get pubkey and encrypt password on login (#1965)

* get pubkey and encrypt password on login

* only encrypt password if insecure context

* fix logic

* fix secure context conditional

* get-pubkey to auth api

* save two lines

* feat: Add the backend to the ui (#1968)

* hide app show if insecure and update copy for LAN

* show install progress when insecure and prevent backup and restore

* ask remove USB

Co-authored-by: Matt Hill <matthewonthemoon@gmail.com>
Co-authored-by: J M <2364004+Blu-J@users.noreply.github.com>

backend/src/auth.rs

@@ -4,6 +4,7 @@ use std::marker::PhantomData;
 use chrono::{DateTime, Utc};
 use clap::ArgMatches;
 use color_eyre::eyre::eyre;
+use josekit::jwk::Jwk;
 use patch_db::{DbHandle, LockReceipt};
 use rpc_toolkit::command;
 use rpc_toolkit::command_helpers::prelude::{RequestParts, ResponseParts};
@@ -15,11 +16,53 @@ use tracing::instrument;
 
 use crate::context::{CliContext, RpcContext};
 use crate::middleware::auth::{AsLogoutSessionId, HasLoggedOutSessions, HashSessionToken};
+use crate::middleware::encrypt::EncryptedWire;
 use crate::util::display_none;
 use crate::util::serde::{display_serializable, IoFormat};
 use crate::{ensure_code, Error, ResultExt};
+#[derive(Clone, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum PasswordType {
+    EncryptedWire(EncryptedWire),
+    String(String),
+}
+impl PasswordType {
+    pub fn decrypt(self, current_secret: impl AsRef<Jwk>) -> Result<String, Error> {
+        match self {
+            PasswordType::String(x) => Ok(x),
+            PasswordType::EncryptedWire(x) => x.decrypt(current_secret).ok_or_else(|| {
+                Error::new(
+                    color_eyre::eyre::eyre!("Couldn't decode password"),
+                    crate::ErrorKind::Unknown,
+                )
+            }),
+        }
+    }
+}
+impl Default for PasswordType {
+    fn default() -> Self {
+        PasswordType::String(String::default())
+    }
+}
+impl std::fmt::Debug for PasswordType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "<REDACTED_PASSWORD>")?;
+        Ok(())
+    }
+}
 
-#[command(subcommands(login, logout, session, reset_password))]
+impl std::str::FromStr for PasswordType {
+    type Err = String;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        Ok(match serde_json::from_str(s) {
+            Ok(a) => a,
+            Err(_) => PasswordType::String(s.to_string()),
+        })
+    }
+}
+
+#[command(subcommands(login, logout, session, reset_password, get_pubkey))]
 pub fn auth() -> Result<(), Error> {
     Ok(())
 }
@@ -50,11 +93,11 @@ fn gen_pwd() {
 #[instrument(skip(ctx, password))]
 async fn cli_login(
     ctx: CliContext,
-    password: Option<String>,
+    password: Option<PasswordType>,
     metadata: Value,
 ) -> Result<(), RpcError> {
     let password = if let Some(password) = password {
-        password
+        password.decrypt(&ctx)?
     } else {
         rpassword::prompt_password("Password: ")?
     };
@@ -107,7 +150,7 @@ pub async fn login(
     #[context] ctx: RpcContext,
     #[request] req: &RequestParts,
     #[response] res: &mut ResponseParts,
-    #[arg] password: Option<String>,
+    #[arg] password: Option<PasswordType>,
     #[arg(
         parse(parse_metadata),
         default = "cli_metadata",
@@ -115,7 +158,7 @@ pub async fn login(
     )]
     metadata: Value,
 ) -> Result<(), Error> {
-    let password = password.unwrap_or_default();
+    let password = password.unwrap_or_default().decrypt(&ctx)?;
     let mut handle = ctx.secret_store.acquire().await?;
     check_password_against_db(&mut handle, &password).await?;
 
@@ -265,17 +308,17 @@ pub async fn kill(
 #[instrument(skip(ctx, old_password, new_password))]
 async fn cli_reset_password(
     ctx: CliContext,
-    old_password: Option<String>,
-    new_password: Option<String>,
+    old_password: Option<PasswordType>,
+    new_password: Option<PasswordType>,
 ) -> Result<(), RpcError> {
     let old_password = if let Some(old_password) = old_password {
-        old_password
+        old_password.decrypt(&ctx)?
     } else {
         rpassword::prompt_password("Current Password: ")?
     };
 
