vaultwarden
/
goldwarden-vaultwarden-bitwarden-client
mirror of https://github.com/quexten/goldwarden.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Attempt to fix browserbiometrics

This commit is contained in:
Bernd Schoolmann 2024-01-19 08:24:26 +01:00
parent 49e17b36ae
commit fd8d483e91
No known key found for this signature in database
4 changed files with 43 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
agent/actions/actions.go
View File

@ -37,6 +37,7 @@ func (registry *ActionsRegistry) Get(messageType messages.IPCMessageType) (Actio
func ensureIsLoggedIn(action Action) Action { func ensureIsLoggedIn(action Action) Action {
return func(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (messages.IPCMessage, error) { return func(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (messages.IPCMessage, error) {
if hash, err := cfg.GetMasterPasswordHash(); err != nil || len(hash) == 0 { if hash, err := cfg.GetMasterPasswordHash(); err != nil || len(hash) == 0 {
actionsLog.Error("EnsureIsLoggedIn - %s", err.Error())
return messages.IPCMessageFromPayload(messages.ActionResponse{ return messages.IPCMessageFromPayload(messages.ActionResponse{
Success: false, Success: false,
Message: "Not logged in", Message: "Not logged in",

43
agent/actions/browserbiometrics.go
View File

@ -1,6 +1,7 @@
package actions package actions
import ( import (
"context"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"time" "time"
@ -8,7 +9,6 @@ import (
"github.com/quexten/goldwarden/agent/config" "github.com/quexten/goldwarden/agent/config"
"github.com/quexten/goldwarden/agent/notify" "github.com/quexten/goldwarden/agent/notify"
"github.com/quexten/goldwarden/agent/sockets" "github.com/quexten/goldwarden/agent/sockets"
"github.com/quexten/goldwarden/agent/systemauth"
"github.com/quexten/goldwarden/agent/systemauth/biometrics" "github.com/quexten/goldwarden/agent/systemauth/biometrics"
"github.com/quexten/goldwarden/agent/systemauth/pinentry" "github.com/quexten/goldwarden/agent/systemauth/pinentry"
"github.com/quexten/goldwarden/agent/vault" "github.com/quexten/goldwarden/agent/vault"
@ -18,12 +18,47 @@ import (
func handleGetBiometricsKey(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (response messages.IPCMessage, err error) { func handleGetBiometricsKey(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (response messages.IPCMessage, err error) {
actionsLog.Info("Browser Biometrics: Key requested, verifying biometrics...") actionsLog.Info("Browser Biometrics: Key requested, verifying biometrics...")
if !(systemauth.VerifyPinSession(*ctx) || biometrics.CheckBiometrics(biometrics.BrowserBiometrics)) { authenticated := false
if cfg.IsLocked() {
actionsLog.Info("Browser Biometrics: Vault is locked, asking for pin...")
err := cfg.TryUnlock(vault)
if err != nil {
actionsLog.Info("Browser Biometrics: Vault not unlocked")
return messages.IPCMessage{}, err
}
ctx1 := context.Background()
success := sync(ctx1, vault, cfg)
if !success {
actionsLog.Info("Browser Biometrics: Vault not synced")
return messages.IPCMessage{}, err
}
actionsLog.Info("Browser Biometrics: Vault unlocked")
authenticated = true
} else {
authenticated = biometrics.CheckBiometrics(biometrics.BrowserBiometrics)
if !authenticated {
// todo, skip when explicitly denied instead of error
actionsLog.Info("Browser Biometrics: Biometrics not approved, asking for pin...")
pin, err := pinentry.GetPassword("Goldwarden", "Enter your pin to unlock your vault")
if err == nil {
authenticated = cfg.VerifyPin(pin)
if !authenticated {
actionsLog.Info("Browser Biometrics: Pin not approved")
} else {
actionsLog.Info("Browser Biometrics: Pin approved")
}
}
} else {
actionsLog.Info("Browser Biometrics: Biometrics approved")
}
}
if !authenticated {
response, err = messages.IPCMessageFromPayload(messages.ActionResponse{ response, err = messages.IPCMessageFromPayload(messages.ActionResponse{
Success: false, Success: false,
Message: "not approved", Message: "not approved",
}) })
actionsLog.Info("Browser Biometrics: Biometrics not approved %v", err)
if err != nil { if err != nil {
return messages.IPCMessage{}, err return messages.IPCMessage{}, err
} }
@ -58,5 +93,5 @@ func handleGetBiometricsKey(request messages.IPCMessage, cfg *config.Config, vau
} }
func init() { func init() {
AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.GetBiometricsKeyRequest{}), ensureIsNotLocked(ensureIsLoggedIn(handleGetBiometricsKey))) AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.GetBiometricsKeyRequest{}), handleGetBiometricsKey)
} }

2
agent/unixsocketagent.go
View File

@ -288,6 +288,8 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error {
fd, err := l.Accept() fd, err := l.Accept()
if err != nil { if err != nil {
println("accept error", err.Error()) println("accept error", err.Error())
} else {
log.Info("Accepted unix socket connection; handling request")
} }
go serveAgentSession(fd, ctx, vault, &cfg) go serveAgentSession(fd, ctx, vault, &cfg)

1
browserbiometrics/protocol.go
View File

@ -105,6 +105,7 @@ func handlePayloadMessage(msg PayloadMessage, appID string) {
case "biometricUnlock": case "biometricUnlock":
logging.Debugf("Biometric unlock requested") logging.Debugf("Biometric unlock requested")
// logging.Debugf("Biometrics authorized: %t", isAuthorized) // logging.Debugf("Biometrics authorized: %t", isAuthorized)
logging.Debugf("Connecting to agent at path %s", runtimeConfig.GoldwardenSocketPath)
result, err := client.NewUnixSocketClient(runtimeConfig).SendToAgent(messages.GetBiometricsKeyRequest{}) result, err := client.NewUnixSocketClient(runtimeConfig).SendToAgent(messages.GetBiometricsKeyRequest{})
if err != nil { if err != nil {
logging.Errorf("Unable to send message to agent: %s", err.Error()) logging.Errorf("Unable to send message to agent: %s", err.Error())