nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity

new schema initial commit
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Nathan Coad
2024-01-08 14:30:16 +11:00
parent 7ecf27f7dc
commit d1eecc5c4f
14 changed files with 631 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
controllers/auth.go
View File

@@ -16,9 +16,11 @@ import (
)
type RegisterInput struct {
UserName string `json:"userName" binding:"required"`
Password string `json:"password" binding:"required"`
RoleId int `json:"roleid"`
UserName string `json:"userName" binding:"required"`
Password string `json:"password" binding:"required"`
GroupId int `json:"groupId"`
GroupName string `json:"groupName"`
//RoleId int `json:"roleid"`
}
type LoginInput struct {
@@ -52,7 +54,7 @@ func DeleteUser(c *gin.Context) {
u.UserName = html.EscapeString(strings.TrimSpace(u.UserName))
// Confirm user account exists
testUser, _ := models.GetUserByName(u.UserName)
testUser, _ := models.UserGetByName(u.UserName)
log.Printf("DeleteUser confirming user '%s' account exists\n", u.UserName)
if (models.User{} == testUser) {
err := errors.New("attempt to delete non-existing username '" + u.UserName + "'")
@@ -90,23 +92,51 @@ func RegisterUser(c *gin.Context) {
}
u := models.User{}
//u.RoleId = 1
u.UserName = input.UserName
u.Password = input.Password
// Default to regular user role if not specified
if input.RoleId == 0 {
log.Printf("Register no role specified, defaulting to builtin role UserRole with id 2.\n")
u.RoleId = 2
// Determine which GroupId to save
// Can be specified either by GroupName or GroupId in the request
if len(input.GroupName) > 0 {
g, err := models.GroupGetByName(input.GroupName)
if err != nil {
errString := fmt.Sprintf("RegisterUser error looking up group by name : '%s'", err)
log.Println(errString)
c.JSON(http.StatusBadRequest, gin.H{"error": errString})
return
}
if g == (models.Group{}) {
errString := fmt.Sprintf("RegisterUser specified group not found")
log.Println(errString)
c.JSON(http.StatusBadRequest, gin.H{"error": errString})
return
} else {
u.GroupId = g.GroupId
}
} else if input.GroupId > 0 {
u.GroupId = input.GroupId
} else {
u.RoleId = input.RoleId
errString := fmt.Sprintf("RegisterUser no group specified, must specify either GroupId or GroupName")
log.Println(errString)
c.JSON(http.StatusBadRequest, gin.H{"error": errString})
return
}
/*
// Default to regular user role if not specified
if input.RoleId == 0 {
log.Printf("Register no role specified, defaulting to builtin role UserRole with id 2.\n")
u.RoleId = 2
} else {
u.RoleId = input.RoleId
}
*/
//remove spaces in username
u.UserName = html.EscapeString(strings.TrimSpace(u.UserName))
// Check if user already exists
testUser, _ := models.GetUserByName(u.UserName)
testUser, _ := models.UserGetByName(u.UserName)
log.Printf("Register checking if user '%s' already exists\n", u.UserName)
if (models.User{} == testUser) {
log.Printf("Register confirmed no existing username\n")
@@ -214,7 +244,7 @@ func CurrentUser(c *gin.Context) {
return
}
u, err := models.GetUserByID(user_id)
u, err := models.UserGetByID(user_id)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
@@ -237,7 +267,7 @@ func GetRoles(c *gin.Context) {
}
func GetUsers(c *gin.Context) {
users, err := models.QueryUsers()
users, err := models.UserList()
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})

