admin roles should be able to retrieve any secret

controllers/retrieve_secrets.go

@@ -16,6 +16,7 @@ type RetrieveInput struct {
 
 func RetrieveSecret(c *gin.Context) {
 	var input RetrieveInput
+	var results []models.Secret
 
 	// Validate the input matches our struct
 	if err := c.ShouldBindJSON(&input); err != nil {
@@ -37,7 +38,13 @@ func RetrieveSecret(c *gin.Context) {
 	s.DeviceName = input.DeviceName
 	s.DeviceCategory = input.DeviceCategory
 
-	results, err := models.GetSecrets(&s)
+	// Don't apply a role filter if user has admin role
+	if u.Admin {
+		results, err = models.GetSecrets(&s, false)
+	} else {
+		results, err = models.GetSecrets(&s, true)
+	}
+
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -93,7 +100,7 @@ func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
 	}
 	s.RoleId = u.RoleId
 
-	results, err := models.GetSecrets(s)
+	results, err := models.GetSecrets(s, false)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -142,7 +149,7 @@ func RetrieveMultpleSecrets(c *gin.Context) {
 	s.DeviceName = input.DeviceName
 	s.DeviceCategory = input.DeviceCategory
 
-	results, err := models.GetSecrets(&s)
+	results, err := models.GetSecrets(&s, false)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return

controllers/store_secrets.go

@@ -51,7 +51,7 @@ func StoreSecret(c *gin.Context) {
 	}
 
 	// If this secret already exists in the database then generate an error
-	checkExists, err := models.GetSecrets(&s)
+	checkExists, err := models.GetSecrets(&s, false)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -118,7 +118,7 @@ func UpdateSecret(c *gin.Context) {
 	}
 
 	// Confirm that the secret already exists
-	checkExists, err := models.GetSecrets(&s)
+	checkExists, err := models.GetSecrets(&s, false)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return

models/secret.go

@@ -45,13 +45,29 @@ func (s *Secret) SaveSecret() (*Secret, error) {
 }
 
 // Returns all matching secrets, up to caller to determine how to deal with multiple results
-func GetSecrets(s *Secret) ([]Secret, error) {
+func GetSecrets(s *Secret, adminRole bool) ([]Secret, error) {
 	var err error
 	var rows *sqlx.Rows
 	var secretResults []Secret
 
 	log.Printf("GetSecret querying values '%v'\n", s)
 
+	// Admin roles should be able to access all secrets so don't do any filter based on RoleId
+	if adminRole {
+		// Determine whether to query for a specific device or a category of devices
+		// Prefer querying device name than category
+		if s.DeviceName != "" && s.DeviceCategory != "" {
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ?", s.DeviceName, s.DeviceCategory)
+		} else if s.DeviceName != "" {
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ?", s.DeviceName)
+		} else if s.DeviceCategory != "" {
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ?", s.DeviceCategory)
+		} else {
+			log.Printf("GetSecret no valid search options specified\n")
+			err = errors.New("no valid search options specified")
+			return secretResults, err
+		}
+	} else {
 		// Determine whether to query for a specific device or a category of devices
 		// Prefer querying device name than category
 		if s.DeviceName != "" && s.DeviceCategory != "" {
@@ -65,6 +81,7 @@ func GetSecrets(s *Secret) ([]Secret, error) {
 			err = errors.New("no valid search options specified")
 			return secretResults, err
 		}
+	}
 
 	if err != nil {
 		log.Printf("GetSecret error executing sql record : '%s'\n", err)