goldwarden-vaultwarden-bitw.../agent/config/config.go

package config

import (
	"bytes"
	cryptoSubtle "crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"os"
	"runtime/debug"
	"sync"

	"github.com/google/uuid"
	"github.com/quexten/goldwarden/agent/bitwarden/crypto"
	"github.com/quexten/goldwarden/agent/systemauth/pinentry"
	"github.com/quexten/goldwarden/agent/vault"
	"github.com/tink-crypto/tink-go/v2/aead/subtle"
	"golang.org/x/crypto/argon2"
	"golang.org/x/crypto/sha3"
)

const (
	KDFIterations     = 2
	KDFMemory         = 2 * 1024 * 1024
	KDFThreads        = 8
	DefaultConfigPath = "~/.config/goldwarden.json"
)

type RuntimeConfig struct {
	DisableAuth           bool
	DisablePinRequirement bool
	AuthMethod            string
	DoNotPersistConfig    bool
	ConfigDirectory       string
	DisableSSHAgent       bool
	WebsocketDisabled     bool
	ApiURI                string
	IdentityURI           string
	NotificationsURI      string
	SingleProcess         bool
	DeviceUUID            string
	User                  string
	Password              string
	Pin                   string
	UseMemguard           bool
}

type ConfigFile struct {
	IdentityUrl                 string
	ApiUrl                      string
	NotificationsUrl            string
	DeviceUUID                  string
	ConfigKeyHash               string
	EncryptedToken              string
	EncryptedUserSymmetricKey   string
	EncryptedMasterPasswordHash string
	EncryptedMasterKey          string
	RuntimeConfig               RuntimeConfig `json:"-"`
}

type LoginToken struct {
	AccessToken  string `json:"access_token"`
	ExpiresIn    int    `json:"expires_in"`
	TokenType    string `json:"token_type"`
	RefreshToken string `json:"refresh_token"`
	Key          string `json:"key"`
}

type Config struct {
	useMemguard bool
	key         *LockedBuffer
	ConfigFile  ConfigFile
	mu          sync.Mutex
}

func DefaultConfig(useMemguard bool) Config {
	deviceUUID, _ := uuid.NewUUID()
	keyBuffer := NewBuffer(32, useMemguard)
	return Config{
		useMemguard,
		&keyBuffer,
		ConfigFile{
			IdentityUrl:                 "https://vault.bitwarden.com/identity",
			ApiUrl:                      "https://vault.bitwarden.com/api",
			NotificationsUrl:            "https://notifications.bitwarden.com",
			DeviceUUID:                  deviceUUID.String(),
			ConfigKeyHash:               "",
			EncryptedToken:              "",
			EncryptedUserSymmetricKey:   "",
			EncryptedMasterPasswordHash: "",
			EncryptedMasterKey:          "",
			RuntimeConfig:               RuntimeConfig{},
		},
		sync.Mutex{},
	}
}

func (c *Config) IsLocked() bool {
	key := (*c.key).Bytes()
	return bytes.Equal(key, make([]byte, 32)) && c.HasPin()
}

func (c *Config) IsLoggedIn() bool {
	return c.ConfigFile.EncryptedMasterPasswordHash != ""
}

func (c *Config) Unlock(password string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()

	if !c.IsLocked() {
		return true
	}

	key := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)
	debug.FreeOSMemory()
	keyHash := sha3.Sum256(key)
	configKeyHash := hex.EncodeToString(keyHash[:])
	if cryptoSubtle.ConstantTimeCompare([]byte(configKeyHash), []byte(c.ConfigFile.ConfigKeyHash)) != 1 {
		return false
	}

	keyBuffer := NewBufferFromBytes(key, c.useMemguard)
	c.key = &keyBuffer
	return true
}

func (c *Config) VerifyPin(password string) bool {
	key := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)
	debug.FreeOSMemory()
	keyHash := sha3.Sum256(key)
	configKeyHash := hex.EncodeToString(keyHash[:])
	if cryptoSubtle.ConstantTimeCompare([]byte(configKeyHash), []byte(c.ConfigFile.ConfigKeyHash)) != 1 {
		return false
	} else {
		return true
	}
}

