SecretSting amalgamation

DefGuard · Aug 22, 2023 · 8f2cfcb · 8f2cfcb
1 parent b141749
commit 8f2cfcb
Show file tree

Hide file tree

Showing 10 changed files with 159 additions and 98 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -7,32 +7,52 @@ edition = "2021"
 
 [dependencies]
 model_derive = { path = "model-derive" }
+anyhow = "1.0"
 argon2 = { version = "0.5", features = ["std"] }
 base64 = { version = "0.21" }
 bincode = "1.3"
-chrono = { version = "0.4", features = ["serde"] }
+chrono = { version = "0.4", default-features = false, features = [
+    "clock",
+    "serde",
+    "std",
+] }
 clap = { version = "4.0", features = ["derive", "env"] }
+dotenvy = "0.15"
+ethers = { version = "2.0", features = ["eip712"] }
+ethabi = "18.0"
 fern = { version = "0.6", features = ["colored"] }
+humantime = "2.1"
 # match ipnetwork version from sqlx-core
 ipnetwork = { version = "0.19", features = ["serde"] }
 jsonwebtoken = "8.1"
+lazy_static = "1.4"
 ldap3 = "0.11"
+lettre = { version = "0.10", features = ["tokio1", "tokio1-native-tls"] }
 log = "0.4"
 md4 = "0.10"
 otpauth = "0.4"
 openidconnect = { version = "3.0", default-features = false, optional = true }
+pulldown-cmark = "0.9"
 prost = "0.11"
 rand = "0.8"
 rand_core = { version = "0.6", default-features = false, features = [
     "getrandom",
 ] }
+regex = "1.8"
 reqwest = { version = "0.11", features = ["json"] }
 rocket = { version = "0.5.0-rc.3", features = ["json", "secrets"] }
-rsa = {version = "0.8", features = ["pem"]}
-secp256k1 = { version = "0.27", features = ["recovery", "rand-std", "global-context"] }
+rsa = { version = "0.8", features = ["pem"] }
+rust-ini = "0.19"
+secp256k1 = { version = "0.27", features = [
+    "recovery",
+    "rand-std",
+    "global-context",
+] }
+secrecy = {version = "0.8", features = ["serde"] }
 serde = { version = "1.0", features = ["derive"] }
 # match version from webauthn-rs-core
 serde_cbor = { version = "0.12.0-dev", package = "serde_cbor_2" }
+serde_json = "1.0.104"
 serde_urlencoded = "0.7"
 sha-1 = "0.10"
 sqlx = { version = "0.6", features = [
@@ -43,6 +63,8 @@ sqlx = { version = "0.6", features = [
     "postgres",
     "uuid",
 ] }
+tera = "1.19"
+thiserror = "1.0"
 tiny-keccak = { version = "2.0", features = ["keccak"] }
 tokio = { version = "1", features = [
     "macros",
@@ -55,32 +77,18 @@ tokio = { version = "1", features = [
 tokio-stream = "0.1"
 tonic = { version = "0.9", features = ["gzip", "tls", "tls-roots"] }
 uuid = { version = "1.1", features = ["v4"] }
+webauthn-authenticator-rs = { version = "0.4" }
 webauthn-rs = { version = "0.4", features = [
     "danger-allow-state-serialisation",
 ] }
 webauthn-rs-proto = "0.4.9"
 # Use pre to match zeroize version used by ethers
 x25519-dalek = { version = "2.0.0-rc.2", features = ["static_secrets"] }
-ethers = {version = "2.0.3", features = ["eip712"]}
-ethabi = "18.0.0"
-anyhow = "1.0"
-rust-ini = "0.19"
-regex = "1.8"
-lazy_static = "1.4"
-thiserror = "1.0"
-dotenvy = "0.15"
-lettre = { version = "0.10.4", features = ["tokio1", "tokio1-native-tls"] }
-serde_json = "1.0.104"
-humantime = "2.1"
-tera = "1.19"
-pulldown-cmark = "0.9"
-secrecy = { version = "0.8.0", features = ["serde"] }
 
 [dev-dependencies]
+claims = "0.7"
 matches = "0.1"
 serde_qs = "0.12"
-webauthn-authenticator-rs = { version = "0.4" }
-claims = "0.7"
 
