Skip to content

Commit 5e7fe30

Browse files
frikkyfrikky
authored
Merge pull request #299 from Shuffle/revert-294-0x0elliot/encrypt-apikey-session
Revert "fix: encrypting api key + session on the fly"
2 parents 8b8166b + ef1231b commit 5e7fe30

File tree

3 files changed

+67
-355
lines changed

3 files changed

+67
-355
lines changed

db-connector.go

Lines changed: 43 additions & 100 deletions
Original file line numberDiff line numberDiff line change
@@ -4220,10 +4220,6 @@ func GetOrg(ctx context.Context, id string) (*Org, error) {
42204220
}
42214221

42224222
func init() {
4223-
// Skip import path check in test mode
4224-
if os.Getenv("SHUFFLE_TEST_MODE") == "true" {
4225-
return
4226-
}
42274223

42284224
isValid := checkImportPath()
42294225
if !isValid {
@@ -4905,13 +4901,14 @@ func DeleteKey(ctx context.Context, entity string, value string) error {
49054901

49064902
// Index = Username
49074903
func SetApikey(ctx context.Context, Userdata User) error {
4908-
log.Printf("[AUDIT] Setting API key %s", Userdata.ApiKey)
49094904

4905+
// Non indexed User data
49104906
newapiUser := new(Userapi)
4911-
newapiUser.Username = strings.ToLower(Userdata.Username)
49124907
newapiUser.ApiKey = Userdata.ApiKey
4908+
newapiUser.Username = strings.ToLower(Userdata.Username)
49134909
nameKey := "apikey"
49144910

4911+
// New struct, to not add body, author etc
49154912
if project.DbType == "opensearch" {
49164913
data, err := json.Marshal(Userdata)
49174914
if err != nil {
@@ -5110,7 +5107,10 @@ func GetOpenApiDatastore(ctx context.Context, id string) (ParsedOpenApi, error)
51105107
return *api, nil
51115108
}
51125109

5110+
// Index = Username
51135111
func SetSession(ctx context.Context, user User, value string) error {
5112+
//parsedKey := strings.ToLower(user.Username)
5113+
// Non indexed User data
51145114
parsedKey := user.Id
51155115
user.Session = value
51165116

@@ -6223,7 +6223,7 @@ func fixUserOrg(ctx context.Context, user *User) *User {
62236223
if !strings.Contains(err.Error(), "doesn't exist") {
62246224
log.Printf("[WARNING] Error getting org %s in fixUserOrg: %s", orgId, err)
62256225
}
6226-
6226+
62276227
return
62286228
}
62296229

@@ -9740,34 +9740,17 @@ func GetSessionNew(ctx context.Context, sessionId string) (User, error) {
97409740
}
97419741
}
97429742

9743-
sessionsToSearch := []string{sessionId}
9744-
encryptedSession, encErr := HandleKeyEncryption([]byte(sessionId), "session", true)
9745-
if encErr == nil {
9746-
sessionsToSearch = append([]string{string(encryptedSession)}, sessionsToSearch...)
9747-
} else {
9748-
log.Printf("[WARNING] Failed encrypting session: %s", encErr)
9749-
}
9750-
9743+
// Query for the specific API-key in users
97519744
nameKey := "Users"
97529745
var users []User
97539746
if project.DbType == "opensearch" {
9754-
shouldClauses := make([]map[string]interface{}, len(sessionsToSearch))
9755-
for i, sess := range sessionsToSearch {
9756-
shouldClauses[i] = map[string]interface{}{
9757-
"match": map[string]interface{}{
9758-
"session": sess,
9759-
},
9760-
}
9761-
}
9762-
97639747
var buf bytes.Buffer
97649748
query := map[string]interface{}{
97659749
"from": 0,
97669750
"size": 1000,
97679751
"query": map[string]interface{}{
9768-
"bool": map[string]interface{}{
9769-
"should": shouldClauses,
9770-
"minimum_should_match": 1,
9752+
"match": map[string]interface{}{
9753+
"session": sessionId,
97719754
},
97729755
},
97739756
}
@@ -9789,7 +9772,7 @@ func GetSessionNew(ctx context.Context, sessionId string) (User, error) {
97899772
return User{}, nil
97909773
}
97919774

