speatzle/go-passbolt
1
0
Fork 0
mirror of https://github.com/passbolt/go-passbolt.git synced 2025-09-13 14:29:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: speatzle:8b00fcd4971ec6b7c454ebc064d6ad1b0a52eb92
Branches Tags
speatzle:main
speatzle:v5
speatzle:v5-fix-jsonschema
speatzle:v5-schema-fixes
speatzle:fix-password-string-validation
speatzle:v5-metadata-trusting
speatzle:v5-reorg
speatzle:v5-resource-update
speatzle:v5-fix-metadatakey
speatzle:v5-resource-share
speatzle:v5-metadata-creation
speatzle:v5-metadata-decryption
speatzle:gopenpgp-v3
speatzle:v5-basic-metadatakeys
speatzle:v5-server-settings
speatzle:v5-run-workflow
speatzle:auto-skip-integration-tests
speatzle:jwt-auth
speatzle:v0.7.2
speatzle:v0.7.1
speatzle:v0.7.0
speatzle:v0.6.1
speatzle:v0.6.0
speatzle:v0.5.8
speatzle:v0.5.7
speatzle:v0.5.6
speatzle:v0.5.5
speatzle:v0.5.4
speatzle:v0.5.3
speatzle:v0.5.2
speatzle:v0.5.1
speatzle:v0.5.0
speatzle:v0.4.0
speatzle:v0.3.1
speatzle:v0.3.0
speatzle:v0.2.2
speatzle:v0.2.1
speatzle:v0.2.0
speatzle:v0.1.1
speatzle:v0.1.0
speatzle:v0.0.1
..
compare: speatzle:7d6d1c614cabb65e5c02b14dca07cfc4afa4d7c5
Branches Tags
speatzle:v5
speatzle:v5-fix-jsonschema
speatzle:v5-schema-fixes
speatzle:fix-password-string-validation
speatzle:v5-metadata-trusting
speatzle:v5-reorg
speatzle:v5-resource-update
speatzle:v5-fix-metadatakey
speatzle:v5-resource-share
speatzle:v5-metadata-creation
speatzle:v5-metadata-decryption
speatzle:gopenpgp-v3
speatzle:v5-basic-metadatakeys
speatzle:v5-server-settings
speatzle:v5-run-workflow
speatzle:auto-skip-integration-tests
speatzle:main
speatzle:jwt-auth
speatzle:v0.7.2
speatzle:v0.7.1
speatzle:v0.7.0
speatzle:v0.6.1
speatzle:v0.6.0
speatzle:v0.5.8
speatzle:v0.5.7
speatzle:v0.5.6
speatzle:v0.5.5
speatzle:v0.5.4
speatzle:v0.5.3
speatzle:v0.5.2
speatzle:v0.5.1
speatzle:v0.5.0
speatzle:v0.4.0
speatzle:v0.3.1
speatzle:v0.3.0
speatzle:v0.2.2
speatzle:v0.2.1
speatzle:v0.2.0
speatzle:v0.1.1
speatzle:v0.1.0
speatzle:v0.0.1

No commits in common. "8b00fcd4971ec6b7c454ebc064d6ad1b0a52eb92" and "7d6d1c614cabb65e5c02b14dca07cfc4afa4d7c5" have entirely different histories.
8b00fcd497 ... 7d6d1c614c

7 changed files with 140 additions and 207 deletions
Download patch file Download diff file Expand all files Collapse all files

10
api/client.go
View file

@ -9,7 +9,6 @@ import (
"net/http" "net/http"
"net/url" "net/url"
"path" "path"
"time"
"github.com/ProtonMail/gopenpgp/v3/crypto" "github.com/ProtonMail/gopenpgp/v3/crypto"
"github.com/google/go-querystring/query" "github.com/google/go-querystring/query"
@ -39,15 +38,6 @@ type Client struct {
// Server Settings for password expiry // Server Settings for password expiry
passwordExpirySettings PasswordExpirySettings passwordExpirySettings PasswordExpirySettings
// trusted metadatakey, Shared Metadata Keys which are trusted for encryption
trustedMetadataKeyFingerprint *string
trustedMetadataKeySigntime *time.Time
// MetadataKeyUpdatedCallback is Called by the Client when the Metadatakey has changed
// trusted shows if this key has been signed and thus been trusted by another client of this user
// the consumer should prompt the user about the keychange and save the new fingerprint (may be skipped if it is trusted).
// If no error is returned then the new key will be accepted and its fingerpint set in the client
MetadataKeyUpdatedCallback func(ctx context.Context, trusted bool, fingerprint string, signTime time.Time) error
// used for solving MFA challenges. You can block this to for example wait for user input. // used for solving MFA challenges. You can block this to for example wait for user input.
// You shouden't run any unrelated API Calls while you are in this callback. // You shouden't run any unrelated API Calls while you are in this callback.

