creddy/src-tauri/src/state.rs

use std::collections::HashMap;
use std::sync::RwLock;

use serde::{Serialize, Deserialize};
use tokio::sync::oneshot::Sender;
use sqlx::{SqlitePool, sqlite::SqlitePoolOptions, sqlite::SqliteConnectOptions};
use sodiumoxide::crypto::{
        pwhash,
        pwhash::Salt, 
        secretbox, 
        secretbox::{Nonce, Key}
};
use tauri::async_runtime as runtime;

use crate::ipc;
use crate::errors::*;


#[derive(Serialize, Deserialize)]
#[serde(rename_all = "PascalCase")]
#[serde(untagged)]
pub enum Credentials {
    LongLived {
        #[serde(rename = "AccessKeyId")]
        access_key_id: String,
        #[serde(rename = "SecretAccessKey")]
        secret_access_key: String,
    },
    ShortLived {
        #[serde(rename = "AccessKeyId")]
        access_key_id: String,
        #[serde(rename = "SecretAccessKey")]
        secret_access_key: String,
        #[serde(rename = "Token")]
        token: String,
        #[serde(rename = "Expiration")]
        expiration: String,
    },
}


pub struct LockedCredentials {
    access_key_id: String,
    secret_key_enc: Vec<u8>,
    salt: Salt,
    nonce: Nonce,
}


pub enum Session {
    Unlocked(Credentials),
    Locked(LockedCredentials),
    Empty,
}


// #[derive(Serialize, Deserialize)]
// pub enum SessionStatus {
//   Unlocked,
//   Locked,
//   Empty,
// }


pub struct AppState {
    pub session: RwLock<Session>,
    pub request_count: RwLock<u64>,
    pub open_requests: RwLock<HashMap<u64, Sender<ipc::Approval>>>,
    pool: SqlitePool,
}

impl AppState {
    pub fn new() -> Result<Self, SetupError> {
        let conn_opts = SqliteConnectOptions::new()
            .filename("creddy.db")
            .create_if_missing(true);
        let pool_opts = SqlitePoolOptions::new();

        let pool: SqlitePool = runtime::block_on(pool_opts.connect_with(conn_opts))?;
        runtime::block_on(sqlx::migrate!().run(&pool))?;
        let creds = runtime::block_on(Self::load_creds(&pool))?;

        let state = AppState {
            session: RwLock::new(creds),
            request_count: RwLock::new(0),
            open_requests: RwLock::new(HashMap::new()),
            pool,
        };

        Ok(state)
    }

    async fn load_creds(pool: &SqlitePool) -> Result<Session, SetupError> {
        let res = sqlx::query!("SELECT * FROM credentials")
            .fetch_optional(pool)
            .await?;
        let row = match res {
            Some(r) => r,
            None => {return Ok(Session::Empty);}
        };

        let salt_buf: [u8; 32] = row.salt
            .try_into()
            .map_err(|_e| SetupError::InvalidRecord)?;
        let nonce_buf: [u8; 24] = row.nonce
            .try_into()
            .map_err(|_e| SetupError::InvalidRecord)?;

        let creds = LockedCredentials {
            access_key_id: row.access_key_id,
            secret_key_enc: row.secret_key_enc,
            salt: Salt(salt_buf),
            nonce: Nonce(nonce_buf),
        };
        Ok(Session::Locked(creds))
    }

    pub async fn save_creds(&self, creds: Credentials, passphrase: &str) -> Result<(), sqlx::error::Error> {
        let (key_id, secret_key) = match creds {
            Credentials::LongLived {access_key_id, secret_access_key} => {
                (access_key_id, secret_access_key)
            },
            _ => unreachable!(),
        };
        let salt = pwhash::gen_salt();
        let mut key_buf = [0; secretbox::KEYBYTES];
        pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &salt).unwrap();
        let key = Key(key_buf);
        // not sure we need both salt AND nonce given that we generate a
        // fresh salt every time we encrypt, but better safe than sorry
        let nonce = secretbox::gen_nonce();
        let key_enc = secretbox::seal(secret_key.as_bytes(), &nonce, &key);
        // insert into database
        Ok(())
    }

