nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity
Files
b9a0c3ec0a34a985f6184b6fbf6e4326bbd2060e
smt/models/secret.go
Nathan Coad b9a0c3ec0a
All checks were successful
continuous-integration/drone/push Build is passing
Details
add list secret api endpoint
2023-04-05 11:31:42 +10:00

235 lines
7.4 KiB
Go
Raw Blame History

package models
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/hex"
"errors"
"io"
"log"
"os"
"github.com/jmoiron/sqlx"
)
// We use the json:"-" field tag to prevent showing these details to the user
type Secret struct {
SecretId int `db:"SecretId" json:"-"`
RoleId int `db:"RoleId" json:"-"`
DeviceName string `db:"DeviceName"`
DeviceCategory string `db:"DeviceCategory"`
UserName string `db:"UserName"`
Secret string `db:"Secret"`
}
const nonceSize = 12
func (s *Secret) SaveSecret() (*Secret, error) {
var err error
log.Printf("SaveSecret storing values '%v'\n", s)
result, err := db.NamedExec((`INSERT INTO secrets (RoleId, DeviceName, DeviceCategory, UserName, Secret) VALUES (:RoleId, :DeviceName, :DeviceCategory, :UserName, :Secret)`), s)
if err != nil {
log.Printf("StoreSecret error executing sql record : '%s'\n", err)
return s, err
} else {
affected, _ := result.RowsAffected()
id, _ := result.LastInsertId()
log.Printf("StoreSecret insert returned result id '%d' affecting %d row(s).\n", id, affected)
}
return s, nil
}
// Returns all matching secrets, up to caller to determine how to deal with multiple results
func GetSecrets(s *Secret, adminRole bool) ([]Secret, error) {
var err error
var rows *sqlx.Rows
var secretResults []Secret
log.Printf("GetSecret querying values '%v'\n", s)
// Admin roles should be able to access all secrets so don't do any filter based on RoleId
if adminRole {
// Determine whether to query for a specific device or a category of devices
// Prefer querying device name than category
if s.DeviceName != "" && s.DeviceCategory != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ?", s.DeviceName, s.DeviceCategory)
} else if s.DeviceName != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ?", s.DeviceName)
} else if s.DeviceCategory != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ?", s.DeviceCategory)
} else {
rows, err = db.Queryx("SELECT * FROM secrets")
//log.Printf("GetSecret no valid search options specified\n")
//err = errors.New("no valid search options specified")
//return secretResults, err
}
} else {
// Determine whether to query for a specific device or a category of devices
// Prefer querying device name than category
if s.DeviceName != "" && s.DeviceCategory != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND DeviceCategory LIKE ? AND RoleId = ?", s.DeviceName, s.DeviceCategory, s.RoleId)
} else if s.DeviceName != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceName LIKE ? AND RoleId = ?", s.DeviceName, s.RoleId)
} else if s.DeviceCategory != "" {
rows, err = db.Queryx("SELECT * FROM secrets WHERE DeviceCategory LIKE ? AND RoleId = ?", s.DeviceCategory, s.RoleId)
} else {
rows, err = db.Queryx("SELECT * FROM secrets WHERE RoleId = ?", s.RoleId)
//log.Printf("GetSecret no valid search options specified\n")
//err = errors.New("no valid search options specified")
//return secretResults, err
}
}
if err != nil {
log.Printf("GetSecret error executing sql record : '%s'\n", err)
return secretResults, err
} else {
// parse all the results into a slice
for rows.Next() {
var r Secret
err = rows.StructScan(&r)
if err != nil {
log.Printf("GetSecret error parsing sql record : '%s'\n", err)
return secretResults, err
}
// Decrypt the secret
_, err = r.DecryptSecret()
if err != nil {
log.Printf("GetSecret unable to decrypt stored secret '%v', skipping result.\n", r.Secret)
} else {
secretResults = append(secretResults, r)
}
}
log.Printf("GetSecret retrieved '%d' results\n", len(secretResults))
}
return secretResults, nil
}
func (s *Secret) UpdateSecret() (*Secret, error) {
var err error
log.Printf("UpdateSecret storing values '%v'\n", s)
if s.SecretId == 0 {
err = errors.New("UpdateSecret unable to locate secret with empty secretId field")
log.Printf("UpdateSecret error in pre-check : '%s'\n", err)
return s, err
}
result, err := db.NamedExec((`UPDATE secrets SET DeviceName = :DeviceName, DeviceCategory = :DeviceCategory, UserName = :UserName, Secret = :Secret WHERE SecretId = :SecretId`), s)
if err != nil {
log.Printf("UpdateSecret error executing sql record : '%s'\n", err)
return &Secret{}, err
} else {
affected, _ := result.RowsAffected()
id, _ := result.LastInsertId()
log.Printf("UpdateSecret insert returned result id '%d' affecting %d row(s).\n", id, affected)
}
return s, nil
}
func (s *Secret) EncryptSecret() (*Secret, error) {
keyString := os.Getenv("SECRETS_KEY")
// The key argument should be the AES key, either 16 or 32 bytes
// to select AES-128 or AES-256.
