From a0b82eb1752f39fcdd5fa9f1188912e00f42d26b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 3 Mar 2024 01:37:04 +0100 Subject: [PATCH 1/2] Fix typos --- agent/unixsocketagent.go | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/agent/unixsocketagent.go b/agent/unixsocketagent.go index 149f1a5..af4a0b7 100644 --- a/agent/unixsocketagent.go +++ b/agent/unixsocketagent.go @@ -145,9 +145,9 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) { }, } - pinnentrySetError := pinentry.SetExternalPinentry(pe) + pinentrySetError := pinentry.SetExternalPinentry(pe) payload := messages.PinentryRegistrationResponse{ - Success: pinnentrySetError == nil, + Success: pinentrySetError == nil, } log.Info("Pinentry registration success: %t", payload.Success) @@ -169,7 +169,7 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) { _, err = c.Write([]byte("\n")) time.Sleep(50 * time.Millisecond) //todo fix properly - if pinnentrySetError != nil { + if pinentrySetError != nil { return } @@ -348,14 +348,14 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { time.Sleep(60 * time.Second) continue } - var protectedUserSymetricKey crypto.SymmetricEncryptionKey + var protectedUserSymmetricKey crypto.SymmetricEncryptionKey if vault.Keyring.IsMemguard { - protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey) + protectedUserSymmetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey) } else { - protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) + protectedUserSymmetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) } - err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true) + err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymmetricKey, true) if err != nil { log.Error("Could not sync: %s", err.Error()) notify.Notify("Goldwarden", "Could not perform initial sync", "", 0, func() {}) @@ -435,14 +435,14 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { if err != nil { log.Error("Could not get user symmetric key: %s", err.Error()) } - var protectedUserSymetricKey crypto.SymmetricEncryptionKey + var protectedUserSymmetricKey crypto.SymmetricEncryptionKey if vault.Keyring.IsMemguard { - protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey) + protectedUserSymmetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(userSymmetricKey) } else { - protectedUserSymetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) + protectedUserSymmetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) } - err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymetricKey, true) + err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymmetricKey, true) if err != nil { log.Error("Could not sync: %s", err.Error()) notify.Notify("Goldwarden", "Could not perform initial sync on ssh unlock", "", 0, func() {}) From eb400ee656e75306472e86f15cce9a6f9574adab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 3 Mar 2024 01:38:11 +0100 Subject: [PATCH 2/2] Fix whole bunch of lints --- agent/actions/config.go | 18 ++++- agent/actions/login.go | 12 ++-- agent/actions/logins.go | 12 +--- agent/actions/vault.go | 5 +- agent/bitwarden/auth.go | 22 +++++- agent/bitwarden/crypto/crypto.go | 6 ++ agent/bitwarden/crypto/keyhierarchy.go | 10 ++- agent/bitwarden/send.go | 5 +- agent/bitwarden/sync.go | 11 ++- agent/bitwarden/websocket.go | 23 +++---- agent/config/config.go | 92 +++++++++++++++++--------- agent/notify/dbus.go | 50 +++++++------- agent/processsecurity/unix.go | 38 +++++------ agent/unixsocketagent.go | 36 +++++++--- 14 files changed, 210 insertions(+), 130 deletions(-) diff --git a/agent/actions/config.go b/agent/actions/config.go index 4479ea7..e6a7807 100644 --- a/agent/actions/config.go +++ b/agent/actions/config.go @@ -144,7 +144,14 @@ func handleGetConfigEnvironment(request messages.IPCMessage, cfg *config.Config, func handleSetClientID(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (response messages.IPCMessage, err error) { clientID := messages.ParsePayload(request).