2012-11-14 23:32:27 +00:00
|
|
|
{- Credentials storage
|
|
|
|
|
-
|
2015-01-21 16:50:09 +00:00
|
|
|
- Copyright 2012-2014 Joey Hess <id@joeyh.name>
|
2012-11-14 23:32:27 +00:00
|
|
|
-
|
|
|
|
|
- Licensed under the GNU GPL version 3 or higher.
|
|
|
|
|
-}
|
|
|
|
|
|
2014-02-11 18:06:50 +00:00
|
|
|
module Creds (
|
|
|
|
|
module Types.Creds,
|
|
|
|
|
CredPairStorage(..),
|
|
|
|
|
setRemoteCredPair,
|
|
|
|
|
getRemoteCredPairFor,
|
|
|
|
|
getRemoteCredPair,
|
|
|
|
|
getEnvCredPair,
|
|
|
|
|
writeCacheCreds,
|
|
|
|
|
readCacheCreds,
|
2014-04-20 16:46:33 +00:00
|
|
|
removeCreds,
|
2014-10-21 19:09:40 +00:00
|
|
|
includeCredsInfo,
|
2014-02-11 18:06:50 +00:00
|
|
|
) where
|
2012-11-14 23:32:27 +00:00
|
|
|
|
|
|
|
|
import Common.Annex
|
2014-02-11 18:06:50 +00:00
|
|
|
import Types.Creds
|
2012-11-14 23:32:27 +00:00
|
|
|
import Annex.Perms
|
|
|
|
|
import Utility.FileMode
|
|
|
|
|
import Crypto
|
|
|
|
|
import Types.Remote (RemoteConfig, RemoteConfigKey)
|
2014-10-21 19:15:16 +00:00
|
|
|
import Remote.Helper.Encryptable (remoteCipher, remoteCipher', embedCreds, EncryptionIsSetup, extractCipher)
|
2014-02-11 18:06:50 +00:00
|
|
|
import Utility.Env (getEnv)
|
2012-11-14 23:32:27 +00:00
|
|
|
|
|
|
|
|
import qualified Data.ByteString.Lazy.Char8 as L
|
|
|
|
|
import qualified Data.Map as M
|
|
|
|
|
import Utility.Base64
|
|
|
|
|
|
|
|
|
|
{- A CredPair can be stored in a file, or in the environment, or perhaps
|
|
|
|
|
- in a remote's configuration. -}
|
|
|
|
|
data CredPairStorage = CredPairStorage
|
|
|
|
|
{ credPairFile :: FilePath
|
|
|
|
|
, credPairEnvironment :: (String, String)
|
|
|
|
|
, credPairRemoteKey :: Maybe RemoteConfigKey
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-19 21:32:58 +00:00
|
|
|
{- Stores creds in a remote's configuration, if the remote allows
|
2014-10-22 18:28:25 +00:00
|
|
|
- that. Also caches them locally.
|
|
|
|
|
-
|
|
|
|
|
- The creds are found from the CredPairStorage storage if not provided,
|
|
|
|
|
- so may be provided by an environment variable etc.
|
glacier, S3: Fix bug that caused embedded creds to not be encypted using the remote's key.
encryptionSetup must be called before setRemoteCredPair. Otherwise,
the RemoteConfig doesn't have the cipher in it, and so no cipher is used to
encrypt the embedded creds.
This is a security fix for non-shared encryption methods!
For encryption=shared, there's no security problem, just an
inconsistentency in whether the embedded creds are encrypted.
This is very important to get right, so used some types to help ensure that
setRemoteCredPair is only run after encryptionSetup. Note that the external
special remote bypasses the type safety, since creds can be set after the
initial remote config, if the external special remote program requests it.
Also note that IA remotes never use encryption, so encryptionSetup is not
run for them at all, and again the type safety is bypassed.
This leaves two open questions:
1. What to do about S3 and glacier remotes that were set up
using encryption=pubkey/hybrid with embedcreds?
Such a git repo has a security hole embedded in it, and this needs to be
communicated to the user. Is the changelog enough?
2. enableremote won't work in such a repo, because git-annex will
try to decrypt the embedded creds, which are not encrypted, so fails.
This needs to be dealt with, especially for ecryption=shared repos,
which are not really broken, just inconsistently configured.
Noticing that problem for encryption=shared is what led to commit
fbdeeeed5fa276d94be587c8916d725eddcaf546, which tried to
fix the problem by not decrypting the embedded creds.
