A Go module to interact with Passbolt, an open-source password manager for teams
There also is a CLI Tool to interact with Passbolt using this module here.
This module tries to support the latest Passbolt Community/PRO server release, PRO Features such as folders are supported. Older versions of Passbolt such as v2 are unsupported (it's a password manager, please update it)
This module is divided into two packages: API and helper.
In the API package, you will find everything to directly interact with the API.
The helper package has simplified functions that use the API package to perform common but complicated tasks such as sharing a password.
To use the API package, please read the Passbolt API docs. Sadly the docs aren't complete so many things here have been found by looking at the source of Passbolt or through trial and error. If you have a question just ask.
PR's are welcome. But be gentle: if it's something bigger or fundamental: please create an issue and ask first.
Disclaimer: This project is community driven and not associated with Passbolt SA
go get github.com/passbolt/go-passbolt
First, you will need to create a client and then log in on the server using the client:
package main
import (
"context"
"fmt"
"github.com/passbolt/go-passbolt/api"
)
const address = "https://passbolt.example.com"
const userPassword = "aStrongPassword"
const userPrivateKey = `
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: OpenPGP.js v4.6.2
Comment: https://openpgpjs.org
klasd...
-----END PGP PRIVATE KEY BLOCK-----`
func main() {
client, err := api.NewClient(nil, "", address, userPrivateKey, userPassword)
if err != nil {
panic(err)
}
ctx := context.TODO()
err = client.Login(ctx)
if err != nil {
panic(err)
}
fmt.Println("Logged in!")
}
Note: if you want to use the client for a long time then you'll have to make sure it is still logged in.
You can do this using the client.CheckSession()
function.
Creating a resource using the helper package is simple. First, add "github.com/passbolt/go-passbolt/helper"
to your imports.
Then you can simply:
resourceID, err := helper.CreateResource(
ctx, // Context
client, // API Client
"", // ID of Parent Folder (PRO only)
"Example Account", // Name
"user123", // Username
"https://test.example.com", // URI
"securePassword123", // Password
"This is an Account for the example test portal", // Description
)
Creating a (legacy) resource without the helper package would look like this:
enc, err := client.EncryptMessage("securePassword123")
if err != nil {
panic(err)
}
res := api.Resource{
Name: "Example Account",
Username: "user123",
URI: "https://test.example.com",
Description: "This is an Account for the example test portal",
Secrets: []api.Secret{
{Data: enc},
},
}
resource, err := client.CreateResource(ctx, res)
if err != nil {
panic(err)
}
Note: Since Passbolt v3 there are resource types. This manual example creates a "password-string" type password where the description is unencrypted. Read more here.
Generally, API GET calls will have parameters that allow specifying filters
and contains
, if you don't want to define those parameters just pass nil.
Filters
just filter by whatever is given, contains
on the other hand specify what information you want to include in the response. Many filters
and contains
are undocumented in the Passbolt docs.
Here we specify that we want to filter by favorites and that the response should contain the permissions for each resource:
favorites, err := client.GetResources(ctx, &api.GetResourcesOptions{
FilterIsFavorite: true,
ContainPermissions: true,
})
We can do the same for users:
users, err := client.GetUsers(ctx, &api.GetUsersOptions{
FilterSearch: "Samuel",
ContainLastLoggedIn: true,
})
Groups:
groups, err := client.GetGroups(ctx, &api.GetGroupsOptions{
FilterHasUsers: []string{"id of user", "id of other user"},
ContainUser: true,
})
And also for folders (PRO only):
folders, err := client.GetFolders(ctx, &api.GetFolderOptions{
FilterSearch: "Test Folder",
ContainChildrenResources: true,
})
Getting by ID is also supported using the singular form:
resource, err := client.GetResource(ctx, "resource ID")
Since the password is encrypted (and sometimes the description too) the helper package has a function to decrypt all encrypted fields automatically:
folderParentID, name, username, uri, password, description, err := helper.GetResource(ctx, client, "resource id")
The helper package has a function to save you from dealing with resource types when updating a resource:
err = helper.UpdateResource(
ctx, // Context
client, // API Client
"id", // Resource ID
"name", // Name
"username", // Username
"url", // URI
"strong", // Password
"very strong", // Description
)
The same goes for Groups:
err = helper.UpdateGroup(
ctx, // Context
client, // API Client
"id", // Group ID
"name", // Group Name
[]helper.GroupMembershipOperation{
{
UserID: "id", // ID of User to Add/Modify/Delete
IsGroupManager: true, // Should User be a Group Manager
Delete: false, // Should this User be Remove from the Group
},
}
)
And for Users:
err = helper.UpdateUser(
ctx, // Context
client, // API Client
"id", // User ID
"user", // Role (user or admin)
"firstname", // FirstName
"lastname", // LastName
)
Note: These helpers will only update fields that are not "".
Helper update functions also exists for Folders.
As sharing resources is very complicated there are multiple helper functions.
