lockbox

password manager

commit ffe84c86bb3944bc65d2548ca0cfc7a24ebad9f9
parent e74e91126622bfc62c5f3c74772af51419c1fd58
Author: Sean Enck <sean@ttypty.com>
Date:   Wed, 26 Jul 2023 21:52:14 -0400

fully support keyfile only mode

Diffstat:
Minternal/backend/core.go | 9+++++++--
Minternal/inputs/vars.go | 5++---
Mtests/run.sh | 3+++
3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/internal/backend/core.go b/internal/backend/core.go
@@ -60,11 +60,16 @@ func splitComponents(path string) ([]string, string, error) {
 }
 
 func getCredentials(key, keyFile string) (*gokeepasslib.DBCredentials, error) {
- if len(keyFile) > 0 {
+ hasKey := len(key) > 0
+ hasKeyFile := len(keyFile) > 0
+ if !hasKey && !hasKeyFile {
+ return nil, errors.New("key and/or keyfile must be set")
+ }
+ if hasKeyFile {
 if !platform.PathExists(keyFile) {
 return nil, errors.New("no keyfile found on disk")
 }
- if len(key) == 0 {
+ if !hasKey {
 return gokeepasslib.NewKeyCredentials(keyFile)
 }
 return gokeepasslib.NewPasswordAndKeyCredentials(key, keyFile)
diff --git a/internal/inputs/vars.go b/internal/inputs/vars.go
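Review bot: In keyfile-only mode the keyfile becomes the sole secret protecting the database, yet the `hasKeyFile` branch of getCredentials (internal/backend/core.go) only verifies that the path exists via `platform.PathExists`. Consider also rejecting, or at least warning about, a keyfile that is not a regular file or is readable by group or others before it is passed to `gokeepasslib.NewKeyCredentials`. The function also has no doc comment; something like `// getCredentials builds password, keyfile, or password+keyfile credentials; at least one of key/keyFile must be non-empty.` would record the contract the new guard enforces. The function body continues past the end of this hunk, so the password-only path is not visible here.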
@@ -72,7 +72,7 @@ var (
 EnvJSONDataOutput = EnvironmentString{environmentBase: environmentBase{key: prefixKey + "JSON_DATA_OUTPUT", desc: fmt.Sprintf("changes what the data field in JSON outputs will contain\nuse '%s' with CAUTION", JSONDataOutputRaw)}, canDefault: true, defaultValue: string(JSONDataOutputHash), allowed: []string{string(JSONDataOutputRaw), string(JSONDataOutputHash), string(JSONDataOutputBlank)}}
 // EnvFormatTOTP supports formatting the TOTP tokens for generation of tokens
 EnvFormatTOTP = EnvironmentFormatter{environmentBase: environmentBase{key: EnvTOTPToken.key + "_FORMAT", desc: "override the otpauth url used to store totp tokens. It must have ONE format\nstring ('%s') to insert the totp base code"}, fxn: formatterTOTP, allowed: "otpauth//url/%s/args..."}
- envKeyMode = EnvironmentString{environmentBase: environmentBase{key: prefixKey + "KEYMODE", requirement: "must be set to a valid mode", desc: "how to retrieve the database store password"}, allowed: []string{commandKeyMode, plainKeyMode}, canDefault: true, defaultValue: commandKeyMode}
+ envKeyMode = EnvironmentString{environmentBase: environmentBase{key: prefixKey + "KEYMODE", requirement: "must be set to a valid mode when using a key", desc: "how to retrieve the database store password"}, allowed: []string{commandKeyMode, plainKeyMode}, canDefault: true, defaultValue: commandKeyMode}
 envKey = EnvironmentString{environmentBase: environmentBase{requirement: requiredKeyOrKeyFile, key: prefixKey + "KEY", desc: fmt.Sprintf("the database key ('%s' mode) or command to run ('%s' mode)\nto retrieve the database password", plainKeyMode, commandKeyMode)}, allowed: []string{commandArgsExample, "password"}, canDefault: false}
 )
 
@@ -112,13 +112,12 @@ func GetReKey(args []string) ([]string, error) {
 
 // GetKey will get the encryption key setup for lb
 func GetKey() ([]byte, error) {
- useKeyMode := envKeyMode.Get()
 useKey := envKey.Get()
 if useKey == "" {
 return nil, nil
 }
 var data []byte
- switch useKeyMode {
+ switch envKeyMode.Get() {
 case commandKeyMode:
 parts, err := shlex(useKey)
 if err != nil {
diff --git a/tests/run.sh b/tests/run.sh
@@ -90,6 +90,9 @@ _invalid() {
 local keyfile
 if [ -n "$LOCKBOX_KEYFILE" ]; then
 export LOCKBOX_KEYFILE=""
+ if [ -z "$LOCKBOX_KEY" ]; then
+ export LOCKBOX_KEY="garbage"
+ fi
 else
 keyfile="$DATA/invalid.key"
 echo "invalid" > "$keyfile"
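Review bot: The doc comment on GetKey (internal/inputs/vars.go) no longer describes its contract, because the `return nil, nil` for an unset key is now the normal result in keyfile-only mode rather than an edge case. Update it to something like `// GetKey returns the configured database key, or (nil, nil) when no key is set (keyfile-only mode).` so callers know that an empty key with a nil error is expected and must be paired with a keyfile. Moving `envKeyMode.Get()` into the `switch` also means the key mode is no longer read when no key is set, which appears intentional given the reworded requirement string. The function body continues past the end of the hunk.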
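Review bot: Nothing in this hunk of tests/run.sh exercises the new `key and/or keyfile must be set` error path; the added branch in `_invalid` sets `LOCKBOX_KEY="garbage"`, which tests a wrong credential rather than both values being empty. If the rest of the script does not already cover it, add a case that clears both `LOCKBOX_KEY` and `LOCKBOX_KEYFILE` and asserts that message, since that guard is presumably what prevents an open attempt with empty credentials. `_invalid` begins and ends outside the hunk, so the existing coverage cannot be confirmed from here.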