// Copyright (C) 2020 Storj Labs, Inc. // See LICENSE for copying information. package uplink import ( "storj.io/common/encryption" "storj.io/common/paths" "storj.io/common/pb" "storj.io/common/storj" ) // encryptionAccess represents an encryption access context. It holds // information about how various buckets and objects should be // encrypted and decrypted. type encryptionAccess struct { store *encryption.Store } // newEncryptionAccess creates an encryption access context func newEncryptionAccess() *encryptionAccess { store := encryption.NewStore() return &encryptionAccess{store: store} } // newEncryptionAccessWithDefaultKey creates an encryption access context with // a default key set. // Use (*Project).SaltedKeyFromPassphrase to generate a default key func newEncryptionAccessWithDefaultKey(defaultKey *storj.Key) *encryptionAccess { ec := newEncryptionAccess() ec.setDefaultKey(defaultKey) return ec } // Store returns the underlying encryption store for the access context. func (s *encryptionAccess) Store() *encryption.Store { return s.store } // setDefaultKey sets the default key for the encryption access context. // Use (*Project).SaltedKeyFromPassphrase to generate a default key func (s *encryptionAccess) setDefaultKey(defaultKey *storj.Key) { s.store.SetDefaultKey(defaultKey) } func (s *encryptionAccess) setDefaultPathCipher(defaultPathCipher storj.CipherSuite) { s.store.SetDefaultPathCipher(defaultPathCipher) } func (s *encryptionAccess) toProto() (*pb.EncryptionAccess, error) { var storeEntries []*pb.EncryptionAccess_StoreEntry err := s.store.IterateWithCipher(func(bucket string, unenc paths.Unencrypted, enc paths.Encrypted, key storj.Key, pathCipher storj.CipherSuite) error { storeEntries = append(storeEntries, &pb.EncryptionAccess_StoreEntry{ Bucket: []byte(bucket), UnencryptedPath: []byte(unenc.Raw()), EncryptedPath: []byte(enc.Raw()), Key: key[:], PathCipher: pb.CipherSuite(pathCipher), }) return nil }) if err != nil { return nil, packageError.Wrap(err) } var defaultKey []byte if key := s.store.GetDefaultKey(); key != nil { defaultKey = key[:] } return &pb.EncryptionAccess{ DefaultKey: defaultKey, StoreEntries: storeEntries, DefaultPathCipher: pb.CipherSuite(s.store.GetDefaultPathCipher()), }, nil } func parseEncryptionAccessFromProto(p *pb.EncryptionAccess) (*encryptionAccess, error) { access := newEncryptionAccess() if len(p.DefaultKey) > 0 { if len(p.DefaultKey) != len(storj.Key{}) { return nil, packageError.New("invalid default key in encryption access") } var defaultKey storj.Key copy(defaultKey[:], p.DefaultKey) access.setDefaultKey(&defaultKey) } access.setDefaultPathCipher(storj.CipherSuite(p.DefaultPathCipher)) // Unspecified cipher suite means that most probably access was serialized // before path cipher was moved to encryption access if p.DefaultPathCipher == pb.CipherSuite_ENC_UNSPECIFIED { access.setDefaultPathCipher(storj.EncAESGCM) } for _, entry := range p.StoreEntries { if len(entry.Key) != len(storj.Key{}) { return nil, packageError.New("invalid key in encryption access entry") } var key storj.Key copy(key[:], entry.Key) err := access.store.AddWithCipher( string(entry.Bucket), paths.NewUnencrypted(string(entry.UnencryptedPath)), paths.NewEncrypted(string(entry.EncryptedPath)), key, storj.CipherSuite(entry.PathCipher), ) if err != nil { return nil, packageError.New("invalid encryption access entry: %v", err) } } return access, nil }