200
api/metadatakey.go
View file

@ -2,12 +2,7 @@ package api
import ( import (
"context" "context"
"encoding/hex"
"encoding/json" "encoding/json"
"fmt"
"time"
"github.com/ProtonMail/gopenpgp/v3/crypto"
) )
type MetadataKeyType string type MetadataKeyType string
@ -45,15 +40,14 @@ type MetadataKey struct {
// MetadataPrivateKey is a MetadataPrivateKey // MetadataPrivateKey is a MetadataPrivateKey
type MetadataPrivateKey struct { type MetadataPrivateKey struct {
ID string `json:"id,omitempty"` ID string `json:"id,omitempty"`
MetadataKeyID string `json:"metadata_key_id,omitempty"` MetadataKeyID string `json:"metadata_key_id,omitempty"`
UserID *string `json:"user_id,omitempty"` // TODO, is this nullable. The Docs says yes and no UserID *string `json:"user_id,omitempty"` // TODO, is this nullable. The Docs says yes and no
Data string `json:"data,omitempty"` Data string `json:"data,omitempty"`
Created Time `json:"created,omitempty"` Created Time `json:"created,omitempty"`
Modified Time `json:"modified,omitempty"` Modified Time `json:"modified,omitempty"`
CreatedBy *string `json:"created_by,omitempty"` CreatedBy *string `json:"created_by,omitempty"`
ModifiedBy *string `json:"modified_by,omitempty"` ModifiedBy *string `json:"modified_by,omitempty"`
DataSignedByCurrentUser *Time `json:"data_signed_by_current_user,omitempty"`
} }
// MetadataPrivateKeyData is a MetadataPrivateKeyData // MetadataPrivateKeyData is a MetadataPrivateKeyData
@ -66,8 +60,6 @@ type MetadataPrivateKeyData struct {
ArmoredKey string `json:"armored_key,omitempty"` ArmoredKey string `json:"armored_key,omitempty"`
// Passphrase must be Empty for Server Keys // Passphrase must be Empty for Server Keys
Passphrase string `json:"passphrase,omitempty"` Passphrase string `json:"passphrase,omitempty"`
// When this key was Signed by our User for Trusting new keys which where trusted on other Devices
Signed Time `json:"signed,omitempty"`
} }
// GetMetadataKeysOptions are all available query parameters // GetMetadataKeysOptions are all available query parameters
@ -78,16 +70,6 @@ type GetMetadataKeysOptions struct {
ContainMetadataPrivateKeys bool `url:"contain[metadata_private_keys],omitempty"` ContainMetadataPrivateKeys bool `url:"contain[metadata_private_keys],omitempty"`
} }
// SetTrustedMetadatakeyFingerprint
func (c *Client) SetTrustedMetadatakeyFingerprint(fingerprint string, signTime time.Time) {
c.trustedMetadataKeyFingerprint = &fingerprint
}
// GetTrustedMetadatakeyFingerprint
func (c *Client) GetTrustedMetadatakeyFingerprint() *string {
return c.trustedMetadataKeyFingerprint
}
// GetMetadataKeys gets all Passbolt GetMetadataKeys // GetMetadataKeys gets all Passbolt GetMetadataKeys
func (c *Client) GetMetadataKeys(ctx context.Context, opts *GetMetadataKeysOptions) ([]MetadataKey, error) { func (c *Client) GetMetadataKeys(ctx context.Context, opts *GetMetadataKeysOptions) ([]MetadataKey, error) {
msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/keys.json", nil, opts) msg, err := c.DoCustomRequestV5(ctx, "GET", "/metadata/keys.json", nil, opts)
@ -102,169 +84,3 @@ func (c *Client) GetMetadataKeys(ctx context.Context, opts *GetMetadataKeysOptio
} }
return metadataKeys, nil return metadataKeys, nil
} }
// GetMetadataKey gets a Metadata key, Personal indicates if the function should return the personal key,
// If personal keys have been disabled on the server then we return the shared key
// Returns the Key ID, Key Type and the Key itself
func (c *Client) GetMetadataKey(ctx context.Context, personal bool) (string, MetadataKeyType, *crypto.Key, error) {
// if personal is requsted and it is allowed by the server, then return that
if personal && c.MetadataKeySettings().AllowUsageOfPersonalKeys {
key, err := c.GetUserPrivateKeyCopy()
if err != nil {
return "", "", nil, fmt.Errorf("Get User Private Key: %w", err)
}
me, err := c.GetMe(ctx)
if err != nil {
return "", "", nil, fmt.Errorf("Get User Me: %w", err)
}
if me.GPGKey == nil {
return "", "", nil, fmt.Errorf("User Me GPG Key nil")
}
return me.GPGKey.ID, MetadataKeyTypeUserKey, key, nil
}
keys, err := c.GetMetadataKeys(ctx, &GetMetadataKeysOptions{
ContainMetadataPrivateKeys: true,
})
if err != nil {
return "", "", nil, fmt.Errorf("Get Metadata Key: %w", err)
}
// Get The Newest Metadata Key
metadatakey := keys[len(keys)-1]
var privateMetadataKey *MetadataPrivateKey = nil
for _, _privateMetadataKey := range metadatakey.MetadataPrivateKeys {
