diff --git a/src/de/steamwar/sql/Event.java b/src/de/steamwar/sql/Event.java index a853e13..31c220a 100644 --- a/src/de/steamwar/sql/Event.java +++ b/src/de/steamwar/sql/Event.java @@ -87,6 +87,7 @@ public class Event { private final SchematicType schemType; @Field private final boolean publicSchemsOnly; + @Deprecated @Field private final boolean spectateSystem; diff --git a/src/de/steamwar/sql/EventFight.java b/src/de/steamwar/sql/EventFight.java index eed7f51..4df1ff6 100644 --- a/src/de/steamwar/sql/EventFight.java +++ b/src/de/steamwar/sql/EventFight.java @@ -84,8 +84,12 @@ public class EventFight implements Comparable { private final int teamRed; @Getter @Field + @Deprecated private final int kampfleiter; @Getter + @Field + private final int spectatePort; + @Getter @Field(def = "0") private int ergebnis; @Field(nullable = true) diff --git a/src/de/steamwar/sql/Referee.java b/src/de/steamwar/sql/Referee.java new file mode 100644 index 0000000..281ad30 --- /dev/null +++ b/src/de/steamwar/sql/Referee.java @@ -0,0 +1,44 @@ +/* + * This file is a part of the SteamWar software. + * + * Copyright (C) 2024 SteamWar.de-Serverteam + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package de.steamwar.sql; + +import de.steamwar.sql.internal.Field; +import de.steamwar.sql.internal.SelectStatement; +import de.steamwar.sql.internal.Table; +import lombok.AllArgsConstructor; + +import java.util.Set; +import java.util.stream.Collectors; + +@AllArgsConstructor +public class Referee { + + private static final Table table = new Table<>(Referee.class); + private static final SelectStatement byEvent = table.selectFields("eventID"); + + public static Set get(int eventID) { + return byEvent.listSelect(eventID).stream().map(referee -> referee.userID).collect(Collectors.toSet()); + } + + @Field(keys = {"eventReferee"}) + private final int eventID; + @Field(keys = {"eventReferee"}) + private final int userID; +} diff --git a/src/de/steamwar/sql/SchematicNode.java b/src/de/steamwar/sql/SchematicNode.java index 6aa83e1..b432a70 100644 --- a/src/de/steamwar/sql/SchematicNode.java +++ b/src/de/steamwar/sql/SchematicNode.java @@ -56,7 +56,7 @@ public class SchematicNode { private static final SelectStatement list = new SelectStatement<>(table, "SELECT SchematicNode.NodeId, NodeOwner, ? AS EffectiveOwner, NodeName, NM.ParentId AS ParentNode, LastUpdate, NodeItem, NodeType, NodeRank, ReplaceColor, AllowReplay FROM SchematicNode INNER JOIN NodeMember NM on SchematicNode.NodeId = NM.NodeId WHERE NM.ParentId " + Statement.NULL_SAFE_EQUALS + "? AND NM.UserId = ? UNION ALL SELECT SchematicNode.NodeId, NodeOwner, ? AS EffectiveOwner, NodeName, ParentNode, LastUpdate, NodeItem, NodeType, NodeRank, ReplaceColor, AllowReplay FROM SchematicNode WHERE (? IS NULL AND ParentNode IS NULL AND NodeOwner = ?) OR (? IS NOT NULL AND ParentNode = ?) ORDER BY NodeName"); private static final SelectStatement byParentName = new SelectStatement<>(table, "SELECT SchematicNode.NodeId, NodeOwner, ? AS EffectiveOwner, NodeName, NM.ParentId AS ParentNode, LastUpdate, NodeItem, NodeType, NodeRank, ReplaceColor, AllowReplay FROM SchematicNode INNER JOIN NodeMember NM on SchematicNode.NodeId = NM.NodeId WHERE NM.ParentId " + Statement.NULL_SAFE_EQUALS + "? AND NM.UserId = ? AND SchematicNode.NodeName = ? UNION ALL SELECT SchematicNode.NodeId, NodeOwner, ? AS EffectiveOwner, NodeName, ParentNode, LastUpdate, NodeItem, NodeType, NodeRank, ReplaceColor, AllowReplay