    pub fn register_request(&self, chan: Sender<ipc::Approval>) -> u64 {
        let count = {
            let mut c = self.request_count.write().unwrap();
            *c += 1;
            c
        };

        let mut open_requests = self.open_requests.write().unwrap();
        open_requests.insert(*count, chan); // `count` is the request id
        *count
    }

    pub fn send_response(&self, response: ipc::RequestResponse) -> Result<(), SendResponseError> {
        let mut open_requests = self.open_requests.write().unwrap();
        let chan = open_requests
            .remove(&response.id)
            .ok_or(SendResponseError::NotFound)
            ?;

        chan.send(response.approval)
            .map_err(|_e| SendResponseError::Abandoned)
    }

    pub async fn decrypt(&self, passphrase: &str) -> Result<(), UnlockError> {
        let session = self.session.read().unwrap();
        let locked = match *session {
            Session::Empty => {return Err(UnlockError::NoCredentials);},
            Session::Unlocked(_) => {return Err(UnlockError::NotLocked);},
            Session::Locked(ref c) => c,
        };

        let mut key_buf = [0; secretbox::KEYBYTES];
        // pretty sure this only fails if we're out of memory
        pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &locked.salt).unwrap();
        let decrypted = secretbox::open(&locked.secret_key_enc, &locked.nonce, &Key(key_buf))
            .map_err(|_e| UnlockError::BadPassphrase)?;

        let secret_str = String::from_utf8(decrypted).map_err(|_e| UnlockError::InvalidUtf8)?;
        let mut session = self.session.write().unwrap();
        let creds = Credentials::LongLived {
            access_key_id: locked.access_key_id.clone(),
            secret_access_key: secret_str,
        };
        *session = Session::Unlocked(creds);
        Ok(())
    }

    pub fn get_creds_serialized(&self) -> Result<String, GetCredentialsError> {
        let session = self.session.read().unwrap();
        match *session {
            Session::Unlocked(ref creds) => Ok(serde_json::to_string(creds).unwrap()),
            Session::Locked(_) => Err(GetCredentialsError::Locked),
            Session::Empty => Err(GetCredentialsError::Empty),
        }
    }
}
reorganize backend 2022-11-28 16:16:33 -08:00			`use std::collections::HashMap;`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`use std::sync::RwLock;`

			`use serde::{Serialize, Deserialize};`
			`use tokio::sync::oneshot::Sender;`
connect to db on startup 2022-12-02 22:59:13 -08:00			`use sqlx::{SqlitePool, sqlite::SqlitePoolOptions, sqlite::SqliteConnectOptions};`
encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`use sodiumoxide::crypto::{`
			`pwhash,`
			`pwhash::Salt,`
			`secretbox,`
			`secretbox::{Nonce, Key}`
			`};`
			`use tauri::async_runtime as runtime;`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00
			`use crate::ipc;`
reorganize backend 2022-11-28 16:16:33 -08:00			`use crate::errors::*;`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00

			`#[derive(Serialize, Deserialize)]`
reorganize backend 2022-11-28 16:16:33 -08:00			`#[serde(rename_all = "PascalCase")]`
			`#[serde(untagged)]`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`pub enum Credentials {`
			`LongLived {`
add credentials entry view 2022-12-13 21:50:34 -08:00			`#[serde(rename = "AccessKeyId")]`
reorganize backend 2022-11-28 16:16:33 -08:00			`access_key_id: String,`
add credentials entry view 2022-12-13 21:50:34 -08:00			`#[serde(rename = "SecretAccessKey")]`
reorganize backend 2022-11-28 16:16:33 -08:00			`secret_access_key: String,`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`},`
			`ShortLived {`
add credentials entry view 2022-12-13 21:50:34 -08:00			`#[serde(rename = "AccessKeyId")]`
reorganize backend 2022-11-28 16:16:33 -08:00			`access_key_id: String,`
add credentials entry view 2022-12-13 21:50:34 -08:00			`#[serde(rename = "SecretAccessKey")]`
reorganize backend 2022-11-28 16:16:33 -08:00			`secret_access_key: String,`
add credentials entry view 2022-12-13 21:50:34 -08:00			`#[serde(rename = "Token")]`
reorganize backend 2022-11-28 16:16:33 -08:00			`token: String,`
add credentials entry view 2022-12-13 21:50:34 -08:00			`#[serde(rename = "Expiration")]`
reorganize backend 2022-11-28 16:16:33 -08:00			`expiration: String,`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`},`
			`}`


encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`pub struct LockedCredentials {`
			`access_key_id: String,`
			`secret_key_enc: Vec<u8>,`
			`salt: Salt,`
			`nonce: Nonce,`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`}`


encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`pub enum Session {`
			`Unlocked(Credentials),`
			`Locked(LockedCredentials),`
			`Empty,`
			`}`


			`// #[derive(Serialize, Deserialize)]`
			`// pub enum SessionStatus {`
			`// Unlocked,`
			`// Locked,`
			`// Empty,`
			`// }`


all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`pub struct AppState {`
encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`pub session: RwLock<Session>,`
			`pub request_count: RwLock<u64>,`
			`pub open_requests: RwLock<HashMap<u64, Sender<ipc::Approval>>>,`
connect to db on startup 2022-12-02 22:59:13 -08:00			`pool: SqlitePool,`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`}`

			`impl AppState {`
encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`pub fn new() -> Result<Self, SetupError> {`
connect to db on startup 2022-12-02 22:59:13 -08:00			`let conn_opts = SqliteConnectOptions::new()`
			`.filename("creddy.db")`
			`.create_if_missing(true);`
			`let pool_opts = SqlitePoolOptions::new();`

encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`let pool: SqlitePool = runtime::block_on(pool_opts.connect_with(conn_opts))?;`
			`runtime::block_on(sqlx::migrate!().run(&pool))?;`
			`let creds = runtime::block_on(Self::load_creds(&pool))?;`
connect to db on startup 2022-12-02 22:59:13 -08:00
			`let state = AppState {`
encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`session: RwLock::new(creds),`
reorganize backend 2022-11-28 16:16:33 -08:00			`request_count: RwLock::new(0),`
			`open_requests: RwLock::new(HashMap::new()),`
connect to db on startup 2022-12-02 22:59:13 -08:00			`pool,`
			`};`
encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00
connect to db on startup 2022-12-02 22:59:13 -08:00			`Ok(state)`
			`}`

encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`async fn load_creds(pool: &SqlitePool) -> Result<Session, SetupError> {`
			`let res = sqlx::query!("SELECT * FROM credentials")`
			`.fetch_optional(pool)`
connect to db on startup 2022-12-02 22:59:13 -08:00			`.await?;`
encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`let row = match res {`
			`Some(r) => r,`
			`None => {return Ok(Session::Empty);}`
			`};`
connect to db on startup 2022-12-02 22:59:13 -08:00
encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`let salt_buf: [u8; 32] = row.salt`
			`.try_into()`
			`.map_err(\|_e\| SetupError::InvalidRecord)?;`
			`let nonce_buf: [u8; 24] = row.nonce`
			`.try_into()`
			`.map_err(\|_e\| SetupError::InvalidRecord)?;`

			`let creds = LockedCredentials {`
			`access_key_id: row.access_key_id,`
			`secret_key_enc: row.secret_key_enc,`
			`salt: Salt(salt_buf),`
			`nonce: Nonce(nonce_buf),`
			`};`
			`Ok(Session::Locked(creds))`
			`}`

