浏览代码

Merge pull request #5494 from andelf/feat/add-age-encrypt-to-sync

Feat/add age encrypt to sync
rcmerci 3 年之前
父节点
当前提交
4e8da96f16

+ 4 - 0
ios/App/App.xcodeproj/project.pbxproj

@@ -34,6 +34,7 @@
 		FE647FF627BDFEF500F3206B /* FsWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = FE647FF527BDFEF500F3206B /* FsWatcher.m */; };
 		FE647FF627BDFEF500F3206B /* FsWatcher.m in Sources */ = {isa = PBXBuildFile; fileRef = FE647FF527BDFEF500F3206B /* FsWatcher.m */; };
 		FE8C946B27FD762700C8017B /* FileSync.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE8C946927FD762700C8017B /* FileSync.swift */; };
 		FE8C946B27FD762700C8017B /* FileSync.swift in Sources */ = {isa = PBXBuildFile; fileRef = FE8C946927FD762700C8017B /* FileSync.swift */; };
 		FE8C946C27FD762700C8017B /* FileSync.m in Sources */ = {isa = PBXBuildFile; fileRef = FE8C946A27FD762700C8017B /* FileSync.m */; };
 		FE8C946C27FD762700C8017B /* FileSync.m in Sources */ = {isa = PBXBuildFile; fileRef = FE8C946A27FD762700C8017B /* FileSync.m */; };
+		FEE688A428448F8C0019510E /* AgeEncryption.swift in Sources */ = {isa = PBXBuildFile; fileRef = FEE688A328448F8C0019510E /* AgeEncryption.swift */; };
 /* End PBXBuildFile section */
 /* End PBXBuildFile section */
 
 
 /* Begin PBXContainerItemProxy section */
 /* Begin PBXContainerItemProxy section */
@@ -97,6 +98,7 @@
 		FE647FF527BDFEF500F3206B /* FsWatcher.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = FsWatcher.m; sourceTree = "<group>"; };
 		FE647FF527BDFEF500F3206B /* FsWatcher.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = FsWatcher.m; sourceTree = "<group>"; };
 		FE8C946927FD762700C8017B /* FileSync.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FileSync.swift; sourceTree = "<group>"; };
 		FE8C946927FD762700C8017B /* FileSync.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FileSync.swift; sourceTree = "<group>"; };
 		FE8C946A27FD762700C8017B /* FileSync.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = FileSync.m; sourceTree = "<group>"; };
 		FE8C946A27FD762700C8017B /* FileSync.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = FileSync.m; sourceTree = "<group>"; };
+		FEE688A328448F8C0019510E /* AgeEncryption.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AgeEncryption.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 /* End PBXFileReference section */
 
 
 /* Begin PBXFrameworksBuildPhase section */
 /* Begin PBXFrameworksBuildPhase section */
@@ -205,6 +207,7 @@
 				FE443F1D27FF54AA007ECE65 /* Payload.swift */,
 				FE443F1D27FF54AA007ECE65 /* Payload.swift */,
 				FE443F1B27FF5420007ECE65 /* Extensions.swift */,
 				FE443F1B27FF5420007ECE65 /* Extensions.swift */,
 				FE8C946A27FD762700C8017B /* FileSync.m */,
 				FE8C946A27FD762700C8017B /* FileSync.m */,
+				FEE688A328448F8C0019510E /* AgeEncryption.swift */,
 			);
 			);
 			path = FileSync;
 			path = FileSync;
 			sourceTree = "<group>";
 			sourceTree = "<group>";
@@ -362,6 +365,7 @@
 				5FD5BB71278579F5008E6875 /* DownloadiCloudFiles.swift in Sources */,
 				5FD5BB71278579F5008E6875 /* DownloadiCloudFiles.swift in Sources */,
 				FE443F1E27FF54AA007ECE65 /* Payload.swift in Sources */,
 				FE443F1E27FF54AA007ECE65 /* Payload.swift in Sources */,
 				5FF8632C283B5BFD0047731B /* Utils.m in Sources */,
 				5FF8632C283B5BFD0047731B /* Utils.m in Sources */,
+				FEE688A428448F8C0019510E /* AgeEncryption.swift in Sources */,
 				FE8C946B27FD762700C8017B /* FileSync.swift in Sources */,
 				FE8C946B27FD762700C8017B /* FileSync.swift in Sources */,
 				FE647FF427BDFEDE00F3206B /* FsWatcher.swift in Sources */,
 				FE647FF427BDFEDE00F3206B /* FsWatcher.swift in Sources */,
 				5FF8632A283B5ADB0047731B /* Utils.swift in Sources */,
 				5FF8632A283B5ADB0047731B /* Utils.swift in Sources */,