213
controllers/retrieve_secrets.go
View File

@@ -13,11 +13,14 @@ type RetrieveInput struct {
DeviceName string `json:"deviceName"`
DeviceCategory string `json:"deviceCategory"`
UserName string `json:"userName"`
SafeId int `json:"safeId"`
SafeName string `json:"safeName"`
}
type ListSecret struct {
SecretId int `db:"SecretId" json:"-"`
RoleId int `db:"RoleId" json:"-"`
SecretId int `db:"SecretId" json:"-"`
//RoleId int `db:"RoleId" json:"-"`
SafeId int `db:"SafeId"`
DeviceName string `db:"DeviceName"`
DeviceCategory string `db:"DeviceCategory"`
UserName string `db:"UserName"`
@@ -27,6 +30,7 @@ type ListSecret struct {
func RetrieveSecret(c *gin.Context) {
var input RetrieveInput
var results []models.Secret
var userIsAdmin bool = false
// Validate the input matches our struct
if err := c.ShouldBindJSON(&input); err != nil {
@@ -35,22 +39,55 @@ func RetrieveSecret(c *gin.Context) {
}
log.Printf("RetrieveSecret received JSON input '%v'\n", input)
// Get the user and role id of the requestor
u, err := models.GetUserRoleFromToken(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
/*
// Get the user and role id of the requestor
u, err := models.UserGetRoleFromToken(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
*/
// Populate fields
s := models.Secret{}
s.RoleId = u.RoleId
//s.RoleId = u.RoleId
s.DeviceName = input.DeviceName
s.DeviceCategory = input.DeviceCategory
s.UserName = input.UserName
// Don't apply a role filter if user has admin role
results, err = models.GetSecrets(&s, u.Admin)
user_id, err := token.ExtractTokenID(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
return
}
// Work out which safe to query for this user if the safe was not specified
safeList, err := models.UserGetSafesAllowed(int(user_id))
// If there was only one result then just use that
if len(safeList) == 0 {
// check if the user is an admin, if not then they seem to have access to zero safes
if !models.UserCheckIfAdmin(int(user_id)) {
c.JSON(http.StatusBadRequest, gin.H{"error": "user has no access to any secrets"})
return
}
// Don't apply a role filter if user has admin role
results, err = models.GetSecrets(&s, userIsAdmin)
} else if len(safeList) == 1 {
s.SafeId = safeList[0].SafeId
userIsAdmin = safeList[0].AdminUser || safeList[0].AdminGroup
// Don't apply a role filter if user has admin role
results, err = models.GetSecrets(&s, userIsAdmin)
} else {
// TODO - this is tricky. How to query multiple safes?
var safeIds []int
for _, safe := range safeList {
safeIds = append(safeIds, safe.SafeId)
}
results, err = models.SecretsGetMultipleSafes(&s, false, safeIds)
}
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
@@ -99,18 +136,56 @@ func RetrieveSecretByDevicecategory(c *gin.Context) {
}
func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
// Get the user and role id of the requestor
u, err := models.GetUserRoleFromToken(c)
/*
// Get the user and role id of the requestor
u, err := models.UserGetRoleFromToken(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
s.RoleId = u.RoleId
results, err := models.GetSecrets(s, false)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
*/
var results []models.Secret
var userIsAdmin = false
user_id, err := token.ExtractTokenID(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
return
}
s.RoleId = u.RoleId
results, err := models.GetSecrets(s, false)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
// Work out which safe to query for this user if the safe was not specified
safeList, err := models.UserGetSafesAllowed(int(user_id))
// If there was only one result then just use that
if len(safeList) == 0 {
// check if the user is an admin, if not then they seem to have access to zero safes
if !models.UserCheckIfAdmin(int(user_id)) {
c.JSON(http.StatusBadRequest, gin.H{"error": "user has no access to any secrets"})
return
}
// Don't apply a role filter if user has admin role
results, err = models.GetSecrets(s, userIsAdmin)
} else if len(safeList) == 1 {
s.SafeId = safeList[0].SafeId
userIsAdmin = safeList[0].AdminUser || safeList[0].AdminGroup
// Don't apply a role filter if user has admin role
results, err = models.GetSecrets(s, userIsAdmin)
} else {
// TODO - this is tricky. How to query multiple safes?
var safeIds []int
for _, safe := range safeList {
safeIds = append(safeIds, safe.SafeId)
}
results, err = models.SecretsGetMultipleSafes(s, false, safeIds)
}
if len(results) == 1 {
@@ -125,69 +200,75 @@ func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
}
}
func ListSecrets(c *gin.Context) {
var results []models.Secret
var output []ListSecret
// TODO implement with new schema
/*
var results []models.Secret
// Get the user and role id of the requestor
u, err := models.UserGetRoleFromToken(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// Get the user and role id of the requestor
u, err := models.GetUserRoleFromToken(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// If user is admin then list everything, otherwise only list for current role
results, err = models.GetSecrets(&models.Secret{RoleId: u.RoleId}, u.Admin)
// If user is admin then list everything, otherwise only list for current role
results, err = models.GetSecrets(&models.Secret{RoleId: u.RoleId}, u.Admin)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
for _, v := range results {
output = append(output, ListSecret(v))
}
for _, v := range results {
output = append(output, ListSecret(v))
}
*/
// output results as json
c.JSON(http.StatusOK, gin.H{"message": "success", "data": output})
}
func RetrieveMultpleSecrets(c *gin.Context) {
var input RetrieveInput
// TODO implement with new schema
/*
var input RetrieveInput
// Validate the input matches our struct
if err := c.ShouldBindJSON(&input); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
log.Printf("StoreSecret received JSON input '%v'\n", input)
// Validate the input matches our struct
if err := c.ShouldBindJSON(&input); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
log.Printf("StoreSecret received JSON input '%v'\n", input)
// Get the user and role id of the requestor
user_id, err := token.ExtractTokenID(c)
// Get the user and role id of the requestor
user_id, err := token.ExtractTokenID(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
u, err := models.GetUserRoleByID(user_id)
u, err := models.GetUserRoleByID(user_id)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// Populate fields
s := models.Secret{}
s.RoleId = u.RoleId
s.DeviceName = input.DeviceName
s.DeviceCategory = input.DeviceCategory
// Populate fields
s := models.Secret{}
s.RoleId = u.RoleId
s.DeviceName = input.DeviceName
s.DeviceCategory = input.DeviceCategory
results, err := models.GetSecrets(&s, false)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
results, err := models.GetSecrets(&s, false)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// output results as json
c.JSON(http.StatusOK, gin.H{"message": "success", "data": results})
// output results as json
c.JSON(http.StatusOK, gin.H{"message": "success", "data": results})
*/
}

