goldwarden-vaultwarden-bitw.../agent/unixsocketagent.go

package agent

import (
	"context"
	"encoding/json"
	"fmt"
	"net"
	"os"
	"time"

	"github.com/quexten/goldwarden/agent/actions"
	"github.com/quexten/goldwarden/agent/bitwarden"
	"github.com/quexten/goldwarden/agent/bitwarden/crypto"
	"github.com/quexten/goldwarden/agent/config"
	"github.com/quexten/goldwarden/agent/notify"
	"github.com/quexten/goldwarden/agent/processsecurity"
	"github.com/quexten/goldwarden/agent/sockets"
	"github.com/quexten/goldwarden/agent/ssh"
	"github.com/quexten/goldwarden/agent/vault"
	"github.com/quexten/goldwarden/ipc/messages"
	"github.com/quexten/goldwarden/logging"
)

const (
	FullSyncInterval     = 60 * time.Minute
	TokenRefreshInterval = 30 * time.Minute
)

var log = logging.GetLogger("Goldwarden", "Agent")

func writeError(c net.Conn, errMsg error) error {
	payload := messages.ActionResponse{
		Success: false,
		Message: errMsg.Error(),
	}
	payloadBytes, err := json.Marshal(payload)
	if err != nil {
		return err
	}
	_, err = c.Write(payloadBytes)
	if err != nil {
		return err
	}
	return nil
}

func serveAgentSession(c net.Conn, ctx context.Context, vault *vault.Vault, cfg *config.Config) {
	for {
		buf := make([]byte, 1024*1024)
		nr, err := c.Read(buf)
		if err != nil {
			return
		}

		data := buf[0:nr]

		var msg messages.IPCMessage
		err = json.Unmarshal(data, &msg)
		if err != nil {
			writeError(c, err)
			continue
		}

		responseBytes := []byte{}
		if action, actionFound := actions.AgentActionsRegistry.Get(msg.Type); actionFound {
			callingContext := sockets.GetCallingContext(c)
			payload, err := action(msg, cfg, vault, &callingContext)
			if err != nil {
				writeError(c, err)
				continue
			}
			responseBytes, err = json.Marshal(payload)
			if err != nil {
				writeError(c, err)
				continue
			}
		} else {
			payload := messages.ActionResponse{
				Success: false,
				Message: "Action not found",
			}
			payloadBytes, err := json.Marshal(payload)
			if err != nil {
				writeError(c, err)
				continue
			}
			responseBytes = payloadBytes
		}

		_, err = c.Write(responseBytes)
		if err != nil {
			log.Error("Failed writing to socket " + err.Error())
		}
	}
}

type AgentState struct {
}

func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
	ctx := context.Background()

	var keyring crypto.Keyring
	if runtimeConfig.UseMemguard {
		keyring = crypto.NewMemguardKeyring(nil)
	} else {
		keyring = crypto.NewMemoryKeyring(nil)
	}

	var vault = vault.NewVault(&keyring)
	cfg, err := config.ReadConfig(runtimeConfig)
	if err != nil {
		log.Warn("Could not read config: %s", err.Error())
		cfg = config.DefaultConfig(runtimeConfig.UseMemguard)
		cfg.ConfigFile.RuntimeConfig = runtimeConfig
		cfg.WriteConfig()
	}
	cfg.ConfigFile.RuntimeConfig = runtimeConfig
	if cfg.ConfigFile.RuntimeConfig.ApiURI != "" {
		cfg.ConfigFile.ApiUrl = cfg.ConfigFile.RuntimeConfig.ApiURI
	}
	if cfg.ConfigFile.RuntimeConfig.IdentityURI != "" {
		cfg.ConfigFile.IdentityUrl = cfg.ConfigFile.RuntimeConfig.IdentityURI
	}
	if cfg.ConfigFile.RuntimeConfig.NotificationsURI != "" {
		cfg.ConfigFile.NotificationsUrl = cfg.ConfigFile.RuntimeConfig.NotificationsURI
	}
	if cfg.ConfigFile.RuntimeConfig.DeviceUUID != "" {
		cfg.ConfigFile.DeviceUUID = cfg.ConfigFile.RuntimeConfig.DeviceUUID
	}

