proper org creation endpoints

2023-02-27 20:29:52 -05:00 · 2023-02-27 20:29:52 -05:00 · 5d06781a63
parent 071bb7201e
commit 5d06781a63
6 changed files with 50 additions and 16 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -2412,6 +2412,7 @@ dependencies = [
 "tokio",
 "toml 0.7.1",
 "totp-rs",
+ "trifid-pki",
 "url",
 "urlencoding",
 "uuid",
@ -2419,7 +2420,7 @@ dependencies = [

 [[package]]
 name = "trifid-pki"
-version = "0.1.2"
+version = "0.1.3"
 dependencies = [
 "ed25519-dalek",
 "hex",
--- a/trifid-api/Cargo.toml
+++ b/trifid-api/Cargo.toml
@ -23,3 +23,4 @@ chrono = "0.4.23"
 aes-gcm = "0.10.1"
 hex = "0.4.3"
 rand = "0.8.5"
+trifid-pki = { version = "0.1.3", path = "../trifid-pki" }
--- a/trifid-api/config.toml
+++ b/trifid-api/config.toml
@ -5,4 +5,4 @@ web_root = "http://localhost:5173"
 magic_links_valid_for = 86400
 session_tokens_valid_for = 86400
 totp_verification_valid_for = 3600
-data_key = "1f94d6ba57d79845135ba66446478537f3fccb5ec8e5b7eff7262caa0c358858106a8c5d8d4269ed6e9fc4dd00612bc89b4db06c2288bc2b19ae3e7cebcb461d"
+data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2"
--- a/trifid-api/src/crypto.rs
+++ b/trifid-api/src/crypto.rs
@ -1,6 +1,8 @@
 use std::error::Error;
 use aes_gcm::{Aes256Gcm, KeyInit, Nonce};
 use aes_gcm::aead::{Aead, Payload};
+use rand::Rng;
+use rand::rngs::OsRng;
 use crate::config::TFConfig;

 pub fn get_cipher_from_config(config: &TFConfig) -> Result<Aes256Gcm, Box<dyn Error>> {
@ -19,3 +21,7 @@ pub fn decrypt_with_nonce(ciphertext: &[u8], nonce: [u8; 12], cipher: &Aes256Gcm
    let plaintext = cipher.decrypt(nonce, Payload::from(ciphertext))?;
    Ok(plaintext)
 }
+
+pub fn generate_random_iv() -> [u8; 12] {
+    OsRng.gen()
+}
--- a/trifid-api/src/org.rs
+++ b/trifid-api/src/org.rs
@ -1,12 +1,10 @@
 use std::error::Error;
 use rocket::form::validate::Contains;
 use sqlx::PgPool;
+use trifid_pki::ca::NebulaCAPool;

 pub async fn get_org_by_owner_id(user: i32, db: &PgPool) -> Result<Option<i32>, Box<dyn Error>> {
-    Ok(match sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await? {
-        Some(r) => Some(r.id),
-        None => None
-    })
+    Ok(sqlx::query!("SELECT id FROM organizations WHERE owner = $1", user).fetch_optional(db).await?.map(|r| r.id))
 }

 pub async fn get_orgs_by_assoc_id(user: i32, db: &PgPool) -> Result<Vec<i32>, Box<dyn Error>> {
@ -27,7 +25,7 @@ pub async fn get_users_by_assoc_org(org: i32, db: &PgPool) -> Result<Vec<i32>, B
    let mut ret = vec![];

