gophish/controllers/api.go

package controllers

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strconv"
	"time"

	ctx "github.com/gorilla/context"
	"github.com/gorilla/mux"
	"github.com/jordan-wright/gophish/auth"
	"github.com/jordan-wright/gophish/db"
	"github.com/jordan-wright/gophish/models"
)

const (
	IN_PROGRESS string = "In progress"
	WAITING     string = "Waiting"
	COMPLETE    string = "Completed"
	ERROR       string = "Error"
)

// API (/api) provides access to api documentation
func API(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == "GET":
		getTemplate(w, "api_doc").ExecuteTemplate(w, "base", nil)
	}
}

// API (/api/reset) resets a user's API key
func API_Reset(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == "POST":
		u := ctx.Get(r, "user").(models.User)
		u.APIKey = auth.GenerateSecureKey()
		err := db.PutUser(&u)
		if err != nil {
			Flash(w, r, "danger", "Error resetting API Key")
		} else {
			Flash(w, r, "success", "API Key Successfully Reset")
		}
		http.Redirect(w, r, "/settings", 302)
	}
}

// API_Campaigns returns a list of campaigns if requested via GET.
// If requested via POST, API_Campaigns creates a new campaign and returns a reference to it.
func API_Campaigns(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == "GET":
		cs, err := db.GetCampaigns(ctx.Get(r, "user_id").(int64))
		if err != nil {
			fmt.Println(err)
		}
		cj, err := json.MarshalIndent(cs, "", "  ")
		if checkError(err, w, "Error looking up campaigns") {
			return
		}
		writeJSON(w, cj)
	//POST: Create a new campaign and return it as JSON
	case r.Method == "POST":
		c := models.Campaign{}
		// Put the request into a campaign
		err := json.NewDecoder(r.Body).Decode(&c)
		if checkError(err, w, "Invalid Request") {
			return
		}
		// Fill in the details
		c.CreatedDate = time.Now()
		c.CompletedDate = time.Time{}
		c.Status = IN_PROGRESS
		c.Uid = ctx.Get(r, "user_id").(int64)
		// Insert into the DB
		err = db.Conn.Insert(&c)
		if checkError(err, w, "Cannot insert campaign into database") {
			return
		}
		cj, err := json.MarshalIndent(c, "", "  ")
		if checkError(err, w, "Error creating JSON response") {
			return
		}
		writeJSON(w, cj)
	}
}

// API_Campaigns_Id returns details about the requested campaign. If the campaign is not
// valid, API_Campaigns_Id returns null.
func API_Campaigns_Id(w http.ResponseWriter, r *http.Request) {
	vars := mux.Vars(r)
	id, _ := strconv.ParseInt(vars["id"], 0, 64)
	switch {
	case r.Method == "GET":
		c := models.Campaign{}
		c, err := db.GetCampaign(id, ctx.Get(r, "user_id").(int64))
		if checkError(err, w, "No campaign found") {
			return
		}
		cj, err := json.MarshalIndent(c, "", "  ")
		if checkError(err, w, "Error creating JSON response") {
			return
		}
		writeJSON(w, cj)
	case r.Method == "DELETE":
		//c := models.Campaign{}
	}
}

func API_Campaigns_Id_Launch(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "/", 302)
}

// API_Groups returns details about the requested group. If the campaign is not
// valid, API_Groups returns null.
// Example:
/*
POST	/api/groups
		{ "name" : "Test Group",
		  "targets" : [
		  {
		  	"email" : "test@example.com"
		  },
		  { "email" : test2@example.com"
		  }]
		}

