Merge pull request #13 from geico/server/begin-tuxtape-server

graysonguarino · web-flow · commit 0c40472c24df · 2025-03-27T15:15:24.000-04:00
Begin `tuxtape-server`
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -0,0 +1,7 @@
+[workspace]
+resolver = "3"
+
+members = [
+    "tuxtape-server",
+    "tuxtape-server/tuxtape-database-bridge"
+]
diff --git a/proto/tuxtape/common/v1/vulnerability.proto b/proto/tuxtape/common/v1/vulnerability.proto
@@ -8,11 +8,16 @@ message Vulnerability {
   // Instances of this Vulnerability across different MainlineKernelVersions.
   // Will be empty if no instances exist in the managed fleet.
   repeated VulnerabilityInstance instances = 1;
-
+  // A custom description that can be set for a Vulnerability.
+  // Since a Vulnerability almost always describes a Cve, and since CVEs being
+  // patched are typically evaluated by NIST, this value is most useful when
+  // patching a Vulnerability which has not yet been catalogued as a CVE.
+  // Usually, the description for the CVE will be more useful.
+  optional string description = 2;
   // The CVE that this Vulnerability describes.
   // A Vulnerability will always describe a Cve unless a CVE has not yet been
   // published for this Vulnerability.
-  optional Cve cve = 2;
+  optional Cve cve = 3;
 }
 
 // An instance of a Vulnerability.
diff --git a/tuxtape-server/Cargo.toml b/tuxtape-server/Cargo.toml
@@ -0,0 +1,14 @@
+[package]
+name = "tuxtape-server"
+edition = "2024"
+description = "The central server for a complete TuxTape environment."
+
+[dependencies]
+clap = { version = "4.5", features = ["derive", "env"] }
+tokio = { version = "1.44", features = ["full"] }
+color-eyre = "0.6"
+tuxtape-database-bridge = { path = "tuxtape-database-bridge" }
+
+[[bin]]
+name = "tuxtape-server"
+path = "src/main.rs"
diff --git a/tuxtape-server/diesel.toml b/tuxtape-server/diesel.toml
@@ -0,0 +1,9 @@
+# For documentation on how to configure this file,
+# see https://diesel.rs/guides/configuring-diesel-cli
+
+[print_schema]
+file = "tuxtape-database-bridge/src/schema.rs"
+custom_type_derives = ["diesel::query_builder::QueryId", "Clone"]
+
+[migrations_directory]
+dir = "migrations"
diff --git a/tuxtape-server/migrations/2025-03-18-193149_init/down.sql b/tuxtape-server/migrations/2025-03-18-193149_init/down.sql
@@ -0,0 +1,9 @@
+DROP TABLE vulnerability;
+DROP TABLE vulnerability_instance;
+DROP TABLE vulnerability_instance_affected_file;
+DROP TABLE cve;
+DROP TABLE mainline_kernel_release;
+DROP TABLE kernel_release;
+DROP TABLE kernel_source;
+DROP TABLE kernel_file;
+DROP TABLE meta;
diff --git a/tuxtape-server/migrations/2025-03-18-193149_init/up.sql b/tuxtape-server/migrations/2025-03-18-193149_init/up.sql
@@ -0,0 +1,81 @@
+-- Initializes the TuxTape database
+
+CREATE TABLE vulnerability (
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    description TEXT
+);
+
+CREATE TABLE vulnerability_instance (
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    vulnerability_id INTEGER NOT NULL,
+    description TEXT,
+    mainline_kernel_release_introduced_id INTEGER,
+    mainline_kernel_release_fixed_id INTEGER,
+    fixed_commit TEXT,
+    patch_diff TEXT,
+    FOREIGN KEY(vulnerability_id) REFERENCES vulnerability(id),
+    FOREIGN KEY(mainline_kernel_release_introduced_id) REFERENCES mainline_kernel_release(id),
+    FOREIGN KEY(mainline_kernel_release_fixed_id) REFERENCES mainline_kernel_release(id)
+);
+
+CREATE TABLE vulnerability_instance_affected_file (
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    vulnerability_instance_id INTEGER NOT NULL,
+    file_path TEXT NOT NULL,
+    FOREIGN KEY(vulnerability_instance_id) REFERENCES vulnerability_instance(id)
+);
+
+CREATE TABLE cve (
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    cve_id TEXT NOT NULL,
+    vulnerability_id INTEGER NOT NULL,
+    base_score REAL,
+    attack_vector TEXT,
+    attack_complexity TEXT,
+    privileges_required TEXT,
+    user_interaction TEXT,
+    scope TEXT,
+    confidentiality_impact TEXT,
+    integrity_impact TEXT,
+    availability_impact TEXT,