			`pub async fn save_creds(&self, creds: Credentials, passphrase: &str) -> Result<(), sqlx::error::Error> {`
			`let (key_id, secret_key) = match creds {`
			`Credentials::LongLived {access_key_id, secret_access_key} => {`
			`(access_key_id, secret_access_key)`
			`},`
			`_ => unreachable!(),`
			`};`
			`let salt = pwhash::gen_salt();`
			`let mut key_buf = [0; secretbox::KEYBYTES];`
			`pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &salt).unwrap();`
			`let key = Key(key_buf);`
			`// not sure we need both salt AND nonce given that we generate a`
			`// fresh salt every time we encrypt, but better safe than sorry`
			`let nonce = secretbox::gen_nonce();`
			`let key_enc = secretbox::seal(secret_key.as_bytes(), &nonce, &key);`
			`// insert into database`
connect to db on startup 2022-12-02 22:59:13 -08:00			`Ok(())`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`}`

reorganize backend 2022-11-28 16:16:33 -08:00			`pub fn register_request(&self, chan: Sender<ipc::Approval>) -> u64 {`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`let count = {`
fix some things 2022-11-29 16:13:09 -08:00			`let mut c = self.request_count.write().unwrap();`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`*c += 1;`
			`c`
			`};`

fix some things 2022-11-29 16:13:09 -08:00			`let mut open_requests = self.open_requests.write().unwrap();`
encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			open_requests.insert(*count, chan); // `count` is the request id
reorganize backend 2022-11-28 16:16:33 -08:00			`*count`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`}`

reorganize backend 2022-11-28 16:16:33 -08:00			`pub fn send_response(&self, response: ipc::RequestResponse) -> Result<(), SendResponseError> {`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`let mut open_requests = self.open_requests.write().unwrap();`
reorganize backend 2022-11-28 16:16:33 -08:00			`let chan = open_requests`
			`.remove(&response.id)`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`.ok_or(SendResponseError::NotFound)`
			`?;`

reorganize backend 2022-11-28 16:16:33 -08:00			`chan.send(response.approval)`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`.map_err(\|_e\| SendResponseError::Abandoned)`
			`}`

encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`pub async fn decrypt(&self, passphrase: &str) -> Result<(), UnlockError> {`
			`let session = self.session.read().unwrap();`
			`let locked = match *session {`
			`Session::Empty => {return Err(UnlockError::NoCredentials);},`
			`Session::Unlocked(_) => {return Err(UnlockError::NotLocked);},`
			`Session::Locked(ref c) => c,`
			`};`

			`let mut key_buf = [0; secretbox::KEYBYTES];`
			`// pretty sure this only fails if we're out of memory`
			`pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &locked.salt).unwrap();`
			`let decrypted = secretbox::open(&locked.secret_key_enc, &locked.nonce, &Key(key_buf))`
			`.map_err(\|_e\| UnlockError::BadPassphrase)?;`

			`let secret_str = String::from_utf8(decrypted).map_err(\|_e\| UnlockError::InvalidUtf8)?;`
			`let mut session = self.session.write().unwrap();`
			`let creds = Credentials::LongLived {`
			`access_key_id: locked.access_key_id.clone(),`
			`secret_access_key: secret_str,`
			`};`
			`*session = Session::Unlocked(creds);`
			`Ok(())`
fix some things 2022-11-29 16:13:09 -08:00			`}`

encrypt/decrypt and db interaction 2022-12-03 21:47:09 -08:00			`pub fn get_creds_serialized(&self) -> Result<String, GetCredentialsError> {`
			`let session = self.session.read().unwrap();`
			`match *session {`
			`Session::Unlocked(ref creds) => Ok(serde_json::to_string(creds).unwrap()),`
			`Session::Locked(_) => Err(GetCredentialsError::Locked),`
			`Session::Empty => Err(GetCredentialsError::Empty),`
			`}`
reorganize backend 2022-11-28 16:16:33 -08:00			`}`
all is change; in change is all again made new 2022-11-27 22:03:15 -08:00			`}`