goldwarden-vaultwarden-bitw.../agent/config/config.go

package config

import (
	"bytes"
	cryptoSubtle "crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"os"
	"runtime/debug"
	"strings"
	"sync"
	"time"

	"github.com/google/uuid"
	"github.com/quexten/goldwarden/agent/bitwarden/crypto"
	"github.com/quexten/goldwarden/agent/notify"
	"github.com/quexten/goldwarden/agent/pincache"
	"github.com/quexten/goldwarden/agent/systemauth/pinentry"
	"github.com/quexten/goldwarden/agent/vault"
	"github.com/tink-crypto/tink-go/v2/aead/subtle"
	"golang.org/x/crypto/argon2"
	"golang.org/x/crypto/sha3"
)

const (
	KDFIterations     = 2
	KDFMemory         = 2 * 1024 * 1024
	KDFThreads        = 8
	DefaultConfigPath = "~/.config/goldwarden/goldwarden.json"
)

type RuntimeConfig struct {
	AuthMethod           string
	DoNotPersistConfig   bool
	ConfigDirectory      string
	DisableSSHAgent      bool
	WebsocketDisabled    bool
	DeviceUUID           string
	User                 string
	Password             string
	Pin                  string
	UseMemguard          bool
	SSHAgentSocketPath   string
	GoldwardenSocketPath string
	DaemonAuthToken      string
}

type ConfigFile struct {
	IdentityUrl                 string
	ApiUrl                      string
	NotificationsUrl            string
	VaultUrl                    string
	EncryptedClientID           string
	EncryptedClientSecret       string
	DeviceUUID                  string
	ConfigKeyHash               string
	EncryptedToken              string
	EncryptedUserSymmetricKey   string
	EncryptedMasterPasswordHash string
	EncryptedMasterKey          string
	RuntimeConfig               RuntimeConfig `json:"-"`
}

type LoginToken struct {
	AccessToken  string `json:"access_token"`
	ExpiresIn    int    `json:"expires_in"`
	TokenType    string `json:"token_type"`
	RefreshToken string `json:"refresh_token"`
	Key          string `json:"key"`
}

type Config struct {
	useMemguard bool
	key         *LockedBuffer
	ConfigFile  ConfigFile
	mu          sync.Mutex
}

func DefaultConfig(useMemguard bool) Config {
	deviceUUID, _ := uuid.NewUUID()
	keyBuffer := NewBuffer(32, useMemguard)
	return Config{
		useMemguard,
		&keyBuffer,
		ConfigFile{
			IdentityUrl:                 "https://vault.bitwarden.com/identity",
			ApiUrl:                      "https://vault.bitwarden.com/api",
			NotificationsUrl:            "https://notifications.bitwarden.com",
			VaultUrl:                    "https://vault.bitwarden.com",
			EncryptedClientID:           "",
			EncryptedClientSecret:       "",
			DeviceUUID:                  deviceUUID.String(),
			ConfigKeyHash:               "",
			EncryptedToken:              "",
			EncryptedUserSymmetricKey:   "",
			EncryptedMasterPasswordHash: "",
			EncryptedMasterKey:          "",
			RuntimeConfig:               RuntimeConfig{},
		},
		sync.Mutex{},
	}
}

func (c *Config) IsLocked() bool {
	key := (*c.key).Bytes()
	return bytes.Equal(key, make([]byte, 32)) && c.HasPin()
}

func (c *Config) IsLoggedIn() bool {
	return c.ConfigFile.EncryptedMasterPasswordHash != ""
}

func (c *Config) Unlock(password string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()

	if !c.IsLocked() {
		return true
	}

	key := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)
	debug.FreeOSMemory()
	keyHash := sha3.Sum256(key)
	configKeyHash := hex.EncodeToString(keyHash[:])
	if cryptoSubtle.ConstantTimeCompare([]byte(configKeyHash), []byte(c.ConfigFile.ConfigKeyHash)) != 1 {
		return false
	}

	keyBuffer := NewBufferFromBytes(key, c.useMemguard)
	c.key = &keyBuffer
	notify.Notify("Goldwarden", "Vault Unlocked", "", 60*time.Second, func() {})
	pincache.SetPin(c.useMemguard, []byte(password))
	return true
}

func (c *Config) VerifyPin(password string) bool {
	key := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)
	debug.FreeOSMemory()
	keyHash := sha3.Sum256(key)
	configKeyHash := hex.EncodeToString(keyHash[:])
	if cryptoSubtle.ConstantTimeCompare([]byte(configKeyHash), []byte(c.ConfigFile.ConfigKeyHash)) != 1 {
		return false
	} else {
		return true
	}
}

func (c *Config) Lock() {
	c.mu.Lock()
	defer c.mu.Unlock()

	if c.IsLocked() {
		return
	}
	(*c.key).Wipe()
	notify.Notify("Goldwarden", "Vault Locked", "", 60*time.Second, func() {})
}