	if !cfg.IsLocked() {
		log.Warn("Config is not locked. SET A PIN!!")
		token, err := cfg.GetToken()
		if err == nil {
			if token.AccessToken != "" {
				// attempt to sync every minute until successful
				for {
					bitwarden.RefreshToken(ctx, &cfg)
					userSymmetricKey, err := cfg.GetUserSymmetricKey()
					if err != nil {
						fmt.Println(err)
						time.Sleep(60 * time.Second)
						continue
					}
					var protectedUserSymetricKey crypto.SymmetricEncryptionKey
					if vault.Keyring.IsMemguard {
						protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
					} else {
						protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
					}

					err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
					if err != nil {
						fmt.Println(err)
						time.Sleep(60 * time.Second)
						continue
					} else {
						break
					}
				}
			}
		}
	}

	processsecurity.DisableDumpable()
	go func() {
		err = processsecurity.MonitorLocks(func() {
			cfg.Lock()
			vault.Clear()
			vault.Keyring.Lock()
		})
		if err != nil {
			log.Warn("Could not monitor screensaver: %s", err.Error())
		}
	}()
	go func() {
		err = processsecurity.MonitorIdle(func() {
			log.Warn("Idling detected but no action is implemented")
		})
		if err != nil {
			log.Warn("Could not monitor idle: %s", err.Error())
		}
	}()
	go func() {
		err = notify.ListenForNotifications()
		if err != nil {
			log.Warn("Could not listen for notifications: %s", err.Error())
		}
	}()

	go func() {
		if !runtimeConfig.WebsocketDisabled {
			for {
				// polling, switch this to signal based later
				if !cfg.IsLocked() && cfg.IsLoggedIn() {
					bitwarden.RunWebsocketDaemon(ctx, vault, &cfg)
					time.Sleep(60 * time.Second)
				}
				time.Sleep(1 * time.Second)
			}
		}
	}()

	if !runtimeConfig.DisableSSHAgent {
		vaultAgent := ssh.NewVaultAgent(vault, &cfg, &runtimeConfig)
		vaultAgent.SetUnlockRequestAction(func() bool {
			err := cfg.TryUnlock(vault)
			if err == nil {
				token, err := cfg.GetToken()
				if err == nil {
					if token.AccessToken != "" {
						bitwarden.RefreshToken(ctx, &cfg)
						userSymmetricKey, err := cfg.GetUserSymmetricKey()
						if err != nil {
							fmt.Println(err)
						}
						var protectedUserSymetricKey crypto.SymmetricEncryptionKey
						if vault.Keyring.IsMemguard {
							protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)
						} else {
							protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)
						}

						err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
						if err != nil {
							fmt.Println(err)
						}
					}
				}
				return true
			}
			return false
		})
		go vaultAgent.Serve()
	}

	go func() {
		for {
			time.Sleep(TokenRefreshInterval)
			if !cfg.IsLocked() {
				bitwarden.RefreshToken(ctx, &cfg)
			}
		}
	}()

	go func() {
		for {
			time.Sleep(FullSyncInterval)
			if !cfg.IsLocked() {
				token, err := cfg.GetToken()
				if err != nil {
					log.Warn("Could not get token: %s", err.Error())
					continue
				}

				bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token), vault, &cfg, nil, false)
			}
		}
	}()

	if _, err := os.Stat(path); err == nil {
		if err := os.Remove(path); err != nil {
			return err
		}
	}

	l, err := net.Listen("unix", path)
	if err != nil {
		println("listen error", err.Error())
		return err
	}
	log.Info("Agent listening on %s...", path)

	go func() {
		for {
			fd, err := l.Accept()
			if err != nil {
				println("accept error", err.Error())
			}

			go serveAgentSession(fd, ctx, vault, &cfg)
		}
	}()

	mainloop()
	return nil
}
Initial commit 2023-07-17 03:23:26 +02:00			`package agent`

			`import (`
			`"context"`
			`"encoding/json"`
			`"fmt"`
			`"net"`
			`"os"`
			`"time"`

