first up

internal/settings/settings.go

@@ -0,0 +1,161 @@
+package settings
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"io"
+	"os"
+
+	"git.rouggy.com/rouggy/stockradar/internal/db"
+)
+
+type Settings struct {
+	db        *db.DB
+	masterKey []byte
+}
+
+func New(database *db.DB) (*Settings, error) {
+	key := os.Getenv("MASTER_KEY")
+	if key == "" {
+		return nil, errors.New("MASTER_KEY not set in environment")
+	}
+	// AES-256 nécessite 32 bytes
+	keyBytes := make([]byte, 32)
+	copy(keyBytes, []byte(key))
+
+	return &Settings{
+		db:        database,
+		masterKey: keyBytes,
+	}, nil
+}
+
+// Set stocke une valeur, chiffrée si encrypted=true
+func (s *Settings) Set(key, value string, encrypted bool) error {
+	stored := value
+	if encrypted {
+		var err error
+		stored, err = s.encrypt(value)
+		if err != nil {
+			return err
+		}
+	}
+
+	enc := 0
+	if encrypted {
+		enc = 1
+	}
+
+	_, err := s.db.Exec(`
+		INSERT INTO settings (key, value, encrypted, updated_at)
+		VALUES (?, ?, ?, CURRENT_TIMESTAMP)
+		ON CONFLICT(key) DO UPDATE SET
+			value      = excluded.value,
+			encrypted  = excluded.encrypted,
+			updated_at = CURRENT_TIMESTAMP
+	`, key, stored, enc)
+	return err
+}
+
+// Get récupère une valeur, la déchiffre si nécessaire
+func (s *Settings) Get(key string) (string, error) {
+	var value string
+	var encrypted int
+
+	err := s.db.QueryRow(
+		`SELECT value, encrypted FROM settings WHERE key = ?`, key,
+	).Scan(&value, &encrypted)
+	if err != nil {
+		return "", err
+	}
+
+	if encrypted == 1 {
+		return s.decrypt(value)
+	}
+	return value, nil
+}
+
+// GetAll retourne tous les settings (valeurs sensibles masquées)
+func (s *Settings) GetAll() (map[string]interface{}, error) {
+	rows, err := s.db.Query(`SELECT key, value, encrypted FROM settings`)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	result := make(map[string]interface{})
+	for rows.Next() {
+		var key, value string
+		var encrypted int
+		if err := rows.Scan(&key, &value, &encrypted); err != nil {
+			return nil, err
+		}
+		if encrypted == 1 {
+			result[key] = "********" // on ne renvoie jamais les clés API en clair
+		} else {
+			result[key] = value
+		}
+	}
+	return result, nil
+}
+
+// HasKey vérifie si une clé API est configurée sans la déchiffrer
+func (s *Settings) HasKey(key string) bool {
+	var count int
+	s.db.QueryRow(
+		`SELECT COUNT(*) FROM settings WHERE key = ? AND value != ''`, key,
+	).Scan(&count)
+	return count > 0
+}
+
+func (s *Settings) encrypt(plaintext string) (string, error) {
+	block, err := aes.NewCipher(s.masterKey)
+	if err != nil {
+		return "", err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return "", err
+	}
+
+	ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
+	return base64.StdEncoding.EncodeToString(ciphertext), nil
+}
+
+func (s *Settings) decrypt(encoded string) (string, error) {
+	ciphertext, err := base64.StdEncoding.DecodeString(encoded)
+	if err != nil {
+		return "", err
+	}
+
+	block, err := aes.NewCipher(s.masterKey)
+	if err != nil {
+		return "", err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	nonceSize := gcm.NonceSize()
+	if len(ciphertext) < nonceSize {
+		return "", errors.New("ciphertext too short")
+	}
+
+	nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
+	plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		return "", err
+	}
+
+	return string(plaintext), nil
+}