Random fixes

Version2-Ideas.md

@@ -18,24 +18,6 @@ These are the things I'd like to change someday.
 
 There should be one program, with subcommands that have names that make more sense:
 
-* `blackbox init`
-* `blackbox info`
-* `blackbox admin add <key>`
-* `blackbox admin remove <key>`
-* `blackbox admin list`
-* `blackbox files add`
-* `blackbox files list`
-* `blackbox files remove`
-* `blackbox encrypt <filename> ...`
-* `blackbox decrypt <filename> ...`
-* `blackbox cat <filename> ...`
-* `blackbox edit <filename> ...`
-* `blackbox reencrypt`
-* `blackbox shred`
-* `blackbox diff <filename> ...`
-* `blackbox files list-unchanged`
-* `blackbox files list-changed`
-
 * `blackbox admin add <key>`
 * `blackbox admin list`
 * `blackbox admin remove <key>`
@@ -44,23 +26,14 @@ There should be one program, with subcommands that have names that make more sen
 * `blackbox diff <filename> ...`
 * `blackbox edit <filename> ...`
 * `blackbox encrypt <filename> ...`
-* `blackbox file add`
+* `blackbox file add <filename> ...`
 * `blackbox file list`
-* `blackbox file remove`
+* `blackbox file remove <filename> ...`
 * `blackbox info`
 * `blackbox init`
 * `blackbox reencrypt`
-* `blackbox shred`
-* `blackbox status all`
-* `blackbox status changed`
-* `blackbox status unchanged`
-
-
-Flags where appropriate
-
-* -verbose -v
-* -noshred
-* -debug
+* `blackbox shred --all|<filename> ...`
+* `blackbox status --all|<filename> ...`
 
 Backwards compatibility: The old scripts will be rewritten to use the new commands.
 

integrationTest/NOTES.txt

@@ -0,0 +1,83 @@
+
+
+
+Something like...
+
+# Startup
+* Create a repo (git, none)
+
+# Test basic operations:
+* As Alice:
+  * initialize blackbox, add her keys to it, see that the usual files
+    exist. See her name in bb-admins.txt
+  * encrypt a file, see that the plaintext is deleted, see the file in bb-files.txt
+  * decrypt the file, see the original plaintext is recovered.
+  * Encrypt a file --noshred.
+  * Decrypt the file, it should fail as the plaintext exists.
+  * Remove the plaintext.
+  * Decrypt the file, it should fail as the plaintext exists.
+
+# Test hand-off from Alice to Bob.
+* As Bob
+    * add himself to the admins.
+* As Alice
+    * Update-all-files
+    * Create a new file. Encrypt it.
+* As Bob
+    * Decrypt both files
+    * Verify contents of the new file, and the file from previous.
+    * Create a new file. Encrypt it.
+* As Alice:
+    * Decrypt all files.
+    * Verify contents of the 3 plaintext files.
+
+# Test a git-less directory
+* Copy the old repo somewhere. Remove the .git directory.
+* As Alice:
+    * Decrypt all
+    * Verify plaintext contents
+
+# Test post-deploy with/without GID
+* Back at the original repo:
+* Shred all
+* Run post-deploy. Verify.
+* Shred all
+* Run post-deploy with a custom GID. Verify.
+
+# Test removing an admin
+* As Bob:
+    * removes Alice. (Verify)
+    * Re-encrypt
+    * Decrypt all & verify.
+* As alice
+    * Decrypting should fail.
+
+# Test funny names and paths
+    * my/path/to/relsecrets.txt
+    * cwd=other/place ../../my/path/to/relsecrets.txt
+    * !important!.txt
+    * #andpounds.txt
+    * stars*bars?.txt
+    * space space.txt
+* Do add/encrypt/decrypt
+* Do blackbox_update_all_files
+* Do remove them all
+
+# When people start asking for commands to work with relative paths
+# Test from outside the repo
+* mkdir ../other/place
+* cd    ../other/place
+* decrypt ../../secret1.txt
+* encrypt ../../secret1.txt
+
+# Test specific commands:
+# blackbox admins list
+# blackbox file list
+# blackbox status --name-only (create 1 of each "type")
+# blackbox status --type=FOO
+
+# These should all fail:
+# blackbox file list --all
+# blackbox file list blah
+# blackbox shred list --all
+# blackbox shred list blah

pkg/box/verbs.go

@@ -143,14 +143,18 @@ func (bx *Box) Info() error {
 		logErr.Printf("getFiles error: %v", err)
 	}
 