func (c *Config) Purge() {
	c.mu.Lock()
	defer c.mu.Unlock()

	c.ConfigFile.EncryptedMasterPasswordHash = ""
	c.ConfigFile.EncryptedToken = ""
	c.ConfigFile.EncryptedUserSymmetricKey = ""
	c.ConfigFile.EncryptedClientID = ""
	c.ConfigFile.EncryptedClientSecret = ""
	c.ConfigFile.ConfigKeyHash = ""
	c.ConfigFile.EncryptedMasterKey = ""
	key := NewBuffer(32, c.useMemguard)
	c.key = &key
}

func (c *Config) HasPin() bool {
	return c.ConfigFile.ConfigKeyHash != ""
}

func (c *Config) UpdatePin(password string, write bool) {
	c.mu.Lock()

	newKey := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)
	keyHash := sha3.Sum256(newKey)
	configKeyHash := hex.EncodeToString(keyHash[:])
	debug.FreeOSMemory()

	c.ConfigFile.ConfigKeyHash = configKeyHash

	plaintextToken, err1 := c.decryptString(c.ConfigFile.EncryptedToken)
	plaintextUserSymmetricKey, err3 := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)
	plaintextEncryptedMasterPasswordHash, err4 := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)
	plaintextMasterKey, err5 := c.decryptString(c.ConfigFile.EncryptedMasterKey)
	plaintextClientID, err6 := c.decryptString(c.ConfigFile.EncryptedClientID)
	plaintextClientSecret, err7 := c.decryptString(c.ConfigFile.EncryptedClientSecret)

	key := NewBufferFromBytes(newKey, c.useMemguard)
	c.key = &key

	if err1 == nil {
		c.ConfigFile.EncryptedToken, err1 = c.encryptString(plaintextToken)
	}
	if err3 == nil {
		c.ConfigFile.EncryptedUserSymmetricKey, err3 = c.encryptString(plaintextUserSymmetricKey)
	}
	if err4 == nil {
		c.ConfigFile.EncryptedMasterPasswordHash, err4 = c.encryptString(plaintextEncryptedMasterPasswordHash)
	}
	if err5 == nil {
		c.ConfigFile.EncryptedMasterKey, err5 = c.encryptString(plaintextMasterKey)
	}
	if err6 == nil {
		c.ConfigFile.EncryptedClientID, err6 = c.encryptString(plaintextClientID)
	}
	if err7 == nil {
		c.ConfigFile.EncryptedClientSecret, err7 = c.encryptString(plaintextClientSecret)
	}
	c.mu.Unlock()

	if write {
		c.WriteConfig()
	}

	pincache.SetPin(c.useMemguard, []byte(password))
}

func (c *Config) GetToken() (LoginToken, error) {
	if c.IsLocked() {
		return LoginToken{}, errors.New("config is locked")
	}
	tokenJson, err := c.decryptString(c.ConfigFile.EncryptedToken)
	if err != nil {
		return LoginToken{}, err
	}

	var token LoginToken
	err = json.Unmarshal([]byte(tokenJson), &token)
	if err != nil {
		return LoginToken{}, err
	}
	return token, nil
}

func (c *Config) SetToken(token LoginToken) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}

	tokenJson, err := json.Marshal(token)
	encryptedToken, err := c.encryptString(string(tokenJson))
	if err != nil {
		return err
	}
	// c.mu.Lock()
	c.ConfigFile.EncryptedToken = encryptedToken
	// c.mu.Unlock()
	c.WriteConfig()
	return nil
}

func (c *Config) GetClientID() (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}

	if c.ConfigFile.EncryptedClientID == "" {
		return "", nil
	}

	decrypted, err := c.decryptString(c.ConfigFile.EncryptedClientID)
	if err != nil {
		return "", err
	}
	return decrypted, nil
}

func (c *Config) SetClientID(clientID string) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}

	if clientID == "" {
		c.ConfigFile.EncryptedClientID = ""
		c.WriteConfig()
		return nil
	}

	encryptedClientID, err := c.encryptString(clientID)
	if err != nil {
		return err
	}
	// c.mu.Lock()
	c.ConfigFile.EncryptedClientID = encryptedClientID
	// c.mu.Unlock()
	c.WriteConfig()
	return nil
}

func (c *Config) GetClientSecret() (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}

	if c.ConfigFile.EncryptedClientSecret == "" {
		return "", nil
	}

	decrypted, err := c.decryptString(c.ConfigFile.EncryptedClientSecret)
	if err != nil {
		return "", err
	}
	return decrypted, nil
}

func (c *Config) SetClientSecret(clientSecret string) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}

	if clientSecret == "" {
		c.ConfigFile.EncryptedClientSecret = ""
		c.WriteConfig()
		return nil
	}

