smt/controllers/store_secrets.go

package controllers

import (
	"errors"
	"log"
	"net/http"
	"smt/models"

	"github.com/gin-gonic/gin"
)

// bindings are validated by https://github.com/go-playground/validator
type StoreInput struct {
	RoleId         int    `json:"roleId"`
	DeviceName     string `json:"deviceName"`
	DeviceCategory string `json:"deviceCategory"`
	UserName       string `json:"userName" binding:"required"`
	SecretValue    string `json:"secretValue" binding:"required"`
}

func StoreSecret(c *gin.Context) {
	var err error
	var input StoreInput

	if err := c.ShouldBindJSON(&input); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid JSON received : " + err.Error()})
		return
	}

	// Don't log this since it contains plaintext secrets
	//log.Printf("StoreSecret received JSON input '%v'\n", input)

	// Populate fields
	s := models.Secret{}
	s.UserName = input.UserName
	s.DeviceName = input.DeviceName
	s.DeviceCategory = input.DeviceCategory

	// If RoleID is not defined then default to the same role as the user requesting secret to be stored
	if input.RoleId != 0 {
		s.RoleId = input.RoleId
	} else {
		ur, _ := models.GetUserRoleFromToken(c)
		log.Printf("StoreSecret RoleId was not specified, setting to RoleId of '%d'\n", ur.RoleId)
		s.RoleId = ur.RoleId
	}

	if input.DeviceCategory == "" && input.DeviceName == "" {
		c.JSON(http.StatusBadRequest, gin.H{"error": "cannot store secret with empty deviceName and empty deviceCategory"})
		return
	}

	// If this secret already exists in the database then generate an error
	checkExists, err := models.GetSecrets(&s, false)
	if err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}

	if len(checkExists) > 0 {
		log.Printf("StoreSecret not storing secret with '%d' already matching secrets.\n", len(checkExists))
		c.JSON(http.StatusBadRequest, gin.H{"error": "StoreSecret attempting to store secret already defined. API calls for update/delete don't yet exist"})
		return
	}

	// Encrypt secret
	s.Secret = input.SecretValue
	_, err = s.EncryptSecret()
	if err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": "StoreSecret error encrypting secret : " + err.Error()})
		return
	}

	_, err = s.SaveSecret()
	if err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": "StoreSecret error saving secret : " + err.Error()})
		return
	}

	c.JSON(http.StatusOK, gin.H{"message": "secret stored successfully"})
}

func UpdateSecret(c *gin.Context) {
	var err error
	var input StoreInput

	if err := c.ShouldBindJSON(&input); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": "UpdateSecret error binding to input JSON : " + err.Error()})
		return
	}

	log.Printf("UpdateSecret received JSON input '%v'\n", input)

	// Get the user and role id of the requestor
	u, err := models.GetUserRoleFromToken(c)
	if err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}
	// Verify that the user role is not readonly
	if u.ReadOnly {
		c.JSON(http.StatusForbidden, gin.H{"error": "UpdateSecret user role does not permit updates"})
		return
	}

	// Populate fields
	s := models.Secret{}

	s.UserName = input.UserName
	s.DeviceName = input.DeviceName
	s.DeviceCategory = input.DeviceCategory

	// Default role ID is 1 if not defined
	if input.RoleId != 0 {
		s.RoleId = input.RoleId
	} else {
		s.RoleId = 1
	}

	// Confirm that the secret already exists
	checkExists, err := models.GetSecrets(&s, false)
	if err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}

	if len(checkExists) == 0 {
		err = errors.New("UpdateSecret could not find existing secret to update")
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	} else if len(checkExists) == 1 {
		// Set the secret id with the one retrieved from the database
		s.SecretId = checkExists[0].SecretId

		// check for empty fields in the update request and update from the existing record
		if s.UserName == "" {
			s.UserName = checkExists[0].UserName
		}
		if s.DeviceCategory == "" {
			s.DeviceCategory = checkExists[0].DeviceCategory
		}
		if s.DeviceName == "" {
			s.DeviceName = checkExists[0].DeviceName
		}

		// Encrypt secret
		s.Secret = input.SecretValue
		_, err = s.EncryptSecret()
		if err != nil {
			c.JSON(http.StatusBadRequest, gin.H{"error": "UpdateSecret error encrypting secret : " + err.Error()})
			return
		}

		_, err = s.UpdateSecret()
		if err != nil {
			c.JSON(http.StatusBadRequest, gin.H{"error": "UpdateSecret error saving secret : " + err.Error()})
			return
		}

		c.JSON(http.StatusOK, gin.H{"message": "secret updated successfully"})
	} else {
		err = errors.New("UpdateSecret found multiple secrets matching input data, be more specific")
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}

}