goldwarden-vaultwarden-bitw.../agent/systemauth/systemauth.go

package systemauth

import (
	"fmt"
	"math"
	"time"

	"github.com/quexten/goldwarden/agent/config"
	"github.com/quexten/goldwarden/agent/sockets"
	"github.com/quexten/goldwarden/agent/systemauth/biometrics"
	"github.com/quexten/goldwarden/agent/systemauth/pinentry"
	"github.com/quexten/goldwarden/logging"
)

var log = logging.GetLogger("Goldwarden", "Systemauth")

const tokenExpiry = 60 * time.Minute
const SSHTTL = 60 * time.Minute

type SessionType string

const (
	AccessVault SessionType = "com.quexten.goldwarden.accessvault"
	SSHKey      SessionType = "com.quexten.goldwarden.usesshkey"
	Pin         SessionType = "com.quexten.goldwarden.pin" // this counts as all other permissions
)

var sessionStore = SessionStore{
	Store: []Session{},
}

type Session struct {
	Pid            int
	ParentPid      int
	GrandParentPid int
	Expires        time.Time
	sessionType    SessionType
}

type SessionStore struct {
	Store []Session
}

func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int, sessionType SessionType, ttl time.Duration) Session {
	var session = Session{
		Pid:            pid,
		ParentPid:      parentpid,
		GrandParentPid: grandparentpid,
		Expires:        time.Now().Add(ttl),
		sessionType:    sessionType,
	}
	s.Store = append(s.Store, session)
	return session
}

func (s *SessionStore) verifySession(ctx sockets.CallingContext, sessionType SessionType) bool {
	for _, session := range s.Store {
		if session.ParentPid == ctx.ParentProcessPid && session.GrandParentPid == ctx.GrandParentProcessPid && (session.sessionType == sessionType || session.sessionType == Pin) {
			if session.Expires.After(time.Now()) {
				return true
			}
		}
	}
	return false
}

// with session
func GetPermission(sessionType SessionType, ctx sockets.CallingContext, config *config.Config) (bool, error) {
	if ctx.Authenticated {
		return true, nil
	}

	log.Info("Checking permission for " + ctx.ProcessName + " with session type " + string(sessionType))
	var actionDescription = ""
	biometricsApprovalType := biometrics.AccessVault
	switch sessionType {
	case AccessVault:
		actionDescription = "access the vault"
		biometricsApprovalType = biometrics.AccessVault
	case SSHKey:
		actionDescription = "use an SSH key for signing"
		biometricsApprovalType = biometrics.SSHKey
	}
	var message = fmt.Sprintf("Do you want to authorize %s>%s>%s to %s? (This choice will be remembered for %d minutes)", ctx.GrandParentProcessName, ctx.ParentProcessName, ctx.ProcessName, actionDescription, int(math.Floor(tokenExpiry.Minutes())))

	if sessionStore.verifySession(ctx, sessionType) {
		log.Info("Permission granted from cached session")
	} else {
		if biometrics.BiometricsWorking() {
			biometricsApproval := biometrics.CheckBiometrics(biometricsApprovalType)
			if !biometricsApproval {
				return false, nil
			}
		} else {
			log.Warn("Biometrics is not available, asking for pin")
			pin, err := pinentry.GetPassword("Enter PIN", "Biometrics is not available. Enter your pin to authorize this action. "+message)
			if err != nil {
				return false, err
			}
			if !config.VerifyPin(pin) {
				return false, nil
			}
		}

		// approval, err := pinentry.GetApproval("Goldwarden authorization", message)
		// if err != nil || !approval {
		// 	return false, err
		// }

		log.Info("Permission granted, creating session")
		sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, sessionType, tokenExpiry)
	}
	return true, nil
}