	encryptedClientSecret, err := c.encryptString(clientSecret)
	if err != nil {
		return err
	}
	// c.mu.Lock()
	c.ConfigFile.EncryptedClientSecret = encryptedClientSecret
	// c.mu.Unlock()
	c.WriteConfig()
	return nil
}

func (c *Config) GetUserSymmetricKey() ([]byte, error) {
	if c.IsLocked() {
		return []byte{}, errors.New("config is locked")
	}
	decrypted, err := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)
	if err != nil {
		return []byte{}, err
	}
	return []byte(decrypted), nil
}

func (c *Config) SetUserSymmetricKey(key []byte) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encryptedKey, err := c.encryptString(string(key))
	if err != nil {
		return err
	}
	// c.mu.Lock()
	c.ConfigFile.EncryptedUserSymmetricKey = encryptedKey
	// c.mu.Unlock()
	c.WriteConfig()
	return nil
}

func (c *Config) GetMasterPasswordHash() ([]byte, error) {
	if c.IsLocked() {
		return []byte{}, errors.New("config is locked")
	}
	decrypted, err := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)
	if err != nil {
		return []byte{}, err
	}
	return []byte(decrypted), nil
}

func (c *Config) SetMasterPasswordHash(hash []byte) error {

	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encryptedHash, err := c.encryptString(string(hash))
	if err != nil {
		c.mu.Unlock()
		return err
	}

	// c.mu.Lock()
	c.ConfigFile.EncryptedMasterPasswordHash = encryptedHash
	// c.mu.Unlock()

	c.WriteConfig()
	return nil
}

func (c *Config) GetMasterKey() ([]byte, error) {
	if c.IsLocked() {
		return []byte{}, errors.New("config is locked")
	}
	decrypted, err := c.decryptString(c.ConfigFile.EncryptedMasterKey)
	if err != nil {
		return []byte{}, err
	}
	return []byte(decrypted), nil
}

func (c *Config) SetMasterKey(key []byte) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encryptedKey, err := c.encryptString(string(key))
	if err != nil {
		return err
	}
	// c.mu.Lock()
	c.ConfigFile.EncryptedMasterKey = encryptedKey
	// c.mu.Unlock()
	c.WriteConfig()
	return nil
}

func (c *Config) encryptString(data string) (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}
	ca, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())
	if err != nil {
		return "", err
	}
	result, err := ca.Encrypt([]byte(data), []byte{})
	if err != nil {
		return "", err
	}

	return base64.StdEncoding.EncodeToString(result), nil
}

func (c *Config) decryptString(data string) (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}

	decoded, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return "", err
	}

	ca, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())
	if err != nil {
		return "", err
	}
	result, err := ca.Decrypt(decoded, []byte{})
	if err != nil {
		return "", err
	}
	return string(result), nil
}

func (config *Config) WriteConfig() error {
	if config.ConfigFile.RuntimeConfig.DoNotPersistConfig {
		return nil
	}

	config.mu.Lock()
	defer config.mu.Unlock()

	jsonBytes, err := json.Marshal(config.ConfigFile)
	if err != nil {
		return err
	}

	// write to disk
	os.Remove(config.ConfigFile.RuntimeConfig.ConfigDirectory)
	parentDirectory := config.ConfigFile.RuntimeConfig.ConfigDirectory[:len(config.ConfigFile.RuntimeConfig.ConfigDirectory)-len("/goldwarden.json")]
	if _, err := os.Stat(parentDirectory); os.IsNotExist(err) {
		err := os.MkdirAll(parentDirectory, 0700)
		if err != nil {
			return err
		}
	}

	file, err := os.OpenFile(config.ConfigFile.RuntimeConfig.ConfigDirectory, os.O_CREATE|os.O_WRONLY, 0600)
	if err != nil {
		return err
	}
	defer file.Close()

	_, err = file.Write(jsonBytes)
	if err != nil {
		return err
	}
	return nil
}

func ReadConfig(rtCfg RuntimeConfig) (Config, error) {
	userHome, _ := os.UserHomeDir()
	oldPath := strings.ReplaceAll("~/.config/goldwarden.json", "~", userHome)
	newPathParent := strings.ReplaceAll("~/.config/goldwarden", "~", userHome)
	newPath := strings.ReplaceAll("~/.config/goldwarden/goldwarden.json", "~", userHome)

