Show only secret keys if write only access

Infisical · Feb 12, 2023 · b066a55 · b066a55
1 parent 2f1a671
commit b066a55
Show file tree

Hide file tree

Showing 2 changed files with 122 additions and 18 deletions.
diff --git a/backend/src/controllers/v2/secretsController.ts b/backend/src/controllers/v2/secretsController.ts
@@ -17,7 +17,7 @@ import { EESecretService, EELogService } from '../../ee/services';
 import { postHogClient } from '../../services';
 import { getChannelFromUserAgent } from '../../utils/posthog';
 import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
 
 /**
  * Create secret(s) for workspace with id [workspaceId] and environment [environment]
@@ -298,27 +298,42 @@ export const getSecrets = async (req: Request, res: Response) => {
         userEmail = req.serviceTokenData.user.email;
     }
 
-    // none service token case as service tokens are already scoped
+    // none service token case as service tokens are already scoped to env and project
+    let hasWriteOnlyAccess
     if (!req.serviceTokenData) {
-        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
-        if (!hasAccess) {
+        hasWriteOnlyAccess = await userHasWriteOnlyAbility(userId, workspaceId, environment)
+        const hasNoAccess = await userHasNoAbility(userId, workspaceId, environment)
+        if (hasNoAccess) {
             throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
         }
     }
-
-    const [err, secrets] = await to(Secret.find(
-        {
-            workspace: workspaceId,
-            environment,
-            $or: [
-                { user: userId },
-                { user: { $exists: false } }
-            ],
-            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
-        }
-    ).populate("tags").then())
-
-    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
+    let secrets: any
+    if (hasWriteOnlyAccess) {
+        secrets = await Secret.find(
+            {
+                workspace: workspaceId,
+                environment,
+                $or: [
+                    { user: userId },
+                    { user: { $exists: false } }
+                ],
+                type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+            }
+        )
+            .select("secretKeyCiphertext secretKeyIV secretKeyTag")
+    } else {
+        secrets = await Secret.find(
+            {
+                workspace: workspaceId,
+                environment,
+                $or: [
+                    { user: userId },
+                    { user: { $exists: false } }
+                ],
+                type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+            }
+        ).populate("tags")
+    }
 
     const channel = getChannelFromUserAgent(req.headers['user-agent'])
 
@@ -356,6 +371,59 @@ export const getSecrets = async (req: Request, res: Response) => {
     });
 }
 
+
+export const getOnlySecretKeys = async (req: Request, res: Response) => {
+    const { workspaceId, environment } = req.query;
+
+    let userId = "" // used for getting personal secrets for user
+    let userEmail = "" // used for posthog 
+    if (req.user) {
+        userId = req.user._id;
+        userEmail = req.user.email;
+    }
+
+    if (req.serviceTokenData) {
+        userId = req.serviceTokenData.user._id
+        userEmail = req.serviceTokenData.user.email;
+    }
+
+    // none service token case as service tokens are already scoped
+    if (!req.serviceTokenData) {
+        const hasAccess = await userHasWorkspaceAccess(userId, workspaceId, environment, ABILITY_READ)
+        if (!hasAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+    }
+
+    const [err, secretKeys] = await to(Secret.find(
+        {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    )
+        .select("secretKeyIV secretKeyTag secretKeyCiphertext")
+        .then())
+
+    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
+
+    // readAction && await EELogService.createLog({
+    //     userId: new Types.ObjectId(userId),
+    //     workspaceId: new Types.ObjectId(workspaceId as string),
+    //     actions: [readAction],
+    //     channel,
+    //     ipAddress: req.ip
+    // });
+
+    return res.status(200).send({
+        secretKeys
+    });
+}
+
 /**
  * Update secret(s)
  * @param req 

diff --git a/backend/src/ee/helpers/checkMembershipPermissions.ts b/backend/src/ee/helpers/checkMembershipPermissions.ts
@@ -1,5 +1,6 @@
 import _ from "lodash";
 import { Membership } from "../../models";
+import { ABILITY_READ, ABILITY_WRITE } from "../../variables/organization";
 
 export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
   const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
@@ -15,4 +16,39 @@ export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, envi
   }
 
   return true
+}
+
+export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, environment: any) => {
+  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
+  if (!membershipForWorkspace) {
+    return false
+  }
+
+  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
+  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+
+  // case: you have write only if read is blocked and write is not
+  if (isReadDisallowed && !isWriteDisallowed) {
+    return true
+  }
+
+  return false
+}
+
+export const userHasNoAbility = async (userId: any, workspaceId: any, environment: any) => {
+  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
+  if (!membershipForWorkspace) {
+    return true
+  }
+
+  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
+  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+
+  if (isReadBlocked && isWriteDisallowed) {
+    return true
+  }
+
+  return false
 }