if *_privateMetadataKey.UserID == c.userID {
privateMetadataKey = &_privateMetadataKey
c.log("Found privateMetadataKey for our user %v", _privateMetadataKey.ID)
break
}
}
if privateMetadataKey == nil {
return "", "", nil, fmt.Errorf("No Metadata Private key for our user")
}
decPrivateMetadatakey, err := c.DecryptMessage(privateMetadataKey.Data)
if err != nil {
return "", "", nil, fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
}
var data MetadataPrivateKeyData
err = json.Unmarshal([]byte(decPrivateMetadatakey), &data)
if err != nil {
return "", "", nil, fmt.Errorf("Parse Metadata Private Key Data")
}
metadataPrivateKeyObj, err := GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
if err != nil {
return "", "", nil, fmt.Errorf("Get Metadata Private Key: %w", err)
}
// Verify the key
if c.GetTrustedMetadatakeyFingerprint() == nil || metadataPrivateKeyObj.GetFingerprint() != *c.GetTrustedMetadatakeyFingerprint() {
if c.trustedMetadataKeySigntime != nil && !data.Signed.Time.After(*c.trustedMetadataKeySigntime) {
return "", "", nil, fmt.Errorf("New Metadata Key is older than the currently trusted one: %w", err)
}
userPrivateKey, err := c.GetUserPrivateKeyCopy()
if err != nil {
return "", "", nil, fmt.Errorf("Get User Private Key Copy: %w", err)
}
verify, err := c.pgp.Verify().VerificationKey(userPrivateKey).New()
verifyRes, err := verify.VerifyInline([]byte(privateMetadataKey.Data), crypto.Armor)
if err != nil {
return "", "", nil, fmt.Errorf("Verify User Metadata Private Key Signature: %w", err)
}
signedByFingerprint := hex.EncodeToString(verifyRes.SignedByFingerprint())
c.log("Metadata Private key Signed by %v", signedByFingerprint)
c.log("User key Fingerprint %v", userPrivateKey.GetFingerprint())
// Check if the Metadata Private Key was signed by our User Private key
trusted := false
if signedByFingerprint == userPrivateKey.GetFingerprint() {
trusted = true
c.log("New Metadata Private Key has been signed by our Private key")
} else {
c.log("New Metadata Private Key has failed the signature check")
}
// Callback not Defined
if c.MetadataKeyUpdatedCallback == nil {
// Fail if there is a key pinned but the signature check failed
if c.trustedMetadataKeyFingerprint != nil || !trusted {
return "", "", nil, fmt.Errorf("Metadata Key has changed, The Callback is nil, There is a Key Pinned but the new one is not trusted")
}
c.log("No Callback is defined, No Metadata key is pinned and the Signature is by our Private key, automatically trusting")
} else {
err = c.MetadataKeyUpdatedCallback(ctx, trusted, metadataPrivateKeyObj.GetFingerprint(), data.Signed.Time)
if err != nil {
return "", "", nil, fmt.Errorf("Metadata Key has changed, Callback: %w", err)
}
}
// Callback has not Returned an error, Thus the New Key has been accepted
c.SetTrustedMetadatakeyFingerprint(metadataPrivateKeyObj.GetFingerprint(), data.Signed.Time)
}
return metadatakey.ID, MetadataKeyTypeSharedKey, metadataPrivateKeyObj, nil
}
// GetMetadataKeyById is for fetching a specific metadatakey if needed for Decryption, these are not verified
func (c *Client) GetMetadataKeyById(ctx context.Context, id string) (*crypto.Key, error) {
keys, err := c.GetMetadataKeys(ctx, &GetMetadataKeysOptions{
ContainMetadataPrivateKeys: true,
})
if err != nil {
return nil, fmt.Errorf("Get Metadata Key: %w", err)
}
var key *MetadataKey
for _, k := range keys {
if k.ID == id {
key = &k
break
}
}
if key == nil {
return nil, fmt.Errorf("Metadata key not found: %v", id)
}
if len(key.MetadataPrivateKeys) == 0 {
return nil, fmt.Errorf("No Metadata Private key for our user")
}
if len(key.MetadataPrivateKeys) > 1 {
return nil, fmt.Errorf("More than 1 metadata Private key for our user")
}
var privMetdata MetadataPrivateKey = key.MetadataPrivateKeys[0]
if *privMetdata.UserID != c.GetUserID() {
return nil, fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID)
}
decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data)
if err != nil {
return nil, fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
}
var data MetadataPrivateKeyData
err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
if err != nil {
return nil, fmt.Errorf("Parse Metadata Private Key Data")
}
metadataPrivateKeyObj, err := GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
if err != nil {
return nil, fmt.Errorf("Get Metadata Private Key: %w", err)
}
return metadataPrivateKeyObj, nil
}

