Merge pull request #92 from passbolt/v5

V5 Support

Author: speatzle

go.mod

@@ -5,62 +5,55 @@ go 1.23.0
 toolchain go1.23.6
 
 require (
-	al.essio.dev/pkg/shellescape v1.5.1
-	github.com/google/cel-go v0.24.1
-	github.com/passbolt/go-passbolt v0.7.2
-	github.com/pterm/pterm v0.12.80
+	al.essio.dev/pkg/shellescape v1.6.0
+	github.com/google/cel-go v0.26.0
+	github.com/passbolt/go-passbolt v0.7.3-0.20250818130824-58240d4bc18c
+	github.com/pterm/pterm v0.12.81
 	github.com/spf13/cobra v1.9.1
-	github.com/spf13/viper v1.19.0
+	github.com/spf13/viper v1.20.1
 	github.com/tobischo/gokeepasslib/v3 v3.6.1
-	golang.org/x/term v0.29.0
+	golang.org/x/term v0.34.0
 )
 
 require (
 	atomicgo.dev/cursor v0.2.0 // indirect
 	atomicgo.dev/keyboard v0.2.9 // indirect
 	atomicgo.dev/schedule v0.1.0 // indirect
-	cel.dev/expr v0.21.2 // indirect
-	github.com/ProtonMail/go-crypto v1.1.6 // indirect
-	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
-	github.com/ProtonMail/gopenpgp/v2 v2.8.3 // indirect
+	cel.dev/expr v0.24.0 // indirect
+	github.com/ProtonMail/go-crypto v1.3.0 // indirect
+	github.com/ProtonMail/gopenpgp/v3 v3.3.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
-	github.com/cloudflare/circl v1.6.0 // indirect
-	github.com/containerd/console v1.0.4 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
-	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/containerd/console v1.0.5 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gookit/color v1.5.4 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
-	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sagikazarmark/locafero v0.7.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	github.com/santhosh-tekuri/jsonschema v1.2.4 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.12.0 // indirect
-	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/sagikazarmark/locafero v0.10.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+	github.com/spf13/afero v1.14.0 // indirect
+	github.com/spf13/cast v1.9.2 // indirect
+	github.com/spf13/pflag v1.0.7 // indirect
+	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tobischo/argon2 v0.1.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.35.0 // indirect
-	golang.org/x/exp v0.0.0-20250228200357-dead58393ab7 // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 

go.sum

@@ -130,43 +130,62 @@ func KeepassExport(cmd *cobra.Command, args []string) error {
 }
 
 func getKeepassEntry(client *api.Client, resource api.Resource, secret api.Secret, rType api.ResourceType) (*gokeepasslib.Entry, error) {
-	_, _, _, _, pass, desc, err := helper.GetResourceFromData(client, resource, resource.Secrets[0], resource.ResourceType)
+	_, name, username, uri, pass, desc, err := helper.GetResourceFromData(client, resource, resource.Secrets[0], resource.ResourceType)
 	if err != nil {
 		return nil, fmt.Errorf("Get Resource %v: %w", resource.ID, err)
 	}
 
 	entry := gokeepasslib.NewEntry()
 	entry.Values = append(
 		entry.Values,
-		gokeepasslib.ValueData{Key: "Title", Value: gokeepasslib.V{Content: resource.Name}},
-		gokeepasslib.ValueData{Key: "UserName", Value: gokeepasslib.V{Content: resource.Username}},
-		gokeepasslib.ValueData{Key: "URL", Value: gokeepasslib.V{Content: resource.URI}},
+		gokeepasslib.ValueData{Key: "Title", Value: gokeepasslib.V{Content: name}},
+		gokeepasslib.ValueData{Key: "UserName", Value: gokeepasslib.V{Content: username}},
+		gokeepasslib.ValueData{Key: "URL", Value: gokeepasslib.V{Content: uri}},
 		gokeepasslib.ValueData{Key: "Password", Value: gokeepasslib.V{Content: pass, Protected: w.NewBoolWrapper(true)}},
 		gokeepasslib.ValueData{Key: "Notes", Value: gokeepasslib.V{Content: desc}},
 	)
 
-	if resource.ResourceType.Slug == "password-description-totp" || resource.ResourceType.Slug == "totp" {
+	if resource.ResourceType.Slug == "password-description-totp" || resource.ResourceType.Slug == "totp" || resource.ResourceType.Slug == "v5-default-with-totp" || resource.ResourceType.Slug == "v5-totp-standalone" {
 		var totpData api.SecretDataTOTP
 
 		rawSecretData, err := client.DecryptMessage(resource.Secrets[0].Data)
 		if err != nil {
 			return nil, fmt.Errorf("Decrypting Secret Data: %w", err)
 		}
 
