Nathan Coad
ac60d1daef
All checks were successful
continuous-integration/drone/push Build is passing
397 lines
13 KiB
Go
397 lines
13 KiB
Go
package models
|
|
|
|
import (
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"crypto/rand"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"strings"
|
|
|
|
"github.com/jmoiron/sqlx"
|
|
)
|
|
|
|
// We use the json:"-" field tag to prevent showing these details to the user
|
|
type Secret struct {
|
|
SecretId int `db:"SecretId" json:"-"`
|
|
//RoleId int `db:"RoleId" json:"-"`
|
|
SafeId int `db:"SafeId"`
|
|
DeviceName string `db:"DeviceName"`
|
|
DeviceCategory string `db:"DeviceCategory"`
|
|
UserName string `db:"UserName"`
|
|
Secret string `db:"Secret"`
|
|
}
|
|
|
|
const nonceSize = 12
|
|
|
|
func (s *Secret) SaveSecret() (*Secret, error) {
|
|
|
|
var err error
|
|
|
|
log.Printf("SaveSecret storing values '%v'\n", s)
|
|
result, err := db.NamedExec((`INSERT INTO secrets (SafeId, DeviceName, DeviceCategory, UserName, Secret) VALUES (:SafeId, :DeviceName, :DeviceCategory, :UserName, :Secret)`), s)
|
|
|
|
if err != nil {
|
|
log.Printf("StoreSecret error executing sql record : '%s'\n", err)
|
|
return s, err
|
|
} else {
|
|
affected, _ := result.RowsAffected()
|
|
id, _ := result.LastInsertId()
|
|
log.Printf("StoreSecret insert returned result id '%d' affecting %d row(s).\n", id, affected)
|
|
}
|
|
|
|
return s, nil
|
|
}
|
|
|
|
// SecretsGetMultipleSafes queries the specified safes for matching secrets
|
|
func SecretsGetMultipleSafes(s *Secret, adminRole bool, safeIds []int) ([]Secret, error) {
|
|
var err error
|
|
var secretResults []Secret
|
|
|
|
/*
|
|
// First use an "In Query" to expand the list of safe Ids to query
|
|
// As per https://jmoiron.github.io/sqlx/#inQueries
|
|
|
|
query, args, _ := sqlx.In("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND UserName = ? and SafeId IN (?);", s.DeviceName, s.DeviceCategory, s.UserName, safeIds)
|
|
|
|
// sqlx.In returns queries with the `?` bindvar, we can rebind it for our backend
|
|
query = db.Rebind(query)
|
|
rows, err := db.Queryx(query, args)
|
|
*/
|
|
|
|
args := []interface{}{}
|
|
var query string
|
|
if adminRole {
|
|
// No need to limit query to any safe
|
|
query = "SELECT * FROM secrets WHERE 1=1 "
|
|
} else {
|
|
// Generate placeholders for the IN clause to match multiple SafeId values
|
|
placeholders := make([]string, len(safeIds))
|
|
for i := range safeIds {
|
|
placeholders[i] = "?"
|
|
}
|
|
placeholderStr := strings.Join(placeholders, ",")
|
|
|
|
// Create query with the necessary placeholders
|
|
query = fmt.Sprintf("SELECT * FROM secrets WHERE SafeId IN (%s) ", placeholderStr)
|
|
|
|
// Add the Safe Ids to the arguments list
|
|
for _, g := range safeIds {
|
|
args = append(args, g)
|
|
}
|
|
}
|
|
|
|
// Add any other arguments to the query if they were specified
|
|
if s.DeviceName != "" {
|
|
query += " AND DeviceName LIKE ? "
|
|
args = append(args, s.DeviceName)
|
|
}
|
|
|
|
if s.DeviceCategory != "" {
|
|
query += " AND DeviceCategory LIKE ? "
|
|
args = append(args, s.DeviceCategory)
|
|
}
|
|
|
|
if s.UserName != "" {
|
|
query += " AND UserName LIKE ? "
|
|
args = append(args, s.UserName)
|
|
}
|
|
|
|
// Execute the query
|
|
rows, err := db.Queryx(query, args...)