-	fmt.Println("BLACKBOX:")
-	fmt.Printf("bx.ConfigDir=%q\n", bx.ConfigDir)
 	//fmt.Printf("bx.Admins=%q\n", bx.Admins)
-	fmt.Printf("len(bx.Admins)=%v\n", len(bx.Admins))
 	//fmt.Printf("bx.Files=%q\n", bx.Files)
-	fmt.Printf("len(bx.Files)=%v\n", len(bx.Files))
-	fmt.Printf("bx.Vcs=%v\n", bx.Vcs)
-	fmt.Printf("bx.VcsName=%q\n", bx.VcsName)
+
+	fmt.Println("BLACKBOX:")
+	fmt.Printf("      ConfigDir: %q\n", bx.ConfigDir)
+	fmt.Printf("    RepoBaseDir: %q\n", bx.RepoBaseDir)
+	fmt.Printf("         Admins: count=%v\n", len(bx.Admins))
+	fmt.Printf("          Files: count=%v\n", len(bx.Files))
+	fmt.Printf("            Vcs: %v\n", bx.Vcs)
+	fmt.Printf("        VcsName: %q\n", bx.VcsName)
+	fmt.Printf("        Crypter: %v\n", bx.Crypter)
+	fmt.Printf("    CrypterName: %q\n", bx.CrypterName)
 
 	return nil
 }

pkg/crypters/gnupg/gnupg.go

@@ -3,6 +3,7 @@ package gnupg
 import (
 	"os"
 	"os/exec"
+	"syscall"
 
 	"github.com/StackExchange/blackbox/v2/pkg/bbutil"
 	"github.com/StackExchange/blackbox/v2/pkg/crypters"
@@ -41,16 +42,14 @@ func (crypt CrypterHandle) Decrypt(name string, overwrite bool, umask int) error
 		_ = os.Remove(name)
 	}
 
-	crypt.prepareKeyChain()
-
-	//oldumask := syscall.Umask(umask)
+	oldumask := syscall.Umask(umask)
 	err := bbutil.RunBash(crypt.GPGCmd,
 		"--use-agent",
 		"-q",
 		"--decrypt",
 		"-o", name,
 		name+".gpg",
 	)
-	//syscall.Umask(oldumask)
+	syscall.Umask(oldumask)
 	return err
 }

