quexten/goldwarden
1
1
Fork 0
mirror of https://github.com/quexten/goldwarden.git synced 2024-09-11 19:17:33 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: quexten:60abbb0f82bc8df438003307749a029e225cfda8
Branches Tags
quexten:main
quexten:dependabot/github_actions/dot-github/workflows/github_actions-14598a9f5f
quexten:dependabot/go_modules/golang.org/x/crypto-0.26.0
quexten:dependabot/go_modules/golang.org/x/sys-0.24.0
quexten:dependabot/go_modules/github.com/rymdport/portal-0.2.6
quexten:fix/camelcase-requests
quexten:fix/prelogin-url
quexten:feature/cipherkey-encryption
quexten:release
quexten:feature/import-ssh
quexten:feature/macos
quexten:fix/status-py
quexten:fix/rename-directive
quexten:feature/error-dialogs-on-login
quexten:fix/wrong_server_in_gui
quexten:fix/goldwarden_ui_main_executable_bit
quexten:fix/client-credentials
quexten:fix/check-ui-values
quexten:restructure
quexten:feature/x11-autotype
quexten:feature/resource-file
quexten:feature/gtk-blueprints
quexten:fix/autostart-os-reference
quexten:feature/detect-old-cipher
quexten:feature/libportal-notification
quexten:fix/browserbiometrics
quexten:quexten-patch-1
quexten:fix/os_undefined
quexten:feature/persistent-autotype-permission
quexten:fix/browser-biometric-setup
quexten:v0.3.3
quexten:v0.3.2
quexten:v0.3.1
quexten:v0.3.0
quexten:v0.2.16
quexten:v0.2.15
quexten:v0.2.14
quexten:v0.2.13
quexten:v0.2.12
quexten:v0.2.11
quexten:v0.2.10
quexten:v0.2.9
quexten:v0.2.8
quexten:v0.2.7
quexten:v0.2.6
quexten:v0.2.5
quexten:v0.2.4
quexten:v0.2.3
quexten:v0.2.2
quexten:v0.2.1
quexten:v0.2.0
quexten:v0.1.10
quexten:v0.1.9
quexten:v0.1.8
quexten:v0.1.7
quexten:v0.1.6
quexten:v0.1.5
quexten:v0.1.4
quexten:v0.1.3
quexten:v0.1.2
quexten:v0.1.1
quexten:v0.1.0
quexten:0.1.0
...
compare: quexten:bc1a94ba717ab9d17d5324a542c67c0e7860c8c0
Branches Tags
quexten:dependabot/github_actions/dot-github/workflows/github_actions-14598a9f5f
quexten:dependabot/go_modules/golang.org/x/crypto-0.26.0
quexten:dependabot/go_modules/golang.org/x/sys-0.24.0
quexten:dependabot/go_modules/github.com/rymdport/portal-0.2.6
quexten:main
quexten:fix/camelcase-requests
quexten:fix/prelogin-url
quexten:feature/cipherkey-encryption
quexten:release
quexten:feature/import-ssh
quexten:feature/macos
quexten:fix/status-py
quexten:fix/rename-directive
quexten:feature/error-dialogs-on-login
quexten:fix/wrong_server_in_gui
quexten:fix/goldwarden_ui_main_executable_bit
quexten:fix/client-credentials
quexten:fix/check-ui-values
quexten:restructure
quexten:feature/x11-autotype
quexten:feature/resource-file
quexten:feature/gtk-blueprints
quexten:fix/autostart-os-reference
quexten:feature/detect-old-cipher
quexten:feature/libportal-notification
quexten:fix/browserbiometrics
quexten:quexten-patch-1
quexten:fix/os_undefined
quexten:feature/persistent-autotype-permission
quexten:fix/browser-biometric-setup
quexten:v0.3.3
quexten:v0.3.2
quexten:v0.3.1
quexten:v0.3.0
quexten:v0.2.16
quexten:v0.2.15
quexten:v0.2.14
quexten:v0.2.13
quexten:v0.2.12
quexten:v0.2.11
quexten:v0.2.10
quexten:v0.2.9
quexten:v0.2.8
quexten:v0.2.7
quexten:v0.2.6
quexten:v0.2.5
quexten:v0.2.4
quexten:v0.2.3
quexten:v0.2.2
quexten:v0.2.1
quexten:v0.2.0
quexten:v0.1.10
quexten:v0.1.9
quexten:v0.1.8
quexten:v0.1.7
quexten:v0.1.6
quexten:v0.1.5
quexten:v0.1.4
quexten:v0.1.3
quexten:v0.1.2
quexten:v0.1.1
quexten:v0.1.0
quexten:0.1.0

