Merge pull request #53 from Nelwhix/#51-handle-password-expiry

V5 Password Expiry

Author: speatzle

api/auth.go

@@ -102,12 +102,22 @@ func (c *Client) Login(ctx context.Context) error {
 
 	c.userID = user.ID
 
+	settings, err := c.GetServerSettings(ctx)
+	if err != nil {
+		return fmt.Errorf("Getting Server Settings: %w", err)
+	}
+
 	// after Login, fetch MetadataTypeSettings to finish the Client Setup
-	c.setMetadataTypeSettings(ctx)
+	err = c.setMetadataTypeSettings(ctx, settings)
 	if err != nil {
 		return fmt.Errorf("Setup Metadata Type Settings: %w", err)
 	}
 
+	err = c.setPasswordExpirySettings(ctx, settings)
+	if err != nil {
+		return fmt.Errorf("Setup Password Expiry Settings: %w", err)
+	}
+
 	return nil
 }
 

api/client.go

@@ -36,6 +36,9 @@ type Client struct {
 	// Server Settings Determining which Metadata Keys to use
 	metadataKeySettings MetadataKeySettings
 
+	// Server Settings for password expiry
+	passwordExpirySettings PasswordExpirySettings
+
 	// used for solving MFA challenges. You can block this to for example wait for user input.
 	// You shouden't run any unrelated API Calls while you are in this callback.
 	// You need to Return the Cookie that Passbolt expects to verify you MFA, usually it is called passbolt_mfa
@@ -207,12 +210,7 @@ func (c *Client) GetPublicKey(ctx context.Context) (string, string, error) {
 }
 
 // setMetadataTypeSettings Gets and configures the Client to use the Types the Server wants us to use
-func (c *Client) setMetadataTypeSettings(ctx context.Context) error {
-	settings, err := c.GetServerSettings(ctx)
-	if err != nil {
-		return fmt.Errorf("Getting Server Settings: %w", err)
-	}
-
+func (c *Client) setMetadataTypeSettings(ctx context.Context, settings *ServerSettingsResponse) error {
 	if settings.Passbolt.IsPluginEnabled("metadata") {
 		c.log("Server has metadata plugin enabled, is v5 or Higher")
 		metadataTypeSettings, err := c.GetServerMetadataTypeSettings(ctx)
@@ -241,7 +239,31 @@ func (c *Client) setMetadataTypeSettings(ctx context.Context) error {
 	return nil
 }
 
+// setPasswordExpirySettings fetches and configures the Client to use the password expiry plugin
+func (c *Client) setPasswordExpirySettings(ctx context.Context, settings *ServerSettingsResponse) error {
+	if settings.Passbolt.IsPluginEnabled("passwordExpiry") && settings.Passbolt.IsPluginEnabled("passwordExpiryPolicies") {
+		c.log("Server has password expiry plugin enabled.")
+		passwordExpirySettings, err := c.getServerPasswordExpirySettings(ctx)
+		if err != nil {
+			return fmt.Errorf("Getting Password Expiry Settings: %w", err)
+		}
+
+		c.log("passwordExpirySettings: %+v", passwordExpirySettings)
+		c.passwordExpirySettings = *passwordExpirySettings
+	} else {
+		c.log("Server has password expiry plugin disabled or not installed.")
+		c.passwordExpirySettings = getDefaultPasswordExpirySettings()
+	}
+
+	return nil
+}
+
 // GetPGPHandle Gets the Gopgenpgp Handler
 func (c *Client) GetPGPHandle() *crypto.PGPHandle {
 	return c.pgp
 }
+
+// GetPasswordExpirySettings returns the password expiry settings for the client
+func (c *Client) GetPasswordExpirySettings() PasswordExpirySettings {
+	return c.passwordExpirySettings
+}

