goldwarden/agent/systemauth/biometrics/polkit.go

125 lines
3.1 KiB
Go
Raw Normal View History

2023-09-12 02:22:48 +03:00
//go:build linux || freebsd
package biometrics
2023-08-03 01:42:31 +03:00
import (
"github.com/amenzhinsky/go-polkit"
)
const POLICY = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
2023-09-19 23:29:21 +03:00
"http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
2023-08-03 01:42:31 +03:00
<policyconfig>
2023-09-19 23:29:21 +03:00
<action id="com.quexten.goldwarden.accessvault">
<description>Allow access to the vault</description>
<message>Allows access to the vault</message>
<defaults>
<allow_any>auth_self</allow_any>
<allow_inactive>auth_self</allow_inactive>
<allow_active>auth_self</allow_active>
</defaults>
</action>
<action id="com.quexten.goldwarden.usesshkey">
<description>Use SSH Key</description>
<message>Authenticate to use an SSH Key from your vault</message>
<defaults>
<allow_any>auth_self</allow_any>
<allow_inactive>auth_self</allow_inactive>
<allow_active>auth_self</allow_active>
</defaults>
</action>
<action id="com.quexten.goldwarden.browserbiometrics">
<description>Browser Biometrics</description>
<message>Authenticate to allow Goldwarden to unlock your browser</message>
<defaults>
<allow_any>auth_self</allow_any>
<allow_inactive>auth_self</allow_inactive>
<allow_active>auth_self</allow_active>
</defaults>
</action>
2023-08-03 01:42:31 +03:00
</policyconfig>`
func CheckBiometrics(approvalType Approval) bool {
2023-09-12 02:22:48 +03:00
if biometricsDisabled {
2023-08-21 14:52:06 +03:00
return true
}
2023-08-03 01:42:31 +03:00
2023-08-21 19:37:34 +03:00
log.Info("Checking biometrics for %s", approvalType.String())
2023-08-03 01:42:31 +03:00
authority, err := polkit.NewAuthority()
if err != nil {
2023-09-19 22:49:56 +03:00
log.Error("Failed to create polkit authority: %s", err.Error())
2023-08-03 01:42:31 +03:00
return false
}
result, err := authority.CheckAuthorization(
approvalType.String(),
nil,
2023-09-19 22:49:56 +03:00
uint32(polkit.AuthenticationRequiredRetained), "",
2023-08-03 01:42:31 +03:00
)
if err != nil {
2023-09-19 22:49:56 +03:00
log.Error("Failed to create polkit authority: %s", err.Error())
2023-12-26 22:49:47 +03:00
log.Info("Falling back to pkexec permissions")
result, err = authority.CheckAuthorization(
"org.freedesktop.policykit.exec",
nil,
uint32(polkit.AuthenticationRequiredRetained), "",
)
if err != nil {
log.Error("Failed to create polkit authority: %s", err.Error())
return false
}
log.Info("Biometrics result: %t", result.IsAuthorized)
return result.IsAuthorized
2023-08-03 01:42:31 +03:00
}
log.Info("Biometrics result: %t", result.IsAuthorized)
return result.IsAuthorized
}
2023-09-19 22:49:56 +03:00
func BiometricsWorking() bool {
if biometricsDisabled {
return false
}
authority, err := polkit.NewAuthority()
if err != nil {
log.Warn("Failed to create polkit authority: %s", err.Error())
2023-09-19 22:49:56 +03:00
return false
}
result, err := authority.EnumerateActions("en")
if err != nil {
log.Warn("Failed to enumerate polkit actions: %s", err.Error())
2023-09-19 22:49:56 +03:00
return false
}
if len(result) == 0 {
log.Warn("No polkit actions found")
2023-09-19 22:49:56 +03:00
return false
}
testFor := AccessVault
for _, action := range result {
if Approval(action.ActionID) == testFor {
return true
}
}
2023-12-26 22:49:47 +03:00
testFor = "org.freedesktop.policykit.exec"
for _, action := range result {
if Approval(action.ActionID) == testFor {
log.Warn("Only pkexec permissions found, consider installing polkit policies")
return true
}
}
2023-09-19 22:49:56 +03:00
return false
}