nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-05-27 10:44:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

backups: Don't send passphrase on the command line

Browse Source 
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
This commit is contained in:
Sunil Mohan Adapa 2019-06-25 12:48:40 -07:00 committed by Joseph Nuthalapati
parent fa3e2ea86b
commit dd5d93637f
No known key found for this signature in database
GPG Key ID: 5398F00A2FA43C35
4 changed files with 66 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
actions/backups
View File

@ -76,8 +76,6 @@ def parse_arguments():
required=False) required=False)
cmd.add_argument('--ssh-keyfile', help='Path of private ssh key', cmd.add_argument('--ssh-keyfile', help='Path of private ssh key',
default=None) default=None)
cmd.add_argument('--encryption-passphrase',
help='Encryption passphrase', default=None)
get_exported_archive_apps = subparsers.add_parser( get_exported_archive_apps = subparsers.add_parser(
'get-exported-archive-apps', 'get-exported-archive-apps',
@ -98,7 +96,7 @@ def parse_arguments():
def subcommand_setup(arguments): def subcommand_setup(arguments):
"""Create repository if it does not already exist.""" """Create repository if it does not already exist."""
try: try:
run(['borg', 'info', arguments.path], arguments=arguments, check=True) run(['borg', 'info', arguments.path], arguments, check=True)
except subprocess.CalledProcessError: except subprocess.CalledProcessError:
path = os.path.dirname(arguments.path) path = os.path.dirname(arguments.path)
if not os.path.exists(path): if not os.path.exists(path):
@ -110,12 +108,11 @@ def subcommand_setup(arguments):
def init_repository(arguments, encryption): def init_repository(arguments, encryption):
"""Initialize a local or remote borg repository""" """Initialize a local or remote borg repository"""
if encryption != 'none': if encryption != 'none':
if not hasattr(arguments, 'encryption_passphrase') or not \ if not _read_encryption_passphrase(arguments):
arguments.encryption_passphrase:
raise ValueError('No encryption passphrase provided') raise ValueError('No encryption passphrase provided')
cmd = ['borg', 'init', '--encryption', encryption, arguments.path] cmd = ['borg', 'init', '--encryption', encryption, arguments.path]
run(cmd, arguments=arguments) run(cmd, arguments)
def subcommand_init(arguments): def subcommand_init(arguments):
@ -125,19 +122,18 @@ def subcommand_init(arguments):
def subcommand_info(arguments): def subcommand_info(arguments):
"""Show repository information.""" """Show repository information."""
run(['borg', 'info', '--json', arguments.path], arguments=arguments) run(['borg', 'info', '--json', arguments.path], arguments)
def subcommand_list_repo(arguments): def subcommand_list_repo(arguments):
"""List repository contents.""" """List repository contents."""
run(['borg', 'list', '--json', arguments.path], arguments=arguments) run(['borg', 'list', '--json', arguments.path], arguments)
def subcommand_create_archive(arguments): def subcommand_create_archive(arguments):
"""Create archive.""" """Create archive."""
paths = filter(os.path.exists, arguments.paths) paths = filter(os.path.exists, arguments.paths)
run(['borg', 'create', '--json', arguments.path] + list(paths), run(['borg', 'create', '--json', arguments.path] + list(paths), arguments)
arguments=arguments)
def subcommand_delete_archive(arguments): def subcommand_delete_archive(arguments):
@ -145,23 +141,20 @@ def subcommand_delete_archive(arguments):
run(['borg', 'delete', arguments.path], arguments) run(['borg', 'delete', arguments.path], arguments)
def _extract(archive_path, destination, locations=None, env=None): def _extract(archive_path, destination, arguments, locations=None):
