Example #1
0
func (a *api) auth() bool {
	var err error

	k := new(secrets.Key)

	var secretKey string

	// Grab the credentials, look in the header first and fall back to the query string.
	if k.Name = a.req.Header.Get("X-Secret-ID"); k.Name == "" {
		k.Name = a.req.FormValue("secretid")
	}
	if secretKey = a.req.Header.Get("X-Secret-Key"); secretKey == "" {
		secretKey = a.req.FormValue("secretkey")
	}

	// If the master key has been used then just check the key, else check both.
	if k.Name == secrets.MasterKeyName {
		if secretKeyRegex.MatchString(secretKey) != true {
			log.Error("Invalid auth credential format.")
			return false
		}
	} else if secretIDRegex.MatchString(k.Name) != true || secretKeyRegex.MatchString(secretKey) != true {
		log.Error("Invalid auth credential format.")
		return false
	}

	a.keyID = k.Name
	a.key, err = base64.StdEncoding.DecodeString(
		secretKey)
	if err != nil {
		return false
	}

	priv := new([32]byte)
	pub := new([32]byte)

	copy(priv[:], a.key)
	defer secrets.Zero(priv[:])

	err = database.GetKey(k)
	if err != nil {
		return false
	}

	if !k.ReadOnly {
		a.admin = true
	}

	curve25519.ScalarBaseMult(pub, priv)
	if subtle.ConstantTimeCompare(pub[:], k.Public) == 1 {
		return true
	}
	return false
}
Example #2
0
func readDBcert() (cert []byte, err error) {
	root := new(secrets.Secret)
	shared := new(secrets.Secret)
	root.Name = certName
	shared.Name = certName

	key := new(secrets.Key)
	key.Name = certID

	priv, err := base64.StdEncoding.DecodeString(certKey)
	if err != nil {
		return
	}

	err = database.GetSharedSecret(shared, key)
	switch err {

	case gorm.ErrRecordNotFound:
		err = errors.New("Cert is not shared or does not exist")
		return

	case nil:
		break

	default:
		return

	}

	err = database.GetRootSecret(root)
	switch err {

	case gorm.ErrRecordNotFound:
		err = errors.New("Cert does not exist")
		return

	case nil:
		break

	default:
		return
	}

	return root.Decrypt(shared, priv)
}
Example #3
0
// View downloads a decrypted message
func View(w http.ResponseWriter, r *http.Request) {
	api := newAPI(w, r)
	defer api.req.Body.Close()

	if !api.auth() {
		api.error("Unauthorized", 401)
		return
	}

	request, err := api.read()
	if err != nil {
		log.Debug(err)
		api.error("Bad request", 400)
		return
	}

	if name, ok := api.params["messageName"]; ok {
		request.Name = name
	}

	root := new(secrets.Secret)
	shared := new(secrets.Secret)
	root.Name = request.Name
	shared.Name = request.Name

	key := new(secrets.Key)
	key.Name = api.keyID

	err = database.GetSharedSecret(shared, key)
	switch err {

	case gorm.ErrRecordNotFound:
		api.error("Secret does not exist", 404)
		return

	case nil:
		break

	default:
		log.Error(err)
		api.error("Database error", 500)
		return

	}

	err = database.GetRootSecret(root)
	switch err {

	case gorm.ErrRecordNotFound:
		api.error("Secret does not exist", 404)
		return

	case nil:
		break

	default:
		log.Error(err)
		api.error("Database error", 500)
		return
	}

	message, err := root.Decrypt(shared, api.key)
	if err != nil {
		log.Debug(err)
		api.error("Cannot decrypt secret", 500)
		return
	}
	defer secrets.Zero(message)

	log.Info("Secret: ", shared.Name, " viewed by: ", key.Name)
	viewCount++

	api.rawMessage(message, 200)
}
Example #4
0
// Share grants a key access to a message
func Share(w http.ResponseWriter, r *http.Request) {
	api := newAPI(w, r)
	defer api.req.Body.Close()

	if !api.auth() || !api.admin {
		api.error("Unauthorized", 401)
		return
	}

	request, err := api.read()
	if err != nil {
		log.Debug(err)
		api.error("Bad request", 400)
		return
	}

	if len(request.KeyID) == 0 {
		api.error("Missing elements in request", 400)
		return
	}
	if len(request.Name) == 0 {
		api.error("Missing elements in request", 400)
		return
	}

	key := new(secrets.Key)
	key.Name = request.KeyID
	key.Key = request.Key

	err = database.GetKey(key)
	if err != nil {
		log.Error(err)
		api.error("Database error", 500)
		return
	}

	secret := new(secrets.Secret)
	secret.Name = request.Name

	err = database.GetRootSecret(secret)
	switch err {

	case gorm.ErrRecordNotFound:
		api.error("Secret does not exist", 404)
		return

	case nil:
		break

	default:
		log.Error(err)
		api.error("Database error", 500)
		return

	}

	shared, err := secret.Share(key)
	if err != nil {
		log.Error(err)
		api.error(err.Error(), 500)
		return
	}

	err = database.AddSecret(shared)
	if err != nil {
		log.Error(err)
		api.error("Database error", 500)
		return
	}

	log.Info("Secret: ", shared.Name, " shared with: ", key.Name)

	api.message("OK", 201)
	return
}