auth.go 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317
  1. package gorm
  2. import (
  3. "github.com/porter-dev/porter/internal/encryption"
  4. "github.com/porter-dev/porter/internal/models"
  5. "github.com/porter-dev/porter/internal/repository"
  6. "github.com/porter-dev/porter/internal/repository/credentials"
  7. "gorm.io/gorm"
  8. ints "github.com/porter-dev/porter/internal/models/integrations"
  9. )
  10. // KubeIntegrationRepository uses gorm.DB for querying the database
  11. type KubeIntegrationRepository struct {
  12. db *gorm.DB
  13. key *[32]byte
  14. }
  15. // NewKubeIntegrationRepository returns a KubeIntegrationRepository which uses
  16. // gorm.DB for querying the database. It accepts an encryption key to encrypt
  17. // sensitive data
  18. func NewKubeIntegrationRepository(
  19. db *gorm.DB,
  20. key *[32]byte,
  21. ) repository.KubeIntegrationRepository {
  22. return &KubeIntegrationRepository{db, key}
  23. }
  24. // CreateKubeIntegration creates a new kube auth mechanism
  25. func (repo *KubeIntegrationRepository) CreateKubeIntegration(
  26. am *ints.KubeIntegration,
  27. ) (*ints.KubeIntegration, error) {
  28. err := repo.EncryptKubeIntegrationData(am, repo.key)
  29. if err != nil {
  30. return nil, err
  31. }
  32. project := &models.Project{}
  33. if err := repo.db.Where("id = ?", am.ProjectID).First(&project).Error; err != nil {
  34. return nil, err
  35. }
  36. assoc := repo.db.Model(&project).Association("KubeIntegrations")
  37. if assoc.Error != nil {
  38. return nil, assoc.Error
  39. }
  40. if err := assoc.Append(am); err != nil {
  41. return nil, err
  42. }
  43. return am, nil
  44. }
  45. // ReadKubeIntegration finds a kube auth mechanism by id
  46. func (repo *KubeIntegrationRepository) ReadKubeIntegration(
  47. projectID, id uint,
  48. ) (*ints.KubeIntegration, error) {
  49. ki := &ints.KubeIntegration{}
  50. if err := repo.db.Where("project_id = ? AND id = ?", projectID, id).First(&ki).Error; err != nil {
  51. return nil, err
  52. }
  53. err := repo.DecryptKubeIntegrationData(ki, repo.key)
  54. if err != nil {
  55. return nil, err
  56. }
  57. return ki, nil
  58. }
  59. // ListKubeIntegrationsByProjectID finds all kube auth mechanisms
  60. // for a given project id
  61. func (repo *KubeIntegrationRepository) ListKubeIntegrationsByProjectID(
  62. projectID uint,
  63. ) ([]*ints.KubeIntegration, error) {
  64. kis := []*ints.KubeIntegration{}
  65. if err := repo.db.Where("project_id = ?", projectID).Find(&kis).Error; err != nil {
  66. return nil, err
  67. }
  68. return kis, nil
  69. }
  70. // EncryptKubeIntegrationData will encrypt the kube integration data before
  71. // writing to the DB
  72. func (repo *KubeIntegrationRepository) EncryptKubeIntegrationData(
  73. ki *ints.KubeIntegration,
  74. key *[32]byte,
  75. ) error {
  76. if len(ki.ClientCertificateData) > 0 {
  77. cipherData, err := encryption.Encrypt(ki.ClientCertificateData, key)
  78. if err != nil {
  79. return err
  80. }
  81. ki.ClientCertificateData = cipherData
  82. }
  83. if len(ki.ClientKeyData) > 0 {
  84. cipherData, err := encryption.Encrypt(ki.ClientKeyData, key)
  85. if err != nil {
  86. return err
  87. }
  88. ki.ClientKeyData = cipherData
  89. }
  90. if len(ki.Token) > 0 {
  91. cipherData, err := encryption.Encrypt(ki.Token, key)
  92. if err != nil {
  93. return err
  94. }
  95. ki.Token = cipherData
  96. }
  97. if len(ki.Username) > 0 {
  98. cipherData, err := encryption.Encrypt(ki.Username, key)
  99. if err != nil {
  100. return err
  101. }
  102. ki.Username = cipherData
  103. }
  104. if len(ki.Password) > 0 {
  105. cipherData, err := encryption.Encrypt(ki.Password, key)
  106. if err != nil {
  107. return err
  108. }
  109. ki.Password = cipherData
  110. }
  111. if len(ki.Kubeconfig) > 0 {
  112. cipherData, err := encryption.Encrypt(ki.Kubeconfig, key)
  113. if err != nil {
  114. return err
  115. }
  116. ki.Kubeconfig = cipherData
  117. }
  118. return nil
  119. }
  120. // DecryptKubeIntegrationData will decrypt the kube integration data before
  121. // returning it from the DB
  122. func (repo *KubeIntegrationRepository) DecryptKubeIntegrationData(
  123. ki *ints.KubeIntegration,
  124. key *[32]byte,
  125. ) error {
  126. if len(ki.ClientCertificateData) > 0 {
  127. plaintext, err := encryption.Decrypt(ki.ClientCertificateData, key)
  128. if err != nil {
  129. return err
  130. }
  131. ki.ClientCertificateData = plaintext
  132. }
