2017-02-24 17:42:30 +00:00
|
|
|
{- git-annex Keys
|
|
|
|
|
-
|
|
|
|
|
- Copyright 2011-2017 Joey Hess <id@joeyh.name>
|
|
|
|
|
-
|
|
|
|
|
- Licensed under the GNU GPL version 3 or higher.
|
|
|
|
|
-}
|
|
|
|
|
|
|
|
|
|
{-# OPTIONS_GHC -fno-warn-orphans #-}
|
|
|
|
|
|
|
|
|
|
module Key (
|
|
|
|
|
Key(..),
|
2017-03-10 17:12:24 +00:00
|
|
|
AssociatedFile(..),
|
2017-02-24 17:42:30 +00:00
|
|
|
stubKey,
|
|
|
|
|
key2file,
|
|
|
|
|
file2key,
|
|
|
|
|
nonChunkKey,
|
|
|
|
|
chunkKeyOffset,
|
|
|
|
|
isChunkKey,
|
|
|
|
|
isKeyPrefix,
|
|
|
|
|
|
|
|
|
|
prop_isomorphic_key_encode,
|
|
|
|
|
prop_isomorphic_key_decode
|
|
|
|
|
) where
|
|
|
|
|
|
|
|
|
|
import Data.Char
|
|
|
|
|
import qualified Data.Text as T
|
|
|
|
|
|
|
|
|
|
import Common
|
|
|
|
|
import Types.Key
|
|
|
|
|
import Utility.QuickCheck
|
|
|
|
|
import Utility.Bloom
|
Fix mangling of --json output of utf-8 characters when not running in a utf-8 locale
As long as all code imports Utility.Aeson rather than Data.Aeson,
and no Strings that may contain utf-8 characters are used for eg, object
keys via T.pack, this is guaranteed to fix the problem everywhere that
git-annex generates json.
It's kind of annoying to need to wrap ToJSON with a ToJSON', especially
since every data type that has a ToJSON instance has to be ported over.
However, that only took 50 lines of code, which is worth it to ensure full
coverage. I initially tried an alternative approach of a newtype FileEncoded,
which had to be used everywhere a String was fed into aeson, and chasing
down all the sites would have been far too hard. Did consider creating an
intentionally overlapping instance ToJSON String, and letting ghc fail
to build anything that passed in a String, but am not sure that wouldn't
pollute some library that git-annex depends on that happens to use ToJSON
String internally.
This commit was supported by the NSF-funded DataLad project.
2018-04-16 19:42:45 +00:00
|
|
|
import Utility.Aeson
|
2017-02-24 17:42:30 +00:00
|
|
|
import qualified Utility.SimpleProtocol as Proto
|
|
|
|
|
|
|
|
|
|
stubKey :: Key
|
|
|
|
|
stubKey = Key
|
|
|
|
|
{ keyName = ""
|
2017-02-24 19:16:56 +00:00
|
|
|
, keyVariety = OtherKey ""
|
2017-02-24 17:42:30 +00:00
|
|
|
, keySize = Nothing
|
|
|
|
|
, keyMtime = Nothing
|
|
|
|
|
, keyChunkSize = Nothing
|
|
|
|
|
, keyChunkNum = Nothing
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-- Gets the parent of a chunk key.
|
|
|
|
|
nonChunkKey :: Key -> Key
|
|
|
|
|
nonChunkKey k = k
|
|
|
|
|
{ keyChunkSize = Nothing
|
|
|
|
|
, keyChunkNum = Nothing
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-- Where a chunk key is offset within its parent.
|
|
|
|
|
chunkKeyOffset :: Key -> Maybe Integer
|
|
|
|
|
chunkKeyOffset k = (*)
|
|
|
|
|
<$> keyChunkSize k
|
|
|
|
|
<*> (pred <$> keyChunkNum k)
|
|
|
|
|
|
|
|
|
|
isChunkKey :: Key -> Bool
|
|
|
|
|
isChunkKey k = isJust (keyChunkSize k) && isJust (keyChunkNum k)
|
|
|
|
|
|
|
|
|
|
-- Checks if a string looks like at least the start of a key.
|
|
|
|
|
isKeyPrefix :: String -> Bool
|
|
|
|
|
isKeyPrefix s = [fieldSep, fieldSep] `isInfixOf` s
|
|
|
|
|
|
|
|
|
|
fieldSep :: Char
|
|
|
|
|
fieldSep = '-'
|
|
|
|
|
|
|
|
|
|
{- Converts a key to a string that is suitable for use as a filename.
