Cleaned up csrf exemptions

Cleaned up models
Added UNIQUE constraint on many-many tables
Added form parsing/ userid from API key lookup in middleware
pull/24/head
Jordan 2014-02-04 15:23:09 -06:00
parent 4c722afe8b
commit 359fa01c1c
4 changed files with 30 additions and 26 deletions

View File

@ -37,12 +37,14 @@ func CreateRouter() *nosurf.CSRFHandler {
api.HandleFunc("/groups", Use(API_Groups, mid.RequireAPIKey)) api.HandleFunc("/groups", Use(API_Groups, mid.RequireAPIKey))
api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey)) api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey))
//Setup static file serving // Setup static file serving
router.PathPrefix("/").Handler(http.FileServer(http.Dir("./static/"))) router.PathPrefix("/").Handler(http.FileServer(http.Dir("./static/")))
//Setup CSRF Protection // Setup CSRF Protection
csrfHandler := nosurf.New(router) csrfHandler := nosurf.New(router)
csrfHandler.ExemptGlob("/api/*/*") // Exempt API routes and Static files
csrfHandler.ExemptGlob("/api/campaigns*")
csrfHandler.ExemptGlob("/api/groups*")
csrfHandler.ExemptGlob("/static/*") csrfHandler.ExemptGlob("/static/*")
return csrfHandler return csrfHandler
} }

View File

@ -26,7 +26,6 @@ func Setup() error {
Conn.AddTableWithName(models.User{}, "users").SetKeys(true, "Id") Conn.AddTableWithName(models.User{}, "users").SetKeys(true, "Id")
Conn.AddTableWithName(models.Campaign{}, "campaigns").SetKeys(true, "Id") Conn.AddTableWithName(models.Campaign{}, "campaigns").SetKeys(true, "Id")
Conn.AddTableWithName(models.Group{}, "groups").SetKeys(true, "Id") Conn.AddTableWithName(models.Group{}, "groups").SetKeys(true, "Id")
Conn.AddTableWithName(models.GroupTarget{}, "group_target")
if err != nil { if err != nil {
fmt.Println("Database not found, recreating...") fmt.Println("Database not found, recreating...")
createTablesSQL := []string{ createTablesSQL := []string{
@ -34,8 +33,9 @@ func Setup() error {
`CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, hash VARCHAR(60) NOT NULL, api_key VARCHAR(32));`, `CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, hash VARCHAR(60) NOT NULL, api_key VARCHAR(32));`,
`CREATE TABLE campaigns (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, created_date TIMESTAMP NOT NULL, completed_date TIMESTAMP, template TEXT, status TEXT NOT NULL, uid INTEGER, FOREIGN KEY (uid) REFERENCES users(id));`, `CREATE TABLE campaigns (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, created_date TIMESTAMP NOT NULL, completed_date TIMESTAMP, template TEXT, status TEXT NOT NULL, uid INTEGER, FOREIGN KEY (uid) REFERENCES users(id));`,
`CREATE TABLE targets (id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT NOT NULL);`, `CREATE TABLE targets (id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT NOT NULL);`,
`CREATE TABLE groups (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL);`, `CREATE TABLE groups (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, modified_date TIMESTAMP NOT NULL);`,
`CREATE TABLE group_targets (gid INTEGER NOT NULL, tid INTEGER NOT NULL, FOREIGN KEY (gid) REFERENCES groups(id), FOREIGN KEY (tid) REFERENCES targets(id));`, `CREATE TABLE user_groups (uid INTEGER NOT NULL, gid INTEGER NOT NULL, FOREIGN KEY (uid) REFERENCES users(id), FOREIGN KEY (gid) REFERENCES groups(id), UNIQUE(uid, gid))`,
`CREATE TABLE group_targets (gid INTEGER NOT NULL, tid INTEGER NOT NULL, FOREIGN KEY (gid) REFERENCES groups(id), FOREIGN KEY (tid) REFERENCES targets(id), UNIQUE(gid, tid));`,
} }
fmt.Println("Creating db at " + config.Conf.DBPath) fmt.Println("Creating db at " + config.Conf.DBPath)
//Create the tables needed //Create the tables needed

View File

@ -5,6 +5,7 @@ import (
ctx "github.com/gorilla/context" ctx "github.com/gorilla/context"
"github.com/jordan-wright/gophish/auth" "github.com/jordan-wright/gophish/auth"
"github.com/jordan-wright/gophish/db"
) )
// GetContext wraps each request in a function which fills in the context for a given request. // GetContext wraps each request in a function which fills in the context for a given request.
@ -12,6 +13,11 @@ import (
func GetContext(handler http.Handler) http.HandlerFunc { func GetContext(handler http.Handler) http.HandlerFunc {
// Set the context here // Set the context here
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
// Parse the request form
err := r.ParseForm()
if err != nil {
http.Error(w, "Error parsing request", http.StatusInternalServerError)
}
// Set the context appropriately here. // Set the context appropriately here.
// Set the session // Set the session
session, _ := auth.Store.Get(r, "gophish") session, _ := auth.Store.Get(r, "gophish")
@ -39,6 +45,12 @@ func RequireAPIKey(handler http.Handler) http.HandlerFunc {
if ak == "" { if ak == "" {
JSONError(w, 500, "API Key not set") JSONError(w, 500, "API Key not set")
} else { } else {
id, err := db.Conn.SelectInt("SELECT id FROM users WHERE api_key=?", ak)
if id == 0 || err != nil {
http.Error(w, "Error: Invalid API Key", http.StatusInternalServerError)
return
}
ctx.Set(r, "user_id", id)
ctx.Set(r, "api_key", ak) ctx.Set(r, "api_key", ak)
handler.ServeHTTP(w, r) handler.ServeHTTP(w, r)
} }

View File

@ -1,11 +1,9 @@
package models package models
import ( import
"net/mail"
// SMTPServer is used to provide a default SMTP server preference. // SMTPServer is used to provide a default SMTP server preference.
"time" "time"
)
type SMTPServer struct { type SMTPServer struct {
Host string `json:"host"` Host string `json:"host"`
@ -46,11 +44,6 @@ type Campaign struct {
Uid int64 `json:"-"` Uid int64 `json:"-"`
} }
type UserCampaigns struct {
CampaignId int64
UserId int64
}
type Result struct { type Result struct {
Id int64 Id int64
TargetId int64 TargetId int64
@ -59,16 +52,13 @@ type Result struct {
type Group struct { type Group struct {
Id int64 `json:"id"` Id int64 `json:"id"`
Targets []Target Name string `json:"name"`
Uid int64 ModifiedDate time.Time `json:"modified_date" db:"modified_date"`
} Targets []Target `json:"targets" db:"-"`
Uid int64 `json:"-"`
type GroupTarget struct {
Gid int64
Tid int64
} }
type Target struct { type Target struct {
Id int64 `json:"-"` Id int64 `json:"-"`
Email mail.Address `json:"email"` Email string `json:"email"`
} }