implement global key assignment restrictions and add cleanup utility for account_keys (possible bun bug)

Author: ToeiRei

internal/core/db/assign_global_key_test.go

@@ -0,0 +1,106 @@
+// Copyright (c) 2026 Keymaster Team
+// Keymaster - SSH key management system
+// This source code is licensed under the MIT license found in the LICENSE file.
+
+package db
+
+import (
+	"context"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestAssignKeyToAccount_GlobalKey_ReturnsError(t *testing.T) {
+	bStore, err := New("sqlite", ":memory:")
+	if err != nil {
+		t.Fatalf("New failed: %v", err)
+	}
+	bdb := bStore.BunDB()
+	ctx := context.Background()
+
+	// Create account
+	_, err = ExecRaw(ctx, bdb, "INSERT INTO accounts(username, hostname, label) VALUES(?, ?, ?)", "user1", "host1.example.com", "Test1")
+	if err != nil {
+		t.Fatalf("insert account failed: %v", err)
+	}
+	acc, _ := GetAccountByIDBun(bdb, 1)
+	if acc == nil {
+		t.Fatal("account not found after insert")
+	}
+
+	// Create a GLOBAL key
+	err = AddPublicKeyBun(bdb, "ssh-ed25519", "AAAAC3test", "global-key", true, time.Time{})
+	if err != nil {
+		t.Fatalf("AddPublicKeyBun failed: %v", err)
+	}
+	pk, _ := GetPublicKeyByCommentBun(bdb, "global-key")
+	if pk == nil {
+		t.Fatal("key not found after insert")
+	}
+
+	// Try to assign the global key to an account - should fail
+	err = AssignKeyToAccountBun(bdb, pk.ID, acc.ID)
+	if err == nil {
+		t.Fatal("expected error when assigning global key, got nil")
+	}
+	if !strings.Contains(err.Error(), "cannot assign global key") {
+		t.Fatalf("expected error about global key, got: %v", err)
+	}
+
+	// Verify the key was NOT added to account_keys
+	keys, err := GetKeysForAccountBun(bdb, acc.ID)
+	if err != nil {
+		t.Fatalf("GetKeysForAccountBun failed: %v", err)
+	}
+	if len(keys) != 0 {
+		t.Fatalf("expected 0 keys in account_keys for account %d, got %d", acc.ID, len(keys))
+	}
+}
+
+func TestAssignKeyToAccount_NonGlobalKey_Succeeds(t *testing.T) {
+	bStore, err := New("sqlite", ":memory:")
+	if err != nil {
+		t.Fatalf("New failed: %v", err)
+	}
+	bdb := bStore.BunDB()
+	ctx := context.Background()
+
+	// Create account
+	_, err = ExecRaw(ctx, bdb, "INSERT INTO accounts(username, hostname, label) VALUES(?, ?, ?)", "user2", "host2.example.com", "Test2")
+	if err != nil {
+		t.Fatalf("insert account failed: %v", err)
+	}
+	acc, _ := GetAccountByIDBun(bdb, 1)
+	if acc == nil {
+		t.Fatal("account not found after insert")
+	}
+
+	// Create a NON-GLOBAL key
+	err = AddPublicKeyBun(bdb, "ssh-ed25519", "AAAAC3test2", "regular-key", false, time.Time{})
+	if err != nil {
+		t.Fatalf("AddPublicKeyBun failed: %v", err)
+	}
+	pk, _ := GetPublicKeyByCommentBun(bdb, "regular-key")
+	if pk == nil {
+		t.Fatal("key not found after insert")
+	}
+
+	// Assign the non-global key to an account - should succeed
+	err = AssignKeyToAccountBun(bdb, pk.ID, acc.ID)
+	if err != nil {
+		t.Fatalf("expected no error when assigning non-global key, got: %v", err)
+	}
+
+	// Verify the key WAS added to account_keys
+	keys, err := GetKeysForAccountBun(bdb, acc.ID)
+	if err != nil {
+		t.Fatalf("GetKeysForAccountBun failed: %v", err)
+	}
+	if len(keys) != 1 {
+		t.Fatalf("expected 1 key in account_keys for account %d, got %d", acc.ID, len(keys))
+	}
+	if keys[0].ID != pk.ID {
+		t.Fatalf("expected key ID %d, got %d", pk.ID, keys[0].ID)
+	}
+}

