diff --git a/Cargo.lock b/Cargo.lock index a14c4b2..a702c5c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2412,6 +2412,7 @@ dependencies = [ "tokio", "toml 0.7.1", "totp-rs", + "trifid-pki", "url", "urlencoding", "uuid", @@ -2419,7 +2420,7 @@ dependencies = [ [[package]] name = "trifid-pki" -version = "0.1.2" +version = "0.1.3" dependencies = [ "ed25519-dalek", "hex", diff --git a/trifid-api/Cargo.toml b/trifid-api/Cargo.toml index 84d8cb0..49a21ac 100644 --- a/trifid-api/Cargo.toml +++ b/trifid-api/Cargo.toml @@ -22,4 +22,5 @@ urlencoding = "2.1.2" chrono = "0.4.23" aes-gcm = "0.10.1" hex = "0.4.3" -rand = "0.8.5" \ No newline at end of file +rand = "0.8.5" +trifid-pki = { version = "0.1.3", path = "../trifid-pki" } \ No newline at end of file diff --git a/trifid-api/config.toml b/trifid-api/config.toml index ef4d2c3..02d1ef3 100644 --- a/trifid-api/config.toml +++ b/trifid-api/config.toml @@ -5,4 +5,4 @@ web_root = "http://localhost:5173" magic_links_valid_for = 86400 session_tokens_valid_for = 86400 totp_verification_valid_for = 3600 -data_key = "1f94d6ba57d79845135ba66446478537f3fccb5ec8e5b7eff7262caa0c358858106a8c5d8d4269ed6e9fc4dd00612bc89b4db06c2288bc2b19ae3e7cebcb461d" +data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2" diff --git a/trifid-api/src/crypto.rs b/trifid-api/src/crypto.rs index 193ddf0..66f3000 100644 --- a/trifid-api/src/crypto.rs +++ b/trifid-api/src/crypto.rs @@ -1,6 +1,8 @@ use std::error::Error; use aes_gcm::{Aes256Gcm, KeyInit, Nonce}; use aes_gcm::aead::{Aead, Payload}; +use rand::Rng; +use rand::rngs::OsRng; use crate::config::TFConfig; pub fn get_cipher_from_config(config: &TFConfig) -> Result> { @@ -18,4 +20,8 @@ pub fn decrypt_with_nonce(ciphertext: &[u8], nonce: [u8; 12], cipher: &Aes256Gcm let nonce = Nonce::from_slice(&nonce); let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?; Ok(plaintext) +} + +pub fn generate_random_iv() -> [u8; 12] { + OsRng.gen() } \ No newline at end of file diff --git a/trifid-api/src/org.rs b/trifid-api/src/org.rs index de1dcb4..315f8e7 100644 --- a/trifid-api/src/org.rs +++ b/trifid-api/src/org.rs @@ -1,12 +1,10 @@ use std::error::Error; use rocket::form::validate::Contains; use sqlx::PgPool; +use trifid_pki::ca::NebulaCAPool; pub async fn get_org_by_owner_id(user: i32, db: &PgPool) -> Result, Box> { - Ok(match sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await? { - Some(r) => Some(r.id), - None => None - }) + Ok(sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await?.map(|r| r.id)) } pub async fn get_orgs_by_assoc_id(user: i32, db: &PgPool) -> Result, Box> { @@ -27,7 +25,7 @@ pub async fn get_users_by_assoc_org(org: i32, db: &PgPool) -> Result, B let mut ret = vec![]; for i in res { - ret.push(i.org_id); + ret.push(i.user_id); } Ok(ret) @@ -47,4 +45,13 @@ pub async fn get_associated_orgs(user: i32, db: &PgPool) -> Result, Box pub async fn user_has_org_assoc(user: i32, org: i32, db: &PgPool) -> Result> { Ok(get_associated_orgs(user, db).await?.contains(org)) +} + +pub async fn get_org_ca_pool(org: i32, db: &PgPool) -> Result> { + // get CAPool PEM from db + let pem = sqlx::query!("SELECT ca_crt FROM organizations WHERE id = $1", org).fetch_one(db).await?.ca_crt; + + let ca_pool = NebulaCAPool::new_from_pem(&hex::decode(pem)?)?; + + Ok(ca_pool) } \ No newline at end of file diff --git a/trifid-api/src/routes/v1/organization.rs b/trifid-api/src/routes/v1/organization.rs index 947e417..ac3d557 100644 --- a/trifid-api/src/routes/v1/organization.rs +++ b/trifid-api/src/routes/v1/organization.rs @@ -1,4 +1,3 @@ -use std::slice::from_raw_parts_mut; use rocket::{get, post, options, State}; use rocket::http::{ContentType, Status}; use rocket::serde::json::Json; @@ -6,6 +5,7 @@ use serde::{Serialize, Deserialize}; use sqlx::PgPool; use crate::auth::TOTPAuthenticatedUserInfo; use crate::config::TFConfig; +use crate::crypto::{encrypt_with_nonce, generate_random_iv, get_cipher_from_config}; use crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc}; #[options("/v1/orgs")] @@ -29,7 +29,7 @@ pub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: &State) -> // this endpoint lists the associated organizations this user has access to let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await { Ok(r) => r, - Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query"))) + Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query", e))) }; Ok((ContentType::JSON, Json(OrglistStruct { @@ -52,7 +52,7 @@ pub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: &State return Err((Status::Unauthorized, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_MISSING_ORG_AUTHORIZATION", "this user does not have permission to access this org"))); } - let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?; + let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?; let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?; Ok((ContentType::JSON, Json( @@ -71,14 +71,33 @@ pub async fn create_org(user: TOTPAuthenticatedUserInfo, db: &State, con return Err((Status::Conflict, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_USER_OWNS_ORG", "a user can only own one organization at a time"))) } - // we need to generate a keypair and CA certificate for this new org + // generate an AES iv to use for key encryption + let iv = generate_random_iv(); + let iv_hex = hex::encode(iv); + + let owner_id = user.user_id; + let cipher = match get_cipher_from_config(config) { + Ok(c) => c, + Err(e) => { + return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_CREATE_CIPHER", "Unable to build cipher construct, please try again later", e))); + } + }; + let ca_key = match encrypt_with_nonce(b"", iv, &cipher) { + Ok(key) => hex::encode(key), + Err(e) => { + return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_ENCRYPT_KEY", "Unable to build cipher construct, please try again later", e))); + } + }; + let ca_crt = hex::encode(b""); + + let result = sqlx::query!("INSERT INTO organizations (owner, ca_key, ca_crt, iv) VALUES ($1, $2, $3, $4) RETURNING id", owner_id, ca_key, ca_crt, iv_hex).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?; Ok((ContentType::JSON, Json( OrginfoStruct { - org_id: orgid, - owner_id: org.owner, - ca_crt: org.ca_crt, - authorized_users, + org_id: result.id, + owner_id, + ca_crt, + authorized_users: vec![owner_id], } ))) } \ No newline at end of file