package models import ( "crypto/aes" "crypto/cipher" "crypto/rand" "encoding/hex" "errors" "io" "log" "github.com/jmoiron/sqlx" ) // We use the json:"-" field tag to prevent showing these details to the user type Secret struct { SecretId int `db:"SecretId" json:"-"` RoleId int `db:"RoleId" json:"-"` DeviceName string `db:"DeviceName"` DeviceCategory string `db:"DeviceCategory"` UserName string `db:"UserName"` Secret string `db:"Secret"` } const nonceSize = 12 func (s *Secret) SaveSecret() (*Secret, error) { var err error log.Printf("SaveSecret storing values '%v'\n", s) result, err := db.NamedExec((`INSERT INTO secrets (RoleId, DeviceName, DeviceCategory, UserName, Secret) VALUES (:RoleId, :DeviceName, :DeviceCategory, :UserName, :Secret)`), s) if err != nil { log.Printf("StoreSecret error executing sql record : '%s'\n", err) return s, err } else { affected, _ := result.RowsAffected() id, _ := result.LastInsertId() log.Printf("StoreSecret insert returned result id '%d' affecting %d row(s).\n", id, affected) } return s, nil } // Returns all matching secrets, up to caller to determine how to deal with multiple results func GetSecrets(s *Secret, adminRole bool) ([]Secret, error) { var err error var rows *sqlx.Rows var secretResults []Secret log.Printf("GetSecrets querying values '%v' with admin role '%v'\n", s, adminRole) // Admin roles should be able to access all secrets so don't do any filter based on RoleId if adminRole { // Determine whether to query for a specific device or a category of devices // Prefer querying device name than category if s.DeviceName != "" && s.DeviceCategory != "" && s.UserName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND UserName = ?", s.DeviceName, s.DeviceCategory, s.UserName) } else if s.DeviceName != "" && s.UserName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND UserName = ?", s.DeviceName, s.UserName) } else if s.DeviceCategory != "" && s.UserName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND UserName = ?", s.DeviceCategory, s.UserName) } else if s.DeviceName != "" && s.DeviceCategory != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ?", s.DeviceName, s.DeviceCategory) } else if s.DeviceName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ?", s.DeviceName) } else if s.DeviceCategory != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ?", s.DeviceCategory) } else if s.UserName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE UserName LIKE ?", s.UserName) } else { rows, err = db.Queryx("SELECT * FROM secrets") //log.Printf("GetSecret no valid search options specified\n") //err = errors.New("no valid search options specified") //return secretResults, err } } else { // Determine whether to query for a specific device or a category of devices // Prefer querying device name than category if s.DeviceName != "" && s.DeviceCategory != "" && s.UserName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND UserName = ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.UserName, s.RoleId) } else if s.DeviceName != "" && s.UserName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND UserName = ? AND RoleId = ?", s.DeviceName, s.UserName, s.RoleId) } else if s.DeviceCategory != "" && s.UserName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND UserName = ? AND RoleId = ?", s.DeviceCategory, s.UserName, s.RoleId) } else if s.DeviceName != "" && s.DeviceCategory != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.RoleId) } else if s.DeviceName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND RoleId = ?", s.DeviceName, s.RoleId) } else if s.DeviceCategory != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND RoleId = ?", s.DeviceCategory, s.RoleId) } else if s.UserName != "" { rows, err = db.Queryx("SELECT * FROM secrets WHERE UserName LIKE ? AND RoleId = ?", s.UserName, s.RoleId) } else { rows, err = db.Queryx("SELECT * FROM secrets WHERE RoleId = ?", s.RoleId) //log.Printf("GetSecret no valid search options specified\n") //err = errors.New("no valid search options specified") //return secretResults, err } } if err != nil { log.Printf("GetSecret error executing sql record : '%s'\n", err) return secretResults, err } else { // parse all the results into a slice for rows.Next() { var r Secret err = rows.StructScan(&r) if err != nil { log.Printf("GetSecret error parsing sql record : '%s'\n", err) return secretResults, err } // Decrypt the secret _, err = r.DecryptSecret() if err != nil { //log.Printf("GetSecret unable to decrypt stored secret '%v' : '%s'\n", r.Secret, err) log.Printf("GetSecret unable to decrypt stored secret : '%s'\n", err) return