From 5262eff022ea329698c2a8f8c070266f44efae47 Mon Sep 17 00:00:00 2001 From: Nelson Isioma Date: Wed, 28 May 2025 23:59:43 +0100 Subject: [PATCH 1/3] feat: adding password expiry --- api/auth.go | 12 +++++++++- api/client.go | 29 +++++++++++++++++++----- api/password_expiry.go | 50 ++++++++++++++++++++++++++++++++++++++++++ api/resources.go | 11 ++++++++++ 4 files changed, 95 insertions(+), 7 deletions(-) create mode 100644 api/password_expiry.go diff --git a/api/auth.go b/api/auth.go index 19da61b..d3fb317 100644 --- a/api/auth.go +++ b/api/auth.go @@ -102,12 +102,22 @@ func (c *Client) Login(ctx context.Context) error { c.userID = user.ID + settings, err := c.GetServerSettings(ctx) + if err != nil { + return fmt.Errorf("Getting Server Settings: %w", err) + } + // after Login, fetch MetadataTypeSettings to finish the Client Setup - c.setMetadataTypeSettings(ctx) + err = c.setMetadataTypeSettings(ctx, settings) if err != nil { return fmt.Errorf("Setup Metadata Type Settings: %w", err) } + err = c.setPasswordExpirySettings(ctx, settings) + if err != nil { + return fmt.Errorf("Setup Password Expiry Settings: %w", err) + } + return nil } diff --git a/api/client.go b/api/client.go index 364ba75..a45f65c 100644 --- a/api/client.go +++ b/api/client.go @@ -36,6 +36,9 @@ type Client struct { // Server Settings Determining which Metadata Keys to use metadataKeySettings MetadataKeySettings + // Server Settings for password expiry + passwordExpirySettings PasswordExpirySettings + // used for solving MFA challenges. You can block this to for example wait for user input. // You shouden't run any unrelated API Calls while you are in this callback. // You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa @@ -207,12 +210,7 @@ func (c *Client) GetPublicKey(ctx context.Context) (string, string, error) { } // setMetadataTypeSettings Gets and configures the Client to use the Types the Server wants us to use -func (c *Client) setMetadataTypeSettings(ctx context.Context) error { - settings, err := c.GetServerSettings(ctx) - if err != nil { - return fmt.Errorf("Getting Server Settings: %w", err) - } - +func (c *Client) setMetadataTypeSettings(ctx context.Context, settings *ServerSettingsResponse) error { if settings.Passbolt.IsPluginEnabled("metadata") { c.log("Server has metadata plugin enabled, is v5 or Higher") metadataTypeSettings, err := c.GetServerMetadataTypeSettings(ctx) @@ -241,6 +239,25 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error { return nil } +// setPasswordExpirySettings Gets and configures the Client to use the password expiry plugin +func (c *Client) setPasswordExpirySettings(ctx context.Context, settings *ServerSettingsResponse) error { + if settings.Passbolt.IsPluginEnabled("passwordExpiry") && settings.Passbolt.IsPluginEnabled("passwordExpiryPolicies") { + c.log("Server has password expiry plugin enabled.") + passwordExpirySettings, err := c.GetServerPasswordExpirySettings(ctx) + if err != nil { + return fmt.Errorf("Getting Password Expiry Settings: %w", err) + } + + c.log("passwordExpirySettings: %+v", passwordExpirySettings) + c.passwordExpirySettings = *passwordExpirySettings + } else { + c.log("Server has password expiry plugin disabled or not installed.") + c.passwordExpirySettings = getDefaultPasswordExpirySettings() + } + + return nil +} + // GetPGPHandle Gets the Gopgenpgp Handler func (c *Client) GetPGPHandle() *crypto.PGPHandle { return c.pgp diff --git a/api/password_expiry.go b/api/password_expiry.go new file mode 100644 index 0000000..b5c756d --- /dev/null +++ b/api/password_expiry.go @@ -0,0 +1,50 @@ +package api + +import ( + "context" + "encoding/json" + "time" +) + +// PasswordExpirySettings contains the Password expiry settings +type PasswordExpirySettings struct { + ID string `json:"id"` + DefaultExpiryPeriod int `json:"default_expiry_period,omitempty"` + PolicyOverride bool `json:"policy_override"` + AutomaticExpiry bool `json:"automatic_expiry"` + AutomaticUpdate bool `json:"automatic_update"` + ExpiryNotificationPeriod int `json:"expiry_notification_period,omitempty"` + Created