MatrixAI · CMCDragonkai · Feb 3, 2023 · Feb 3, 2023 · Feb 3, 2023 · Feb 3, 2023
diff --git a/src/PolykeyAgent.ts b/src/PolykeyAgent.ts
@@ -394,6 +394,9 @@ class PolykeyAgent {
           logger: logger.getChild(SessionManager.name),
           fresh,
         }));
+      // If a recovery code is provided then we reset any sessions in case the
+      //  password changed.
+      if (keyRingConfig.recoveryCode != null) await sessionManager.resetKey();
       grpcServerClient =
         grpcServerClient ??
         new GRPCServer({

diff --git a/src/bin/agent/CommandStart.ts b/src/bin/agent/CommandStart.ts
@@ -10,6 +10,7 @@ import type { PolykeyWorkerManagerInterface } from '../../workers/types';
 import path from 'path';
 import childProcess from 'child_process';
 import process from 'process';
+import * as keysErrors from '../../keys/errors';
 import CommandPolykey from '../CommandPolykey';
 import * as binUtils from '../utils';
 import * as binOptions from '../utils/options';
@@ -218,11 +219,18 @@ class CommandStart extends CommandPolykey {
           await workerManager?.destroy();
           await pkAgent?.stop();
         });
-        pkAgent = await PolykeyAgent.createPolykeyAgent({
-          fs: this.fs,
-          logger: this.logger.getChild(PolykeyAgent.name),
-          ...agentConfig,
-        });
+        try {
+          pkAgent = await PolykeyAgent.createPolykeyAgent({
+            fs: this.fs,
+            logger: this.logger.getChild(PolykeyAgent.name),
+            ...agentConfig,
+          });
+        } catch (e) {
+          if (e instanceof keysErrors.ErrorKeyPairParse) {
+            throw new binErrors.ErrorCLIPasswordWrong();
+          }
+          throw e;
+        }
         if (options.workers !== 0) {
           workerManager = await workersUtils.createWorkerManager({
             cores: options.workers,

diff --git a/src/bin/errors.ts b/src/bin/errors.ts
@@ -31,6 +31,11 @@ class ErrorCLIClientOptions<T> extends ErrorCLI<T> {
   exitCode = sysexits.USAGE;
 }
 
+class ErrorCLIPasswordWrong<T> extends ErrorCLI<T> {
+  static description = 'Wrong password, please try again';
+  exitCode = sysexits.USAGE;
+}
+
 class ErrorCLIPasswordMissing<T> extends ErrorCLI<T> {
   static description =
     'Password is necessary, provide it via --password-file, PK_PASSWORD or when prompted';
@@ -90,6 +95,7 @@ export {
   ErrorCLI,
   ErrorCLINodePath,
   ErrorCLIClientOptions,
+  ErrorCLIPasswordWrong,
   ErrorCLIPasswordMissing,
   ErrorCLIPasswordFileRead,
   ErrorCLIRecoveryCodeFileRead,

diff --git a/src/bin/identities/CommandAuthenticate.ts b/src/bin/identities/CommandAuthenticate.ts
@@ -16,15 +16,10 @@ class CommandAuthenticate extends CommandPolykey {
       'Name of the digital identity provider',
       parsers.parseProviderId,
     );
-    this.argument(
-      '<identityId>',
-      'Digital identity to authenticate',
-      parsers.parseIdentityId,
-    );
     this.addOption(binOptions.nodeId);
     this.addOption(binOptions.clientHost);
     this.addOption(binOptions.clientPort);
-    this.action(async (providerId, identityId, options) => {
+    this.action(async (providerId, options) => {
       const { default: PolykeyClient } = await import('../../PolykeyClient');
       const identitiesPB = await import(
         '../../proto/js/polykey/v1/identities/identities_pb'
@@ -59,7 +54,6 @@ class CommandAuthenticate extends CommandPolykey {
         });
         const providerMessage = new identitiesPB.Provider();
         providerMessage.setProviderId(providerId);
-        providerMessage.setIdentityId(identityId);
         await binUtils.retryAuthentication(async (auth) => {
           genReadable = pkClient.grpcClient.identitiesAuthenticate(
             providerMessage,
@@ -90,7 +84,7 @@ class CommandAuthenticate extends CommandPolykey {
               case identitiesPB.AuthenticationProcess.StepCase.RESPONSE: {
                 const authResponse = message.getResponse()!;
                 this.logger.info(
-                  `Authenticated digital identity provider ${providerId} with identity ${identityId}`,
+                  `Authenticated digital identity provider ${providerId}`,
                 );
                 process.stdout.write(
                   binUtils.outputFormatter({

