We build too many walls and not enough bridges

pkg/keychain/keychain.go

@@ -0,0 +1,131 @@
+// Copyright (c) 2020 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+// Package keychain implements a native secure password store for each platform.
+package keychain
+
+import (
+	"errors"
+	"strings"
+	"sync"
+
+	"github.com/ProtonMail/proton-bridge/pkg/config"
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+const (
+	KeychainVersion = "k11" //nolint[golint]
+)
+
+var (
+	log = config.GetLogEntry("bridgeUtils/keychain") //nolint[gochecknoglobals]
+
+	ErrWrongKeychainURL    = errors.New("wrong keychain base URL")
+	ErrMacKeychainRebuild  = errors.New("keychain error -25293")
+	ErrMacKeychainList     = errors.New("function `osxkeychain.List()` is not valid function for mac keychain. Use `Access.ListKeychain()` instead")
+	ErrNoKeychainInstalled = errors.New("no keychain management installed on this system")
+	accessLocker           = &sync.Mutex{} //nolint[gochecknoglobals]
+)
+
+// NewAccess creates a new native keychain.
+func NewAccess(appName string) (*Access, error) {
+	newHelper, err := newKeychain()
+	if err != nil {
+		return nil, err
+	}
+	return &Access{
+		helper:            newHelper,
+		KeychainURL:       "protonmail/" + appName + "/users",
+		KeychainOldURL:    "protonmail/users",
+		KeychainMacURL:    "ProtonMail" + strings.Title(appName) + "Service",
+		KeychainOldMacURL: "ProtonMailService",
+	}, nil
+}
+
+type Access struct {
+	helper credentials.Helper
+	KeychainURL,
+	KeychainOldURL,
+	KeychainMacURL,
+	KeychainOldMacURL string
+}
+
+func (s *Access) List() (userIDs []string, err error) {
+	accessLocker.Lock()
+	defer accessLocker.Unlock()
+
+	var userIDByURL map[string]string
+	userIDByURL, err = s.ListKeychain()
+
+	if err != nil {
+		return
+	}
+
+	for itemURL, userID := range userIDByURL {
+		if itemURL == s.KeychainName(userID) {
+			userIDs = append(userIDs, userID)
+		}
+
+		// Clean up old keychain name.
+		if itemURL == s.KeychainOldName(userID) {
+			_ = s.helper.Delete(s.KeychainOldName(userID))
+		}
+	}
+
+	return
+}
+
+func (s *Access) Delete(userID string) (err error) {
+	accessLocker.Lock()
+	defer accessLocker.Unlock()
+	return s.helper.Delete(s.KeychainName(userID))
+}
+
+func (s *Access) Get(userID string) (secret string, err error) {
+	accessLocker.Lock()
+	defer accessLocker.Unlock()
+	_, secret, err = s.helper.Get(s.KeychainName(userID))
+	return
+}
+
+func (s *Access) Put(userID, secret string) error {
+	accessLocker.Lock()
+	defer accessLocker.Unlock()
+
+	// On macOS, adding a credential that already exists does not update it and returns an error.
+	// So let's remove it first.
+	_ = s.helper.Delete(s.KeychainName(userID))
+
+	cred := &credentials.Credentials{
+		ServerURL: s.KeychainName(userID),
+		Username:  userID,
+		Secret:    secret,
+	}
+
+	return s.helper.Add(cred)
+}
+
+func splitServiceAndID(keychainName string) (serviceName string, userID string, err error) { //nolint[unused]
+	splitted := strings.FieldsFunc(keychainName, func(c rune) bool { return c == '/' })
+	n := len(splitted)
+	if n <= 1 {
+		return "", "", ErrWrongKeychainURL
+	}
+	userID = splitted[len(splitted)-1]
+	serviceName = strings.Join(splitted[:len(splitted)-1], "/")
+	return
+}

