From 5cf7839a42265b20ded3dbc8028337ff55bf742e Mon Sep 17 00:00:00 2001 From: Samuel Lorch Date: Mon, 12 May 2025 19:57:59 +0200 Subject: [PATCH 1/8] move and rework secret Validation --- helper/secret.go | 63 ++++++++++++++++++++++++++++++++++++++++++++++++ helper/util.go | 45 ---------------------------------- 2 files changed, 63 insertions(+), 45 deletions(-) create mode 100644 helper/secret.go diff --git a/helper/secret.go b/helper/secret.go new file mode 100644 index 0000000..f6849dc --- /dev/null +++ b/helper/secret.go @@ -0,0 +1,63 @@ +package helper + +import ( + "bytes" + "encoding/json" + "fmt" + "strings" + + "github.com/passbolt/go-passbolt/api" + "github.com/santhosh-tekuri/jsonschema" +) + +func validateSecretData(rType *api.ResourceType, secretData string) error { + var schemaDefinition api.ResourceTypeSchema + definition := rType.Definition + + // Fallback schema + if string(definition) == "[]" || string(definition) == "\"[]\"" { + tmp, ok := api.ResourceSchemas[rType.Slug] + if !ok { + return fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug) + } + definition = tmp + } + + err := json.Unmarshal([]byte(definition), &schemaDefinition) + if err != nil { + // Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string + if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" { + var tmp string + err = json.Unmarshal([]byte(definition), &tmp) + if err != nil { + return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) + } + + err = json.Unmarshal([]byte(tmp), &schemaDefinition) + if err != nil { + return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) + } + + } else { + return fmt.Errorf("Unmarshal Json Schema: %w", err) + } + } + + comp := jsonschema.NewCompiler() + + err = comp.AddResource("secret.json", bytes.NewReader(schemaDefinition.Secret)) + if err != nil { + return fmt.Errorf("Adding Json Schema: %w", err) + } + + schema, err := comp.Compile("secret.json") + if err != nil { + return fmt.Errorf("Compiling Json Schema: %w", err) + } + + err = schema.Validate(strings.NewReader(secretData)) + if err != nil { + return fmt.Errorf("Validating Secret Data: %w", err) + } + return nil +} diff --git a/helper/util.go b/helper/util.go index 4d7a144..78b1960 100644 --- a/helper/util.go +++ b/helper/util.go @@ -1,13 +1,9 @@ package helper import ( - "bytes" - "encoding/json" "fmt" - "strings" "github.com/passbolt/go-passbolt/api" - "github.com/santhosh-tekuri/jsonschema" ) func getPublicKeyByUserID(userID string, Users []api.User) (string, error) { @@ -36,44 +32,3 @@ func getSecretByResourceID(secrets []api.Secret, resourceID string) (*api.Secret } return nil, fmt.Errorf("Cannot Find Secret for id %v", resourceID) } - -func validateSecretData(rType *api.ResourceType, secretData string) error { - var schemaDefinition api.ResourceTypeSchema - err := json.Unmarshal([]byte(rType.Definition), &schemaDefinition) - if err != nil { - // Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string - if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" { - var tmp string - err = json.Unmarshal([]byte(rType.Definition), &tmp) - if err != nil { - return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) - } - - err = json.Unmarshal([]byte(tmp), &schemaDefinition) - if err != nil { - return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) - } - - } else { - return fmt.Errorf("Unmarshal Json Schema: %w", err) - } - } - - comp := jsonschema.NewCompiler() - - err = comp.AddResource("secret.json", bytes.NewReader(schemaDefinition.Secret)) - if err != nil { - return fmt.Errorf("Adding Json Schema: %w", err) - } - - schema, err := comp.Compile("secret.json") - if err != nil { - return fmt.Errorf("Compiling Json Schema: %w", err) - } - - err = schema.Validate(strings.NewReader(secretData)) - if err != nil { - return fmt.Errorf("Validating Secret Data: %w", err) - } - return nil -} From 14e5fed276d2511d1d9b5d862d685195761c1436 Mon Sep 17 00:00:00 2001 From: Samuel Lorch Date: Mon, 12 May 2025 19:58:36 +0200 Subject: [PATCH 2/8] Add Get User Private Key Copy --- api/encryption.