FROM SchematicNode WHERE ((? IS NULL AND ParentNode IS NULL AND NodeOwner = ?) OR (? IS NOT NULL AND ParentNode = ?)) AND NodeName = ?"); private static final SelectStatement schematicAccessibleForUser = new SelectStatement<>(table, "SELECT COUNT(DISTINCT NodeId) FROM EffectiveSchematicNode WHERE EffectiveOwner = ? AND NodeId = ?"); - private static final SelectStatement accessibleByUserTypeInParent = new SelectStatement<>(table, "WITH RECURSIVE RSASN AS (WITH RSAN AS (WITH RECURSIVE RSA AS (SELECT SN.NodeId, NM.ParentId FROM SchematicNode SN LEFT JOIN NodeMember NM on SN.NodeId = NM.NodeId WHERE UserId = ? UNION SELECT SN.NodeId, SN.ParentNode FROM SchematicNode SN, RSA WHERE RSA.NodeId = SN.ParentNode) SELECT * FROM RSA UNION SELECT NodeId, ParentNode FROM SchematicNode WHERE NodeOwner = ?) SELECT RSAN.NodeId, RSAN.ParentId FROM RSAN INNER JOIN SchematicNode SN ON SN.NodeId = RSAN.NodeId WHERE NodeType = ? UNION SELECT SN.NodeId, SN.ParentNode FROM SchematicNode SN, RSASN WHERE SN.NodeId = RSASN.ParentId) SELECT SN.*, ? as EffectiveOwner, RSASN.ParentId AS ParentNode FROM RSASN INNER JOIN SchematicNode SN ON SN.NodeId = RSASN.NodeId WHERE RSASN.ParentId" + Statement.NULL_SAFE_EQUALS + "?"); + private static final SelectStatement accessibleByUserTypeInParent = new SelectStatement<>(table, "WITH RECURSIVE RSASN AS(WITH RECURSIVE RSAN AS (WITH RSANH AS (WITH RECURSIVE RSA AS (SELECT SN.NodeId, NM.ParentId FROM SchematicNode SN LEFT JOIN NodeMember NM on SN.NodeId = NM.NodeId WHERE NM.UserId = ? UNION SELECT SN.NodeId, SN.ParentNode FROM SchematicNode SN INNER JOIN RSA ON RSA.NodeId = SN.ParentNode) SELECT * FROM RSA UNION SELECT NodeId, ParentNode FROM SchematicNode WHERE NodeOwner = ?) SELECT * FROM RSANH UNION SELECT SN.NodeId, SN.ParentNode FROM RSANH JOIN SchematicNode SN ON SN.ParentNode = RSANH.NodeId) SELECT RSAN.NodeId, RSAN.ParentId FROM RSAN JOIN SchematicNode SN ON SN.NodeId = RSAN.NodeId WHERE NodeType = ? UNION SELECT SN.NodeId, SN.ParentNode FROM SchematicNode SN JOIN RSASN ON SN.NodeId = RSASN.ParentId) SELECT SN.*, ? as EffectiveOwner, RSASN.ParentId AS ParentNode FROM RSASN JOIN SchematicNode SN ON SN.NodeId = RSASN.NodeId WHERE RSASN.ParentId" + Statement.NULL_SAFE_EQUALS + "? ORDER BY NodeName"); private static final SelectStatement accessibleByUserType = new SelectStatement<>(table, "WITH RECURSIVE Nodes AS (SELECT NodeId, ParentId as ParentNode FROM NodeMember WHERE UserId = ? UNION SELECT NodeId, ParentNode FROM SchematicNode WHERE NodeOwner = ?), RSN AS ( SELECT NodeId, ParentNode FROM Nodes UNION SELECT SN.NodeId, SN.ParentNode FROM SchematicNode SN, RSN WHERE SN.ParentNode = RSN.NodeId ) SELECT SN.*, ? AS EffectiveOwner FROM RSN INNER JOIN SchematicNode SN ON RSN.NodeId = SN.NodeId WHERE NodeType = ?"); private static final SelectStatement byIdAndUser = new SelectStatement<>(table, "SELECT NodeId, NodeOwner, ? AS EffectiveOwner, NodeName, ParentNode, LastUpdate, NodeItem, NodeType, NodeRank, ReplaceColor, AllowReplay FROM SchematicNode WHERE NodeId = ?"); private static final SelectStatement allParentsOfNode = new SelectStatement<>(table, "WITH RECURSIVE R AS (SELECT NodeId, ParentNode FROM EffectiveSchematicNode WHERE NodeId = ? AND EffectiveOwner = ? UNION SELECT E.NodeId, E.ParentNode FROM R, EffectiveSchematicNode E WHERE R.ParentNode = E.NodeId AND E.EffectiveOwner = ?) SELECT SN.NodeId, SN.NodeOwner, ? AS EffectiveOwner, SN.NodeName, R.ParentNode, SN.LastUpdate, SN.NodeItem, SN.NodeType, SN.NodeRank, SN.ReplaceColor, SN.AllowReplay FROM R INNER JOIN SchematicNode SN ON SN.NodeId = R.NodeId"); diff --git a/src/de/steamwar/sql/SteamwarUser.java b/src/de/steamwar/sql/SteamwarUser.java index edbcb26..3166124 100644 --- a/src/de/steamwar/sql/SteamwarUser.java +++ b/src/de/steamwar/sql/SteamwarUser.java @@ -21,17 +21,32 @@ package de.steamwar.sql; import de.steamwar.sql.internal.