started working on adding support for encrypted scraper users

Author: mjarkk

.vscode/settings.json

@@ -0,0 +1,4 @@
+{
+    "deno.enable": true,
+    "deno.unstable": true
+}

README.md

@@ -53,13 +53,18 @@ go install github.com/script-development/rtcv_scraper_client/v2@v2.3.0
 
 ### *2.* Obtain a `env.json`
 
-Create a `env.json` file with the following content **(this file can also be obtained from the RTCV dashboard, tough note that you might need to add login_users yourself)**
+Create a `env.json` file with the following content **(this file can also be obtained from the RTCV dashboard, tough note that you need to add the `private_key` and `public_key` yourself)**
+
+The public and private key pair can be generated using the go program inside the [gen_key](./gen_key/) folder
+
 ```js
 {
     "primary_server": {
         "server_location": "http://localhost:4000",
         "api_key_id": "aa",
-        "api_key": "bbb"
+        "api_key": "bbb",
+        "private_key": "......",
+        "public_key": "......"
     },
     "alternative_servers": [
         // If you want to send CVs to multiple servers you can add additional servers here

crypto/crypto.go

@@ -0,0 +1,90 @@
+package crypto
+
+import (
+	crypto_rand "crypto/rand"
+	"encoding/base64"
+	"errors"
+	"log"
+
+	"golang.org/x/crypto/nacl/box"
+)
+
+func CreateKeys() (pubBase64 string, privBase64 string) {
+	pub, priv, err := box.GenerateKey(crypto_rand.Reader)
+	if err != nil {
+		log.Fatal(err)
+	}
+	return base64.StdEncoding.EncodeToString(pub[:]), base64.StdEncoding.EncodeToString(priv[:])
+}
+
+func LoadAndVerivyKeys(pubBase64 string, privBase64 string) *Key {
+	pubBytes, err := base64.StdEncoding.DecodeString(pubBase64)
+	if err != nil {
+		log.Fatal(err)
+	}
+	privBytes, err := base64.StdEncoding.DecodeString(privBase64)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if len(pubBytes) != 32 {
+		log.Fatal("base64 decoded public key is not 32 bytes long")
+	}
+	if len(privBytes) != 32 {
+		log.Fatal("base64 decoded private key is not 32 bytes long")
+	}
+
+	k := &Key{
+		pub:          new([32]byte),
+		PublicBase64: pubBase64,
+		priv:         new([32]byte),
+	}
+
+	copy(k.pub[:], pubBytes)
+	copy(k.priv[:], privBytes)
+
+	encryptedTest, err := box.SealAnonymous(nil, []byte("test"), k.pub, crypto_rand.Reader)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	decryptedTest, err := k.rawDecrypt(encryptedTest)
+	if err != nil {
+		log.Fatal("decryption failed, private and/or public key are probably incorrect")
+	}
+
+	if string(decryptedTest) != "test" {
+		log.Fatal("decrypted test message does not match the original message")
+	}
+
+	return k
+}
+
+type Key struct {
+	pub          *[32]byte
+	PublicBase64 string
+	priv         *[32]byte
+}
+
+func (k *Key) rawDecrypt(val []byte) ([]byte, error) {
+	decryptedValue, ok := box.OpenAnonymous(nil, val, k.pub, k.priv)
+	if !ok {
+		return nil, errors.New("decryption failed, either private/public/message are incorrect")
+	}
+	return decryptedValue, nil
+}
+
+func (k *Key) DecryptScraperPassword(encryptedPassword string) (string, error) {
+	encryptedPasswordBytes, err := base64.StdEncoding.DecodeString(encryptedPassword)
+	if err != nil {
+		return "", nil
+	}
+
+	passwordBytes, err := k.rawDecrypt(encryptedPasswordBytes)
+	if err != nil {
+		return "", nil
+	}
+
+	// Note that the first 32 bytes of a encrypted bytes are just junk to make the encrypted value harder to guess "hopefully"
+	return string(passwordBytes[32:]), nil
+}

gen_key/README.md

@@ -0,0 +1,5 @@
+# Generate scraper users encryption key pair
+
+```sh
+go run .
+```

gen_key/go.mod

@@ -0,0 +1,11 @@
+module github.com/script-development/gen_key
+
+go 1.18
+
+replace github.com/script-development/rtcv_scraper_client/v2 => ../
+
+require (
+	github.com/script-development/rtcv_scraper_client/v2 v2.4.0 // indirect
+	golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8 // indirect
+	golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 // indirect
+)

gen_key/go.sum

@@ -0,0 +1,27 @@
+github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