func (c *Config) Lock() {
	c.mu.Lock()
	defer c.mu.Unlock()

	if c.IsLocked() {
		return
	}
	(*c.key).Wipe()
}

func (c *Config) Purge() {
	c.mu.Lock()
	defer c.mu.Unlock()

	c.ConfigFile.EncryptedMasterPasswordHash = ""
	c.ConfigFile.EncryptedToken = ""
	c.ConfigFile.EncryptedUserSymmetricKey = ""
	c.ConfigFile.ConfigKeyHash = ""
	c.ConfigFile.EncryptedMasterKey = ""
	key := NewBuffer(32, c.useMemguard)
	c.key = &key
}

func (c *Config) HasPin() bool {
	return c.ConfigFile.ConfigKeyHash != ""
}

func (c *Config) UpdatePin(password string, write bool) {
	c.mu.Lock()

	newKey := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)
	keyHash := sha3.Sum256(newKey)
	configKeyHash := hex.EncodeToString(keyHash[:])
	debug.FreeOSMemory()

	c.ConfigFile.ConfigKeyHash = configKeyHash

	plaintextToken, err1 := c.decryptString(c.ConfigFile.EncryptedToken)
	plaintextUserSymmetricKey, err3 := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)
	plaintextEncryptedMasterPasswordHash, err4 := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)
	plaintextMasterKey, err5 := c.decryptString(c.ConfigFile.EncryptedMasterKey)

	key := NewBufferFromBytes(newKey, c.useMemguard)
	c.key = &key

	if err1 == nil {
		c.ConfigFile.EncryptedToken, err1 = c.encryptString(plaintextToken)
	}
	if err3 == nil {
		c.ConfigFile.EncryptedUserSymmetricKey, err3 = c.encryptString(plaintextUserSymmetricKey)
	}
	if err4 == nil {
		c.ConfigFile.EncryptedMasterPasswordHash, err4 = c.encryptString(plaintextEncryptedMasterPasswordHash)
	}
	if err5 == nil {
		c.ConfigFile.EncryptedMasterKey, err5 = c.encryptString(plaintextMasterKey)
	}
	c.mu.Unlock()

	if write {
		c.WriteConfig()
	}
}

func (c *Config) GetToken() (LoginToken, error) {
	if c.IsLocked() {
		return LoginToken{}, errors.New("config is locked")
	}
	tokenJson, err := c.decryptString(c.ConfigFile.EncryptedToken)
	if err != nil {
		return LoginToken{}, err
	}

	var token LoginToken
	err = json.Unmarshal([]byte(tokenJson), &token)
	if err != nil {
		return LoginToken{}, err
	}
	return token, nil
}

func (c *Config) SetToken(token LoginToken) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}

	tokenJson, err := json.Marshal(token)
	encryptedToken, err := c.encryptString(string(tokenJson))
	if err != nil {
		return err
	}
	// c.mu.Lock()
	c.ConfigFile.EncryptedToken = encryptedToken
	// c.mu.Unlock()
	c.WriteConfig()
	return nil
}

func (c *Config) GetUserSymmetricKey() ([]byte, error) {
	if c.IsLocked() {
		return []byte{}, errors.New("config is locked")
	}
	decrypted, err := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)
	if err != nil {
		return []byte{}, err
	}
	return []byte(decrypted), nil
}

func (c *Config) SetUserSymmetricKey(key []byte) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encryptedKey, err := c.encryptString(string(key))
	if err != nil {
		return err
	}
	// c.mu.Lock()
	c.ConfigFile.EncryptedUserSymmetricKey = encryptedKey
	// c.mu.Unlock()
	c.WriteConfig()
	return nil
}

func (c *Config) GetMasterPasswordHash() ([]byte, error) {
	if c.IsLocked() {
		return []byte{}, errors.New("config is locked")
	}
	decrypted, err := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)
	if err != nil {
		return []byte{}, err
	}
	return []byte(decrypted), nil
}

func (c *Config) SetMasterPasswordHash(hash []byte) error {

	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encryptedHash, err := c.encryptString(string(hash))
	if err != nil {
		c.mu.Unlock()
		return err
	}

