CLI: Begin 'page' and 'pageperms' commands

While interesitng in theory, there is nothing to be gained here,
because we don't really have user input at those early stages.

As we are also not a privileged process, those early stage
sandboxes in the end are not worth it, since they increase
complexity while there is no benefit in practise.

So, reduce those 3 stages to a single one (enable()), which we
activate after CLI server has launched.

Makefile

@@ -2,7 +2,7 @@
 
 CXXFLAGS=-std=c++17 -O0 -g -no-pie -pipe -MMD -Wall -Wextra
 RELEASE_CXXFLAGS=-std=c++17 -O3 -pipe -MMD -Wall -Wextra
-LDFLAGS=-lsqlite3 -lpthread -lcrypto -lstdc++fs -lseccomp
+LDFLAGS=-lsqlite3 -lpthread -lcrypto -lstdc++fs
 INCLUDEFLAGS=-I submodules/sqlitemoderncpp/hdr -I submodules/cpp-httplib -I submodules/qssb.h
 
 CXX=g++
@@ -55,6 +55,8 @@ gtest: $(GTESTS_TESTDIR)/*.cpp $(GTEST_OBJECTS)
 %.o:%.cpp
 	$(CXX) ${CXXFLAGS} ${LDFLAGS} ${INCLUDEFLAGS} -c -o $@ $<
 
+version.o:version.cpp
+	$(CXX) ${CXXFLAGS} ${LDFLAGS} ${INCLUDEFLAGS} -DGITCOMMIT=\"$(shell git rev-parse --short HEAD)\" -c -o $@ $<
 clean:
 	rm -f $(OBJECTS) $(DEPENDS)
 

authenticator.cpp

@@ -42,11 +42,12 @@ std::vector<char> Authenticator::pbkdf5(std::string password, const std::vector<
 	unsigned char hash[32];
 	const EVP_MD *sha256 = EVP_sha256();
 	const unsigned char *rawsalt = reinterpret_cast<const unsigned char *>(salt.data());
-	int ret = PKCS5_PBKDF2_HMAC(password.c_str(), password.size(), rawsalt, salt.size(), 300000, sha256, sizeof(hash), hash);
+	int ret =
+		PKCS5_PBKDF2_HMAC(password.c_str(), password.size(), rawsalt, salt.size(), 300000, sha256, sizeof(hash), hash);
 	if(ret != 1)
 	{
 		Logger::error() << "Authenticator: pbkdf5: Failed to create hash";
-		return { };
+		return {};
 	}
 	std::vector<char> result;
 

authenticator.h

@@ -3,6 +3,7 @@
 #include <variant>
 #include "database/userdao.h"
 