This commit was sponsored by Josh Taylor.
2014-09-18 21:07:17 +00:00
|
|
|
-
|
|
|
|
|
- The remote's configuration should have already had a cipher stored in it
|
|
|
|
|
- if that's going to be done, so that the creds can be encrypted using the
|
|
|
|
|
- cipher. The EncryptionIsSetup phantom type ensures that is the case.
|
|
|
|
|
-}
|
|
|
|
|
setRemoteCredPair :: EncryptionIsSetup -> RemoteConfig -> CredPairStorage -> Maybe CredPair -> Annex RemoteConfig
|
|
|
|
|
setRemoteCredPair encsetup c storage Nothing =
|
|
|
|
|
maybe (return c) (setRemoteCredPair encsetup c storage . Just)
|
2013-12-27 20:01:43 +00:00
|
|
|
=<< getRemoteCredPair c storage
|
glacier, S3: Fix bug that caused embedded creds to not be encypted using the remote's key.
encryptionSetup must be called before setRemoteCredPair. Otherwise,
the RemoteConfig doesn't have the cipher in it, and so no cipher is used to
encrypt the embedded creds.
This is a security fix for non-shared encryption methods!
For encryption=shared, there's no security problem, just an
inconsistentency in whether the embedded creds are encrypted.
This is very important to get right, so used some types to help ensure that
setRemoteCredPair is only run after encryptionSetup. Note that the external
special remote bypasses the type safety, since creds can be set after the
initial remote config, if the external special remote program requests it.
Also note that IA remotes never use encryption, so encryptionSetup is not
run for them at all, and again the type safety is bypassed.
This leaves two open questions:
1. What to do about S3 and glacier remotes that were set up
using encryption=pubkey/hybrid with embedcreds?
Such a git repo has a security hole embedded in it, and this needs to be
communicated to the user. Is the changelog enough?
2. enableremote won't work in such a repo, because git-annex will
try to decrypt the embedded creds, which are not encrypted, so fails.
This needs to be dealt with, especially for ecryption=shared repos,
which are not really broken, just inconsistently configured.
Noticing that problem for encryption=shared is what led to commit
fbdeeeed5fa276d94be587c8916d725eddcaf546, which tried to
fix the problem by not decrypting the embedded creds.
This commit was sponsored by Josh Taylor.
2014-09-18 21:07:17 +00:00
|
|
|
setRemoteCredPair _ c storage (Just creds)
|
2013-12-27 20:01:43 +00:00
|
|
|
| embedCreds c = case credPairRemoteKey storage of
|
|
|
|
|
Nothing -> localcache
|
2014-10-22 18:28:25 +00:00
|
|
|
Just key -> storeconfig key =<< remoteCipher =<< localcache
|
2013-12-27 20:01:43 +00:00
|
|
|
| otherwise = localcache
|
|
|
|
|
where
|
|
|
|
|
localcache = do
|
2012-11-19 21:32:58 +00:00
|
|
|
writeCacheCredPair creds storage
|
|
|
|
|
return c
|
|
|
|
|
|
2013-12-27 20:01:43 +00:00
|
|
|
storeconfig key (Just cipher) = do
|
2014-02-06 22:25:31 +00:00
|
|
|
s <- liftIO $ encrypt (getGpgEncParams c) cipher
|
2012-11-19 21:32:58 +00:00
|
|
|
(feedBytes $ L.pack $ encodeCredPair creds)
|
|
|
|
|
(readBytes $ return . L.unpack)
|
|
|
|
|
return $ M.insert key (toB64 s) c
|
2013-12-27 20:01:43 +00:00
|
|
|
storeconfig key Nothing =
|
2012-11-19 21:32:58 +00:00
