store sysclient password and received admin password encrypted by a s…

…ecret key

sysclient/admin.go

@@ -8,6 +8,8 @@ import (
 	"errors"
 	"fmt"
 	"os"
+
+	"github.com/ricoschulte/go-myapps/encryption"
 )
 
 // Sysclient message header
@@ -64,7 +66,7 @@ func (am *AdminMessage) AsBytes() []byte {
 receives the sysclient password and stores it.
 no answer is required
 */
-func (am *AdminMessage) HandleAdminReceiveSysclientPassword(fileSysclientpassword string) error {
+func (am *AdminMessage) HandleAdminReceiveSysclientPassword(secretKey []byte, fileSysclientpassword string) error {
 	password, err_from_json := NewPassword(am.Data)
 	if err_from_json != nil {
 		return fmt.Errorf("parsing password from JSON failed: %v", err_from_json)
@@ -73,14 +75,15 @@ func (am *AdminMessage) HandleAdminReceiveSysclientPassword(fileSysclientpasswor
 		return fmt.Errorf("the password parsed from JSON has a invalid length of: %v", len(password.Password))
 	}
 
-	err := os.WriteFile(fileSysclientpassword, []byte(password.Password), 0644)
+	//err := os.WriteFile(fileSysclientpassword, []byte(password.Password), 0644)
+	err := encryption.EncryptFileSha256AES256(secretKey, []byte(password.Password), fileSysclientpassword, 0644)
 	if err != nil {
 		return fmt.Errorf("error while writing adminpassword to file '%s': %v", fileSysclientpassword, err)
 	}
 	return nil
 }
 
-func (am *AdminMessage) HandleAdminReceiveChallenge(deviceInfo *Identity, fileSysclientpassword string) (*AdminMessage, error) {
+func (am *AdminMessage) HandleAdminReceiveChallenge(secretKey []byte, deviceInfo *Identity, fileSysclientpassword string) (*AdminMessage, error) {
 	challenge, err_from_json := NewChallenge(am.Data)
 	if err_from_json != nil {
 		return nil, fmt.Errorf("parsing challenge from json failed: %v", err_from_json)
@@ -97,7 +100,8 @@ func (am *AdminMessage) HandleAdminReceiveChallenge(deviceInfo *Identity, fileSy
 	if fileinfo.IsDir() {
 		return nil, fmt.Errorf("path is a directory: %s", fileinfo.Name())
 	}
-	password, err := os.ReadFile(fileSysclientpassword)
+	//password, err := os.ReadFile(fileSysclientpassword)
+	password, err := encryption.DecryptFileSha256AES256(secretKey, fileSysclientpassword)
 	if err != nil {
 		fmt.Printf("error while reading password file: %v\n", err)
 		return nil, err
@@ -146,7 +150,7 @@ func (am *AdminMessage) GetLoginDigest(id, product, version, challenge, password
 /*
 receives a admin password and stores it, no answer is required
 */
-func (am *AdminMessage) handleAdminReceiveNewAdministrativePassword(fileSysclientpassword string, fileAdministrativePassword string) error {
+func (am *AdminMessage) handleAdminReceiveNewAdministrativePassword(secretKey []byte, fileSysclientpassword string, fileAdministrativePassword string) error {
 	if fileSysclientpassword == "" {
 		return errors.New("fileSysclientpassword cant be empty")
 	}
@@ -156,7 +160,9 @@ func (am *AdminMessage) handleAdminReceiveNewAdministrativePassword(fileSysclien
 		return fmt.Errorf("couldn't parse AdministrativePassword Message: %v", err)
 	}
 
-	passwordBytes, err := os.ReadFile(fileSysclientpassword)
+	//passwordBytes, err := os.ReadFile(fileSysclientpassword)
+	passwordBytes, err := encryption.DecryptFileSha256AES256(secretKey, fileSysclientpassword)
+
 	if err != nil {
 		return err
 	}
@@ -165,9 +171,10 @@ func (am *AdminMessage) handleAdminReceiveNewAdministrativePassword(fileSysclien
 		return err_decrypt
 	}
 
-	err = os.WriteFile(fileAdministrativePassword, decryped_adminpassword, 0644)
-	if err != nil {
-		return err
+	//err = os.WriteFile(fileAdministrativePassword, decryped_adminpassword, 0644)
+	err_write_adminpassword := encryption.EncryptFileSha256AES256(secretKey, decryped_adminpassword, fileAdministrativePassword, 0644)
+	if err_write_adminpassword != nil {
+		return err_write_adminpassword
 	}
 	return nil //resp, nil
 }

sysclient/sysclient.go

@@ -14,7 +14,6 @@ import (
 	"github.com/ricoschulte/go-myapps/connection"
 )
 