|
|
|
|
if err != nil {
|
|
log.Printf("SecretsGetMultipleSafes error executing sql record : '%s'\n", err)
|
|
return secretResults, err
|
|
} else {
|
|
// parse all the results into a slice
|
|
for rows.Next() {
|
|
var r Secret
|
|
err = rows.StructScan(&r)
|
|
if err != nil {
|
|
log.Printf("SecretsGetMultipleSafes error parsing sql record : '%s'\n", err)
|
|
return secretResults, err
|
|
}
|
|
|
|
// Decrypt the secret
|
|
_, err = r.DecryptSecret()
|
|
if err != nil {
|
|
//log.Printf("GetSecret unable to decrypt stored secret '%v' : '%s'\n", r.Secret, err)
|
|
log.Printf("SecretsGetMultipleSafes unable to decrypt stored secret : '%s'\n", err)
|
|
return secretResults, err
|
|
} else {
|
|
secretResults = append(secretResults, r)
|
|
}
|
|
|
|
}
|
|
log.Printf("SecretsGetMultipleSafes retrieved '%d' results\n", len(secretResults))
|
|
}
|
|
|
|
return secretResults, nil
|
|
}
|
|
|
|
// Returns all matching secrets, up to caller to determine how to deal with multiple results
|
|
func GetSecrets(s *Secret, adminRole bool) ([]Secret, error) {
|
|
var err error
|
|
var rows *sqlx.Rows
|
|
var secretResults []Secret
|
|
|
|
log.Printf("GetSecrets querying values '%v' with admin role '%v'\n", s, adminRole)
|
|
|
|
// Admin roles should be able to access all secrets so don't do any filter based on RoleId
|
|
if adminRole {
|
|
// Determine whether to query for a specific device or a category of devices
|
|
// Prefer querying device name than category
|
|
if s.DeviceName != "" && s.DeviceCategory != "" && s.UserName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND UserName = ?", s.DeviceName, s.DeviceCategory, s.UserName)
|
|
} else if s.DeviceName != "" && s.UserName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND UserName = ?", s.DeviceName, s.UserName)
|
|
} else if s.DeviceCategory != "" && s.UserName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND UserName = ?", s.DeviceCategory, s.UserName)
|
|
} else if s.DeviceName != "" && s.DeviceCategory != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ?", s.DeviceName, s.DeviceCategory)
|
|
} else if s.DeviceName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ?", s.DeviceName)
|
|
} else if s.DeviceCategory != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ?", s.DeviceCategory)
|
|
} else if s.UserName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE UserName LIKE ?", s.UserName)
|
|
} else {
|
|
rows, err = db.Queryx("SELECT * FROM secrets")
|
|
//log.Printf("GetSecret no valid search options specified\n")
|
|
//err = errors.New("no valid search options specified")
|
|
//return secretResults, err
|
|
}
|
|
} else {
|
|
// Determine whether to query for a specific device or a category of devices
|
|
// Prefer querying device name than category
|
|
if s.DeviceName != "" && s.DeviceCategory != "" && s.UserName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND UserName = ? AND SafeId = ?", s.DeviceName, s.DeviceCategory, s.UserName, s.SafeId)
|
|
} else if s.DeviceName != "" && s.UserName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND UserName = ? AND SafeId = ?", s.DeviceName, s.UserName, s.SafeId)
|
|
} else if s.DeviceCategory != "" && s.UserName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND UserName = ? AND SafeId = ?", s.DeviceCategory, s.UserName, s.SafeId)
|
|
} else if s.DeviceName != "" && s.DeviceCategory != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND SafeId = ?", s.DeviceName, s.DeviceCategory, s.SafeId)
|
|
} else if s.DeviceName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND SafeId = ?", s.DeviceName, s.SafeId)
|
|
} else if s.DeviceCategory != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND SafeId = ?", s.DeviceCategory, s.SafeId)
|
|
} else if s.UserName != "" {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE UserName LIKE ? AND SafeId = ?", s.UserName, s.SafeId)
|
|
} else {
|
|
rows, err = db.Queryx("SELECT * FROM secrets WHERE RoleId = ?", s.SafeId)
|
|
//log.Printf("GetSecret no valid search options specified\n")
|
|
//err = errors.New("no valid search options specified")
|
|
//return secretResults, err
|
|
}
|
|
}
|
|
|
|
if err != nil {
|
|
log.Printf("GetSecret error executing sql record : '%s'\n", err)
|
|
return secretResults, err
|
|
} else {
|
|
// parse all the results into a slice
|
|
for rows.Next() {
|
|
var r Secret
|
|
err = rows.StructScan(&r)
|
|
if err != nil {
|
|
log.Printf("GetSecret error parsing sql record : '%s'\n", err)
|
|
return secretResults, err
|
|
}
|
|
|
|
// Decrypt the secret
|
|
_, err = r.DecryptSecret()
|
|
if err != nil {
|
|
//log.Printf("GetSecret unable to decrypt stored secret '%v' : '%s'\n", r.Secret, err)
|
|
log.Printf("GetSecret unable to decrypt stored secret : '%s'\n", err)
|
|
return secretResults, err
|
|
} else {
|
|
secretResults = append(secretResults, r)
|
|
}
|
|
|
|
}
|
|
log.Printf("GetSecret retrieved '%d' results\n", len(secretResults))
|
|
}
|
|
|
|
return secretResults, nil
|
|
}
|
|
|
|
func (s *Secret) UpdateSecret() (*Secret, error) {
|
|
|
|
var err error
|
|
|
|
log.Printf("UpdateSecret storing values '%v'\n", s)
|
|
|
|
if s.SecretId == 0 {
|
|
err = errors.New("UpdateSecret unable to locate secret with empty secretId field")
|
|
log.Printf("UpdateSecret error in pre-check : '%s'\n", err)
|
|
return s, err
|
|
}
|
|
|
|
result, err := db.NamedExec((`UPDATE secrets SET DeviceName = :DeviceName, DeviceCategory = :DeviceCategory, UserName = :UserName, Secret = :Secret WHERE SecretId = :SecretId`), s)
|
|
if err != nil {
|
|
log.Printf("UpdateSecret error executing sql record : '%s'\n", err)
|
|
return &Secret{}, err
|
|
} else {
|
|
affected, _ := result.RowsAffected()
|
|
id, _ := result.LastInsertId()
|
|
log.Printf("UpdateSecret insert returned result id '%d' affecting %d row(s).\n", id, affected)
|
|
}
|
|
|
|
return s, nil
|
|
}
|
|
|
|
// startCipher does the initial setup of the AES256 GCM mode cipher
|
|
func startCipher() (cipher.AEAD, error) {
|
|
key, err := ProvideKey()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
block, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
log.Printf("startCipher NewCipher error '%s'\n", err)
|
|
return nil, err
|
|
}
|
|
|
|
aesgcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
log.Printf("startCipher NewGCM error '%s'\n", err)
|
|
return nil, err
|
|
}
|
|
|
|
return aesgcm, nil
|
|
}
|
|
|
|
func (s *Secret) EncryptSecret() (*Secret, error) {
|
|
|
|
//keyString := os.Getenv("SECRETS_KEY")
|
|
//keyString := secretKey
|
|
|
|
// The key argument should be the AES key, either 16 or 32 bytes
|
|
// to select AES-128 or AES-256.
