author | Joey Hess <joey@kitenet.net> | 2014-08-12 15:35:29 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2014-08-12 15:35:29 -0400 |
commit | cc54ff9e49260cd94f938e69e926a273e231ef4e (patch) | |
tree | 18bac6a6b81d29d36999c2ae0f5f58156941671b | |
parent | 5e8092f5ef4e835cce437954c8313079f0df0baa (diff) |
S3, Glacier, WebDAV: Fix bug that prevented accessing the creds when the repository was configured with encryption=shared embedcreds=yes.
Since encryption=shared, the encryption key is stored in the git repo, so
there is no point at all in encrypting the creds, also stored in the git
repo with that key. So `initremote` doesn't. The creds are simply stored
base-64 encoded.
However, it then always tried to decrypt the creds when encryption was used.
-rw-r--r-- | Creds.hs | 16 | ||||
-rw-r--r-- | Remote/Helper/Encryptable.hs | 9 | ||||
-rw-r--r-- | debian/changelog | 2 |
3 files changed, 18 insertions, 9 deletions
@@ -23,7 +23,7 @@ import Annex.Perms import Utility.FileMode import Crypto import Types.Remote (RemoteConfig, RemoteConfigKey) -import Remote.Helper.Encryptable (remoteCipher, embedCreds) +import Remote.Helper.Encryptable (remoteCipher, remoteCipher', embedCreds) import Utility.Env (getEnv) import qualified Data.ByteString.Lazy.Char8 as L @@ -85,15 +85,19 @@ getRemoteCredPair c storage = maybe fromcache (return . Just) =<< fromenv fromcache = maybe fromconfig (return . Just) =<< readCacheCredPair storage fromconfig = case credPairRemoteKey storage of Just key -> do - mcipher <- remoteCipher c - case (M.lookup key c, mcipher) of - (Nothing, _) -> return Nothing - (Just enccreds, Just cipher) -> do + mcipher <- remoteCipher' c + case (mcipher, M.lookup key c) of + (_, Nothing) -> return Nothing + (Just (_cipher, SharedCipher {}), Just bcreds) -> + -- When using a shared cipher, the + -- creds are not stored encrypted. + fromcreds $ fromB64 bcreds + (Just (cipher, _), Just enccreds) -> do creds <- liftIO $ decrypt cipher (feedBytes $ L.pack $ fromB64 enccreds) (readBytes $ return . L.unpack) fromcreds creds - (Just bcreds, Nothing) -> + (Nothing, Just bcreds) -> fromcreds $ fromB64 bcreds Nothing -> return Nothing fromcreds creds = case decodeCredPair creds of diff --git a/Remote/Helper/Encryptable.hs b/Remote/Helper/Encryptable.hs index dd032ce33..69216a793 100644 --- a/Remote/Helper/Encryptable.hs +++ b/Remote/Helper/Encryptable.hs 
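Review bot: In the second Creds.hs hunk (`fromconfig` inside `getRemoteCredPair`), the choice between base64-decoding and decrypting the stored value is made from the cipher type alone, so the read path is only correct if the write path stores plaintext for `SharedCipher` and ciphertext for every other variant. The writer is not part of this diff (the commit message says `initremote` skips encryption for shared), so the assumption behind the catch-all `(Just (cipher, _), Just enccreds)` arm should be confirmed, ideally with a store-then-read check per encryption mode. A mismatch would presumably surface either as a failed decrypt or as credentials sitting in the repository unencrypted. I would also widen the new comment to state the consequence, e.g. `-- base64 is not protection: anyone who can read the repo can read these creds.` `getRemoteCredPair` starts before the hunk and `fromcreds` continues past it.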
@@ -71,18 +71,21 @@ encryptionSetup c = maybe genCipher updateCipher $ extractCipher c {- Gets encryption Cipher. The decrypted Ciphers are cached in the Annex - state. -} remoteCipher :: RemoteConfig -> Annex (Maybe Cipher) -remoteCipher c = go $ extractCipher c +remoteCipher = fmap fst <$$> remoteCipher' + +remoteCipher' :: RemoteConfig -> Annex (Maybe (Cipher, StorableCipher)) +remoteCipher' c = go $ extractCipher c where go Nothing = return Nothing go (Just encipher) = do cache <- Annex.getState Annex.ciphers case M.lookup encipher cache of - Just cipher -> return $ Just cipher + Just cipher -> return $ Just (cipher, encipher) Nothing -> do showNote "gpg" cipher <- liftIO $ decryptCipher encipher Annex.changeState (\s -> s { Annex.ciphers = M.insert encipher cipher cache }) - return $ Just cipher + return $ Just (cipher, encipher) {- Checks if the remote's config allows storing creds in the remote's config. - diff --git a/debian/changelog b/debian/changelog index 722e9347e..b1d53a841 100644 --- a/debian/changelog +++ b/debian/changelog @@ -33,6 +33,8 @@ git-annex (5.20140718) UNRELEASED; urgency=medium * direct: Fix ugly warning messages. * WORM backend: When adding a file in a subdirectory, avoid including the subdirectory in the key name. + * S3, Glacier, WebDAV: Fix bug that prevented accessing the creds + when the repository was configured with encryption=shared embedcreds=yes. -- Joey Hess <joeyh@debian.org> Mon, 21 Jul 2014 14:41:26 -0400 |
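Review bot: In the Encryptable.hs hunk, `remoteCipher'` has no comment of its own, and the existing `{- Gets encryption Cipher. ... -}` block now sits above the thin `remoteCipher` wrapper rather than above the function that does the decryption and caching. I would move that comment down to `remoteCipher'` and say what the pair holds, e.g. `{- Gets the decrypted Cipher along with the StorableCipher from the remote's config that it was obtained from, so callers can tell which kind of cipher is in use. -}`. A one-line comment on `remoteCipher` noting that it drops the second component would then be enough.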