feat: Refactor and enhance user initialization and role handling.

This update introduces user initialization via a YAML file and role-based scope encryption for tokens. It also refactors database collection access across repositories and consolidates password handling and validation into utilities. Additionally, it includes new CLI and HTTP stream handling functionality.

Author: eliasmeireles

DockerfileBuild

@@ -17,6 +17,7 @@ COPY . .
 RUN go build -o wireguard-api cmd/server/main.go
 RUN go build -o api-key-generator cmd/generator/api_secret/main.go
 RUN go build -o wireguard-tools cmd/cli/main.go
+RUN go build -o wireguard-stream cmd/stream/main.go
 
 FROM alpine:latest
 
@@ -29,6 +30,8 @@ RUN mkdir -p /output
 COPY --from=builder /app/wireguard-api /bin/wireguard-api
 COPY --from=builder /app/api-key-generator /bin/api-key-generator
 COPY --from=builder /app/wireguard-tools /bin/wireguard-tools
+COPY --from=builder /app/wireguard-stream /bin/wireguard-stream
 COPY --from=builder /app/scripts/docker/compiler/build /bin/build
 
+
 CMD ["sh", "/bin/build"]

cmd/server/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"github.com/softwareplace/wireguard-api/pkg/domain/db"
 	"github.com/softwareplace/wireguard-api/pkg/domain/service/peer"
+	"github.com/softwareplace/wireguard-api/pkg/domain/service/user"
 	"github.com/softwareplace/wireguard-api/pkg/handlers"
 	"github.com/softwareplace/wireguard-api/pkg/router"
 )
@@ -12,5 +13,6 @@ func main() {
 	api := router.GetApiRouterHandler()
 	handlers.Init(api)
 	peer.GetService().Load()
+	user.GetService().Init()
 	api.StartServer()
 }

dev/conf.yaml

@@ -3,11 +3,11 @@ current-server: development
 current-profile: eliasmeireles
 servers:
   - name: development
-    host: http://localhost:8080/api/private-network/v1
+    host: http://localhost:1080/api/private-network/v1/
     apiKey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnQiOiJTb2Z0d2FyZSBQbGFjZSBDTyIsImV4cCI6MjA1MTYwMzA2Mywia2V5IjoibDNWcEovQmY1eTZhcVRpZGxZUy9meTZoY2lObTNqRzdvQWxHS2kzZVU5NkNWeHZITFVpeDl3PT0ifQ.2YJ3aBYT_3SgqTqhEyNJwK6iglCYCHvPRbCWc4MKzp0
     description: Development server
 profiles:
   - name: eliasmeireles
     description: Development server
-    authorization-id: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MzYzNDY4NDEsInJlcXVlc3QiOiJkUkpDcENtY1RST2JpRmdKVHl0dVpIdjJFZnRkaDd2aGdzdzNhb0xwNTJQblVvWWZhTm9rdytHRUltLzdWRFZKIiwic2NvcGUiOiJhRXMyUVk4UW1HaWRUVVh6cGlEY1IzaVJ5dk9xIn0.chRBSwLtJ5dm9-z6ZHIZdl6pb-43jUnLcqlYwBBlHtM
-    expires: "1736346841"
+    authorization-id: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MzYzNTUxNjMsInJlcXVlc3QiOiJrRG5ud2wzd3hteHNiRXo5eFpwT1RTNWUxTmFCakluaC9VUEdlWHpJWUZSVlBKRG11OXBRdW1ENHBXZTlrWll4Iiwic2NvcGUiOiI5WkVrVkJhdXNSemZFTUlMTWsxV3JDOXM3dXhCVkY3aVNYZk8wMWpRY1E9PSJ9.dDheBDMI1q6z35xzO_Zx_oFSprOFrul6kfV9wvS_spw
+    expires: "1736355163"

dev/init.yaml

@@ -0,0 +1,11 @@
+user:
+  username: my-username
+  email: user@email.com
+  password: ynT9558iiMga&ayTVGs3Gc6ug1
+  status: ACTIVE
+  roles:
+    - "resource:peers:get:peer"
+    - "resource:api-secret:generate"
+    - "resource:users:update:user"
+    - "resource:users:create:user"
+

pkg/auth/access_validation.go

@@ -1,28 +1,13 @@
 package auth
 
 import (
-	"github.com/softwareplace/wireguard-api/pkg/domain/repository/user"
-	"github.com/softwareplace/wireguard-api/pkg/domain/service/security"
 	"github.com/softwareplace/wireguard-api/pkg/handlers/request"
+	"github.com/softwareplace/wireguard-api/pkg/handlers/shared"
 	"github.com/softwareplace/wireguard-api/pkg/models"
 	"log"
 	"net/http"
-	"sync"
 )
 