(messages.SetClientIDRequest).Value - cfg.SetClientID(clientID) + err = cfg.SetClientID(clientID) + if err != nil { + return messages.IPCMessageFromPayload(messages.ActionResponse{ + Success: false, + Message: err.Error(), + }) + } + err = cfg.WriteConfig() if err != nil { return messages.IPCMessageFromPayload(messages.ActionResponse{ @@ -160,7 +167,14 @@ func handleSetClientID(request messages.IPCMessage, cfg *config.Config, vault *v func handleSetClientSecret(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, ctx *sockets.CallingContext) (response messages.IPCMessage, err error) { clientSecret := messages.ParsePayload(request).(messages.SetClientSecretRequest).Value - cfg.SetClientSecret(clientSecret) + err = cfg.SetClientSecret(clientSecret) + if err != nil { + return messages.IPCMessageFromPayload(messages.ActionResponse{ + Success: false, + Message: err.Error(), + }) + } + err = cfg.WriteConfig() if err != nil { return messages.IPCMessageFromPayload(messages.ActionResponse{ diff --git a/agent/actions/login.go b/agent/actions/login.go index 1109b06..5f2a8e3 100644 --- a/agent/actions/login.go +++ b/agent/actions/login.go @@ -56,7 +56,7 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault return } - cfg.SetToken(config.LoginToken{ + _ = cfg.SetToken(config.LoginToken{ AccessToken: token.AccessToken, ExpiresIn: token.ExpiresIn, TokenType: token.TokenType, @@ -87,7 +87,7 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault if err != nil { defer func() { notify.Notify("Goldwarden", "Could not decrypt. Wrong password?", "", 10*time.Second, func() {}) - cfg.SetToken(config.LoginToken{}) + _ = cfg.SetToken(config.LoginToken{}) vault.Clear() }() @@ -102,9 +102,9 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault return } - cfg.SetUserSymmetricKey(vault.Keyring.GetAccountKey().Bytes()) - cfg.SetMasterPasswordHash([]byte(masterpasswordHash)) - cfg.SetMasterKey([]byte(masterKey.GetBytes())) + err = cfg.SetUserSymmetricKey(vault.Keyring.GetAccountKey().Bytes()) + err = cfg.SetMasterPasswordHash([]byte(masterpasswordHash)) + err = cfg.SetMasterKey([]byte(masterKey.GetBytes())) var protectedUserSymetricKey crypto.SymmetricEncryptionKey if vault.Keyring.IsMemguard { protectedUserSymetricKey, err = crypto.MemguardSymmetricEncryptionKeyFromBytes(vault.Keyring.GetAccountKey().Bytes()) @@ -114,7 +114,7 @@ func handleLogin(msg messages.IPCMessage, cfg *config.Config, vault *vault.Vault if err != nil { defer func() { notify.Notify("Goldwarden", "Could not decrypt. Wrong password?", "", 10*time.Second, func() {}) - cfg.SetToken(config.LoginToken{}) + _ = cfg.SetToken(config.LoginToken{}) vault.Clear() }() diff --git a/agent/actions/logins.go b/agent/actions/logins.go index d10224a..399ecd7 100644 --- a/agent/actions/logins.go +++ b/agent/actions/logins.go @@ -69,11 +69,7 @@ func handleGetLoginCipher(request messages.IPCMessage, cfg *config.Config, vault if !login.Login.Totp.IsNull() { decryptedTotp, err := crypto.DecryptWith(login.Login.Totp, cipherKey) if err == nil { - if err == nil { - decryptedLogin.TOTPSeed = string(decryptedTotp) - } else { - fmt.Println(err) - } + decryptedLogin.TOTPSeed = string(decryptedTotp) } else { fmt.Println(string(decryptedTotp)) } @@ -117,11 +113,7 @@ func handleListLoginsRequest(request messages.IPCMessage, cfg *config.Config, va continue } - var decryptedName []byte = []byte{} - var decryptedUsername []byte = []byte{} - var decryptedPassword []byte = []byte{} - var decryptedTotp []byte = []byte{} - var decryptedURL []byte = []byte{} + var decryptedName, decryptedUsername, decryptedPassword, decryptedTotp, decryptedURL []byte if !login.Name.IsNull() { decryptedName, err = crypto.DecryptWith(login.Name, key) diff --git a/agent/actions/vault.go b/agent/actions/vault.go index 0decc5c..c57d4f0 100644 --- a/agent/actions/vault.go +++ b/agent/actions/vault.go @@ -146,7 +146,10 @@ func handleLockVault(request messages.IPCMessage, cfg *config.Config, vault *vau func handleWipeVault(request messages.IPCMessage, cfg *config.Config, vault *vault.Vault, callingContext *sockets.CallingContext) (response messages.IPCMessage, err error) { cfg.Purge() - cfg.WriteConfig() + err = cfg.WriteConfig() + if err != nil { + panic(err) + } vault.Clear() response, err = messages.IPCMessageFromPayload(messages.ActionResponse{ diff --git a/agent/bitwarden/auth.go b/agent/bitwarden/auth.go index f5b5198..213840c 100644 --- a/agent/bitwarden/auth.go +++ b/agent/bitwarden/auth.go @@ -208,7 +208,15 @@ func LoginWithDevice(ctx context.Context, email string, cfg *config.Config, vaul } if authRequestData.RequestApproved { masterKey, err := crypto.DecryptWithAsymmetric([]byte(authRequestData.Key), publicKey) + if err != nil { + return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("could not decrypt key with asymmetric key: %s", err.Error()) + } + masterPasswordHash, err := crypto.DecryptWithAsymmetric([]byte(authRequestData.MasterPasswordHash), publicKey) + if err != nil { + return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("could not decrypt master password hash with asymmetric key: %s", err.Error()) + } + values := urlValues( "grant_type", "password", "username", email, @@ -233,7 +241,7 @@ func LoginWithDevice(ctx context.Context, email string, cfg *config.Config, vaul return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("captcha required, please login via the web interface") } else if err != nil { - return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("could not login via password: %v", err) + return LoginResponseToken{}, crypto.MasterKey{}, "", fmt.Errorf("could not login via password: %s", err.Error()) } return loginResponseToken, crypto.MasterKeyFromBytes(masterKey), string(masterPasswordHash), nil } @@ -282,13 +290,17 @@ func RefreshToken(ctx context.Context, cfg *config.Config) bool { return false } - cfg.SetToken(config.LoginToken{ + err = cfg.SetToken(config.LoginToken{ AccessToken: loginResponseToken.AccessToken, RefreshToken: "", Key: loginResponseToken.Key, TokenType: loginResponseToken.TokenType, ExpiresIn: loginResponseToken.ExpiresIn, }) + if err != nil { + authLog.Error("Could not set token: %s", err.Error()) + return false + } } else { authLog.Info("No api credentials set") } @@ -306,13 +318,17 @@ func RefreshToken(ctx context.Context, cfg *config.Config) bool { notify.Notify("Goldwarden", fmt.Sprintf("Could not refresh token: %v", err), "", 0, func() {}) return false } - cfg.SetToken(config.LoginToken{ + err = cfg.SetToken(config.LoginToken{ AccessToken: loginResponseToken.AccessToken, RefreshToken: loginResponseToken.RefreshToken, Key: loginResponseToken.Key, TokenType: loginResponseToken.TokenType, ExpiresIn: loginResponseToken.ExpiresIn, }) + if err != nil { + authLog.Error("Could not set token: %s", err.Error()) + return false + } } authLog.Info("Token refreshed") diff --git a/agent/bitwarden/crypto/crypto.go b/agent/bitwarden/crypto/crypto.go index e1f37e6..fb850da 100644 --- a/agent/bitwarden/crypto/crypto.go +++ b/agent/bitwarden/crypto/crypto.go @@ -123,6 +123,9 @@ func MemguardAssymmetricEncryptionKeyFromBytes(key []byte) (MemguardAsymmetricEn func (key MemoryAsymmetricEncryptionKey) PublicBytes() []byte { privateKey, err := x509.ParsePKCS8PrivateKey(key.encKey) + if err != nil { + panic(err) + } pub := (privateKey.