Source: Introduce Usernames

doc/20-HTTP-API.md

@@ -11,8 +11,12 @@ After creating a source in Icinga Notifications Web,
 the specified credentials can be used via HTTP Basic Authentication to submit a JSON-encoded
 [`Event`](https://github.com/Icinga/icinga-go-library/blob/main/notifications/event/event.go).
 
-The authentication is performed via HTTP Basic Authentication, expecting `source-${id}` as the username,
-`${id}` being the source's `id` within the database, and the configured password.
+The authentication is performed via HTTP Basic Authentication using the source's username and password.
+
+!!! info
+
+    Before Icinga Notifications version 0.2.0, the username was a fixed string based on the source ID, such as `source-${id}`.
+    When upgrading a setup from an earlier version, these usernames are still valid, but can be changed in Icinga Notifications Web.
 
 Events sent to Icinga Notifications are expected to match rules that describe further event escalations.
 These rules can be created in the web interface.

internal/config/runtime.go

@@ -13,7 +13,6 @@ import (
 	"github.com/icinga/icinga-notifications/internal/timeperiod"
 	"go.uber.org/zap"
 	"golang.org/x/crypto/bcrypt"
-	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -205,29 +204,24 @@ func (r *RuntimeConfig) GetSourceFromCredentials(user, pass string, logger *logg
 	r.RLock()
 	defer r.RUnlock()
 
-	sourceIdRaw, sourceIdOk := strings.CutPrefix(user, "source-")
-	if !sourceIdOk {
-		logger.Debugw("Cannot extract source ID from HTTP basic auth username", zap.String("user_input", user))
-		return nil
-	}
-	sourceId, err := strconv.ParseInt(sourceIdRaw, 10, 64)
-	if err != nil {
-		logger.Debugw("Cannot convert extracted source Id to int", zap.String("user_input", user), zap.Error(err))
-		return nil
+	var src *Source
+	for _, tmpSrc := range r.Sources {
+		if tmpSrc.ListenerUsername.Valid && tmpSrc.ListenerUsername.String == user {
+			src = tmpSrc
+			break
+		}
 	}
-
-	src, ok := r.Sources[sourceId]
-	if !ok {
-		logger.Debugw("Cannot check credentials for unknown source ID", zap.Int64("id", sourceId))
+	if src == nil {
+		logger.Debugw("Cannot find source for username", zap.String("user", user))
 		return nil
 	}
 
-	err = src.PasswordCompare([]byte(pass))
+	err := src.PasswordCompare([]byte(pass))
 	if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
-		logger.Debugw("Invalid password for this source", zap.Int64("id", sourceId))
+		logger.Debugw("Invalid password for source", zap.Int64("id", src.ID))
 		return nil
 	} else if err != nil {
-		logger.Errorw("Failed to verify password for this source", zap.Int64("id", sourceId), zap.Error(err))
+		logger.Errorw("Failed to verify password for source", zap.Int64("id", src.ID), zap.Error(err))
 		return nil
 	}
 

internal/config/source.go

@@ -17,6 +17,7 @@ type Source struct {
 	Type string `db:"type"`
 	Name string `db:"name"`
 
+	ListenerUsername      types.String `db:"listener_username"`
 	ListenerPasswordHash  types.String `db:"listener_password_hash"`
 	listenerPassword      []byte       `db:"-"`
 	listenerPasswordMutex sync.Mutex

internal/incident/incidents_test.go

@@ -24,8 +24,9 @@ func TestLoadOpenIncidents(t *testing.T) {
 
 	// Insert a dummy source for our test cases!
 	source := &config.Source{
-		Type: "notifications",
-		Name: "Icinga Notifications",
+		Type:             "notifications",
+		Name:             "Icinga Notifications",
+		ListenerUsername: types.MakeString("notifications"),
 	}
 	source.ChangedAt = types.UnixMilli(time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC))
 	source.Deleted = types.Bool{Bool: false, Valid: true}

