nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity

updates
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Nathan Coad
2024-01-08 15:35:13 +11:00
parent d1857f2db1
commit ac60d1daef
4 changed files with 97 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
controllers/retrieve_secrets.go
View File

@@ -29,8 +29,8 @@ type ListSecret struct {
func RetrieveSecret(c *gin.Context) { func RetrieveSecret(c *gin.Context) {
var input RetrieveInput var input RetrieveInput
var results []models.Secret //var results []models.Secret
var userIsAdmin bool = false //var userIsAdmin bool = false
// Validate the input matches our struct // Validate the input matches our struct
if err := c.ShouldBindJSON(&input); err != nil { if err := c.ShouldBindJSON(&input); err != nil {
@@ -55,55 +55,67 @@ func RetrieveSecret(c *gin.Context) {
s.DeviceCategory = input.DeviceCategory s.DeviceCategory = input.DeviceCategory
s.UserName = input.UserName s.UserName = input.UserName
user_id, err := token.ExtractTokenID(c) retrieveSpecifiedSecret(&s, c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
return
}
// Work out which safe to query for this user if the safe was not specified /*
safeList, err := models.UserGetSafesAllowed(int(user_id)) user_id, err := token.ExtractTokenID(c)
if err != nil {
// If there was only one result then just use that c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
if len(safeList) == 0 {
// check if the user is an admin, if not then they seem to have access to zero safes
if !models.UserCheckIfAdmin(int(user_id)) {
c.JSON(http.StatusBadRequest, gin.H{"error": "user has no access to any secrets"})
return return
} }
// Don't apply a role filter if user has admin role
results, err = models.GetSecrets(&s, userIsAdmin)
} else if len(safeList) == 1 {
s.SafeId = safeList[0].SafeId
userIsAdmin = safeList[0].AdminUser || safeList[0].AdminGroup
// Don't apply a role filter if user has admin role
results, err = models.GetSecrets(&s, userIsAdmin)
} else {
// TODO - this is tricky. How to query multiple safes?
var safeIds []int // Work out which safe to query for this user if the safe was not specified
for _, safe := range safeList { safeList, err := models.UserGetSafesAllowed(int(user_id))
safeIds = append(safeIds, safe.SafeId)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user safes"})
return
} }
results, err = models.SecretsGetMultipleSafes(&s, false, safeIds) // If there was only one result then just use that
} if len(safeList) == 0 {
// check if the user is an admin, if not then they seem to have access to zero safes
if !models.UserCheckIfAdmin(int(user_id)) {
c.JSON(http.StatusBadRequest, gin.H{"error": "user has no access to any secrets"})
return
} else {
// Don't apply a role filter if user has admin role
results, err = models.SecretsGetMultipleSafes(&s, true, []int{})
}
if err != nil { } else if len(safeList) == 1 {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) s.SafeId = safeList[0].SafeId
return userIsAdmin = safeList[0].AdminUser || safeList[0].AdminGroup
} // Don't apply a role filter if user has admin role
//results, err = models.GetSecrets(&s, userIsAdmin)
results, err = models.SecretsGetMultipleSafes(&s, userIsAdmin, []int{s.SafeId})
} else {
// Create a list of all the safes this user can access
var safeIds []int
for _, safe := range safeList {
safeIds = append(safeIds, safe.SafeId)
}
if len(results) == 1 { results, err = models.SecretsGetMultipleSafes(&s, false, safeIds)
// output results as json }
c.JSON(http.StatusOK, gin.H{"message": "success", "data": results})
} else if len(results) > 1 { if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "found multiple matching secrets, use retrieveMultiple instead"}) c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return return
} else { }
c.JSON(http.StatusBadRequest, gin.H{"error": "found no matching secrets"})
return
} if len(results) == 1 {
// output results as json
c.JSON(http.StatusOK, gin.H{"message": "success", "data": results})
} else if len(results) > 1 {
c.JSON(http.StatusBadRequest, gin.H{"error": "found multiple matching secrets, use retrieveMultiple instead"})
return
} else {
c.JSON(http.StatusBadRequest, gin.H{"error": "found no matching secrets"})
return
}
*/
} }
func RetrieveSecretByDevicename(c *gin.Context) { func RetrieveSecretByDevicename(c *gin.Context) {
@@ -163,23 +175,30 @@ func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
// Work out which safe to query for this user if the safe was not specified // Work out which safe to query for this user if the safe was not specified
safeList, err := models.UserGetSafesAllowed(int(user_id)) safeList, err := models.UserGetSafesAllowed(int(user_id))
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user safes"})
return
}
// If there was only one result then just use that // If there was only one result then just use that
if len(safeList) == 0 { if len(safeList) == 0 {
// check if the user is an admin, if not then they seem to have access to zero safes // check if the user is an admin, if not then they seem to have access to zero safes
if !models.UserCheckIfAdmin(int(user_id)) { if !models.UserCheckIfAdmin(int(user_id)) {
c.JSON(http.StatusBadRequest, gin.H{"error": "user has no access to any secrets"}) c.JSON(http.StatusBadRequest, gin.H{"error": "user has no access to any secrets"})
return return
} else {
// Don't apply a role filter if user has admin role
results, err = models.SecretsGetMultipleSafes(s, true, []int{})
} }
// Don't apply a role filter if user has admin role
results, err = models.GetSecrets(s, userIsAdmin)
} else if len(safeList) == 1 { } else if len(safeList) == 1 {
s.SafeId = safeList[0].SafeId s.SafeId = safeList[0].SafeId
userIsAdmin = safeList[0].AdminUser || safeList[0].AdminGroup userIsAdmin = safeList[0].AdminUser || safeList[0].AdminGroup
// Don't apply a role filter if user has admin role // Don't apply a role filter if user has admin role
results, err = models.GetSecrets(s, userIsAdmin) //results, err = models.GetSecrets(&s, userIsAdmin)
results, err = models.SecretsGetMultipleSafes(s, userIsAdmin, []int{s.SafeId})
} else { } else {
// TODO - this is tricky. How to query multiple safes? // Create a list of all the safes this user can access
var safeIds []int var safeIds []int
for _, safe := range safeList { for _, safe := range safeList {
safeIds = append(safeIds, safe.SafeId) safeIds = append(safeIds, safe.SafeId)
@@ -188,6 +207,11 @@ func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
results, err = models.SecretsGetMultipleSafes(s, false, safeIds) results, err = models.SecretsGetMultipleSafes(s, false, safeIds)
} }
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
if len(results) == 1 { if len(results) == 1 {
// output results as json // output results as json
c.JSON(http.StatusOK, gin.H{"message": "success", "data": results}) c.JSON(http.StatusOK, gin.H{"message": "success", "data": results})

