nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity

protect unlock api endpoint
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Nathan Coad
2024-01-03 17:18:23 +11:00
parent 85bea202f0
commit f7168d465a
4 changed files with 19 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@@ -62,7 +62,7 @@ WantedBy=multi-user.target
## API ## API
### Unlock ### Unlock
POST `/api/unlock` POST `/api/admin/unlock`
Data Data
``` ```
@@ -73,9 +73,11 @@ Data
If the SECRETS_KEY environment variable is not defined, this API call to unlock stored secrets must be performed after initial startup of SMT. Storing/retrieval of secrets will not succeed until this API call has been made. If the SECRETS_KEY environment variable is not defined, this API call to unlock stored secrets must be performed after initial startup of SMT. Storing/retrieval of secrets will not succeed until this API call has been made.
This API call can only be made once after the service has started. Subsequent calls will receive an error until the service is restarted.
### User Operations ### User Operations
#### Register #### Register User
POST `/api/admin/user/register` POST `/api/admin/user/register`
Data Data
@@ -89,7 +91,7 @@ Data
This operation can only be performed by a user with a role that is admin enabled. There are 3 built in roles, which can be viewed via the `/api/admin/roles` endpoint. This operation can only be performed by a user with a role that is admin enabled. There are 3 built in roles, which can be viewed via the `/api/admin/roles` endpoint.
#### Remove Users #### Remove User
POST `/api/admin/user/delete` POST `/api/admin/user/delete`
Data Data

5
controllers/unlock.go
View File

@@ -24,6 +24,11 @@ func Unlock(c *gin.Context) {
} }
log.Println("Unlock received JSON input") log.Println("Unlock received JSON input")
if models.CheckKeyProvided() {
c.JSON(http.StatusBadRequest, gin.H{"error": "secret key can only be provided once after service start"})
return
}
// check that the key is 32 bytes long // check that the key is 32 bytes long
if len(input.SecretKey) != 32 { if len(input.SecretKey) != 32 {
c.JSON(http.StatusBadRequest, gin.H{"error": "secret key provided is invalid, must be exactly 32 bytes long"}) c.JSON(http.StatusBadRequest, gin.H{"error": "secret key provided is invalid, must be exactly 32 bytes long"})

5
main.go
View File

@@ -242,7 +242,7 @@ func main() {
// Register our routes // Register our routes
public := router.Group("/api") public := router.Group("/api")
public.POST("/login", controllers.Login) public.POST("/login", controllers.Login)
public.POST("/unlock", controllers.Unlock) //public.POST("/unlock", controllers.Unlock)
// API calls that only an administrator can make // API calls that only an administrator can make
adminOnly := router.Group("/api/admin") adminOnly := router.Group("/api/admin")
@@ -252,6 +252,9 @@ func main() {
adminOnly.GET("/roles", controllers.GetRoles) adminOnly.GET("/roles", controllers.GetRoles)
adminOnly.GET("/users", controllers.GetUsers) adminOnly.GET("/users", controllers.GetUsers)
// TODO Make unlock an admin only function
adminOnly.POST("/unlock", controllers.Unlock)
// Get secrets // Get secrets
protected := router.Group("/api/secret") protected := router.Group("/api/secret")
protected.Use(middlewares.JwtAuthMiddleware()) protected.Use(middlewares.JwtAuthMiddleware())

4
models/key.go
View File

@@ -28,3 +28,7 @@ func ProvideKey() ([]byte, error) {
return nil, errors.New("secret key has not been received") return nil, errors.New("secret key has not been received")
} }
} }
func CheckKeyProvided() bool {
return secretReceived
}