forked from kabdelrazek-do/SecurityAndAuthentication
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdatabase.sql
More file actions
270 lines (236 loc) · 9.15 KB
/
database.sql
File metadata and controls
270 lines (236 loc) · 9.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
-- SafeVault Database Schema
-- This script creates the database structure for the SafeVault application
-- Create database
CREATE DATABASE IF NOT EXISTS SafeVault;
USE SafeVault;
-- Create Users table with secure design
CREATE TABLE Users (
UserID INT PRIMARY KEY AUTO_INCREMENT,
Username VARCHAR(100) NOT NULL UNIQUE,
Email VARCHAR(100) NOT NULL UNIQUE,
PasswordHash VARCHAR(255) NOT NULL,
Salt VARCHAR(255) NOT NULL,
CreatedAt TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UpdatedAt TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
IsActive BOOLEAN DEFAULT TRUE,
LastLogin TIMESTAMP NULL,
FailedLoginAttempts INT DEFAULT 0,
AccountLockedUntil TIMESTAMP NULL
);
-- Create audit log table for security monitoring
CREATE TABLE AuditLog (
LogID INT PRIMARY KEY AUTO_INCREMENT,
UserID INT,
Action VARCHAR(100) NOT NULL,
Details TEXT,
IPAddress VARCHAR(45),
UserAgent TEXT,
Timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (UserID) REFERENCES Users(UserID) ON DELETE SET NULL
);
-- Create session table for secure session management
CREATE TABLE UserSessions (
SessionID VARCHAR(255) PRIMARY KEY,
UserID INT NOT NULL,
CreatedAt TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
ExpiresAt TIMESTAMP NOT NULL,
IPAddress VARCHAR(45),
UserAgent TEXT,
IsActive BOOLEAN DEFAULT TRUE,
FOREIGN KEY (UserID) REFERENCES Users(UserID) ON DELETE CASCADE
);
-- Create roles table
CREATE TABLE Roles (
RoleID INT PRIMARY KEY AUTO_INCREMENT,
RoleName VARCHAR(50) NOT NULL UNIQUE,
Description TEXT,
IsActive BOOLEAN DEFAULT TRUE,
CreatedAt TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
-- Create permissions table
CREATE TABLE Permissions (
PermissionID INT PRIMARY KEY AUTO_INCREMENT,
Action VARCHAR(100) NOT NULL,
Resource VARCHAR(100),
Description TEXT,
CreatedAt TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE KEY unique_action_resource (Action, Resource)
);
-- Create role permissions junction table
CREATE TABLE RolePermissions (
RoleID INT NOT NULL,
PermissionID INT NOT NULL,
CreatedAt TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (RoleID, PermissionID),
FOREIGN KEY (RoleID) REFERENCES Roles(RoleID) ON DELETE CASCADE,
FOREIGN KEY (PermissionID) REFERENCES Permissions(PermissionID) ON DELETE CASCADE
);
-- Create user roles junction table
CREATE TABLE UserRoles (
UserID INT NOT NULL,
RoleID INT NOT NULL,
AssignedAt TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
AssignedBy INT,
PRIMARY KEY (UserID, RoleID),
FOREIGN KEY (UserID) REFERENCES Users(UserID) ON DELETE CASCADE,
FOREIGN KEY (RoleID) REFERENCES Roles(RoleID) ON DELETE CASCADE,
FOREIGN KEY (AssignedBy) REFERENCES Users(UserID) ON DELETE SET NULL
);
-- Create indexes for performance and security
CREATE INDEX idx_users_username ON Users(Username);
CREATE INDEX idx_users_email ON Users(Email);
CREATE INDEX idx_audit_user_timestamp ON AuditLog(UserID, Timestamp);
CREATE INDEX idx_sessions_user_expires ON UserSessions(UserID, ExpiresAt);
-- Insert sample data for testing (with secure password hashing)
-- Note: In production, passwords should be hashed using bcrypt or similar
INSERT INTO Users (Username, Email, PasswordHash, Salt) VALUES
('admin', 'admin@safevault.com', '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj4J/8KzKz2K', 'randomsalt1'),
('testuser', 'test@safevault.com', '$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewdBPj4J/8KzKz2K', 'randomsalt2');
-- Insert default roles
INSERT INTO Roles (RoleName, Description) VALUES
('Admin', 'System administrator with full access'),
('User', 'Regular user with basic access'),
('Manager', 'Manager with elevated permissions'),
('Auditor', 'Auditor with read-only access');
-- Insert default permissions
INSERT INTO Permissions (Action, Resource, Description) VALUES
('CreateUser', 'Users', 'Create new users'),
('ReadUser', 'Users', 'View user information'),
('UpdateUser', 'Users', 'Update user information'),
('DeleteUser', 'Users', 'Delete users'),
('AssignRole', 'Roles', 'Assign roles to users'),
('RemoveRole', 'Roles', 'Remove roles from users'),
('ReadAuditLog', 'AuditLog', 'View audit logs'),
