record encryption (#1058)

* record encryption * move paserk impl * implicit assertions * move wrapped cek * add another test * use host * undo stray change * more tests and docs * fmt * Update atuin-client/src/record/encryption.rs Co-authored-by: Matteo Martellini <matteo@mercxry.me> * Update atuin-client/src/record/encryption.rs Co-authored-by: Matteo Martellini <matteo@mercxry.me> * typo --------- Co-authored-by: Matteo Martellini <matteo@mercxry.me>
atuinsh · Jun 26, 2023 · 6c53242 · 6c53242 · vercel · Jun 26, 2023
1 parent 1a63649
commit 6c53242
Show file tree

Hide file tree

Showing 11 changed files with 976 additions and 89 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/atuin-client/Cargo.toml b/atuin-client/Cargo.toml
@@ -18,7 +18,6 @@ sync = [
   "reqwest",
   "sha2",
   "hex",
-  "base64",
   "generic-array",
   "xsalsa20poly1305",
 ]
@@ -27,6 +26,7 @@ sync = [
 atuin-common = { path = "../atuin-common", version = "15.0.0" }
 
 log = { workspace = true }
+base64 = { workspace = true }
 chrono = { workspace = true }
 clap = { workspace = true }
 eyre = { workspace = true }
@@ -52,15 +52,18 @@ lazy_static = "1"
 memchr = "2.5"
 rmp = { version = "0.8.11" }
 typed-builder = "0.14.0"
+tokio = { workspace = true }
+semver = { workspace = true }
+
+# encryption
+rusty_paseto = { version = "0.5.0", default-features = false }
+rusty_paserk = { version = "0.2.0", default-features = false, features = ["v4", "serde"] }
 
 # sync
 urlencoding = { version = "2.1.0", optional = true }
 reqwest = { workspace = true, optional = true }
 hex = { version = "0.4", optional = true }
 sha2 = { version = "0.10", optional = true }
-base64 = { workspace = true, optional = true }
-tokio = { workspace = true }
-semver = { workspace = true }
 xsalsa20poly1305 = { version = "0.9.0", optional = true }
 generic-array = { version = "0.14", optional = true, features = ["serde"] }
 

diff --git a/atuin-client/record-migrations/20230619235421_add_content_encrytion_key.sql b/atuin-client/record-migrations/20230619235421_add_content_encrytion_key.sql
@@ -0,0 +1,3 @@
+-- store content encryption keys in the record
+alter table records
+  add column cek text;
diff --git a/atuin-client/src/kv.rs b/atuin-client/src/kv.rs
@@ -1,5 +1,7 @@
+use atuin_common::record::DecryptedData;
 use eyre::{bail, ensure, eyre, Result};
 
+use crate::record::encryption::PASETO_V4;
 use crate::record::store::Store;
 use crate::settings::Settings;
 
@@ -14,7 +16,7 @@ pub struct KvRecord {
 }
 
 impl KvRecord {
-    pub fn serialize(&self) -> Result<Vec<u8>> {
+    pub fn serialize(&self) -> Result<DecryptedData> {
         use rmp::encode;
 
         let mut output = vec![];
@@ -26,10 +28,10 @@ impl KvRecord {
         encode::write_str(&mut output, &self.key)?;
         encode::write_str(&mut output, &self.value)?;
 
-        Ok(output)
+        Ok(DecryptedData(output))
     }
 
-    pub fn deserialize(data: &[u8], version: &str) -> Result<Self> {
+    pub fn deserialize(data: &DecryptedData, version: &str) -> Result<Self> {
         use rmp::decode;
 
         fn error_report<E: std::fmt::Debug>(err: E) -> eyre::Report {
@@ -38,7 +40,7 @@ impl KvRecord {
 
         match version {
             KV_VERSION => {
-                let mut bytes = decode::Bytes::new(data);
+                let mut bytes = decode::Bytes::new(&data.0);
 
                 let nfields = decode::read_array_len(&mut bytes).map_err(error_report)?;
                 ensure!(nfields == 3, "too many entries in v0 kv record");
@@ -84,6 +86,7 @@ impl KvStore {
     pub async fn set(
         &self,
         store: &mut (impl Store + Send + Sync),
+        encryption_key: &[u8; 32],
         namespace: &str,
         key: &str,
         value: &str,
@@ -111,7 +114,9 @@ impl KvStore {
             .data(bytes)
             .build();
 
-        store.push(&record).await?;
+        store
+            .push(&record.encrypt::<PASETO_V4>(encryption_key))
+            .await?;
 
         Ok(())
     }
@@ -121,6 +126,7 @@ impl KvStore {
     pub async fn get(
         &self,
         store: &impl Store,
+        encryption_key: &[u8; 32],
         namespace: &str,
         key: &str,
     ) -> Result<Option<KvRecord>> {
@@ -137,12 +143,17 @@ impl KvStore {
         };
 
         loop {
-            let kv = KvRecord::deserialize(&record.data, &record.version)?;
+            let decrypted = match record.version.as_str() {
+                KV_VERSION => record.decrypt::<PASETO_V4>(encryption_key)?,
+                version => bail!("unknown version {version:?}"),
+            };
+
+            let kv = KvRecord::deserialize(&decrypted.data, &decrypted.version)?;
             if kv.key == key && kv.namespace == namespace {
                 return Ok(Some(kv));
             }
 
-            if let Some(parent) = record.parent {
+            if let Some(parent) = decrypted.parent {
                 record = store.get(parent.as_str()).await?;
             } else {
                 break;
@@ -172,7 +183,7 @@ mod tests {
         let encoded = kv.serialize().unwrap();
         let decoded = KvRecord::deserialize(&encoded, KV_VERSION).unwrap();
 
-        assert_eq!(encoded, &snapshot);
+        assert_eq!(encoded.0, &snapshot);
         assert_eq!(decoded, kv);
     }
 }