|
|
//key := []byte(keyString)
|
|
/*
|
|
key, err := ProvideKey()
|
|
if err != nil {
|
|
return s, err
|
|
}
|
|
*/
|
|
|
|
plaintext := []byte(s.Secret)
|
|
|
|
// TODO : move block and aesgcm generation to separate function since the identical code is used for encrypt and decrypt
|
|
/*
|
|
log.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret)
|
|
block, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
log.Printf("EncryptSecret NewCipher error '%s'\n", err)
|
|
return s, err
|
|
}
|
|
|
|
aesgcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
log.Printf("EncryptSecret NewGCM error '%s'\n", err)
|
|
return s, err
|
|
}
|
|
*/
|
|
|
|
aesgcm, err := startCipher()
|
|
if err != nil {
|
|
log.Printf("EncryptSecret error commencing GCM cipher '%s'\n", err)
|
|
return s, err
|
|
}
|
|
|
|
// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
|
|
nonce := make([]byte, nonceSize)
|
|
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
|
|
log.Printf("EncryptSecret nonce generation error '%s'\n", err)
|
|
return s, err
|
|
}
|
|
//log.Printf("EncryptSecret random nonce value is '%x'\n", nonce)
|
|
|
|
ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
|
|
//log.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext)
|
|
|
|
// Create a new slice to store nonce at the start and then the resulting ciphertext
|
|
// Nonce is always 12 bytes
|
|
combinedText := append(nonce, ciphertext...)
|
|
//log.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText)
|
|
|
|
// Store the value back into the struct ready for database operations
|
|
s.Secret = hex.EncodeToString(combinedText)
|
|
|
|
return s, nil
|
|
|
|
//return string(ciphertext[:]), nil
|
|
}
|
|
|
|
func (s *Secret) DecryptSecret() (*Secret, error) {
|
|
// The key argument should be the AES key, either 16 or 32 bytes
|
|
// to select AES-128 or AES-256.
|
|
//keyString := os.Getenv("SECRETS_KEY")
|
|
//keyString := secretKey
|
|
|
|
//key := []byte(keyString)
|
|
/*
|
|
key, err := ProvideKey()
|
|
if err != nil {
|
|
return s, err
|
|
}
|
|
*/
|
|
|
|
if len(s.Secret) < nonceSize {
|
|
log.Printf("DecryptSecret ciphertext is too short to decrypt\n")
|
|
return s, errors.New("ciphertext is too short")
|
|
}
|
|
|
|
crypted, err := hex.DecodeString(s.Secret)
|
|
if err != nil {
|
|
log.Printf("DecryptSecret unable to convert hex encoded string due to error '%s'\n", err)
|
|
return s, err
|
|
}
|
|
|
|
//log.Printf("DecryptSecret processing secret '%x'\n", crypted)
|
|
|
|
// The nonce is the first 12 bytes from the ciphertext
|
|
nonce := crypted[:nonceSize]
|
|
ciphertext := crypted[nonceSize:]
|
|
|
|
/*
|
|
log.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext)
|
|
|
|
block, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
log.Printf("DecryptSecret NewCipher error '%s'\n", err)
|
|
return s, err
|
|
}
|
|
|
|
aesgcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
log.Printf("DecryptSecret NewGCM error '%s'\n", err)
|
|
return s, err
|
|
}
|
|
*/
|
|
|
|
aesgcm, err := startCipher()
|
|
if err != nil {
|
|
log.Printf("DecryptSecret error commencing GCM cipher '%s'\n", err)
|
|
return s, err
|
|
}
|
|
|
|
plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil)
|
|
if err != nil {
|
|
log.Printf("DecryptSecret Open error '%s'\n", err)
|
|
return s, err
|
|
}
|
|
|
|
//log.Printf("DecryptSecret plaintext is '%s'\n", plaintext)
|
|
|
|
s.Secret = string(plaintext)
|
|
return s, nil
|
|
}
|