This commit is contained in:
@@ -168,44 +168,45 @@ func RegisterUser(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"message": "user registration success"})
|
||||
}
|
||||
|
||||
func AddRole(c *gin.Context) {
|
||||
var input AddRoleInput
|
||||
/*
|
||||
func AddRole(c *gin.Context) {
|
||||
var input AddRoleInput
|
||||
|
||||
if err := c.ShouldBindJSON(&input); err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
if err := c.ShouldBindJSON(&input); err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
// define the new role properties
|
||||
r := models.Role{}
|
||||
r.RoleName = input.RoleName
|
||||
r.ReadOnly = input.ReadOnly
|
||||
r.Admin = input.Admin
|
||||
r.LdapGroup = input.LdapGroup
|
||||
|
||||
// Check if role already exists
|
||||
testRole, _ := models.GetRoleByName(r.RoleName)
|
||||
log.Printf("AddRole checking if role '%s' already exists\n", r.RoleName)
|
||||
|
||||
if (models.Role{} == testRole) {
|
||||
log.Printf("AddRole confirmed no existing rolename\n")
|
||||
} else {
|
||||
errorString := fmt.Sprintf("attempt to register conflicting rolename '%s'", r.RoleName)
|
||||
log.Printf("Register error : '%s'\n", errorString)
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": errorString})
|
||||
return
|
||||
}
|
||||
|
||||
_, err := r.AddRole()
|
||||
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"Error creating role": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{"message": "role creation success"})
|
||||
}
|
||||
|
||||
// define the new role properties
|
||||
r := models.Role{}
|
||||
r.RoleName = input.RoleName
|
||||
r.ReadOnly = input.ReadOnly
|
||||
r.Admin = input.Admin
|
||||
r.LdapGroup = input.LdapGroup
|
||||
|
||||
// Check if role already exists
|
||||
testRole, _ := models.GetRoleByName(r.RoleName)
|
||||
log.Printf("AddRole checking if role '%s' already exists\n", r.RoleName)
|
||||
|
||||
if (models.Role{} == testRole) {
|
||||
log.Printf("AddRole confirmed no existing rolename\n")
|
||||
} else {
|
||||
errorString := fmt.Sprintf("attempt to register conflicting rolename '%s'", r.RoleName)
|
||||
log.Printf("Register error : '%s'\n", errorString)
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": errorString})
|
||||
return
|
||||
}
|
||||
|
||||
_, err := r.AddRole()
|
||||
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"Error creating role": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{"message": "role creation success"})
|
||||
}
|
||||
|
||||
*/
|
||||
func Login(c *gin.Context) {
|
||||
|
||||
var input LoginInput
|
||||
@@ -254,17 +255,18 @@ func CurrentUser(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"message": "success", "data": u})
|
||||
}
|
||||
|
||||
func GetRoles(c *gin.Context) {
|
||||
roles, err := models.QueryRoles()
|
||||
/*
|
||||
func GetRoles(c *gin.Context) {
|
||||
roles, err := models.QueryRoles()
|
||||
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{"message": "success", "data": roles})
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{"message": "success", "data": roles})
|
||||
|
||||
}
|
||||
*/
|
||||
|
||||
func GetUsers(c *gin.Context) {
|
||||
users, err := models.UserList()
|
||||
|
||||
@@ -4,7 +4,6 @@ import (
|
||||
"log"
|
||||
"net/http"
|
||||
"smt/models"
|
||||
"smt/utils/token"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
@@ -165,12 +164,14 @@ func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
|
||||
*/
|
||||
|
||||
var results []models.Secret
|
||||
var userIsAdmin = false
|
||||
user_id, err := token.ExtractTokenID(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
|
||||
return
|
||||
}
|
||||
/*
|
||||
user_id, err := token.ExtractTokenID(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
|
||||
return
|
||||
}
|
||||
*/
|
||||
user_id := c.GetInt("user-id")
|
||||
|
||||
// Work out which safe to query for this user if the safe was not specified
|
||||
safeList, err := models.UserGetSafesAllowed(int(user_id))
|
||||
@@ -182,21 +183,13 @@ func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
|
||||
|
||||
// If there was only one result then just use that
|
||||
if len(safeList) == 0 {
|
||||