  133. if len(ki.ClientKeyData) > 0 {
  134. plaintext, err := encryption.Decrypt(ki.ClientKeyData, key)
  135. if err != nil {
  136. return err
  137. }
  138. ki.ClientKeyData = plaintext
  139. }
  140. if len(ki.Token) > 0 {
  141. plaintext, err := encryption.Decrypt(ki.Token, key)
  142. if err != nil {
  143. return err
  144. }
  145. ki.Token = plaintext
  146. }
  147. if len(ki.Username) > 0 {
  148. plaintext, err := encryption.Decrypt(ki.Username, key)
  149. if err != nil {
  150. return err
  151. }
  152. ki.Username = plaintext
  153. }
  154. if len(ki.Password) > 0 {
  155. plaintext, err := encryption.Decrypt(ki.Password, key)
  156. if err != nil {
  157. return err
  158. }
  159. ki.Password = plaintext
  160. }
  161. if len(ki.Kubeconfig) > 0 {
  162. plaintext, err := encryption.Decrypt(ki.Kubeconfig, key)
  163. if err != nil {
  164. return err
  165. }
  166. ki.Kubeconfig = plaintext
  167. }
  168. return nil
  169. }
  170. // BasicIntegrationRepository uses gorm.DB for querying the database
  171. type BasicIntegrationRepository struct {
  172. db *gorm.DB
  173. key *[32]byte
  174. }
  175. // NewBasicIntegrationRepository returns a BasicIntegrationRepository which uses
  176. // gorm.DB for querying the database. It accepts an encryption key to encrypt
  177. // sensitive data
  178. func NewBasicIntegrationRepository(
  179. db *gorm.DB,
  180. key *[32]byte,
  181. ) repository.BasicIntegrationRepository {
  182. return &BasicIntegrationRepository{db, key}
  183. }
  184. // CreateBasicIntegration creates a new basic auth mechanism
  185. func (repo *BasicIntegrationRepository) CreateBasicIntegration(
  186. am *ints.BasicIntegration,
  187. ) (*ints.BasicIntegration, error) {
  188. err := repo.EncryptBasicIntegrationData(am, repo.key)
  189. if err != nil {
  190. return nil, err
  191. }
  192. project := &models.Project{}
  193. if err := repo.db.Where("id = ?", am.ProjectID).First(&project).Error; err != nil {
  194. return nil, err
  195. }
  196. assoc := repo.db.Model(&project).Association("BasicIntegrations")
  197. if assoc.Error != nil {
  198. return nil, assoc.Error
  199. }
  200. if err := assoc.Append(am); err != nil {
  201. return nil, err
  202. }
  203. return am, nil
  204. }
  205. // ReadBasicIntegration finds a basic auth mechanism by id
  206. func (repo *BasicIntegrationRepository) ReadBasicIntegration(
  207. projectID, id uint,
  208. ) (*ints.BasicIntegration, error) {
  209. basic := &ints.BasicIntegration{}
  210. if err := repo.db.Where("project_id = ? AND id = ?", projectID, id).First(&basic).Error; err != nil {
  211. return nil, err
  212. }
  213. err := repo.DecryptBasicIntegrationData(basic, repo.key)
  214. if err != nil {
  215. return nil, err
  216. }
  217. return basic, nil
  218. }
  219. // ListBasicIntegrationsByProjectID finds all basic auth mechanisms
  220. // for a given project id
  221. func (repo *BasicIntegrationRepository) ListBasicIntegrationsByProjectID(
  222. projectID uint,
  223. ) ([]*ints.BasicIntegration, error) {
  224. basics := []*ints.BasicIntegration{}
  225. if err := repo.db.Where("project_id = ?", projectID).Find(&basics).Error; err != nil {
  226. return nil, err
  227. }
  228. return basics, nil
  229. }
  230. // EncryptBasicIntegrationData will encrypt the basic integration data before
  231. // writing to the DB
  232. func (repo *BasicIntegrationRepository) EncryptBasicIntegrationData(
  233. basic *ints.BasicIntegration,
  234. key *[32]byte,
  235. ) error {
  236. if len(basic.Username) > 0 {
  237. cipherData, err := encryption.Encrypt(basic.Username, key)
  238. if err != nil {
  239. return err
  240. }
  241. basic.Username = cipherData
  242. }
  243. if len(basic.Password) > 0 {
  244. cipherData, err := encryption.Encrypt(basic.Password, key)
  245. if err != nil {
  246. return err
  247. }
  248. basic.Password = cipherData
  249. }
  250. return nil
  251. }
  252. // DecryptBasicIntegrationData will decrypt the basic integration data before
  253. // returning it from the DB
  254. func (repo *BasicIntegrationRepository) DecryptBasicIntegrationData(
  255. basic *ints.BasicIntegration,
  256. key *[32]byte,
  257. ) error {
  258. if len(basic.Username) > 0 {
  259. plaintext, err := encryption.Decrypt(basic.Username, key)
  260. if err != nil {
  261. return err
  262. }
  263. basic.Username = plaintext
  264. }
  265. if len(basic.Password) > 0 {
  266. plaintext, err := encryption.Decrypt(basic.Password, key)
  267. if err != nil {
  268. return err
