admin roles should be able to retrieve any secret

This commit is contained in:
2023-04-05 10:42:35 +10:00
parent 1f80d0b9ad
commit 70f8103901
3 changed files with 41 additions and 17 deletions


@@ -16,6 +16,7 @@ type RetrieveInput struct {
func RetrieveSecret(c *gin.Context) { func RetrieveSecret(c *gin.Context) {
var input RetrieveInput var input RetrieveInput
var results []models.Secret
// Validate the input matches our struct // Validate the input matches our struct
if err := c.ShouldBindJSON(&input); err != nil { if err := c.ShouldBindJSON(&input); err != nil {
@@ -37,7 +38,13 @@ func RetrieveSecret(c *gin.Context) {
s.DeviceName = input.DeviceName s.DeviceName = input.DeviceName
s.DeviceCategory = input.DeviceCategory s.DeviceCategory = input.DeviceCategory
results, err := models.GetSecrets(&s) // Don't apply a role filter if user has admin role
if u.Admin {
results, err = models.GetSecrets(&s, false)
} else {
results, err = models.GetSecrets(&s, true)
}
if err != nil { if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return return
@@ -93,7 +100,7 @@ func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
} }
s.RoleId = u.RoleId s.RoleId = u.RoleId
results, err := models.GetSecrets(s) results, err := models.GetSecrets(s, false)
if err != nil { if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return return
@@ -142,7 +149,7 @@ func RetrieveMultpleSecrets(c *gin.Context) {
s.DeviceName = input.DeviceName s.DeviceName = input.DeviceName
s.DeviceCategory = input.DeviceCategory s.DeviceCategory = input.DeviceCategory
results, err := models.GetSecrets(&s) results, err := models.GetSecrets(&s, false)
if err != nil { if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return return
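Review bot: The new admin branch in RetrieveSecret (the `if u.Admin` block in the second hunk) passes the flag the wrong way round for the `adminRole` parameter this commit adds to models.GetSecrets: the admin path calls `GetSecrets(&s, false)`, which keeps the RoleId filter, while every non-admin caller gets `GetSecrets(&s, true)`, which drops it, so non-admin users can read secrets belonging to any role and admins stay restricted. Collapse the branch to one call that forwards the role flag directly, `results, err = models.GetSecrets(&s, u.Admin)`, and keep the comment above it. The retrieveSpecifiedSecret and RetrieveMultpleSecrets hunks in this section still hardcode `false`, so admins do not get the unrestricted lookup there that the commit title describes; whether that is intended is not clear from the page. RetrieveSecret's body starts and ends outside these hunks, so the declaration of the `err` now assigned with `=` could not be confirmed here.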


@@ -51,7 +51,7 @@ func StoreSecret(c *gin.Context) {
} }
// If this secret already exists in the database then generate an error // If this secret already exists in the database then generate an error
checkExists, err := models.GetSecrets(&s) checkExists, err := models.GetSecrets(&s, false)
if err != nil { if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return return
@@ -118,7 +118,7 @@ func UpdateSecret(c *gin.Context) {
} }
// Confirm that the secret already exists // Confirm that the secret already exists
checkExists, err := models.GetSecrets(&s) checkExists, err := models.GetSecrets(&s, false)
if err != nil { if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return return
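Review bot: The bare `false` passed to models.GetSecrets in both the StoreSecret and UpdateSecret hunks says nothing at the call site about what it selects, and a reader has to open the models package to learn that it restricts the lookup to `s.RoleId`. A short comment on each call, e.g. `// role-scoped lookup: only secrets visible to s.RoleId count as existing`, or a pair of named booleans exported from models and passed instead of the literal, would make the intent explicit. Note that with the role filter kept, the StoreSecret existence check only detects duplicates within the caller's role; whether a secret with the same DeviceName/DeviceCategory under a different role is meant to be allowed cannot be determined from this page. Both functions continue outside the hunks.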


@@ -45,25 +45,42 @@ func (s *Secret) SaveSecret() (*Secret, error) {
} }
// Returns all matching secrets, up to caller to determine how to deal with multiple results // Returns all matching secrets, up to caller to determine how to deal with multiple results
func GetSecrets(s *Secret) ([]Secret, error) { func GetSecrets(s *Secret, adminRole bool) ([]Secret, error) {
var err error var err error
var rows *sqlx.Rows var rows *sqlx.Rows
var secretResults []Secret var secretResults []Secret
log.Printf("GetSecret querying values '%v'\n", s) log.Printf("GetSecret querying values '%v'\n", s)
// Determine whether to query for a specific device or a category of devices // Admin roles should be able to access all secrets so don't do any filter based on RoleId
// Prefer querying device name than category if adminRole {
if s.DeviceName != "" && s.DeviceCategory != "" { // Determine whether to query for a specific device or a category of devices
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.RoleId) // Prefer querying device name than category
} else if s.DeviceName != "" { if s.DeviceName != "" && s.DeviceCategory != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND RoleId = ?", s.DeviceName, s.RoleId) rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ?", s.DeviceName, s.DeviceCategory)
} else if s.DeviceCategory != "" { } else if s.DeviceName != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND RoleId = ?", s.DeviceCategory, s.RoleId) rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ?", s.DeviceName)
} else if s.DeviceCategory != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ?", s.DeviceCategory)
} else {
log.Printf("GetSecret no valid search options specified\n")
err = errors.New("no valid search options specified")
return secretResults, err
}
} else { } else {
log.Printf("GetSecret no valid search options specified\n") // Determine whether to query for a specific device or a category of devices
err = errors.New("no valid search options specified") // Prefer querying device name than category
return secretResults, err if s.DeviceName != "" && s.DeviceCategory != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.RoleId)
} else if s.DeviceName != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND RoleId = ?", s.DeviceName, s.RoleId)
} else if s.DeviceCategory != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND RoleId = ?", s.DeviceCategory, s.RoleId)
} else {
log.Printf("GetSecret no valid search options specified\n")
err = errors.New("no valid search options specified")
return secretResults, err
}
} }
if err != nil { if err != nil {