speatzle/go-passbolt
1
0
Fork 0
mirror of https://github.com/passbolt/go-passbolt.git synced 2025-05-14 19:38:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #47 from passbolt/v5-metadata-creation

Browse source 
V5 metadata / Resource creation
This commit is contained in:
Samuel Lorch 2025-05-12 21:16:46 +02:00 committed by GitHub
commit 19bc97c9e1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 343 additions and 111 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
api/client.go
View file

@ -33,6 +33,9 @@ type Client struct {
// Server Settings Determining which Resource Types we can use // Server Settings Determining which Resource Types we can use
metadataTypeSettings MetadataTypeSettings metadataTypeSettings MetadataTypeSettings
// Server Settings Determining which Metadata Keys to use
metadataKeySettings MetadataKeySettings
// used for solving MFA challenges. You can block this to for example wait for user input. // used for solving MFA challenges. You can block this to for example wait for user input.
// You shouden't run any unrelated API Calls while you are in this callback. // You shouden't run any unrelated API Calls while you are in this callback.
// You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa // You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa
@ -212,16 +215,28 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error {
if settings.Passbolt.IsPluginEnabled("metadata") { if settings.Passbolt.IsPluginEnabled("metadata") {
c.log("Server has metadata plugin enabled, is v5 or Higher") c.log("Server has metadata plugin enabled, is v5 or Higher")
metadataTypeSettings, err := c.GetMetadataTypeSettings(ctx) metadataTypeSettings, err := c.GetServerMetadataTypeSettings(ctx)
if err != nil { if err != nil {
return fmt.Errorf("Getting Metadata Type Settings: %w", err) return fmt.Errorf("Getting Metadata Type Settings: %w", err)
} }
c.log("metadataTypeSettings: %+v", metadataTypeSettings) c.log("metadataTypeSettings: %+v", metadataTypeSettings)
c.metadataTypeSettings = *metadataTypeSettings c.metadataTypeSettings = *metadataTypeSettings
metadataKeySettings, err := c.GetServerMetadataKeySettings(ctx)
if err != nil {
return fmt.Errorf("Getting Metadata Key Settings: %w", err)
}
c.log("metadataKeySettings: %+v", metadataKeySettings)
c.metadataKeySettings = *metadataKeySettings
} else { } else {
c.log("Server has metadata plugin disabled or not installed, Server is v4") c.log("Server has metadata plugin disabled or not installed, Server is v4")
c.metadataTypeSettings = getV4DefaultMetadataTypeSettings() c.metadataTypeSettings = getV4DefaultMetadataTypeSettings()
c.metadataKeySettings = MetadataKeySettings{
AllowUsageOfPersonalKeys: true,
AllowZeroKnowledgeKeyShare: false,
}
} }
return nil return nil
} }

8
api/encryption.go
View file

@ -140,3 +140,11 @@ func (c *Client) DecryptMessageWithSessionKey(sessionKey *crypto.SessionKey, cip
return res.String(), nil return res.String(), nil
} }
func (c *Client) GetUserPrivateKeyCopy() (*crypto.Key, error) {
key, err := c.userPrivateKey.Copy()
if err != nil {
return nil, fmt.Errorf("Get Private Key Copy: %w", err)
}
return key, nil
}

3
api/metadata.go
View file

@ -6,6 +6,9 @@ import (
"github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/ProtonMail/gopenpgp/v3/crypto"
) )
const PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA = "PASSBOLT_RESOURCE_METADATA"
const PASSBOLT_OBJECT_TYPE_SECRET_DATA = "PASSBOLT_SECRET_DATA"
// ResourceMetadataTypeV5Default // ResourceMetadataTypeV5Default
type ResourceMetadataTypeV5Default struct { type ResourceMetadataTypeV5Default struct {
ObjectType string `json:"object_type"` ObjectType string `json:"object_type"`