"""Extract archive contents.""" """Extract archive contents."""
if not env:
env = dict(os.environ)
env['LANG'] = 'C.UTF-8'
prev_dir = os.getcwd() prev_dir = os.getcwd()
borg_call = ['borg', 'extract', archive_path] borg_call = ['borg', 'extract', archive_path]
# do not extract any files when we get an empty locations list # do not extract any files when we get an empty locations list
if locations is not None: if locations is not None:
borg_call.extend(locations) borg_call.extend(locations)
try: try:
os.chdir(os.path.expanduser(destination)) os.chdir(os.path.expanduser(destination))
# TODO: with python 3.7 use subprocess.run with the 'capture_output' # TODO: with python 3.7 use subprocess.run with the 'capture_output'
# argument # argument
process = subprocess.run(borg_call, env=env, stdout=subprocess.PIPE, process = run(borg_call, arguments, check=False,
stderr=subprocess.PIPE) stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if process.returncode != 0: if process.returncode != 0:
error = process.stderr.decode() error = process.stderr.decode()
# Don't fail on the borg error when no files were matched # Don't fail on the borg error when no files were matched
@ -175,47 +168,44 @@ def _extract(archive_path, destination, locations=None, env=None):
def subcommand_export_tar(arguments): def subcommand_export_tar(arguments):
"""Export archive contents as tar stream on stdout.""" """Export archive contents as tar stream on stdout."""
run(['borg', 'export-tar', arguments.path, '-', '--tar-filter=gzip'], run(['borg', 'export-tar', arguments.path, '-', '--tar-filter=gzip'],
arguments=arguments) arguments)
def _read_archive_file(archive, filepath, env=None): def _read_archive_file(archive, filepath, arguments):
"""Read the content of a file inside an archive""" """Read the content of a file inside an archive"""
arguments = ['borg', 'extract', archive, filepath, '--stdout'] borg_call = ['borg', 'extract', archive, filepath, '--stdout']
return subprocess.check_output(arguments, env=env).decode() return run(borg_call, arguments, stdout=subprocess.PIPE).stdout.decode()
def subcommand_get_archive_apps(arguments): def subcommand_get_archive_apps(arguments):
"""Get list of apps included in archive.""" """Get list of apps included in archive."""
env = get_env(arguments)
manifest_folder = os.path.relpath(MANIFESTS_FOLDER, '/') manifest_folder = os.path.relpath(MANIFESTS_FOLDER, '/')
borg_call = [ borg_call = [
'borg', 'list', arguments.path, manifest_folder, '--format', 'borg', 'list', arguments.path, manifest_folder, '--format',
'{path}{NEWLINE}' '{path}{NEWLINE}'
] ]
timeout = None
if 'BORG_RSH' in env and 'SSHPASS' not in env:
timeout = TIMEOUT
try: try:
manifest_path = subprocess.check_output(borg_call, env=env, borg_process = run(borg_call, arguments, stdout=subprocess.PIPE)
timeout=timeout).decode()\ manifest_path = borg_process.stdout.decode().strip()
.strip()
except subprocess.CalledProcessError: except subprocess.CalledProcessError:
sys.exit(1) sys.exit(1)
manifest = None manifest = None
if manifest_path: if manifest_path:
manifest_data = _read_archive_file(arguments.path, manifest_path, manifest_data = _read_archive_file(arguments.path, manifest_path,
env=env) arguments)
manifest = json.loads(manifest_data) manifest = json.loads(manifest_data)
if manifest: if manifest:
for app in _get_apps_of_manifest(manifest): for app in _get_apps_of_manifest(manifest):
print(app['name']) print(app['name'])
def _get_apps_of_manifest(manifest): def _get_apps_of_manifest(manifest):
""" """Get apps of a manifest.
Get apps of a manifest.
Supports both dict format as well as list format of plinth <=0.42 Supports both dict format as well as list format of plinth <=0.42
""" """
if isinstance(manifest, list): if isinstance(manifest, list):
apps = manifest apps = manifest