diff --git a/src/bin/secrets/CommandGet.ts b/src/bin/secrets/CommandGet.ts
@@ -15,10 +15,6 @@ class CommandGet extends CommandPolykey {
       'Path to where the secret to be retrieved, specified as <vaultName>:<directoryPath>',
       parsers.parseSecretPath,
     );
-    this.option(
-      '-e, --env',
-      'Wrap the secret in an environment variable declaration',
-    );
     this.addOption(binOptions.nodeId);
     this.addOption(binOptions.clientHost);
     this.addOption(binOptions.clientPort);
@@ -54,7 +50,6 @@ class CommandGet extends CommandPolykey {
           port: clientOptions.clientPort,
           logger: this.logger.getChild(PolykeyClient.name),
         });
-        const isEnv: boolean = options.env ?? false;
         const secretMessage = new secretsPB.Secret();
         const vaultMessage = new vaultsPB.Vault();
         vaultMessage.setNameOrId(secretPath[0]);
@@ -64,28 +59,13 @@ class CommandGet extends CommandPolykey {
           (auth) => pkClient.grpcClient.vaultsSecretsGet(secretMessage, auth),
           meta,
         );
-        if (isEnv) {
-          process.stdout.write(
-            binUtils.outputFormatter({
-              type: options.format === 'json' ? 'json' : 'list',
-              data: [
-                `Export ${secretMessage
-                  .getSecretName()
-                  .toUpperCase()
-                  .replace('-', '_')}='${response.getSecretName()}`,
-              ],
-            }),
-          );
-        } else {
-          process.stdout.write(
-            binUtils.outputFormatter({
-              type: options.format === 'json' ? 'json' : 'list',
-              data: [
-                `${secretMessage.getSecretName()}:\t\t${response.getSecretName()}`,
-              ],
-            }),
-          );
-        }
+        const secretContent = response.getSecretContent_asU8();
+        process.stdout.write(
+          binUtils.outputFormatter({
+            type: 'raw',
+            data: secretContent,
+          }),
+        );
       } finally {
         if (pkClient! != null) await pkClient.stop();
       }

diff --git a/src/bin/utils/utils.ts b/src/bin/utils/utils.ts
@@ -26,6 +26,10 @@ function verboseToLogLevel(c: number = 0): LogLevel {
 }
 
 type OutputObject =
+  | {
+      type: 'raw';
+      data: string | Uint8Array;
+    }
   | {
       type: 'list';
       data: Array<string>;
@@ -47,9 +51,11 @@ type OutputObject =
       data: Error;
     };
 
-function outputFormatter(msg: OutputObject): string {
+function outputFormatter(msg: OutputObject): string | Uint8Array {
   let output = '';
-  if (msg.type === 'list') {
+  if (msg.type === 'raw') {
+    return msg.data;
+  } else if (msg.type === 'list') {
     for (let elem in msg.data) {
       // Empty string for null or undefined values
       if (elem == null) {
@@ -127,8 +133,9 @@ function outputFormatter(msg: OutputObject): string {
           output += ` - ${currError.message}`;
         }
         output += '\n';
-        output += `${indent}exitCode\t${currError.exitCode}\n`;
-        output += `${indent}timestamp\t${currError.timestamp}\n`;
+        // Disabled to streamline output
+        // output += `${indent}exitCode\t${currError.exitCode}\n`;
+        // output += `${indent}timestamp\t${currError.timestamp}\n`;
         if (currError.data && !utils.isEmptyObject(currError.data)) {
           output += `${indent}data\t${JSON.stringify(currError.data)}\n`;
         }