+#define AUTH_DEFAULT_SALT_SIZE 32
 enum AuthenticationError
 {
 	UserNotFound,

cli.cpp

@@ -0,0 +1,251 @@
+#include <map>
+#include <functional>
+#include <iomanip>
+
+#include "cli.h"
+#include "utils.h"
+#include "random.h"
+#include "authenticator.h"
+#include "config.h"
+#include "logger.h"
+#include "version.h"
+
+CLIHandler::CLIHandler(Config &config, Database &db)
+{
+	this->db = &db;
+	this->conf = &config;
+}
+
+std::pair<bool, std::string> CLIHandler::user_add(const std::vector<std::string> &args)
+{
+	std::string username = args.at(0);
+	std::string password = args.at(1);
+
+	auto userDao = db->createUserDao();
+
+	Permissions perms = this->conf->handlersConfig.anon_permissions;
+	int p = perms.getPermissions();
+	p |= PERM_CAN_CREATE | PERM_CAN_SEARCH | PERM_CAN_EDIT;
+	Permissions newPermissions = Permissions{p};
+
+	Random r;
+	User user;
+	user.enabled = true;
+	user.login = username;
+	user.salt = r.getRandom(AUTH_DEFAULT_SALT_SIZE);
+	user.permissions = newPermissions;
+
+	Authenticator auth{*userDao};
+	std::vector<char> hashResult = auth.hash(password, user.salt);
+	if(hashResult.empty())
+	{
+		return {false, "Error during hashing - Got empty hash"};
+	}
+	user.password = hashResult;
+
+	try
+	{
+		userDao->save(user);
+	}
+	catch(std::runtime_error &e)
+	{
+		return {false, "Exception: " + std::string(e.what())};
+	}
+	return {true, ""};
+}
+
+std::pair<bool, std::string> CLIHandler::user_change_pw(const std::vector<std::string> &args)
+{
+	std::string username = args.at(0);
+	std::string password = args.at(1);
+
+	auto userDao = db->createUserDao();
+
+	auto user = userDao->find(username);
+	if(user)
+	{
+		Random r;
+		Authenticator auth{*userDao};
+		user->salt = r.getRandom(AUTH_DEFAULT_SALT_SIZE);
+		user->password = auth.hash(password, user->salt);
+		if(user->password.empty())
+		{
+			return {false, "Error during hashing - Got empty hash"};
+		}
+
+		userDao->save(*user);
+	}
+	else
+	{
+		return {false, "User not found"};
+	}
+}
+
+std::pair<bool, std::string> CLIHandler::user_rename(const std::vector<std::string> &args)
+{
+
+	return {true, ""};
+}
+
+std::pair<bool, std::string> CLIHandler::user_set_perms(const std::vector<std::string> &args)
+{
+	auto userDao = this->db->createUserDao();
+	std::string username = args.at(0);
+	std::string permission_string = args.at(1);
+
+	Permissions perms{permission_string};
+
+	auto user = userDao->find(username);
+	if(user)
+	{
+		user->permissions = perms;
+		userDao->save(*user);
+		user_show({username});
+		return {true, ""};
+	}
+
+	return {false, "User not found"};
+}
+
+std::pair<bool, std::string> CLIHandler::user_list(const std::vector<std::string> &args)
+{
+	auto userDao = this->db->createUserDao();
+	QueryOption o;
+	auto result = userDao->list(o);
+	std::stringstream stream;
+	for(User &u : result)
+	{
+		stream << u.login << "\t" << std::string(u.enabled ? "enabled" : "disabled") << "\t" << u.permissions.toString()
+			   << std::endl;
+	}
+	return {true, stream.str()};
+}
+
+std::pair<bool, std::string> CLIHandler::user_show(const std::vector<std::string> &args)
+{
+	std::string username = args.at(0);
+	auto userDao = this->db->createUserDao();
+	auto user = userDao->find(username);
+	std::stringstream stream;
+	if(user)
+	{
+		stream << "Username: " << user->login << std::endl;
+
+		stream << "Enabled: " << std::string(user->enabled ? "yes" : "no") << std::endl;
+		stream << "Permissions (general): " << user->permissions.toString() << std::endl;
+		return {true, stream.str()};
+	}
+	return {false, "User not found"};
+}
+
+std::pair<bool, std::string> CLIHandler::page_list(const std::vector<std::string> &args)
+{
+	auto pageDao = this->db->createPageDao();
+	QueryOption o;
+	auto result = pageDao->getPageList(o);
+	std::stringstream stream;
+	for(std::string pagename : result)
+	{
+		Page p = pageDao->find(pagename).value();
+		stream << p.name << " " << p.pageid << " " << std::string(p.listed ? "listed" : "unlisted") << std::endl;
+	}
+	return {true, stream.str()};
+}
+
+std::pair<bool, std::string> CLIHandler::pageperms_set_permissions(const std::vector<std::string> &args)
+{
+	std::string page = args.at(0);
+	std::string username = args.at(1);
+	std::string perms = args.at(2);
+
+	auto permissionsDao = this->db->createPermissionsDao();
+	permissionsDao->save(page, username, Permissions{perms});
+	return {true, ""};
+}
+
+std::pair<bool, std::string> CLIHandler::attach(const std::vector<std::string> &args)
+{
+	/* TODO: consider authentication */
+	pid_t pid = getpid();
+	return {true, "Hi, I am pid: " + std::to_string(pid)};
+}
+
+std::pair<bool, std::string> CLIHandler::cli_help(const std::vector<std::string> &args)
+{
+	std::string command;
+	if(args.size() > 0)
+		command = args[0];
+	std::stringstream stream;
+	for(struct cmd &cmd : cmds)
+	{
+		if(command != "" && cmd.name != command)
+		{
+			continue;
+		}
+
+		stream << cmd.name << " - " << cmd.helptext << std::endl;
+		for(struct cmd &subCmd : cmd.subCommands)
+		{
+			stream << "\t" << subCmd.name << " " << subCmd.helptext << std::endl;
+		}
+		stream << std::endl;
+	}
+	return {true, stream.str()};
+}
+
+std::pair<bool, std::string> CLIHandler::processCommand(const std::vector<CLIHandler::cmd> &commands, std::string cmd,
+														const std::vector<std::string> &args)
+{
+	auto c = std::find_if(commands.begin(), commands.end(),
+						  [&cmd](const struct CLIHandler::cmd &a) { return a.name == cmd; });
+	if(c == commands.end())
+	{
+		std::cout << "No such command: " << cmd << std::endl;
+		return cli_help({});
+	}
+
+	if(!c->subCommands.empty() && args.size() >= c->required_args)
+	{
+		std::string newcmd = args[0];
+		std::vector<std::string> newargs = args;
+		newargs.erase(newargs.begin());
+		return processCommand(c->subCommands, newcmd, newargs);
+	}
+	if(args.size() < c->required_args)
+	{
+		return {false, "not enough parameters passed"};
+	}
+
+	try
+	{
+		return c->func(this, args);
+	}
+	catch(std::runtime_error &e)
+	{
+		return {false, "Exception: " + std::string(e.what())};
+	}
+	return {false, ""};
+}
+
+std::pair<bool, std::string> CLIHandler::processCommand(std::string cmd, const std::vector<std::string> &args)
+{
+	return processCommand(this->cmds, cmd, args);
+}
+
+std::pair<std::string, std::vector<std::string>> CLIHandler::splitCommand(std::string input)
+{
+	input = utils::trim(input);
+	std::vector<std::string> splitted = utils::split(input, "\\s+");
+	if(splitted.empty())
+	{
+		return {" ", splitted};
+	}
+	std::string cmd = splitted[0];
+	splitted.erase(splitted.begin());
+	return {cmd, splitted};
+}
+
+std::pair<bool, std::string> CLIHandler::version(const std::vector<std::string> &args)
+{
+	return {true, get_version_string()};
+}

