ntfy/auth/auth_sqlite.go

package auth

import (
	"database/sql"
	_ "github.com/mattn/go-sqlite3" // SQLite driver
	"golang.org/x/crypto/bcrypt"
	"regexp"
)

const (
	bcryptCost = 11
)

// Auther-related queries
const (
	createAuthTablesQueries = `
		BEGIN;
		CREATE TABLE IF NOT EXISTS user (
			user TEXT NOT NULL PRIMARY KEY,
			pass TEXT NOT NULL,
			role TEXT NOT NULL
		);
		CREATE TABLE IF NOT EXISTS access (
			user TEXT NOT NULL,		
			topic TEXT NOT NULL,
			read INT NOT NULL,
			write INT NOT NULL,
			PRIMARY KEY (topic, user)
		);
		CREATE TABLE IF NOT EXISTS schema_version (
			id INT PRIMARY KEY,
			version INT NOT NULL
		);
		COMMIT;
	`
	selectUserQuery       = `SELECT pass, role FROM user WHERE user = ?`
	selectTopicPermsQuery = `
		SELECT read, write 
		FROM access 
		WHERE user IN ('*', ?) AND topic = ?
		ORDER BY user DESC
	`
)

// Manager-related queries
const (
	insertUserQuery      = `INSERT INTO user (user, pass, role) VALUES (?, ?, ?)`
	selectUsernamesQuery = `SELECT user FROM user ORDER BY role, user`
	updateUserPassQuery  = `UPDATE user SET pass = ? WHERE user = ?`
	updateUserRoleQuery  = `UPDATE user SET role = ? WHERE user = ?`
	deleteUserQuery      = `DELETE FROM user WHERE user = ?`

	upsertUserAccessQuery = `
		INSERT INTO access (user, topic, read, write) 
		VALUES (?, ?, ?, ?)
		ON CONFLICT (user, topic) DO UPDATE SET read=excluded.read, write=excluded.write
	`
	selectUserAccessQuery  = `SELECT topic, read, write FROM access WHERE user = ?`
	deleteAllAccessQuery   = `DELETE FROM access`
	deleteUserAccessQuery  = `DELETE FROM access WHERE user = ?`
	deleteTopicAccessQuery = `DELETE FROM access WHERE user = ? AND topic = ?`
)

type SQLiteAuth struct {
	db           *sql.DB
	defaultRead  bool
	defaultWrite bool
}

var (
	allowedUsernameRegex = regexp.MustCompile(`^[-_.@a-zA-Z0-9]+$`)
)

var _ Auther = (*SQLiteAuth)(nil)
var _ Manager = (*SQLiteAuth)(nil)

func NewSQLiteAuth(filename string, defaultRead, defaultWrite bool) (*SQLiteAuth, error) {
	db, err := sql.Open("sqlite3", filename)
	if err != nil {
		return nil, err
	}
	if err := setupNewAuthDB(db); err != nil {
		return nil, err
	}
	return &SQLiteAuth{
		db:           db,
		defaultRead:  defaultRead,
		defaultWrite: defaultWrite,
	}, nil
}

func setupNewAuthDB(db *sql.DB) error {
	if _, err := db.Exec(createAuthTablesQueries); err != nil {
		return err
	}
	// FIXME schema version
	return nil
}

func (a *SQLiteAuth) Authenticate(username, password string) (*User, error) {
	if username == Everyone {
		return nil, ErrUnauthenticated
	}
	user, err := a.User(username)
	if err != nil {
		bcrypt.CompareHashAndPassword([]byte("$2a$11$eX15DeF27FwAgXt9wqJF0uAUMz74XywJcGBH3kP93pzKYv6ATk2ka"),
			[]byte("intentional slow-down to avoid timing attacks"))
		return nil, ErrUnauthenticated
	}
	if err := bcrypt.CompareHashAndPassword([]byte(user.Hash), []byte(password)); err != nil {
		return nil, ErrUnauthenticated
	}
	return user, nil
}