@ -246,19 +236,16 @@ def subcommand_get_exported_archive_apps(arguments):
def subcommand_restore_archive(arguments): def subcommand_restore_archive(arguments):
"""Restore files from an archive.""" """Restore files from an archive."""
env = get_env(arguments) _locations = json.loads(arguments.stdin)
locations_data = ''.join(sys.stdin)
_locations = json.loads(locations_data)
locations = _locations['directories'] + _locations['files'] locations = _locations['directories'] + _locations['files']
locations = [os.path.relpath(location, '/') for location in locations] locations = [os.path.relpath(location, '/') for location in locations]
_extract(arguments.path, arguments.destination, locations=locations, _extract(arguments.path, arguments.destination, arguments,
env=env) locations=locations)
def subcommand_restore_exported_archive(arguments): def subcommand_restore_exported_archive(arguments):
"""Restore files from an exported archive.""" """Restore files from an exported archive."""
locations_data = ''.join(sys.stdin) locations = json.loads(arguments.stdin)
locations = json.loads(locations_data)
with tarfile.open(arguments.path) as tar_handle: with tarfile.open(arguments.path) as tar_handle:
for member in tar_handle.getmembers(): for member in tar_handle.getmembers():
@ -272,51 +259,39 @@ def subcommand_restore_exported_archive(arguments):
break break
def read_password(): def _read_encryption_passphrase(arguments):
"""Read the password from stdin.""" """Read encryption passphrase from stdin."""
if sys.stdin.isatty(): if arguments.stdin:
return '' try:
return json.loads(arguments.stdin)['encryption_passphrase']
except KeyError:
pass
return ''.join(sys.stdin) return None
def get_env(arguments, use_credentials=False): def get_env(arguments):
"""Create encryption and ssh kwargs out of given arguments""" """Create encryption and ssh kwargs out of given arguments"""
env = dict(os.environ, BORG_RELOCATED_REPO_ACCESS_IS_OK='yes') env = dict(os.environ, BORG_RELOCATED_REPO_ACCESS_IS_OK='yes',
# always provide BORG_PASSPHRASE (also if empty) so borg does not get stuck LANG='C.UTF-8')
# Always provide BORG_PASSPHRASE (also if empty) so borg does not get stuck
# while asking for a passphrase. # while asking for a passphrase.
passphrase = arguments.encryption_passphrase or '' encryption_passphrase = _read_encryption_passphrase(arguments)
env['BORG_PASSPHRASE'] = passphrase env['BORG_PASSPHRASE'] = encryption_passphrase or ''
if use_credentials:
if arguments.ssh_keyfile:
env['BORG_RSH'] = 'ssh -i %s' % arguments.ssh_keyfile
else:
password = read_password()
if password:
env['SSHPASS'] = password
env['BORG_RSH'] = 'sshpass -e ssh -o StrictHostKeyChecking=yes'
else:
raise ValueError('could not find credentials')
return env return env
def run(cmd, arguments, check=True): def run(cmd, arguments, check=True, **kwargs):
"""Wrap the command with ssh password or keyfile authentication""" """Wrap the command with extra encryption passphrase handling."""
# Set a timeout to not get stuck if the remote server asks for a password. env = get_env(arguments)
timeout = None return subprocess.run(cmd, check=check, env=env, **kwargs)
use_credentials = False
if '@' in arguments.path:
timeout = TIMEOUT
use_credentials = True
env = get_env(arguments, use_credentials=use_credentials)
subprocess.run(cmd, check=check, env=env, timeout=timeout)
def main(): def main():
"""Parse arguments and perform all duties.""" """Parse arguments and perform all duties."""
arguments = parse_arguments() arguments = parse_arguments()
arguments.stdin = sys.stdin.read()
subcommand = arguments.subcommand.replace('-', '_') subcommand = arguments.subcommand.replace('-', '_')
subcommand_method = globals()['subcommand_' + subcommand] subcommand_method = globals()['subcommand_' + subcommand]

