core
/
trifid
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 7 Releases Wiki Activity

proper org creation endpoints

This commit is contained in:
core 2023-02-27 20:29:52 -05:00
parent 071bb7201e
commit 5d06781a63
Signed by: core
GPG Key ID: FDBF740DADDCEECF
6 changed files with 50 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Cargo.lock generated
View File

@ -2412,6 +2412,7 @@ dependencies = [
"tokio", "tokio",
"toml 0.7.1", "toml 0.7.1",
"totp-rs", "totp-rs",
"trifid-pki",
"url", "url",
"urlencoding", "urlencoding",
"uuid", "uuid",
@ -2419,7 +2420,7 @@ dependencies = [
[[package]] [[package]]
name = "trifid-pki" name = "trifid-pki"
version = "0.1.2" version = "0.1.3"
dependencies = [ dependencies = [
"ed25519-dalek", "ed25519-dalek",
"hex", "hex",

3
trifid-api/Cargo.toml
View File

@ -22,4 +22,5 @@ urlencoding = "2.1.2"
chrono = "0.4.23" chrono = "0.4.23"
aes-gcm = "0.10.1" aes-gcm = "0.10.1"
hex = "0.4.3" hex = "0.4.3"
rand = "0.8.5" rand = "0.8.5"
trifid-pki = { version = "0.1.3", path = "../trifid-pki" }

2
trifid-api/config.toml
View File

@ -5,4 +5,4 @@ web_root = "http://localhost:5173"
magic_links_valid_for = 86400 magic_links_valid_for = 86400
session_tokens_valid_for = 86400 session_tokens_valid_for = 86400
totp_verification_valid_for = 3600 totp_verification_valid_for = 3600
data_key = "1f94d6ba57d79845135ba66446478537f3fccb5ec8e5b7eff7262caa0c358858106a8c5d8d4269ed6e9fc4dd00612bc89b4db06c2288bc2b19ae3e7cebcb461d" data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2"

6
trifid-api/src/crypto.rs
View File

@ -1,6 +1,8 @@
use std::error::Error; use std::error::Error;
use aes_gcm::{Aes256Gcm, KeyInit, Nonce}; use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
use aes_gcm::aead::{Aead, Payload}; use aes_gcm::aead::{Aead, Payload};
use rand::Rng;
use rand::rngs::OsRng;
use crate::config::TFConfig; use crate::config::TFConfig;
pub fn get_cipher_from_config(config: &TFConfig) -> Result<Aes256Gcm, Box<dyn Error>> { pub fn get_cipher_from_config(config: &TFConfig) -> Result<Aes256Gcm, Box<dyn Error>> {
@ -18,4 +20,8 @@ pub fn decrypt_with_nonce(ciphertext: &[u8], nonce: [u8; 12], cipher: &Aes256Gcm
let nonce = Nonce::from_slice(&nonce); let nonce = Nonce::from_slice(&nonce);
let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?; let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;
Ok(plaintext) Ok(plaintext)
}
pub fn generate_random_iv() -> [u8; 12] {
OsRng.gen()
} }

17
trifid-api/src/org.rs
View File

@ -1,12 +1,10 @@
use std::error::Error; use std::error::Error;
use rocket::form::validate::Contains; use rocket::form::validate::Contains;
use sqlx::PgPool; use sqlx::PgPool;
use trifid_pki::ca::NebulaCAPool;
pub async fn get_org_by_owner_id(user: i32, db: &PgPool) -> Result<Option<i32>, Box<dyn Error>> { pub async fn get_org_by_owner_id(user: i32, db: &PgPool) -> Result<Option<i32>, Box<dyn Error>> {
Ok(match sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await? { Ok(sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await?.map(|r| r.id))
Some(r) => Some(r.id),
None => None
})
} }
pub async fn get_orgs_by_assoc_id(user: i32, db: &PgPool) -> Result<Vec<i32>, Box<dyn Error>> { pub async fn get_orgs_by_assoc_id(user: i32, db: &PgPool) -> Result<Vec<i32>, Box<dyn Error>> {
@ -27,7 +25,7 @@ pub async fn get_users_by_assoc_org(org: i32, db: &PgPool) -> Result<Vec<i32>, B
let mut ret = vec![]; let mut ret = vec![];
for i in res { for i in res {
ret.push(i.org_id); ret.push(i.user_id);
} }
Ok(ret) Ok(ret)
@ -47,4 +45,13 @@ pub async fn get_associated_orgs(user: i32, db: &PgPool) -> Result<Vec<i32>, Box
pub async fn user_has_org_assoc(user: i32, org: i32, db: &PgPool) -> Result<bool, Box<dyn Error>> { pub async fn user_has_org_assoc(user: i32, org: i32, db: &PgPool) -> Result<bool, Box<dyn Error>> {
Ok(get_associated_orgs(user, db).await?.contains(org)) Ok(get_associated_orgs(user, db).await?.contains(org))
}
pub async fn get_org_ca_pool(org: i32, db: &PgPool) -> Result<NebulaCAPool, Box<dyn Error>> {
// get CAPool PEM from db
let pem = sqlx::query!("SELECT ca_crt FROM organizations WHERE id = $1", org).fetch_one(db).await?.ca_crt;
let ca_pool = NebulaCAPool::new_from_pem(&hex::decode(pem)?)?;
Ok(ca_pool)
} }