RESULT { "name" : "Test Group",
		  "targets" : [
		  {
		  	"email" : "test@example.com"
		  },
		  { "email" : test2@example.com"
		  }]
		}
*/
func API_Groups(w http.ResponseWriter, r *http.Request) {
	switch {
	case r.Method == "GET":
		gs, err := db.GetGroups(ctx.Get(r, "user_id").(int64))
		if checkError(err, w, "Cannot retrieve group information") {
			return
		}
		gj, err := json.MarshalIndent(gs, "", "  ")
		if checkError(err, w, "Error marshaling group information") {
			return
		}
		writeJSON(w, gj)
	//POST: Create a new group and return it as JSON
	case r.Method == "POST":
		g := models.Group{}
		// Put the request into a group
		err := json.NewDecoder(r.Body).Decode(&g)
		if checkError(err, w, "Invalid Request") {
			return
		}
		// Check to make sure targets were specified
		if len(g.Targets) == 0 {
			http.Error(w, "Error: No targets specified", http.StatusInternalServerError)
			return
		}
		g.ModifiedDate = time.Now()
		err = db.PostGroup(&g, ctx.Get(r, "user_id").(int64))
		if checkError(err, w, "Error inserting group") {
			return
		}
		gj, err := json.MarshalIndent(g, "", "  ")
		if checkError(err, w, "Error creating JSON response") {
			return
		}
		writeJSON(w, gj)
	}
}

// API_Groups_Id returns details about the requested campaign. If the campaign is not
// valid, API_Campaigns_Id returns null.
func API_Groups_Id(w http.ResponseWriter, r *http.Request) {
	vars := mux.Vars(r)
	id, _ := strconv.ParseInt(vars["id"], 0, 64)
	switch {
	case r.Method == "GET":
		g := models.Group{}
		g, err := db.GetGroup(id, ctx.Get(r, "user_id").(int64))
		if checkError(err, w, "No group found") {
			return
		}
		gj, err := json.MarshalIndent(g, "", "  ")
		if checkError(err, w, "Error creating JSON response") {
			return
		}
		writeJSON(w, gj)
	case r.Method == "DELETE":
		err := db.DeleteGroup(id, ctx.Get(r, "user_id").(int64))
		if checkError(err, w, "Error creating JSON response") {
			return
		}
		writeJSON(w, []byte("{\"success\" : \"true\"}"))
	}
}

func writeJSON(w http.ResponseWriter, c []byte) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprintf(w, "%s", c)
}
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`package controllers`

			`import (`
Working on API layout 2014-01-13 02:00:20 +00:00			`"encoding/json"`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`"fmt"`
			`"net/http"`
Changing int to int64 Starting to implement angularjs Implemented /api/campaigns/:id GET Changed template delims to {{% and %}} 2014-02-01 02:49:22 +00:00			`"strconv"`
Implemented POST /api/campaigns Renamed "apikey" table to "api_key" for consistency Bug fix in checkError() 2014-01-31 22:25:02 +00:00			`"time"`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00
Working on API layout 2014-01-13 02:00:20 +00:00			`ctx "github.com/gorilla/context"`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`"github.com/gorilla/mux"`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`"github.com/jordan-wright/gophish/auth"`
- Working on implementing the API (started working on /api/campaigns) - Implemented APIKey middleware - Changed settings template to look a bit nicer and to, you know, work. 2014-01-31 04:46:25 +00:00			`"github.com/jordan-wright/gophish/db"`
			`"github.com/jordan-wright/gophish/models"`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`)`

Implemented POST /api/campaigns Renamed "apikey" table to "api_key" for consistency Bug fix in checkError() 2014-01-31 22:25:02 +00:00			`const (`
			`IN_PROGRESS string = "In progress"`
			`WAITING string = "Waiting"`
			`COMPLETE string = "Completed"`
			`ERROR string = "Error"`
			`)`

Cleaning up router /campaigns - depreciated /api/doc - now /api/ 2014-02-01 03:49:35 +00:00			`// API (/api) provides access to api documentation`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`func API(w http.ResponseWriter, r *http.Request) {`
Cleaning up router /campaigns - depreciated /api/doc - now /api/ 2014-02-01 03:49:35 +00:00			`switch {`
			`case r.Method == "GET":`
			`getTemplate(w, "api_doc").ExecuteTemplate(w, "base", nil)`
Working on API layout 2014-01-13 02:00:20 +00:00			`}`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`}`