2
helper/metadata.go
View file

@ -21,7 +21,7 @@ func GetResourceMetadata(ctx context.Context, c *api.Client, resource *api.Resou
} }
metadatakey = tmp metadatakey = tmp
} else { } else {
key, err := c.GetMetadataKeyById(ctx, resource.MetadataKeyID) key, err := GetMetadataKeyById(ctx, c, resource.MetadataKeyID)
if err != nil { if err != nil {
return "", fmt.Errorf("Get Metadata Key by ID: %w", err) return "", fmt.Errorf("Get Metadata Key by ID: %w", err)
} }

128
helper/metadatakey.go
View file

@ -1 +1,129 @@
package helper package helper
import (
"context"
"encoding/json"
"fmt"
"github.com/ProtonMail/gopenpgp/v3/crypto"
"github.com/passbolt/go-passbolt/api"
)
// GetMetadataKey gets a Metadata key, Personal indicates if the function should return the personal key,
// If personal keys have been disabled on the server then we return the shared key
// Returns the Key ID, Key Type and the Key itself
func GetMetadataKey(ctx context.Context, c *api.Client, personal bool) (string, api.MetadataKeyType, *crypto.Key, error) {
// if personal is requsted and it is allowed by the server, then return that
if personal && c.MetadataKeySettings().AllowUsageOfPersonalKeys {
key, err := c.GetUserPrivateKeyCopy()
if err != nil {
return "", "", nil, fmt.Errorf("Get User Private Key: %w", err)
}
me, err := c.GetMe(ctx)
if err != nil {
return "", "", nil, fmt.Errorf("Get User Me: %w", err)
}
if me.GPGKey == nil {
return "", "", nil, fmt.Errorf("User Me GPG Key nil")
}
return me.GPGKey.ID, api.MetadataKeyTypeUserKey, key, nil
}
keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{
ContainMetadataPrivateKeys: true,
})
if err != nil {
return "", "", nil, fmt.Errorf("Get Metadata Key: %w", err)
}
// TODO Get Key by id?
if len(keys) != 1 {
return "", "", nil, fmt.Errorf("Not Exactly One Metadatakey Available")
}
if len(keys[0].MetadataPrivateKeys) == 0 {
return "", "", nil, fmt.Errorf("No Metadata Private key for our user")
}
if len(keys[0].MetadataPrivateKeys) > 1 {
return "", "", nil, fmt.Errorf("More than 1 metadata Private key for our user")
}
var privMetdata api.MetadataPrivateKey = keys[0].MetadataPrivateKeys[0]
if *privMetdata.UserID != c.GetUserID() {
return "", "", nil, fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID)
}
decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data)
if err != nil {
return "", "", nil, fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
}
var data api.MetadataPrivateKeyData
err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
if err != nil {
return "", "", nil, fmt.Errorf("Parse Metadata Private Key Data")
}
metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
if err != nil {
return "", "", nil, fmt.Errorf("Get Metadata Private Key: %w", err)
}
return keys[0].ID, api.MetadataKeyTypeSharedKey, metadataPrivateKeyObj, nil
}
// GetMetadataKeyById is for fetching a specific metadatakey if needed for Decryption
func GetMetadataKeyById(ctx context.Context, c *api.Client, id string) (*crypto.Key, error) {
keys, err := c.GetMetadataKeys(ctx, &api.GetMetadataKeysOptions{
ContainMetadataPrivateKeys: true,
})
if err != nil {
return nil, fmt.Errorf("Get Metadata Key: %w", err)
}
var key *api.MetadataKey
for _, k := range keys {
if k.ID == id {
key = &k
break
}
}
if key == nil {
return nil, fmt.Errorf("Metadata key not found: %v", id)
}
if len(key.MetadataPrivateKeys) == 0 {
return nil, fmt.Errorf("No Metadata Private key for our user")
}
if len(key.MetadataPrivateKeys) > 1 {
return nil, fmt.Errorf("More than 1 metadata Private key for our user")
}
var privMetdata api.MetadataPrivateKey = key.MetadataPrivateKeys[0]
if *privMetdata.UserID != c.GetUserID() {
return nil, fmt.Errorf("MetadataPrivateKey is not for our user id: %v", privMetdata.UserID)
}
decPrivMetadatakey, err := c.DecryptMessage(privMetdata.Data)
if err != nil {
return nil, fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
}
var data api.MetadataPrivateKeyData
err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
if err != nil {
return nil, fmt.Errorf("Parse Metadata Private Key Data")
}
metadataPrivateKeyObj, err := api.GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
if err != nil {
return nil, fmt.Errorf("Get Metadata Private Key: %w", err)
}
return metadataPrivateKeyObj, nil
}

