2023-07-17 03:23:26 +02:00
|
|
|
package agent
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
"net"
|
|
|
|
"os"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/quexten/goldwarden/agent/actions"
|
|
|
|
"github.com/quexten/goldwarden/agent/bitwarden"
|
|
|
|
"github.com/quexten/goldwarden/agent/bitwarden/crypto"
|
|
|
|
"github.com/quexten/goldwarden/agent/config"
|
|
|
|
"github.com/quexten/goldwarden/agent/sockets"
|
|
|
|
"github.com/quexten/goldwarden/agent/ssh"
|
|
|
|
"github.com/quexten/goldwarden/agent/vault"
|
|
|
|
"github.com/quexten/goldwarden/ipc"
|
2023-08-21 18:37:34 +02:00
|
|
|
"github.com/quexten/goldwarden/logging"
|
2023-07-17 03:23:26 +02:00
|
|
|
"golang.org/x/sys/unix"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
FullSyncInterval = 60 * time.Minute
|
|
|
|
TokenRefreshInterval = 30 * time.Minute
|
|
|
|
)
|
|
|
|
|
2023-08-21 18:37:34 +02:00
|
|
|
var log = logging.GetLogger("Goldwarden", "Agent")
|
2023-07-17 03:23:26 +02:00
|
|
|
|
|
|
|
func writeError(c net.Conn, errMsg error) error {
|
|
|
|
payload := ipc.ActionResponse{
|
|
|
|
Success: false,
|
|
|
|
Message: errMsg.Error(),
|
|
|
|
}
|
|
|
|
payloadBytes, err := json.Marshal(payload)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
_, err = c.Write(payloadBytes)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func serveAgentSession(c net.Conn, ctx context.Context, vault *vault.Vault, cfg *config.Config) {
|
|
|
|
for {
|
|
|
|
buf := make([]byte, 1024*1024)
|
|
|
|
nr, err := c.Read(buf)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
data := buf[0:nr]
|
|
|
|
|
|
|
|
var msg ipc.IPCMessage
|
|
|
|
err = json.Unmarshal(data, &msg)
|
|
|
|
if err != nil {
|
|
|
|
writeError(c, err)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
responseBytes := []byte{}
|
|
|
|
if action, actionFound := actions.AgentActionsRegistry.Get(msg.Type); actionFound {
|
|
|
|
callingContext := sockets.GetCallingContext(c)
|
|
|
|
payload, err := action(msg, cfg, vault, callingContext)
|
|
|
|
if err != nil {
|
|
|
|
writeError(c, err)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
responseBytes, err = json.Marshal(payload)
|
|
|
|
if err != nil {
|
|
|
|
writeError(c, err)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
payload := ipc.ActionResponse{
|
|
|
|
Success: false,
|
|
|
|
Message: "Action not found",
|
|
|
|
}
|
|
|
|
payloadBytes, err := json.Marshal(payload)
|
|
|
|
if err != nil {
|
|
|
|
writeError(c, err)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
responseBytes = payloadBytes
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = c.Write(responseBytes)
|
|
|
|
if err != nil {
|
|
|
|
log.Error("Failed writing to socket " + err.Error())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func disableDumpable() error {
|
|
|
|
return unix.Prctl(unix.PR_SET_DUMPABLE, 0, 0, 0, 0)
|
|
|
|
}
|
|
|
|
|
|
|
|
type AgentState struct {
|
|
|
|
vault *vault.Vault
|
|
|
|
config *config.ConfigFile
|
|
|
|
}
|
|
|
|
|
2023-08-21 18:37:34 +02:00
|
|
|
func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
|
2023-07-17 03:23:26 +02:00
|
|
|
ctx := context.Background()
|
|
|
|
|
|
|
|
// check if exists
|
|
|
|
keyring := crypto.NewKeyring(nil)
|
|
|
|
var vault = vault.NewVault(&keyring)
|
2023-08-21 18:37:34 +02:00
|
|
|
cfg, err := config.ReadConfig(runtimeConfig)
|
2023-07-17 03:23:26 +02:00
|
|
|
if err != nil {
|
|
|
|
var cfg = config.DefaultConfig()
|
|
|
|
cfg.WriteConfig()
|
|
|
|
}
|
2023-08-21 18:37:34 +02:00
|
|
|
cfg.ConfigFile.RuntimeConfig = runtimeConfig
|
|
|
|
if cfg.ConfigFile.RuntimeConfig.ApiURI != "" {
|
|
|
|
cfg.ConfigFile.ApiUrl = cfg.ConfigFile.RuntimeConfig.ApiURI
|
|
|
|
}
|
|
|
|
if cfg.ConfigFile.RuntimeConfig.IdentityURI != "" {
|
|
|
|
cfg.ConfigFile.IdentityUrl = cfg.ConfigFile.RuntimeConfig.IdentityURI
|
|
|
|
}
|
|
|
|
if cfg.ConfigFile.RuntimeConfig.DeviceUUID != "" {
|
|
|
|
cfg.ConfigFile.DeviceUUID = cfg.ConfigFile.RuntimeConfig.DeviceUUID
|
|
|
|
}
|
|
|
|
|
2023-07-17 03:23:26 +02:00
|
|
|
if !cfg.IsLocked() {
|
2023-07-17 05:02:56 +02:00
|
|
|
log.Warn("Config is not locked. SET A PIN!!")
