Fix flatpak permissions

quexten · Dec 26, 2023 · 5829f1a · 5829f1a
1 parent e675703
commit 5829f1a
Show file tree

Hide file tree

Showing 8 changed files with 142 additions and 55 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -1,6 +1,3 @@
-# This workflow will build a golang project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
-
 name: Go
 
 on:
@@ -9,60 +6,87 @@ on:
   pull_request:
     branches: [ "main" ]
 
+env:
+  GO_VERSION: '1.20'
+
 jobs:
-  linux:
+  build_linux_x86_64:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
     - name: Set up Go
       uses: actions/setup-go@v4
       with:
-        go-version: '1.20'
+        go-version: ${{ env.GO_VERSION }}
     - name: Install libfido2-dev
       run: sudo apt-get install -y libfido2-dev
-    - name: Install gio dependencies
-      run: sudo apt-get install -y gcc pkg-config
-    - name: Build 
-      run: go build -v .
-    - name: Test
-      run: go test -v .
+    - name: Build
+      run: go build -o goldwarden_linux_x86_64 -v .
     - uses: actions/upload-artifact@v3
       with:
-        name: goldwarden-linux
-        path: ./goldwarden
+        name: goldwarden_linux_x86_64
+        path: ./goldwarden_linux_x86_64
 
-  macos:
+  build_linux_arm64:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+    - name: Install libfido2-dev
+      run: sudo apt-get install -y libfido2-dev
+    - name: Build
+      run: GOARCH=arm64 go build -tags nofido2 -o goldwarden_linux_arm64 -v .
+    - uses: actions/upload-artifact@v3
+      with:
+        name: goldwarden_linux_arm64
+        path: ./goldwarden_linux_arm64
+
+  build_linux_x86:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+    - name: Build
+      run: GOARCH=386 go build -tags nofido2 -o goldwarden_linux_x86 -v .
+    - uses: actions/upload-artifact@v3
+      with:
+        name: goldwarden_linux_x86
+        path: ./goldwarden_linux_x86
+
+  build_macos_x86_64:
     runs-on: macos-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v1
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
       - name: Build 
-        run: go build -tags "nofido2" -v .
-      - name: Test
-        run: go test -tags "nofido2" -v .
+        run: go build -tags "nofido2" -o "goldwarden_macos_x86_64" -v .
       - uses: actions/upload-artifact@v3
         with:
-          name: goldwarden-macos
-          path: ./goldwarden
-
-  windows:
+          name: goldwarden-macos_x86_64
+          path: ./goldwarden_macos_x86_64
+    
+  build_windows_x86_64:
     runs-on: windows-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v1
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: ${{ env.GO_VERSION }}
       - name: Build 
-        run: go build -tags "nofido2" -v .
-      - name: Test
-        run: go test -tags "nofido2" -v .
+        run: go build -tags "nofido2" -o "goldwarden_windows_x86_64.exe" -v .
       - uses: actions/upload-artifact@v3
         with:
-          name: goldwarden-windows.exe
-          path: ./goldwarden.exe
+          name: goldwarden-windows_x86_64.exe
+          path: ./goldwarden_windows_x86_64.exe
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ permissions:
     contents: write
     packages: write
 