diff --git a/src/identities/IdentitiesManager.ts b/src/identities/IdentitiesManager.ts
@@ -243,7 +243,9 @@ class IdentitiesManager {
     }
     const identities = await provider.getAuthIdentityIds();
     if (!identities.includes(identityId)) {
-      throw new identitiesErrors.ErrorProviderUnauthenticated();
+      throw new identitiesErrors.ErrorProviderIdentityMissing(
+        `Authenticated identities: ${JSON.stringify(identities)}`,
+      );
     }
     // Create identity claim on our node
     const publishedClaimProm = promise<IdentitySignedClaim>();
@@ -258,11 +260,11 @@ class IdentitiesManager {
         async (token) => {
           // Publishing in the callback to avoid adding bad claims
           const claim = token.toSigned();
-          const asd = await provider.publishClaim(
+          const identitySignedClaim = await provider.publishClaim(
             identityId,
             claim as SignedClaim<ClaimLinkIdentity>,
           );
-          publishedClaimProm.resolveP(asd);
+          publishedClaimProm.resolveP(identitySignedClaim);
           return token;
         },
         tran,

diff --git a/src/identities/errors.ts b/src/identities/errors.ts
@@ -38,6 +38,11 @@ class ErrorProviderUnauthenticated<T> extends ErrorIdentities<T> {
   exitCode = sysexits.NOPERM;
 }
 
+class ErrorProviderIdentityMissing<T> extends ErrorIdentities<T> {
+  static description = 'Identity is not authenticated with the provider';
+  exitCode = sysexits.NOPERM;
+}
+
 class ErrorProviderUnimplemented<T> extends ErrorIdentities<T> {
   static description = 'Functionality is unavailable';
   exitCode = sysexits.USAGE;
@@ -58,5 +63,6 @@ export {
   ErrorProviderAuthentication,
   ErrorProviderUnauthenticated,
   ErrorProviderUnimplemented,
+  ErrorProviderIdentityMissing,
   ErrorProviderMissing,
 };
diff --git a/src/keys/utils/symmetric.ts b/src/keys/utils/symmetric.ts
@@ -83,15 +83,21 @@ function decryptWithKey(
   const plainText = Buffer.allocUnsafeSlow(
     macAndCipherText.byteLength - macSize,
   );
-  // This returns the number of bytes that has been decrypted
-  const decrypted = sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(
-    plainText,
-    null,
-    macAndCipherText,
-    additionalData,
-    nonce,
-    key,
-  );
+  let decrypted: number;
+  try {
+    // This returns the number of bytes that has been decrypted
+    // It will throw if the MAC cannot be authenticated
+    decrypted = sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(
+      plainText,
+      null,
+      macAndCipherText,
+      additionalData,
+      nonce,
+      key,
+    );
+  } catch {
+    return;
+  }
   if (decrypted !== plainText.byteLength) {
     return;
   }

diff --git a/src/nodes/NodeManager.ts b/src/nodes/NodeManager.ts
@@ -144,7 +144,7 @@ class NodeManager {
     const seedNodes = this.nodeConnectionManager.getSeedNodes();
     const allInactive = !seedNodes
       .map((nodeId) => this.nodeConnectionManager.hasConnection(nodeId))
-      .reduce((a, b) => a || b);
+      .reduce((a, b) => a || b, false);
     try {
       if (allInactive) {
         this.logger.debug(

diff --git a/src/utils/utils.ts b/src/utils/utils.ts
@@ -68,7 +68,7 @@ async function dirEmpty(fs: FileSystem, path): Promise<boolean> {
     return entries.length === 0;
   } catch (e) {
     if (e.code === 'ENOENT') {
-      return false;
+      return true;
     }
     throw e;
   }

diff --git a/tests/bin/secrets/secrets.test.ts b/tests/bin/secrets/secrets.test.ts
@@ -134,6 +134,7 @@ describe('CLI secrets', () => {
           env: {},
           cwd: dataDir,
         });
+        expect(result.stdout).toBe('this is the secret');
         expect(result.exitCode).toBe(0);
       },
     );