cli.h

@@ -0,0 +1,84 @@
+#ifndef CLI_H
+#define CLI_H
+#include <iostream>
+#include <string>
+#include <vector>
+#include "database/database.h"
+#include "config.h"
+
+class CLIHandler
+{
+	struct cmd
+	{
+		std::string name;
+		std::string helptext;
+		unsigned int required_args;
+		std::vector<cmd> subCommands;
+		std::function<std::pair<bool, std::string>(CLIHandler *, const std::vector<std::string> &)> func;
+	};
+
+  private:
+	Database *db;
+	Config *conf;
+
+  protected:
+	std::pair<bool, std::string> attach(const std::vector<std::string> &args);
+	std::pair<bool, std::string> cli_help(const std::vector<std::string> &args);
+	std::pair<bool, std::string> user_add(const std::vector<std::string> &args);
+	std::pair<bool, std::string> user_change_pw(const std::vector<std::string> &args);
+	std::pair<bool, std::string> user_rename(const std::vector<std::string> &args);
+	std::pair<bool, std::string> user_set_perms(const std::vector<std::string> &args);
+	std::pair<bool, std::string> user_list(const std::vector<std::string> &args);
+	std::pair<bool, std::string> user_show(const std::vector<std::string> &args);
+	std::pair<bool, std::string> page_list(const std::vector<std::string> &args);
+	std::pair<bool, std::string> pageperms_set_permissions(const std::vector<std::string> &args);
+	std::pair<bool, std::string> version(const std::vector<std::string> &args);
+
+	std::vector<struct cmd> cmds{
+		{{"user",
+		  "user operations on the database",
+		  1,
+		  {{{"add", "[user] [password] - creates a user", 2, {}, &CLIHandler::user_add},
+			{"changepw", "[user] [password] - changes the password of user", 2, {}, &CLIHandler::user_change_pw},
+			{"rename", "[user] [new name] - renames a user", 2, {}, &CLIHandler::user_rename},
+			{"setperms", "[user] [perms] - sets the permissions of the user", 2, {}, &CLIHandler::user_set_perms},
+			{"list", "- lists users", 0, {}, &CLIHandler::user_list},
+			{"show", "[user] - show detailed information about user", 1, {}, &CLIHandler::user_show}}},
+		  &CLIHandler::cli_help},
+		 {"page",
+		  "operation on pages",
+		  1,
+		  {{{"list", "- lists existing pages", 0, {}, &CLIHandler::page_list}}},
+		  &CLIHandler::cli_help},
+		 {"pageperms",
+		  "set permissions on pages",
+		  1,
+		  {{{"set",
+			 "- [page] [username] [permissions] set permisisons on page",
+			 3,
+			 {},
+			 &CLIHandler::pageperms_set_permissions}}},
+		  &CLIHandler::cli_help},
+		 {"exit",
+		  "exit cli",
+		  0,
+		  {},
+		  [](CLIHandler *, const std::vector<std::string> &args) -> std::pair<bool, std::string>
+		  {
+			  exit(EXIT_SUCCESS);
+			  return {true, ""};
+		  }},
+		 {"help", "print this help", 0, {}, &CLIHandler::cli_help},
+		 {"attach", "attach to running instance", 0, {}, &CLIHandler::attach},
+		 {"version", "print verison info", 0, {}, &CLIHandler::version}}};
+
+	std::pair<bool, std::string> processCommand(const std::vector<CLIHandler::cmd> &commands, std::string cmd,
+												const std::vector<std::string> &args);
+
+  public:
+	CLIHandler(Config &config, Database &d);
+	std::pair<bool, std::string> processCommand(std::string cmd, const std::vector<std::string> &args);
+	static std::pair<std::string, std::vector<std::string>> splitCommand(std::string input);
+};
+
+#endif // CLI_H

cliconsole.cpp

@@ -0,0 +1,137 @@
+#include "cliconsole.h"
+
+CLIConsole::CLIConsole(CLIHandler &cliHandler, std::string socketPath)
+{
+	this->handler = &cliHandler;
+	this->socketPath = socketPath;
+}
+
+std::pair<bool, std::string> CLIConsole::send(std::string input)
+{
+	ssize_t ret =
+		sendto(this->sock, input.c_str(), input.size(), 0, (const sockaddr *)&this->server, sizeof(this->server));
+	if((size_t)ret != input.size())
+	{
+		return {false, "sendto failed: " + std::to_string(ret) + " " + std::string(strerror(errno))};
+	}
+	char buffer[1024] = {0};
+	ret = recvfrom(this->sock, buffer, sizeof(buffer) - 1, 0, NULL, NULL);
+	if(ret == -1)
+	{
+		return {false, "recvfrom failed: " + std::string(strerror(errno))};
+	}
+
+	bool success = false;
+	std::string_view view = buffer;
+	if(view[0] == '1')
+	{
+		success = true;
+	}
+	view.remove_prefix(1);
+	std::string msg = std::string{view};
+
+	return {success, msg};
+}
+
+void CLIConsole::attach()
+{
+	if(attached)
+	{
+		std::cout << "Already attached" << std::endl;
+		return;
+	}
+	if(socketPath.size() > sizeof(this->server.sun_path) - 1)
+	{
+		std::cout << "Socket path too long" << std::endl;
+		return;
+	}
+	memset(&this->server, 0, sizeof(this->server));
+	this->server.sun_family = AF_UNIX;
+	memcpy(&this->server.sun_path, socketPath.c_str(), socketPath.size());
+	this->server.sun_path[socketPath.size()] = 0;
+
+	int s = socket(AF_UNIX, SOCK_DGRAM, 0);
+	if(s == -1)
+	{
+		std::cout << "Failed to create socket" << strerror(errno) << std::endl;
+		return;
+	}
+	this->sock = s;
+
+	struct sockaddr_un client;
+	client.sun_family = AF_UNIX;
+	client.sun_path[0] = '\0';
+
+	int ret = bind(this->sock, (struct sockaddr *)&client, sizeof(client));
+	if(ret != 0)
+	{
+		std::cout << "bind() failed: " << strerror(errno) << std::endl;
+		return;
+	}
+	auto result = this->send("attach");
+	if(result.first)
+	{
+		std::cout << "Attached successfully: " << result.second << std::endl;
+		this->attached = true;
+	}
+	else
+	{
+		std::cout << "Attached unsuccessfully: " << result.second << std::endl;
+	}
+}
+
+void CLIConsole::startInteractive()
+{
+	std::cout << "qswiki CLI" << std::endl;
+	std::cout << "not attached - use 'attach' to connect to running instance" << std::endl;
+
+	while(true)
+	{
+		std::string input;
+		std::cout << "> ";
+		std::getline(std::cin, input);
+
+		if(std::cin.bad() || std::cin.eof())
+		{
+			std::cout << "Exiting" << std::endl;
+			return;
+		}
+		if(input.empty())
+		{
+			continue;
+		}
+
+		auto pair = CLIHandler::splitCommand(input);
+		if(pair.first == "exit")
+		{
+			std::cout << "Exiting CLI";
+			exit(EXIT_SUCCESS);
+		}
+		if(pair.first == "attach")
+		{
+			attach();
+			continue;
+		}
+
+		std::pair<bool, std::string> result;
+		if(!attached)
+		{
+			result = handler->processCommand(pair.first, pair.second);
+		}
+		else
+		{
+			result = this->send(input);
+		}
+
+		if(!result.second.empty())
+		{
+			std::cout << result.second << std::endl;
+		}
+		if(!result.first)
+		{
+			std::cout << "Command failed" << std::endl;
+		}
+	}
+
+	std::cout << "\n";
+}