+env:
+  GO_VERSION: '1.20'
+
 jobs:
   build_linux:
     runs-on: ubuntu-latest
@@ -15,19 +18,14 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v4
       with:
-        go-version: '1.20'
-
+        go-version: ${{ env.GO_VERSION }}
     - name: Install libfido2-dev
       run: sudo apt-get install -y libfido2-dev
-    - name: Build with All features
+    - name: Build
       run: go build -o goldwarden_linux_x86_64 -v .
-    - name: Build minimal x86 featureset
-      run: GOARCH=386 go build -tags nofido2 -o goldwarden_linux_x86 -v .
-    - name: Build minimal arm64 featureset
-      run: GOARCH=arm64 go build -tags nofido2 -o goldwarden_linux_arm64 -v .
     - uses: AButler/[email protected]
       with:
-        files: './goldwarden_linux_x86_64;./goldwarden_linux_x86;./goldwarden_linux_arm64'
+        files: './goldwarden_linux_x86_64'
         repo-token: ${{ secrets.GITHUB_TOKEN }}
     - name: Validate ArchLinux PKGBUILD
       uses: hapakaien/archlinux-package-action@v2
@@ -46,7 +44,6 @@ jobs:
         ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
         commit_message: Update AUR package from GitHub Actions automation
         ssh_keyscan_types: ed25519
-
     - name: Move binaries to directories
       run: |
         mkdir -p .debpkg/usr/bin
@@ -57,7 +54,6 @@ jobs:
         mkdir -p .rpmpkg/usr/share/polkit-1/actions/
         cp -p resources/com.quexten.goldwarden.policy .debpkg/usr/share/polkit-1/actions/
         cp -p resources/com.quexten.goldwarden.policy .rpmpkg/usr/share/polkit-1/actions/
-
     - uses: jiro4989/build-deb-action@v3
       with:
         package: goldwarden
@@ -70,7 +66,6 @@ jobs:
       with:
         files: './*.deb'
         repo-token: ${{ secrets.GITHUB_TOKEN }}
-
     - uses: jiro4989/build-rpm-action@v2
       with:
         summary: 'Goldwarden'
@@ -88,6 +83,37 @@ jobs:
         files: './*.rpm'
         repo-token: ${{ secrets.GITHUB_TOKEN }}
 
+  build_linux_arm64:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+    - name: Build
+      run: GOARCH=arm64 go build -tags nofido2 -o goldwarden_linux_arm64 -v .
+    - uses: AButler/[email protected]
+      with:
+        files: './goldwarden_linux_arm64'
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+  build_linux_x86:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: ${{ env.GO_VERSION }}
+    - name: Build
+      run: GOARCH=386 go build -tags nofido2 -o goldwarden_linux_x86 -v .
+    - uses: AButler/[email protected]
+      with:
+        files: './goldwarden_linux_x86'
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+
   build_macos_x86_64:
     runs-on: macos-latest
     steps:

diff --git a/agent/systemauth/biometrics/polkit.go b/agent/systemauth/biometrics/polkit.go
@@ -63,7 +63,19 @@ func CheckBiometrics(approvalType Approval) bool {
 
 	if err != nil {
 		log.Error("Failed to create polkit authority: %s", err.Error())
-		return false
+		log.Info("Falling back to pkexec permissions")
+		result, err = authority.CheckAuthorization(
+			"org.freedesktop.policykit.exec",
+			nil,
+			uint32(polkit.AuthenticationRequiredRetained), "",
+		)
+		if err != nil {
+			log.Error("Failed to create polkit authority: %s", err.Error())
+			return false
+		}
+
+		log.Info("Biometrics result: %t", result.IsAuthorized)
+		return result.IsAuthorized
 	}
 
 	log.Info("Biometrics result: %t", result.IsAuthorized)
@@ -100,5 +112,13 @@ func BiometricsWorking() bool {
 		}
 	}
 
+	testFor = "org.freedesktop.policykit.exec"
+	for _, action := range result {
+		if Approval(action.ActionID) == testFor {
+			log.Warn("Only pkexec permissions found, consider installing polkit policies")
+			return true
+		}
+	}
+
 	return false
 }
diff --git a/com.quexten.Goldwarden.yml b/com.quexten.Goldwarden.yml
@@ -4,16 +4,25 @@ runtime-version: '45'
 sdk: org.gnome.Sdk
 command: main.py
 finish-args:
-  - --share=ipc
+  # Allow network access for sync
   - --share=network
+
+  # GUI
+  - --share=ipc
   - --socket=wayland
   - --socket=fallback-x11
   - --device=dri
-  # - --filesystem=home
-  - --filesystem=host
-  # polkit & locking.. should filter this later on
-  - --socket=session-bus
-  - --socket=system-bus
+
+  # Lock on screensave
+  - --talk-name=org.gnome.ScreenSaver
+  - --talk-name=org.freedesktop.ScreenSaver
+
+  # Home directory access to setup browser ipc
+  - --filesystem=home
+  # pinentry & approval
+  - --talk-name=org.gnome.keyring.SystemPrompter
+  # biometric / user password auth
+  - --system-talk-name=org.freedesktop.PolicyKit1
 modules:
   - name: goldwarden
     buildsystem: simple