3 Commits
60abbb0f82 ... bc1a94ba71

Author SHA1 Message Date
Bernd Schoolmann
bc1a94ba71
Merge pull request #130 from SuperSandro2000/lints-agents 
Fix whole bunch of lints
 2024-03-05 15:06:13 +01:00
Sandro Jäckel
eb400ee656
Fix whole bunch of lints 2024-03-03 02:30:38 +01:00
Sandro Jäckel
a0b82eb175
Fix typos 2024-03-03 01:42:50 +01:00
14 changed files with 221 additions and 141 deletions
Show Stats Expand all files Collapse all files

18
agent/actions/config.go
View File

@ -144,7 +144,14 @@ func handleGetConfigEnvironment(request messages.IPCMessage, cfg *config.Config,
func handleSetClientID(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (response messages.IPCMessage, err error) {
clientID := messages.ParsePayload(request).(messages.SetClientIDRequest).Value
cfg.SetClientID(clientID)
err = cfg.SetClientID(clientID)
if err != nil {
return messages.IPCMessageFromPayload(messages.ActionResponse{
Success: false,
Message: err.Error(),
})
}
err = cfg.WriteConfig()
if err != nil {
return messages.IPCMessageFromPayload(messages.ActionResponse{
@ -160,7 +167,14 @@ func handleSetClientID(request messages.IPCMessage, cfg *config.Config, vault *v
func handleSetClientSecret(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (response messages.IPCMessage, err error) {
clientSecret := messages.ParsePayload(request).(messages.SetClientSecretRequest).Value
cfg.SetClientSecret(clientSecret)
err = cfg.SetClientSecret(clientSecret)
if err != nil {
return messages.IPCMessageFromPayload(messages.ActionResponse{
Success: false,
Message: err.Error(),
})
}
err = cfg.WriteConfig()
if err != nil {
return messages.IPCMessageFromPayload(messages.ActionResponse{

12
agent/actions/login.go
View File

@ -57,7 +57,7 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault
return
}
cfg.SetToken(config.LoginToken{
_ = cfg.SetToken(config.LoginToken{
AccessToken: token.AccessToken,
ExpiresIn: token.ExpiresIn,
TokenType: token.TokenType,
@ -88,7 +88,7 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault
if err != nil {
defer func() {
notify.Notify("Goldwarden", "Could not decrypt. Wrong password?", "", 10*time.Second, func() {})
cfg.SetToken(config.LoginToken{})
_ = cfg.SetToken(config.LoginToken{})
vault.Clear()
}()
@ -103,9 +103,9 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault
return
}
cfg.SetUserSymmetricKey(vault.Keyring.GetAccountKey().Bytes())
cfg.SetMasterPasswordHash([]byte(masterpasswordHash))
cfg.SetMasterKey([]byte(masterKey.GetBytes()))
err = cfg.SetUserSymmetricKey(vault.Keyring.GetAccountKey().Bytes())
err = cfg.SetMasterPasswordHash([]byte(masterpasswordHash))
err = cfg.SetMasterKey([]byte(masterKey.GetBytes()))
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
if vault.Keyring.IsMemguard {
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(vault.Keyring.GetAccountKey().Bytes())
@ -115,7 +115,7 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault
if err != nil {
defer func() {
notify.Notify("Goldwarden", "Could not decrypt. Wrong password?", "", 10*time.Second, func() {})
cfg.SetToken(config.LoginToken{})
_ = cfg.SetToken(config.LoginToken{})
vault.Clear()
}()