	// Migrate old config
	if _, err := os.Stat(oldPath); err == nil {
		if _, err := os.Stat(newPath); err != nil {
			if _, err := os.Stat(newPathParent); os.IsNotExist(err) {
				os.Mkdir(newPathParent, 0700)
			}
			os.Rename(oldPath, newPath)
		}
	}

	file, err := os.Open(rtCfg.ConfigDirectory)
	if err != nil {
		key := NewBuffer(32, rtCfg.UseMemguard)
		return Config{
			key:        &key,
			ConfigFile: ConfigFile{},
		}, err
	}
	defer file.Close()

	decoder := json.NewDecoder(file)
	config := ConfigFile{}
	err = decoder.Decode(&config)
	if err != nil {
		key := NewBuffer(32, rtCfg.UseMemguard)
		return Config{
			key:        &key,
			ConfigFile: ConfigFile{},
		}, err
	}
	if config.ConfigKeyHash == "" {
		key := NewBuffer(32, rtCfg.UseMemguard)
		return Config{
			key:        &key,
			ConfigFile: config,
		}, nil
	}
	key := NewBuffer(32, rtCfg.UseMemguard)
	return Config{
		key:        &key,
		ConfigFile: config,
	}, nil
}

func (cfg *Config) TryUnlock(vault *vault.Vault) error {
	var pin string
	if pincache.HasPin() {
		pinBytes, err := pincache.GetPin()
		if err != nil {
			return err
		}
		pin = string(pinBytes)
	} else {
		var err error
		pin, err = pinentry.GetPassword("Unlock Goldwarden", "Enter the vault PIN")
		if err != nil {
			return err
		}
	}

	success := cfg.Unlock(pin)
	if !success {
		return errors.New("invalid PIN")
	}

	if cfg.IsLoggedIn() {
		userKey, err := cfg.GetUserSymmetricKey()
		if err == nil {
			var key crypto.SymmetricEncryptionKey
			var err error
			if vault.Keyring.IsMemguard {
				key, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userKey)
			} else {
				key, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userKey)
			}
			if err != nil {
				return err
			}
			vault.Keyring.UnlockWithAccountKey(key)
		} else {
			cfg.Lock()
			return err
		}
	}

	return nil
}
Initial commit 2023-07-17 03:23:26 +02:00			`package config`

			`import (`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`"bytes"`
Initial commit 2023-07-17 03:23:26 +02:00			`cryptoSubtle "crypto/subtle"`
			`"encoding/base64"`
			`"encoding/hex"`
			`"encoding/json"`
			`"errors"`
			`"os"`
			`"runtime/debug"`
Move config file 2023-12-28 13:41:07 +01:00			`"strings"`
Initial commit 2023-07-17 03:23:26 +02:00			`"sync"`
Add timeout to notifications 2024-01-19 05:14:25 +01:00			`"time"`
Initial commit 2023-07-17 03:23:26 +02:00
			`"github.com/google/uuid"`
			`"github.com/quexten/goldwarden/agent/bitwarden/crypto"`
Add notification support to the goldwarden daemon 2023-12-28 12:58:02 +01:00			`"github.com/quexten/goldwarden/agent/notify"`
Implement pincache 2024-02-09 20:48:44 +01:00			`"github.com/quexten/goldwarden/agent/pincache"`
Refactor platform abstractions 2023-09-12 02:54:46 +02:00			`"github.com/quexten/goldwarden/agent/systemauth/pinentry"`
Initial commit 2023-07-17 03:23:26 +02:00			`"github.com/quexten/goldwarden/agent/vault"`
			`"github.com/tink-crypto/tink-go/v2/aead/subtle"`
			`"golang.org/x/crypto/argon2"`
			`"golang.org/x/crypto/sha3"`
			`)`

			`const (`
Add more env variables 2023-08-21 18:37:34 +02:00			`KDFIterations = 2`
			`KDFMemory = 2 * 1024 * 1024`
			`KDFThreads = 8`
Move config file 2023-12-28 13:41:07 +01:00			`DefaultConfigPath = "~/.config/goldwarden/goldwarden.json"`
Initial commit 2023-07-17 03:23:26 +02:00			`)`

Add more env variables 2023-08-21 18:37:34 +02:00			`type RuntimeConfig struct {`
Remove old config options 2024-02-09 19:37:09 +01:00			`AuthMethod string`
			`DoNotPersistConfig bool`
			`ConfigDirectory string`
			`DisableSSHAgent bool`
			`WebsocketDisabled bool`
			`DeviceUUID string`
			`User string`
			`Password string`
			`Pin string`
			`UseMemguard bool`
			`SSHAgentSocketPath string`
			`GoldwardenSocketPath string`
			`DaemonAuthToken string`
Add more env variables 2023-08-21 18:37:34 +02:00			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`type ConfigFile struct {`
			`IdentityUrl string`
			`ApiUrl string`
Fix login on main bitwarden instance 2023-09-11 14:14:27 +02:00			`NotificationsUrl string`
Add url auto-config and web vault config 2024-01-20 12:31:37 +01:00			`VaultUrl string`
Add api-key based login 2024-01-04 21:53:38 +01:00			`EncryptedClientID string`
			`EncryptedClientSecret string`
Initial commit 2023-07-17 03:23:26 +02:00			`DeviceUUID string`
			`ConfigKeyHash string`
			`EncryptedToken string`
			`EncryptedUserSymmetricKey string`
			`EncryptedMasterPasswordHash string`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`EncryptedMasterKey string`
Add more env variables 2023-08-21 18:37:34 +02:00			RuntimeConfig RuntimeConfig `json:"-"`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

