Fix insert xss, add admins to users

Author: Trolldemorted

src/main.rs

@@ -125,65 +125,77 @@ struct DeployInput {
 }
 
 #[post("/", data = "<form>")]
-fn index_post(form: Result<Form<FormInput>, FormError>) -> content::Html<String> {
-    content::Html(match form {
+fn index_post(form: Result<Form<FormInput>, FormError>) -> Template {
+    match form {
         Ok(form) => {
             let config = &*CONFIG.lock().unwrap();
             let admin = if form.authkey == config.admin_psk {
                 true
             } else if &form.authkey == &config.user_psk {
                 false
             } else {
-                return content::Html(format!("Wrong AUTHKEY: {:?}", form));
+                return Template::render("insert_result", &format!("Wrong authkey: {:?}", form));
             };
             println!("authkey {} admin={}", &form.authkey, admin);
             if form.radio == FormOption::GitHub {
                 match storage::handle_submission("github", &form.github_username, &form.name, admin)
                 {
-                    Ok(_) => format!(
-                        "<b>SUCCESS added github user {:?}</b>",
-                        &form.github_username
+                    Ok(_) => Template::render(
+                        "insert_result",
+                        &format!("Successfully added github user {:?}", &form.github_username),
                     ),
-                    Err(e) => format!("ERROR: {:?}", e),
+                    Err(e) => Template::render("insert_result", &format!("ERROR: {:?}", e)),
                 }
             } else if form.radio == FormOption::TubLab {
                 match storage::handle_submission("tublab", &form.tublab_username, &form.name, admin)
                 {
-                    Ok(_) => format!(
-                        "<b>SUCCESS added tubit gitlab user {:?}</b>",
-                        &form.tublab_username
+                    Ok(_) => Template::render(
+                        "insert_result",
+                        &format!(
+                            "Successfully added tubit gitlab user {:?}",
+                            &form.tublab_username
+                        ),
                     ),
-                    Err(e) => format!("ERROR: {:?}", e),
+                    Err(e) => Template::render("insert_result", &format!("ERROR: {:?}", e)),
                 }
             } else if form.radio == FormOption::GitLab {
                 match storage::handle_submission("gitlab", &form.gitlab_username, &form.name, admin)
                 {
-                    Ok(_) => format!(
-                        "<b>SUCCESS added gitlab.com user {:?}</b>",
-                        &form.gitlab_username
+                    Ok(_) => Template::render(
+                        "insert_result",
+                        &format!(
+                            "Successfully added gitlab.com user {:?}",
+                            &form.gitlab_username
+                        ),
                     ),
-                    Err(e) => format!("ERROR: {:?}", e),
+                    Err(e) => Template::render("insert_result", &format!("ERROR: {:?}", e)),
                 }
             } else if form.radio == FormOption::EnoLab {
                 match storage::handle_submission("enolab", &form.enolab_username, &form.name, admin)
                 {
-                    Ok(_) => format!(
-                        "<b>SUCCESS added enoflag gitlab user {:?}</b>",
-                        &form.enolab_username
+                    Ok(_) => Template::render(
+                        "insert_result",
+                        &format!(
+                            "Successfully added enoflag gitlab user {:?}",
+                            &form.enolab_username
+                        ),
                     ),
-                    Err(e) => format!("ERROR: {:?}", e),
+                    Err(e) => Template::render("insert_result", &format!("ERROR: {:?}", e)),
                 }
             } else if form.radio == FormOption::PubKey {
                 match storage::handle_raw_submission(&form.name, &form.pub_key, admin) {
-                    Ok(_) => format!("<b>SUCCESS added raw pubkey {:?}</b>", &form.pub_key),
-                    Err(e) => format!("ERROR: {:?}", e),
+                    Ok(_) => Template::render(
+                        "insert_result",
+                        &format!("Successfully added raw pubkey{:?}", &form.pub_key),
+                    ),
+                    Err(e) => Template::render("insert_result", &format!("ERROR: {:?}", e)),
                 }
             } else {
-                format!("ERROR: {:?}", form)
+                Template::render("insert_result", &format!("ERROR: {:?}", form))
             }
         }
-        Err(e) => format!("Invalid form input: {:?}", e),
-    })
+        Err(e) => Template::render("insert_result", &format!("Invalid form input: {:?}", e)),
+    }
 }
 