cliconsole.h

@@ -0,0 +1,27 @@
+#ifndef CLICONSOLE_H
+#define CLICONSOLE_H
+
+#include <iostream>
+#include <string>
+#include <vector>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include "cli.h"
+
+class CLIConsole
+{
+  private:
+	struct sockaddr_un server;
+	int sock;
+	CLIHandler *handler;
+	std::string socketPath;
+	bool attached = false;
+	std::pair<bool, std::string> send(std::string input);
+	void attach();
+
+  public:
+	CLIConsole(CLIHandler &cliHandler, std::string socketPath);
+	void startInteractive();
+};
+
+#endif // CLICONSOLE_H

cliserver.cpp

@@ -0,0 +1,77 @@
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+#include "cliserver.h"
+#include "logger.h"
+CLIServer::CLIServer(CLIHandler &handler)
+{
+	this->handler = &handler;
+}
+
+bool CLIServer::detachServer(std::string socketpath)
+{
+	struct sockaddr_un name;
+	const int max_socket_length = sizeof(name.sun_path) - 1;
+	if(socketpath.size() > max_socket_length)
+	{
+		perror("socket path too long");
+		return false;
+	}
+	int s = socket(AF_UNIX, SOCK_DGRAM, 0);
+	if(s == -1)
+	{
+		perror("socket");
+		return false;
+	}
+
+	memset(&name, 0, sizeof(name));
+	name.sun_family = AF_UNIX;
+	memcpy(&name.sun_path, socketpath.c_str(), socketpath.size());
+
+	unlink(socketpath.c_str());
+	int ret = bind(s, (const struct sockaddr *)&name, sizeof(name));
+	if(ret == -1)
+	{
+		perror("bind");
+		exit(EXIT_FAILURE);
+	}
+
+	auto worker = [=]
+	{
+		while(true)
+		{
+			char buffer[1024] = {0};
+			struct sockaddr_un peer;
+			socklen_t peerlen = sizeof(peer);
+
+			int ret = recvfrom(s, buffer, sizeof(buffer) - 1, 0, (struct sockaddr *)&peer, &peerlen);
+			if(ret == -1)
+			{
+				Logger::error() << "Error during recvfrom in CLI server: " << strerror(errno);
+				return false;
+			}
+
+			std::string input{buffer};
+
+			auto pair = CLIHandler::splitCommand(input);
+
+			auto result = handler->processCommand(pair.first, pair.second);
+			char resultCode = '0';
+			if(result.first)
+			{
+				resultCode = '1';
+			}
+			std::string resultString;
+			resultString += resultCode;
+			resultString += result.second;
+			ret = sendto(s, resultString.c_str(), resultString.size(), 0, (struct sockaddr *)&peer, peerlen);
+			if(ret == -1)
+			{
+				Logger::error() << "Error during sendto in CLI server: " << strerror(errno);
+			}
+		}
+	};
+	std::thread t1{worker};
+	t1.detach();
+	return true;
+}

cliserver.h

@@ -0,0 +1,16 @@
+#ifndef CLISERVER_H
+#define CLISERVER_H
+#include <thread>
+#include "cli.h"
+
+class CLIServer
+{
+  private:
+	CLIHandler *handler = nullptr;
+
+  public:
+	CLIServer(CLIHandler &handler);
+	bool detachServer(std::string socketpath);
+};
+
+#endif // CLISERVER_H

database/permissionsdao.h

@@ -7,6 +7,7 @@ class PermissionsDao
   public:
 	PermissionsDao();
 	virtual std::optional<Permissions> find(std::string pagename, std::string username) = 0;
+	virtual void save(std::string pagename, std::string username, Permissions perms) = 0;
 };
 
 #endif // PERMISSIONSDAO_H

database/permissionsdaosqlite.cpp

@@ -41,3 +41,21 @@ std::optional<Permissions> PermissionsDaoSqlite::find(std::string pagename, std:
 
 	return Permissions{permissions};
 }
+
+void PermissionsDaoSqlite::save(std::string pagename, std::string username, Permissions perms)
+{
+	try
+	{
+		auto query =
+			*db
+			<< "INSERT OR REPLACE INTO permissions (id, permissions, userid, page) VALUES((SELECT id FROM permissions "
+			   "WHERE page = (SELECT id FROM page WHERE name = ?) AND userid = (SELECT id FROM user WHERE username = "
+			   "?)), ?, (SELECT id FROM user WHERE username = ?), (SELECT id FROM page WHERE name = ?))";
+		query << pagename << username << perms.getPermissions() << username << pagename;
+		query.execute();
+	}
+	catch(const sqlite::errors::no_rows &e)
+	{
+		throwFrom(e);
+	}
+}

database/permissionsdaosqlite.h

@@ -9,6 +9,7 @@ class PermissionsDaoSqlite : public PermissionsDao, protected SqliteDao
 	PermissionsDaoSqlite();
 
 	std::optional<Permissions> find(std::string pagename, std::string username) override;
+	virtual void save(std::string pagename, std::string username, Permissions perms) override;
 	using SqliteDao::SqliteDao;
 };
 

database/userdao.h

@@ -3,6 +3,7 @@
 #include <string>
 #include <optional>
 #include "../user.h"
+#include "queryoption.h"
 class UserDao
 {
   public:
@@ -10,6 +11,7 @@ class UserDao
 	virtual bool exists(std::string username) = 0;
 	virtual std::optional<User> find(std::string username) = 0;
 	virtual std::optional<User> find(int id) = 0;
+	virtual std::vector<User> list(QueryOption o) = 0;
 	virtual void deleteUser(std::string username) = 0;
 	virtual void save(const User &u) = 0;
 	virtual ~UserDao(){};

database/userdaosqlite.cpp

@@ -23,6 +23,7 @@ SOFTWARE.
 #include <memory>
 #include <cstring>
 #include "userdaosqlite.h"
+#include "sqlitequeryoption.h"
 
