From 07c34c490f68d9d948ecf89171cc2a59b40d594d Mon Sep 17 00:00:00 2001 From: Tuan Dang Date: Mon, 26 Dec 2022 21:45:26 -0500 Subject: [PATCH] Begin moving /secret/workspaceId routes to /workspace/workspaceId --- backend/src/app.ts | 10 +- backend/src/controllers/v2/index.ts | 5 + .../src/controllers/v2/secretController.ts | 0 .../src/controllers/v2/workspaceController.ts | 560 ++++++++++++++++++ backend/src/routes/v2/index.ts | 7 + backend/src/routes/v2/secret.ts | 4 + backend/src/routes/v2/workspace.ts | 176 ++++++ 7 files changed, 761 insertions(+), 1 deletion(-) create mode 100644 backend/src/controllers/v2/index.ts create mode 100644 backend/src/controllers/v2/secretController.ts create mode 100644 backend/src/controllers/v2/workspaceController.ts create mode 100644 backend/src/routes/v2/index.ts create mode 100644 backend/src/routes/v2/secret.ts create mode 100644 backend/src/routes/v2/workspace.ts diff --git a/backend/src/app.ts b/backend/src/app.ts index dcad66f5d1..f4271a34bf 100644 --- a/backend/src/app.ts +++ b/backend/src/app.ts @@ -15,7 +15,6 @@ import { workspace as eeWorkspaceRouter, secret as eeSecretRouter } from './ee/routes/v1'; - import { signup as v1SignupRouter, auth as v1AuthRouter, @@ -35,6 +34,10 @@ import { integration as v1IntegrationRouter, integrationAuth as v1IntegrationAuthRouter } from './routes/v1'; +import { + secret as v2SecretRouter, + workspace as v2WorkspaceRouter +} from './routes/v2'; import { getLogger } from './utils/logger'; import { RouteNotFoundError } from './utils/errors'; @@ -86,6 +89,11 @@ app.use('/api/v1/stripe', v1StripeRouter); app.use('/api/v1/integration', v1IntegrationRouter); app.use('/api/v1/integration-auth', v1IntegrationAuthRouter); +// v2 routes (new) +app.use('/api/v1/workspace', v2WorkspaceRouter); +app.use('/api/v1/secret', v2SecretRouter); + + //* Handle unrouted requests and respond with proper error message as well as status code app.use((req, res, next)=>{ if(res.headersSent) return next(); diff --git a/backend/src/controllers/v2/index.ts b/backend/src/controllers/v2/index.ts new file mode 100644 index 0000000000..dc6977c912 --- /dev/null +++ b/backend/src/controllers/v2/index.ts @@ -0,0 +1,5 @@ +import * as workspaceController from './workspaceController'; + +export { + workspaceController +} diff --git a/backend/src/controllers/v2/secretController.ts b/backend/src/controllers/v2/secretController.ts new file mode 100644 index 0000000000..e69de29bb2 diff --git a/backend/src/controllers/v2/workspaceController.ts b/backend/src/controllers/v2/workspaceController.ts new file mode 100644 index 0000000000..3e784f22c9 --- /dev/null +++ b/backend/src/controllers/v2/workspaceController.ts @@ -0,0 +1,560 @@ +import { Request, Response } from 'express'; +import * as Sentry from '@sentry/node'; +import { + Workspace, + Membership, + MembershipOrg, + Integration, + IntegrationAuth, + Key, + IUser, + ServiceToken, +} from '../../models'; +import { + createWorkspace as create, + deleteWorkspace as deleteWork +} from '../../helpers/workspace'; +import { + pushSecrets as push, + pullSecrets as pull, + reformatPullSecrets +} from '../../helpers/secret'; +import { pushKeys } from '../../helpers/key'; +import { addMemberships } from '../../helpers/membership'; +import { postHogClient, EventService } from '../../services'; +import { eventPushSecrets } from '../../events'; +import { ADMIN, COMPLETED, GRANTED, ENV_SET } from '../../variables'; + +interface PushSecret { + ciphertextKey: string; + ivKey: string; + tagKey: string; + hashKey: string; + ciphertextValue: string; + ivValue: string; + tagValue: string; + hashValue: string; + type: 'shared' | 'personal'; +} + +/** + * Return public keys of members of workspace with id [workspaceId] + * @param req + * @param res + * @returns + */ +export const getWorkspacePublicKeys = async (req: Request, res: Response) => { + let publicKeys; + try { + const { workspaceId } = req.params; + + publicKeys = ( + await Membership.find({ + workspace: workspaceId + }).populate<{ user: IUser }>('user', 'publicKey') + ) + .filter((m) => m.status === COMPLETED || m.status === GRANTED) + .map((member) => { + return { + publicKey: member.user.publicKey, + userId: member.user._id + }; + }); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to get workspace member public keys' + }); + } + + return res.status(200).send({ + publicKeys + }); +}; + +/** + * Return memberships for workspace with id [workspaceId] + * @param req + * @param res + * @returns + */ +export const getWorkspaceMemberships = async (req: Request, res: Response) => { + let users; + try { + const { workspaceId } = req.params; + + users = await Membership.find({ + workspace: workspaceId + }).populate('user', '+publicKey'); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to get workspace members' + }); + } + + return res.status(200).send({ + users + }); +}; + +/** + * Return workspaces that user is part of + * @param req + * @param res + * @returns + */ +export const getWorkspaces = async (req: Request, res: Response) => { + let workspaces; + try { + workspaces = ( + await Membership.find({ + user: req.user._id + }).populate('workspace') + ).map((m) => m.workspace); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to get workspaces' + }); + } + + return res.status(200).send({ + workspaces + }); +}; + +/** + * Return workspace with id [workspaceId] + * @param req + * @param res + * @returns + */ +export const getWorkspace = async (req: Request, res: Response) => { + let workspace; + try { + const { workspaceId } = req.params; + + workspace = await Workspace.findOne({ + _id: workspaceId + }); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to get workspace' + }); + } + + return res.status(200).send({ + workspace + }); +}; + +/** + * Create new workspace named [workspaceName] under organization with id + * [organizationId] and add user as admin + * @param req + * @param res + * @returns + */ +export const createWorkspace = async (req: Request, res: Response) => { + let workspace; + try { + const { workspaceName, organizationId } = req.body; + + // validate organization membership + const membershipOrg = await MembershipOrg.findOne({ + user: req.user._id, + organization: organizationId + }); + + if (!membershipOrg) { + throw new Error('Failed to validate organization membership'); + } + + if (workspaceName.length < 1) { + throw new Error('Workspace names must be at least 1-character long'); + } + + // create workspace and add user as member + workspace = await create({ + name: workspaceName, + organizationId + }); + + await addMemberships({ + userIds: [req.user._id], + workspaceId: workspace._id.toString(), + roles: [ADMIN], + statuses: [GRANTED] + }); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to create workspace' + }); + } + + return res.status(200).send({ + workspace + }); +}; + +/** + * Delete workspace with id [workspaceId] + * @param req + * @param res + * @returns + */ +export const deleteWorkspace = async (req: Request, res: Response) => { + try { + const { workspaceId } = req.params; + + // delete workspace + await deleteWork({ + id: workspaceId + }); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to delete workspace' + }); + } + + return res.status(200).send({ + message: 'Successfully deleted workspace' + }); +}; + +/** + * Change name of workspace with id [workspaceId] to [name] + * @param req + * @param res + * @returns + */ +export const changeWorkspaceName = async (req: Request, res: Response) => { + let workspace; + try { + const { workspaceId } = req.params; + const { name } = req.body; + + workspace = await Workspace.findOneAndUpdate( + { + _id: workspaceId + }, + { + name + }, + { + new: true + } + ); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to change workspace name' + }); + } + + return res.status(200).send({ + message: 'Successfully changed workspace name', + workspace + }); +}; + +/** + * Return integrations for workspace with id [workspaceId] + * @param req + * @param res + * @returns + */ +export const getWorkspaceIntegrations = async (req: Request, res: Response) => { + let integrations; + try { + const { workspaceId } = req.params; + + integrations = await Integration.find({ + workspace: workspaceId + }); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to get workspace integrations' + }); + } + + return res.status(200).send({ + integrations + }); +}; + +/** + * Return (integration) authorizations for workspace with id [workspaceId] + * @param req + * @param res + * @returns + */ +export const getWorkspaceIntegrationAuthorizations = async ( + req: Request, + res: Response +) => { + let authorizations; + try { + const { workspaceId } = req.params; + + authorizations = await IntegrationAuth.find({ + workspace: workspaceId + }); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to get workspace integration authorizations' + }); + } + + return res.status(200).send({ + authorizations + }); +}; + +/** + * Return service service tokens for workspace [workspaceId] belonging to user + * @param req + * @param res + * @returns + */ +export const getWorkspaceServiceTokens = async ( + req: Request, + res: Response +) => { + let serviceTokens; + try { + const { workspaceId } = req.params; + + serviceTokens = await ServiceToken.find({ + user: req.user._id, + workspace: workspaceId + }); + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to get workspace service tokens' + }); + } + + return res.status(200).send({ + serviceTokens + }); +} + +/** + * Upload (encrypted) secrets to workspace with id [workspaceId] + * for environment [environment] + * @param req + * @param res + * @returns + */ +export const pushSecrets = async (req: Request, res: Response) => { + // upload (encrypted) secrets to workspace with id [workspaceId] + + try { + let { secrets }: { secrets: PushSecret[] } = req.body; + const { keys, environment, channel } = req.body; + const { workspaceId } = req.params; + + // validate environment + if (!ENV_SET.has(environment)) { + throw new Error('Failed to validate environment'); + } + + // sanitize secrets + secrets = secrets.filter( + (s: PushSecret) => s.ciphertextKey !== '' && s.ciphertextValue !== '' + ); + + await push({ + userId: req.user._id, + workspaceId, + environment, + secrets + }); + + await pushKeys({ + userId: req.user._id, + workspaceId, + keys + }); + + + if (postHogClient) { + postHogClient.capture({ + event: 'secrets pushed', + distinctId: req.user.email, + properties: { + numberOfSecrets: secrets.length, + environment, + workspaceId, + channel: channel ? channel : 'cli' + } + }); + } + + // trigger event - push secrets + EventService.handleEvent({ + event: eventPushSecrets({ + workspaceId + }) + }); + + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to upload workspace secrets' + }); + } + + return res.status(200).send({ + message: 'Successfully uploaded workspace secrets' + }); +}; + +/** + * Return (encrypted) secrets for workspace with id [workspaceId] + * for environment [environment] and (encrypted) workspace key + * @param req + * @param res + * @returns + */ +export const pullSecrets = async (req: Request, res: Response) => { + let secrets; + let key; + try { + const environment: string = req.query.environment as string; + const channel: string = req.query.channel as string; + const { workspaceId } = req.params; + + // validate environment + if (!ENV_SET.has(environment)) { + throw new Error('Failed to validate environment'); + } + + secrets = await pull({ + userId: req.user._id.toString(), + workspaceId, + environment + }); + + key = await Key.findOne({ + workspace: workspaceId, + receiver: req.user._id + }) + .sort({ createdAt: -1 }) + .populate('sender', '+publicKey'); + + if (channel !== 'cli') { + secrets = reformatPullSecrets({ secrets }); + } + + if (postHogClient) { + // capture secrets pushed event in production + postHogClient.capture({ + distinctId: req.user.email, + event: 'secrets pulled', + properties: { + numberOfSecrets: secrets.length, + environment, + workspaceId, + channel: channel ? channel : 'cli' + } + }); + } + } catch (err) { + Sentry.setUser({ email: req.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to pull workspace secrets' + }); + } + + return res.status(200).send({ + secrets, + key + }); +}; + +// TODO: modify based on upcoming serviceTokenData changes + +/** + * Return (encrypted) secrets for workspace with id [workspaceId] + * for environment [environment] and (encrypted) workspace key + * via service token + * @param req + * @param res + * @returns + */ + export const pullSecretsServiceToken = async (req: Request, res: Response) => { + let secrets; + let key; + try { + const environment: string = req.query.environment as string; + const channel: string = req.query.channel as string; + const { workspaceId } = req.params; + + // validate environment + if (!ENV_SET.has(environment)) { + throw new Error('Failed to validate environment'); + } + + secrets = await pull({ + userId: req.serviceToken.user._id.toString(), + workspaceId, + environment + }); + + key = { + encryptedKey: req.serviceToken.encryptedKey, + nonce: req.serviceToken.nonce, + sender: { + publicKey: req.serviceToken.publicKey + }, + receiver: req.serviceToken.user, + workspace: req.serviceToken.workspace + }; + + if (postHogClient) { + // capture secrets pulled event in production + postHogClient.capture({ + distinctId: req.serviceToken.user.email, + event: 'secrets pulled', + properties: { + numberOfSecrets: secrets.length, + environment, + workspaceId, + channel: channel ? channel : 'cli' + } + }); + } + } catch (err) { + Sentry.setUser({ email: req.serviceToken.user.email }); + Sentry.captureException(err); + return