+github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/klauspost/compress v1.15.0 h1:xqfchp4whNFxn5A4XFyyYtitiWI8Hy5EW59jEwcyL6U=
+github.com/klauspost/compress v1.15.0/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/script-development/rtcv_scraper_client/v2 v2.4.0 h1:ZdxB15fyW1nTSdGg8K6ksiX/pWgrGHa74aO6XvbGMME=
+github.com/script-development/rtcv_scraper_client/v2 v2.4.0/go.mod h1:xP4vAvJLoCDkH5LLN2QM2xLE2zkTex0fu01o/zIffs0=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasthttp v1.37.0 h1:7WHCyI7EAkQMVmrfBhWTCOaeROb1aCBiTopx63LkMbE=
+github.com/valyala/fasthttp v1.37.0/go.mod h1:t/G+3rLek+CyY9bnIE+YlMRddxVAAGjhxndDB4i4C0I=
+github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
+golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8 h1:GIAS/yBem/gq2MUqgNIzUHW7cJMmx3TGZOrnyYaNQ6c=
+golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 h1:nhht2DYV/Sn3qOayu8lM+cU1ii9sTLUeBQwQQfUHtrs=
+golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

gen_key/main.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/script-development/rtcv_scraper_client/v2/crypto"
+)
+
+func main() {
+	pub, priv := crypto.CreateKeys()
+
+	fmt.Println("Generated keys:")
+	fmt.Println("don't lose these keys!!")
+
+	fmt.Println()
+	fmt.Println("Public key:")
+	fmt.Println(pub)
+	fmt.Println("Private key:")
+	fmt.Println(priv)
+
+	fmt.Println()
+	fmt.Println("Add them here your scrapers `env.json` file using")
+	envAddition, _ := json.MarshalIndent(map[string]any{
+		"primary_server": map[string]string{
+			"server_location": "..",
+			"api_key_id":      "..",
+			"api_key":         "..",
+			"private_key":     priv,
+			"public_key":      pub,
+		},
+	}, "", "  ")
+	fmt.Println(string(envAddition))
+
+	fmt.Println()
+	fmt.Println("Don't forget to add the Public Key to the scraper api key on the RT-CV dashboard")
+}

go.mod

@@ -1,11 +1,13 @@
 module github.com/script-development/rtcv_scraper_client/v2
 
-go 1.17
+go 1.18
 
 require github.com/valyala/fasthttp v1.37.0
 
 require (
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/klauspost/compress v1.15.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8 // indirect
+	golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 // indirect
 )

go.sum

@@ -8,12 +8,15 @@ github.com/valyala/fasthttp v1.37.0 h1:7WHCyI7EAkQMVmrfBhWTCOaeROb1aCBiTopx63LkM
 github.com/valyala/fasthttp v1.37.0/go.mod h1:t/G+3rLek+CyY9bnIE+YlMRddxVAAGjhxndDB4i4C0I=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8 h1:GIAS/yBem/gq2MUqgNIzUHW7cJMmx3TGZOrnyYaNQ6c=
+golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 h1:nhht2DYV/Sn3qOayu8lM+cU1ii9sTLUeBQwQQfUHtrs=
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

main.go

@@ -10,6 +10,8 @@ import (
 	"os/exec"
 	"sync"
 	"syscall"
+
+	"github.com/script-development/rtcv_scraper_client/v2/crypto"
 )
 
 // Env contains the structure of the .env file
@@ -23,22 +25,22 @@ type Env struct {
 func (e *Env) validate() error {
 	if e.MockMode {
 		if len(e.MockUsers) == 0 {
-			fmt.Println("\"mock_users\" is empty in env.json, most scrapers require at least one user to login.")
-			fmt.Println("For documentation about mocking see https://github.com/script-development/rtcv_scraper_client")
+			fmt.Println(`"mock_users" is empty in env.json, most scrapers require at least one user to login.`)
+			fmt.Println(`For documentation about mocking see https://github.com/script-development/rtcv_scraper_client`)
 			if e.MockUsers == nil {
 				e.MockUsers = []EnvUser{}
 			}
 		}
 		return nil
 	}
 
-	err := e.PrimaryServer.validate()
+	err := e.PrimaryServer.validate(true)
 	if err != nil {
 		return fmt.Errorf("primary_server.%s", err.Error())
 	}
 
 	for idx, server := range e.AlternativeServers {
-		err := server.validate()
+		err := server.validate(false)
 		if err != nil {
 			return fmt.Errorf("%s[%d].%s", "alternative_servers", idx, err.Error())
 		}
@@ -52,9 +54,11 @@ type EnvServer struct {
 	ServerLocation string `json:"server_location"`
 	APIKeyID       string `json:"api_key_id"`
 	APIKey         string `json:"api_key"`
+	PrivateKey     string `json:"private_key"`
+	PublicKey      string `json:"public_key"`