	// c.mu.Lock()
	c.ConfigFile.EncryptedMasterPasswordHash = encryptedHash
	// c.mu.Unlock()

	c.WriteConfig()
	return nil
}

func (c *Config) GetMasterKey() ([]byte, error) {
	if c.IsLocked() {
		return []byte{}, errors.New("config is locked")
	}
	decrypted, err := c.decryptString(c.ConfigFile.EncryptedMasterKey)
	if err != nil {
		return []byte{}, err
	}
	return []byte(decrypted), nil
}

func (c *Config) SetMasterKey(key []byte) error {
	if c.IsLocked() {
		return errors.New("config is locked")
	}
	encryptedKey, err := c.encryptString(string(key))
	if err != nil {
		return err
	}
	// c.mu.Lock()
	c.ConfigFile.EncryptedMasterKey = encryptedKey
	// c.mu.Unlock()
	c.WriteConfig()
	return nil
}

func (c *Config) encryptString(data string) (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}
	ca, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())
	if err != nil {
		return "", err
	}
	result, err := ca.Encrypt([]byte(data), []byte{})
	if err != nil {
		return "", err
	}

	return base64.StdEncoding.EncodeToString(result), nil
}

func (c *Config) decryptString(data string) (string, error) {
	if c.IsLocked() {
		return "", errors.New("config is locked")
	}

	decoded, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return "", err
	}

	ca, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())
	if err != nil {
		return "", err
	}
	result, err := ca.Decrypt(decoded, []byte{})
	if err != nil {
		return "", err
	}
	return string(result), nil
}

func (config *Config) WriteConfig() error {
	if config.ConfigFile.RuntimeConfig.DoNotPersistConfig {
		return nil
	}

	config.mu.Lock()
	defer config.mu.Unlock()

	jsonBytes, err := json.Marshal(config.ConfigFile)
	if err != nil {
		return err
	}

	// write to disk
	os.Remove(config.ConfigFile.RuntimeConfig.ConfigDirectory)
	file, err := os.OpenFile(config.ConfigFile.RuntimeConfig.ConfigDirectory, os.O_CREATE|os.O_WRONLY, 0600)
	if err != nil {
		return err
	}
	defer file.Close()

	_, err = file.Write(jsonBytes)
	if err != nil {
		return err
	}
	return nil
}

func ReadConfig(rtCfg RuntimeConfig) (Config, error) {
	file, err := os.Open(rtCfg.ConfigDirectory)
	if err != nil {
		key := NewBuffer(32, rtCfg.UseMemguard)
		return Config{
			key:        &key,
			ConfigFile: ConfigFile{},
		}, err
	}
	defer file.Close()

	decoder := json.NewDecoder(file)
	config := ConfigFile{}
	err = decoder.Decode(&config)
	if err != nil {
		key := NewBuffer(32, rtCfg.UseMemguard)
		return Config{
			key:        &key,
			ConfigFile: ConfigFile{},
		}, err
	}
	if config.ConfigKeyHash == "" {
		key := NewBuffer(32, rtCfg.UseMemguard)
		return Config{
			key:        &key,
			ConfigFile: config,
		}, nil
	}
	key := NewBuffer(32, rtCfg.UseMemguard)
	return Config{
		key:        &key,
		ConfigFile: config,
	}, nil
}

func (cfg *Config) TryUnlock(vault *vault.Vault) error {
	pin, err := pinentry.GetPassword("Unlock Goldwarden", "Enter the vault PIN")
	if err != nil {
		return err
	}
	success := cfg.Unlock(pin)
	if !success {
		return errors.New("invalid PIN")
	}

	if cfg.IsLoggedIn() {
		userKey, err := cfg.GetUserSymmetricKey()
		if err == nil {
			var key crypto.SymmetricEncryptionKey
			var err error
			if vault.Keyring.IsMemguard {
				key, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userKey)
			} else {
				key, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userKey)
			}
			if err != nil {
				return err
			}
			vault.Keyring.UnlockWithAccountKey(key)
		} else {
			cfg.Lock()
			return err
		}
	}

	return nil
}
Initial commit 2023-07-17 03:23:26 +02:00			`package config`

			`import (`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`"bytes"`
Initial commit 2023-07-17 03:23:26 +02:00			`cryptoSubtle "crypto/subtle"`
			`"encoding/base64"`
			`"encoding/hex"`
			`"encoding/json"`
			`"errors"`
			`"os"`
			`"runtime/debug"`
			`"sync"`