('ManageRoles', 'Roles', 'Manage roles and permissions'),
('AccessAdminPanel', 'AdminPanel', 'Access administrative panel'),
('ViewReports', 'Reports', 'View system reports'),
('ManageSettings', 'Settings', 'Manage system settings');
-- Assign permissions to roles
-- Admin role gets all permissions
INSERT INTO RolePermissions (RoleID, PermissionID)
SELECT r.RoleID, p.PermissionID
FROM Roles r, Permissions p
WHERE r.RoleName = 'Admin';
-- User role gets basic permissions
INSERT INTO RolePermissions (RoleID, PermissionID)
SELECT r.RoleID, p.PermissionID
FROM Roles r, Permissions p
WHERE r.RoleName = 'User'
AND p.Action IN ('ReadUser', 'ViewReports');
-- Manager role gets elevated permissions
INSERT INTO RolePermissions (RoleID, PermissionID)
SELECT r.RoleID, p.PermissionID
FROM Roles r, Permissions p
WHERE r.RoleName = 'Manager'
AND p.Action IN ('CreateUser', 'ReadUser', 'UpdateUser', 'AssignRole', 'ReadAuditLog', 'ViewReports');
-- Auditor role gets read-only permissions
INSERT INTO RolePermissions (RoleID, PermissionID)
SELECT r.RoleID, p.PermissionID
FROM Roles r, Permissions p
WHERE r.RoleName = 'Auditor'
AND p.Action IN ('ReadUser', 'ReadAuditLog', 'ViewReports');
-- Assign roles to sample users
INSERT INTO UserRoles (UserID, RoleID)
SELECT u.UserID, r.RoleID
FROM Users u, Roles r
WHERE u.Username = 'admin' AND r.RoleName = 'Admin';
INSERT INTO UserRoles (UserID, RoleID)
SELECT u.UserID, r.RoleID
FROM Users u, Roles r
WHERE u.Username = 'testuser' AND r.RoleName = 'User';
-- Create stored procedures for secure operations
DELIMITER //
-- Secure user creation procedure
CREATE PROCEDURE CreateUser(
IN p_username VARCHAR(100),
IN p_email VARCHAR(100),
IN p_password_hash VARCHAR(255),
IN p_salt VARCHAR(255),
IN p_ip_address VARCHAR(45),
IN p_user_agent TEXT
)
BEGIN
DECLARE EXIT HANDLER FOR SQLEXCEPTION
BEGIN
ROLLBACK;
RESIGNAL;
END;
START TRANSACTION;
-- Insert user
INSERT INTO Users (Username, Email, PasswordHash, Salt)
VALUES (p_username, p_email, p_password_hash, p_salt);
-- Log the action
INSERT INTO AuditLog (UserID, Action, Details, IPAddress, UserAgent)
VALUES (LAST_INSERT_ID(), 'USER_CREATED', CONCAT('User created: ', p_username), p_ip_address, p_user_agent);
COMMIT;
END //
-- Secure user authentication procedure
CREATE PROCEDURE AuthenticateUser(
IN p_username VARCHAR(100),
IN p_password_hash VARCHAR(255),
IN p_ip_address VARCHAR(45),
IN p_user_agent TEXT,
OUT p_user_id INT,
OUT p_success BOOLEAN
)
BEGIN
DECLARE user_exists INT DEFAULT 0;
DECLARE account_locked BOOLEAN DEFAULT FALSE;
DECLARE failed_attempts INT DEFAULT 0;
DECLARE EXIT HANDLER FOR SQLEXCEPTION
BEGIN
ROLLBACK;
RESIGNAL;
END;
START TRANSACTION;
-- Check if user exists and get account status
SELECT UserID,
CASE WHEN AccountLockedUntil > NOW() THEN TRUE ELSE FALSE END,
FailedLoginAttempts
INTO p_user_id, account_locked, failed_attempts
FROM Users
WHERE Username = p_username AND IsActive = TRUE;
IF p_user_id IS NULL THEN
SET p_success = FALSE;
-- Log failed attempt
INSERT INTO AuditLog (Action, Details, IPAddress, UserAgent)
VALUES ('LOGIN_FAILED', CONCAT('Invalid username: ', p_username), p_ip_address, p_user_agent);
ELSEIF account_locked THEN
SET p_success = FALSE;
-- Log locked account attempt
INSERT INTO AuditLog (UserID, Action, Details, IPAddress, UserAgent)
VALUES (p_user_id, 'LOGIN_BLOCKED', 'Account is locked', p_ip_address, p_user_agent);
ELSE
-- Verify password
SELECT COUNT(*) INTO user_exists
FROM Users
WHERE UserID = p_user_id AND PasswordHash = p_password_hash;
IF user_exists > 0 THEN
SET p_success = TRUE;
-- Reset failed attempts and update last login
UPDATE Users
SET FailedLoginAttempts = 0,
LastLogin = NOW(),
AccountLockedUntil = NULL
WHERE UserID = p_user_id;
-- Log successful login
INSERT INTO AuditLog (UserID, Action, Details, IPAddress, UserAgent)
VALUES (p_user_id, 'LOGIN_SUCCESS', 'User logged in successfully', p_ip_address, p_user_agent);
ELSE
SET p_success = FALSE;
-- Increment failed attempts
UPDATE Users
SET FailedLoginAttempts = FailedLoginAttempts + 1,
AccountLockedUntil = CASE
WHEN FailedLoginAttempts >= 4 THEN DATE_ADD(NOW(), INTERVAL 30 MINUTE)
ELSE AccountLockedUntil
END
WHERE UserID = p_user_id;
-- Log failed attempt
INSERT INTO AuditLog (UserID, Action, Details, IPAddress, UserAgent)
VALUES (p_user_id, 'LOGIN_FAILED', 'Invalid password', p_ip_address, p_user_agent);
END IF;
END IF;
COMMIT;
END //
DELIMITER ;