     let new_password = if let Some(new_password) = new_password {
-        new_password
+        new_password.decrypt(&ctx)?
     } else {
         let new_password = rpassword::prompt_password("New Password: ")?;
         if new_password != rpassword::prompt_password("Confirm: ")? {
@@ -354,11 +397,11 @@ where
 #[instrument(skip(ctx, old_password, new_password))]
 pub async fn reset_password(
     #[context] ctx: RpcContext,
-    #[arg(rename = "old-password")] old_password: Option<String>,
-    #[arg(rename = "new-password")] new_password: Option<String>,
+    #[arg(rename = "old-password")] old_password: Option<PasswordType>,
+    #[arg(rename = "new-password")] new_password: Option<PasswordType>,
 ) -> Result<(), Error> {
-    let old_password = old_password.unwrap_or_default();
-    let new_password = new_password.unwrap_or_default();
+    let old_password = old_password.unwrap_or_default().decrypt(&ctx)?;
+    let new_password = new_password.unwrap_or_default().decrypt(&ctx)?;
 
     let mut secrets = ctx.secret_store.acquire().await?;
     check_password_against_db(&mut secrets, &old_password).await?;
@@ -371,3 +414,11 @@ pub async fn reset_password(
 
     Ok(())
 }
+
+#[command(rename = "get-pubkey", display(display_none))]
+#[instrument(skip(ctx))]
+pub async fn get_pubkey(#[context] ctx: RpcContext) -> Result<Jwk, RpcError> {
+    let secret = ctx.as_ref().clone();
+    let pub_key = secret.to_public_key()?;
+    Ok(pub_key)
+}

backend/src/backup/backup_bulk.rs

@@ -125,23 +125,31 @@ fn parse_comma_separated(arg: &str, _: &ArgMatches) -> Result<BTreeSet<PackageId
 pub async fn backup_all(
     #[context] ctx: RpcContext,
     #[arg(rename = "target-id")] target_id: BackupTargetId,
-    #[arg(rename = "old-password", long = "old-password")] old_password: Option<String>,
+    #[arg(rename = "old-password", long = "old-password")] old_password: Option<
+        crate::auth::PasswordType,
+    >,
     #[arg(
         rename = "package-ids",
         long = "package-ids",
         parse(parse_comma_separated)
     )]
     package_ids: Option<BTreeSet<PackageId>>,
-    #[arg] password: String,
+    #[arg] password: crate::auth::PasswordType,
 ) -> Result<(), Error> {
     let mut db = ctx.db.handle();
+    let old_password_decrypted = old_password
+        .as_ref()
+        .unwrap_or(&password)
+        .clone()
+        .decrypt(&ctx)?;
+    let password = password.decrypt(&ctx)?;
     check_password_against_db(&mut ctx.secret_store.acquire().await?, &password).await?;
     let fs = target_id
         .load(&mut ctx.secret_store.acquire().await?)
         .await?;
     let mut backup_guard = BackupMountGuard::mount(
         TmpMountGuard::mount(&fs, ReadWrite).await?,
-        old_password.as_ref().unwrap_or(&password),
+        &old_password_decrypted,
     )
     .await?;
     let all_packages = crate::db::DatabaseModel::new()

backend/src/context/cli.rs

@@ -7,6 +7,7 @@ use std::sync::Arc;
 use clap::ArgMatches;
 use color_eyre::eyre::eyre;
 use cookie_store::CookieStore;
+use josekit::jwk::Jwk;
 use reqwest::Proxy;
 use reqwest_cookie_store::CookieStoreMutex;
 use rpc_toolkit::reqwest::{Client, Url};
@@ -18,6 +19,8 @@ use tracing::instrument;
 use crate::util::config::{load_config_from_paths, local_config_path};
 use crate::ResultExt;
 
+use super::setup::CURRENT_SECRET;
+
 #[derive(Debug, Default, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct CliContextConfig {
@@ -126,6 +129,11 @@ impl CliContext {
         })))
     }
 }
+impl AsRef<Jwk> for CliContext {
+    fn as_ref(&self) -> &Jwk {
+        &*CURRENT_SECRET
+    }
+}
 impl std::ops::Deref for CliContext {
     type Target = CliContextSeed;
     fn deref(&self) -> &Self::Target {

backend/src/context/rpc.rs

@@ -8,6 +8,7 @@ use std::time::Duration;
 
 use bollard::Docker;
 use helpers::to_tmp_path;
+use josekit::jwk::Jwk;
 use patch_db::json_ptr::JsonPointer;
 use patch_db::{DbHandle, LockReceipt, LockType, PatchDb, Revision};
 use reqwest::Url;
@@ -36,6 +37,8 @@ use crate::status::{MainStatus, Status};
 use crate::util::config::load_config_from_paths;
 use crate::{Error, ErrorKind, ResultExt};
 