func (a *SQLiteAuth) Authorize(user *User, topic string, perm Permission) error {
	if user != nil && user.Role == RoleAdmin {
		return nil // Admin can do everything
	}
	// Select the read/write permissions for this user/topic combo. The query may return two
	// rows (one for everyone, and one for the user), but prioritizes the user. The value for
	// user.Name may be empty (= everyone).
	username := Everyone
	if user != nil {
		username = user.Name
	}
	rows, err := a.db.Query(selectTopicPermsQuery, username, topic)
	if err != nil {
		return err
	}
	defer rows.Close()
	if !rows.Next() {
		return a.resolvePerms(a.defaultRead, a.defaultWrite, perm)
	}
	var read, write bool
	if err := rows.Scan(&read, &write); err != nil {
		return err
	} else if err := rows.Err(); err != nil {
		return err
	}
	return a.resolvePerms(read, write, perm)
}

func (a *SQLiteAuth) resolvePerms(read, write bool, perm Permission) error {
	if perm == PermissionRead && read {
		return nil
	} else if perm == PermissionWrite && write {
		return nil
	}
	return ErrUnauthorized
}

func (a *SQLiteAuth) AddUser(username, password string, role Role) error {
	if !allowedUsernameRegex.MatchString(username) || (role != RoleAdmin && role != RoleUser) {
		return ErrInvalidArgument
	}
	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)
	if err != nil {
		return err
	}
	if _, err = a.db.Exec(insertUserQuery, username, hash, role); err != nil {
		return err
	}
	return nil
}

func (a *SQLiteAuth) RemoveUser(username string) error {
	if !allowedUsernameRegex.MatchString(username) || username == Everyone {
		return ErrInvalidArgument
	}
	if _, err := a.db.Exec(deleteUserQuery, username); err != nil {
		return err
	}
	if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil {
		return err
	}
	return nil
}

func (a *SQLiteAuth) Users() ([]*User, error) {
	rows, err := a.db.Query(selectUsernamesQuery)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	usernames := make([]string, 0)
	for rows.Next() {
		var username string
		if err := rows.Scan(&username); err != nil {
			return nil, err
		} else if err := rows.Err(); err != nil {
			return nil, err
		}
		usernames = append(usernames, username)
	}
	rows.Close()
	users := make([]*User, 0)
	for _, username := range usernames {
		user, err := a.User(username)
		if err != nil {
			return nil, err
		}
		users = append(users, user)
	}
	everyone, err := a.everyoneUser()
	if err != nil {
		return nil, err
	}
	users = append(users, everyone)
	return users, nil
}

func (a *SQLiteAuth) User(username string) (*User, error) {
	if username == Everyone {
		return a.everyoneUser()
	}
	rows, err := a.db.Query(selectUserQuery, username)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	var hash, role string
	if !rows.Next() {
		return nil, ErrNotFound
	}
	if err := rows.Scan(&hash, &role); err != nil {
		return nil, err
	} else if err := rows.Err(); err != nil {
		return nil, err
	}
	grants, err := a.readGrants(username)
	if err != nil {
		return nil, err
	}
	return &User{
		Name:   username,
		Hash:   hash,
		Role:   Role(role),
		Grants: grants,
	}, nil
}

func (a *SQLiteAuth) everyoneUser() (*User, error) {
	grants, err := a.readGrants(Everyone)
	if err != nil {
		return nil, err
	}
	return &User{
		Name:   Everyone,
		Hash:   "",
		Role:   RoleAnonymous,
		Grants: grants,
	}, nil
}

func (a *SQLiteAuth) readGrants(username string) ([]Grant, error) {
	rows, err := a.db.Query(selectUserAccessQuery, username)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	grants := make([]Grant, 0)
	for rows.Next() {
		var topic string
		var read, write bool
		if err := rows.Scan(&topic, &read, &write); err != nil {
			return nil, err
		} else if err := rows.Err(); err != nil {
			return nil, err
		}
		grants = append(grants, Grant{
			Topic: topic,
			Read:  read,
			Write: write,
		})
	}
	return grants, nil
}

func (a *SQLiteAuth) ChangePassword(username, password string) error {
	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)
	if err != nil {
		return err
	}
	if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
		return err
	}
	return nil
}

func (a *SQLiteAuth) ChangeRole(username string, role Role) error {
	if !allowedUsernameRegex.MatchString(username) || (role != RoleAdmin && role != RoleUser) {
		return ErrInvalidArgument
	}
	if _, err := a.db.Exec(updateUserRoleQuery, string(role), username); err != nil {
		return err
	}
	if role == RoleAdmin {
		if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil {
			return err
		}
	}
	return nil
}

