goldwarden/agent/config/config.go

package config
import (
	"bytes"
	cryptoSubtle "crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"os"
	"path/filepath"
	"runtime/debug"
	"strings"
	"sync"

	"github.com/google/uuid"
	"github.com/quexten/goldwarden/agent/bitwarden/crypto"
	"github.com/quexten/goldwarden/agent/notify"
	"github.com/quexten/goldwarden/agent/systemauth/pinentry"
	"github.com/quexten/goldwarden/agent/vault"
	"github.com/tink-crypto/tink-go/v2/aead/subtle"
	"golang.org/x/crypto/argon2"
	"golang.org/x/crypto/sha3"
)
// Argon2 parameters used to derive the config key from the vault PIN
// (see Unlock, VerifyPin and UpdatePin). argon2.Key takes its memory
// argument in KiB, so KDFMemory is 2 GiB — which is why every caller
// follows the derivation with debug.FreeOSMemory().
const (
	KDFIterations = 2
	KDFMemory     = 2 * 1024 * 1024
	KDFThreads    = 8
	// DefaultConfigPath is the conventional config file location. It is
	// not referenced in this file; ReadConfig spells the same path out
	// itself for the legacy-location migration.
	DefaultConfigPath = "~/.config/goldwarden/goldwarden.json"
)
// RuntimeConfig carries the settings for a single agent run. It is never
// persisted: ConfigFile embeds it with the `json:"-"` tag. Most fields are
// consumed outside this file; the comments below cover what this file
// itself relies on.
type RuntimeConfig struct {
	DisableAuth           bool
	DisablePinRequirement bool
	AuthMethod            string
	// DoNotPersistConfig turns WriteConfig into a no-op.
	DoNotPersistConfig bool
	// ConfigDirectory is, despite its name, the full path of the config
	// file: ReadConfig opens it with os.Open and WriteConfig writes to it
	// and derives the parent directory from it.
	ConfigDirectory   string
	DisableSSHAgent   bool
	WebsocketDisabled bool
	ApiURI            string
	IdentityURI       string
	NotificationsURI  string
	SingleProcess     bool
	DeviceUUID        string
	// User, Password and Pin are credentials supplied for this run —
	// presumably from flags or the environment; confirm against the caller.
	User     string
	Password string
	Pin      string
	// UseMemguard selects memguard-backed buffers for the config key
	// (ReadConfig passes it to NewBuffer).
	UseMemguard          bool
	SSHAgentSocketPath   string
	GoldwardenSocketPath string
}
// ConfigFile is the on-disk state, serialised to JSON by WriteConfig and
// read back by ReadConfig.
//
// Every Encrypted* field holds a base64 ChaCha20-Poly1305 ciphertext
// produced by encryptString under the PIN-derived config key.
// ConfigKeyHash is the hex SHA3-256 digest of that key; Unlock and
// VerifyPin compare a candidate PIN against it, and an empty value means
// no PIN is configured (HasPin).
type ConfigFile struct {
	IdentityUrl      string
	ApiUrl           string
	NotificationsUrl string
	// API-key login credentials (see GetClientID/SetClientID and the
	// secret counterparts). Unlike the other secrets they are not cleared
	// by Purge.
	EncryptedClientID     string
	EncryptedClientSecret string
	// DeviceUUID doubles as the Argon2 salt for the config key.
	DeviceUUID                  string
	ConfigKeyHash               string
	EncryptedToken              string
	EncryptedUserSymmetricKey   string
	EncryptedMasterPasswordHash string
	EncryptedMasterKey          string
	// RuntimeConfig is attached at run time and excluded from the JSON.
	RuntimeConfig RuntimeConfig `json:"-"`
}
// LoginToken is the identity-server token stored (JSON-encoded, then
// encrypted) in ConfigFile.EncryptedToken; see GetToken and SetToken.
// The JSON tags follow the OAuth-style response field names.
type LoginToken struct {
	AccessToken  string `json:"access_token"`
	ExpiresIn    int    `json:"expires_in"`
	TokenType    string `json:"token_type"`
	RefreshToken string `json:"refresh_token"`
	// Key: presumably the protected user key returned at login — confirm
	// against the identity client.
	Key string `json:"key"`
}
// Config is the in-memory configuration: the persisted ConfigFile plus the
// config key that seals its secrets.
type Config struct {
	// useMemguard selects memguard-backed buffers whenever the key is
	// rebuilt (Unlock, Purge, UpdatePin).
	useMemguard bool
	// key holds the Argon2-derived config key. An all-zero buffer means the
	// key is not loaded; see IsLocked.
	key        *LockedBuffer
	ConfigFile ConfigFile
	// mu guards ConfigFile and key. WriteConfig acquires it, which appears
	// to be why the setters leave their own Lock calls commented out.
	mu sync.Mutex
}
// DefaultConfig returns a Config pointing at the Bitwarden cloud endpoints,
// with a fresh device UUID, no PIN, no credentials and a zeroed key buffer.
// useMemguard selects memguard-backed key storage.
//
// uuid.NewUUID is the version 1 constructor (time plus node ID), so the
// device UUID — which also serves as the Argon2 salt — is not random; its
// error is ignored here, as it was before.
func DefaultConfig(useMemguard bool) Config {
	deviceUUID, _ := uuid.NewUUID()
	keyBuffer := NewBuffer(32, useMemguard)

	// The Encrypted*, ConfigKeyHash and RuntimeConfig fields stay at their
	// zero values, i.e. empty strings and an empty RuntimeConfig.
	defaults := ConfigFile{
		IdentityUrl:      "https://vault.bitwarden.com/identity",
		ApiUrl:           "https://vault.bitwarden.com/api",
		NotificationsUrl: "https://notifications.bitwarden.com",
		DeviceUUID:       deviceUUID.String(),
	}

	return Config{
		useMemguard: useMemguard,
		key:         &keyBuffer,
		ConfigFile:  defaults,
	}
}
// IsLocked reports whether a PIN is configured but the config key is not
// loaded (the key buffer is all zeros).
//
// A Config without a PIN is therefore never "locked": encryptString and
// decryptString then run with whatever the key buffer holds, which for a
// freshly created Config is the zeroed buffer this method tests for.
func (c *Config) IsLocked() bool {
	zeroKey := make([]byte, 32)
	keyUnloaded := bytes.Equal((*c.key).Bytes(), zeroKey)
	return keyUnloaded && c.HasPin()
}
// IsLoggedIn reports whether an encrypted master password hash is stored,
// which is what this file treats as "has an account session".
func (c *Config) IsLoggedIn() bool {
	return len(c.ConfigFile.EncryptedMasterPasswordHash) > 0
}
// Unlock derives the config key from password (the vault PIN) and loads it
// if its SHA3-256 digest matches ConfigKeyHash. It returns true on success
// and false for a wrong PIN.
//
// When the config is not locked — no PIN configured, or the key already
// loaded — it returns true without checking password at all.
func (c *Config) Unlock(password string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()

	if !c.IsLocked() {
		return true
	}

	salt := []byte(c.ConfigFile.DeviceUUID)
	derived := argon2.Key([]byte(password), salt, KDFIterations, KDFMemory, KDFThreads, 32)
	// Argon2 with KDFMemory KiB of working memory leaves a large heap
	// behind; return it to the OS right away.
	debug.FreeOSMemory()

	digest := sha3.Sum256(derived)
	candidate := []byte(hex.EncodeToString(digest[:]))
	stored := []byte(c.ConfigFile.ConfigKeyHash)
	// Constant-time compare so a wrong PIN does not leak how much of the
	// digest matched.
	if cryptoSubtle.ConstantTimeCompare(candidate, stored) == 1 {
		buf := NewBufferFromBytes(derived, c.useMemguard)
		c.key = &buf
		return true
	}
	return false
}
// VerifyPin reports whether password derives the stored config key, using
// the same Argon2 derivation and constant-time digest comparison as Unlock,
// but without loading the key or touching the mutex.
//
// With no PIN configured (empty ConfigKeyHash) this is false for any input.
func (c *Config) VerifyPin(password string) bool {
	salt := []byte(c.ConfigFile.DeviceUUID)
	derived := argon2.Key([]byte(password), salt, KDFIterations, KDFMemory, KDFThreads, 32)
	// Release the Argon2 working memory (KDFMemory KiB) immediately.
	debug.FreeOSMemory()

	digest := sha3.Sum256(derived)
	candidate := []byte(hex.EncodeToString(digest[:]))
	stored := []byte(c.ConfigFile.ConfigKeyHash)
	return cryptoSubtle.ConstantTimeCompare(candidate, stored) == 1
}
// Lock wipes the loaded config key and shows a "Vault Locked"
// notification. It is a no-op when the config is already locked.
//
// Without a PIN, IsLocked is always false, so the wipe and the
// notification run on every call (the buffer is already zero then).
func (c *Config) Lock() {
	c.mu.Lock()
	defer c.mu.Unlock()

	alreadyLocked := c.IsLocked()
	if !alreadyLocked {
		(*c.key).Wipe()
		notify.Notify("Goldwarden", "Vault Locked", "", func() {})
	}
}
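// Purge forgets the stored session secrets and the PIN: the encrypted
// master password hash, token, user symmetric key, master key and
// ConfigKeyHash are cleared, the old key buffer is wiped and replaced by a
// fresh zeroed one. The change is not persisted; call WriteConfig for that.
//
// NOTE(review): EncryptedClientID and EncryptedClientSecret are left in
// place. Once the key is replaced they can no longer be decrypted unless no
// PIN was configured (zero key before and after) — confirm whether keeping
// them is intended.
func (c *Config) Purge() {
	c.mu.Lock()
	defer c.mu.Unlock()

	c.ConfigFile.EncryptedMasterPasswordHash = ""
	c.ConfigFile.EncryptedToken = ""
	c.ConfigFile.EncryptedUserSymmetricKey = ""
	c.ConfigFile.ConfigKeyHash = ""
	c.ConfigFile.EncryptedMasterKey = ""

	// Wipe the old key before dropping the reference, as Lock does, so the
	// secret does not linger in the abandoned buffer.
	(*c.key).Wipe()
	key := NewBuffer(32, c.useMemguard)
	c.key = &key
}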
// HasPin reports whether a PIN is configured, i.e. a config key digest is
// stored in ConfigKeyHash.
func (c *Config) HasPin() bool {
	return len(c.ConfigFile.ConfigKeyHash) > 0
}
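// UpdatePin re-keys the encrypted config fields under a new PIN.
//
// The new config key is derived from password with Argon2 (salted with the
// device UUID) and loaded; the hex SHA3-256 digest of the key is stored in
// ConfigKeyHash for Unlock/VerifyPin. Every encrypted field that can be
// decrypted with the current key is re-encrypted with the new one; fields
// that cannot (typically because they are still empty) keep their previous
// value. When write is true the result is persisted with WriteConfig.
//
// The fields are decrypted before ConfigKeyHash is replaced. On a config
// that had no PIN yet, storing the hash first makes IsLocked report true
// (zeroed key plus a PIN), so every decryption fails and the fields stay
// encrypted under the old key — unreadable after the re-key.
func (c *Config) UpdatePin(password string, write bool) {
	// The re-key runs in its own scope so the mutex is released by defer
	// before WriteConfig, which takes the same mutex, is called.
	func() {
		c.mu.Lock()
		defer c.mu.Unlock()

		type secret struct {
			field     *string
			plaintext string
			err       error
		}
		secrets := []secret{
			{field: &c.ConfigFile.EncryptedToken},
			{field: &c.ConfigFile.EncryptedUserSymmetricKey},
			{field: &c.ConfigFile.EncryptedMasterPasswordHash},
			{field: &c.ConfigFile.EncryptedMasterKey},
		}
		// Read every secret with the current key while the config is
		// still unlocked (see the doc comment).
		for i := range secrets {
			secrets[i].plaintext, secrets[i].err = c.decryptString(*secrets[i].field)
		}

		newKey := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)
		keyHash := sha3.Sum256(newKey)
		// Release the Argon2 working memory (KDFMemory KiB) immediately.
		debug.FreeOSMemory()
		c.ConfigFile.ConfigKeyHash = hex.EncodeToString(keyHash[:])

		key := NewBufferFromBytes(newKey, c.useMemguard)
		c.key = &key

		for _, s := range secrets {
			if s.err != nil {
				// Could not be read with the old key; leave it untouched.
				continue
			}
			// The error is dropped: this method has no error return, and
			// the previous behaviour was likewise to store encryptString's
			// result unconditionally. TODO(review): propagate it.
			*s.field, _ = c.encryptString(s.plaintext)
		}
	}()

	if write {
		// Error ignored, as before; see the TODO above.
		c.WriteConfig()
	}
}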
// GetToken decrypts and decodes the stored LoginToken. It fails when the
// config is locked, when decryption fails (including when no token is
// stored) or when the plaintext is not valid JSON.
func (c *Config) GetToken() (LoginToken, error) {
	var token LoginToken

	if c.IsLocked() {
		return token, errors.New("config is locked")
	}

	tokenJSON, err := c.decryptString(c.ConfigFile.EncryptedToken)
	if err == nil {
		err = json.Unmarshal([]byte(tokenJSON), &token)
	}
	if err != nil {
		return LoginToken{}, err
	}
	return token, nil
}
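// SetToken JSON-encodes token, encrypts it under the config key, stores it
// in ConfigFile.EncryptedToken and persists the config.
//
// Returns an error when the config is locked, when encoding or encryption
// fails, or when WriteConfig fails — in the last case the in-memory value
// has already been updated.
func (c *Config) SetToken(token LoginToken) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	tokenJSON, err := json.Marshal(token)
	if err != nil {
		// Previously shadowed by the encryptString result and never checked.
		return err
	}
	encryptedToken, err := c.encryptString(string(tokenJSON))
	if err != nil {
		return err
	}
	// Not guarded by c.mu: WriteConfig takes the mutex itself.
	c.ConfigFile.EncryptedToken = encryptedToken
	return c.WriteConfig()
}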
// GetClientID returns the decrypted API-key client ID, or "" with a nil
// error when none is stored. It fails when the config is locked or when
// decryption fails.
func (c *Config) GetClientID() (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}
	encrypted := c.ConfigFile.EncryptedClientID
	if encrypted == "" {
		return "", nil
	}
	// decryptString already yields ("", err) on failure.
	return c.decryptString(encrypted)
}
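// SetClientID stores the API-key client ID encrypted under the config key
// and persists the config; an empty clientID clears the stored value.
//
// Returns an error when the config is locked, when encryption fails, or
// when WriteConfig fails (the in-memory value is then already updated).
func (c *Config) SetClientID(clientID string) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encrypted := ""
	if clientID != "" {
		var err error
		encrypted, err = c.encryptString(clientID)
		if err != nil {
			return err
		}
	}
	// Not guarded by c.mu: WriteConfig takes the mutex itself.
	c.ConfigFile.EncryptedClientID = encrypted
	return c.WriteConfig()
}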
// GetClientSecret returns the decrypted API-key client secret, or "" with
// a nil error when none is stored. It fails when the config is locked or
// when decryption fails.
func (c *Config) GetClientSecret() (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}
	encrypted := c.ConfigFile.EncryptedClientSecret
	if encrypted == "" {
		return "", nil
	}
	// decryptString already yields ("", err) on failure.
	return c.decryptString(encrypted)
}
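// SetClientSecret stores the API-key client secret encrypted under the
// config key and persists the config; an empty clientSecret clears the
// stored value.
//
// Returns an error when the config is locked, when encryption fails, or
// when WriteConfig fails (the in-memory value is then already updated).
func (c *Config) SetClientSecret(clientSecret string) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encrypted := ""
	if clientSecret != "" {
		var err error
		encrypted, err = c.encryptString(clientSecret)
		if err != nil {
			return err
		}
	}
	// Not guarded by c.mu: WriteConfig takes the mutex itself.
	c.ConfigFile.EncryptedClientSecret = encrypted
	return c.WriteConfig()
}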
// GetUserSymmetricKey returns the decrypted user symmetric key bytes. On a
// locked config or a decryption failure it returns an empty (non-nil)
// slice and the error.
func (c *Config) GetUserSymmetricKey() ([]byte, error) {
	if c.IsLocked() {
		return []byte{}, errors.New("config is locked")
	}
	result := []byte{}
	plaintext, err := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)
	if err == nil {
		result = []byte(plaintext)
	}
	return result, err
}
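// SetUserSymmetricKey stores key encrypted under the config key and
// persists the config.
//
// Returns an error when the config is locked, when encryption fails, or
// when WriteConfig fails (the in-memory value is then already updated).
func (c *Config) SetUserSymmetricKey(key []byte) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encryptedKey, err := c.encryptString(string(key))
	if err != nil {
		return err
	}
	// Not guarded by c.mu: WriteConfig takes the mutex itself.
	c.ConfigFile.EncryptedUserSymmetricKey = encryptedKey
	return c.WriteConfig()
}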
// GetMasterPasswordHash returns the decrypted master password hash bytes.
// On a locked config or a decryption failure it returns an empty (non-nil)
// slice and the error.
func (c *Config) GetMasterPasswordHash() ([]byte, error) {
	if c.IsLocked() {
		return []byte{}, errors.New("config is locked")
	}
	result := []byte{}
	plaintext, err := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)
	if err == nil {
		result = []byte(plaintext)
	}
	return result, err
}
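// SetMasterPasswordHash stores hash encrypted under the config key and
// persists the config.
//
// Returns an error when the config is locked, when encryption fails, or
// when WriteConfig fails (the in-memory value is then already updated).
func (c *Config) SetMasterPasswordHash(hash []byte) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encryptedHash, err := c.encryptString(string(hash))
	if err != nil {
		// The previous code called c.mu.Unlock() here without a matching
		// Lock, which panics ("unlock of unlocked mutex") on this path.
		return err
	}
	// Not guarded by c.mu: WriteConfig takes the mutex itself.
	c.ConfigFile.EncryptedMasterPasswordHash = encryptedHash
	return c.WriteConfig()
}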
// GetMasterKey returns the decrypted master key bytes. On a locked config
// or a decryption failure it returns an empty (non-nil) slice and the
// error.
func (c *Config) GetMasterKey() ([]byte, error) {
	if c.IsLocked() {
		return []byte{}, errors.New("config is locked")
	}
	result := []byte{}
	plaintext, err := c.decryptString(c.ConfigFile.EncryptedMasterKey)
	if err == nil {
		result = []byte(plaintext)
	}
	return result, err
}
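// SetMasterKey stores key encrypted under the config key and persists the
// config.
//
// Returns an error when the config is locked, when encryption fails, or
// when WriteConfig fails (the in-memory value is then already updated).
func (c *Config) SetMasterKey(key []byte) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encryptedKey, err := c.encryptString(string(key))
	if err != nil {
		return err
	}
	// Not guarded by c.mu: WriteConfig takes the mutex itself.
	c.ConfigFile.EncryptedMasterKey = encryptedKey
	return c.WriteConfig()
}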
// encryptString seals data with ChaCha20-Poly1305 under the current config
// key (empty associated data) and returns the base64 ciphertext. It fails
// when the config is locked or when the cipher rejects the key or input.
//
// Without a PIN the config never counts as locked, so this encrypts under
// whatever the key buffer holds — the zeroed buffer for a fresh Config —
// and the stored secrets then gain no confidentiality at rest.
func (c *Config) encryptString(data string) (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}

	cipher, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())
	var ciphertext []byte
	if err == nil {
		ciphertext, err = cipher.Encrypt([]byte(data), []byte{})
	}
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ciphertext), nil
}
// decryptString reverses encryptString: it base64-decodes data and opens
// it with ChaCha20-Poly1305 under the current config key. It fails when
// the config is locked, when data is not valid base64, or when the cipher
// rejects the key or the authentication check fails — an empty field fails
// here too, which the callers rely on.
func (c *Config) decryptString(data string) (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}

	ciphertext, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return "", err
	}

	cipher, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())
	var plaintext []byte
	if err == nil {
		plaintext, err = cipher.Decrypt(ciphertext, []byte{})
	}
	if err != nil {
		return "", err
	}
	return string(plaintext), nil
}
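// WriteConfig persists ConfigFile as JSON to RuntimeConfig.ConfigDirectory
// (which, despite its name, is the path of the config file itself).
//
// The write is atomic: the JSON goes to a temporary file in the same
// directory, created by os.CreateTemp with mode 0600, which is then renamed
// over the destination — so a crash mid-write cannot leave a truncated
// config holding the encrypted vault keys. Missing parent directories are
// created with mode 0700. Nothing is written when
// RuntimeConfig.DoNotPersistConfig is set.
//
// Returns any marshal or filesystem error. The mutex is held for the whole
// write, so callers must not invoke this while already holding c.mu.
func (c *Config) WriteConfig() error {
	if c.ConfigFile.RuntimeConfig.DoNotPersistConfig {
		return nil
	}
	c.mu.Lock()
	defer c.mu.Unlock()

	jsonBytes, err := json.Marshal(c.ConfigFile)
	if err != nil {
		return err
	}

	path := c.ConfigFile.RuntimeConfig.ConfigDirectory
	// filepath.Dir replaces the old fixed-length slice, which assumed the
	// file is named goldwarden.json and panicked on shorter paths.
	parentDirectory := filepath.Dir(path)
	if err := os.MkdirAll(parentDirectory, 0700); err != nil {
		return err
	}

	tmp, err := os.CreateTemp(parentDirectory, "goldwarden-*.json.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	if _, err := tmp.Write(jsonBytes); err != nil {
		tmp.Close()
		os.Remove(tmpName)
		return err
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	if err := os.Rename(tmpName, path); err != nil {
		os.Remove(tmpName)
		return err
	}
	return nil
}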
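// ReadConfig loads the ConfigFile persisted at rtCfg.ConfigDirectory (the
// config file path) and wraps it in a Config whose key buffer is still
// zeroed, i.e. a config with a PIN starts out locked.
//
// Before reading, a config left at the legacy location
// ~/.config/goldwarden.json is moved into ~/.config/goldwarden/ on a
// best-effort basis; the migration is skipped when the home directory
// cannot be determined. The legacy paths are fixed and do not follow
// rtCfg.ConfigDirectory.
//
// On an open or decode error the returned Config holds an empty ConfigFile
// together with the error, as before. RuntimeConfig is not attached to the
// result; presumably the caller does that.
//
// The result now carries rtCfg.UseMemguard in Config.useMemguard. It was
// previously left unset here, so — unless a caller in this package set it
// afterwards — Unlock, Purge and UpdatePin rebuilt the key buffer with
// memguard disabled regardless of the flag.
func ReadConfig(rtCfg RuntimeConfig) (Config, error) {
	if userHome, err := os.UserHomeDir(); err == nil {
		oldPath := filepath.Join(userHome, ".config", "goldwarden.json")
		newPathParent := filepath.Join(userHome, ".config", "goldwarden")
		newPath := filepath.Join(newPathParent, "goldwarden.json")
		if _, err := os.Stat(oldPath); err == nil {
			if _, err := os.Stat(newPath); err != nil {
				// Best effort: a failed migration leaves the old file in place.
				if err := os.MkdirAll(newPathParent, 0700); err == nil {
					os.Rename(oldPath, newPath)
				}
			}
		}
	}

	newConfig := func(cf ConfigFile) Config {
		key := NewBuffer(32, rtCfg.UseMemguard)
		return Config{
			useMemguard: rtCfg.UseMemguard,
			key:         &key,
			ConfigFile:  cf,
		}
	}

	file, err := os.Open(rtCfg.ConfigDirectory)
	if err != nil {
		return newConfig(ConfigFile{}), err
	}
	defer file.Close()

	var configFile ConfigFile
	if err := json.NewDecoder(file).Decode(&configFile); err != nil {
		return newConfig(ConfigFile{}), err
	}
	return newConfig(configFile), nil
}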
// TryUnlock prompts for the vault PIN through pinentry, unlocks the config
// with it and, when an account session is stored, loads the user symmetric
// key into vault.Keyring.
//
// It returns the pinentry error, "invalid PIN" when Unlock rejects the
// input, or the error from reading or constructing the account key. If the
// user key cannot be read the config is locked again before returning, so
// a half-unlocked state is not left behind; a failure to build the key
// object returns without re-locking, as before.
func (cfg *Config) TryUnlock(vault *vault.Vault) error {
	pin, err := pinentry.GetPassword("Unlock Goldwarden", "Enter the vault PIN")
	if err != nil {
		return err
	}
	if !cfg.Unlock(pin) {
		return errors.New("invalid PIN")
	}
	if !cfg.IsLoggedIn() {
		return nil
	}

	userKey, err := cfg.GetUserSymmetricKey()
	if err != nil {
		cfg.Lock()
		return err
	}

	// Pick the key representation matching the keyring's memguard mode.
	var accountKey crypto.SymmetricEncryptionKey
	if vault.Keyring.IsMemguard {
		accountKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userKey)
	} else {
		accountKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userKey)
	}
	if err != nil {
		return err
	}
	vault.Keyring.UnlockWithAccountKey(accountKey)
	return nil
}