// no session
func CheckBiometrics(callingContext *sockets.CallingContext, approvalType biometrics.Approval) bool {
	var message = fmt.Sprintf("Do you want to grant %s>%s>%s one-time access your vault?", callingContext.GrandParentProcessName, callingContext.ParentProcessName, callingContext.ProcessName)
	var bioApproval = biometrics.CheckBiometrics(approvalType)
	if !bioApproval {
		return false
	}

	approval, err := pinentry.GetApproval("Goldwarden authorization", message)
	if err != nil {
		log.Error(err.Error())
	}

	return approval
}

func CreatePinSession(ctx sockets.CallingContext, ttl time.Duration) Session {
	return sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, Pin, ttl)
}

func VerifyPinSession(ctx sockets.CallingContext) bool {
	return sessionStore.verifySession(ctx, Pin)
}
Introduce session cache 2023-09-12 18:56:35 +02:00			`package systemauth`

			`import (`
Rework systemauth 2023-09-19 21:49:56 +02:00			`"fmt"`
			`"math"`
Introduce session cache 2023-09-12 18:56:35 +02:00			`"time"`

Rework systemauth 2023-09-19 21:49:56 +02:00			`"github.com/quexten/goldwarden/agent/config"`
Introduce session cache 2023-09-12 18:56:35 +02:00			`"github.com/quexten/goldwarden/agent/sockets"`
			`"github.com/quexten/goldwarden/agent/systemauth/biometrics"`
			`"github.com/quexten/goldwarden/agent/systemauth/pinentry"`
Rework systemauth 2023-09-19 21:49:56 +02:00			`"github.com/quexten/goldwarden/logging"`
Introduce session cache 2023-09-12 18:56:35 +02:00			`)`

Rework systemauth 2023-09-19 21:49:56 +02:00			`var log = logging.GetLogger("Goldwarden", "Systemauth")`

Lock down session auth mode 2024-02-09 19:32:01 +01:00			`const tokenExpiry = 60 * time.Minute`
			`const SSHTTL = 60 * time.Minute`
Introduce session cache 2023-09-12 18:56:35 +02:00
Rework systemauth 2023-09-19 21:49:56 +02:00			`type SessionType string`

			`const (`
			`AccessVault SessionType = "com.quexten.goldwarden.accessvault"`
			`SSHKey SessionType = "com.quexten.goldwarden.usesshkey"`
			`Pin SessionType = "com.quexten.goldwarden.pin" // this counts as all other permissions`
			`)`

Introduce session cache 2023-09-12 18:56:35 +02:00			`var sessionStore = SessionStore{`
			`Store: []Session{},`
			`}`

			`type Session struct {`
			`Pid int`
			`ParentPid int`
			`GrandParentPid int`
			`Expires time.Time`
Rework systemauth 2023-09-19 21:49:56 +02:00			`sessionType SessionType`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`

			`type SessionStore struct {`
			`Store []Session`
			`}`

Lock down session auth mode 2024-02-09 19:32:01 +01:00			`func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int, sessionType SessionType, ttl time.Duration) Session {`
Introduce session cache 2023-09-12 18:56:35 +02:00			`var session = Session{`
			`Pid: pid,`
			`ParentPid: parentpid,`
			`GrandParentPid: grandparentpid,`
Lock down session auth mode 2024-02-09 19:32:01 +01:00			`Expires: time.Now().Add(ttl),`
Rework systemauth 2023-09-19 21:49:56 +02:00			`sessionType: sessionType,`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`
			`s.Store = append(s.Store, session)`
			`return session`
			`}`

Rework systemauth 2023-09-19 21:49:56 +02:00			`func (s *SessionStore) verifySession(ctx sockets.CallingContext, sessionType SessionType) bool {`
Introduce session cache 2023-09-12 18:56:35 +02:00			`for _, session := range s.Store {`
Rework systemauth 2023-09-19 21:49:56 +02:00			`if session.ParentPid == ctx.ParentProcessPid && session.GrandParentPid == ctx.GrandParentProcessPid && (session.sessionType == sessionType \|\| session.sessionType == Pin) {`
Introduce session cache 2023-09-12 18:56:35 +02:00			`if session.Expires.After(time.Now()) {`
			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`

