From 70f81039012b3e334e9c51b3a36b6ffe8d6ec9e2 Mon Sep 17 00:00:00 2001
From: Nathan Coad
Date: Wed, 5 Apr 2023 10:42:35 +1000
Subject: [PATCH] admin roles should be able to retrieve any secret
---
 controllers/retrieve_secrets.go | 13 ++++++++---
 controllers/store_secrets.go | 4 ++--
 models/secret.go | 41 +++++++++++++++++++++++----------
 3 files changed, 41 insertions(+), 17 deletions(-)
diff --git a/controllers/retrieve_secrets.go b/controllers/retrieve_secrets.go
index 1fad1ba..642c221 100644
--- a/controllers/retrieve_secrets.go
+++ b/controllers/retrieve_secrets.go
@@ -16,6 +16,7 @@ type RetrieveInput struct {
 func RetrieveSecret(c *gin.Context) {
 var input RetrieveInput
+ var results []models.Secret
 // Validate the input matches our struct
 if err := c.ShouldBindJSON(&input); err != nil {
@@ -37,7 +38,13 @@ func RetrieveSecret(c *gin.Context) {
 s.DeviceName = input.DeviceName
 s.DeviceCategory = input.DeviceCategory
- results, err := models.GetSecrets(&s)
+ // Don't apply a role filter if user has admin role
+ if u.Admin {
+ results, err = models.GetSecrets(&s, false)
+ } else {
+ results, err = models.GetSecrets(&s, true)
+ }
+
 if err != nil {
 c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 return
@@ -93,7 +100,7 @@ func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
 }
 s.RoleId = u.RoleId
- results, err := models.GetSecrets(s)
+ results, err := models.GetSecrets(s, false)
 if err != nil {
 c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 return
@@ -142,7 +149,7 @@ func RetrieveMultpleSecrets(c *gin.Context) {
 s.DeviceName = input.DeviceName
 s.DeviceCategory = input.DeviceCategory
- results, err := models.GetSecrets(&s)
+ results, err := models.GetSecrets(&s, false)
 if err != nil {
 c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 return
diff --git a/controllers/store_secrets.go b/controllers/store_secrets.go
index 552b5a4..b2d9eb7 100644
--- a/controllers/store_secrets.go
+++ b/controllers/store_secrets.go
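Review bot: The admin flag is passed inverted in the `if u.Admin` block: the `models.GetSecrets(s *Secret, adminRole bool)` introduced by this same patch drops the RoleId filter when its second argument is true, yet the admin branch passes `false` and the non-admin branch passes `true`, so admins stay role-scoped while every non-admin caller can retrieve secrets belonging to any role. Collapse the branch to a single call, `results, err = models.GetSecrets(&s, u.Admin)`, which fixes the inversion and removes the duplicated statement. A test that requests another role's device as a non-admin and expects no results would have caught this. RetrieveSecret's body continues outside the hunk.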
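Review bot: retrieveSpecifiedSecret hard-codes `false`, so on this path the RoleId filter is still applied to admin callers even though the commit title says admins should be able to retrieve any secret; `u` is in scope here (`s.RoleId = u.RoleId`), so if the bypass is meant to cover this path too, `results, err := models.GetSecrets(s, u.Admin)` would make it consistent with RetrieveSecret. If keeping admins role-scoped here is deliberate, record that next to the call, e.g. `// Admins are intentionally still limited to their own role on this path`, so the asymmetry is not read as an oversight. The function starts and ends outside the hunk.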
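Review bot: A bare `false` at the RetrieveMultpleSecrets call site says nothing about what is being switched off; a reader has to open models/secret.go to learn that `false` means "keep the RoleId restriction". Either state the intent inline, `// false: restrict results to the caller's role`, or pass the caller's admin flag as RetrieveSecret does elsewhere in this patch if multi-secret retrieval should honour it too — the lines shown do not reveal whether a user value is in scope here. The function starts and ends outside the hunk.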
@@ -51,7 +51,7 @@ func StoreSecret(c *gin.Context) {
 }
 // If this secret already exists in the database then generate an error
- checkExists, err := models.GetSecrets(&s)
+ checkExists, err := models.GetSecrets(&s, false)
 if err != nil {
 c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 return
@@ -118,7 +118,7 @@ func UpdateSecret(c *gin.Context) {
 }
 // Confirm that the secret already exists
- checkExists, err := models.GetSecrets(&s)
+ checkExists, err := models.GetSecrets(&s, false)
 if err != nil {
 c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 return
diff --git a/models/secret.go b/models/secret.go
index 97e3d70..a36ad32 100644
--- a/models/secret.go
+++ b/models/secret.go
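Review bot: The duplicate check in StoreSecret now explicitly keeps the RoleId filter (`false`), which means a secret with the same DeviceName/DeviceCategory stored under a different RoleId is not treated as a duplicate; nothing in the hunk states whether that per-role uniqueness is the intended rule or an accident of the old query. Record the decision next to the call, e.g. `// Role-scoped lookup: the same device may hold one secret per role`, or pass `true` if uniqueness is meant to be global across roles. StoreSecret's body starts and ends outside the hunk.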
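Review bot: In UpdateSecret the `false` looks right and should be protected from a later "consistency" change: if the update that follows relies on this lookup to confirm the caller's role owns the row (the hunk only shows the existence check), passing `true` or an admin flag here would let an update reach another role's secret. Say so inline, `// Keep the RoleId filter: this lookup doubles as the ownership check for the update`, so the next reader does not align it with RetrieveSecret. UpdateSecret's body starts and ends outside the hunk.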
@@ -45,25 +45,42 @@ func (s *Secret) SaveSecret() (*Secret, error) { } // Returns all matching secrets, up to caller to determine how to deal with multiple results -func GetSecrets(s *Secret) ([]Secret, error) { +func GetSecrets(s *Secret, adminRole bool) ([]Secret, error) { var err error var rows *sqlx.Rows var secretResults []Secret log.Printf("GetSecret querying values '%v'\n", s) - // Determine whether to query for a specific device or a category of devices - // Prefer querying device name than category - if s.DeviceName != "" && s.DeviceCategory != "" { - rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.RoleId) - } else if s.DeviceName != "" { - rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND RoleId = ?", s.DeviceName, s.RoleId) - } else if s.DeviceCategory != "" { - rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND RoleId = ?", s.DeviceCategory, s.RoleId) + // Admin roles should be able to access all secrets so don't do any filter based on RoleId + if adminRole { + // Determine whether to query for a specific device or a category of devices + // Prefer querying device name than category + if s.DeviceName != "" && s.DeviceCategory != "" { + rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? 
AND DeviceCategory LIKE ?", s.DeviceName, s.DeviceCategory) + } else if s.DeviceName != "" { + rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ?", s.DeviceName) + } else if s.DeviceCategory != "" { + rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ?", s.DeviceCategory) + } else { + log.Printf("GetSecret no valid search options specified\n") + err = errors.New("no valid search options specified") + return secretResults, err + } } else { - log.Printf("GetSecret no valid search options specified\n") - err = errors.New("no valid search options specified") - return secretResults, err + // Determine whether to query for a specific device or a category of devices + // Prefer querying device name than category + if s.DeviceName != "" && s.DeviceCategory != "" { + rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.RoleId) + } else if s.DeviceName != "" { + rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND RoleId = ?", s.DeviceName, s.RoleId) + } else if s.DeviceCategory != "" { + rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND RoleId = ?", s.DeviceCategory, s.RoleId) + } else { + log.Printf("GetSecret no valid search options specified\n") + err = errors.New("no valid search options specified") + return secretResults, err + } } if err != nil {
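Review bot: The `if adminRole` branch duplicates the three device queries verbatim and the only difference is the trailing ` AND RoleId = ?`, so the role restriction now lives in two places that can silently diverge, and a positional bool with this meaning is easy to pass inverted — which is exactly what the RetrieveSecret caller in this same patch does (`false` for admins, `true` otherwise). Building the device predicate once from constant fragments and appending the role clause when `!adminRole` keeps a single query path with the user-supplied values still bound as parameters, as sketched below. Note also that once the RoleId clause is gone the `LIKE ?` patterns are the only remaining restriction, so an admin-path caller supplying `%` as DeviceName matches every row in the table; if exact matching is intended, `=` would be safer, otherwise that behaviour deserves a comment on the function. The function's error handling and row scanning continue outside the hunk.
```go
func GetSecrets(s *Secret, adminRole bool) ([]Secret, error) {
	// … unchanged: variable declarations and query log …
	// Build the device predicate once; only the bound parameters come from the caller.
	var where string
	var args []interface{}
	switch {
	case s.DeviceName != "" && s.DeviceCategory != "":
		where, args = "DeviceName LIKE ? AND DeviceCategory LIKE ?", []interface{}{s.DeviceName, s.DeviceCategory}
	case s.DeviceName != "":
		where, args = "DeviceName LIKE ?", []interface{}{s.DeviceName}
	case s.DeviceCategory != "":
		where, args = "DeviceCategory LIKE ?", []interface{}{s.DeviceCategory}
	default:
		log.Printf("GetSecret no valid search options specified\n")
		return secretResults, errors.New("no valid search options specified")
	}
	// Admins see every role's secrets; everyone else is restricted to their own RoleId.
	if !adminRole {
		where += " AND RoleId = ?"
		args = append(args, s.RoleId)
	}
	rows, err = db.Queryx("SELECT * FROM secrets WHERE "+where, args...)
	// … unchanged: error check and row scanning …
```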