github-personal/databunker
1
0
Fork 0
mirror of https://github.com/outbackdingo/databunker.git synced 2026-01-27 10:18:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

fode refactor

Browse Source
This commit is contained in:
yuli
2025-03-03 10:59:15 +02:00
parent 9b1b55684b
commit 31c170538e
21 changed files with 249 additions and 270 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
src/agreements_api.go
View File

@@ -7,7 +7,6 @@ import (
"reflect"
"github.com/julienschmidt/httprouter"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/utils"
//"go.mongodb.org/mongo-driver/bson"
)
@@ -18,7 +17,7 @@ func (e mainEnv) agreementAccept(w http.ResponseWriter, r *http.Request, ps http
mode := ps.ByName("mode")
brief = utils.NormalizeBrief(brief)
event := audit.CreateAuditEvent("accept agreement for "+brief, identity, mode, identity)
event := CreateAuditEvent("accept agreement for "+brief, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
strictCheck := true
@@ -34,21 +33,21 @@ func (e mainEnv) agreementAccept(w http.ResponseWriter, r *http.Request, ps http
}
if utils.CheckValidBrief(brief) == false {
utils.ReturnError(w, r, "incorrect brief format", 405, nil, event)
ReturnError(w, r, "incorrect brief format", 405, nil, event)
return
}
exists, err := e.db.checkLegalBasis(brief)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if exists == false {
utils.ReturnError(w, r, "not found", 404, nil, event)
ReturnError(w, r, "not found", 404, nil, event)
return
}
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
starttime := int32(0)
@@ -110,7 +109,7 @@ func (e mainEnv) agreementWithdraw(w http.ResponseWriter, r *http.Request, ps ht
mode := ps.ByName("mode")
brief = utils.NormalizeBrief(brief)
event := audit.CreateAuditEvent("withdraw agreement for "+brief, identity, mode, identity)
event := CreateAuditEvent("withdraw agreement for "+brief, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
strictCheck := true
@@ -126,21 +125,21 @@ func (e mainEnv) agreementWithdraw(w http.ResponseWriter, r *http.Request, ps ht
return
}
if utils.CheckValidBrief(brief) == false {
utils.ReturnError(w, r, "bad brief format", 405, nil, event)
ReturnError(w, r, "bad brief format", 405, nil, event)
return
}
lbasis, err := e.db.getLegalBasis(brief)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if lbasis == nil {
utils.ReturnError(w, r, "not found", 405, nil, event)
ReturnError(w, r, "not found", 405, nil, event)
return
}
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
lastmodifiedby := utils.GetStringValue(postData["lastmodifiedby"])
@@ -167,7 +166,7 @@ func (e mainEnv) agreementWithdraw(w http.ResponseWriter, r *http.Request, ps ht
if authResult == "login" && selfService == false {
rtoken, rstatus, err := e.db.saveUserRequest("agreement-withdraw", userTOKEN, userBSON, "", brief, nil, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -200,16 +199,16 @@ func (e mainEnv) agreementRevokeAll(w http.ResponseWriter, r *http.Request, ps h
return
}
if utils.CheckValidBrief(brief) == false {
utils.ReturnError(w, r, "bad brief format", 405, nil, nil)
ReturnError(w, r, "bad brief format", 405, nil, nil)
return
}
exists, err := e.db.checkLegalBasis(brief)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, nil, nil)
ReturnError(w, r, "internal error", 405, nil, nil)
return
}
if exists == false {
utils.ReturnError(w, r, "not found", 405, nil, nil)
ReturnError(w, r, "not found", 405, nil, nil)
return
}
e.db.revokeLegalBasis(brief)
@@ -221,7 +220,7 @@ func (e mainEnv) agreementRevokeAll(w http.ResponseWriter, r *http.Request, ps h
func (e mainEnv) agreementList(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("get agreements for "+mode, identity, mode, identity)
event := CreateAuditEvent("get agreements for "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -238,7 +237,7 @@ func (e mainEnv) agreementList(w http.ResponseWriter, r *http.Request, ps httpro
}
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -253,7 +252,7 @@ func (e mainEnv) agreementGet(w http.ResponseWriter, r *http.Request, ps httprou
mode := ps.ByName("mode")
brief = utils.NormalizeBrief(brief)
event := audit.CreateAuditEvent("get agreements for "+brief, identity, mode, identity)
event := CreateAuditEvent("get agreements for "+brief, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -261,26 +260,26 @@ func (e mainEnv) agreementGet(w http.ResponseWriter, r *http.Request, ps httprou
return
}
if utils.CheckValidBrief(brief) == false {
utils.ReturnError(w, r, "bad brief format", 405, nil, event)
ReturnError(w, r, "bad brief format", 405, nil, event)
return
}
exists, err := e.db.checkLegalBasis(brief)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if exists == false {
utils.ReturnError(w, r, "not found", 404, nil, event)
ReturnError(w, r, "not found", 404, nil, event)
return
}
resultJSON, err := e.db.viewAgreementRecord(userTOKEN, brief)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if resultJSON == nil {
utils.ReturnError(w, r, "not found", 405, err, event)
ReturnError(w, r, "not found", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -294,16 +293,16 @@ func (e mainEnv) consentUserRecord(w http.ResponseWriter, r *http.Request, ps ht
identity := ps.ByName("identity")
brief := ps.ByName("brief")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("consent record for "+brief, identity, mode, identity)
event := CreateAuditEvent("consent record for "+brief, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if utils.ValidateMode(mode) == false {
utils.ReturnError(w, r, "bad mode", 405, nil, event)
ReturnError(w, r, "bad mode", 405, nil, event)
return
}
brief = utils.NormalizeBrief(brief)
if utils.CheckValidBrief(brief) == false {
utils.ReturnError(w, r, "bad brief format", 405, nil, event)
ReturnError(w, r, "bad brief format", 405, nil, event)
return
}
userTOKEN := identity
@@ -321,7 +320,7 @@ func (e mainEnv) consentUserRecord(w http.ResponseWriter, r *http.Request, ps ht
}
}
if userBson == nil {
utils.ReturnError(w, r, "internal error", 405, nil, event)
ReturnError(w, r, "internal error", 405, nil, event)
return
}
// make sure that user is logged in here, unless he wants to cancel emails
@@ -330,11 +329,11 @@ func (e mainEnv) consentUserRecord(w http.ResponseWriter, r *http.Request, ps ht
}
resultJSON, err := e.db.viewConsentRecord(userTOKEN, brief)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if resultJSON == nil {
utils.ReturnError(w, r, "not found", 405, nil, event)
ReturnError(w, r, "not found", 405, nil, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -347,7 +346,7 @@ func (e mainEnv) consentUserRecord(w http.ResponseWriter, r *http.Request, ps ht
/*
func (e mainEnv) consentFilterRecords(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
brief := ps.ByName("brief")
event := audit.CreateAuditEvent("consent get all for "+brief, brief, "brief", brief)
event := CreateAuditEvent("consent get all for "+brief, brief, "brief", brief)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if e.EnforceAuth(w, r, event) == "" {
return
@@ -363,7 +362,7 @@ func (e mainEnv) consentFilterRecords(w http.ResponseWriter, r *http.Request, ps
}
resultJSON, numRecords, err := e.db.filterConsentRecords(brief, offset, limit)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
log.Printf("Total count of rows: %d\n", numRecords)

29
src/audit/audit.go
View File

@@ -1,29 +0,0 @@
package audit
import "time"
type AuditEvent struct {
When int32 `json:"when"`
Who string `json:"who"`
Mode string `json:"mode"`
Identity string `json:"identity"`
Record string `json:"record"`
App string `json:"app"`
Title string `json:"title"`
Status string `json:"status"`
Msg string `json:"msg"`
Debug string `json:"debug"`
Before string `json:"before"`
After string `json:"after"`
Atoken string `json:"atoken"`
}
func CreateAuditEvent(title string, record string, mode string, identity string) *AuditEvent {
//fmt.Printf("/%s : %s\n", title, record)
return &AuditEvent{Title: title, Mode: mode, Who: identity, Record: record, Status: "ok", When: int32(time.Now().Unix())}
}
func CreateAuditAppEvent(title string, record string, app string, mode string, identity string) *AuditEvent {
//fmt.Printf("/%s : %s : %s\n", title, app, record)
return &AuditEvent{Title: title, Mode: mode, Who: identity, Record: record, Status: "ok", When: int32(time.Now().Unix())}
}