Rework systemauth 2023-09-19 21:49:56 +02:00			`// with session`
			`func GetPermission(sessionType SessionType, ctx sockets.CallingContext, config *config.Config) (bool, error) {`
Add initial authenticated connection work 2024-02-08 16:35:07 +01:00			`if ctx.Authenticated {`
			`return true, nil`
			`}`

Rework systemauth 2023-09-19 21:49:56 +02:00			`log.Info("Checking permission for " + ctx.ProcessName + " with session type " + string(sessionType))`
			`var actionDescription = ""`
			`biometricsApprovalType := biometrics.AccessVault`
			`switch sessionType {`
			`case AccessVault:`
			`actionDescription = "access the vault"`
			`biometricsApprovalType = biometrics.AccessVault`
			`case SSHKey:`
			`actionDescription = "use an SSH key for signing"`
			`biometricsApprovalType = biometrics.SSHKey`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`
Rework systemauth 2023-09-19 21:49:56 +02:00			`var message = fmt.Sprintf("Do you want to authorize %s>%s>%s to %s? (This choice will be remembered for %d minutes)", ctx.GrandParentProcessName, ctx.ParentProcessName, ctx.ProcessName, actionDescription, int(math.Floor(tokenExpiry.Minutes())))`

			`if sessionStore.verifySession(ctx, sessionType) {`
			`log.Info("Permission granted from cached session")`
			`} else {`
			`if biometrics.BiometricsWorking() {`
			`biometricsApproval := biometrics.CheckBiometrics(biometricsApprovalType)`
			`if !biometricsApproval {`
			`return false, nil`
			`}`
			`} else {`
Spawn goldwarden daemon automatically on boot; fix biometrics 2023-12-23 13:24:46 +01:00			`log.Warn("Biometrics is not available, asking for pin")`
Rework systemauth 2023-09-19 21:49:56 +02:00			`pin, err := pinentry.GetPassword("Enter PIN", "Biometrics is not available. Enter your pin to authorize this action. "+message)`
			`if err != nil {`
			`return false, err`
			`}`
			`if !config.VerifyPin(pin) {`
			`return false, nil`
			`}`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`
Rework systemauth 2023-09-19 21:49:56 +02:00
Improve usability of callingcontext & approval 2023-12-23 13:44:16 +01:00			`// approval, err := pinentry.GetApproval("Goldwarden authorization", message)`
			`// if err != nil \|\| !approval {`
			`// return false, err`
			`// }`
Rework systemauth 2023-09-19 21:49:56 +02:00
			`log.Info("Permission granted, creating session")`
Lock down session auth mode 2024-02-09 19:32:01 +01:00			`sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, sessionType, tokenExpiry)`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`
Rework systemauth 2023-09-19 21:49:56 +02:00			`return true, nil`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`

Rework systemauth 2023-09-19 21:49:56 +02:00			`// no session`
Introduce session cache 2023-09-12 18:56:35 +02:00			`func CheckBiometrics(callingContext *sockets.CallingContext, approvalType biometrics.Approval) bool {`
Rework systemauth 2023-09-19 21:49:56 +02:00			`var message = fmt.Sprintf("Do you want to grant %s>%s>%s one-time access your vault?", callingContext.GrandParentProcessName, callingContext.ParentProcessName, callingContext.ProcessName)`
			`var bioApproval = biometrics.CheckBiometrics(approvalType)`
			`if !bioApproval {`
			`return false`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`

Rework systemauth 2023-09-19 21:49:56 +02:00			`approval, err := pinentry.GetApproval("Goldwarden authorization", message)`
			`if err != nil {`
			`log.Error(err.Error())`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`

Rework systemauth 2023-09-19 21:49:56 +02:00			`return approval`
			`}`

Lock down session auth mode 2024-02-09 19:32:01 +01:00			`func CreatePinSession(ctx sockets.CallingContext, ttl time.Duration) Session {`
			`return sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, Pin, ttl)`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`

Rework systemauth 2023-09-19 21:49:56 +02:00			`func VerifyPinSession(ctx sockets.CallingContext) bool {`
			`return sessionStore.verifySession(ctx, Pin)`
Introduce session cache 2023-09-12 18:56:35 +02:00			`}`