Merge crud cli api and cli changes

Infisical · Jan 4, 2023 · 7e026e8 · 7e026e8
2 parents e364094 + fe05732
commit 7e026e8
Show file tree

Hide file tree

Showing 24 changed files with 1,170 additions and 33 deletions.
diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -6,6 +6,7 @@
     "@sentry/tracing": "^7.19.0",
     "@types/crypto-js": "^4.1.1",
     "@types/libsodium-wrappers": "^0.7.10",
+    "await-to-js": "^3.0.0",
     "axios": "^1.1.3",
     "bcrypt": "^5.1.0",
     "bigint-conversion": "^2.2.2",
@@ -30,6 +31,7 @@
     "tweetnacl": "^1.0.3",
     "tweetnacl-util": "^0.15.1",
     "typescript": "^4.9.3",
+    "utility-types": "^3.10.0",
     "winston": "^3.8.2",
     "winston-loki": "^6.0.6"
   },

diff --git a/backend/src/controllers/v2/index.ts b/backend/src/controllers/v2/index.ts
@@ -1,9 +1,11 @@
 import * as workspaceController from './workspaceController';
 import * as serviceTokenDataController from './serviceTokenDataController';
 import * as apiKeyDataController from './apiKeyDataController';
+import * as secretController from './secretController';
 
-export { 
+export {
     workspaceController,
     serviceTokenDataController,
-    apiKeyDataController
+    apiKeyDataController,
+    secretController
 }
diff --git a/backend/src/controllers/v2/secretController.ts b/backend/src/controllers/v2/secretController.ts
@@ -0,0 +1,138 @@
+import to from "await-to-js";
+import { Request, Response } from "express";
+import mongoose, { Types } from "mongoose";
+import Secret, { ISecret } from "../../models/secret";
+import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret/types";
+const { ValidationError } = mongoose.Error;
+import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
+import { AnyBulkWriteOperation } from 'mongodb';
+
+export const batchCreateSecrets = async (req: Request, res: Response) => {
+  const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
+  const { workspaceId, environmentName } = req.params
+  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
+
+  secretsToCreate.forEach(rawSecret => {
+    const safeUpdateFields: SanitizedSecretForCreate = {
+      secretKeyCiphertext: rawSecret.secretKeyCiphertext,
+      secretKeyIV: rawSecret.secretKeyIV,
+      secretKeyTag: rawSecret.secretKeyTag,
+      secretKeyHash: rawSecret.secretKeyHash,
+      secretValueCiphertext: rawSecret.secretValueCiphertext,
+      secretValueIV: rawSecret.secretValueIV,
+      secretValueTag: rawSecret.secretValueTag,
+      secretValueHash: rawSecret.secretValueHash,
+      secretCommentCiphertext: rawSecret.secretCommentCiphertext,
+      secretCommentIV: rawSecret.secretCommentIV,
+      secretCommentTag: rawSecret.secretCommentTag,
+      secretCommentHash: rawSecret.secretCommentHash,
+      workspace: new Types.ObjectId(workspaceId),
+      environment: environmentName,
+      type: rawSecret.type,
+      user: new Types.ObjectId(req.user._id)
+    }
+
+    sanitizedSecretesToCreate.push(safeUpdateFields)
+  })
+
+  const [bulkCreateError, newlyCreatedSecrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
+  if (bulkCreateError) {
+    if (bulkCreateError instanceof ValidationError) {
+      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
+    }
+
+    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
+  }
+
+  res.status(200).send()
+}
+
+
+export const createSingleSecret = async (req: Request, res: Response) => {
+  try {
+    const secretFromDB = await Secret.findById(req.params.secretId)
+    return res.status(200).send(secretFromDB);
+  } catch (e) {
+    throw BadRequestError({ message: "Unable to find the requested secret" })
+  }
+}
+
+export const batchDeleteSecrets = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretIdsToDelete: string[] = req.body.secretIds
+
+  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanDeleteError) {
+    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
+  }
+
+  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
+  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
+
+  secretIdsToDelete.forEach(secretIdToDelete => {
+    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
+      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
+      deleteOperationsToPerform.push(deleteOperation)
+    } else {
+      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
+    }
+  })
+
+  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
+  if (bulkDeleteError) {
+    if (bulkDeleteError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
+    }
+    throw InternalServerError()
+  }
+
+  res.status(200).send()
+}
+
+export const batchModifySecrets = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
+  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanModifyError) {
+    throw InternalServerError({ message: "Unable to fetch secrets you own" })
+  }
+
+  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
+  const updateOperationsToPerform: any = []
+
+
+  secretsModificationsRequested.forEach(userModifiedSecret => {
+    if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
+      const sanitizedSecret: SanitizedSecretModify = {
+        secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
+        secretKeyIV: userModifiedSecret.secretKeyIV,
+        secretKeyTag: userModifiedSecret.secretKeyTag,
+        secretKeyHash: userModifiedSecret.secretKeyHash,
+        secretValueCiphertext: userModifiedSecret.secretValueCiphertext,
+        secretValueIV: userModifiedSecret.secretValueIV,
+        secretValueTag: userModifiedSecret.secretValueTag,
+        secretValueHash: userModifiedSecret.secretValueHash,
+        secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
+        secretCommentIV: userModifiedSecret.secretCommentIV,
+        secretCommentTag: userModifiedSecret.secretCommentTag,
+        secretCommentHash: userModifiedSecret.secretCommentHash,
+      }
+
+      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
+      updateOperationsToPerform.push(updateOperation)
+    } else {
+      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
+    }
+  })
+
+  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
+  if (bulkModificationInfoError) {
+    if (bulkModificationInfoError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
+    }
+
+    throw InternalServerError()
+  }
+
+  return res.status(200).send()
+}
diff --git a/backend/src/middleware/requireAuth.ts b/backend/src/middleware/requireAuth.ts
@@ -25,28 +25,28 @@ declare module 'jsonwebtoken' {
  * @param {String[]} obj.acceptedAuthModes - accepted modes of authentication (jwt/st)
  * @returns
  */
-const requireAuth  = ({
+const requireAuth = ({
 	acceptedAuthModes = ['jwt']
 }: {
 	acceptedAuthModes: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
-		if(AUTH_TOKEN_TYPE === null) 
-			return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
-		if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') 
-			return next(BadRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
-		if(AUTH_TOKEN_VALUE === null) 
-			return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
-		
+		const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+		if (AUTH_TOKEN_TYPE === null)
+			return next(BadRequestError({ message: `Missing Authorization Header in the request header.` }))
+		if (AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer')
+			return next(BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` }))
+		if (AUTH_TOKEN_VALUE === null)
+			return next(BadRequestError({ message: 'Missing Authorization Body in the request header' }))
+
 		// validate auth token against 
 		const authMode = validateAuthMode({
 			authTokenValue: AUTH_TOKEN_VALUE,
 			acceptedAuthModes
 		});
-		
+
 		if (!acceptedAuthModes.includes(authMode)) throw new Error('Failed to validate auth mode');
-		
+
 		// attach auth payloads
 		switch (authMode) {
 			case 'serviceToken':