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/api/encryption.go b/api/encryption.go index 2c393ee..6078e19 100644 --- a/api/encryption.go +++ b/api/encryption.go @@ -140,3 +140,11 @@ func (c *Client) DecryptMessageWithSessionKey(sessionKey *crypto.SessionKey, cip return res.String(), nil } + +func (c *Client) GetUserPrivateKeyCopy() (*crypto.Key, error) { + key, err := c.userPrivateKey.Copy() + if err != nil { + return nil, fmt.Errorf("Get Private Key Copy: %w", err) + } + return key, nil +} From 9da77b46bfddfd874ece6aedc06e7bcbd0bb43cd Mon Sep 17 00:00:00 2001 From: Samuel Lorch Date: Mon, 12 May 2025 19:59:03 +0200 Subject: [PATCH 3/8] Add Passbolt Object Type constants --- api/metadata.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/api/metadata.go b/api/metadata.go index cc40425..bf6c7ca 100644 --- a/api/metadata.go +++ b/api/metadata.go @@ -6,6 +6,9 @@ import ( "github.com/ProtonMail/gopenpgp/v3/crypto" ) +const PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA = "PASSBOLT_RESOURCE_METADATA" +const PASSBOLT_OBJECT_TYPE_SECRET_DATA = "PASSBOLT_SECRET_DATA" + // ResourceMetadataTypeV5Default type ResourceMetadataTypeV5Default struct { ObjectType string `json:"object_type"` From 6a72f6987ca86def9dd6e4c0e9831b51f3bd8f16 Mon Sep 17 00:00:00 2001 From: Samuel Lorch Date: Mon, 12 May 2025 20:00:15 +0200 Subject: [PATCH 4/8] Also Fetch Metadata Key Settings on Login, add getter --- api/client.go | 17 ++++++++++++++++- api/metadata_settings.go | 35 +++++++++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 3 deletions(-) diff --git a/api/client.go b/api/client.go index 0ce0701..364ba75 100644 --- a/api/client.go +++ b/api/client.go @@ -33,6 +33,9 @@ type Client struct { // Server Settings Determining which Resource Types we can use metadataTypeSettings MetadataTypeSettings + // Server Settings Determining which Metadata Keys to use + metadataKeySettings MetadataKeySettings + // used for solving MFA challenges. You can block this to for example wait for user input. // You shouden't run any unrelated API Calls while you are in this callback. // You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa @@ -212,16 +215,28 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error { if settings.Passbolt.IsPluginEnabled("metadata") { c.log("Server has metadata plugin enabled, is v5 or Higher") - metadataTypeSettings, err := c.GetMetadataTypeSettings(ctx) + metadataTypeSettings, err := c.GetServerMetadataTypeSettings(ctx) if err != nil { return fmt.Errorf("Getting Metadata Type Settings: %w", err) } c.log("metadataTypeSettings: %+v", metadataTypeSettings) c.metadataTypeSettings = *metadataTypeSettings + + metadataKeySettings, err := c.GetServerMetadataKeySettings(ctx) + if err != nil { + return fmt.Errorf("Getting Metadata Key Settings: %w", err) + } + + c.log("metadataKeySettings: %+v", metadataKeySettings) + c.metadataKeySettings = *metadataKeySettings } else { c.log("Server has metadata plugin disabled or not installed, Server is v4") c.metadataTypeSettings = getV4DefaultMetadataTypeSettings() + c.metadataKeySettings = MetadataKeySettings{ + AllowUsageOfPersonalKeys: true, + AllowZeroKnowledgeKeyShare: false, + } } return nil } diff --git a/api/metadata_settings.go b/api/metadata_settings.go index ae80715..92ac9a9 100644 --- a/api/metadata_settings.go +++ b/api/metadata_settings.go @@ -38,6 +38,12 @@ type MetadataTypeSettings struct { AllowV4V5Downgrade bool `json:"allow_v5_v4_downgrade"` } +// MetadataTypeSettings Contains the Servers Settings about which Types to