feat(be): change error message for access key decryption

2025-01-20 15:29:28 +01:00 · 2021-09-10 03:41:36 +05:00 · 2021-09-10 03:41:36 +05:00 · f207aa6bff
commit f207aa6bff
parent 554e797e24
8 changed files with 30 additions and 22 deletions
--- a/api/projects/keys.go
+++ b/api/projects/keys.go
@ -1,7 +1,6 @@
 package projects

 import (
-	"fmt"
 	log "github.com/Sirupsen/logrus"
 	"github.com/ansible-semaphore/semaphore/api/helpers"
 	"github.com/ansible-semaphore/semaphore/db"
@ -19,15 +18,13 @@ func KeyMiddleware(next http.Handler) http.Handler {
 			return
 		}

-		key, err := helpers.Store(r).GetAccessKey(project.ID, keyID, false)
+		key, err := helpers.Store(r).GetAccessKey(project.ID, keyID)

 		if err != nil {
 			helpers.WriteError(w, err)
 			return
 		}

-		fmt.Println(key.SshKey.PrivateKey)
-
 		context.Set(r, "accessKey", key)
 		next.ServeHTTP(w, r)
 	})
--- a/api/tasks/runner.go
+++ b/api/tasks/runner.go
@ -352,6 +352,12 @@ func (t *task) installVaultPassFile() error {

 	path := t.template.VaultPass.GetPath()

+	err := t.template.VaultPass.DeserializeSecret()
+
+	if err != nil {
+		return err
+	}
+
 	return ioutil.WriteFile(path, []byte(t.template.VaultPass.LoginPassword.Password), 0600)
 }

@ -364,6 +370,12 @@ func (t *task) installKey(key db.AccessKey) error {

 	path := key.GetPath()

+	err := key.DeserializeSecret()
+
+	if err != nil {
+		return err
+	}
+
 	if key.SshKey.Passphrase != "" {
 		return fmt.Errorf("ssh key with passphrase not supported")
 	}
--- a/db/AccessKey.go
+++ b/db/AccessKey.go
@ -177,7 +177,11 @@ func (key *AccessKey) DeserializeSecret() error {
 	}

 	if util.Config.AccessKeyEncryption == "" {
-		return key.unmarshalAppropriateField(ciphertext)
+		err = key.unmarshalAppropriateField(ciphertext)
+		if _, ok := err.(*json.SyntaxError); ok {
+			err = fmt.Errorf("[ERR_INVALID_ENCRYPTION_KEY] Cannot decrypt access key, perhaps encryption key was changed")
+		}
+		return err
 	}

 	encryption, err := base64.StdEncoding.DecodeString(util.Config.AccessKeyEncryption)
@ -205,6 +209,9 @@ func (key *AccessKey) DeserializeSecret() error {
 	ciphertext, err = gcm.Open(nil, nonce, ciphertext, nil)

 	if err != nil {
+		if err.Error() == "cipher: message authentication failed" {
+			err = fmt.Errorf("[ERR_INVALID_ENCRYPTION_KEY] Cannot decrypt access key, perhaps encryption key was changed")
+		}
 		return err
 	}

--- a/db/Store.go
+++ b/db/Store.go
@ -71,7 +71,7 @@ type Store interface {
 	DeleteRepository(projectID int, repositoryID int) error
 	DeleteRepositorySoft(projectID int, repositoryID int) error

-	GetAccessKey(projectID int, accessKeyID int, deserializeSecret bool) (AccessKey, error)
+	GetAccessKey(projectID int, accessKeyID int) (AccessKey, error)
 	GetAccessKeys(projectID int, params RetrieveQueryParams) ([]AccessKey, error)

 	UpdateAccessKey(accessKey AccessKey) error
@ -143,14 +143,14 @@ type Store interface {

 func FillTemplate(d Store, template *Template) (err error) {
 	if template.VaultPassID != nil {
-		template.VaultPass, err = d.GetAccessKey(template.ProjectID, *template.VaultPassID, true)
+		template.VaultPass, err = d.GetAccessKey(template.ProjectID, *template.VaultPassID)
 	}
 	return
 }

 func FillInventory(d Store, inventory *Inventory) (err error) {
 	if inventory.SSHKeyID != nil {
-		inventory.SSHKey, err = d.GetAccessKey(inventory.ProjectID, *inventory.SSHKeyID, true)
+		inventory.SSHKey, err = d.GetAccessKey(inventory.ProjectID, *inventory.SSHKeyID)
 	}

 	if err != nil {
@ -158,7 +158,7 @@ func FillInventory(d Store, inventory *Inventory) (err error) {
 	}

 	if inventory.BecomeKeyID != nil {
-		inventory.BecomeKey, err = d.GetAccessKey(inventory.ProjectID, *inventory.BecomeKeyID, true)
+		inventory.BecomeKey, err = d.GetAccessKey(inventory.ProjectID, *inventory.BecomeKeyID)
 	}

 	return
--- a/db/bolt/access_key.go
+++ b/db/bolt/access_key.go
@ -4,16 +4,12 @@ import (
 	"github.com/ansible-semaphore/semaphore/db"
 )

-func (d *BoltDb) GetAccessKey(projectID int, accessKeyID int, deserializeSecret bool) (key db.AccessKey, err error) {
+func (d *BoltDb) GetAccessKey(projectID int, accessKeyID int) (key db.AccessKey, err error) {
 	err = d.getObject(projectID, db.AccessKeyProps, intObjectID(accessKeyID), &key)
 	if err != nil {
 		return
 	}

-	if deserializeSecret {
-		err = key.DeserializeSecret()
-	}
-
 	return
 }

@ -36,7 +32,7 @@ func (d *BoltDb) UpdateAccessKey(key db.AccessKey) error {
 			return err
 		}
 	} else { // accept only new name, ignore other changes
-		oldKey, err2 := d.GetAccessKey(*key.ProjectID, key.ID, false)
+		oldKey, err2 := d.GetAccessKey(*key.ProjectID, key.ID)
 		if err2 != nil {
 			return err2
 		}
--- a/db/bolt/repository.go
+++ b/db/bolt/repository.go
@ -9,7 +9,7 @@ func (d *BoltDb) GetRepository(projectID int, repositoryID int) (repository db.R
 	if err != nil {
 		return
 	}
-	repository.SSHKey, err = d.GetAccessKey(projectID, repository.SSHKeyID, true)
+	repository.SSHKey, err = d.GetAccessKey(projectID, repository.SSHKeyID)
 	return
 }

--- a/db/sql/access_key.go
+++ b/db/sql/access_key.go
@ -5,17 +5,13 @@ import (
 	"github.com/ansible-semaphore/semaphore/db"
 )

-func (d *SqlDb) GetAccessKey(projectID int, accessKeyID int, deserializeSecret bool) (key db.AccessKey, err error) {
+func (d *SqlDb) GetAccessKey(projectID int, accessKeyID int) (key db.AccessKey, err error) {
 	err = d.getObject(projectID, db.AccessKeyProps, accessKeyID, &key)

 	if err != nil {
 		return
 	}

-	if deserializeSecret {
-		err = key.DeserializeSecret()
-	}
-
 	return
 }

--- a/db/sql/repository.go
+++ b/db/sql/repository.go
@ -13,7 +13,7 @@ func (d *SqlDb) GetRepository(projectID int, repositoryID int) (db.Repository, e
 		return repository, err
 	}

-	repository.SSHKey, err = d.GetAccessKey(projectID, repository.SSHKeyID, true)
+	repository.SSHKey, err = d.GetAccessKey(projectID, repository.SSHKeyID)

 	return repository, err
 }