new schema initial commit

models/audit.go

@@ -0,0 +1,3 @@
+package models
+
+// Define audit functions

models/group.go

@@ -0,0 +1,55 @@
+package models
+
+import (
+	"errors"
+	"log"
+)
+
+type Group struct {
+	GroupId   int    `db:"GroupId"`
+	GroupName string `db:"GroupName"`
+	LdapGroup bool   `db:"LdapGroup"`
+	LdapDn    string `db:"LdapDN"`
+	Admin     bool   `db:"Admin"`
+}
+
+// GroupGetByName queries the database for the specified group name
+func GroupGetByName(groupname string) (Group, error) {
+	var g Group
+
+	// Query database for matching group object
+	err := db.QueryRowx("SELECT * FROM groups WHERE GroupName=?", groupname).StructScan(&g)
+	if err != nil {
+		return g, errors.New("group not found")
+	}
+
+	return g, nil
+}
+
+// GroupList returns a list of all groups in database
+func GroupList() ([]Group, error) {
+	var results []Group
+
+	// Query database for role definitions
+	rows, err := db.Queryx("SELECT * FROM groups")
+
+	if err != nil {
+		log.Printf("GroupList error executing sql record : '%s'\n", err)
+		return results, err
+	} else {
+		// parse all the results into a slice
+		for rows.Next() {
+			var g Group
+			err = rows.StructScan(&g)
+			if err != nil {
+				log.Printf("GroupList error parsing sql record : '%s'\n", err)
+				return results, err
+			}
+			results = append(results, g)
+
+		}
+		log.Printf("GroupList retrieved '%d' results\n", len(results))
+	}
+
+	return results, nil
+}

models/ldap.go

@@ -227,7 +227,8 @@ func LookupNamingContext(ldaps *ldap.Conn) string {
 	return defaultNamingContext
 }
 
-func GetLdapGroupMembership(username string, password string) ([]string, error) {
+// LdapGetGroupMembership returns a list of distinguishedNames for groups that a user is a member of
+func LdapGetGroupMembership(username string, password string) ([]string, error) {
 	var err error
 	username = CheckUsername(username)
 

models/permissions.go

@@ -0,0 +1,8 @@
+package models
+
+type Permission struct {
+	PermissionId int `db:"PermissionId"`
+	RoleId       int `db:"RoleId"`
+	SafeId       int `db:"SafeId"`
+	GroupId      int `db:"GroupId"`
+}

models/safe.go

@@ -0,0 +1,6 @@
+package models
+
+type Safe struct {
+	SafeId   int    `db:"SafeId"`
+	SafeName string `db:"SafeName"`
+}

models/secret.go

@@ -6,16 +6,19 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
+	"fmt"
 	"io"
 	"log"
+	"strings"
 
 	"github.com/jmoiron/sqlx"
 )
 
 // We use the json:"-" field tag to prevent showing these details to the user
 type Secret struct {
-	SecretId       int    `db:"SecretId" json:"-"`
-	RoleId         int    `db:"RoleId" json:"-"`
+	SecretId int `db:"SecretId" json:"-"`
+	//RoleId         int    `db:"RoleId" json:"-"`
+	SafeId         int    `db:"SafeId"`
 	DeviceName     string `db:"DeviceName"`
 	DeviceCategory string `db:"DeviceCategory"`
 	UserName       string `db:"UserName"`
@@ -29,7 +32,7 @@ func (s *Secret) SaveSecret() (*Secret, error) {
 	var err error
 
 	log.Printf("SaveSecret storing values '%v'\n", s)
-	result, err := db.NamedExec((`INSERT INTO secrets (RoleId, DeviceName, DeviceCategory, UserName, Secret) VALUES (:RoleId, :DeviceName, :DeviceCategory, :UserName, :Secret)`), s)
+	result, err := db.NamedExec((`INSERT INTO secrets (SafeId, DeviceName, DeviceCategory, UserName, Secret) VALUES (:SafeId, :DeviceName, :DeviceCategory, :UserName, :Secret)`), s)
 
 	if err != nil {
 		log.Printf("StoreSecret error executing sql record : '%s'\n", err)
@@ -43,6 +46,96 @@ func (s *Secret) SaveSecret() (*Secret, error) {
 	return s, nil
 }
 