35
api/metadata_settings.go
View file

@ -38,6 +38,12 @@ type MetadataTypeSettings struct {
AllowV4V5Downgrade bool `json:"allow_v5_v4_downgrade"` AllowV4V5Downgrade bool `json:"allow_v5_v4_downgrade"`
} }
// MetadataTypeSettings Contains the Servers Settings about which Types to use
type MetadataKeySettings struct {
AllowUsageOfPersonalKeys bool `json:"allow_usage_of_personal_keys"`
AllowZeroKnowledgeKeyShare bool `json:"zero_knowledge_key_share"`
}
func getV4DefaultMetadataTypeSettings() MetadataTypeSettings { func getV4DefaultMetadataTypeSettings() MetadataTypeSettings {
return MetadataTypeSettings{ return MetadataTypeSettings{
DefaultResourceType: PassboltAPIVersionTypeV4, DefaultResourceType: PassboltAPIVersionTypeV4,
@ -57,8 +63,13 @@ func getV4DefaultMetadataTypeSettings() MetadataTypeSettings {
} }
} }
// GetMetadataTypeSettings gets the Servers Settings about which Types to use // MetadataTypeSettings Gives the Current MetadataTypeSettings
func (c *Client) GetMetadataTypeSettings(ctx context.Context) (*MetadataTypeSettings, error) { func (c *Client) MetadataTypeSettings() MetadataTypeSettings {
return c.metadataTypeSettings
}
// GetServerMetadataTypeSettings gets the Servers Settings about which Types to use, usually you should use MetadataTypeSettings instead
func (c *Client) GetServerMetadataTypeSettings(ctx context.Context) (*MetadataTypeSettings, error) {
msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/types/settings.json", nil, nil) msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/types/settings.json", nil, nil)
if err != nil { if err != nil {
return nil, err return nil, err
@ -71,3 +82,23 @@ func (c *Client) GetMetadataTypeSettings(ctx context.Context) (*MetadataTypeSett
} }
return &metadataSettings, nil return &metadataSettings, nil
} }
// MetadataKeySettings Gives the Current MetadataKeySettings
func (c *Client) MetadataKeySettings() MetadataKeySettings {
return c.metadataKeySettings
}
// GetServerMetadataKeySettings gets the Servers Settings about which Key to use, usually you should use MetadataKeySettings instead
func (c *Client) GetServerMetadataKeySettings(ctx context.Context) (*MetadataKeySettings, error) {
msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/keys/settings.json", nil, nil)
if err != nil {
return nil, err
}
var metadataKeySettings MetadataKeySettings
err = json.Unmarshal(msg.Body, &metadataKeySettings)
if err != nil {
return nil, err
}
return &metadataKeySettings, nil
}

93
helper/metadata.go
View file

@ -11,80 +11,56 @@ import (
"github.com/santhosh-tekuri/jsonschema" "github.com/santhosh-tekuri/jsonschema"
) )
func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resource, rType api.ResourceType) (string, error) { func GetResourceMetadata(ctx context.Context, c *api.Client, resource *api.Resource, rType *api.ResourceType) (string, error) {
keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{ _, _, metadatakey, err := GetMetadataKey(ctx, c, resource.MetadataKeyType == api.MetadataKeyTypeUserKey)
ContainMetadataPrivateKeys: true,
})
if err != nil { if err != nil {
return "", fmt.Errorf("Get Metadata Key: %w", err) return "", fmt.Errorf("Get Metadata Key: %w", err)
} }
// TODO Get Key by id? // TODO should we instead get the Metadata key of this resource by id?
if len(keys) != 1 {
return "", fmt.Errorf("Not Exactly One Metadatakey Available")
}
if len(keys[0].MetadataPrivateKeys) == 0 { decMetadata, err := c.DecryptMetadata(metadatakey, resource.Metadata)
return "", fmt.Errorf("No Metadata Private key for our user")
}
if len(keys[0].MetadataPrivateKeys) > 1 {
return "", fmt.Errorf("More than 1 metadata Private key for our user")
}
var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0]
if *privMetdata.UserID != c.GetUserID() {
return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID)
}
decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data)
if err != nil {
return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
}
var data api.MetadataPrivateKeyData
err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
if err != nil {
return "", fmt.Errorf("Parse Metadata Private Key Data")
}
metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
if err != nil {
return "", fmt.Errorf("Get Metadata Private Key: %w", err)
}
decMetadata, err := c.DecryptMetadata(metadataPrivateKeyObj, resource.Metadata)
if err != nil { if err != nil {
return "", fmt.Errorf("Decrypt Metadata: %w", err) return "", fmt.Errorf("Decrypt Metadata: %w", err)
} }
err = validateMetadata(rType, string(decMetadata))
if err != nil {
return "", fmt.Errorf("Validate Metadata: %w", err)
}
return decMetadata, nil
}
func validateMetadata(rType *api.ResourceType, metadata string) error {
var schemaDefinition api.ResourceTypeSchema var schemaDefinition api.ResourceTypeSchema
err = json.Unmarshal([]byte(rType.Definition), &schemaDefinition) definition := rType.Definition
// Fallback schema
if string(definition) == "[]" || string(definition) == "\"[]\"" {
tmp, ok := api.ResourceSchemas[rType.Slug]
if !ok {
return fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug)
}
definition = tmp
}
err := json.Unmarshal([]byte(definition), &schemaDefinition)
if err != nil { if err != nil {
// Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string // Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string
if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" { if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" {
var tmp string var tmp string
err = json.Unmarshal([]byte(rType.Definition), &tmp) err = json.Unmarshal([]byte(definition), &tmp)
if err != nil { if err != nil {
return "", fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err)
}
if tmp == "[]" {
// Use The Builtin Fallback Schemas in this Case
schema, ok := api.ResourceSchemas[rType.Slug]
if !ok {
return "", fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug)
}
tmp = string(schema)
} }
err = json.Unmarshal([]byte(tmp), &schemaDefinition) err = json.Unmarshal([]byte(tmp), &schemaDefinition)
if err != nil { if err != nil {
return "", fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err)
} }
} else { } else {
return "", fmt.Errorf("Unmarshal Json Schema: %w", err) return fmt.Errorf("Unmarshal Json Schema: %w", err)
} }
} }
@ -92,18 +68,17 @@ func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resour
err = comp.AddResource("metadata.json", bytes.NewReader(schemaDefinition.Resource)) err = comp.AddResource("metadata.json", bytes.NewReader(schemaDefinition.Resource))
if err != nil { if err != nil {
return "", fmt.Errorf("Adding Json Schema: %w", err) return fmt.Errorf("Adding Json Schema: %w", err)
} }
schema, err := comp.Compile("metadata.json") schema, err := comp.Compile("metadata.json")
if err != nil { if err != nil {
return "", fmt.Errorf("Compiling Json Schema: %w", err) return fmt.Errorf("Compiling Json Schema: %w", err)
} }
err = schema.Validate(strings.NewReader(decMetadata)) err = schema.Validate(strings.NewReader(metadata))
if err != nil { if err != nil {
return "", fmt.Errorf("Validating Secret Data: %w", err) return fmt.Errorf("Validating Secret Data: %w", err)
} }
return nil
return decMetadata, nil
} }