Added ability to reset API token Cleaned up session flash handling 2014-02-02 20:47:06 +00:00			`// API (/api/reset) resets a user's API key`
			`func API_Reset(w http.ResponseWriter, r *http.Request) {`
			`switch {`
Updated README Added CSRF Protection to login, /api/reset functions Added auto highlighting of API key when clicked 2014-02-03 23:21:56 +00:00			`case r.Method == "POST":`
Added ability to reset API token Cleaned up session flash handling 2014-02-02 20:47:06 +00:00			`u := ctx.Get(r, "user").(models.User)`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`u.APIKey = auth.GenerateSecureKey()`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`err := db.PutUser(&u)`
			`if err != nil {`
			`Flash(w, r, "danger", "Error resetting API Key")`
			`} else {`
			`Flash(w, r, "success", "API Key Successfully Reset")`
			`}`
Added ability to reset API token Cleaned up session flash handling 2014-02-02 20:47:06 +00:00			`http.Redirect(w, r, "/settings", 302)`
			`}`
			`}`

Cleaning up router /campaigns - depreciated /api/doc - now /api/ 2014-02-01 03:49:35 +00:00			`// API_Campaigns returns a list of campaigns if requested via GET.`
			`// If requested via POST, API_Campaigns creates a new campaign and returns a reference to it.`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`func API_Campaigns(w http.ResponseWriter, r *http.Request) {`
			`switch {`
			`case r.Method == "GET":`
Updated angular ui to support adding group Updated POST /api/groups/ to successfully add group Fixed CSRF in API issue Moved PUT and DELETE to /api/groups/:id (TODO: Implement) Changed SQL to use user_id instead of API key It is now possible to add a new group! Will propagate logic to campaigns soon. 2014-02-10 01:34:47 +00:00			`cs, err := db.GetCampaigns(ctx.Get(r, "user_id").(int64))`
- Working on implementing the API (started working on /api/campaigns) - Implemented APIKey middleware - Changed settings template to look a bit nicer and to, you know, work. 2014-01-31 04:46:25 +00:00			`if err != nil {`
			`fmt.Println(err)`
			`}`
Implemented POST /api/campaigns Renamed "apikey" table to "api_key" for consistency Bug fix in checkError() 2014-01-31 22:25:02 +00:00			`cj, err := json.MarshalIndent(cs, "", " ")`
			`if checkError(err, w, "Error looking up campaigns") {`
			`return`
- Working on implementing the API (started working on /api/campaigns) - Implemented APIKey middleware - Changed settings template to look a bit nicer and to, you know, work. 2014-01-31 04:46:25 +00:00			`}`
Implemented POST /api/campaigns Renamed "apikey" table to "api_key" for consistency Bug fix in checkError() 2014-01-31 22:25:02 +00:00			`writeJSON(w, cj)`
Added ability to reset API token Cleaned up session flash handling 2014-02-02 20:47:06 +00:00			`//POST: Create a new campaign and return it as JSON`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`case r.Method == "POST":`
Implemented POST /api/campaigns Renamed "apikey" table to "api_key" for consistency Bug fix in checkError() 2014-01-31 22:25:02 +00:00			`c := models.Campaign{}`
			`// Put the request into a campaign`
			`err := json.NewDecoder(r.Body).Decode(&c)`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`if checkError(err, w, "Invalid Request") {`
			`return`
			`}`
Implemented POST /api/campaigns Renamed "apikey" table to "api_key" for consistency Bug fix in checkError() 2014-01-31 22:25:02 +00:00			`// Fill in the details`
			`c.CreatedDate = time.Now()`
			`c.CompletedDate = time.Time{}`
			`c.Status = IN_PROGRESS`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`c.Uid = ctx.Get(r, "user_id").(int64)`
Implemented POST /api/campaigns Renamed "apikey" table to "api_key" for consistency Bug fix in checkError() 2014-01-31 22:25:02 +00:00			`// Insert into the DB`
			`err = db.Conn.Insert(&c)`
			`if checkError(err, w, "Cannot insert campaign into database") {`
			`return`
			`}`
			`cj, err := json.MarshalIndent(c, "", " ")`
			`if checkError(err, w, "Error creating JSON response") {`
			`return`
			`}`
			`writeJSON(w, cj)`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`}`
			`}`

