PageRenderTime 83ms CodeModel.GetById 48ms RepoModel.GetById 0ms app.codeStats 1ms

/ToMigrate/Raven.Database/Bundles/Encryption/Settings/EncryptionSettingsManager.cs

http://github.com/ayende/ravendb
C# | 246 lines | 199 code | 31 blank | 16 comment | 29 complexity | 6856741b52fcdccd6260e8e0a57a2751 MD5 | raw file
Possible License(s): GPL-3.0, MPL-2.0-no-copyleft-exception, LGPL-2.1, Apache-2.0, BSD-3-Clause, CC-BY-SA-3.0 
    

  1. using System;

    2. 

  2. using System.Configuration;

    3. 

  3. using System.IO;

    4. 

  4. using System.Linq;

    5. 

  5. using System.Security.Cryptography;

    6. 

  6. using System.Threading;

    7. 

  7. using Raven.Abstractions.Data;

    8. 

  8. using Raven.Abstractions.Json.Linq;

    9. 

  9. using Raven.Abstractions.Logging;

    10. 

  10. using Raven.Bundles.Encryption.Settings;

    11. 

  11. using Raven.Database.Common;

    12. 

  12. using Raven.Database.Config;

    13. 

  13. using Raven.Database.FileSystem;

    14. 

  14. using Raven.Database.Server.Abstractions;

    15. 

  15. using Raven.Json.Linq;

    16. 

  16. 

    17. 

  17. namespace Raven.Database.Bundles.Encryption.Settings

    18. 

  18. {

    19. 

  19.     internal static class EncryptionSettingsManager

    20. 

  20.     {

    21. 

  21.         private static readonly string EncryptionSettingsKeyInExtensionsState = Guid.NewGuid().ToString();

    22. 

  22.         private static readonly ILog log = LogManager.GetCurrentClassLogger();

    23. 

  23. 

    24. 

  24.         public static EncryptionSettings GetEncryptionSettingsForResource(IResourceStore resource)

    25. 

  25.         {

    26. 

  26.             var result = (EncryptionSettings)resource.ExtensionsState.GetOrAdd(EncryptionSettingsKeyInExtensionsState, _ =>

    27. 

  27.             {

    28. 

  28.                 var type = GetTypeFromName(resource.Configuration.Encryption.AlgorithmType);

    29. 

  29.                 var key = GetKeyFromBase64(resource.Configuration.Encryption.EncryptionKey, resource.Configuration.Encryption.EncryptionKeyBitsPreference);

    30. 

  30.                 var encryptIndexes = resource.Configuration.Encryption.EncryptIndexes;

    31. 

  31. 

    32. 

  32.                 return new EncryptionSettings(key, type, encryptIndexes, resource.Configuration.Encryption.EncryptionKeyBitsPreference);

    33. 

  33.             });

    34. 

  34. 

    35. 

  35.             return result;

    36. 

  36.         }

    37. 

  37. 

    38. 

  38.         /// <summary>

    39. 

  39.         /// A wrapper around Convert.FromBase64String, with extra validation and relevant exception messages.

    40. 

  40.         /// </summary>

    41. 

  41.         private static byte[] GetKeyFromBase64(string base64, int defaultEncryptionKeySize)

    42. 

  42.         {

    43. 

  43.             if (string.IsNullOrWhiteSpace(base64))

    44. 

  44.                 throw new ConfigurationErrorsException("The " + RavenConfiguration.GetKey(x => x.Encryption.EncryptionKey) + " setting must be set to an encryption key. "

    45. 

  45.                     + "The key should be in base 64, and should be at least " + Constants.MinimumAcceptableEncryptionKeyLength

    46. 

  46.                     + " bytes long. You may use EncryptionSettings.GenerateRandomEncryptionKey() to generate a key.\n"

    47. 

  47.                     + "If you'd like, here's a key that was randomly generated:\n"

    48. 

  48.                     + "<add key=\"Raven/Encryption/Key\" value=\""

    49. 

  49.                     + Convert.ToBase64String(EncryptionSettings.GenerateRandomEncryptionKey(defaultEncryptionKeySize))

    50. 

  50.                     + "\" />");

    51. 

  51. 

    52. 

  52.             try

    53. 

  53.             {

    54. 

  54.                 var result = Convert.FromBase64String(base64);

    55. 

  55.                 if (result.Length < Constants.MinimumAcceptableEncryptionKeyLength)

    56. 

  56.                     throw new ConfigurationErrorsException("The " + RavenConfiguration.GetKey(x => x.Encryption.EncryptionKey) + " setting must be at least "

    57. 

  57.                         + Constants.MinimumAcceptableEncryptionKeyLength + " bytes long.");

    58. 

  58. 

    59. 

  59.                 return result;

    60. 

  60.             }

    61. 

  61.             catch (FormatException e)

    62. 

  62.             {

    63. 

