diff --git a/agent/actions/actions.go b/agent/actions/actions.go
index 1d9e83c..1de62c3 100644
--- a/agent/actions/actions.go
+++ b/agent/actions/actions.go
@@ -7,7 +7,7 @@ import (
 "github.com/quexten/goldwarden/agent/bitwarden/crypto"
 "github.com/quexten/goldwarden/agent/config"
 "github.com/quexten/goldwarden/agent/sockets"
- "github.com/quexten/goldwarden/agent/systemauth"
+ "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/agent/vault"
 "github.com/quexten/goldwarden/ipc"
 )
@@ -85,9 +85,9 @@ func ensureIsNotLocked(action Action) Action {
 }
 }
-func ensureBiometricsAuthorized(approvalType systemauth.Approval, action Action) Action {
+func ensureBiometricsAuthorized(approvalType biometrics.Approval, action Action) Action {
 return func(request ipc.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx sockets.CallingContext) (interface{}, error) {
- if !systemauth.CheckBiometrics(approvalType) {
+ if !biometrics.CheckBiometrics(approvalType) {
 return ipc.IPCMessageFromPayload(ipc.ActionResponse{
 Success: false,
 Message: "Polkit authorization failed required",
@@ -98,6 +98,6 @@ func ensureBiometricsAuthorized(approvalType systemauth.Approval, action Action)
 }
 }
-func ensureEverything(approvalType systemauth.Approval, action Action) Action {
+func ensureEverything(approvalType biometrics.Approval, action Action) Action {
 return ensureIsNotLocked(ensureIsLoggedIn(ensureBiometricsAuthorized(approvalType, action)))
 }
diff --git a/agent/actions/browserbiometrics.go b/agent/actions/browserbiometrics.go
index df0c918..e3eeb28 100644
--- a/agent/actions/browserbiometrics.go
+++ b/agent/actions/browserbiometrics.go
@@ -7,6 +7,7 @@ import (
 "github.com/quexten/goldwarden/agent/config"
 "github.com/quexten/goldwarden/agent/sockets"
 "github.com/quexten/goldwarden/agent/systemauth"
+ "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/agent/vault"
 "github.com/quexten/goldwarden/ipc"
 )
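Review bot: The denial message `Message: "Polkit authorization failed required",` inside ensureBiometricsAuthorized is still polkit-specific (and ungrammatical) even though `biometrics.CheckBiometrics` is now dispatched per platform and, per the touchid.go file added in this same commit, may be backed by Touch ID rather than polkit. Since this string is what the client sees on every denied approval, it should describe the gate rather than one backend, for example `Message: "System authentication denied",`. The line is context in this hunk and the closure body continues past the hunk end, so this is a follow-up to the rename rather than part of it.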
@@ -32,5 +33,5 @@ func handleGetBiometricsKey(request ipc.IPCMessage, cfg *config.Config, vault *v
 }
 func init() {
- AgentActionsRegistry.Register(ipc.IPCMessageTypeGetBiometricsKeyRequest, ensureEverything(systemauth.BrowserBiometrics, handleGetBiometricsKey))
+ AgentActionsRegistry.Register(ipc.IPCMessageTypeGetBiometricsKeyRequest, ensureEverything(biometrics.BrowserBiometrics, handleGetBiometricsKey))
 }
diff --git a/agent/actions/getclicredentials.go b/agent/actions/getclicredentials.go
index 379f19c..7940bba 100644
--- a/agent/actions/getclicredentials.go
+++ b/agent/actions/getclicredentials.go
@@ -6,6 +6,7 @@ import (
 "github.com/quexten/goldwarden/agent/config"
 "github.com/quexten/goldwarden/agent/sockets"
 "github.com/quexten/goldwarden/agent/systemauth"
+ "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/agent/vault"
 "github.com/quexten/goldwarden/ipc"
 )
@@ -44,5 +45,5 @@ func handleGetCliCredentials(request ipc.IPCMessage, cfg *config.Config, vault *
 }
 func init() {
- AgentActionsRegistry.Register(ipc.IPCMessageTypeGetCLICredentialsRequest, ensureEverything(systemauth.AccessCredential, handleGetCliCredentials))
+ AgentActionsRegistry.Register(ipc.IPCMessageTypeGetCLICredentialsRequest, ensureEverything(biometrics.AccessCredential, handleGetCliCredentials))
 }
diff --git a/agent/actions/logins.go b/agent/actions/logins.go
index 537144c..0efd364 100644
--- a/agent/actions/logins.go
+++ b/agent/actions/logins.go
@@ -11,6 +11,7 @@ import (
 "github.com/quexten/goldwarden/agent/config"
 "github.com/quexten/goldwarden/agent/sockets"
 "github.com/quexten/goldwarden/agent/systemauth"
+ "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/agent/vault"
 "github.com/quexten/goldwarden/ipc"
 )
@@ -156,6 +157,6 @@ func handleListLoginsRequest(request ipc.IPCMessage, cfg *config.Config, vault *
 }
 func init() {
- AgentActionsRegistry.Register(ipc.IPCMessageGetLoginRequest, ensureEverything(systemauth.AccessCredential, handleGetLoginCipher))
- AgentActionsRegistry.Register(ipc.IPCMessageListLoginsRequest, ensureEverything(systemauth.AccessCredential, handleListLoginsRequest))
+ AgentActionsRegistry.Register(ipc.IPCMessageGetLoginRequest, ensureEverything(biometrics.AccessCredential, handleGetLoginCipher))
+ AgentActionsRegistry.Register(ipc.IPCMessageListLoginsRequest, ensureEverything(biometrics.AccessCredential, handleListLoginsRequest))
 }
diff --git a/agent/actions/ssh.go b/agent/actions/ssh.go
index 7eb4c83..224d6e1 100644
--- a/agent/actions/ssh.go
+++ b/agent/actions/ssh.go
@@ -8,7 +8,7 @@ import (
 "github.com/quexten/goldwarden/agent/config"
 "github.com/quexten/goldwarden/agent/sockets"
 "github.com/quexten/goldwarden/agent/ssh"
- "github.com/quexten/goldwarden/agent/systemauth"
+ "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/agent/vault"
 "github.com/quexten/goldwarden/ipc"
 "github.com/quexten/goldwarden/logging"
@@ -57,6 +57,6 @@ func handleListSSH(msg ipc.IPCMessage, cfg *config.Config, vault *vault.Vault, c
 }
 func init() {
- AgentActionsRegistry.Register(ipc.IPCMessageTypeCreateSSHKeyRequest, ensureEverything(systemauth.SSHKey, handleAddSSH))
+ AgentActionsRegistry.Register(ipc.IPCMessageTypeCreateSSHKeyRequest, ensureEverything(biometrics.SSHKey, handleAddSSH))
 AgentActionsRegistry.Register(ipc.IPCMessageTypeGetSSHKeysRequest, ensureIsNotLocked(ensureIsLoggedIn(handleListSSH)))
 }
diff --git a/agent/actions/vault.go b/agent/actions/vault.go
index bc67428..3c3ceb1 100644
--- a/agent/actions/vault.go
+++ b/agent/actions/vault.go
@@ -9,6 +9,7 @@ import (
 "github.com/quexten/goldwarden/agent/config"
 "github.com/quexten/goldwarden/agent/sockets"
 "github.com/quexten/goldwarden/agent/systemauth"
+ "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/agent/vault"
 "github.com/quexten/goldwarden/ipc"
 )
@@ -180,6 +181,6 @@ func init() {
 AgentActionsRegistry.Register(ipc.IPCMessageTypeUnlockVaultRequest, handleUnlockVault)
 AgentActionsRegistry.Register(ipc.IPCMessageTypeLockVaultRequest, handleLockVault)
 AgentActionsRegistry.Register(ipc.IPCMessageTypeWipeVaultRequest, handleWipeVault)
- AgentActionsRegistry.Register(ipc.IPCMessageTypeUpdateVaultPINRequest, ensureBiometricsAuthorized(systemauth.ChangePin, handleUpdateVaultPin))
+ AgentActionsRegistry.Register(ipc.IPCMessageTypeUpdateVaultPINRequest, ensureBiometricsAuthorized(biometrics.ChangePin, handleUpdateVaultPin))
 AgentActionsRegistry.Register(ipc.IPCMessageTypeGetVaultPINStatusRequest, handlePinStatus)
 }
diff --git a/agent/bitwarden/websocket.go b/agent/bitwarden/websocket.go
index cd3b2ad..df4e3ef 100644
--- a/agent/bitwarden/websocket.go
+++ b/agent/bitwarden/websocket.go
@@ -14,6 +14,7 @@ import (
 "github.com/quexten/goldwarden/agent/bitwarden/models"
 "github.com/quexten/goldwarden/agent/config"
 "github.com/quexten/goldwarden/agent/systemauth"
+ "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/agent/vault"
 "github.com/quexten/goldwarden/logging"
 "github.com/vmihailenco/msgpack/v5"
@@ -182,7 +183,7 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con
 websocketLog.Info("AuthRequest denied")
 break
 }
- if !systemauth.CheckBiometrics(systemauth.AccessCredential) {
+ if !biometrics.CheckBiometrics(biometrics.AccessCredential) {
 websocketLog.Info("AuthRequest denied - biometrics required")
 break
 }
diff --git a/agent/ssh/ssh.go b/agent/ssh/ssh.go
index c2c33d2..0dcf313 100644
--- a/agent/ssh/ssh.go
+++ b/agent/ssh/ssh.go
@@ -10,6 +10,7 @@ import (
 "github.com/quexten/goldwarden/agent/sockets"
 "github.com/quexten/goldwarden/agent/systemauth"
+ "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/agent/vault"
 "github.com/quexten/goldwarden/logging"
 "golang.org/x/crypto/ssh"
@@ -99,7 +100,7 @@ func (vaultAgent vaultAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signatur
 return nil, errors.New("Approval not given")
 }
- if !systemauth.CheckBiometrics(systemauth.SSHKey) {
+ if !biometrics.CheckBiometrics(biometrics.SSHKey) {
 log.Info("Sign Request for key: %s denied", key.Marshal())
 return nil, errors.New("Biometrics not checked")
 }
diff --git a/agent/systemauth/biometrics/biometrics.go b/agent/systemauth/biometrics/biometrics.go
new file mode 100644
index 0000000..1078a7b
--- /dev/null
+++ b/agent/systemauth/biometrics/biometrics.go
@@ -0,0 +1,25 @@
+package biometrics
+
+import "os"
+
+var biometricsDisabled = false
+
+func init() {
+ if os.Getenv("GOLDWARDEN_SYSTEM_AUTH_DISABLED") == "true" {
+ biometricsDisabled = true
+ }
+}
+
+type Approval string
+
+const (
+ AccessCredential Approval = "com.quexten.goldwarden.accesscredential"
+ ChangePin Approval = "com.quexten.goldwarden.changepin"
+ SSHKey Approval = "com.quexten.goldwarden.usesshkey"
+ ModifyVault Approval = "com.quexten.goldwarden.modifyvault"
+ BrowserBiometrics Approval = "com.quexten.goldwarden.browserbiometrics"
+)
+
+func (a Approval) String() string {
+ return string(a)
+}
diff --git a/agent/systemauth/polkitbiometrics.go b/agent/systemauth/biometrics/polkit.go
similarity index 83%
rename from agent/systemauth/polkitbiometrics.go
rename to agent/systemauth/biometrics/polkit.go
index 2f4350e..80a846f 100644
--- a/agent/systemauth/polkitbiometrics.go
+++ b/agent/systemauth/biometrics/polkit.go
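Review bot: The `init` added in biometrics.go turns `GOLDWARDEN_SYSTEM_AUTH_DISABLED=true` into an unconditional pass for every `CheckBiometrics` gate on the polkit build, with neither a comment nor a log line, and it re-reads the very environment variable that agent/systemauth/systemauth.go still loads into `systemAuthDisabled` in this same commit, so the two packages can silently disagree about whether approval prompts are off. Document the flag at its declaration, `// biometricsDisabled bypasses every approval prompt; intended for tests and automation on trusted hosts only.`, and have init emit a warning through the project logger when the bypass is active so an unexpected environment shows up in the agent log (this file currently imports only os, so it would need the logging import that polkit.go already uses). The Approval constants also deserve a one-line comment that they double as polkit action ids and must match the installed policy file, and that the bypass is only consulted by the polkit backend unless the darwin/windows `CheckBiometrics` is changed to check it too.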
@@ -1,21 +1,13 @@
-package systemauth
+//go:build linux || freebsd
+
+package biometrics
 import (
 "github.com/amenzhinsky/go-polkit"
 "github.com/quexten/goldwarden/logging"
 )
-var log = logging.GetLogger("Goldwarden", "Systemauth")
-
-type Approval string
-
-const (
- AccessCredential Approval = "com.quexten.goldwarden.accesscredential"
- ChangePin Approval = "com.quexten.goldwarden.changepin"
- SSHKey Approval = "com.quexten.goldwarden.usesshkey"
- ModifyVault Approval = "com.quexten.goldwarden.modifyvault"
- BrowserBiometrics Approval = "com.quexten.goldwarden.browserbiometrics"
-)
+var log = logging.GetLogger("Goldwarden", "Biometrics")
 const POLICY = ` `
-func (a Approval) String() string {
- return string(a)
-}
-
 func CheckBiometrics(approvalType Approval) bool {
- if systemAuthDisabled {
+ if biometricsDisabled {
 return true
 }
diff --git a/agent/systemauth/biometrics/touchid.go b/agent/systemauth/biometrics/touchid.go
new file mode 100644
index 0000000..30c8df3
--- /dev/null
+++ b/agent/systemauth/biometrics/touchid.go
@@ -0,0 +1,18 @@
+//go:build windows || darwin
+
+package biometrics
+
+func CheckBiometrics(approvalType Approval) bool {
+ ok, err := touchid.Authenticate(approvalType.String()
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ if ok {
+ log.Printf("Authenticated")
+ return true
+ } else {
+ log.Fatal("Failed to authenticate")
+ return false
+ }
+}
diff --git a/agent/systemauth/systemauth.go b/agent/systemauth/systemauth.go
index 8432170..9afad16 100644
--- a/agent/systemauth/systemauth.go
+++ b/agent/systemauth/systemauth.go
@@ -1,6 +1,12 @@
 package systemauth
-import "os"
+import (
+ "os"
+
+ "github.com/quexten/goldwarden/logging"
+)
+
+var log = logging.GetLogger("Goldwarden", "Systemauth")
 var systemAuthDisabled = false
diff --git a/cmd/setup.go b/cmd/setup_linux.go
similarity index 95%
rename from cmd/setup.go
rename to cmd/setup_linux.go
index c6256e5..f88ebfa 100644
--- a/cmd/setup.go
+++ b/cmd/setup_linux.go
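Review bot: The new touchid.go cannot build under its `windows || darwin` constraint: `ok, err := touchid.Authenticate(approvalType.String()` is missing its closing parenthesis, no `touchid` package is imported, and `log` is declared only in polkit.go, which this commit restricts to `linux || freebsd`, so neither `log.Fatal` nor `log.Printf` resolves here. More seriously for a security gate, `log.Fatal` on an authentication error or denial terminates the agent that holds the unlocked vault and the SSH keys — a denied prompt is an expected outcome and must fail closed by returning false, not by killing the daemon (the `return false` after the Fatal is unreachable anyway), and Windows has no Touch ID, so the tag should be `darwin` alone with an explicit deny or separate backend for windows. The rewrite below keeps the same contract as the polkit backend, honors `biometricsDisabled` the way polkit.go does, and uses the `log.Info(format, args...)` shape the project logger is called with elsewhere in this diff; making it compile also requires moving `var log = logging.GetLogger("Goldwarden", "Biometrics")` into the untagged biometrics.go and importing whichever Touch ID binding is intended, which the commit does not show.
```go
//go:build darwin

package biometrics

// CheckBiometrics prompts the user via Touch ID for the given approval.
// It fails closed: any error or denial yields false and never exits the agent.
func CheckBiometrics(approvalType Approval) bool {
	if biometricsDisabled {
		return true
	}
	ok, err := touchid.Authenticate(approvalType.String())
	if err != nil {
		log.Info("Biometric authentication error for %s: %s", approvalType.String(), err.Error())
		return false
	}
	if !ok {
		log.Info("Biometric authentication denied for %s", approvalType.String())
		return false
	}
	return true
}
```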
@@ -1,3 +1,5 @@
+//go:build linux || freebsd
+
 package cmd
 import (
@@ -6,7 +8,7 @@ import (
 "os/exec"
 "strings"
- "github.com/quexten/goldwarden/agent/systemauth"
+ "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/browserbiometrics"
 "github.com/spf13/cobra"
 )
@@ -16,7 +18,7 @@ func setupPolkit() {
 if err != nil {
 panic(err)
 }
- _, err = file.WriteString(systemauth.POLICY)
+ _, err = file.WriteString(biometrics.POLICY)
 if err != nil {
 panic(err)
 }
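Review bot: Renaming the file to `cmd/setup_linux.go` and adding `//go:build linux || freebsd` contradict each other: the `_linux` filename suffix is itself a build constraint that the go tool applies before reading the tag, so this file is compiled on Linux only and the FreeBSD half of the constraint is dead. Either keep the tag and drop the GOOS suffix from the name (for example `cmd/setup_polkit.go`), or rely on the suffix alone and remove the tag. Whatever cobra command this file registers is also now absent from darwin and windows builds; if anything else in cmd refers to it those builds will fail, which cannot be confirmed from these hunks.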