(*rsa.PrivateKey)).Public() publicKeyBytes, err := x509.MarshalPKIXPublicKey(pub) if err != nil { @@ -137,6 +140,9 @@ func (key MemguardAsymmetricEncryptionKey) PublicBytes() []byte { panic(err) } privateKey, err := x509.ParsePKCS8PrivateKey(buffer.Bytes()) + if err != nil { + panic(err) + } pub := (privateKey.(*rsa.PrivateKey)).Public() publicKeyBytes, err := x509.MarshalPKIXPublicKey(pub) if err != nil { diff --git a/agent/bitwarden/crypto/keyhierarchy.go b/agent/bitwarden/crypto/keyhierarchy.go index d0dc398..e850cc4 100644 --- a/agent/bitwarden/crypto/keyhierarchy.go +++ b/agent/bitwarden/crypto/keyhierarchy.go @@ -90,9 +90,15 @@ func stretchKey(masterKey MasterKey, useMemguard bool) (SymmetricEncryptionKey, var r io.Reader r = hkdf.Expand(sha256.New, buffer.Data(), []byte("enc")) - r.Read(key) + _, err = r.Read(key) + if err != nil { + return nil, err + } r = hkdf.Expand(sha256.New, buffer.Data(), []byte("mac")) - r.Read(macKey) + _, err = r.Read(macKey) + if err != nil { + return nil, err + } if useMemguard { return MemguardSymmetricEncryptionKey{memguard.NewEnclave(key), memguard.NewEnclave(macKey)}, nil diff --git a/agent/bitwarden/send.go b/agent/bitwarden/send.go index de4f38b..de18338 100644 --- a/agent/bitwarden/send.go +++ b/agent/bitwarden/send.go @@ -71,7 +71,10 @@ func CreateSend(ctx context.Context, cfg *config.Config, vault *vault.Vault, nam } sendUseKeyPairBytes := make([]byte, 64) - hkdf.New(sha256.New, sendSourceKey, []byte("bitwarden-send"), []byte("send")).Read(sendUseKeyPairBytes) + _, err = hkdf.New(sha256.New, sendSourceKey, []byte("bitwarden-send"), []byte("send")).Read(sendUseKeyPairBytes) + if err != nil { + return "", err + } sendUseKeyPair, err := crypto.MemorySymmetricEncryptionKeyFromBytes(sendUseKeyPairBytes) if err != nil { diff --git a/agent/bitwarden/sync.go b/agent/bitwarden/sync.go index 7e5994c..de680f3 100644 --- a/agent/bitwarden/sync.go +++ b/agent/bitwarden/sync.go @@ -25,7 +25,11 @@ func Sync(ctx context.Context, config *config.Config) (models.SyncData, error) { } home, _ := os.UserHomeDir() - WriteVault(sync, home+path) + err := WriteVault(sync, home+path) + if err != nil { + return sync, err + } + return sync, nil } @@ -55,7 +59,10 @@ func DoFullSync(ctx context.Context, vault *vault.Vault, config *config.Config, } if userSymmetricKey != nil { log.Info("Initializing keyring from user symmetric key...") - crypto.InitKeyringFromUserSymmetricKey(vault.Keyring, *userSymmetricKey, sync.Profile.PrivateKey, orgKeys) + err = crypto.InitKeyringFromUserSymmetricKey(vault.Keyring, *userSymmetricKey, sync.Profile.PrivateKey, orgKeys) + if err != nil { + return err + } } log.Info("Clearing vault...") diff --git a/agent/bitwarden/websocket.go b/agent/bitwarden/websocket.go index 5afa8eb..4978d37 100644 --- a/agent/bitwarden/websocket.go +++ b/agent/bitwarden/websocket.go @@ -88,7 +88,10 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con done := make(chan struct{}) //handshake required for official bitwarden implementation - c.WriteMessage(1, []byte(`{"protocol":"messagepack","version":1}`)) + err = c.WriteMessage(1, []byte(`{"protocol":"messagepack","version":1}`)) + if err != nil { + return err + } go func() { for { @@ -123,12 +126,14 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con websocketLog.Error("Error getting token %s", err) break } - DoFullSync(context.WithValue(ctx, AuthToken{}, token.AccessToken), vault, cfg, nil, false) - break + err = DoFullSync(context.WithValue(ctx, AuthToken{}, token.AccessToken), vault, cfg, nil, false) + if err != nil { + log.Error("could not perform full sync: %s", err.Error()) + return + } case SyncCipherDelete: websocketLog.Warn("Delete requested for cipher " + cipherid) vault.DeleteCipher(cipherid) - break case SyncCipherUpdate: websocketLog.Warn("Update requested for cipher " + cipherid) token, err := cfg.GetToken() @@ -154,8 +159,6 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con vault.AddOrUpdateLogin(cipher) } vault.SetLastSynced(time.Now().Unix()) - - break case SyncCipherCreate: websocketLog.Warn("Create requested for cipher " + cipherid) token, err := cfg.GetToken() @@ -176,11 +179,8 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con vault.AddOrUpdateLogin(cipher) } vault.SetLastSynced(time.Now().Unix()) - - break case SyncSendCreate, SyncSendUpdate, SyncSendDelete: websocketLog.Warn("SyncSend requested: sends are not supported") - break case LogOut: websocketLog.Info("LogOut received. Wiping vault and exiting...") if vault.Keyring.IsMemguard { @@ -213,17 +213,12 @@ func connectToWebsocket(ctx context.Context, vault *vault.Vault, cfg *config.Con websocketLog.Error("Error creating auth response %s", err) } }) - - break case AuthRequestResponse: websocketLog.Info("AuthRequestResponse received") - break case SyncFolderDelete, SyncFolderCreate, SyncFolderUpdate: websocketLog.Warn("SyncFolder requested: folders are not supported") - break case SyncOrgKeys, SyncSettings: websocketLog.Warn("SyncOrgKeys requested: orgs / settings are not supported") - break default: websocketLog.Warn("Unknown message type received %d", mt1) } diff --git a/agent/config/config.go b/agent/config/config.go index 4dfadb9..9e868a5 100644 --- a/agent/config/config.go +++ b/agent/config/config.go @@ -7,6 +7,7 @@ import ( "encoding/hex" "encoding/json" "errors" + "fmt" "os" "runtime/debug" "strings" @@ -19,6 +20,7 @@ import ( "github.com/quexten/goldwarden/agent/pincache" "github.com/quexten/goldwarden/agent/systemauth/pinentry" "github.com/quexten/goldwarden/agent/vault" + "github.com/quexten/goldwarden/logging" "github.com/tink-crypto/tink-go/v2/aead/subtle" "golang.org/x/crypto/argon2" "golang.org/x/crypto/sha3" @@ -78,6 +80,8 @@ type Config struct { mu sync.Mutex } +var log = logging.GetLogger("Goldwarden", "Config") + func DefaultConfig(useMemguard bool) Config { deviceUUID, _ := uuid.NewUUID() keyBuffer := NewBuffer(32, useMemguard) @@ -188,37 +192,65 @@ func (c *Config) UpdatePin(password string, write bool) { c.ConfigFile.ConfigKeyHash = configKeyHash plaintextToken, err1 := c.decryptString(c.ConfigFile.EncryptedToken) - plaintextUserSymmetricKey, err3 := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey) - plaintextEncryptedMasterPasswordHash, err4 := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash) - plaintextMasterKey, err5 := c.decryptString(c.ConfigFile.EncryptedMasterKey) - plaintextClientID, err6 := c.decryptString(c.ConfigFile.EncryptedClientID) - plaintextClientSecret, err7 := c.decryptString(c.ConfigFile.EncryptedClientSecret) + plaintextUserSymmetricKey, err2 := c.decryptString(c.ConfigFile.EncryptedUserSymmetricKey) + plaintextEncryptedMasterPasswordHash, err3 := c.decryptString(c.ConfigFile.EncryptedMasterPasswordHash) + plaintextMasterKey, err4 := c.decryptString(c.ConfigFile.EncryptedMasterKey) + plaintextClientID, err5 := c.decryptString(c.ConfigFile.EncryptedClientID) + plaintextClientSecret, err6 := c.decryptString(c.ConfigFile.EncryptedClientSecret) key := NewBufferFromBytes(newKey, c.useMemguard) c.key = &key if err1 == nil { c.ConfigFile.EncryptedToken, err1 = c.encryptString(plaintextToken) + if err1 != nil { + log.Error("could not encrypt token: %s", err1.Error()) + return + } + } + if err2 == nil { + c.ConfigFile.EncryptedUserSymmetricKey, err2 = c.encryptString(plaintextUserSymmetricKey) + if err2 != nil { + log.Error("could not encrypt user symmetric key: %s", err2.Error()) + return + } } if