feat(backup): Add backup/restore to the server

2025-08-02 20:35:25 +02:00 · 2021-04-06 22:08:43 +12:00 · 2021-04-06 22:08:43 +12:00 · a3ec2f8e85
commit a3ec2f8e85
parent c04bbb5775
65 changed files with 2394 additions and 564 deletions
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@ -0,0 +1,70 @@
+package crypto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"io"
+
+	"golang.org/x/crypto/scrypt"
+)
+
+// NOTE: has to go with what is considered to be a simplistic in that it omits any
+// authentication of the encrypted data.
+// Person with better knowledge is welcomed to improve it.
+// sourced from https://golang.org/src/crypto/cipher/example_test.go
+
+var emptySalt []byte = make([]byte, 0, 0)
+
+// AesEncrypt reads from input, encrypts with AES-256 and writes to the output.
+// passphrase is used to generate an encryption key.
+func AesEncrypt(input io.Reader, output io.Writer, passphrase []byte) error {
+	// making a 32 bytes key that would correspond to AES-256
+	// don't necessarily need a salt, so just kept in empty
+	key, err := scrypt.Key(passphrase, emptySalt, 32768, 8, 1, 32)
+	if err != nil {
+		return err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return err
+	}
+
+	// If the key is unique for each ciphertext, then it's ok to use a zero
+	// IV.
+	var iv [aes.BlockSize]byte
+	stream := cipher.NewOFB(block, iv[:])
+
+	writer := &cipher.StreamWriter{S: stream, W: output}
+	// Copy the input to the output, encrypting as we go.
+	if _, err := io.Copy(writer, input); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// AesDecrypt reads from input, decrypts with AES-256 and returns the reader to a read decrypted content from.
+// passphrase is used to generate an encryption key.
+func AesDecrypt(input io.Reader, passphrase []byte) (io.Reader, error) {
+	// making a 32 bytes key that would correspond to AES-256
+	// don't necessarily need a salt, so just kept in empty
+	key, err := scrypt.Key(passphrase, emptySalt, 32768, 8, 1, 32)
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// If the key is unique for each ciphertext, then it's ok to use a zero
+	// IV.
+	var iv [aes.BlockSize]byte
+	stream := cipher.NewOFB(block, iv[:])
+
+	reader := &cipher.StreamReader{S: stream, R: input}
+
+	return reader, nil
+}
--- a/api/crypto/aes_test.go
+++ b/api/crypto/aes_test.go
@ -0,0 +1,131 @@
+package crypto
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
+	tmpdir, _ := os.MkdirTemp("", "encrypt")
+	defer os.RemoveAll(tmpdir)
+
+	var (
+		originFilePath    = filepath.Join(tmpdir, "origin")
+		encryptedFilePath = filepath.Join(tmpdir, "encrypted")
+		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
+	)
+
+	content := []byte("content")
+	ioutil.WriteFile(originFilePath, content, 0600)
+
+	originFile, _ := os.Open(originFilePath)
+	defer originFile.Close()
+
+	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+	defer encryptedFileWriter.Close()
+
+	err := AesEncrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+	assert.Nil(t, err, "Failed to encrypt a file")
+	encryptedContent, err := ioutil.ReadFile(encryptedFilePath)
+	assert.Nil(t, err, "Couldn't read encrypted file")
+	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+
+	encryptedFileReader, _ := os.Open(encryptedFilePath)
+	defer encryptedFileReader.Close()
+
+	decryptedFileWriter, _ := os.Create(decryptedFilePath)
+	defer decryptedFileWriter.Close()
+
+	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte("passphrase"))
+	assert.Nil(t, err, "Failed to decrypt file")
+
+	io.Copy(decryptedFileWriter, decryptedReader)
+
+	decryptedContent, _ := ioutil.ReadFile(decryptedFilePath)
+	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+}
+
+func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
+	tmpdir, _ := os.MkdirTemp("", "encrypt")
+	defer os.RemoveAll(tmpdir)
+
+	var (
+		originFilePath    = filepath.Join(tmpdir, "origin")
+		encryptedFilePath = filepath.Join(tmpdir, "encrypted")
+		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
+	)
+
+	content := []byte("content")
+	ioutil.WriteFile(originFilePath, content, 0600)
+
+	originFile, _ := os.Open(originFilePath)
+	defer originFile.Close()
+
+	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+	defer encryptedFileWriter.Close()
+
+	err := AesEncrypt(originFile, encryptedFileWriter, []byte(""))
+	assert.Nil(t, err, "Failed to encrypt a file")
+	encryptedContent, err := ioutil.ReadFile(encryptedFilePath)
+	assert.Nil(t, err, "Couldn't read encrypted file")
+	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+
+	encryptedFileReader, _ := os.Open(encryptedFilePath)
+	defer encryptedFileReader.Close()
+
+	decryptedFileWriter, _ := os.Create(decryptedFilePath)
+	defer decryptedFileWriter.Close()
+
+	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte(""))
+	assert.Nil(t, err, "Failed to decrypt file")
+
+	io.Copy(decryptedFileWriter, decryptedReader)
+
+	decryptedContent, _ := ioutil.ReadFile(decryptedFilePath)
+	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+}
+
+func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T) {
+	tmpdir, _ := os.MkdirTemp("", "encrypt")
+	defer os.RemoveAll(tmpdir)
+
+	var (
+		originFilePath    = filepath.Join(tmpdir, "origin")
+		encryptedFilePath = filepath.Join(tmpdir, "encrypted")
+		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
+	)
+
+	content := []byte("content")
+	ioutil.WriteFile(originFilePath, content, 0600)
+
+	originFile, _ := os.Open(originFilePath)
+	defer originFile.Close()
+
+	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+	defer encryptedFileWriter.Close()
+
+	err := AesEncrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+	assert.Nil(t, err, "Failed to encrypt a file")
+	encryptedContent, err := ioutil.ReadFile(encryptedFilePath)
+	assert.Nil(t, err, "Couldn't read encrypted file")
+	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+
+	encryptedFileReader, _ := os.Open(encryptedFilePath)
+	defer encryptedFileReader.Close()
+
+	decryptedFileWriter, _ := os.Create(decryptedFilePath)
+	defer decryptedFileWriter.Close()
+
+	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte("garbage"))
+	assert.Nil(t, err, "Should allow to decrypt with wrong passphrase")
+
+	io.Copy(decryptedFileWriter, decryptedReader)
+
+	decryptedContent, _ := ioutil.ReadFile(decryptedFilePath)
+	assert.NotEqual(t, content, decryptedContent, "Original and decrypted content should NOT match")
+}