3
src/audit/go.mod
View File

@@ -1,3 +0,0 @@
module github.com/securitybunker/databunker/src/utils
go 1.21

46
src/audit_api.go
View File

@@ -4,13 +4,39 @@ import (
"fmt"
"log"
"net/http"
"time"
"github.com/julienschmidt/httprouter"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/utils"
)
func (e mainEnv) EnforceAuth(w http.ResponseWriter, r *http.Request, event *audit.AuditEvent) string {
type AuditEvent struct {
When int32 `json:"when"`
Who string `json:"who"`
Mode string `json:"mode"`
Identity string `json:"identity"`
Record string `json:"record"`
App string `json:"app"`
Title string `json:"title"`
Status string `json:"status"`
Msg string `json:"msg"`
Debug string `json:"debug"`
Before string `json:"before"`
After string `json:"after"`
Atoken string `json:"atoken"`
}
func CreateAuditEvent(title string, record string, mode string, identity string) *AuditEvent {
//fmt.Printf("/%s : %s\n", title, record)
return &AuditEvent{Title: title, Mode: mode, Who: identity, Record: record, Status: "ok", When: int32(time.Now().Unix())}
}
func CreateAuditAppEvent(title string, record string, app string, mode string, identity string) *AuditEvent {
//fmt.Printf("/%s : %s : %s\n", title, app, record)
return &AuditEvent{Title: title, Mode: mode, Who: identity, Record: record, Status: "ok", When: int32(time.Now().Unix())}
}
func (e mainEnv) EnforceAuth(w http.ResponseWriter, r *http.Request, event *AuditEvent) string {
/*
for key, value := range r.Header {
fmt.Printf("%s => %s\n", key, value)
@@ -49,7 +75,7 @@ func (e mainEnv) EnforceAuth(w http.ResponseWriter, r *http.Request, event *audi
return ""
}
func (e mainEnv) EnforceAdmin(w http.ResponseWriter, r *http.Request, event *audit.AuditEvent) string {
func (e mainEnv) EnforceAdmin(w http.ResponseWriter, r *http.Request, event *AuditEvent) string {
if token, ok := r.Header["X-Bunker-Token"]; ok {
authResult, err := e.db.checkUserAuthXToken(token[0])
//fmt.Printf("error in auth? error %s - %s\n", err, token[0])
@@ -70,9 +96,9 @@ func (e mainEnv) EnforceAdmin(w http.ResponseWriter, r *http.Request, event *aud
func (e mainEnv) auditEventList(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
userTOKEN := ps.ByName("token")
event := audit.CreateAuditEvent("view audit events", userTOKEN, "token", userTOKEN)
event := CreateAuditEvent("view audit events", userTOKEN, "token", userTOKEN)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if utils.EnforceUUID(w, userTOKEN, event) == false {
if EnforceUUID(w, userTOKEN, event) == false {
return
}
if e.EnforceAuth(w, r, event) == "" {
@@ -89,7 +115,7 @@ func (e mainEnv) auditEventList(w http.ResponseWriter, r *http.Request, ps httpr
}
resultJSON, counter, err := e.db.getAuditEvents(userTOKEN, offset, limit)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
//fmt.Printf("Total count of events: %d\n", counter)
@@ -114,7 +140,7 @@ func (e mainEnv) auditEventListAll(w http.ResponseWriter, r *http.Request, ps ht
}
resultJSON, counter, err := e.db.getAdminAuditEvents(offset, limit)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, nil)
ReturnError(w, r, "internal error", 405, err, nil)
return
}
//fmt.Printf("Total count of events: %d\n", counter)
@@ -126,16 +152,16 @@ func (e mainEnv) auditEventListAll(w http.ResponseWriter, r *http.Request, ps ht
func (e mainEnv) auditEventGet(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
atoken := ps.ByName("atoken")
event := audit.CreateAuditEvent("view audit event", atoken, "token", atoken)
event := CreateAuditEvent("view audit event", atoken, "token", atoken)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
//fmt.Println("error code")
if utils.EnforceUUID(w, atoken, event) == false {
if EnforceUUID(w, atoken, event) == false {
return
}
userTOKEN, resultJSON, err := e.db.getAuditEvent(atoken)
log.Printf("extracted user token: %s", userTOKEN)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
event.Record = userTOKEN

3
src/audit_db.go
View File

@@ -8,13 +8,12 @@ import (
//"log"
uuid "github.com/hashicorp/go-uuid"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/storage"
"github.com/securitybunker/databunker/src/utils"
"go.mongodb.org/mongo-driver/bson"
)
func SaveAuditEvent(event *audit.AuditEvent, db *dbcon, conf Config) {
func SaveAuditEvent(event *AuditEvent, db *dbcon, conf Config) {
if event == nil {
return
}

2
src/bulk_api.go
View File

@@ -14,7 +14,7 @@ func (e mainEnv) userListAll(w http.ResponseWriter, r *http.Request, ps httprout
return
}
if e.conf.Generic.ListUsers == false {
utils.ReturnError(w, r, "access denied", 403, nil, nil)
ReturnError(w, r, "access denied", 403, nil, nil)
return
}
var offset int32 = 0

19
src/bunker.go
View File

@@ -19,7 +19,6 @@ import (
"github.com/kelseyhightower/envconfig"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/autocontext"
"github.com/securitybunker/databunker/src/storage"
"github.com/securitybunker/databunker/src/utils"
@@ -384,15 +383,15 @@ func (e mainEnv) dbCleanup() {
}
// helper function to load user details by idex name
func (e mainEnv) getUserToken(w http.ResponseWriter, r *http.Request, mode string, identity string, event *audit.AuditEvent, strictCheck bool) (string, map[string]interface{}, error) {
func (e mainEnv) getUserToken(w http.ResponseWriter, r *http.Request, mode string, identity string, event *AuditEvent, strictCheck bool) (string, map[string]interface{}, error) {
var userBSON map[string]interface{}
var err error
if utils.ValidateMode(mode) == false {
utils.ReturnError(w, r, "bad mode", 405, nil, event)
ReturnError(w, r, "bad mode", 405, nil, event)
return "", userBSON, errors.New("bad mode")
}
if mode == "token" {
if utils.EnforceUUID(w, identity, event) == false {
if EnforceUUID(w, identity, event) == false {
return "", userBSON, errors.New("uuid is incorrect")
}
userBSON, err = e.db.lookupUserRecord(identity)
@@ -400,7 +399,7 @@ func (e mainEnv) getUserToken(w http.ResponseWriter, r *http.Request, mode strin
userBSON, err = e.db.lookupUserRecordByIndex(mode, identity, e.conf)
}
if err != nil {
utils.ReturnError(w, r, "internal error", 405, nil, event)
ReturnError(w, r, "internal error", 405, nil, event)
return "", userBSON, err
}
userToken := utils.GetUuidString(userBSON["token"])
@@ -409,10 +408,10 @@ func (e mainEnv) getUserToken(w http.ResponseWriter, r *http.Request, mode strin
event.Record = userToken
}
_, exists := r.Header["X-Bunker-Token"]
// if strict check is disabled and we have no auth token
if exists == false && strictCheck == false {
return userToken, userBSON, nil
}
// if strict check is disabled and we have no auth token
if exists == false && strictCheck == false {
return userToken, userBSON, nil
}
//log.Printf("getUserToken -> EnforceAuth()")
if e.EnforceAuth(w, r, event) == "" {
//log.Printf("XToken validation error")
@@ -422,7 +421,7 @@ func (e mainEnv) getUserToken(w http.ResponseWriter, r *http.Request, mode strin
}
// not found
if strictCheck == true {
utils.ReturnError(w, r, "not found", 405, nil, event)
ReturnError(w, r, "not found", 405, nil, event)
return "", userBSON, errors.New("not found")
}
// make sure to check if user is admin