api/password_expiry.go

@@ -0,0 +1,50 @@
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+)
+
+// PasswordExpirySettings contains the Password expiry settings
+type PasswordExpirySettings struct {
+	ID                       string    `json:"id"`
+	DefaultExpiryPeriod      int       `json:"default_expiry_period,omitempty"`
+	PolicyOverride           bool      `json:"policy_override"`
+	AutomaticExpiry          bool      `json:"automatic_expiry"`
+	AutomaticUpdate          bool      `json:"automatic_update"`
+	ExpiryNotificationPeriod int       `json:"expiry_notification_period,omitempty"`
+	Created                  time.Time `json:"created"`
+	Modified                 time.Time `json:"modified"`
+	CreatedBy                string    `json:"created_by"`
+	ModifiedBy               string    `json:"modified_by"`
+}
+
+// getServerPasswordExpirySettings gets the servers password expiry settings
+func (c *Client) getServerPasswordExpirySettings(ctx context.Context) (*PasswordExpirySettings, error) {
+	msg, err := c.DoCustomRequestV5(ctx, "GET", "/password-expiry/settings.json", nil, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var passwordExpirySettings PasswordExpirySettings
+	err = json.Unmarshal(msg.Body, &passwordExpirySettings)
+	if err != nil {
+		return nil, err
+	}
+	return &passwordExpirySettings, nil
+}
+
+func getDefaultPasswordExpirySettings() PasswordExpirySettings {
+	return PasswordExpirySettings{
+		ID:                       "default",
+		DefaultExpiryPeriod:      0,
+		PolicyOverride:           false,
+		AutomaticExpiry:          false,
+		AutomaticUpdate:          false,
+		ExpiryNotificationPeriod: 0,
+		Created:                  time.Now(),
+		Modified:                 time.Now(),
+		CreatedBy:                "default",
+	}
+}

api/resources.go

@@ -35,6 +35,7 @@ type Resource struct {
 
 	Secrets []Secret `json:"secrets,omitempty"`
 	Tags    []Tag    `json:"tags,omitempty"`
+	Expired *Time    `json:"expired,omitempty"`
 }
 
 // Tag is a Passbolt Password Tag
@@ -122,6 +123,7 @@ func (c *Client) UpdateResource(ctx context.Context, resourceID string, resource
 	if err != nil {
 		return nil, fmt.Errorf("Checking ID format: %w", err)
 	}
+
 	msg, err := c.DoCustomRequest(ctx, "PUT", "/resources/"+resourceID+".json", "v2", resource, nil)
 	if err != nil {
 		return nil, err

helper/resource_create.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"time"
 
 	"github.com/passbolt/go-passbolt/api"
 )
@@ -99,6 +100,12 @@ func CreateResourceV5(ctx context.Context, c *api.Client, folderParentID, name,
 	}
 	resource.Secrets = []api.Secret{{Data: encSecretData}}
 
+	passwordExpirySettings := c.GetPasswordExpirySettings()
+	if passwordExpirySettings.DefaultExpiryPeriod != 0 {
+		expiry := time.Now().Add(time.Hour * 24 * time.Duration(passwordExpirySettings.DefaultExpiryPeriod))
+		resource.Expired = &api.Time{Time: expiry}
+	}
+
 	newresource, err := c.CreateResource(ctx, resource)
 	if err != nil {
 		return "", fmt.Errorf("Creating Resource: %w", err)
@@ -154,6 +161,12 @@ func CreateResourceV4(ctx context.Context, c *api.Client, folderParentID, name,
 	}
 	resource.Secrets = []api.Secret{{Data: encSecretData}}
 
+	passwordExpirySettings := c.GetPasswordExpirySettings()
+	if passwordExpirySettings.DefaultExpiryPeriod != 0 {
+		expiry := time.Now().Add(time.Hour * 24 * time.Duration(passwordExpirySettings.DefaultExpiryPeriod))
+		resource.Expired = &api.Time{Time: expiry}
+	}
+
 	newresource, err := c.CreateResource(ctx, resource)
 	if err != nil {
 		return "", fmt.Errorf("Creating Resource: %w", err)

helper/resource_update.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"time"
 
 	"github.com/ProtonMail/gopenpgp/v3/crypto"
 	"github.com/passbolt/go-passbolt/api"
@@ -376,6 +377,12 @@ func UpdateResource(ctx context.Context, c *api.Client, resourceID, name, userna
 		})
 	}
 
+	passwordExpirySettings := c.GetPasswordExpirySettings()
+	if resource.Expired != nil && passwordExpirySettings.AutomaticUpdate {
+		expiry := time.Now().Add(time.Hour * 24 * time.Duration(passwordExpirySettings.DefaultExpiryPeriod))
+		newResource.Expired = &api.Time{expiry}
+	}
+
 	_, err = c.UpdateResource(ctx, resourceID, newResource)
 	if err != nil {
 		return fmt.Errorf("Updating Resource: %w", err)