
180 lines
3.6 KiB
Raw Permalink Normal View History

2020-12-10 16:42:50 +00:00
package main
import (
2021-01-19 05:00:56 +00:00
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
2020-12-10 16:42:50 +00:00
aw ""
var (
wf *aw.Workflow
oath *ykoath.OATH
keychainAccount = "yubico-auth-creds"
2021-01-19 05:00:56 +00:00
errIncorrectPassword = errors.New("incorrect password")
2020-12-10 16:42:50 +00:00
func init() {
wf = aw.New()
func main() {
func promptPassword() (string, error) {
out, err := util.Run("./password-prompt.js")
if err != nil {
2021-01-19 05:00:56 +00:00
return "", fmt.Errorf("error reading password from prompt: %w", err)
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
2020-12-10 16:42:50 +00:00
out = bytes.TrimRight(out, "\n")
2021-01-19 05:00:56 +00:00
2020-12-10 16:42:50 +00:00
return string(out), nil
func setPassword(s *ykoath.Select) error {
passphrase, err := promptPassword()
if err != nil {
2021-01-19 05:00:56 +00:00
return fmt.Errorf("failed reading passphrase: %w", err)
err = validatePassphrase(s, passphrase)
if err != nil {
return fmt.Errorf("failed validating passphrase: %w", err)
err = wf.Keychain.Set(keychainAccount, passphrase)
if err != nil {
return fmt.Errorf("failed storing passphrase in keychain: %w", err)
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
return nil
func sendResult(result string, args ...string) error {
results := aw.NewArgVars()
results.Var("result", result)
return results.Send()
func validatePassphrase(s *ykoath.Select, passphrase string) error {
2020-12-10 16:42:50 +00:00
key := s.DeriveKey(passphrase)
2021-01-19 05:00:56 +00:00
// verify password is correct with a validate call
ok, err := oath.Validate(s, key)
2020-12-10 16:42:50 +00:00
if err != nil {
2021-01-19 05:00:56 +00:00
return fmt.Errorf("error in validate: %w", err)
if !ok {
return errIncorrectPassword
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
2020-12-10 16:42:50 +00:00
return nil
func run() {
2021-01-19 05:00:56 +00:00
runScript := flag.Bool("run-script", false, "change output to script output")
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
if *runScript {
2020-12-10 16:42:50 +00:00
var err error
2021-01-19 05:00:56 +00:00
2020-12-10 16:42:50 +00:00
oath, err = ykoath.New()
if err != nil {
2021-01-19 05:00:56 +00:00
wf.FatalError(fmt.Errorf("failed to iniatialize new oath: %w", err))
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
2020-12-10 16:42:50 +00:00
defer oath.Close()
oath.Debug = slog.Debug
// Select oath to begin
s, err := oath.Select()
if err != nil {
2021-01-19 05:00:56 +00:00
wf.FatalError(fmt.Errorf("failed to select oath: %w", err))
2020-12-10 16:42:50 +00:00
// Check to see if we are trying to set a password
if flag.Arg(0) == "set-password" {
err = setPassword(s)
if err != nil {
2021-01-19 05:00:56 +00:00
wf.FatalError(fmt.Errorf("failed to set password: %w", err))
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
if err = sendResult("success"); err != nil {
wf.FatalError(fmt.Errorf("failed to send password set result: %w", err))
2020-12-10 16:42:50 +00:00
// If required, authenticate with password from keychain
if s.Challenge != nil {
2021-01-19 05:00:56 +00:00
passphrase, err := wf.Keychain.Get(keychainAccount)
2020-12-10 16:42:50 +00:00
if err != nil {
slog.Error("no key found in keychain but password is required")
wf.NewWarningItem("No password set", "↵ to set password").
Var("action", "set-password").
2021-01-19 05:00:56 +00:00
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
err = validatePassphrase(s, passphrase)
if err != nil {
wf.FatalError(fmt.Errorf("passphrase failed: %w", err))
2020-12-10 16:42:50 +00:00
if flag.Arg(0) == "list" {
// List names only
names, err := oath.List()
2021-01-19 05:00:56 +00:00
if err != nil {
wf.FatalError(fmt.Errorf("failed to list names: %w", err))
2020-12-10 16:42:50 +00:00
for _, name := range names {
2021-01-19 05:00:56 +00:00
Subtitle("Copy to clipboard").
2020-12-10 16:42:50 +00:00
} else {
2021-01-19 05:00:56 +00:00
name := flag.Arg(0)
code, err := oath.CalculateOne(name)
2020-12-10 16:42:50 +00:00
if err != nil {
2021-01-19 05:00:56 +00:00
// TODO: Check for error "requires-auth" and notify touch
wf.FatalError(fmt.Errorf("failed to generate code: %w", err))
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
if err = sendResult("success", code); err != nil {
wf.FatalError(fmt.Errorf("failed to send code: %w", err))
2020-12-10 16:42:50 +00:00
2021-01-19 05:00:56 +00:00
if !*runScript {
2020-12-10 16:42:50 +00:00