Implement CLI setup

cmd/ferretdb/main.go

@@ -43,6 +43,7 @@ import (
 	"github.com/FerretDB/FerretDB/internal/util/debugbuild"
 	"github.com/FerretDB/FerretDB/internal/util/logging"
 	"github.com/FerretDB/FerretDB/internal/util/must"
+	"github.com/FerretDB/FerretDB/internal/util/password"
 	"github.com/FerretDB/FerretDB/internal/util/state"
 	"github.com/FerretDB/FerretDB/internal/util/telemetry"
 )
@@ -58,12 +59,6 @@ var cli struct {
 	StateDir    string `default:"."               help:"Process state directory."`
 	ReplSetName string `default:""                help:"Replica set name."`
 
-	Setup struct {
-		Username string        `default:""    help:"Username for setup."`
-		Password string        `default:""    help:"Password for setup."`
-		Timeout  time.Duration `default:"30s" help:"Timeout for setup."`
-	} `embed:"" prefix:"setup-"`
-
 	Listen struct {
 		Addr        string `default:"127.0.0.1:27017" help:"Listen TCP address."`
 		Unix        string `default:""                help:"Listen Unix domain socket path."`
@@ -85,6 +80,13 @@ var cli struct {
 	// see setCLIPlugins
 	kong.Plugins
 
+	Setup struct {
+		Database string        `default:""    help:"FIXME"` // FIXME
+		Username string        `default:""    help:"Setup user during backend initialization."`
+		Password string        `default:""    help:"Setup user's password."`
+		Timeout  time.Duration `default:"30s" help:"Setup timeout."`
+	} `embed:"" prefix:"setup-"`
+
 	Log struct {
 		Level  string `default:"${default_log_level}" help:"${help_log_level}"`
 		Format string `default:"console"              help:"${help_log_format}"                     enum:"${enum_log_format}"`
@@ -106,9 +108,10 @@ var cli struct {
 			Percentage uint8         `default:"10" help:"Experimental: percentage of documents to cleanup."`
 		} `embed:"" prefix:"capped-cleanup-"`
 
-		EnableNewAuth        bool `default:"false" help:"Experimental: enable new authentication."`
-		BatchSize            int  `default:"100"   help:"Experimental: maximum insertion batch size."`
-		MaxBsonObjectSizeMiB int  `default:"16"    help:"Experimental: maximum BSON object size in MiB."`
+		EnableNewAuth bool `default:"false" help:"Experimental: enable new authentication."`
+
+		BatchSize            int `default:"100" help:"Experimental: maximum insertion batch size."`
+		MaxBsonObjectSizeMiB int `default:"16"  help:"Experimental: maximum BSON object size in MiB."`
 
 		Telemetry struct {
 			URL            string        `default:"https://beacon.ferretdb.com/" help:"Telemetry: reporting URL."`
@@ -292,6 +295,23 @@ func setupLogger(stateProvider *state.Provider, format string) *zap.Logger {
 	return l
 }
 
+// checkFlags checks that CLI flags are not self-contradictory.
+func checkFlags(logger *zap.Logger) {
+	l := logger.Sugar()
+
+	if (cli.Setup.Database == "") != (cli.Setup.Username == "") {
+		l.Fatal("--setup-database should be used together with --setup-username")
+	}
+
+	if cli.Setup.Database != "" && !cli.Test.EnableNewAuth {
+		l.Fatal("--setup-database requires --test-enable-new-auth")
+	}
+
+	if cli.Test.DisablePushdown && cli.Test.EnableNestedPushdown {
+		l.Fatal("--test-disable-pushdown and --test-enable-nested-pushdown should not be set at the same time")
+	}
+}
+
 // runTelemetryReporter runs telemetry reporter until ctx is canceled.
 func runTelemetryReporter(ctx context.Context, opts *telemetry.NewReporterOpts) {
 	r, err := telemetry.NewReporter(opts)
@@ -347,6 +367,8 @@ func run() {
 
 	logger := setupLogger(stateProvider, cli.Log.Format)
 
