Skip to content

Commit

Permalink
encrypt other sensitive information (#89)
Browse files Browse the repository at this point in the history 
* encrypt other sensitive information

* fix encryption on mongo db
  • Loading branch information
@zengchen1024
zengchen1024 authored Apr 9, 2021
1 parent 61af095 commit efdc5d6
Show file tree
Hide file tree
Showing 24 changed files with 390 additions and 108 deletions.
1 change: 1 addition & 0 deletions conf/app.conf.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ verification_code_expiry: 300
api_token_expiry: 3600
api_token_key: fsfsfsafsfsasaf242342424sdfs;.]{77&&&
symmetric_encryption_key: key-can-be--16-24-32-bytes-long!
symmetric_encryption_nonce: {{hex encoded 12 bytes}}

pdf_org_signature_dir: ./conf/org_signature_pdf
pdf_out_dir: ./conf/pdf
Expand Down
5 changes: 3 additions & 2 deletions config/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ type appConfig struct {
APITokenExpiry int64 `json:"api_token_expiry" required:"true"`
APITokenKey string `json:"api_token_key" required:"true"`
SymmetricEncryptionKey string `json:"symmetric_encryption_key" required:"true"`
SymmetricEncryptionNonce string `json:"symmetric_encryption_nonce" required:"true"`
PDFOrgSignatureDir string `json:"pdf_org_signature_dir" required:"true"`
PDFOutDir string `json:"pdf_out_dir" required:"true"`
CodePlatformConfigFile string `json:"code_platforms" required:"true"`
Expand Down Expand Up @@ -99,8 +100,8 @@ func (cfg *appConfig) validate() error {
return fmt.Errorf("The length of api_token_key should be bigger than 20")
}

if err := util.IsSymmetricEncryptionKeyValid(cfg.SymmetricEncryptionKey); err != nil {
return fmt.Errorf("The symmetric encryption key is not valid, %s", err.Error())
if _, err := util.NewSymmetricEncryption(cfg.SymmetricEncryptionKey, cfg.SymmetricEncryptionNonce); err != nil {
return fmt.Errorf("The symmetric encryption key or nonce is invalid, %s", err.Error())
}

if util.IsNotDir(cfg.PDFOrgSignatureDir) {
Expand Down
9 changes: 5 additions & 4 deletions controllers/access-controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -103,12 +103,13 @@ func (this *accessController) verify(permission []string, addr string) error {
return nil
}

func (this *accessController) symmetricEncryptionKey() []byte {
return []byte(config.AppConfig.SymmetricEncryptionKey)
func (this *accessController) newEncryption() util.SymmetricEncryption {
e, _ := util.NewSymmetricEncryption(config.AppConfig.SymmetricEncryptionKey, "")
return e
}

func (this *accessController) encryptToken(token string) (string, error) {
t, err := util.Encrypt([]byte(token), this.symmetricEncryptionKey())
t, err := this.newEncryption().Encrypt([]byte(token))
if err != nil {
return "", err
}
Expand All @@ -121,7 +122,7 @@ func (this *accessController) decryptToken(token string) (string, error) {
return "", err
}

s, err := util.Decrypt(dst, this.symmetricEncryptionKey())
s, err := this.newEncryption().Decrypt(dst)
if err != nil {
return "", err
}
Expand Down
2 changes: 1 addition & 1 deletion controllers/corporation-manager.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ func (this *CorporationManagerController) Put() {

this.sendSuccessResp(action + " successfully")

notifyCorpAdmin(orgInfo, added)
notifyCorpAdmin(linkID, orgInfo, added)
}

// @Title Patch
Expand Down
4 changes: 2 additions & 2 deletions controllers/employee-manager.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ func (this *EmployeeManagerController) Post() {

this.sendSuccessResp(action + " successfully")

notifyCorpManagerWhenAdding(&pl.OrgInfo, added)
notifyCorpManagerWhenAdding(pl.LinkID, &pl.OrgInfo, added)
}

// @Title Delete
Expand Down Expand Up @@ -95,7 +95,7 @@ func (this *EmployeeManagerController) Delete() {
Org: pl.OrgAlias,
ProjectURL: pl.ProjectURL(),
}
sendEmailToIndividual(item.Email, pl.OrgEmail, subject, msg)
sendEmailToIndividual(pl.LinkID, item.Email, subject, msg)
}
}

Expand Down
14 changes: 7 additions & 7 deletions controllers/employee-signing.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ func (this *EmployeeSigningController) Post() {
this.sendFailedResultAsResp(fr, action)
} else {
this.sendSuccessResp("sign successfully")
this.notifyManagers(managers, &info, orgInfo)
this.notifyManagers(linkID, managers, &info, orgInfo)
}
}

