authelia/internal/storage/sql_provider_queries.go
James Elliott 347bd1be77
feat(storage): encrypted secret values (#2588)
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330.

Closes #682
2021-11-25 12:56:58 +11:00

161 lines
3.8 KiB
Go

package storage
const (
queryFmtSelectMigrations = `
SELECT id, applied, version_before, version_after, application_version
FROM %s;`
queryFmtSelectLatestMigration = `
SELECT id, applied, version_before, version_after, application_version
FROM %s
ORDER BY id DESC
LIMIT 1;`
queryFmtInsertMigration = `
INSERT INTO %s (applied, version_before, version_after, application_version)
VALUES (?, ?, ?, ?);`
)
const (
queryMySQLSelectExistingTables = `
SELECT table_name
FROM information_schema.tables
WHERE table_type = 'BASE TABLE' AND table_schema = database();`
queryPostgreSelectExistingTables = `
SELECT table_name
FROM information_schema.tables
WHERE table_type = 'BASE TABLE' AND table_schema = 'public';`
querySQLiteSelectExistingTables = `
SELECT name
FROM sqlite_master
WHERE type = 'table';`
)
const (
queryFmtSelectUserInfo = `
SELECT second_factor_method, (SELECT EXISTS (SELECT id FROM %s WHERE username = ?)) AS has_totp, (SELECT EXISTS (SELECT id FROM %s WHERE username = ?)) AS has_u2f
FROM %s
WHERE username = ?;`
queryFmtSelectPreferred2FAMethod = `
SELECT second_factor_method
FROM %s
WHERE username = ?;`
queryFmtUpsertPreferred2FAMethod = `
REPLACE INTO %s (username, second_factor_method)
VALUES (?, ?);`
queryFmtPostgresUpsertPreferred2FAMethod = `
INSERT INTO %s (username, second_factor_method)
VALUES ($1, $2)
ON CONFLICT (username)
DO UPDATE SET second_factor_method = $2;`
)
const (
queryFmtSelectExistsIdentityVerification = `
SELECT EXISTS (
SELECT id
FROM %s
WHERE token = ?
);`
queryFmtInsertIdentityVerification = `
INSERT INTO %s (token)
VALUES (?);`
queryFmtDeleteIdentityVerification = `
DELETE FROM %s
WHERE token = ?;`
)
const (
queryFmtSelectTOTPConfiguration = `
SELECT id, username, algorithm, digits, totp_period, secret
FROM %s
WHERE username = ?;`
queryFmtSelectTOTPConfigurations = `
SELECT id, username, algorithm, digits, totp_period, secret
FROM %s
LIMIT ?
OFFSET ?;`
//nolint:gosec // These are not hardcoded credentials it's a query to obtain credentials.
queryFmtUpdateTOTPConfigurationSecret = `
UPDATE %s
SET secret = ?
WHERE id = ?;`
//nolint:gosec // These are not hardcoded credentials it's a query to obtain credentials.
queryFmtUpdateTOTPConfigurationSecretByUsername = `
UPDATE %s
SET secret = ?
WHERE username = ?;`
queryFmtUpsertTOTPConfiguration = `
REPLACE INTO %s (username, algorithm, digits, totp_period, secret)
VALUES (?, ?, ?, ?, ?);`
queryFmtPostgresUpsertTOTPConfiguration = `
INSERT INTO %s (username, algorithm, digits, totp_period, secret)
VALUES ($1, $2, $3, $4, $5)
ON CONFLICT (username)
DO UPDATE SET algorithm = $2, digits = $3, totp_period = $4, secret = $5;`
queryFmtDeleteTOTPConfiguration = `
DELETE FROM %s
WHERE username = ?;`
)
const (
queryFmtSelectU2FDevice = `
SELECT key_handle, public_key
FROM %s
WHERE username = ?;`
queryFmtUpsertU2FDevice = `
REPLACE INTO %s (username, key_handle, public_key)
VALUES (?, ?, ?);`
queryFmtPostgresUpsertU2FDevice = `
INSERT INTO %s (username, key_handle, public_key)
VALUES ($1, $2, $3)
ON CONFLICT (username)
DO UPDATE SET key_handle=$2, public_key=$3;`
)
const (
queryFmtInsertAuthenticationLogEntry = `
INSERT INTO %s (time, successful, username)
VALUES (?, ?, ?);`
queryFmtSelect1FAAuthenticationLogEntryByUsername = `
SELECT time, successful, username
FROM %s
WHERE time > ? AND username = ?
ORDER BY time DESC
LIMIT ?
OFFSET ?;`
)
const (
queryFmtSelectEncryptionValue = `
SELECT (value)
FROM %s
WHERE name = ?`
queryFmtUpsertEncryptionValue = `
REPLACE INTO %s (name, value)
VALUES (?, ?);`
queryFmtPostgresUpsertEncryptionValue = `
INSERT INTO %s (name, value)
VALUES ($1, $2)
ON CONFLICT (name)
DO UPDATE SET value=$2;`
)