proper org creation endpoints
This commit is contained in:
parent
071bb7201e
commit
5d06781a63
|
@ -2412,6 +2412,7 @@ dependencies = [
|
||||||
"tokio",
|
"tokio",
|
||||||
"toml 0.7.1",
|
"toml 0.7.1",
|
||||||
"totp-rs",
|
"totp-rs",
|
||||||
|
"trifid-pki",
|
||||||
"url",
|
"url",
|
||||||
"urlencoding",
|
"urlencoding",
|
||||||
"uuid",
|
"uuid",
|
||||||
|
@ -2419,7 +2420,7 @@ dependencies = [
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "trifid-pki"
|
name = "trifid-pki"
|
||||||
version = "0.1.2"
|
version = "0.1.3"
|
||||||
dependencies = [
|
dependencies = [
|
||||||
"ed25519-dalek",
|
"ed25519-dalek",
|
||||||
"hex",
|
"hex",
|
||||||
|
|
|
@ -23,3 +23,4 @@ chrono = "0.4.23"
|
||||||
aes-gcm = "0.10.1"
|
aes-gcm = "0.10.1"
|
||||||
hex = "0.4.3"
|
hex = "0.4.3"
|
||||||
rand = "0.8.5"
|
rand = "0.8.5"
|
||||||
|
trifid-pki = { version = "0.1.3", path = "../trifid-pki" }
|
|
@ -5,4 +5,4 @@ web_root = "http://localhost:5173"
|
||||||
magic_links_valid_for = 86400
|
magic_links_valid_for = 86400
|
||||||
session_tokens_valid_for = 86400
|
session_tokens_valid_for = 86400
|
||||||
totp_verification_valid_for = 3600
|
totp_verification_valid_for = 3600
|
||||||
data_key = "1f94d6ba57d79845135ba66446478537f3fccb5ec8e5b7eff7262caa0c358858106a8c5d8d4269ed6e9fc4dd00612bc89b4db06c2288bc2b19ae3e7cebcb461d"
|
data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2"
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
use std::error::Error;
|
use std::error::Error;
|
||||||
use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
|
use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
|
||||||
use aes_gcm::aead::{Aead, Payload};
|
use aes_gcm::aead::{Aead, Payload};
|
||||||
|
use rand::Rng;
|
||||||
|
use rand::rngs::OsRng;
|
||||||
use crate::config::TFConfig;
|
use crate::config::TFConfig;
|
||||||
|
|
||||||
pub fn get_cipher_from_config(config: &TFConfig) -> Result<Aes256Gcm, Box<dyn Error>> {
|
pub fn get_cipher_from_config(config: &TFConfig) -> Result<Aes256Gcm, Box<dyn Error>> {
|
||||||
|
@ -19,3 +21,7 @@ pub fn decrypt_with_nonce(ciphertext: &[u8], nonce: [u8; 12], cipher: &Aes256Gcm
|
||||||
let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;
|
let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;
|
||||||
Ok(plaintext)
|
Ok(plaintext)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn generate_random_iv() -> [u8; 12] {
|
||||||
|
OsRng.gen()
|
||||||
|
}
|
|
@ -1,12 +1,10 @@
|
||||||
use std::error::Error;
|
use std::error::Error;
|
||||||
use rocket::form::validate::Contains;
|
use rocket::form::validate::Contains;
|
||||||
use sqlx::PgPool;
|
use sqlx::PgPool;
|
||||||
|
use trifid_pki::ca::NebulaCAPool;
|
||||||
|
|
||||||
pub async fn get_org_by_owner_id(user: i32, db: &PgPool) -> Result<Option<i32>, Box<dyn Error>> {
|
pub async fn get_org_by_owner_id(user: i32, db: &PgPool) -> Result<Option<i32>, Box<dyn Error>> {
|
||||||
Ok(match sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await? {
|
Ok(sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await?.map(|r| r.id))
|
||||||
Some(r) => Some(r.id),
|
|
||||||
None => None
|
|
||||||
})
|
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn get_orgs_by_assoc_id(user: i32, db: &PgPool) -> Result<Vec<i32>, Box<dyn Error>> {
|
pub async fn get_orgs_by_assoc_id(user: i32, db: &PgPool) -> Result<Vec<i32>, Box<dyn Error>> {
|
||||||
|
@ -27,7 +25,7 @@ pub async fn get_users_by_assoc_org(org: i32, db: &PgPool) -> Result<Vec<i32>, B
|
||||||
let mut ret = vec![];
|
let mut ret = vec![];
|
||||||
|
|
||||||
for i in res {
|
for i in res {
|
||||||
ret.push(i.org_id);
|
ret.push(i.user_id);
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(ret)
|
Ok(ret)
|
||||||
|
@ -48,3 +46,12 @@ pub async fn get_associated_orgs(user: i32, db: &PgPool) -> Result<Vec<i32>, Box
|
||||||
pub async fn user_has_org_assoc(user: i32, org: i32, db: &PgPool) -> Result<bool, Box<dyn Error>> {
|
pub async fn user_has_org_assoc(user: i32, org: i32, db: &PgPool) -> Result<bool, Box<dyn Error>> {
|
||||||
Ok(get_associated_orgs(user, db).await?.contains(org))
|
Ok(get_associated_orgs(user, db).await?.contains(org))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub async fn get_org_ca_pool(org: i32, db: &PgPool) -> Result<NebulaCAPool, Box<dyn Error>> {
|
||||||
|
// get CAPool PEM from db
|
||||||
|
let pem = sqlx::query!("SELECT ca_crt FROM organizations WHERE id = $1", org).fetch_one(db).await?.ca_crt;
|
||||||
|
|
||||||
|