12
agent/actions/logins.go
View File

@ -69,11 +69,7 @@ func handleGetLoginCipher(request messages.IPCMessage, cfg *config.Config, vault
if !login.Login.Totp.IsNull() {
decryptedTotp, err := crypto.DecryptWith(login.Login.Totp, cipherKey)
if err == nil {
if err == nil {
decryptedLogin.TOTPSeed = string(decryptedTotp)
} else {
fmt.Println(err)
}
decryptedLogin.TOTPSeed = string(decryptedTotp)
} else {
fmt.Println(string(decryptedTotp))
}
@ -117,11 +113,7 @@ func handleListLoginsRequest(request messages.IPCMessage, cfg *config.Config, va
continue
}
var decryptedName []byte = []byte{}
var decryptedUsername []byte = []byte{}
var decryptedPassword []byte = []byte{}
var decryptedTotp []byte = []byte{}
var decryptedURL []byte = []byte{}
var decryptedName, decryptedUsername, decryptedPassword, decryptedTotp, decryptedURL []byte
if !login.Name.IsNull() {
decryptedName, err = crypto.DecryptWith(login.Name, key)

5
agent/actions/vault.go
View File

@ -146,7 +146,10 @@ func handleLockVault(request messages.IPCMessage, cfg *config.Config, vault *vau
func handleWipeVault(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, callingContext *sockets.CallingContext) (response messages.IPCMessage, err error) {
cfg.Purge()
cfg.WriteConfig()
err = cfg.WriteConfig()
if err != nil {
panic(err)
}
vault.Clear()
response, err = messages.IPCMessageFromPayload(messages.ActionResponse{

22
agent/bitwarden/auth.go
View File

@ -208,7 +208,15 @@ func LoginWithDevice(ctx context.Context, email string, cfg *config.Config, vaul
}
if authRequestData.RequestApproved {
masterKey, err := crypto.DecryptWithAsymmetric([]byte(authRequestData.Key), publicKey)
if err != nil {
return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("could not decrypt key with asymmetric key: %s", err.Error())
}
masterPasswordHash, err := crypto.DecryptWithAsymmetric([]byte(authRequestData.MasterPasswordHash), publicKey)
if err != nil {
return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("could not decrypt master password hash with asymmetric key: %s", err.Error())
}
values := urlValues(
"grant_type", "password",
"username", email,
@ -233,7 +241,7 @@ func LoginWithDevice(ctx context.Context, email string, cfg *config.Config, vaul
return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("captcha required, please login via the web interface")
} else if err != nil {
return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("could not login via password: %v", err)
return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("could not login via password: %s", err.Error())
}
return loginResponseToken, crypto.MasterKeyFromBytes(masterKey), string(masterPasswordHash), nil
}
@ -282,13 +290,17 @@ func RefreshToken(ctx context.Context, cfg *config.Config) bool {
return false
}
cfg.SetToken(config.LoginToken{
err = cfg.SetToken(config.LoginToken{
AccessToken: loginResponseToken.AccessToken,
RefreshToken: "",
Key: loginResponseToken.Key,
TokenType: loginResponseToken.TokenType,
ExpiresIn: loginResponseToken.ExpiresIn,
})
if err != nil {
authLog.Error("Could not set token: %s", err.Error())
return false
}
} else {
authLog.Info("No api credentials set")
}
@ -306,13 +318,17 @@ func RefreshToken(ctx context.Context, cfg *config.Config) bool {
notify.Notify("Goldwarden", fmt.Sprintf("Could not refresh token: %v", err), "", 0, func() {})
return false
}
cfg.SetToken(config.LoginToken{
err = cfg.SetToken(config.LoginToken{
AccessToken: loginResponseToken.AccessToken,
RefreshToken: loginResponseToken.RefreshToken,
Key: loginResponseToken.Key,
TokenType: loginResponseToken.TokenType,
ExpiresIn: loginResponseToken.ExpiresIn,
})
if err != nil {
authLog.Error("Could not set token: %s", err.Error())
return false
}
}
authLog.Info("Token refreshed")

