service: Auth reset (#63)

keys-pub · Sep 17, 2020 · bda9381 · bda9381
1 parent 707b83c
commit bda9381
Show file tree

Hide file tree

Showing 43 changed files with 2,145 additions and 1,562 deletions.
diff --git a/service/auth.go b/service/auth.go
@@ -35,6 +35,8 @@ func newAuth(env *Env) *auth {
 		"/service.Keys/AuthUnlock",
 		"/service.Keys/AuthLock",
 		"/service.Keys/AuthVault",
+		"/service.Keys/AuthReset",
+		"/service.Keys/AuthRecover",
 		"/service.Keys/Rand",
 		"/service.Keys/RandPassword",
 		"/service.Keys/RuntimeStatus",

diff --git a/service/auth_fido2.go b/service/auth_fido2.go
@@ -185,10 +185,13 @@ func unlockHMACSecret(ctx context.Context, auths fido2.AuthServer, vlt *vault.Va
 	if err != nil {
 		return err
 	}
-	if status == vault.Setup {
+	if status == vault.SetupNeeded {
 		if err := vlt.Setup(key, provision); err != nil {
 			return err
 		}
+		if _, err := vlt.Unlock(key); err != nil {
+			return err
+		}
 	} else {
 		if _, err := vlt.Unlock(key); err != nil {
 			return err

diff --git a/service/auth_fido2_test.go b/service/auth_fido2_test.go
@@ -27,11 +27,14 @@ func TestHMACSecretAuthOnDevice(t *testing.T) {
 
 	// SetLogger(NewLogger(DebugLevel))
 
-	env, closeFn := newEnv(t, "KeysTest", "")
+	env, closeFn := newEnv(t, "", "")
 	defer closeFn()
 
 	auth := newAuth(env)
 	vlt := newTestVault(t)
+	err = vlt.Open()
+	require.NoError(t, err)
+	defer vlt.Close()
 
 	// Load plugin
 	fido2Plugin, err := fido2.OpenPlugin(filepath.Join(testGoBin(t), "fido2.so"))
@@ -53,10 +56,13 @@ func TestHMACSecretAuth(t *testing.T) {
 	// vault.SetLogger(NewLogger(DebugLevel))
 	var err error
 
-	env, closeFn := newEnv(t, "KeysTest", "")
+	env, closeFn := newEnv(t, "", "")
 	defer closeFn()
 	auth := newAuth(env)
 	vlt := newTestVault(t)
+	err = vlt.Open()
+	require.NoError(t, err)
+	defer vlt.Close()
 	pin := "12345"
 
 	// Try without plugin
@@ -77,6 +83,7 @@ func TestHMACSecretAuth(t *testing.T) {
 	require.NotEmpty(t, token)
 
 	mk := vlt.MasterKey()
+	require.NotEmpty(t, mk)
 
 	vlt.Lock()
 

diff --git a/service/auth_rpc.go b/service/auth_rpc.go
@@ -19,7 +19,7 @@ func (s *service) AuthSetup(ctx context.Context, req *AuthSetupRequest) (*AuthSe
 	if err != nil {
 		return nil, err
 	}
-	if status != vault.Setup {
+	if status != vault.SetupNeeded {
 		return nil, errors.Errorf("auth already setup")
 	}
 
@@ -55,7 +55,7 @@ func (s *service) AuthVault(ctx context.Context, req *AuthVaultRequest) (*AuthVa
 	if err != nil {
 		return nil, err
 	}
-	if status != vault.Setup {
+	if status != vault.SetupNeeded {
 		return nil, errors.Errorf("auth already setup")
 	}
 
