From 478384aae90fa4d605ac2141dc46af4d173a285b Mon Sep 17 00:00:00 2001
From: James Eversole
Date: Fri, 29 Jul 2022 20:31:58 -0500
Subject: [PATCH] Secrets are now stored as AES encrypted -> Base64 encoded strings, retrieval is still plaintext and will need to be updated to reflect the required unencoding and decryption process
---
 Purr.cabal | 21 +++++++++++++++------
 examples/config.dhall | 2 +-
 package.yaml | 7 +++++--
 src/Core/SQLite.hs | 5 +++++
 src/Core/Types.hs | 2 +-
 src/Feature/Sharing/SQLite.hs | 27 ++++++++++++++++++---------
 stack.yaml | 3 +--
 stack.yaml.lock | 15 ++++-----------
 8 files changed, 50 insertions(+), 32 deletions(-)
diff --git a/Purr.cabal b/Purr.cabal
index 528c24a..cef8c8a 100644
--- a/Purr.cabal
+++ b/Purr.cabal
@@ -48,8 +48,11 @@ library
 ScopedTypeVariables
 build-depends:
 base >=4.7
+ , base64-bytestring >=1.2.0.0
 , blaze-html >=0.9.1.0
- , containers
+ , bytestring >=0.10.12.1
+ , containers >=0.6.4.1
+ , crypto-simple >=0.1.0.0
 , dhall >=1.40 && <1.41.2
 , http-types >=0.12.3
 , iso8601-time >=0.1.5
@@ -58,7 +61,7 @@ library
 , scotty ==0.12
 , shakespeare >=2.0.20
 , sqlite-simple >=0.4.18.0
- , text >=1.2
+ , text >=1.2.5.0
 , time >=1.9
 , wai-extra >=3.1.12.1
 , wai-middleware-static >=0.5
@@ -82,8 +85,11 @@ executable Purr-exe
 build-depends:
 Purr
 , base >=4.7
+ , base64-bytestring >=1.2.0.0
 , blaze-html >=0.9.1.0
- , containers
+ , bytestring >=0.10.12.1
+ , containers >=0.6.4.1
+ , crypto-simple >=0.1.0.0
 , dhall >=1.40 && <1.41.2
 , http-types >=0.12.3
 , iso8601-time >=0.1.5
@@ -92,7 +98,7 @@ executable Purr-exe
 , scotty ==0.12
 , shakespeare >=2.0.20
 , sqlite-simple >=0.4.18.0
- , text >=1.2
+ , text >=1.2.5.0
 , time >=1.9
 , wai-extra >=3.1.12.1
 , wai-middleware-static >=0.5
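Review bot: `crypto-simple >=0.1.0.0` is added with no upper bound in the `library` stanza, and the same line recurs in the `executable Purr-exe` and `test-suite Purr-test` stanzas and in package.yaml. stack.yaml pins `crypto-simple-0.1.0.0` by sha256, but a build driven from Purr.cabal alone would accept any later release of the package that now encrypts stored secrets. Consider bounding it the way `dhall` is bounded, e.g. `crypto-simple >=0.1.0.0 && <0.2`, so a change in cipher behaviour arrives only through a reviewed bump.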
@@ -117,8 +123,11 @@ test-suite Purr-test
 build-depends:
 Purr
 , base >=4.7
+ , base64-bytestring >=1.2.0.0
 , blaze-html >=0.9.1.0
- , containers
+ , bytestring >=0.10.12.1
+ , containers >=0.6.4.1
+ , crypto-simple >=0.1.0.0
 , dhall >=1.40 && <1.41.2
 , http-types >=0.12.3
 , iso8601-time >=0.1.5
@@ -127,7 +136,7 @@ test-suite Purr-test
 , scotty ==0.12
 , shakespeare >=2.0.20
 , sqlite-simple >=0.4.18.0
- , text >=1.2
+ , text >=1.2.5.0
 , time >=1.9
 , wai-extra >=3.1.12.1
 , wai-middleware-static >=0.5
diff --git a/examples/config.dhall b/examples/config.dhall
index 385c1e6..712f79d 100644
--- a/examples/config.dhall
+++ b/examples/config.dhall
@@ -10,6 +10,6 @@
 , applicationHost = "REPLACEME"
 , applicationPort = +3000
 , dbFile = "data/Purr.sqlite"
-, dbSalt = "REPLACEME!!!!!"
+, dbKey = "REPLACEME!!!!!"
 , linkLength = +24
 }
diff --git a/package.yaml b/package.yaml
index 875439d..5354205 100644
--- a/package.yaml
+++ b/package.yaml
@@ -29,8 +29,11 @@ description: https://git.eversole.co/James/Purr
 dependencies:
 - base >= 4.7
+- base64-bytestring >= 1.2.0.0
 - blaze-html >= 0.9.1.0
-- containers
+- bytestring >= 0.10.12.1
+- containers >= 0.6.4.1
+- crypto-simple >= 0.1.0.0
 - dhall >= 1.40 && < 1.41.2
 - http-types >= 0.12.3
 - iso8601-time >= 0.1.5
@@ -40,7 +43,7 @@ dependencies:
 - shakespeare >= 2.0.20
 - sqlite-simple >= 0.4.18.0
 - time >= 1.9
-- text >= 1.2
+- text >= 1.2.5.0
 - wai-extra >= 3.1.12.1
 - wai-middleware-static >= 0.5
diff --git a/src/Core/SQLite.hs b/src/Core/SQLite.hs
index 5ce0bf5..cdc5aff 100644
--- a/src/Core/SQLite.hs
+++ b/src/Core/SQLite.hs
@@ -22,3 +22,8 @@ dbPath :: PurrAction String
 dbPath = do
 conf <- lift ask
 return $ dbFile conf
+
+encKey :: PurrAction String
+encKey = do
+ conf <- lift ask
+ return $ dbKey conf
diff --git a/src/Core/Types.hs b/src/Core/Types.hs
index de6b03e..75ffa95 100644
--- a/src/Core/Types.hs
+++ b/src/Core/Types.hs
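Review bot: `encKey` returns `dbKey` exactly as configured, so an empty value or the shipped placeholder `REPLACEME!!!!!` from examples/config.dhall would be used as the encryption key without complaint. Nothing in this hunk checks the value; I would reject those cases when the config is loaded (or here) and fail startup rather than encrypt under a known string. A Haddock line would also help, for example `-- | Encryption key for stored secrets, taken from the 'dbKey' config field; must not be logged.`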
@@ -20,6 +20,6 @@ data DhallConfig = DhallConfig
 , applicationHost :: String
 , applicationPort :: Int
 , dbFile :: String
- , dbSalt :: String
+ , dbKey :: String
 , linkLength :: Int
 } deriving (Generic, Show)
diff --git a/src/Feature/Sharing/SQLite.hs b/src/Feature/Sharing/SQLite.hs
index 0b0a75e..86869d8 100644
--- a/src/Feature/Sharing/SQLite.hs
+++ b/src/Feature/Sharing/SQLite.hs
@@ -4,14 +4,18 @@ import Core.Types
 import Core.SQLite
 import Feature.Sharing.Types
-import Control.Monad.Reader (ask, lift, liftIO)
-import Data.Maybe (listToMaybe)
-import Data.Time.Clock.POSIX (getPOSIXTime)
+import Control.Monad.Reader (ask, lift, liftIO)
+import Crypto.Simple.CBC (encrypt, decrypt)
+import Data.Maybe (listToMaybe)
+import Data.Time.Clock.POSIX (getPOSIXTime)
 import Database.SQLite.Simple
 import Database.SQLite.Simple.FromRow
-import qualified Data.Text as T
-import qualified Data.Text.Lazy as LT
+import qualified Data.ByteString.Base64 as B64
+import qualified Data.ByteString.Char8 as B
+import qualified Data.Text as T
+import qualified Data.Text.Encoding as ET
+import qualified Data.Text.Lazy as LT
 findByLink :: String -> PurrAction (Maybe SecretEntry)
 findByLink link = do
@@ -23,13 +27,18 @@ findByLink link = do
 insertNewSecret :: T.Text -> T.Text -> PurrAction ()
 insertNewSecret sec link = do
- db <- dbPath
- conn <- liftIO $ open db
- time <- liftIO $ epochTime
+ db <- dbPath
+ key <- encKey
+ encSec <- liftIO $ encrypt (B.pack key) (ET.encodeUtf8 sec)
+ conn <- liftIO $ open db
+ time <- liftIO $ epochTime
 liftIO $ execute conn
 "INSERT INTO pws (link, secret, date) VALUES (?, ?, ?)"
- (SecretEntry link sec time)
+ (SecretEntry link (encodeSecret encSec) time)
 liftIO $ close conn
 epochTime :: IO Integer
 epochTime = fmap round getPOSIXTime
+
+encodeSecret :: B.ByteString -> T.Text
+encodeSecret b = ET.decodeUtf8 $ B64.encode b
diff --git a/stack.yaml b/stack.yaml
index 2a8eac2..a7018e6 100644
--- a/stack.yaml
+++ b/stack.yaml
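Review bot: `dbKey` now carries the encryption key, yet the record still ends in `deriving (Generic, Show)`, so any `show` or `print` of a `DhallConfig` would include the key in its output. Whether the config is ever shown or logged is not visible here, and the `data` declaration starts above the hunk. Consider giving the field its own type with a redacting instance, e.g. `newtype DbKey = DbKey String` plus `instance Show DbKey where show _ = "DbKey <redacted>"`, and check that the Dhall decoder still derives for it.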
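Review bot: The `encrypt` line in `insertNewSecret` feeds the config string straight in as key material via `B.pack key`: `Data.ByteString.Char8.pack` keeps only the low 8 bits of each character, and no length check or key derivation is visible, so how an arbitrary-length value is fitted to an AES key depends on crypto-simple internals that should be confirmed. `Crypto.Simple.CBC` also provides confidentiality only; once the `decrypt` path is written, a modified `secret` column would decrypt to garbage or fail on padding instead of being rejected, so an authenticated mode or a MAC over the stored bytes is worth planning for now. For the key, derive fixed-length bytes once at startup and pass those, e.g. `encSec <- liftIO $ encrypt derivedKey (ET.encodeUtf8 sec)`. Rows written before this change hold plaintext in the same column, so the reader will need a way to tell the two apart.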
@@ -36,8 +36,7 @@ packages:
 # forks / in-progress versions pinned to a git hash. For example:
 #
 extra-deps:
-- AesonBson-0.4.1@sha256:30a4ecb39e8da94dc1e1e8945eb0d4e33a833ae4342841b3c87c56b5918a90a1,1398
-- bson-generic-0.0.9@sha256:ea6685daa618b2bbe6e189c33e195e812501baf42f53183eedc16f011690895a,817
+- crypto-simple-0.1.0.0@sha256:5c0e1e04a814d903743d7543245951a91a46817230fdf478fadca57116805fc1,1502
 ghc-options:
 '$everything': -haddock
diff --git a/stack.yaml.lock b/stack.yaml.lock
index 496ef46..4f86da1 100644
--- a/stack.yaml.lock
+++ b/stack.yaml.lock
@@ -5,19 +5,12 @@ packages: - completed: - hackage: AesonBson-0.4.1@sha256:30a4ecb39e8da94dc1e1e8945eb0d4e33a833ae4342841b3c87c56b5918a90a1,1398 + hackage: crypto-simple-0.1.0.0@sha256:5c0e1e04a814d903743d7543245951a91a46817230fdf478fadca57116805fc1,1502 pantry-tree: - size: 378 - sha256: 10c7444de357f7fc1473542d8b3307811420889be32d5a2033d0dbc2d32a375d + size: 472 + sha256: 66c4ac2c2ddb74d31370026799a44fa78dc3b64d82cec0a1bc87b30e816195a4 original: - hackage: AesonBson-0.4.1@sha256:30a4ecb39e8da94dc1e1e8945eb0d4e33a833ae4342841b3c87c56b5918a90a1,1398 -- completed: - hackage: bson-generic-0.0.9@sha256:ea6685daa618b2bbe6e189c33e195e812501baf42f53183eedc16f011690895a,817 - pantry-tree: - size: 220 - sha256: 46d452c35c2c762af25bf4d85b5248a94cbbe5b282bc4b1217d0ab3451011ae9 - original: - hackage: bson-generic-0.0.9@sha256:ea6685daa618b2bbe6e189c33e195e812501baf42f53183eedc16f011690895a,817 + hackage: crypto-simple-0.1.0.0@sha256:5c0e1e04a814d903743d7543245951a91a46817230fdf478fadca57116805fc1,1502 snapshots: - completed: size: 618740