err3 == nil { - c.ConfigFile.EncryptedUserSymmetricKey, err3 = c.encryptString(plaintextUserSymmetricKey) + c.ConfigFile.EncryptedMasterPasswordHash, err3 = c.encryptString(plaintextEncryptedMasterPasswordHash) + if err3 != nil { + log.Error("could not encrypt master password hash: %s", err3.Error()) + return + } } if err4 == nil { - c.ConfigFile.EncryptedMasterPasswordHash, err4 = c.encryptString(plaintextEncryptedMasterPasswordHash) + c.ConfigFile.EncryptedMasterKey, err4 = c.encryptString(plaintextMasterKey) + if err4 != nil { + log.Error("could not encrypt master key: %s", err4.Error()) + return + } } if err5 == nil { - c.ConfigFile.EncryptedMasterKey, err5 = c.encryptString(plaintextMasterKey) + c.ConfigFile.EncryptedClientID, err5 = c.encryptString(plaintextClientID) + if err5 != nil { + log.Error("could not encrypt client id: %s", err5.Error()) + return + } } if err6 == nil { - c.ConfigFile.EncryptedClientID, err6 = c.encryptString(plaintextClientID) - } - if err7 == nil { - c.ConfigFile.EncryptedClientSecret, err7 = c.encryptString(plaintextClientSecret) + c.ConfigFile.EncryptedClientSecret, err6 = c.encryptString(plaintextClientSecret) + if err6 != nil { + log.Error("could not encrypt client secret: %s", err6.Error()) + return + } } c.mu.Unlock() if write { - c.WriteConfig() + err := c.WriteConfig() + if err != nil { + log.Error("could not write config: %s", err.Error()) + return + } } pincache.SetPin(c.useMemguard, []byte(password)) @@ -247,6 +279,9 @@ func (c *Config) SetToken(token LoginToken) error { } tokenJson, err := json.Marshal(token) + if err != nil { + return fmt.Errorf("could not marshall json: %s", err.Error()) + } encryptedToken, err := c.encryptString(string(tokenJson)) if err != nil { return err @@ -254,8 +289,7 @@ func (c *Config) SetToken(token LoginToken) error { // c.mu.Lock() c.ConfigFile.EncryptedToken = encryptedToken // c.mu.Unlock() - c.WriteConfig() - return nil + return c.WriteConfig() } func (c *Config) GetClientID() (string, error) { @@ -281,8 +315,7 @@ func (c *Config) SetClientID(clientID string) error { if clientID == "" { c.ConfigFile.EncryptedClientID = "" - c.WriteConfig() - return nil + return c.WriteConfig() } encryptedClientID, err := c.encryptString(clientID) @@ -292,8 +325,7 @@ func (c *Config) SetClientID(clientID string) error { // c.mu.Lock() c.ConfigFile.EncryptedClientID = encryptedClientID // c.mu.Unlock() - c.WriteConfig() - return nil + return c.WriteConfig() } func (c *Config) GetClientSecret() (string, error) { @@ -319,8 +351,7 @@ func (c *Config) SetClientSecret(clientSecret string) error { if clientSecret == "" { c.ConfigFile.EncryptedClientSecret = "" - c.WriteConfig() - return nil + return c.WriteConfig() } encryptedClientSecret, err := c.encryptString(clientSecret) @@ -330,8 +361,7 @@ func (c *Config) SetClientSecret(clientSecret string) error { // c.mu.Lock() c.ConfigFile.EncryptedClientSecret = encryptedClientSecret // c.mu.Unlock() - c.WriteConfig() - return nil + return c.WriteConfig() } func (c *Config) GetUserSymmetricKey() ([]byte, error) { @@ -356,8 +386,7 @@ func (c *Config) SetUserSymmetricKey(key []byte) error { // c.mu.Lock() c.ConfigFile.EncryptedUserSymmetricKey = encryptedKey // c.mu.Unlock() - c.WriteConfig() - return nil + return c.WriteConfig() } func (c *Config) GetMasterPasswordHash() ([]byte, error) { @@ -372,7 +401,6 @@ func (c *Config) GetMasterPasswordHash() ([]byte, error) { } func (c *Config) SetMasterPasswordHash(hash []byte) error { - if c.IsLocked() { return errors.New("config is locked") } @@ -386,8 +414,7 @@ func (c *Config) SetMasterPasswordHash(hash []byte) error { c.ConfigFile.EncryptedMasterPasswordHash = encryptedHash // c.mu.Unlock() - c.WriteConfig() - return nil + return