			`type LoginToken struct {`
			AccessToken string `json:"access_token"`
			ExpiresIn int `json:"expires_in"`
			TokenType string `json:"token_type"`
			RefreshToken string `json:"refresh_token"`
			Key string `json:"key"`
			`}`

			`type Config struct {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`useMemguard bool`
			`key *LockedBuffer`
			`ConfigFile ConfigFile`
			`mu sync.Mutex`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

Make memguard fully optional 2023-12-22 12:01:21 +01:00			`func DefaultConfig(useMemguard bool) Config {`
Initial commit 2023-07-17 03:23:26 +02:00			`deviceUUID, _ := uuid.NewUUID()`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`keyBuffer := NewBuffer(32, useMemguard)`
Initial commit 2023-07-17 03:23:26 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`useMemguard,`
			`&keyBuffer,`
Initial commit 2023-07-17 03:23:26 +02:00			`ConfigFile{`
Fix login on main bitwarden instance 2023-09-11 14:14:27 +02:00			`IdentityUrl: "https://vault.bitwarden.com/identity",`
			`ApiUrl: "https://vault.bitwarden.com/api",`
			`NotificationsUrl: "https://notifications.bitwarden.com",`
Add url auto-config and web vault config 2024-01-20 12:31:37 +01:00			`VaultUrl: "https://vault.bitwarden.com",`
Add api-key based login 2024-01-04 21:53:38 +01:00			`EncryptedClientID: "",`
			`EncryptedClientSecret: "",`
Initial commit 2023-07-17 03:23:26 +02:00			`DeviceUUID: deviceUUID.String(),`
			`ConfigKeyHash: "",`
			`EncryptedToken: "",`
			`EncryptedUserSymmetricKey: "",`
			`EncryptedMasterPasswordHash: "",`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`EncryptedMasterKey: "",`
Add more env variables 2023-08-21 18:37:34 +02:00			`RuntimeConfig: RuntimeConfig{},`
Initial commit 2023-07-17 03:23:26 +02:00			`},`
			`sync.Mutex{},`
			`}`
			`}`

			`func (c *Config) IsLocked() bool {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := (*c.key).Bytes()`
			`return bytes.Equal(key, make([]byte, 32)) && c.HasPin()`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`func (c *Config) IsLoggedIn() bool {`
			`return c.ConfigFile.EncryptedMasterPasswordHash != ""`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`func (c *Config) Unlock(password string) bool {`
			`c.mu.Lock()`
			`defer c.mu.Unlock()`

			`if !c.IsLocked() {`
			`return true`
			`}`

			`key := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)`
			`debug.FreeOSMemory()`
			`keyHash := sha3.Sum256(key)`
			`configKeyHash := hex.EncodeToString(keyHash[:])`
			`if cryptoSubtle.ConstantTimeCompare([]byte(configKeyHash), []byte(c.ConfigFile.ConfigKeyHash)) != 1 {`
			`return false`
			`}`

Make memguard fully optional 2023-12-22 12:01:21 +01:00			`keyBuffer := NewBufferFromBytes(key, c.useMemguard)`
			`c.key = &keyBuffer`
Add timeout to notifications 2024-01-19 05:14:25 +01:00			`notify.Notify("Goldwarden", "Vault Unlocked", "", 60*time.Second, func() {})`
Implement pincache 2024-02-09 20:48:44 +01:00			`pincache.SetPin(c.useMemguard, []byte(password))`
Initial commit 2023-07-17 03:23:26 +02:00			`return true`
			`}`

Rework systemauth 2023-09-19 21:49:56 +02:00			`func (c *Config) VerifyPin(password string) bool {`
			`key := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)`
			`debug.FreeOSMemory()`
			`keyHash := sha3.Sum256(key)`
			`configKeyHash := hex.EncodeToString(keyHash[:])`
			`if cryptoSubtle.ConstantTimeCompare([]byte(configKeyHash), []byte(c.ConfigFile.ConfigKeyHash)) != 1 {`
			`return false`
			`} else {`
			`return true`
			`}`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`func (c *Config) Lock() {`
			`c.mu.Lock()`
			`defer c.mu.Unlock()`

			`if c.IsLocked() {`
			`return`
			`}`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`(*c.key).Wipe()`
Add timeout to notifications 2024-01-19 05:14:25 +01:00			`notify.Notify("Goldwarden", "Vault Locked", "", 60*time.Second, func() {})`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

