Merge pull request #100 from quexten/feature/authenticated-connection

Authenticated Session & External Pinentry
quexten · Feb 9, 2024 · 52156f8 · 52156f8
2 parents 4a3e8ca + 2e42a79
commit 52156f8
Show file tree

Hide file tree

Showing 55 changed files with 1,137 additions and 483 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,4 +3,5 @@ goldwarden
 __pycache__
 .flatpak-builder
 flatpak-pip-generator
-repo
+repo
+__debug*
diff --git a/agent/actions/logins.go b/agent/actions/logins.go
@@ -97,16 +97,16 @@ func handleGetLoginCipher(request messages.IPCMessage, cfg *config.Config, vault
 }
 
 func handleListLoginsRequest(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (response messages.IPCMessage, err error) {
-	if approved, err := pinentry.GetApproval("Access Vault", fmt.Sprintf("%s on %s>%s>%s is trying access ALL CREDENTIALS", ctx.UserName, ctx.GrandParentProcessName, ctx.ParentProcessName, ctx.ProcessName)); err != nil || !approved {
-		response, err = messages.IPCMessageFromPayload(messages.ActionResponse{
-			Success: false,
-			Message: "not approved",
-		})
-		if err != nil {
-			return messages.IPCMessage{}, err
-		}
-		return response, nil
-	}
+	// if approved, err := pinentry.GetApproval("Access Vault", fmt.Sprintf("%s on %s>%s>%s is trying access ALL CREDENTIALS", ctx.UserName, ctx.GrandParentProcessName, ctx.ParentProcessName, ctx.ProcessName)); err != nil || !approved {
+	// 	response, err = messages.IPCMessageFromPayload(messages.ActionResponse{
+	// 		Success: false,
+	// 		Message: "not approved",
+	// 	})
+	// 	if err != nil {
+	// 		return messages.IPCMessage{}, err
+	// 	}
+	// 	return response, nil
+	// }
 
 	logins := vault.GetLogins()
 	decryptedLoginCiphers := make([]messages.DecryptedLoginCipher, 0)

diff --git a/agent/bitwarden/http.go b/agent/bitwarden/http.go
@@ -10,7 +10,6 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/url"
-	"os"
 	"strings"
 	"time"
 )
@@ -114,7 +113,7 @@ func makeAuthenticatedHTTPRequest(ctx context.Context, req *http.Request, recv i
 		return &errStatusCode{res.StatusCode, body}
 	}
 	if err := json.Unmarshal(body, recv); err != nil {
-		fmt.Fprintln(os.Stderr, string(body))
+		fmt.Println(string(body))
 		return err
 	}
 	return nil

diff --git a/agent/config/config.go b/agent/config/config.go
@@ -49,6 +49,7 @@ type RuntimeConfig struct {
 	UseMemguard           bool
 	SSHAgentSocketPath    string
 	GoldwardenSocketPath  string
+	DaemonAuthToken       string
 }
 
 type ConfigFile struct {

diff --git a/agent/sockets/callingcontext.go b/agent/sockets/callingcontext.go
@@ -17,6 +17,7 @@ type CallingContext struct {
 	ParentProcessPid       int
 	GrandParentProcessPid  int
 	Error                  bool
+	Authenticated          bool
 }
 
 func GetCallingContext(connection net.Conn) CallingContext {
@@ -30,6 +31,7 @@ func GetCallingContext(connection net.Conn) CallingContext {
 		ParentProcessPid:       0,
 		GrandParentProcessPid:  0,
 		Error:                  true,
+		Authenticated:          false,
 	}
 	if err != nil {
 		return errorContext

diff --git a/agent/systemauth/pinentry/go-pinentry.go b/agent/systemauth/pinentry/go-pinentry.go
@@ -8,7 +8,7 @@ import (
 	"github.com/twpayne/go-pinentry"
 )
 
-func GetPassword(title string, description string) (string, error) {
+func getPassword(title string, description string) (string, error) {
 	client, err := pinentry.NewClient(
 		pinentry.WithBinaryNameFromGnuPGAgentConf(),
 		pinentry.WithGPGTTY(),
@@ -38,7 +38,7 @@ func GetPassword(title string, description string) (string, error) {
 	}
 }
 
