proper org creation endpoints
This commit is contained in:
parent
071bb7201e
commit
5d06781a63
6 changed files with 50 additions and 16 deletions
3
Cargo.lock
generated
3
Cargo.lock
generated
|
@ -2412,6 +2412,7 @@ dependencies = [
|
|||
"tokio",
|
||||
"toml 0.7.1",
|
||||
"totp-rs",
|
||||
"trifid-pki",
|
||||
"url",
|
||||
"urlencoding",
|
||||
"uuid",
|
||||
|
@ -2419,7 +2420,7 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "trifid-pki"
|
||||
version = "0.1.2"
|
||||
version = "0.1.3"
|
||||
dependencies = [
|
||||
"ed25519-dalek",
|
||||
"hex",
|
||||
|
|
|
@ -22,4 +22,5 @@ urlencoding = "2.1.2"
|
|||
chrono = "0.4.23"
|
||||
aes-gcm = "0.10.1"
|
||||
hex = "0.4.3"
|
||||
rand = "0.8.5"
|
||||
rand = "0.8.5"
|
||||
trifid-pki = { version = "0.1.3", path = "../trifid-pki" }
|
|
@ -5,4 +5,4 @@ web_root = "http://localhost:5173"
|
|||
magic_links_valid_for = 86400
|
||||
session_tokens_valid_for = 86400
|
||||
totp_verification_valid_for = 3600
|
||||
data_key = "1f94d6ba57d79845135ba66446478537f3fccb5ec8e5b7eff7262caa0c358858106a8c5d8d4269ed6e9fc4dd00612bc89b4db06c2288bc2b19ae3e7cebcb461d"
|
||||
data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2"
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
use std::error::Error;
|
||||
use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
|
||||
use aes_gcm::aead::{Aead, Payload};
|
||||
use rand::Rng;
|
||||
use rand::rngs::OsRng;
|
||||
use crate::config::TFConfig;
|
||||
|
||||
pub fn get_cipher_from_config(config: &TFConfig) -> Result<Aes256Gcm, Box<dyn Error>> {
|
||||
|
@ -18,4 +20,8 @@ pub fn decrypt_with_nonce(ciphertext: &[u8], nonce: [u8; 12], cipher: &Aes256Gcm
|
|||
let nonce = Nonce::from_slice(&nonce);
|
||||
let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;
|
||||
Ok(plaintext)
|
||||
}
|
||||
|
||||
pub fn generate_random_iv() -> [u8; 12] {
|
||||
OsRng.gen()
|
||||
}
|
|
@ -1,12 +1,10 @@
|
|||
use std::error::Error;
|
||||
use rocket::form::validate::Contains;
|
||||
use sqlx::PgPool;
|
||||
use trifid_pki::ca::NebulaCAPool;
|
||||
|
||||
pub async fn get_org_by_owner_id(user: i32, db: &PgPool) -> Result<Option<i32>, Box<dyn Error>> {
|
||||
Ok(match sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await? {
|
||||
Some(r) => Some(r.id),
|
||||
None => None
|
||||
})
|
||||
Ok(sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await?.map(|r| r.id))
|
||||
}
|
||||
|
||||
pub async fn get_orgs_by_assoc_id(user: i32, db: &PgPool) -> Result<Vec<i32>, Box<dyn Error>> {
|
||||
|
@ -27,7 +25,7 @@ pub async fn get_users_by_assoc_org(org: i32, db: &PgPool) -> Result<Vec<i32>, B
|
|||
let mut ret = vec![];
|
||||
|
||||
for i in res {
|
||||
ret.push(i.org_id);
|
||||
ret.push(i.user_id);
|
||||
}
|
||||
|
||||
Ok(ret)
|
||||
|
@ -47,4 +45,13 @@ pub async fn get_associated_orgs(user: i32, db: &PgPool) -> Result<Vec<i32>, Box
|
|||
|
||||
pub async fn user_has_org_assoc(user: i32, org: i32, db: &PgPool) -> Result<bool, Box<dyn Error>> {
|
||||
Ok(get_associated_orgs(user, db).await?.contains(org))
|
||||
}
|
||||
|
||||
pub async fn get_org_ca_pool(org: i32, db: &PgPool) -> Result<NebulaCAPool, Box<dyn Error>> {
|
||||
// get CAPool PEM from db
|
||||
let pem = sqlx::query!("SELECT ca_crt FROM organizations WHERE id = $1", org).fetch_one(db).await?.ca_crt;
|
||||
|
||||