 UserDaoSqlite::UserDaoSqlite()
 {
@@ -82,6 +83,39 @@ std::optional<User> UserDaoSqlite::find(int id)
 	}
 }
 
+std::vector<User> UserDaoSqlite::list(QueryOption o)
+{
+	std::vector<User> result;
+
+	try
+	{
+
+		std::string queryOption = SqliteQueryOption(o).setOrderByColumn("username").setPrependWhere(true).build();
+		std::string query = "SELECT username, password, salt, permissions, enabled FROM user " + queryOption;
+
+		*db << query >>
+			[&](std::string username, std::vector<char> pw, std::vector<char> salt, int permisisons, bool enabled)
+		{
+			User tmp;
+			tmp.login = username;
+			tmp.password = pw;
+			tmp.salt = salt;
+			tmp.permissions = Permissions{permisisons};
+			tmp.enabled = enabled;
+			result.push_back(tmp);
+		};
+	}
+	catch(const sqlite::errors::no_rows &e)
+	{
+		return result;
+	}
+	catch(sqlite::sqlite_exception &e)
+	{
+		throwFrom(e);
+	}
+	return result;
+}
+
 void UserDaoSqlite::deleteUser(std::string username)
 {
 	// What to do with the contributions of the user?

database/userdaosqlite.h

@@ -13,6 +13,7 @@ class UserDaoSqlite : public UserDao, protected SqliteDao
 	std::optional<User> find(std::string username);
 	std::optional<User> find(int id);
 
+	std::vector<User> list(QueryOption o);
 	void deleteUser(std::string username);
 	void save(const User &u);
 	using SqliteDao::SqliteDao;

handlers/handlerusersettings.cpp

@@ -15,19 +15,20 @@ Response HandlerUserSettings::handleRequest(const Request &r)
 
 			if(newpassword != newpasswordconfirm)
 			{
-				//TODO: is not nice, users has to hit the back button...
+				// TODO: is not nice, users has to hit the back button...
 				return this->errorResponse("Passwords don't match", "The entered new passwords don't match");
 			}
 			auto userDao = this->database->createUserDao();
 			Authenticator authenticator(*userDao);
 
-			std::variant<User, AuthenticationError> authresult = authenticator.authenticate(this->userSession->user.login, oldpassword);
+			std::variant<User, AuthenticationError> authresult =
+				authenticator.authenticate(this->userSession->user.login, oldpassword);
 			if(std::holds_alternative<AuthenticationError>(authresult))
 			{
 				return this->errorResponse("Invalid current password", "The old password you entered is invalid");
 			}
 			Random r;
-			std::vector<char> salt = r.getRandom(23);
+			std::vector<char> salt = r.getRandom(AUTH_DEFAULT_SALT_SIZE);
 			User user = std::get<User>(authresult);
 			user.salt = salt;
 			user.password = authenticator.hash(newpassword, user.salt);

permissions.cpp

@@ -20,6 +20,17 @@ SOFTWARE.
 */
 #include "permissions.h"
 
+static const std::map<std::string, int> permmap = {{"can_read", PERM_CAN_READ},
+												   {"can_edit", PERM_CAN_EDIT},
+												   {"can_page_history", PERM_CAN_PAGE_HISTORY},
+												   {"can_global_history", PERM_CAN_GLOBAL_HISTORY},
+												   {"can_delete", PERM_CAN_DELETE},
+												   {"can_see_page_list", PERM_CAN_SEE_PAGE_LIST},
+												   {"can_create", PERM_CAN_CREATE},
+												   {"can_see_category_list", PERM_CAN_SEE_CATEGORY_LIST},
+												   {"can_see_links_here", PERM_CAN_SEE_LINKS_HERE},
+												   {"can_search", PERM_CAN_SEARCH}};
+
 Permissions::Permissions(int permissions)
 {
 	this->permissions = permissions;
@@ -36,3 +47,20 @@ Permissions::Permissions(const std::string &str)
 		}
 	}
 }
+
+std::string Permissions::toString(int perms)
+{
+	std::string result;
+	for(auto pair : permmap)
+	{
+		if(pair.second & perms)
+		{
+			result += pair.first + ",";
+		}
+	}
+	if(result.size() > 0)
+	{
+		result.pop_back();
+	}
+	return result;
+}

permissions.h

@@ -14,20 +14,12 @@
 
 #include <string>
 #include <map>
+
 class Permissions
+
 {
   private:
 	int permissions = 0;
-	const std::map<std::string, int> permmap = {{"can_read", PERM_CAN_READ},
-												{"can_edit", PERM_CAN_EDIT},
-												{"can_page_history", PERM_CAN_PAGE_HISTORY},
-												{"can_global_history", PERM_CAN_GLOBAL_HISTORY},
-												{"can_delete", PERM_CAN_DELETE},
-												{"can_see_page_list", PERM_CAN_SEE_PAGE_LIST},
-												{"can_create", PERM_CAN_CREATE},
-												{"can_see_category_list", PERM_CAN_SEE_CATEGORY_LIST},
-												{"can_see_links_here", PERM_CAN_SEE_LINKS_HERE},
-												{"can_search", PERM_CAN_SEARCH}};
 
   public:
 	Permissions()
@@ -102,6 +94,13 @@ class Permissions
 	{
 		return this->permissions & PERM_CAN_SEE_PAGE_LIST;
 	}
+
+	std::string toString() const
+	{
+		return Permissions::toString(this->permissions);
+	}
+
+	static std::string toString(int perms);
 };
 