75
helper/metadatakey.go Normal file
View file

@ -0,0 +1,75 @@
package helper
import (
"context"
"encoding/json"
"fmt"
"github.com/ProtonMail/gopenpgp/v3/crypto"
"github.com/passbolt/go-passbolt/api"
)
// GetMetadataKey gets a Metadata key, Personal indicates if the function should return the personal key,
// If personal keys have been disabled on the server then we return the shared key
// Returns the Key ID, Key Type and the Key itself
func GetMetadataKey(ctx context.Context, c *api.Client, personal bool) (string, api.MetadataKeyType, *crypto.Key, error) {
// if personal is requsted and it is allowed by the server, then return that
if personal && c.MetadataKeySettings().AllowUsageOfPersonalKeys {
key, err := c.GetUserPrivateKeyCopy()
if err != nil {
return "", "", nil, fmt.Errorf("Get User Private Key: %w", err)
}
me, err := c.GetMe(ctx)
if err != nil {
return "", "", nil, fmt.Errorf("Get User Me: %w", err)
}
if me.GPGKey == nil {
return "", "", nil, fmt.Errorf("User Me GPG Key nil")
}
return me.GPGKey.ID, api.MetadataKeyTypeUserKey, key, nil
}
keys, err := c.GetMetadataKeys(ctx, nil)
if err != nil {
return "", "", nil, fmt.Errorf("Get Metadata Key: %w", err)
}
// TODO Get Key by id?
if len(keys) != 1 {
return "", "", nil, fmt.Errorf("Not Exactly One Metadatakey Available")
}
if len(keys[0].MetadataPrivateKeys) == 0 {
return "", "", nil, fmt.Errorf("No Metadata Private key for our user")
}
if len(keys[0].MetadataPrivateKeys) > 1 {
return "", "", nil, fmt.Errorf("More than 1 metadata Private key for our user")
}
var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0]
if *privMetdata.UserID != c.GetUserID() {
return "", "", nil, fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID)
}
decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data)
if err != nil {
return "", "", nil, fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
}
var data api.MetadataPrivateKeyData
err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
if err != nil {
return "", "", nil, fmt.Errorf("Parse Metadata Private Key Data")
}
metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
if err != nil {
return "", "", nil, fmt.Errorf("Get Metadata Private Key: %w", err)
}
return keys[0].ID, api.MetadataKeyTypeSharedKey, metadataPrivateKeyObj, nil
}