			`func (c *Config) Purge() {`
			`c.mu.Lock()`
			`defer c.mu.Unlock()`

			`c.ConfigFile.EncryptedMasterPasswordHash = ""`
			`c.ConfigFile.EncryptedToken = ""`
			`c.ConfigFile.EncryptedUserSymmetricKey = ""`
Fix api token breaking authentication 2024-01-04 23:40:07 +01:00			`c.ConfigFile.EncryptedClientID = ""`
			`c.ConfigFile.EncryptedClientSecret = ""`
Initial commit 2023-07-17 03:23:26 +02:00			`c.ConfigFile.ConfigKeyHash = ""`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`c.ConfigFile.EncryptedMasterKey = ""`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, c.useMemguard)`
			`c.key = &key`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

			`func (c *Config) HasPin() bool {`
			`return c.ConfigFile.ConfigKeyHash != ""`
			`}`

			`func (c *Config) UpdatePin(password string, write bool) {`
			`c.mu.Lock()`

			`newKey := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)`
			`keyHash := sha3.Sum256(newKey)`
			`configKeyHash := hex.EncodeToString(keyHash[:])`
			`debug.FreeOSMemory()`

			`c.ConfigFile.ConfigKeyHash = configKeyHash`

			`plaintextToken, err1 := c.decryptString(c.ConfigFile.EncryptedToken)`
			`plaintextUserSymmetricKey, err3 := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)`
			`plaintextEncryptedMasterPasswordHash, err4 := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`plaintextMasterKey, err5 := c.decryptString(c.ConfigFile.EncryptedMasterKey)`
Fix api token breaking authentication 2024-01-04 23:40:07 +01:00			`plaintextClientID, err6 := c.decryptString(c.ConfigFile.EncryptedClientID)`
			`plaintextClientSecret, err7 := c.decryptString(c.ConfigFile.EncryptedClientSecret)`
Initial commit 2023-07-17 03:23:26 +02:00
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBufferFromBytes(newKey, c.useMemguard)`
			`c.key = &key`
Initial commit 2023-07-17 03:23:26 +02:00
			`if err1 == nil {`
			`c.ConfigFile.EncryptedToken, err1 = c.encryptString(plaintextToken)`
			`}`
			`if err3 == nil {`
			`c.ConfigFile.EncryptedUserSymmetricKey, err3 = c.encryptString(plaintextUserSymmetricKey)`
			`}`
			`if err4 == nil {`
			`c.ConfigFile.EncryptedMasterPasswordHash, err4 = c.encryptString(plaintextEncryptedMasterPasswordHash)`
			`}`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`if err5 == nil {`
			`c.ConfigFile.EncryptedMasterKey, err5 = c.encryptString(plaintextMasterKey)`
			`}`
Fix api token breaking authentication 2024-01-04 23:40:07 +01:00			`if err6 == nil {`
			`c.ConfigFile.EncryptedClientID, err6 = c.encryptString(plaintextClientID)`
			`}`
			`if err7 == nil {`
			`c.ConfigFile.EncryptedClientSecret, err7 = c.encryptString(plaintextClientSecret)`
			`}`
Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`c.mu.Unlock()`
Initial commit 2023-07-17 03:23:26 +02:00
			`if write {`
			`c.WriteConfig()`
			`}`
Implement pincache 2024-02-09 20:48:44 +01:00
			`pincache.SetPin(c.useMemguard, []byte(password))`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

			`func (c *Config) GetToken() (LoginToken, error) {`
			`if c.IsLocked() {`
			`return LoginToken{}, errors.New("config is locked")`
			`}`
			`tokenJson, err := c.decryptString(c.ConfigFile.EncryptedToken)`
			`if err != nil {`
			`return LoginToken{}, err`
			`}`

			`var token LoginToken`
			`err = json.Unmarshal([]byte(tokenJson), &token)`
			`if err != nil {`
			`return LoginToken{}, err`
			`}`
			`return token, nil`
			`}`

			`func (c *Config) SetToken(token LoginToken) error {`
			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`

			`tokenJson, err := json.Marshal(token)`
			`encryptedToken, err := c.encryptString(string(tokenJson))`
			`if err != nil {`
			`return err`
			`}`
			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedToken = encryptedToken`
			`// c.mu.Unlock()`
			`c.WriteConfig()`
			`return nil`
			`}`

Add api-key based login 2024-01-04 21:53:38 +01:00			`func (c *Config) GetClientID() (string, error) {`
			`if c.IsLocked() {`
			`return "", errors.New("config is locked")`
			`}`

			`if c.ConfigFile.EncryptedClientID == "" {`
			`return "", nil`
			`}`

			`decrypted, err := c.decryptString(c.ConfigFile.EncryptedClientID)`
			`if err != nil {`
			`return "", err`
			`}`
			`return decrypted, nil`
			`}`

			`func (c *Config) SetClientID(clientID string) error {`
			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`

