atuin-client/src/record/encryption/none.rs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

use std::io::Write;

use atuin_common::record::{AdditonalData, DecryptedData, EncryptedData, Encryption};
use base64::{engine::general_purpose, write::EncoderStringWriter, Engine};
use eyre::{ensure, Context, ContextCompat, Result};

/// Store record data unencrypted. Only for very specific use cases of record data not being sensitive.
/// If in doubt, use [`super::paseto_v4::PASETO_V4`].
pub struct UnsafeNoEncryption;

static CONTENT_HEADER: &str = "v0.none.";
static CEK_HEADER: &str = "k0.none.";

impl Encryption for UnsafeNoEncryption {
    fn re_encrypt(
        data: EncryptedData,
        _ad: AdditonalData,
        _old_key: &[u8; 32],
        _new_key: &[u8; 32],
    ) -> Result<EncryptedData> {
        Ok(data)
    }

    fn encrypt(data: DecryptedData, _ad: AdditonalData, _key: &[u8; 32]) -> EncryptedData {
        let mut token = EncoderStringWriter::from_consumer(
            CONTENT_HEADER.to_owned(),
            &general_purpose::URL_SAFE_NO_PAD,
        );
        token
            .write_all(&data.0)
            .expect("base64 encoding should always succeed");
        EncryptedData {
            data: token.into_inner(),
            content_encryption_key: CEK_HEADER.to_owned(),
        }
    }

    fn decrypt(data: EncryptedData, _ad: AdditonalData, _key: &[u8; 32]) -> Result<DecryptedData> {
        ensure!(
            data.content_encryption_key == CEK_HEADER,
            "exected unencrypted data, found a content encryption key"
        );
        let content = data
            .data
            .strip_prefix(CONTENT_HEADER)
            .context("exected unencrypted data, found an encrypted token")?;
        let data = general_purpose::URL_SAFE_NO_PAD
            .decode(content)
            .context("could not decode data")?;
        Ok(DecryptedData(data))
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    const AD: AdditonalData<'static> = AdditonalData {
        id: "foo",
        version: "v0",
        tag: "kv",
        host: "1234",
    };

    #[test]
    fn round_trip() {
        let key = [0x55; 32];

        let data = DecryptedData(vec![1, 2, 3, 4]);

        let encrypted = UnsafeNoEncryption::encrypt(data.clone(), AD, &key);
        let decrypted = UnsafeNoEncryption::decrypt(encrypted, AD, &key).unwrap();
        assert_eq!(decrypted, data);
    }
}