6
agent/bitwarden/crypto/crypto.go
View File

@ -123,6 +123,9 @@ func MemguardAssymmetricEncryptionKeyFromBytes(key []byte) (MemguardAsymmetricEn
func (key MemoryAsymmetricEncryptionKey) PublicBytes() []byte {
privateKey, err := x509.ParsePKCS8PrivateKey(key.encKey)
if err != nil {
panic(err)
}
pub := (privateKey.(*rsa.PrivateKey)).Public()
publicKeyBytes, err := x509.MarshalPKIXPublicKey(pub)
if err != nil {
@ -137,6 +140,9 @@ func (key MemguardAsymmetricEncryptionKey) PublicBytes() []byte {
panic(err)
}
privateKey, err := x509.ParsePKCS8PrivateKey(buffer.Bytes())
if err != nil {
panic(err)
}
pub := (privateKey.(*rsa.PrivateKey)).Public()
publicKeyBytes, err := x509.MarshalPKIXPublicKey(pub)
if err != nil {

10
agent/bitwarden/crypto/keyhierarchy.go
View File

@ -90,9 +90,15 @@ func stretchKey(masterKey MasterKey, useMemguard bool) (SymmetricEncryptionKey,
var r io.Reader
r = hkdf.Expand(sha256.New, buffer.Data(), []byte("enc"))
r.Read(key)
_, err = r.Read(key)
if err != nil {
return nil, err
}
r = hkdf.Expand(sha256.New, buffer.Data(), []byte("mac"))
r.Read(macKey)
_, err = r.Read(macKey)
if err != nil {
return nil, err
}
if useMemguard {
return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil

5
agent/bitwarden/send.go
View File

@ -71,7 +71,10 @@ func CreateSend(ctx context.Context, cfg *config.Config, vault *vault.Vault, nam
}
sendUseKeyPairBytes := make([]byte, 64)
hkdf.New(sha256.New, sendSourceKey, []byte("bitwarden-send"), []byte("send")).Read(sendUseKeyPairBytes)
_, err = hkdf.New(sha256.New, sendSourceKey, []byte("bitwarden-send"), []byte("send")).Read(sendUseKeyPairBytes)
if err != nil {
return "", err
}
sendUseKeyPair, err := crypto.MemorySymmetricEncryptionKeyFromBytes(sendUseKeyPairBytes)
if err != nil {

11
agent/bitwarden/sync.go
View File

@ -25,7 +25,11 @@ func Sync(ctx context.Context, config *config.Config) (models.SyncData, error) {
}
home, _ := os.UserHomeDir()
WriteVault(sync, home+path)
err := WriteVault(sync, home+path)
if err != nil {
return sync, err
}
return sync, nil
}
@ -55,7 +59,10 @@ func DoFullSync(ctx context.Context, vault *vault.Vault, config *config.Config,
}
if userSymmetricKey != nil {
log.Info("Initializing keyring from user symmetric key...")
crypto.InitKeyringFromUserSymmetricKey(vault.Keyring, *userSymmetricKey, sync.Profile.PrivateKey, orgKeys)
err = crypto.InitKeyringFromUserSymmetricKey(vault.Keyring, *userSymmetricKey, sync.Profile.PrivateKey, orgKeys)
if err != nil {
return err
}
}
log.Info("Clearing vault...")

23
agent/bitwarden/websocket.go
View File

@ -88,7 +88,10 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con
done := make(chan struct{})
//handshake required for official bitwarden implementation
c.WriteMessage(1, []byte(`{"protocol":"messagepack","version":1}`))
err = c.WriteMessage(1, []byte(`{"protocol":"messagepack","version":1}`))
if err != nil {
return err
}
go func() {
for {
@ -123,12 +126,14 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con
websocketLog.Error("Error getting token %s", err)
break
}
DoFullSync(context.WithValue(ctx, AuthToken{}, token.AccessToken), vault, cfg, nil, false)
break
err = DoFullSync(context.WithValue(ctx, AuthToken{}, token.AccessToken), vault, cfg, nil, false)
if err != nil {
log.Error("could not perform full sync: %s", err.Error())
return
}
case SyncCipherDelete:
websocketLog.Warn("Delete requested for cipher " + cipherid)
vault.DeleteCipher(cipherid)
break
case SyncCipherUpdate:
websocketLog.Warn("Update requested for cipher " + cipherid)
token, err := cfg.GetToken()
@ -154,8 +159,6 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con
vault.AddOrUpdateLogin(cipher)
}
vault.SetLastSynced(time.Now().Unix())
break
case SyncCipherCreate:
websocketLog.Warn("Create requested for cipher " + cipherid)
token, err := cfg.GetToken()
@ -176,11 +179,8 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con
vault.AddOrUpdateLogin(cipher)
}
vault.SetLastSynced(time.Now().Unix())
break
case SyncSendCreate, SyncSendUpdate, SyncSendDelete:
websocketLog.Warn("SyncSend requested: sends are not supported")
break
case LogOut:
websocketLog.Info("LogOut received. Wiping vault and exiting...")
if vault.Keyring.IsMemguard {
@ -213,17 +213,12 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con
websocketLog.Error("Error creating auth response %s", err)
}
})
break
case AuthRequestResponse:
websocketLog.Info("AuthRequestResponse received")
break
case SyncFolderDelete, SyncFolderCreate, SyncFolderUpdate:
websocketLog.Warn("SyncFolder requested: folders are not supported")
break
case SyncOrgKeys, SyncSettings:
websocketLog.Warn("SyncOrgKeys requested: orgs / settings are not supported")
break
default:
websocketLog.Warn("Unknown message type received %d", mt1)
}