let ca_pool = NebulaCAPool::new_from_pem(&hex::decode(pem)?)?;
|
||||||
|
|
||||||
|
Ok(ca_pool)
|
||||||
|
}
|
|
@ -1,4 +1,3 @@
|
||||||
use std::slice::from_raw_parts_mut;
|
|
||||||
use rocket::{get, post, options, State};
|
use rocket::{get, post, options, State};
|
||||||
use rocket::http::{ContentType, Status};
|
use rocket::http::{ContentType, Status};
|
||||||
use rocket::serde::json::Json;
|
use rocket::serde::json::Json;
|
||||||
|
@ -6,6 +5,7 @@ use serde::{Serialize, Deserialize};
|
||||||
use sqlx::PgPool;
|
use sqlx::PgPool;
|
||||||
use crate::auth::TOTPAuthenticatedUserInfo;
|
use crate::auth::TOTPAuthenticatedUserInfo;
|
||||||
use crate::config::TFConfig;
|
use crate::config::TFConfig;
|
||||||
|
use crate::crypto::{encrypt_with_nonce, generate_random_iv, get_cipher_from_config};
|
||||||
use crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};
|
use crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};
|
||||||
|
|
||||||
#[options("/v1/orgs")]
|
#[options("/v1/orgs")]
|
||||||
|
@ -29,7 +29,7 @@ pub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>) ->
|
||||||
// this endpoint lists the associated organizations this user has access to
|
// this endpoint lists the associated organizations this user has access to
|
||||||
let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {
|
let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {
|
||||||
Ok(r) => r,
|
Ok(r) => r,
|
||||||
Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query")))
|
Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query", e)))
|
||||||
};
|
};
|
||||||
|
|
||||||
Ok((ContentType::JSON, Json(OrglistStruct {
|
Ok((ContentType::JSON, Json(OrglistStruct {
|
||||||
|
@ -52,7 +52,7 @@ pub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: &State
|
||||||
return Err((Status::Unauthorized, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_MISSING_ORG_AUTHORIZATION", "this user does not have permission to access this org")));
|
return Err((Status::Unauthorized, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_MISSING_ORG_AUTHORIZATION", "this user does not have permission to access this org")));
|
||||||
}
|
}
|
||||||
|
|
||||||
let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
|
let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
|
||||||
let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
|
let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
|
||||||
|
|
||||||
Ok((ContentType::JSON, Json(
|
Ok((ContentType::JSON, Json(
|
||||||
|
@ -71,14 +71,33 @@ pub async fn create_org(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>, con
|
||||||
return Err((Status::Conflict, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_USER_OWNS_ORG", "a user can only own one organization at a time")))
|
return Err((Status::Conflict, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_USER_OWNS_ORG", "a user can only own one organization at a time")))
|
||||||
}
|
}
|
||||||
|
|
||||||
// we need to generate a keypair and CA certificate for this new org
|
// generate an AES iv to use for key encryption
|
||||||
|
let iv = generate_random_iv();
|
||||||
|
let iv_hex = hex::encode(iv);
|
||||||
|
|
||||||
|
let owner_id = user.user_id;
|
||||||
|
let cipher = match get_cipher_from_config(config) {
|
||||||
|
Ok(c) => c,
|
||||||
|
Err(e) => {
|
||||||
|
return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_CREATE_CIPHER", "Unable to build cipher construct, please try again later", e)));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
let ca_key = match encrypt_with_nonce(b"", iv, &cipher) {
|
||||||
|
Ok(key) => hex::encode(key),
|
||||||
|
Err(e) => {
|
||||||
|
return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_ENCRYPT_KEY", "Unable to build cipher construct, please try again later", e)));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
let ca_crt = hex::encode(b"");
|
||||||
|
|
||||||
|
let result = sqlx::query!("INSERT INTO organizations (owner, ca_key, ca_crt, iv) VALUES ($1, $2, $3, $4) RETURNING id", owner_id, ca_key, ca_crt, iv_hex).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
|
||||||
|
|
||||||
Ok((ContentType::JSON, Json(
|
Ok((ContentType::JSON, Json(
|
||||||
OrginfoStruct {
|
OrginfoStruct {
|
||||||
org_id: orgid,
|
org_id: result.id,
|
||||||
owner_id: org.owner,
|
owner_id,
|
||||||
ca_crt: org.ca_crt,
|
ca_crt,
|
||||||
authorized_users,
|
authorized_users: vec![owner_id],
|
||||||
}
|
}
|
||||||
)))
|
)))
|
||||||
}
|
}
|
Loading…
Reference in New Issue