|
2023-07-17 03:23:26 +02:00
|
|
|
token, err := cfg.GetToken()
|
|
|
|
if err == nil {
|
|
|
|
if token.AccessToken != "" {
|
|
|
|
bitwarden.RefreshToken(ctx, &cfg)
|
|
|
|
userSymmetricKey, err := cfg.GetUserSymmetricKey()
|
|
|
|
if err != nil {
|
|
|
|
fmt.Println(err)
|
|
|
|
}
|
|
|
|
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
|
|
|
|
2023-07-17 06:00:26 +02:00
|
|
|
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
2023-07-17 03:23:26 +02:00
|
|
|
if err != nil {
|
|
|
|
fmt.Println(err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
disableDumpable()
|
2023-08-21 18:37:34 +02:00
|
|
|
if !runtimeConfig.WebsocketDisabled {
|
2023-08-21 13:52:06 +02:00
|
|
|
go bitwarden.RunWebsocketDaemon(ctx, vault, &cfg)
|
|
|
|
}
|
2023-07-17 03:23:26 +02:00
|
|
|
|
2023-08-21 18:37:34 +02:00
|
|
|
if !runtimeConfig.DisableSSHAgent {
|
2023-08-21 13:52:06 +02:00
|
|
|
vaultAgent := ssh.NewVaultAgent(vault)
|
|
|
|
vaultAgent.SetUnlockRequestAction(func() bool {
|
|
|
|
err := cfg.TryUnlock(vault)
|
2023-07-17 03:23:26 +02:00
|
|
|
if err == nil {
|
2023-08-21 13:52:06 +02:00
|
|
|
token, err := cfg.GetToken()
|
|
|
|
if err == nil {
|
|
|
|
if token.AccessToken != "" {
|
|
|
|
bitwarden.RefreshToken(ctx, &cfg)
|
|
|
|
userSymmetricKey, err := cfg.GetUserSymmetricKey()
|
|
|
|
if err != nil {
|
|
|
|
fmt.Println(err)
|
|
|
|
}
|
|
|
|
protectedUserSymetricKey, err := crypto.SymmetricEncryptionKeyFromBytes(userSymmetricKey)
|
|
|
|
|
|
|
|
err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true)
|
|
|
|
if err != nil {
|
|
|
|
fmt.Println(err)
|
|
|
|
}
|
2023-07-17 03:23:26 +02:00
|
|
|
}
|
|
|
|
}
|
2023-08-21 13:52:06 +02:00
|
|
|
return true
|
2023-07-17 03:23:26 +02:00
|
|
|
}
|
2023-08-21 13:52:06 +02:00
|
|
|
return false
|
|
|
|
})
|
|
|
|
go vaultAgent.Serve()
|
|
|
|
}
|
2023-07-17 03:23:26 +02:00
|
|
|
|
|
|
|
go func() {
|
|
|
|
for {
|
|
|
|
time.Sleep(TokenRefreshInterval)
|
|
|
|
if !cfg.IsLocked() {
|
|
|
|
bitwarden.RefreshToken(ctx, &cfg)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
for {
|
|
|
|
time.Sleep(FullSyncInterval)
|
|
|
|
if !cfg.IsLocked() {
|
|
|
|
token, err := cfg.GetToken()
|
|
|
|
if err != nil {
|
|
|
|
log.Warn("Could not get token: %s", err.Error())
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2023-07-17 06:00:26 +02:00
|
|
|
bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token), vault, &cfg, nil, false)
|
2023-07-17 03:23:26 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
|
|
|
if _, err := os.Stat(path); err == nil {
|
|
|
|
if err := os.Remove(path); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
l, err := net.Listen("unix", path)
|
|
|
|
if err != nil {
|
|
|
|
println("listen error", err.Error())
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
log.Info("Agent listening on %s...", path)
|
|
|
|
|
|
|
|
for {
|
|
|
|
fd, err := l.Accept()
|
|
|
|
if err != nil {
|
|
|
|
println("accept error", err.Error())
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
go serveAgentSession(fd, ctx, vault, &cfg)
|
|
|
|
}
|
|
|
|
}
|