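-- Migration: Add authentication rules tables
-- Purpose: Enable whitelist/blacklist functionality for Ginxsom
-- Date: 2025-01-12
--
-- Target engine: SQLite (AUTOINCREMENT, strftime(), PRAGMA, triggers).
-- All timestamps in this file are Unix epoch seconds (strftime('%s', 'now')).

-- Enable foreign key constraints.
-- NOTE: in SQLite this PRAGMA is per-connection and is NOT persisted in the
-- database file, so the application must set it on every connection it
-- opens. No table in this migration declares a FOREIGN KEY, so it has no
-- effect on the objects created below.
PRAGMA foreign_keys = ON;

-- ---------------------------------------------------------------------------
-- Authentication rules: the allow/deny policy the server consults.
-- ---------------------------------------------------------------------------
-- This schema constrains only the SHAPE of a rule. How rows combine -- which
-- rule wins when several match, what happens when none match, whether the
-- presence of a whitelist implies default-deny -- is decided by the
-- application and must be documented there.
CREATE TABLE IF NOT EXISTS auth_rules (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    -- Which request attribute the rule matches, and its polarity:
    -- 'pubkey_blacklist', 'pubkey_whitelist', 'hash_blacklist',
    -- 'mime_blacklist', 'mime_whitelist'.
    rule_type   TEXT    NOT NULL,
    -- The pubkey, blob hash, or MIME type to match. Comparison is plain TEXT
    -- equality (exact, case-sensitive). The application must normalise the
    -- value the same way on write and on lookup (e.g. lowercase hex,
    -- lowercase MIME type); otherwise a differently-cased copy of a
    -- blacklisted value silently escapes the rule.
    rule_target TEXT    NOT NULL,
    -- Operation the rule applies to: 'upload', 'delete', 'list', or '*' for all.
    operation   TEXT    NOT NULL DEFAULT '*',
    -- 1 = enabled, 0 = disabled. Disabled rules are kept for audit/undo.
    enabled     INTEGER NOT NULL DEFAULT 1,
    -- Lower number = higher priority when several rules match a request.
    priority    INTEGER NOT NULL DEFAULT 100,
    description TEXT,                      -- Human-readable description
    created_by  TEXT,                      -- Admin pubkey who created the rule
    created_at  INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
    -- Maintained by trg_auth_rules_updated_at (below) on every UPDATE.
    updated_at  INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),

    CONSTRAINT auth_rules_rule_type_check CHECK (rule_type IN (
        'pubkey_blacklist', 'pubkey_whitelist',
        'hash_blacklist',
        'mime_blacklist', 'mime_whitelist'
    )),
    CONSTRAINT auth_rules_operation_check CHECK (operation IN ('upload', 'delete', 'list', '*')),
    CONSTRAINT auth_rules_enabled_check   CHECK (enabled IN (0, 1)),
    CONSTRAINT auth_rules_priority_check  CHECK (priority >= 0),
    -- NOT NULL alone still admits '' -- a target that can never match a real
    -- request and only hides a broken admin tool. Refuse it.
    CONSTRAINT auth_rules_target_check    CHECK (rule_target <> ''),
    -- One rule per type/target/operation. A '*' row and an 'upload' row for
    -- the same target may coexist; priority decides between them.
    CONSTRAINT auth_rules_type_target_operation_key UNIQUE (rule_type, rule_target, operation)
);

-- Indexes for rule lookup. The UNIQUE constraint above already creates an
-- index whose leading columns are (rule_type, rule_target), so
-- idx_auth_rules_type_target is redundant with it; it is kept so existing
-- deployments keep the same index set.
CREATE INDEX IF NOT EXISTS idx_auth_rules_type_target    ON auth_rules(rule_type, rule_target);
CREATE INDEX IF NOT EXISTS idx_auth_rules_operation      ON auth_rules(operation);
CREATE INDEX IF NOT EXISTS idx_auth_rules_enabled        ON auth_rules(enabled);
CREATE INDEX IF NOT EXISTS idx_auth_rules_priority       ON auth_rules(priority);
CREATE INDEX IF NOT EXISTS idx_auth_rules_type_operation ON auth_rules(rule_type, operation, enabled);

-- Keep updated_at honest: nothing else in this migration maintains it, so
-- without this trigger it is merely a second copy of created_at. The WHEN
-- guard lets a writer that sets updated_at explicitly keep its value and
-- stops the inner UPDATE from re-firing the trigger if recursive_triggers
-- is ever enabled.
CREATE TRIGGER IF NOT EXISTS trg_auth_rules_updated_at
AFTER UPDATE ON auth_rules
FOR EACH ROW
WHEN NEW.updated_at = OLD.updated_at
BEGIN
    UPDATE auth_rules
    SET updated_at = strftime('%s', 'now')
    WHERE id = NEW.id;
END;

-- ---------------------------------------------------------------------------
-- Cache of authentication decisions (intended TTL: 5 minutes).
-- ---------------------------------------------------------------------------
-- The TTL is enforced by readers (compare expires_at with the current time
-- before trusting a row) and by a cleanup job using idx_auth_cache_expires;
-- the schema only stores the expiry. A cached ALLOW would otherwise outlive
-- a rule change by up to the full TTL -- a newly blacklisted pubkey could
-- keep uploading for five minutes -- so the trg_auth_rules_cache_flush_*
-- triggers below empty this table whenever auth_rules changes.
CREATE TABLE IF NOT EXISTS auth_rules_cache (
    cache_key     TEXT    PRIMARY KEY NOT NULL, -- SHA-256 hash of request parameters
    decision      INTEGER NOT NULL,             -- 1 = allow, 0 = deny
    reason        TEXT,                         -- Reason for decision
    pubkey        TEXT,                         -- Public key from request
    operation     TEXT,                         -- Operation type
    resource_hash TEXT,                         -- Resource hash (if applicable)
    created_at    INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
    expires_at    INTEGER NOT NULL,             -- Expiration timestamp (epoch seconds)

    CONSTRAINT auth_rules_cache_decision_check CHECK (decision IN (0, 1)),
    -- An entry that is born already expired is a caller bug; refuse it.
    CONSTRAINT auth_rules_cache_expiry_check   CHECK (expires_at > created_at)
);

-- Index for cache expiration cleanup, plus per-pubkey lookup/invalidation.
CREATE INDEX IF NOT EXISTS idx_auth_cache_expires ON auth_rules_cache(expires_at);
CREATE INDEX IF NOT EXISTS idx_auth_cache_pubkey  ON auth_rules_cache(pubkey);

-- Invalidate every cached decision when the rule set changes. A full flush
-- is deliberate: rules are edited rarely and each cache key is rebuilt on
-- its next request, whereas a stale ALLOW for a newly blacklisted pubkey or
-- hash is a real (if short) policy bypass.
CREATE TRIGGER IF NOT EXISTS trg_auth_rules_cache_flush_insert
AFTER INSERT ON auth_rules
BEGIN
    DELETE FROM auth_rules_cache;
END;

CREATE TRIGGER IF NOT EXISTS trg_auth_rules_cache_flush_update
AFTER UPDATE ON auth_rules
BEGIN
    DELETE FROM auth_rules_cache;
END;

CREATE TRIGGER IF NOT EXISTS trg_auth_rules_cache_flush_delete
AFTER DELETE ON auth_rules
BEGIN
    DELETE FROM auth_rules_cache;
END;

-- ---------------------------------------------------------------------------
-- Example rules (commented out -- uncomment to use).
-- ---------------------------------------------------------------------------
-- Replace 'your_pubkey_here' / 'admin_pubkey_here' with real, normalised
-- values before running; the placeholders are not valid targets.

-- Example: Blacklist a specific pubkey for uploads
-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
--   ('pubkey_blacklist', '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798', 'upload', 10, 'Example blacklisted user', 'admin_pubkey_here');

-- Example: Whitelist a specific pubkey for all operations
-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
--   ('pubkey_whitelist', 'your_pubkey_here', '*', 300, 'Trusted user - all operations allowed', 'admin_pubkey_here');

-- Example: Blacklist executable MIME types
-- CAUTION: if the MIME type being matched is the client-supplied Content-Type,
-- a blacklist is trivially bypassed by declaring a different type. A blacklist
-- only holds if the server derives the type from the blob contents itself;
-- a whitelist (default-deny) is the more robust policy either way.
-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
--   ('mime_blacklist', 'application/x-executable',   'upload', 200, 'Block executable files',   'admin_pubkey_here'),
--   ('mime_blacklist', 'application/x-msdos-program', 'upload', 200, 'Block DOS executables',    'admin_pubkey_here'),
--   ('mime_blacklist', 'application/x-msdownload',    'upload', 200, 'Block Windows executables', 'admin_pubkey_here');

-- Example: Whitelist common image types
-- NOTE: these rows only deny other types if the application treats the
-- presence of a mime_whitelist as default-deny for that operation.
-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
--   ('mime_whitelist', 'image/jpeg', 'upload', 400, 'Allow JPEG images', 'admin_pubkey_here'),
--   ('mime_whitelist', 'image/png',  'upload', 400, 'Allow PNG images',  'admin_pubkey_here'),
--   ('mime_whitelist', 'image/gif',  'upload', 400, 'Allow GIF images',  'admin_pubkey_here'),
--   ('mime_whitelist', 'image/webp', 'upload', 400, 'Allow WebP images', 'admin_pubkey_here');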