From: Michael Tremer Date: Mon, 2 Mar 2026 17:02:25 +0000 (+0000) Subject: auth: Add UID and permission to impersonate to API keys X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c82e40dae15ee590ea8e53e0c83ba7e037efb46f;p=dbl.git auth: Add UID and permission to impersonate to API keys Signed-off-by: Michael Tremer --- diff --git a/src/database.sql b/src/database.sql index 6056116..8da740e 100644 --- a/src/database.sql +++ b/src/database.sql @@ -2,7 +2,7 @@ -- PostgreSQL database dump -- -\restrict 97QQcysG1ebcqz7Y7sN4EJb44D05KafpruWuQjJfkHpdoO21URCTKpqX39K4fwP +\restrict WmWKbaDQfA4nBBtkMPZrgKfs3IuS4Rt4OGUXi43GEHyNlWwmMPGfl4UdQKiKmxj -- Dumped from database version 17.7 (Debian 17.7-0+deb13u1) -- Dumped by pg_dump version 17.7 (Debian 17.7-0+deb13u1) @@ -34,7 +34,9 @@ CREATE TABLE public.api_keys ( created_at timestamp with time zone DEFAULT CURRENT_TIMESTAMP NOT NULL, created_by text NOT NULL, deleted_at timestamp with time zone, - deleted_by text + deleted_by text, + uid text NOT NULL, + can_impersonate boolean DEFAULT false NOT NULL ); @@ -681,5 +683,5 @@ ALTER TABLE ONLY public.sources -- PostgreSQL database dump complete -- -\unrestrict 97QQcysG1ebcqz7Y7sN4EJb44D05KafpruWuQjJfkHpdoO21URCTKpqX39K4fwP +\unrestrict WmWKbaDQfA4nBBtkMPZrgKfs3IuS4Rt4OGUXi43GEHyNlWwmMPGfl4UdQKiKmxj diff --git a/src/dbl/auth.py b/src/dbl/auth.py index 4159a76..3e7dfe9 100644 --- a/src/dbl/auth.py +++ b/src/dbl/auth.py @@ -94,10 +94,14 @@ class Auth(object): return self.backend.db.fetch(stmt) - async def create(self, created_by): + async def create(self, uid, created_by): """ Creates a new API key """ + # Check if the user actually exists + if not self.backend.users.get_by_uid(uid): + raise ValueError("User '%s' does not exist" % uid) + # Generate a new prefix prefix = "".join(secrets.choice(ALPHABET) for _ in range(6)) 
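Review bot: In the `public.api_keys` hunk of src/database.sql, `uid text NOT NULL` is added without a default, and the commit carries only the regenerated dump, so it is not visible how API keys that already exist get a `uid`. If the table is non-empty on any deployed system, the change needs a migration step that assigns an owner to each existing key, or revokes it, before the `NOT NULL` constraint is applied. That step should be explicit rather than a blanket default, since `uid` now decides whose identity a key represents.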
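Review bot: In `create()` in src/dbl/auth.py, the new existence check calls `self.backend.users.get_by_uid(uid)` without `await` inside an `async def`. If that lookup is a coroutine function (its definition is not in this diff), the returned coroutine object is always truthy, the `ValueError` can never fire, and a key could be bound to a UID that does not exist. In that case the line should read `if not await self.backend.users.get_by_uid(uid):`. Separately, `uid` was inserted as a new first positional parameter, so making the creator keyword-only (`async def create(self, uid, *, created_by):`) would stop an older positional caller from silently passing the creator as the UID. The body of `create()` continues past this hunk.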
@@ -110,10 +114,11 @@ class Auth(object): prefix = prefix, secret = secret, created_by = created_by, + uid = uid, ) # Log action - log.info(_("A new API Key has been created by %s") % key.created_by) + log.info(_("A new API Key has been created for %s") % key.uid) return key @@ -147,6 +152,9 @@ class APIKey(sqlmodel.SQLModel, database.BackendMixin, table=True): # Deleted By deleted_by : str | None + # UID + uid: str + async def check(self, secret): """ Checks if the provided secret matches @@ -162,3 +170,7 @@ class APIKey(sqlmodel.SQLModel, database.BackendMixin, table=True): # Log action log.info(_("API key %s has been deleted by %s") % (self.id, self.deleted_by)) + + # Permissions + + can_impersonate: bool = False diff --git a/src/scripts/dbl.in b/src/scripts/dbl.in index 0d28f9a..e94fd8e 100644 --- a/src/scripts/dbl.in +++ b/src/scripts/dbl.in @@ -183,6 +183,8 @@ class CLI(object): # Authentication: create-api-key create_api_key = subparsers.add_parser("create-api-key", help=_("Creates a new API key")) + create_api_key.add_argument("uid", + help=_("The user the API key is being created for")) create_api_key.add_argument("--created-by", required=True, default=os.environ.get("USER"), help=_("The creator of the key")) create_api_key.set_defaults(func=self.__create_api_key) @@ -583,7 +585,7 @@ class CLI(object): """ Creates a new API key """ - key = await backend.auth.create(created_by=args.created_by) + key = await backend.auth.create(args.uid, created_by=args.created_by) # Show the new key print(_("Your new API key has been created: %s") % key)
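Review bot: The rewritten log line in `create()` drops the creator: it used to record `key.created_by` and now records only `key.uid`, so the application log no longer says who issued a key on someone else's behalf. Now that a key can be created for another user, logging both keeps the audit trail complete: `log.info(_("A new API Key has been created for %s by %s") % (key.uid, key.created_by))`. The function starts outside this hunk.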
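Review bot: `can_impersonate: bool = False` is appended at the end of `APIKey`, after the method that logs the deletion and away from the other column declarations, with only the heading `# Permissions`, so a reader scanning the model's fields can miss that keys carry a privilege flag. I would move it up beside `uid` and give it a comment saying what it authorises, e.g. `# Whether requests made with this key may act as a user other than uid` (wording to be confirmed against the code that enforces it, which is not in this commit). Nothing visible here sets or checks the flag, so the commit message should also say where enforcement is expected to live.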