Expand Down Expand Up @@ -222,10 +222,10 @@ func (this *EmployeeSigningController) Update() {
msg := this.newEmployeeNotification(pl, employeeEmail)
if info.Enabled {
msg.Active = true
sendEmailToIndividual(employeeEmail, pl.OrgEmail, "Activate CLA signing", msg)
sendEmailToIndividual(pl.LinkID, employeeEmail, "Activate CLA signing", msg)
} else {
msg.Inactive = true
sendEmailToIndividual(employeeEmail, pl.OrgEmail, "Inactivate CLA signing", msg)
sendEmailToIndividual(pl.LinkID, employeeEmail, "Inactivate CLA signing", msg)
}
}

Expand Down Expand Up @@ -258,10 +258,10 @@ func (this *EmployeeSigningController) Delete() {

msg := this.newEmployeeNotification(pl, employeeEmail)
msg.Removing = true
sendEmailToIndividual(employeeEmail, pl.OrgEmail, "Remove employee", msg)
sendEmailToIndividual(pl.LinkID, employeeEmail, "Remove employee", msg)
}

func (this *EmployeeSigningController) notifyManagers(managers []dbmodels.CorporationManagerListResult, info *models.EmployeeSigning, orgInfo *models.OrgInfo) {
func (this *EmployeeSigningController) notifyManagers(linkID string, managers []dbmodels.CorporationManagerListResult, info *models.EmployeeSigning, orgInfo *models.OrgInfo) {
ms := make([]string, 0, len(managers))
to := make([]string, 0, len(managers))
for _, item := range managers {
Expand All @@ -276,7 +276,7 @@ func (this *EmployeeSigningController) notifyManagers(managers []dbmodels.Corpor
Managers: " " + strings.Join(ms, "\n "),
}
sendEmailToIndividual(
info.Email, orgInfo.OrgEmail,
linkID, info.Email,
fmt.Sprintf("Signing CLA on project of \"%s\"", msg.Org),
msg,
)
Expand All @@ -287,7 +287,7 @@ func (this *EmployeeSigningController) notifyManagers(managers []dbmodels.Corpor
ProjectURL: orgInfo.ProjectURL(),
URLOfCLAPlatform: config.AppConfig.CLAPlatformURL,
}
sendEmail(to, orgInfo.OrgEmail, "An employee has signed CLA", msg1)
sendEmail(linkID, to, "An employee has signed CLA", msg1)
}

func (this *EmployeeSigningController) newEmployeeNotification(pl *acForCorpManagerPayload, employeeName string) *email.EmployeeNotification {
Expand Down
7 changes: 6 additions & 1 deletion controllers/org-email.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,12 @@ func (this *EmailController) Auth() {
}

if token.RefreshToken == "" {
if _, err := models.GetOrgEmailInfo(emailAddr); err != nil {
v, err := models.HasOrgEmail(emailAddr)
if err != nil {
rs(errSystemError, err)
return
}
if !v {
rs(errNoRefreshToken, fmt.Errorf("no refresh token"))
return
}
Expand Down
16 changes: 8 additions & 8 deletions controllers/util.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,11 +22,11 @@ const (
fileNameOfUploadingOrgSignatue = "org_signature_file"
)

func sendEmailToIndividual(to, from, subject string, builder email.IEmailMessageBulder) {
sendEmail([]string{to}, from, subject, builder)
func sendEmailToIndividual(linkID, to, subject string, builder email.IEmailMessageBulder) {
sendEmail(linkID, []string{to}, subject, builder)
}

func sendEmail(to []string, from, subject string, builder email.IEmailMessageBulder) {
func sendEmail(linkID string, to []string, subject string, builder email.IEmailMessageBulder) {
msg, err := builder.GenEmailMsg()
if err != nil {
beego.Error(err)
Expand All @@ -36,14 +36,14 @@ func sendEmail(to []string, from, subject string, builder email.IEmailMessageBul
msg.To = to
msg.Subject = subject

worker.GetEmailWorker().SendSimpleMessage(from, msg)
worker.GetEmailWorker().SendSimpleMessage(linkID, msg)
}

func notifyCorpAdmin(orgInfo *models.OrgInfo, info *dbmodels.CorporationManagerCreateOption) {
notifyCorpManagerWhenAdding(orgInfo, []dbmodels.CorporationManagerCreateOption{*info})
func notifyCorpAdmin(linkID string, orgInfo *models.OrgInfo, info *dbmodels.CorporationManagerCreateOption) {
notifyCorpManagerWhenAdding(linkID, orgInfo, []dbmodels.CorporationManagerCreateOption{*info})
}