 #endif // PERMISSIONS_H

qswiki.cpp

@@ -25,6 +25,7 @@ SOFTWARE.
 #include <unistd.h>
 #include <sys/types.h>
 #include <filesystem>
+#include <getopt.h>
 #include "gateway/gatewayinterface.h"
 #include "gateway/gatewayfactory.h"
 #include "handlers/handlerfactory.h"
@@ -37,6 +38,11 @@ SOFTWARE.
 #include "requestworker.h"
 #include "cache/fscache.h"
 #include "sandbox/sandboxfactory.h"
+#include "cli.h"
+#include "cliconsole.h"
+#include "cliserver.h"
+#include "version.h"
+
 void sigterm_handler(int arg)
 {
 	// TODO: proper shutdown.
@@ -56,6 +62,10 @@ void setup_signal_handlers()
 	}
 }
 
+#define OPT_PRINT_VERSION 23
+
+static struct option long_options[] = {{"cli", no_argument, 0, 'c'}, {"version", no_argument, 0, OPT_PRINT_VERSION}};
+
 std::unique_ptr<ICache> createCache(const ConfigVariableResolver &resolver)
 {
 
@@ -63,13 +73,43 @@ std::unique_ptr<ICache> createCache(const ConfigVariableResolver &resolver)
 
 	return std::make_unique<FsCache>(path);
 }
+
 int main(int argc, char **argv)
 {
+
+	char *configfilepath = NULL;
+	int option;
+	int option_index;
+	bool cli_mode = false;
+
 	if(geteuid() == 0)
 	{
 		std::cerr << "Do not run this as root!" << std::endl;
 		return 1;
 	}
+
+	while((option = getopt_long(argc, argv, "cv", long_options, &option_index)) != -1)
+	{
+		switch(option)
+		{
+		case 'c':
+			cli_mode = true;
+			break;
+		case OPT_PRINT_VERSION:
+			std::cout << get_version_string() << std::endl;
+			exit(EXIT_SUCCESS);
+			break;
+		}
+	}
+
+	if(optind == argc)
+	{
+		std::cerr << "Missing config path" << std::endl;
+		return 1;
+	}
+
+	configfilepath = argv[optind++];
+
 	auto sandbox = createSandbox();
 	// TODO: do we want to keep it mandatory or configurable?
 	if(!sandbox->supported())
@@ -77,35 +117,18 @@ int main(int argc, char **argv)
 		Logger::error() << "Sandbox is not supported, exiting";
 		exit(EXIT_FAILURE);
 	}
-	if(!sandbox->enableForInit())
-	{
-		Logger::error() << "Sandboxing for init mode could not be activated.";
-		exit(EXIT_FAILURE);
-	}
-
 	if(argc < 2)
 	{
 		std::cerr << "no path to config file provided" << std::endl;
 		return 1;
 	}
+	std::string configpath = std::filesystem::absolute(configfilepath).string();
 
 	try
 	{
-		ConfigReader configreader(argv[1]);
+		ConfigReader configreader(configpath);
 		Config config = configreader.readConfig();
 
-		// TODO: config.connectiontring only works as long as we only support sqlite of course
-		if(!sandbox->enablePreWorker({
-			   config.configVarResolver.getConfig("cache_fs_dir"),
-			   config.templatepath,
-			   std::filesystem::path(config.logfile).parent_path(),
-			   std::filesystem::path(config.connectionstring).parent_path(),
-		   }))
-		{
-			Logger::error() << "Sandboxing for pre worker stage could not be activated.";
-			exit(EXIT_FAILURE);
-		}
-
 		setup_signal_handlers();
 
 		std::fstream logstream;
@@ -113,6 +136,34 @@ int main(int argc, char **argv)
 		Logger::setStream(&logstream);
 
 		auto database = createDatabase(config);
+		std::string socketPath = config.configVarResolver.getConfig("socketpath");
+		CLIHandler cliHandler(config, *database);
+
+		if(cli_mode)
+		{
+			CLIConsole console{cliHandler, socketPath};
+			console.startInteractive();
+			return 0;
+		}
+
+		// TODO: config.connectiontring only works as long as we only support sqlite of course
+		if(!sandbox->enable({
+			   config.configVarResolver.getConfig("cache_fs_dir"),
+			   config.templatepath,
+			   std::filesystem::path(config.logfile).parent_path(),
+			   std::filesystem::path(config.connectionstring).parent_path(),
+		   }))
+		{
+			Logger::error() << "Sandboxing for worker could not be enabled!";
+			exit(EXIT_FAILURE);
+		}
+
+		CLIServer cliServer{cliHandler};
+		if(!cliServer.detachServer(socketPath))
+		{
+			Logger::error() << "Error: Failed to detach unix socket server";
+			return 1;
+		}
 
 		// TODO: quite ugly, anon-handling must be rethought
 		auto userdao = database->createUserDao();
@@ -140,11 +191,6 @@ int main(int argc, char **argv)
 
 		auto interface = createGateway(config);
 
-		if(!sandbox->enableForWorker())
-		{
-			Logger::error() << "Sandboxing for worker could not be enabled!";
-			exit(EXIT_FAILURE);
-		}
 		interface->work(requestWorker);
 	}
 	catch(const std::exception &e)

sandbox/sandbox-linux.cpp

@@ -23,52 +23,6 @@
  * obvious systemcalls. To whitelist, we need to analyse our
  * dependencies (http library, sqlite wrapper, sqlite lib etc.) */
 