  269. }
  270. basic.Password = plaintext
  271. }
  272. return nil
  273. }
  274. // OIDCIntegrationRepository uses gorm.DB for querying the database
  275. type OIDCIntegrationRepository struct {
  276. db *gorm.DB
  277. key *[32]byte
  278. }
  279. // NewOIDCIntegrationRepository returns a OIDCIntegrationRepository which uses
  280. // gorm.DB for querying the database. It accepts an encryption key to encrypt
  281. // sensitive data
  282. func NewOIDCIntegrationRepository(
  283. db *gorm.DB,
  284. key *[32]byte,
  285. ) repository.OIDCIntegrationRepository {
  286. return &OIDCIntegrationRepository{db, key}
  287. }
  288. // CreateOIDCIntegration creates a new oidc auth mechanism
  289. func (repo *OIDCIntegrationRepository) CreateOIDCIntegration(
  290. am *ints.OIDCIntegration,
  291. ) (*ints.OIDCIntegration, error) {
  292. err := repo.EncryptOIDCIntegrationData(am, repo.key)
  293. if err != nil {
  294. return nil, err
  295. }
  296. project := &models.Project{}
  297. if err := repo.db.Where("id = ?", am.ProjectID).First(&project).Error; err != nil {
  298. return nil, err
  299. }
  300. assoc := repo.db.Model(&project).Association("OIDCIntegrations")
  301. if assoc.Error != nil {
  302. return nil, assoc.Error
  303. }
  304. if err := assoc.Append(am); err != nil {
  305. return nil, err
  306. }
  307. return am, nil
  308. }
  309. // ReadOIDCIntegration finds a oidc auth mechanism by id
  310. func (repo *OIDCIntegrationRepository) ReadOIDCIntegration(
  311. projectID, id uint,
  312. ) (*ints.OIDCIntegration, error) {
  313. oidc := &ints.OIDCIntegration{}
  314. if err := repo.db.Where("project_id = ? AND id = ?", projectID, id).First(&oidc).Error; err != nil {
  315. return nil, err
  316. }
  317. err := repo.DecryptOIDCIntegrationData(oidc, repo.key)
  318. if err != nil {
  319. return nil, err
  320. }
  321. return oidc, nil
  322. }
  323. // ListOIDCIntegrationsByProjectID finds all oidc auth mechanisms
  324. // for a given project id
  325. func (repo *OIDCIntegrationRepository) ListOIDCIntegrationsByProjectID(
  326. projectID uint,
  327. ) ([]*ints.OIDCIntegration, error) {
  328. oidcs := []*ints.OIDCIntegration{}
  329. if err := repo.db.Where("project_id = ?", projectID).Find(&oidcs).Error; err != nil {
  330. return nil, err
  331. }
  332. return oidcs, nil
  333. }
  334. // EncryptOIDCIntegrationData will encrypt the oidc integration data before
  335. // writing to the DB
  336. func (repo *OIDCIntegrationRepository) EncryptOIDCIntegrationData(
  337. oidc *ints.OIDCIntegration,
  338. key *[32]byte,
  339. ) error {
  340. if len(oidc.IssuerURL) > 0 {
  341. cipherData, err := encryption.Encrypt(oidc.IssuerURL, key)
  342. if err != nil {
  343. return err
  344. }
  345. oidc.IssuerURL = cipherData
  346. }
  347. if len(oidc.ClientID) > 0 {
  348. cipherData, err := encryption.Encrypt(oidc.ClientID, key)
  349. if err != nil {
  350. return err
  351. }
  352. oidc.ClientID = cipherData
  353. }
  354. if len(oidc.ClientSecret) > 0 {
  355. cipherData, err := encryption.Encrypt(oidc.ClientSecret, key)
  356. if err != nil {
  357. return err
  358. }
  359. oidc.ClientSecret = cipherData
  360. }
  361. if len(oidc.CertificateAuthorityData) > 0 {
  362. cipherData, err := encryption.Encrypt(oidc.CertificateAuthorityData, key)
  363. if err != nil {
  364. return err
  365. }
  366. oidc.CertificateAuthorityData = cipherData
  367. }
  368. if len(oidc.IDToken) > 0 {
  369. cipherData, err := encryption.Encrypt(oidc.IDToken, key)
  370. if err != nil {
  371. return err
  372. }
  373. oidc.IDToken = cipherData
  374. }
  375. if len(oidc.RefreshToken) > 0 {
  376. cipherData, err := encryption.Encrypt(oidc.RefreshToken, key)
  377. if err != nil {
  378. return err
  379. }
  380. oidc.RefreshToken = cipherData
  381. }
  382. return nil
  383. }
  384. // DecryptOIDCIntegrationData will decrypt the kube integration data before
  385. // returning it from the DB
  386. func (repo *OIDCIntegrationRepository) DecryptOIDCIntegrationData(
  387. oidc *ints.OIDCIntegration,
  388. key *[32]byte,
  389. ) error {
  390. if len(oidc.IssuerURL) > 0 {
  391. plaintext, err := encryption.Decrypt(oidc.IssuerURL, key)
  392. if err != nil {
  393. return err
  394. }
  395. oidc.IssuerURL = plaintext
  396. }
  397. if len(oidc.ClientID) > 0 {
  398. plaintext, err := encryption.Decrypt(oidc.ClientID, key)
  399. if err != nil {
  400. return err
  401. }
  402. oidc.ClientID = plaintext
  403. }
  404. if len(oidc.ClientSecret) > 0 {