6
src/captcha.go
View File

@@ -28,19 +28,19 @@ func (e mainEnv) showCaptcha(w http.ResponseWriter, r *http.Request, ps httprout
code := ps.ByName("code")
if len(code) == 0 {
err := errors.New("Bad code")
utils.ReturnError(w, r, "bad code", 405, err, nil)
ReturnError(w, r, "bad code", 405, err, nil)
return
}
s, err := decryptCaptcha(code)
if err != nil {
utils.ReturnError(w, r, err.Error(), 405, err, nil)
ReturnError(w, r, err.Error(), 405, err, nil)
return
}
log.Printf("Decoded captcha: %s", s)
//box := packr.NewBox("../ui")
//comic, err := box.Find("site/fonts/comic.ttf")
//if err != nil {
// utils.ReturnError(w, r, err.Error(), 405, err, nil)
// ReturnError(w, r, err.Error(), 405, err, nil)
// return
//}
cap := captcha.New()

10
src/utils/checks.go → src/checks.go
View File

@@ -1,14 +1,14 @@
package utils
package main
import (
"fmt"
"log"
"net/http"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/utils"
)
func ReturnError(w http.ResponseWriter, r *http.Request, message string, code int, err error, event *audit.AuditEvent) {
func ReturnError(w http.ResponseWriter, r *http.Request, message string, code int, err error, event *AuditEvent) {
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.WriteHeader(code)
fmt.Fprintf(w, `{"status":"error","message":%q}`, message)
@@ -25,8 +25,8 @@ func ReturnError(w http.ResponseWriter, r *http.Request, message string, code in
//http.Error(w, http.StatusText(405), 405)
}
func EnforceUUID(w http.ResponseWriter, uuidCode string, event *audit.AuditEvent) bool {
if CheckValidUUID(uuidCode) == false {
func EnforceUUID(w http.ResponseWriter, uuidCode string, event *AuditEvent) bool {
if utils.CheckValidUUID(uuidCode) == false {
//fmt.Printf("405 bad uuid in : %s\n", uuidCode)
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.WriteHeader(405)

3
src/conf.go
View File

@@ -7,7 +7,6 @@ import (
"github.com/julienschmidt/httprouter"
"github.com/securitybunker/databunker/src/autocontext"
"github.com/securitybunker/databunker/src/utils"
)
func (e mainEnv) setupConfRouter(router *httprouter.Router) *httprouter.Router {
@@ -24,7 +23,7 @@ func (e mainEnv) initContext(r *http.Request) {
func (e mainEnv) cookieSettings(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
resultJSON, scriptsJSON, _, err := e.db.getLegalBasisCookieConf()
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, nil)
ReturnError(w, r, "internal error", 405, err, nil)
return
}
resultUIConfJSON, _ := json.Marshal(e.conf.UI)

31
src/expiration_api.go
View File

@@ -6,7 +6,6 @@ import (
uuid "github.com/hashicorp/go-uuid"
"github.com/julienschmidt/httprouter"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/storage"
"github.com/securitybunker/databunker/src/utils"
)
@@ -32,7 +31,7 @@ func (e mainEnv) expGetStatus(w http.ResponseWriter, r *http.Request, ps httprou
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("get expiration status by "+mode, identity, mode, identity)
event := CreateAuditEvent("get expiration status by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, userBSON, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -54,7 +53,7 @@ func (e mainEnv) expCancel(w http.ResponseWriter, r *http.Request, ps httprouter
var err error
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("clear user expiration by "+mode, identity, mode, identity)
event := CreateAuditEvent("clear user expiration by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -65,7 +64,7 @@ func (e mainEnv) expCancel(w http.ResponseWriter, r *http.Request, ps httprouter
status := ""
err = e.db.updateUserExpStatus(userTOKEN, status)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, nil, event)
ReturnError(w, r, "internal error", 405, nil, event)
return
}
finalJSON := `{"status":"ok"}`
@@ -77,14 +76,14 @@ func (e mainEnv) expCancel(w http.ResponseWriter, r *http.Request, ps httprouter
func (e mainEnv) expRetainData(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("exptoken")
mode := "exptoken"
event := audit.CreateAuditEvent("retain user data by exptoken", identity, mode, identity)
event := CreateAuditEvent("retain user data by exptoken", identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if utils.EnforceUUID(w, identity, event) == false {
if EnforceUUID(w, identity, event) == false {
return
}
userBson, err := e.db.lookupUserRecordByIndex(mode, identity, e.conf)
if userBson == nil || err != nil {
utils.ReturnError(w, r, "internal error", 405, nil, event)
ReturnError(w, r, "internal error", 405, nil, event)
return
}
userTOKEN := utils.GetUuidString(userBson["token"])
@@ -92,7 +91,7 @@ func (e mainEnv) expRetainData(w http.ResponseWriter, r *http.Request, ps httpro
status := "retain"
err = e.db.updateUserExpStatus(userTOKEN, status)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, nil, event)
ReturnError(w, r, "internal error", 405, nil, event)
return
}
w.WriteHeader(200)
@@ -102,14 +101,14 @@ func (e mainEnv) expRetainData(w http.ResponseWriter, r *http.Request, ps httpro
func (e mainEnv) expDeleteData(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("exptoken")
mode := "exptoken"
event := audit.CreateAuditEvent("delete user data by exptoken", identity, mode, identity)
event := CreateAuditEvent("delete user data by exptoken", identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if utils.EnforceUUID(w, identity, event) == false {
if EnforceUUID(w, identity, event) == false {
return
}
userJSON, userTOKEN, userBSON, err := e.db.getUserByIndex(identity, mode, e.conf)
if userJSON == nil || err != nil {
utils.ReturnError(w, r, "internal error", 405, nil, event)
ReturnError(w, r, "internal error", 405, nil, event)
return
}
event.Record = userTOKEN
@@ -119,7 +118,7 @@ func (e mainEnv) expDeleteData(w http.ResponseWriter, r *http.Request, ps httpro
}
_, err = e.db.deleteUserRecord(userJSON, userTOKEN, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, nil, event)
ReturnError(w, r, "internal error", 405, nil, event)
return
}
e.db.updateUserExpStatus(userTOKEN, "expired")
@@ -131,7 +130,7 @@ func (e mainEnv) expStart(w http.ResponseWriter, r *http.Request, ps httprouter.
var err error
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("initiate user record expiration by "+mode, identity, mode, identity)
event := CreateAuditEvent("initiate user record expiration by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -146,7 +145,7 @@ func (e mainEnv) expStart(w http.ResponseWriter, r *http.Request, ps httprouter.
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
endtime := utils.SetExpiration(e.conf.Policy.MaxUserRetentionPeriod, postData["expiration"])
@@ -157,11 +156,11 @@ func (e mainEnv) expStart(w http.ResponseWriter, r *http.Request, ps httprouter.
}
expToken, err := uuid.GenerateUUID()
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
}
err = e.db.initiateUserExpiration(userTOKEN, endtime, status, expToken)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
finalJSON := fmt.Sprintf(`{"status":"ok","exptoken":"%s"}`, expToken)

3
src/go.mod
View File

@@ -8,8 +8,6 @@ replace github.com/securitybunker/databunker/src/storage => ./storage
replace github.com/securitybunker/databunker/src/utils => ./utils
replace github.com/securitybunker/databunker/src/audit => ./audit
require (
github.com/afocus/captcha v0.0.0-20191010092841-4bd1f21c8868
github.com/evanphx/json-patch v5.9.0+incompatible
@@ -20,7 +18,6 @@ require (
github.com/oschwald/geoip2-golang v1.11.0
github.com/prometheus/client_golang v1.20.5
github.com/qri-io/jsonpointer v0.1.1
github.com/securitybunker/databunker/src/audit v0.0.0
github.com/securitybunker/databunker/src/storage v0.0.0
github.com/securitybunker/databunker/src/utils v0.0.0
github.com/securitybunker/jsonschema v0.2.1-0.20201128224651-d77c1a3cb787