+ 95 - 0
ios/App/App/FileSync/AgeEncryption.swift

@@ -0,0 +1,95 @@
+//
+//  AgeEncryption.swift
+//  Logseq
+//
+//  Created by Mono Wang on 5/30/R4.
+//
+
+import Foundation
+import AgeEncryption
+
+public enum AgeEncryption {
+    public static func keygen() -> (String, String) {
+        let cSecretKey = UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>.allocate(capacity: 1)
+        let cPublicKey = UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>.allocate(capacity: 1)
+        
+        rust_age_encryption_keygen(cSecretKey, cPublicKey);
+        let secretKey = String(cString: cSecretKey.pointee!)
+        let publicKey = String(cString: cPublicKey.pointee!)
+        
+        rust_age_encryption_free_str(cSecretKey.pointee!)
+        rust_age_encryption_free_str(cPublicKey.pointee!)
+        cSecretKey.deallocate()
+        cPublicKey.deallocate()
+
+        return (secretKey, publicKey)
+    }
+    
+    public static func encryptWithPassphrase(_ plaintext: Data, _ passphrase: String, armor: Bool) -> Data? {
+        plaintext.withUnsafeBytes { (cPlaintext) in
+            let cOutput = UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>.allocate(capacity: 1)
+
+            let ret = rust_age_encrypt_with_user_passphrase(passphrase.cString(using: .utf8), cPlaintext.bindMemory(to: CChar.self).baseAddress, Int32(plaintext.count), armor ? 1 : 0, cOutput)
+            if ret > 0 {
+                let cOutputBuf = UnsafeBufferPointer.init(start: cOutput.pointee, count: Int(ret))
+                let ciphertext = Data.init(buffer: cOutputBuf)
+                rust_age_encryption_free_vec(cOutput.pointee, ret)
+                cOutput.deallocate()
+                return ciphertext
+            } else {
+                return nil
+            }
+        }
+    }
+
+    public static func decryptWithPassphrase(_ ciphertext: Data, _ passphrase: String) -> Data? {
+        ciphertext.withUnsafeBytes { (cCiphertext) in
+            let cOutput = UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>.allocate(capacity: 1)
+
+            let ret = rust_age_decrypt_with_user_passphrase(passphrase.cString(using: .utf8), cCiphertext.bindMemory(to: CChar.self).baseAddress, Int32(ciphertext.count), cOutput)
+            if ret > 0 {
+                let cOutputBuf = UnsafeBufferPointer.init(start: cOutput.pointee, count: Int(ret))
+                let plaintext = Data.init(buffer: cOutputBuf)
+                rust_age_encryption_free_vec(cOutput.pointee, ret)
+                cOutput.deallocate()
+                return plaintext
+            } else {
+                return nil
+            }
+        }
+    }
+    
+    public static func encryptWithX25519(_ plaintext: Data, _ publicKey: String, armor: Bool) -> Data? {
+        plaintext.withUnsafeBytes { (cPlaintext) in
+            let cOutput = UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>.allocate(capacity: 1)
+            
+            let ret = rust_age_encrypt_with_x25519(publicKey.cString(using: .utf8), cPlaintext.bindMemory(to: CChar.self).baseAddress, Int32(plaintext.count), armor ? 1 : 0, cOutput)
+            if ret > 0 {
+                let cOutputBuf = UnsafeBufferPointer.init(start: cOutput.pointee, count: Int(ret))
+                let ciphertext = Data.init(buffer: cOutputBuf)
+                rust_age_encryption_free_vec(cOutput.pointee, ret)
+                cOutput.deallocate()
+                return ciphertext
+            } else {
+                return nil
+            }
+        }
+    }
+    
+    public static func decryptWithX25519(_ ciphertext: Data, _ secretKey: String) -> Data? {
+        ciphertext.withUnsafeBytes { (cCiphertext) in
+            let cOutput = UnsafeMutablePointer<UnsafeMutablePointer<CChar>?>.allocate(capacity: 1)
+
+            let ret = rust_age_decrypt_with_x25519(secretKey.cString(using: .utf8), cCiphertext.bindMemory(to: CChar.self).baseAddress, Int32(ciphertext.count), cOutput)
+            if ret >= 0 {
+                let cOutputBuf = UnsafeBufferPointer.init(start: cOutput.pointee, count: Int(ret))
+                let plaintext = Data.init(buffer: cOutputBuf)
+                rust_age_encryption_free_vec(cOutput.pointee, ret)
+                cOutput.deallocate()
+                return plaintext
+            } else {
+                return nil
+            }
+        }
+    }
+}