  405. plaintext, err := encryption.Decrypt(oidc.ClientSecret, key)
  406. if err != nil {
  407. return err
  408. }
  409. oidc.ClientSecret = plaintext
  410. }
  411. if len(oidc.CertificateAuthorityData) > 0 {
  412. plaintext, err := encryption.Decrypt(oidc.CertificateAuthorityData, key)
  413. if err != nil {
  414. return err
  415. }
  416. oidc.CertificateAuthorityData = plaintext
  417. }
  418. if len(oidc.IDToken) > 0 {
  419. plaintext, err := encryption.Decrypt(oidc.IDToken, key)
  420. if err != nil {
  421. return err
  422. }
  423. oidc.IDToken = plaintext
  424. }
  425. if len(oidc.RefreshToken) > 0 {
  426. plaintext, err := encryption.Decrypt(oidc.RefreshToken, key)
  427. if err != nil {
  428. return err
  429. }
  430. oidc.RefreshToken = plaintext
  431. }
  432. return nil
  433. }
  434. // OAuthIntegrationRepository uses gorm.DB for querying the database
  435. type OAuthIntegrationRepository struct {
  436. db *gorm.DB
  437. key *[32]byte
  438. storageBackend credentials.CredentialStorage
  439. }
  440. // NewOAuthIntegrationRepository returns a OAuthIntegrationRepository which uses
  441. // gorm.DB for querying the database. It accepts an encryption key to encrypt
  442. // sensitive data
  443. func NewOAuthIntegrationRepository(
  444. db *gorm.DB,
  445. key *[32]byte,
  446. storageBackend credentials.CredentialStorage,
  447. ) repository.OAuthIntegrationRepository {
  448. return &OAuthIntegrationRepository{db, key, storageBackend}
  449. }
  450. // CreateOAuthIntegration creates a new oauth auth mechanism
  451. func (repo *OAuthIntegrationRepository) CreateOAuthIntegration(
  452. am *ints.OAuthIntegration,
  453. ) (*ints.OAuthIntegration, error) {
  454. err := repo.EncryptOAuthIntegrationData(am, repo.key)
  455. if err != nil {
  456. return nil, err
  457. }
  458. // if storage backend is not nil, strip out credential data, which will be stored in credential
  459. // storage backend after write to DB
  460. var credentialData = &credentials.OAuthCredential{}
  461. if repo.storageBackend != nil {
  462. credentialData.AccessToken = am.AccessToken
  463. credentialData.RefreshToken = am.RefreshToken
  464. credentialData.ClientID = am.ClientID
  465. am.AccessToken = []byte{}
  466. am.RefreshToken = []byte{}
  467. am.ClientID = []byte{}
  468. }
  469. project := &models.Project{}
  470. if err := repo.db.Where("id = ?", am.ProjectID).First(&project).Error; err != nil {
  471. return nil, err
  472. }
  473. assoc := repo.db.Model(&project).Association("OAuthIntegrations")
  474. if assoc.Error != nil {
  475. return nil, assoc.Error
  476. }
  477. if err := assoc.Append(am); err != nil {
  478. return nil, err
  479. }
  480. if repo.storageBackend != nil {
  481. err = repo.storageBackend.WriteOAuthCredential(am, credentialData)
  482. if err != nil {
  483. return nil, err
  484. }
  485. }
  486. return am, nil
  487. }
  488. // ReadOAuthIntegration finds a oauth auth mechanism by id
  489. func (repo *OAuthIntegrationRepository) ReadOAuthIntegration(
  490. projectID, id uint,
  491. ) (*ints.OAuthIntegration, error) {
  492. oauth := &ints.OAuthIntegration{}
  493. if err := repo.db.Where("project_id = ? AND id = ?", projectID, id).First(&oauth).Error; err != nil {
  494. return nil, err
  495. }
  496. if repo.storageBackend != nil {
  497. credentialData, err := repo.storageBackend.GetOAuthCredential(oauth)
  498. if err != nil {
  499. return nil, err
  500. }
  501. oauth.AccessToken = credentialData.AccessToken
  502. oauth.RefreshToken = credentialData.RefreshToken
  503. oauth.ClientID = credentialData.ClientID
  504. }
  505. err := repo.DecryptOAuthIntegrationData(oauth, repo.key)
  506. if err != nil {
  507. return nil, err
  508. }
  509. return oauth, nil
  510. }
  511. // ListOAuthIntegrationsByProjectID finds all oauth auth mechanisms
  512. // for a given project id
  513. func (repo *OAuthIntegrationRepository) ListOAuthIntegrationsByProjectID(
  514. projectID uint,
  515. ) ([]*ints.OAuthIntegration, error) {
  516. oauths := []*ints.OAuthIntegration{}
  517. if err := repo.db.Where("project_id = ?", projectID).Find(&oauths).Error; err != nil {
  518. return nil, err
  519. }
  520. return oauths, nil
  521. }
  522. // UpdateOAuthIntegration modifies an existing oauth integration in the database
  523. func (repo *OAuthIntegrationRepository) UpdateOAuthIntegration(
  524. am *ints.OAuthIntegration,
  525. ) (*ints.OAuthIntegration, error) {
  526. err := repo.EncryptOAuthIntegrationData(am, repo.key)