func (a *SQLiteAuth) DefaultAccess() (read bool, write bool) {
	return a.defaultRead, a.defaultWrite
}

func (a *SQLiteAuth) AllowAccess(username string, topic string, read bool, write bool) error {
	if _, err := a.db.Exec(upsertUserAccessQuery, username, topic, read, write); err != nil {
		return err
	}
	return nil
}

func (a *SQLiteAuth) ResetAccess(username string, topic string) error {
	if username == "" && topic == "" {
		_, err := a.db.Exec(deleteAllAccessQuery, username)
		return err
	} else if topic == "" {
		_, err := a.db.Exec(deleteUserAccessQuery, username)
		return err
	}
	_, err := a.db.Exec(deleteTopicAccessQuery, username, topic)
	return err
}
Move to package 2022-01-23 06:02:16 +01:00			`package auth`
Simplify tables 2022-01-23 05:01:20 +01:00
			`import (`
			`"database/sql"`
Tests 2022-01-26 03:57:28 +01:00			`_ "github.com/mattn/go-sqlite3" // SQLite driver`
Simplify tables 2022-01-23 05:01:20 +01:00			`"golang.org/x/crypto/bcrypt"`
Tests 2022-01-26 03:57:28 +01:00			`"regexp"`
Simplify tables 2022-01-23 05:01:20 +01:00			`)`

Tests 2022-01-26 03:57:28 +01:00			`const (`
			`bcryptCost = 11`
			`)`
Simplify tables 2022-01-23 05:01:20 +01:00
More auth CLi 2022-01-23 06:54:18 +01:00			`// Auther-related queries`
Simplify tables 2022-01-23 05:01:20 +01:00			`const (`
			createAuthTablesQueries = `
			`BEGIN;`
			`CREATE TABLE IF NOT EXISTS user (`
			`user TEXT NOT NULL PRIMARY KEY,`
			`pass TEXT NOT NULL,`
			`role TEXT NOT NULL`
			`);`
More CLI for access control 2022-01-23 21:30:30 +01:00			`CREATE TABLE IF NOT EXISTS access (`
Simplify tables 2022-01-23 05:01:20 +01:00			`user TEXT NOT NULL,`
			`topic TEXT NOT NULL,`
			`read INT NOT NULL,`
			`write INT NOT NULL,`
			`PRIMARY KEY (topic, user)`
			`);`
			`CREATE TABLE IF NOT EXISTS schema_version (`
			`id INT PRIMARY KEY,`
			`version INT NOT NULL`
			`);`
			`COMMIT;`
			`
			selectUserQuery = `SELECT pass, role FROM user WHERE user = ?`
			selectTopicPermsQuery = `
			`SELECT read, write`
More CLI for access control 2022-01-23 21:30:30 +01:00			`FROM access`
More auth 2022-01-24 06:54:28 +01:00			`WHERE user IN ('*', ?) AND topic = ?`
Simplify tables 2022-01-23 05:01:20 +01:00			`ORDER BY user DESC`
			`
			`)`

More auth CLi 2022-01-23 06:54:18 +01:00			`// Manager-related queries`
			`const (`
More auth 2022-01-24 06:54:28 +01:00			insertUserQuery = `INSERT INTO user (user, pass, role) VALUES (?, ?, ?)`
			selectUsernamesQuery = `SELECT user FROM user ORDER BY role, user`
			updateUserPassQuery = `UPDATE user SET pass = ? WHERE user = ?`
			updateUserRoleQuery = `UPDATE user SET role = ? WHERE user = ?`
			deleteUserQuery = `DELETE FROM user WHERE user = ?`

			upsertUserAccessQuery = `
More CLI for access control 2022-01-23 21:30:30 +01:00			`INSERT INTO access (user, topic, read, write)`
			`VALUES (?, ?, ?, ?)`
			`ON CONFLICT (user, topic) DO UPDATE SET read=excluded.read, write=excluded.write`
			`
More auth 2022-01-24 06:54:28 +01:00			selectUserAccessQuery = `SELECT topic, read, write FROM access WHERE user = ?`
			deleteAllAccessQuery = `DELETE FROM access`
			deleteUserAccessQuery = `DELETE FROM access WHERE user = ?`
			deleteTopicAccessQuery = `DELETE FROM access WHERE user = ? AND topic = ?`
More auth CLi 2022-01-23 06:54:18 +01:00			`)`