			`"github.com/google/uuid"`
			`"github.com/quexten/goldwarden/agent/bitwarden/crypto"`
Refactor platform abstractions 2023-09-12 02:54:46 +02:00			`"github.com/quexten/goldwarden/agent/systemauth/pinentry"`
Initial commit 2023-07-17 03:23:26 +02:00			`"github.com/quexten/goldwarden/agent/vault"`
			`"github.com/tink-crypto/tink-go/v2/aead/subtle"`
			`"golang.org/x/crypto/argon2"`
			`"golang.org/x/crypto/sha3"`
			`)`

			`const (`
Add more env variables 2023-08-21 18:37:34 +02:00			`KDFIterations = 2`
			`KDFMemory = 2 * 1024 * 1024`
			`KDFThreads = 8`
			`DefaultConfigPath = "~/.config/goldwarden.json"`
Initial commit 2023-07-17 03:23:26 +02:00			`)`

Add more env variables 2023-08-21 18:37:34 +02:00			`type RuntimeConfig struct {`
			`DisableAuth bool`
			`DisablePinRequirement bool`
			`AuthMethod string`
			`DoNotPersistConfig bool`
			`ConfigDirectory string`
			`DisableSSHAgent bool`
			`WebsocketDisabled bool`
			`ApiURI string`
			`IdentityURI string`
Fix login on main bitwarden instance 2023-09-11 14:14:27 +02:00			`NotificationsURI string`
Add more env variables 2023-08-21 18:37:34 +02:00			`SingleProcess bool`
			`DeviceUUID string`
			`User string`
			`Password string`
			`Pin string`
Add no memguard mode 2023-12-22 08:02:23 +01:00			`UseMemguard bool`
Add more env variables 2023-08-21 18:37:34 +02:00			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`type ConfigFile struct {`
			`IdentityUrl string`
			`ApiUrl string`
Fix login on main bitwarden instance 2023-09-11 14:14:27 +02:00			`NotificationsUrl string`
Initial commit 2023-07-17 03:23:26 +02:00			`DeviceUUID string`
			`ConfigKeyHash string`
			`EncryptedToken string`
			`EncryptedUserSymmetricKey string`
			`EncryptedMasterPasswordHash string`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`EncryptedMasterKey string`
Add more env variables 2023-08-21 18:37:34 +02:00			RuntimeConfig RuntimeConfig `json:"-"`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

			`type LoginToken struct {`
			AccessToken string `json:"access_token"`
			ExpiresIn int `json:"expires_in"`
			TokenType string `json:"token_type"`
			RefreshToken string `json:"refresh_token"`
			Key string `json:"key"`
			`}`

			`type Config struct {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`useMemguard bool`
			`key *LockedBuffer`
			`ConfigFile ConfigFile`
			`mu sync.Mutex`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

Make memguard fully optional 2023-12-22 12:01:21 +01:00			`func DefaultConfig(useMemguard bool) Config {`
Initial commit 2023-07-17 03:23:26 +02:00			`deviceUUID, _ := uuid.NewUUID()`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`keyBuffer := NewBuffer(32, useMemguard)`
Initial commit 2023-07-17 03:23:26 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`useMemguard,`
			`&keyBuffer,`
Initial commit 2023-07-17 03:23:26 +02:00			`ConfigFile{`
Fix login on main bitwarden instance 2023-09-11 14:14:27 +02:00			`IdentityUrl: "https://vault.bitwarden.com/identity",`
			`ApiUrl: "https://vault.bitwarden.com/api",`
			`NotificationsUrl: "https://notifications.bitwarden.com",`
Initial commit 2023-07-17 03:23:26 +02:00			`DeviceUUID: deviceUUID.String(),`
			`ConfigKeyHash: "",`
			`EncryptedToken: "",`
			`EncryptedUserSymmetricKey: "",`
			`EncryptedMasterPasswordHash: "",`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`EncryptedMasterKey: "",`
Add more env variables 2023-08-21 18:37:34 +02:00			`RuntimeConfig: RuntimeConfig{},`
Initial commit 2023-07-17 03:23:26 +02:00			`},`
			`sync.Mutex{},`
			`}`
			`}`