 #[get("/")]
@@ -246,10 +258,30 @@ fn main() {
     let program = args[0].clone();
     let mut opts = Options::new();
     opts.optflag("h", "help", "Print this help menu");
-    opts.optopt("a", "admin-servers", "Set the destinations (remote server) for the admin group", "ADMIN_SERVERS");
-    opts.optopt("p", "admin-psk", "Set the pre-shared key to add keys the admin group", "ADMIN_PSK");
-    opts.optopt("u", "user-servers", "Set the destinations (remote server) for the user group", "USER_SERVERS");
-    opts.optopt("q", "user-psk", "Set the pre-shared key to add keys the user group", "USER_PSK");
+    opts.optopt(
+        "a",
+        "admin-servers",
+        "Set the destinations (remote server) for the admin group",
+        "ADMIN_SERVERS",
+    );
+    opts.optopt(
+        "p",
+        "admin-psk",
+        "Set the pre-shared key to add keys the admin group",
+        "ADMIN_PSK",
+    );
+    opts.optopt(
+        "u",
+        "user-servers",
+        "Set the destinations (remote server) for the user group",
+        "USER_SERVERS",
+    );
+    opts.optopt(
+        "q",
+        "user-psk",
+        "Set the pre-shared key to add keys the user group",
+        "USER_PSK",
+    );
 
     let matches = match opts.parse(&args[1..]) {
         Ok(m) => m,
@@ -270,15 +302,15 @@ fn main() {
             Some(admin) => parse_destinations(&admin),
             None => {
                 println!("Warning: No admin servers set");
-                Ok(vec!())
+                Ok(vec![])
             }
         };
 
         let user_env = match matches.opt_str("u") {
             Some(user) => parse_destinations(&user),
             None => {
                 println!("Warning: No user servers set");
-                Ok(vec!())
+                Ok(vec![])
             }
         };
 
@@ -301,13 +333,29 @@ fn main() {
         config
             .admin_destinations
             .extend(config.user_destinations.iter().cloned());
-
-        config.user_psk = matches.opt_str("q").unwrap_or_else(||{
+        println!(
+            "admin destinations: {:?}",
+            &config
+                .admin_destinations
+                .iter()
+                .map(|d| d.destination_name.clone())
+                .collect::<String>()
+        );
+        println!(
+            "user destinations: {:?}",
+            &config
+                .user_destinations
+                .iter()
+                .map(|d| d.destination_name.clone())
+                .collect::<String>()
+        );
+
+        config.user_psk = matches.opt_str("q").unwrap_or_else(|| {
             println!("Warning: User PSK not set.");
             "default".to_string()
         });
 
-        config.admin_psk = matches.opt_str("p").unwrap_or_else(||{
+        config.admin_psk = matches.opt_str("p").unwrap_or_else(|| {
             println!("Warning: Admin PSK not set.");
             "default".to_string()
         });
@@ -338,7 +386,6 @@ fn parse_destinations(input: &str) -> Result<Vec<Destination>, EnokeysError> {
         return Ok(vec![]);
     }
     let entries: Vec<&str> = input.split(",").collect();
-    println!("{:?}", &entries);
     let mut destinations = vec![];
     for entry in entries {
         let split: Vec<&str> = entry.split('@').collect();

src/storage.rs

@@ -65,16 +65,10 @@ pub fn handle_submission(
 
 fn generate_authorized_key_file(
     authorized_keys_file_name: &PathBuf,
-    providers_storage_file_name: &PathBuf,
-    raw_storage_file_name: &PathBuf,
+    providers_storage_file_names: &[&PathBuf],
+    raw_storage_file_names: &[&PathBuf],
 ) -> Result<(), EnokeysError> {
     let mut authorized_keys_file = File::create(&authorized_keys_file_name)?;
-    let mut storage_file = OpenOptions::new()
-        .read(true)
-        .write(true)
-        .create(true)
-        .open(&providers_storage_file_name)?;
-    let mut storage_file_content = String::new();
 
     // append deploy key
     let mut deploy_key = String::new();
@@ -89,54 +83,19 @@ fn generate_authorized_key_file(
     }
 
