Skip to content
This repository has been archived by the owner on Jan 12, 2024. It is now read-only.

Commit

Permalink
Force the inclusion of the SDB id in addition to path so that things …
Browse files Browse the repository at this point in the history
…are more secure. (#187)
  • Loading branch information
fieldju authored Feb 8, 2019
1 parent 4791789 commit 14b63ac
Show file tree
Hide file tree
Showing 17 changed files with 141 additions and 116 deletions.
32 changes: 16 additions & 16 deletions src/main/java/com/nike/cerberus/dao/SecureDataDao.java
Original file line number Diff line number Diff line change
Expand Up @@ -84,32 +84,32 @@ public void updateSecureData(String sdbId,
);
}

public Optional<SecureDataRecord> readSecureDataByPath(String path) {
return Optional.ofNullable(secureDataMapper.readSecureDataByPath(path));
public Optional<SecureDataRecord> readSecureDataByPath(String sdbId, String path) {
return Optional.ofNullable(secureDataMapper.readSecureDataByPath(sdbId, path));
}

public Optional<SecureDataRecord> readSecureDataByPathAndType(String path, SecureDataType type) {
return Optional.ofNullable(secureDataMapper.readSecureDataByPathAndType(path, type));
public Optional<SecureDataRecord> readSecureDataByPathAndType(String sdbId, String path, SecureDataType type) {
return Optional.ofNullable(secureDataMapper.readSecureDataByPathAndType(sdbId, path, type));
}

public Optional<SecureDataRecord> readMetadataByPathAndType(String path, SecureDataType type) {
return Optional.ofNullable(secureDataMapper.readMetadataByPathAndType(path, type));
public Optional<SecureDataRecord> readMetadataByPathAndType(String sdbId, String path, SecureDataType type) {
return Optional.ofNullable(secureDataMapper.readMetadataByPathAndType(sdbId, path, type));
}

public String[] getPathsByPartialPath(String partialPath) {
return secureDataMapper.getPathsByPartialPath(partialPath);
public String[] getPathsByPartialPath(String sdbId, String partialPath) {
return secureDataMapper.getPathsByPartialPath(sdbId, partialPath);
}

public String[] getPathsByPartialPathAndType(String partialPath, SecureDataType type) {
return secureDataMapper.getPathsByPartialPathAndType(partialPath, type);
public String[] getPathsByPartialPathAndType(String sdbId, String partialPath, SecureDataType type) {
return secureDataMapper.getPathsByPartialPathAndType(sdbId, partialPath, type);
}

public Set<String> getPathsBySdbId(String sdbId) {
return secureDataMapper.getPathsBySdbId(sdbId);
}

public List<SecureDataRecord> listSecureDataByPartialPathAndType(String partialPath, SecureDataType type, int limit, int offset) {
return secureDataMapper.listSecureDataByPartialPathAndType(partialPath, type, limit, offset);
public List<SecureDataRecord> listSecureDataByPartialPathAndType(String sdbId, String partialPath, SecureDataType type, int limit, int offset) {
return secureDataMapper.listSecureDataByPartialPathAndType(sdbId, partialPath, type, limit, offset);
}

public int countByPartialPathAndType(String partialPath, SecureDataType type) {
Expand All @@ -124,12 +124,12 @@ public int getTotalNumberOfDataNodes() {
return secureDataMapper.getTotalNumberOfDataNodes();
}

public void deleteAllSecretsThatStartWithGivenPartialPath(String partialPath) {
secureDataMapper.deleteAllSecretsThatStartWithGivenPartialPath(partialPath);
public void deleteAllSecretsThatStartWithGivenPartialPath(String sdbId, String partialPath) {
secureDataMapper.deleteAllSecretsThatStartWithGivenPartialPath(sdbId, partialPath);
}

public void deleteSecret(String path) {
secureDataMapper.deleteSecret(path);
public void deleteSecret(String sdbId, String path) {
secureDataMapper.deleteSecret(sdbId, path);
}

public int getSumTopLevelKeyValuePairs() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ private ResponseInfo<Void> restoreSdb(RequestInfo<SDBMetadata> request, Security
metadataService.restoreMetadata(sdbMetadata, principal);
String sdbId = metadataService.getSdbId(sdbMetadata);
String sdbPathWithoutCategory = StringUtils.substringAfter(sdbMetadata.getPath(), "/");
secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(sdbPathWithoutCategory);
secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(sdbId, sdbPathWithoutCategory);
secureDataService.restoreSdbSecrets(sdbId, sdbMetadata.getData(), principal);