+// TODO - use this function when user has access to multiple safes
+func SecretsGetMultipleSafes(s *Secret, adminRole bool, safeIds []int) ([]Secret, error) {
+	var err error
+	var secretResults []Secret
+
+	/*
+		// First use an "In Query" to expand the list of safe Ids to query
+		// As per https://jmoiron.github.io/sqlx/#inQueries
+
+		query, args, _ := sqlx.In("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND UserName = ? and SafeId IN (?);", s.DeviceName, s.DeviceCategory, s.UserName, safeIds)
+
+		// sqlx.In returns queries with the `?` bindvar, we can rebind it for our backend
+		query = db.Rebind(query)
+		rows, err := db.Queryx(query, args)
+	*/
+
+	// Generate placeholders for the IN clause to match multiple SafeId values
+	placeholders := make([]string, len(safeIds))
+	for i := range safeIds {
+		placeholders[i] = "?"
+	}
+	placeholderStr := strings.Join(placeholders, ",")
+
+	query := fmt.Sprintf("SELECT * FROM secrets WHERE SafeId IN (%s) ", placeholderStr)
+	args := []interface{}{}
+
+	// Add the Safe Ids
+	for _, g := range safeIds {
+		args = append(args, g)
+	}
+
+	// Add any other parameters
+	if s.DeviceName != "" {
+		query += " AND DeviceName LIKE ? "
+		args = append(args, s.DeviceName)
+	}
+
+	if s.DeviceCategory != "" {
+		query += " AND DeviceCategory LIKE ? "
+		args = append(args, s.DeviceCategory)
+	}
+
+	if s.UserName != "" {
+		query += " AND UserName LIKE ? "
+		args = append(args, s.UserName)
+	}
+
+	/*
+		// Construct the query
+		query := fmt.Sprintf("SELECT * FROM users WHERE username = ? AND group IN (%s)", placeholderStr)
+		args := make([]interface{}, 0, len(groups)+1)
+		args = append(args, username)
+		for _, g := range safeIds {
+			args = append(args, g)
+		}
+	*/
+
+	// Execute the query
+	rows, err := db.Queryx(query, args...)
+
+	if err != nil {
+		log.Printf("SecretsGetMultipleSafes error executing sql record : '%s'\n", err)
+		return secretResults, err
+	} else {
+		// parse all the results into a slice
+		for rows.Next() {
+			var r Secret
+			err = rows.StructScan(&r)
+			if err != nil {
+				log.Printf("SecretsGetMultipleSafes error parsing sql record : '%s'\n", err)
+				return secretResults, err
+			}
+
+			// Decrypt the secret
+			_, err = r.DecryptSecret()
+			if err != nil {
+				//log.Printf("GetSecret unable to decrypt stored secret '%v' : '%s'\n", r.Secret, err)
+				log.Printf("SecretsGetMultipleSafes unable to decrypt stored secret : '%s'\n", err)
+				return secretResults, err
+			} else {
+				secretResults = append(secretResults, r)
+			}
+
+		}
+		log.Printf("SecretsGetMultipleSafes retrieved '%d' results\n", len(secretResults))
+	}
+
+	return secretResults, nil
+}
+
 // Returns all matching secrets, up to caller to determine how to deal with multiple results
 func GetSecrets(s *Secret, adminRole bool) ([]Secret, error) {
 	var err error
@@ -79,21 +172,21 @@ func GetSecrets(s *Secret, adminRole bool) ([]Secret, error) {
 		// Determine whether to query for a specific device or a category of devices
 		// Prefer querying device name than category
 		if s.DeviceName != "" && s.DeviceCategory != "" && s.UserName != "" {
-			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND UserName = ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.UserName, s.RoleId)
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND UserName = ? AND SafeId = ?", s.DeviceName, s.DeviceCategory, s.UserName, s.SafeId)
 		} else if s.DeviceName != "" && s.UserName != "" {
-			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND UserName = ? AND RoleId = ?", s.DeviceName, s.UserName, s.RoleId)
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND UserName = ? AND SafeId = ?", s.DeviceName, s.UserName, s.SafeId)
 		} else if s.DeviceCategory != "" && s.UserName != "" {
-			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND UserName = ? AND RoleId = ?", s.DeviceCategory, s.UserName, s.RoleId)
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND UserName = ? AND SafeId = ?", s.DeviceCategory, s.UserName, s.SafeId)
 		} else if s.DeviceName != "" && s.DeviceCategory != "" {
-			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.RoleId)
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND SafeId = ?", s.DeviceName, s.DeviceCategory, s.SafeId)
 		} else if s.DeviceName != "" {
-			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND RoleId = ?", s.DeviceName, s.RoleId)
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND SafeId = ?", s.DeviceName, s.SafeId)
 		} else if s.DeviceCategory != "" {
-			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND RoleId = ?", s.DeviceCategory, s.RoleId)
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND SafeId = ?", s.DeviceCategory, s.SafeId)
 		} else if s.UserName != "" {
-			rows, err = db.Queryx("SELECT * FROM secrets WHERE UserName LIKE ? AND RoleId = ?", s.UserName, s.RoleId)
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE UserName LIKE ? AND SafeId = ?", s.UserName, s.SafeId)
 		} else {
-			rows, err = db.Queryx("SELECT * FROM secrets WHERE RoleId = ?", s.RoleId)
+			rows, err = db.Queryx("SELECT * FROM secrets WHERE RoleId = ?", s.SafeId)
 			//log.Printf("GetSecret no valid search options specified\n")
 			//err = errors.New("no valid search options specified")
 			//return secretResults, err

