nodedb 0.3.0

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290

// SPDX-License-Identifier: BUSL-1.1

//! User CRUD operations: create, deactivate, update password/roles.

use crate::types::TenantId;

use super::super::super::buses::SessionInvalidationReason;
use super::super::super::identity::Role;
use super::super::super::time::now_secs;
use super::super::hash::{
    compute_scram_salted_password, generate_scram_salt, hash_password_argon2,
};
use super::super::record::UserRecord;
use super::core::{CredentialStore, write_lock};

impl CredentialStore {
    /// Create a new user. Returns the user_id.
    pub fn create_user(
        &self,
        username: &str,
        password: &str,
        tenant_id: TenantId,
        roles: Vec<Role>,
    ) -> crate::Result<u64> {
        let mut users = write_lock(&self.users)?;
        if users.contains_key(username) {
            return Err(crate::Error::BadRequest {
                detail: format!("user '{username}' already exists"),
            });
        }

        let salt = generate_scram_salt();
        let scram_salted_password = compute_scram_salted_password(password, &salt);
        let password_hash = hash_password_argon2(password, &self.argon2_config)?;
        let user_id = self.alloc_user_id()?;

        let is_superuser = roles.contains(&Role::Superuser);
        let now = now_secs();
        let mut record = UserRecord {
            user_id,
            username: username.to_string(),
            tenant_id,
            password_hash,
            scram_salt: salt,
            scram_salted_password,
            roles,
            is_superuser,
            is_active: true,
            is_service_account: false,
            created_at: now,
            updated_at: now,
            password_expires_at: self.compute_expiry(),
            must_change_password: false,
            password_changed_at: now,
            default_database_id: 0,
            accessible_databases: vec![],
        };

        // create_user: no open sessions to invalidate — no invalidation reason.
        self.commit_user_mutation(&mut record, None)?;
        users.insert(username.to_string(), record);
        Ok(user_id)
    }

    /// Create a service account. No password — can only authenticate
    /// via API keys. Returns the user_id.
    ///
    /// `accessible_databases`: if non-empty, the service account is restricted
    /// to those databases. Empty = legacy = treated as `[DatabaseId::DEFAULT]`
    /// at auth time.
    pub fn create_service_account(
        &self,
        name: &str,
        tenant_id: TenantId,
        roles: Vec<Role>,
        accessible_databases: Vec<nodedb_types::id::DatabaseId>,
    ) -> crate::Result<u64> {
        let mut users = write_lock(&self.users)?;
        if users.contains_key(name) {
            return Err(crate::Error::BadRequest {
                detail: format!("user or service account '{name}' already exists"),
            });
        }

        let user_id = self.alloc_user_id()?;
        let is_superuser = roles.contains(&Role::Superuser);
        let now = now_secs();
        let mut record = UserRecord {
            user_id,
            username: name.to_string(),
            tenant_id,
            password_hash: String::new(),
            scram_salt: Vec::new(),
            scram_salted_password: Vec::new(),
            roles,
            is_superuser,
            is_active: true,
            is_service_account: true,
            created_at: now,
            updated_at: now,
            password_expires_at: 0,
            must_change_password: false,
            password_changed_at: now,
            default_database_id: 0,
            accessible_databases,
        };

        // Service-account creation: no open sessions — no invalidation reason.
        self.commit_user_mutation(&mut record, None)?;
        users.insert(name.to_string(), record);
        Ok(user_id)
    }

    /// Drop a user. Fully removes the identity record from the
    /// in-memory cache AND the redb catalog, then publishes
    /// `UserDropped` to hard-revoke open sessions. Returns `false`
    /// if no such user exists.
    ///
    /// A full delete (not a soft-delete tombstone) is required so the
    /// username is freed for reuse — a stale `is_active = false`
    /// record would still trip the `CREATE USER` uniqueness check.
    pub fn drop_user(&self, username: &str) -> crate::Result<bool> {
        let record = {
            let mut users = write_lock(&self.users)?;
            match users.remove(username) {
                Some(record) => record,
                None => return Ok(false),
            }
        };
        self.purge_user(&record)?;
        Ok(true)
    }

    /// Update a user's password. Recomputes both Argon2 hash and SCRAM
    /// credentials.  Password change is a credential mutation but does not
    /// change role/access — no session invalidation reason.
    pub fn update_password(&self, username: &str, password: &str) -> crate::Result<()> {
        let mut users = write_lock(&self.users)?;
        let record = users
            .get_mut(username)
            .ok_or_else(|| crate::Error::BadRequest {
                detail: format!("user '{username}' not found"),
            })?;
        if !record.is_active {
            return Err(crate::Error::BadRequest {
                detail: format!("user '{username}' is inactive"),
            });
        }
        let salt = generate_scram_salt();
        record.scram_salted_password = compute_scram_salted_password(password, &salt);
        record.scram_salt = salt;
        record.password_hash = hash_password_argon2(password, &self.argon2_config)?;
        record.password_expires_at = self.compute_expiry();
        record.must_change_password = false;
        record.password_changed_at = now_secs();
        // Password change only — no role/access change, no session invalidation.
        self.commit_user_mutation(record, None)?;
        Ok(())
    }