  63.                 throw new ConfigurationErrorsException("The " + RavenConfiguration.GetKey(x => x.Encryption.EncryptionKey) + " setting has an invalid base 64 value.", e);

    64. 

  64.             }

    65. 

  65.         }

    66. 

  66. 

    67. 

  67.         /// <summary>

    68. 

  68.         /// A wrapper around Type.GetType, with extra validation and a default value.

    69. 

  69.         /// </summary>

    70. 

  70.         private static Type GetTypeFromName(string typeName)

    71. 

  71.         {

    72. 

  72.             if (string.IsNullOrWhiteSpace(typeName))

    73. 

  73.                 return Constants.DefaultCryptoServiceProvider;

    74. 

  74. 

    75. 

  75.             var result = Type.GetType(typeName);

    76. 

  76. 

    77. 

  77.             if (result == null)

    78. 

  78.                 throw new ConfigurationErrorsException("Unknown type for encryption: " + typeName);

    79. 

  79. 

    80. 

  80.             if (!result.IsSubclassOf(typeof(System.Security.Cryptography.SymmetricAlgorithm)))

    81. 

  81.                 throw new ConfigurationErrorsException("The encryption algorithm type must be a subclass of System.Security.Cryptography.SymmetricAlgorithm.");

    82. 

  82.             if (result.IsAbstract)

    83. 

  83.                 throw new ConfigurationErrorsException("Cannot use an abstract type for an encryption algorithm.");

    84. 

  84. 

    85. 

  85.             return result;

    86. 

  86.         }

    87. 

  87. 

    88. 

  88.         /// <summary>

    89. 

  89.         /// Uses an encrypted document to verify that the encryption key is correct and decodes it to the right value.

    90. 

  90.         /// </summary>

    91. 

  91.         public static void VerifyEncryptionKey(RavenFileSystem fileSystem, EncryptionSettings settings)

    92. 

  92.         {

    93. 

  93.             RavenJObject config = null;

    94. 

  94.             try

    95. 

  95.             {

    96. 

  96.                 fileSystem.Storage.Batch(accessor =>

    97. 

  97.                 {

    98. 

  98.                     try

    99. 

  99.                     {

    100. 

  100.                         config = accessor.GetConfig(Constants.InResourceKeyVerificationDocumentName);

    101. 

  101.                     }

    102. 

  102.                     catch (FileNotFoundException)

    103. 

  103.                     {

    104. 

  104.                     }

    105. 

  105.                 });

    106. 

  106.             }

    107. 

  107.             catch (CryptographicException e)

    108. 

  108.             {

    109. 

  109.                 throw new ConfigurationErrorsException("The file system is encrypted with a different key and/or algorithm than the ones "

    110. 

  110.                     + "currently in the configuration file.", e);

    111. 

  111.             }

    112. 

  112. 

    113. 

  113.             if (config != null)

    114. 

  114.             {

    115. 

  115.                 if (!RavenJTokenEqualityComparer.Default.Equals(config, Constants.InResourceKeyVerificationDocumentContents))

    116. 

  116.                     throw new ConfigurationErrorsException("The file system is encrypted with a different key and/or algorithm than the ones is currently configured");

    117. 

  117.             }

    118. 

  118.             else

    119. 

  119.             {

    120. 

  120.                 // This is the first time the file system is loaded.

    121. 

  121.                 if (EncryptedFileExist(fileSystem))

    122. 

  122.                     throw new InvalidOperationException("The file system already has existing files, you cannot start using encryption now.");

    123. 

  123. 

    124. 

  124.                 var clonedDoc = (RavenJObject)Constants.InResourceKeyVerificationDocumentContents.CreateSnapshot();

    125. 

  125.                 fileSystem.Storage.Batch(accessor => accessor.SetConfig(Constants.InResourceKeyVerificationDocumentName, clonedDoc));

    126. 

  126.             }

    127. 

  127.         }

    128. 

  128. 

    129. 

  129.         /// <summary>

    130. 

  130.         /// Uses an encrypted document to verify that the encryption key is correct and decodes it to the right value.

    131. 

  131.         /// </summary>

    132. 

  132.         public static void VerifyEncryptionKey(DocumentDatabase database, EncryptionSettings settings)

    133. 

  133.         {

    134. 

  134.             JsonDocument doc;

    135. 

  135.             try

    136. 

  136.             {

    137. 

  137.                 doc = database.Documents.Get(Constants.InResourceKeyVerificationDocumentName);

    138. 

  138.             }

    139. 

  139.             catch (Exception e)

    140. 

  140.             {

    141. 

  141.                 if (e is CryptographicException)

    142. 

  142.                 {

    143. 

  143.                     throw new ConfigurationErrorsException("The database is encrypted with a different key and/or algorithm than the ones "

    144. 

  144.                                                        + "currently in the configuration file.", e);

    145. 

  145.                 }

    146. 

  146.                 if (settings.Codec.UsingSha1)

    147. 

  147.                     throw;

    148. 

  148.                 if (log.IsDebugEnabled)

    149. 