models/setup.go

@@ -26,8 +26,7 @@ const createRoles string = `
 	CREATE TABLE IF NOT EXISTS roles (
 		RoleId INTEGER PRIMARY KEY ASC,
 		RoleName VARCHAR,
-		ReadOnly BOOLEAN,
-		Admin BOOLEAN
+		ReadOnly BOOLEAN
 	);
 `
 
@@ -37,8 +36,8 @@ const createUsers string = `
 		GroupId INTEGER,
 		UserName VARCHAR,
 		Password VARCHAR,
+		Admin BOOLEAN DEFAULT 0,
 		LdapUser BOOLEAN DEFAULT 0,
-		LdapDN VARCHAR DEFAULT '',
 		FOREIGN KEY (GroupId) REFERENCES groups(GroupId)
 	);
 `
@@ -55,7 +54,8 @@ const createGroups string = `
 		GroupId INTEGER PRIMARY KEY ASC,
 		GroupName VARCHAR,
 		LdapGroup BOOLEAN DEFAULT 0,
-		LdapDN VARCHAR DEFAULT ''
+		LdapDN VARCHAR DEFAULT '',
+		Admin BOOLEAN DEFAULT 0
 	);
 `
 
@@ -213,6 +213,36 @@ func CreateTables() {
 		os.Exit(1)
 	}
 
+	// Add initial groups
+	rowCount, _ = CheckCount("groups")
+	if rowCount == 0 {
+		if _, err = db.Exec("INSERT INTO groups (GroupId, GroupName, Admin) VALUES(1, 'Administrators', 1);"); err != nil {
+			log.Printf("Error adding initial group entry id 1 : '%s'", err)
+			os.Exit(1)
+		}
+		if _, err = db.Exec("INSERT INTO groups (GroupId, GroupName, Admin) VALUES(2, 'Users', 0);"); err != nil {
+			log.Printf("Error adding initial group entry id 2 : '%s'", err)
+			os.Exit(1)
+		}
+	}
+
+	// Add initial permissions
+	rowCount, _ = CheckCount("permissions")
+	if rowCount == 0 {
+		if _, err = db.Exec("INSERT INTO permissions (RoleId, SafeId, UserId) VALUES(1, 1, 1);"); err != nil {
+			log.Printf("Error adding initial permissions entry userid 1 : '%s'", err)
+			os.Exit(1)
+		}
+		if _, err = db.Exec("INSERT INTO permissions (RoleId, SafeId, UserId) VALUES(1, 1, 2);"); err != nil {
+			log.Printf("Error adding initial permissions entry userid 2 : '%s'", err)
+			os.Exit(1)
+		}
+		if _, err = db.Exec("INSERT INTO permissions (RoleId, SafeId, UserId) VALUES(1, 1, 3);"); err != nil {
+			log.Printf("Error adding initial permissions entry userid 3 : '%s'", err)
+			os.Exit(1)
+		}
+	}
+
 	// Schema table should go last so we know if the database has a value in the schema table then everything was created properly
 	if _, err = db.Exec(createSchema); err != nil {
 		log.Printf("Error checking schema table : '%s'", err)
@@ -246,8 +276,8 @@ func CreateTables() {
 			GroupId INTEGER,
 			UserName VARCHAR,
 			Password VARCHAR,
-			LdapUser BOOLEAN DEFAULT 0,
-			LdapDN VARCHAR DEFAULT '',
+			Admin BOOLEAN DEFAULT 0,
+			LdapUser BOOLEAN DEFAULT 0
 			FOREIGN KEY (GroupId) REFERENCES groups(GroupId)
 		);
 		INSERT INTO users SELECT * FROM _users_old;

models/user.go

@@ -5,20 +5,19 @@ import (
 	"errors"
 	"fmt"
 	"log"
-	"net/http"
 	"smt/utils/token"
 