internal/object/objects_test.go

@@ -24,13 +24,14 @@ func TestRestoreMutedObjects(t *testing.T) {
 			"type":       "notifications",
 			"name":       "Icinga Notifications",
 			"changed_at": int64(1720702049000),
+			"user":       "jane.doe",
 			"pwd_hash":   "$2y$", // Needed to pass the database constraint.
 		}
 		// We can't use config.Source here unfortunately due to cyclic import error!
 		id, err := database.InsertObtainID(
 			ctx,
 			tx,
-			`INSERT INTO source (type, name, changed_at, listener_password_hash) VALUES (:type, :name, :changed_at, :pwd_hash)`,
+			`INSERT INTO source (type, name, changed_at, listener_username, listener_password_hash) VALUES (:type, :name, :changed_at, :user, :pwd_hash)`,
 			args)
 		require.NoError(t, err, "populating source table should not fail")
 

schema/mysql/schema.sql

@@ -212,13 +212,16 @@ CREATE TABLE source (
     -- will likely need a distinguishing value for multiple sources of the same type in the future, like for example
     -- the Icinga DB environment ID for Icinga 2 sources
 
-    -- This column is required to limit API access for incoming connections to the Listener.
-    -- The username will be "source-${id}", allowing early verification.
+    -- listener_{username,password_hash} are required to limit API access for incoming connections to the Listener.
+    listener_username varchar(255),
     listener_password_hash text,
 
     changed_at bigint NOT NULL,
     deleted enum('n', 'y') NOT NULL DEFAULT 'n',
 
+    CONSTRAINT uk_source_listener_username UNIQUE (listener_username),
+    CONSTRAINT ck_source_listener_username_or_deleted CHECK (deleted = 'y' OR listener_username IS NOT NULL),
+
     -- The hash is a PHP password_hash with PASSWORD_DEFAULT algorithm, defaulting to bcrypt. This check roughly ensures
     -- that listener_password_hash can only be populated with bcrypt hashes.
     -- https://icinga.com/docs/icinga-web/latest/doc/20-Advanced-Topics/#manual-user-creation-for-database-authentication-backend

schema/mysql/upgrades/0.2.0-source-username.sql

@@ -0,0 +1,5 @@
+ALTER TABLE source ADD COLUMN listener_username varchar(255) AFTER name;
+UPDATE source SET listener_username = CONCAT('source-', source.id) WHERE deleted = 'n';
+ALTER TABLE source
+    ADD CONSTRAINT uk_source_listener_username UNIQUE (listener_username),
+    ADD CONSTRAINT ck_source_listener_username_or_deleted CHECK (deleted = 'y' OR listener_username IS NOT NULL);

schema/pgsql/schema.sql

@@ -244,13 +244,16 @@ CREATE TABLE source (
     -- will likely need a distinguishing value for multiple sources of the same type in the future, like for example
     -- the Icinga DB environment ID for Icinga 2 sources
 
-    -- This column is required to limit API access for incoming connections to the Listener.
-    -- The username will be "source-${id}", allowing early verification.
+    -- listener_{username,password_hash} are required to limit API access for incoming connections to the Listener.
+    listener_username varchar(255),
     listener_password_hash text,
 
     changed_at bigint NOT NULL,
     deleted boolenum NOT NULL DEFAULT 'n',
 
+    CONSTRAINT uk_source_listener_username UNIQUE (listener_username),
+    CONSTRAINT ck_source_listener_username_or_deleted CHECK (deleted = 'y' OR listener_username IS NOT NULL),
+
     -- The hash is a PHP password_hash with PASSWORD_DEFAULT algorithm, defaulting to bcrypt. This check roughly ensures
     -- that listener_password_hash can only be populated with bcrypt hashes.
     -- https://icinga.com/docs/icinga-web/latest/doc/20-Advanced-Topics/#manual-user-creation-for-database-authentication-backend

schema/pgsql/upgrades/0.2.0-source-username.sql

@@ -0,0 +1,5 @@
+ALTER TABLE source ADD COLUMN listener_username varchar(255);
+UPDATE source SET listener_username = CONCAT('source-', source.id) WHERE deleted = 'n';
+ALTER TABLE source
+    ADD CONSTRAINT uk_source_listener_username UNIQUE (listener_username),
+    ADD CONSTRAINT ck_source_listener_username_or_deleted CHECK (deleted = 'y' OR listener_username IS NOT NULL);