5
controllers/store_secrets.go
View File

@@ -70,13 +70,14 @@ func StoreSecret(c *gin.Context) {
return return
} }
// TODO - replace this with a call to SecretsGetMultipleSafes
// If this secret already exists in the database then generate an error // If this secret already exists in the database then generate an error
checkExists, err := models.GetSecrets(&s, false) checkExists, err := models.GetSecrets(&s, false)
if err != nil { if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return return
} }
if len(checkExists) > 0 { if len(checkExists) > 0 {
log.Printf("StoreSecret not storing secret with '%d' already matching secrets.\n", len(checkExists)) log.Printf("StoreSecret not storing secret with '%d' already matching secrets.\n", len(checkExists))
c.JSON(http.StatusBadRequest, gin.H{"error": "StoreSecret attempting to store secret already defined. Use update API call instead"}) c.JSON(http.StatusBadRequest, gin.H{"error": "StoreSecret attempting to store secret already defined. Use update API call instead"})
@@ -156,6 +157,8 @@ func UpdateSecret(c *gin.Context) {
s.SafeId = safeId s.SafeId = safeId
// TODO - replace this with a call to SecretsGetMultipleSafes
// Confirm that the secret already exists // Confirm that the secret already exists
checkExists, err := models.GetSecrets(&s, false) checkExists, err := models.GetSecrets(&s, false)
if err != nil { if err != nil {