-var (
-	openPath           []string
-	openPathLock       sync.RWMutex
-	apiSecurityService = security.GetApiSecurityService()
-	usersRepo          = user.Repository()
-)
-
-func AddOpenPath(path string) {
-	openPathLock.Lock()
-	defer openPathLock.Unlock()
-	openPath = append(openPath, path)
-}
-
 func AccessValidation(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		openPathLock.RLock()
@@ -42,12 +27,52 @@ func AccessValidation(next http.Handler) http.Handler {
 			if !success {
 				return
 			}
+
+			if !hasResourceAccess(w, r, ctx) {
+				return
+			}
 		}
 
 		next.ServeHTTP(w, ctx.Request)
 	})
 }
 
+func hasResourceAccess(w http.ResponseWriter, r *http.Request, ctx request.ApiRequestContext) bool {
+	userRoles, err := ctx.GetRoles()
+
+	if err != nil {
+		shared.MakeErrorResponse(w, "You are not allowed to access this resource", http.StatusUnauthorized)
+		return false
+	}
+
+	accessRoles, hasRoles := GetRolesForPath(r)
+
+	if !hasRoles {
+		shared.MakeErrorResponse(w, "You are not allowed to access this resource", http.StatusUnauthorized)
+		return false
+	}
+
+	hasAccess := false
+
+	for _, userRole := range userRoles {
+		for _, accessRole := range accessRoles {
+			if userRole == accessRole {
+				hasAccess = true
+				break
+			}
+		}
+		if hasAccess {
+			break
+		}
+	}
+
+	if !hasAccess {
+		shared.MakeErrorResponse(w, "You are not allowed to access this resource", http.StatusUnauthorized)
+		return false
+	}
+	return true
+}
+
 func _nextValidation(ctx *request.ApiRequestContext) (*models.User, bool) {
 	accessContext := ctx.GetAccessContext()
 	userData, err := usersRepo.FindUserBySalt(accessContext.AccessId)

pkg/auth/data.go

@@ -0,0 +1,36 @@
+package auth
+
+import (
+	"github.com/softwareplace/wireguard-api/pkg/domain/repository/user"
+	"github.com/softwareplace/wireguard-api/pkg/domain/service/security"
+	"net/http"
+	"sync"
+)
+
+var (
+	roles              = make(map[string][]string)
+	openPath           []string
+	openPathLock       sync.RWMutex
+	apiSecurityService = security.GetApiSecurityService()
+	usersRepo          = user.Repository()
+)
+
+func AddOpenPath(path string) {
+	openPathLock.Lock()
+	defer openPathLock.Unlock()
+	openPath = append(openPath, path)
+}
+
+func AddRoles(path string, requiredRoles ...string) {
+	if len(requiredRoles) > 0 {
+		roles[path] = requiredRoles
+	}
+}
+
+func GetRolesForPath(r *http.Request) ([]string, bool) {
+	path := r.Method + "::" + r.URL.Path
+	if roles[path] != nil {
+		return roles[path], true
+	}
+	return nil, false
+}

pkg/domain/repository/peer/peer_repository.go

@@ -3,7 +3,6 @@ package peer
 import (
 	"context"
 	"errors"
-	"github.com/softwareplace/wireguard-api/pkg/domain/db"
 	"github.com/softwareplace/wireguard-api/pkg/models"
 	"github.com/softwareplace/wireguard-api/pkg/utils/date"
 	"go.mongodb.org/mongo-driver/bson"
@@ -13,7 +12,7 @@ import (
 )
 
 func (r *repositoryImpl) SaveAll(peers []models.Peer) error {
-	database := db.GetDB().Collection("peers")
+	database := r.collection()
 
 	for _, peer := range peers {
 		filter := bson.M{"fileName": peer.FileName}
@@ -48,7 +47,7 @@ func (r *repositoryImpl) SaveAll(peers []models.Peer) error {
 }
 
 func (r *repositoryImpl) Save(peer models.Peer) error {
-	database := db.GetDB().Collection("peers")
+	database := r.collection()
 	nowToString := date.NowToString()
 	peer.UpdatedAt = nowToString
 	peer.CreatedAt = nowToString
@@ -63,7 +62,7 @@ func (r *repositoryImpl) Save(peer models.Peer) error {
 }
 
 func (r *repositoryImpl) GetAvailablePeer() (*models.Peer, error) {
-	database := db.GetDB().Collection("peers")
+	database := r.collection()
 
 	var peer models.Peer
 	err := database.FindOne(context.Background(), bson.M{}).Decode(&peer)

pkg/domain/repository/peer/repository.go

@@ -1,15 +1,27 @@
 package peer
 
-import "github.com/softwareplace/wireguard-api/pkg/models"
+import (
+	"github.com/softwareplace/wireguard-api/pkg/domain/db"
+	"github.com/softwareplace/wireguard-api/pkg/models"
+	"go.mongodb.org/mongo-driver/mongo"
+)
 
 type Repository interface {
 	SaveAll(peers []models.Peer) error
 	Save(peer models.Peer) error
 	GetAvailablePeer() (*models.Peer, error)
 }
 