diff --git a/backend/src/middleware/validateRequest.ts b/backend/src/middleware/validateRequest.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { validationResult } from 'express-validator';
-import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+import { BadRequestError, UnauthorizedRequestError, ValidationError } from '../utils/errors';
 
 /**
  * Validate intended inputs on [req] via express-validator
@@ -15,12 +15,12 @@ const validate = (req: Request, res: Response, next: NextFunction) => {
 	try {
 		const errors = validationResult(req);
 		if (!errors.isEmpty()) {
-			return next(BadRequestError({context: {errors: errors.array}}))
+			return next(ValidationError({ context: { errors: `One or more of your parameters are invalid [error(s)=${(JSON.stringify(errors))}]` } }))
 		}
 
 		return next();
 	} catch (err) {
-		return next(UnauthorizedRequestError({message: 'Unauthenticated requests are not allowed. Try logging in'}))
+		return next(UnauthorizedRequestError({ message: 'Unauthenticated requests are not allowed. Try logging in' }))
 	}
 };
 

diff --git a/backend/src/models/secret.ts b/backend/src/models/secret.ts
@@ -33,7 +33,8 @@ const secretSchema = new Schema<ISecret>(
 	{
 		version: {
 			type: Number,
-			required: true
+			required: true,
+			default: 1
 		},
 		workspace: {
 			type: Schema.Types.ObjectId,