92
agent/config/config.go
View File

@ -7,6 +7,7 @@ import (
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"os"
"runtime/debug"
"strings"
@ -19,6 +20,7 @@ import (
"github.com/quexten/goldwarden/agent/pincache"
"github.com/quexten/goldwarden/agent/systemauth/pinentry"
"github.com/quexten/goldwarden/agent/vault"
"github.com/quexten/goldwarden/logging"
"github.com/tink-crypto/tink-go/v2/aead/subtle"
"golang.org/x/crypto/argon2"
"golang.org/x/crypto/sha3"
@ -78,6 +80,8 @@ type Config struct {
mu sync.Mutex
}
var log = logging.GetLogger("Goldwarden", "Config")
func DefaultConfig(useMemguard bool) Config {
deviceUUID, _ := uuid.NewUUID()
keyBuffer := NewBuffer(32, useMemguard)
@ -188,37 +192,65 @@ func (c *Config) UpdatePin(password string, write bool) {
c.ConfigFile.ConfigKeyHash = configKeyHash
plaintextToken, err1 := c.decryptString(c.ConfigFile.EncryptedToken)
plaintextUserSymmetricKey, err3 := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)
plaintextEncryptedMasterPasswordHash, err4 := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)
plaintextMasterKey, err5 := c.decryptString(c.ConfigFile.EncryptedMasterKey)
plaintextClientID, err6 := c.decryptString(c.ConfigFile.EncryptedClientID)
plaintextClientSecret, err7 := c.decryptString(c.ConfigFile.EncryptedClientSecret)
plaintextUserSymmetricKey, err2 := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)
plaintextEncryptedMasterPasswordHash, err3 := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)
plaintextMasterKey, err4 := c.decryptString(c.ConfigFile.EncryptedMasterKey)
plaintextClientID, err5 := c.decryptString(c.ConfigFile.EncryptedClientID)
plaintextClientSecret, err6 := c.decryptString(c.ConfigFile.EncryptedClientSecret)
key := NewBufferFromBytes(newKey, c.useMemguard)
c.key = &key
if err1 == nil {
c.ConfigFile.EncryptedToken, err1 = c.encryptString(plaintextToken)
if err1 != nil {
log.Error("could not encrypt token: %s", err1.Error())
return
}
}
if err2 == nil {
c.ConfigFile.EncryptedUserSymmetricKey, err2 = c.encryptString(plaintextUserSymmetricKey)
if err2 != nil {
log.Error("could not encrypt user symmetric key: %s", err2.Error())
return
}
}
if err3 == nil {
c.ConfigFile.EncryptedUserSymmetricKey, err3 = c.encryptString(plaintextUserSymmetricKey)
c.ConfigFile.EncryptedMasterPasswordHash, err3 = c.encryptString(plaintextEncryptedMasterPasswordHash)
if err3 != nil {
log.Error("could not encrypt master password hash: %s", err3.Error())
return
}
}
if err4 == nil {
c.ConfigFile.EncryptedMasterPasswordHash, err4 = c.encryptString(plaintextEncryptedMasterPasswordHash)
c.ConfigFile.EncryptedMasterKey, err4 = c.encryptString(plaintextMasterKey)
if err4 != nil {
log.Error("could not encrypt master key: %s", err4.Error())
return
}
}
if err5 == nil {
c.ConfigFile.EncryptedMasterKey, err5 = c.encryptString(plaintextMasterKey)
c.ConfigFile.EncryptedClientID, err5 = c.encryptString(plaintextClientID)
if err5 != nil {
log.Error("could not encrypt client id: %s", err5.Error())
return
}
}
if err6 == nil {
c.ConfigFile.EncryptedClientID, err6 = c.encryptString(plaintextClientID)
}
if err7 == nil {
c.ConfigFile.EncryptedClientSecret, err7 = c.encryptString(plaintextClientSecret)
c.ConfigFile.EncryptedClientSecret, err6 = c.encryptString(plaintextClientSecret)