10
src/lbasis_api.go
View File

@@ -17,18 +17,18 @@ func (e mainEnv) legalBasisCreate(w http.ResponseWriter, r *http.Request, ps htt
}
brief = utils.NormalizeBrief(brief)
if utils.CheckValidBrief(brief) == false {
utils.ReturnError(w, r, "bad brief format", 405, nil, nil)
ReturnError(w, r, "bad brief format", 405, nil, nil)
return
}
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, nil)
ReturnError(w, r, "failed to decode request body", 405, err, nil)
return
}
newbrief := utils.GetStringValue(postData["brief"])
if len(newbrief) > 0 && newbrief != brief {
if utils.CheckValidBrief(newbrief) == false {
utils.ReturnError(w, r, "bad brief format", 405, nil, nil)
ReturnError(w, r, "bad brief format", 405, nil, nil)
return
}
}
@@ -87,7 +87,7 @@ func (e mainEnv) legalBasisDelete(w http.ResponseWriter, r *http.Request, ps htt
}
brief = utils.NormalizeBrief(brief)
if utils.CheckValidBrief(brief) == false {
utils.ReturnError(w, r, "bad brief format", 405, nil, nil)
ReturnError(w, r, "bad brief format", 405, nil, nil)
return
}
e.db.unlinkProcessingActivityBrief(brief)
@@ -103,7 +103,7 @@ func (e mainEnv) legalBasisListAll(w http.ResponseWriter, r *http.Request, ps ht
}
resultJSON, numRecords, err := e.db.getLegalBasisRecords()
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, nil)
ReturnError(w, r, "internal error", 405, err, nil)
return
}
//log.Printf("Total count of rows: %d\n", numRecords)

24
src/pactivities_api.go
View File

@@ -17,12 +17,12 @@ func (e mainEnv) pactivityCreate(w http.ResponseWriter, r *http.Request, ps http
}
activity = utils.NormalizeBrief(activity)
if utils.CheckValidBrief(activity) == false {
utils.ReturnError(w, r, "bad activity format", 405, nil, nil)
ReturnError(w, r, "bad activity format", 405, nil, nil)
return
}
records, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, nil)
ReturnError(w, r, "failed to decode request body", 405, err, nil)
return
}
defer func() {
@@ -51,7 +51,7 @@ func (e mainEnv) pactivityDelete(w http.ResponseWriter, r *http.Request, ps http
}
activity = utils.NormalizeBrief(activity)
if utils.CheckValidBrief(activity) == false {
utils.ReturnError(w, r, "bad activity format", 405, nil, nil)
ReturnError(w, r, "bad activity format", 405, nil, nil)
return
}
e.db.deleteProcessingActivity(activity)
@@ -68,26 +68,26 @@ func (e mainEnv) pactivityLink(w http.ResponseWriter, r *http.Request, ps httpro
}
activity = utils.NormalizeBrief(activity)
if utils.CheckValidBrief(activity) == false {
utils.ReturnError(w, r, "bad activity format", 405, nil, nil)
ReturnError(w, r, "bad activity format", 405, nil, nil)
return
}
brief = utils.NormalizeBrief(brief)
if utils.CheckValidBrief(brief) == false {
utils.ReturnError(w, r, "bad brief format", 405, nil, nil)
ReturnError(w, r, "bad brief format", 405, nil, nil)
return
}
exists, err := e.db.checkLegalBasis(brief)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, nil, nil)
ReturnError(w, r, "internal error", 405, nil, nil)
return
}
if exists == false {
utils.ReturnError(w, r, "not found", 405, nil, nil)
ReturnError(w, r, "not found", 405, nil, nil)
return
}
_, err = e.db.linkProcessingActivity(activity, brief)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, nil)
ReturnError(w, r, "internal error", 405, err, nil)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -103,17 +103,17 @@ func (e mainEnv) pactivityUnlink(w http.ResponseWriter, r *http.Request, ps http
}
activity = utils.NormalizeBrief(activity)
if utils.CheckValidBrief(activity) == false {
utils.ReturnError(w, r, "bad activity format", 405, nil, nil)
ReturnError(w, r, "bad activity format", 405, nil, nil)
return
}
brief = utils.NormalizeBrief(brief)
if utils.CheckValidBrief(brief) == false {
utils.ReturnError(w, r, "bad brief format", 405, nil, nil)
ReturnError(w, r, "bad brief format", 405, nil, nil)
return
}
_, err := e.db.unlinkProcessingActivity(activity, brief)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, nil)
ReturnError(w, r, "internal error", 405, err, nil)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -127,7 +127,7 @@ func (e mainEnv) pactivityListAll(w http.ResponseWriter, r *http.Request, ps htt
}
resultJSON, numRecords, err := e.db.listProcessingActivities()
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, nil)
ReturnError(w, r, "internal error", 405, err, nil)
return
}
log.Printf("Total count of rows: %d\n", numRecords)