Move to package 2022-01-23 06:02:16 +01:00			`type SQLiteAuth struct {`
Simplify tables 2022-01-23 05:01:20 +01:00			`db *sql.DB`
			`defaultRead bool`
			`defaultWrite bool`
			`}`

Tests 2022-01-26 03:57:28 +01:00			`var (`
			allowedUsernameRegex = regexp.MustCompile(`^[-_.@a-zA-Z0-9]+$`)
			`)`

More auth CLi 2022-01-23 06:54:18 +01:00			`var _ Auther = (*SQLiteAuth)(nil)`
			`var _ Manager = (*SQLiteAuth)(nil)`
Simplify tables 2022-01-23 05:01:20 +01:00
Move to package 2022-01-23 06:02:16 +01:00			`func NewSQLiteAuth(filename string, defaultRead, defaultWrite bool) (*SQLiteAuth, error) {`
Simplify tables 2022-01-23 05:01:20 +01:00			`db, err := sql.Open("sqlite3", filename)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if err := setupNewAuthDB(db); err != nil {`
			`return nil, err`
			`}`
Move to package 2022-01-23 06:02:16 +01:00			`return &SQLiteAuth{`
Simplify tables 2022-01-23 05:01:20 +01:00			`db: db,`
			`defaultRead: defaultRead,`
			`defaultWrite: defaultWrite,`
			`}, nil`
			`}`

			`func setupNewAuthDB(db *sql.DB) error {`
			`if _, err := db.Exec(createAuthTablesQueries); err != nil {`
			`return err`
			`}`
			`// FIXME schema version`
			`return nil`
			`}`

Move to package 2022-01-23 06:02:16 +01:00			`func (a SQLiteAuth) Authenticate(username, password string) (User, error) {`
More auth 2022-01-24 06:54:28 +01:00			`if username == Everyone {`
Tests 2022-01-26 03:57:28 +01:00			`return nil, ErrUnauthenticated`
More auth 2022-01-24 06:54:28 +01:00			`}`
Tests 2022-01-26 03:57:28 +01:00			`user, err := a.User(username)`
Simplify tables 2022-01-23 05:01:20 +01:00			`if err != nil {`
Tests 2022-01-26 03:57:28 +01:00			`bcrypt.CompareHashAndPassword([]byte("$2a$11$eX15DeF27FwAgXt9wqJF0uAUMz74XywJcGBH3kP93pzKYv6ATk2ka"),`
			`[]byte("intentional slow-down to avoid timing attacks"))`
			`return nil, ErrUnauthenticated`
Simplify tables 2022-01-23 05:01:20 +01:00			`}`
Tests 2022-01-26 03:57:28 +01:00			`if err := bcrypt.CompareHashAndPassword([]byte(user.Hash), []byte(password)); err != nil {`
			`return nil, ErrUnauthenticated`
Simplify tables 2022-01-23 05:01:20 +01:00			`}`
Tests 2022-01-26 03:57:28 +01:00			`return user, nil`
Simplify tables 2022-01-23 05:01:20 +01:00			`}`

Move to package 2022-01-23 06:02:16 +01:00			`func (a SQLiteAuth) Authorize(user User, topic string, perm Permission) error {`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`if user != nil && user.Role == RoleAdmin {`
Simplify tables 2022-01-23 05:01:20 +01:00			`return nil // Admin can do everything`
			`}`
			`// Select the read/write permissions for this user/topic combo. The query may return two`
			`// rows (one for everyone, and one for the user), but prioritizes the user. The value for`
			`// user.Name may be empty (= everyone).`
More auth 2022-01-24 06:54:28 +01:00			`username := Everyone`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`if user != nil {`
			`username = user.Name`
			`}`
			`rows, err := a.db.Query(selectTopicPermsQuery, username, topic)`
Simplify tables 2022-01-23 05:01:20 +01:00			`if err != nil {`
			`return err`
			`}`
			`defer rows.Close()`
			`if !rows.Next() {`
			`return a.resolvePerms(a.defaultRead, a.defaultWrite, perm)`
			`}`
			`var read, write bool`
			`if err := rows.Scan(&read, &write); err != nil {`
			`return err`
			`} else if err := rows.Err(); err != nil {`
			`return err`
			`}`
			`return a.resolvePerms(read, write, perm)`
			`}`