-		if resource.ResourceType.Slug == "password-description-totp" {
+		switch resource.ResourceType.Slug {
+		case "password-description-totp":
 			var secretData api.SecretDataTypePasswordDescriptionTOTP
 			err = json.Unmarshal([]byte(rawSecretData), &secretData)
 			if err != nil {
 				return nil, fmt.Errorf("Parsing Decrypted Secret Data: %w", err)
 			}
 			totpData = secretData.TOTP
-		} else {
+			break
+		case "totp":
 			var secretData api.SecretDataTypeTOTP
 			err = json.Unmarshal([]byte(rawSecretData), &secretData)
 			if err != nil {
 				return nil, fmt.Errorf("Parsing Decrypted Secret Data: %w", err)
 			}
 			totpData = secretData.TOTP
+			break
+		case "v5-default-with-totp":
+			var secretData api.SecretDataTypeV5DefaultWithTOTP
+			err = json.Unmarshal([]byte(rawSecretData), &secretData)
+			if err != nil {
+				return nil, fmt.Errorf("Parsing Decrypted Secret Data: %w", err)
+			}
+			totpData = secretData.TOTP
+			break
+		case "v5-totp-standalone":
+			var secretData api.SecretDataTypeV5TOTPStandalone
+			err = json.Unmarshal([]byte(rawSecretData), &secretData)
+			if err != nil {
+				return nil, fmt.Errorf("Parsing Decrypted Secret Data: %w", err)
+			}
+			totpData = secretData.TOTP
+			break
 		}
 
 		v := url.Values{}
@@ -175,16 +194,16 @@ func getKeepassEntry(client *api.Client, resource api.Resource, secret api.Secre
 		v.Set("algorithm", totpData.Algorithm)
 		v.Set("digits", fmt.Sprint(totpData.Digits))
 
-		issuer := resource.URI
-		if resource.URI == "" {
-			issuer = resource.Name
+		issuer := uri
+		if uri == "" {
+			issuer = name
 
 		}
 		v.Set("issuer", issuer)
 
-		accountName := resource.Username
-		if resource.Username == "" {
-			accountName = resource.Name
+		accountName := username
+		if username == "" {
+			accountName = name
 		}
 
 		u := url.URL{

keepass/export.go

@@ -25,7 +25,7 @@ func init() {
 	ResourceCreateCmd.Flags().StringP("password", "p", "", "Resource Password")
 	ResourceCreateCmd.Flags().StringP("description", "d", "", "Resource Description")
 	ResourceCreateCmd.Flags().StringP("folderParentID", "f", "", "Folder in which to create the Resource")
-
+	ResourceCreateCmd.Flags().String("expiry", "", "Expiry as RFC3339 (e.g. 2025-12-31T23:59:59Z) or Go duration (e.g. 48h, 30m)")
 	ResourceCreateCmd.MarkFlagRequired("name")
 	ResourceCreateCmd.MarkFlagRequired("password")
 }
@@ -55,6 +55,12 @@ func ResourceCreate(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
+
+	expiry, err := cmd.Flags().GetString("expiry")
+	if err != nil {
+		return err
+	}
+
 	jsonOutput, err := cmd.Flags().GetBool("json")
 	if err != nil {
 		return err
@@ -83,6 +89,13 @@ func ResourceCreate(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("Creating Resource: %w", err)
 	}
 
+	// TODO, Should be done by go-passbolt when the "new" Resource API is done
+	if expiry != "" {
+		if err := SetResourceExpiry(ctx, client, id, expiry); err != nil {
+			return err
+		}
+	}
+
 	if jsonOutput {
 		jsonId, err := json.MarshalIndent(
 			map[string]string{"id": id},