c.WriteConfig() } func (c *Config) GetMasterKey() ([]byte, error) { @@ -412,8 +439,7 @@ func (c *Config) SetMasterKey(key []byte) error { // c.mu.Lock() c.ConfigFile.EncryptedMasterKey = encryptedKey // c.mu.Unlock() - c.WriteConfig() - return nil + return c.WriteConfig() } func (c *Config) encryptString(data string) (string, error) { @@ -499,9 +525,11 @@ func ReadConfig(rtCfg RuntimeConfig) (Config, error) { if _, err := os.Stat(oldPath); err == nil { if _, err := os.Stat(newPath); err != nil { if _, err := os.Stat(newPathParent); os.IsNotExist(err) { - os.Mkdir(newPathParent, 0700) + err = os.Mkdir(newPathParent, 0700) + return Config{}, err } - os.Rename(oldPath, newPath) + err = os.Rename(oldPath, newPath) + return Config{}, err } } diff --git a/agent/notify/dbus.go b/agent/notify/dbus.go index 6ded710..59ab9dc 100644 --- a/agent/notify/dbus.go +++ b/agent/notify/dbus.go @@ -6,15 +6,18 @@ import ( "time" "github.com/godbus/dbus/v5" + "github.com/quexten/goldwarden/logging" ) var closeListenerMap = make(map[uint32]func()) var notificationID uint32 = 1000000 +var log = logging.GetLogger("Goldwarden", "Dbus") -func Notify(title string, body string, actionName string, timeout time.Duration, onclose func()) error { +func Notify(title string, body string, actionName string, timeout time.Duration, onclose func()) { bus, err := dbus.SessionBus() if err != nil { - return err + log.Error("could not get a dbus session: %s", err.Error()) + return } obj := bus.Object("org.freedesktop.Notifications", "/org/freedesktop/Notifications") actions := []string{} @@ -26,16 +29,17 @@ func Notify(title string, body string, actionName string, timeout time.Duration, call := obj.Call("org.freedesktop.Notifications.Notify", 0, "goldwarden", uint32(notificationID), "", title, body, actions, map[string]dbus.Variant{}, int32(60000)) if call.Err != nil { - return call.Err + log.Error("could not call dbus object: %s", call.Err.Error()) + return } if len(call.Body) < 1 { - return nil + return } id := call.Body[0].(uint32) closeListenerMap[id] = onclose if timeout == 0 { - return nil + return } else { go func(id uint32) { time.Sleep(timeout) @@ -45,8 +49,6 @@ func Notify(title string, body string, actionName string, timeout time.Duration, } }(id) } - - return nil } func ListenForNotifications() error { @@ -62,26 +64,22 @@ func ListenForNotifications() error { signals := make(chan *dbus.Signal, 10) bus.Signal(signals) for { - select { - case message := <-signals: - if message.Name == "org.freedesktop.Notifications.NotificationClosed" { - if len(message.Body) < 1 { - continue - } - id, ok := message.Body[0].(uint32) - if !ok { - continue - } - if id == 0 { - continue - } - if closeListener, ok := closeListenerMap[id]; ok { - delete(closeListenerMap, id) - closeListener() - } + message := <-signals + if message.Name == "org.freedesktop.Notifications.NotificationClosed" { + if len(message.Body) < 1 { + continue + } + id, ok := message.Body[0].(uint32) + if !ok { + continue + } + if id == 0 { + continue + } + if closeListener, ok := closeListenerMap[id]; ok { + delete(closeListenerMap, id) + closeListener() } } } - - return nil } diff --git a/agent/processsecurity/unix.go b/agent/processsecurity/unix.go index b1e9370..a5b813b 100644 --- a/agent/processsecurity/unix.go +++ b/agent/processsecurity/unix.go @@ -37,30 +37,26 @@ func MonitorLocks(onlock func()) error { signals := make(chan *dbus.Signal, 10) bus.Signal(signals) for { - select { - case message := <-signals: - if message.Name == "org.gnome.ScreenSaver.ActiveChanged" { - if len(message.Body) == 0 { - continue - } - locked, err := message.Body[0].