func notifyCorpManagerWhenAdding(orgInfo *models.OrgInfo, info []dbmodels.CorporationManagerCreateOption) {
func notifyCorpManagerWhenAdding(linkID string, orgInfo *models.OrgInfo, info []dbmodels.CorporationManagerCreateOption) {
admin := (info[0].Role == dbmodels.RoleAdmin)
subject := fmt.Sprintf("Account on project of \"%s\"", orgInfo.OrgAlias)

Expand All @@ -60,7 +60,7 @@ func notifyCorpManagerWhenAdding(orgInfo *models.OrgInfo, info []dbmodels.Corpor
URLOfCLAPlatform: config.AppConfig.CLAPlatformURL,
}

sendEmailToIndividual(item.Email, orgInfo.OrgEmail, subject, d)
sendEmailToIndividual(linkID, item.Email, subject, d)
}
}

Expand Down
2 changes: 1 addition & 1 deletion controllers/verification_code.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ func (this *VerificationCodeController) Post() {
this.sendSuccessResp("create verification code successfully")

sendEmailToIndividual(
emailOfSigner, orgInfo.OrgEmail,
linkID, emailOfSigner,
fmt.Sprintf(
"Verification code for signing CLA on project of \"%s\"",
orgInfo.OrgAlias,
Expand Down
1 change: 1 addition & 0 deletions dbmodels/db.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ type ICorporationManager interface {
type IOrgEmail interface {
CreateOrgEmail(opt OrgEmailCreateInfo) IDBError
GetOrgEmailInfo(email string) (*OrgEmailCreateInfo, IDBError)
GetOrgEmailOfLink(linkID string) (*OrgEmailCreateInfo, IDBError)
}

type IIndividualSigning interface {
Expand Down
1 change: 1 addition & 0 deletions deploy/app.conf.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ verification_code_expiry: 300
api_token_expiry: 1800
api_token_key: "${API_TOKEN_KEY}"
symmetric_encryption_key: "${SYMMETRIC_ENCRYPTION_KEY}"
symmetric_encryption_nonce: "${SYMMETRIC_ENCRYPTION_NONCE}"

pdf_org_signature_dir: ./conf/pdfs/org_signature_pdf
pdf_out_dir: ./conf/pdfs/output
Expand Down
6 changes: 5 additions & 1 deletion main.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,11 @@ func main() {
}
}

mongoClient, err := mongodb.Initialize(&AppConfig.Mongodb)
mongoClient, err := mongodb.Initialize(
&AppConfig.Mongodb,
AppConfig.SymmetricEncryptionKey,
AppConfig.SymmetricEncryptionNonce,
)
if err != nil {
beego.Error(err)
os.Exit(1)
Expand Down
18 changes: 15 additions & 3 deletions models/org-email.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,8 @@ func (this *OrgEmail) Create() IModelError {
return parseDBError(dbErr)
}

func GetOrgEmailInfo(email string) (*OrgEmail, IModelError) {
info, err := dbmodels.GetDB().GetOrgEmailInfo(email)
func GetOrgEmailOfLink(linkID string) (*OrgEmail, IModelError) {
info, err := dbmodels.GetDB().GetOrgEmailOfLink(linkID)
if err != nil {
if err.IsErrorOf(dbmodels.ErrNoDBRecord) {
return nil, newModelError(ErrOrgEmailNotExists, err)
Expand All @@ -46,8 +46,20 @@ func GetOrgEmailInfo(email string) (*OrgEmail, IModelError) {
}

return &OrgEmail{
Email: email,
Email: info.Email,
Token: &token,
Platform: info.Platform,
}, nil
}

func HasOrgEmail(email string) (bool, IModelError) {
_, err := dbmodels.GetDB().GetOrgEmailInfo(email)
if err == nil {
return true, nil
}

if err.IsErrorOf(dbmodels.ErrNoDBRecord) {
return false, nil
}
return false, parseDBError(err)
}
49 changes: 37 additions & 12 deletions mongodb/corporation-manager.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,22 +13,24 @@ func docFilterOfCorpManager(linkID string) bson.M {
return docFilterOfSigning(linkID)
}

func elemFilterOfCorpManager(email string) bson.M {
return bson.M{
fieldCorpID: genCorpID(email),
fieldEmail: email,
}
func (c *client) elemFilterOfCorpManager(email string) (bson.M, dbmodels.IDBError) {
return c.elemFilterOfIndividualSigning(email)
}