-	"github.com/gin-gonic/gin"
 	"golang.org/x/crypto/bcrypt"
 )
 
 type User struct {
 	UserId   int    `db:"UserId" json:"userId"`
-	RoleId   int    `db:"RoleId" json:"roleId"`
+	GroupId  int    `db:"GroupId" json:"groupId"`
 	UserName string `db:"UserName" json:"userName"`
 	Password string `db:"Password" json:"-"`
 	LdapUser bool   `db:"LdapUser" json:"ldapUser"`
-	LdapDn   string `db:"LdapDN" json:"ldapDn"`
+	Admin    bool   `db:"Admin"`
+	//LdapDn   string `db:"LdapDN" json:"ldapDn"`
 }
 
 type UserRole struct {
@@ -28,15 +27,32 @@ type UserRole struct {
 	Admin    bool   `db:"Admin"`
 }
 
+type UserGroup struct {
+	User
+	GroupName string `db:"GroupName"`
+	LdapGroup bool   `db:"LdapGroup"`
+	LdapDn    string `db:"LdapDN"`
+	Admin     bool   `db:"Admin"`
+}
+
+type UserSafe struct {
+	User
+	AdminUser  bool   `db:"AdminUser"`
+	AdminGroup bool   `db:"AdminGroup"`
+	SafeId     int    `db:"SafeId"`
+	SafeName   string `db:"SafeName"`
+	GroupId    int    `db:"GroupId"`
+}
+
 func (u *User) SaveUser() (*User, error) {
 
 	var err error
 
 	// Validate username not already in use
-	_, err = GetUserByName(u.UserName)
+	_, err = UserGetByName(u.UserName)
 	if err != nil && err.Error() == "user not found" {
 		log.Printf("SaveUser confirmed no existing user, continuing with creation of user '%s'\n", u.UserName)
-		result, err := db.NamedExec((`INSERT INTO users (RoleId, UserName, Password, LdapUser, LdapDn) VALUES (:RoleId, :UserName, :Password, :LdapUser, :LdapDN)`), u)
+		result, err := db.NamedExec((`INSERT INTO users (GroupId, UserName, Password, LdapUser) VALUES (:GroupId, :UserName, :Password, :LdapUser`), u)
 
 		if err != nil {
 			log.Printf("SaveUser error executing sql record : '%s'\n", err)
@@ -56,7 +72,7 @@ func (u *User) SaveUser() (*User, error) {
 func (u *User) DeleteUser() error {
 
 	// Validate username exists
-	_, err := GetUserByName(u.UserName)
+	_, err := UserGetByName(u.UserName)
 	if err != nil {
 		log.Printf("DeleteUser error finding user account to remove : '%s'\n", err)
 		return err
@@ -180,7 +196,7 @@ func LdapLoginCheck(username string, password string) (User, error) {
 	u.UserName = username
 
 	// try to get LDAP group membership
-	groups, err := GetLdapGroupMembership(username, password)
+	ldapGroups, err := LdapGetGroupMembership(username, password)
 	if err != nil {
 		if err.Error() == "invalid user credentials" {
 			return u, nil
@@ -190,22 +206,37 @@ func LdapLoginCheck(username string, password string) (User, error) {
 	}
 
 	// Compare all roles against the list of user's group membership
-	roleList, err := QueryRoles()
+	//roleList, err := QueryRoles()
+	groupList, err := GroupList()
 	if err != nil {
 		return u, err
 	}
 
 	matchFound := false
-	for _, role := range roleList {
-		for _, group := range groups {
-			if role.LdapGroup == group {
-				log.Printf("Found match with role '%s' and LDAP group '%s', user is allowed role ID '%d'\n", role.RoleName, role.LdapGroup, role.RoleId)
-				u.RoleId = role.RoleId
+	/*
+		for _, role := range roleList {
+			for _, group := range groups {
+				if role.LdapGroup == group {
+					log.Printf("Found match with role '%s' and LDAP group '%s', user is allowed role ID '%d'\n", role.RoleName, role.LdapGroup, role.RoleId)
+					u.RoleId = role.RoleId
+					matchFound = true
+					break
+				} //else {
+				//log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
+				//}
+			}
+		}
+	*/
+	for _, group := range groupList {
+		for _, lg := range ldapGroups {
+			if group.LdapDn == lg {
+				log.Printf("Found match with groupname '%s' and LDAP group DN '%s', user is a member of group ID '%d'\n", group.GroupName, group.LdapDn, group.GroupId)
+				u.GroupId = group.GroupId
 				matchFound = true
 				break
-			} //else {
-			//log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
-			//}
+			} else {
+				log.Printf("Groupname '%s' with LDAP group '%s' not match user group '%s'\n", group.GroupName, group.LdapDn, lg)
+			}
 		}
 	}
 