@@ -197,3 +197,53 @@ func matchAAGUID(provisions []*vault.Provision, aaguid string) *vault.Provision
 	}
 	return nil
 }
+
+func (s *service) AuthRecover(ctx context.Context, req *AuthRecoverRequest) (*AuthRecoverResponse, error) {
+	if req.KeyPhrase == "" {
+		return nil, errors.Errorf("no key phrase specified")
+	}
+	if req.NewPassword == "" {
+		return nil, errors.Errorf("no password specified")
+	}
+	unlockResp, err := s.AuthUnlock(ctx, &AuthUnlockRequest{
+		Secret: req.KeyPhrase,
+		Type:   KeyPhraseAuth,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if _, err := s.AuthProvision(ctx, &AuthProvisionRequest{
+		Secret: req.NewPassword,
+		Type:   PasswordAuth,
+	}); err != nil {
+		return nil, err
+	}
+
+	return &AuthRecoverResponse{
+		AuthToken: unlockResp.AuthToken,
+	}, nil
+}
+
+func (s *service) AuthReset(ctx context.Context, req *AuthResetRequest) (*AuthResetResponse, error) {
+	if s.unlocked {
+		return nil, errors.Wrapf(errors.Errorf("auth is unlocked"), "failed to reset")
+	}
+
+	if req.AppName != s.env.AppName() {
+		return nil, errors.Wrapf(errors.Errorf("invalid app name"), "failed to reset")
+	}
+
+	if err := s.vault.Reset(); err != nil {
+		return nil, err
+	}
+
+	path, err := s.env.AppPath(kdbPath, false)
+	if err != nil {
+		return nil, err
+	}
+	if err := os.RemoveAll(path); err != nil {
+		return nil, err
+	}
+
+	return &AuthResetResponse{}, nil
+}
diff --git a/service/auth_test.go b/service/auth_test.go
@@ -10,25 +10,29 @@ import (
 )
 
 func TestAuthWithPassword(t *testing.T) {
-	env, closeFn := newEnv(t, "KeysTest", "")
+	var err error
+	env, closeFn := newEnv(t, "", "")
 	defer closeFn()
 	auth := newAuth(env)
 	vlt := newTestVault(t)
+	err = vlt.Open()
+	require.NoError(t, err)
+	defer vlt.Close()
 
 	ctx := context.TODO()
 
 	// Setup needed
 	status, err := vlt.Status()
 	require.NoError(t, err)
-	require.Equal(t, vault.Setup, status)
+	require.Equal(t, vault.SetupNeeded, status)
 
 	// Setup
 	err = auth.setup(ctx, vlt, "password123", PasswordAuth)
 	require.NoError(t, err)
 
 	status, err = vlt.Status()
 	require.NoError(t, err)
-	require.Equal(t, vault.Unlocked, status)
+	require.Equal(t, vault.Locked, status)
 
 	// Unlock
 	token, err := auth.unlock(ctx, vlt, "password123", PasswordAuth, "test")
@@ -53,10 +57,13 @@ func TestAuthWithPassword(t *testing.T) {
 
 func TestAuthorize(t *testing.T) {
 	var err error
-	env, closeFn := newEnv(t, "KeysTest", "")
+	env, closeFn := newEnv(t, "", "")
 	defer closeFn()
 	auth := newAuth(env)
 	vlt := newTestVault(t)
+	err = vlt.Open()
+	require.NoError(t, err)
+	defer vlt.Close()
 
 	ctx := metadata.NewIncomingContext(context.TODO(), metadata.MD{})
 	err = auth.authorize(ctx, "/service.Keys/SomeMethod")
@@ -103,7 +110,7 @@ func TestGenerateToken(t *testing.T) {
 
 func TestAuthUnlockLock(t *testing.T) {
 	env := newTestEnv(t)
-	service, closeFn := newTestService(t, env, "")
+	service, closeFn := newTestService(t, env)
 	defer closeFn()
 	ctx := context.TODO()
 
@@ -150,7 +157,7 @@ func TestAuthUnlockLock(t *testing.T) {
 func TestPasswordChange(t *testing.T) {
 	var err error
 	env := newTestEnv(t)
-	service, closeFn := newTestService(t, env, "")
+	service, closeFn := newTestService(t, env)
 	defer closeFn()
 	ctx := context.TODO()
 
