-- This file is part of Moonfire NVR, a security camera network video recorder.
-- Copyright (C) 2020 The Moonfire NVR Authors; see AUTHORS and LICENSE.txt.
-- SPDX-License-Identifier: GPL-v3.0-or-later WITH GPL-3.0-linking-exception.';

-- schema.sql: SQLite3 database schema for Moonfire NVR.
-- See also design/schema.md.

-- Database metadata. There should be exactly one row in this table.
create table meta (
  uuid blob not null check (length(uuid) = 16),

  -- Holds a json.GlobalConfig.
  config text
);

-- This table tracks the schema version.
-- There is one row for the initial database creation (inserted below, after the
-- create statements) and one for each upgrade procedure (if any).
create table version (
  id integer primary key,

  -- The unix time as of the creation/upgrade, as determined by
  -- cast(strftime('%s', 'now') as int).
  unix_time integer not null,

  -- Optional notes on the creation/upgrade; could include the binary version.
  notes text
);

-- Tracks every time the database has been opened in read/write mode.
-- This is used to ensure directories are in sync with the database (see
-- schema.proto:DirMeta), to disambiguate uncommitted recordings, and
-- potentially to understand time problems.
create table open (
  id integer primary key,
  uuid blob unique not null check (length(uuid) = 16),

  -- Information about when / how long the database was open. These may be all
  -- null, for example in the open that represents all information written
  -- prior to database version 3.

  -- System time when the database was opened, in 90 kHz units since
  -- 1970-01-01 00:00:00Z excluding leap seconds.
  start_time_90k integer,

  -- System time when the database was closed or (on crash) last flushed.
  end_time_90k integer,

  -- How long the database was open. This is end_time_90k - start_time_90k if
  -- there were no time steps or leap seconds during this time.
  duration_90k integer,

  boot_uuid check (length(boot_uuid) = 16)
);

create table sample_file_dir (
  id integer primary key,
  uuid blob unique not null check (length(uuid) = 16),

  -- See json.SampleFileDirConfig.
  config text,

  -- The last (read/write) open of this directory which fully completed.
  -- See schema.proto:DirMeta for a more complete description.
  last_complete_open_id integer references open (id)
);

create table camera (
  id integer primary key,
  uuid blob unique not null check (length(uuid) = 16),

  -- A short name of the camera, used in log messages.
  short_name text not null,

  -- A serialized json.CameraConfig
  config text not null
);

create table stream (
  id integer primary key,
  camera_id integer not null references camera (id),
  sample_file_dir_id integer references sample_file_dir (id),
  type text not null check (type in ('main', 'sub', 'ext')),

  -- A serialized json.StreamConfig
  config text not null,

  -- The total number of recordings ever created on this stream, including
  -- deleted ones. This is used for assigning the next recording id.
  cum_recordings integer not null check (cum_recordings >= 0),

  -- The total media duration of all recordings ever created on this stream.
  cum_media_duration_90k integer not null check (cum_media_duration_90k >= 0),

  -- The total number of runs (recordings with run_offset = 0) ever created
  -- on this stream.
  cum_runs integer not null check (cum_runs >= 0),

  unique (camera_id, type)
);

-- Each row represents a single completed recorded segment of video.
-- Recordings are typically ~60 seconds; never more than 5 minutes.
create table recording (
  -- The high 32 bits of composite_id are taken from the stream's id, which
  -- improves locality. The low 32 bits are taken from the stream's
  -- cum_recordings (which should be post-incremented in the same
  -- transaction). It'd be simpler to use a "without rowid" table and separate
  -- fields to make up the primary key, but
  -- <https://www.sqlite.org/withoutrowid.html> points out that "without
  -- rowid" is not appropriate when the average row size is in excess of 50
  -- bytes. recording_cover rows (which match this id format) are typically
  -- 1--5 KiB.
  composite_id integer primary key,