115
helper/resources.go
View file

@ -8,8 +8,109 @@ import (
"github.com/passbolt/go-passbolt/api" "github.com/passbolt/go-passbolt/api"
) )
// CreateResource Creates a Resource where the Password and Description are Encrypted and Returns the Resources ID // CreateResource Creates a Resource, Creates a v4 or v5 Resources based on the server Preference
func CreateResource(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { func CreateResource(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) {
// Create a v5 Password if that is the Server Default
if c.MetadataTypeSettings().DefaultResourceType == api.PassboltAPIVersionTypeV5 {
return CreateResourceV5(ctx, c, folderParentID, name, username, uri, password, description)
} else {
return CreateResourceV4(ctx, c, folderParentID, name, username, uri, password, description)
}
}
func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) {
if c.MetadataTypeSettings().AllowCreationOfV5Resources == false {
return "", fmt.Errorf("Creation of V5 Passwords is disabled on this Server")
}
types, err := c.GetResourceTypes(ctx, nil)
if err != nil {
return "", fmt.Errorf("Getting ResourceTypes: %w", err)
}
var rType *api.ResourceType
for _, tmp := range types {
if tmp.Slug == "v5-default" {
rType = &tmp
break
}
}
if rType == nil {
return "", fmt.Errorf("Cannot find Resource type password-and-description")
}
// Base Resource
resource := api.Resource{
ResourceTypeID: rType.ID,
FolderParentID: folderParentID,
}
// Resource Metadata
meta := api.ResourceMetadataTypeV5Default{
ObjectType: api.PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA,
ResourceTypeID: rType.ID,
Name: name,
Username: username,
URIs: []string{uri},
}
metaData, err := json.Marshal(&meta)
if err != nil {
return "", fmt.Errorf("Marshalling metadata: %w", err)
}
err = validateMetadata(rType, string(metaData))
if err != nil {
return "", fmt.Errorf("Validating metadata: %w", err)
}
metadataKeyID, metadataKeyType, publicMetadataKey, err := GetMetadataKey(ctx, c, true)
if err != nil {
return "", fmt.Errorf("Get Metadata Key: %w", err)
}
resource.MetadataKeyID = metadataKeyID
resource.MetadataKeyType = metadataKeyType
encMetadata, err := c.EncryptMessageWithKey(publicMetadataKey, string(metaData))
if err != nil {
return "", fmt.Errorf("Encrypt Metadata: %w", err)
}
resource.Metadata = encMetadata
// Resource Secret
secret := api.SecretDataTypeV5Default{
ObjectType: api.PASSBOLT_OBJECT_TYPE_SECRET_DATA,
Password: password,
Description: description,
}
secretData, err := json.Marshal(&secret)
if err != nil {
return "", fmt.Errorf("Marshalling Secret Data: %w", err)
}
err = validateSecretData(rType, string(secretData))
if err != nil {
return "", fmt.Errorf("Validating Secret Data: %w", err)
}
encSecretData, err := c.EncryptMessage(string(secretData))
if err != nil {
return "", fmt.Errorf("Encrypting Secret Data for User me: %w", err)
}
resource.Secrets = []api.Secret{{Data: encSecretData}}
newresource, err := c.CreateResource(ctx, resource)
if err != nil {
return "", fmt.Errorf("Creating Resource: %w", err)
}
return newresource.ID, nil
}
func CreateResourceV4(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) {
if c.MetadataTypeSettings().AllowCreationOfV4Resources == false {
return "", fmt.Errorf("Creation of V4 Passwords is disabled on this Server")
}
types, err := c.GetResourceTypes(ctx, nil) types, err := c.GetResourceTypes(ctx, nil)
if err != nil { if err != nil {
return "", fmt.Errorf("Getting ResourceTypes: %w", err) return "", fmt.Errorf("Getting ResourceTypes: %w", err)
@ -62,6 +163,12 @@ func CreateResource(ctx context.Context, c *api.Client, folderParentID, name, us
// CreateResourceSimple Creates a Legacy Resource where only the Password is Encrypted and Returns the Resources ID // CreateResourceSimple Creates a Legacy Resource where only the Password is Encrypted and Returns the Resources ID
func CreateResourceSimple(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { func CreateResourceSimple(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) {
if c.MetadataTypeSettings().AllowCreationOfV4Resources == false {
return "", fmt.Errorf("Creation of V4 Passwords is disabled on this Server")
}
// TODO Create a v5-password-string if v5 is enabled
enc, err := c.EncryptMessage(password) enc, err := c.EncryptMessage(password)
if err != nil { if err != nil {
return "", fmt.Errorf("Encrypting Password: %w", err) return "", fmt.Errorf("Encrypting Password: %w", err)
@ -163,7 +270,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
uri = resource.URI uri = resource.URI
// nothing fits into the interface in this case // nothing fits into the interface in this case
case "v5-default": case "v5-default":
rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType) rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType)
if err != nil { if err != nil {
return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err) return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err)
} }
@ -193,7 +300,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
pw = secretData.Password pw = secretData.Password
desc = secretData.Description desc = secretData.Description
case "v5-default-with-totp": case "v5-default-with-totp":
rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType) rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType)
if err != nil { if err != nil {
return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err) return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err)
} }
@ -223,7 +330,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret
pw = secretData.Password pw = secretData.Password
desc = secretData.Description desc = secretData.Description
case "v5-password-string": case "v5-password-string":
rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType) rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType)
if err != nil { if err != nil {
return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err) return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err)
} }