65
src/requests_api.go
View File

@@ -7,13 +7,12 @@ import (
"strings"
"github.com/julienschmidt/httprouter"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/utils"
)
// This function retrieves all requests that require admin approval. This function supports result pager.
func (e mainEnv) userReqListAll(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
event := audit.CreateAuditEvent("view user requests", "", "", "")
event := CreateAuditEvent("view user requests", "", "", "")
if e.EnforceAdmin(w, r, event) == "" {
return
}
@@ -32,7 +31,7 @@ func (e mainEnv) userReqListAll(w http.ResponseWriter, r *http.Request, ps httpr
}
resultJSON, counter, err := e.db.getRequests(status, offset, limit)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -45,7 +44,7 @@ func (e mainEnv) userReqListAll(w http.ResponseWriter, r *http.Request, ps httpr
func (e mainEnv) userReqList(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("get user privacy requests", identity, mode, identity)
event := CreateAuditEvent("get user privacy requests", identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -64,7 +63,7 @@ func (e mainEnv) userReqList(w http.ResponseWriter, r *http.Request, ps httprout
}
resultJSON, counter, err := e.db.getUserRequests(userTOKEN, offset, limit)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, nil)
ReturnError(w, r, "internal error", 405, err, nil)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -75,19 +74,19 @@ func (e mainEnv) userReqList(w http.ResponseWriter, r *http.Request, ps httprout
func (e mainEnv) userReqGet(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
request := ps.ByName("request")
event := audit.CreateAuditEvent("get user request by request token", request, "request", request)
event := CreateAuditEvent("get user request by request token", request, "request", request)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if utils.EnforceUUID(w, request, event) == false {
if EnforceUUID(w, request, event) == false {
return
}
requestInfo, err := e.db.getRequest(request)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, nil)
ReturnError(w, r, "internal error", 405, err, nil)
return
}
if len(requestInfo) == 0 {
utils.ReturnError(w, r, "not found", 405, err, event)
ReturnError(w, r, "not found", 405, err, event)
return
}
var resultJSON []byte
@@ -106,7 +105,7 @@ func (e mainEnv) userReqGet(w http.ResponseWriter, r *http.Request, ps httproute
}
userBSON, err := e.db.lookupUserRecord(userTOKEN)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if len(appName) > 0 {
@@ -118,11 +117,11 @@ func (e mainEnv) userReqGet(w http.ResponseWriter, r *http.Request, ps httproute
resultJSON, err = e.db.getUserJSON(userTOKEN)
}
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if resultJSON == nil {
utils.ReturnError(w, r, "not found", 405, err, event)
ReturnError(w, r, "not found", 405, err, event)
return
}
//fmt.Printf("Full json: %s\n", resultJSON)
@@ -141,7 +140,7 @@ func (e mainEnv) userReqGet(w http.ResponseWriter, r *http.Request, ps httproute
if value, ok := requestInfo["change"]; ok {
change := value.(string)
//recBson := bson.M{}
if len(change) > 0 {
if len(change) > 0 {
change2, _ := e.db.userDecrypt(userBSON, change)
//log.Printf("change: %s", change2)
requestInfo["change"] = change2
@@ -155,10 +154,10 @@ func (e mainEnv) userReqGet(w http.ResponseWriter, r *http.Request, ps httproute
func (e mainEnv) userReqApprove(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
request := ps.ByName("request")
event := audit.CreateAuditEvent("approve user request", request, "request", request)
event := CreateAuditEvent("approve user request", request, "request", request)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if utils.EnforceUUID(w, request, event) == false {
if EnforceUUID(w, request, event) == false {
return
}
authResult := e.EnforceAdmin(w, r, event)
@@ -167,17 +166,17 @@ func (e mainEnv) userReqApprove(w http.ResponseWriter, r *http.Request, ps httpr
}
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
reason := utils.GetStringValue(postData["reason"])
requestInfo, err := e.db.getRequest(request)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if len(requestInfo) == 0 {
utils.ReturnError(w, r, "not found", 405, err, event)
ReturnError(w, r, "not found", 405, err, event)
return
}
userTOKEN := utils.GetStringValue(requestInfo["token"])
@@ -187,16 +186,16 @@ func (e mainEnv) userReqApprove(w http.ResponseWriter, r *http.Request, ps httpr
action := utils.GetStringValue(requestInfo["action"])
status := utils.GetStringValue(requestInfo["status"])
if status != "open" {
utils.ReturnError(w, r, "wrong status: "+status, 405, err, event)
ReturnError(w, r, "wrong status: "+status, 405, err, event)
return
}
userJSON, userBSON, err := e.db.getUser(userTOKEN)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if userJSON == nil {
utils.ReturnError(w, r, "not found", 405, err, event)
ReturnError(w, r, "not found", 405, err, event)
return
}
if value, ok := requestInfo["change"]; ok {
@@ -221,7 +220,7 @@ func (e mainEnv) userReqApprove(w http.ResponseWriter, r *http.Request, ps httpr
event.Msg = "failed to delete"
}
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
notifyURL := e.conf.Notification.NotificationURL
@@ -229,11 +228,11 @@ func (e mainEnv) userReqApprove(w http.ResponseWriter, r *http.Request, ps httpr
} else if action == "change-profile" {
oldJSON, newJSON, lookupErr, err := e.db.updateUserRecord(requestInfo["change"].([]uint8), userTOKEN, userBSON, event, e.conf)
if lookupErr {
utils.ReturnError(w, r, "internal error", 405, errors.New("not found"), event)
ReturnError(w, r, "internal error", 405, errors.New("not found"), event)
return
}
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
utils.ReturnUUID(w, userTOKEN)
@@ -243,7 +242,7 @@ func (e mainEnv) userReqApprove(w http.ResponseWriter, r *http.Request, ps httpr
app := requestInfo["app"].(string)
_, err = e.db.updateAppRecord(requestInfo["change"].([]uint8), userTOKEN, userBSON, app, event, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
} else if action == "agreement-withdraw" {
@@ -261,25 +260,25 @@ func (e mainEnv) userReqApprove(w http.ResponseWriter, r *http.Request, ps httpr
func (e mainEnv) userReqCancel(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
request := ps.ByName("request")
event := audit.CreateAuditEvent("cancel user request", request, "request", request)
event := CreateAuditEvent("cancel user request", request, "request", request)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if utils.EnforceUUID(w, request, event) == false {
if EnforceUUID(w, request, event) == false {
return
}
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
reason := utils.GetStringValue(postData["reason"])
requestInfo, err := e.db.getRequest(request)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if len(requestInfo) == 0 {
utils.ReturnError(w, r, "not found", 405, err, event)
ReturnError(w, r, "not found", 405, err, event)
return
}
userTOKEN := utils.GetStringValue(requestInfo["token"])
@@ -291,16 +290,16 @@ func (e mainEnv) userReqCancel(w http.ResponseWriter, r *http.Request, ps httpro
return
}
if requestInfo["status"].(string) != "open" {
utils.ReturnError(w, r, "wrong status: "+requestInfo["status"].(string), 405, err, event)
ReturnError(w, r, "wrong status: "+requestInfo["status"].(string), 405, err, event)
return
}
resultJSON, err := e.db.getUserJSON(userTOKEN)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if resultJSON == nil {
utils.ReturnError(w, r, "not found", 405, err, event)
ReturnError(w, r, "not found", 405, err, event)
return
}
if len(reason) == 0 && authResult == "login" {

45
src/sessions_api.go
View File

@@ -9,21 +9,20 @@ import (
uuid "github.com/hashicorp/go-uuid"
"github.com/julienschmidt/httprouter"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/storage"
"github.com/securitybunker/databunker/src/utils"
)
func (e mainEnv) sessionCreate(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
session := ps.ByName("session")
var event *audit.AuditEvent
var event *AuditEvent
defer func() {
if event != nil {
SaveAuditEvent(event, e.db, e.conf)
}
}()
if utils.EnforceUUID(w, session, event) == false {
//utils.ReturnError(w, r, "bad session format", nil, event)
if EnforceUUID(w, session, event) == false {
//ReturnError(w, r, "bad session format", nil, event)
return
}
if e.EnforceAdmin(w, r, event) == "" {
@@ -31,11 +30,11 @@ func (e mainEnv) sessionCreate(w http.ResponseWriter, r *http.Request, ps httpro
}
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
if len(postData) == 0 {
utils.ReturnError(w, r, "empty body", 405, nil, event)
ReturnError(w, r, "empty body", 405, nil, event)
return
}
expiration := utils.SetExpiration(e.conf.Policy.MaxSessionRetentionPeriod, postData["expiration"])
@@ -60,23 +59,23 @@ func (e mainEnv) sessionCreate(w http.ResponseWriter, r *http.Request, ps httpro
userBson, err = e.db.lookupUserRecord(userToken)
}
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
userTOKEN := ""
if userBson != nil {
event = audit.CreateAuditEvent("create session", session, "session", session)
event = CreateAuditEvent("create session", session, "session", session)
userTOKEN = utils.GetUuidString(userBson["token"])
event.Record = userTOKEN
}
jsonData, err := json.Marshal(postData)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
session, err = e.db.createSessionRecord(session, userTOKEN, expiration, jsonData)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -86,10 +85,10 @@ func (e mainEnv) sessionCreate(w http.ResponseWriter, r *http.Request, ps httpro
func (e mainEnv) sessionDelete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
session := ps.ByName("session")
event := audit.CreateAuditEvent("delete session", session, "session", session)
event := CreateAuditEvent("delete session", session, "session", session)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if utils.EnforceUUID(w, session, event) == false {
//utils.ReturnError(w, r, "bad session format", nil, event)
if EnforceUUID(w, session, event) == false {
//ReturnError(w, r, "bad session format", nil, event)
return
}
if e.EnforceAdmin(w, r, event) == "" {
@@ -105,7 +104,7 @@ func (e mainEnv) sessionDelete(w http.ResponseWriter, r *http.Request, ps httpro
func (e mainEnv) sessionNewOld(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("create user session by "+mode, identity, mode, identity)
event := CreateAuditEvent("create user session by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -114,11 +113,11 @@ func (e mainEnv) sessionNewOld(w http.ResponseWriter, r *http.Request, ps httpro
}
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
if len(postData) == 0 {
utils.ReturnError(w, r, "empty body", 405, nil, event)
ReturnError(w, r, "empty body", 405, nil, event)
return
}
expirationStr := utils.GetStringValue(postData["expiration"])
@@ -126,17 +125,17 @@ func (e mainEnv) sessionNewOld(w http.ResponseWriter, r *http.Request, ps httpro
log.Printf("Record expiration: %d", expiration)
jsonData, err := json.Marshal(postData)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
sessionUUID, err := uuid.GenerateUUID()
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
sessionID, err := e.db.createSessionRecord(sessionUUID, userTOKEN, expiration, jsonData)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -147,7 +146,7 @@ func (e mainEnv) sessionNewOld(w http.ResponseWriter, r *http.Request, ps httpro
func (e mainEnv) sessionList(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("get all user sessions", identity, mode, identity)
event := CreateAuditEvent("get all user sessions", identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -167,7 +166,7 @@ func (e mainEnv) sessionList(w http.ResponseWriter, r *http.Request, ps httprout
}
records, count, err := e.db.getUserSessionsByToken(userTOKEN, offset, limit)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
data := strings.Join(records, ",")
@@ -178,7 +177,7 @@ func (e mainEnv) sessionList(w http.ResponseWriter, r *http.Request, ps httprout
func (e mainEnv) sessionGet(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
session := ps.ByName("session")
event := audit.CreateAuditEvent("get session", session, "session", session)
event := CreateAuditEvent("get session", session, "session", session)
defer func() {
if event != nil {
SaveAuditEvent(event, e.db, e.conf)
@@ -190,7 +189,7 @@ func (e mainEnv) sessionGet(w http.ResponseWriter, r *http.Request, ps httproute
e.db.store.DeleteExpired(storage.TblName.Sessions, "token", userTOKEN)
}
if err != nil {
utils.ReturnError(w, r, err.Error(), 405, err, event)
ReturnError(w, r, err.Error(), 405, err, event)
return
}