			`func (c *Config) IsLocked() bool {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := (*c.key).Bytes()`
			`return bytes.Equal(key, make([]byte, 32)) && c.HasPin()`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`func (c *Config) IsLoggedIn() bool {`
			`return c.ConfigFile.EncryptedMasterPasswordHash != ""`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`func (c *Config) Unlock(password string) bool {`
			`c.mu.Lock()`
			`defer c.mu.Unlock()`

			`if !c.IsLocked() {`
			`return true`
			`}`

			`key := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)`
			`debug.FreeOSMemory()`
			`keyHash := sha3.Sum256(key)`
			`configKeyHash := hex.EncodeToString(keyHash[:])`
			`if cryptoSubtle.ConstantTimeCompare([]byte(configKeyHash), []byte(c.ConfigFile.ConfigKeyHash)) != 1 {`
			`return false`
			`}`

Make memguard fully optional 2023-12-22 12:01:21 +01:00			`keyBuffer := NewBufferFromBytes(key, c.useMemguard)`
			`c.key = &keyBuffer`
Initial commit 2023-07-17 03:23:26 +02:00			`return true`
			`}`

Rework systemauth 2023-09-19 21:49:56 +02:00			`func (c *Config) VerifyPin(password string) bool {`
			`key := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)`
			`debug.FreeOSMemory()`
			`keyHash := sha3.Sum256(key)`
			`configKeyHash := hex.EncodeToString(keyHash[:])`
			`if cryptoSubtle.ConstantTimeCompare([]byte(configKeyHash), []byte(c.ConfigFile.ConfigKeyHash)) != 1 {`
			`return false`
			`} else {`
			`return true`
			`}`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`func (c *Config) Lock() {`
			`c.mu.Lock()`
			`defer c.mu.Unlock()`

			`if c.IsLocked() {`
			`return`
			`}`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`(*c.key).Wipe()`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

			`func (c *Config) Purge() {`
			`c.mu.Lock()`
			`defer c.mu.Unlock()`

			`c.ConfigFile.EncryptedMasterPasswordHash = ""`
			`c.ConfigFile.EncryptedToken = ""`
			`c.ConfigFile.EncryptedUserSymmetricKey = ""`
			`c.ConfigFile.ConfigKeyHash = ""`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`c.ConfigFile.EncryptedMasterKey = ""`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, c.useMemguard)`
			`c.key = &key`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

			`func (c *Config) HasPin() bool {`
			`return c.ConfigFile.ConfigKeyHash != ""`
			`}`

			`func (c *Config) UpdatePin(password string, write bool) {`
			`c.mu.Lock()`

			`newKey := argon2.Key([]byte(password), []byte(c.ConfigFile.DeviceUUID), KDFIterations, KDFMemory, KDFThreads, 32)`
			`keyHash := sha3.Sum256(newKey)`
			`configKeyHash := hex.EncodeToString(keyHash[:])`
			`debug.FreeOSMemory()`

			`c.ConfigFile.ConfigKeyHash = configKeyHash`

			`plaintextToken, err1 := c.decryptString(c.ConfigFile.EncryptedToken)`
			`plaintextUserSymmetricKey, err3 := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)`
			`plaintextEncryptedMasterPasswordHash, err4 := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`plaintextMasterKey, err5 := c.decryptString(c.ConfigFile.EncryptedMasterKey)`
Initial commit 2023-07-17 03:23:26 +02:00
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBufferFromBytes(newKey, c.useMemguard)`
			`c.key = &key`
Initial commit 2023-07-17 03:23:26 +02:00
			`if err1 == nil {`
			`c.ConfigFile.EncryptedToken, err1 = c.encryptString(plaintextToken)`
			`}`
			`if err3 == nil {`
			`c.ConfigFile.EncryptedUserSymmetricKey, err3 = c.encryptString(plaintextUserSymmetricKey)`
			`}`
			`if err4 == nil {`
			`c.ConfigFile.EncryptedMasterPasswordHash, err4 = c.encryptString(plaintextEncryptedMasterPasswordHash)`
			`}`
Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`if err5 == nil {`
			`c.ConfigFile.EncryptedMasterKey, err5 = c.encryptString(plaintextMasterKey)`
			`}`
Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`c.mu.Unlock()`
Initial commit 2023-07-17 03:23:26 +02:00
			`if write {`
			`c.WriteConfig()`
			`}`
			`}`