pkg/crypters/gnupg/keychain.go

@@ -0,0 +1,107 @@
+package gnupg
+
+/*
+
+# How does Blackbox manage key rings?
+
+Blackbox uses the user's .gnupg directory for most actions, such as decrypting data.
+Decrypting requires the user's private key, which is stored by the user in their
+home directory (and up to them to store safely).
+Black box does not store the user's private key in the repo.
+
+When encrypting data, black needs the public key of all the admins, not just the users.
+To assure that the user's `.gnupg` has all these public keys, prior to
+encrypting data the public keys are imported from .blackbox, which stores
+a keychain that stores the public (not private!) keys of all the admins.
+
+FYI: v1 does this import before decrypting, because I didn't know any better.
+
+# Binary compatibility:
+
+When writing v1, we didn't realize that the pubkey.gpg file is a binary format
+that is not intended to be portable. In fact, it is intentionally not portable.
+This means that all admins must use the exact same version of GnuPG
+or the files (pubring.gpg or pubring.kbx) may get corrupted.
+
+In v2, we store the public keys in the portable ascii format
+in a file called `.blackbox/public-keys-db.asc`.
+It will also update the binary files if they exist.
+If `.blackbox/public-keys-db.asc` doesn't exist, it will be created.
+
+Eventually we will stop updating the binary files.
+
+# Importing public keys to the user
+
+How to import the public keys to the user's GPG system:
+
+If pubkeyring-ascii.txt exists:
+	gpg --import pubkeyring-ascii.asc
+Else if pubring.kbx
+	gpg --import pubring.kbx
+Else if pubring.gpg
+	gpg --import pubring.gpg
+
+This is what v1 does:
+  #if gpg2 is installed next to gpg like on ubuntu 16
+  if [[ "$GPG" != "gpg2" ]]; then
+    $GPG --export --no-default-keyring --keyring "$(get_pubring_path)" >"$keyringasc"
+    $GPG --import "$keyringasc" 2>&1 | egrep -v 'not changed$' >&2
+  else
+    $GPG --keyring "$(get_pubring_path)" --export | $GPG --import
+  fi
+
+# How to add a key to the keyring?
+
+Old, binary format:
+    # Get the key they want to add:
+        FOO is a user-specified directory, otherwise $HOME/.gnupg:
+	    $GPG --homedir="FOO" --export -a "$KEYNAME" >TEMPFILE
+	# Import into the binary files:
+	    KEYRINGDIR is .blackbox
+        $GPG --no-permission-warning --homedir="$KEYRINGDIR" --import TEMPFILE
+	# Git add any of these files if they exist:
+	    pubring.gpg pubring.kbx trustdb.gpg blackbox-admins.txt
+	# Tell the user to git commit them.
+
+New, ascii format:
+	# Get the key to be added.  Write to a TEMPFILE
+        FOO is a user-specified directory, otherwise $HOME/.gnupg:
+	    $GPG --homedir="FOO" --export -a "$KEYNAME" >TEMPFILE
+	# Make a tempdir called TEMPDIR
+	# Import the pubkeyring-ascii.txt to TEMPDIR's keyring. (Skip if file not found)
+	# Import the temp1 data to TEMPDIR
+	# Export the TEMPDIR to create a new .blackbox/pubkeyring-ascii.txt
+	    PATH_TO_BINARY is the path to .blackbox/pubring.gpg; if that's not found then pubring.kbx
+        $GPG --keyring PATH_TO_BINARY --export -a --output .blackbox/pubkeyring-ascii.txt
+	# Git add .blackbox/pubkeyring-ascii.txt and .blackbox/blackbox-admins.txt
+	# Tell the user to git commit them.
+	# Delete TEMPDIR
+
+# How to remove a key from the keyring?
+
+Old, binary format:
+    # Remove key from the binary file
+    $GPG --no-permission-warning --homedir="$KEYRINGDIR" --batch --yes --delete-key "$KEYNAME" || true
+	# Git add any of these files if they exist:
+	    pubring.gpg pubring.kbx trustdb.gpg blackbox-admins.txt
+	# Tell the user to git commit them.
+
+New, ascii format:
+	# Make a tempdir called TEMPDIR
+	# Import the pubkeyring-ascii.txt to TEMPDIR's keyring. (Skip if file not found)
+    # Remove key from the ring file
+    $GPG --no-permission-warning --homedir="$KEYRINGDIR" --batch --yes --delete-key "$KEYNAME" || true
+	# Export the TEMPDIR to create a new .blackbox/pubkeyring-ascii.txt
+	    PATH_TO_BINARY is the path to .blackbox/pubring.gpg; if that's not found then pubring.kbx
+        $GPG --keyring PATH_TO_BINARY --export -a --output .blackbox/pubkeyring-ascii.txt
+	# Git add .blackbox/pubkeyring-ascii.txt and .blackbox/blackbox-admins.txt
+	# Update the .blackbox copy of pubring.gpg, pubring.kbx, or trustdb.gpg (if they exist)
+	#     with copies from TEMPDIR (if they exist).  Git add any files that are updated.
+	# Tell the user to git commit them.
+	# Delete TEMPDIR
+
+*/
+
+func prepareUserKeychain() error {
+	return nil
+}