// check if the user is an admin, if not then they seem to have access to zero safes
|
||||
if !models.UserCheckIfAdmin(int(user_id)) {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "user has no access to any secrets"})
|
||||
return
|
||||
} else {
|
||||
// Don't apply a role filter if user has admin role
|
||||
results, err = models.SecretsGetMultipleSafes(s, true, []int{})
|
||||
}
|
||||
|
||||
errString := "no matching secret or user has no access to specified secret"
|
||||
log.Printf("retrieveSpecifiedSecret %s\n", errString)
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": errString})
|
||||
return
|
||||
} else if len(safeList) == 1 {
|
||||
s.SafeId = safeList[0].SafeId
|
||||
userIsAdmin = safeList[0].AdminUser || safeList[0].AdminGroup
|
||||
// Don't apply a role filter if user has admin role
|
||||
//results, err = models.GetSecrets(&s, userIsAdmin)
|
||||
results, err = models.SecretsGetMultipleSafes(s, userIsAdmin, []int{s.SafeId})
|
||||
results, err = models.SecretsGetMultipleSafes(s, []int{s.SafeId})
|
||||
} else {
|
||||
// Create a list of all the safes this user can access
|
||||
var safeIds []int
|
||||
@@ -204,7 +197,7 @@ func retrieveSpecifiedSecret(s *models.Secret, c *gin.Context) {
|
||||
safeIds = append(safeIds, safe.SafeId)
|
||||
}
|
||||
|
||||
results, err = models.SecretsGetMultipleSafes(s, false, safeIds)
|
||||
results, err = models.SecretsGetMultipleSafes(s, safeIds)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
@@ -250,12 +243,8 @@ func ListSecrets(c *gin.Context) {
|
||||
*/
|
||||
|
||||
var results []models.Secret
|
||||
var userIsAdmin = false
|
||||
user_id, err := token.ExtractTokenID(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
|
||||
return
|
||||
}
|
||||
s := models.Secret{}
|
||||
user_id := c.GetInt("user-id")
|
||||
|
||||
// Work out which safe to query for this user if the safe was not specified
|
||||
safeList, err := models.UserGetSafesAllowed(int(user_id))
|
||||
@@ -267,18 +256,13 @@ func ListSecrets(c *gin.Context) {
|
||||
|
||||
// If there was only one result then just use that
|
||||
if len(safeList) == 0 {
|
||||
// check if the user is an admin, if not then they seem to have access to zero safes
|
||||
if !models.UserCheckIfAdmin(int(user_id)) {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "user has no access to any secrets"})
|
||||
return
|
||||
} else {
|
||||
// Don't apply a role filter if user has admin role
|
||||
results, err = models.SecretsGetMultipleSafes(&models.Secret{}, true, []int{})
|
||||
}
|
||||
|
||||
errString := "no matching secret or user has no access to specified secret"
|
||||
log.Printf("ListSecrets %s\n", errString)
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": errString})
|
||||
return
|
||||
} else if len(safeList) == 1 {
|
||||
userIsAdmin = safeList[0].AdminUser || safeList[0].AdminGroup
|
||||
results, err = models.SecretsGetMultipleSafes(&models.Secret{}, userIsAdmin, []int{safeList[0].SafeId})
|
||||
s.SafeId = safeList[0].SafeId
|
||||
results, err = models.SecretsGetMultipleSafes(&s, []int{s.SafeId})
|
||||
} else {
|
||||
// Create a list of all the safes this user can access
|
||||
var safeIds []int
|
||||
@@ -286,7 +270,7 @@ func ListSecrets(c *gin.Context) {
|
||||
safeIds = append(safeIds, safe.SafeId)
|
||||
}
|
||||
|
||||
results, err = models.SecretsGetMultipleSafes(&models.Secret{}, false, safeIds)
|
||||
results, err = models.SecretsGetMultipleSafes(&s, safeIds)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
|
||||
@@ -111,6 +111,23 @@ func StoreSecret(c *gin.Context) {
|
||||
|
||||
// CheckUpdateSecretAllowed checks to see if a user has access to the specified secret. If so, the corresponding SafeId is returned
|
||||
func CheckUpdateSecretAllowed(s *models.Secret, user_id int) (int, error) {
|
||||
|
||||
// If user has Admin access then perform update
|
||||
// If user has normal access to the safe the secret is stored in then perform update
|
||||
// If matching secret is found in multiple safes then generate error
|
||||
// If user doesn't have access to the safe the matching secret is in then generate error
|
||||
|
||||
// NO. That is too complicated!