res.status(400).send({ + message: 'Failed to pull workspace secrets' + }); + } + + return res.status(200).send({ + secrets: reformatPullSecrets({ secrets }), + key + }); +}; \ No newline at end of file diff --git a/backend/src/routes/v2/index.ts b/backend/src/routes/v2/index.ts new file mode 100644 index 0000000000..6e6758753b --- /dev/null +++ b/backend/src/routes/v2/index.ts @@ -0,0 +1,7 @@ +import secret from './secret'; +import workspace from './workspace'; + +export { + secret, + workspace +} diff --git a/backend/src/routes/v2/secret.ts b/backend/src/routes/v2/secret.ts new file mode 100644 index 0000000000..17a91d39c9 --- /dev/null +++ b/backend/src/routes/v2/secret.ts @@ -0,0 +1,4 @@ +import express from 'express'; +const router = express.Router(); + +export default router; diff --git a/backend/src/routes/v2/workspace.ts b/backend/src/routes/v2/workspace.ts new file mode 100644 index 0000000000..4e954c75d4 --- /dev/null +++ b/backend/src/routes/v2/workspace.ts @@ -0,0 +1,176 @@ +import express from 'express'; +const router = express.Router(); +import { body, param, query } from 'express-validator'; +import { + requireAuth, + requireWorkspaceAuth, + requireServiceTokenAuth, + validateRequest +} from '../../middleware'; +import { ADMIN, MEMBER, COMPLETED, GRANTED } from '../../variables'; +import { membershipController } from '../../controllers/v1'; +import { workspaceController } from '../../controllers/v2'; + +router.get( + '/:workspaceId/keys', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [COMPLETED, GRANTED] + }), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.getWorkspacePublicKeys +); + +router.get( + '/:workspaceId/users', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [COMPLETED, GRANTED] + }), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.getWorkspaceMemberships +); + +router.get('/', requireAuth, workspaceController.getWorkspaces); + +router.get( + '/:workspaceId', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [COMPLETED, GRANTED] + }), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.getWorkspace +); + +router.post( + '/', + requireAuth, + body('workspaceName').exists().trim().notEmpty(), + body('organizationId').exists().trim().notEmpty(), + validateRequest, + workspaceController.createWorkspace +); + +router.delete( + '/:workspaceId', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN], + acceptedStatuses: [GRANTED] + }), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.deleteWorkspace +); + +router.post( + '/:workspaceId/name', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [COMPLETED, GRANTED] + }), + param('workspaceId').exists().trim(), + body('name').exists().trim().notEmpty(), + validateRequest, + workspaceController.changeWorkspaceName +); + +router.post( + '/:workspaceId/invite-signup', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [GRANTED] + }), + param('workspaceId').exists().trim(), + body('email').exists().trim().notEmpty(), + validateRequest, + membershipController.inviteUserToWorkspace +); + +router.get( + '/:workspaceId/integrations', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [GRANTED] + }), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.getWorkspaceIntegrations +); + +router.get( + '/:workspaceId/authorizations', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [GRANTED] + }), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.getWorkspaceIntegrationAuthorizations +); + +router.get( + '/:workspaceId/service-tokens', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [GRANTED] + }), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.getWorkspaceServiceTokens +); + +router.post( + '/:workspaceId/secrets', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [COMPLETED, GRANTED] + }), + body('secrets').exists(), + body('keys').exists(), + body('environment').exists().trim().notEmpty(), + body('channel'), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.pushSecrets +); + +router.get( + '/:workspaceId/secrets', + requireAuth, + requireWorkspaceAuth({ + acceptedRoles: [ADMIN, MEMBER], + acceptedStatuses: [COMPLETED, GRANTED] + }), + query('environment').exists().trim(), + query('channel'), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.pullSecrets +); + +router.get( // TODO: modify based on upcoming serviceTokenData changes + '/:workspaceId/secrets-service-token', + requireServiceTokenAuth, + query('environment').exists().trim(), + query('channel'), + param('workspaceId').exists().trim(), + validateRequest, + workspaceController.pullSecretsServiceToken +); + + +export default router;