+ 45 - 0
ios/App/App/FileSync/Data+ChaChaPoly.swift

@@ -0,0 +1,45 @@
+//
+//  Data+ChaChaPoly.swift
+//  Logseq
+//
+//  Created by Mono Wang on 5/20/R4.
+//
+
+import Foundation
+import CryptoKit
+
+extension Data {
+    /**
+     Encrypts current data using ChaChaPoly cipher.
+     */
+    public func sealChaChaPoly(with passphrase: String) -> Data? {
+        guard let symmetricKey = try? SymmetricKey(passwordString: passphrase) else {
+            return nil
+        }
+
+        let nonce = try? ChaChaPoly.Nonce(data: Data(repeating: 0x00, count: 12))
+        if let encrypted = try? ChaChaPoly.seal(self, using: symmetricKey, nonce: nonce!).combined {
+            var ret = Data(hexEncoded: "4c530031")
+            ret?.append(encrypted)
+            return ret
+        }
+        return nil
+    }
+
+    /**
+     Decrypts current combined ChaChaPoly Selead box data (nonce || ciphertext || tag) using ChaChaPoly cipher.
+     */
+    public func openChaChaPoly(with passphrase: String) -> Data? {
+        if self.count <= 4 {
+            return nil
+        }
+        guard let symmetricKey = try? SymmetricKey(passwordString: passphrase) else {
+            return nil
+        }
+        guard let chaChaPolySealedBox = try? ChaChaPoly.SealedBox(combined: self[4...]) else {
+            return nil
+        }
+
+        return try? ChaChaPoly.open(chaChaPolySealedBox, using: symmetricKey)
+    }
+}

+ 28 - 59
ios/App/App/FileSync/Extensions.swift

@@ -50,25 +50,6 @@ extension Array where Element == UInt8 {
   }
   }
 }
 }
 
 
-@available(iOS 13.0, *)
-extension SymmetricKey {
-    public init(passwordString keyString: String) throws {
-        let size = SymmetricKeySize.bits256
-        guard var keyData = keyString.data(using: .utf8) else {
-            print("Could not create raw Data from String.")
-            throw CryptoKitError.incorrectParameterSize
-        }
-            
-        let keySizeBytes = size.bitCount / 8
-        keyData = keyData.subdata(in: 0..<keySizeBytes)
-        guard keyData.count >= keySizeBytes else { throw CryptoKitError.incorrectKeySize }
-        
-        print("debug key \(keyData) \(keyData.hexDescription)")
-        
-        self.init(data: keyData)
-    }
-}
-
 extension Data {
 extension Data {
     public init?(hexEncoded: String) {
     public init?(hexEncoded: String) {
         self.init(Array<UInt8>(hex: hexEncoded))
         self.init(Array<UInt8>(hex: hexEncoded))
@@ -78,38 +59,9 @@ extension Data {
         return map { String(format: "%02hhx", $0) }.joined()
         return map { String(format: "%02hhx", $0) }.joined()
     }
     }
     