120
controllers/store_secrets.go
View File

@@ -5,13 +5,16 @@ import (
"log"
"net/http"
"smt/models"
"smt/utils/token"
"github.com/gin-gonic/gin"
)
// bindings are validated by https://github.com/go-playground/validator
type StoreInput struct {
RoleId int `json:"roleId"`
//RoleId int `json:"roleId"`
SafeId int `json:"safeId"`
SafeName string `json:"safeName"`
DeviceName string `json:"deviceName"`
DeviceCategory string `json:"deviceCategory"`
UserName string `json:"userName" binding:"required"`
@@ -36,15 +39,32 @@ func StoreSecret(c *gin.Context) {
s.DeviceName = input.DeviceName
s.DeviceCategory = input.DeviceCategory
// If RoleID is not defined then default to the same role as the user requesting secret to be stored
if input.RoleId != 0 {
s.RoleId = input.RoleId
} else {
ur, _ := models.GetUserRoleFromToken(c)
log.Printf("StoreSecret RoleId was not specified, setting to RoleId of '%d'\n", ur.RoleId)
s.RoleId = ur.RoleId
// Query which safes the current user is allowed to access
user_id, err := token.ExtractTokenID(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
return
}
safeId := SecretCheckSafeAllowed(int(user_id), input)
if safeId == 0 {
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining safe"})
return
}
s.SafeId = safeId
/*
// If RoleID is not defined then default to the same role as the user requesting secret to be stored
if input.RoleId != 0 {
s.RoleId = input.RoleId
} else {
ur, _ := models.GetUserRoleFromToken(c)
log.Printf("StoreSecret RoleId was not specified, setting to RoleId of '%d'\n", ur.RoleId)
s.RoleId = ur.RoleId
}
*/
if input.DeviceCategory == "" && input.DeviceName == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "cannot store secret with empty deviceName and empty deviceCategory"})
return
@@ -91,17 +111,19 @@ func UpdateSecret(c *gin.Context) {
log.Printf("UpdateSecret received JSON input '%v'\n", input)
// Get the user and role id of the requestor
u, err := models.GetUserRoleFromToken(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// Verify that the user role is not readonly
if u.ReadOnly {
c.JSON(http.StatusForbidden, gin.H{"error": "UpdateSecret user role does not permit updates"})
return
}
/*
// Get the user and role id of the requestor
u, err := models.UserGetRoleFromToken(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// Verify that the user role is not readonly
if u.ReadOnly {
c.JSON(http.StatusForbidden, gin.H{"error": "UpdateSecret user role does not permit updates"})
return
}
*/
// Populate fields
s := models.Secret{}
@@ -110,13 +132,30 @@ func UpdateSecret(c *gin.Context) {
s.DeviceName = input.DeviceName
s.DeviceCategory = input.DeviceCategory
// Default role ID is 1 if not defined
if input.RoleId != 0 {
s.RoleId = input.RoleId
} else {
s.RoleId = 1
/*
// Default role ID is 1 if not defined
if input.RoleId != 0 {
s.RoleId = input.RoleId
} else {
s.RoleId = 1
}
*/
// Query which safes the current user is allowed to access
user_id, err := token.ExtractTokenID(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
return
}
safeId := SecretCheckSafeAllowed(int(user_id), input)
if safeId == 0 {
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining safe"})
return
}
s.SafeId = safeId
// Confirm that the secret already exists
checkExists, err := models.GetSecrets(&s, false)
if err != nil {
@@ -165,3 +204,36 @@ func UpdateSecret(c *gin.Context) {
}
}
func SecretCheckSafeAllowed(user_id int, input StoreInput) int {
// Query which safes the current user is allowed to access
// SafeId is by default the same as the safe that the user belongs to
safeList, err := models.UserGetSafesAllowed(user_id)
if err != nil {
log.Printf("SecretCheckSafeAllowed error determining allowed safes for userId %d : '%s'\n", user_id, err)
return 0
}
// Verify user has access to specified safe
for _, safe := range safeList {
if len(input.SafeName) > 0 && safe.SafeName == input.SafeName { // Safe specifed by name
return safe.SafeId
} else if input.SafeId > 0 && safe.SafeId == input.SafeId { // Safe specified by id
return safe.SafeId
}
}
// TODO what about Admin role
return 0
/*
if !matchFound {
errString := "no safe specified or no access to specified safe"
log.Println(errString)
c.JSON(http.StatusBadRequest, gin.H{"error": errString})
return
}
*/
}