From 5829f1a797e4616f74d00f06b2408fd7bfbef6be Mon Sep 17 00:00:00 2001 From: Bernd Schoolmann Date: Tue, 26 Dec 2023 20:49:47 +0100 Subject: [PATCH] Fix flatpak permissions --- .github/workflows/go.yml | 80 +++++++++++++++++---------- .github/workflows/release.yml | 48 ++++++++++++---- agent/systemauth/biometrics/polkit.go | 22 +++++++- com.quexten.Goldwarden.yml | 21 +++++-- ui/autofill.py | 2 +- ui/main.py | 6 ++ ui/monitors/dbus_autofill_monitor.py | 13 ++--- ui/settings.py | 5 +- 8 files changed, 142 insertions(+), 55 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 55a9df8..cf8b2ee 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -1,6 +1,3 @@ -# This workflow will build a golang project -# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go - name: Go on: 
@@ -9,29 +6,60 @@ on: pull_request: branches: [ "main" ] +env: + GO_VERSION: '1.20' + jobs: - linux: + build_linux_x86_64: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Set up Go uses: actions/setup-go@v4 with: - go-version: '1.20' + go-version: ${{ env.GO_VERSION }} - name: Install libfido2-dev run: sudo apt-get install -y libfido2-dev - - name: Install gio dependencies - run: sudo apt-get install -y gcc pkg-config - - name: Build - run: go build -v . - - name: Test - run: go test -v . + - name: Build + run: go build -o goldwarden_linux_x86_64 -v . - uses: actions/upload-artifact@v3 with: - name: goldwarden-linux - path: ./goldwarden + name: goldwarden_linux_x86_64 + path: ./goldwarden_linux_x86_64 - macos: + build_linux_arm64: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: ${{ env.GO_VERSION }} + - name: Install libfido2-dev + run: sudo apt-get install -y libfido2-dev + - name: Build + run: GOARCH=arm64 go build -tags nofido2 -o goldwarden_linux_arm64 -v . + - uses: actions/upload-artifact@v3 + with: + name: goldwarden_linux_arm64 + path: ./goldwarden_linux_arm64 + + build_linux_x86: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: ${{ env.GO_VERSION }} + - name: Build + run: GOARCH=386 go build -tags nofido2 -o goldwarden_linux_x86 -v . + - uses: actions/upload-artifact@v3 + with: + name: goldwarden_linux_x86 + path: ./goldwarden_linux_x86 + + build_macos_x86_64: runs-on: macos-latest steps: - name: Checkout 
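Review bot: CI no longer runs the test suite: the `- name: Test` / `run: go test -v .` step is deleted from the linux job and none of the new `build_linux_arm64` / `build_linux_x86` jobs re-add it, so a regression in security-sensitive code such as the polkit checks this same commit changes would pass CI unnoticed. Keep a test step in at least the x86_64 job, `- name: Test` / `run: go test -v ./...`, before the build and upload steps. While every `uses:` line is being touched, consider pinning the actions to a commit SHA instead of the mutable `@v3`/`@v4` tags, so a moved tag cannot change what runs in the build.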
@@ -39,17 +67,15 @@ jobs: - name: Set up Go uses: actions/setup-go@v4 with: - go-version: '1.20' + go-version: ${{ env.GO_VERSION }} - name: Build - run: go build -tags "nofido2" -v . - - name: Test - run: go test -tags "nofido2" -v . + run: go build -tags "nofido2" -o "goldwarden_macos_x86_64" -v . - uses: actions/upload-artifact@v3 with: - name: goldwarden-macos - path: ./goldwarden - - windows: + name: goldwarden-macos_x86_64 + path: ./goldwarden_macos_x86_64 + + build_windows_x86_64: runs-on: windows-latest steps: - name: Checkout @@ -57,12 +83,10 @@ jobs: - name: Set up Go uses: actions/setup-go@v4 with: - go-version: '1.20' + go-version: ${{ env.GO_VERSION }} - name: Build - run: go build -tags "nofido2" -v . - - name: Test - run: go test -tags "nofido2" -v . + run: go build -tags "nofido2" -o "goldwarden_windows_x86_64.exe" -v . - uses: actions/upload-artifact@v3 with: - name: goldwarden-windows.exe - path: ./goldwarden.exe + name: goldwarden-windows_x86_64.exe + path: ./goldwarden_windows_x86_64.exe diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2efe293..d66f9cc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,9 @@ permissions: contents: write packages: write +env: + GO_VERSION: '1.20' + jobs: build_linux: runs-on: ubuntu-latest 
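Review bot: `GO_VERSION: '1.20'` hard-pins the release toolchain to a minor branch near the end of its upstream support window, and nothing in the workflow asks setup-go to refresh it, so patch releases (which carry Go security fixes) are presumably only picked up when the action's cached toolchain list happens to update. Since the version now lives in one place, consider `go-version-file: go.mod` together with `check-latest: true` on the setup-go steps, so the release build tracks the module's declared toolchain and its latest patch. The same `'1.20'` constant is introduced in `go.yml` above and should follow whichever choice is made here.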
@@ -15,19 +18,14 @@ jobs: - name: Set up Go uses: actions/setup-go@v4 with: - go-version: '1.20' - + go-version: ${{ env.GO_VERSION }} - name: Install libfido2-dev run: sudo apt-get install -y libfido2-dev - - name: Build with All features + - name: Build run: go build -o goldwarden_linux_x86_64 -v . - - name: Build minimal x86 featureset - run: GOARCH=386 go build -tags nofido2 -o goldwarden_linux_x86 -v . - - name: Build minimal arm64 featureset - run: GOARCH=arm64 go build -tags nofido2 -o goldwarden_linux_arm64 -v . - uses: AButler/upload-release-assets@v2.0 with: - files: './goldwarden_linux_x86_64;./goldwarden_linux_x86;./goldwarden_linux_arm64' + files: './goldwarden_linux_x86_64' repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Validate ArchLinux PKGBUILD uses: hapakaien/archlinux-package-action@v2 @@ -46,7 +44,6 @@ jobs: ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }} commit_message: Update AUR package from GitHub Actions automation ssh_keyscan_types: ed25519 - - name: Move binaries to directories run: | mkdir -p .debpkg/usr/bin @@ -57,7 +54,6 @@ jobs: mkdir -p .rpmpkg/usr/share/polkit-1/actions/ cp -p resources/com.quexten.goldwarden.policy .debpkg/usr/share/polkit-1/actions/ cp -p resources/com.quexten.goldwarden.policy .rpmpkg/usr/share/polkit-1/actions/ - - uses: jiro4989/build-deb-action@v3 with: package: goldwarden @@ -70,7 +66,6 @@ jobs: with: files: './*.deb' repo-token: ${{ secrets.GITHUB_TOKEN }} - - uses: jiro4989/build-rpm-action@v2 with: summary: 'Goldwarden' 
@@ -88,6 +83,37 @@ jobs: files: './*.rpm' repo-token: ${{ secrets.GITHUB_TOKEN }} + build_linux_arm64: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: ${{ env.GO_VERSION }} + - name: Build + run: GOARCH=arm64 go build -tags nofido2 -o goldwarden_linux_arm64 -v . + - uses: AButler/upload-release-assets@v2.0 + with: + files: './goldwarden_linux_arm64' + repo-token: ${{ secrets.GITHUB_TOKEN }} + + build_linux_x86: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: ${{ env.GO_VERSION }} + - name: Build + run: GOARCH=386 go build -tags nofido2 -o goldwarden_linux_x86 -v . + - uses: AButler/upload-release-assets@v2.0 + with: + files: './goldwarden_linux_x86' + repo-token: ${{ secrets.GITHUB_TOKEN }} + build_macos_x86_64: runs-on: macos-latest steps:
diff --git a/agent/systemauth/biometrics/polkit.go b/agent/systemauth/biometrics/polkit.go
index 7a08647..c22ade2 100644
--- a/agent/systemauth/biometrics/polkit.go
+++ b/agent/systemauth/biometrics/polkit.go
@@ -63,7 +63,19 @@ func CheckBiometrics(approvalType Approval) bool {
 if err != nil {
 log.Error("Failed to create polkit authority: %s", err.Error())
- return false
+ log.Info("Falling back to pkexec permissions")
+ result, err = authority.CheckAuthorization(
+ "org.freedesktop.policykit.exec",
+ nil,
+ uint32(polkit.AuthenticationRequiredRetained), "",
+ )
+ if err != nil {
+ log.Error("Failed to create polkit authority: %s", err.Error())
+ return false
+ }
+
+ log.Info("Biometrics result: %t", result.IsAuthorized)
+ return result.IsAuthorized
 }
 log.Info("Biometrics result: %t", result.IsAuthorized)
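Review bot: The new `build_linux_arm64` and `build_linux_x86` jobs upload raw binaries straight from the build with nothing a downstream consumer can verify — no checksum file and no signature accompanies `files: './goldwarden_linux_arm64'`. A minimal fix is to emit a digest next to each binary, `- run: sha256sum goldwarden_linux_arm64 > goldwarden_linux_arm64.sha256`, and add it to `files:`; signing the release assets (cosign or minisign, or at least a signed checksums file) is the appropriate bar for a password-manager binary. The two jobs are also near-identical copies, so a single job with `strategy: matrix: goarch: [arm64, "386"]` would keep them from drifting apart.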
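Review bot: The fallback to `org.freedesktop.policykit.exec` is taken on any error from the first `CheckAuthorization`, not only when Goldwarden's own action is unregistered, so a transient D-Bus failure silently swaps the dedicated, Goldwarden-specific approval for pkexec's shared action — whose prompt talks about running a program as another user and whose policy is whatever the distro or admin set for pkexec (typically `auth_admin`, so a non-admin user can never approve). Decide this once, by checking whether the Goldwarden actions are present via the same `EnumerateActions` result that `BiometricsWorking` inspects, route through the exec action only in that case, and keep treating other errors as a denial as the removed `return false` did. The log line copied into the new branch is wrong — the authority already exists here and it is the authorization check that failed — e.g. `log.Error("CheckAuthorization for %s failed: %s", approvalType, err.Error())`, and the downgrade itself deserves `log.Warn` rather than `log.Info`. If the polkit version in use honours the `polkit.message` detail, passing it instead of `nil` would at least make the prompt say what is being approved. CheckBiometrics begins before this hunk; the authority creation and the first `CheckAuthorization` call are outside it.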
@@ -100,5 +112,13 @@ func BiometricsWorking() bool {
 }
 }
+ testFor = "org.freedesktop.policykit.exec"
+ for _, action := range result {
+ if Approval(action.ActionID) == testFor {
+ log.Warn("Only pkexec permissions found, consider installing polkit policies")
+ return true
+ }
+ }
+
 return false
 }
diff --git a/com.quexten.Goldwarden.yml b/com.quexten.Goldwarden.yml
index 8428318..86ff204 100644
--- a/com.quexten.Goldwarden.yml
+++ b/com.quexten.Goldwarden.yml
@@ -4,16 +4,25 @@ runtime-version: '45' sdk: org.gnome.Sdk command: main.py finish-args: - - --share=ipc + # Allow network access for sync - --share=network + + # GUI + - --share=ipc + - --socket=wayland + - --socket=fallback-x11 + - --device=dri - # - --filesystem=home - - --filesystem=host - # polkit & locking.. should filter this later on - - --socket=session-bus - - --socket=system-bus + + # Lock on screensave + - --talk-name=org.gnome.ScreenSaver + - --talk-name=org.freedesktop.ScreenSaver + + # Home directory access to setup browser ipc + - --filesystem=home + # pinentry & approval + - --talk-name=org.gnome.keyring.SystemPrompter + # biometric / user password auth + - --system-talk-name=org.freedesktop.PolicyKit1 modules: - name: goldwarden buildsystem: simple
diff --git a/ui/autofill.py b/ui/autofill.py
index 4836769..daded3a 100644
--- a/ui/autofill.py
+++ b/ui/autofill.py
@@ -104,5 +104,5 @@ def do_autotype(username, password):
 self.set_default_size(700, 700)
 self.set_title("Goldwarden")
-app = MyApp(application_id="com.quexten.Goldwarden.autofill")
+app = MyApp(application_id="com.quexten.Goldwarden.autofill-menu")
 app.run(sys.argv)
\ No newline at end of file
diff --git a/ui/main.py b/ui/main.py
index 5265b9c..b5742dd 100644
--- a/ui/main.py
+++ b/ui/main.py
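Review bot: With the new loop, `BiometricsWorking()` answers true whenever `org.freedesktop.policykit.exec` is registered, and that action is shipped by polkit itself, so on any host with a reachable polkit authority the function now reports "working" even when no Goldwarden policy is installed and approval will go through pkexec's generic admin-auth action. Callers gating features on this name presumably expect the dedicated policies; either make the result say which mode is available, or record the outcome in a package-level flag that `CheckBiometrics` consults, so the pkexec path is chosen deterministically rather than reached through an error branch. `log.Warn("Only pkexec permissions found, ...")` fires on every call; emit it once when the mode is determined. The function starts before this hunk — the earlier `testFor` loop over `result` is outside it.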
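Review bot: `--filesystem=home` hands a password manager's sandbox read/write access to the whole home directory (SSH keys, browser profiles, dotfiles) when the stated purpose is only to register the browser native-messaging host. Scope it to the directories that purpose needs, e.g. `--filesystem=~/.mozilla/native-messaging-hosts:create`, `--filesystem=xdg-config/google-chrome/NativeMessagingHosts:create`, `--filesystem=xdg-config/chromium/NativeMessagingHosts:create`, adding others only as they are needed. Separately, if the agent identifies itself to polkit with a unix-process subject, note that polkit resolves that pid on the host while the flatpak runs in its own PID namespace — verify from inside the sandbox that the `--system-talk-name=org.freedesktop.PolicyKit1` check authorizes the intended process rather than erroring out into the pkexec fallback.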
@@ -30,8 +30,14 @@ def run_daemon():
 # todo: do a proper check
 if is_hidden:
 time.sleep(20)
+ print("IS daemon running", goldwarden.is_daemon_running())
 if not goldwarden.is_daemon_running():
+ print("running daemon")
 goldwarden.run_daemon()
+ print("daemon running")
+
+thread = Thread(target=run_daemon)
+thread.start()
 def on_autofill():
 subprocess.Popen(["python3", "/app/bin/autofill.py"], start_new_session=True)
diff --git a/ui/monitors/dbus_autofill_monitor.py b/ui/monitors/dbus_autofill_monitor.py
index 5737164..e7a29a3 100644
--- a/ui/monitors/dbus_autofill_monitor.py
+++ b/ui/monitors/dbus_autofill_monitor.py
@@ -6,22 +6,21 @@ import dbus.service
 from dbus.mainloop.glib import DBusGMainLoop
 from threading import Thread
-import gi.repository.GLib
 on_autofill = lambda: None
 class GoldwardenDBUSService(dbus.service.Object):
 def __init__(self):
- bus_name = dbus.service.BusName('com.quexten.goldwarden', bus=dbus.SessionBus())
- dbus.service.Object.__init__(self, bus_name, '/com/quexten/goldwarden')
+ bus_name = dbus.service.BusName('com.quexten.Goldwarden.autofill', bus=dbus.SessionBus())
+ dbus.service.Object.__init__(self, bus_name, '/com/quexten/Goldwarden')
- @dbus.service.method('com.quexten.goldwarden.Autofill')
+ @dbus.service.method('com.quexten.Goldwarden.Autofill')
 def autofill(self):
 on_autofill()
 return ""
 def run_daemon():
- mainloop = DBusGMainLoop(set_as_default=True)
+ DBusGMainLoop(set_as_default=True)
 service = GoldwardenDBUSService()
- mloop = gi.repository.GLib.MainLoop()
- mloop.run()
\ No newline at end of file
+ from gi.repository import GLib, GObject as gobject
+ gobject.MainLoop().run()
diff --git a/ui/settings.py b/ui/settings.py
index 343ccab..98d3f44 100644
--- a/ui/settings.py
+++ b/ui/settings.py
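Review bot: Leftover debugging output — `print("IS daemon running", ...)`, `print("running daemon")`, `print("daemon running")` — lands on the console or journal of a password-manager UI; drop it or route it through `logging`. `thread = Thread(target=run_daemon)` plus `thread.start()` now starts a non-daemon thread as a side effect of running the module, which keeps the process alive until `run_daemon` returns; if hosting the daemon for the lifetime of the UI is the intent, say so in a comment, otherwise use `Thread(target=run_daemon, daemon=True).start()` or start it from the application's startup handler. The `# todo: do a proper check` above the sleep still applies: `is_daemon_running()` followed by `run_daemon()` is a check-then-act sequence, presumably benign here but worth noting. `run_daemon` begins before this hunk.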
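Review bot: `gobject.MainLoop()` goes through PyGObject's deprecated `GObject` alias; the removed lines already used the supported `GLib.MainLoop()`, and `GLib` is imported here but never used, so a module-level `from gi.repository import GLib` with `GLib.MainLoop().run()` in `run_daemon` is the cleaner form. The exported `autofill` method on `com.quexten.Goldwarden.Autofill` remains callable by any peer on the session bus with no sender check, so any process in the session can trigger `on_autofill()`; if the agent side does not itself require user approval before credentials are typed, this is a trust boundary worth a comment and, at minimum, logging the caller via `sender_keyword='sender'` on the method decorator. The move to a `com.quexten.Goldwarden.*` subname is presumably what lets the flatpak own the bus name without an explicit `--own-name`; a one-line comment saying so would save the next reader a trip to the manifest.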
@@ -9,10 +9,13 @@ import goldwarden
 from threading import Thread
+hidden = False
+
 class SettingsWinvdow(Gtk.ApplicationWindow):
 def __init__(self, *args, **kwargs):
 super().__init__(*args, **kwargs)
+ print("init settings window")
 self.stack = Gtk.Stack()
 self.stack.set_transition_type(Gtk.StackTransitionType.SLIDE_LEFT_RIGHT)
 self.set_child(self.stack)
@@ -156,7 +159,6 @@ def on_activate(self, app):
 self.settings_win = SettingsWinvdow(application=app)
 self.settings_win.present()
-app = MyApp(application_id="com.quexten.Goldwarden")
 def show_login():
 dialog = Gtk.Dialog(title="Goldwarden")
@@ -218,4 +220,5 @@ def handle_res():
 dialog.set_modal(True)
 dialog.present()
+app = MyApp(application_id="com.quexten.Goldwarden.settings")
 app.run(sys.argv)
\ No newline at end of file
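Review bot: `print("init settings window")` is leftover debugging output; drop it or use `logging`. `hidden = False` is added as a module global but nothing in this hunk reads or writes it — if another module (main.py is touched by this same commit) is meant to set it, say so with a comment such as `# set by main.py when the window is launched hidden — confirm`, otherwise remove it. `app = MyApp(application_id="com.quexten.Goldwarden.settings")` still runs at import time; putting it and `app.run(sys.argv)` under `if __name__ == "__main__":` would make the module importable without side effects, and the `SettingsWinvdow` class name in context is misspelled and worth fixing while here.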