2
helper/resource_create.go
View file

@ -64,7 +64,7 @@ func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name,
return "", fmt.Errorf("Validating metadata: %w", err) return "", fmt.Errorf("Validating metadata: %w", err)
} }
metadataKeyID, metadataKeyType, publicMetadataKey, err := c.GetMetadataKey(ctx, true) metadataKeyID, metadataKeyType, publicMetadataKey, err := GetMetadataKey(ctx, c, true)
if err != nil { if err != nil {
return "", fmt.Errorf("Get Metadata Key: %w", err) return "", fmt.Errorf("Get Metadata Key: %w", err)
} }

2
helper/resource_update.go
View file

@ -113,7 +113,7 @@ func UpdateResource(ctx context.Context, c *api.Client, resourceID, name, userna
return fmt.Errorf("Validating metadata: %w", err) return fmt.Errorf("Validating metadata: %w", err)
} }
metadataKeyID, metadataKeyType, publicMetadataKey, err := c.GetMetadataKey(ctx, true) metadataKeyID, metadataKeyType, publicMetadataKey, err := GetMetadataKey(ctx, c, true)
if err != nil { if err != nil {
return fmt.Errorf("Get Metadata Key: %w", err) return fmt.Errorf("Get Metadata Key: %w", err)
} }

3
helper/share.go
View file

@ -81,14 +81,13 @@ func ShareResource(ctx context.Context, c *api.Client, resourceID string, change
// if Metadata has not been shared yet then we need to do that // if Metadata has not been shared yet then we need to do that
// we assume that if MetadataKeyType is not null that this is a v5 Resource and that the other field are fine // we assume that if MetadataKeyType is not null that this is a v5 Resource and that the other field are fine
// TODO Calculate if this should be the Shared Metadatakey or our Personal one (if we are unsharing)
if resource.MetadataKeyType == api.MetadataKeyTypeUserKey { if resource.MetadataKeyType == api.MetadataKeyTypeUserKey {
metadata, err := GetResourceMetadata(ctx, c, resource, rType) metadata, err := GetResourceMetadata(ctx, c, resource, rType)
if err != nil { if err != nil {
return fmt.Errorf("Get Metadata: %w", err) return fmt.Errorf("Get Metadata: %w", err)
} }
metadataKeyID, metadataKeyType, publicMetadataKey, err := c.GetMetadataKey(ctx, false) metadataKeyID, metadataKeyType, publicMetadataKey, err := GetMetadataKey(ctx, c, true)
if err != nil { if err != nil {
return fmt.Errorf("Get Metadata Key: %w", err) return fmt.Errorf("Get Metadata Key: %w", err)
} }