pkg/keychain/keychain_darwin.go

@@ -0,0 +1,140 @@
+// Copyright (c) 2020 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package keychain
+
+import (
+	"strings"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+	mackeychain "github.com/keybase/go-keychain"
+)
+
+func (s *Access) KeychainName(userID string) string {
+	return s.KeychainMacURL + "/" + userID
+}
+
+func (s *Access) KeychainOldName(userID string) string {
+	return s.KeychainOldMacURL + "/" + userID
+}
+
+type osxkeychain struct {
+}
+
+func newKeychain() (credentials.Helper, error) {
+	log.Debug("creating osckeychain")
+	return &osxkeychain{}, nil
+}
+
+func newQuery(serviceName, username string) mackeychain.Item {
+	query := mackeychain.NewItem()
+	query.SetSecClass(mackeychain.SecClassGenericPassword)
+	query.SetService(serviceName)
+	query.SetAccount(username)
+	return query
+}
+
+func parseError(original error) error {
+	if original != nil && strings.Contains(original.Error(), "25293") {
+		return ErrMacKeychainRebuild
+	}
+	return original
+}
+
+// Add appends credentials to the store (assuming old record with same ID is already deleted).
+func (s *osxkeychain) Add(cred *credentials.Credentials) error {
+	serviceName, userID, err := splitServiceAndID(cred.ServerURL)
+	if err != nil {
+		return err
+	}
+
+	query := newQuery(serviceName, userID)
+	query.SetData([]byte(cred.Secret))
+	err = mackeychain.AddItem(query)
+	return parseError(err)
+}
+
+// Delete removes credentials from the store.
+func (s *osxkeychain) Delete(serverURL string) error {
+	serviceName, userID, err := splitServiceAndID(serverURL)
+	if err != nil {
+		return err
+	}
+
+	query := newQuery(serviceName, userID)
+	err = mackeychain.DeleteItem(query)
+	if err != nil && !strings.Contains(err.Error(), "25300") { // Missing item is not error.
+		return err
+	}
+	return nil
+}
+
+// Get retrieves credentials from the store.
+// It returns username and secret as strings.
+func (s *osxkeychain) Get(serverURL string) (userID string, secret string, err error) {
+	serviceName, userID, err := splitServiceAndID(serverURL)
+	if err != nil {
+		return
+	}
+
+	query := newQuery(serviceName, userID)
+	query.SetMatchLimit(mackeychain.MatchLimitOne)
+	query.SetReturnData(true)
+	results, err := mackeychain.QueryItem(query)
+	if err != nil {
+		return "", "", parseError(err)
+	}
+
+	if len(results) == 1 {
+		secret = string(results[0].Data)
+	}
+
+	return
+}
+
+// ListKeychain lists items in our services.
+func (s *Access) ListKeychain() (userIDByURL map[string]string, err error) {
+	// Pick up correct service name and trim '/'.
+	serviceName, _, err := splitServiceAndID(s.KeychainOldName("not-id"))
+	if err != nil {
+		return
+	}
+
+	userIDByURL = make(map[string]string)
+
+	if oldIDs, err := mackeychain.GetGenericPasswordAccounts(serviceName); err == nil {
+		for _, userIDold := range oldIDs {
+			userIDByURL[s.KeychainOldName(userIDold)] = userIDold
+		}
+	}
+
+	serviceName, _, _ = splitServiceAndID(s.KeychainName("not-id"))
+	if userIDs, err := mackeychain.GetGenericPasswordAccounts(serviceName); err == nil {
+		for _, userID := range userIDs {
+			userIDByURL[s.KeychainName(userID)] = userID
+		}
+	}
+
+	return
+}
+
+// List returns the stored serverURLs and their associated usernames.
+// NOTE: This is not valid for go-keychain. Use ListKeychain instead.
+func (s *osxkeychain) List() (userIDByURL map[string]string, err error) {
+	err = ErrMacKeychainList
+	return
+}

pkg/keychain/keychain_linux.go

@@ -0,0 +1,73 @@
+// Copyright (c) 2020 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package keychain
+
+import (
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker-credential-helpers/pass"
+	"github.com/docker/docker-credential-helpers/secretservice"
+)
+
+func newKeychain() (credentials.Helper, error) {
+	log.Debug("creating pass")
+	passHelper := &pass.Pass{}
+	passErr := checkPassIsUsable(passHelper)
+	if passErr == nil {
+		return passHelper, nil
+	}
+
+	log.Debug("creating secretservice")
+	sserviceHelper := &secretservice.Secretservice{}
+	_, sserviceErr := sserviceHelper.List()
+	if sserviceErr == nil {
+		return sserviceHelper, nil
+	}
+
+	log.Error("No keychain! Pass: ", passErr, ", secretService: ", sserviceErr)
+	return nil, ErrNoKeychainInstalled
+}
+
+func checkPassIsUsable(passHelper *pass.Pass) (err error) {
+	creds := &credentials.Credentials{
+		ServerURL: "initCheck/pass",
+		Username:  "pass",
+		Secret:    "pass",
+	}
+
+	if err = passHelper.Add(creds); err != nil {
+		return
+	}
+	// Pass is not asked about unlock until you try to decrypt.
+	if _, _, err = passHelper.Get(creds.ServerURL); err != nil {
+		return
+	}
+	_ = passHelper.Delete(creds.ServerURL) // Doesn't matter if you are able to clear.
+	return
+}
+
+func (s *Access) KeychainName(userID string) string {
+	return s.KeychainURL + "/" + userID
+}
+
+func (s *Access) KeychainOldName(userID string) string {
+	return s.KeychainOldURL + "/" + userID
+}
+
+func (s *Access) ListKeychain() (map[string]string, error) {
+	return s.helper.List()
+}