  -- The open in which this was committed to the database. For a given
  -- composite_id, only one recording will ever be committed to the database,
  -- but in-memory state may reflect a recording which never gets committed.
  -- This field allows disambiguation in etags and such.
  open_id integer not null references open (id),

  -- This field is redundant with composite_id above, but used to enforce the
  -- reference constraint and to structure the recording_start_time index.
  stream_id integer not null references stream (id),

  -- The offset of this recording within a run. 0 means this was the first
  -- recording made from a RTSP session. The start of the run has composite_id
  -- (composite_id-run_offset).
  run_offset integer not null,

  -- flags is a bitmask:
  --
  -- * 1, or "trailing zero", indicates that this recording is the last in a
  --   stream. As the duration of a sample is not known until the next sample
  --   is received, the final sample in this recording will have duration 0.
  flags integer not null,

  sample_file_bytes integer not null check (sample_file_bytes > 0),

  -- The starting time of the recording, in 90 kHz units since
  -- 1970-01-01 00:00:00 UTC excluding leap seconds. Currently on initial
  -- connection, this is taken from the local system time; on subsequent
  -- recordings in a run, it exactly matches the previous recording's end
  -- time.
  start_time_90k integer not null check (start_time_90k > 0),

  -- The total duration of all previous recordings on this stream. This is
  -- returned in API requests and may be helpful for timestamps in a HTML
  -- MediaSourceExtensions SourceBuffer.
  prev_media_duration_90k integer not null
      check (prev_media_duration_90k >= 0),

  -- The total number of previous runs (rows in which run_offset = 0).
  prev_runs integer not null check (prev_runs >= 0),

  -- The wall-time duration of the recording, in 90 kHz units. This is the
  -- "corrected" duration.
  wall_duration_90k integer not null
      check (wall_duration_90k >= 0 and wall_duration_90k < 5*60*90000),

  -- The media-time duration of the recording, relative to wall_duration_90k.
  -- That is, media_duration_90k = wall_duration_90k + media_duration_delta_90k.
  media_duration_delta_90k integer not null,

  video_samples integer not null check (video_samples > 0),
  video_sync_samples integer not null check (video_sync_samples > 0),
  video_sample_entry_id integer references video_sample_entry (id),

  -- The reason this run ended. Absent if there are more recordings in this
  -- run or if this recording predates schema version 7.
  end_reason text

  check (composite_id >> 32 = stream_id)
);

create index recording_cover on recording (
  -- Typical queries use "where stream_id = ? order by start_time_90k".
  stream_id,
  start_time_90k,

  -- These fields are not used for ordering; they cover most queries so
  -- that only database verification and actual viewing of recordings need
  -- to consult the underlying row.
  open_id,
  wall_duration_90k,
  media_duration_delta_90k,
  video_samples,
  video_sync_samples,
  video_sample_entry_id,
  sample_file_bytes,
  run_offset,
  flags
);

-- Fields which are only needed to check/correct database integrity problems
-- (such as incorrect timestamps).
create table recording_integrity (
  -- See description on recording table.
  composite_id integer primary key references recording (composite_id),

  -- The number of 90 kHz units the local system's monotonic clock has
  -- advanced more than the stated duration of recordings in a run since the
  -- first recording ended. Negative numbers indicate the local system time is
  -- behind the recording.
  --
  -- The first recording of a run (that is, one with run_offset=0) has null
  -- local_time_delta_90k because errors are assumed to
  -- be the result of initial buffering rather than frequency mismatch.
  --
  -- This value should be near 0 even on long runs in which the camera's clock
  -- and local system's clock frequency differ because each recording's delta
  -- is used to correct the durations of the next (up to 500 ppm error).
  local_time_delta_90k integer,

  -- The number of 90 kHz units the local system's monotonic clock had
  -- advanced since the database was opened, as of the start of recording.
  -- TODO: fill this in!
  local_time_since_open_90k integer,

