Switch from app_dirs2 to etcetera, upgrade secrecy (#575)

* Switch from app_dirs2 to etcetera. * Start update to secrecy 0.10. * Updates for upgrade to secrecy. * fix: Update all calls to SecretString::new by instead calling .into() to perform the conversion * fix: Update SecretString::new calls to use .into() in crates/sdk/src/vault/gatekeeper.rs * Complete secrecy upgrade. Requires new version of pinentry and age to be published.
saveoursecrets · Oct 26, 2024 · 9746f14 · 9746f14
1 parent ecac0f5
commit 9746f14
Show file tree

Hide file tree

Showing 31 changed files with 266 additions and 307 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -21,7 +21,7 @@ thiserror = "1"
 anyhow = "1"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3.16", features = ["env-filter"] }
-secrecy = { version = "0.8", features = ["serde"] }
+secrecy = { version = "0.10", features = ["serde"] }
 serde = { version = "1", features = ["derive"] }
 tokio = { version = "1", features = ["rt", "rt-multi-thread", "macros", "time", "sync"]}
 serde_json = "1"

diff --git a/crates/integration_tests/tests/local_account/security_report.rs b/crates/integration_tests/tests/local_account/security_report.rs
@@ -93,7 +93,7 @@ async fn simulate_session(
     // Create a weak account secret
     let weak_secret = Secret::Account {
         account: "[email protected]".to_string(),
-        password: secrecy::SecretString::new("test".to_string()),
+        password: "test".to_string().into(),
         url: Default::default(),
         user_data: Default::default(),
     };

diff --git a/crates/sdk/Cargo.toml b/crates/sdk/Cargo.toml
@@ -71,13 +71,13 @@ chacha20poly1305 = { version = "0.10.1", features = ["std"] }
 filetime = "0.2"
 argon2 = { version = "0.5", features = ["std"]}
 balloon-hash = { version = "0.4", features = ["std"]}
-app_dirs2 = "2"
+etcetera = "0.8"
 pem = { version = "3", features = ["serde"] }
 zxcvbn = { version = "3.0.1", features = ["ser"] }
 totp-rs = { version = "5.5", features = ["qr", "serde_support", "zeroize"] }
 vcard4 = { version = "0.5", features = ["serde"] }
 async-once-cell = "0.5"
-age = { version = "0.10", features = ["async"] }
+age = { version = "0.10", features = ["async"], git = "https://github.com/tmpfs/rage", branch = "secrecy-0.10" }
 ed25519-dalek = { version = "2.1.1", features = ["rand_core"] }
 urn = { version = "0.7", features = ["serde"] }
 walkdir = "2"

diff --git a/crates/sdk/src/account/archive/zip.rs b/crates/sdk/src/account/archive/zip.rs
@@ -353,7 +353,6 @@ mod test {
     use super::*;
     use crate::{encode, identity::IdentityFolder, vault::Vault, Paths};
     use anyhow::Result;
-    use secrecy::SecretString;
     use std::io::Cursor;
 
     #[tokio::test]
@@ -366,7 +365,7 @@ mod test {
 
         let identity_vault = IdentityFolder::new(
             "Mock".to_string(),
-            SecretString::new("mock-password".to_string()),
+            "mock-password".to_string().into(),
             Some(dir.path().to_owned()),
         )
         .await?;

diff --git a/crates/sdk/src/crypto/cipher/x25519.rs b/crates/sdk/src/crypto/cipher/x25519.rs
@@ -19,8 +19,9 @@ pub async fn encrypt(
             })
             .collect();
 
-        let encryptor = age::Encryptor::with_recipients(recipients)
-            .ok_or_else(|| Error::NoRecipients)?;
+        let encryptor = age::Encryptor::with_recipients(
+            recipients.iter().map(|r| &**r as _),
+        )?;
         let mut ciphertext = Vec::new();
         let mut writer = encryptor.wrap_async_output(&mut ciphertext).await?;
         let mut reader = BufReader::new(plaintext);
@@ -44,10 +45,8 @@ pub async fn decrypt(
 ) -> Result<Vec<u8>> {
     if let Cipher::X25519 = cipher {
         let mut reader = BufReader::new(aead.ciphertext.as_slice());
-        let decryptor = match age::Decryptor::new_async(&mut reader).await? {
-            age::Decryptor::Recipients(d) => d,
-            _ => return Err(Error::NotRecipientEncryption),
-        };
+        let decryptor =
+            age::Decryptor::new_async_buffered(&mut reader).await?;
 
         let mut plaintext = vec![];
         let mut reader = decryptor

diff --git a/crates/sdk/src/crypto/key_derivation.rs b/crates/sdk/src/crypto/key_derivation.rs
@@ -135,8 +135,8 @@ pub trait Deriver<D: Digest> {
         let password_hash = self.hash_password(buffer.as_slice(), salt)?;
         let password_hash_string = password_hash.serialize();
         let hash = D::digest(password_hash_string.as_bytes());
-        Ok(DerivedPrivateKey::new(secrecy::Secret::new(
-            hash.as_slice().to_vec(),
+        Ok(DerivedPrivateKey::new(secrecy::SecretBox::new(
+            hash.as_slice().to_vec().into(),
         )))
     }
 }