protect unlock api endpoint
@@ -62,7 +62,7 @@ WantedBy=multi-user.target
|
||||
## API
|
||||
|
||||
### Unlock
|
||||
POST `/api/unlock`
|
||||
POST `/api/admin/unlock`
|
||||
|
||||
Data
|
||||
```
|
||||
@@ -73,9 +73,11 @@ Data
|
||||
|
||||
If the SECRETS_KEY environment variable is not defined, this API call to unlock stored secrets must be performed after initial startup of SMT. Storing/retrieval of secrets will not succeed until this API call has been made.
|
||||
|
||||
This API call can only be made once after the service has started. Subsequent calls will receive an error until the service is restarted.
|
||||
|
||||
### User Operations
|
||||
|
||||
#### Register
|
||||
#### Register User
|
||||
POST `/api/admin/user/register`
|
||||
|
||||
Data
|
||||
@@ -89,7 +91,7 @@ Data
|
||||
|
||||
This operation can only be performed by a user with a role that is admin enabled. There are 3 built in roles, which can be viewed via the `/api/admin/roles` endpoint.
|
||||
|
||||
#### Remove Users
|
||||
#### Remove User
|
||||
POST `/api/admin/user/delete`
|
||||
|
||||
Data
|
||||
|
@@ -24,6 +24,11 @@ func Unlock(c *gin.Context) {
|
||||
}
|
||||
log.Println("Unlock received JSON input")
|
||||
|
||||
if models.CheckKeyProvided() {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "secret key can only be provided once after service start"})
|
||||
return
|
||||
}
|
||||
|
||||
// check that the key is 32 bytes long
|
||||
if len(input.SecretKey) != 32 {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "secret key provided is invalid, must be exactly 32 bytes long"})
|
||||
|
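Review bot: The guard `if models.CheckKeyProvided()` reads the once-only flag separately from wherever the handler later records the key, so two concurrent POSTs to `/api/admin/unlock` can both pass the check and the second one silently replaces the first key; assuming the flag is set further down in Unlock (outside this hunk), fold check and set into a single `models` call that either holds a mutex or uses `atomic.Bool.CompareAndSwap(false, true)` and returns an error to the loser. The rejection status is also questionable: `http.StatusBadRequest` describes a malformed request, whereas "key already provided" is a server-state conflict, so `http.StatusConflict` reads better to API clients. The 32-byte check that follows is fine as long as `input.SecretKey` is the raw key and not an encoded form — worth a one-line comment stating which. Unlock begins and ends outside the hunk.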
5
main.go
5
main.go
@@ -242,7 +242,7 @@ func main() {
|
||||
// Register our routes
|
||||
public := router.Group("/api")
|
||||
public.POST("/login", controllers.Login)
|
||||
public.POST("/unlock", controllers.Unlock)
|
||||
//public.POST("/unlock", controllers.Unlock)
|
||||
|
||||
// API calls that only an administrator can make
|
||||
adminOnly := router.Group("/api/admin")
|
||||
@@ -252,6 +252,9 @@ func main() {
|
||||
adminOnly.GET("/roles", controllers.GetRoles)
|
||||
adminOnly.GET("/users", controllers.GetUsers)
|
||||
|
||||
// TODO Make unlock an admin only function
|
||||
adminOnly.POST("/unlock", controllers.Unlock)
|
||||
|
||||
// Get secrets
|
||||
protected := router.Group("/api/secret")
|
||||
protected.Use(middlewares.JwtAuthMiddleware())
|
||||
|
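Review bot: The comment `// TODO Make unlock an admin only function` added above `adminOnly.POST("/unlock", controllers.Unlock)` is already fulfilled by this very commit and will mislead the next reader; replace it with the reason the route lives here, e.g. `// Unlock is admin-only so an unauthenticated caller cannot seed the secret key after a restart.`. The middleware wiring for the `adminOnly` group (lines 244–251) is outside the hunk, so confirm it has `middlewares.JwtAuthMiddleware()` plus a role check attached the way `protected` does at the bottom of the hunk — otherwise moving the route changes only the URL path, not who may call it. Note also that requiring an admin login to unlock only works if login and role lookup do not themselves depend on the still-locked secret store; if they do, a restart without `SECRETS_KEY` set can never be unlocked, which the README should state.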
@@ -28,3 +28,7 @@ func ProvideKey() ([]byte, error) {
|
||||
return nil, errors.New("secret key has not been received")
|
||||
}
|
||||
}
|
||||
|
||||
func CheckKeyProvided() bool {
|
||||
return secretReceived
|
||||
}
|
||||
|
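Review bot: `CheckKeyProvided` returns the package-level `secretReceived` without any synchronization, so a handler reading it while another request sets it (the setter is not in this hunk) is a data race that `go test -race` will report, and the check-then-set it supports cannot be atomic. Make the flag an `atomic.Bool`, have the setter claim it with `CompareAndSwap(false, true)` so only one caller wins, and implement this function as `return secretReceived.Load()`. The exported function also lacks the doc comment Go convention expects, e.g. `// CheckKeyProvided reports whether a secret key has already been supplied since the service started.`.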