     
-    @available(iOS 13.0, *)
-    func aesEncrypt(keyString: String) throws -> Data {
-        let key = try? SymmetricKey(passwordString: keyString)
-        
-        let nonce = Data(hexEncoded: "131348c0987c7eece60fc0bc") // = initialization vector
-        let tag = Data(hexEncoded: "5baa85ff3e7eda3204744ec74b71d523")
-        
-        print("debug tag \(tag?.hexDescription) nonce \(nonce?.hexDescription)")
-        let sealedData = try! AES.GCM.seal(self, using: key!, nonce: AES.GCM.Nonce(data: nonce!), authenticating: tag!)
-            
-        print("debug encrypted \(sealedData)")
-        guard let encryptedContent = sealedData.combined else {
-            throw CryptoKitError.underlyingCoreCryptoError(error: 2)
-        }
-        print("debug encrypted \(encryptedContent)")
-        print("debug encrypted \(encryptedContent.hexDescription)")
-        print("debug tag \(sealedData.tag.hexDescription)")
-        return encryptedContent
-    }
-    
-    @available(iOS 13.0, *)
-    func aesDecrypt(keyString: String) throws -> Data {
-        let key = try! SymmetricKey(passwordString: keyString)
-        let tag = Data(hexEncoded: "5baa85ff3e7eda3204744ec74b71d523")
-        
-        guard let sealedBox = try? AES.GCM.SealedBox(combined: self) else {
-            throw CryptoKitError.authenticationFailure
-        }
-        guard let decryptedData = try? AES.GCM.open(sealedBox, using: key, authenticating: tag!) else {
-            throw CryptoKitError.authenticationFailure
-        }
-        return decryptedData
+    var MD5: String {
+        let computed = Insecure.MD5.hash(data: self)
+        return computed.map { String(format: "%02hhx", $0) }.joined()
     }
     }
 }
 }
 
 
@@ -159,8 +111,8 @@ extension URL {
         return relComponents.joined(separator: "/")
         return relComponents.joined(separator: "/")
     }
     }
     
     
+    // Download a remote URL to a file
     func download(toFile file: URL, completion: @escaping (Error?) -> Void) {
     func download(toFile file: URL, completion: @escaping (Error?) -> Void) {
-        // Download the remote URL to a file
         let task = URLSession.shared.downloadTask(with: self) {
         let task = URLSession.shared.downloadTask(with: self) {
             (tempURL, response, error) in
             (tempURL, response, error) in
             // Early exit on error
             // Early exit on error
@@ -188,14 +140,16 @@ extension URL {
                 // Remove any existing document at file
                 // Remove any existing document at file
                 if FileManager.default.fileExists(atPath: file.path) {
                 if FileManager.default.fileExists(atPath: file.path) {
                     try FileManager.default.removeItem(at: file)
                     try FileManager.default.removeItem(at: file)
+                } else {
+                    let baseURL = file.deletingLastPathComponent()
+                    try FileManager.default.createDirectory(at: baseURL, withIntermediateDirectories: true, attributes: nil)
+                }
+                let rawData = try Data(contentsOf: tempURL)
+                guard let decryptedRawData = maybeDecrypt(rawData) else {
+                    throw NSError(domain: "", code: 0, userInfo: [NSLocalizedDescriptionKey: "can not decrypt remote file"])
                 }
                 }
-                
-                // Copy the tempURL to file
-                try FileManager.default.copyItem(
-                    at: tempURL,
-                    to: file
-                )
-                
+                try decryptedRawData.write(to: file, options: .atomic)
+
                 completion(nil)
                 completion(nil)
             }
             }
             
             
@@ -209,3 +163,18 @@ extension URL {
         task.resume()
         task.resume()
     }
     }
 }
 }
+
+// MARK: Crypto helper
+
+extension SymmetricKey {
+    public init(passwordString keyString: String) throws {
+        guard let keyData = keyString.data(using: .utf8) else {
+            print("ERROR: Could not create raw Data from String")
+            throw CryptoKitError.incorrectParameterSize
+        }
+        // SymmetricKeySize.bits256
+        let keyDigest = SHA256.hash(data: keyData)
+        
+        self.init(data: keyDigest)
+    }
+}

+ 1 - 0
ios/App/App/FileSync/FileSync.m

@@ -9,6 +9,7 @@
 
 
 CAP_PLUGIN(FileSync, "FileSync",
 CAP_PLUGIN(FileSync, "FileSync",
            CAP_PLUGIN_METHOD(setEnv, CAPPluginReturnPromise);
            CAP_PLUGIN_METHOD(setEnv, CAPPluginReturnPromise);
+           CAP_PLUGIN_METHOD(keygen, CAPPluginReturnPromise);
            CAP_PLUGIN_METHOD(getLocalFilesMeta, CAPPluginReturnPromise);
            CAP_PLUGIN_METHOD(getLocalFilesMeta, CAPPluginReturnPromise);
            CAP_PLUGIN_METHOD(getLocalAllFilesMeta, CAPPluginReturnPromise);
            CAP_PLUGIN_METHOD(getLocalAllFilesMeta, CAPPluginReturnPromise);
            CAP_PLUGIN_METHOD(renameLocalFile, CAPPluginReturnPromise);
            CAP_PLUGIN_METHOD(renameLocalFile, CAPPluginReturnPromise);