  527. if err != nil {
  528. return nil, err
  529. }
  530. // if storage backend is not nil, strip out credential data, which will be stored in credential
  531. // storage backend after write to DB
  532. var credentialData = &credentials.OAuthCredential{}
  533. if repo.storageBackend != nil {
  534. credentialData.AccessToken = am.AccessToken
  535. credentialData.RefreshToken = am.RefreshToken
  536. credentialData.ClientID = am.ClientID
  537. am.AccessToken = []byte{}
  538. am.RefreshToken = []byte{}
  539. am.ClientID = []byte{}
  540. }
  541. if err := repo.db.Save(am).Error; err != nil {
  542. return nil, err
  543. }
  544. err = repo.DecryptOAuthIntegrationData(am, repo.key)
  545. if err != nil {
  546. return nil, err
  547. }
  548. if repo.storageBackend != nil {
  549. err = repo.storageBackend.WriteOAuthCredential(am, credentialData)
  550. if err != nil {
  551. return nil, err
  552. }
  553. }
  554. return am, nil
  555. }
  556. // EncryptOAuthIntegrationData will encrypt the oauth integration data before
  557. // writing to the DB
  558. func (repo *OAuthIntegrationRepository) EncryptOAuthIntegrationData(
  559. oauth *ints.OAuthIntegration,
  560. key *[32]byte,
  561. ) error {
  562. if len(oauth.ClientID) > 0 {
  563. cipherData, err := encryption.Encrypt(oauth.ClientID, key)
  564. if err != nil {
  565. return err
  566. }
  567. oauth.ClientID = cipherData
  568. }
  569. if len(oauth.AccessToken) > 0 {
  570. cipherData, err := encryption.Encrypt(oauth.AccessToken, key)
  571. if err != nil {
  572. return err
  573. }
  574. oauth.AccessToken = cipherData
  575. }
  576. if len(oauth.RefreshToken) > 0 {
  577. cipherData, err := encryption.Encrypt(oauth.RefreshToken, key)
  578. if err != nil {
  579. return err
  580. }
  581. oauth.RefreshToken = cipherData
  582. }
  583. return nil
  584. }
  585. // DecryptOAuthIntegrationData will decrypt the oauth integration data before
  586. // returning it from the DB
  587. func (repo *OAuthIntegrationRepository) DecryptOAuthIntegrationData(
  588. oauth *ints.OAuthIntegration,
  589. key *[32]byte,
  590. ) error {
  591. if len(oauth.ClientID) > 0 {
  592. plaintext, err := encryption.Decrypt(oauth.ClientID, key)
  593. if err != nil {
  594. return err
  595. }
  596. oauth.ClientID = plaintext
  597. }
  598. if len(oauth.AccessToken) > 0 {
  599. plaintext, err := encryption.Decrypt(oauth.AccessToken, key)
  600. if err != nil {
  601. return err
  602. }
  603. oauth.AccessToken = plaintext
  604. }
  605. if len(oauth.RefreshToken) > 0 {
  606. plaintext, err := encryption.Decrypt(oauth.RefreshToken, key)
  607. if err != nil {
  608. return err
  609. }
  610. oauth.RefreshToken = plaintext
  611. }
  612. return nil
  613. }
  614. // GCPIntegrationRepository uses gorm.DB for querying the database
  615. type GCPIntegrationRepository struct {
  616. db *gorm.DB
  617. key *[32]byte
  618. storageBackend credentials.CredentialStorage
  619. }
  620. // NewGCPIntegrationRepository returns a GCPIntegrationRepository which uses
  621. // gorm.DB for querying the database. It accepts an encryption key to encrypt
  622. // sensitive data
  623. func NewGCPIntegrationRepository(
  624. db *gorm.DB,
  625. key *[32]byte,
  626. storageBackend credentials.CredentialStorage,
  627. ) repository.GCPIntegrationRepository {
  628. return &GCPIntegrationRepository{db, key, storageBackend}
  629. }
  630. // CreateGCPIntegration creates a new gcp auth mechanism
  631. func (repo *GCPIntegrationRepository) CreateGCPIntegration(
  632. am *ints.GCPIntegration,
  633. ) (*ints.GCPIntegration, error) {
  634. err := repo.EncryptGCPIntegrationData(am, repo.key)
  635. if err != nil {
  636. return nil, err
  637. }
  638. // if storage backend is not nil, strip out credential data, which will be stored in credential
  639. // storage backend after write to DB
  640. var credentialData = &credentials.GCPCredential{}
  641. if repo.storageBackend != nil {
  642. credentialData.GCPKeyData = am.GCPKeyData
  643. am.GCPKeyData = []byte{}
  644. }
  645. project := &models.Project{}
  646. if err := repo.db.Where("id = ?", am.ProjectID).First(&project).Error; err != nil {
  647. return nil, err
  648. }
  649. assoc := repo.db.Model(&project).Association("GCPIntegrations")
  650. if assoc.Error != nil {
  651. return nil, assoc.Error
  652. }
  653. if err := assoc.Append(am); err != nil {
  654. return nil, err
  655. }
  656. if repo.storageBackend != nil {
  657. err = repo.storageBackend.WriteGCPCredential(am, credentialData)