  149.                     log.Debug("Couldn't decrypt the database using MD5. Trying with SHA1.");

    150. 

  150.                 settings.Codec.UseSha1();

    151. 

  151.                 VerifyEncryptionKey(database, settings);

    152. 

  152.                 return;

    153. 

  153.             }

    154. 

  154. 

    155. 

  155.             if (doc != null)

    156. 

  156.             {

    157. 

  157.                 if (!RavenJTokenEqualityComparer.Default.Equals(doc.DataAsJson, Constants.InResourceKeyVerificationDocumentContents))

    158. 

  158.                     throw new ConfigurationErrorsException("The database is encrypted with a different key and/or algorithm than the ones "

    159. 

  159.                         + "currently in the configuration file.");

    160. 

  160.             }

    161. 

  161.             else

    162. 

  162.             {

    163. 

  163.                 // This is the first time the database is loaded.

    164. 

  164.                 if (EncryptedDocumentsExist(database))

    165. 

  165.                     throw new InvalidOperationException("The database already has existing documents, you cannot start using encryption now.");

    166. 

  166. 

    167. 

  167.                 var clonedDoc = (RavenJObject)Constants.InResourceKeyVerificationDocumentContents.CreateSnapshot();

    168. 

  168.                 database.Documents.Put(Constants.InResourceKeyVerificationDocumentName, null, clonedDoc, new RavenJObject(), null);

    169. 

  169.             }

    170. 

  170.         }

    171. 

  171. 

    172. 

  172.         private static bool EncryptedDocumentsExist(DocumentDatabase database)

    173. 

  173.         {

    174. 

  174.             const int pageSize = 10;

    175. 

  175.             int index = 0;

    176. 

  176.             while (true)

    177. 

  177.             {

    178. 

  178.                 var array = database.Documents.GetDocumentsAsJson(index, index + pageSize, null, CancellationToken.None);

    179. 

  179.                 if (array.Length == 0)

    180. 

  180.                 {

    181. 

  181.                     // We've gone over all the documents in the database, and none of them are encrypted.

    182. 

  182.                     return false;

    183. 

  183.                 }

    184. 

  184. 

    185. 

  185.                 if (array.All(x => EncryptionSettings.DontEncrypt(x.Value<RavenJObject>("@metadata").Value<string>("@id"))))

    186. 

  186.                 {

    187. 

  187.                     index += array.Length;

    188. 

  188.                     continue;

    189. 

  189.                 }

    190. 

  190.                 // Found a document which is encrypted

    191. 

  191.                 return true;

    192. 

  192.             }

    193. 

  193.         }

    194. 

  194. 

    195. 

  195.         private static bool EncryptedFileExist(RavenFileSystem fileSystem)

    196. 

  196.         {

    197. 

  197.             const int pageSize = 10;

    198. 

  198.             var start = Guid.Empty;

    199. 

  199. 

    200. 

  200.             bool foundEncryptedDoc = false;

    201. 

  201. 

    202. 

  202.             while (true)

    203. 

  203.             {

    204. 

  204.                 var foundMoreDocs = false;

    205. 

  205. 

    206. 

  206.                 fileSystem.Storage.Batch(accessor =>

    207. 

  207.                 {

    208. 

  208.                     var fileHeaders = accessor.GetFilesAfter(start, pageSize);

    209. 

  209. 

    210. 

  210.                     foreach (var fileHeader in fileHeaders)

    211. 

  211.                     {

    212. 

  212.                         foundMoreDocs = true;

    213. 

  213. 

    214. 

  214.                         if (EncryptionSettings.DontEncrypt(fileHeader.Name) == false)

    215. 

  215.                         {

    216. 

  216.                             foundEncryptedDoc = true;

    217. 

  217.                             break;

    218. 

  218.                         }

    219. 

  219. 

    220. 

  220.                         start = fileHeader.Etag;

    221. 

  221.                     }

    222. 

  222.                 });

    223. 

  223. 

    224. 

  224.                 if (foundEncryptedDoc || foundMoreDocs == false)

    225. 

  225.                     break;

    226. 

  226.             }

    227. 

  227. 

    228. 

  228.             return foundEncryptedDoc;

    229. 

  229.         }

    230. 

  230. 

    231. 

  231.         private static bool GetEncryptIndexesFromString(string value, bool defaultValue)

    232. 

  232.         {

    233. 

  233.             if (string.IsNullOrWhiteSpace(value))

    234. 

  234.                 return defaultValue;

    235. 

  235. 

    236. 

  236.             try

    237. 

  237.             {

    238. 

  238.                 return Convert.ToBoolean(value);

    239. 

  239.             }

    240. 

  240.             catch (Exception e)

    241. 

  241.             {

    242. 

  242.                 throw new ConfigurationErrorsException("Invalid boolean value for setting EncryptIndexes: " + value, e);

    243. 

  243.             }

    244. 

  244.         }

    245. 

  245.     }

    246. 

  246. }

    247. 

  247.