+    description TEXT,
+    FOREIGN KEY(vulnerability_id) REFERENCES vulnerability(id)
+);
+
+CREATE TABLE mainline_kernel_release (
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    version_major INTEGER NOT NULL,
+    version_minor INTEGER NOT NULL,
+    version_patch INTEGER NOT NULL,
+    version_extra TEXT NOT NULL,
+    UNIQUE (version_major, version_minor, version_patch, version_extra)
+);
+
+CREATE TABLE kernel_release (
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    mainline_kernel_release_id INTEGER NOT NULL,
+    version_local TEXT,
+    FOREIGN KEY(mainline_kernel_release_id) REFERENCES mainline_kernel_release(id),
+    UNIQUE (version_local)
+);
+
+CREATE TABLE kernel_source (
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    kernel_release_id INTEGER NOT NULL,
+    url TEXT NOT NULL,
+    FOREIGN KEY(kernel_release_id) REFERENCES kernel_release(id),
+    UNIQUE (kernel_release_id, url)
+);
+
+CREATE TABLE kernel_file (
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    kernel_release_id INTEGER NOT NULL,
+    file_path TEXT NOT NULL,
+    FOREIGN KEY(kernel_release_id) REFERENCES kernel_release(id)
+);
+
+CREATE TABLE meta (
+    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT CHECK (id = 1),
+    based_on_vulns_commit TEXT NOT NULL,
+    last_run_unix_time INTEGER NOT NULL
+);
diff --git a/tuxtape-server/src/cli.rs b/tuxtape-server/src/cli.rs
@@ -0,0 +1,29 @@
+use clap::Parser;
+use tuxtape_database_bridge::connection::DatabaseBackend;
+
+#[derive(clap::ValueEnum, Clone, Debug)]
+pub enum CliDatabaseBackend {
+    Pg,
+    Sqlite,
+}
+
+impl From<CliDatabaseBackend> for DatabaseBackend {
+    fn from(val: CliDatabaseBackend) -> Self {
+        match val {
+            CliDatabaseBackend::Pg => DatabaseBackend::Pg,
+            CliDatabaseBackend::Sqlite => DatabaseBackend::Sqlite,
+        }
+    }
+}
+
+#[derive(Parser, Debug)]
+#[command(version, about, long_about = None)]
+pub struct Cli {
+    /// The URL to the database. If Postgres, this should be a web URL. If SQLite, this should be a
+    /// path to the database file, either relative or absolute.
+    #[arg(short('d'), long, default_value = concat!(env!("HOME"), "/.cache/tuxtape-server/db.db3"))]
+    pub db_url: String,
+    /// The database backend. If Postgres, this should "pg". If SQLite, this should be "sqlite".
+    #[arg(short('b'), long, default_value = "sqlite")]
+    pub db_backend: CliDatabaseBackend,
+}
diff --git a/tuxtape-server/src/grpc/mod.rs b/tuxtape-server/src/grpc/mod.rs
@@ -0,0 +1 @@
+// TODO
diff --git a/tuxtape-server/src/main.rs b/tuxtape-server/src/main.rs
@@ -0,0 +1,21 @@
+use clap::Parser;
+use cli::Cli;
+use color_eyre::{Result, eyre::eyre};
+
+mod cli;
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    let args = Cli::parse();
+
+    // Attempt to connect to database and exit early and loudly if failed.
+    let mut conn = tuxtape_database_bridge::connection::establish_connection(
+        args.db_backend.into(),
+        &args.db_url,
+    )?;
+
+    // Run any pending database migrations before proceeding.
+    tuxtape_database_bridge::migration::run_pending_migrations(&mut conn).map_err(|e| eyre!(e))?;
+
+    Ok(())
+}
diff --git a/tuxtape-server/tuxtape-database-bridge/Cargo.toml b/tuxtape-server/tuxtape-database-bridge/Cargo.toml
@@ -0,0 +1,13 @@
+[package]
+name = "tuxtape-database-bridge"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+diesel = { version = "2.2", features= ["postgres", "sqlite", "returning_clauses_for_sqlite_3_35" ]}
+libsqlite3-sys = { version = "0.29", features = ["bundled"] }
+diesel_migrations = "2.2"
+
+[build-dependencies]
+dsync = "0.1"
+diesel = { version = "2.2", features= ["postgres", "sqlite" ]}
diff --git a/tuxtape-server/tuxtape-database-bridge/README.md b/tuxtape-server/tuxtape-database-bridge/README.md
@@ -0,0 +1,8 @@
+# tuxtape-database-bridge
+
+This library serves as the "bridge" to the SQL database backend used for
+`tuxtape-server`. Most of the code here is boilerplate ORM code either generated
+by `diesel`'s CLI tool (`src/schema.rs`) or `dsync` at build time.