  658. if err != nil {
  659. return nil, err
  660. }
  661. }
  662. return am, nil
  663. }
  664. // ReadGCPIntegration finds a gcp auth mechanism by id
  665. func (repo *GCPIntegrationRepository) ReadGCPIntegration(
  666. projectID, id uint,
  667. ) (*ints.GCPIntegration, error) {
  668. gcp := &ints.GCPIntegration{}
  669. if err := repo.db.Where("project_id = ? AND id = ?", projectID, id).First(&gcp).Error; err != nil {
  670. return nil, err
  671. }
  672. if repo.storageBackend != nil {
  673. credentialData, err := repo.storageBackend.GetGCPCredential(gcp)
  674. if err != nil {
  675. return nil, err
  676. }
  677. gcp.GCPKeyData = credentialData.GCPKeyData
  678. }
  679. err := repo.DecryptGCPIntegrationData(gcp, repo.key)
  680. if err != nil {
  681. return nil, err
  682. }
  683. return gcp, nil
  684. }
  685. // ListGCPIntegrationsByProjectID finds all gcp auth mechanisms
  686. // for a given project id
  687. func (repo *GCPIntegrationRepository) ListGCPIntegrationsByProjectID(
  688. projectID uint,
  689. ) ([]*ints.GCPIntegration, error) {
  690. gcps := []*ints.GCPIntegration{}
  691. if err := repo.db.Where("project_id = ?", projectID).Find(&gcps).Error; err != nil {
  692. return nil, err
  693. }
  694. return gcps, nil
  695. }
  696. // EncryptGCPIntegrationData will encrypt the gcp integration data before
  697. // writing to the DB
  698. func (repo *GCPIntegrationRepository) EncryptGCPIntegrationData(
  699. gcp *ints.GCPIntegration,
  700. key *[32]byte,
  701. ) error {
  702. if len(gcp.GCPKeyData) > 0 {
  703. cipherData, err := encryption.Encrypt(gcp.GCPKeyData, key)
  704. if err != nil {
  705. return err
  706. }
  707. gcp.GCPKeyData = cipherData
  708. }
  709. return nil
  710. }
  711. // DecryptGCPIntegrationData will decrypt the gcp integration data before
  712. // returning it from the DB
  713. func (repo *GCPIntegrationRepository) DecryptGCPIntegrationData(
  714. gcp *ints.GCPIntegration,
  715. key *[32]byte,
  716. ) error {
  717. if len(gcp.GCPKeyData) > 0 {
  718. plaintext, err := encryption.Decrypt(gcp.GCPKeyData, key)
  719. if err != nil {
  720. return err
  721. }
  722. gcp.GCPKeyData = plaintext
  723. }
  724. return nil
  725. }
  726. // AWSIntegrationRepository uses gorm.DB for querying the database
  727. type AWSIntegrationRepository struct {
  728. db *gorm.DB
  729. key *[32]byte
  730. storageBackend credentials.CredentialStorage
  731. }
  732. // NewAWSIntegrationRepository returns a AWSIntegrationRepository which uses
  733. // gorm.DB for querying the database. It accepts an encryption key to encrypt
  734. // sensitive data
  735. func NewAWSIntegrationRepository(
  736. db *gorm.DB,
  737. key *[32]byte,
  738. storageBackend credentials.CredentialStorage,
  739. ) repository.AWSIntegrationRepository {
  740. return &AWSIntegrationRepository{db, key, storageBackend}
  741. }
  742. // CreateAWSIntegration creates a new aws auth mechanism
  743. func (repo *AWSIntegrationRepository) CreateAWSIntegration(
  744. am *ints.AWSIntegration,
  745. ) (*ints.AWSIntegration, error) {
  746. err := repo.EncryptAWSIntegrationData(am, repo.key)
  747. if err != nil {
  748. return nil, err
  749. }
  750. // if storage backend is not nil, strip out credential data, which will be stored in credential
  751. // storage backend after write to DB
  752. var credentialData = &credentials.AWSCredential{}
  753. if repo.storageBackend != nil {
  754. credentialData.AWSAccessKeyID = am.AWSAccessKeyID
  755. credentialData.AWSClusterID = am.AWSClusterID
  756. credentialData.AWSSecretAccessKey = am.AWSSecretAccessKey
  757. credentialData.AWSSessionToken = am.AWSSessionToken
  758. am.AWSAccessKeyID = []byte{}
  759. am.AWSClusterID = []byte{}
  760. am.AWSSecretAccessKey = []byte{}
  761. am.AWSSessionToken = []byte{}
  762. }
  763. project := &models.Project{}
  764. if err := repo.db.Where("id = ?", am.ProjectID).First(&project).Error; err != nil {
  765. return nil, err
  766. }
  767. assoc := repo.db.Model(&project).Association("AWSIntegrations")
  768. if assoc.Error != nil {
  769. return nil, assoc.Error
  770. }
  771. if err := assoc.Append(am); err != nil {
  772. return nil, err
  773. }
  774. if repo.storageBackend != nil {
  775. err = repo.storageBackend.WriteAWSCredential(am, credentialData)
  776. if err != nil {
  777. return nil, err
  778. }
  779. }
  780. return am, nil
  781. }
  782. // UpdateCluster modifies an existing Cluster in the database