9792-
log.Printf("[ERROR] Error getting response from Opensearch (get session): %s", err)
9775+
log.Printf("[ERROR] Error getting response from Opensearch (get api keys): %s", err)
97939776
return User{}, err
97949777
}
97959778

@@ -9832,38 +9815,27 @@ func GetSessionNew(ctx context.Context, sessionId string) (User, error) {
98329815

98339816
users = []User{}
98349817
for _, hit := range wrapped.Hits.Hits {
9835-
// Check if session matches any of our search keys
9836-
matched := false
9837-
for _, sess := range sessionsToSearch {
9838-
if hit.Source.Session == sess {
9839-
matched = true
9840-
break
9841-
}
9842-
}
9843-
if !matched {
9818+
if hit.Source.Session != sessionId {
98449819
continue
98459820
}
9821+
98469822
users = append(users, hit.Source)
98479823
}
98489824

98499825
} else {
9850-
// Datastore: try encrypted first, then plain (no IN filter support)
9851-
for _, sess := range sessionsToSearch {
9852-
q := datastore.NewQuery(nameKey).Filter("session =", sess).Limit(1)
9853-
_, err := project.Dbclient.GetAll(ctx, q, &users)
9854-
if err != nil && len(users) == 0 {
9855-
if !strings.Contains(err.Error(), `cannot load field`) {
9856-
continue
9857-
}
9858-
}
9859-
if len(users) > 0 {
9860-
break
9826+
//log.Printf("[DEBUG] Searching for session %s", sessionId)
9827+
q := datastore.NewQuery(nameKey).Filter("session =", sessionId).Limit(1)
9828+
_, err := project.Dbclient.GetAll(ctx, q, &users)
9829+
if err != nil && len(users) == 0 {
9830+
if !strings.Contains(err.Error(), `cannot load field`) {
9831+
log.Printf("[WARNING] Error getting session: %s", err)
9832+
return User{}, err
98619833
}
98629834
}
98639835
}
98649836

98659837
if len(users) == 0 {
9866-
return User{}, errors.New("No users found for this session")
9838+
return User{}, errors.New("No users found for this apikey (1)")
98679839
}
98689840

98699841
if project.CacheDb {
@@ -9883,34 +9855,17 @@ func GetSessionNew(ctx context.Context, sessionId string) (User, error) {
98839855
}
98849856

98859857
func GetApikey(ctx context.Context, apikey string) (User, error) {
9886-
// Build list of keys to search: encrypted (new) + plain (backwards compat)
9887-
keysToSearch := []string{apikey}
9888-
encryptedKey, encErr := HandleKeyEncryption([]byte(apikey), "apikey", true)
9889-
if encErr == nil {
9890-
keysToSearch = append([]string{string(encryptedKey)}, keysToSearch...)
9891-
}
9892-
9858+
// Query for the specific API-key in users
98939859
nameKey := "Users"
98949860
var users []User
98959861
if project.DbType == "opensearch" {
9896-
// Build OR query for both encrypted and plain apikey
9897-
shouldClauses := make([]map[string]interface{}, len(keysToSearch))
9898-
for i, key := range keysToSearch {
9899-
shouldClauses[i] = map[string]interface{}{
9900-
"match": map[string]interface{}{
9901-
"apikey": key,
9902-
},
9903-
}
9904-
}
9905-
99069862
var buf bytes.Buffer
99079863
query := map[string]interface{}{
99089864
"from": 0,
99099865
"size": 1000,
99109866
"query": map[string]interface{}{
9911-
"bool": map[string]interface{}{
9912-
"should": shouldClauses,
9913-
"minimum_should_match": 1,
9867+
"match": map[string]interface{}{
9868+
"apikey": apikey,
99149869
},
99159870
},
99169871
}
@@ -9975,32 +9930,20 @@ func GetApikey(ctx context.Context, apikey string) (User, error) {
99759930

