Lock down session auth mode
This commit is contained in:
parent
f1395d4b6d
commit
35cc409943
4 changed files with 18 additions and 16 deletions
|
|
@ -103,7 +103,7 @@ func ensureIsNotLocked(action Action) Action {
|
|||
}
|
||||
}
|
||||
|
||||
systemauth.CreatePinSession(*ctx)
|
||||
systemauth.CreatePinSession(*ctx, systemauth.SSHTTL)
|
||||
}
|
||||
|
||||
return action(request, cfg, vault, ctx)
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ func (vaultAgent vaultAgent) List() ([]*agent.Key, error) {
|
|||
return nil, errors.New("vault is locked")
|
||||
}
|
||||
|
||||
systemauth.CreatePinSession(vaultAgent.context)
|
||||
systemauth.CreatePinSession(vaultAgent.context, systemauth.SSHTTL)
|
||||
}
|
||||
|
||||
vaultSSHKeys := (*vaultAgent.vault).GetSSHKeys()
|
||||
|
|
@ -87,7 +87,7 @@ func (vaultAgent vaultAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signatur
|
|||
return nil, errors.New("vault is locked")
|
||||
}
|
||||
|
||||
systemauth.CreatePinSession(vaultAgent.context)
|
||||
systemauth.CreatePinSession(vaultAgent.context, systemauth.SSHTTL)
|
||||
}
|
||||
|
||||
var signer ssh.Signer
|
||||
|
|
|
|||
|
|
@ -14,7 +14,8 @@ import (
|
|||
|
||||
var log = logging.GetLogger("Goldwarden", "Systemauth")
|
||||
|
||||
const tokenExpiry = 10 * time.Minute
|
||||
const tokenExpiry = 60 * time.Minute
|
||||
const SSHTTL = 60 * time.Minute
|
||||
|
||||
type SessionType string
|
||||
|
||||
|
|
@ -40,12 +41,12 @@ type SessionStore struct {
|
|||
Store []Session
|
||||
}
|
||||
|
||||
func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int, sessionType SessionType) Session {
|
||||
func (s *SessionStore) CreateSession(pid int, parentpid int, grandparentpid int, sessionType SessionType, ttl time.Duration) Session {
|
||||
var session = Session{
|
||||
Pid: pid,
|
||||
ParentPid: parentpid,
|
||||
GrandParentPid: grandparentpid,
|
||||
Expires: time.Now().Add(tokenExpiry),
|
||||
Expires: time.Now().Add(ttl),
|
||||
sessionType: sessionType,
|
||||
}
|
||||
s.Store = append(s.Store, session)
|
||||
|
|
@ -107,7 +108,7 @@ func GetPermission(sessionType SessionType, ctx sockets.CallingContext, config *
|
|||
// }
|
||||
|
||||
log.Info("Permission granted, creating session")
|
||||
sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, sessionType)
|
||||
sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, sessionType, tokenExpiry)
|
||||
}
|
||||
return true, nil
|
||||
}
|
||||
|
|
@ -128,8 +129,8 @@ func CheckBiometrics(callingContext *sockets.CallingContext, approvalType biomet
|
|||
return approval
|
||||
}
|
||||
|
||||
func CreatePinSession(ctx sockets.CallingContext) {
|
||||
sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, Pin)
|
||||
func CreatePinSession(ctx sockets.CallingContext, ttl time.Duration) Session {
|
||||
return sessionStore.CreateSession(ctx.ProcessPid, ctx.ParentProcessPid, ctx.GrandParentProcessPid, Pin, ttl)
|
||||
}
|
||||
|
||||
func VerifyPinSession(ctx sockets.CallingContext) bool {
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ package agent
|
|||
|
||||
import (
|
||||
"context"
|
||||
"crypto/subtle"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
|
|
@ -65,17 +66,17 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) {
|
|||
|
||||
// todo refactor to other file
|
||||
if msg.Type == messages.MessageTypeForEmptyPayload(messages.SessionAuthRequest{}) {
|
||||
log.Info("Received session auth request")
|
||||
req := messages.ParsePayload(msg).(messages.SessionAuthRequest)
|
||||
fmt.Println("Daemontoken", cfg.ConfigFile.RuntimeConfig.DaemonAuthToken)
|
||||
fmt.Println("Token", req.Token)
|
||||
fmt.Println(len(cfg.ConfigFile.RuntimeConfig.DaemonAuthToken), len(req.Token))
|
||||
verified := subtle.ConstantTimeCompare([]byte(cfg.ConfigFile.RuntimeConfig.DaemonAuthToken), []byte(req.Token)) == 1
|
||||
|
||||
payload := messages.SessionAuthResponse{
|
||||
Verified: cfg.ConfigFile.RuntimeConfig.DaemonAuthToken == req.Token,
|
||||
Verified: verified,
|
||||
}
|
||||
log.Info("Verified: %t", payload.Verified)
|
||||
log.Info("Verified: %t", verified)
|
||||
callingContext := sockets.GetCallingContext(c)
|
||||
systemauth.CreatePinSession(callingContext)
|
||||
if verified {
|
||||
systemauth.CreatePinSession(callingContext, 365*24*time.Hour) // permanent session
|
||||
}
|
||||
|
||||
responsePayload, err := messages.IPCMessageFromPayload(payload)
|
||||
if err != nil {
|
||||
|
|
|
|||
Loading…
Reference in a new issue