new schema initial commit
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
@@ -5,13 +5,16 @@ import (
|
||||
"log"
|
||||
"net/http"
|
||||
"smt/models"
|
||||
"smt/utils/token"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
// bindings are validated by https://github.com/go-playground/validator
|
||||
type StoreInput struct {
|
||||
RoleId int `json:"roleId"`
|
||||
//RoleId int `json:"roleId"`
|
||||
SafeId int `json:"safeId"`
|
||||
SafeName string `json:"safeName"`
|
||||
DeviceName string `json:"deviceName"`
|
||||
DeviceCategory string `json:"deviceCategory"`
|
||||
UserName string `json:"userName" binding:"required"`
|
||||
@@ -36,15 +39,32 @@ func StoreSecret(c *gin.Context) {
|
||||
s.DeviceName = input.DeviceName
|
||||
s.DeviceCategory = input.DeviceCategory
|
||||
|
||||
// If RoleID is not defined then default to the same role as the user requesting secret to be stored
|
||||
if input.RoleId != 0 {
|
||||
s.RoleId = input.RoleId
|
||||
} else {
|
||||
ur, _ := models.GetUserRoleFromToken(c)
|
||||
log.Printf("StoreSecret RoleId was not specified, setting to RoleId of '%d'\n", ur.RoleId)
|
||||
s.RoleId = ur.RoleId
|
||||
// Query which safes the current user is allowed to access
|
||||
user_id, err := token.ExtractTokenID(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
|
||||
return
|
||||
}
|
||||
|
||||
safeId := SecretCheckSafeAllowed(int(user_id), input)
|
||||
if safeId == 0 {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining safe"})
|
||||
return
|
||||
}
|
||||
|
||||
s.SafeId = safeId
|
||||
|
||||
/*
|
||||
// If RoleID is not defined then default to the same role as the user requesting secret to be stored
|
||||
if input.RoleId != 0 {
|
||||
s.RoleId = input.RoleId
|
||||
} else {
|
||||
ur, _ := models.GetUserRoleFromToken(c)
|
||||
log.Printf("StoreSecret RoleId was not specified, setting to RoleId of '%d'\n", ur.RoleId)
|
||||
s.RoleId = ur.RoleId
|
||||
}
|
||||
*/
|
||||
|
||||
if input.DeviceCategory == "" && input.DeviceName == "" {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "cannot store secret with empty deviceName and empty deviceCategory"})
|
||||
return
|
||||
@@ -91,17 +111,19 @@ func UpdateSecret(c *gin.Context) {
|
||||
|
||||
log.Printf("UpdateSecret received JSON input '%v'\n", input)
|
||||
|
||||
// Get the user and role id of the requestor
|
||||
u, err := models.GetUserRoleFromToken(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
// Verify that the user role is not readonly
|
||||
if u.ReadOnly {
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": "UpdateSecret user role does not permit updates"})
|
||||
return
|
||||
}
|
||||
/*
|
||||
// Get the user and role id of the requestor
|
||||
u, err := models.UserGetRoleFromToken(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
// Verify that the user role is not readonly
|
||||
if u.ReadOnly {
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": "UpdateSecret user role does not permit updates"})
|
||||
return
|
||||
}
|
||||
*/
|
||||
|
||||
// Populate fields
|
||||
s := models.Secret{}
|
||||
@@ -110,13 +132,30 @@ func UpdateSecret(c *gin.Context) {
|
||||
s.DeviceName = input.DeviceName
|
||||
s.DeviceCategory = input.DeviceCategory
|
||||
|
||||
// Default role ID is 1 if not defined
|
||||
if input.RoleId != 0 {
|
||||
s.RoleId = input.RoleId
|
||||
} else {
|
||||
s.RoleId = 1
|
||||
/*
|
||||
// Default role ID is 1 if not defined
|
||||
if input.RoleId != 0 {
|
||||
s.RoleId = input.RoleId
|
||||
} else {
|
||||
s.RoleId = 1
|
||||
}
|
||||
*/
|
||||
|
||||
// Query which safes the current user is allowed to access
|
||||
user_id, err := token.ExtractTokenID(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
|
||||
return
|
||||
}
|
||||
|
||||
safeId := SecretCheckSafeAllowed(int(user_id), input)
|
||||
if safeId == 0 {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining safe"})
|
||||
return
|
||||
}
|
||||
|
||||
s.SafeId = safeId
|
||||
|
||||
// Confirm that the secret already exists
|
||||
checkExists, err := models.GetSecrets(&s, false)
|
||||
if err != nil {
|
||||
@@ -165,3 +204,36 @@ func UpdateSecret(c *gin.Context) {
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func SecretCheckSafeAllowed(user_id int, input StoreInput) int {
|
||||
// Query which safes the current user is allowed to access
|
||||
|
||||
// SafeId is by default the same as the safe that the user belongs to
|
||||
safeList, err := models.UserGetSafesAllowed(user_id)
|
||||
if err != nil {
|
||||
log.Printf("SecretCheckSafeAllowed error determining allowed safes for userId %d : '%s'\n", user_id, err)
|
||||
return 0
|
||||
}
|
||||
|
||||
// Verify user has access to specified safe
|
||||
for _, safe := range safeList {
|
||||
if len(input.SafeName) > 0 && safe.SafeName == input.SafeName { // Safe specifed by name
|
||||
return safe.SafeId
|
||||
} else if input.SafeId > 0 && safe.SafeId == input.SafeId { // Safe specified by id
|
||||
return safe.SafeId
|
||||
}
|
||||
}
|
||||
|
||||
// TODO what about Admin role
|
||||
|
||||
return 0
|
||||
|
||||
/*
|
||||
if !matchFound {
|
||||
errString := "no safe specified or no access to specified safe"
|
||||
log.Println(errString)
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": errString})
|
||||
return
|
||||
}
|
||||
*/
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user