From b8658587aa94a76c458126564264d5c478045c97 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 22 Aug 2020 20:07:37 +0000
Subject: [PATCH] finally encrypt audit who & record key in database
---
 src/audit_db.go | 18 ++++++++++++++++--
 src/conf.go | 4 ++++
 src/cryptor.go | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/src/audit_db.go b/src/audit_db.go
index 1efc75f..f0de3cc 100644
--- a/src/audit_db.go
+++ b/src/audit_db.go
@@ -44,7 +44,7 @@ func (event auditEvent) submit(db *dbcon) {
 bdoc["atoken"] = atoken
 bdoc["when"] = event.When
 if len(event.Who) > 0 {
- bdoc["who"] = event.Who
+ bdoc["who"], _ = basicStringEncrypt(event.Who, db.masterKey, db.GetCode())
 }
 if len(event.Mode) > 0 {
 bdoc["mode"] = event.Mode
@@ -53,7 +53,7 @@ func (event auditEvent) submit(db *dbcon) {
 bdoc["identity"] = event.Identity
 }
 if len(event.Record) > 0 {
- bdoc["record"] = event.Record
+ bdoc["record"], _ = basicStringEncrypt(event.Record, db.masterKey, db.GetCode())
 }
 if len(event.App) > 0 {
 bdoc["app"] = event.App
@@ -90,6 +90,7 @@ func (dbobj dbcon) getAuditEvents(userTOKEN string, offset int32, limit int32) (
 if err != nil {
 return nil, 0, err
 }
+ code := dbobj.GetCode()
 for _, element := range records {
 element["more"] = false
 if _, ok := element["before"]; ok {
@@ -104,6 +105,12 @@ func (dbobj dbcon) getAuditEvents(userTOKEN string, offset int32, limit int32) (
 element["more"] = true
 element["debug"] = ""
 }
+ if _, ok := element["record"]; ok {
+ element["record"], _ = basicStringDecrypt(element["record"].(string), dbobj.masterKey, code)
+ }
+ if _, ok := element["who"]; ok {
+ element["who"], _ = basicStringDecrypt(element["who"].(string), dbobj.masterKey, code)
+ }
 results = append(results, element)
 }
 resultJSON, err := json.Marshal(records)
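Review bot: `bdoc["who"], _ = basicStringEncrypt(event.Who, db.masterKey, db.GetCode())` discards the error, so when aes.NewCipher rejects the assembled key (masterKey plus the 8 bytes from GetCode must total 16, 24 or 32 bytes, which depends on a masterKey length not visible here) or GCM setup fails, the audit row is written with an empty "who" and nothing is logged; the hunk at -53 does the same for "record". Surface the failure explicitly, e.g. `who, err := basicStringEncrypt(event.Who, db.masterKey, db.GetCode())` / `if err != nil { log.Printf("audit who encrypt: %s", err); return }` / `bdoc["who"] = who` (submit has no return value, so an early return is possible; this assumes audit_db.go imports log — otherwise whichever error path the file already uses). GetCode() is also re-evaluated per field here, while the read paths hoist `code := dbobj.GetCode()` once; doing the same at the top of submit keeps the two sides consistent. submit begins before and ends after this hunk.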
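Review bot: `element["record"].(string)` is an unchecked type assertion, so a stored value that is not a string panics the whole getAuditEvents call, and because the decrypt error is discarded, rows written before this change (stored as plaintext) will fail base64 decoding or GCM authentication and come back as "" instead of their content. Use the two-value assertion and keep the stored value when decryption fails (or log it), e.g. `if v, ok := element["record"].(string); ok {` / `if dec, err := basicStringDecrypt(v, dbobj.masterKey, code); err == nil { element["record"] = dec }` / `}`. The same applies to the "who" branch below it and to both branches in getAdminAuditEvents (hunk at -140). getAuditEvents continues outside this hunk on both sides.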
@@ -126,6 +133,7 @@ func (dbobj dbcon) getAdminAuditEvents(offset int32, limit int32) ([]byte, int64
 if err != nil {
 return nil, 0, err
 }
+ code := dbobj.GetCode()
 for _, element := range records {
 element["more"] = false
 if _, ok := element["before"]; ok {
@@ -140,6 +148,12 @@ func (dbobj dbcon) getAdminAuditEvents(offset int32, limit int32) ([]byte, int64
 element["more"] = true
 element["debug"] = ""
 }
+ if _, ok := element["record"]; ok {
+ element["record"], _ = basicStringDecrypt(element["record"].(string), dbobj.masterKey, code)
+ }
+ if _, ok := element["who"]; ok {
+ element["who"], _ = basicStringDecrypt(element["who"].(string), dbobj.masterKey, code)
+ }
 results = append(results, element)
 }
 resultJSON, err := json.Marshal(records)
diff --git a/src/conf.go b/src/conf.go
index 03b082e..545df8d 100644
--- a/src/conf.go
+++ b/src/conf.go
@@ -70,3 +70,7 @@ func (dbobj dbcon) GlobalUserChangeEmail(oldEmail string, newEmail string) {
 // not implemented
 }
 
+func (dbobj dbcon) GetCode() []byte {
+ code := dbobj.hash[4:12]
+ return code
+}
diff --git a/src/cryptor.go b/src/cryptor.go
index db80050..4e301d8 100644
--- a/src/cryptor.go
+++ b/src/cryptor.go
@@ -4,6 +4,8 @@ import (
 "crypto/aes"
 "crypto/cipher"
 "crypto/rand"
+ "encoding/base64"
+ "log"
 "io"
 )
 
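Review bot: `code := dbobj.hash[4:12]` panics with an index-out-of-range if `hash` ever holds fewer than 12 bytes, and nothing in the hunk shows where hash is set or how long it is; if it is a fixed-length digest a one-line `// hash is a N-byte digest` comment would make the slice bounds defensible, otherwise a length guard is needed. The method is exported but has no doc comment; suggest `// GetCode returns 8 bytes of the connection hash that basicStringEncrypt and basicStringDecrypt append to the master key to form the AES key.` The returned slice also aliases `dbobj.hash`, so any caller that appends to or writes through it would mutate the hash in place; `return append([]byte(nil), dbobj.hash[4:12]...)` detaches it. The temporary `code` variable adds nothing over returning the expression directly.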
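Review bot: `"log"` is inserted ahead of `"io"`, so the import block is no longer in sorted order and gofmt or goimports will move it on the next save; put `"io"` before `"log"` now so the next unrelated commit does not carry a reorder. Nothing else in this hunk is affected.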
@@ -74,3 +76,47 @@ func encrypt(masterKey []byte, userKey []byte, plaintext []byte) ([]byte, error)
 ciphertext = append(ciphertext, nonce...)
 return ciphertext, nil
 }
+
+func basicStringEncrypt(plaintext string, masterKey []byte, code []byte) (string, error) {
+ //log.Printf("Going to encrypt %s", plaintext)
+ nonce := []byte("$DataBunker$")
+ key := append(masterKey, code...)
+ block, err := aes.NewCipher(key)
+ if err != nil {
+ log.Printf("error in aes.NewCipher %s", err)
+ return "", err
+ }
+ aesgcm, err := cipher.NewGCM(block)
+ if err != nil {
+ log.Printf("error in cipher.NewGCM: %s", err)
+ return "", err
+ }
+ ciphertext := aesgcm.Seal(nil, nonce, []byte(plaintext), nil)
+ result := base64.StdEncoding.EncodeToString(ciphertext)
+ //log.Printf("ciphertext : %s", result)
+ return result, nil
+}
+
+func basicStringDecrypt(data string, masterKey []byte, code []byte) (string, error) {
+ ciphertext, err := base64.StdEncoding.DecodeString(data)
+ if err != nil {
+ return "", err
+ }
+ nonce := []byte("$DataBunker$")
+ key := append(masterKey, code...)
+ block, err := aes.NewCipher(key)
+ if err != nil {
+ return "", err
+ }
+ aesgcm, err := cipher.NewGCM(block)
+ if err != nil {
+ return "", err
+ }
+ plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil)
+ if err != nil {
+ return "", err
+ }
+ //log.Printf("decrypt result : %s", string(plaintext))
+ return string(plaintext), err
+}
+
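Review bot: `nonce := []byte("$DataBunker$")` fixes one GCM nonce for every value sealed under the same masterKey+code, which breaks the AEAD contract that a nonce is never reused with a key; with GCM, nonce reuse gives up confidentiality of the sealed audit fields and undermines the authentication tag, so the encryption adds much less than it appears to, and it also makes equal inputs produce equal ciphertexts. `key := append(masterKey, code...)` is a second problem: if masterKey has spare capacity the append writes `code` into the caller's backing array, silently altering the key slice the rest of the program holds. The rewrite below draws a fresh random nonce per call (crypto/rand and io are already imported, and the context line `ciphertext = append(ciphertext, nonce...)` suggests the existing encrypt does likewise), stores it alongside the ciphertext, copies the key into a fresh slice, and changes basicStringDecrypt to match; this changes the stored format, so values already written with the fixed nonce would need a migration or a fallback path. Separately, the commented-out `//log.Printf("Going to encrypt %s", plaintext)` and `//log.Printf("decrypt result ...")` lines would log the unencrypted audit fields if anyone uncomments them, so they are better deleted than kept, and decrypt's `return string(plaintext), err` should return a literal `nil`.
```go
func basicStringEncrypt(plaintext string, masterKey []byte, code []byte) (string, error) {
	// Build the key in a fresh slice: append onto masterKey could write into
	// the caller's backing array when it has spare capacity.
	key := make([]byte, 0, len(masterKey)+len(code))
	key = append(append(key, masterKey...), code...)
	block, err := aes.NewCipher(key)
	if err != nil {
		log.Printf("error in aes.NewCipher %s", err)
		return "", err
	}
	aesgcm, err := cipher.NewGCM(block)
	if err != nil {
		log.Printf("error in cipher.NewGCM: %s", err)
		return "", err
	}
	// GCM requires a nonce that is never reused under the same key, so draw
	// a fresh one for every call and store it in front of the ciphertext.
	nonce := make([]byte, aesgcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aesgcm.Seal(nonce, nonce, []byte(plaintext), nil) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

func basicStringDecrypt(data string, masterKey []byte, code []byte) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return "", err
	}
	// … key assembled and cipher/GCM constructed exactly as in basicStringEncrypt …
	ns := aesgcm.NonceSize()
	if len(sealed) < ns {
		// Too short to even hold the nonce; refuse before slicing.
		return "", io.ErrUnexpectedEOF
	}
	nonce, ciphertext := sealed[:ns], sealed[ns:]
	plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(plaintext), nil
}
```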