16
plinth/modules/backups/__init__.py
View File

@ -108,9 +108,13 @@ def _backup_handler(packet, encryption_passphrase=None):
paths = packet.directories + packet.files paths = packet.directories + packet.files
paths.append(manifest_path) paths.append(manifest_path)
arguments = ['create-archive', '--path', packet.path, '--paths'] + paths arguments = ['create-archive', '--path', packet.path, '--paths'] + paths
input_data = ''
if encryption_passphrase: if encryption_passphrase:
arguments += ['--encryption-passphrase', encryption_passphrase] input_data = json.dumps({
actions.superuser_run('backups', arguments) 'encryption_passphrase': encryption_passphrase
})
actions.superuser_run('backups', arguments, input=input_data.encode())
def get_exported_archive_apps(path): def get_exported_archive_apps(path):
@ -131,13 +135,15 @@ def _restore_exported_archive_handler(packet, encryption_passphrase=None):
def restore_archive_handler(packet, encryption_passphrase=None): def restore_archive_handler(packet, encryption_passphrase=None):
"""Perform restore operation on packet.""" """Perform restore operation on packet."""
locations = {'directories': packet.directories, 'files': packet.files} locations = {
'directories': packet.directories,
'files': packet.files,
'encryption_passphrase': encryption_passphrase
}
locations_data = json.dumps(locations) locations_data = json.dumps(locations)
arguments = [ arguments = [
'restore-archive', '--path', packet.path, '--destination', '/' 'restore-archive', '--path', packet.path, '--destination', '/'
] ]
if encryption_passphrase:
arguments += ['--encryption-passphrase', encryption_passphrase]
actions.superuser_run('backups', arguments, input=locations_data.encode()) actions.superuser_run('backups', arguments, input=locations_data.encode())

17
plinth/modules/backups/repository.py
View File

@ -93,13 +93,13 @@ class BorgRepository():
self.credentials = credentials self.credentials = credentials
@staticmethod @staticmethod
def _get_encryption_arguments(credentials): def _get_encryption_data(credentials):
"""Return '--encryption-passphrase' argument to backups call.""" """Return additional dictionary data to send to backups call."""
passphrase = credentials.get('encryption_passphrase', None) passphrase = credentials.get('encryption_passphrase', None)
if passphrase: if passphrase:
return ['--encryption-passphrase', passphrase] return {'encryption_passphrase': passphrase}
return [] return {}
@property @property
def repo_path(self): def repo_path(self):
@ -177,8 +177,10 @@ class BorgRepository():
return chunk return chunk
args = ['export-tar', '--path', self._get_archive_path(archive_name)] args = ['export-tar', '--path', self._get_archive_path(archive_name)]
args += self._get_encryption_arguments(self.credentials) input_data = json.dumps(self._get_encryption_data(self.credentials))
proc = self._run('backups', args, run_in_background=True) proc = self._run('backups', args, run_in_background=True)
proc.stdin.write(input_data.encode())
proc.stdin.close()
return BufferedReader(proc.stdout) return BufferedReader(proc.stdout)
def get_archive(self, name): def get_archive(self, name):
@ -375,8 +377,9 @@ class SshBorgRepository(BorgRepository):
if key not in self.KNOWN_CREDENTIALS: if key not in self.KNOWN_CREDENTIALS:
raise ValueError('Unknown credentials entry: %s' % key) raise ValueError('Unknown credentials entry: %s' % key)
arguments += self._get_encryption_arguments(self.credentials) input_data = json.dumps(self._get_encryption_data(self.credentials))
return self._run('backups', arguments, superuser=superuser) return self._run('backups', arguments, superuser=superuser,
input=input_data.encode())
def get_ssh_repositories(): def get_ssh_repositories():

5
plinth/modules/backups/tests/test_backups.py
View File

@ -146,10 +146,7 @@ def _append_borg_arguments(arguments, credentials):
kwargs = {} kwargs = {}
passphrase = credentials.get('encryption_passphrase', None) passphrase = credentials.get('encryption_passphrase', None)
if passphrase: if passphrase:
arguments += ['--encryption-passphrase', passphrase] kwargs['input'] = json.dumps({'encryption_passphrase': passphrase})
if 'ssh_password' in credentials and credentials['ssh_password']:
kwargs['input'] = credentials['ssh_password'].encode()
if 'ssh_keyfile' in credentials and credentials['ssh_keyfile']: if 'ssh_keyfile' in credentials and credentials['ssh_keyfile']:
arguments += ['--ssh-keyfile', credentials['ssh_keyfile']] arguments += ['--ssh-keyfile', credentials['ssh_keyfile']]