func memberNameOfCorpManager(field string) string {
return fmt.Sprintf("%s.%s", fieldCorpManagers, field)
}

func (this *client) AddCorpAdministrator(linkID string, opt *dbmodels.CorporationManagerCreateOption) dbmodels.IDBError {
email, err := this.encrypt.encryptStr(opt.Email)
if err != nil {
return err
}

info := dCorpManager{
ID: opt.ID,
Name: opt.Name,
Email: opt.Email,
Email: email,
Role: dbmodels.RoleAdmin,
Password: opt.Password,
CorpID: genCorpID(opt.Email),
Expand Down Expand Up @@ -65,7 +67,11 @@ func (this *client) CheckCorporationManagerExist(opt dbmodels.CorporationManager

var elemFilter bson.M
if opt.Email != "" {
elemFilter = elemFilterOfCorpManager(opt.Email)
v, err := this.elemFilterOfCorpManager(opt.Email)
if err != nil {
return nil, err
}
elemFilter = v
} else {
elemFilter = bson.M{
fieldCorpID: opt.EmailSuffix,
Expand Down Expand Up @@ -109,10 +115,16 @@ func (this *client) CheckCorporationManagerExist(opt dbmodels.CorporationManager
}

item := &cm[0]

email, err := this.encrypt.decryptStr(item.Email)
if err != nil {
return nil, err
}

orgRepo := dbmodels.ParseToOrgRepo(doc.OrgIdentity)
result[doc.LinkID] = dbmodels.CorporationManagerCheckResult{
Name: item.Name,
Email: item.Email,
Email: email,
Role: item.Role,
Password: item.Password,
InitialPWChanged: item.InitialPWChanged,
Expand All @@ -138,7 +150,10 @@ func (this *client) ResetCorporationManagerPassword(linkID, email string, opt db
fieldChanged: true,
}

elemFilter := elemFilterOfCorpManager(email)
elemFilter, err := this.elemFilterOfCorpManager(email)
if err != nil {
return err
}
elemFilter[fieldPassword] = opt.OldPassword

docFilter := docFilterOfCorpManager(linkID)
Expand Down Expand Up @@ -191,17 +206,28 @@ func (this *client) ListCorporationManager(linkID, email, role string) ([]dbmode
r := make([]dbmodels.CorporationManagerListResult, 0, len(ms))
for i := range ms {
item := &ms[i]

email, err := this.encrypt.decryptStr(item.Email)
if err != nil {
return nil, err
}

r = append(r, dbmodels.CorporationManagerListResult{
ID: item.ID,
Name: item.Name,
Email: item.Email,
Email: email,
Role: item.Role,
})
}
return r, nil
}

func (this *client) GetCorporationManager(linkID, email string) (*dbmodels.CorporationManagerCheckResult, dbmodels.IDBError) {
elemFilter, err := this.elemFilterOfCorpManager(email)
if err != nil {
return nil, err
}

project := bson.M{
memberNameOfCorpManager(fieldPassword): 1,
}
Expand All @@ -211,8 +237,7 @@ func (this *client) GetCorporationManager(linkID, email string) (*dbmodels.Corpo
f := func(ctx context.Context) error {
return this.getArrayElem(
ctx, this.corpSigningCollection, fieldCorpManagers,
docFilterOfCorpManager(linkID), elemFilterOfCorpManager(email),
project, &v,
docFilterOfCorpManager(linkID), elemFilter, project, &v,
)
}

Expand Down
8 changes: 7 additions & 1 deletion mongodb/corporation-signing-deleted.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ func (this *client) DeleteCorpSigning(linkID, email string) dbmodels.IDBError {
if err != nil {
return err
}
doc[fieldInfo] = data.SigningInfo

f := func(ctx context.Context) dbmodels.IDBError {
return this.moveArrayElem(
Expand Down Expand Up @@ -97,7 +98,12 @@ func (this *client) ListDeletedCorpSignings(linkID string) ([]dbmodels.Corporati

r := make([]dbmodels.CorporationSigningBasicInfo, 0, n)
for i := 0; i < n; i++ {
r = append(r, *toDBModelCorporationSigningBasicInfo(&deleted[i]))
bi, err := this.toDBModelCorporationSigningBasicInfo(&deleted[i])
if err != nil {
return nil, err
}

r = append(r, *bi)
}

return r, nil
Expand Down
Loading

0 comments on commit efdc5d6

Please sign in to comment.