correct and active")
|
||||
}
|
||||
if err != nil {
|
||||
return 0, "", fmt.Errorf("failed to validate API key: %w", err)
|
||||
return fmt.Errorf("failed to validate API key: %w", err)
|
||||
}
|
||||
|
||||
if !isActive {
|
||||
return 0, "", fmt.Errorf("API key is inactive")
|
||||
return fmt.Errorf("API key is inactive")
|
||||
}
|
||||
|
||||
// Update last_used_at (don't fail if this update fails)
|
||||
s.db.Exec(`UPDATE runner_api_keys SET last_used_at = ? WHERE id = ?`, time.Now(), keyID)
|
||||
conn.Exec(`UPDATE runner_api_keys SET last_used_at = ? WHERE id = ?`, time.Now(), keyID)
|
||||
return nil
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return 0, "", err
|
||||
}
|
||||
|
||||
return keyID, scope, nil
|
||||
}
|
||||
|
||||
// ListRunnerAPIKeys lists all runner API keys
|
||||
func (s *Secrets) ListRunnerAPIKeys() ([]APIKeyInfo, error) {
|
||||
rows, err := s.db.Query(
|
||||
var keys []APIKeyInfo
|
||||
err := s.db.With(func(conn *sql.DB) error {
|
||||
rows, err := conn.Query(
|
||||
`SELECT id, key_prefix, name, description, scope, is_active, created_at, created_by
|
||||
FROM runner_api_keys
|
||||
ORDER BY created_at DESC`,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to query API keys: %w", err)
|
||||
return fmt.Errorf("failed to query API keys: %w", err)
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
var keys []APIKeyInfo
|
||||
for rows.Next() {
|
||||
var key APIKeyInfo
|
||||
var description sql.NullString
|
||||
@@ -188,20 +207,28 @@ func (s *Secrets) ListRunnerAPIKeys() ([]APIKeyInfo, error) {
|
||||
|
||||
keys = append(keys, key)
|
||||
}
|
||||
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return keys, nil
|
||||
}
|
||||
|
||||
// RevokeRunnerAPIKey revokes (deactivates) a runner API key
|
||||
func (s *Secrets) RevokeRunnerAPIKey(keyID int64) error {
|
||||
_, err := s.db.Exec("UPDATE runner_api_keys SET is_active = false WHERE id = ?", keyID)
|
||||
return s.db.With(func(conn *sql.DB) error {
|
||||
_, err := conn.Exec("UPDATE runner_api_keys SET is_active = false WHERE id = ?", keyID)
|
||||
return err
|
||||
})
|
||||
}
|
||||
|
||||
// DeleteRunnerAPIKey deletes a runner API key
|
||||
func (s *Secrets) DeleteRunnerAPIKey(keyID int64) error {
|
||||
_, err := s.db.Exec("DELETE FROM runner_api_keys WHERE id = ?", keyID)
|
||||
return s.db.With(func(conn *sql.DB) error {
|
||||
_, err := conn.Exec("DELETE FROM runner_api_keys WHERE id = ?", keyID)
|
||||
return err
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user