From fa68d2d26b56be919971f927a2449ba491e21104 Mon Sep 17 00:00:00 2001
From: petruki <31597636+petruki@users.noreply.github.com>
Date: Sun, 6 Oct 2024 13:22:08 -0700
Subject: [PATCH] Opaque encrypted token from account API responses
---
 src/controller/account.go | 17 ++++++++++++++++-
 src/controller/account_test.go | 15 +++++++++------
 2 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/src/controller/account.go b/src/controller/account.go
index 0b02720..06755f5 100644
--- a/src/controller/account.go
+++ b/src/controller/account.go
@@ -64,6 +64,7 @@ func (controller *AccountController) CreateAccountHandler(w http.ResponseWriter,
 gitService := core.NewGitService(accountCreated.Repository, accountCreated.Token, accountCreated.Branch)
 go controller.coreHandler.StartAccountHandler(accountCreated.ID.Hex(), gitService)
+ opaqueTokenFromResponse(accountCreated)
 utils.ResponseJSON(w, accountCreated, http.StatusCreated)
 }
@@ -78,6 +79,7 @@ func (controller *AccountController) FetchAccountHandler(w http.ResponseWriter,
 return
 }
+ opaqueTokenFromResponse(account)
 utils.ResponseJSON(w, account, http.StatusOK)
 }
@@ -91,7 +93,13 @@ func (controller *AccountController) FetchAllAccountsByDomainIdHandler(w http.Re
 return
 }
- utils.ResponseJSON(w, accounts, http.StatusOK)
+ var accountsResponse []model.Account
+ for _, account := range accounts {
+ opaqueTokenFromResponse(&account)
+ accountsResponse = append(accountsResponse, account)
+ }
+
+ utils.ResponseJSON(w, accountsResponse, http.StatusOK)
 }
 func (controller *AccountController) UpdateAccountHandler(w http.ResponseWriter, r *http.Request) {
@@ -115,6 +123,7 @@ func (controller *AccountController) UpdateAccountHandler(w http.ResponseWriter,
 return
 }
+ opaqueTokenFromResponse(accountUpdated)
 utils.ResponseJSON(w, accountUpdated, http.StatusOK)
 }
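Review bot: The added `opaqueTokenFromResponse(accountCreated)` in CreateAccountHandler is only correct because it runs after `core.NewGitService(..., accountCreated.Token, ...)` has already consumed the real token, and the goroutine started on the line above receives only the ID and the git service, so it is unaffected by the later in-place mutation; nothing states that ordering, and moving the call above `gitService :=` would hand the git service a masked token. Add `// mask only after gitService has captured the real token` above the call. The body of CreateAccountHandler starts outside this hunk, so I cannot tell whether `accountCreated` is referenced by anything else after the response is written.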
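Review bot: In FetchAllAccountsByDomainIdHandler, `var accountsResponse []model.Account` stays nil when `accounts` is empty and encodes as JSON `null`, whereas the removed `utils.ResponseJSON(w, accounts, http.StatusOK)` would have emitted `[]` for an empty non-nil slice; if the not-found branch above already rejects empty results this is moot, but it is a silent contract change otherwise. The copy is also unnecessary, since `&account` only compiles if `accounts` is already `[]model.Account`: mask in place with `for i := range accounts {` / `opaqueTokenFromResponse(&accounts[i])` / `}` and keep the original `utils.ResponseJSON(w, accounts, http.StatusOK)` call, which preserves the previous encoding of an empty result.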
@@ -131,3 +140,9 @@ func (controller *AccountController) DeleteAccountHandler(w http.ResponseWriter,
 utils.ResponseJSON(w, nil, http.StatusNoContent)
 }
+
+func opaqueTokenFromResponse(account *model.Account) {
+ if account.Token != "" {
+ account.Token = "..." + account.Token[len(account.Token)-4:]
+ }
+}
diff --git a/src/controller/account_test.go b/src/controller/account_test.go
index 611e056..a01c9f0 100644
--- a/src/controller/account_test.go
+++ b/src/controller/account_test.go
@@ -11,6 +11,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/switcherapi/switcher-gitops/src/config"
 "github.com/switcherapi/switcher-gitops/src/model"
+ "github.com/switcherapi/switcher-gitops/src/repository"
 "github.com/switcherapi/switcher-gitops/src/utils"
 )
@@ -29,9 +30,7 @@ func TestCreateAccountHandler(t *testing.T) {
 assert.Equal(t, http.StatusCreated, response.Code)
 assert.Nil(t, err)
 assert.Equal(t, accountV1.Repository, accountResponse.Repository)
-
- token, _ := utils.Decrypt(accountResponse.Token, config.GetEnv("GIT_TOKEN_PRIVATE_KEY"))
- assert.Equal(t, accountV1.Token, token)
+ assert.Contains(t, accountResponse.Token, "...")
 })
 t.Run("Should not create an account - invalid request", func(t *testing.T) {
@@ -78,6 +77,7 @@ func TestFetchAccountHandler(t *testing.T) {
 assert.Equal(t, http.StatusOK, response.Code)
 assert.Nil(t, err)
 assert.Equal(t, accountV1.Repository, accountResponse.Repository)
+ assert.Contains(t, accountResponse.Token, "...")
 })
 t.Run("Should not fetch an account by domain ID / environment - not found", func(t *testing.T) {
@@ -110,6 +110,8 @@ func TestFetchAccountHandler(t *testing.T) {
 assert.Equal(t, http.StatusOK, response.Code)
 assert.Nil(t, err)
 assert.Equal(t, 2, len(accountsResponse))
+ assert.Contains(t, accountsResponse[0].Token, "...")
+ assert.Contains(t, accountsResponse[1].Token, "...")
 })
 t.Run("Should not fetch all accounts by domain ID - not found", func(t *testing.T) {
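Review bot: In the new `opaqueTokenFromResponse`, `account.Token[len(account.Token)-4:]` panics with a slice-bounds error whenever the token is non-empty but shorter than four bytes, and a token of exactly four bytes is echoed back in full behind the `...` prefix; the `!= ""` guard covers neither case. The helper also has no doc comment and mutates the struct it is given in place, so callers must run it only after anything that needs the real value (CreateAccountHandler builds its git service first), which is worth stating next to the function. The test file decrypts the value it reads back from the repository, which suggests this field holds the stored ciphertext rather than the raw token, so the four retained characters are ciphertext; I have hedged that in the comment below rather than asserting it. Suggested rewrite with a length guard and documentation:
```go
// opaqueTokenFromResponse masks the account token before the account is
// written to an API response, keeping only its last four characters. It
// mutates the account in place, so it must run after any code that needs
// the real value (for example building a git service). The field appears
// to hold the stored ciphertext rather than the raw token; confirm before
// relying on that.
func opaqueTokenFromResponse(account *model.Account) {
	const keep = 4
	switch {
	case account.Token == "":
		return
	case len(account.Token) <= keep:
		// too short to expose a suffix without echoing the whole value
		account.Token = "..."
	default:
		account.Token = "..." + account.Token[len(account.Token)-keep:]
	}
}
```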
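Review bot: `assert.Contains(t, accountResponse.Token, "...")` in TestCreateAccountHandler only checks that three dots appear somewhere in the field; it would still pass if the token were returned unmasked and happened to contain dots, and it no longer verifies that the response omits the stored token. Pin the mask shape instead, e.g. `assert.Regexp(t, "^\\.\\.\\..{4}$", accountResponse.Token)` together with `assert.NotEqual(t, accountV1.Token, accountResponse.Token)`. The same weak assertion is added in the `-78,6` and `-110,6` hunks of this file and in TestUpdateAccountHandler. This hunk also drops the only check that a created account's stored token decrypts back to `accountV1.Token`; the repository lookup introduced in TestUpdateAccountHandler could be reused here to keep that coverage.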
@@ -174,11 +176,12 @@ func TestUpdateAccountHandler(t *testing.T) {
 assert.Equal(t, http.StatusOK, response.Code)
 assert.Nil(t, err)
 assert.Equal(t, accountV1.Repository, accountResponse.Repository)
+ assert.Contains(t, accountResponse.Token, "...")
- encryptedToken := utils.Encrypt(accountV1.Token, config.GetEnv("GIT_TOKEN_PRIVATE_KEY"))
- assert.NotEqual(t, encryptedToken, accountResponse.Token)
+ accountRepository := repository.NewAccountRepositoryMongo(mongoDb)
+ accountFromDb, _ := accountRepository.FetchByAccountId(accountResponse.ID.Hex())
- decryptedToken, _ := utils.Decrypt(accountResponse.Token, config.GetEnv("GIT_TOKEN_PRIVATE_KEY"))
+ decryptedToken, _ := utils.Decrypt(accountFromDb.Token, config.GetEnv("GIT_TOKEN_PRIVATE_KEY"))
 assert.Equal(t, "new-token", decryptedToken)
 })
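Review bot: `accountFromDb, _ := accountRepository.FetchByAccountId(accountResponse.ID.Hex())` discards the lookup error, so a failed fetch surfaces as a nil-pointer panic on `accountFromDb.Token` two lines later instead of a test failure with a message. Capture it and assert on it: `accountFromDb, err := accountRepository.FetchByAccountId(accountResponse.ID.Hex())` followed by `assert.Nil(t, err)` (`err` is already declared in this subtest, so the `:=` works because `accountFromDb` is new). The rewritten `decryptedToken, _ := utils.Decrypt(...)` line has the same blind spot; a decrypt error would make the final `assert.Equal` fail with an empty string and no hint why. `mongoDb` is not declared within this hunk, so I assume it is a package-level test fixture.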