From fd8d483e918bd4404b2c1492812128661da732ab Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann
Date: Fri, 19 Jan 2024 08:24:26 +0100
Subject: [PATCH] Attempt to fix browserbiometrics
---
 agent/actions/actions.go | 1 +
 agent/actions/browserbiometrics.go | 43 +++++++++++++++++++++++++++---
 agent/unixsocketagent.go | 2 ++
 browserbiometrics/protocol.go | 1 +
 4 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/agent/actions/actions.go b/agent/actions/actions.go
index 5209778..ec8de47 100644
--- a/agent/actions/actions.go
+++ b/agent/actions/actions.go
@@ -37,6 +37,7 @@ func (registry *ActionsRegistry) Get(messageType messages.IPCMessageType) (Actio
 func ensureIsLoggedIn(action Action) Action {
 return func(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (messages.IPCMessage, error) {
 if hash, err := cfg.GetMasterPasswordHash(); err != nil || len(hash) == 0 {
+ actionsLog.Error("EnsureIsLoggedIn - %s", err.Error())
 return messages.IPCMessageFromPayload(messages.ActionResponse{
 Success: false,
 Message: "Not logged in",
diff --git a/agent/actions/browserbiometrics.go b/agent/actions/browserbiometrics.go
index d182dc7..7667026 100644
--- a/agent/actions/browserbiometrics.go
+++ b/agent/actions/browserbiometrics.go
@@ -1,6 +1,7 @@
 package actions
 import (
+ "context"
 "encoding/base64"
 "fmt"
 "time"
@@ -8,7 +9,6 @@ import (
 "github.com/quexten/goldwarden/agent/config"
 "github.com/quexten/goldwarden/agent/notify"
 "github.com/quexten/goldwarden/agent/sockets"
- "github.com/quexten/goldwarden/agent/systemauth"
 "github.com/quexten/goldwarden/agent/systemauth/biometrics"
 "github.com/quexten/goldwarden/agent/systemauth/pinentry"
 "github.com/quexten/goldwarden/agent/vault"
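Review bot: The new `actionsLog.Error("EnsureIsLoggedIn - %s", err.Error())` line dereferences err on the `len(hash) == 0` branch, where err is nil, so an empty master-password hash now panics inside the wrapper instead of producing the "Not logged in" response. Log with a nil-safe verb and name the condition that fired: `actionsLog.Error("EnsureIsLoggedIn - not logged in (hash empty: %t, err: %v)", len(hash) == 0, err)`. The closure this check belongs to continues past the end of the hunk.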
@@ -18,12 +18,47 @@ import (
 func handleGetBiometricsKey(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (response messages.IPCMessage, err error) {
 actionsLog.Info("Browser Biometrics: Key requested, verifying biometrics...")
- if !(systemauth.VerifyPinSession(*ctx) || biometrics.CheckBiometrics(biometrics.BrowserBiometrics)) {
+ authenticated := false
+
+ if cfg.IsLocked() {
+ actionsLog.Info("Browser Biometrics: Vault is locked, asking for pin...")
+ err := cfg.TryUnlock(vault)
+ if err != nil {
+ actionsLog.Info("Browser Biometrics: Vault not unlocked")
+ return messages.IPCMessage{}, err
+ }
+ ctx1 := context.Background()
+ success := sync(ctx1, vault, cfg)
+ if !success {
+ actionsLog.Info("Browser Biometrics: Vault not synced")
+ return messages.IPCMessage{}, err
+ }
+ actionsLog.Info("Browser Biometrics: Vault unlocked")
+ authenticated = true
+ } else {
+ authenticated = biometrics.CheckBiometrics(biometrics.BrowserBiometrics)
+ if !authenticated {
+ // todo, skip when explicitly denied instead of error
+ actionsLog.Info("Browser Biometrics: Biometrics not approved, asking for pin...")
+ pin, err := pinentry.GetPassword("Goldwarden", "Enter your pin to unlock your vault")
+ if err == nil {
+ authenticated = cfg.VerifyPin(pin)
+ if !authenticated {
+ actionsLog.Info("Browser Biometrics: Pin not approved")
+ } else {
+ actionsLog.Info("Browser Biometrics: Pin approved")
+ }
+ }
+ } else {
+ actionsLog.Info("Browser Biometrics: Biometrics approved")
+ }
+ }
+
+ if !authenticated {
 response, err = messages.IPCMessageFromPayload(messages.ActionResponse{
 Success: false,
 Message: "not approved",
 })
- actionsLog.Info("Browser Biometrics: Biometrics not approved %v", err)
 if err != nil {
 return messages.IPCMessage{}, err
 }
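Review bot: In the locked branch, `return messages.IPCMessage{}, err` after `if !success` returns a nil error, because the `err` in scope is the shadowed one from `cfg.TryUnlock` that was just checked to be nil, so the caller gets an empty message and no error to act on. Return an explicit error there, e.g. `return messages.IPCMessage{}, fmt.Errorf("browser biometrics: vault sync failed after unlock")` (fmt is already imported in this file). Separately, that branch sets `authenticated = true` on the strength of `cfg.TryUnlock` alone; the preceding log line suggests TryUnlock prompts for the pin, but that is not visible here, and if it does not, a locked vault would release the biometrics key with no biometric or pin check, so a comment such as `// TryUnlock prompts for the pin; a successful unlock is the user check on this path` would pin down that assumption. `sync(ctx1, ...)` with `context.Background()` also runs with no deadline, so a stalled sync blocks the browser request indefinitely. handleGetBiometricsKey's body continues past the end of the hunk.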
@@ -58,5 +93,5 @@ func handleGetBiometricsKey(request messages.IPCMessage, cfg *config.Config, vau
 }
 func init() {
- AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.GetBiometricsKeyRequest{}), ensureIsNotLocked(ensureIsLoggedIn(handleGetBiometricsKey)))
+ AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.GetBiometricsKeyRequest{}), handleGetBiometricsKey)
 }
diff --git a/agent/unixsocketagent.go b/agent/unixsocketagent.go
index e4fec05..0a01a71 100644
--- a/agent/unixsocketagent.go
+++ b/agent/unixsocketagent.go
@@ -288,6 +288,8 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
 fd, err := l.Accept()
 if err != nil {
 println("accept error", err.Error())
+ } else {
+ log.Info("Accepted unix socket connection; handling request")
 }
 go serveAgentSession(fd, ctx, vault, &cfg)
diff --git a/browserbiometrics/protocol.go b/browserbiometrics/protocol.go
index d8ed9cc..cb75359 100644
--- a/browserbiometrics/protocol.go
+++ b/browserbiometrics/protocol.go
@@ -105,6 +105,7 @@ func handlePayloadMessage(msg PayloadMessage, appID string) {
 case "biometricUnlock":
 logging.Debugf("Biometric unlock requested")
 // logging.Debugf("Biometrics authorized: %t", isAuthorized)
+ logging.Debugf("Connecting to agent at path %s", runtimeConfig.GoldwardenSocketPath)
 result, err := client.NewUnixSocketClient(runtimeConfig).SendToAgent(messages.GetBiometricsKeyRequest{})
 if err != nil {
 logging.Errorf("Unable to send message to agent: %s", err.Error())
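Review bot: Dropping the `ensureIsLoggedIn` wrapper from the registration makes handleGetBiometricsKey reachable with no master-password hash stored; the new handler checks `cfg.IsLocked()`, biometrics and the pin but has no logged-in check of its own, so the request now proceeds into `cfg.TryUnlock` and `sync` on an account that never logged in (how those behave in that state is not visible here). Removing `ensureIsNotLocked` is what the new locked-vault branch needs, but the login check can stay: `AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.GetBiometricsKeyRequest{}), ensureIsLoggedIn(handleGetBiometricsKey))`. The `}` at the top of the hunk closes handleGetBiometricsKey, whose body starts outside the hunk.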
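Review bot: The added `else` branch makes the accept-error path explicit, but after `println("accept error", err.Error())` control still falls through to `go serveAgentSession(fd, ctx, vault, &cfg)` with whatever `l.Accept()` returned alongside the error (a nil connection for the standard net.Listener), so every failed accept spawns a session goroutine on an unusable connection. Add `continue` after the println so the error path skips the `go` statement, or move the `go serveAgentSession(...)` call into the else branch next to the new log line. The accept loop enclosing this hunk starts and ends outside it.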