|
|
|
return $ M.insert key (toB64 $ encodeCredPair creds) c
|
|
|
|
|
|
2012-11-14 23:32:27 +00:00
|
|
|
{- Gets a remote's credpair, from the environment if set, otherwise
|
2012-11-19 21:32:58 +00:00
|
|
|
- from the cache in gitAnnexCredsDir, or failing that, from the
|
2012-11-14 23:32:27 +00:00
|
|
|
- value in RemoteConfig. -}
|
2012-11-28 17:31:49 +00:00
|
|
|
getRemoteCredPairFor :: String -> RemoteConfig -> CredPairStorage -> Annex (Maybe CredPair)
|
|
|
|
|
getRemoteCredPairFor this c storage = maybe missing (return . Just) =<< getRemoteCredPair c storage
|
2012-11-20 20:43:58 +00:00
|
|
|
where
|
|
|
|
|
(loginvar, passwordvar) = credPairEnvironment storage
|
|
|
|
|
missing = do
|
|
|
|
|
warning $ unwords
|
|
|
|
|
[ "Set both", loginvar
|
|
|
|
|
, "and", passwordvar
|
|
|
|
|
, "to use", this
|
|
|
|
|
]
|
|
|
|
|
return Nothing
|
|
|
|
|
|
2012-11-28 17:31:49 +00:00
|
|
|
getRemoteCredPair :: RemoteConfig -> CredPairStorage -> Annex (Maybe CredPair)
|
|
|
|
|
getRemoteCredPair c storage = maybe fromcache (return . Just) =<< fromenv
|
2012-11-14 23:32:27 +00:00
|
|
|
where
|
|
|
|
|
fromenv = liftIO $ getEnvCredPair storage
|
|
|
|
|
fromcache = maybe fromconfig (return . Just) =<< readCacheCredPair storage
|
|
|
|
|
fromconfig = case credPairRemoteKey storage of
|
|
|
|
|
Just key -> do
|
2014-09-18 21:58:03 +00:00
|
|
|
mcipher <- remoteCipher' c
|
2014-09-18 19:18:52 +00:00
|
|
|
case (M.lookup key c, mcipher) of
|
|
|
|
|
(Nothing, _) -> return Nothing
|
2014-09-18 21:58:03 +00:00
|
|
|
(Just enccreds, Just (cipher, storablecipher)) ->
|
|
|
|
|
fromenccreds enccreds cipher storablecipher
|
2014-09-18 19:18:52 +00:00
|
|
|
(Just bcreds, Nothing) ->
|
2012-11-19 21:32:58 +00:00
|
|
|
fromcreds $ fromB64 bcreds
|
2012-11-14 23:32:27 +00:00
|
|
|
Nothing -> return Nothing
|
2014-09-18 21:58:03 +00:00
|
|
|
fromenccreds enccreds cipher storablecipher = do
|
|
|
|
|
mcreds <- liftIO $ catchMaybeIO $ decrypt cipher
|
|
|
|
|
(feedBytes $ L.pack $ fromB64 enccreds)
|
|
|
|
|
(readBytes $ return . L.unpack)
|
|
|
|
|
case mcreds of
|
|
|
|
|
Just creds -> fromcreds creds
|
|
|
|
|
Nothing -> do
|
|
|
|
|
-- Work around un-encrypted creds storage
|
|
|
|
|
-- bug in old S3 and glacier remotes.
|
|
|
|
|
-- Not a problem for shared cipher.
|
|
|
|
|
case storablecipher of
|
|
|
|
|
SharedCipher {} -> showLongNote "gpg error above was caused by an old git-annex bug in credentials storage. Working around it.."
|
2014-09-18 23:03:15 +00:00
|
|
|
_ -> error "*** Insecure credentials storage detected for this remote! See https://git-annex.branchable.com/upgrades/insecure_embedded_creds/"
|
2014-09-18 21:58:03 +00:00
|
|
|
fromcreds $ fromB64 enccreds
|
2012-11-19 21:32:58 +00:00
|
|
|
fromcreds creds = case decodeCredPair creds of
|
|
|
|
|
Just credpair -> do
|
|
|
|
|
writeCacheCredPair credpair storage
|
2014-09-18 21:58:03 +00:00
|
|
|
|
2012-11-19 21:32:58 +00:00
|
|
|
return $ Just credpair
|
2013-04-03 07:52:41 +00:00
|
|
|
_ -> error "bad creds"
|
2012-11-14 23:32:27 +00:00
|
|
|
|
|
|
|
|
{- Gets a CredPair from the environment. -}
|
|
|
|
|
getEnvCredPair :: CredPairStorage -> IO (Maybe CredPair)
