From 5369030d505b62020c66c27a19804e648fba9b25 Mon Sep 17 00:00:00 2001
From: Samuel Lorch
Date: Mon, 12 May 2025 20:01:47 +0200
Subject: [PATCH] Support MetadataKeyTypeUserKey, Rework Metadata Validation
---
 helper/metadata.go | 145 ++++++++++++++++++++++++++------------------
 1 file changed, 84 insertions(+), 61 deletions(-)
diff --git a/helper/metadata.go b/helper/metadata.go
index e89cb78..0363e8f 100644
--- a/helper/metadata.go
+++ b/helper/metadata.go
@@ -7,84 +7,108 @@ import ( "fmt" "strings" + "github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/passbolt/go-passbolt/api" "github.com/santhosh-tekuri/jsonschema" ) func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resource, rType api.ResourceType) (string, error) { - keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{ - ContainMetadataPrivateKeys: true, - }) - if err != nil { - return "", fmt.Errorf("Get Metadata Key: %w", err) + var metadatakey *crypto.Key + if resource.MetadataKeyType == api.MetadataKeyTypeUserKey { + key, err := c.GetUserPrivateKeyCopy() + if err != nil { + return "", fmt.Errorf("Get User Private Key Copy: %W", err) + } + + metadatakey = key + } else { + // Must be a shared key + keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{ + ContainMetadataPrivateKeys: true, + }) + if err != nil { + return "", fmt.Errorf("Get Metadata Key: %w", err) + } + + // TODO Get Key by id? + if len(keys) != 1 { + return "", fmt.Errorf("Not Exactly One Metadatakey Available") + } + + if len(keys[0].MetadataPrivateKeys) == 0 { + return "", fmt.Errorf("No Metadata Private key for our user") + } + + if len(keys[0].MetadataPrivateKeys) > 1 { + return "", fmt.Errorf("More than 1 metadata Private key for our user") + } + + var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0] + if *privMetdata.UserID != c.GetUserID() { + return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID) + } + + decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data) + if err != nil { + return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err) + } + + var data api.MetadataPrivateKeyData + err = json.Unmarshal([]byte(decPrivMetadatakey), &data) + if err != nil { + return "", fmt.Errorf("Parse Metadata Private Key Data") + } + + metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase)) + if err != nil { + return "", fmt.Errorf("Get 
Metadata Private Key: %w", err) + } + + metadatakey = metadataPrivateKeyObj } - // TODO Get Key by id? - if len(keys) != 1 { - return "", fmt.Errorf("Not Exactly One Metadatakey Available") - } - - if len(keys[0].MetadataPrivateKeys) == 0 { - return "", fmt.Errorf("No Metadata Private key for our user") - } - - if len(keys[0].MetadataPrivateKeys) > 1 { - return "", fmt.Errorf("More than 1 metadata Private key for our user") - } - - var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0] - if *privMetdata.UserID != c.GetUserID() { - return "", fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID) - } - - decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data) - if err != nil { - return "", fmt.Errorf("Decrypt Metadata Private Key Data: %w", err) - } - - var data api.MetadataPrivateKeyData - err = json.Unmarshal([]byte(decPrivMetadatakey), &data) - if err != nil { - return "", fmt.Errorf("Parse Metadata Private Key Data") - } - - metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase)) - if err != nil { - return "", fmt.Errorf("Get Metadata Private Key: %w", err) - } - - decMetadata, err := c.DecryptMetadata(metadataPrivateKeyObj, resource.Metadata) + decMetadata, err := c.DecryptMetadata(metadatakey, resource.Metadata) if err != nil { return "", fmt.Errorf("Decrypt Metadata: %w", err) } + err = validateMetadata(&rType, string(decMetadata)) + if err != nil { + return "", fmt.Errorf("Validate Metadata: %w", err) + } + + return decMetadata, nil +} + +func validateMetadata(rType *api.ResourceType, metadata string) error { var schemaDefinition api.ResourceTypeSchema - err = json.Unmarshal([]byte(rType.Definition), &schemaDefinition) + definition := rType.Definition + + // Fallback schema + if string(definition) == "[]" || string(definition) == "\"[]\"" { + tmp, ok := api.ResourceSchemas[rType.Slug] + if !ok { + return fmt.Errorf("Server Does not have the Required json Schema and 
there is no fallback available for type: %v", rType.Slug) + } + definition = tmp + } + + err := json.Unmarshal([]byte(definition), &schemaDefinition) if err != nil { // Workaround for inconsistant API Responses where sometime the Schema is embedded directly and sometimes it's escaped as a string if err.Error() == "json: cannot unmarshal string into Go value of type api.ResourceTypeSchema" { var tmp string - err = json.Unmarshal([]byte(rType.Definition), &tmp) + err = json.Unmarshal([]byte(definition), &tmp) if err != nil { - return "", fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) - } - - if tmp == "[]" { - // Use The Builtin Fallback Schemas in this Case - schema, ok := api.ResourceSchemas[rType.Slug] - if !ok { - return "", fmt.Errorf("Server Does not have the Required json Schema and there is no fallback available for type: %v", rType.Slug) - } - tmp = string(schema) + return fmt.Errorf("Workaround Unmarshal Json Schema String: %w", err) } err = json.Unmarshal([]byte(tmp), &schemaDefinition) if err != nil { - return "", fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) + return fmt.Errorf("Workaround Unmarshal Json Schema: %w", err) } - } else { - return "", fmt.Errorf("Unmarshal Json Schema: %w", err) + return fmt.Errorf("Unmarshal Json Schema: %w", err) } } 
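Review bot: The new user-key branch wraps its error with `%W`, which is not a fmt verb — the message renders as `%!W(...)` and the underlying error is no longer reachable through `errors.Is`/`errors.As`; it should read `return "", fmt.Errorf("Get User Private Key Copy: %w", err)`. Lower in the shared-key branch, `fmt.Errorf("Parse Metadata Private Key Data")` drops the unmarshal error entirely, and `*privMetdata.UserID` panics if the server omits that field while the message prints the pointer rather than the id; a nil check and `%v` on the dereferenced value would make that failure diagnosable. The `TODO Get Key by id?` is worth resolving here rather than carrying forward: selecting `keys[0]` only works while exactly one shared key exists, so if the resource records which metadata key encrypted it, select by that id instead of erroring on the count. The new `validateMetadata` has no doc comment; `// validateMetadata checks metadata against the resource type's JSON schema, using the built-in schema when the server returns an empty definition.` would cover it, and its body continues into the next hunk.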
@@ -92,18 +116,17 @@ func GetResourceMetadata(ctx context.Context, c *api.Client, resource api.Resour err = comp.AddResource("metadata.json", bytes.NewReader(schemaDefinition.Resource)) if err != nil { - return "", fmt.Errorf("Adding Json Schema: %w", err) + return fmt.Errorf("Adding Json Schema: %w", err) } schema, err := comp.Compile("metadata.json") if err != nil { - return "", fmt.Errorf("Compiling Json Schema: %w", err) + return fmt.Errorf("Compiling Json Schema: %w", err) } - err = schema.Validate(strings.NewReader(decMetadata)) + err = schema.Validate(strings.NewReader(metadata)) if err != nil { - return "", fmt.Errorf("Validating Secret Data: %w", err) + return fmt.Errorf("Validating Secret Data: %w", err) } - - return decMetadata, nil + return nil }
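Review bot: The last error in this hunk still says `Validating Secret Data`, but the reader now carries decrypted resource metadata, so schema failures raised from `validateMetadata` will be misattributed in logs and error chains; `return fmt.Errorf("Validating Metadata: %w", err)` matches the surrounding messages. The enclosing `validateMetadata` function starts outside this hunk, so the `@@` context naming `GetResourceMetadata` is stale git context rather than a problem with the change.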