speatzle/go-passbolt
1
0
Fork 0
mirror of https://github.com/passbolt/go-passbolt.git synced 2025-05-14 19:38:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Support MetadataKeyTypeUserKey, Rework Metadata Validation

Browse source
This commit is contained in:
Samuel Lorch 2025-05-12 20:01:47 +02:00
parent 6a72f6987c
commit 5369030d50
1 changed files with 84 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

145
helper/metadata.go
View file

@ -7,84 +7,108 @@ import (
"fmt" "fmt"
"strings" "strings"
"github.com/ProtonMail/gopenpgp/v3/crypto"
"github.com/passbolt/go-passbolt/api" "github.com/passbolt/go-passbolt/api"
"github.com/santhosh-tekuri/jsonschema" "github.com/santhosh-tekuri/jsonschema"
) )
func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resource, rType api.ResourceType) (string, error) { func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resource, rType api.ResourceType) (string, error) {
keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{ var metadatakey *crypto.Key
ContainMetadataPrivateKeys: true, if resource.MetadataKeyType == api.MetadataKeyTypeUserKey {
}) key, err := c.GetUserPrivateKeyCopy()
if err != nil { if err != nil {
return "", fmt.Errorf("Get Metadata Key: %w", err) return "", fmt.Errorf("Get User Private Key Copy: %W", err)
}
metadatakey = key
} else {
// Must be a shared key
keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{
ContainMetadataPrivateKeys: true,
})
if err != nil {
return "", fmt.Errorf("Get Metadata Key: %w", err)
}
// TODO Get Key by id?
if len(keys) != 1 {
return "", fmt.Errorf("Not Exactly One Metadatakey Available")
}
if len(keys[0].MetadataPrivateKeys) == 0 {
return "", fmt.Errorf("No Metadata Private key for our user")
}
if len(keys[0].MetadataPrivateKeys) > 1 {
return "", fmt.Errorf("More than 1 metadata Private key for our user")
}
var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0]
if *privMetdata.UserID != c.GetUserID() {
return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID)
}
decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data)
if err != nil {
return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
}
var data api.MetadataPrivateKeyData
err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
if err != nil {
return "", fmt.Errorf("Parse Metadata Private Key Data")
}
metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
if err != nil {
return "", fmt.Errorf("Get Metadata Private Key: %w", err)
}
metadatakey = metadataPrivateKeyObj
} }
// TODO Get Key by id? decMetadata, err := c.DecryptMetadata(metadatakey, resource.Metadata)
if len(keys) != 1 {
return "", fmt.Errorf("Not Exactly One Metadatakey Available")
}
if len(keys[0].MetadataPrivateKeys) == 0 {
return "", fmt.Errorf("No Metadata Private key for our user")
}
if len(keys[0].MetadataPrivateKeys) > 1 {
return "", fmt.Errorf("More than 1 metadata Private key for our user")
}
var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0]
if *privMetdata.UserID != c.GetUserID() {
return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID)
}
decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data)
if err != nil {
return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
}
var data api.MetadataPrivateKeyData
err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
if err != nil {
return "", fmt.Errorf("Parse Metadata Private Key Data")
}
metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
if err != nil {
return "", fmt.Errorf("Get Metadata Private Key: %w", err)
}
decMetadata, err := c.DecryptMetadata(metadataPrivateKeyObj, resource.Metadata)
if err != nil { if err != nil {
return "", fmt.Errorf("Decrypt Metadata: %w", err) return "", fmt.Errorf("Decrypt Metadata: %w", err)
} }
err = validateMetadata(&rType, string(decMetadata))
if err != nil {
return "", fmt.Errorf("Validate Metadata: %w", err)
}
return decMetadata, nil
}
func validateMetadata(rType *api.ResourceType, metadata string) error {
var schemaDefinition api.ResourceTypeSchema var schemaDefinition api.ResourceTypeSchema
err = json.Unmarshal([]byte(rType.Definition), &schemaDefinition) definition := rType.Definition
// Fallback schema
if string(definition) == "[]" || string(definition) == "\"[]\"" {
tmp, ok := api.ResourceSchemas[rType.Slug]
if !ok {
return fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug)
}
definition = tmp
}
err := json.Unmarshal([]byte(definition), &schemaDefinition)
if err != nil { if err != nil {
// Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string // Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string
if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" { if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" {
var tmp string var tmp string
err = json.Unmarshal([]byte(rType.Definition), &tmp) err = json.Unmarshal([]byte(definition), &tmp)
if err != nil { if err != nil {
return "", fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err)
}
if tmp == "[]" {
// Use The Builtin Fallback Schemas in this Case
schema, ok := api.ResourceSchemas[rType.Slug]
if !ok {
return "", fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug)
}
tmp = string(schema)
} }
err = json.Unmarshal([]byte(tmp), &schemaDefinition) err = json.Unmarshal([]byte(tmp), &schemaDefinition)
if err != nil { if err != nil {
return "", fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err)
} }
} else { } else {
return "", fmt.Errorf("Unmarshal Json Schema: %w", err) return fmt.Errorf("Unmarshal Json Schema: %w", err)
} }
} }
@ -92,18 +116,17 @@ func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resour
err = comp.AddResource("metadata.json", bytes.NewReader(schemaDefinition.Resource)) err = comp.AddResource("metadata.json", bytes.NewReader(schemaDefinition.Resource))
if err != nil { if err != nil {
return "", fmt.Errorf("Adding Json Schema: %w", err) return fmt.Errorf("Adding Json Schema: %w", err)
} }
schema, err := comp.Compile("metadata.json") schema, err := comp.Compile("metadata.json")
if err != nil { if err != nil {
return "", fmt.Errorf("Compiling Json Schema: %w", err) return fmt.Errorf("Compiling Json Schema: %w", err)
} }
err = schema.Validate(strings.NewReader(decMetadata)) err = schema.Validate(strings.NewReader(metadata))
if err != nil { if err != nil {
return "", fmt.Errorf("Validating Secret Data: %w", err) return fmt.Errorf("Validating Secret Data: %w", err)
} }
return nil
return decMetadata, nil
} }