-bool SandboxLinux::enableForInit()
-{
-	umask(0027);
-	struct qssb_policy policy = {0};
-	int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1};
-	policy.blacklisted_syscalls = blacklisted_syscalls;
-	policy.no_new_privs = 1;
-	int result = qssb_enable_policy(&policy);
-	if(result != 0)
-	{
-		Logger::error() << "Failed to install sandboxing policy (init): " << result;
-		return false;
-	}
-	return true;
-}
-
-bool SandboxLinux::enablePreWorker(std::vector<std::string> fsPaths)
-{
-	std::sort(fsPaths.begin(), fsPaths.end(),
-			  [](const std::string &a, const std::string &b) { return a.length() < b.length(); });
-
-	struct qssb_path_policy *policies = new qssb_path_policy[fsPaths.size()];
-	for(unsigned int i = 0; i < fsPaths.size(); i++)
-	{
-		policies[i].next = policies + (i + 1);
-		policies[i].mountpoint = fsPaths[i].c_str();
-		policies[i].policy = QSSB_MOUNT_ALLOW_READ | QSSB_MOUNT_ALLOW_WRITE;
-	}
-	policies[fsPaths.size() - 1].next = NULL;
-
-	struct qssb_policy policy = {0};
-	policy.path_policies = policies;
-	policy.namespace_options |= QSSB_UNSHARE_MOUNT;
-	policy.namespace_options |= QSSB_UNSHARE_USER;
-	int blacklisted_syscalls[] = {QSSB_SYS(execveat), QSSB_SYS(execve), -1};
-	policy.blacklisted_syscalls = blacklisted_syscalls;
-	int result = qssb_enable_policy(&policy);
-	if(result != 0)
-	{
-		Logger::error() << "Failed to install sandboxing policy (preworker): %i" << result;
-		return false;
-	}
-	delete[] policies;
-	return true;
-}
-
 bool SandboxLinux::supported()
 {
 	std::fstream stream;
@@ -86,32 +40,43 @@ bool SandboxLinux::supported()
 	}
 	return true;
 }
-bool SandboxLinux::enableForWorker()
+bool SandboxLinux::enable(std::vector<std::string> fsPaths)
 {
-	struct qssb_policy policy = {0};
-	policy.drop_caps = 1;
-	policy.not_dumpable = 1;
-	policy.no_new_privs = 1;
+	std::sort(fsPaths.begin(), fsPaths.end(),
+			  [](const std::string &a, const std::string &b) { return a.length() < b.length(); });
 
-	/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
-	 * sense that more could be listed here and some critical ones are probably missing */
-	int blacklisted_syscalls[] = {QSSB_SYS(setuid),
-								  QSSB_SYS(connect),
-								  QSSB_SYS(chroot),
-								  QSSB_SYS(pivot_root),
-								  QSSB_SYS(mount),
-								  QSSB_SYS(setns),
-								  QSSB_SYS(unshare),
-								  QSSB_SYS(ptrace),
-								  QSSB_SYS(personality),
-								  QSSB_SYS(prctl),
-								  -1};
-	policy.blacklisted_syscalls = blacklisted_syscalls;
-	if(qssb_enable_policy(&policy) != 0)
+	struct qssb_policy *policy = qssb_init_policy();
+	if(policy == NULL)
 	{
-		Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
+		Logger::error() << "Failed to init sandboxing policy (worker) ";
 		return false;
 	}
+	for(unsigned int i = 0; i < fsPaths.size(); i++)
+	{
+		qssb_append_path_policy(policy, QSSB_FS_ALLOW_READ | QSSB_FS_ALLOW_WRITE, fsPaths[i].c_str());
+	}
+	policy->drop_caps = 1;
+	policy->not_dumpable = 1;
+	policy->no_new_privs = 1;
+	policy->mount_path_policies_to_chroot = 1;
+	/* TODO: as said, a whitelist approach is better. As such, this list is bound to be incomplete in the
+	 * sense that more could be listed here and some critical ones are probably missing */
 
+	/* TODO: use qssb groups */
+	long blacklisted_syscalls[] = {QSSB_SYS(setuid),	  QSSB_SYS(connect), QSSB_SYS(chroot),	 QSSB_SYS(pivot_root),
+								   QSSB_SYS(mount),		  QSSB_SYS(setns),	 QSSB_SYS(unshare),	 QSSB_SYS(ptrace),
+								   QSSB_SYS(personality), QSSB_SYS(prctl),	 QSSB_SYS(execveat), QSSB_SYS(execve),
+								   QSSB_SYS(fork)};
+	qssb_append_syscalls_policy(policy, QSSB_SYSCALL_DENY_KILL_PROCESS, blacklisted_syscalls,
+								sizeof(blacklisted_syscalls) / sizeof(blacklisted_syscalls[0]));
+	qssb_append_syscall_default_policy(policy, QSSB_SYSCALL_ALLOW);
+
+	if(qssb_enable_policy(policy) != 0)
+	{
+		Logger::error() << "Sandbox: Activation of seccomp blacklist failed!";
+		qssb_free_policy(policy);
+		return false;
+	}
+	qssb_free_policy(policy);
 	return true;
 }

sandbox/sandbox-linux.h

@@ -8,8 +8,6 @@ class SandboxLinux : public Sandbox
   public:
 	using Sandbox::Sandbox;
 	bool supported() override;
-	bool enableForInit() override;
-	bool enablePreWorker(std::vector<std::string> fsPaths) override;
-	bool enableForWorker() override;
+	bool enable(std::vector<std::string> fsPaths) override;
 };
 #endif

sandbox/sandbox-openbsd.h

@@ -6,10 +6,6 @@ class SandboxOpenBSD : public Sandbox
 {
   public:
 	bool supported() override;
-	bool enableForInit() override;
-	bool enableForWorker() override;
-
-  private:
-	bool seccomp_blacklist(std::vector<int> syscalls);
+	bool enable(std::vector<std::string> fsPaths) override;
 };
 #endif

sandbox/sandbox.h

@@ -10,16 +10,7 @@ class Sandbox
 	/* Whether the platform has everything required to active all sandbnox modes */
 	virtual bool supported() = 0;
 