if err6 != nil {
log.Error("could not encrypt client secret: %s", err6.Error())
return
}
}
c.mu.Unlock()
if write {
c.WriteConfig()
err := c.WriteConfig()
if err != nil {
log.Error("could not write config: %s", err.Error())
return
}
}
pincache.SetPin(c.useMemguard, []byte(password))
@ -247,6 +279,9 @@ func (c *Config) SetToken(token LoginToken) error {
}
tokenJson, err := json.Marshal(token)
if err != nil {
return fmt.Errorf("could not marshall json: %s", err.Error())
}
encryptedToken, err := c.encryptString(string(tokenJson))
if err != nil {
return err
@ -254,8 +289,7 @@ func (c *Config) SetToken(token LoginToken) error {
// c.mu.Lock()
c.ConfigFile.EncryptedToken = encryptedToken
// c.mu.Unlock()
c.WriteConfig()
return nil
return c.WriteConfig()
}
func (c *Config) GetClientID() (string, error) {
@ -281,8 +315,7 @@ func (c *Config) SetClientID(clientID string) error {
if clientID == "" {
c.ConfigFile.EncryptedClientID = ""
c.WriteConfig()
return nil
return c.WriteConfig()
}
encryptedClientID, err := c.encryptString(clientID)
@ -292,8 +325,7 @@ func (c *Config) SetClientID(clientID string) error {
// c.mu.Lock()
c.ConfigFile.EncryptedClientID = encryptedClientID
// c.mu.Unlock()
c.WriteConfig()
return nil
return c.WriteConfig()
}
func (c *Config) GetClientSecret() (string, error) {
@ -319,8 +351,7 @@ func (c *Config) SetClientSecret(clientSecret string) error {
if clientSecret == "" {
c.ConfigFile.EncryptedClientSecret = ""
c.WriteConfig()
return nil
return c.WriteConfig()
}
encryptedClientSecret, err := c.encryptString(clientSecret)
@ -330,8 +361,7 @@ func (c *Config) SetClientSecret(clientSecret string) error {
// c.mu.Lock()
c.ConfigFile.EncryptedClientSecret = encryptedClientSecret
// c.mu.Unlock()
c.WriteConfig()
return nil
return c.WriteConfig()
}
func (c *Config) GetUserSymmetricKey() ([]byte, error) {
@ -356,8 +386,7 @@ func (c *Config) SetUserSymmetricKey(key []byte) error {
// c.mu.Lock()
c.ConfigFile.EncryptedUserSymmetricKey = encryptedKey
// c.mu.Unlock()
c.WriteConfig()
return nil
return c.WriteConfig()
}
func (c *Config) GetMasterPasswordHash() ([]byte, error) {
@ -372,7 +401,6 @@ func (c *Config) GetMasterPasswordHash() ([]byte, error) {
}
func (c *Config) SetMasterPasswordHash(hash []byte) error {
if c.IsLocked() {
return errors.New("config is locked")
}
@ -386,8 +414,7 @@ func (c *Config) SetMasterPasswordHash(hash []byte) error {
c.ConfigFile.EncryptedMasterPasswordHash = encryptedHash
// c.mu.Unlock()
c.WriteConfig()
return nil
return c.WriteConfig()
}
func (c *Config) GetMasterKey() ([]byte, error) {
@ -412,8 +439,7 @@ func (c *Config) SetMasterKey(key []byte) error {
// c.mu.Lock()
c.ConfigFile.EncryptedMasterKey = encryptedKey
// c.mu.Unlock()
c.WriteConfig()
return nil
return c.WriteConfig()
}
func (c *Config) encryptString(data string) (string, error) {
@ -499,9 +525,11 @@ func ReadConfig(rtCfg RuntimeConfig) (Config, error) {
if _, err := os.Stat(oldPath); err == nil {
if _, err := os.Stat(newPath); err != nil {
if _, err := os.Stat(newPathParent); os.IsNotExist(err) {
os.Mkdir(newPathParent, 0700)
err = os.Mkdir(newPathParent, 0700)
return Config{}, err
}
os.Rename(oldPath, newPath)
err = os.Rename(oldPath, newPath)
return Config{}, err
}
}