|
|
|
|
|
- The name field is always shown last, separated by doubled fieldSeps,
|
|
|
|
|
- and is the only field allowed to contain the fieldSep. -}
|
|
|
|
|
key2file :: Key -> FilePath
|
2017-02-24 19:16:56 +00:00
|
|
|
key2file Key { keyVariety = kv, keySize = s, keyMtime = m, keyChunkSize = cs, keyChunkNum = cn, keyName = n } =
|
|
|
|
|
formatKeyVariety kv +++ ('s' ?: s) +++ ('m' ?: m) +++ ('S' ?: cs) +++ ('C' ?: cn) +++ (fieldSep : n)
|
2017-02-24 17:42:30 +00:00
|
|
|
where
|
|
|
|
|
"" +++ y = y
|
|
|
|
|
x +++ "" = x
|
|
|
|
|
x +++ y = x ++ fieldSep:y
|
|
|
|
|
f ?: (Just v) = f : show v
|
|
|
|
|
_ ?: _ = ""
|
|
|
|
|
|
|
|
|
|
file2key :: FilePath -> Maybe Key
|
|
|
|
|
file2key s
|
2017-02-24 19:16:56 +00:00
|
|
|
| key == Just stubKey || (keyName <$> key) == Just "" || (keyVariety <$> key) == Just (OtherKey "") = Nothing
|
2017-02-24 17:42:30 +00:00
|
|
|
| otherwise = key
|
|
|
|
|
where
|
|
|
|
|
key = startbackend stubKey s
|
|
|
|
|
|
2017-02-24 19:16:56 +00:00
|
|
|
startbackend k v = sepfield k v addvariety
|
2017-02-24 17:42:30 +00:00
|
|
|
|
|
|
|
|
sepfield k v a = case span (/= fieldSep) v of
|
|
|
|
|
(v', _:r) -> findfields r $ a k v'
|
|
|
|
|
_ -> Nothing
|
|
|
|
|
|
|
|
|
|
findfields (c:v) (Just k)
|
|
|
|
|
| c == fieldSep = addkeyname k v
|
|
|
|
|
| otherwise = sepfield k v $ addfield c
|
|
|
|
|
findfields _ v = v
|
|
|
|
|
|
2017-02-24 19:16:56 +00:00
|
|
|
addvariety k v = Just k { keyVariety = parseKeyVariety v }
|
2017-02-24 17:42:30 +00:00
|
|
|
|
|
|
|
|
-- This is a strict parser for security reasons; a key
|
|
|
|
|
-- can contain only 4 fields, which all consist only of numbers.
|
|
|
|
|
-- Any key containing other fields, or non-numeric data is
|
|
|
|
|
-- rejected with Nothing.
|
|
|
|
|
--
|
|
|
|
|
-- If a key contained non-numeric fields, they could be used to
|
|
|
|
|
-- embed data used in a SHA1 collision attack, which would be a
|
|
|
|
|
-- problem since the keys are committed to git.
|
|
|
|
|
addfield _ _ v | not (all isDigit v) = Nothing
|
|
|
|
|
addfield 's' k v = do
|
|
|
|
|
sz <- readish v
|
|
|
|
|
return $ k { keySize = Just sz }
|
|
|
|
|
addfield 'm' k v = do
|
|
|
|
|
mtime <- readish v
|
|
|
|
|
return $ k { keyMtime = Just mtime }
|
|
|
|
|
addfield 'S' k v = do
|
|
|
|
|
chunksize <- readish v
|
|
|
|
|
return $ k { keyChunkSize = Just chunksize }
|
|
|
|
|
addfield 'C' k v = case readish v of
|
|
|
|
|
Just chunknum | chunknum > 0 ->
|
|
|
|
|
return $ k { keyChunkNum = Just chunknum }
|
|
|
|
|
_ -> Nothing
|
|
|
|
|
addfield _ _ _ = Nothing
|
|
|
|
|
|
|
|
|
|
addkeyname k v
|
|
|
|
|
| validKeyName k v = Just $ k { keyName = v }
|
|
|
|
|
| otherwise = Nothing
|
|
|
|
|
|
2017-02-24 19:16:56 +00:00
|
|
|
{- When a key HasExt, the length of the extension is limited in order to
|
2017-02-24 23:54:36 +00:00
|
|
|
- mitigate against SHA1 collision attacks.
|
2017-02-24 17:42:30 +00:00
|
|
|
-
|
|
|
|
|
- In such an attack, the extension of the key could be made to contain
|
|
|
|
|
- the collision generation data, with the result that a signed git commit
|
2017-02-24 23:54:36 +00:00
|
|
|
- including such keys would not be secure.