19
src/sharedrecords_api.go
View File

@@ -8,7 +8,6 @@ import (
"strings"
"github.com/julienschmidt/httprouter"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/utils"
"github.com/tidwall/gjson"
)
@@ -16,7 +15,7 @@ import (
func (e mainEnv) sharedRecordCreate(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("create shareable record by "+mode, identity, "token", identity)
event := CreateAuditEvent("create shareable record by "+mode, identity, "token", identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -25,7 +24,7 @@ func (e mainEnv) sharedRecordCreate(w http.ResponseWriter, r *http.Request, ps h
}
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
fields := utils.GetStringValue(postData["fields"])
@@ -35,13 +34,13 @@ func (e mainEnv) sharedRecordCreate(w http.ResponseWriter, r *http.Request, ps h
if len(appName) > 0 {
appName = strings.ToLower(appName)
if utils.CheckValidApp(appName) == false {
utils.ReturnError(w, r, "unknown app name", 405, nil, event)
ReturnError(w, r, "unknown app name", 405, nil, event)
}
}
expiration := utils.SetExpiration(e.conf.Policy.MaxShareableRecordRetentionPeriod, postData["expiration"])
recordUUID, err := e.db.saveSharedRecord(userTOKEN, fields, expiration, session, appName, partner, e.conf)
if err != nil {
utils.ReturnError(w, r, err.Error(), 405, err, event)
ReturnError(w, r, err.Error(), 405, err, event)
return
}
event.Record = userTOKEN
@@ -53,10 +52,10 @@ func (e mainEnv) sharedRecordCreate(w http.ResponseWriter, r *http.Request, ps h
func (e mainEnv) sharedRecordGet(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
record := ps.ByName("record")
event := audit.CreateAuditEvent("get shareable record by token", record, "record", record)
event := CreateAuditEvent("get shareable record by token", record, "record", record)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if utils.EnforceUUID(w, record, event) == false {
if EnforceUUID(w, record, event) == false {
return
}
recordInfo, err := e.db.getSharedRecord(record)
@@ -76,7 +75,7 @@ func (e mainEnv) sharedRecordGet(w http.ResponseWriter, r *http.Request, ps http
if len(recordInfo.token) > 0 {
userBSON, err := e.db.lookupUserRecord(recordInfo.token)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
resultJSON, err = e.db.getUserApp(recordInfo.token, userBSON, recordInfo.appName, e.conf)
@@ -87,11 +86,11 @@ func (e mainEnv) sharedRecordGet(w http.ResponseWriter, r *http.Request, ps http
resultJSON, err = e.db.getUserJSON(recordInfo.token)
}
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if resultJSON == nil {
utils.ReturnError(w, r, "not found", 405, err, event)
ReturnError(w, r, "not found", 405, err, event)
return
}
//log.Printf("Full json: %s\n", resultJSON)

51
src/userapps_api.go
View File

@@ -7,7 +7,6 @@ import (
"strings"
"github.com/julienschmidt/httprouter"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/utils"
)
@@ -15,7 +14,7 @@ func (e mainEnv) userappCreate(w http.ResponseWriter, r *http.Request, ps httpro
appName := strings.ToLower(ps.ByName("appname"))
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditAppEvent("create user app record by "+mode, identity, appName, mode, identity)
event := CreateAuditAppEvent("create user app record by "+mode, identity, appName, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, userBSON, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -24,30 +23,30 @@ func (e mainEnv) userappCreate(w http.ResponseWriter, r *http.Request, ps httpro
}
if utils.CheckValidApp(appName) == false {
utils.ReturnError(w, r, "bad appname", 405, nil, event)
ReturnError(w, r, "bad appname", 405, nil, event)
return
}
if e.db.store.ValidateNewApp("app_"+appName) == false {
utils.ReturnError(w, r, "db limitation", 405, nil, event)
ReturnError(w, r, "db limitation", 405, nil, event)
return
}
postData, err := utils.GetJSONPostMap(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
if len(postData) == 0 {
utils.ReturnError(w, r, "empty body", 405, nil, event)
ReturnError(w, r, "empty body", 405, nil, event)
return
}
jsonData, err := json.Marshal(postData)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
_, err = e.db.createAppRecord(jsonData, userTOKEN, userBSON, appName, event, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
utils.ReturnUUID(w, userTOKEN)
@@ -58,7 +57,7 @@ func (e mainEnv) userappChange(w http.ResponseWriter, r *http.Request, ps httpro
appName := strings.ToLower(ps.ByName("appname"))
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditAppEvent("change user app record by "+mode, identity, appName, mode, identity)
event := CreateAuditAppEvent("change user app record by "+mode, identity, appName, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, userBSON, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -68,32 +67,32 @@ func (e mainEnv) userappChange(w http.ResponseWriter, r *http.Request, ps httpro
authResult := e.EnforceAuth(w, r, event)
if utils.CheckValidApp(appName) == false {
utils.ReturnError(w, r, "bad appname", 405, nil, event)
ReturnError(w, r, "bad appname", 405, nil, event)
return
}
jsonData, err := utils.GetJSONPostData(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
if jsonData == nil {
utils.ReturnError(w, r, "empty body", 405, nil, event)
ReturnError(w, r, "empty body", 405, nil, event)
return
}
// make sure userapp exists
// resultJSON, err := e.db.getUserApp(userTOKEN, userBSON, appName, e.conf)
// if err != nil {
// utils.ReturnError(w, r, "internal error", 405, err, event)
// ReturnError(w, r, "internal error", 405, err, event)
// return
// }
// if resultJSON == nil {
// utils.ReturnError(w, r, "not found", 405, nil, event)
// ReturnError(w, r, "not found", 405, nil, event)
// return
// }
if authResult != "login" {
_, err = e.db.updateAppRecord(jsonData, userTOKEN, userBSON, appName, event, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
utils.ReturnUUID(w, userTOKEN)
@@ -104,7 +103,7 @@ func (e mainEnv) userappChange(w http.ResponseWriter, r *http.Request, ps httpro
if utils.StringPatternMatch(strings.ToLower(name), appName) {
_, err = e.db.updateAppRecord(jsonData, userTOKEN, userBSON, appName, event, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
utils.ReturnUUID(w, userTOKEN)
@@ -114,7 +113,7 @@ func (e mainEnv) userappChange(w http.ResponseWriter, r *http.Request, ps httpro
}
rtoken, rstatus, err := e.db.saveUserRequest("change-app-data", userTOKEN, userBSON, appName, "", jsonData, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -125,7 +124,7 @@ func (e mainEnv) userappChange(w http.ResponseWriter, r *http.Request, ps httpro
func (e mainEnv) userappList(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("get user app list by "+mode, identity, mode, identity)
event := CreateAuditEvent("get user app list by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -135,7 +134,7 @@ func (e mainEnv) userappList(w http.ResponseWriter, r *http.Request, ps httprout
result, err := e.db.listUserApps(userTOKEN, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -147,7 +146,7 @@ func (e mainEnv) userappGet(w http.ResponseWriter, r *http.Request, ps httproute
appName := strings.ToLower(ps.ByName("appname"))
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditAppEvent("get user app record by "+mode, identity, appName, mode, identity)
event := CreateAuditAppEvent("get user app record by "+mode, identity, appName, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, userBSON, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -155,16 +154,16 @@ func (e mainEnv) userappGet(w http.ResponseWriter, r *http.Request, ps httproute
return
}
if utils.CheckValidApp(appName) == false {
utils.ReturnError(w, r, "bad appname", 405, nil, event)
ReturnError(w, r, "bad appname", 405, nil, event)
return
}
resultJSON, err := e.db.getUserApp(userTOKEN, userBSON, appName, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if resultJSON == nil {
utils.ReturnError(w, r, "not found", 405, nil, event)
ReturnError(w, r, "not found", 405, nil, event)
return
}
finalJSON := fmt.Sprintf(`{"status":"ok","token":"%s","data":%s}`, userTOKEN, resultJSON)
@@ -177,7 +176,7 @@ func (e mainEnv) userappDelete(w http.ResponseWriter, r *http.Request, ps httpro
appName := strings.ToLower(ps.ByName("appname"))
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditAppEvent("delete user app record by "+mode, identity, appName, mode, identity)
event := CreateAuditAppEvent("delete user app record by "+mode, identity, appName, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, _, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -186,7 +185,7 @@ func (e mainEnv) userappDelete(w http.ResponseWriter, r *http.Request, ps httpro
}
if utils.CheckValidApp(appName) == false {
utils.ReturnError(w, r, "bad appname", 405, nil, event)
ReturnError(w, r, "bad appname", 405, nil, event)
return
}
e.db.deleteUserApp(userTOKEN, appName, e.conf)
@@ -203,7 +202,7 @@ func (e mainEnv) userappListNames(w http.ResponseWriter, r *http.Request, ps htt
}
result, err := e.db.listAllApps(e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, nil)
ReturnError(w, r, "internal error", 405, err, nil)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")