secretResults, err } else { secretResults = append(secretResults, r) } } log.Printf("GetSecret retrieved '%d' results\n", len(secretResults)) } return secretResults, nil } func (s *Secret) UpdateSecret() (*Secret, error) { var err error log.Printf("UpdateSecret storing values '%v'\n", s) if s.SecretId == 0 { err = errors.New("UpdateSecret unable to locate secret with empty secretId field") log.Printf("UpdateSecret error in pre-check : '%s'\n", err) return s, err } result, err := db.NamedExec((`UPDATE secrets SET DeviceName = :DeviceName, DeviceCategory = :DeviceCategory, UserName = :UserName, Secret = :Secret WHERE SecretId = :SecretId`), s) if err != nil { log.Printf("UpdateSecret error executing sql record : '%s'\n", err) return &Secret{}, err } else { affected, _ := result.RowsAffected() id, _ := result.LastInsertId() log.Printf("UpdateSecret insert returned result id '%d' affecting %d row(s).\n", id, affected) } return s, nil } // startCipher does the initial setup of the AES256 GCM mode cipher func startCipher() (cipher.AEAD, error) { key, err := ProvideKey() if err != nil { return nil, err } block, err := aes.NewCipher(key) if err != nil { log.Printf("startCipher NewCipher error '%s'\n", err) return nil, err } aesgcm, err := cipher.NewGCM(block) if err != nil { log.Printf("startCipher NewGCM error '%s'\n", err) return nil, err } return aesgcm, nil } func (s *Secret) EncryptSecret() (*Secret, error) { //keyString := os.Getenv("SECRETS_KEY") //keyString := secretKey // The key argument should be the AES key, either 16 or 32 bytes // to select AES-128 or AES-256. //key := []byte(keyString) /* key, err := ProvideKey() if err != nil { return s, err } */ plaintext := []byte(s.Secret) // TODO : move block and aesgcm generation to separate function since the identical code is used for encrypt and decrypt /* log.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret) block, err := aes.NewCipher(key) if err != nil { log.Printf("EncryptSecret NewCipher error '%s'\n", err) return s, err } aesgcm, err := cipher.NewGCM(block) if err != nil { log.Printf("EncryptSecret NewGCM error '%s'\n", err) return s, err } */ aesgcm, err := startCipher() if err != nil { log.Printf("EncryptSecret error commencing GCM cipher '%s'\n", err) return s, err } // Never use more than 2^32 random nonces with a given key because of the risk of a repeat. nonce := make([]byte, nonceSize) if _, err := io.ReadFull(rand.Reader, nonce); err != nil { log.Printf("EncryptSecret nonce generation error '%s'\n", err) return s, err } //log.Printf("EncryptSecret random nonce value is '%x'\n", nonce) ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil) //log.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext) // Create a new slice to store nonce at the start and then the resulting ciphertext // Nonce is always 12 bytes combinedText := append(nonce, ciphertext...) //log.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText) // Store the value back into the struct ready for database operations s.Secret = hex.EncodeToString(combinedText) return s, nil //return string(ciphertext[:]), nil } func (s *Secret) DecryptSecret() (*Secret, error) { // The key argument should be the AES key, either 16 or 32 bytes // to select AES-128 or AES-256. //keyString := os.Getenv("SECRETS_KEY") //keyString := secretKey //key := []byte(keyString) /* key, err := ProvideKey() if err != nil { return s, err } */ if len(s.Secret) < nonceSize { log.Printf("DecryptSecret ciphertext is too short to decrypt\n") return s, errors.New("ciphertext is too short") } crypted, err := hex.DecodeString(s.Secret) if err != nil { log.Printf("DecryptSecret unable to convert hex encoded string due to error '%s'\n", err) return s, err } //log.Printf("DecryptSecret processing secret '%x'\n", crypted) // The nonce is the first 12 bytes from the ciphertext nonce := crypted[:nonceSize] ciphertext := crypted[nonceSize:] /* log.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext) block, err := aes.NewCipher(key) if err != nil { log.Printf("DecryptSecret NewCipher error '%s'\n", err) return s, err } aesgcm, err := cipher.NewGCM(block) if err != nil { log.Printf("DecryptSecret NewGCM error '%s'\n", err) return s, err } */ aesgcm, err := startCipher() if err != nil { log.Printf("DecryptSecret error commencing GCM cipher '%s'\n", err) return s, err } plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil) if err != nil { log.Printf("DecryptSecret Open error '%s'\n", err) return s, err } //log.Printf("DecryptSecret plaintext is '%s'\n", plaintext) s.Secret = string(plaintext) return s, nil }