			`func (c *Config) GetToken() (LoginToken, error) {`
			`if c.IsLocked() {`
			`return LoginToken{}, errors.New("config is locked")`
			`}`
			`tokenJson, err := c.decryptString(c.ConfigFile.EncryptedToken)`
			`if err != nil {`
			`return LoginToken{}, err`
			`}`

			`var token LoginToken`
			`err = json.Unmarshal([]byte(tokenJson), &token)`
			`if err != nil {`
			`return LoginToken{}, err`
			`}`
			`return token, nil`
			`}`

			`func (c *Config) SetToken(token LoginToken) error {`
			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`

			`tokenJson, err := json.Marshal(token)`
			`encryptedToken, err := c.encryptString(string(tokenJson))`
			`if err != nil {`
			`return err`
			`}`
			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedToken = encryptedToken`
			`// c.mu.Unlock()`
			`c.WriteConfig()`
			`return nil`
			`}`

			`func (c *Config) GetUserSymmetricKey() ([]byte, error) {`
			`if c.IsLocked() {`
			`return []byte{}, errors.New("config is locked")`
			`}`
			`decrypted, err := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey)`
			`if err != nil {`
			`return []byte{}, err`
			`}`
			`return []byte(decrypted), nil`
			`}`

			`func (c *Config) SetUserSymmetricKey(key []byte) error {`
			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`
			`encryptedKey, err := c.encryptString(string(key))`
			`if err != nil {`
			`return err`
			`}`
			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedUserSymmetricKey = encryptedKey`
			`// c.mu.Unlock()`
			`c.WriteConfig()`
			`return nil`
			`}`

			`func (c *Config) GetMasterPasswordHash() ([]byte, error) {`
			`if c.IsLocked() {`
			`return []byte{}, errors.New("config is locked")`
			`}`
			`decrypted, err := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash)`
			`if err != nil {`
			`return []byte{}, err`
			`}`
			`return []byte(decrypted), nil`
			`}`

			`func (c *Config) SetMasterPasswordHash(hash []byte) error {`

			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`
			`encryptedHash, err := c.encryptString(string(hash))`
			`if err != nil {`
			`c.mu.Unlock()`
			`return err`
			`}`

			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedMasterPasswordHash = encryptedHash`
			`// c.mu.Unlock()`

			`c.WriteConfig()`
			`return nil`
			`}`

Port bw-bio-handler for browser biometrics 2023-07-17 05:02:29 +02:00			`func (c *Config) GetMasterKey() ([]byte, error) {`
			`if c.IsLocked() {`
			`return []byte{}, errors.New("config is locked")`
			`}`
			`decrypted, err := c.decryptString(c.ConfigFile.EncryptedMasterKey)`
			`if err != nil {`
			`return []byte{}, err`
			`}`
			`return []byte(decrypted), nil`
			`}`

			`func (c *Config) SetMasterKey(key []byte) error {`
			`if c.IsLocked() {`
			`return errors.New("config is locked")`
			`}`
			`encryptedKey, err := c.encryptString(string(key))`
			`if err != nil {`
			`return err`
			`}`
			`// c.mu.Lock()`
			`c.ConfigFile.EncryptedMasterKey = encryptedKey`
			`// c.mu.Unlock()`
			`c.WriteConfig()`
			`return nil`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`func (c *Config) encryptString(data string) (string, error) {`
			`if c.IsLocked() {`
			`return "", errors.New("config is locked")`
			`}`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`ca, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
			`return "", err`
			`}`
			`result, err := ca.Encrypt([]byte(data), []byte{})`
			`if err != nil {`
			`return "", err`
			`}`

			`return base64.StdEncoding.EncodeToString(result), nil`
			`}`

			`func (c *Config) decryptString(data string) (string, error) {`
			`if c.IsLocked() {`
			`return "", errors.New("config is locked")`
			`}`

