added initial roadmap and implementation

2026-03-11 22:23:16 +02:00
parent 39b97a6db5
commit c0792f2e1d
62 changed files with 12410 additions and 1 deletions
--- a/control_plane/src/lib.rs
+++ b/control_plane/src/lib.rs
@@ -0,0 +1,251 @@
+use axum::{
+    extract::{Path, State},
+    http::StatusCode,
+    routing::{delete, get, put},
+    Json, Router,
+};
+use jsonwebtoken::{encode, EncodingKey, Header};
+use rand::Rng;
+use serde::{Deserialize, Serialize};
+use sqlx::PgPool;
+use uuid::Uuid;
+
+#[derive(Clone)]
+pub struct ControlPlaneState {
+    pub db: PgPool,
+}
+
+#[derive(Debug, Serialize, Deserialize, sqlx::FromRow)]
+pub struct Project {
+    pub id: Uuid,
+    pub name: String,
+    pub owner_id: Option<Uuid>,
+    pub status: String,
+    pub db_url: String,
+    pub jwt_secret: String,
+    pub anon_key: Option<String>,
+    pub service_role_key: Option<String>,
+    pub created_at: Option<chrono::DateTime<chrono::Utc>>,
+}
+
+#[derive(Deserialize)]
+pub struct CreateProjectRequest {
+    pub name: String,
+    pub owner_id: Option<Uuid>,
+}
+
+#[derive(Serialize, Deserialize)]
+struct Claims {
+    role: String,
+    iss: String,
+    iat: usize,
+    exp: usize,
+    sub: String,
+}
+
+pub async fn list_projects(
+    State(state): State<ControlPlaneState>,
+) -> Result<Json<Vec<Project>>, (StatusCode, String)> {
+    let projects = sqlx::query_as::<_, Project>("SELECT * FROM projects")
+        .fetch_all(&state.db)
+        .await
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    Ok(Json(projects))
+}
+
+pub async fn create_project(
+    State(state): State<ControlPlaneState>,
+    Json(payload): Json<CreateProjectRequest>,
+) -> Result<Json<Project>, (StatusCode, String)> {
+    // 1. Generate JWT Secret
+    let jwt_secret: String = rand::thread_rng()
+        .sample_iter(&rand::distributions::Alphanumeric)
+        .take(40)
+        .map(char::from)
+        .collect();
+
+    // 2. Generate Keys (JWTs)
+    let anon_key = generate_jwt(&jwt_secret, "anon")
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    let service_role_key = generate_jwt(&jwt_secret, "service_role")
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    let default_db_url = std::env::var("DEFAULT_TENANT_DB_URL")
+        .or_else(|_| std::env::var("DATABASE_URL"))
+        .unwrap_or_default();
+
+    let project = sqlx::query_as::<_, Project>(
+        r#"
+        INSERT INTO projects (name, owner_id, status, db_url, jwt_secret, anon_key, service_role_key)
+        VALUES ($1, $2, 'active', $3, $4, $5, $6)
+        RETURNING *
+        "#
+    )
+    .bind(&payload.name)
+    .bind(payload.owner_id)
+    .bind(default_db_url)
+    .bind(&jwt_secret)
+    .bind(&anon_key)
+    .bind(&service_role_key)
+    .fetch_one(&state.db)
+    .await
+    .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    Ok(Json(project))
+}
+
+pub async fn delete_project(
+    State(state): State<ControlPlaneState>,
+    Path(id): Path<Uuid>,
+) -> Result<StatusCode, (StatusCode, String)> {
+    // Soft delete
+    let result = sqlx::query("UPDATE projects SET status = 'deleted' WHERE id = $1")
+        .bind(id)
+        .execute(&state.db)
+        .await
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    if result.rows_affected() == 0 {
+        return Err((StatusCode::NOT_FOUND, "Project not found".to_string()));
+    }
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+#[derive(Deserialize)]
+pub struct RotateKeyRequest {
+    pub new_secret: Option<String>,
+}
+
+pub async fn rotate_keys(
+    State(state): State<ControlPlaneState>,
+    Path(id): Path<Uuid>,
+    Json(payload): Json<RotateKeyRequest>,
+) -> Result<Json<Project>, (StatusCode, String)> {
