sos-migrate 0.17.1

Import and export for the Save Our Secrets SDK
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

//! Export an archive of unencrypted secrets that
//! can be used to migrate data to another app.
use crate::Result;
use async_zip::{tokio::write::ZipFileWriter, Compression, ZipEntryBuilder};
use secrecy::{ExposeSecret, SecretBox};
use serde::{Deserialize, Serialize};
use sos_backend::AccessPoint;
use sos_core::{SecretId, VaultId};
use sos_vault::{
    secret::{FileContent, Secret, SecretMeta},
    SecretAccess, Summary, VaultMeta,
};
use std::collections::HashMap;
use tokio::io::AsyncWrite;
use tokio_util::compat::Compat;

/// Public export encapsulates a collection of vaults
/// and their unencrypted secrets.
pub struct PublicExport<W: AsyncWrite + Unpin> {
    writer: ZipFileWriter<W>,
    vault_ids: Vec<VaultId>,
}

impl<W: AsyncWrite + Unpin> PublicExport<W> {
    /// Create a new public migration.
    pub fn new(inner: W) -> Self {
        Self {
            writer: ZipFileWriter::with_tokio(inner),
            vault_ids: Vec::new(),
        }
    }

    async fn append_file_buffer(
        &mut self,
        path: &str,
        buffer: &[u8],
    ) -> Result<()> {
        // FIXME: set last modified time to now
        let entry = ZipEntryBuilder::new(path.into(), Compression::Deflate);
        self.writer.write_entry_whole(entry, buffer).await?;
        Ok(())
    }

    /// Add the secrets in a vault to this migration.
    ///
    /// The passed `AccessPoint` must already be unlocked so the
    /// secrets can be decrypted.
    pub async fn add(&mut self, access: &AccessPoint) -> Result<()> {
        // This verifies decryption early, if the keeper is locked
        // it will error here
        let meta = access.vault_meta().await?;

        let vault_id = access.summary().id();
        let base_path = format!("vaults/{}", vault_id);
        let file_path = format!("{}/files", base_path);

        let store = PublicVaultInfo {
            meta,
            summary: access.summary().clone(),
            secrets: access.vault().keys().copied().collect(),
        };
        let store_path = format!("{}/meta.json", base_path);
        let buffer = serde_json::to_vec_pretty(&store)?;
        self.append_file_buffer(&store_path, buffer.as_slice())
            .await?;

        for id in access.vault().keys() {
            if let Some((meta, mut secret, _)) =
                access.read_secret(id).await?
            {
                // Move contents for file secrets
                self.move_file_buffer(&file_path, &mut secret).await?;

                // Move contents for file attachments
                for field in secret.user_data_mut().fields_mut() {
                    self.move_file_buffer(&file_path, field.secret_mut())
                        .await?;
                }

                let path = format!("{}/{}.json", base_path, id);
                let public_secret = PublicSecret {
                    id: *id,
                    meta,
                    secret,
                };

                let buffer = serde_json::to_vec_pretty(&public_secret)?;
                self.append_file_buffer(&path, buffer.as_slice()).await?;
            }
        }

        self.vault_ids.push(*vault_id);
        Ok(())
    }

    /// Take an embedded file secret and move the
    /// buffer to an entry in the archive.
    async fn move_file_buffer(
        &mut self,
        file_path: &str,
        secret: &mut Secret,
    ) -> Result<()> {
        if let Secret::File { content, .. } = secret {
            if let FileContent::Embedded {
                buffer, checksum, ..
            } = content
            {
                let path = format!("{}/{}", file_path, hex::encode(checksum));

                // Write the file buffer to the archive
                self.append_file_buffer(
                    &path,
                    buffer.expose_secret().as_slice(),
                )
                .await?;

                // Clear the buffer so the export does not encode the bytes
                // in the JSON document
                *buffer = SecretBox::new(vec![].into());
            }
        }
        Ok(())
    }

    /// Append additional files to the archive.
    pub async fn append_files(
        &mut self,
        files: HashMap<&str, &[u8]>,
    ) -> Result<()> {
        for (path, buffer) in files {
            self.append_file_buffer(path, buffer).await?;
        }
        Ok(())
    }

    /// Finish building the archive.
    pub async fn finish(mut self) -> Result<Compat<W>> {
        // Add the collection of vault identifiers
        let path = "vaults.json";
        let buffer = serde_json::to_vec_pretty(&self.vault_ids)?;
        self.append_file_buffer(path, buffer.as_slice()).await?;

        Ok(self.writer.close().await?)
    }
}

/// Public vault info contains meta data about the vault and lists the
/// secret identifiers.
#[derive(Default, Serialize, Deserialize)]
pub struct PublicVaultInfo {
    /// The vault summary information.
    summary: Summary,
    /// The vault meta data.
    meta: VaultMeta,
    /// The collection of secrets in the vault.
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    secrets: Vec<SecretId>,
}

/// Public secret is an insecure, unencrypted representation of a secret.
#[derive(Default, Serialize, Deserialize)]
pub struct PublicSecret {
    /// The secret identifier.
    id: SecretId,
    /// The secret meta data.
    meta: SecretMeta,
    /// The secret data.
    secret: Secret,
}