-func GetApproval(title string, description string) (bool, error) {
+func getApproval(title string, description string) (bool, error) {
 	if systemAuthDisabled {
 		return true, nil
 	}

diff --git a/agent/systemauth/pinentry/keybase-pinentry.go b/agent/systemauth/pinentry/keybase-pinentry.go
@@ -10,7 +10,7 @@ import (
 	pinentry "github.com/quexten/goldwarden/agent/systemauth/pinentry/keybase-pinentry"
 )
 
-func GetPassword(title string, description string) (string, error) {
+func getPassword(title string, description string) (string, error) {
 	pinentryInstance := pinentry.New("", logger.New(""), "")
 	result, err := pinentryInstance.Get(keybase1.SecretEntryArg{
 		Prompt: title,
@@ -28,7 +28,7 @@ func GetPassword(title string, description string) (string, error) {
 	return result.Text, nil
 }
 
-func GetApproval(title string, description string) (bool, error) {
+func getApproval(title string, description string) (bool, error) {
 	pinentryInstance := pinentry.New("", logger.New(""), "")
 	result, err := pinentryInstance.Get(keybase1.SecretEntryArg{
 		Prompt:     title,

diff --git a/agent/systemauth/pinentry/pinentry.go b/agent/systemauth/pinentry/pinentry.go
@@ -1,6 +1,7 @@
 package pinentry
 
 import (
+	"errors"
 	"os"
 
 	"github.com/quexten/goldwarden/logging"
@@ -9,8 +10,52 @@ import (
 var log = logging.GetLogger("Goldwarden", "Pinentry")
 var systemAuthDisabled = false
 
+type Pinentry struct {
+	GetPassword func(title string, description string) (string, error)
+	GetApproval func(title string, description string) (bool, error)
+}
+
+var externalPinentry Pinentry = Pinentry{}
+
 func init() {
 	if os.Getenv("GOLDWARDEN_SYSTEM_AUTH_DISABLED") == "true" {
 		systemAuthDisabled = true
 	}
 }
+
+func SetExternalPinentry(pinentry Pinentry) error {
+	if externalPinentry.GetPassword != nil {
+		return errors.New("External pinentry already set")
+	}
+
+	externalPinentry = pinentry
+	return nil
+}
+
+func GetPassword(title string, description string) (string, error) {
+	password, err := getPassword(title, description)
+	if err == nil {
+		return password, nil
+	}
+
+	if externalPinentry.GetPassword != nil {
+		return externalPinentry.GetPassword(title, description)
+	}
+
+	// return "", errors.New("Not implemented")
+	return password, nil
+}
+
+func GetApproval(title string, description string) (bool, error) {
+	approval, err := getApproval(title, description)
+	if err == nil {
+		return approval, nil
+	}
+
+	if externalPinentry.GetApproval != nil {
+		return externalPinentry.GetApproval(title, description)
+	}
+
+	// return true, errors.New("Not implemented")
+	return approval, nil
+}
diff --git a/agent/systemauth/pinentry/unimplemented.go b/agent/systemauth/pinentry/unimplemented.go
@@ -4,12 +4,12 @@ package pinentry
 
 import "errors"
 
-func GetPassword(title string, description string) (string, error) {
+func getPassword(title string, description string) (string, error) {
 	log.Info("Asking for password is not implemented on this platform")
 	return "", errors.New("Not implemented")
 }
 
-func GetApproval(title string, description string) (bool, error) {
+func getApproval(title string, description string) (bool, error) {
 	log.Info("Asking for approval is not implemented on this platform")
 	return true, errors.New("Not implemented")
 }
diff --git a/agent/systemauth/systemauth.go b/agent/systemauth/systemauth.go
@@ -65,6 +65,10 @@ func (s *SessionStore) verifySession(ctx sockets.CallingContext, sessionType Ses
 
 // with session
 func GetPermission(sessionType SessionType, ctx sockets.CallingContext, config *config.Config) (bool, error) {
+	if ctx.Authenticated {
+		return true, nil
+	}
+
 	log.Info("Checking permission for " + ctx.ProcessName + " with session type " + string(sessionType))
 	var actionDescription = ""
 	biometricsApprovalType := biometrics.AccessVault