pkg/keychain/keychain_test.go

@@ -0,0 +1,152 @@
+// Copyright (c) 2020 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package keychain
+
+import (
+	"encoding/base64"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+var suffix = []byte("\x00avoidFix\x00\x00\x00\x00\x00\x00\x00") //nolint[gochecknoglobals]
+
+var testData = map[string]string{ //nolint[gochecknoglobals]
+	"user1": base64.StdEncoding.EncodeToString(append([]byte("data1"), suffix...)),
+	"user2": base64.StdEncoding.EncodeToString(append([]byte("data2"), suffix...)),
+}
+
+func TestSplitServiceAndID(t *testing.T) {
+	acc, err := NewAccess("bridge")
+	require.NoError(t, err)
+	expectedUserID := "user"
+
+	acc.KeychainURL = "Something/With/Several/Slashes/"
+	acc.KeychainMacURL = acc.KeychainURL
+	expectedServiceName := acc.KeychainURL
+	serviceName, userID, err := splitServiceAndID(acc.KeychainName(expectedUserID))
+	require.NoError(t, err)
+	require.Equal(t, expectedUserID, userID)
+	require.Equal(t, expectedServiceName, serviceName+"/")
+
+	acc.KeychainURL = "SomethingWithoutSlash"
+	acc.KeychainMacURL = acc.KeychainURL
+	expectedServiceName = acc.KeychainURL
+	serviceName, userID, err = splitServiceAndID(acc.KeychainName(expectedUserID))
+	require.NoError(t, err)
+	require.Equal(t, expectedUserID, userID)
+	require.Equal(t, expectedServiceName, serviceName)
+}
+
+func TestInsertReadRemove(t *testing.T) { // nolint[funlen]
+	if testing.Short() {
+		t.Skip("skipping test in short mode.")
+	}
+
+	access, err := NewAccess("bridge")
+	require.NoError(t, err)
+	access.KeychainURL = "protonmail/testchain/users"
+	access.KeychainMacURL = "ProtonMailTestChainService"
+
+	// Clear before test.
+	for id := range testData {
+		// Keychain can be empty.
+		_ = access.Delete(id)
+	}
+
+	for id, secret := range testData {
+		expectedList, _ := access.List()
+		// Add expected secrets.
+		expectedSecret := secret
+		require.NoError(t, access.Put(id, expectedSecret))
+
+		// Check list.
+		actualList, err := access.List()
+		require.NoError(t, err)
+		expectedList = append(expectedList, id)
+		require.ElementsMatch(t, expectedList, actualList)
+
+		// Get and check what was inserted.
+		actualSecret, err := access.Get(id)
+		require.NoError(t, err)
+		require.Equal(t, expectedSecret, actualSecret)
+
+		// Put what changed.
+
+		expectedSecret = "edited_" + id
+		expectedSecret = base64.StdEncoding.EncodeToString(append([]byte(expectedSecret), suffix...))
+
+		nJobs := 100
+		nWorkers := 3
+		jobs := make(chan interface{}, nJobs)
+		done := make(chan interface{})
+		for i := 0; i < nWorkers; i++ {
+			go func() {
+				for {
+					_, more := <-jobs
+					if more {
+						require.NoError(t, access.Put(id, expectedSecret))
+					} else {
+						done <- nil
+						return
+					}
+				}
+			}()
+		}
+
+		for i := 0; i < nJobs; i++ {
+			jobs <- nil
+		}
+		close(jobs)
+		for i := 0; i < nWorkers; i++ {
+			<-done
+		}
+
+		// Check list.
+		actualList, err = access.List()
+		require.NoError(t, err)
+		require.ElementsMatch(t, expectedList, actualList)
+
+		// Get and check what changed.
+		actualSecret, err = access.Get(id)
+		require.NoError(t, err)
+		require.Equal(t, expectedSecret, actualSecret)
+
+		if id != "user1" {
+			// Remove.
+			err = access.Delete(id)
+			require.NoError(t, err)
+
+			// Check removed.
+			actualList, err = access.List()
+			require.NoError(t, err)
+			expectedList = expectedList[:len(expectedList)-1]
+			require.ElementsMatch(t, expectedList, actualList)
+		}
+	}
+
+	// Clear first.
+	err = access.Delete("user1")
+	require.NoError(t, err)
+
+	actualList, err := access.List()
+	require.NoError(t, err)
+	for id := range testData {
+		require.NotContains(t, actualList, id)
+	}
+}

pkg/keychain/keychain_windows.go

@@ -0,0 +1,40 @@
+// Copyright (c) 2020 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package keychain
+
+import (
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker-credential-helpers/wincred"
+)
+
+func newKeychain() (credentials.Helper, error) {
+	log.Debug("creating wincred")
+	return &wincred.Wincred{}, nil
+}
+
+func (s *Access) KeychainName(userID string) string {
+	return s.KeychainURL + "/" + userID
+}
+
+func (s *Access) KeychainOldName(userID string) string {
+	return s.KeychainOldURL + "/" + userID
+}
+
+func (s *Access) ListKeychain() (map[string]string, error) {
+	return s.helper.List()
+}