*; import lombok.Getter; +import lombok.SneakyThrows; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; +import java.security.spec.InvalidKeySpecException; import java.sql.Timestamp; import java.util.*; import java.util.function.BiConsumer; import java.util.function.Consumer; +import java.util.logging.Level; import java.util.stream.Collectors; public class SteamwarUser { + private static final SecureRandom random = new SecureRandom(); + private static final SecretKeyFactory factory; static { - new SqlTypeMapper<>(UUID.class, "CHAR(36)", (rs, identifier) -> UUID.fromString(rs.getString(identifier)), (st, index, value) -> st.setString(index, value.toString())); + try { + factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512"); + } catch (NoSuchAlgorithmException e) { + throw new SecurityException(e); + } + + new SqlTypeMapper<>(UUID.class, "CHAR(36)", (rs, identifier) -> UUID.fromString(rs.getString(identifier)), (st, index, value) -> st.setString(index, value.toString())); new SqlTypeMapper<>(Locale.class, "VARCHAR(32)", (rs, identifier) -> { String l = rs.getString(identifier); return l != null ? Locale.forLanguageTag(l) : null; @@ -49,6 +64,7 @@ public class SteamwarUser { private static final SelectStatement getServerTeam = new SelectStatement<>(table, "SELECT * FROM UserData WHERE UserGroup != 'Member' AND UserGroup != 'YouTuber'"); private static final Statement updateName = table.update(Table.PRIMARY, "UserName"); + private static final Statement updatePassword = table.update(Table.PRIMARY, "Password"); private static final Statement updateLocale = table.update(Table.PRIMARY, "Locale", "ManualLocale"); private static final Statement updateTeam = table.update(Table.PRIMARY, "Team"); private static final Statement updateLeader = table.update(Table.PRIMARY, "Leader"); @@ -110,7 +126,7 @@ public class SteamwarUser { if (user != null) { if (!user.userName.equals(name)) { updateName.update(name, user.id); - nameUpdate.accept(user.userName, name); + nameUpdate.accept(user.userName, name); user.userName = name; } @@ -148,7 +164,9 @@ public class SteamwarUser { @Getter @Field private String userName; - @Getter + @Field(nullable = true) + private String password; + @Getter @Field(def = "0") private int team; @Getter @@ -166,10 +184,11 @@ public class SteamwarUser { private Set permissions = null; private UserPerm.Prefix prefix = null; - public SteamwarUser(int id, UUID uuid, String userName, int team, boolean leader, Locale locale, boolean manualLocale, Long discordId) { + public SteamwarUser(int id, UUID uuid, String userName, String password, int team, boolean leader, Locale locale, boolean manualLocale, Long discordId) { this.id = id; this.uuid = uuid; this.userName = userName; + this.password = password; this.team = team; this.leader = leader; this.locale = locale; @@ -280,6 +299,52 @@ public class SteamwarUser { } } + public void setPassword(String password) { + try { + byte[] salt = new byte[16]; + random.nextBytes(salt); + String saltString = Base64.getEncoder().encodeToString(salt); + + byte[] hash = generateHash(password, salt); + String hashString = Base64.getEncoder().encodeToString(hash); + this.password = hashString + ":" + saltString; + updatePassword.update(this.password, id); + } catch (Exception e) { + throw new SecurityException(e); + } + } + + public boolean verifyPassword(String password) { + try { + if (this.password == null) { + return false; + } + + String[] parts = this.password.split(":"); + if (parts.length != 2) { + SQLConfig.impl.getLogger().log(Level.SEVERE ,"Invalid password hash for user {0} ({1})", new Object[]{userName, id}); + return false; + } + + String hashString = parts[0]; + byte[] realHash = Base64.getDecoder().decode(hashString); + String saltString = parts[1]; + byte[] salt = Base64.getDecoder().decode(saltString); + byte[] hash = generateHash(password, salt); + return Arrays.equals(realHash, hash); + } catch (Exception e) { + SQLConfig.impl.getLogger().log(Level.SEVERE, "Error while verifying password for user " + userName + " (" + id + ")", e); + return false; + } + } + + private byte[] generateHash(String password, byte[] salt) + throws InvalidKeySpecException { + PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 512); + return factory.generateSecret(spec).getEncoded(); + + } + private void initPunishments() { if(punishments != null) return; diff --git a/src/de/steamwar/sql/Token.java b/src/de/steamwar/sql/Token.java index db34967..007a16e 100644 --- a/src/de/steamwar/sql/Token.java +++ b/src/de/steamwar/sql/Token.java @@ -25,9 +25,13 @@ import de.steamwar.sql.internal.Statement; import de.steamwar.sql.internal.Table; import lombok.AllArgsConstructor; import lombok.Getter; +import lombok.SneakyThrows; import lombok.ToString; +import java.security.MessageDigest; +import java.security.SecureRandom; import java.sql.Timestamp; +import java.util.Base64; import java.util.List; @AllArgsConstructor @@ -41,6 +45,29 @@ public class Token { private static final SelectStatement getHash = table.selectFields("hash"); private static final Statement delete = table.delete(Table.PRIMARY); + @SneakyThrows + private static String getHash(String code) { + return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-512").digest(code.getBytes())); + } + + @SneakyThrows + public static String createToken(String name, SteamwarUser owner) { + SecureRandom random = new SecureRandom(); + byte[] bytes = new byte[20]; + random.nextBytes(bytes); + + String code = Base64.getEncoder().encodeToString(bytes); + + String hash = getHash(code); + create(name, owner, hash); + return code; + } + + public static Token getTokenByCode(String code) { + String hash = getHash(code); + return get(hash); + } + public static Token create(String name, SteamwarUser owner, String hash) { int id = insert.insertGetKey(name, owner, hash); return get(id); diff --git a/src/de/steamwar/sql/internal/Statement.java b/src/de/steamwar/sql/internal/Statement.java index c29f711..3d6a49b 100644 --- a/src/de/steamwar/sql/internal/Statement.java +++ b/src/de/steamwar/sql/internal/Statement.java @@ -134,7 +134,11 @@ public class Statement implements AutoCloseable { public T select(ResultSetUser user, Object... objects) { return withConnection(st -> { - ResultSet rs = st.executeQuery(); + boolean res = st.execute(); + if(!res) { + throw new SecurityException("No result set for select statement"); + } + ResultSet rs = st.getResultSet(); T result = user.use(rs); rs.close(); return result;