(bool) - if err || locked { - onlock() - } + message := <-signals + if message.Name == "org.gnome.ScreenSaver.ActiveChanged" { + if len(message.Body) == 0 { + continue } - if message.Name == "org.freedesktop.ScreenSaver.ActiveChanged" { - if len(message.Body) == 0 { - continue - } - locked, err := message.Body[0].(bool) - if err || locked { - onlock() - } + locked, err := message.Body[0].(bool) + if err || locked { + onlock() + } + } + if message.Name == "org.freedesktop.ScreenSaver.ActiveChanged" { + if len(message.Body) == 0 { + continue + } + locked, err := message.Body[0].(bool) + if err || locked { + onlock() } } } - - return nil } func MonitorIdle(onidle func()) error { @@ -88,6 +84,4 @@ func MonitorIdle(onidle func()) error { time.Sleep(1 * time.Second) } - - return nil } diff --git a/agent/unixsocketagent.go b/agent/unixsocketagent.go index af4a0b7..f5e7100 100644 --- a/agent/unixsocketagent.go +++ b/agent/unixsocketagent.go @@ -31,20 +31,20 @@ const ( var log = logging.GetLogger("Goldwarden", "Agent") -func writeError(c net.Conn, errMsg error) error { +func writeError(c net.Conn, errMsg error) { payload := messages.ActionResponse{ Success: false, Message: errMsg.Error(), } payloadBytes, err := json.Marshal(payload) if err != nil { - return err + log.Warn("Could not json marshall: %s", err.Error()) + return } _, err = c.Write(payloadBytes) if err != nil { - return err + log.Warn("Could not write payload: %s", err.Error()) } - return nil } func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) { @@ -167,6 +167,9 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) { log.Error("Failed writing to socket " + err.Error()) } _, err = c.Write([]byte("\n")) + if err != nil { + log.Error("Failed writing to socket " + err.Error()) + } time.Sleep(50 * time.Millisecond) //todo fix properly if pinentrySetError != nil { @@ -266,8 +269,6 @@ func serveAgentSession(c net.Conn, vault *vault.Vault, cfg *config.Config) { } } } - - continue } var responseBytes []byte @@ -322,7 +323,10 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { log.Warn("Could not read config: %s", err.Error()) cfg = config.DefaultConfig(runtimeConfig.UseMemguard) cfg.ConfigFile.RuntimeConfig = runtimeConfig - cfg.WriteConfig() + err = cfg.WriteConfig() + if err != nil { + log.Warn("Could not write config: %s", err.Error()) + } } cfg.ConfigFile.RuntimeConfig = runtimeConfig if cfg.ConfigFile.RuntimeConfig.DeviceUUID != "" { @@ -354,6 +358,9 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { } else { protectedUserSymmetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) } + if err != nil { + log.Error("could not get encryption key from bytes: %s", err.Error()) + } err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymmetricKey, true) if err != nil { @@ -369,7 +376,11 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { } } - processsecurity.DisableDumpable() + err = processsecurity.DisableDumpable() + if err != nil { + log.Warn("Could not disable dumpable: %s", err.Error()) + } + go func() { err = processsecurity.MonitorLocks(func() { cfg.Lock() @@ -441,6 +452,9 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { } else { protectedUserSymmetricKey, err = crypto.MemorySymmetricEncryptionKeyFromBytes(userSymmetricKey) } + if err != nil { + log.Error("could not get encryption key from bytes: %s", err.Error()) + } err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, &protectedUserSymmetricKey, true) if err != nil { @@ -482,7 +496,11 @@ func StartUnixAgent(path string, runtimeConfig config.RuntimeConfig) error { continue } - bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, nil, false) + err = bitwarden.DoFullSync(context.WithValue(ctx, bitwarden.AuthToken{}, token.AccessToken), vault, &cfg, nil, false) + if err != nil { + log.Warn("Could not do full sync: %s", err.Error()) + continue + } } } }()