 [build-dependencies]
 tonic-build = "0.9"

diff --git a/src/bin/defguard.rs b/src/bin/defguard.rs
@@ -10,12 +10,12 @@ use defguard::{
     wireguard_stats_purge::run_periodic_stats_purge,
     SERVER_CONFIG,
 };
+use secrecy::ExposeSecret;
 use std::{
     fs::read_to_string,
     sync::{Arc, Mutex},
 };
 use tokio::sync::{broadcast, mpsc::unbounded_channel};
-use secrecy::ExposeSecret;
 
 #[tokio::main]
 async fn main() -> Result<(), anyhow::Error> {

diff --git a/src/config.rs b/src/config.rs
@@ -5,8 +5,6 @@ use reqwest::Url;
 use rsa::{pkcs1::EncodeRsaPrivateKey, pkcs8::DecodePrivateKey, PublicKeyParts, RsaPrivateKey};
 use secrecy::Secret;
 
-use crate::expose_secret_string;
-
 #[derive(Clone, Parser, Serialize, Debug)]
 #[command(version)]
 pub struct DefGuardConfig {

diff --git a/src/db/models/settings.rs b/src/db/models/settings.rs
@@ -1,9 +1,8 @@
-use crate::{secret::SecretString, db::DbPool};
-use model_derive::Model;
+use crate::{db::DbPool, secret::SecretString};
+// use model_derive::Model;
 use sqlx::{query, Type};
 use std::collections::HashMap;
 
-
 #[derive(Clone, Deserialize, Serialize, PartialEq, Eq, Type, Debug)]
 #[sqlx(type_name = "smtp_encryption", rename_all = "lowercase")]
 pub enum SmtpEncryption {
@@ -12,8 +11,7 @@ pub enum SmtpEncryption {
     ImplicitTls,
 }
 
-
-#[derive(Model, Serialize, Deserialize, Debug, Clone)]
+#[derive(Serialize, Deserialize, Debug, Clone)]
 pub struct Settings {
     #[serde(skip)]
     pub id: Option<i64>,
@@ -28,7 +26,7 @@ pub struct Settings {
     pub nav_logo_url: String,
     pub smtp_server: Option<String>,
     pub smtp_port: Option<i32>,
-    #[model(enum)]
+    // #[model(enum)]
     pub smtp_encryption: SmtpEncryption,
     pub smtp_user: Option<String>,
     pub smtp_password: Option<SecretString>,
@@ -40,6 +38,72 @@ pub struct Settings {
     pub enrollment_use_welcome_message_as_email: bool,
 }
 
