From d2cd2da7e26df3b69a54d8035d3487a6b51613d6 Mon Sep 17 00:00:00 2001 From: Bernd Schoolmann Date: Fri, 19 Jan 2024 09:26:19 +0100 Subject: [PATCH] Fix vault pin not settable without biometrics --- agent/actions/vault.go | 54 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 52 insertions(+), 2 deletions(-) diff --git a/agent/actions/vault.go b/agent/actions/vault.go index 23dd188..0decc5c 100644 --- a/agent/actions/vault.go +++ b/agent/actions/vault.go @@ -7,7 +7,7 @@ import ( "github.com/quexten/goldwarden/agent/bitwarden/crypto" "github.com/quexten/goldwarden/agent/config" "github.com/quexten/goldwarden/agent/sockets" - "github.com/quexten/goldwarden/agent/systemauth" + "github.com/quexten/goldwarden/agent/systemauth/biometrics" "github.com/quexten/goldwarden/agent/systemauth/pinentry" "github.com/quexten/goldwarden/agent/vault" @@ -160,6 +160,56 @@ func handleWipeVault(request messages.IPCMessage, cfg *config.Config, vault *vau } func handleUpdateVaultPin(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, callingContext *sockets.CallingContext) (response messages.IPCMessage, err error) { + //todo refactor + if cfg.HasPin() { + authenticated := false + if cfg.IsLocked() { + actionsLog.Info("Browser Biometrics: Vault is locked, asking for pin...") + err := cfg.TryUnlock(vault) + if err != nil { + actionsLog.Info("Browser Biometrics: Vault not unlocked") + return messages.IPCMessage{}, err + } + ctx1 := context.Background() + success := sync(ctx1, vault, cfg) + if !success { + actionsLog.Info("Browser Biometrics: Vault not synced") + return messages.IPCMessage{}, err + } + actionsLog.Info("Browser Biometrics: Vault unlocked") + authenticated = true + } else { + authenticated = biometrics.CheckBiometrics(biometrics.BrowserBiometrics) + if !authenticated { + // todo, skip when explicitly denied instead of error + actionsLog.Info("Browser Biometrics: Biometrics not approved, asking for pin...") + pin, err := pinentry.GetPassword("Goldwarden", "Enter your pin to unlock your vault") + if err == nil { + authenticated = cfg.VerifyPin(pin) + if !authenticated { + actionsLog.Info("Browser Biometrics: Pin not approved") + } else { + actionsLog.Info("Browser Biometrics: Pin approved") + } + } + } else { + actionsLog.Info("Browser Biometrics: Biometrics approved") + } + } + + if !authenticated { + response, err = messages.IPCMessageFromPayload(messages.ActionResponse{ + Success: false, + Message: "Not authenticated", + }) + if err != nil { + return messages.IPCMessage{}, err + } else { + return response, nil + } + } + } + pin, err := pinentry.GetPassword("Pin Change", "Enter your desired pin") if err != nil { response, err = messages.IPCMessageFromPayload(messages.ActionResponse{ @@ -214,7 +264,7 @@ func init() { AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.UnlockVaultRequest{}), handleUnlockVault) AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.LockVaultRequest{}), handleLockVault) AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.WipeVaultRequest{}), handleWipeVault) - AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.UpdateVaultPINRequest{}), ensureBiometricsAuthorized(systemauth.AccessVault, handleUpdateVaultPin)) + AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.UpdateVaultPINRequest{}), handleUpdateVaultPin) AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.GetVaultPINRequest{}), handlePinStatus) AgentActionsRegistry.Register(messages.MessageTypeForEmptyPayload(messages.VaultStatusRequest{}), handleVaultStatus) }