Lib.rs

Web programmingHTTP serverSvanill
#user #s3 #bucket #db #sqlite #svanill

bin+lib svanill-vault-server

svanill-vault, the server

by Riccardo Attilio Galli

1 unstable release

0.1.0 Oct 10, 2020

#989 in HTTP server

AGPL-3.0-or-later

64KB
1.5K SLoC

svanill-vault-server

An HTTP server to store/retrieve files produced by svanill (cli or web).

An authenticated user can push, list or remove files to a dedicated S3 bucket.

Third party services

Required:

  • an S3 compatible service (AWS S3, minio, ...)

Optional:

  • Sentry (to log errors)

Currently users data is read from a SQLite db, so no external db is required.

Build

You will need cargo, the Rust package manager.

cargo build

Run

The build artifacts end in the target folder at the root of the project (as usual for multicrate Rust repositories).

AWS credential by default are read by env variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, but there are other fallbacks, see rusoto doc. You can also pass them as args (see --help).

cargo run # or execute the binary from `../target/debug` or `../target/release`

# most params can be provided as env variables, here we just use arguments
RUST_LOG=trace,actix_server=trace,actix_web=trace cargo run -- \
    --s3-access-key-id=test_s3_access_key \
    --s3-secret-access-key=test_s3_secret_key \
    --s3-bucket testbucket \
    --s3-region=us-east-1 \
    --s3-endpoint=http://localhost:9000 \
    -H 127.0.0.1 \
    -P 5000 \
    -d test.db \
    -v

Database

svanill-vault-server access a read only SQLite database file. If the database file does not exist, it will be created and a migration will run automatically. You can add users by running a query such as

sqlite3 test.db
sqlite> .schema
CREATE TABLE __diesel_schema_migrations (version VARCHAR(50) PRIMARY KEY NOT NULL,run_on TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP);
CREATE TABLE user (
  username VARCHAR(50) NOT NULL PRIMARY KEY,
  challenge VARCHAR(255) NOT NULL,
  answer VARCHAR(32) NOT NULL
);
sqlite> INSERT INTO user VALUES ('your username', 'the challenge', 'the answer');

Authentication

Users authenticate by requesting a challenge and then providing the answer to that challenge.

answer should be a random string, e.g. generated with hexdump -n 16 -e '4/4 "%08X" 1 "\n"' /dev/random

challenge is the answer encrypted with a symmetric algorithm (supposedly using Svanill (web or cli).

It works this way so that a Svanill user can use a single password to both encrypt/decrypt files and login securely (Svanill encrypt using AES-GCM which doesn't suffer from known-plaintext attack).

Dependencies

~74MB
~1.5M SLoC