+	checkFlags(logger)
+
 	if _, err := maxprocs.Set(maxprocs.Logger(logger.Sugar().Debugf)); err != nil {
 		logger.Sugar().Warnf("Failed to set GOMAXPROCS: %s.", err)
 	}
@@ -361,14 +383,6 @@ func run() {
 
 	var wg sync.WaitGroup
 
-	if cli.Setup.Username != "" && !cli.Test.EnableNewAuth {
-		logger.Sugar().Fatal("--setup-username requires --test-enable-new-auth")
-	}
-
-	if cli.Test.DisablePushdown && cli.Test.EnableNestedPushdown {
-		logger.Sugar().Fatal("--test-disable-pushdown and --test-enable-nested-pushdown should not be set at the same time")
-	}
-
 	if cli.DebugAddr != "" && cli.DebugAddr != "-" {
 		wg.Add(1)
 
@@ -408,6 +422,11 @@ func run() {
 		TCPHost:       cli.Listen.Addr,
 		ReplSetName:   cli.ReplSetName,
 
+		SetupDatabase: cli.Setup.Database,
+		SetupUsername: cli.Setup.Username,
+		SetupPassword: password.WrapPassword(cli.Setup.Password),
+		SetupTimeout:  cli.Setup.Timeout,
+
 		PostgreSQLURL: postgreSQLFlags.PostgreSQLURL,
 
 		SQLiteURL: sqliteFlags.SQLiteURL,

internal/backends/user.go

@@ -0,0 +1,118 @@
+// Copyright 2021 FerretDB Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package backends
+
+import (
+	"context"
+	"errors"
+
+	"github.com/google/uuid"
+
+	"github.com/FerretDB/FerretDB/internal/types"
+	"github.com/FerretDB/FerretDB/internal/util/iterator"
+	"github.com/FerretDB/FerretDB/internal/util/lazyerrors"
+	"github.com/FerretDB/FerretDB/internal/util/must"
+	"github.com/FerretDB/FerretDB/internal/util/password"
+)
+
+// CreateUserParams represents the parameters of CreateUser function.
+//
+//nolint:vet // for readability
+type CreateUserParams struct {
+	Database   string
+	Username   string
+	Password   password.Password
+	Mechanisms *types.Array
+}
+
+// CreateUser stores a new user in the given backend.
+func CreateUser(ctx context.Context, b Backend, params *CreateUserParams) error {
+	must.NotBeZero(params)
+
+	credentials, err := MakeCredentials(params.Username, params.Password, params.Mechanisms)
+	if err != nil {
+		return err
+	}
+
+	id := uuid.New()
+	saved := must.NotFail(types.NewDocument(
+		"_id", params.Database+"."+params.Username,
+		"credentials", credentials,
+		"user", params.Username,
+		"db", params.Database,
+		"roles", types.MakeArray(0),
+		"userId", types.Binary{Subtype: types.BinaryUUID, B: must.NotFail(id.MarshalBinary())},
+	))
+
+	db := must.NotFail(b.Database("admin"))
+	coll := must.NotFail(db.Collection("system.users"))
+
+	_, err = coll.InsertAll(ctx, &InsertAllParams{
+		Docs: []*types.Document{saved},
+	})
+
+	return err
+}
+
+// MakeCredentials creates a document with credentials for the chosen mechanisms.
+// The mechanisms array must be validated by the caller.
+func MakeCredentials(username string, userPassword password.Password, mechanisms *types.Array) (*types.Document, error) {
+	credentials := types.MakeDocument(0)
+
+	if mechanisms == nil {
+		mechanisms = must.NotFail(types.NewArray("SCRAM-SHA-1", "SCRAM-SHA-256"))
+	}
+
+	iter := mechanisms.Iterator()
+	defer iter.Close()
+
+	for {
+		var v any
+		_, v, err := iter.Next()
+
+		if errors.Is(err, iterator.ErrIteratorDone) {
+			break
+		}
+
+		if err != nil {
+			return nil, lazyerrors.Error(err)
+		}
+
+		var hash *types.Document
+
+		switch v {
+		case "PLAIN":
+			credentials.Set("PLAIN", must.NotFail(password.PlainHash(userPassword.Password())))
+		case "SCRAM-SHA-1":
+			hash, err = password.SCRAMSHA1Hash(username, userPassword.Password())
+			if err != nil {
+				return nil, err
+			}
+
+			credentials.Set("SCRAM-SHA-1", hash)
+		case "SCRAM-SHA-256":
+			hash, err = password.SCRAMSHA256Hash(userPassword.Password())
+			if err != nil {
+				return nil, err
+			}
+
+			credentials.Set("SCRAM-SHA-256", hash)
+		default:
+			panic("unknown mechanism")
+		}
+	}
+
+	return credentials, nil
+}