use +type MetadataKeySettings struct { + AllowUsageOfPersonalKeys bool `json:"allow_usage_of_personal_keys"` + AllowZeroKnowledgeKeyShare bool `json:"zero_knowledge_key_share"` +} + func getV4DefaultMetadataTypeSettings() MetadataTypeSettings { return MetadataTypeSettings{ DefaultResourceType: PassboltAPIVersionTypeV4, @@ -57,8 +63,13 @@ func getV4DefaultMetadataTypeSettings() MetadataTypeSettings { } } -// GetMetadataTypeSettings gets the Servers Settings about which Types to use -func (c *Client) GetMetadataTypeSettings(ctx context.Context) (*MetadataTypeSettings, error) { +// MetadataTypeSettings Gives the Current MetadataTypeSettings +func (c *Client) MetadataTypeSettings() MetadataTypeSettings { + return c.metadataTypeSettings +} + +// GetServerMetadataTypeSettings gets the Servers Settings about which Types to use, usually you should use MetadataTypeSettings instead +func (c *Client) GetServerMetadataTypeSettings(ctx context.Context) (*MetadataTypeSettings, error) { msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/types/settings.json", nil, nil) if err != nil { return nil, err @@ -71,3 +82,23 @@ func (c *Client) GetMetadataTypeSettings(ctx context.Context) (*MetadataTypeSett } return &metadataSettings, nil } + +// MetadataKeySettings Gives the Current MetadataKeySettings +func (c *Client) MetadataKeySettings() MetadataKeySettings { + return c.metadataKeySettings +} + +// GetServerMetadataKeySettings gets the Servers Settings about which Key to use, usually you should use MetadataKeySettings instead +func (c *Client) GetServerMetadataKeySettings(ctx context.Context) (*MetadataKeySettings, error) { + msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/keys/settings.json", nil, nil) + if err != nil { + return nil, err + } + + var metadataKeySettings MetadataKeySettings + err = json.Unmarshal(msg.Body, &metadataKeySettings) + if err != nil { + return nil, err + } + return &metadataKeySettings, nil +} From 5369030d505b62020c66c27a19804e648fba9b25 Mon Sep 17 00:00:00 2001 From: Samuel Lorch Date: Mon, 12 May 2025 20:01:47 +0200 Subject: [PATCH 5/8] Support MetadataKeyTypeUserKey, Rework Metadata Validation --- helper/metadata.go | 145 ++++++++++++++++++++++++++------------------- 1 file changed, 84 insertions(+), 61 deletions(-) diff --git a/helper/metadata.go b/helper/metadata.go index e89cb78..0363e8f 100644 --- a/helper/metadata.go +++ b/helper/metadata.go @@ -7,84 +7,108 @@ import ( "fmt" "strings" + "github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/passbolt/go-passbolt/api" "github.com/santhosh-tekuri/jsonschema" ) func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resource, rType api.ResourceType) (string, error) { - keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{ - ContainMetadataPrivateKeys: true, - }) - if err != nil { - return "", fmt.Errorf("Get Metadata Key: %w", err) + var metadatakey *crypto.Key + if resource.MetadataKeyType == api.MetadataKeyTypeUserKey { + key, err := c.GetUserPrivateKeyCopy() + if err != nil { + return "", fmt.Errorf("Get User Private Key Copy: %W", err) + } + + metadatakey = key + } else { + // Must be a shared key + keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{ + ContainMetadataPrivateKeys: true, + }) + if err != nil { + return "", fmt.Errorf("Get Metadata Key: %w", err) + } + + // TODO Get Key by id? + if len(keys) != 1 { + return "", fmt.Errorf("Not Exactly One Metadatakey Available") + } + + if len(keys[0].MetadataPrivateKeys) == 0 { + return "", fmt.Errorf("No Metadata Private key for our user") + } + + if len(keys[0].MetadataPrivateKeys) > 1 { + return "", fmt.Errorf("More than 1 metadata Private key for our user") + } + + var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0] + if *privMetdata.UserID != c.GetUserID() { + return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID) + } + + decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data) + if err != nil { + return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err) + } + + var data api.MetadataPrivateKeyData + err = json.Unmarshal([]byte(decPrivMetadatakey), &data) + if err != nil { + return "", fmt.Errorf("Parse Metadata Private Key Data") + } + + metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase)) + if err != nil { + return "", fmt.Errorf("Get Metadata Private Key: %w", err) + } + + metadatakey = metadataPrivateKeyObj } - // TODO Get Key by id? - if len(keys) != 1 { - return "", fmt.Errorf("Not Exactly One Metadatakey Available") - } - - if len(keys[0].MetadataPrivateKeys) == 0 { - return "", fmt.Errorf("No Metadata Private key for our user") - } - - if len(keys[0].MetadataPrivateKeys) > 1 { - return "", fmt.Errorf("More than 1 metadata Private key for our user") - } - - var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0] - if *privMetdata.UserID != c.GetUserID() { - return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID) - } - - decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data) - if err != nil { - return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err) - } - - var data api.MetadataPrivateKeyData - err = json.Unmarshal([]byte(decPrivMetadatakey), &data) - if err != nil { - return "", fmt.Errorf("Parse Metadata Private Key Data") - } - - metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase)) - if err != nil { - return "", fmt.Errorf("Get Metadata Private Key: %w", err) - } - - decMetadata, err := c.DecryptMetadata(metadataPrivateKeyObj, resource.Metadata) + decMetadata, err := c.DecryptMetadata(metadatakey, resource.Metadata) if err != nil { return "", fmt.Errorf("Decrypt Metadata: %w", err) } + err = validateMetadata(&rType, string(decMetadata)) + if err != nil { + return "", fmt.Errorf("Validate Metadata: %w", err) + } + + return decMetadata, nil +} + +func validateMetadata(rType *api.ResourceType, metadata string) error { var schemaDefinition api.ResourceTypeSchema - err = json.Unmarshal([]byte(rType.Definition), &schemaDefinition) + definition := rType.Definition + + // Fallback schema + if string(definition) == "[]" || string(definition) == "\"[]\"" { + tmp, ok := api.ResourceSchemas[rType.Slug] + if !ok { + return fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug) + } + definition = tmp + } + + err := json.Unmarshal([]byte(definition), &schemaDefinition) if err != nil { // Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" { var tmp string - err = json.Unmarshal([]byte(rType.Definition), &tmp) + err = json.Unmarshal([]byte(definition), &tmp) if err != nil { - return "", fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) - } - - if tmp == "[]" { - // Use The Builtin Fallback Schemas in this Case - schema, ok := api.ResourceSchemas[rType.Slug] - if !ok { - return "", fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug) - } - tmp = string(schema) + return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) } err = json.Unmarshal([]byte(tmp), &schemaDefinition) if err != nil { - return "", fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) + return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) } - } else { - return "", fmt.Errorf("Unmarshal Json Schema: %w", err) + return fmt.Errorf("Unmarshal Json Schema: %w", err) } } @@ -92,18 +116,17 @@ func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resour err = comp.AddResource("metadata.json", bytes.NewReader(schemaDefinition.Resource)) if err != nil { - return "", fmt.Errorf("Adding Json Schema: %w", err) + return fmt.Errorf("Adding Json Schema: %w", err) } schema, err := comp.Compile("metadata.json") if err != nil { - return "", fmt.Errorf("Compiling Json Schema: %w", err) + return fmt.Errorf("Compiling Json Schema: %w", err) } - err = schema.Validate(strings.NewReader(decMetadata)) + err = schema.Validate(strings.NewReader(metadata)) if err != nil { - return "", fmt.Errorf("Validating Secret Data: %w", err) + return fmt.Errorf("Validating Secret Data: %w", err) } - - return decMetadata, nil + return nil } From e90a19a41de5ae8743530a8c1ddb9ff75c5ff0ce Mon Sep 17 00:00:00 2001 From: Samuel Lorch Date: Mon, 12 May 2025 20:02:51 +0200 Subject: [PATCH 6/8] Implement v5 Resource Creation --- helper/resources.go | 141 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 140 insertions(+), 1 deletion(-) diff --git a/helper/resources.go b/helper/resources.go index 9c2d31a..8218c3b 100644 --- a/helper/resources.go +++ b/helper/resources.go @@ -5,11 +5,144 @@ import ( "encoding/json" "fmt" + "github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/passbolt/go-passbolt/api" ) -// CreateResource Creates a Resource where the Password and Description are Encrypted and Returns the Resources ID +// CreateResource Creates a Resource, Creates a v4 or v5 Resources based on the server Preference func CreateResource(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { + // Create a v5 Password if that is the Server Default + if c.MetadataTypeSettings().DefaultResourceType == api.PassboltAPIVersionTypeV5 { + return CreateResourceV5(ctx, c, folderParentID, name, username, uri, password, description) + } else { + return CreateResourceV4(ctx, c, folderParentID, name, username, uri, password, description) + } +} + +func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { + if c.MetadataTypeSettings().AllowCreationOfV5Resources == false { + return "", fmt.Errorf("Creation of V5 Passwords is disabled on this Server") + } + + types, err := c.GetResourceTypes(ctx, nil) + if err != nil { + return "", fmt.Errorf("Getting ResourceTypes: %w", err) + } + var rType *api.ResourceType + for _, tmp := range types { + if tmp.Slug == "v5-default" { + rType = &tmp + break + } + } + if rType == nil { + return "", fmt.Errorf("Cannot find Resource type password-and-description") + } + + // Base Resource + resource := api.Resource{ + ResourceTypeID: rType.ID, + FolderParentID: folderParentID, + } + + // Resource Metadata + meta := api.ResourceMetadataTypeV5Default{ + ObjectType: api.PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA, + Name: name, + Username: username, + URIs: []string{uri}, + } + + metaData, err := json.Marshal(&meta) + if err != nil { + return "", fmt.Errorf("Marshalling metadata: %w", err) + } + + err = validateMetadata(rType, string(metaData)) + if err != nil { + return "", fmt.Errorf("Validating metadata: %w", err) + } + + var publicMetadataKey *crypto.Key + // Since we are not sharing, use the Personal Key if allowed + if c.MetadataKeySettings().AllowUsageOfPersonalKeys { + publicMetadataKey, err = c.GetUserPrivateKeyCopy() + if err != nil { + return "", fmt.Errorf("Get User Private Key: %w", err) + } + + me, err := c.GetMe(ctx) + if err != nil { + return "", fmt.Errorf("Get User Me: %w", err) + } + + if me.GPGKey == nil { + return "", fmt.Errorf("User Me GPG Key nil") + } + + resource.MetadataKeyID = me.GPGKey.ID + resource.MetadataKeyType = api.MetadataKeyTypeUserKey + } else { + keys, err := c.GetMetadataKeys(ctx, nil) + if err != nil { + return "", fmt.Errorf("Get Metadata Key: %w", err) + } + + // TODO Get Key by id? + if len(keys) != 1 { + return "", fmt.Errorf("Not Exactly One Metadatakey Available") + } + + publicMetadataKey, err = crypto.NewKeyFromArmored(keys[0].ArmoredKey) + if err != nil { + return "", fmt.Errorf("Get Metadata Public Key: %w", err) + } + + resource.MetadataKeyID = keys[0].ID + resource.MetadataKeyType = api.MetadataKeyTypeSharedKey + } + + encMetadata, err := c.EncryptMessageWithKey(publicMetadataKey, string(metaData)) + if err != nil { + return "", fmt.Errorf("Encrypt Metadata: %w", err) + } + resource.Metadata = encMetadata + + // Resource Secret + secret := api.SecretDataTypeV5Default{ + ObjectType: api.PASSBOLT_OBJECT_TYPE_SECRET_DATA, + Password: password, + Description: description, + } + + secretData, err := json.Marshal(&secret) + if err != nil { + return "", fmt.Errorf("Marshalling Secret Data: %w", err) + } + + err = validateSecretData(rType, string(secretData)) + if err != nil { + return "", fmt.Errorf("Validating Secret Data: %w", err) + } + + encSecretData, err := c.EncryptMessage(string(secretData)) + if err != nil { + return "", fmt.Errorf("Encrypting Secret Data for User me: %w", err) + } + resource.Secrets = []api.Secret{{Data: encSecretData}} + + newresource, err := c.CreateResource(ctx, resource) + if err != nil { + return "", fmt.Errorf("Creating Resource: %w", err) + } + return newresource.ID, nil +} + +func CreateResourceV4(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { + if c.MetadataTypeSettings().AllowCreationOfV4Resources == false { + return "", fmt.Errorf("Creation of V4 Passwords is disabled on this Server") + } + types, err := c.GetResourceTypes(ctx, nil) if err != nil { return "", fmt.Errorf("Getting ResourceTypes: %w", err) @@ -62,6 +195,12 @@ func CreateResource(ctx context.Context, c *api.Client, folderParentID, name, us // CreateResourceSimple Creates a Legacy Resource where only the Password is Encrypted and Returns the Resources ID func CreateResourceSimple(ctx context.Context, c *api.Client, folderParentID, name, username, uri, password, description string) (string, error) { + if c.MetadataTypeSettings().AllowCreationOfV4Resources == false { + return "", fmt.Errorf("Creation of V4 Passwords is disabled on this Server") + } + + // TODO Create a v5-password-string if v5 is enabled + enc, err := c.EncryptMessage(password) if err != nil { return "", fmt.Errorf("Encrypting Password: %w", err) From f5654f36df56228b3681cb83dbab77dc35658086 Mon Sep 17 00:00:00 2001 From: Samuel Lorch Date: Mon, 12 May 2025 20:23:38 +0200 Subject: [PATCH 7/8] Fix Missing Resource Type ID --- helper/resources.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/helper/resources.go b/helper/resources.go index 8218c3b..5444c9b 100644 --- a/helper/resources.go +++ b/helper/resources.go @@ -47,10 +47,11 @@ func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name, // Resource Metadata meta := api.ResourceMetadataTypeV5Default{ - ObjectType: api.PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA, - Name: name, - Username: username, - URIs: []string{uri}, + ObjectType: api.PASSBOLT_OBJECT_TYPE_RESOURCE_METADATA, + ResourceTypeID: rType.ID, + Name: name, + Username: username, + URIs: []string{uri}, } metaData, err := json.Marshal(&meta) From b4cf29482d53a1e9a2657ad23789da6534dc9374 Mon Sep 17 00:00:00 2001 From: Samuel Lorch Date: Mon, 12 May 2025 21:05:58 +0200 Subject: [PATCH 8/8] Move Metadatakey logic to seperate function, use pointer --- helper/metadata.go | 62 ++++------------------------------- helper/metadatakey.go | 75 +++++++++++++++++++++++++++++++++++++++++++ helper/resources.go | 49 +++++----------------------- 3 files changed, 90 insertions(+), 96 deletions(-) create mode 100644 helper/metadatakey.go diff --git a/helper/metadata.go b/helper/metadata.go index 0363e8f..be09475 100644 --- a/helper/metadata.go +++ b/helper/metadata.go @@ -7,72 +7,24 @@ import ( "fmt" "strings" - "github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/passbolt/go-passbolt/api" "github.com/santhosh-tekuri/jsonschema" ) -func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resource, rType api.ResourceType) (string, error) { - var metadatakey *crypto.Key - if resource.MetadataKeyType == api.MetadataKeyTypeUserKey { - key, err := c.GetUserPrivateKeyCopy() - if err != nil { - return "", fmt.Errorf("Get User Private Key Copy: %W", err) - } - - metadatakey = key - } else { - // Must be a shared key - keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{ - ContainMetadataPrivateKeys: true, - }) - if err != nil { - return "", fmt.Errorf("Get Metadata Key: %w", err) - } - - // TODO Get Key by id? - if len(keys) != 1 { - return "", fmt.Errorf("Not Exactly One Metadatakey Available") - } - - if len(keys[0].MetadataPrivateKeys) == 0 { - return "", fmt.Errorf("No Metadata Private key for our user") - } - - if len(keys[0].MetadataPrivateKeys) > 1 { - return "", fmt.Errorf("More than 1 metadata Private key for our user") - } - - var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0] - if *privMetdata.UserID != c.GetUserID() { - return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID) - } - - decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data) - if err != nil { - return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err) - } - - var data api.MetadataPrivateKeyData - err = json.Unmarshal([]byte(decPrivMetadatakey), &data) - if err != nil { - return "", fmt.Errorf("Parse Metadata Private Key Data") - } - - metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase)) - if err != nil { - return "", fmt.Errorf("Get Metadata Private Key: %w", err) - } - - metadatakey = metadataPrivateKeyObj +func GetResourceMetadata(ctx context.Context, c *api.Client, resource *api.Resource, rType *api.ResourceType) (string, error) { + _, _, metadatakey, err := GetMetadataKey(ctx, c, resource.MetadataKeyType == api.MetadataKeyTypeUserKey) + if err != nil { + return "", fmt.Errorf("Get Metadata Key: %w", err) } + // TODO should we instead get the Metadata key of this resource by id? + decMetadata, err := c.DecryptMetadata(metadatakey, resource.Metadata) if err != nil { return "", fmt.Errorf("Decrypt Metadata: %w", err) } - err = validateMetadata(&rType, string(decMetadata)) + err = validateMetadata(rType, string(decMetadata)) if err != nil { return "", fmt.Errorf("Validate Metadata: %w", err) } diff --git a/helper/metadatakey.go b/helper/metadatakey.go new file mode 100644 index 0000000..0e7bb16 --- /dev/null +++ b/helper/metadatakey.go @@ -0,0 +1,75 @@ +package helper + +import ( + "context" + "encoding/json" + "fmt" + + "github.com/ProtonMail/gopenpgp/v3/crypto" + "github.com/passbolt/go-passbolt/api" +) + +// GetMetadataKey gets a Metadata key, Personal indicates if the function should return the personal key, +// If personal keys have been disabled on the server then we return the shared key +// Returns the Key ID, Key Type and the Key itself +func GetMetadataKey(ctx context.Context, c *api.Client, personal bool) (string, api.MetadataKeyType, *crypto.Key, error) { + // if personal is requsted and it is allowed by the server, then return that + if personal && c.MetadataKeySettings().AllowUsageOfPersonalKeys { + key, err := c.GetUserPrivateKeyCopy() + if err != nil { + return "", "", nil, fmt.Errorf("Get User Private Key: %w", err) + } + + me, err := c.GetMe(ctx) + if err != nil { + return "", "", nil, fmt.Errorf("Get User Me: %w", err) + } + + if me.GPGKey == nil { + return "", "", nil, fmt.Errorf("User Me GPG Key nil") + } + + return me.GPGKey.ID, api.MetadataKeyTypeUserKey, key, nil + } + + keys, err := c.GetMetadataKeys(ctx, nil) + if err != nil { + return "", "", nil, fmt.Errorf("Get Metadata Key: %w", err) + } + + // TODO Get Key by id? + if len(keys) != 1 { + return "", "", nil, fmt.Errorf("Not Exactly One Metadatakey Available") + } + + if len(keys[0].MetadataPrivateKeys) == 0 { + return "", "", nil, fmt.Errorf("No Metadata Private key for our user") + } + + if len(keys[0].MetadataPrivateKeys) > 1 { + return "", "", nil, fmt.Errorf("More than 1 metadata Private key for our user") + } + + var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0] + if *privMetdata.UserID != c.GetUserID() { + return "", "", nil, fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID) + } + + decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data) + if err != nil { + return "", "", nil, fmt.Errorf("Decrypt Metadata Private Key Data: %w", err) + } + + var data api.MetadataPrivateKeyData + err = json.Unmarshal([]byte(decPrivMetadatakey), &data) + if err != nil { + return "", "", nil, fmt.Errorf("Parse Metadata Private Key Data") + } + + metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase)) + if err != nil { + return "", "", nil, fmt.Errorf("Get Metadata Private Key: %w", err) + } + + return keys[0].ID, api.MetadataKeyTypeSharedKey, metadataPrivateKeyObj, nil +} diff --git a/helper/resources.go b/helper/resources.go index 5444c9b..5163ecb 100644 --- a/helper/resources.go +++ b/helper/resources.go @@ -5,7 +5,6 @@ import ( "encoding/json" "fmt" - "github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/passbolt/go-passbolt/api" ) @@ -64,44 +63,12 @@ func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name, return "", fmt.Errorf("Validating metadata: %w", err) } - var publicMetadataKey *crypto.Key - // Since we are not sharing, use the Personal Key if allowed - if c.MetadataKeySettings().AllowUsageOfPersonalKeys { - publicMetadataKey, err = c.GetUserPrivateKeyCopy() - if err != nil { - return "", fmt.Errorf("Get User Private Key: %w", err) - } - - me, err := c.GetMe(ctx) - if err != nil { - return "", fmt.Errorf("Get User Me: %w", err) - } - - if me.GPGKey == nil { - return "", fmt.Errorf("User Me GPG Key nil") - } - - resource.MetadataKeyID = me.GPGKey.ID - resource.MetadataKeyType = api.MetadataKeyTypeUserKey - } else { - keys, err := c.GetMetadataKeys(ctx, nil) - if err != nil { - return "", fmt.Errorf("Get Metadata Key: %w", err) - } - - // TODO Get Key by id? - if len(keys) != 1 { - return "", fmt.Errorf("Not Exactly One Metadatakey Available") - } - - publicMetadataKey, err = crypto.NewKeyFromArmored(keys[0].ArmoredKey) - if err != nil { - return "", fmt.Errorf("Get Metadata Public Key: %w", err) - } - - resource.MetadataKeyID = keys[0].ID - resource.MetadataKeyType = api.MetadataKeyTypeSharedKey + metadataKeyID, metadataKeyType, publicMetadataKey, err := GetMetadataKey(ctx, c, true) + if err != nil { + return "", fmt.Errorf("Get Metadata Key: %w", err) } + resource.MetadataKeyID = metadataKeyID + resource.MetadataKeyType = metadataKeyType encMetadata, err := c.EncryptMessageWithKey(publicMetadataKey, string(metaData)) if err != nil { @@ -303,7 +270,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret uri = resource.URI // nothing fits into the interface in this case case "v5-default": - rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType) + rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType) if err != nil { return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err) } @@ -333,7 +300,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret pw = secretData.Password desc = secretData.Description case "v5-default-with-totp": - rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType) + rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType) if err != nil { return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err) } @@ -363,7 +330,7 @@ func GetResourceFromData(c *api.Client, resource api.Resource, secret api.Secret pw = secretData.Password desc = secretData.Description case "v5-password-string": - rawMetadata, err := GetResourceMetadata(ctx, c, resource, rType) + rawMetadata, err := GetResourceMetadata(ctx, c, &resource, &rType) if err != nil { return "", "", "", "", "", "", fmt.Errorf("Getting Metadata: %w", err) }