+// FIXME: implement `SecretString` handling in `Model`
+impl Settings {
+    pub async fn find_by_id<'e, E>(executor: E, id: i64) -> Result<Option<Self>, sqlx::Error>
+    where
+        E: sqlx::Executor<'e, Database = sqlx::Postgres>,
+    {
+        sqlx::query_as!(Self,
+            "SELECT id \"id?\", \"openid_enabled\", \"ldap_enabled\", \"wireguard_enabled\", \"webhooks_enabled\", \
+            \"worker_enabled\", \"challenge_template\", \"instance_name\", \"main_logo_url\", \"nav_logo_url\", \
+            \"smtp_server\", \"smtp_port\", \"smtp_encryption\" \"smtp_encryption: _\", \"smtp_user\", \
+            smtp_password \"smtp_password?: SecretString\", \
+            \"smtp_sender\", \"enrollment_vpn_step_optional\", \"enrollment_welcome_message\", \"enrollment_welcome_email\", \
+            \"enrollment_welcome_email_subject\", \"enrollment_use_welcome_message_as_email\" \
+            FROM \"settings\" WHERE id = $1",id).fetch_optional(executor).await
+    }
+    pub async fn all<'e, E>(executor: E) -> Result<Vec<Self>, sqlx::Error>
+    where
+        E: sqlx::Executor<'e, Database = sqlx::Postgres>,
+    {
+        sqlx::query_as!(Self,
+            "SELECT id \"id?\", \"openid_enabled\", \"ldap_enabled\", \"wireguard_enabled\", \"webhooks_enabled\", \
+            \"worker_enabled\", \"challenge_template\", \"instance_name\", \"main_logo_url\", \"nav_logo_url\", \
+            \"smtp_server\", \"smtp_port\", \"smtp_encryption\" \"smtp_encryption: _\", \"smtp_user\", \
+            smtp_password \"smtp_password?: SecretString\", \
+            \"smtp_sender\", \"enrollment_vpn_step_optional\", \"enrollment_welcome_message\", \"enrollment_welcome_email\", \
+            \"enrollment_welcome_email_subject\", \"enrollment_use_welcome_message_as_email\" \
+            FROM \"settings\"").fetch_all(executor).await
+    }
+    pub async fn delete<'e, E>(self, executor: E) -> Result<(), sqlx::Error>
+    where
+        E: sqlx::Executor<'e, Database = sqlx::Postgres>,
+    {
+        if let Some(id) = self.id {
+            sqlx::query!("DELETE FROM \"settings\" WHERE id = $1", id)
+                .execute(executor)
+                .await?;
+        }
+        Ok(())
+    }
+    pub async fn save<'e, E>(&mut self, executor: E) -> Result<(), sqlx::Error>
+    where
+        E: sqlx::Executor<'e, Database = sqlx::Postgres>,
+    {
+        match self.id {
+            None => {
+                let id = sqlx::query_scalar!("INSERT INTO \"settings\" (\"openid_enabled\", \"ldap_enabled\", \"wireguard_enabled\", \"webhooks_enabled\", \"worker_enabled\", \"challenge_template\", \"instance_name\", \"main_logo_url\", \"nav_logo_url\", \"smtp_server\", \"smtp_port\", \"smtp_encryption\", \"smtp_user\", \
+                \"smtp_password\", \
+                \"smtp_sender\", \"enrollment_vpn_step_optional\", \"enrollment_welcome_message\", \"enrollment_welcome_email\", \"enrollment_welcome_email_subject\", \"enrollment_use_welcome_message_as_email\") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20) RETURNING id",
+                self.openid_enabled,self.ldap_enabled,self.wireguard_enabled,self.webhooks_enabled,self.worker_enabled,self.challenge_template,self.instance_name,self.main_logo_url,self.nav_logo_url,self.smtp_server,self.smtp_port,
+                &self.smtp_encryption as &SmtpEncryption, self.smtp_user,&self.smtp_password as &Option<SecretString>,
+                self.smtp_sender,self.enrollment_vpn_step_optional,self.enrollment_welcome_message,self.enrollment_welcome_email,self.enrollment_welcome_email_subject,self.enrollment_use_welcome_message_as_email,).fetch_one(executor).await? ;
+                self.id = Some(id);
+            }
+            Some(id) => {
+                sqlx::query!("UPDATE \"settings\" SET \"openid_enabled\" = $2, \"ldap_enabled\" = $3, \"wireguard_enabled\" = $4, \"webhooks_enabled\" = $5, \"worker_enabled\" = $6, \"challenge_template\" = $7, \"instance_name\" = $8, \"main_logo_url\" = $9, \"nav_logo_url\" = $10, \"smtp_server\" = $11, \"smtp_port\" = $12, \"smtp_encryption\" = $13, \"smtp_user\" = $14, \
+                \"smtp_password\" = $15, \
+                \"smtp_sender\" = $16, \"enrollment_vpn_step_optional\" = $17, \"enrollment_welcome_message\" = $18, \"enrollment_welcome_email\" = $19, \"enrollment_welcome_email_subject\" = $20, \"enrollment_use_welcome_message_as_email\" = $21 WHERE id = $1",
+                id,self.openid_enabled,self.ldap_enabled,self.wireguard_enabled,self.webhooks_enabled,self.worker_enabled,self.challenge_template,self.instance_name,self.main_logo_url,self.nav_logo_url,self.smtp_server,self.smtp_port,
+                &self.smtp_encryption as &SmtpEncryption,self.smtp_user,&self.smtp_password as &Option<SecretString>,
+                self.smtp_sender,self.enrollment_vpn_step_optional,self.enrollment_welcome_message,self.enrollment_welcome_email,self.enrollment_welcome_email_subject,self.enrollment_use_welcome_message_as_email,).execute(executor).await? ;
+            }
+        }
+        Ok(())
+    }
+}
+
 impl Settings {
     pub(crate) async fn get_settings<'e, E>(executor: E) -> Result<Settings, sqlx::Error>
     where

diff --git a/src/db/models/user.rs b/src/db/models/user.rs
@@ -336,7 +336,7 @@ impl User {
         }
         Ok(())
     }
-    /// Select all users without sensitive data. 
+    /// Select all users without sensitive data.
     pub async fn all_without_sensitive_data(pool: &DbPool) -> Result<Vec<Self>, SqlxError> {
         let users = query_as!(
             Self,
@@ -348,7 +348,6 @@ impl User {
         .fetch_all(pool)
         .await?;
         Ok(users)
-
     }
 
     /// Check if TOTP `code` is valid.