Move to package 2022-01-23 06:02:16 +01:00			`func (a *SQLiteAuth) resolvePerms(read, write bool, perm Permission) error {`
			`if perm == PermissionRead && read {`
Simplify tables 2022-01-23 05:01:20 +01:00			`return nil`
Move to package 2022-01-23 06:02:16 +01:00			`} else if perm == PermissionWrite && write {`
Simplify tables 2022-01-23 05:01:20 +01:00			`return nil`
			`}`
Move to package 2022-01-23 06:02:16 +01:00			`return ErrUnauthorized`
Simplify tables 2022-01-23 05:01:20 +01:00			`}`
More auth CLi 2022-01-23 06:54:18 +01:00
			`func (a *SQLiteAuth) AddUser(username, password string, role Role) error {`
Tests 2022-01-26 03:57:28 +01:00			`if !allowedUsernameRegex.MatchString(username) \|\| (role != RoleAdmin && role != RoleUser) {`
			`return ErrInvalidArgument`
			`}`
			`hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)`
More auth CLi 2022-01-23 06:54:18 +01:00			`if err != nil {`
			`return err`
			`}`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`if _, err = a.db.Exec(insertUserQuery, username, hash, role); err != nil {`
More auth CLi 2022-01-23 06:54:18 +01:00			`return err`
			`}`
			`return nil`
			`}`

			`func (a *SQLiteAuth) RemoveUser(username string) error {`
Tests 2022-01-26 03:57:28 +01:00			`if !allowedUsernameRegex.MatchString(username) \|\| username == Everyone {`
			`return ErrInvalidArgument`
			`}`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`if _, err := a.db.Exec(deleteUserQuery, username); err != nil {`
More auth CLi 2022-01-23 06:54:18 +01:00			`return err`
			`}`
More auth 2022-01-24 06:54:28 +01:00			`if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil {`
More auth CLi 2022-01-23 06:54:18 +01:00			`return err`
			`}`
			`return nil`
			`}`

Auth CLI, continued 2022-01-24 05:02:39 +01:00			`func (a SQLiteAuth) Users() ([]User, error) {`
			`rows, err := a.db.Query(selectUsernamesQuery)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer rows.Close()`
			`usernames := make([]string, 0)`
			`for rows.Next() {`
			`var username string`
			`if err := rows.Scan(&username); err != nil {`
			`return nil, err`
			`} else if err := rows.Err(); err != nil {`
			`return nil, err`
			`}`
			`usernames = append(usernames, username)`
			`}`
			`rows.Close()`
			`users := make([]*User, 0)`
			`for _, username := range usernames {`
			`user, err := a.User(username)`
			`if err != nil {`
			`return nil, err`
			`}`
			`users = append(users, user)`
			`}`
More auth 2022-01-24 06:54:28 +01:00			`everyone, err := a.everyoneUser()`
			`if err != nil {`
			`return nil, err`
			`}`
			`users = append(users, everyone)`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`return users, nil`
			`}`

			`func (a SQLiteAuth) User(username string) (User, error) {`
More auth 2022-01-24 06:54:28 +01:00			`if username == Everyone {`
			`return a.everyoneUser()`
			`}`
Tests 2022-01-26 03:57:28 +01:00			`rows, err := a.db.Query(selectUserQuery, username)`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`if err != nil {`
			`return nil, err`
			`}`
Tests 2022-01-26 03:57:28 +01:00			`defer rows.Close()`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`var hash, role string`
Tests 2022-01-26 03:57:28 +01:00			`if !rows.Next() {`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`return nil, ErrNotFound`
			`}`
Tests 2022-01-26 03:57:28 +01:00			`if err := rows.Scan(&hash, &role); err != nil {`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`return nil, err`
Tests 2022-01-26 03:57:28 +01:00			`} else if err := rows.Err(); err != nil {`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`return nil, err`
			`}`
More auth 2022-01-24 06:54:28 +01:00			`grants, err := a.readGrants(username)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &User{`
			`Name: username,`
Tests 2022-01-26 03:57:28 +01:00			`Hash: hash,`
More auth 2022-01-24 06:54:28 +01:00			`Role: Role(role),`
			`Grants: grants,`
			`}, nil`
			`}`