let ca_pool = NebulaCAPool::new_from_pem(&hex::decode(pem)?)?;
|
||||
|
||||
Ok(ca_pool)
|
||||
}
|
|
@ -1,4 +1,3 @@
|
|||
use std::slice::from_raw_parts_mut;
|
||||
use rocket::{get, post, options, State};
|
||||
use rocket::http::{ContentType, Status};
|
||||
use rocket::serde::json::Json;
|
||||
|
@ -6,6 +5,7 @@ use serde::{Serialize, Deserialize};
|
|||
use sqlx::PgPool;
|
||||
use crate::auth::TOTPAuthenticatedUserInfo;
|
||||
use crate::config::TFConfig;
|
||||
use crate::crypto::{encrypt_with_nonce, generate_random_iv, get_cipher_from_config};
|
||||
use crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};
|
||||
|
||||
#[options("/v1/orgs")]
|
||||
|
@ -29,7 +29,7 @@ pub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>) ->
|
|||
// this endpoint lists the associated organizations this user has access to
|
||||
let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {
|
||||
Ok(r) => r,
|
||||
Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query")))
|
||||
Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query", e)))
|
||||
};
|
||||
|
||||
Ok((ContentType::JSON, Json(OrglistStruct {
|
||||
|
@ -52,7 +52,7 @@ pub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: &State
|
|||
return Err((Status::Unauthorized, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_MISSING_ORG_AUTHORIZATION", "this user does not have permission to access this org")));
|
||||
}
|
||||
|
||||
let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
|
||||
let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
|
||||
let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
|
||||
|
||||
Ok((ContentType::JSON, Json(
|
||||
|
@ -71,14 +71,33 @@ pub async fn create_org(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>, con
|
|||
return Err((Status::Conflict, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_USER_OWNS_ORG", "a user can only own one organization at a time")))
|
||||
}
|
||||
|
||||
// we need to generate a keypair and CA certificate for this new org
|
||||
// generate an AES iv to use for key encryption
|
||||
let iv = generate_random_iv();
|
||||
let iv_hex = hex::encode(iv);
|
||||
|
||||
let owner_id = user.user_id;
|
||||
let cipher = match get_cipher_from_config(config) {
|
||||
Ok(c) => c,
|
||||
Err(e) => {
|
||||
return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_CREATE_CIPHER", "Unable to build cipher construct, please try again later", e)));
|
||||
}
|
||||
};
|
||||
let ca_key = match encrypt_with_nonce(b"", iv, &cipher) {
|
||||
Ok(key) => hex::encode(key),
|
||||
Err(e) => {
|
||||
return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_ENCRYPT_KEY", "Unable to build cipher construct, please try again later", e)));
|
||||
}
|
||||
};
|
||||
let ca_crt = hex::encode(b"");
|
||||
|
||||
let result = sqlx::query!("INSERT INTO organizations (owner, ca_key, ca_crt, iv) VALUES ($1, $2, $3, $4) RETURNING id", owner_id, ca_key, ca_crt, iv_hex).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
|
||||
|
||||
Ok((ContentType::JSON, Json(
|
||||
OrginfoStruct {
|
||||
org_id: orgid,
|
||||
owner_id: org.owner,
|
||||
ca_crt: org.ca_crt,
|
||||
authorized_users,
|
||||
org_id: result.id,
|
||||
owner_id,
|
||||
ca_crt,
|
||||
authorized_users: vec![owner_id],
|
||||
}
|
||||
)))
|
||||
}
|
Loading…
Reference in a new issue