Cleaning up router /campaigns - depreciated /api/doc - now /api/ 2014-02-01 03:49:35 +00:00			`// API_Campaigns_Id returns details about the requested campaign. If the campaign is not`
			`// valid, API_Campaigns_Id returns null.`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`func API_Campaigns_Id(w http.ResponseWriter, r *http.Request) {`
			`vars := mux.Vars(r)`
Cleaned up some errors Implemented using db.* helpers (ie GetUser) Implemented ChangePassword (not reachable from UI currently) Fixed angular issue in settings.html template 2014-02-06 16:49:53 +00:00			`id, _ := strconv.ParseInt(vars["id"], 0, 64)`
Changing int to int64 Starting to implement angularjs Implemented /api/campaigns/:id GET Changed template delims to {{% and %}} 2014-02-01 02:49:22 +00:00			`switch {`
			`case r.Method == "GET":`
			`c := models.Campaign{}`
Updated angular ui to support adding group Updated POST /api/groups/ to successfully add group Fixed CSRF in API issue Moved PUT and DELETE to /api/groups/:id (TODO: Implement) Changed SQL to use user_id instead of API key It is now possible to add a new group! Will propagate logic to campaigns soon. 2014-02-10 01:34:47 +00:00			`c, err := db.GetCampaign(id, ctx.Get(r, "user_id").(int64))`
Changing int to int64 Starting to implement angularjs Implemented /api/campaigns/:id GET Changed template delims to {{% and %}} 2014-02-01 02:49:22 +00:00			`if checkError(err, w, "No campaign found") {`
			`return`
			`}`
			`cj, err := json.MarshalIndent(c, "", " ")`
			`if checkError(err, w, "Error creating JSON response") {`
			`return`
			`}`
			`writeJSON(w, cj)`
			`case r.Method == "DELETE":`
			`//c := models.Campaign{}`
			`}`
Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture. Added doc.go for each package 2014-01-09 06:42:05 +00:00			`}`

Refined CSRF Protection Exempt Glob (/api/* to /api//) to provide CSRF protection /api/reset Added stub for /api/campaigns/:id/launch 2014-02-04 05:41:31 +00:00			`func API_Campaigns_Id_Launch(w http.ResponseWriter, r *http.Request) {`
			`http.Redirect(w, r, "/", 302)`
			`}`

Cleaning up some broken links Changed default admin password to 'gophish' Fixed bug in POST /api/campaigns Starting to implements groups and users functionality 2014-02-02 22:37:36 +00:00			`// API_Groups returns details about the requested group. If the campaign is not`
			`// valid, API_Groups returns null.`
Implementing /api/groups functionality. POST is almost working :) 2014-02-05 03:08:09 +00:00			`// Example:`
			`/*`
			`POST /api/groups`
			`{ "name" : "Test Group",`
Finished implementing first version of GET, POST /api/groups 2014-02-05 03:53:11 +00:00			`"targets" : [`
			`{`
			`"email" : "test@example.com"`
			`},`
			`{ "email" : test2@example.com"`
			`}]`
Implementing /api/groups functionality. POST is almost working :) 2014-02-05 03:08:09 +00:00			`}`