+
+Any handlers should not be defined inside this library. This should only serve
+as an interface to the database, not an implementation of usage of the database.
diff --git a/tuxtape-server/tuxtape-database-bridge/build.rs b/tuxtape-server/tuxtape-database-bridge/build.rs
@@ -0,0 +1,22 @@
+use dsync::{GenerationConfig, GenerationConfigOpts, TableOptions};
+use std::path::PathBuf;
+include!("src/connection.rs");
+
+/// Generates model code into src/models
+pub fn main() -> Result<(), Box<dyn std::error::Error>> {
+    let dir = env!("CARGO_MANIFEST_DIR");
+
+    dsync::generate_files(
+        &PathBuf::from_iter([dir, "src/schema.rs"]),
+        &PathBuf::from_iter([dir, "src/models"]),
+        GenerationConfig {
+            connection_type: "crate::connection::AnyConnection".to_string(),
+            options: GenerationConfigOpts {
+                default_table_options: TableOptions::default().disable_serde(),
+                ..Default::default()
+            },
+        },
+    )?;
+
+    Ok(())
+}
diff --git a/tuxtape-server/tuxtape-database-bridge/src/connection.rs b/tuxtape-server/tuxtape-database-bridge/src/connection.rs
@@ -0,0 +1,33 @@
+use diesel::prelude::*;
+use diesel::{Connection, MultiConnection, PgConnection, SqliteConnection};
+
+/// The allowed database backends
+#[derive(Clone, Debug)]
+pub enum DatabaseBackend {
+    Pg,
+    Sqlite,
+}
+
+/// A wrapper to support multiple database backends.
+#[derive(MultiConnection)]
+pub enum AnyConnection {
+    Pg(diesel::PgConnection),
+    Sqlite(diesel::SqliteConnection),
+}
+
+/// Establish a connection to a database backend.
+pub fn establish_connection(
+    backend: DatabaseBackend,
+    database_url: &str,
+) -> ConnectionResult<AnyConnection> {
+    match backend {
+        DatabaseBackend::Sqlite => {
+            let sqlite_connection = SqliteConnection::establish(database_url)?;
+            Ok(AnyConnection::Sqlite(sqlite_connection))
+        }
+        DatabaseBackend::Pg => {
+            let pg_connection = PgConnection::establish(database_url)?;
+            Ok(AnyConnection::Pg(pg_connection))
+        }
+    }
+}
diff --git a/tuxtape-server/tuxtape-database-bridge/src/lib.rs b/tuxtape-server/tuxtape-database-bridge/src/lib.rs
@@ -0,0 +1,6 @@
+pub mod connection;
+pub mod migration;
+pub mod models;
+mod schema;
+
+pub use diesel;
diff --git a/tuxtape-server/tuxtape-database-bridge/src/migration.rs b/tuxtape-server/tuxtape-database-bridge/src/migration.rs
@@ -0,0 +1,15 @@
+use crate::connection::AnyConnection;
+use diesel::migration::MigrationVersion;
+use diesel_migrations::{EmbeddedMigrations, MigrationHarness, embed_migrations};
+
+// Embed all migrations into the binary
+const MIGRATIONS: EmbeddedMigrations = embed_migrations!("../migrations");
+
+pub type MigrationError =
+    std::boxed::Box<(dyn std::error::Error + std::marker::Send + std::marker::Sync + 'static)>;
+
+pub fn run_pending_migrations(
+    conn: &mut AnyConnection,
+) -> Result<Vec<MigrationVersion<'_>>, MigrationError> {
+    conn.run_pending_migrations(MIGRATIONS)
+}
diff --git a/tuxtape-server/tuxtape-database-bridge/src/models/.gitignore b/tuxtape-server/tuxtape-database-bridge/src/models/.gitignore
@@ -0,0 +1,8 @@
+# .gitignore suggestion thanks to https://stackoverflow.com/a/932982
+# Cannot do this in global .gitignore as `cargo build` sometimes fails on
+# rebuild if `src/models` doesn't exist.
+
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/tuxtape-server/tuxtape-database-bridge/src/schema.rs b/tuxtape-server/tuxtape-database-bridge/src/schema.rs