35
trifid-api/src/routes/v1/organization.rs
View File

@ -1,4 +1,3 @@
use std::slice::from_raw_parts_mut;
use rocket::{get, post, options, State}; use rocket::{get, post, options, State};
use rocket::http::{ContentType, Status}; use rocket::http::{ContentType, Status};
use rocket::serde::json::Json; use rocket::serde::json::Json;
@ -6,6 +5,7 @@ use serde::{Serialize, Deserialize};
use sqlx::PgPool; use sqlx::PgPool;
use crate::auth::TOTPAuthenticatedUserInfo; use crate::auth::TOTPAuthenticatedUserInfo;
use crate::config::TFConfig; use crate::config::TFConfig;
use crate::crypto::{encrypt_with_nonce, generate_random_iv, get_cipher_from_config};
use crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc}; use crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};
#[options("/v1/orgs")] #[options("/v1/orgs")]
@ -29,7 +29,7 @@ pub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>) ->
// this endpoint lists the associated organizations this user has access to // this endpoint lists the associated organizations this user has access to
let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await { let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {
Ok(r) => r, Ok(r) => r,
Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query"))) Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query", e)))
}; };
Ok((ContentType::JSON, Json(OrglistStruct { Ok((ContentType::JSON, Json(OrglistStruct {
@ -52,7 +52,7 @@ pub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: &State
return Err((Status::Unauthorized, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_MISSING_ORG_AUTHORIZATION", "this user does not have permission to access this org"))); return Err((Status::Unauthorized, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_MISSING_ORG_AUTHORIZATION", "this user does not have permission to access this org")));
} }
let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?; let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?; let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
Ok((ContentType::JSON, Json( Ok((ContentType::JSON, Json(
@ -71,14 +71,33 @@ pub async fn create_org(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>, con
return Err((Status::Conflict, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_USER_OWNS_ORG", "a user can only own one organization at a time"))) return Err((Status::Conflict, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_USER_OWNS_ORG", "a user can only own one organization at a time")))
} }
// we need to generate a keypair and CA certificate for this new org // generate an AES iv to use for key encryption
let iv = generate_random_iv();
let iv_hex = hex::encode(iv);
let owner_id = user.user_id;
let cipher = match get_cipher_from_config(config) {
Ok(c) => c,
Err(e) => {
return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_CREATE_CIPHER", "Unable to build cipher construct, please try again later", e)));
}
};
let ca_key = match encrypt_with_nonce(b"", iv, &cipher) {
Ok(key) => hex::encode(key),
Err(e) => {
return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_ENCRYPT_KEY", "Unable to build cipher construct, please try again later", e)));
}
};
let ca_crt = hex::encode(b"");
let result = sqlx::query!("INSERT INTO organizations (owner, ca_key, ca_crt, iv) VALUES ($1, $2, $3, $4) RETURNING id", owner_id, ca_key, ca_crt, iv_hex).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
Ok((ContentType::JSON, Json( Ok((ContentType::JSON, Json(
OrginfoStruct { OrginfoStruct {
org_id: orgid, org_id: result.id,
owner_id: org.owner, owner_id,
ca_crt: org.ca_crt, ca_crt,
authorized_users, authorized_users: vec![owner_id],
} }
))) )))
} }