99769931
users = []User{}
99779932
for _, hit := range wrapped.Hits.Hits {
9978-
// Check if apikey matches any of our search keys
9979-
matched := false
9980-
for _, key := range keysToSearch {
9981-
if hit.Source.ApiKey == key {
9982-
matched = true
9983-
break
9984-
}
9985-
}
9986-
if !matched {
9933+
if hit.Source.ApiKey != apikey {
99879934
continue
99889935
}
9936+
99899937
users = append(users, hit.Source)
99909938
}
99919939

99929940
} else {
9993-
// Datastore: try encrypted first, then plain (no IN filter support)
9994-
for _, key := range keysToSearch {
9995-
q := datastore.NewQuery(nameKey).Filter("apikey =", key).Limit(1)
9996-
_, err := project.Dbclient.GetAll(ctx, q, &users)
9997-
if err != nil && len(users) == 0 {
9998-
if !strings.Contains(err.Error(), `cannot load field`) {
9999-
continue
10000-
}
10001-
}
10002-
if len(users) > 0 {
10003-
break
9941+
q := datastore.NewQuery(nameKey).Filter("apikey =", apikey).Limit(1)
9942+
_, err := project.Dbclient.GetAll(ctx, q, &users)
9943+
if err != nil && len(users) == 0 {
9944+
if !strings.Contains(err.Error(), `cannot load field`) {
9945+
log.Printf("[WARNING] Error getting apikey: %s", err)
9946+
return User{}, err
100049947
}
100059948
}
100069949
}
@@ -14024,7 +13967,7 @@ func GetDatastoreKey(ctx context.Context, id string, category string) (*CacheKey
1402413967

1402513968
category = strings.ReplaceAll(strings.ToLower(category), " ", "_")
1402613969
if len(category) > 0 && category != "default" {
14027-
// FIXME: If they key itself is 'test_protected' and category
13970+
// FIXME: If they key itself is 'test_protected' and category
1402813971
// is 'protected' this breaks... Keeping it for now.
1402913972
if !strings.HasSuffix(id, fmt.Sprintf("_%s", category)) {
1403013973
id = fmt.Sprintf("%s_%s", id, category)
@@ -14284,18 +14227,18 @@ func RunInit(dbclient datastore.Client, storageClient storage.Client, gceProject
1428414227
} else {
1428514228
//log.Printf("\n\n[INFO] Should check for SSO during setup - finding main org\n\n")
1428614229
/*
14287-
orgs, err := GetAllOrgs(ctx)
14288-
if err == nil {
14289-
for _, org := range orgs {
14290-
if len(org.ManagerOrgs) == 0 && len(org.SSOConfig.SSOEntrypoint) > 0 {
14291-
log.Printf("[INFO] Set initial SSO url for logins to %s", org.SSOConfig.SSOEntrypoint)
14292-
SSOUrl = org.SSOConfig.SSOEntrypoint
14293-
break
14294-
}
14230+
orgs, err := GetAllOrgs(ctx)
14231+
if err == nil {
14232+
for _, org := range orgs {
14233+
if len(org.ManagerOrgs) == 0 && len(org.SSOConfig.SSOEntrypoint) > 0 {
14234+
log.Printf("[INFO] Set initial SSO url for logins to %s", org.SSOConfig.SSOEntrypoint)
14235+
SSOUrl = org.SSOConfig.SSOEntrypoint
14236+
break
1429514237
}
14296-
} else {
14297-
log.Printf("[WARNING] Error loading orgs: %s", err)
1429814238
}
14239+
} else {
14240+
log.Printf("[WARNING] Error loading orgs: %s", err)
14241+
}
1429914242
*/
1430014243
}
1430114244
} else {

0 commit comments

Comments
 (0)