fix(GODT-2387): Ensure vault can be unlocked after factory reset

When performing a factory reset, we don't want to wipe all keychain entries. The only keychain entry should be the vault's passphrase, and we need this to be able to decrypt the vault at next startup (to avoid it being reported as corrupt).
2025-12-11 05:06:51 +00:00 · 2023-02-22 13:39:59 +01:00
parent 8534da98ea
commit e9f20aee7a
7 changed files with 68 additions and 50 deletions
--- a/internal/app/bridge.go
+++ b/internal/app/bridge.go
@ -41,8 +41,6 @@ import (
 	"github.com/urfave/cli/v2"
 )

-const vaultSecretName = "bridge-vault-key"
-
 // deleteOldGoIMAPFiles Set with `-ldflags -X app.deleteOldGoIMAPFiles=true` to enable cleanup of old imap cache data.
 var deleteOldGoIMAPFiles bool //nolint:gochecknoglobals

--- a/internal/app/vault.go
+++ b/internal/app/vault.go
@ -18,18 +18,15 @@
 package app

 import (
-	"encoding/base64"
 	"fmt"
 	"path"

-	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"github.com/ProtonMail/proton-bridge/v3/internal/certs"
 	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
 	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
 	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
 	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
 	"github.com/sirupsen/logrus"
-	"golang.org/x/exp/slices"
 )

 func WithVault(locations *locations.Locations, fn func(*vault.Vault, bool, bool) error) error {
@ -82,7 +79,7 @@ func newVault(locations *locations.Locations) (*vault.Vault, bool, bool, error)
 		insecure bool
 	)

-	if key, err := getVaultKey(vaultDir); err != nil {
+	if key, err := loadVaultKey(vaultDir); err != nil {
 		insecure = true

 		// We store the insecure vault in a separate directory
@ -104,42 +101,25 @@ func newVault(locations *locations.Locations) (*vault.Vault, bool, bool, error)
 	return vault, insecure, corrupt, nil
 }

-func getVaultKey(vaultDir string) ([]byte, error) {
+func loadVaultKey(vaultDir string) ([]byte, error) {
 	helper, err := vault.GetHelper(vaultDir)
 	if err != nil {
 		return nil, fmt.Errorf("could not get keychain helper: %w", err)
 	}

-	keychain, err := keychain.NewKeychain(helper, constants.KeyChainName)
+	kc, err := keychain.NewKeychain(helper, constants.KeyChainName)
 	if err != nil {
 		return nil, fmt.Errorf("could not create keychain: %w", err)
 	}

-	secrets, err := keychain.List()
+	has, err := vault.HasVaultKey(kc)
 	if err != nil {
-		return nil, fmt.Errorf("could not list keychain: %w", err)
+		return nil, fmt.Errorf("could not check for vault key: %w", err)
 	}

-	if !slices.Contains(secrets, vaultSecretName) {
-		tok, err := crypto.RandomToken(32)
-		if err != nil {
-			return nil, fmt.Errorf("could not generate random token: %w", err)
-		}
-
-		if err := keychain.Put(vaultSecretName, base64.StdEncoding.EncodeToString(tok)); err != nil {
-			return nil, fmt.Errorf("could not put keychain item: %w", err)
-		}
+	if has {
+		return vault.GetVaultKey(kc)
 	}

-	_, keyEnc, err := keychain.Get(vaultSecretName)
-	if err != nil {
-		return nil, fmt.Errorf("could not get keychain item: %w", err)
-	}
-
-	keyDec, err := base64.StdEncoding.DecodeString(keyEnc)
-	if err != nil {
-		return nil, fmt.Errorf("could not decode keychain item: %w", err)
-	}
-
-	return keyDec, nil
+	return vault.NewVaultKey(kc)
 }