+    let jwt_secret = payload.new_secret.unwrap_or_else(|| {
+        rand::thread_rng()
+            .sample_iter(&rand::distributions::Alphanumeric)
+            .take(40)
+            .map(char::from)
+            .collect()
+    });
+
+    let anon_key = generate_jwt(&jwt_secret, "anon")
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    let service_role_key = generate_jwt(&jwt_secret, "service_role")
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    let project = sqlx::query_as::<_, Project>(
+        r#"
+        UPDATE projects
+        SET jwt_secret = $1, anon_key = $2, service_role_key = $3
+        WHERE id = $4
+        RETURNING *
+        "#,
+    )
+    .bind(&jwt_secret)
+    .bind(&anon_key)
+    .bind(&service_role_key)
+    .bind(id)
+    .fetch_optional(&state.db)
+    .await
+    .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
+    .ok_or((StatusCode::NOT_FOUND, "Project not found".to_string()))?;
+
+    Ok(Json(project))
+}
+
+#[derive(Serialize, sqlx::FromRow)]
+pub struct AdminUser {
+    pub id: Uuid,
+    pub email: String,
+    pub created_at: chrono::DateTime<chrono::Utc>,
+}
+
+pub async fn list_users(
+    State(state): State<ControlPlaneState>,
+) -> Result<Json<Vec<AdminUser>>, (StatusCode, String)> {
+    let users = sqlx::query_as::<_, AdminUser>("SELECT id, email, created_at FROM users")
+        .fetch_all(&state.db)
+        .await
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    Ok(Json(users))
+}
+
+pub async fn delete_user(
+    State(state): State<ControlPlaneState>,
+    Path(id): Path<Uuid>,
+) -> Result<StatusCode, (StatusCode, String)> {
+    let result = sqlx::query("DELETE FROM users WHERE id = $1")
+        .bind(id)
+        .execute(&state.db)
+        .await
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+
+    if result.rows_affected() == 0 {
+        return Err((StatusCode::NOT_FOUND, "User not found".to_string()));
+    }
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+fn generate_jwt(secret: &str, role: &str) -> anyhow::Result<String> {
+    let now = chrono::Utc::now();
+    let claims = Claims {
+        role: role.to_string(),
+        iss: "madbase".to_string(),
+        iat: now.timestamp() as usize,
+        exp: (now + chrono::Duration::days(365 * 10)).timestamp() as usize, // 10 years
+        sub: role.to_string(),                                              // Use role as sub
+    };
+
+    let token = encode(
+        &Header::default(),
+        &claims,
+        &EncodingKey::from_secret(secret.as_bytes()),
+    )?;
+
+    Ok(token)
+}
+
+pub fn router(state: ControlPlaneState) -> Router {
+    Router::new()
+        .route("/projects", get(list_projects).post(create_project))
+        .route("/projects/:id", delete(delete_project))
+        .route("/projects/:id/keys", put(rotate_keys))
+        .route("/users", get(list_users))
+        .route("/users/:id", delete(delete_user))
+        .with_state(state)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
+
+    #[test]
+    fn test_jwt_generation() {
+        let secret = "test-secret-123";
+        let role = "anon";
+
+        let token = generate_jwt(secret, role).expect("Failed to generate JWT");
+
+        let mut validation = Validation::new(Algorithm::HS256);
+        validation.validate_exp = true;
+
+        let token_data = decode::<Claims>(
+            &token,
+            &DecodingKey::from_secret(secret.as_bytes()),
+            &validation,
+        )
+        .expect("Failed to decode JWT");
+
+        assert_eq!(token_data.claims.role, "anon");
+        assert_eq!(token_data.claims.sub, "anon");
+        assert_eq!(token_data.claims.iss, "madbase");
+    }
+}