summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Joey Hess <joey@kitenet.net>2014-08-12 15:35:29 -0400
committerGravatar Joey Hess <joey@kitenet.net>2014-08-12 15:35:29 -0400
commitcc54ff9e49260cd94f938e69e926a273e231ef4e (patch)
tree18bac6a6b81d29d36999c2ae0f5f58156941671b
parent5e8092f5ef4e835cce437954c8313079f0df0baa (diff)
S3, Glacier, WebDAV: Fix bug that prevented accessing the creds when the repository was configured with encryption=shared embedcreds=yes.
Since encryption=shared, the encryption key is stored in the git repo, so there is no point at all in encrypting the creds, also stored in the git repo with that key. So `initremote` doesn't. The creds are simply stored base-64 encoded. However, it then tried to always decrypt creds when encryption was used..
-rw-r--r--Creds.hs16
-rw-r--r--Remote/Helper/Encryptable.hs9
-rw-r--r--debian/changelog2
3 files changed, 18 insertions, 9 deletions
diff --git a/Creds.hs b/Creds.hs
index 7273ed966..73d631ff7 100644
--- a/Creds.hs
+++ b/Creds.hs
@@ -23,7 +23,7 @@ import Annex.Perms
import Utility.FileMode
import Crypto
import Types.Remote (RemoteConfig, RemoteConfigKey)
-import Remote.Helper.Encryptable (remoteCipher, embedCreds)
+import Remote.Helper.Encryptable (remoteCipher, remoteCipher', embedCreds)
import Utility.Env (getEnv)
import qualified Data.ByteString.Lazy.Char8 as L
@@ -85,15 +85,19 @@ getRemoteCredPair c storage = maybe fromcache (return . Just) =<< fromenv
fromcache = maybe fromconfig (return . Just) =<< readCacheCredPair storage
fromconfig = case credPairRemoteKey storage of
Just key -> do
- mcipher <- remoteCipher c
- case (M.lookup key c, mcipher) of
- (Nothing, _) -> return Nothing
- (Just enccreds, Just cipher) -> do
+ mcipher <- remoteCipher' c
+ case (mcipher, M.lookup key c) of
+ (_, Nothing) -> return Nothing
+ (Just (_cipher, SharedCipher {}), Just bcreds) ->
+ -- When using a shared cipher, the
+ -- creds are not stored encrypted.
+ fromcreds $ fromB64 bcreds
+ (Just (cipher, _), Just enccreds) -> do
creds <- liftIO $ decrypt cipher
(feedBytes $ L.pack $ fromB64 enccreds)
(readBytes $ return . L.unpack)
fromcreds creds
- (Just bcreds, Nothing) ->
+ (Nothing, Just bcreds) ->
fromcreds $ fromB64 bcreds
Nothing -> return Nothing
fromcreds creds = case decodeCredPair creds of
diff --git a/Remote/Helper/Encryptable.hs b/Remote/Helper/Encryptable.hs
index dd032ce33..69216a793 100644
--- a/Remote/Helper/Encryptable.hs
+++ b/Remote/Helper/Encryptable.hs
@@ -71,18 +71,21 @@ encryptionSetup c = maybe genCipher updateCipher $ extractCipher c
{- Gets encryption Cipher. The decrypted Ciphers are cached in the Annex
- state. -}
remoteCipher :: RemoteConfig -> Annex (Maybe Cipher)
-remoteCipher c = go $ extractCipher c
+remoteCipher = fmap fst <$$> remoteCipher'
+
+remoteCipher' :: RemoteConfig -> Annex (Maybe (Cipher, StorableCipher))
+remoteCipher' c = go $ extractCipher c
where
go Nothing = return Nothing
go (Just encipher) = do
cache <- Annex.getState Annex.ciphers
case M.lookup encipher cache of
- Just cipher -> return $ Just cipher
+ Just cipher -> return $ Just (cipher, encipher)
Nothing -> do
showNote "gpg"
cipher <- liftIO $ decryptCipher encipher
Annex.changeState (\s -> s { Annex.ciphers = M.insert encipher cipher cache })
- return $ Just cipher
+ return $ Just (cipher, encipher)
{- Checks if the remote's config allows storing creds in the remote's config.
-
diff --git a/debian/changelog b/debian/changelog
index 722e9347e..b1d53a841 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,6 +33,8 @@ git-annex (5.20140718) UNRELEASED; urgency=medium
* direct: Fix ugly warning messages.
* WORM backend: When adding a file in a subdirectory, avoid including the
subdirectory in the key name.
+ * S3, Glacier, WebDAV: Fix bug that prevented accessing the creds
+ when the repository was configured with encryption=shared embedcreds=yes.
-- Joey Hess <joeyh@debian.org> Mon, 21 Jul 2014 14:41:26 -0400