key := []byte(keyString)
plaintext := []byte(s.Secret)
//log.Printf("EncryptSecret applying key '%v' of length '%d' to plaintext secret '%s'\n", key, len(key), s.Secret)
block, err := aes.NewCipher(key)
if err != nil {
log.Printf("EncryptSecret NewCipher error '%s'\n", err)
return s, err
}
// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
nonce := make([]byte, nonceSize)
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
log.Printf("EncryptSecret nonce generation error '%s'\n", err)
return s, err
}
//log.Printf("EncryptSecret random nonce value is '%x'\n", nonce)
aesgcm, err := cipher.NewGCM(block)
if err != nil {
log.Printf("EncryptSecret NewGCM error '%s'\n", err)
return s, err
}
ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
//log.Printf("EncryptSecret generated ciphertext '%x''\n", ciphertext)
// Create a new slice to store nonce at the start and then the resulting ciphertext
// Nonce is always 12 bytes
combinedText := append(nonce, ciphertext...)
//log.Printf("EncryptSecret combined secret value is now '%x'\n", combinedText)
// Store the value back into the struct ready for database operations
s.Secret = hex.EncodeToString(combinedText)
return s, nil
//return string(ciphertext[:]), nil
}
func (s *Secret) DecryptSecret() (*Secret, error) {
// The key argument should be the AES key, either 16 or 32 bytes
// to select AES-128 or AES-256.
keyString := os.Getenv("SECRETS_KEY")
key := []byte(keyString)
if len(s.Secret) < nonceSize {
log.Printf("DecryptSecret ciphertext is too short to decrypt\n")
return s, errors.New("ciphertext is too short")
}
crypted, err := hex.DecodeString(s.Secret)
if err != nil {
log.Printf("DecryptSecret unable to convert hex encoded string due to error '%s'\n", err)
return s, err
}
//log.Printf("DecryptSecret processing secret '%x'\n", crypted)
// The nonce is the first 12 bytes from the ciphertext
nonce := crypted[:nonceSize]
ciphertext := crypted[nonceSize:]
//log.Printf("DecryptSecret applying key '%v' and nonce '%x' to ciphertext '%x'\n", key, nonce, ciphertext)
block, err := aes.NewCipher(key)
if err != nil {
log.Printf("DecryptSecret NewCipher error '%s'\n", err)
return s, err
}
aesgcm, err := cipher.NewGCM(block)
if err != nil {
log.Printf("DecryptSecret NewGCM error '%s'\n", err)
return s, err
}
plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil)
if err != nil {
log.Printf("DecryptSecret Open error '%s'\n", err)
return s, err
}
//log.Printf("DecryptSecret plaintext is '%s'\n", plaintext)
s.Secret = string(plaintext)
return s, nil
}
Reference in New Issue View Git Blame Copy Permalink