enabling pgp passphrase cache with authentication (#3124)

* enabling pgp passphrase cache with authentication

* clear passphrase cache on first autofill decrypt after screen off

---------

Co-authored-by: Alexander Grahn <[email protected]>

Author: agrahn

app/src/main/java/app/passwordstore/ui/autofill/AutofillDecryptActivity.kt

@@ -13,6 +13,7 @@ import android.os.Bundle
 import android.view.autofill.AutofillManager
 import androidx.fragment.app.setFragmentResultListener
 import androidx.lifecycle.lifecycleScope
+import app.passwordstore.Application.Companion.screenWasOff
 import app.passwordstore.R
 import app.passwordstore.crypto.PGPIdentifier
 import app.passwordstore.data.crypto.PGPPassphraseCache
@@ -28,6 +29,7 @@ import app.passwordstore.util.autofill.DirectoryStructure
 import app.passwordstore.util.extensions.asLog
 import app.passwordstore.util.features.Feature.EnablePGPPassphraseCache
 import app.passwordstore.util.features.Features
+import app.passwordstore.util.settings.PreferenceKeys
 import com.github.androidpasswordstore.autofillparser.AutofillAction
 import com.github.androidpasswordstore.autofillparser.Credentials
 import com.github.michaelbull.result.getOrElse
@@ -110,6 +112,12 @@ class AutofillDecryptActivity : BasePGPActivity() {
           askPassphrase(filePath, gpgIdentifiers, clientState, action)
         //
         is Result.Success -> {
+          /* clear passphrase cache on first use after application startup or if screen was off;
+          also make sure to purge a stale cache after caching has been disabled via PGP settings */
+          if (screenWasOff && settings.getBoolean(PreferenceKeys.CLEAR_PASSPHRASE_CACHE, true)) {
+            passphraseCache.clearAllCachedPassphrases(this@AutofillDecryptActivity)
+            screenWasOff = false
+          }
           val cachedPassphrase =
             passphraseCache.retrieveCachedPassphrase(
               this@AutofillDecryptActivity,

app/src/main/java/app/passwordstore/ui/crypto/DecryptActivity.kt

@@ -168,8 +168,9 @@ class DecryptActivity : BasePGPActivity() {
           askPassphrase(isError, gpgIdentifiers, authResult)
         //
         is BiometricResult.Success -> {
-          // clear passphrase cache on first use after application startup or if screen was off
-          if (screenWasOff && settings.getBoolean(PreferenceKeys.CLEAR_PASSPHRASE_CACHE, false)) {
+          /* clear passphrase cache on first use after application startup or if screen was off;
+          also make sure to purge a stale cache after caching has been disabled via PGP settings */
+          if (screenWasOff && settings.getBoolean(PreferenceKeys.CLEAR_PASSPHRASE_CACHE, true)) {
             passphraseCache.clearAllCachedPassphrases(this@DecryptActivity)
             screenWasOff = false
           }