  -- The difference between start_time_90k+duration_90k and a wall clock
  -- timestamp captured at end of this recording. This is meaningful for all
  -- recordings in a run, even the initial one (run_offset=0), because
  -- start_time_90k is derived from the wall time as of when recording
  -- starts, not when it ends.
  -- TODO: fill this in!
  wall_time_delta_90k integer,

  -- The (possibly truncated) raw blake3 hash of the contents of the sample
  -- file.
  sample_file_blake3 blob check (length(sample_file_blake3) <= 32)
);

-- Large fields for a recording which are needed ony for playback.
-- In particular, when serving a byte range within a .mp4 file, the
-- recording_playback row is needed for the recording(s) corresponding to that
-- particular byte range, needed, but the recording rows suffice for all other
-- recordings in the .mp4.
create table recording_playback (
  -- See description on recording table.
  composite_id integer primary key references recording (composite_id),

  -- See design/schema.md#video_index for a description of this field.
  video_index blob not null check (length(video_index) > 0)

  -- audio_index could be added here in the future.
);

-- Files which are to be deleted (may or may not still exist).
-- Note that besides these files, for each stream, any recordings >= its
-- cum_recordings should be discarded on startup.
create table garbage (
  -- This is _mostly_ redundant with composite_id, which contains the stream
  -- id and thus a linkage to the sample file directory. Listing it here
  -- explicitly means that streams can be deleted without losing the
  -- association of garbage to directory.
  sample_file_dir_id integer not null references sample_file_dir (id),

  -- See description on recording table.
  composite_id integer not null,

  -- Organize the table first by directory, as that's how it will be queried.
  primary key (sample_file_dir_id, composite_id)
) without rowid;

-- A concrete box derived from a ISO/IEC 14496-12 section 8.5.2
-- VisualSampleEntry box. Describes the codec, width, height, etc.
create table video_sample_entry (
  id integer primary key,

  -- The width and height in pixels; must match values within
  -- `sample_entry_bytes`.
  width integer not null check (width > 0),
  height integer not null check (height > 0),

  -- The codec in RFC-6381 format, such as "avc1.4d001f".
  rfc6381_codec text not null,

  -- The serialized box, including the leading length and box type (avcC in
  -- the case of H.264).
  data blob not null check (length(data) > 86),

  -- Pixel aspect ratio, if known. As defined in ISO/IEC 14496-12 section
  -- 12.1.4.
  pasp_h_spacing integer not null default 1 check (pasp_h_spacing > 0),
  pasp_v_spacing integer not null default 1 check (pasp_v_spacing > 0)
);

create table user (
  id integer primary key,
  username unique not null,

  -- A json.UserConfig.
  config text,

  -- If set, a hash for password authentication, which currently must be
  -- in PHC format using the scrypt algorithm. This is separate from config for
  -- two reasons:
  -- *   It should never be sent over the wire, because password hashes are
  --     almost as sensitive as passwords themselves. Keeping it separate avoids
  --     complicating the protocol for retrieving the config and updating it
  --     with optimistic concurrency control.
  -- *   It may be updated while authenticating to upgrade the password hash
  --     format, and the conflicting writes again might complicate the update
  --     protocol.
  password_hash text,

  -- A counter which increments with every password reset or clear.
  password_id integer not null default 0,

  -- Updated lazily on database flush; reset when password_id is incremented.
  -- This could be used to automatically disable the password on hitting a threshold.
  password_failure_count integer not null default 0,

  -- Permissions available for newly created tokens or when authenticating via
  -- unix_uid above. A serialized "Permissions" protobuf.
  permissions blob not null default X''
);

-- A single session, whether for browser or robot use.
-- These map at the HTTP layer to an "s" cookie (exact format described
-- elsewhere), which holds the session id and an encrypted sequence number for
-- replay protection.
create table user_session (
  -- The session id is a 48-byte blob. This is the unsalted Blake3 (32 bytes)
  -- of the unencoded session id. Much like `password_hash`, a hash is used here
  -- so that a leaked database backup can't be trivially used to steal
  -- credentials.
  session_id_hash blob primary key not null,

  user_id integer references user (id) not null,

  -- A 32-byte random number. Used to derive keys for the replay protection
  -- and CSRF tokens.
  seed blob not null,