50
agent/notify/dbus.go
View File

@ -6,15 +6,18 @@ import (
"time"
"github.com/godbus/dbus/v5"
"github.com/quexten/goldwarden/logging"
)
var closeListenerMap = make(map[uint32]func())
var notificationID uint32 = 1000000
var log = logging.GetLogger("Goldwarden", "Dbus")
func Notify(title string, body string, actionName string, timeout time.Duration, onclose func()) error {
func Notify(title string, body string, actionName string, timeout time.Duration, onclose func()) {
bus, err := dbus.SessionBus()
if err != nil {
return err
log.Error("could not get a dbus session: %s", err.Error())
return
}
obj := bus.Object("org.freedesktop.Notifications", "/org/freedesktop/Notifications")
actions := []string{}
@ -26,16 +29,17 @@ func Notify(title string, body string, actionName string, timeout time.Duration,
call := obj.Call("org.freedesktop.Notifications.Notify", 0, "goldwarden", uint32(notificationID), "", title, body, actions, map[string]dbus.Variant{}, int32(60000))
if call.Err != nil {
return call.Err
log.Error("could not call dbus object: %s", call.Err.Error())
return
}
if len(call.Body) < 1 {
return nil
return
}
id := call.Body[0].(uint32)
closeListenerMap[id] = onclose
if timeout == 0 {
return nil
return
} else {
go func(id uint32) {
time.Sleep(timeout)
@ -45,8 +49,6 @@ func Notify(title string, body string, actionName string, timeout time.Duration,
}
}(id)
}
return nil
}
func ListenForNotifications() error {
@ -62,26 +64,22 @@ func ListenForNotifications() error {
signals := make(chan *dbus.Signal, 10)
bus.Signal(signals)
for {
select {
case message := <-signals:
if message.Name == "org.freedesktop.Notifications.NotificationClosed" {
if len(message.Body) < 1 {
continue
}
id, ok := message.Body[0].(uint32)
if !ok {
continue
}
if id == 0 {
continue
}
if closeListener, ok := closeListenerMap[id]; ok {
delete(closeListenerMap, id)
closeListener()
}
message := <-signals
if message.Name == "org.freedesktop.Notifications.NotificationClosed" {
if len(message.Body) < 1 {
continue
}
id, ok := message.Body[0].(uint32)
if !ok {
continue
}
if id == 0 {
continue
}
if closeListener, ok := closeListenerMap[id]; ok {
delete(closeListenerMap, id)
closeListener()
}
}
}
return nil
}

38
agent/processsecurity/unix.go
View File

@ -37,30 +37,26 @@ func MonitorLocks(onlock func()) error {
signals := make(chan *dbus.Signal, 10)
bus.Signal(signals)
for {
select {
case message := <-signals:
if message.Name == "org.gnome.ScreenSaver.ActiveChanged" {
if len(message.Body) == 0 {
continue
}
locked, err := message.Body[0].(bool)
if err || locked {
onlock()
}
message := <-signals
if message.Name == "org.gnome.ScreenSaver.ActiveChanged" {
if len(message.Body) == 0 {
continue
}
if message.Name == "org.freedesktop.ScreenSaver.ActiveChanged" {
if len(message.Body) == 0 {
continue
}
locked, err := message.Body[0].(bool)
if err || locked {
onlock()
}
locked, err := message.Body[0].(bool)
if err || locked {
onlock()
}
}
if message.Name == "org.freedesktop.ScreenSaver.ActiveChanged" {
if len(message.Body) == 0 {
continue
}
locked, err := message.Body[0].(bool)
if err || locked {
onlock()
}
}
}
return nil
}
func MonitorIdle(onidle func()) error {
@ -88,6 +84,4 @@ func MonitorIdle(onidle func()) error {
time.Sleep(1 * time.Second)
}
return nil
}