+ 95 - 35
ios/App/App/FileSync/FileSync.swift

@@ -10,13 +10,18 @@ import Foundation
 import AWSMobileClient
 import AWSMobileClient
 import CryptoKit
 import CryptoKit
 
 
-// MARK: Global variables
+
+// MARK: Global variable
 
 
 // Defualts to dev
 // Defualts to dev
 var URL_BASE = URL(string: "https://api.logseq.com/file-sync/")!
 var URL_BASE = URL(string: "https://api.logseq.com/file-sync/")!
 var BUCKET: String = "logseq-file-sync-bucket"
 var BUCKET: String = "logseq-file-sync-bucket"
 var REGION: String = "us-east-2"
 var REGION: String = "us-east-2"
 
 
+var ENCRYPTION_SECRET_KEY: String? = nil
+var ENCRYPTION_PUBLIC_KEY: String? = nil
+
+// MARK: Metadata type
 
 
 public struct SyncMetadata: CustomStringConvertible, Equatable {
 public struct SyncMetadata: CustomStringConvertible, Equatable {
     var md5: String
     var md5: String
@@ -29,9 +34,9 @@ public struct SyncMetadata: CustomStringConvertible, Equatable {
                 return nil
                 return nil
             }
             }
             size = fileAttributes.fileSize ?? 0
             size = fileAttributes.fileSize ?? 0
-            
-            // incremental MD5sum
-            let bufferSize = 1024 * 1024
+
+            // incremental MD5 checksum
+            let bufferSize = 512 * 1024
             let file = try FileHandle(forReadingFrom: fileURL)
             let file = try FileHandle(forReadingFrom: fileURL)
             defer {
             defer {
                 file.closeFile()
                 file.closeFile()
@@ -46,7 +51,7 @@ public struct SyncMetadata: CustomStringConvertible, Equatable {
                     return false // eof
                     return false // eof
                 }
                 }
             }) {}
             }) {}
-            
+
             let computed = ctx.finalize()
             let computed = ctx.finalize()
             md5 = computed.map { String(format: "%02hhx", $0) }.joined()
             md5 = computed.map { String(format: "%02hhx", $0) }.joined()
         } catch {
         } catch {
@@ -59,6 +64,38 @@ public struct SyncMetadata: CustomStringConvertible, Equatable {
     }
     }
 }
 }
 
 
+// MARK: encryption helper
+
+func maybeEncrypt(_ plaindata: Data) -> Data! {
+    // avoid encryption twice
+    if plaindata.starts(with: "-----BEGIN AGE ENCRYPTED FILE-----".data(using: .utf8)!) ||
+        plaindata.starts(with: "age-encryption.org/v1\n".data(using: .utf8)!) {
+        return plaindata
+    }
+    if let publicKey = ENCRYPTION_PUBLIC_KEY {
+        // use armor = false, for smaller size
+        if let cipherdata = AgeEncryption.encryptWithPassphrase(plaindata, publicKey, armor: false) {
+            return cipherdata
+        }
+        return nil // encryption fail
+    }
+    return plaindata
+}
+
+func maybeDecrypt(_ cipherdata: Data) -> Data! {
+    if let secretKey = ENCRYPTION_SECRET_KEY {
+        if cipherdata.starts(with: "-----BEGIN AGE ENCRYPTED FILE-----".data(using: .utf8)!) ||
+            cipherdata.starts(with: "age-encryption.org/v1\n".data(using: .utf8)!) {
+            if let plaindata = AgeEncryption.decryptWithX25519(cipherdata, secretKey) {
+                return plaindata
+            }
+            return nil
+        }
+        // not an encrypted file
+        return cipherdata
+    }
+    return cipherdata
+}
 
