lib/uplink-gomobile: extend encryption key capabilities
Change-Id: Id10b14cc34ff983ec451440fe4b0305651115022
This commit is contained in:
parent
a4c554f2ed
commit
d23e03f8a2
@ -4,6 +4,7 @@
|
||||
package mobile
|
||||
|
||||
import (
|
||||
"storj.io/common/encryption"
|
||||
"storj.io/common/paths"
|
||||
"storj.io/common/storj"
|
||||
libuplink "storj.io/storj/lib/uplink"
|
||||
@ -27,12 +28,12 @@ func NewEncryptionAccessWithRoot(bucket, unencryptedPath, encryptedPath string,
|
||||
if err != nil {
|
||||
return nil, safeError(err)
|
||||
}
|
||||
encAccess := libuplink.NewEncryptionAccess()
|
||||
err = encAccess.Store().Add(bucket, paths.NewUnencrypted(unencryptedPath), paths.NewEncrypted(encryptedPath), *key)
|
||||
encAccess := NewEncryptionAccess()
|
||||
err = encAccess.lib.Store().Add(bucket, paths.NewUnencrypted(unencryptedPath), paths.NewEncrypted(encryptedPath), *key)
|
||||
if err != nil {
|
||||
return nil, safeError(err)
|
||||
}
|
||||
return &EncryptionAccess{lib: encAccess}, nil
|
||||
return &EncryptionAccess{lib: encAccess.lib}, nil
|
||||
}
|
||||
|
||||
// SetDefaultKey sets the default key to use when no matching keys are found
|
||||
@ -94,6 +95,23 @@ func (e *EncryptionAccess) Import(other *EncryptionAccess) error {
|
||||
return e.lib.Import(other.lib)
|
||||
}
|
||||
|
||||
// OverrideEncryptionKey overrides the root encryption key for the prefix with encryptionKey.
|
||||
func (e *EncryptionAccess) OverrideEncryptionKey(bucket, prefix string, encryptionKey []byte) error {
|
||||
store := e.lib.Store()
|
||||
|
||||
unencPath := paths.NewUnencrypted(prefix)
|
||||
encPath, err := encryption.EncryptPathWithStoreCipher(bucket, unencPath, store)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
key, err := storj.NewKey(encryptionKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return store.Add(bucket, unencPath, encPath, *key)
|
||||
}
|
||||
|
||||
// EncryptionRestriction represents a scenario where some set of objects
|
||||
// may need to be encrypted/decrypted
|
||||
type EncryptionRestriction struct {
|
||||
@ -126,3 +144,12 @@ func NewEncryptionRestrictions() *EncryptionRestrictions {
|
||||
func (e *EncryptionRestrictions) Add(restriction *EncryptionRestriction) {
|
||||
e.restrictions = append(e.restrictions, *restriction.lib)
|
||||
}
|
||||
|
||||
// DeriveEncryptionKey derives a salted root key for password using the salt.
|
||||
func DeriveEncryptionKey(password, salt []byte) ([]byte, error) {
|
||||
key, err := encryption.DeriveRootKey(password, salt, "", 1)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return key[:], nil
|
||||
}
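Review bot: OverrideEncryptionKey passes prefix to paths.NewUnencrypted verbatim, so a prefix ending in `/` is very likely encrypted with a trailing `enc("")` component and the key gets registered under a prefix that never matches a real object path; this commit fixes exactly that case in lib/uplink's Restrict, and the mobile wrapper should do the same: `unencPath := paths.NewUnencrypted(strings.TrimSuffix(prefix, "/"))` (which needs a "strings" import in this file). The two error returns inside OverrideEncryptionKey also hand raw errors across the gomobile boundary, whereas every other error in this file is wrapped, so both should read `return safeError(err)`. In DeriveEncryptionKey the trailing literal `1` passed to encryption.DeriveRootKey is undocumented — it appears to be an argon2 parameter, and the doc comment should name it and state that the salt must be unique and unpredictable per user, since a fixed salt (as the accompanying Java test uses) makes the derived key recoverable from the password alone.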
|
||||
|
@ -444,6 +444,10 @@ public class LibuplinkInstrumentedTest {
|
||||
assertNotNull(scope.encryptionAccess());
|
||||
|
||||
assertEquals(scopeString, scope.serialize());
|
||||
|
||||
byte[] key = Mobile.deriveEncryptionKey("mypass".getBytes(), "salt".getBytes());
|
||||
|
||||
scope.encryptionAccess().overrideEncryptionKey("bucket", "userid", key);
|
||||
}
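Review bot: The new test calls overrideEncryptionKey but asserts nothing about its effect, so it only proves the call does not throw; after the override, a check such as `assertNotEquals(scopeString, scope.serialize());` would confirm the store actually changed (assuming the serialized scope includes the encryption access store, which the earlier `assertEquals(scopeString, scope.serialize())` suggests). The key is derived with the constant salt `"salt"`, which is fine for a test but invites copy-paste; a one-line comment such as `// test-only: production callers must use a random, per-user salt` would keep it from being reused as-is. The enclosing test method starts outside the hunk.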
|
||||
|
||||
|
||||
|
@ -4,6 +4,8 @@
|
||||
package uplink
|
||||
|
||||
import (
|
||||
"strings"
|
||||
|
||||
"github.com/btcsuite/btcutil/base58"
|
||||
"github.com/gogo/protobuf/proto"
|
||||
"github.com/zeebo/errs"
|
||||
@ -90,9 +92,16 @@ func (s *EncryptionAccess) Restrict(apiKey APIKey, restrictions ...EncryptionRes
|
||||
|
||||
access := NewEncryptionAccess()
|
||||
access.SetDefaultPathCipher(s.store.GetDefaultPathCipher())
|
||||
if len(restrictions) == 0 {
|
||||
access.Store().SetDefaultKey(s.store.GetDefaultKey())
|
||||
}
|
||||
|
||||
for _, res := range restrictions {
|
||||
unencPath := paths.NewUnencrypted(res.PathPrefix)
|
||||
// If the share prefix ends in a `/` we need to remove this final slash.
|
||||
// Otherwise, if we the shared prefix is `/bob/`, the encrypted shared
|
||||
// prefix results in `enc("")/enc("bob")/enc("")`. This is an incorrect
|
||||
// encrypted prefix, what we really want is `enc("")/enc("bob")`.
|
||||
unencPath := paths.NewUnencrypted(strings.TrimSuffix(res.PathPrefix, "/"))
|
||||
|
||||
encPath, err := encryption.EncryptPathWithStoreCipher(res.Bucket, unencPath, s.store)
|
||||
if err != nil {
|
||||
|