
service: Auth reset #63

Merged
merged 1 commit into from
Sep 17, 2020
2 changes: 2 additions & 0 deletions service/auth.go
Expand Up @@ -35,6 +35,8 @@ func newAuth(env *Env) *auth {
"/service.Keys/AuthUnlock",
"/service.Keys/AuthLock",
"/service.Keys/AuthVault",
"/service.Keys/AuthReset",
"/service.Keys/AuthRecover",
"/service.Keys/Rand",
"/service.Keys/RandPassword",
"/service.Keys/RuntimeStatus",
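Review bot: AuthReset and AuthRecover are added to the same method list as AuthUnlock, AuthSetup and AuthVault; if, as those neighbours suggest, this is the set of RPCs exempt from token authorization, then the reset implemented in service/auth_rpc.go — which calls `s.vault.Reset()` and `os.RemoveAll` on the kdb path — becomes reachable by any client that can connect and supply the app name, and the app name is not a secret. The only guards in that handler are the locked-state check and the AppName comparison, which is a deliberate-looking design but an easy one to misread later. Consider recording it at this entry, e.g. `"/service.Keys/AuthReset", // destructive; callable without a token, gated only on locked state + app name`, and the same for AuthRecover, which unlocks with the key phrase and provisions a new password. newAuth continues outside the hunk, so the list's exact role should be confirmed there.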
5 changes: 4 additions & 1 deletion service/auth_fido2.go
Expand Up @@ -185,10 +185,13 @@ func unlockHMACSecret(ctx context.Context, auths fido2.AuthServer, vlt *vault.Va
if err != nil {
return err
}
if status == vault.Setup {
if status == vault.SetupNeeded {
if err := vlt.Setup(key, provision); err != nil {
return err
}
if _, err := vlt.Unlock(key); err != nil {
return err
}
} else {
if _, err := vlt.Unlock(key); err != nil {
return err
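Review bot: Both branches of `if status == vault.SetupNeeded` now end with the identical `vlt.Unlock(key)` call, so the setup branch duplicates what the else branch already did. Hoisting the unlock out of the conditional removes the duplication: keep only `if err := vlt.Setup(key, provision); err != nil { return err }` inside the `SetupNeeded` branch, drop the else, and follow the block with a single `if _, err := vlt.Unlock(key); err != nil { return err }`. The else branch and the remainder of unlockHMACSecret continue outside the hunk, so confirm nothing else differs between the two branches before merging them.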
11 changes: 9 additions & 2 deletions service/auth_fido2_test.go
Expand Up @@ -27,11 +27,14 @@ func TestHMACSecretAuthOnDevice(t *testing.T) {

// SetLogger(NewLogger(DebugLevel))

env, closeFn := newEnv(t, "KeysTest", "")
env, closeFn := newEnv(t, "", "")
defer closeFn()

auth := newAuth(env)
vlt := newTestVault(t)
err = vlt.Open()
require.NoError(t, err)
defer vlt.Close()

// Load plugin
fido2Plugin, err := fido2.OpenPlugin(filepath.Join(testGoBin(t), "fido2.so"))
Expand All @@ -53,10 +56,13 @@ func TestHMACSecretAuth(t *testing.T) {
// vault.SetLogger(NewLogger(DebugLevel))
var err error

env, closeFn := newEnv(t, "KeysTest", "")
env, closeFn := newEnv(t, "", "")
defer closeFn()
auth := newAuth(env)
vlt := newTestVault(t)
err = vlt.Open()
require.NoError(t, err)
defer vlt.Close()
pin := "12345"

// Try without plugin
Expand All @@ -77,6 +83,7 @@ func TestHMACSecretAuth(t *testing.T) {
require.NotEmpty(t, token)

mk := vlt.MasterKey()
require.NotEmpty(t, mk)

vlt.Lock()

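--- a/service/auth_rpc.go
+++ b/service/auth_rpc.go
@@ -19,7 +19,7 @@ func (s *service) AuthSetup(ctx context.Context, req *AuthSetupRequest) (*AuthSe
 if err != nil {
 return nil, err
 }
-if status != vault.Setup {
+if status != vault.SetupNeeded {
 return nil, errors.Errorf("auth already setup")
 }
 
@@ -55,7 +55,7 @@ func (s *service) AuthVault(ctx context.Context, req *AuthVaultRequest) (*AuthVa
 if err != nil {
 return nil, err
 }
-if status != vault.Setup {
+if status != vault.SetupNeeded {
 return nil, errors.Errorf("auth already setup")
 }
 
@@ -197,3 +197,53 @@ func matchAAGUID(provisions []*vault.Provision, aaguid string) *vault.Provision
 }
 return nil
 }
+
+func (s *service) AuthRecover(ctx context.Context, req *AuthRecoverRequest) (*AuthRecoverResponse, error) {
+if req.KeyPhrase == "" {
+return nil, errors.Errorf("no key phrase specified")
+}
+if req.NewPassword == "" {
+return nil, errors.Errorf("no password specified")
+}
+unlockResp, err := s.AuthUnlock(ctx, &AuthUnlockRequest{
+Secret: req.KeyPhrase,
+Type: KeyPhraseAuth,
+})
+if err != nil {
+return nil, err
+}
+if _, err := s.AuthProvision(ctx, &AuthProvisionRequest{
+Secret: req.NewPassword,
+Type: PasswordAuth,
+}); err != nil {
+return nil, err
+}
+
+return &AuthRecoverResponse{
+AuthToken: unlockResp.AuthToken,
+}, nil
+}
+
+func (s *service) AuthReset(ctx context.Context, req *AuthResetRequest) (*AuthResetResponse, error) {
+if s.unlocked {
+return nil, errors.Wrapf(errors.Errorf("auth is unlocked"), "failed to reset")
+}
+
+if req.AppName != s.env.AppName() {
+return nil, errors.Wrapf(errors.Errorf("invalid app name"), "failed to reset")
+}
+
+if err := s.vault.Reset(); err != nil {
+return nil, err
+}
+
+path, err := s.env.AppPath(kdbPath, false)
+if err != nil {
+return nil, err
+}
+if err := os.RemoveAll(path); err != nil {
+return nil, err
+}
+
+return &AuthResetResponse{}, nil
+}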
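Review bot: In AuthRecover, when AuthProvision fails after AuthUnlock has already succeeded, the caller gets an error but the service is left unlocked with a token that was issued and then discarded; the unlock is not rolled back on that path. Locking again before returning, `if _, lerr := s.AuthLock(ctx, &AuthLockRequest{}); lerr != nil { return nil, errors.Wrapf(lerr, "failed to recover") }` inside the error branch, would keep a failed recovery from changing the lock state. AuthReset has a related partial-failure window: if `os.RemoveAll(path)` fails after `s.vault.Reset()` succeeded, the vault is gone while the kdb path remains, which is worth a comment on the ordering (or resolving the path before calling Reset). As a style point, `errors.Wrapf(errors.Errorf("auth is unlocked"), "failed to reset")` is just `errors.Errorf("failed to reset: auth is unlocked")`, which produces the same message the test asserts.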
79 changes: 72 additions & 7 deletions service/auth_test.go
Expand Up @@ -10,25 +10,29 @@ import (
)

func TestAuthWithPassword(t *testing.T) {
env, closeFn := newEnv(t, "KeysTest", "")
var err error
env, closeFn := newEnv(t, "", "")
defer closeFn()
auth := newAuth(env)
vlt := newTestVault(t)
err = vlt.Open()
require.NoError(t, err)
defer vlt.Close()

ctx := context.TODO()

// Setup needed
status, err := vlt.Status()
require.NoError(t, err)
require.Equal(t, vault.Setup, status)
require.Equal(t, vault.SetupNeeded, status)

// Setup
err = auth.setup(ctx, vlt, "password123", PasswordAuth)
require.NoError(t, err)

status, err = vlt.Status()
require.NoError(t, err)
require.Equal(t, vault.Unlocked, status)
require.Equal(t, vault.Locked, status)

// Unlock
token, err := auth.unlock(ctx, vlt, "password123", PasswordAuth, "test")
Expand All @@ -53,10 +57,13 @@ func TestAuthWithPassword(t *testing.T) {

func TestAuthorize(t *testing.T) {
var err error
env, closeFn := newEnv(t, "KeysTest", "")
env, closeFn := newEnv(t, "", "")
defer closeFn()
auth := newAuth(env)
vlt := newTestVault(t)
err = vlt.Open()
require.NoError(t, err)
defer vlt.Close()

ctx := metadata.NewIncomingContext(context.TODO(), metadata.MD{})
err = auth.authorize(ctx, "/service.Keys/SomeMethod")
Expand Down Expand Up @@ -103,7 +110,7 @@ func TestGenerateToken(t *testing.T) {

func TestAuthUnlockLock(t *testing.T) {
env := newTestEnv(t)
service, closeFn := newTestService(t, env, "")
service, closeFn := newTestService(t, env)
defer closeFn()
ctx := context.TODO()

Expand Down Expand Up @@ -150,7 +157,7 @@ func TestAuthUnlockLock(t *testing.T) {
func TestPasswordChange(t *testing.T) {
var err error
env := newTestEnv(t)
service, closeFn := newTestService(t, env, "")
service, closeFn := newTestService(t, env)
defer closeFn()
ctx := context.TODO()

Expand Down Expand Up @@ -193,7 +200,7 @@ func TestPasswordChange(t *testing.T) {

func TestUnlockMultipleClients(t *testing.T) {
env := newTestEnv(t)
service, closeFn := newTestService(t, env, "")
service, closeFn := newTestService(t, env)
defer closeFn()
ctx := context.TODO()

Expand Down Expand Up @@ -238,3 +245,61 @@ func TestUnlockMultipleClients(t *testing.T) {

require.False(t, service.db.IsOpen())
}

func TestAuthReset(t *testing.T) {
var err error
env := newTestEnv(t)
service, closeFn := newTestService(t, env)
defer closeFn()
ctx := context.TODO()

_, err = service.AuthSetup(ctx, &AuthSetupRequest{Secret: "password123", Type: PasswordAuth})
require.NoError(t, err)
_, err = service.AuthUnlock(ctx, &AuthUnlockRequest{Secret: "password123", Type: PasswordAuth})
require.NoError(t, err)

_, err = service.KeyGenerate(ctx, &KeyGenerateRequest{Type: EdX25519})
require.NoError(t, err)

keysResp, err := service.Keys(ctx, &KeysRequest{})
require.NoError(t, err)
require.Equal(t, 1, len(keysResp.Keys))

_, err = service.AuthReset(ctx, &AuthResetRequest{AppName: service.env.AppName()})
require.EqualError(t, err, "failed to reset: auth is unlocked")

_, err = service.AuthLock(ctx, &AuthLockRequest{})
require.NoError(t, err)

_, err = service.AuthReset(ctx, &AuthResetRequest{AppName: "InvalidAppName"})
require.EqualError(t, err, "failed to reset: invalid app name")

_, err = service.AuthReset(ctx, &AuthResetRequest{AppName: service.env.AppName()})
require.NoError(t, err)

_, err = service.AuthSetup(ctx, &AuthSetupRequest{Secret: "password12345", Type: PasswordAuth})
require.NoError(t, err)
_, err = service.AuthUnlock(ctx, &AuthUnlockRequest{Secret: "password12345", Type: PasswordAuth})
require.NoError(t, err)

_, err = service.KeyGenerate(ctx, &KeyGenerateRequest{Type: EdX25519})
require.NoError(t, err)

keysResp, err = service.Keys(ctx, &KeysRequest{})
require.NoError(t, err)
require.Equal(t, 1, len(keysResp.Keys))
}

func TestAuthSetupLocked(t *testing.T) {
var err error
env := newTestEnv(t)
service, closeFn := newTestService(t, env)
defer closeFn()
ctx := context.TODO()

_, err = service.AuthSetup(ctx, &AuthSetupRequest{Secret: "password123", Type: PasswordAuth})
require.NoError(t, err)

_, err = service.KeyGenerate(ctx, &KeyGenerateRequest{Type: EdX25519})
require.EqualError(t, err, "vault is locked")
}
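Review bot: TestAuthReset proves the reset only indirectly, through the second AuthSetup call succeeding; nothing observes the post-reset state directly, and the `os.RemoveAll` branch of AuthReset is never checked. Right after the successful reset, an explicit `status, err := service.vault.Status()` / `require.NoError(t, err)` / `require.Equal(t, vault.SetupNeeded, status)` would pin the vault state (assuming service.vault exposes Status() like the vault used in TestAuthWithPassword), and asserting that the kdb path no longer exists, or that `service.Keys` reports zero keys before the second KeyGenerate, would cover the removal. The "failed to reset: auth is unlocked" and "invalid app name" cases are covered well.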
2 changes: 1 addition & 1 deletion service/cert_test.go
Expand Up @@ -8,7 +8,7 @@ import (
)

func TestCertificate(t *testing.T) {
env, closeFn := newEnv(t, "KeysTest", "")
env, closeFn := newEnv(t, "", "")
defer closeFn()

cert, err := loadCertificate(env)
3 changes: 3 additions & 0 deletions service/client_test.go
Expand Up @@ -21,6 +21,9 @@ func (l listener) dial(context.Context, string) (net.Conn, error) {
}

func newTestRPCClient(t *testing.T, srvc *service, tenv *testEnv, appName string, out io.Writer) (*Client, func()) {
if appName == "" {
appName = "KeysTest-" + randName()
}
listener := listener{lis: bufconn.Listen(1024 * 1024)}

connect := func(env *Env, authToken string) (*grpc.ClientConn, error) {