-
 type Sysclient struct {
 	Identity           Identity
 	Url                string
@@ -27,9 +26,10 @@ type Sysclient struct {
 
 	FileSysclientPassword      string // filename to store
 	FileAdministrativePassword string // filename to store
+	SecretKey                  []byte // key to encrypt the local files as []bytes
 }
 
-func NewSysclient(identity Identity, url string, timeout time.Duration, insecureSkipVerify bool, mux *http.ServeMux, fileSysclientPassword string, fileAdministrativePassword string) (*Sysclient, error) {
+func NewSysclient(identity Identity, url string, timeout time.Duration, insecureSkipVerify bool, mux *http.ServeMux, fileSysclientPassword string, fileAdministrativePassword string, secretkey string) (*Sysclient, error) {
 	if fileSysclientPassword == "" {
 		return nil, errors.New("fileSysclientPassword cant be empty")
 	}
@@ -47,6 +47,7 @@ func NewSysclient(identity Identity, url string, timeout time.Duration, insecure
 
 		FileSysclientPassword:      fileSysclientPassword,
 		FileAdministrativePassword: fileAdministrativePassword,
+		SecretKey:                  []byte(secretkey),
 	}
 
 	return sysclient, nil
@@ -242,16 +243,16 @@ func (sc *Sysclient) HandleAdminMessage(messageIn *AdminMessage) (*AdminMessage,
 		return nil, fmt.Errorf("unknown Admin Message of Type %v", messageIn.Type)
 
 	case bytes.Equal(messageIn.Command, AdminReceiveSysclientPassword):
-		err := messageIn.HandleAdminReceiveSysclientPassword(sc.FileSysclientPassword)
+		err := messageIn.HandleAdminReceiveSysclientPassword(sc.SecretKey, sc.FileSysclientPassword)
 		if err != nil {
 			return nil, err
 		}
 		return nil, nil
 	case bytes.Equal(messageIn.Command, AdminReceiveChallenge):
-		return messageIn.HandleAdminReceiveChallenge(&sc.Identity, sc.FileSysclientPassword)
+		return messageIn.HandleAdminReceiveChallenge(sc.SecretKey, &sc.Identity, sc.FileSysclientPassword)
 
 	case bytes.Equal(messageIn.Command, AdminReceiveNewAdminPassword):
-		err := messageIn.handleAdminReceiveNewAdministrativePassword(sc.FileSysclientPassword, sc.FileAdministrativePassword)
+		err := messageIn.handleAdminReceiveNewAdministrativePassword(sc.SecretKey, sc.FileSysclientPassword, sc.FileAdministrativePassword)
 		if err != nil {
 			return nil, err
 		}

sysclient/sysclient_test.go

@@ -1,35 +1,35 @@
 package sysclient_test
 
 import (
-	"io/ioutil"
 	"net/http"
 	"os"
 	"testing"
 	"time"
 
+	"github.com/ricoschulte/go-myapps/encryption"
 	"github.com/ricoschulte/go-myapps/sysclient"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestResponseTypesToAdminMessages(t *testing.T) {
 	sysclientpassword := "2jjH!u3ucXscEzHq8X!l83BX3!U8TPwA"
-
+	secretkey := "to encrypt the local files"
 	// create a dummy password file
-	sysclientpassword_file, err := ioutil.TempFile("", "sysclientpassword*.txt")
+	sysclientpassword_file, err := os.CreateTemp("", "sysclientpassword*.txt")
 	if err != nil {
 		panic(err)
 	}
 	defer os.Remove(sysclientpassword_file.Name()) // remove the file after the test is done
 
 	// create a dummy admin password file
-	administrativepassword_file, err := ioutil.TempFile("", "sysclient_administrativepassword*.txt")
+	administrativepassword_file, err := os.CreateTemp("", "sysclient_administrativepassword*.txt")
 	if err != nil {
 		panic(err)
 	}
 	defer os.Remove(administrativepassword_file.Name()) // remove the file after the test is done
 
 	// reset the content after the test
-	_, err = sysclientpassword_file.Write([]byte(sysclientpassword))
+	err = encryption.EncryptFileSha256AES256([]byte(secretkey), []byte(sysclientpassword), sysclientpassword_file.Name(), 0644)
 	if err != nil {
 		panic(err)
 	}
@@ -135,6 +135,7 @@ func TestResponseTypesToAdminMessages(t *testing.T) {
 				http.NewServeMux(),
 				sysclientpassword_file.Name(),
 				administrativepassword_file.Name(),
+				secretkey,
 			)
 			if err_creating_client != nil {
 				t.Fatalf("Error creating client: %v", err_creating_client)