Merge pull request #117 from Mte90/patch-2

Silent notice on quickaccess.py

agent/actions/logins.go

@@ -129,6 +129,8 @@ func handleListLoginsRequest(request messages.IPCMessage, cfg *config.Config, va
 				actionsLog.Warn("Could not decrypt login:" + err.Error())
 				continue
 			}
+		} else {
+			decryptedName = []byte{}
 		}
 
 		if !login.Login.Username.IsNull() {
@@ -137,6 +139,8 @@ func handleListLoginsRequest(request messages.IPCMessage, cfg *config.Config, va
 				actionsLog.Warn("Could not decrypt login:" + err.Error())
 				continue
 			}
+		} else {
+			decryptedUsername = []byte{}
 		}
 
 		if !login.Login.Password.IsNull() {
@@ -145,6 +149,8 @@ func handleListLoginsRequest(request messages.IPCMessage, cfg *config.Config, va
 				actionsLog.Warn("Could not decrypt login:" + err.Error())
 				continue
 			}
+		} else {
+			decryptedPassword = []byte{}
 		}
 
 		if !login.Login.Totp.IsNull() {
@@ -153,6 +159,8 @@ func handleListLoginsRequest(request messages.IPCMessage, cfg *config.Config, va
 				actionsLog.Warn("Could not decrypt login:" + err.Error())
 				continue
 			}
+		} else {
+			decryptedTotp = []byte{}
 		}
 
 		if !login.Login.URI.IsNull() {
@@ -161,6 +169,8 @@ func handleListLoginsRequest(request messages.IPCMessage, cfg *config.Config, va
 				actionsLog.Warn("Could not decrypt login:" + err.Error())
 				continue
 			}
+		} else {
+			decryptedURL = []byte{}
 		}
 
 		decryptedLoginCiphers = append(decryptedLoginCiphers, messages.DecryptedLoginCipher{

agent/ssh/ssh.go

@@ -130,14 +130,23 @@ func (vaultAgent vaultAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signatur
 		message = fmt.Sprintf(requestTemplate, vaultAgent.context.UserName, sshKey.Name)
 	}
 
-	if approved, err := pinentry.GetApproval("SSH Key Signing Request", message); err != nil || !approved {
-		log.Info("Sign Request for key: %s denied", sshKey.Name)
-		return nil, errors.New("Approval not given")
-	}
+	// todo refactor
+	if !systemauth.GetSSHSession(vaultAgent.context) {
+		if approved, err := pinentry.GetApproval("SSH Key Signing Request", message); err != nil || !approved {
+			log.Info("Sign Request for key: %s denied", sshKey.Name)
+			return nil, errors.New("Approval not given")
+		}
 
-	if permission, err := systemauth.GetPermission(systemauth.SSHKey, vaultAgent.context, vaultAgent.config); err != nil || !permission {
-		log.Info("Sign Request for key: %s denied", key.Marshal())
-		return nil, errors.New("Biometrics not checked")
+		if !systemauth.VerifyPinSession(vaultAgent.context) {
+			if permission, err := systemauth.GetPermission(systemauth.SSHKey, vaultAgent.context, vaultAgent.config); err != nil || !permission {
+				log.Info("Sign Request for key: %s denied", key.Marshal())
+				return nil, errors.New("Biometrics not checked")
+			}
+		}
+
+		systemauth.CreateSSHSession(vaultAgent.context)
+	} else {
+		log.Info("Using cached session approval")
 	}
 
 	var rand = rand.Reader

agent/systemauth/systemauth.go

@@ -22,7 +22,7 @@ type SessionType string
 const (
 	AccessVault SessionType = "com.quexten.goldwarden.accessvault"
 	SSHKey      SessionType = "com.quexten.goldwarden.usesshkey"
-	Pin         SessionType = "com.quexten.goldwarden.pin" // this counts as all other permissions
+	Pin         SessionType = "com.quexten.goldwarden.pin"
 )
 
 var sessionStore = SessionStore{
@@ -55,7 +55,7 @@ func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int,
 
 func (s *SessionStore) verifySession(ctx sockets.CallingContext, sessionType SessionType) bool {
 	for _, session := range s.Store {
-		if session.ParentPid == ctx.ParentProcessPid && session.GrandParentPid == ctx.GrandParentProcessPid && (session.sessionType == sessionType || session.sessionType == Pin) {
+		if session.ParentPid == ctx.ParentProcessPid && session.GrandParentPid == ctx.GrandParentProcessPid && session.sessionType == sessionType {
 			if session.Expires.After(time.Now()) {
 				return true
 			}
@@ -136,3 +136,15 @@ func CreatePinSession(ctx sockets.CallingContext, ttl time.Duration) Session {
 func VerifyPinSession(ctx sockets.CallingContext) bool {
 	return sessionStore.verifySession(ctx, Pin)
 }
+
+func CreateSSHSession(ctx sockets.CallingContext) Session {
+	return sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, SSHKey, SSHTTL)
+}
+
+func GetSSHSession(ctx sockets.CallingContext) bool {
+	return sessionStore.verifySession(ctx, SSHKey)
+}
+
+func WipeSessions() {
+	sessionStore.Store = []Session{}
+}

agent/unixsocketagent.go

@@ -375,6 +375,7 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
 			cfg.Lock()
 			vault.Clear()
 			vault.Keyring.Lock()
+			systemauth.WipeSessions()
 		})
 		if err != nil {
 			log.Warn("Could not monitor screensaver: %s", err.Error())
@@ -385,6 +386,7 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
 			cfg.Lock()
 			vault.Clear()
 			vault.Keyring.Lock()
+			systemauth.WipeSessions()
 		})
 		if err != nil {
 			log.Warn("Could not monitor idle: %s", err.Error())

gui/__init__.py

@@ -0,0 +1 @@
+

gui/src/gui/quickaccess.py

@@ -1,6 +1,7 @@
 import gi
 gi.require_version('Gtk', '4.0')
 gi.require_version('Adw', '1')
+gi.require_version('Notify', '0.7')
 import gc
 import time
 from gi.repository import Gtk, Adw, GLib, Notify, Gdk
@@ -161,4 +162,4 @@ class MainWindow(Gtk.ApplicationWindow):
         self.set_title("Goldwarden Quick Access")
 
 app = MyApp(application_id="com.quexten.Goldwarden.autofill-menu")
-app.run(sys.argv)
+app.run(sys.argv)