During sharing you will encounter the permission type.
The permissionType
can be:
Code | Meaning |
---|---|
1 |
"Read-only" |
7 |
"Can update" |
15 |
"Owner" |
-1 |
Delete existing permission |
The ShareResourceWithUsersAndGroups
function shares the resource with all provided users and groups with the given permissionType
.
err := helper.ShareResourceWithUsersAndGroups(ctx, client, "resource id", []string{"user 1 id"}, []string{"group 1 id"}, 7)
Note: Existing permission of users and groups will be adjusted to be of the provided permissionType
.
If you need to do something more complicated like setting users/groups to different types then you can use ShareResource
directly:
changes := []helper.ShareOperation{}
// Make this user Owner
changes = append(changes, ShareOperation{
Type: 15,
ARO: "User",
AROID: "user 1 id",
})
// Make this user "Can Update"
changes = append(changes, ShareOperation{
Type: 5,
ARO: "User",
AROID: "user 2 id",
})
// Delete this users current permission
changes = append(changes, ShareOperation{
Type: -1,
ARO: "User",
AROID: "user 3 id",
})
// Make this group "Read-only"
changes = append(changes, ShareOperation{
Type: 1,
ARO: "Group",
AROID: "group 1 id",
})
err := helper.ShareResource(ctx, c, resourceID, changes)
Note: These functions are also available for folders (PRO)
In Passbolt PRO there are folders, during the creation of resources and folders you can specify in which folder you want to create the resource/folder inside. But if you want to change which folder the resource/folder is in then you can't use the Update
function (it is/was possible to update the parent folder using the Update
function but that breaks things). Instead, you use the Move
function.
err := client.MoveResource(ctx, "resource id", "parent folder id")
err := client.MoveFolder(ctx, "folder id", "parent folder id")
You can setup a Account using a Invite Link like this:
// Get the UserID and Token from the Invite Link
userID, token, err := ParseInviteUrl(url)
// Make a Client for Registration
rClient, err := api.NewClient(nil, "", "https://localhost", "", "")
// Complete Account Setup
privkey, err := SetupAccount(ctx, rClient, userID, token, "password123")
You can Verify that the Server hasen't changed, for that you need to initially setup the Verification and save the returned values. Then you can Verify that the serverkey hasen't changed since you setup the Verification. Note this Only Works if the client is not logged in.
// Setup the Verification
token, encToken, err := client.SetupServerVerification(ctx)
if err != nil {
panic(err)
}
// You Need to save these
fmt.Println("Token: ", token)
fmt.Println("enc Token: ", encToken)
// Now you can Verify the Server
err = client.VerifyServer(ctx, token, encToken)
if err != nil {
panic(err)
}
go-passbolt now supports MFA! You can set it up using the Client's MFACallback
function, it will provide everything you need to complete any MFA challenges. When your done you just need to return the new MFA Cookie (usually called passbolt_mfa). The helper package has a example implementation for a noninteractive TOTP Setup under helper/mfa.go in the function AddMFACallbackTOTP
.
These examples are just the main use cases of these Modules, many more API calls are supported. Look at the reference for more information.
This example:
- Creates a resource;
- Searches for a user named "Test User";
- Checks that it's not itself; and,
- Shares the password with the "Test User" if necessary:
package main
import (
"context"
"fmt"
"github.com/passbolt/go-passbolt/api"
"github.com/passbolt/go-passbolt/helper"
)
const address = "https://passbolt.example.com"
const userPassword = "aStrongPassword"
const userPrivateKey = `
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: OpenPGP.js v4.6.2
Comment: https://openpgpjs.org
klasd...
-----END PGP PRIVATE KEY BLOCK-----`
func main() {
ctx := context.TODO()
client, err := api.NewClient(nil, "", address, userPrivateKey, userPassword)
if err != nil {
panic(err)
}
err = client.Login(ctx)
if err != nil {
panic(err)
}
fmt.Println("Logged in!")
resourceID, err := helper.CreateResource(
ctx, // Context
client, // API Client
"", // ID of Parent Folder (PRO only)
"Example Account", // Name
"user123", // Username
"https://test.example.com", // URI
"securePassword123", // Password
"This is an Account for the example test portal", // Description
)
if err != nil {
panic(err)
}
fmt.Println("Created Resource")
users, err := client.GetUsers(ctx, &api.GetUsersOptions{
FilterSearch: "Test User",
})
if err != nil {
panic(err)
}
if len(users) == 0 {
panic("Cannot Find Test User")
}
if client.GetUserID() == users[0].ID {
fmt.Println("I am the Test User, No Need to Share Password With myself")
client.Logout(ctx)
return
}
helper.ShareResourceWithUsersAndGroups(ctx, client, resourceID, []string{users[0].ID}, []string{}, 7)
if err != nil {
panic(err)
}
fmt.Printf("Shared Resource With Test User %v\n", users[0].ID)
client.Logout(ctx)
}