resource/create.go

@@ -0,0 +1,100 @@
+package resource
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/passbolt/go-passbolt/api"
+)
+
+// SetResourceExpiry updates only the expiry date of a resource.
+func SetResourceExpiry(ctx context.Context, client *api.Client, id string, expiryInput string) error {
+	if expiryInput == "" {
+		return nil
+	}
+
+	// Safety: ensure the resource id is a UUID to avoid unsafe URL construction
+	if !isUUID(id) {
+		return fmt.Errorf("invalid resource id: %q", id)
+	}
+
+	// allow a single keyword to clear expiry (no TrimSpace: flags shouldn't need quoting spaces)
+	switch strings.ToLower(expiryInput) {
+	case "none":
+		// TODO: Should be handled in go-passbolt when the planned new Resource API is available
+		_, _, err := client.DoCustomRequestAndReturnRawResponse(
+			ctx,
+			"PUT",
+			fmt.Sprintf("resources/%s.json", id),
+			"v2",
+			map[string]*string{"expired": nil},
+			nil,
+		)
+		if err != nil {
+			return fmt.Errorf("Clearing expiry: %w", err)
+		}
+		return nil
+	}
+
+	isoExpiry, err := ParseExpiry(expiryInput)
+	if err != nil {
+		return err
+	}
+	// TODO: Should be handled in go-passbolt when the planned new Resource API is available
+	_, _, err = client.DoCustomRequestAndReturnRawResponse(
+		ctx,
+		"PUT",
+		fmt.Sprintf("resources/%s.json", id),
+		"v2",
+		map[string]string{"expired": isoExpiry},
+		nil,
+	)
+	if err != nil {
+		return fmt.Errorf("Setting expiry: %w", err)
+	}
+	return nil
+}
+
+// ParseExpiry accepts either an absolute time (ISO8601/RFC3339) or a human duration like "7d", "12h", "30m", or combinations like "1w2d3h".
+// It returns an ISO8601 (RFC3339) timestamp string in UTC suitable for the API.
+func ParseExpiry(input string) (string, error) {
+	if input == "" {
+		return "", nil
+	}
+	// Try absolute timestamp first
+	if t, err := tryParseAbsoluteTime(input); err == nil {
+		return t.UTC().Format(time.RFC3339), nil
+	}
+	// Fallback to human duration(s)
+	d, err := time.ParseDuration(input)
+	if err != nil {
+		return "", fmt.Errorf("invalid expiry value %q: %w", input, err)
+	}
+	return time.Now().UTC().Add(d).Format(time.RFC3339), nil
+}
+
+func tryParseAbsoluteTime(s string) (time.Time, error) {
+	// Try RFC3339 variants only (avoid nonstandard timestamp formats)
+	layouts := []string{
+		time.RFC3339,
+		time.RFC3339Nano,
+	}
+	var lastErr error
+	for _, layout := range layouts {
+		if t, err := time.Parse(layout, s); err == nil {
+			return t, nil
+		} else {
+			lastErr = err
+		}
+	}
+	return time.Time{}, lastErr
+}
+
+// isUUID performs a basic UUID validation in canonical 8-4-4-4-12 hex format.
+func isUUID(s string) bool {
+	re := regexp.MustCompile(`(?i)^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
+	return re.MatchString(s)
+}

resource/expiry.go

@@ -5,8 +5,6 @@ import (
 	"fmt"
 
 	"github.com/google/cel-go/cel"
-	"github.com/google/cel-go/common/types"
-	"github.com/google/cel-go/common/types/ref"
 	"github.com/passbolt/go-passbolt-cli/util"
 	"github.com/passbolt/go-passbolt/api"
 	"github.com/passbolt/go-passbolt/helper"
@@ -38,28 +36,20 @@ func filterResources(resources *[]api.Resource, celCmd string, ctx context.Conte
 
 	filteredResources := []api.Resource{}
 	for _, resource := range *resources {
+		// TODO We should decrypt the secret only when required for performance reasonse
+		_, name, username, uri, pass, desc, err := helper.GetResource(ctx, client, resource.ID)
+		if err != nil {
+			return nil, fmt.Errorf("Get Resource %w", err)
+		}
+
 		val, _, err := (*program).ContextEval(ctx, map[string]any{
-			"Id":             resource.ID,
-			"FolderParentID": resource.FolderParentID,
-			"Name":           resource.Name,
-			"Username":       resource.Username,
-			"URI":            resource.URI,
-			"Password": func() ref.Val {
-				_, _, _, _, pass, _, err := helper.GetResource(ctx, client, resource.ID)
-				if err != nil {
-					fmt.Printf("Get Resource %v", err)
-					return types.String("")
-				}
-				return types.String(pass)
-			},
-			"Description": func() ref.Val {
-				_, _, _, _, _, descr, err := helper.GetResource(ctx, client, resource.ID)
-				if err != nil {
-					fmt.Printf("Get Resource %v", err)
-					return types.String("")
-				}
-				return types.String(descr)
-			},
+			"Id":                resource.ID,
+			"FolderParentID":    resource.FolderParentID,
+			"Name":              name,
+			"Username":          username,
+			"URI":               uri,
+			"Password":          pass,
+			"Description":       desc,
 			"CreatedTimestamp":  resource.Created.Time,
 			"ModifiedTimestamp": resource.Modified.Time,
 		})