diff --git a/api/auth.go b/api/auth.go index 19da61b..d3fb317 100644 --- a/api/auth.go +++ b/api/auth.go @@ -102,12 +102,22 @@ func (c *Client) Login(ctx context.Context) error { c.userID = user.ID + settings, err := c.GetServerSettings(ctx) + if err != nil { + return fmt.Errorf("Getting Server Settings: %w", err) + } + // after Login, fetch MetadataTypeSettings to finish the Client Setup - c.setMetadataTypeSettings(ctx) + err = c.setMetadataTypeSettings(ctx, settings) if err != nil { return fmt.Errorf("Setup Metadata Type Settings: %w", err) } + err = c.setPasswordExpirySettings(ctx, settings) + if err != nil { + return fmt.Errorf("Setup Password Expiry Settings: %w", err) + } + return nil } diff --git a/api/client.go b/api/client.go index 364ba75..ce85767 100644 --- a/api/client.go +++ b/api/client.go @@ -36,6 +36,9 @@ type Client struct { // Server Settings Determining which Metadata Keys to use metadataKeySettings MetadataKeySettings + // Server Settings for password expiry + passwordExpirySettings PasswordExpirySettings + // used for solving MFA challenges. You can block this to for example wait for user input. // You shouden't run any unrelated API Calls while you are in this callback. // You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa @@ -207,12 +210,7 @@ func (c *Client) GetPublicKey(ctx context.Context) (string, string, error) { } // setMetadataTypeSettings Gets and configures the Client to use the Types the Server wants us to use -func (c *Client) setMetadataTypeSettings(ctx context.Context) error { - settings, err := c.GetServerSettings(ctx) - if err != nil { - return fmt.Errorf("Getting Server Settings: %w", err) - } - +func (c *Client) setMetadataTypeSettings(ctx context.Context, settings *ServerSettingsResponse) error { if settings.Passbolt.IsPluginEnabled("metadata") { c.log("Server has metadata plugin enabled, is v5 or Higher") metadataTypeSettings, err := c.GetServerMetadataTypeSettings(ctx) @@ -241,7 +239,31 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error { return nil } +// setPasswordExpirySettings fetches and configures the Client to use the password expiry plugin +func (c *Client) setPasswordExpirySettings(ctx context.Context, settings *ServerSettingsResponse) error { + if settings.Passbolt.IsPluginEnabled("passwordExpiry") && settings.Passbolt.IsPluginEnabled("passwordExpiryPolicies") { + c.log("Server has password expiry plugin enabled.") + passwordExpirySettings, err := c.getServerPasswordExpirySettings(ctx) + if err != nil { + return fmt.Errorf("Getting Password Expiry Settings: %w", err) + } + + c.log("passwordExpirySettings: %+v", passwordExpirySettings) + c.passwordExpirySettings = *passwordExpirySettings + } else { + c.log("Server has password expiry plugin disabled or not installed.") + c.passwordExpirySettings = getDefaultPasswordExpirySettings() + } + + return nil +} + // GetPGPHandle Gets the Gopgenpgp Handler func (c *Client) GetPGPHandle() *crypto.PGPHandle { return c.pgp } + +// GetPasswordExpirySettings returns the password expiry settings for the client +func (c *Client) GetPasswordExpirySettings() PasswordExpirySettings { + return c.passwordExpirySettings +} diff --git a/api/password_expiry.go b/api/password_expiry.go new file mode 100644 index 0000000..a375b6e --- /dev/null +++ b/api/password_expiry.go @@ -0,0 +1,50 @@ +package api + +import ( + "context" + "encoding/json" + "time" +) + +// PasswordExpirySettings contains the Password expiry settings +type PasswordExpirySettings struct { + ID string `json:"id"` + DefaultExpiryPeriod int `json:"default_expiry_period,omitempty"` + PolicyOverride bool `json:"policy_override"` + AutomaticExpiry bool `json:"automatic_expiry"` + AutomaticUpdate bool `json:"automatic_update"` + ExpiryNotificationPeriod int `json:"expiry_notification_period,omitempty"` + Created time.Time `json:"created"` + Modified time.Time `json:"modified"` + CreatedBy string `json:"created_by"` + ModifiedBy string `json:"modified_by"` +} + +// getServerPasswordExpirySettings gets the servers password expiry settings +func (c *Client) getServerPasswordExpirySettings(ctx context.Context) (*PasswordExpirySettings, error) { + msg, err := c.DoCustomRequestV5(ctx, "GET", "/password-expiry/settings.json", nil, nil) + if err != nil { + return nil, err + } + + var passwordExpirySettings PasswordExpirySettings + err = json.Unmarshal(msg.Body, &passwordExpirySettings) + if err != nil { + return nil, err + } + return &passwordExpirySettings, nil +} + +func getDefaultPasswordExpirySettings() PasswordExpirySettings { + return PasswordExpirySettings{ + ID: "default", + DefaultExpiryPeriod: 0, + PolicyOverride: false, + AutomaticExpiry: false, + AutomaticUpdate: false, + ExpiryNotificationPeriod: 0, + Created: time.Now(), + Modified: time.Now(), + CreatedBy: "default", + } +} diff --git a/api/resources.go b/api/resources.go index 2215686..3910ed4 100644 --- a/api/resources.go +++ b/api/resources.go @@ -35,6 +35,7 @@ type Resource struct { Secrets []Secret `json:"secrets,omitempty"` Tags []Tag `json:"tags,omitempty"` + Expired *Time `json:"expired,omitempty"` } // Tag is a Passbolt Password Tag @@ -122,6 +123,7 @@ func (c *Client) UpdateResource(ctx context.Context, resourceID string, resource if err != nil { return nil, fmt.Errorf("Checking ID format: %w", err) } + msg, err := c.DoCustomRequest(ctx, "PUT", "/resources/"+resourceID+".json", "v2", resource, nil) if err != nil { return nil, err diff --git a/helper/resource_create.go b/helper/resource_create.go index b3bc70b..e8c98db 100644 --- a/helper/resource_create.go +++ b/helper/resource_create.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "fmt" + "time" "github.com/passbolt/go-passbolt/api" ) @@ -99,6 +100,12 @@ func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name, } resource.Secrets = []api.Secret{{Data: encSecretData}} + passwordExpirySettings := c.GetPasswordExpirySettings() + if passwordExpirySettings.DefaultExpiryPeriod != 0 { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(passwordExpirySettings.DefaultExpiryPeriod)) + resource.Expired = &api.Time{Time: expiry} + } + newresource, err := c.CreateResource(ctx, resource) if err != nil { return "", fmt.Errorf("Creating Resource: %w", err) @@ -154,6 +161,12 @@ func CreateResourceV4(ctx context.Context, c *api.Client, folderParentID, name, } resource.Secrets = []api.Secret{{Data: encSecretData}} + passwordExpirySettings := c.GetPasswordExpirySettings() + if passwordExpirySettings.DefaultExpiryPeriod != 0 { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(passwordExpirySettings.DefaultExpiryPeriod)) + resource.Expired = &api.Time{Time: expiry} + } + newresource, err := c.CreateResource(ctx, resource) if err != nil { return "", fmt.Errorf("Creating Resource: %w", err) diff --git a/helper/resource_update.go b/helper/resource_update.go index a3d3e16..3c6b82b 100644 --- a/helper/resource_update.go +++ b/helper/resource_update.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "fmt" + "time" "github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/passbolt/go-passbolt/api" @@ -376,6 +377,12 @@ func UpdateResource(ctx context.Context, c *api.Client, resourceID, name, userna }) } + passwordExpirySettings := c.GetPasswordExpirySettings() + if resource.Expired != nil && passwordExpirySettings.AutomaticUpdate { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(passwordExpirySettings.DefaultExpiryPeriod)) + newResource.Expired = &api.Time{expiry} + } + _, err = c.UpdateResource(ctx, resourceID, newResource) if err != nil { return fmt.Errorf("Updating Resource: %w", err)