 
 // MARK: FileSync Plugin
 // MARK: FileSync Plugin
 
 
@@ -66,6 +103,7 @@ public struct SyncMetadata: CustomStringConvertible, Equatable {
 public class FileSync: CAPPlugin, SyncDebugDelegate {
 public class FileSync: CAPPlugin, SyncDebugDelegate {
     override public func load() {
     override public func load() {
         print("debug File sync iOS plugin loaded!")
         print("debug File sync iOS plugin loaded!")
+
         AWSMobileClient.default().initialize { (userState, error) in
         AWSMobileClient.default().initialize { (userState, error) in
             guard error == nil else {
             guard error == nil else {
                 print("error initializing AWSMobileClient. Error: \(error!.localizedDescription)")
                 print("error initializing AWSMobileClient. Error: \(error!.localizedDescription)")
@@ -73,17 +111,40 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
             }
             }
         }
         }
     }
     }
-    
+
     // NOTE: for debug, or an activity indicator
     // NOTE: for debug, or an activity indicator
     public func debugNotification(_ message: [String: Any]) {
     public func debugNotification(_ message: [String: Any]) {
         self.notifyListeners("debug", data: message)
         self.notifyListeners("debug", data: message)
     }
     }
-    
+
+    @objc func keygen(_ call: CAPPluginCall) {
+        let (secretKey, publicKey) = AgeEncryption.keygen()
+        call.resolve(["secretKey": secretKey,
+                      "publicKey": publicKey])
+    }
+
+    @objc func setKey(_ call: CAPPluginCall) {
+        let secretKey = call.getString("secretKey")
+        let publicKey = call.getString("publicKey")
+        if secretKey == nil && publicKey == nil {
+            ENCRYPTION_SECRET_KEY = nil
+            ENCRYPTION_PUBLIC_KEY = nil
+        }
+        guard let secretKey = secretKey, let publicKey = publicKey else {
+            call.reject("both secretKey and publicKey should be provided")
+            return
+        }
+        ENCRYPTION_SECRET_KEY = secretKey
+        ENCRYPTION_PUBLIC_KEY = publicKey
+    }
+
     @objc func setEnv(_ call: CAPPluginCall) {
     @objc func setEnv(_ call: CAPPluginCall) {
         guard let env = call.getString("env") else {
         guard let env = call.getString("env") else {
             call.reject("required parameter: env")
             call.reject("required parameter: env")
             return
             return
         }
         }
+        self.setKey(call)
+
         switch env {
         switch env {
         case "production", "product", "prod":
         case "production", "product", "prod":
             URL_BASE = URL(string: "https://api-prod.logseq.com/file-sync/")!
             URL_BASE = URL(string: "https://api-prod.logseq.com/file-sync/")!
@@ -97,10 +158,11 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
             call.reject("invalid env: \(env)")
             call.reject("invalid env: \(env)")
             return
             return
         }
         }
+
         self.debugNotification(["event": "setenv:\(env)"])
         self.debugNotification(["event": "setenv:\(env)"])
         call.resolve(["ok": true])
         call.resolve(["ok": true])
     }
     }
-    
+
     @objc func getLocalFilesMeta(_ call: CAPPluginCall) {
     @objc func getLocalFilesMeta(_ call: CAPPluginCall) {
         guard let basePath = call.getString("basePath"),
         guard let basePath = call.getString("basePath"),
               let filePaths = call.getArray("filePaths") as? [String] else {
               let filePaths = call.getArray("filePaths") as? [String] else {
@@ -111,7 +173,7 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
             call.reject("invalid basePath")
             call.reject("invalid basePath")
             return
             return
         }
         }
-        
+
         var fileMetadataDict: [String: [String: Any]] = [:]
         var fileMetadataDict: [String: [String: Any]] = [:]
         for filePath in filePaths {
         for filePath in filePaths {
             let url = baseURL.appendingPathComponent(filePath)
             let url = baseURL.appendingPathComponent(filePath)
@@ -120,20 +182,20 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
                                               "size": meta.size]
                                               "size": meta.size]
             }
             }
         }
         }
-        
+
         call.resolve(["result": fileMetadataDict])
         call.resolve(["result": fileMetadataDict])
     }
     }
-    
+
     @objc func getLocalAllFilesMeta(_ call: CAPPluginCall) {
     @objc func getLocalAllFilesMeta(_ call: CAPPluginCall) {
         guard let basePath = call.getString("basePath"),
         guard let basePath = call.getString("basePath"),
               let baseURL = URL(string: basePath) else {
               let baseURL = URL(string: basePath) else {
                   call.reject("invalid basePath")
                   call.reject("invalid basePath")
                   return
                   return
               }
               }
-        
+