time.Time `json:"created"` + Modified time.Time `json:"modified"` + CreatedBy string `json:"created_by"` + ModifiedBy string `json:"modified_by"` +} + +// GetServerPasswordExpirySettings gets the servers password expiry settings +func (c *Client) GetServerPasswordExpirySettings(ctx context.Context) (*PasswordExpirySettings, error) { + msg, err := c.DoCustomRequestV5(ctx, "GET", "/password-expiry/settings.json", nil, nil) + if err != nil { + return nil, err + } + + var passwordExpirySettings PasswordExpirySettings + err = json.Unmarshal(msg.Body, &passwordExpirySettings) + if err != nil { + return nil, err + } + return &passwordExpirySettings, nil +} + +func getDefaultPasswordExpirySettings() PasswordExpirySettings { + return PasswordExpirySettings{ + ID: "default", + DefaultExpiryPeriod: 0, + PolicyOverride: false, + AutomaticExpiry: false, + AutomaticUpdate: false, + ExpiryNotificationPeriod: 0, + Created: time.Now(), + Modified: time.Now(), + CreatedBy: "default", + } +} diff --git a/api/resources.go b/api/resources.go index 2215686..3523cb8 100644 --- a/api/resources.go +++ b/api/resources.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "fmt" + "time" ) // Resource is a Resource. @@ -35,6 +36,7 @@ type Resource struct { Secrets []Secret `json:"secrets,omitempty"` Tags []Tag `json:"tags,omitempty"` + Expired *Time `json:"expired,omitempty"` } // Tag is a Passbolt Password Tag @@ -85,6 +87,10 @@ func (c *Client) GetResources(ctx context.Context, opts *GetResourcesOptions) ([ // CreateResource Creates a new Passbolt Resource func (c *Client) CreateResource(ctx context.Context, resource Resource) (*Resource, error) { + if c.passwordExpirySettings.DefaultExpiryPeriod != 0 { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.passwordExpirySettings.DefaultExpiryPeriod)) + resource.Expired = &Time{expiry} + } msg, err := c.DoCustomRequest(ctx, "POST", "/resources.json", "v2", resource, nil) if err != nil { return nil, err @@ -122,6 +128,11 @@ func (c *Client) UpdateResource(ctx context.Context, resourceID string, resource if err != nil { return nil, fmt.Errorf("Checking ID format: %w", err) } + + if resource.Expired != nil && c.passwordExpirySettings.AutomaticUpdate { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.passwordExpirySettings.DefaultExpiryPeriod)) + resource.Expired = &Time{expiry} + } msg, err := c.DoCustomRequest(ctx, "PUT", "/resources/"+resourceID+".json", "v2", resource, nil) if err != nil { return nil, err From 5b34b6da860d098325a4439446a42316c027ad97 Mon Sep 17 00:00:00 2001 From: Nelson Isioma Date: Mon, 23 Jun 2025 02:46:49 +0100 Subject: [PATCH 2/3] feat: adding password expiry --- api/client.go | 6 +++--- api/resources.go | 9 --------- helper/resource_create.go | 11 +++++++++++ helper/resource_update.go | 6 ++++++ 4 files changed, 20 insertions(+), 12 deletions(-) diff --git a/api/client.go b/api/client.go index a45f65c..e4da693 100644 --- a/api/client.go +++ b/api/client.go @@ -37,7 +37,7 @@ type Client struct { metadataKeySettings MetadataKeySettings // Server Settings for password expiry - passwordExpirySettings PasswordExpirySettings + PasswordExpirySettings PasswordExpirySettings // used for solving MFA challenges. You can block this to for example wait for user input. // You shouden't run any unrelated API Calls while you are in this callback. @@ -249,10 +249,10 @@ func (c *Client) setPasswordExpirySettings(ctx context.Context, settings *Server } c.log("passwordExpirySettings: %+v", passwordExpirySettings) - c.passwordExpirySettings = *passwordExpirySettings + c.PasswordExpirySettings = *passwordExpirySettings } else { c.log("Server has password expiry plugin disabled or not installed.") - c.passwordExpirySettings = getDefaultPasswordExpirySettings() + c.PasswordExpirySettings = getDefaultPasswordExpirySettings() } return nil diff --git a/api/resources.go b/api/resources.go index 3523cb8..3910ed4 100644 --- a/api/resources.go +++ b/api/resources.go @@ -4,7 +4,6 @@ import ( "context" "encoding/json" "fmt" - "time" ) // Resource is a Resource. @@ -87,10 +86,6 @@ func (c *Client) GetResources(ctx context.Context, opts *GetResourcesOptions) ([ // CreateResource Creates a new Passbolt Resource func (c *Client) CreateResource(ctx context.Context, resource Resource) (*Resource, error) { - if c.passwordExpirySettings.DefaultExpiryPeriod != 0 { - expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.passwordExpirySettings.DefaultExpiryPeriod)) - resource.Expired = &Time{expiry} - } msg, err := c.DoCustomRequest(ctx, "POST", "/resources.json", "v2", resource, nil) if err != nil { return nil, err @@ -129,10 +124,6 @@ func (c *Client) UpdateResource(ctx context.Context, resourceID string, resource return nil, fmt.Errorf("Checking ID format: %w", err) } - if resource.Expired != nil && c.passwordExpirySettings.AutomaticUpdate { - expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.passwordExpirySettings.DefaultExpiryPeriod)) - resource.Expired = &Time{expiry} - } msg, err := c.DoCustomRequest(ctx, "PUT", "/resources/"+resourceID+".json", "v2", resource, nil) if err != nil { return nil, err diff --git a/helper/resource_create.go b/helper/resource_create.go index b3bc70b..88fffbb 100644 --- a/helper/resource_create.go +++ b/helper/resource_create.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "fmt" + "time" "github.com/passbolt/go-passbolt/api" ) @@ -99,6 +100,11 @@ func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name, } resource.Secrets = []api.Secret{{Data: encSecretData}} + if c.PasswordExpirySettings.DefaultExpiryPeriod != 0 { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.PasswordExpirySettings.DefaultExpiryPeriod)) + resource.Expired = &api.Time{Time: expiry} + } + newresource, err := c.CreateResource(ctx, resource) if err != nil { return "", fmt.Errorf("Creating Resource: %w", err) @@ -154,6 +160,11 @@ func CreateResourceV4(ctx context.Context, c *api.Client, folderParentID, name, } resource.Secrets = []api.Secret{{Data: encSecretData}} + if c.PasswordExpirySettings.DefaultExpiryPeriod != 0 { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.PasswordExpirySettings.DefaultExpiryPeriod)) + resource.Expired = &api.Time{Time: expiry} + } + newresource, err := c.CreateResource(ctx, resource) if err != nil { return "", fmt.Errorf("Creating Resource: %w", err) diff --git a/helper/resource_update.go b/helper/resource_update.go index a3d3e16..d91bb0f 100644 --- a/helper/resource_update.go +++ b/helper/resource_update.go @@ -4,6 +4,7 @@ import ( "context" "encoding/json" "fmt" + "time" "github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/passbolt/go-passbolt/api" @@ -376,6 +377,11 @@ func UpdateResource(ctx context.Context, c *api.Client, resourceID, name, userna }) } + if resource.Expired != nil && c.PasswordExpirySettings.AutomaticUpdate { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.PasswordExpirySettings.DefaultExpiryPeriod)) + newResource.Expired = &api.Time{expiry} + } + _, err = c.UpdateResource(ctx, resourceID, newResource) if err != nil { return fmt.Errorf("Updating Resource: %w", err) From fb0ce5892bbd5649c6edd666813029dbd2021fb2 Mon Sep 17 00:00:00 2001 From: Nelson Isioma Date: Wed, 25 Jun 2025 07:51:28 +0100 Subject: [PATCH 3/3] cleanups --- api/client.go | 15 ++++++++++----- api/password_expiry.go | 4 ++-- helper/resource_create.go | 10 ++++++---- helper/resource_update.go | 5 +++-- 4 files changed, 21 insertions(+), 13 deletions(-) diff --git a/api/client.go b/api/client.go index e4da693..ce85767 100644 --- a/api/client.go +++ b/api/client.go @@ -37,7 +37,7 @@ type Client struct { metadataKeySettings MetadataKeySettings // Server Settings for password expiry - PasswordExpirySettings PasswordExpirySettings + passwordExpirySettings PasswordExpirySettings // used for solving MFA challenges. You can block this to for example wait for user input. // You shouden't run any unrelated API Calls while you are in this callback. @@ -239,20 +239,20 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context, settings *ServerSe return nil } -// setPasswordExpirySettings Gets and configures the Client to use the password expiry plugin +// setPasswordExpirySettings fetches and configures the Client to use the password expiry plugin func (c *Client) setPasswordExpirySettings(ctx context.Context, settings *ServerSettingsResponse) error { if settings.Passbolt.IsPluginEnabled("passwordExpiry") && settings.Passbolt.IsPluginEnabled("passwordExpiryPolicies") { c.log("Server has password expiry plugin enabled.") - passwordExpirySettings, err := c.GetServerPasswordExpirySettings(ctx) + passwordExpirySettings, err := c.getServerPasswordExpirySettings(ctx) if err != nil { return fmt.Errorf("Getting Password Expiry Settings: %w", err) } c.log("passwordExpirySettings: %+v", passwordExpirySettings) - c.PasswordExpirySettings = *passwordExpirySettings + c.passwordExpirySettings = *passwordExpirySettings } else { c.log("Server has password expiry plugin disabled or not installed.") - c.PasswordExpirySettings = getDefaultPasswordExpirySettings() + c.passwordExpirySettings = getDefaultPasswordExpirySettings() } return nil @@ -262,3 +262,8 @@ func (c *Client) setPasswordExpirySettings(ctx context.Context, settings *Server func (c *Client) GetPGPHandle() *crypto.PGPHandle { return c.pgp } + +// GetPasswordExpirySettings returns the password expiry settings for the client +func (c *Client) GetPasswordExpirySettings() PasswordExpirySettings { + return c.passwordExpirySettings +} diff --git a/api/password_expiry.go b/api/password_expiry.go index b5c756d..a375b6e 100644 --- a/api/password_expiry.go +++ b/api/password_expiry.go @@ -20,8 +20,8 @@ type PasswordExpirySettings struct { ModifiedBy string `json:"modified_by"` } -// GetServerPasswordExpirySettings gets the servers password expiry settings -func (c *Client) GetServerPasswordExpirySettings(ctx context.Context) (*PasswordExpirySettings, error) { +// getServerPasswordExpirySettings gets the servers password expiry settings +func (c *Client) getServerPasswordExpirySettings(ctx context.Context) (*PasswordExpirySettings, error) { msg, err := c.DoCustomRequestV5(ctx, "GET", "/password-expiry/settings.json", nil, nil) if err != nil { return nil, err diff --git a/helper/resource_create.go b/helper/resource_create.go index 88fffbb..e8c98db 100644 --- a/helper/resource_create.go +++ b/helper/resource_create.go @@ -100,8 +100,9 @@ func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name, } resource.Secrets = []api.Secret{{Data: encSecretData}} - if c.PasswordExpirySettings.DefaultExpiryPeriod != 0 { - expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.PasswordExpirySettings.DefaultExpiryPeriod)) + passwordExpirySettings := c.GetPasswordExpirySettings() + if passwordExpirySettings.DefaultExpiryPeriod != 0 { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(passwordExpirySettings.DefaultExpiryPeriod)) resource.Expired = &api.Time{Time: expiry} } @@ -160,8 +161,9 @@ func CreateResourceV4(ctx context.Context, c *api.Client, folderParentID, name, } resource.Secrets = []api.Secret{{Data: encSecretData}} - if c.PasswordExpirySettings.DefaultExpiryPeriod != 0 { - expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.PasswordExpirySettings.DefaultExpiryPeriod)) + passwordExpirySettings := c.GetPasswordExpirySettings() + if passwordExpirySettings.DefaultExpiryPeriod != 0 { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(passwordExpirySettings.DefaultExpiryPeriod)) resource.Expired = &api.Time{Time: expiry} } diff --git a/helper/resource_update.go b/helper/resource_update.go index d91bb0f..3c6b82b 100644 --- a/helper/resource_update.go +++ b/helper/resource_update.go @@ -377,8 +377,9 @@ func UpdateResource(ctx context.Context, c *api.Client, resourceID, name, userna }) } - if resource.Expired != nil && c.PasswordExpirySettings.AutomaticUpdate { - expiry := time.Now().Add(time.Hour * 24 * time.Duration(c.PasswordExpirySettings.DefaultExpiryPeriod)) + passwordExpirySettings := c.GetPasswordExpirySettings() + if resource.Expired != nil && passwordExpirySettings.AutomaticUpdate { + expiry := time.Now().Add(time.Hour * 24 * time.Duration(passwordExpirySettings.DefaultExpiryPeriod)) newResource.Expired = &api.Time{expiry} }