feat: All encryption/decryption now happens in-memory.

Release-as: v0.3.0
This commit is contained in:
2026-06-16 10:06:30 -04:00
parent 41decd9cdb
commit fe2b256bd6
8 changed files with 94 additions and 104 deletions


@@ -1,7 +1,7 @@
# TODOs # TODOs
1. Encrypt/decrypt the database in memory. 1. Consider giving db its own allocator
2. **db.odin:324-327** — Map iteration (`remote_set`) is non-deterministic. Same file can produce different JSON on each backup, causing spurious DB diffs. Sort remotes before storing. 2. **db.odin:324-327** — Map iteration (`remote_set`) is non-deterministic. Same file can produce different JSON on each backup, causing spurious DB diffs. Sort remotes before storing.


@@ -75,7 +75,7 @@ envr_dir :: proc(config_path: string) -> string {
return filepath.dir(config_path) return filepath.dir(config_path)
} }
data_encrypted_path :: proc(config_path: string) -> string { data_path :: proc(config_path: string) -> string {
path, _ := filepath.join([]string{envr_dir(config_path), "data.envr"}) path, _ := filepath.join([]string{envr_dir(config_path), "data.envr"})
return path return path
} }


@@ -163,8 +163,8 @@ test_envr_dir :: proc(t: ^testing.T) {
} }
@(test) @(test)
test_data_encrypted_path :: proc(t: ^testing.T) { test_data_path :: proc(t: ^testing.T) {
p := data_encrypted_path("/tmp/envr-fake-home-datapath/config.json") p := data_path("/tmp/envr-fake-home-datapath/config.json")
defer delete(p) defer delete(p)
testing.expectf(t, strings.has_suffix(p, "data.envr"), "should end with data.envr, got %s", p) testing.expectf(t, strings.has_suffix(p, "data.envr"), "should end with data.envr, got %s", p)
testing.expectf(t, strings.contains(p, ".envr"), "should contain .envr dir, got %s", p) testing.expectf(t, strings.contains(p, ".envr"), "should contain .envr dir, got %s", p)

db.odin

@@ -66,7 +66,7 @@ db_open :: proc(cfg_path: string) -> (Db, bool) {
return Db{}, false return Db{}, false
} }
data_path := data_encrypted_path(cfg.config_path) data_path := data_path(cfg.config_path)
_, stat_err := os.stat(data_path, context.allocator) _, stat_err := os.stat(data_path, context.allocator)
db: ^rawptr db: ^rawptr
@@ -95,32 +95,31 @@ db_open :: proc(cfg_path: string) -> (Db, bool) {
} }
db_close :: proc(d: ^Db) { db_close :: proc(d: ^Db) {
defer sqlite.db_close(d.db)
if d.changed { if d.changed {
tmp_path := make_temp_path() rc := sqlite.db_exec(d.db, "VACUUM", nil, nil, nil)
if rc != sqlite.OK {
if !db_vacuum_to_file(d.db, tmp_path) { fmt.printf("Error vacuuming database: %s\n", sqlite.db_errmsg(d.db))
os.remove(tmp_path)
sqlite.db_close(d.db)
return return
} }
sqlite_data, read_err := os.read_entire_file_from_path(tmp_path, context.allocator) sz: i64
os.remove(tmp_path) data := sqlite.serialize(d.db, "main", &sz, 0)
if read_err != nil { if data == nil {
fmt.printf("Error reading vacuumed database: %v\n", read_err) fmt.println("Error: failed to serialize database")
sqlite.db_close(d.db)
return return
} }
defer sqlite.free(data)
sqlite_data := data[:sz]
encrypted, enc_ok := encrypt(sqlite_data, d.cfg.Keys[:]) encrypted, enc_ok := encrypt(sqlite_data, d.cfg.Keys[:])
delete(sqlite_data)
if !enc_ok { if !enc_ok {
fmt.println("Error: encryption failed") fmt.println("Error: encryption failed")
sqlite.db_close(d.db)
return return
} }
data_path := data_encrypted_path(d.cfg.config_path) data_path := data_path(d.cfg.config_path)
envr_d := envr_dir(d.cfg.config_path) envr_d := envr_dir(d.cfg.config_path)
os.mkdir_all(envr_d) os.mkdir_all(envr_d)
@@ -128,13 +127,11 @@ db_close :: proc(d: ^Db) {
delete(encrypted) delete(encrypted)
if write_err != nil { if write_err != nil {
fmt.printf("Error writing encrypted database: %v\n", write_err) fmt.printf("Error writing encrypted database: %v\n", write_err)
sqlite.db_close(d.db)
return return
} }
d.changed = false d.changed = false
} }
sqlite.db_close(d.db)
} }
// Caller is responsible for calling: // Caller is responsible for calling:
@@ -192,22 +189,12 @@ db_list :: proc(d: ^Db, allocator := context.allocator) -> (results: [dynamic]En
return return
} }
db_vacuum_to_file :: proc(db: ^rawptr, path: string) -> bool {
b: strings.Builder
strings.builder_init(&b)
defer strings.builder_destroy(&b)
fmt.sbprintf(&b, "VACUUM INTO '%s'", path)
rc := sqlite.db_exec(db, to_cstring(&b), nil, nil, nil)
if rc != sqlite.OK {
fmt.printf("Error vacuuming database: %s\n", sqlite.db_errmsg(db))
return false
}
return true
}
db_restore_from_encrypted :: proc(db: ^rawptr, cfg: Config) -> bool { db_restore_from_encrypted :: proc(db: ^rawptr, cfg: Config) -> bool {
data_path := data_encrypted_path(cfg.config_path) encrypted_data, read_err := os.read_entire_file_from_path(
encrypted_data, read_err := os.read_entire_file_from_path(data_path, context.temp_allocator) data_path(cfg.config_path),
context.allocator,
)
defer delete(encrypted_data)
if read_err != nil { if read_err != nil {
fmt.printf("Error reading encrypted database: %v\n", read_err) fmt.printf("Error reading encrypted database: %v\n", read_err)
return false return false
@@ -220,50 +207,32 @@ db_restore_from_encrypted :: proc(db: ^rawptr, cfg: Config) -> bool {
} }
defer delete(plaintext) defer delete(plaintext)
tmp_path := make_temp_path() n := i64(len(plaintext))
write_err := os.write_entire_file(tmp_path, plaintext) buf := sqlite.malloc64(n)
if write_err != nil { if buf == nil {
fmt.printf("Error writing temp database: %v\n", write_err) fmt.println("Error: failed to allocate buffer for deserialization")
return false return false
} }
defer os.remove(tmp_path) copy(buf[:len(plaintext)], plaintext)
if !db_attach_and_copy(db, tmp_path) { rc := sqlite.deserialize(
return false db,
} "main",
buf,
return true n,
} n,
sqlite.DESERIALIZE_FREEONCLOSE | sqlite.DESERIALIZE_RESIZEABLE,
db_attach_and_copy :: proc(mem_db: ^rawptr, src_path: string) -> bool {
b: strings.Builder
strings.builder_init(&b)
defer strings.builder_destroy(&b)
fmt.sbprintf(&b, "ATTACH DATABASE '%s' AS source", src_path)
rc := sqlite.db_exec(mem_db, to_cstring(&b), nil, nil, nil)
if rc != sqlite.OK {
fmt.printf("Error attaching database: %s\n", sqlite.db_errmsg(mem_db))
return false
}
rc = sqlite.db_exec(
mem_db,
"INSERT INTO main.envr_env_files SELECT * FROM source.envr_env_files",
nil,
nil,
nil,
) )
if rc != sqlite.OK { if rc != sqlite.OK {
fmt.printf("Error copying data: %s\n", sqlite.db_errmsg(mem_db)) sqlite.free(buf)
sqlite.db_exec(mem_db, "DETACH DATABASE source", nil, nil, nil) fmt.printf("Error deserializing database: %s\n", sqlite.db_errmsg(db))
return false return false
} }
sqlite.db_exec(mem_db, "DETACH DATABASE source", nil, nil, nil)
return true return true
} }
get_git_remotes :: proc(dir: string) -> [dynamic]string { get_git_remotes :: proc(dir: string) -> [dynamic]string {
remotes: [dynamic]string remotes: [dynamic]string
remote_set: map[string]bool remote_set: map[string]bool
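Review bot: The failure branch after `sqlite.deserialize` in `db_restore_from_encrypted` double-frees `buf`: the sqlite3_deserialize documentation states that when SQLITE_DESERIALIZE_FREEONCLOSE is set and the call fails, sqlite3_free() is invoked on the buffer before returning, so the explicit `sqlite.free(buf)` on the next line releases it a second time. Drop that call and treat SQLite as the owner of the buffer from the moment it is passed in, so the branch becomes `if rc != sqlite.OK { fmt.printf("Error deserializing database: %s\n", sqlite.db_errmsg(db)); return false }`. A second, smaller point: the serialized cleartext database in `db_close` (`data`, released by `defer sqlite.free(data)`) and the decrypted `plaintext` in the restore path are both freed without being wiped, so a copy of the decrypted contents lingers in freed heap; `mem.zero_explicit(data, int(sz))` (or `sodium_memzero`, if the project's libsodium binding exposes it) before each free would close that gap. `db_restore_from_encrypted` begins in an earlier hunk of this file, and the flag constants live in the sqlite binding file.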


@@ -136,7 +136,7 @@ test_encrypt_write_read_decrypt :: proc(t: ^testing.T) {
} }
@(test) @(test)
test_decrypt_then_attach_sqlite :: proc(t: ^testing.T) { test_decrypt_then_deserialize_sqlite :: proc(t: ^testing.T) {
cfg := fixture_config() cfg := fixture_config()
defer { defer {
delete(cfg.Keys) delete(cfg.Keys)
@@ -164,14 +164,6 @@ test_decrypt_then_attach_sqlite :: proc(t: ^testing.T) {
} }
defer delete(plaintext) defer delete(plaintext)
tmp_db_path := fmt.tprintf("/tmp/envr-test-attach-%d.db", os.get_pid())
write_err := os.write_entire_file(tmp_db_path, plaintext)
testing.expectf(t, write_err == nil, "failed to write temp db: %v", write_err)
if write_err != nil {
return
}
defer os.remove(tmp_db_path)
mem_db: ^rawptr mem_db: ^rawptr
rc := sqlite.db_open(":memory:", &mem_db) rc := sqlite.db_open(":memory:", &mem_db)
testing.expectf(t, rc == sqlite.OK, "failed to open in-memory db") testing.expectf(t, rc == sqlite.OK, "failed to open in-memory db")
@@ -180,12 +172,25 @@ test_decrypt_then_attach_sqlite :: proc(t: ^testing.T) {
} }
defer sqlite.db_close(mem_db) defer sqlite.db_close(mem_db)
create_sql: cstring = "CREATE TABLE IF NOT EXISTS envr_env_files (path TEXT PRIMARY KEY NOT NULL, remotes TEXT, sha256 TEXT NOT NULL, contents TEXT NOT NULL)" n := i64(len(plaintext))
rc = sqlite.db_exec(mem_db, create_sql, nil, nil, nil) buf := sqlite.malloc64(n)
testing.expect(t, rc == sqlite.OK, "failed to create table") testing.expect(t, buf != nil, "malloc64 should succeed")
if buf == nil do return
copy(buf[:len(plaintext)], plaintext)
attach_ok := db_attach_and_copy(mem_db, tmp_db_path) rc = sqlite.deserialize(
testing.expect(t, attach_ok, "failed to attach and copy") mem_db,
"main",
buf,
n,
n,
sqlite.DESERIALIZE_FREEONCLOSE | sqlite.DESERIALIZE_RESIZEABLE,
)
testing.expect(t, rc == sqlite.OK, "deserialize should succeed")
if rc != sqlite.OK {
sqlite.free(buf)
return
}
sql: cstring = "SELECT path FROM envr_env_files" sql: cstring = "SELECT path FROM envr_env_files"
stmt: ^rawptr stmt: ^rawptr
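Review bot: The failure branch after `sqlite.deserialize` calls `sqlite.free(buf)`, but with `DESERIALIZE_FREEONCLOSE` set SQLite already frees the buffer itself when the call fails (per the sqlite3_deserialize documentation), so a failing deserialize here would double-free and turn a clean assertion failure into a crash. Replace the branch with `if rc != sqlite.OK do return`. The body of `test_decrypt_then_deserialize_sqlite` continues past the end of this hunk.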


@@ -215,7 +215,7 @@ test_db_delete_sets_changed :: proc(t: ^testing.T) {
} }
@(test) @(test)
test_db_vacuum_to_file :: proc(t: ^testing.T) { test_db_serialize :: proc(t: ^testing.T) {
d, ok := make_test_db() d, ok := make_test_db()
testing.expect(t, ok, "failed to create test db") testing.expect(t, ok, "failed to create test db")
if !ok do return if !ok do return
@@ -225,20 +225,13 @@ test_db_vacuum_to_file :: proc(t: ^testing.T) {
defer delete(f.Remotes) defer delete(f.Remotes)
db_insert(&d, f) db_insert(&d, f)
vacuum_path := fmt.tprintf("/tmp/envr-test-vacuum-%d.db", os.get_pid()) sz: i64
defer os.remove(vacuum_path) data := sqlite.serialize(d.db, "main", &sz, 0)
testing.expect(t, data != nil, "serialize should return non-nil")
if data == nil do return
defer sqlite.free(data)
testing.expect(t, db_vacuum_to_file(d.db, vacuum_path), "vacuum should succeed") testing.expect(t, sz > 0, "serialized size should be > 0")
info, stat_err := os.stat(vacuum_path, context.allocator)
defer os.file_info_delete(info, context.allocator)
testing.expect(t, stat_err == nil, "vacuumed file should exist")
data, read_err := os.read_entire_file_from_path(vacuum_path, context.allocator)
testing.expect(t, read_err == nil, "should read vacuumed file")
defer delete(data)
testing.expect(t, len(data) > 0, "vacuumed file should be non-empty")
} }
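Review bot: `test_db_serialize` now only asserts that `sqlite.serialize` returns a non-nil buffer with `sz > 0`, which is weaker than the stat/read checks it replaces and says nothing about whether the image is a usable database. A cheap strengthening is to check the SQLite file header, `testing.expect(t, sz >= 100 && string(data[:15]) == "SQLite format 3", "serialized image should start with the SQLite header")`; a stronger one is to deserialize the image into a fresh `:memory:` connection and query back the row that `db_insert` stored, which would also cover the restore path this commit introduces.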
@(test) @(test)


@@ -11,11 +11,12 @@
}; };
outputs = outputs =
inputs@{ flake-parts inputs@{
, nixpkgs flake-parts,
, nixpkgs-unstable nixpkgs,
, self nixpkgs-unstable,
, treefmt-nix self,
treefmt-nix,
}: }:
flake-parts.lib.mkFlake { inherit inputs; } { flake-parts.lib.mkFlake { inherit inputs; } {
imports = [ imports = [
@@ -29,7 +30,18 @@
]; ];
perSystem = perSystem =
{ pkgs, system, inputs', ... }: { {
pkgs,
system,
inputs',
...
}:
let
mysqlite = pkgs.sqlite.overrideAttrs (old: {
configureFlags = (old.configureFlags or [ ]) ++ [ "--enable-deserialize" ];
});
in
{
_module.args.pkgs = import nixpkgs { _module.args.pkgs = import nixpkgs {
inherit system; inherit system;
config.allowUnfree = true; config.allowUnfree = true;
@@ -64,7 +76,7 @@
buildInputs = [ buildInputs = [
pkgs.libsodium pkgs.libsodium
pkgs.sqlite mysqlite
]; ];
buildPhase = '' buildPhase = ''
@@ -87,7 +99,7 @@
nushell nushell
libsodium libsodium
sqlite mysqlite
unstable.odin unstable.odin
unstable.ols unstable.ols
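Review bot: The `mysqlite` override passes `--enable-deserialize`, but SQLite has compiled the serialize/deserialize API in by default since 3.36.0 (it is now removed only via SQLITE_OMIT_DESERIALIZE), so against a current nixpkgs sqlite this override most likely rebuilds the library from source for no gain, and with SQLite's newer autosetup-based configure script the flag may not be recognised at all. Worth confirming against the sqlite version in the pinned nixpkgs; if it is 3.36 or later, drop the override and use `pkgs.sqlite` directly. If it has to stay, a comment above it recording the minimum version it is needed for, e.g. `# sqlite < 3.36 does not build sqlite3_serialize/deserialize by default`, would stop the next maintainer from guessing.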


@@ -8,6 +8,9 @@ OK :: 0
ROW :: 100 ROW :: 100
DONE :: 101 DONE :: 101
DESERIALIZE_FREEONCLOSE :: 1
DESERIALIZE_RESIZEABLE :: 2
foreign lib { foreign lib {
@(link_name="sqlite3_open") @(link_name="sqlite3_open")
db_open :: proc(filename: cstring, ppDb: ^^rawptr) -> c.int --- db_open :: proc(filename: cstring, ppDb: ^^rawptr) -> c.int ---
@@ -31,4 +34,12 @@ foreign lib {
bind_text :: proc(stmt: ^rawptr, idx: c.int, val: cstring, n: c.int, destructor: rawptr) -> c.int --- bind_text :: proc(stmt: ^rawptr, idx: c.int, val: cstring, n: c.int, destructor: rawptr) -> c.int ---
@(link_name="sqlite3_changes") @(link_name="sqlite3_changes")
changes :: proc(db: ^rawptr) -> c.int --- changes :: proc(db: ^rawptr) -> c.int ---
@(link_name="sqlite3_serialize")
serialize :: proc(db: ^rawptr, zSchema: cstring, piSize: ^i64, mFlags: u32) -> [^]u8 ---
@(link_name="sqlite3_deserialize")
deserialize :: proc(db: ^rawptr, zSchema: cstring, pData: [^]u8, szDb: i64, szBuf: i64, mFlags: u32) -> c.int ---
@(link_name="sqlite3_malloc64")
malloc64 :: proc(n: i64) -> [^]u8 ---
@(link_name="sqlite3_free")
free :: proc(p: rawptr) ---
} }
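Review bot: The new `DESERIALIZE_FREEONCLOSE` constant needs a comment on the ownership rule it implies, because it is easy to get wrong at call sites: with this flag SQLite takes ownership of `pData` and frees it both when the connection closes and when `sqlite3_deserialize` itself fails, so callers must not free it on the error path. I would add above the constant `// SQLite owns pData once passed: it is freed on close and also when deserialize fails, so callers must never sqlite.free it themselves.`, and above `serialize` a note that a buffer returned with `mFlags == 0` is sqlite-allocated and must be released with `sqlite.free`. `malloc64` takes `sqlite3_uint64` in the C header; `i64` is the same width on the supported ABIs, but declaring it `u64` would match the header and rule out passing a negative size.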