			`func (a SQLiteAuth) everyoneUser() (User, error) {`
			`grants, err := a.readGrants(Everyone)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &User{`
			`Name: Everyone,`
Tests 2022-01-26 03:57:28 +01:00			`Hash: "",`
More auth 2022-01-24 06:54:28 +01:00			`Role: RoleAnonymous,`
			`Grants: grants,`
			`}, nil`
			`}`

			`func (a *SQLiteAuth) readGrants(username string) ([]Grant, error) {`
			`rows, err := a.db.Query(selectUserAccessQuery, username)`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`if err != nil {`
			`return nil, err`
			`}`
More auth 2022-01-24 06:54:28 +01:00			`defer rows.Close()`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`grants := make([]Grant, 0)`
More auth 2022-01-24 06:54:28 +01:00			`for rows.Next() {`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`var topic string`
			`var read, write bool`
More auth 2022-01-24 06:54:28 +01:00			`if err := rows.Scan(&topic, &read, &write); err != nil {`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`return nil, err`
More auth 2022-01-24 06:54:28 +01:00			`} else if err := rows.Err(); err != nil {`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`return nil, err`
			`}`
			`grants = append(grants, Grant{`
			`Topic: topic,`
			`Read: read,`
			`Write: write,`
			`})`
			`}`
More auth 2022-01-24 06:54:28 +01:00			`return grants, nil`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`}`

More auth CLi 2022-01-23 06:54:18 +01:00			`func (a *SQLiteAuth) ChangePassword(username, password string) error {`
Tests 2022-01-26 03:57:28 +01:00			`hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)`
More auth CLi 2022-01-23 06:54:18 +01:00			`if err != nil {`
			`return err`
			`}`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {`
More auth CLi 2022-01-23 06:54:18 +01:00			`return err`
			`}`
			`return nil`
			`}`
More CLI for access control 2022-01-23 21:30:30 +01:00
			`func (a *SQLiteAuth) ChangeRole(username string, role Role) error {`
Tests 2022-01-26 03:57:28 +01:00			`if !allowedUsernameRegex.MatchString(username) \|\| (role != RoleAdmin && role != RoleUser) {`
			`return ErrInvalidArgument`
			`}`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`if _, err := a.db.Exec(updateUserRoleQuery, string(role), username); err != nil {`
More CLI for access control 2022-01-23 21:30:30 +01:00			`return err`
			`}`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`if role == RoleAdmin {`
More auth 2022-01-24 06:54:28 +01:00			`if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil {`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`return err`
			`}`
			`}`
More CLI for access control 2022-01-23 21:30:30 +01:00			`return nil`
			`}`

More auth 2022-01-24 06:54:28 +01:00			`func (a *SQLiteAuth) DefaultAccess() (read bool, write bool) {`
			`return a.defaultRead, a.defaultWrite`
			`}`

More CLI for access control 2022-01-23 21:30:30 +01:00			`func (a *SQLiteAuth) AllowAccess(username string, topic string, read bool, write bool) error {`
More auth 2022-01-24 06:54:28 +01:00			`if _, err := a.db.Exec(upsertUserAccessQuery, username, topic, read, write); err != nil {`
More CLI for access control 2022-01-23 21:30:30 +01:00			`return err`
			`}`
			`return nil`
			`}`

			`func (a *SQLiteAuth) ResetAccess(username string, topic string) error {`
More auth 2022-01-24 06:54:28 +01:00			`if username == "" && topic == "" {`
			`_, err := a.db.Exec(deleteAllAccessQuery, username)`
			`return err`
			`} else if topic == "" {`
			`_, err := a.db.Exec(deleteUserAccessQuery, username)`
			`return err`
More CLI for access control 2022-01-23 21:30:30 +01:00			`}`
More auth 2022-01-24 06:54:28 +01:00			`_, err := a.db.Exec(deleteTopicAccessQuery, username, topic)`
			`return err`
More CLI for access control 2022-01-23 21:30:30 +01:00			`}`