 }
 
-func (e *EnvServer) validate() error {
+func (e *EnvServer) validate(isPrimary bool) error {
 	if e.ServerLocation == "" {
 		return errors.New("server_location is required")
 	}
@@ -64,6 +68,23 @@ func (e *EnvServer) validate() error {
 	if e.APIKey == "" {
 		return errors.New("api_key is required")
 	}
+	if isPrimary {
+		if e.PrivateKey == "" && e.PublicKey == "" {
+			return errors.New(`"public_key" and "private_key" required by "primary_server"`)
+		} else if e.PrivateKey == "" {
+			return errors.New(`"private_key" required by "primary_server"`)
+		} else if e.PublicKey == "" {
+			return errors.New(`"public_key" required by "primary_server"`)
+		}
+	} else {
+		if e.PrivateKey != "" && e.PublicKey != "" {
+			fmt.Println("WARN: public_key and private_key pairs are not used by alternative servers")
+		} else if e.PrivateKey != "" {
+			fmt.Println("WARN: private_key not used by alternative servers")
+		} else if e.PublicKey != "" {
+			fmt.Println("WARN: public_key not used by alternative servers")
+		}
+	}
 
 	return nil
 }
@@ -79,8 +100,9 @@ func (e *EnvServer) toCredArg(isPrimary bool) SetCredentialsArg {
 
 // EnvUser contains the structure of the login_users inside the .env file
 type EnvUser struct {
-	Username string `json:"username"`
-	Password string `json:"password"`
+	Username          string `json:"username"`
+	Password          string `json:"password"`
+	EncryptedPassword string `json:"encryptedPassword,omitempty"`
 }
 
 func main() {
@@ -120,16 +142,17 @@ func main() {
 		credentials = append(credentials, server.toCredArg(false))
 	}
 
-	loginUsers := []EnvUser{}
+	var loginUsers []EnvUser
 	if !env.MockMode {
 		err = api.SetCredentials(credentials)
 		if err != nil {
 			log.Fatal(err)
 		}
+		decryptionKey := crypto.LoadAndVerivyKeys(env.PrimaryServer.PublicKey, env.PrimaryServer.PrivateKey)
 
 		fmt.Println("credentials set")
 		fmt.Println("testing connections..")
-		loginUsers = testServerConnections(api, credentials[0].APIKeyID)
+		loginUsers = testServerConnections(api, credentials[0].APIKeyID, decryptionKey)
 		fmt.Println("connected to RTCV")
 	} else {
 		api.SetMockMode()
@@ -165,7 +188,7 @@ func main() {
 	}
 }
 
-func testServerConnections(api *API, apiKeyID string) []EnvUser {
+func testServerConnections(api *API, apiKeyID string, decryptionKey *crypto.Key) []EnvUser {
 	var wg sync.WaitGroup
 
 	for _, conn := range api.connections {
@@ -201,17 +224,38 @@ func testServerConnections(api *API, apiKeyID string) []EnvUser {
 	}
 
 	scraperUsers := struct {
-		Users []EnvUser `json:"users"`
+		ScraperPublicKey string    `json:"scraperPubKey"`
+		Users            []EnvUser `json:"users"`
 	}{}
 	err := api.connections[0].Get("/api/v1/scraperUsers/"+apiKeyID, &scraperUsers)
-
-	// Wait for the connections above to complete checking before we do this error check but do the request already so we don't have to wait for that
-	// If one of the connections has an error they will throw
-	wg.Wait()
-
 	if err != nil {
+		// Wait for the connections above to complete checking before we do this error check but do the request already so we don't have to wait for that
+		// If one of the connections has an error they will throw
+		wg.Wait()
 		log.Fatal(err)
 	}
 
-	return scraperUsers.Users
+	if scraperUsers.ScraperPublicKey != "" && scraperUsers.ScraperPublicKey != decryptionKey.PublicBase64 {
+		log.Fatal("the env.json provided contains a diffrent public key than registered in RTCV, scraper users won't be able to be decrypted")
+	}
+
+	loginUsers := []EnvUser{}
+	for _, user := range scraperUsers.Users {
+		if user.EncryptedPassword != "" {
+			user.Password, err = decryptionKey.DecryptScraperPassword(user.EncryptedPassword)
+			if err != nil {
+				log.Fatal("unable to decrypt password for user " + user.Username + ", error: " + err.Error())
+			}
+			loginUsers = append(loginUsers, user)
+		} else if user.Password != "" {
+			loginUsers = append(loginUsers, user)
+		} else {
+			fmt.Println("WARN: unusable login user", user.Username)
+		}
+		loginUsers = append(loginUsers, user)
+	}
+
+	wg.Wait()
+
+	return loginUsers
 }