			`if clientID == "" {`
			`c.ConfigFile.EncryptedClientID = ""`
			`c.WriteConfig()`
			`return nil`
			`}`

			`encryptedClientID, err := c.encryptString(clientID)`
			`if err != nil {`
			`return err`
			`}`
			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedClientID = encryptedClientID`
			`// c.mu.Unlock()`
			`c.WriteConfig()`
			`return nil`
			`}`

			`func (c *Config) GetClientSecret() (string, error) {`
			`if c.IsLocked() {`
			`return "", errors.New("config is locked")`
			`}`

			`if c.ConfigFile.EncryptedClientSecret == "" {`
			`return "", nil`
			`}`

			`decrypted, err := c.decryptString(c.ConfigFile.EncryptedClientSecret)`
			`if err != nil {`
			`return "", err`
			`}`
			`return decrypted, nil`
			`}`

			`func (c *Config) SetClientSecret(clientSecret string) error {`
			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`

			`if clientSecret == "" {`
			`c.ConfigFile.EncryptedClientSecret = ""`
			`c.WriteConfig()`
			`return nil`
			`}`

			`encryptedClientSecret, err := c.encryptString(clientSecret)`
			`if err != nil {`
			`return err`
			`}`
			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedClientSecret = encryptedClientSecret`
			`// c.mu.Unlock()`
			`c.WriteConfig()`
			`return nil`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`func (c *Config) GetUserSymmetricKey() ([]byte, error) {`
			`if c.IsLocked() {`
			`return []byte{}, errors.New("config is locked")`
			`}`
			`decrypted, err := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)`
			`if err != nil {`
			`return []byte{}, err`
			`}`
			`return []byte(decrypted), nil`
			`}`

			`func (c *Config) SetUserSymmetricKey(key []byte) error {`
			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`
			`encryptedKey, err := c.encryptString(string(key))`
			`if err != nil {`
			`return err`
			`}`
			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedUserSymmetricKey = encryptedKey`
			`// c.mu.Unlock()`
			`c.WriteConfig()`
			`return nil`
			`}`

			`func (c *Config) GetMasterPasswordHash() ([]byte, error) {`
			`if c.IsLocked() {`
			`return []byte{}, errors.New("config is locked")`
			`}`
			`decrypted, err := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)`
			`if err != nil {`
			`return []byte{}, err`
			`}`
			`return []byte(decrypted), nil`
			`}`

			`func (c *Config) SetMasterPasswordHash(hash []byte) error {`

			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`
			`encryptedHash, err := c.encryptString(string(hash))`
			`if err != nil {`
			`c.mu.Unlock()`
			`return err`
			`}`

			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedMasterPasswordHash = encryptedHash`
			`// c.mu.Unlock()`

			`c.WriteConfig()`
			`return nil`
			`}`

Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`func (c *Config) GetMasterKey() ([]byte, error) {`
			`if c.IsLocked() {`
			`return []byte{}, errors.New("config is locked")`
			`}`
			`decrypted, err := c.decryptString(c.ConfigFile.EncryptedMasterKey)`
			`if err != nil {`
			`return []byte{}, err`
			`}`
			`return []byte(decrypted), nil`
			`}`

			`func (c *Config) SetMasterKey(key []byte) error {`
			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`
			`encryptedKey, err := c.encryptString(string(key))`
			`if err != nil {`
			`return err`
			`}`
			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedMasterKey = encryptedKey`
			`// c.mu.Unlock()`
			`c.WriteConfig()`
			`return nil`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`func (c *Config) encryptString(data string) (string, error) {`
			`if c.IsLocked() {`
			`return "", errors.New("config is locked")`
			`}`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`ca, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
			`return "", err`
			`}`
			`result, err := ca.Encrypt([]byte(data), []byte{})`
			`if err != nil {`
			`return "", err`
			`}`

			`return base64.StdEncoding.EncodeToString(result), nil`
			`}`

			`func (c *Config) decryptString(data string) (string, error) {`
			`if c.IsLocked() {`
			`return "", errors.New("config is locked")`
			`}`

			`decoded, err := base64.StdEncoding.DecodeString(data)`
			`if err != nil {`
			`return "", err`
			`}`

Make memguard fully optional 2023-12-22 12:01:21 +01:00			`ca, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
			`return "", err`
			`}`
			`result, err := ca.Decrypt(decoded, []byte{})`
			`if err != nil {`
			`return "", err`
			`}`
			`return string(result), nil`
			`}`

			`func (config *Config) WriteConfig() error {`
Add more env variables 2023-08-21 18:37:34 +02:00			`if config.ConfigFile.RuntimeConfig.DoNotPersistConfig {`
			`return nil`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`config.mu.Lock()`
			`defer config.mu.Unlock()`

			`jsonBytes, err := json.Marshal(config.ConfigFile)`
			`if err != nil {`
			`return err`
			`}`