|
|
|
|
|
getEnvCredPair storage = liftM2 (,)
|
2013-09-22 18:13:31 +00:00
|
|
|
<$> getEnv uenv
|
|
|
|
|
<*> getEnv penv
|
2012-11-14 23:32:27 +00:00
|
|
|
where
|
|
|
|
|
(uenv, penv) = credPairEnvironment storage
|
|
|
|
|
|
|
|
|
|
writeCacheCredPair :: CredPair -> CredPairStorage -> Annex ()
|
|
|
|
|
writeCacheCredPair credpair storage =
|
|
|
|
|
writeCacheCreds (encodeCredPair credpair) (credPairFile storage)
|
|
|
|
|
|
|
|
|
|
{- Stores the creds in a file inside gitAnnexCredsDir that only the user
|
|
|
|
|
- can read. -}
|
|
|
|
|
writeCacheCreds :: Creds -> FilePath -> Annex ()
|
|
|
|
|
writeCacheCreds creds file = do
|
|
|
|
|
d <- fromRepo gitAnnexCredsDir
|
|
|
|
|
createAnnexDirectory d
|
2013-05-09 17:57:31 +00:00
|
|
|
liftIO $ writeFileProtected (d </> file) creds
|
2012-11-14 23:32:27 +00:00
|
|
|
|
|
|
|
|
readCacheCredPair :: CredPairStorage -> Annex (Maybe CredPair)
|
|
|
|
|
readCacheCredPair storage = maybe Nothing decodeCredPair
|
|
|
|
|
<$> readCacheCreds (credPairFile storage)
|
|
|
|
|
|
|
|
|
|
readCacheCreds :: FilePath -> Annex (Maybe Creds)
|
2014-10-21 19:09:40 +00:00
|
|
|
readCacheCreds f = liftIO . catchMaybeIO . readFile =<< cacheCredsFile f
|
|
|
|
|
|
|
|
|
|
cacheCredsFile :: FilePath -> Annex FilePath
|
|
|
|
|
cacheCredsFile basefile = do
|
2012-11-14 23:32:27 +00:00
|
|
|
d <- fromRepo gitAnnexCredsDir
|
2014-10-21 19:09:40 +00:00
|
|
|
return $ d </> basefile
|
|
|
|
|
|
|
|
|
|
existsCacheCredPair :: CredPairStorage -> Annex Bool
|
|
|
|
|
existsCacheCredPair storage =
|
|
|
|
|
liftIO . doesFileExist =<< cacheCredsFile (credPairFile storage)
|
2012-11-14 23:32:27 +00:00
|
|
|
|
|
|
|
|
encodeCredPair :: CredPair -> Creds
|
|
|
|
|
encodeCredPair (l, p) = unlines [l, p]
|
|
|
|
|
|
|
|
|
|
decodeCredPair :: Creds -> Maybe CredPair
|
|
|
|
|
decodeCredPair creds = case lines creds of
|
|
|
|
|
l:p:[] -> Just (l, p)
|
|
|
|
|
_ -> Nothing
|
2014-04-20 16:46:33 +00:00
|
|
|
|
|
|
|
|
removeCreds :: FilePath -> Annex ()
|
|
|
|
|
removeCreds file = do
|
|
|
|
|
d <- fromRepo gitAnnexCredsDir
|
|
|
|
|
let f = d </> file
|
|
|
|
|
liftIO $ nukeFile f
|
2014-10-21 19:09:40 +00:00
|
|
|
|
|
|
|
|
includeCredsInfo :: RemoteConfig -> CredPairStorage -> [(String, String)] -> Annex [(String, String)]
|
|
|
|
|
includeCredsInfo c storage info = do
|
|
|
|
|
v <- liftIO $ getEnvCredPair storage
|
|
|
|
|
case v of
|
|
|
|
|
Just _ -> do
|
|
|
|
|
let (uenv, penv) = credPairEnvironment storage
|
|
|
|
|
ret $ "from environment variables (" ++ unwords [uenv, penv] ++ ")"
|
2015-04-11 04:10:34 +00:00
|
|
|
Nothing -> case (`M.lookup` c) =<< credPairRemoteKey storage of
|
2014-10-21 19:09:40 +00:00
|
|
|
Nothing -> ifM (existsCacheCredPair storage)
|
|
|
|
|
( ret "stored locally"
|
|
|
|
|
, ret "not available"
|
|
|
|
|
)
|
2014-10-21 19:15:16 +00:00
|
|
|
Just _ -> case extractCipher c of
|
2015-04-11 04:10:34 +00:00
|
|
|
Just (EncryptedCipher {}) -> ret "embedded in git repository (gpg encrypted)"
|
2014-10-21 19:15:16 +00:00
|
|
|
_ -> ret "embedded in git repository (not encrypted)"
|
2014-10-21 19:09:40 +00:00
|
|
|
where
|
|
|
|
|
ret s = return $ ("creds", s) : info
|