|
2017-02-24 17:42:30 +00:00
|
|
|
-
|
|
|
|
|
- The maximum extension length ever generated for such a key was 8
|
|
|
|
|
- characters; 20 is used here to give a little future wiggle-room.
|
2017-02-24 19:16:56 +00:00
|
|
|
- The SHA1 common-prefix attack needs 128 bytes of data.
|
2017-02-24 17:42:30 +00:00
|
|
|
-}
|
|
|
|
|
validKeyName :: Key -> String -> Bool
|
2017-02-24 19:16:56 +00:00
|
|
|
validKeyName k name
|
|
|
|
|
| hasExt (keyVariety k) = length (takeExtensions name) <= 20
|
2017-02-24 17:42:30 +00:00
|
|
|
| otherwise = True
|
|
|
|
|
|
|
|
|
|
instance Arbitrary Key where
|
|
|
|
|
arbitrary = Key
|
|
|
|
|
<$> (listOf1 $ elements $ ['A'..'Z'] ++ ['a'..'z'] ++ ['0'..'9'] ++ "-_\r\n \t")
|
2017-02-24 19:16:56 +00:00
|
|
|
<*> (parseKeyVariety <$> (listOf1 $ elements ['A'..'Z'])) -- BACKEND
|
2017-02-24 17:42:30 +00:00
|
|
|
<*> ((abs <$>) <$> arbitrary) -- size cannot be negative
|
2017-06-17 17:04:48 +00:00
|
|
|
<*> ((abs . fromInteger <$>) <$> arbitrary) -- mtime cannot be negative
|
2017-02-24 17:42:30 +00:00
|
|
|
<*> ((abs <$>) <$> arbitrary) -- chunksize cannot be negative
|
|
|
|
|
<*> ((succ . abs <$>) <$> arbitrary) -- chunknum cannot be 0 or negative
|
|
|
|
|
|
|
|
|
|
instance Hashable Key where
|
|
|
|
|
hashIO32 = hashIO32 . key2file
|
|
|
|
|
hashIO64 = hashIO64 . key2file
|
|
|
|
|
|
Fix mangling of --json output of utf-8 characters when not running in a utf-8 locale
As long as all code imports Utility.Aeson rather than Data.Aeson,
and no Strings that may contain utf-8 characters are used for eg, object
keys via T.pack, this is guaranteed to fix the problem everywhere that
git-annex generates json.
It's kind of annoying to need to wrap ToJSON with a ToJSON', especially
since every data type that has a ToJSON instance has to be ported over.
However, that only took 50 lines of code, which is worth it to ensure full
coverage. I initially tried an alternative approach of a newtype FileEncoded,
which had to be used everywhere a String was fed into aeson, and chasing
down all the sites would have been far too hard. Did consider creating an
intentionally overlapping instance ToJSON String, and letting ghc fail
to build anything that passed in a String, but am not sure that wouldn't
pollute some library that git-annex depends on that happens to use ToJSON
String internally.
This commit was supported by the NSF-funded DataLad project.
2018-04-16 19:42:45 +00:00
|
|
|
instance ToJSON' Key where
|
|
|
|
|
toJSON' = toJSON' . key2file
|
2017-02-24 17:42:30 +00:00
|
|
|
|
|
|
|
|
instance FromJSON Key where
|
|
|
|
|
parseJSON (String t) = maybe mempty pure $ file2key $ T.unpack t
|
|
|
|
|
parseJSON _ = mempty
|
|
|
|
|
|
|
|
|
|
instance Proto.Serializable Key where
|
|
|
|
|
serialize = key2file
|
|
|
|
|
deserialize = file2key
|
|
|
|
|
|
|
|
|
|
prop_isomorphic_key_encode :: Key -> Bool
|
|
|
|
|
prop_isomorphic_key_encode k = Just k == (file2key . key2file) k
|
|
|
|
|
|
|
|
|
|
prop_isomorphic_key_decode :: FilePath -> Bool
|
|
|
|
|
prop_isomorphic_key_decode f
|
|
|
|
|
| normalfieldorder = maybe True (\k -> key2file k == f) (file2key f)
|
|
|
|
|
| otherwise = True
|
|
|
|
|
where
|
|
|
|
|
-- file2key will accept the fields in any order, so don't
|
|
|
|
|
-- try the test unless the fields are in the normal order
|
|
|
|
|
normalfieldorder = fields `isPrefixOf` "smSC"
|
|
|
|
|
fields = map (f !!) $ filter (< length f) $ map succ $
|
|
|
|
|
elemIndices fieldSep f
|