			`// write to disk`
Add more env variables 2023-08-21 18:37:34 +02:00			`os.Remove(config.ConfigFile.RuntimeConfig.ConfigDirectory)`
Move config file 2023-12-28 13:41:07 +01:00			`parentDirectory := config.ConfigFile.RuntimeConfig.ConfigDirectory[:len(config.ConfigFile.RuntimeConfig.ConfigDirectory)-len("/goldwarden.json")]`
			`if _, err := os.Stat(parentDirectory); os.IsNotExist(err) {`
Fix config dir creation on windows 2024-02-03 23:15:29 +01:00			`err := os.MkdirAll(parentDirectory, 0700)`
			`if err != nil {`
			`return err`
			`}`
Move config file 2023-12-28 13:41:07 +01:00			`}`

Add more env variables 2023-08-21 18:37:34 +02:00			`file, err := os.OpenFile(config.ConfigFile.RuntimeConfig.ConfigDirectory, os.O_CREATE\|os.O_WRONLY, 0600)`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
			`return err`
			`}`
			`defer file.Close()`

			`_, err = file.Write(jsonBytes)`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`

Add more env variables 2023-08-21 18:37:34 +02:00			`func ReadConfig(rtCfg RuntimeConfig) (Config, error) {`
Move config file 2023-12-28 13:41:07 +01:00			`userHome, _ := os.UserHomeDir()`
			`oldPath := strings.ReplaceAll("~/.config/goldwarden.json", "~", userHome)`
			`newPathParent := strings.ReplaceAll("~/.config/goldwarden", "~", userHome)`
			`newPath := strings.ReplaceAll("~/.config/goldwarden/goldwarden.json", "~", userHome)`

			`// Migrate old config`
			`if _, err := os.Stat(oldPath); err == nil {`
			`if _, err := os.Stat(newPath); err != nil {`
			`if _, err := os.Stat(newPathParent); os.IsNotExist(err) {`
			`os.Mkdir(newPathParent, 0700)`
			`}`
			`os.Rename(oldPath, newPath)`
			`}`
			`}`

Add more env variables 2023-08-21 18:37:34 +02:00			`file, err := os.Open(rtCfg.ConfigDirectory)`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, rtCfg.UseMemguard)`
Add more env variables 2023-08-21 18:37:34 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key: &key,`
Add more env variables 2023-08-21 18:37:34 +02:00			`ConfigFile: ConfigFile{},`
			`}, err`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
			`defer file.Close()`

			`decoder := json.NewDecoder(file)`
			`config := ConfigFile{}`
			`err = decoder.Decode(&config)`
			`if err != nil {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, rtCfg.UseMemguard)`
Add more env variables 2023-08-21 18:37:34 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key: &key,`
Add more env variables 2023-08-21 18:37:34 +02:00			`ConfigFile: ConfigFile{},`
			`}, err`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
			`if config.ConfigKeyHash == "" {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, rtCfg.UseMemguard)`
Add more env variables 2023-08-21 18:37:34 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key: &key,`
Add more env variables 2023-08-21 18:37:34 +02:00			`ConfigFile: config,`
			`}, nil`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, rtCfg.UseMemguard)`
Add more env variables 2023-08-21 18:37:34 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key: &key,`
Add more env variables 2023-08-21 18:37:34 +02:00			`ConfigFile: config,`
			`}, nil`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

			`func (cfg Config) TryUnlock(vault vault.Vault) error {`
Implement pincache 2024-02-09 20:48:44 +01:00			`var pin string`
			`if pincache.HasPin() {`
			`pinBytes, err := pincache.GetPin()`
			`if err != nil {`
			`return err`
			`}`
			`pin = string(pinBytes)`
			`} else {`
			`var err error`
			`pin, err = pinentry.GetPassword("Unlock Goldwarden", "Enter the vault PIN")`
			`if err != nil {`
			`return err`
			`}`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
Implement pincache 2024-02-09 20:48:44 +01:00
Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`success := cfg.Unlock(pin)`
			`if !success {`
			`return errors.New("invalid PIN")`
			`}`

			`if cfg.IsLoggedIn() {`
			`userKey, err := cfg.GetUserSymmetricKey()`
			`if err == nil {`
Add no memguard mode 2023-12-22 08:02:23 +01:00			`var key crypto.SymmetricEncryptionKey`
			`var err error`
			`if vault.Keyring.IsMemguard {`
			`key, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userKey)`
			`} else {`
			`key, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userKey)`
			`}`
Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`if err != nil {`
			`return err`
			`}`
Fix keyring locked detection 2023-12-22 12:43:38 +01:00			`vault.Keyring.UnlockWithAccountKey(key)`
Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`} else {`
			`cfg.Lock()`
Initial commit 2023-07-17 03:23:26 +02:00			`return err`
			`}`
			`}`

			`return nil`
			`}`