@@ -193,7 +200,7 @@ func TestPasswordChange(t *testing.T) {
 
 func TestUnlockMultipleClients(t *testing.T) {
 	env := newTestEnv(t)
-	service, closeFn := newTestService(t, env, "")
+	service, closeFn := newTestService(t, env)
 	defer closeFn()
 	ctx := context.TODO()
 
@@ -238,3 +245,61 @@ func TestUnlockMultipleClients(t *testing.T) {
 
 	require.False(t, service.db.IsOpen())
 }
+
+func TestAuthReset(t *testing.T) {
+	var err error
+	env := newTestEnv(t)
+	service, closeFn := newTestService(t, env)
+	defer closeFn()
+	ctx := context.TODO()
+
+	_, err = service.AuthSetup(ctx, &AuthSetupRequest{Secret: "password123", Type: PasswordAuth})
+	require.NoError(t, err)
+	_, err = service.AuthUnlock(ctx, &AuthUnlockRequest{Secret: "password123", Type: PasswordAuth})
+	require.NoError(t, err)
+
+	_, err = service.KeyGenerate(ctx, &KeyGenerateRequest{Type: EdX25519})
+	require.NoError(t, err)
+
+	keysResp, err := service.Keys(ctx, &KeysRequest{})
+	require.NoError(t, err)
+	require.Equal(t, 1, len(keysResp.Keys))
+
+	_, err = service.AuthReset(ctx, &AuthResetRequest{AppName: service.env.AppName()})
+	require.EqualError(t, err, "failed to reset: auth is unlocked")
+
+	_, err = service.AuthLock(ctx, &AuthLockRequest{})
+	require.NoError(t, err)
+
+	_, err = service.AuthReset(ctx, &AuthResetRequest{AppName: "InvalidAppName"})
+	require.EqualError(t, err, "failed to reset: invalid app name")
+
+	_, err = service.AuthReset(ctx, &AuthResetRequest{AppName: service.env.AppName()})
+	require.NoError(t, err)
+
+	_, err = service.AuthSetup(ctx, &AuthSetupRequest{Secret: "password12345", Type: PasswordAuth})
+	require.NoError(t, err)
+	_, err = service.AuthUnlock(ctx, &AuthUnlockRequest{Secret: "password12345", Type: PasswordAuth})
+	require.NoError(t, err)
+
+	_, err = service.KeyGenerate(ctx, &KeyGenerateRequest{Type: EdX25519})
+	require.NoError(t, err)
+
+	keysResp, err = service.Keys(ctx, &KeysRequest{})
+	require.NoError(t, err)
+	require.Equal(t, 1, len(keysResp.Keys))
+}
+
+func TestAuthSetupLocked(t *testing.T) {
+	var err error
+	env := newTestEnv(t)
+	service, closeFn := newTestService(t, env)
+	defer closeFn()
+	ctx := context.TODO()
+
+	_, err = service.AuthSetup(ctx, &AuthSetupRequest{Secret: "password123", Type: PasswordAuth})
+	require.NoError(t, err)
+
+	_, err = service.KeyGenerate(ctx, &KeyGenerateRequest{Type: EdX25519})
+	require.EqualError(t, err, "vault is locked")
+}
diff --git a/service/cert_test.go b/service/cert_test.go
@@ -8,7 +8,7 @@ import (
 )
 
 func TestCertificate(t *testing.T) {
-	env, closeFn := newEnv(t, "KeysTest", "")
+	env, closeFn := newEnv(t, "", "")
 	defer closeFn()
 
 	cert, err := loadCertificate(env)

diff --git a/service/client_test.go b/service/client_test.go
@@ -21,6 +21,9 @@ func (l listener) dial(context.Context, string) (net.Conn, error) {
 }
 
 func newTestRPCClient(t *testing.T, srvc *service, tenv *testEnv, appName string, out io.Writer) (*Client, func()) {
+	if appName == "" {
+		appName = "KeysTest-" + randName()
+	}
 	listener := listener{lis: bufconn.Listen(1024 * 1024)}
 
 	connect := func(env *Env, authToken string) (*grpc.ClientConn, error) {