-type repositoryImpl struct{}
+type repositoryImpl struct {
+	database *mongo.Database
+}
 
 func GetRepository() Repository {
-	return &repositoryImpl{}
+	return &repositoryImpl{
+		database: db.GetDB(),
+	}
+}
+
+func (r *repositoryImpl) collection() *mongo.Collection {
+	return r.database.Collection("peers")
 }

pkg/domain/repository/user/users_repository.go

@@ -1,7 +1,9 @@
 package user
 
 import (
+	"github.com/softwareplace/wireguard-api/pkg/domain/db"
 	"github.com/softwareplace/wireguard-api/pkg/models"
+	"go.mongodb.org/mongo-driver/mongo"
 )
 
 type UsersRepository interface {
@@ -14,8 +16,15 @@ type UsersRepository interface {
 }
 
 type usersRepositoryImpl struct {
+	database *mongo.Database
+}
+
+func (r *usersRepositoryImpl) collection() *mongo.Collection {
+	return r.database.Collection("users")
 }
 
 func Repository() UsersRepository {
-	return &usersRepositoryImpl{}
+	return &usersRepositoryImpl{
+		database: db.GetDB(),
+	}
 }

pkg/domain/repository/user/users_repository_impl.go

@@ -3,15 +3,14 @@ package user
 import (
 	"context"
 	"fmt"
-	"github.com/softwareplace/wireguard-api/pkg/domain/db"
 	"github.com/softwareplace/wireguard-api/pkg/models"
 	"github.com/softwareplace/wireguard-api/pkg/utils/date"
 	"go.mongodb.org/mongo-driver/bson"
 	"log"
 )
 
-func (impl *usersRepositoryImpl) Save(user models.User) error {
-	collection := db.GetDB().Collection("users")
+func (r *usersRepositoryImpl) Save(user models.User) error {
+	collection := r.collection()
 
 	nowToString := date.NowToString()
 	user.CreatedAt = nowToString
@@ -21,8 +20,8 @@ func (impl *usersRepositoryImpl) Save(user models.User) error {
 	return err
 }
 
-func (impl *usersRepositoryImpl) Update(user models.User) error {
-	collection := db.GetDB().Collection("users")
+func (r *usersRepositoryImpl) Update(user models.User) error {
+	collection := r.collection()
 	user.UpdatedAt = date.NowToString()
 
 	filter := bson.M{"_id": user.Id}
@@ -31,8 +30,8 @@ func (impl *usersRepositoryImpl) Update(user models.User) error {
 	return err
 }
 
-func (impl *usersRepositoryImpl) FindUserBySalt(salt string) (*models.User, error) {
-	collection := db.GetDB().Collection("users")
+func (r *usersRepositoryImpl) FindUserBySalt(salt string) (*models.User, error) {
+	collection := r.collection()
 	var currentUser models.User
 
 	err := collection.FindOne(context.Background(), map[string]interface{}{
@@ -46,8 +45,8 @@ func (impl *usersRepositoryImpl) FindUserBySalt(salt string) (*models.User, erro
 	return &currentUser, nil
 }
 
-func (impl *usersRepositoryImpl) FindUserByEmail(email string) (*models.User, error) {
-	collection := db.GetDB().Collection("users")
+func (r *usersRepositoryImpl) FindUserByEmail(email string) (*models.User, error) {
+	collection := r.collection()
 	var user models.User
 	err := collection.FindOne(context.Background(), map[string]interface{}{
 		"email": email,
@@ -58,8 +57,8 @@ func (impl *usersRepositoryImpl) FindUserByEmail(email string) (*models.User, er
 	return &user, nil
 }
 
-func (impl *usersRepositoryImpl) FindUserByUsername(username string) (*models.User, error) {
-	collection := db.GetDB().Collection("users")
+func (r *usersRepositoryImpl) FindUserByUsername(username string) (*models.User, error) {
+	collection := r.collection()
 	var user models.User
 	err := collection.FindOne(context.Background(), map[string]interface{}{
 		"username": username,
@@ -70,14 +69,14 @@ func (impl *usersRepositoryImpl) FindUserByUsername(username string) (*models.Us
 	return &user, nil
 }
 
-func (impl *usersRepositoryImpl) FindUserByUsernameOrEmail(username string, email string) (*models.User, error) {
+func (r *usersRepositoryImpl) FindUserByUsernameOrEmail(username string, email string) (*models.User, error) {
 	if username != "" {
-		return impl.FindUserByUsername(username)
+		return r.FindUserByUsername(username)
 
 	}
 
 	if email != "" {
-		return impl.FindUserByEmail(email)
+		return r.FindUserByEmail(email)
 	}
 
 	return nil, fmt.Errorf("username or email must be provided")