			`decoded, err := base64.StdEncoding.DecodeString(data)`
			`if err != nil {`
			`return "", err`
			`}`

Make memguard fully optional 2023-12-22 12:01:21 +01:00			`ca, err := subtle.NewChaCha20Poly1305((*c.key).Bytes())`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
			`return "", err`
			`}`
			`result, err := ca.Decrypt(decoded, []byte{})`
			`if err != nil {`
			`return "", err`
			`}`
			`return string(result), nil`
			`}`

			`func (config *Config) WriteConfig() error {`
Add more env variables 2023-08-21 18:37:34 +02:00			`if config.ConfigFile.RuntimeConfig.DoNotPersistConfig {`
			`return nil`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`config.mu.Lock()`
			`defer config.mu.Unlock()`

			`jsonBytes, err := json.Marshal(config.ConfigFile)`
			`if err != nil {`
			`return err`
			`}`

			`// write to disk`
Add more env variables 2023-08-21 18:37:34 +02:00			`os.Remove(config.ConfigFile.RuntimeConfig.ConfigDirectory)`
			`file, err := os.OpenFile(config.ConfigFile.RuntimeConfig.ConfigDirectory, os.O_CREATE\|os.O_WRONLY, 0600)`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
			`return err`
			`}`
			`defer file.Close()`

			`_, err = file.Write(jsonBytes)`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`

Add more env variables 2023-08-21 18:37:34 +02:00			`func ReadConfig(rtCfg RuntimeConfig) (Config, error) {`
			`file, err := os.Open(rtCfg.ConfigDirectory)`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, rtCfg.UseMemguard)`
Add more env variables 2023-08-21 18:37:34 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key: &key,`
Add more env variables 2023-08-21 18:37:34 +02:00			`ConfigFile: ConfigFile{},`
			`}, err`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
			`defer file.Close()`

			`decoder := json.NewDecoder(file)`
			`config := ConfigFile{}`
			`err = decoder.Decode(&config)`
			`if err != nil {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, rtCfg.UseMemguard)`
Add more env variables 2023-08-21 18:37:34 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key: &key,`
Add more env variables 2023-08-21 18:37:34 +02:00			`ConfigFile: ConfigFile{},`
			`}, err`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
			`if config.ConfigKeyHash == "" {`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, rtCfg.UseMemguard)`
Add more env variables 2023-08-21 18:37:34 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key: &key,`
Add more env variables 2023-08-21 18:37:34 +02:00			`ConfigFile: config,`
			`}, nil`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key := NewBuffer(32, rtCfg.UseMemguard)`
Add more env variables 2023-08-21 18:37:34 +02:00			`return Config{`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`key: &key,`
Add more env variables 2023-08-21 18:37:34 +02:00			`ConfigFile: config,`
			`}, nil`
Initial commit 2023-07-17 03:23:26 +02:00			`}`

			`func (cfg Config) TryUnlock(vault vault.Vault) error {`
Refactor platform abstractions 2023-09-12 02:54:46 +02:00			`pin, err := pinentry.GetPassword("Unlock Goldwarden", "Enter the vault PIN")`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
			`return err`
			`}`
Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`success := cfg.Unlock(pin)`
			`if !success {`
			`return errors.New("invalid PIN")`
			`}`

			`if cfg.IsLoggedIn() {`
			`userKey, err := cfg.GetUserSymmetricKey()`
			`if err == nil {`
Add no memguard mode 2023-12-22 08:02:23 +01:00			`var key crypto.SymmetricEncryptionKey`
			`var err error`
			`if vault.Keyring.IsMemguard {`
			`key, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userKey)`
			`} else {`
			`key, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userKey)`
			`}`
Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`if err != nil {`
			`return err`
			`}`
Fix keyring locked detection 2023-12-22 12:43:38 +01:00			`vault.Keyring.UnlockWithAccountKey(key)`
Fix deadlock & unlocking 2023-07-17 05:42:21 +02:00			`} else {`
			`cfg.Lock()`
Initial commit 2023-07-17 03:23:26 +02:00			`return err`
			`}`
			`}`

			`return nil`
			`}`