gohorsejobs/backend/internal/services/credentials_service.go

package services

import (
	"context"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"database/sql"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"os"
	"sync"
)

type CredentialsService struct {
	DB *sql.DB
	// Cache for decrypted keys
	cache      map[string]string
	cacheMutex sync.RWMutex
}

func NewCredentialsService(db *sql.DB) *CredentialsService {
	return &CredentialsService{
		DB:    db,
		cache: make(map[string]string),
	}
}

// SaveCredentials saves the encrypted payload for a service
func (s *CredentialsService) SaveCredentials(ctx context.Context, serviceName, encryptedPayload, updatedBy string) error {
	query := `
		INSERT INTO external_services_credentials (service_name, encrypted_payload, updated_by, updated_at)
		VALUES ($1, $2, $3, NOW())
		ON CONFLICT (service_name)
		DO UPDATE SET 
			encrypted_payload = EXCLUDED.encrypted_payload,
			updated_by = EXCLUDED.updated_by,
			updated_at = NOW()
	`
	_, err := s.DB.ExecContext(ctx, query, serviceName, encryptedPayload, updatedBy)
	if err != nil {
		return err
	}

	// Invalidate cache
	s.cacheMutex.Lock()
	delete(s.cache, serviceName)
	s.cacheMutex.Unlock()

	return nil
}

// GetDecryptedKey retrieves and decrypts the key for a service
func (s *CredentialsService) GetDecryptedKey(ctx context.Context, serviceName string) (string, error) {
	// Check cache first
	// Cache DISABLED to support external updates from Backoffice
	/*
		s.cacheMutex.RLock()
		if val, ok := s.cache[serviceName]; ok {
			s.cacheMutex.RUnlock()
			return val, nil
		}
		s.cacheMutex.RUnlock()
	*/

	// Fetch from DB
	var encryptedPayload string
	query := `SELECT encrypted_payload FROM external_services_credentials WHERE service_name = $1`
	err := s.DB.QueryRowContext(ctx, query, serviceName).Scan(&encryptedPayload)
	if err == sql.ErrNoRows {
		return "", fmt.Errorf("credentials for service %s not found", serviceName)
	}
	if err != nil {
		return "", err
	}

	// Decrypt
	decrypted, err := s.decryptPayload(encryptedPayload)
	if err != nil {
		return "", fmt.Errorf("failed to decrypt credentials: %w", err)
	}

	// Update cache
	s.cacheMutex.Lock()
	s.cache[serviceName] = decrypted
	s.cacheMutex.Unlock()

	return decrypted, nil
}

func (s *CredentialsService) decryptPayload(encryptedPayload string) (string, error) {
	// 1. Decode Private Key from Env
	rawPrivateKey, err := base64.StdEncoding.DecodeString(os.Getenv("RSA_PRIVATE_KEY_BASE64"))
	if err != nil {
		return "", fmt.Errorf("failed to decode env RSA private key: %w", err)
	}

	block, _ := pem.Decode(rawPrivateKey)
	if block == nil {
		return "", fmt.Errorf("failed to parse PEM block containing the private key")
	}

	privKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		// Try generic PKCS8 if PKCS1 fails
		if key, err2 := x509.ParsePKCS8PrivateKey(block.Bytes); err2 == nil {
			if rsaKey, ok := key.(*rsa.PrivateKey); ok {
				privKey = rsaKey
			} else {
				return "", fmt.Errorf("key is not RSA")
			}
		} else {
			return "", err
		}
	}

	// 2. Decode ciphertext
	ciphertext, err := base64.StdEncoding.DecodeString(encryptedPayload)
	if err != nil {
		return "", err
	}

	// 3. Decrypt using RSA-OAEP
	plaintext, err := rsa.DecryptOAEP(
		sha256.New(),
		rand.Reader,
		privKey,
		ciphertext,
		nil,
	)
	if err != nil {
		return "", err
	}

	return string(plaintext), nil
}

// ConfiguredService represents a service with saved credentials (without revealing the actual value)
type ConfiguredService struct {
	ServiceName  string `json:"service_name"`
	UpdatedAt    string `json:"updated_at"`
	UpdatedBy    string `json:"updated_by,omitempty"`
	IsConfigured bool   `json:"is_configured"`
}

// ListConfiguredServices returns all configured services without revealing credential values
func (s *CredentialsService) ListConfiguredServices(ctx context.Context) ([]ConfiguredService, error) {
	// Define all supported services
	allServices := []string{
		"appwrite",
		"stripe",
		"firebase",
		"cloudflare",
		"smtp",
		"s3",
		"lavinmq",
	}

	query := `
		SELECT service_name, updated_at, COALESCE(updated_by::text, '') as updated_by
		FROM external_services_credentials
	`
	rows, err := s.DB.QueryContext(ctx, query)
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	// Map of configured services
	configured := make(map[string]ConfiguredService)
	for rows.Next() {
		var cs ConfiguredService
		if err := rows.Scan(&cs.ServiceName, &cs.UpdatedAt, &cs.UpdatedBy); err != nil {
			return nil, err
		}
		cs.IsConfigured = true
		configured[cs.ServiceName] = cs
	}