diff --git a/ui/autofill.py b/ui/autofill.py
@@ -104,5 +104,5 @@ def do_autotype(username, password):
         self.set_default_size(700, 700)
         self.set_title("Goldwarden")
 
-app = MyApp(application_id="com.quexten.Goldwarden.autofill")
+app = MyApp(application_id="com.quexten.Goldwarden.autofill-menu")
 app.run(sys.argv)
diff --git a/ui/main.py b/ui/main.py
@@ -30,8 +30,14 @@ def run_daemon():
     # todo: do a proper check
     if is_hidden:
         time.sleep(20)
+    print("IS daemon running", goldwarden.is_daemon_running())
     if not goldwarden.is_daemon_running():
+        print("running daemon")
         goldwarden.run_daemon()
+        print("daemon running")
+
+thread = Thread(target=run_daemon)
+thread.start()
 
 def on_autofill():
     subprocess.Popen(["python3", "/app/bin/autofill.py"], start_new_session=True)

diff --git a/ui/monitors/dbus_autofill_monitor.py b/ui/monitors/dbus_autofill_monitor.py
@@ -6,22 +6,21 @@
 import dbus.service
 from dbus.mainloop.glib import DBusGMainLoop
 from threading import Thread
-import gi.repository.GLib
 
 on_autofill = lambda: None
 
 class GoldwardenDBUSService(dbus.service.Object):
     def __init__(self):
-        bus_name = dbus.service.BusName('com.quexten.goldwarden', bus=dbus.SessionBus())
-        dbus.service.Object.__init__(self, bus_name, '/com/quexten/goldwarden')
+        bus_name = dbus.service.BusName('com.quexten.Goldwarden.autofill', bus=dbus.SessionBus())
+        dbus.service.Object.__init__(self, bus_name, '/com/quexten/Goldwarden')
 
-    @dbus.service.method('com.quexten.goldwarden.Autofill')
+    @dbus.service.method('com.quexten.Goldwarden.Autofill')
     def autofill(self):
         on_autofill()
         return ""
 
 def run_daemon():
-    mainloop = DBusGMainLoop(set_as_default=True)
+    DBusGMainLoop(set_as_default=True)
     service = GoldwardenDBUSService()
-    mloop = gi.repository.GLib.MainLoop()
-    mloop.run()
+    from gi.repository import GLib, GObject as gobject
+    gobject.MainLoop().run()
diff --git a/ui/settings.py b/ui/settings.py
@@ -9,10 +9,13 @@
 import goldwarden
 from threading import Thread
 
+hidden = False
+
 class SettingsWinvdow(Gtk.ApplicationWindow):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
+        print("init settings window")
         self.stack = Gtk.Stack()
         self.stack.set_transition_type(Gtk.StackTransitionType.SLIDE_LEFT_RIGHT)
         self.set_child(self.stack)
@@ -156,7 +159,6 @@ def on_activate(self, app):
         self.settings_win = SettingsWinvdow(application=app)
         self.settings_win.present()
 
-app = MyApp(application_id="com.quexten.Goldwarden")
 
 def show_login():
     dialog = Gtk.Dialog(title="Goldwarden")
@@ -218,4 +220,5 @@ def handle_res():
     dialog.set_modal(True)
     dialog.present()
 
+app = MyApp(application_id="com.quexten.Goldwarden.settings")
 app.run(sys.argv)