diff options
author | Joey Hess <joey@kitenet.net> | 2012-09-26 12:06:44 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2012-09-26 14:42:32 -0400 |
commit | 4e48ea601400dac5f432b1eaa454acd219a029ad (patch) | |
tree | 30b3eb2964e2e3fce4781a50b0d6292fbfedfa28 | |
parent | 70bb36cfc783a27345aa7eba2c9f89ecce748898 (diff) |
store S3 creds in a 600 mode file inside the local git repo
-rw-r--r-- | Locations.hs | 8 | ||||
-rw-r--r-- | Remote/Helper/Encryptable.hs | 5 | ||||
-rw-r--r-- | Remote/S3.hs | 69 | ||||
-rw-r--r-- | debian/changelog | 3 | ||||
-rw-r--r-- | doc/special_remotes/S3.mdwn | 6 |
5 files changed, 63 insertions, 28 deletions
diff --git a/Locations.hs b/Locations.hs index 98eabb172..72baf273b 100644 --- a/Locations.hs +++ b/Locations.hs @@ -20,6 +20,7 @@ module Locations ( gitAnnexUnusedLog, gitAnnexFsckState, gitAnnexTransferDir, + gitAnnexCredsDir, gitAnnexJournalDir, gitAnnexJournalLock, gitAnnexIndex, @@ -135,7 +136,12 @@ gitAnnexUnusedLog prefix r = gitAnnexDir r </> (prefix ++ "unused") gitAnnexFsckState :: Git.Repo -> FilePath gitAnnexFsckState r = gitAnnexDir r </> "fsckstate" -{- .git/annex/transfer/ is used is used to record keys currently +{- .git/annex/creds/ is used to store credentials to access some special + - remotes. -} +gitAnnexCredsDir :: Git.Repo -> FilePath +gitAnnexCredsDir r = addTrailingPathSeparator $ gitAnnexDir r </> "creds" + +{- .git/annex/transfer/ is used to record keys currently - being transferred, and other transfer bookkeeping info. -} gitAnnexTransferDir :: Git.Repo -> FilePath gitAnnexTransferDir r = addTrailingPathSeparator $ gitAnnexDir r </> "transfer" diff --git a/Remote/Helper/Encryptable.hs b/Remote/Helper/Encryptable.hs index 880db5c6a..8ed2fed63 100644 --- a/Remote/Helper/Encryptable.hs +++ b/Remote/Helper/Encryptable.hs @@ -88,6 +88,11 @@ remoteCipher c = go $ extractCipher c Annex.changeState (\s -> s { Annex.ciphers = M.insert encipher cipher cache }) return $ Just cipher +{- Checks if there is a trusted (non-shared) cipher. -} +isTrustedCipher :: RemoteConfig -> Bool +isTrustedCipher c = + isJust (M.lookup "cipherkeys" c) && isJust (M.lookup "cipher" c) + {- Gets encryption Cipher, and encrypted version of Key. -} cipherKey :: Maybe RemoteConfig -> Key -> Annex (Maybe (Cipher, Key)) cipherKey Nothing _ = return Nothing diff --git a/Remote/S3.hs b/Remote/S3.hs index 65346809e..1f33b3323 100644 --- a/Remote/S3.hs +++ b/Remote/S3.hs @@ -27,6 +27,8 @@ import Remote.Helper.Encryptable import Crypto import Annex.Content import Utility.Base64 +import Annex.Perms +import Utility.FileMode remote :: RemoteType remote = RemoteType { @@ -85,12 +87,12 @@ s3Setup u c = handlehost $ M.lookup "host" c use fullconfig = do gitConfigSpecialRemote u fullconfig "s3" "true" - s3SetCreds fullconfig + s3SetCreds fullconfig u defaulthost = do c' <- encryptionSetup c let fullconfig = c' `M.union` defaults - genBucket fullconfig + genBucket fullconfig u use fullconfig archiveorg = do @@ -206,7 +208,7 @@ s3Action r noconn action = do when (isNothing $ config r) $ error $ "Missing configuration for special remote " ++ name r let bucket = M.lookup "bucket" $ fromJust $ config r - conn <- s3Connection $ fromJust $ config r + conn <- s3Connection (fromJust $ config r) (uuid r) case (bucket, conn) of (Just b, Just c) -> action (c, b) _ -> return noconn @@ -235,9 +237,9 @@ iaMunge = (>>= munge) | isSpace c = [] | otherwise = "&" ++ show (ord c) ++ ";" -genBucket :: RemoteConfig -> Annex () -genBucket c = do - conn <- s3ConnectionRequired c +genBucket :: RemoteConfig -> UUID -> Annex () +genBucket c u = do + conn <- s3ConnectionRequired c u showAction "checking bucket" loc <- liftIO $ getBucketLocation conn bucket case loc of @@ -253,13 +255,13 @@ genBucket c = do bucket = fromJust $ M.lookup "bucket" c datacenter = fromJust $ M.lookup "datacenter" c -s3ConnectionRequired :: RemoteConfig -> Annex AWSConnection -s3ConnectionRequired c = - maybe (error "Cannot connect to S3") return =<< s3Connection c +s3ConnectionRequired :: RemoteConfig -> UUID -> Annex AWSConnection +s3ConnectionRequired c u = + maybe (error "Cannot connect to S3") return =<< s3Connection c u -s3Connection :: RemoteConfig -> Annex (Maybe AWSConnection) -s3Connection c = do - creds <- s3GetCreds c +s3Connection :: RemoteConfig -> UUID -> Annex (Maybe AWSConnection) +s3Connection c u = do + creds <- s3GetCreds c u case creds of Just (ak, sk) -> return $ Just $ AWSConnection host port ak sk _ -> do @@ -273,23 +275,32 @@ s3Connection c = do _ -> error $ "bad S3 port value: " ++ s {- S3 creds come from the environment if set. - - Otherwise, might be stored encrypted in the remote's config. -} -s3GetCreds :: RemoteConfig -> Annex (Maybe (String, String)) -s3GetCreds c = maybe fromconfig (return . Just) =<< liftIO getenv + - Otherwise, might be stored encrypted in the remote's config, or + - locally in gitAnnexCredsDir. -} +s3GetCreds :: RemoteConfig -> UUID -> Annex (Maybe (String, String)) +s3GetCreds c u = maybe fromconfig (return . Just) =<< liftIO getenv where getenv = liftM2 (,) <$> get s3AccessKey <*> get s3SecretKey where get = catchMaybeIO . getEnv - setenv (ak, sk) = do + cache (ak, sk) = do setEnv s3AccessKey ak True setEnv s3SecretKey sk True + return $ Just (ak, sk) fromconfig = do mcipher <- remoteCipher c case (M.lookup "s3creds" c, mcipher) of (Just s3creds, Just cipher) -> liftIO $ decrypt s3creds cipher + _ -> fromcredsfile + fromcredsfile = do + d <- fromRepo gitAnnexCredsDir + let f = d </> fromUUID u + v <- liftIO $ catchMaybeIO $ readFile f + case lines <$> v of + Just (ak:sk:[]) -> liftIO $ cache (ak, sk) _ -> return Nothing decrypt s3creds cipher = do creds <- lines <$> @@ -297,25 +308,33 @@ s3GetCreds c = maybe fromconfig (return . Just) =<< liftIO getenv (return $ L.pack $ fromB64 s3creds) (return . L.unpack) case creds of - [ak, sk] -> do - setenv (ak, sk) - return $ Just (ak, sk) + [ak, sk] -> cache (ak, sk) _ -> do error "bad s3creds" -{- Stores S3 creds encrypted in the remote's config if possible. -} -s3SetCreds :: RemoteConfig -> Annex RemoteConfig -s3SetCreds c = do - creds <- s3GetCreds c +{- Stores S3 creds encrypted in the remote's config if possible to do so + - securely, and otherwise locally in gitAnnexCredsDir. -} +s3SetCreds :: RemoteConfig -> UUID -> Annex RemoteConfig +s3SetCreds c u = do + creds <- s3GetCreds c u case creds of Just (ak, sk) -> do mcipher <- remoteCipher c case mcipher of - Just cipher -> do + Just cipher | isTrustedCipher c -> do s <- liftIO $ withEncryptedContent cipher (return $ L.pack $ unlines [ak, sk]) (return . L.unpack) return $ M.insert "s3creds" (toB64 s) c - Nothing -> return c + _ -> do + d <- fromRepo gitAnnexCredsDir + createAnnexDirectory d + let f = d </> fromUUID u + h <- liftIO $ openFile f WriteMode + liftIO $ modifyFileMode f $ removeModes + [groupReadMode, otherReadMode] + liftIO $ hPutStr h $ unlines [ak, sk] + liftIO $ hClose h + return c _ -> return c s3AccessKey :: String diff --git a/debian/changelog b/debian/changelog index 75cb3bf8d..e378311e8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,6 +12,9 @@ git-annex (3.20120925) UNRELEASED; urgency=low eg, monthly incremental fsck runs in cron jobs. * Fix fallback to ~/Desktop when xdg-user-dir is not available. Closes: #688833 + * S3: When using a shared cipher, S3 credentials are not stored encrypted + in the git repository, as that would allow anyone with access to + the repository access to the S3 account. -- Joey Hess <joeyh@debian.org> Mon, 24 Sep 2012 19:58:07 -0400 diff --git a/doc/special_remotes/S3.mdwn b/doc/special_remotes/S3.mdwn index 333e0bac5..79a8e584a 100644 --- a/doc/special_remotes/S3.mdwn +++ b/doc/special_remotes/S3.mdwn @@ -9,8 +9,10 @@ See [[tips/using_Amazon_S3]] and The standard environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are used to supply login credentials for Amazon. When encryption is enabled, they are stored in encrypted form -by `git annex initremote`, so you do not need to keep the environment -variables set after the initial initalization of the remote. +by `git annex initremote`. Without encryption, they are stored in a +file only you can read inside the local git repository. So you do not +need to keep the environment variables set after the initial +initalization of the remote. A number of parameters can be passed to `git annex initremote` to configure the S3 remote. |