  783. func (repo *AWSIntegrationRepository) OverwriteAWSIntegration(
  784. am *ints.AWSIntegration,
  785. ) (*ints.AWSIntegration, error) {
  786. err := repo.EncryptAWSIntegrationData(am, repo.key)
  787. if err != nil {
  788. return nil, err
  789. }
  790. // if storage backend is not nil, strip out credential data, which will be stored in credential
  791. // storage backend after write to DB
  792. var credentialData = &credentials.AWSCredential{}
  793. if repo.storageBackend != nil {
  794. credentialData.AWSAccessKeyID = am.AWSAccessKeyID
  795. credentialData.AWSClusterID = am.AWSClusterID
  796. credentialData.AWSSecretAccessKey = am.AWSSecretAccessKey
  797. credentialData.AWSSessionToken = am.AWSSessionToken
  798. am.AWSAccessKeyID = []byte{}
  799. am.AWSClusterID = []byte{}
  800. am.AWSSecretAccessKey = []byte{}
  801. am.AWSSessionToken = []byte{}
  802. }
  803. if err := repo.db.Save(am).Error; err != nil {
  804. return nil, err
  805. }
  806. if repo.storageBackend != nil {
  807. err = repo.storageBackend.WriteAWSCredential(am, credentialData)
  808. if err != nil {
  809. return nil, err
  810. }
  811. }
  812. return am, nil
  813. }
  814. // ReadAWSIntegration finds a aws auth mechanism by id
  815. func (repo *AWSIntegrationRepository) ReadAWSIntegration(
  816. projectID, id uint,
  817. ) (*ints.AWSIntegration, error) {
  818. aws := &ints.AWSIntegration{}
  819. if err := repo.db.Where("project_id = ? AND id = ?", projectID, id).First(&aws).Error; err != nil {
  820. return nil, err
  821. }
  822. if repo.storageBackend != nil {
  823. credentialData, err := repo.storageBackend.GetAWSCredential(aws)
  824. if err != nil {
  825. return nil, err
  826. }
  827. aws.AWSAccessKeyID = credentialData.AWSAccessKeyID
  828. aws.AWSClusterID = credentialData.AWSClusterID
  829. aws.AWSSecretAccessKey = credentialData.AWSSecretAccessKey
  830. aws.AWSSessionToken = credentialData.AWSSessionToken
  831. }
  832. err := repo.DecryptAWSIntegrationData(aws, repo.key)
  833. if err != nil {
  834. return nil, err
  835. }
  836. return aws, nil
  837. }
  838. // ListAWSIntegrationsByProjectID finds all aws auth mechanisms
  839. // for a given project id
  840. func (repo *AWSIntegrationRepository) ListAWSIntegrationsByProjectID(
  841. projectID uint,
  842. ) ([]*ints.AWSIntegration, error) {
  843. awss := []*ints.AWSIntegration{}
  844. if err := repo.db.Where("project_id = ?", projectID).Find(&awss).Error; err != nil {
  845. return nil, err
  846. }
  847. return awss, nil
  848. }
  849. // EncryptAWSIntegrationData will encrypt the aws integration data before
  850. // writing to the DB
  851. func (repo *AWSIntegrationRepository) EncryptAWSIntegrationData(
  852. aws *ints.AWSIntegration,
  853. key *[32]byte,
  854. ) error {
  855. if len(aws.AWSClusterID) > 0 {
  856. cipherData, err := encryption.Encrypt(aws.AWSClusterID, key)
  857. if err != nil {
  858. return err
  859. }
  860. aws.AWSClusterID = cipherData
  861. }
  862. if len(aws.AWSAccessKeyID) > 0 {
  863. cipherData, err := encryption.Encrypt(aws.AWSAccessKeyID, key)
  864. if err != nil {
  865. return err
  866. }
  867. aws.AWSAccessKeyID = cipherData
  868. }
  869. if len(aws.AWSSecretAccessKey) > 0 {
  870. cipherData, err := encryption.Encrypt(aws.AWSSecretAccessKey, key)
  871. if err != nil {
  872. return err
  873. }
  874. aws.AWSSecretAccessKey = cipherData
  875. }
  876. if len(aws.AWSSessionToken) > 0 {
  877. cipherData, err := encryption.Encrypt(aws.AWSSessionToken, key)
  878. if err != nil {
  879. return err
  880. }
  881. aws.AWSSessionToken = cipherData
  882. }
  883. return nil
  884. }
  885. // DecryptAWSIntegrationData will decrypt the aws integration data before
  886. // returning it from the DB
  887. func (repo *AWSIntegrationRepository) DecryptAWSIntegrationData(
  888. aws *ints.AWSIntegration,
  889. key *[32]byte,
  890. ) error {
  891. if len(aws.AWSClusterID) > 0 {
  892. plaintext, err := encryption.Decrypt(aws.AWSClusterID, key)
  893. if err != nil {
  894. return err
  895. }
  896. aws.AWSClusterID = plaintext
  897. }
  898. if len(aws.AWSAccessKeyID) > 0 {
  899. plaintext, err := encryption.Decrypt(aws.AWSAccessKeyID, key)
  900. if err != nil {
  901. return err
  902. }
  903. aws.AWSAccessKeyID = plaintext
  904. }
  905. if len(aws.AWSSecretAccessKey) > 0 {
  906. plaintext, err := encryption.Decrypt(aws.AWSSecretAccessKey, key)
  907. if err != nil {
  908. return err
  909. }
  910. aws.AWSSecretAccessKey = plaintext
  911. }
