retrieve secret working

models/secret.go

@@ -5,20 +5,26 @@ import (
 	"crypto/cipher"
 	"crypto/rand"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"io"
 	"os"
+
+	"github.com/jmoiron/sqlx"
 )
 
+// We use the json:"-" field tag to prevent showing these details to the user
 type Secret struct {
-	SecretId       int    `db:"SecretId"`
-	RoleId         int    `db:"RoleId"`
+	SecretId       int    `db:"SecretId" json:"-"`
+	RoleId         int    `db:"RoleId" json:"-"`
 	DeviceName     string `db:"DeviceName"`
 	DeviceCategory string `db:"DeviceCategory"`
 	UserName       string `db:"UserName"`
 	Secret         string `db:"Secret"`
 }
 
+const nonceSize = 12
+
 func (s *Secret) SaveSecret() (*Secret, error) {
 
 	var err error
@@ -38,6 +44,54 @@ func (s *Secret) SaveSecret() (*Secret, error) {
 	return s, nil
 }
 
+func GetSecrets(s *Secret) ([]Secret, error) {
+	var err error
+	var rows *sqlx.Rows
+	var secretResults []Secret
+
+	fmt.Printf("GetSecret querying values '%v'\n", s)
+
+	// Determine whether to query for a specific device or a category of devices
+	if s.DeviceName != "" {
+		rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND RoleId = ?", s.DeviceName, s.RoleId)
+	} else if s.DeviceCategory != "" {
+		rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND RoleId = ?", s.DeviceCategory, s.RoleId)
+	} else {
+		fmt.Printf("GetSecret no valid search options specified\n")
+		err = errors.New("no valid search options specified")
+		return secretResults, err
+	}
+
+	// TODO - do we want to generate an error if the query returns more than one result?
+
+	if err != nil {
+		fmt.Printf("GetSecret error executing sql record : '%s'\n", err)
+		return secretResults, err
+	} else {
+		// parse all the results into a slice
+		for rows.Next() {
+			var r Secret
+			err = rows.StructScan(&r)
+			if err != nil {
+				fmt.Printf("GetSecret error parsing sql record : '%s'\n", err)
+				return secretResults, err
+			}
+
+			// Decrypt the secret
+			_, err = r.DecryptSecret()
+			if err != nil {
+				fmt.Printf("GetSecret unable to decrypt stored secret '%v', skipping result.\n", r.Secret)
+			} else {
+				secretResults = append(secretResults, r)
+			}
+
+		}
+		fmt.Printf("GetSecret retrieved '%d' results\n", len(secretResults))
+	}
+
+	return secretResults, nil
+}
+
 func (s *Secret) EncryptSecret() (*Secret, error) {
 
 	keyString := os.Getenv("SECRETS_KEY")
@@ -56,7 +110,7 @@ func (s *Secret) EncryptSecret() (*Secret, error) {
 	}
 
 	// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
-	nonce := make([]byte, 12)
+	nonce := make([]byte, nonceSize)
 	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
 		fmt.Printf("EncryptSecret nonce generation error '%s'\n", err)
 		return s, err
@@ -93,12 +147,23 @@ func (s *Secret) DecryptSecret() (*Secret, error) {
 	// to select AES-128 or AES-256.
 	//key := []byte("ECB518652A170880555136EA1F9752D6")
 
-	crypted, _ := hex.DecodeString(s.Secret)
+	if len(s.Secret) < nonceSize {
+		fmt.Printf("DecryptSecret ciphertext is too short to decrypt\n")
+		return s, errors.New("ciphertext is too short")
+	}
+
+	crypted, err := hex.DecodeString(s.Secret)
+	if err != nil {
+		fmt.Printf("DecryptSecret unable to convert hex encoded string due to  error '%s'\n", err)
+		return s, err
+	}
+
+	fmt.Printf("DecryptSecret processing secret '%x'\n", crypted)
 
 	//nonce, _ := hex.DecodeString("64a9433eae7ccceee2fc0eda")
 	// The nonce is the first 12 bytes from the ciphertext
-	nonce := crypted[:12]
-	ciphertext := crypted[12:]
+	nonce := crypted[:nonceSize]
+	ciphertext := crypted[nonceSize:]
 
 	fmt.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext)
 
@@ -121,5 +186,7 @@ func (s *Secret) DecryptSecret() (*Secret, error) {
 	}
 
 	fmt.Printf("DecryptSecret plaintext is '%s'\n", plaintext)
+
+	s.Secret = string(plaintext)
 	return s, nil
 }