5
src/userapps_db.go
View File

@@ -8,7 +8,6 @@ import (
"strings"
jsonpatch "github.com/evanphx/json-patch"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/storage"
"github.com/securitybunker/databunker/src/utils"
"go.mongodb.org/mongo-driver/bson"
@@ -55,7 +54,7 @@ func (dbobj dbcon) deleteUserApps(userTOKEN string, conf Config) {
}
}
func (dbobj dbcon) createAppRecord(jsonData []byte, userTOKEN string, userBSON map[string]interface{}, appName string, event *audit.AuditEvent, conf Config) (string, error) {
func (dbobj dbcon) createAppRecord(jsonData []byte, userTOKEN string, userBSON map[string]interface{}, appName string, event *AuditEvent, conf Config) (string, error) {
appNameFull := "app_" + appName
//log.Printf("Going to create app record: %s\n", appName)
encodedStr, err := dbobj.userEncrypt(userBSON, jsonData)
@@ -104,7 +103,7 @@ func (dbobj dbcon) createAppRecord(jsonData []byte, userTOKEN string, userBSON m
return userTOKEN, err
}
func (dbobj dbcon) updateAppRecord(jsonDataPatch []byte, userTOKEN string, userBSON map[string]interface{}, appName string, event *audit.AuditEvent, conf Config) (string, error) {
func (dbobj dbcon) updateAppRecord(jsonDataPatch []byte, userTOKEN string, userBSON map[string]interface{}, appName string, event *AuditEvent, conf Config) (string, error) {
//_, err = collection.InsertOne(context.TODO(), bson.M{"name": "The Go Language2", "genre": "Coding", "authorId": "4"})
appNameFull := "app_" + appName
// get user key