  -- A bitwise mask of flags, currently all properties of the HTTP cookie
  -- used to hold the session:
  -- 1: HttpOnly
  -- 2: Secure
  -- 4: SameSite=Lax
  -- 8: SameSite=Strict - 4 must also be set.
  flags integer not null,

  -- The domain of the HTTP cookie used to store this session. The outbound
  -- `Set-Cookie` header never specifies a scope, so this matches the `Host:` of
  -- the inbound HTTP request (minus the :port, if any was specified).
  domain text,

  -- An editable description which might describe the device/program which uses
  -- this session, such as "Chromebook", "iPhone", or "motion detection worker".
  description text,

  creation_password_id integer,        -- the id it was created from, if created via password
  creation_time_sec integer not null,  -- sec since epoch
  creation_user_agent text,            -- User-Agent header from inbound HTTP request.
  creation_peer_addr blob,             -- IPv4 or IPv6 address, or null for Unix socket.

  revocation_time_sec integer,         -- sec since epoch
  revocation_user_agent text,          -- User-Agent header from inbound HTTP request.
  revocation_peer_addr blob,           -- IPv4 or IPv6 address, or null for Unix socket/no peer.

  -- A value indicating the reason for revocation, with optional additional
  -- text detail. Enumeration values:
  -- 0: logout link clicked (i.e. from within the session itself)
  -- 1: obsoleted by a change in hashing algorithm (eg schema 5->6 upgrade)
  --
  -- This might be extended for a variety of other reasons:
  -- x: user revoked (while authenticated in another way)
  -- x: password change invalidated all sessions created with that password
  -- x: expired (due to fixed total time or time inactive)
  -- x: evicted (due to too many sessions)
  -- x: suspicious activity
  revocation_reason integer,
  revocation_reason_detail text,

  -- Information about requests which used this session, updated lazily on database flush.
  last_use_time_sec integer,           -- sec since epoch
  last_use_user_agent text,            -- User-Agent header from inbound HTTP request.
  last_use_peer_addr blob,             -- IPv4 or IPv6 address, or null for Unix socket.
  use_count not null default 0,

  -- Permissions associated with this token; a serialized "Permissions" protobuf.
  permissions blob not null default X''
) without rowid;

create index user_session_uid on user_session (user_id);

-- Timeseries with an enum value, eg:
-- *   camera motion detection results (unknown, still, moving)
-- *   security system arm status (unknown, disarmed, away, stay)
-- *   security system zone status (unknown, normal, violated, trouble)
create table signal (
  id integer primary key,
  uuid blob unique not null check (length(uuid) = 16),
  type_uuid blob not null references signal_type (uuid)
      check (length(type_uuid) = 16),

  -- Holds a json.SignalConfig
  config text
);

create table signal_type (
  uuid blob primary key check (length(uuid) = 16),

  -- Holds a json.SignalTypeConfig
  config text
) without rowid;

-- Changes to signals as of a given timestamp.
create table signal_change (
  -- Event time, in 90 kHz units since 1970-01-01 00:00:00Z excluding leap seconds.
  time_90k integer primary key,

  -- Changes at this timestamp.
  --
  -- A blob of varints representing a list of
  -- (signal number - next allowed, state) pairs, where signal number is
  -- non-decreasing. For example,
  -- input signals: 1         3         200 (must be sorted)
  -- delta:         1         1         196 (must be non-negative)
  -- states:             1         1              2
  -- varint:        \x01 \x01 \x01 \x01 \xc4 \x01 \x02
  changes blob not null
);

insert into version (id, unix_time,                           notes)
             values (7,  cast(strftime('%s', 'now') as int), 'db creation');