internal/core/db/bun_adapter.go

@@ -291,8 +291,24 @@ func DeleteAccountBun(bdb *bun.DB, id int) error {
 }
 
 // AssignKeyToAccountBun creates an association in account_keys.
+// Global keys should not be assigned to individual accounts since they're
+// automatically deployed everywhere. This function returns an error if attempting
+// to assign a global key.
 func AssignKeyToAccountBun(bdb *bun.DB, keyID, accountID int) error {
 	ctx := context.Background()
+
+	// Check if the key is global - global keys should not be in account_keys
+	pk, err := GetPublicKeyByIDBun(bdb, keyID)
+	if err != nil {
+		return err
+	}
+	if pk == nil {
+		return fmt.Errorf("key with ID %d not found", keyID)
+	}
+	if pk.IsGlobal {
+		return fmt.Errorf("cannot assign global key '%s' to individual accounts (it's already deployed everywhere)", pk.Comment)
+	}
+
 	// Use raw insert since account_keys likely has no PK model in codebase.
 	if _, err := ExecRaw(ctx, bdb, "INSERT INTO account_keys(key_id, account_id) VALUES(?, ?)", keyID, accountID); err != nil {
 		return MapDBError(err)
@@ -321,19 +337,25 @@ func UnassignKeyFromAccountBun(bdb *bun.DB, keyID, accountID int) error {
 func GetKeysForAccountBun(bdb *bun.DB, accountID int) ([]model.PublicKey, error) {
 	ctx := context.Background()
 	var pks []PublicKeyModel
-	err := bdb.NewSelect().Model(&pks).
-		TableExpr("public_keys AS pk").
-		Join("JOIN account_keys ak ON pk.id = ak.key_id").
-		Where("ak.account_id = ?", accountID).
-		OrderExpr("pk.comment").
-		Scan(ctx)
+	// Use raw query since BUN's Model + Join was not properly applying the WHERE clause
+	query := `SELECT pk.* FROM public_keys pk
+	          INNER JOIN account_keys ak ON pk.id = ak.key_id
+	          WHERE ak.account_id = ?
+	          ORDER BY pk.comment`
+	err := bdb.NewRaw(query, accountID).Scan(ctx, &pks)
 	if err != nil {
 		return nil, err
 	}
 	out := make([]model.PublicKey, 0, len(pks))
 	for _, p := range pks {
 		out = append(out, publicKeyModelToModel(p))
 	}
+	if dbDebugEnabled {
+		dbLogf("GetKeysForAccountBun(accountID=%d): returning %d keys", accountID, len(out))
+		for _, k := range out {
+			dbLogf("  - Key ID=%d, Comment=%s, IsGlobal=%v", k.ID, k.Comment, k.IsGlobal)
+		}
+	}
 	return out, nil
 }
 
@@ -732,6 +754,12 @@ func GetGlobalPublicKeysBun(bdb *bun.DB) ([]model.PublicKey, error) {
 	for _, p := range pks {
 		out = append(out, publicKeyModelToModel(p))
 	}
+	if dbDebugEnabled {
+		dbLogf("GetGlobalPublicKeysBun(): returning %d global keys", len(out))
+		for _, k := range out {
+			dbLogf("  - Key ID=%d, Comment=%s", k.ID, k.Comment)
+		}
+	}
 	return out, nil
 }
 

internal/core/db/bun_adapter_extra_test.go

@@ -5,6 +5,7 @@
 package db
 
 import (
+	"strings"
 	"testing"
 	"time"
 )
@@ -243,16 +244,13 @@ func TestPublicKeys_List_Toggle_Search_Delete_Assignments(t *testing.T) {
 			t.Fatalf("expected at least 2 global keys, got %d", len(globals))
 		}
 