internal/clientconn/listener.go

@@ -242,7 +242,6 @@ func acceptLoop(ctx context.Context, listener net.Listener, wg *sync.WaitGroup,
 				retry++
 				ctxutil.SleepWithJitter(ctx, time.Second, retry)
 			}
-			continue
 		}
 
 		wg.Add(1)

internal/handler/authenticate.go

@@ -55,7 +55,7 @@ func (h *Handler) authenticate(ctx context.Context) error {
 	username, userPassword, mechanism := conninfo.Get(ctx).Auth()
 
 	switch mechanism {
-	case "SCRAM-SHA-256", "SCRAM-SHA-1":
+	case "SCRAM-SHA-256", "SCRAM-SHA-1": //nolint:goconst // we don't need a constant for this
 		// SCRAM calls back scramCredentialLookup each time Step is called,
 		// and that checks the authentication.
 		return nil

internal/handler/handler.go

@@ -31,9 +31,11 @@
 	"github.com/FerretDB/FerretDB/internal/clientconn/connmetrics"
 	"github.com/FerretDB/FerretDB/internal/clientconn/cursor"
 	"github.com/FerretDB/FerretDB/internal/types"
+	"github.com/FerretDB/FerretDB/internal/util/ctxutil"
 	"github.com/FerretDB/FerretDB/internal/util/iterator"
 	"github.com/FerretDB/FerretDB/internal/util/lazyerrors"
 	"github.com/FerretDB/FerretDB/internal/util/must"
+	"github.com/FerretDB/FerretDB/internal/util/password"
 	"github.com/FerretDB/FerretDB/internal/util/state"
 )
 
@@ -71,6 +73,11 @@
 	TCPHost     string
 	ReplSetName string
 
+	SetupDatabase string
+	SetupUsername string
+	SetupPassword password.Password
+	SetupTimeout  time.Duration
+
 	L             *zap.Logger
 	ConnMetrics   *connmetrics.ConnMetrics
 	StateProvider *state.Provider
@@ -126,6 +133,11 @@
 		),
 	}
 
+	if err := h.setupFIXME(); err != nil {
+		h.Close()
+		return nil, err
+	}
+
 	h.initCommands()
 
 	h.wg.Add(1)
@@ -139,6 +151,46 @@
 	return h, nil
 }
 
+// FIXME
+func (h *Handler) setupFIXME() error {
+	if h.SetupDatabase == "" {
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.TODO(), h.SetupTimeout)
+	defer cancel()
+
+	info := conninfo.New()
+	info.SetBypassBackendAuth()
+
+	ctx = conninfo.Ctx(ctx, info)
+
+	var retry int64
+	for ctx.Err() == nil {
+		if _, err := h.b.Status(ctx, nil); err == nil {
+			break
+		}
+
+		retry++
+		ctxutil.SleepWithJitter(ctx, time.Second, retry)
+	}
+
+	res, err := h.b.ListDatabases(ctx, &backends.ListDatabasesParams{Name: h.SetupDatabase})
+	if err != nil {
+		return err
+	}
+
+	if len(res.Databases) != 0 {
+		return nil
+	}
+
+	return backends.CreateUser(ctx, h.b, &backends.CreateUserParams{
+		Database: h.SetupDatabase,
+		Username: h.SetupUsername,
+		Password: h.SetupPassword,
+	})
+}
+
 // runCappedCleanup calls capped collections cleanup function according to the given interval.
 func (h *Handler) runCappedCleanup() {
 	if h.CappedCleanupInterval <= 0 {