  912. if len(aws.AWSSessionToken) > 0 {
  913. plaintext, err := encryption.Decrypt(aws.AWSSessionToken, key)
  914. if err != nil {
  915. return err
  916. }
  917. aws.AWSSessionToken = plaintext
  918. }
  919. return nil
  920. }
  921. // GithubAppInstallationRepository implements repository.GithubAppInstallationRepository
  922. type GithubAppInstallationRepository struct {
  923. db *gorm.DB
  924. }
  925. // NewGithubAppInstallationRepository creates a new GithubAppInstallationRepository
  926. func NewGithubAppInstallationRepository(db *gorm.DB) repository.GithubAppInstallationRepository {
  927. return &GithubAppInstallationRepository{db}
  928. }
  929. // CreateGithubAppInstallation creates a new GithubAppInstallation instance
  930. func (repo *GithubAppInstallationRepository) CreateGithubAppInstallation(am *ints.GithubAppInstallation) (*ints.GithubAppInstallation, error) {
  931. if err := repo.db.Create(am).Error; err != nil {
  932. return nil, err
  933. }
  934. return am, nil
  935. }
  936. // ReadGithubAppInstallationByInstallationID finds a GithubAppInstallation by id
  937. func (repo *GithubAppInstallationRepository) ReadGithubAppInstallationByInstallationID(gaID uint) (*ints.GithubAppInstallation, error) {
  938. ret := &ints.GithubAppInstallation{}
  939. if err := repo.db.Where("installation_id = ?", gaID).First(&ret).Error; err != nil {
  940. return nil, err
  941. }
  942. return ret, nil
  943. }
  944. // ReadGithubAppInstallationByAccountID finds a GithubAppInstallation by an account ID
  945. func (repo *GithubAppInstallationRepository) ReadGithubAppInstallationByAccountID(accountID int64) (*ints.GithubAppInstallation, error) {
  946. ret := &ints.GithubAppInstallation{}
  947. if err := repo.db.Where("account_id = ?", accountID).First(&ret).Error; err != nil {
  948. return nil, err
  949. }
  950. return ret, nil
  951. }
  952. // ReadGithubAppInstallationByAccountIDs finds all instances of GithubInstallations given a list of account IDs
  953. // note that if there is not Installation for a given ID, no error will be generated
  954. func (repo *GithubAppInstallationRepository) ReadGithubAppInstallationByAccountIDs(accountIDs []int64) ([]*ints.GithubAppInstallation, error) {
  955. ret := make([]*ints.GithubAppInstallation, 0)
  956. if err := repo.db.Where("account_id IN ?", accountIDs).Find(&ret).Error; err != nil {
  957. return nil, err
  958. }
  959. return ret, nil
  960. }
  961. // DeleteGithubAppInstallationByAccountID deletes a GithubAppInstallation given an account ID
  962. // note that this deletion is done with db.Unscoped(), so the record is actually deleted
  963. func (repo *GithubAppInstallationRepository) DeleteGithubAppInstallationByAccountID(accountID int64) error {
  964. if err := repo.db.Unscoped().Where("account_id = ?", accountID).Delete(&ints.GithubAppInstallation{}).Error; err != nil {
  965. return err
  966. }
  967. return nil
  968. }
  969. // GithubAppOAuthIntegrationRepository implements repository.GithubAppOAuthIntegrationRepository
  970. type GithubAppOAuthIntegrationRepository struct {
  971. db *gorm.DB
  972. }
  973. // NewGithubAppOAuthIntegrationRepository creates a GithubAppOAuthIntegrationRepository
  974. func NewGithubAppOAuthIntegrationRepository(db *gorm.DB) repository.GithubAppOAuthIntegrationRepository {
  975. return &GithubAppOAuthIntegrationRepository{db}
  976. }
  977. // CreateGithubAppOAuthIntegration creates a new GithubAppOAuthIntegration
  978. func (repo *GithubAppOAuthIntegrationRepository) CreateGithubAppOAuthIntegration(am *ints.GithubAppOAuthIntegration) (*ints.GithubAppOAuthIntegration, error) {
  979. if err := repo.db.Create(am).Error; err != nil {
  980. return nil, err
  981. }
  982. return am, nil
  983. }
  984. // ReadGithubAppOauthIntegration finds a GithubAppOauthIntegration by id
  985. func (repo *GithubAppOAuthIntegrationRepository) ReadGithubAppOauthIntegration(id uint) (*ints.GithubAppOAuthIntegration, error) {
  986. ret := &ints.GithubAppOAuthIntegration{}
  987. if err := repo.db.Where("id = ?", id).First(&ret).Error; err != nil {
  988. return nil, err
  989. }
  990. return ret, nil
  991. }
  992. // UpdateGithubAppOauthIntegration updates a GithubAppOauthIntegration
  993. func (repo *GithubAppOAuthIntegrationRepository) UpdateGithubAppOauthIntegration(am *ints.GithubAppOAuthIntegration) (*ints.GithubAppOAuthIntegration, error) {
  994. err := repo.db.Save(am).Error
  995. if err != nil {
  996. return nil, err
  997. }
  998. return am, nil
  999. }