	// Build result with all services
	result := make([]ConfiguredService, 0, len(allServices))
	for _, name := range allServices {
		if cs, ok := configured[name]; ok {
			result = append(result, cs)
		} else {
			result = append(result, ConfiguredService{
				ServiceName:  name,
				IsConfigured: false,
			})
		}
	}

	return result, nil
}

// DeleteCredentials removes credentials for a service
func (s *CredentialsService) DeleteCredentials(ctx context.Context, serviceName string) error {
	query := `DELETE FROM external_services_credentials WHERE service_name = $1`
	_, err := s.DB.ExecContext(ctx, query, serviceName)
	if err != nil {
		return err
	}

	// Clear cache
	s.cacheMutex.Lock()
	delete(s.cache, serviceName)
	s.cacheMutex.Unlock()

	return nil
}

// EncryptPayload encrypts a payload using the derived public key
func (s *CredentialsService) EncryptPayload(payload string) (string, error) {
	// 1. Decode Private Key from Env (to derive Public Key)
	// In a real scenario, you might store Public Key separately, but we can derive it.
	rawPrivateKey, err := base64.StdEncoding.DecodeString(os.Getenv("RSA_PRIVATE_KEY_BASE64"))
	if err != nil {
		return "", fmt.Errorf("failed to decode env RSA private key: %w", err)
	}

	block, _ := pem.Decode(rawPrivateKey)
	if block == nil {
		return "", fmt.Errorf("failed to parse PEM block containing the private key")
	}

	privKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		// Try generic PKCS8 if PKCS1 fails
		if key, err2 := x509.ParsePKCS8PrivateKey(block.Bytes); err2 == nil {
			if rsaKey, ok := key.(*rsa.PrivateKey); ok {
				privKey = rsaKey
			} else {
				return "", fmt.Errorf("key is not RSA")
			}
		} else {
			return "", err
		}
	}

	pubKey := &privKey.PublicKey

	// 2. Encrypt using RSA-OAEP
	ciphertext, err := rsa.EncryptOAEP(
		sha256.New(),
		rand.Reader,
		pubKey,
		[]byte(payload),
		nil,
	)
	if err != nil {
		return "", fmt.Errorf("encryption failed: %w", err)
	}

	return base64.StdEncoding.EncodeToString(ciphertext), nil
}

// BootstrapCredentials checks if credentials are in DB, if not, migrates from Env
func (s *CredentialsService) BootstrapCredentials(ctx context.Context) error {
	// List of services and their env mapping
	services := map[string]func() interface{}{
		"stripe": func() interface{} {
			return map[string]string{
				"secretKey":      os.Getenv("STRIPE_SECRET_KEY"),
				"webhookSecret":  os.Getenv("STRIPE_WEBHOOK_SECRET"),
				"publishableKey": os.Getenv("STRIPE_PUBLISHABLE_KEY"),
			}
		},
		"storage": func() interface{} {
			return map[string]string{
				"endpoint":  os.Getenv("AWS_ENDPOINT"),
				"accessKey": os.Getenv("AWS_ACCESS_KEY_ID"),
				"secretKey": os.Getenv("AWS_SECRET_ACCESS_KEY"),
				"bucket":    os.Getenv("S3_BUCKET"),
				"region":    os.Getenv("AWS_REGION"),
			}
		},
		"cloudflare_config": func() interface{} {
			return map[string]string{
				"apiToken": os.Getenv("CLOUDFLARE_API_TOKEN"),
				"zoneId":   os.Getenv("CLOUDFLARE_ZONE_ID"),
			}
		},
		"cpanel": func() interface{} {
			return map[string]string{
				"host":     os.Getenv("CPANEL_HOST"),
				"username": os.Getenv("CPANEL_USERNAME"),
				"apiToken": os.Getenv("CPANEL_API_TOKEN"),
			}
		},
	}

	for service, getEnvData := range services {
		// Check if already configured
		configured, err := s.isServiceConfigured(ctx, service)
		if err != nil {
			fmt.Printf("[CredentialsBootstrap] Error checking %s: %v\n", service, err)
			continue
		}

		if !configured {
			data := getEnvData()
			// Validate if env vars exist (naive check: at least one field not empty)
			hasData := false
			jsonBytes, _ := json.Marshal(data)
			var stringMap map[string]string
			json.Unmarshal(jsonBytes, &stringMap)
			for _, v := range stringMap {
				if v != "" {
					hasData = true
					break
				}
			}

			if hasData {
				fmt.Printf("[CredentialsBootstrap] Migrating %s from Env to DB...\n", service)
				encrypted, err := s.EncryptPayload(string(jsonBytes))
				if err != nil {
					fmt.Printf("[CredentialsBootstrap] Failed to encrypt %s: %v\n", service, err)
					continue
				}
				if err := s.SaveCredentials(ctx, service, encrypted, "system_bootstrap"); err != nil {
					fmt.Printf("[CredentialsBootstrap] Failed to save %s: %v\n", service, err)
				} else {
					fmt.Printf("[CredentialsBootstrap] Successfully migrated %s\n", service)
				}
			}
		}
	}
	return nil
}

func (s *CredentialsService) isServiceConfigured(ctx context.Context, serviceName string) (bool, error) {
	var exists bool
	query := `SELECT EXISTS(SELECT 1 FROM external_services_credentials WHERE service_name = $1)`
	err := s.DB.QueryRowContext(ctx, query, serviceName).Scan(&exists)
	return exists, err
}