2023-08-03 00:42:31 +02:00
|
|
|
package systemauth
|
|
|
|
|
|
|
|
import (
|
|
|
|
"github.com/amenzhinsky/go-polkit"
|
2023-08-21 18:37:34 +02:00
|
|
|
"github.com/quexten/goldwarden/logging"
|
2023-08-03 00:42:31 +02:00
|
|
|
)
|
|
|
|
|
2023-08-21 18:37:34 +02:00
|
|
|
var log = logging.GetLogger("Goldwarden", "Systemauth")
|
2023-08-03 00:42:31 +02:00
|
|
|
|
|
|
|
type Approval string
|
|
|
|
|
|
|
|
const (
|
|
|
|
AccessCredential Approval = "com.quexten.goldwarden.accesscredential"
|
|
|
|
ChangePin Approval = "com.quexten.goldwarden.changepin"
|
|
|
|
SSHKey Approval = "com.quexten.goldwarden.usesshkey"
|
|
|
|
ModifyVault Approval = "com.quexten.goldwarden.modifyvault"
|
|
|
|
BrowserBiometrics Approval = "com.quexten.goldwarden.browserbiometrics"
|
|
|
|
)
|
|
|
|
|
|
|
|
const POLICY = `<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<!DOCTYPE policyconfig PUBLIC
|
|
|
|
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
|
|
|
|
"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
|
|
|
|
|
|
|
|
<policyconfig>
|
|
|
|
<action id="com.quexten.goldwarden.accesscredential">
|
|
|
|
<description>Allow Credential Access</description>
|
|
|
|
<message>Authenticate to allow access to a single credential</message>
|
|
|
|
<defaults>
|
|
|
|
<allow_any>auth_self</allow_any>
|
|
|
|
<allow_inactive>auth_self</allow_inactive>
|
|
|
|
<allow_active>auth_self</allow_active>
|
|
|
|
</defaults>
|
|
|
|
</action>
|
|
|
|
<action id="com.quexten.goldwarden.changepin">
|
|
|
|
<description>Approve Pin Change</description>
|
|
|
|
<message>Authenticate to change your Goldwarden PIN.</message>
|
|
|
|
<defaults>
|
|
|
|
<allow_any>auth_self</allow_any>
|
|
|
|
<allow_inactive>auth_self</allow_inactive>
|
|
|
|
<allow_active>auth_self</allow_active>
|
|
|
|
</defaults>
|
|
|
|
</action>
|
|
|
|
<action id="com.quexten.goldwarden.usesshkey">
|
|
|
|
<description>Use Bitwarden SSH Key</description>
|
|
|
|
<message>Authenticate to use an SSH Key from your vault</message>
|
|
|
|
<defaults>
|
|
|
|
<allow_any>auth_self</allow_any>
|
|
|
|
<allow_inactive>auth_self</allow_inactive>
|
|
|
|
<allow_active>auth_self</allow_active>
|
|
|
|
</defaults>
|
|
|
|
</action>
|
|
|
|
<action id="com.quexten.goldwarden.modifyvault">
|
|
|
|
<description>Modify Bitwarden Vault</description>
|
|
|
|
<message>Authenticate to allow modification of your Bitvarden vault in Goldwarden</message>
|
|
|
|
<defaults>
|
|
|
|
<allow_any>auth_self</allow_any>
|
|
|
|
<allow_inactive>auth_self</allow_inactive>
|
|
|
|
<allow_active>auth_self</allow_active>
|
|
|
|
</defaults>
|
|
|
|
</action>
|
|
|
|
<action id="com.quexten.goldwarden.browserbiometrics">
|
|
|
|
<description>Browser Biometrics</description>
|
|
|
|
<message>Authenticate to allow Goldwarden to unlock your browser.</message>
|
|
|
|
<defaults>
|
|
|
|
<allow_any>auth_self</allow_any>
|
|
|
|
<allow_inactive>auth_self</allow_inactive>
|
|
|
|
<allow_active>auth_self</allow_active>
|
|
|
|
</defaults>
|
|
|
|
</action>
|
|
|
|
</policyconfig>`
|
|
|
|
|
|
|
|
func (a Approval) String() string {
|
|
|
|
return string(a)
|
|
|
|
}
|
|
|
|
|
|
|
|
func CheckBiometrics(approvalType Approval) bool {
|
2023-08-21 18:37:34 +02:00
|
|
|
if systemAuthDisabled {
|
2023-08-21 13:52:06 +02:00
|
|
|
return true
|
|
|
|
}
|
2023-08-03 00:42:31 +02:00
|
|
|
|
2023-08-21 18:37:34 +02:00
|
|
|
log.Info("Checking biometrics for %s", approvalType.String())
|
|
|
|
|
2023-08-03 00:42:31 +02:00
|
|
|
authority, err := polkit.NewAuthority()
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
result, err := authority.CheckAuthorization(
|
|
|
|
approvalType.String(),
|
|
|
|
nil,
|
|
|
|
polkit.CheckAuthorizationAllowUserInteraction, "",
|
|
|
|
)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
log.Info("Biometrics result: %t", result.IsAuthorized)
|
|
|
|
|
|
|
|
return result.IsAuthorized
|
|
|
|
}
|