    for i in res {
-        ret.push(i.org_id);
+        ret.push(i.user_id);
    }

    Ok(ret)
@ -48,3 +46,12 @@ pub async fn get_associated_orgs(user: i32, db: &PgPool) -> Result<Vec<i32>, Box
 pub async fn user_has_org_assoc(user: i32, org: i32, db: &PgPool) -> Result<bool, Box<dyn Error>> {
    Ok(get_associated_orgs(user, db).await?.contains(org))
 }
+
+pub async fn get_org_ca_pool(org: i32, db: &PgPool) -> Result<NebulaCAPool, Box<dyn Error>> {
+    // get CAPool PEM from db
+    let pem = sqlx::query!("SELECT ca_crt FROM organizations WHERE id = $1", org).fetch_one(db).await?.ca_crt;
+
+    let ca_pool = NebulaCAPool::new_from_pem(&hex::decode(pem)?)?;
+
+    Ok(ca_pool)
+}
--- a/trifid-api/src/routes/v1/organization.rs
+++ b/trifid-api/src/routes/v1/organization.rs
@ -1,4 +1,3 @@
-use std::slice::from_raw_parts_mut;
 use rocket::{get, post, options, State};
 use rocket::http::{ContentType, Status};
 use rocket::serde::json::Json;
@ -6,6 +5,7 @@ use serde::{Serialize, Deserialize};
 use sqlx::PgPool;
 use crate::auth::TOTPAuthenticatedUserInfo;
 use crate::config::TFConfig;
+use crate::crypto::{encrypt_with_nonce, generate_random_iv, get_cipher_from_config};
 use crate::org::{get_associated_orgs, get_org_by_owner_id, get_users_by_assoc_org, user_has_org_assoc};

 #[options("/v1/orgs")]
@ -29,7 +29,7 @@ pub async fn orglist_req(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>) ->
    // this endpoint lists the associated organizations this user has access to
    let associated_orgs = match get_associated_orgs(user.user_id, db.inner()).await {
        Ok(r) => r,
-        Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query")))
+        Err(e) => return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_DB_QUERY_FAILED", "an error occurred while running the database query", e)))
    };

    Ok((ContentType::JSON, Json(OrglistStruct {
@ -52,7 +52,7 @@ pub async fn orginfo_req(orgid: i32, user: TOTPAuthenticatedUserInfo, db: &State
        return Err((Status::Unauthorized, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_MISSING_ORG_AUTHORIZATION", "this user does not have permission to access this org")));
    }

-    let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(orgid).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
+    let org = sqlx::query!("SELECT id, owner, ca_crt FROM organizations WHERE id = $1", orgid).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;
    let authorized_users = get_users_by_assoc_org(orgid, db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;

    Ok((ContentType::JSON, Json(
@ -71,14 +71,33 @@ pub async fn create_org(user: TOTPAuthenticatedUserInfo, db: &State<PgPool>, con
        return Err((Status::Conflict, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{}\"}}]}}", "ERR_USER_OWNS_ORG", "a user can only own one organization at a time")))
    }

-    // we need to generate a keypair and CA certificate for this new org
+    // generate an AES iv to use for key encryption
+    let iv = generate_random_iv();
+    let iv_hex = hex::encode(iv);
+
+    let owner_id = user.user_id;
+    let cipher = match get_cipher_from_config(config) {
+        Ok(c) => c,
+        Err(e) => {
+            return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_CREATE_CIPHER", "Unable to build cipher construct, please try again later", e)));
+        }
+    };
+    let ca_key = match encrypt_with_nonce(b"", iv, &cipher) {
+        Ok(key) => hex::encode(key),
+        Err(e) => {
+            return Err((Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_CRYPTOGRAPHY_ENCRYPT_KEY", "Unable to build cipher construct, please try again later", e)));
+        }
+    };
+    let ca_crt = hex::encode(b"");
+
+    let result = sqlx::query!("INSERT INTO organizations (owner, ca_key, ca_crt, iv) VALUES ($1, $2, $3, $4) RETURNING id", owner_id, ca_key, ca_crt, iv_hex).fetch_one(db.inner()).await.map_err(|e| (Status::InternalServerError, format!("{{\"errors\":[{{\"code\":\"{}\",\"message\":\"{} - {}\"}}]}}", "ERR_QL_QUERY_FAILED", "an error occurred while running the graphql query", e)))?;

    Ok((ContentType::JSON, Json(
        OrginfoStruct {
-            org_id: orgid,
-            owner_id: org.owner,
-            ca_crt: org.ca_crt,
-            authorized_users,
+            org_id: result.id,
+            owner_id,
+            ca_crt,
+            authorized_users: vec![owner_id],
        }
    )))
 }