@@ -226,7 +257,7 @@ func StoreLdapUser(u *User) error {
 	return nil
 }
 
-func GetUserByID(uid uint) (User, error) {
+func UserGetByID(uid uint) (User, error) {
 
 	var u User
 
@@ -246,7 +277,7 @@ func GetUserByID(uid uint) (User, error) {
 
 }
 
-func GetUserByName(username string) (User, error) {
+func UserGetByName(username string) (User, error) {
 
 	var u User
 
@@ -259,6 +290,7 @@ func GetUserByName(username string) (User, error) {
 	return u, nil
 }
 
+/*
 func GetUserRoleByID(uid uint) (UserRole, error) {
 
 	var ur UserRole
@@ -273,8 +305,26 @@ func GetUserRoleByID(uid uint) (UserRole, error) {
 
 	return ur, nil
 }
+*/
 
-func GetUserRoleFromToken(c *gin.Context) (UserRole, error) {
+func UserGetGroupByID(uid uint) (UserGroup, error) {
+
+	var ug UserGroup
+
+	// Query database for matching user object
+	log.Printf("UserGetGroupByID querying for userid '%d'\n", uid)
+
+	err := db.QueryRowx("SELECT users.UserId, users.GroupId, users.UserName, users.Password, users.LdapUser, groups.GroupName, groups.LdapGroup, groups.LdapDN, groups.Admin FROM users INNER JOIN groups ON users.GroupId = groups.GroupId WHERE users.UserId=?", uid).StructScan(&ug)
+	if err != nil {
+		log.Printf("UserGetGroupByID received error when querying database : '%s'\n", err)
+		return ug, errors.New("UserGetGroupByID user id not found")
+	}
+
+	return ug, nil
+}
+
+/*
+func UserGetRoleFromToken(c *gin.Context) (UserRole, error) {
 
 	var ur UserRole
 
@@ -286,17 +336,45 @@ func GetUserRoleFromToken(c *gin.Context) (UserRole, error) {
 	}
 
 	// Query database for matching user object
-	log.Printf("GetUserRoleFromToken querying for userid '%d'\n", user_id)
+	log.Printf("UserGetRoleFromToken querying for userid '%d'\n", user_id)
 	err = db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, users.LdapUser, users.LdapDN, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", user_id).StructScan(&ur)
 	if err != nil {
-		log.Printf("GetUserRoleFromToken received error when querying database : '%s'\n", err)
-		return ur, errors.New("GetUserRoleFromToken user not found")
+		log.Printf("UserGetRoleFromToken received error when querying database : '%s'\n", err)
+		return ur, errors.New("UserGetRoleFromToken user not found")
 	}
 
 	return ur, nil
 }
+*/
 
-func QueryUsers() ([]User, error) {
+func UserGetSafesAllowed(userId int) ([]UserSafe, error) {
+
+	var results []UserSafe
+
+	// join users, groups and permissions
+	rows, err := db.Queryx("SELECT users.UserId, users.GroupId, users.Admin as AdminUser, groups.Admin as AdminGroup, permissions.SafeId, safe.SafeName FROM users INNER JOIN groups ON users.GroupId = groups.GroupId INNER JOIN permissions ON groups.GroupId = permissions.GroupId INNER JOIN safes on permissions.SafeId = safes.SafeId WHERE users.UserId=?", userId)
+	if err != nil {
+		log.Printf("UserGetSafesAllowed error executing sql record : '%s'\n", err)
+		return results, err
+	} else {
+		// parse all the results into a slice
+		for rows.Next() {
+			var us UserSafe
+			err = rows.StructScan(&us)
+			if err != nil {
+				log.Printf("UserGetSafesAllowed error parsing sql record : '%s'\n", err)
+				return results, err
+			}
+			results = append(results, us)
+
+		}
+		log.Printf("UserGetSafesAllowed retrieved '%d' results\n", len(results))
+	}
+
+	return results, nil
+}
+
+func UserList() ([]User, error) {
 	var results []User
 
 	// Query database for role definitions
@@ -322,3 +400,23 @@ func QueryUsers() ([]User, error) {
 
 	return results, nil
 }
+
+func UserCheckIfAdmin(userId int) bool {
+	// TODO
+
+	u, err := UserGetByID(uint(userId))
+	if err != nil {
+		log.Printf("UserCheckIfAdmin received error : '%s'\n", err)
+		return false
+	}
+
+	return u.Admin
+}
+
+func UserGetSafe() {
+
+}
+
+// need a way of checking what safe a user has access to
+// if they only have access to one then that is easy
+// if they are an admin then they have access to everything