-		// Assign pk1 to account and verify accounts for key
-		if err := AssignKeyToAccountBun(bdb, pk1.ID, accID); err != nil {
-			t.Fatalf("AssignKeyToAccountBun failed: %v", err)
+		// Try to assign pk1 (now global) to account - should fail
+		err = AssignKeyToAccountBun(bdb, pk1.ID, accID)
+		if err == nil {
+			t.Fatal("AssignKeyToAccountBun should fail when trying to assign global key")
 		}
-		accs, err := GetAccountsForKeyBun(bdb, pk1.ID)
-		if err != nil {
-			t.Fatalf("GetAccountsForKeyBun failed: %v", err)
-		}
-		if len(accs) == 0 {
-			t.Fatalf("expected account assignment to be visible for key")
+		if !strings.Contains(err.Error(), "cannot assign global key") {
+			t.Fatalf("expected error about global key assignment, got: %v", err)
 		}
 
 		// Delete public key pk2

internal/core/db/log.go

@@ -19,6 +19,6 @@ func SetDebug(enabled bool) {
 
 func dbLogf(format string, v ...any) {
 	if dbDebugEnabled {
-		log.Debug(fmt.Sprintf(format, v...))
+		log.Info(fmt.Sprintf("[DB] "+format, v...))
 	}
 }

tools/cleanup_global_keys/main.go

@@ -0,0 +1,83 @@
+// Copyright (c) 2026 Keymaster Team
+// Keymaster - SSH key management system
+// This source code is licensed under the MIT license found in the LICENSE file.
+
+// This is a one-time cleanup utility to remove global keys from the account_keys table.
+// Global keys should only exist in public_keys with is_global=1, not in account_keys.
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/toeirei/keymaster/internal/core/db"
+)
+
+func main() {
+	// Initialize the database
+	store, err := db.New("sqlite", "keymaster.db")
+	if err != nil {
+		log.Fatalf("Failed to open database: %v", err)
+	}
+	bdb := store.BunDB()
+	ctx := context.Background()
+
+	// Find all global keys that are incorrectly in account_keys
+	query := `
+		SELECT DISTINCT pk.id, pk.comment, COUNT(ak.account_id) as assignment_count
+		FROM public_keys pk
+		INNER JOIN account_keys ak ON pk.id = ak.key_id
+		WHERE pk.is_global = 1
+		GROUP BY pk.id, pk.comment
+	`
+
+	type result struct {
+		ID              int
+		Comment         string
+		AssignmentCount int
+	}
+
+	var results []result
+	err = bdb.NewRaw(query).Scan(ctx, &results)
+	if err != nil {
+		log.Fatalf("Failed to query global keys in account_keys: %v", err)
+	}
+
+	if len(results) == 0 {
+		fmt.Println("✓ No global keys found in account_keys table. Database is clean!")
+		return
+	}
+
+	fmt.Printf("Found %d global key(s) incorrectly assigned in account_keys:\n", len(results))
+	for _, r := range results {
+		fmt.Printf("  - Key ID %d (%s): %d assignment(s)\n", r.ID, r.Comment, r.AssignmentCount)
+	}
+
+	// Delete all global keys from account_keys
+	deleteQuery := `
+		DELETE FROM account_keys
+		WHERE key_id IN (
+			SELECT id FROM public_keys WHERE is_global = 1
+		)
+	`
+
+	deleteResult, err := db.ExecRaw(ctx, bdb, deleteQuery)
+	if err != nil {
+		log.Fatalf("Failed to delete global keys from account_keys: %v", err)
+	}
+
+	rowsAffected, _ := deleteResult.RowsAffected()
+	fmt.Printf("\n✓ Removed %d incorrect assignment(s) from account_keys table.\n", rowsAffected)
+
+	// Mark all accounts as dirty since key assignments changed
+	_, err = db.ExecRaw(ctx, bdb, "UPDATE accounts SET is_dirty = 1")
+	if err != nil {
+		log.Fatalf("Failed to mark accounts dirty: %v", err)
+	}
+
+	fmt.Println("✓ Marked all accounts as dirty for redeployment.")
+	fmt.Println("\nCleanup complete! Global keys will now only be deployed via the is_global flag,")
+	fmt.Println("not through account_keys assignments.")
+}