    /// Mark a user as requiring a password change on next login.
    pub fn set_must_change_password(&self, username: &str, required: bool) -> crate::Result<()> {
        let mut users = write_lock(&self.users)?;
        let record = users
            .get_mut(username)
            .ok_or_else(|| crate::Error::BadRequest {
                detail: format!("user '{username}' not found"),
            })?;
        if !record.is_active {
            return Err(crate::Error::BadRequest {
                detail: format!("user '{username}' is inactive"),
            });
        }
        record.must_change_password = required;
        self.commit_user_mutation(record, None)?;
        Ok(())
    }

    /// Set password expiry to 0 (never expires) for a user.
    pub fn set_password_never_expires(&self, username: &str) -> crate::Result<()> {
        let mut users = write_lock(&self.users)?;
        let record = users
            .get_mut(username)
            .ok_or_else(|| crate::Error::BadRequest {
                detail: format!("user '{username}' not found"),
            })?;
        if !record.is_active {
            return Err(crate::Error::BadRequest {
                detail: format!("user '{username}' is inactive"),
            });
        }
        record.password_expires_at = 0;
        self.commit_user_mutation(record, None)?;
        Ok(())
    }

    /// Set a specific password expiry timestamp for a user.
    pub fn set_password_expires_at(&self, username: &str, expires_at: u64) -> crate::Result<()> {
        let mut users = write_lock(&self.users)?;
        let record = users
            .get_mut(username)
            .ok_or_else(|| crate::Error::BadRequest {
                detail: format!("user '{username}' not found"),
            })?;
        if !record.is_active {
            return Err(crate::Error::BadRequest {
                detail: format!("user '{username}' is inactive"),
            });
        }
        record.password_expires_at = expires_at;
        self.commit_user_mutation(record, None)?;
        Ok(())
    }

    /// Replace all roles for a user. Triggers identity rehydrate on open
    /// sessions via `RoleAltered`.
    pub fn update_roles(&self, username: &str, roles: Vec<Role>) -> crate::Result<()> {
        let mut users = write_lock(&self.users)?;
        let record = users
            .get_mut(username)
            .ok_or_else(|| crate::Error::BadRequest {
                detail: format!("user '{username}' not found"),
            })?;
        record.is_superuser = roles.contains(&Role::Superuser);
        record.roles = roles;
        self.commit_user_mutation(record, Some(SessionInvalidationReason::RoleAltered))?;
        Ok(())
    }

    /// Add a role to a user (if not already present). Triggers `RoleGranted`
    /// soft-revoke on open sessions.
    pub fn add_role(&self, username: &str, role: Role) -> crate::Result<()> {
        let mut users = write_lock(&self.users)?;
        let record = users
            .get_mut(username)
            .ok_or_else(|| crate::Error::BadRequest {
                detail: format!("user '{username}' not found"),
            })?;
        if !record.roles.contains(&role) {
            record.roles.push(role.clone());
            if matches!(role, Role::Superuser) {
                record.is_superuser = true;
            }
        }
        self.commit_user_mutation(record, Some(SessionInvalidationReason::RoleGranted))?;
        Ok(())
    }

    /// Replace the `accessible_databases` list on a service account.
    ///
    /// Requires the caller to have already verified superuser authority.
    /// For non-service-account users, returns an error.
    pub fn set_service_account_databases(
        &self,
        name: &str,
        databases: Vec<nodedb_types::id::DatabaseId>,
    ) -> crate::Result<()> {
        let mut users = write_lock(&self.users)?;
        let record = users
            .get_mut(name)
            .ok_or_else(|| crate::Error::BadRequest {
                detail: format!("service account '{name}' not found"),
            })?;
        if !record.is_service_account {
            return Err(crate::Error::BadRequest {
                detail: format!("'{name}' is a user, not a service account"),
            });
        }
        record.accessible_databases = databases;
        self.commit_user_mutation(record, Some(SessionInvalidationReason::RoleAltered))?;
        Ok(())
    }

    /// Remove a role from a user. Triggers `RoleRevoked` soft-revoke on
    /// open sessions.
    pub fn remove_role(&self, username: &str, role: &Role) -> crate::Result<()> {
        let mut users = write_lock(&self.users)?;
        let record = users
            .get_mut(username)
            .ok_or_else(|| crate::Error::BadRequest {
                detail: format!("user '{username}' not found"),
            })?;
        record.roles.retain(|r| r != role);
        if matches!(role, Role::Superuser) {
            record.is_superuser = false;
        }
        self.commit_user_mutation(record, Some(SessionInvalidationReason::RoleRevoked))?;
        Ok(())
    }
}