43
models/secret.go
View File

@@ -46,7 +46,7 @@ func (s *Secret) SaveSecret() (*Secret, error) {
return s, nil return s, nil
} }
// TODO - use this function when user has access to multiple safes // SecretsGetMultipleSafes queries the specified safes for matching secrets
func SecretsGetMultipleSafes(s *Secret, adminRole bool, safeIds []int) ([]Secret, error) { func SecretsGetMultipleSafes(s *Secret, adminRole bool, safeIds []int) ([]Secret, error) {
var err error var err error
var secretResults []Secret var secretResults []Secret
@@ -62,22 +62,29 @@ func SecretsGetMultipleSafes(s *Secret, adminRole bool, safeIds []int) ([]Secret
rows, err := db.Queryx(query, args) rows, err := db.Queryx(query, args)
*/ */
// Generate placeholders for the IN clause to match multiple SafeId values
placeholders := make([]string, len(safeIds))
for i := range safeIds {
placeholders[i] = "?"
}
placeholderStr := strings.Join(placeholders, ",")
query := fmt.Sprintf("SELECT * FROM secrets WHERE SafeId IN (%s) ", placeholderStr)
args := []interface{}{} args := []interface{}{}
var query string
if adminRole {
// No need to limit query to any safe
query = "SELECT * FROM secrets WHERE 1=1 "
} else {
// Generate placeholders for the IN clause to match multiple SafeId values
placeholders := make([]string, len(safeIds))
for i := range safeIds {
placeholders[i] = "?"
}
placeholderStr := strings.Join(placeholders, ",")
// Add the Safe Ids // Create query with the necessary placeholders
for _, g := range safeIds { query = fmt.Sprintf("SELECT * FROM secrets WHERE SafeId IN (%s) ", placeholderStr)
args = append(args, g)
// Add the Safe Ids to the arguments list
for _, g := range safeIds {
args = append(args, g)
}
} }
// Add any other parameters // Add any other arguments to the query if they were specified
if s.DeviceName != "" { if s.DeviceName != "" {
query += " AND DeviceName LIKE ? " query += " AND DeviceName LIKE ? "
args = append(args, s.DeviceName) args = append(args, s.DeviceName)
@@ -93,16 +100,6 @@ func SecretsGetMultipleSafes(s *Secret, adminRole bool, safeIds []int) ([]Secret
args = append(args, s.UserName) args = append(args, s.UserName)
} }
/*
// Construct the query
query := fmt.Sprintf("SELECT * FROM users WHERE username = ? AND group IN (%s)", placeholderStr)
args := make([]interface{}, 0, len(groups)+1)
args = append(args, username)
for _, g := range safeIds {
args = append(args, g)
}
*/
// Execute the query // Execute the query
rows, err := db.Queryx(query, args...) rows, err := db.Queryx(query, args...)

3
models/user.go
View File

@@ -364,8 +364,7 @@ func UserGetSafesAllowed(userId int) ([]UserSafe, error) {
INNER JOIN groups ON users.GroupId = groups.GroupId INNER JOIN groups ON users.GroupId = groups.GroupId
INNER JOIN permissions ON groups.GroupId = permissions.GroupId INNER JOIN permissions ON groups.GroupId = permissions.GroupId
INNER JOIN safes on permissions.SafeId = safes.SafeId INNER JOIN safes on permissions.SafeId = safes.SafeId
WHERE users.UserId=?" WHERE users.UserId=?`, userId)
`, userId)
if err != nil { if err != nil {
log.Printf("UserGetSafesAllowed error executing sql record : '%s'\n", err) log.Printf("UserGetSafesAllowed error executing sql record : '%s'\n", err)
return results, err return results, err