63
helper/secret.go Normal file
View file

@ -0,0 +1,63 @@
package helper
import (
"bytes"
"encoding/json"
"fmt"
"strings"
"github.com/passbolt/go-passbolt/api"
"github.com/santhosh-tekuri/jsonschema"
)
func validateSecretData(rType *api.ResourceType, secretData string) error {
var schemaDefinition api.ResourceTypeSchema
definition := rType.Definition
// Fallback schema
if string(definition) == "[]" || string(definition) == "\"[]\"" {
tmp, ok := api.ResourceSchemas[rType.Slug]
if !ok {
return fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug)
}
definition = tmp
}
err := json.Unmarshal([]byte(definition), &schemaDefinition)
if err != nil {
// Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string
if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" {
var tmp string
err = json.Unmarshal([]byte(definition), &tmp)
if err != nil {
return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err)
}
err = json.Unmarshal([]byte(tmp), &schemaDefinition)
if err != nil {
return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err)
}
} else {
return fmt.Errorf("Unmarshal Json Schema: %w", err)
}
}
comp := jsonschema.NewCompiler()
err = comp.AddResource("secret.json", bytes.NewReader(schemaDefinition.Secret))
if err != nil {
return fmt.Errorf("Adding Json Schema: %w", err)
}
schema, err := comp.Compile("secret.json")
if err != nil {
return fmt.Errorf("Compiling Json Schema: %w", err)
}
err = schema.Validate(strings.NewReader(secretData))
if err != nil {
return fmt.Errorf("Validating Secret Data: %w", err)
}
return nil
}

45
helper/util.go
View file

@ -1,13 +1,9 @@
package helper package helper
import ( import (
"bytes"
"encoding/json"
"fmt" "fmt"
"strings"
"github.com/passbolt/go-passbolt/api" "github.com/passbolt/go-passbolt/api"
"github.com/santhosh-tekuri/jsonschema"
) )
func getPublicKeyByUserID(userID string, Users []api.User) (string, error) { func getPublicKeyByUserID(userID string, Users []api.User) (string, error) {
@ -36,44 +32,3 @@ func getSecretByResourceID(secrets []api.Secret, resourceID string) (*api.Secret
} }
return nil, fmt.Errorf("Cannot Find Secret for id %v", resourceID) return nil, fmt.Errorf("Cannot Find Secret for id %v", resourceID)
} }
func validateSecretData(rType *api.ResourceType, secretData string) error {
var schemaDefinition api.ResourceTypeSchema
err := json.Unmarshal([]byte(rType.Definition), &schemaDefinition)
if err != nil {
// Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string
if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" {
var tmp string
err = json.Unmarshal([]byte(rType.Definition), &tmp)
if err != nil {
return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err)
}
err = json.Unmarshal([]byte(tmp), &schemaDefinition)
if err != nil {
return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err)
}
} else {
return fmt.Errorf("Unmarshal Json Schema: %w", err)
}
}
comp := jsonschema.NewCompiler()
err = comp.AddResource("secret.json", bytes.NewReader(schemaDefinition.Secret))
if err != nil {
return fmt.Errorf("Adding Json Schema: %w", err)
}
schema, err := comp.Compile("secret.json")
if err != nil {
return fmt.Errorf("Compiling Json Schema: %w", err)
}
err = schema.Validate(strings.NewReader(secretData))
if err != nil {
return fmt.Errorf("Validating Secret Data: %w", err)
}
return nil
}