			`RESULT { "name" : "Test Group",`
Moved Group insertion to db.PostGroup() Stubbed db.DeleteGroup() Added better logging to db (Logging to come soon for all other packages) 2014-02-07 01:16:29 +00:00			`"targets" : [`
			`{`
			`"email" : "test@example.com"`
			`},`
			`{ "email" : test2@example.com"`
			`}]`
Implementing /api/groups functionality. POST is almost working :) 2014-02-05 03:08:09 +00:00			`}`
			`*/`
Cleaning up some broken links Changed default admin password to 'gophish' Fixed bug in POST /api/campaigns Starting to implements groups and users functionality 2014-02-02 22:37:36 +00:00			`func API_Groups(w http.ResponseWriter, r *http.Request) {`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`switch {`
			`case r.Method == "GET":`
Updated angular ui to support adding group Updated POST /api/groups/ to successfully add group Fixed CSRF in API issue Moved PUT and DELETE to /api/groups/:id (TODO: Implement) Changed SQL to use user_id instead of API key It is now possible to add a new group! Will propagate logic to campaigns soon. 2014-02-10 01:34:47 +00:00			`gs, err := db.GetGroups(ctx.Get(r, "user_id").(int64))`
Updated API (/api/groups) 2014-02-06 19:30:05 +00:00			`if checkError(err, w, "Cannot retrieve group information") {`
			`return`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`}`
			`gj, err := json.MarshalIndent(gs, "", " ")`
Updated API (/api/groups) 2014-02-06 19:30:05 +00:00			`if checkError(err, w, "Error marshaling group information") {`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`return`
			`}`
			`writeJSON(w, gj)`
			`//POST: Create a new group and return it as JSON`
			`case r.Method == "POST":`
			`g := models.Group{}`
			`// Put the request into a group`
			`err := json.NewDecoder(r.Body).Decode(&g)`
			`if checkError(err, w, "Invalid Request") {`
			`return`
			`}`
			`// Check to make sure targets were specified`
			`if len(g.Targets) == 0 {`
			`http.Error(w, "Error: No targets specified", http.StatusInternalServerError)`
			`return`
			`}`
			`g.ModifiedDate = time.Now()`
Moved Group insertion to db.PostGroup() Stubbed db.DeleteGroup() Added better logging to db (Logging to come soon for all other packages) 2014-02-07 01:16:29 +00:00			`err = db.PostGroup(&g, ctx.Get(r, "user_id").(int64))`
			`if checkError(err, w, "Error inserting group") {`
Implementing /api/groups functionality. POST is almost working :) 2014-02-05 03:08:09 +00:00			`return`
			`}`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`gj, err := json.MarshalIndent(g, "", " ")`
			`if checkError(err, w, "Error creating JSON response") {`
			`return`
			`}`
			`writeJSON(w, gj)`
Updated angular ui to support adding group Updated POST /api/groups/ to successfully add group Fixed CSRF in API issue Moved PUT and DELETE to /api/groups/:id (TODO: Implement) Changed SQL to use user_id instead of API key It is now possible to add a new group! Will propagate logic to campaigns soon. 2014-02-10 01:34:47 +00:00			`}`
			`}`

			`// API_Groups_Id returns details about the requested campaign. If the campaign is not`
			`// valid, API_Campaigns_Id returns null.`
			`func API_Groups_Id(w http.ResponseWriter, r *http.Request) {`
			`vars := mux.Vars(r)`
			`id, _ := strconv.ParseInt(vars["id"], 0, 64)`
			`switch {`
			`case r.Method == "GET":`
			`g := models.Group{}`
			`g, err := db.GetGroup(id, ctx.Get(r, "user_id").(int64))`
			`if checkError(err, w, "No group found") {`
			`return`
			`}`
			`gj, err := json.MarshalIndent(g, "", " ")`
			`if checkError(err, w, "Error creating JSON response") {`
			`return`
			`}`
			`writeJSON(w, gj)`
Moved Group insertion to db.PostGroup() Stubbed db.DeleteGroup() Added better logging to db (Logging to come soon for all other packages) 2014-02-07 01:16:29 +00:00			`case r.Method == "DELETE":`
Updated interfacing with ng-table module. Will propagate changes to campaigns soon. Updated footer copyright year Cleaned up tables in templates 2014-02-10 07:15:36 +00:00			`err := db.DeleteGroup(id, ctx.Get(r, "user_id").(int64))`
Moved Group insertion to db.PostGroup() Stubbed db.DeleteGroup() Added better logging to db (Logging to come soon for all other packages) 2014-02-07 01:16:29 +00:00			`if checkError(err, w, "Error creating JSON response") {`
			`return`
			`}`
Quick bugfixes Added dropdown to dashboard table 2014-02-07 03:36:00 +00:00			`writeJSON(w, []byte("{\"success\" : \"true\"}"))`
Implemented Registration Created auth.GenerateSecureKey to handle generating API Keys 2014-02-05 00:39:01 +00:00			`}`
Cleaning up some broken links Changed default admin password to 'gophish' Fixed bug in POST /api/campaigns Starting to implements groups and users functionality 2014-02-02 22:37:36 +00:00			`}`

Working on API layout 2014-01-13 02:00:20 +00:00			`func writeJSON(w http.ResponseWriter, c []byte) {`
			`w.Header().Set("Content-Type", "application/json")`
			`fmt.Fprintf(w, "%s", c)`
			`}`