|
||||
|
||||
// Lets try to make this more simple
|
||||
// A user can only be in one group
|
||||
// A group can have permissions on multiple safes
|
||||
|
||||
// If a user is an admin they can do user related functions like create users, groups, assign permissions
|
||||
// But a user has to have a permission that maps the group to the safe in order to perform CRUD operations
|
||||
|
||||
// What does a group being an admin give them? All users in that group can do user related function
|
||||
|
||||
// Query all safes for secrets matching parameters specified
|
||||
matchingSecrets, err := models.SecretsSearchAllSafes(s)
|
||||
if err != nil {
|
||||
@@ -133,14 +150,7 @@ func CheckUpdateSecretAllowed(s *models.Secret, user_id int) (int, error) {
|
||||
return 0, errors.New(errString)
|
||||
} else if len(matchingSecrets) == 1 {
|
||||
log.Printf("CheckUpdateSecretAllowed found a single matching secret :\n'%+v'\n", matchingSecrets[0])
|
||||
// Check if user is admin
|
||||
for _, val := range userSafes {
|
||||
if val.User.Admin || val.AdminGroup {
|
||||
return matchingSecrets[0].SafeId, nil
|
||||
}
|
||||
}
|
||||
|
||||
// If we reach here then user is not admin
|
||||
// Check to see user is allowed to access the safe holding the secret
|
||||
for _, secret := range matchingSecrets {
|
||||
for _, user := range userSafes {
|
||||
@@ -167,19 +177,6 @@ func CheckUpdateSecretAllowed(s *models.Secret, user_id int) (int, error) {
|
||||
return 0, errors.New(errString)
|
||||
}
|
||||
}
|
||||
|
||||
if user.User.Admin || user.AdminGroup {
|
||||
log.Printf("CheckUpdateSecretAllowed found user to be admin, assuming SafeId '%d'\n", user.SafeId)
|
||||
if !matchFound {
|
||||
matchFound = true
|
||||
matchingSafeId = user.SafeId
|
||||
} else {
|
||||
// Found more than one applicable secret, how do we know which one to update?
|
||||
errString := "CheckUpdateSecretAllowed found multiple secrets matching supplied parameters, supply more specific parameters"
|
||||
log.Println(errString)
|
||||
return 0, errors.New(errString)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -213,11 +210,14 @@ func UpdateSecret(c *gin.Context) {
|
||||
}
|
||||
*/
|
||||
|
||||
user_id, err := token.ExtractTokenID(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
|
||||
return
|
||||
}
|
||||
/*
|
||||
user_id, err := token.ExtractTokenID(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
|
||||
return
|
||||
}
|
||||
*/
|
||||
user_id := c.GetInt("user-id")
|
||||
|
||||
// Populate fields
|
||||
s := models.Secret{}
|
||||
@@ -226,6 +226,15 @@ func UpdateSecret(c *gin.Context) {
|
||||
s.DeviceName = input.DeviceName
|
||||
s.DeviceCategory = input.DeviceCategory
|
||||
|
||||
// TODO:
|
||||
// Get a list of matching secrets - SecretsSearchAllSafes
|
||||
//secretList, err := models.SecretsSearchAllSafes(&s)
|
||||
// Check if user has access to the safes containing those secrets - something like UserGetSafesAllowed but not quite
|
||||
//allowedSafes, err := models.UserGetSafesAllowed(user_id)
|
||||
// Make sure that the access is not readonly
|
||||
// If user has access to more than one safe containing the secret, generate an error
|
||||
// Otherwise, update the secret
|
||||
|
||||
allowedUpdate, err := CheckUpdateSecretAllowed(&s, int(user_id))
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("error determining secret : '%s'", err)})
|
||||
@@ -236,11 +245,6 @@ func UpdateSecret(c *gin.Context) {
|
||||
s.SafeId = allowedUpdate
|
||||
}
|
||||
|
||||
// If user has Admin access then perform update
|
||||
// If user has normal access to the safe the secret is stored in then perform update
|
||||
// If matching secret is found in multiple safes then generate error
|
||||
// If user doesn't have access to the safe the matching secret is in then generate error
|
||||
|
||||
// Query which safes the current user is allowed to access
|
||||
|
||||
/*
|
||||
@@ -319,10 +323,8 @@ func SecretCheckSafeAllowed(user_id int, input StoreInput) int {
|
||||
return safe.SafeId
|
||||
} else if input.SafeId > 0 && safe.SafeId == input.SafeId { // Safe specified by id
|
||||
return safe.SafeId
|
||||
} else if safe.User.Admin || safe.AdminGroup { // User has admin role so they're allowed this safe anyway
|
||||
return safe.SafeId
|
||||
} else {
|
||||
log.Printf("SecretCheckSafeAllowed ")
|
||||
log.Printf("SecretCheckSafeAllowed unexpected\n")
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user