+use super::setup::CURRENT_SECRET;
+
 #[derive(Debug, Default, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct RpcContextConfig {
@@ -134,6 +137,7 @@ pub struct RpcContextSeed {
     pub open_authed_websockets: Mutex<BTreeMap<HashSessionToken, Vec<oneshot::Sender<()>>>>,
     pub rpc_stream_continuations: Mutex<BTreeMap<RequestGuid, RpcContinuation>>,
     pub wifi_manager: Option<Arc<RwLock<WpaCli>>>,
+    pub current_secret: Arc<Jwk>,
 }
 
 pub struct RpcCleanReceipts {
@@ -269,6 +273,16 @@ impl RpcContext {
             wifi_manager: base
                 .wifi_interface
                 .map(|i| Arc::new(RwLock::new(WpaCli::init(i)))),
+            current_secret: Arc::new(
+                Jwk::generate_ec_key(josekit::jwk::alg::ec::EcCurve::P256).map_err(|e| {
+                    tracing::debug!("{:?}", e);
+                    tracing::error!("Couldn't generate ec key");
+                    Error::new(
+                        color_eyre::eyre::eyre!("Couldn't generate ec key"),
+                        crate::ErrorKind::Unknown,
+                    )
+                })?,
+            ),
         });
 
         let res = Self(seed);
@@ -424,6 +438,11 @@ impl RpcContext {
         }
     }
 }
+impl AsRef<Jwk> for RpcContext {
+    fn as_ref(&self) -> &Jwk {
+        &*CURRENT_SECRET
+    }
+}
 impl Context for RpcContext {}
 impl Deref for RpcContext {
     type Target = RpcContextSeed;

backend/src/context/setup.rs

@@ -22,6 +22,14 @@ use crate::setup::{password_hash, SetupStatus};
 use crate::util::config::load_config_from_paths;
 use crate::{Error, ResultExt};
 
+lazy_static::lazy_static! {
+    pub static ref CURRENT_SECRET: Jwk = Jwk::generate_ec_key(josekit::jwk::alg::ec::EcCurve::P256).unwrap_or_else(|e| {
+        tracing::debug!("{:?}", e);
+        tracing::error!("Couldn't generate ec key");
+        panic!("Couldn't generate ec key")
+    });
+}
+
 #[derive(Clone, Serialize, Deserialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct SetupResult {
@@ -69,9 +77,6 @@ pub struct SetupContextSeed {
     pub migration_prefetch_rows: usize,
     pub shutdown: Sender<()>,
     pub datadir: PathBuf,
-    /// Used to encrypt for hidding from snoopers for setups create password
-    /// Set via path
-    pub current_secret: Arc<Jwk>,
     pub selected_v2_drive: RwLock<Option<PathBuf>>,
     pub cached_product_key: RwLock<Option<Arc<String>>>,
     pub setup_status: RwLock<Option<Result<SetupStatus, RpcError>>>,
@@ -80,7 +85,7 @@ pub struct SetupContextSeed {
 
 impl AsRef<Jwk> for SetupContextSeed {
     fn as_ref(&self) -> &Jwk {
-        &self.current_secret
+        &*CURRENT_SECRET
     }
 }
 
@@ -99,16 +104,6 @@ impl SetupContext {
             migration_prefetch_rows: cfg.migration_prefetch_rows.unwrap_or(100_000),
             shutdown,
             datadir,
-            current_secret: Arc::new(
-                Jwk::generate_ec_key(josekit::jwk::alg::ec::EcCurve::P256).map_err(|e| {
-                    tracing::debug!("{:?}", e);
-                    tracing::error!("Couldn't generate ec key");
-                    Error::new(
-                        color_eyre::eyre::eyre!("Couldn't generate ec key"),
-                        crate::ErrorKind::Unknown,
-                    )
-                })?,
-            ),
             selected_v2_drive: RwLock::new(None),
             cached_product_key: RwLock::new(None),
             setup_status: RwLock::new(None),

backend/src/setup.rs

@@ -197,7 +197,7 @@ pub async fn status(#[context] ctx: SetupContext) -> Result<Option<SetupStatus>,
 /// since it is fine to share the public, and encrypt against the public.
 #[command(rename = "get-pubkey", rpc_only, metadata(authenticated = false))]
 pub async fn get_pubkey(#[context] ctx: SetupContext) -> Result<Jwk, RpcError> {
-    let secret = ctx.current_secret.clone();
+    let secret = ctx.as_ref().clone();
     let pub_key = secret.to_public_key()?;
     Ok(pub_key)
 }