			`"github.com/quexten/goldwarden/agent/actions"`
			`"github.com/quexten/goldwarden/agent/bitwarden"`
			`"github.com/quexten/goldwarden/agent/bitwarden/crypto"`
			`"github.com/quexten/goldwarden/agent/config"`
Add notification support to the goldwarden daemon 2023-12-28 12:58:02 +01:00			`"github.com/quexten/goldwarden/agent/notify"`
Move processsecurity into submodule 2023-08-24 03:22:03 +02:00			`"github.com/quexten/goldwarden/agent/processsecurity"`
Initial commit 2023-07-17 03:23:26 +02:00			`"github.com/quexten/goldwarden/agent/sockets"`
			`"github.com/quexten/goldwarden/agent/ssh"`
			`"github.com/quexten/goldwarden/agent/vault"`
Refactor ipc 2023-09-20 03:05:44 +02:00			`"github.com/quexten/goldwarden/ipc/messages"`
Add more env variables 2023-08-21 18:37:34 +02:00			`"github.com/quexten/goldwarden/logging"`
Initial commit 2023-07-17 03:23:26 +02:00			`)`

			`const (`
			`FullSyncInterval = 60 * time.Minute`
			`TokenRefreshInterval = 30 * time.Minute`
			`)`

Add more env variables 2023-08-21 18:37:34 +02:00			`var log = logging.GetLogger("Goldwarden", "Agent")`
Initial commit 2023-07-17 03:23:26 +02:00
			`func writeError(c net.Conn, errMsg error) error {`
Refactor ipc 2023-09-20 03:05:44 +02:00			`payload := messages.ActionResponse{`
Initial commit 2023-07-17 03:23:26 +02:00			`Success: false,`
			`Message: errMsg.Error(),`
			`}`
			`payloadBytes, err := json.Marshal(payload)`
			`if err != nil {`
			`return err`
			`}`
			`_, err = c.Write(payloadBytes)`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`

			`func serveAgentSession(c net.Conn, ctx context.Context, vault vault.Vault, cfg config.Config) {`
			`for {`
			`buf := make([]byte, 1024*1024)`
			`nr, err := c.Read(buf)`
			`if err != nil {`
			`return`
			`}`

			`data := buf[0:nr]`

Refactor ipc 2023-09-20 03:05:44 +02:00			`var msg messages.IPCMessage`
Initial commit 2023-07-17 03:23:26 +02:00			`err = json.Unmarshal(data, &msg)`
			`if err != nil {`
			`writeError(c, err)`
			`continue`
			`}`

			`responseBytes := []byte{}`
			`if action, actionFound := actions.AgentActionsRegistry.Get(msg.Type); actionFound {`
			`callingContext := sockets.GetCallingContext(c)`
Introduce session cache 2023-09-12 18:56:35 +02:00			`payload, err := action(msg, cfg, vault, &callingContext)`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
			`writeError(c, err)`
			`continue`
			`}`
			`responseBytes, err = json.Marshal(payload)`
			`if err != nil {`
			`writeError(c, err)`
			`continue`
			`}`
			`} else {`
Refactor ipc 2023-09-20 03:05:44 +02:00			`payload := messages.ActionResponse{`
Initial commit 2023-07-17 03:23:26 +02:00			`Success: false,`
			`Message: "Action not found",`
			`}`
			`payloadBytes, err := json.Marshal(payload)`
			`if err != nil {`
			`writeError(c, err)`
			`continue`
			`}`
			`responseBytes = payloadBytes`
			`}`

			`_, err = c.Write(responseBytes)`
			`if err != nil {`
			`log.Error("Failed writing to socket " + err.Error())`
			`}`
			`}`
			`}`

			`type AgentState struct {`
			`}`

Add more env variables 2023-08-21 18:37:34 +02:00			`func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {`
Initial commit 2023-07-17 03:23:26 +02:00			`ctx := context.Background()`