     // append raw keys
-    let mut raw_keys = String::new();
-    if let Ok(mut raw_keys_file) = File::open(&raw_storage_file_name) {
-        raw_keys_file.read_to_string(&mut raw_keys)?;
-        match PublicKey::parse(&raw_keys) {
-            Ok(key) => match &key.comment {
-                Some(ref comment) => {
-                    let comment = USERNAME_REGEX.replace_all(&comment, "_");
-                    let line = format!(
-                        "{} {} {}\n",
-                        key.keytype(),
-                        base64::encode(&key.data()),
-                        &comment[0..min(comment.len(), 100)]
-                    );
-                    write!(authorized_keys_file, "{}", &line)?
-                }
-                None => writeln!(
-                    authorized_keys_file,
-                    "{} {}",
-                    key.keytype(),
-                    base64::encode(&key.data())
-                )?,
-            },
-            Err(e) => println!("Failed to parse PublicKey: {:?}", e),
-        }
-    }
-
-    // append keys from providers
-    storage_file.read_to_string(&mut storage_file_content)?;
-    for line in storage_file_content
-        .split('\n')
-        .filter(|&i| !i.is_empty())
-        .filter(|&s| &s[0..1] != "#")
-    {
-        let entry = line.split(':').collect::<Vec<&str>>();
-        let user_keys = scraper::fetch(entry[1], entry[0])?;
-        for key in user_keys {
-            println!("parsing key: {}", &key);
-            match PublicKey::parse(&key) {
+    for raw_storage_file_name in raw_storage_file_names {
+        let mut raw_keys = String::new();
+        if let Ok(mut raw_keys_file) = File::open(&raw_storage_file_name) {
+            raw_keys_file.read_to_string(&mut raw_keys)?;
+            match PublicKey::parse(&raw_keys) {
                 Ok(key) => match &key.comment {
                     Some(ref comment) => {
-                        let comment = USERNAME_REGEX.replace_all(&comment, " ");
+                        let comment = USERNAME_REGEX.replace_all(&comment, "_");
                         let line = format!(
-                            "{} {} {}_({}@{})\n",
+                            "{} {} {}\n",
                             key.keytype(),
                             base64::encode(&key.data()),
-                            &comment[0..min(comment.len(), 100)],
-                            entry[1],
-                            entry[0]
+                            &comment[0..min(comment.len(), 100)]
                         );
                         write!(authorized_keys_file, "{}", &line)?
                     }
@@ -151,19 +110,70 @@ fn generate_authorized_key_file(
             }
         }
     }
+
+    // append keys from providers
+    for providers_storage_file_name in providers_storage_file_names {
+        let mut storage_file = OpenOptions::new()
+            .read(true)
+            .write(true)
+            .create(true)
+            .open(&providers_storage_file_name)?;
+        let mut storage_file_content = String::new();
+        storage_file.read_to_string(&mut storage_file_content)?;
+        for line in storage_file_content
+            .split('\n')
+            .filter(|&i| !i.is_empty())
+            .filter(|&s| &s[0..1] != "#")
+        {
+            let entry = line.split(':').collect::<Vec<&str>>();
+            let user_keys = scraper::fetch(entry[1], entry[0])?;
+            for key in user_keys {
+                println!("parsing key: {}", &key);
+                match PublicKey::parse(&key) {
+                    Ok(key) => match &key.comment {
+                        Some(ref comment) => {
+                            let comment = USERNAME_REGEX.replace_all(&comment, " ");
+                            let line = format!(
+                                "{} {} {}_({}@{})\n",
+                                key.keytype(),
+                                base64::encode(&key.data()),
+                                &comment[0..min(comment.len(), 100)],
+                                entry[1],
+                                entry[0]
+                            );
+                            write!(authorized_keys_file, "{}", &line)?
+                        }
+                        None => writeln!(
+                            authorized_keys_file,
+                            "{} {}",
+                            key.keytype(),
+                            base64::encode(&key.data())
+                        )?,
+                    },
+                    Err(e) => println!("Failed to parse PublicKey: {:?}", e),
+                }
+            }
+        }
+    }
     Ok(())
 }
 
 pub fn generate_authorized_key_files() -> Result<(), EnokeysError> {
     generate_authorized_key_file(
         &ADMIN_DESTINATIONS_AUTHORIZED_KEYS,
-        &ADMIN_DESTINATIONS_STORAGE_PROVIDERS,
-        &ADMIN_DESTINATIONS_STORAGE_RAW,
+        &[&ADMIN_DESTINATIONS_STORAGE_PROVIDERS],
+        &[&ADMIN_DESTINATIONS_STORAGE_RAW],
     )?;
     generate_authorized_key_file(
         &USER_DESTINATIONS_AUTHORIZED_KEYS,
-        &USER_DESTINATIONS_STORAGE_PROVIDERS,
-        &USER_DESTINATIONS_STORAGE_RAW,
+        &[
+            &ADMIN_DESTINATIONS_STORAGE_PROVIDERS,
+            &USER_DESTINATIONS_STORAGE_PROVIDERS,
+        ],
+        &[
+            &ADMIN_DESTINATIONS_STORAGE_RAW,
+            &USER_DESTINATIONS_STORAGE_RAW,
+        ],
     )?;
     Ok(())
 }

templates/insert_result.html.hbs

@@ -0,0 +1,19 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <title>ENOKEY - SSH PublicKey Self-Service Center</title>
+    <!-- Required meta tags -->
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+
+    <!-- Bootstrap CSS -->
+    <link rel="stylesheet" href="static/css/bootstrap.min.css">
+    <link rel="stylesheet" href="static/css/style.css">
+  </head>
+  <body>
+    <nav class="navbar navbar-expand-lg navbar-light bg-light">
+      <a class="navbar-brand" href="/">ENOKEYS - SSH PublicKey Self-Service Center</a>
+    </nav>
+    {{ this }}
+  </body>
+</html>