58
agent/unixsocketagent.go
View File

@ -31,20 +31,20 @@ const (
var log = logging.GetLogger("Goldwarden", "Agent")
func writeError(c net.Conn, errMsg error) error {
func writeError(c net.Conn, errMsg error) {
payload := messages.ActionResponse{
Success: false,
Message: errMsg.Error(),
}
payloadBytes, err := json.Marshal(payload)
if err != nil {
return err
log.Warn("Could not json marshall: %s", err.Error())
return
}
_, err = c.Write(payloadBytes)
if err != nil {
return err
log.Warn("Could not write payload: %s", err.Error())
}
return nil
}
func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) {
@ -145,9 +145,9 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) {
},
}
pinnentrySetError := pinentry.SetExternalPinentry(pe)
pinentrySetError := pinentry.SetExternalPinentry(pe)
payload := messages.PinentryRegistrationResponse{
Success: pinnentrySetError == nil,
Success: pinentrySetError == nil,
}
log.Info("Pinentry registration success: %t", payload.Success)
@ -167,9 +167,12 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) {
log.Error("Failed writing to socket " + err.Error())
}
_, err = c.Write([]byte("\n"))
if err != nil {
log.Error("Failed writing to socket " + err.Error())
}
time.Sleep(50 * time.Millisecond) //todo fix properly
if pinnentrySetError != nil {
if pinentrySetError != nil {
return
}
@ -266,8 +269,6 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) {
}
}
}
continue
}
var responseBytes []byte
@ -322,7 +323,10 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
log.Warn("Could not read config: %s", err.Error())
cfg = config.DefaultConfig(runtimeConfig.UseMemguard)
cfg.ConfigFile.RuntimeConfig = runtimeConfig
cfg.WriteConfig()
err = cfg.WriteConfig()
if err != nil {
log.Warn("Could not write config: %s", err.Error())
}
}
cfg.ConfigFile.RuntimeConfig = runtimeConfig
if cfg.ConfigFile.RuntimeConfig.DeviceUUID != "" {
@ -348,14 +352,17 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
time.Sleep(60 * time.Second)
continue
}
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
var protectedUserSymmetricKey crypto.SymmetricEncryptionKey
if vault.Keyring.IsMemguard {
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
protectedUserSymmetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
} else {
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
protectedUserSymmetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
}
if err != nil {
log.Error("could not get encryption key from bytes: %s", err.Error())
}
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymmetricKey, true)
if err != nil {
log.Error("Could not sync: %s", err.Error())
notify.Notify("Goldwarden", "Could not perform initial sync", "", 0, func() {})
@ -369,7 +376,11 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
}
}
processsecurity.DisableDumpable()
err = processsecurity.DisableDumpable()
if err != nil {
log.Warn("Could not disable dumpable: %s", err.Error())
}
go func() {
err = processsecurity.MonitorLocks(func() {
cfg.Lock()
@ -435,14 +446,17 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
if err != nil {
log.Error("Could not get user symmetric key: %s", err.Error())
}
var protectedUserSymetricKey crypto.SymmetricEncryptionKey
var protectedUserSymmetricKey crypto.SymmetricEncryptionKey
if vault.Keyring.IsMemguard {
protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
protectedUserSymmetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
} else {
protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
protectedUserSymmetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
}
if err != nil {
log.Error("could not get encryption key from bytes: %s", err.Error())
}
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymmetricKey, true)
if err != nil {
log.Error("Could not sync: %s", err.Error())
notify.Notify("Goldwarden", "Could not perform initial sync on ssh unlock", "", 0, func() {})
@ -482,7 +496,11 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
continue
}
bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, nil, false)
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, nil, false)
if err != nil {
log.Warn("Could not do full sync: %s", err.Error())
continue
}
}
}
}()