return ResponseInfo.<Void>newBuilder()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,8 @@ private ResponseInfo<Void> deleteSecureFile(final RequestInfo<Void> request) {
if (securityContext.isPresent()) {
SecureDataRequestInfo requestInfo = secureDataRequestService.parseAndValidateRequest(request);

secureDataService.deleteSecret(requestInfo.getPath(), SecureDataType.FILE, requestInfo.getPrincipal().getName());
secureDataService.deleteSecret(requestInfo.getSdbId(),
requestInfo.getPath(), SecureDataType.FILE, requestInfo.getPrincipal().getName());

return ResponseInfo.<Void>newBuilder().
withHttpStatusCode(HttpResponseStatus.NO_CONTENT.code()).
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -65,9 +65,10 @@ public CompletableFuture<ResponseInfo<SecureFileSummaryResult>> doExecute(Reques

SecureDataRequestInfo info = secureDataRequestService.parseAndValidateRequest(request);
SecureFileSummaryResult fileSummaryResult = secureDataService.listSecureFilesSummaries(
info.getPath(),
paginationService.getLimit(request),
paginationService.getOffset(request));
info.getSdbId(),
info.getPath(),
paginationService.getLimit(request),
paginationService.getOffset(request));

final ResponseInfo response = ResponseInfo.newBuilder()
.withContentForFullResponse(fileSummaryResult)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -61,13 +61,13 @@ protected HeadSecureFile(SecureDataService secureDataService,

@Override
public CompletableFuture<ResponseInfo<Void>> doExecute(RequestInfo<Void> request,
Executor longRunningTaskExecutor,
ChannelHandlerContext ctx) {
Executor longRunningTaskExecutor,
ChannelHandlerContext ctx) {

SecureDataRequestInfo requestInfo = secureDataRequestService.parseAndValidateRequest(request);
ResponseInfo<Void> response;

Optional<SecureFileSummary> secureFileOpt = secureDataService.readFileMetadataOnly(requestInfo.getPath());
Optional<SecureFileSummary> secureFileOpt = secureDataService.readFileMetadataOnly(requestInfo.getSdbId(), requestInfo.getPath());

if (! secureFileOpt.isPresent()) {
throw new ApiException.Builder()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ public CompletableFuture<ResponseInfo<byte[]>> doExecute(RequestInfo<Void> reque
String versionId = request.getQueryParamSingle("versionId");
response = readSecureDataVersion(requestInfo, versionId);
} else {
Optional<SecureFile> secureFileOpt = secureDataService.readFile(requestInfo.getPath());
Optional<SecureFile> secureFileOpt = secureDataService.readFile(requestInfo.getSdbId(), requestInfo.getPath());

if (! secureFileOpt.isPresent()) {
throw ApiException.newBuilder()
Expand Down Expand Up @@ -107,6 +107,7 @@ public CompletableFuture<ResponseInfo<byte[]>> doExecute(RequestInfo<Void> reque
private ResponseInfo<byte[]> readSecureDataVersion(SecureDataRequestInfo requestInfo,
String versionId) {
Optional<SecureFileVersion> secureFileVersionOpt = secureDataVersionService.getSecureFileVersionById(
requestInfo.getSdbId(),
versionId,
requestInfo.getCategory(),
requestInfo.getPath());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ public CompletableFuture<ResponseInfo<Object>> executeSecureDataCall(SecureDataR
private ResponseInfo<Object> deleteSecureData(SecureDataRequestInfo requestInfo) {
CerberusPrincipal principal = requestInfo.getPrincipal();

secureDataService.deleteSecret(requestInfo.getPath(), SecureDataType.OBJECT, principal.getName());
secureDataService.deleteSecret(requestInfo.getSdbId(), requestInfo.getPath(), SecureDataType.OBJECT, principal.getName());
return ResponseInfo.newBuilder().withHttpStatusCode(HttpResponseStatus.NO_CONTENT.code()).build();
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ public CompletableFuture<ResponseInfo<Object>> executeSecureDataCall(SecureDataR
String versionId = request.getQueryParamSingle("versionId");
response = readSecureDataVersion(requestInfo, versionId);
} else {
Optional<SecureData> secureDataOpt = secureDataService.readSecret(requestInfo.getPath());
Optional<SecureData> secureDataOpt = secureDataService.readSecret(requestInfo.getSdbId(), requestInfo.getPath());

if (! secureDataOpt.isPresent()) {
response = generateVaultStyleResponse(
Expand All @@ -102,7 +102,7 @@ public CompletableFuture<ResponseInfo<Object>> executeSecureDataCall(SecureDataR
}