Add no memguard mode 2023-12-22 08:02:23 +01:00			`var keyring crypto.Keyring`
			`if runtimeConfig.UseMemguard {`
			`keyring = crypto.NewMemguardKeyring(nil)`
			`} else {`
			`keyring = crypto.NewMemoryKeyring(nil)`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`var vault = vault.NewVault(&keyring)`
Add more env variables 2023-08-21 18:37:34 +02:00			`cfg, err := config.ReadConfig(runtimeConfig)`
Initial commit 2023-07-17 03:23:26 +02:00			`if err != nil {`
Add warning for error when reading config 2023-09-19 22:14:52 +02:00			`log.Warn("Could not read config: %s", err.Error())`
Make memguard fully optional 2023-12-22 12:01:21 +01:00			`cfg = config.DefaultConfig(runtimeConfig.UseMemguard)`
Fix login on main bitwarden instance 2023-09-11 14:14:27 +02:00			`cfg.ConfigFile.RuntimeConfig = runtimeConfig`
Initial commit 2023-07-17 03:23:26 +02:00			`cfg.WriteConfig()`
			`}`
Add more env variables 2023-08-21 18:37:34 +02:00			`cfg.ConfigFile.RuntimeConfig = runtimeConfig`
			`if cfg.ConfigFile.RuntimeConfig.ApiURI != "" {`
			`cfg.ConfigFile.ApiUrl = cfg.ConfigFile.RuntimeConfig.ApiURI`
			`}`
			`if cfg.ConfigFile.RuntimeConfig.IdentityURI != "" {`
			`cfg.ConfigFile.IdentityUrl = cfg.ConfigFile.RuntimeConfig.IdentityURI`
			`}`
Fix login on main bitwarden instance 2023-09-11 14:14:27 +02:00			`if cfg.ConfigFile.RuntimeConfig.NotificationsURI != "" {`
			`cfg.ConfigFile.NotificationsUrl = cfg.ConfigFile.RuntimeConfig.NotificationsURI`
			`}`
Add more env variables 2023-08-21 18:37:34 +02:00			`if cfg.ConfigFile.RuntimeConfig.DeviceUUID != "" {`
			`cfg.ConfigFile.DeviceUUID = cfg.ConfigFile.RuntimeConfig.DeviceUUID`
			`}`

Initial commit 2023-07-17 03:23:26 +02:00			`if !cfg.IsLocked() {`
Update no pin message 2023-07-17 05:02:56 +02:00			`log.Warn("Config is not locked. SET A PIN!!")`
Initial commit 2023-07-17 03:23:26 +02:00			`token, err := cfg.GetToken()`
			`if err == nil {`
			`if token.AccessToken != "" {`
Implement attempt sync until online 2023-09-20 03:32:37 +02:00			`// attempt to sync every minute until successful`
			`for {`
			`bitwarden.RefreshToken(ctx, &cfg)`
			`userSymmetricKey, err := cfg.GetUserSymmetricKey()`
			`if err != nil {`
			`fmt.Println(err)`
			`time.Sleep(60 * time.Second)`
			`continue`
			`}`
Add no memguard mode 2023-12-22 08:02:23 +01:00			`var protectedUserSymetricKey crypto.SymmetricEncryptionKey`
			`if vault.Keyring.IsMemguard {`
			`protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)`
			`} else {`
			`protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)`
			`}`
Implement attempt sync until online 2023-09-20 03:32:37 +02:00
			`err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)`
			`if err != nil {`
			`fmt.Println(err)`
			`time.Sleep(60 * time.Second)`
			`continue`
			`} else {`
			`break`
			`}`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
			`}`
			`}`
			`}`