-	/* Activated early. At this point, we need more system calls
-	 * than later on */
-	virtual bool enableForInit() = 0;
-
-	/* Activated after config has been read. Now we now which paths we need access to */
-	virtual bool enablePreWorker(std::vector<std::string> fsPaths) = 0;
-
-	/* Activated after we have acquired resources (bound to ports etc.)
-	 *
-	 * This should allow us to further restrcit the process */
-	virtual bool enableForWorker() = 0;
+	/* Activated after we have acquired resources (bound to ports etc.)*/
+	virtual bool enable(std::vector<std::string> fsPaths) = 0;
 };
 #endif

setup/sqlite.sql

@@ -25,24 +25,13 @@ count integer
 CREATE TABLE category(id INTEGER PRIMARY KEY, name varchar(255));
 CREATE TABLE categorymember(id INTEGER PRIMARY KEY, category REFERENCES category(id), page REFERENCES page (id));
 CREATE INDEX revisionid ON revision (revisionid DESC);
-CREATE INDEX pagename ON page (name)
-;
-CREATE INDEX token ON session (token)
-;
-CREATE TRIGGER search_ai AFTER INSERT ON revision BEGIN
-  DELETE FROM search WHERE page = new.page;
-  INSERT INTO search(rowid, content, page) VALUES (new.id, new.content, new.page);
-END;
-CREATE TRIGGER search_au AFTER UPDATE ON revision BEGIN
-  DELETE FROM search WHERE page = old.page;
-  INSERT INTO search(rowid, content, page) VALUES (new.id, new.content, new.page);
-END;
-CREATE VIRTUAL TABLE search USING fts5(content, page UNINDEXED, content=revision,content_rowid=id)
-/* search(content,page) */;
-CREATE TABLE IF NOT EXISTS 'search_data'(id INTEGER PRIMARY KEY, block BLOB);
-CREATE TABLE IF NOT EXISTS 'search_idx'(segid, term, pgno, PRIMARY KEY(segid, term)) WITHOUT ROWID;
-CREATE TABLE IF NOT EXISTS 'search_docsize'(id INTEGER PRIMARY KEY, sz BLOB);
-CREATE TABLE IF NOT EXISTS 'search_config'(k PRIMARY KEY, v) WITHOUT ROWID;
+CREATE INDEX pagename ON page (name);
+CREATE INDEX token ON session (token);
+CREATE VIRTUAL TABLE search USING fts5(content, page UNINDEXED, content=revision,content_rowid=id);
 CREATE TRIGGER search_ad AFTER DELETE ON revision BEGIN
   INSERT INTO search(search, rowid, content, page) VALUES('delete', old.id, old.content, old.page);
 END;
+CREATE TRIGGER search_ai AFTER INSERT ON revision BEGIN
+  INSERT INTO search(search, rowid, content, page) SELECT 'delete', id, content, page FROM revision WHERE page = new.page AND revisionid = new.revisionid - 1; 
+  INSERT INTO search(rowid, content, page) VALUES (new.id, new.content, new.page);
+END;

template.cpp

@@ -130,11 +130,10 @@ std::string Template::renderRevisionList(const std::vector<Revision> &revisions,
 	std::stringstream stream;
 	UrlProvider urlprovider(*this->configUrls);
 
-	auto genwithoutpage = [&] {
+	auto genwithoutpage = [&]
+	{
 		for(const Revision &revision : revisions)
 		{
-
-			Logger::debug() << "processing: " << revision.revision;
 			stream << "<tr><td><a href=\"" << urlprovider.pageRevision(revision.page, revision.revision) << "\">"
 				   << revision.revision << "</a></td>"
 				   << "<td>" << revision.author << "</td>"
@@ -143,7 +142,8 @@ std::string Template::renderRevisionList(const std::vector<Revision> &revisions,
 		}
 	};
 
-	auto genwithpage = [&] {
+	auto genwithpage = [&]
+	{
 		for(const Revision &revision : revisions)
 		{
 

utils.cpp

@@ -46,6 +46,12 @@ std::string utils::html_xss(std::string_view str)
 		case '%':
 			result += "%";
 			break;
+		case '\'':
+			result += "'";
+			break;
+		case '&':
+			result += "&";
+			break;
 		default:
 			result += c;
 		}
@@ -93,7 +99,7 @@ std::vector<std::string> utils::split(const std::string &str, char delim)
 // TODO: can easily break if we pass a regex here
 std::vector<std::string> utils::split(const std::string &str, const std::string &delim)
 {
-	std::regex regex { delim + "+" };
+	std::regex regex{delim + "+"};
 	return split(str, regex);
 }
 
@@ -175,3 +181,20 @@ std::string utils::toISODate(time_t t)
 	}
 	return std::string{result};
 }
+
+std::string utils::trim(const std::string &str)
+{
+	std::string_view chars = " \t\n\r";
+	std::string_view view = str;
+	auto n = view.find_first_not_of(chars);
+	if(n != std::string_view::npos)
+	{
+		view.remove_prefix(n);
+	}
+	n = view.find_last_not_of(chars);
+	if(n != std::string_view::npos)
+	{
+		view.remove_suffix(view.size() - n - 1);
+	}
+	return std::string{view};
+}

utils.h

@@ -93,5 +93,7 @@ template <class T> inline std::string toString(const T &v)
 	return std::string(v.begin(), v.end());
 }
 
+std::string trim(const std::string &str);
+
 } // namespace utils
 #endif

version.cpp

@@ -0,0 +1,11 @@
+#include "version.h"
+
+std::string git_commit_id()
+{
+	return std::string(GITCOMMIT);
+}
+
+std::string get_version_string()
+{
+	return git_commit_id() + " Built: " + __DATE__ + " " + __TIME__;
+}

version.h

@@ -0,0 +1,7 @@
+#ifndef VERSION_H
+#define VERSION_H
+
+#include <string>
+std::string git_commit_id();
+std::string get_version_string();
+#endif // VERSION_H