private ResponseInfo<Object> listKeys(SecureDataRequestInfo info) {
Set<String> keys = secureDataService.listKeys(info.getPath());
Set<String> keys = secureDataService.listKeys(info.getSdbId(), info.getPath());

if (keys.isEmpty()) {
return generateVaultStyleResponse(VaultStyleErrorResponse.Builder.create().build(),
Expand Down Expand Up @@ -134,6 +134,7 @@ private ResponseInfo<Object> listKeys(SecureDataRequestInfo info) {
private ResponseInfo<Object> readSecureDataVersion(SecureDataRequestInfo requestInfo,
String versionId) {
Optional<SecureDataVersion> secureDataVersionOpt = secureDataVersionService.getSecureDataVersionById(
requestInfo.getSdbId(),
versionId,
requestInfo.getCategory(),
requestInfo.getPath());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ public ResponseInfo<SecureDataVersionsResult> getVersionPathsForSdb(final Reques
String pathToSecret = requestInfo.getPath();

SecureDataVersionsResult result = secureDataVersionService.getSecureDataVersionSummariesByPath(
requestInfo.getSdbId(),
pathToSecret,
requestInfo.getCategory(),
paginationService.getLimit(request),
Expand Down
24 changes: 13 additions & 11 deletions src/main/java/com/nike/cerberus/mapper/SecureDataMapper.java
Original file line number Diff line number Diff line change
Expand Up @@ -29,21 +29,22 @@ public interface SecureDataMapper {

int updateSecureData(@Param("record") SecureDataRecord record);

SecureDataRecord readSecureDataByPath(@Param("path") String path);
SecureDataRecord readSecureDataByPath(@Param("sdbId") String sdbId, @Param("path") String path);

SecureDataRecord readSecureDataByPathAndType(@Param("path") String path, @Param("type") SecureDataType type);
SecureDataRecord readSecureDataByPathAndType(@Param("sdbId") String sdbId, @Param("path") String path, @Param("type") SecureDataType type);

SecureDataRecord readMetadataByPathAndType(@Param("path") String path, @Param("type") SecureDataType type);
SecureDataRecord readMetadataByPathAndType(@Param("sdbId") String sdbId, @Param("path") String path, @Param("type") SecureDataType type);

String[] getPathsByPartialPath(@Param("partialPath") String partialPath);
String[] getPathsByPartialPath(@Param("sdbId") String sdbId, @Param("partialPath") String partialPath);

String[] getPathsByPartialPathAndType(@Param("partialPath") String partialPath, @Param("type") SecureDataType type);
String[] getPathsByPartialPathAndType(@Param("sdbId") String sdbId, @Param("partialPath") String partialPath, @Param("type") SecureDataType type);

List<SecureDataRecord> listSecureDataByPartialPathAndType(
@Param("partialPath") String partialPath,
@Param("type") SecureDataType type,
@Param("limit") int limit,
@Param("offset") int offset);
@Param("sdbId") String sdbId,
@Param("partialPath") String partialPath,
@Param("type") SecureDataType type,
@Param("limit") int limit,
@Param("offset") int offset);

int countByPartialPathAndType(@Param("partialPath") String partialPath, @Param("type") SecureDataType type);

Expand All @@ -53,9 +54,10 @@ List<SecureDataRecord> listSecureDataByPartialPathAndType(

int getTotalNumberOfDataNodes();

int deleteAllSecretsThatStartWithGivenPartialPath(@Param("partialPath") String partialPath);
int deleteAllSecretsThatStartWithGivenPartialPath(@Param("sdbId") String sdbId,
@Param("partialPath") String partialPath);

int deleteSecret(@Param("path") String path);
int deleteSecret(@Param("sdbId") String sdbId, @Param("path") String path);

Integer getSumTopLevelKeyValuePairs();
}
Original file line number Diff line number Diff line change
Expand Up @@ -378,7 +378,7 @@ public void deleteSafeDepositBox(CerberusPrincipal authPrincipal, final String i

// 2. Delete all secrets and versions from the safe deposit box.
String sdbPathWithoutCategory = StringUtils.substringAfter(box.getPath(), "/");
secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(sdbPathWithoutCategory);
secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(id, sdbPathWithoutCategory);
secureDataVersionDao.deleteAllVersionsThatStartWithPartialPath(sdbPathWithoutCategory);

// 3. Remove metadata
Expand Down
Loading

0 comments on commit 14b63ac

Please sign in to comment.