app/src/main/java/app/passwordstore/ui/settings/PGPSettings.kt

@@ -5,13 +5,15 @@
 
 package app.passwordstore.ui.settings
 
+import androidx.core.content.edit
 import androidx.fragment.app.FragmentActivity
 import androidx.lifecycle.lifecycleScope
 import app.passwordstore.R
 import app.passwordstore.data.crypto.PGPPassphraseCache
 import app.passwordstore.ui.pgp.PGPKeyListActivity
 import app.passwordstore.util.auth.BiometricAuthenticator
 import app.passwordstore.util.extensions.launchActivity
+import app.passwordstore.util.extensions.sharedPrefs
 import app.passwordstore.util.features.Feature
 import app.passwordstore.util.settings.PreferenceKeys
 import de.Maxr1998.modernpreferences.PreferenceScreen
@@ -46,16 +48,24 @@ class PGPSettings(
         summaryRes = R.string.pref_passphrase_cache_summary
         defaultValue = false
         onCheckedChange { checked ->
-          if (!checked && BiometricAuthenticator.canAuthenticate(activity)) {
-            BiometricAuthenticator.authenticate(
-              activity,
-              R.string.pref_passphrase_cache_authenticate_clear,
-            ) {
-              if (it is BiometricAuthenticator.Result.Success)
-                activity.lifecycleScope.launch {
-                  passphraseCache.clearAllCachedPassphrases(activity)
-                }
-            }
+          if (checked) {
+            if (BiometricAuthenticator.canAuthenticate(activity)) {
+              BiometricAuthenticator.authenticate(
+                activity,
+                R.string.pref_passphrase_cache_authenticate_enable,
+              ) {
+                if (!(it is BiometricAuthenticator.Result.Success))
+                  activity.sharedPrefs.edit {
+                    putBoolean(Feature.EnablePGPPassphraseCache.configKey, false)
+                  }
+              }
+            } else
+              activity.sharedPrefs.edit {
+                putBoolean(Feature.EnablePGPPassphraseCache.configKey, false)
+              }
+          } else {
+            activity.sharedPrefs.edit { remove(PreferenceKeys.CLEAR_PASSPHRASE_CACHE) }
+            activity.lifecycleScope.launch { passphraseCache.clearAllCachedPassphrases(activity) }
           }
           true
         }
@@ -64,21 +74,12 @@ class PGPSettings(
         dependency = Feature.EnablePGPPassphraseCache.configKey
         titleRes = R.string.pref_passphrase_cache_auto_clear_title
         summaryRes = R.string.pref_passphrase_cache_auto_clear_summary
-        defaultValue = false
+        defaultValue = true
         /* clear cache once when unchecking; this is to prevent a malicious user
          * from bypassing cache clearing via the settings */
         onCheckedChange { checked ->
-          if (!checked && BiometricAuthenticator.canAuthenticate(activity)) {
-            BiometricAuthenticator.authenticate(
-              activity,
-              R.string.pref_passphrase_cache_authenticate_clear,
-            ) {
-              if (it is BiometricAuthenticator.Result.Success)
-                activity.lifecycleScope.launch {
-                  passphraseCache.clearAllCachedPassphrases(activity)
-                }
-            }
-          }
+          if (!checked)
+            activity.lifecycleScope.launch { passphraseCache.clearAllCachedPassphrases(activity) }
           true
         }
       }

app/src/main/res/values-gl/strings.xml

@@ -120,7 +120,7 @@
   <string name="pref_pgp_ascii_armor_title">Cifrar co modo ASCII armor</string>
   <string name="pref_passphrase_cache_title">Permitir usar a caché para frase de paso</string>
   <string name="pref_passphrase_cache_summary">AVISO: esta característica funciona ben pero é experimental. Require que a pantalla estea bloqueada.</string>
-  <string name="pref_passphrase_cache_authenticate_clear">Autenticarse para poder baleirar a cache</string>
+  <string name="pref_passphrase_cache_authenticate_enable">Autenticarse para activar a caché</string>
   <string name="pref_passphrase_cache_auto_clear_title">Limpar automáticamente a frase de paso da caché</string>
   <string name="pref_passphrase_cache_auto_clear_summary">Retira automáticamente a frase de paso da caché ao apagarse a pantalla</string>
   <!-- PasswordGenerator fragment -->

app/src/main/res/values-pl-rPL/strings.xml

@@ -116,7 +116,7 @@
   <string name="pref_pgp_key_manager_title">Menedżer kluczy</string>
   <string name="pref_pgp_ascii_armor_title">Szyfruj w trybie ASCII-armor</string>
   <string name="pref_passphrase_cache_summary">UWAGA: ta funkcjonalność powinna działać poprawnie, ale jest bardzo eksperymentalna. Wymaga aktywnej blokady ekranu.</string>
-  <string name="pref_passphrase_cache_authenticate_clear">Uwierzytelnij aby wyczyścić pamięć podręczną</string>
+  <string name="pref_passphrase_cache_authenticate_enable">Uwierzytelnij aby włączyć pamięć podręczną</string>
   <string name="pref_passphrase_cache_auto_clear_title">Automatycznie wyczyść pamięć podręczną haseł</string>
   <string name="pref_passphrase_cache_auto_clear_summary">Czyści pamięć podręczną haseł po wyłączeniu ekranu</string>
   <!-- PasswordGenerator fragment -->

app/src/main/res/values/strings.xml

@@ -137,7 +137,7 @@
   <string name="pref_pgp_ascii_armor_title">Encrypt in ASCII armor mode</string>
   <string name="pref_passphrase_cache_title">Enable passphrase caching</string>
   <string name="pref_passphrase_cache_summary">WARNING: this feature is functional but very experimental. Requires an active screen lock.</string>
-  <string name="pref_passphrase_cache_authenticate_clear">Authenticate to clear cache</string>
+  <string name="pref_passphrase_cache_authenticate_enable">Authenticate to enable cache</string>
   <string name="pref_passphrase_cache_auto_clear_title">Automatically clear passphrase cache</string>
   <string name="pref_passphrase_cache_auto_clear_summary">Clears the passphrase cache when the screen is turned off</string>