77
src/users_api.go
View File

@@ -7,13 +7,12 @@ import (
"net/http"
"github.com/julienschmidt/httprouter"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/storage"
"github.com/securitybunker/databunker/src/utils"
)
func (e mainEnv) userCreate(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
event := audit.CreateAuditEvent("create user record", "", "", "")
event := CreateAuditEvent("create user record", "", "", "")
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if e.conf.Generic.CreateUserWithoutAccessToken == false {
@@ -25,60 +24,60 @@ func (e mainEnv) userCreate(w http.ResponseWriter, r *http.Request, ps httproute
}
userJSON, err := utils.GetUserJSONStruct(r, e.conf.Sms.DefaultCountry)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
if len(userJSON.JsonData) == 0 {
utils.ReturnError(w, r, "empty request body", 405, nil, event)
ReturnError(w, r, "empty request body", 405, nil, event)
return
}
err = validateUserRecord(userJSON.JsonData)
if err != nil {
utils.ReturnError(w, r, "user schema error: "+err.Error(), 405, err, event)
ReturnError(w, r, "user schema error: "+err.Error(), 405, err, event)
return
}
// make sure that login, email and phone are unique
if len(userJSON.LoginIdx) > 0 {
otherUserBson, err := e.db.lookupUserRecordByIndex("login", userJSON.LoginIdx, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if otherUserBson != nil {
utils.ReturnError(w, r, "duplicate index: login", 405, nil, event)
ReturnError(w, r, "duplicate index: login", 405, nil, event)
return
}
}
if len(userJSON.EmailIdx) > 0 {
otherUserBson, err := e.db.lookupUserRecordByIndex("email", userJSON.EmailIdx, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if otherUserBson != nil {
utils.ReturnError(w, r, "duplicate index: email", 405, nil, event)
ReturnError(w, r, "duplicate index: email", 405, nil, event)
return
}
}
if len(userJSON.PhoneIdx) > 0 {
otherUserBson, err := e.db.lookupUserRecordByIndex("phone", userJSON.PhoneIdx, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if otherUserBson != nil {
utils.ReturnError(w, r, "duplicate index: phone", 405, nil, event)
ReturnError(w, r, "duplicate index: phone", 405, nil, event)
return
}
}
if len(userJSON.CustomIdx) > 0 {
otherUserBson, err := e.db.lookupUserRecordByIndex("custom", userJSON.CustomIdx, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if otherUserBson != nil {
utils.ReturnError(w, r, "duplicate index: custom", 405, nil, event)
ReturnError(w, r, "duplicate index: custom", 405, nil, event)
return
}
}
@@ -86,13 +85,13 @@ func (e mainEnv) userCreate(w http.ResponseWriter, r *http.Request, ps httproute
len(userJSON.EmailIdx) == 0 &&
len(userJSON.PhoneIdx) == 0 &&
len(userJSON.CustomIdx) == 0 {
utils.ReturnError(w, r, "failed to create user, all user lookup fields are missing", 405, err, event)
ReturnError(w, r, "failed to create user, all user lookup fields are missing", 405, err, event)
return
}
userTOKEN, err := e.db.createUserRecord(userJSON, event)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
encPhoneIdx := ""
@@ -125,7 +124,7 @@ func (e mainEnv) userCreate(w http.ResponseWriter, r *http.Request, ps httproute
func (e mainEnv) userGet(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("get user record by "+mode, identity, mode, identity)
event := CreateAuditEvent("get user record by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, userBSON, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -137,7 +136,7 @@ func (e mainEnv) userGet(w http.ResponseWriter, r *http.Request, ps httprouter.P
resultJSON = []byte("{}")
}
// if resultJSON == nil {
// utils.ReturnError(w, r, "record not found", 405, nil, event)
// ReturnError(w, r, "record not found", 405, nil, event)
// return
// }
finalJSON := fmt.Sprintf(`{"status":"ok","token":"%s","data":%s}`, userTOKEN, resultJSON)
@@ -151,7 +150,7 @@ func (e mainEnv) userGet(w http.ResponseWriter, r *http.Request, ps httprouter.P
func (e mainEnv) userChange(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("change user record by "+mode, identity, mode, identity)
event := CreateAuditEvent("change user record by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
userTOKEN, userBSON, _ := e.getUserToken(w, r, mode, identity, event, true)
@@ -160,17 +159,17 @@ func (e mainEnv) userChange(w http.ResponseWriter, r *http.Request, ps httproute
}
userJSON, _ := e.db.userProfileDecrypt(userBSON)
if userJSON == nil {
utils.ReturnError(w, r, "user record not found", 405, nil, event)
ReturnError(w, r, "user record not found", 405, nil, event)
return
}
postData, err := utils.GetJSONPostData(r)
if err != nil {
utils.ReturnError(w, r, "failed to decode request body", 405, err, event)
ReturnError(w, r, "failed to decode request body", 405, err, event)
return
}
if postData == nil {
utils.ReturnError(w, r, "empty request body", 405, nil, event)
ReturnError(w, r, "empty request body", 405, nil, event)
return
}
@@ -182,7 +181,7 @@ func (e mainEnv) userChange(w http.ResponseWriter, r *http.Request, ps httproute
if UserSchemaEnabled() {
adminRecordChanged, err = e.db.validateUserRecordChange(userJSON, postData, userTOKEN, authResult)
if err != nil {
utils.ReturnError(w, r, "schema validation error: "+err.Error(), 405, err, event)
ReturnError(w, r, "schema validation error: "+err.Error(), 405, err, event)
return
}
}
@@ -191,7 +190,7 @@ func (e mainEnv) userChange(w http.ResponseWriter, r *http.Request, ps httproute
if e.conf.SelfService.UserRecordChange == false || adminRecordChanged == true {
rtoken, rstatus, err := e.db.saveUserRequest("change-profile", userTOKEN, userBSON, "", "", postData, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -202,11 +201,11 @@ func (e mainEnv) userChange(w http.ResponseWriter, r *http.Request, ps httproute
}
oldJSON, newJSON, lookupErr, err := e.db.updateUserRecord(postData, userTOKEN, userBSON, event, e.conf)
if lookupErr {
utils.ReturnError(w, r, "record not found", 405, errors.New("record not found"), event)
ReturnError(w, r, "record not found", 405, errors.New("record not found"), event)
return
}
if err != nil {
utils.ReturnError(w, r, "error updating user", 405, err, event)
ReturnError(w, r, "error updating user", 405, err, event)
return
}
utils.ReturnUUID(w, userTOKEN)
@@ -218,7 +217,7 @@ func (e mainEnv) userChange(w http.ResponseWriter, r *http.Request, ps httproute
func (e mainEnv) userDelete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("delete user record by "+mode, identity, mode, identity)
event := CreateAuditEvent("delete user record by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
strictCheck := true
@@ -244,7 +243,7 @@ func (e mainEnv) userDelete(w http.ResponseWriter, r *http.Request, ps httproute
fmt.Fprintf(w, `{"status":"ok","result":"done"}`)
return
}
utils.ReturnError(w, r, "record not found", 405, nil, event)
ReturnError(w, r, "record not found", 405, nil, event)
return
}
@@ -253,7 +252,7 @@ func (e mainEnv) userDelete(w http.ResponseWriter, r *http.Request, ps httproute
if e.conf.SelfService.ForgetMe == false {
rtoken, rstatus, err := e.db.saveUserRequest("forget-me", userTOKEN, userBSON, "", "", nil, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -265,7 +264,7 @@ func (e mainEnv) userDelete(w http.ResponseWriter, r *http.Request, ps httproute
// decrypt user!
userJSON, err := e.db.userProfileDecrypt(userBSON)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if userJSON == nil {
@@ -279,7 +278,7 @@ func (e mainEnv) userDelete(w http.ResponseWriter, r *http.Request, ps httproute
//fmt.Printf("deleting user %s\n", userTOKEN)
_, err = e.db.deleteUserRecord(userJSON, userTOKEN, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -294,7 +293,7 @@ func (e mainEnv) userPrelogin(w http.ResponseWriter, r *http.Request, ps httprou
code := ps.ByName("code")
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("user prelogin by "+mode, identity, mode, identity)
event := CreateAuditEvent("user prelogin by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
code0, err := decryptCaptcha(captcha)
@@ -305,12 +304,12 @@ func (e mainEnv) userPrelogin(w http.ResponseWriter, r *http.Request, ps httprou
return
}
if mode != "phone" && mode != "email" {
utils.ReturnError(w, r, "bad mode", 405, nil, event)
ReturnError(w, r, "bad mode", 405, nil, event)
return
}
userBson, err := e.db.lookupUserRecordByIndex(mode, identity, e.conf)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
if userBson != nil {
@@ -332,7 +331,7 @@ func (e mainEnv) userPrelogin(w http.ResponseWriter, r *http.Request, ps httprou
if mode == "email" {
//notifyURL := e.conf.Notification.NotificationURL
//notifyBadLogin(notifyURL, mode, identity)
//utils.ReturnError(w, r, "record not found", 405, errors.New("record not found"), event)
//ReturnError(w, r, "record not found", 405, errors.New("record not found"), event)
captcha, _ := generateCaptcha()
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.WriteHeader(403)
@@ -350,17 +349,17 @@ func (e mainEnv) userLogin(w http.ResponseWriter, r *http.Request, ps httprouter
tmp := utils.Atoi(ps.ByName("tmp"))
identity := ps.ByName("identity")
mode := ps.ByName("mode")
event := audit.CreateAuditEvent("user login by "+mode, identity, mode, identity)
event := CreateAuditEvent("user login by "+mode, identity, mode, identity)
defer func() { SaveAuditEvent(event, e.db, e.conf) }()
if mode != "phone" && mode != "email" {
utils.ReturnError(w, r, "bad mode", 405, nil, event)
ReturnError(w, r, "bad mode", 405, nil, event)
return
}
userBson, err := e.db.lookupUserRecordByIndex(mode, identity, e.conf)
if userBson == nil || err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
@@ -376,7 +375,7 @@ func (e mainEnv) userLogin(w http.ResponseWriter, r *http.Request, ps httprouter
xtoken, hashedToken, err := e.db.genUserLoginXtoken(userTOKEN)
//fmt.Printf("generate user access token: %s\n", xtoken)
if err != nil {
utils.ReturnError(w, r, "internal error", 405, err, event)
ReturnError(w, r, "internal error", 405, err, event)
return
}
event.Msg = "generated: " + hashedToken
@@ -385,5 +384,5 @@ func (e mainEnv) userLogin(w http.ResponseWriter, r *http.Request, ps httprouter
fmt.Fprintf(w, `{"status":"ok","xtoken":"%s","token":"%s"}`, xtoken, userTOKEN)
return
}
utils.ReturnError(w, r, "internal error", 405, nil, event)
ReturnError(w, r, "internal error", 405, nil, event)
}

7
src/users_db.go
View File

@@ -11,13 +11,12 @@ import (
jsonpatch "github.com/evanphx/json-patch"
uuid "github.com/hashicorp/go-uuid"
"github.com/securitybunker/databunker/src/audit"
"github.com/securitybunker/databunker/src/storage"
"github.com/securitybunker/databunker/src/utils"
"go.mongodb.org/mongo-driver/bson"
)
func (dbobj dbcon) createUserRecord(parsedData utils.UserJSONStruct, event *audit.AuditEvent) (string, error) {
func (dbobj dbcon) createUserRecord(parsedData utils.UserJSONStruct, event *AuditEvent) (string, error) {
//var bdoc interface{}
bdoc := bson.M{}
userTOKEN, err := uuid.GenerateUUID()
@@ -139,7 +138,7 @@ func (dbobj dbcon) validateUserRecordChange(oldUserJSON []byte, jsonDataPatch []
return validateUserRecordChange(oldUserJSON, newJSON, authResult)
}
func (dbobj dbcon) updateUserRecord(jsonDataPatch []byte, userTOKEN string, userBSON bson.M, event *audit.AuditEvent, conf Config) ([]byte, []byte, bool, error) {
func (dbobj dbcon) updateUserRecord(jsonDataPatch []byte, userTOKEN string, userBSON bson.M, event *AuditEvent, conf Config) ([]byte, []byte, bool, error) {
oldJSON, newJSON, lookupErr, err := dbobj.updateUserRecordDo(jsonDataPatch, userTOKEN, userBSON, event, conf)
if lookupErr == true {
return oldJSON, newJSON, lookupErr, err
@@ -162,7 +161,7 @@ func (dbobj dbcon) updateUserRecord(jsonDataPatch []byte, userTOKEN string, user
return nil, nil, false, err
}
func (dbobj dbcon) updateUserRecordDo(jsonDataPatch []byte, userTOKEN string, oldUserBson bson.M, event *audit.AuditEvent, conf Config) ([]byte, []byte, bool, error) {
func (dbobj dbcon) updateUserRecordDo(jsonDataPatch []byte, userTOKEN string, oldUserBson bson.M, event *AuditEvent, conf Config) ([]byte, []byte, bool, error) {
// get user key
userKey := oldUserBson["key"].(string)