func (a *api) auth() bool {
var err error
k := new(secrets.Key)
var secretKey string
// Grab the credentials, look in the header first and fall back to the query string.
if k.Name = a.req.Header.Get("X-Secret-ID"); k.Name == "" {
k.Name = a.req.FormValue("secretid")
}
if secretKey = a.req.Header.Get("X-Secret-Key"); secretKey == "" {
secretKey = a.req.FormValue("secretkey")
}
// If the master key has been used then just check the key, else check both.
if k.Name == secrets.MasterKeyName {
if secretKeyRegex.MatchString(secretKey) != true {
log.Error("Invalid auth credential format.")
return false
}
} else if secretIDRegex.MatchString(k.Name) != true || secretKeyRegex.MatchString(secretKey) != true {
log.Error("Invalid auth credential format.")
return false
}
a.keyID = k.Name
a.key, err = base64.StdEncoding.DecodeString(
secretKey)
if err != nil {
return false
}
priv := new([32]byte)
pub := new([32]byte)
copy(priv[:], a.key)
defer secrets.Zero(priv[:])
err = database.GetKey(k)
if err != nil {
return false
}
if !k.ReadOnly {
a.admin = true
}
curve25519.ScalarBaseMult(pub, priv)
if subtle.ConstantTimeCompare(pub[:], k.Public) == 1 {
return true
}
return false
}
func readDBcert() (cert []byte, err error) {
root := new(secrets.Secret)
shared := new(secrets.Secret)
root.Name = certName
shared.Name = certName
key := new(secrets.Key)
key.Name = certID
priv, err := base64.StdEncoding.DecodeString(certKey)
if err != nil {
return
}
err = database.GetSharedSecret(shared, key)
switch err {
case gorm.ErrRecordNotFound:
err = errors.New("Cert is not shared or does not exist")
return
case nil:
break
default:
return
}
err = database.GetRootSecret(root)
switch err {
case gorm.ErrRecordNotFound:
err = errors.New("Cert does not exist")
return
case nil:
break
default:
return
}
return root.Decrypt(shared, priv)
}
// View downloads a decrypted message
func View(w http.ResponseWriter, r *http.Request) {
api := newAPI(w, r)
defer api.req.Body.Close()
if !api.auth() {
api.error("Unauthorized", 401)
return
}
request, err := api.read()
if err != nil {
log.Debug(err)
api.error("Bad request", 400)
return
}
if name, ok := api.params["messageName"]; ok {
request.Name = name
}
root := new(secrets.Secret)
shared := new(secrets.Secret)
root.Name = request.Name
shared.Name = request.Name
key := new(secrets.Key)
key.Name = api.keyID
err = database.GetSharedSecret(shared, key)
switch err {
case gorm.ErrRecordNotFound:
api.error("Secret does not exist", 404)
return
case nil:
break
default:
log.Error(err)
api.error("Database error", 500)
return
}
err = database.GetRootSecret(root)
switch err {
case gorm.ErrRecordNotFound:
api.error("Secret does not exist", 404)
return
case nil:
break
default:
log.Error(err)
api.error("Database error", 500)
return
}
message, err := root.Decrypt(shared, api.key)
if err != nil {
log.Debug(err)
api.error("Cannot decrypt secret", 500)
return
}
defer secrets.Zero(message)
log.Info("Secret: ", shared.Name, " viewed by: ", key.Name)
viewCount++
api.rawMessage(message, 200)
}
// Share grants a key access to a message
func Share(w http.ResponseWriter, r *http.Request) {
api := newAPI(w, r)
defer api.req.Body.Close()
if !api.auth() || !api.admin {
api.error("Unauthorized", 401)
return
}
request, err := api.read()
if err != nil {
log.Debug(err)
api.error("Bad request", 400)
return
}
if len(request.KeyID) == 0 {
api.error("Missing elements in request", 400)
return
}
if len(request.Name) == 0 {
api.error("Missing elements in request", 400)
return
}
key := new(secrets.Key)
key.Name = request.KeyID
key.Key = request.Key
err = database.GetKey(key)
if err != nil {
log.Error(err)
api.error("Database error", 500)
return
}
secret := new(secrets.Secret)
secret.Name = request.Name
err = database.GetRootSecret(secret)
switch err {
case gorm.ErrRecordNotFound:
api.error("Secret does not exist", 404)
return
case nil:
break
default:
log.Error(err)
api.error("Database error", 500)
return
}
shared, err := secret.Share(key)
if err != nil {
log.Error(err)
api.error(err.Error(), 500)
return
}
err = database.AddSecret(shared)
if err != nil {
log.Error(err)
api.error("Database error", 500)
return
}
log.Info("Secret: ", shared.Name, " shared with: ", key.Name)
api.message("OK", 201)
return
}