Move processsecurity into submodule 2023-08-24 03:22:03 +02:00			`processsecurity.DisableDumpable()`
Add idle monitor 2023-12-28 01:04:46 +01:00			`go func() {`
			`err = processsecurity.MonitorLocks(func() {`
			`cfg.Lock()`
			`vault.Clear()`
			`vault.Keyring.Lock()`
			`})`
			`if err != nil {`
			`log.Warn("Could not monitor screensaver: %s", err.Error())`
			`}`
			`}()`
			`go func() {`
			`err = processsecurity.MonitorIdle(func() {`
			`log.Warn("Idling detected but no action is implemented")`
			`})`
			`if err != nil {`
			`log.Warn("Could not monitor idle: %s", err.Error())`
			`}`
			`}()`
Add notification support to the goldwarden daemon 2023-12-28 12:58:02 +01:00			`go func() {`
			`err = notify.ListenForNotifications()`
			`if err != nil {`
			`log.Warn("Could not listen for notifications: %s", err.Error())`
			`}`
			`}()`
Add lock on screensaver 2023-12-23 08:37:17 +01:00
Reconnect websocket on unlock 2023-12-28 11:45:36 +01:00			`go func() {`
			`if !runtimeConfig.WebsocketDisabled {`
			`for {`
			`// polling, switch this to signal based later`
			`if !cfg.IsLocked() && cfg.IsLoggedIn() {`
			`bitwarden.RunWebsocketDaemon(ctx, vault, &cfg)`
Fix websocket sometimes not connecting 2023-12-28 14:48:42 +01:00			`time.Sleep(60 * time.Second)`
Reconnect websocket on unlock 2023-12-28 11:45:36 +01:00			`}`
Fix websocket sometimes not connecting 2023-12-28 14:48:42 +01:00			`time.Sleep(1 * time.Second)`
Reconnect websocket on unlock 2023-12-28 11:45:36 +01:00			`}`
			`}`
			`}()`
Initial commit 2023-07-17 03:23:26 +02:00
Add more env variables 2023-08-21 18:37:34 +02:00			`if !runtimeConfig.DisableSSHAgent {`
Move daemon and ssh socket paths 2023-12-30 18:53:01 +01:00			`vaultAgent := ssh.NewVaultAgent(vault, &cfg, &runtimeConfig)`
Login with device & virtual ipc 2023-08-21 13:52:06 +02:00			`vaultAgent.SetUnlockRequestAction(func() bool {`
			`err := cfg.TryUnlock(vault)`
Initial commit 2023-07-17 03:23:26 +02:00			`if err == nil {`
Login with device & virtual ipc 2023-08-21 13:52:06 +02:00			`token, err := cfg.GetToken()`
			`if err == nil {`
			`if token.AccessToken != "" {`
			`bitwarden.RefreshToken(ctx, &cfg)`
			`userSymmetricKey, err := cfg.GetUserSymmetricKey()`
			`if err != nil {`
			`fmt.Println(err)`
			`}`
Add no memguard mode 2023-12-22 08:02:23 +01:00			`var protectedUserSymetricKey crypto.SymmetricEncryptionKey`
			`if vault.Keyring.IsMemguard {`
			`protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey)`
			`} else {`
			`protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey)`
			`}`
Login with device & virtual ipc 2023-08-21 13:52:06 +02:00
			`err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)`
			`if err != nil {`
			`fmt.Println(err)`
			`}`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
			`}`
Login with device & virtual ipc 2023-08-21 13:52:06 +02:00			`return true`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
Login with device & virtual ipc 2023-08-21 13:52:06 +02:00			`return false`
			`})`
			`go vaultAgent.Serve()`
			`}`
Initial commit 2023-07-17 03:23:26 +02:00
			`go func() {`
			`for {`
			`time.Sleep(TokenRefreshInterval)`
			`if !cfg.IsLocked() {`
			`bitwarden.RefreshToken(ctx, &cfg)`
			`}`
			`}`
			`}()`

			`go func() {`
			`for {`
			`time.Sleep(FullSyncInterval)`
			`if !cfg.IsLocked() {`
			`token, err := cfg.GetToken()`
			`if err != nil {`
			`log.Warn("Could not get token: %s", err.Error())`
			`continue`
			`}`

Allow offline start 2023-07-17 06:00:26 +02:00			`bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token), vault, &cfg, nil, false)`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
			`}`
			`}()`

			`if _, err := os.Stat(path); err == nil {`
			`if err := os.Remove(path); err != nil {`
			`return err`
			`}`
			`}`

			`l, err := net.Listen("unix", path)`
			`if err != nil {`
			`println("listen error", err.Error())`
			`return err`
			`}`
			`log.Info("Agent listening on %s...", path)`

Implement pinentry for mac and windows 2023-09-20 18:00:00 +02:00			`go func() {`
			`for {`
			`fd, err := l.Accept()`
			`if err != nil {`
			`println("accept error", err.Error())`
			`}`

			`go serveAgentSession(fd, ctx, vault, &cfg)`
Initial commit 2023-07-17 03:23:26 +02:00			`}`
Implement pinentry for mac and windows 2023-09-20 18:00:00 +02:00			`}()`
Initial commit 2023-07-17 03:23:26 +02:00
Implement pinentry for mac and windows 2023-09-20 18:00:00 +02:00			`mainloop()`
			`return nil`
Initial commit 2023-07-17 03:23:26 +02:00			`}`