2023-09-12 02:22:48 +03:00
|
|
|
//go:build linux || freebsd
|
|
|
|
|
|
|
|
package biometrics
|
2023-08-03 01:42:31 +03:00
|
|
|
|
|
|
|
import (
|
|
|
|
"github.com/amenzhinsky/go-polkit"
|
|
|
|
)
|
|
|
|
|
|
|
|
const POLICY = `<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<!DOCTYPE policyconfig PUBLIC
|
|
|
|
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
|
2023-09-19 23:29:21 +03:00
|
|
|
"http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
|
2023-08-03 01:42:31 +03:00
|
|
|
<policyconfig>
|
2023-09-19 23:29:21 +03:00
|
|
|
|
|
|
|
<action id="com.quexten.goldwarden.accessvault">
|
|
|
|
<description>Allow access to the vault</description>
|
|
|
|
<message>Allows access to the vault</message>
|
|
|
|
<defaults>
|
|
|
|
<allow_any>auth_self</allow_any>
|
|
|
|
<allow_inactive>auth_self</allow_inactive>
|
|
|
|
<allow_active>auth_self</allow_active>
|
|
|
|
</defaults>
|
|
|
|
</action>
|
|
|
|
<action id="com.quexten.goldwarden.usesshkey">
|
|
|
|
<description>Use SSH Key</description>
|
|
|
|
<message>Authenticate to use an SSH Key from your vault</message>
|
|
|
|
<defaults>
|
|
|
|
<allow_any>auth_self</allow_any>
|
|
|
|
<allow_inactive>auth_self</allow_inactive>
|
|
|
|
<allow_active>auth_self</allow_active>
|
|
|
|
</defaults>
|
|
|
|
</action>
|
|
|
|
<action id="com.quexten.goldwarden.browserbiometrics">
|
|
|
|
<description>Browser Biometrics</description>
|
|
|
|
<message>Authenticate to allow Goldwarden to unlock your browser</message>
|
|
|
|
<defaults>
|
|
|
|
<allow_any>auth_self</allow_any>
|
|
|
|
<allow_inactive>auth_self</allow_inactive>
|
|
|
|
<allow_active>auth_self</allow_active>
|
|
|
|
</defaults>
|
|
|
|
</action>
|
|
|
|
|
2023-08-03 01:42:31 +03:00
|
|
|
</policyconfig>`
|
|
|
|
|
|
|
|
func CheckBiometrics(approvalType Approval) bool {
|
2023-09-12 02:22:48 +03:00
|
|
|
if biometricsDisabled {
|
2023-08-21 14:52:06 +03:00
|
|
|
return true
|
|
|
|
}
|
2023-08-03 01:42:31 +03:00
|
|
|
|
2023-08-21 19:37:34 +03:00
|
|
|
log.Info("Checking biometrics for %s", approvalType.String())
|
|
|
|
|
2023-08-03 01:42:31 +03:00
|
|
|
authority, err := polkit.NewAuthority()
|
|
|
|
if err != nil {
|
2023-09-19 22:49:56 +03:00
|
|
|
log.Error("Failed to create polkit authority: %s", err.Error())
|
2023-08-03 01:42:31 +03:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
result, err := authority.CheckAuthorization(
|
|
|
|
approvalType.String(),
|
|
|
|
nil,
|
2023-09-19 22:49:56 +03:00
|
|
|
uint32(polkit.AuthenticationRequiredRetained), "",
|
2023-08-03 01:42:31 +03:00
|
|
|
)
|
|
|
|
|
|
|
|
if err != nil {
|
2023-09-19 22:49:56 +03:00
|
|
|
log.Error("Failed to create polkit authority: %s", err.Error())
|
2023-12-26 22:49:47 +03:00
|
|
|
log.Info("Falling back to pkexec permissions")
|
|
|
|
result, err = authority.CheckAuthorization(
|
|
|
|
"org.freedesktop.policykit.exec",
|
|
|
|
nil,
|
|
|
|
uint32(polkit.AuthenticationRequiredRetained), "",
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
log.Error("Failed to create polkit authority: %s", err.Error())
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
log.Info("Biometrics result: %t", result.IsAuthorized)
|
|
|
|
return result.IsAuthorized
|
2023-08-03 01:42:31 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
log.Info("Biometrics result: %t", result.IsAuthorized)
|
|
|
|
|
|
|
|
return result.IsAuthorized
|
|
|
|
}
|
2023-09-19 22:49:56 +03:00
|
|
|
|
|
|
|
func BiometricsWorking() bool {
|
|
|
|
if biometricsDisabled {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
authority, err := polkit.NewAuthority()
|
|
|
|
if err != nil {
|
2023-12-23 15:24:46 +03:00
|
|
|
log.Warn("Failed to create polkit authority: %s", err.Error())
|
2023-09-19 22:49:56 +03:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
result, err := authority.EnumerateActions("en")
|
|
|
|
if err != nil {
|
2023-12-23 15:24:46 +03:00
|
|
|
log.Warn("Failed to enumerate polkit actions: %s", err.Error())
|
2023-09-19 22:49:56 +03:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(result) == 0 {
|
2023-12-23 15:24:46 +03:00
|
|
|
log.Warn("No polkit actions found")
|
2023-09-19 22:49:56 +03:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
testFor := AccessVault
|
|
|
|
for _, action := range result {
|
|
|
|
if Approval(action.ActionID) == testFor {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-12-26 22:49:47 +03:00
|
|
|
testFor = "org.freedesktop.policykit.exec"
|
|
|
|
for _, action := range result {
|
|
|
|
if Approval(action.ActionID) == testFor {
|
|
|
|
log.Warn("Only pkexec permissions found, consider installing polkit policies")
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-09-19 22:49:56 +03:00
|
|
|
return false
|
|
|
|
}
|