         var fileMetadataDict: [String: [String: Any]] = [:]
         var fileMetadataDict: [String: [String: Any]] = [:]
         if let enumerator = FileManager.default.enumerator(at: baseURL, includingPropertiesForKeys: [.isRegularFileKey], options: [.skipsPackageDescendants, .skipsHiddenFiles]) {
         if let enumerator = FileManager.default.enumerator(at: baseURL, includingPropertiesForKeys: [.isRegularFileKey], options: [.skipsPackageDescendants, .skipsHiddenFiles]) {
-            
+
             for case let fileURL as URL in enumerator {
             for case let fileURL as URL in enumerator {
                 if !fileURL.isSkipped() {
                 if !fileURL.isSkipped() {
                     if let meta = SyncMetadata(of: fileURL) {
                     if let meta = SyncMetadata(of: fileURL) {
@@ -147,8 +209,8 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
         }
         }
         call.resolve(["result": fileMetadataDict])
         call.resolve(["result": fileMetadataDict])
     }
     }
-    
-    
+
+
     @objc func renameLocalFile(_ call: CAPPluginCall) {
     @objc func renameLocalFile(_ call: CAPPluginCall) {
         guard let basePath = call.getString("basePath"),
         guard let basePath = call.getString("basePath"),
               let baseURL = URL(string: basePath) else {
               let baseURL = URL(string: basePath) else {
@@ -163,10 +225,10 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
             call.reject("invalid to file")
             call.reject("invalid to file")
             return
             return
         }
         }
-        
+
         let fromUrl = baseURL.appendingPathComponent(from)
         let fromUrl = baseURL.appendingPathComponent(from)
         let toUrl = baseURL.appendingPathComponent(to)
         let toUrl = baseURL.appendingPathComponent(to)
-        
+
         do {
         do {
             try FileManager.default.moveItem(at: fromUrl, to: toUrl)
             try FileManager.default.moveItem(at: fromUrl, to: toUrl)
         } catch {
         } catch {
@@ -174,23 +236,23 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
             return
             return
         }
         }
         call.resolve(["ok": true])
         call.resolve(["ok": true])
-        
+
     }
     }
-    
+
     @objc func deleteLocalFiles(_ call: CAPPluginCall) {
     @objc func deleteLocalFiles(_ call: CAPPluginCall) {
         guard let baseURL = call.getString("basePath").flatMap({path in URL(string: path)}),
         guard let baseURL = call.getString("basePath").flatMap({path in URL(string: path)}),
               let filePaths = call.getArray("filePaths") as? [String] else {
               let filePaths = call.getArray("filePaths") as? [String] else {
                   call.reject("required paremeters: basePath, filePaths")
                   call.reject("required paremeters: basePath, filePaths")
                   return
                   return
               }
               }
-        
+
         for filePath in filePaths {
         for filePath in filePaths {
             let fileUrl = baseURL.appendingPathComponent(filePath)
             let fileUrl = baseURL.appendingPathComponent(filePath)
             try? FileManager.default.removeItem(at: fileUrl) // ignore any delete errors
             try? FileManager.default.removeItem(at: fileUrl) // ignore any delete errors
         }
         }
         call.resolve(["ok": true])
         call.resolve(["ok": true])
     }
     }
-    
+
     /// remote -> local
     /// remote -> local
     @objc func updateLocalFiles(_ call: CAPPluginCall) {
     @objc func updateLocalFiles(_ call: CAPPluginCall) {
         guard let baseURL = call.getString("basePath").flatMap({path in URL(string: path)}),
         guard let baseURL = call.getString("basePath").flatMap({path in URL(string: path)}),
@@ -200,10 +262,10 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
                   call.reject("required paremeters: basePath, filePaths, graphUUID, token")
                   call.reject("required paremeters: basePath, filePaths, graphUUID, token")
                   return
                   return
               }
               }
-        
+
         let client = SyncClient(token: token, graphUUID: graphUUID)
         let client = SyncClient(token: token, graphUUID: graphUUID)
         client.delegate = self // receives notification
         client.delegate = self // receives notification
-        
+
         client.getFiles(at: filePaths) {  (fileURLs, error) in
         client.getFiles(at: filePaths) {  (fileURLs, error) in
             if let error = error {
             if let error = error {
                 print("debug getFiles error \(error)")
                 print("debug getFiles error \(error)")
@@ -212,9 +274,9 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
             } else {
             } else {
                 // handle multiple completionHandlers
                 // handle multiple completionHandlers
                 let group = DispatchGroup()
                 let group = DispatchGroup()
-                
+
                 var downloaded: [String] = []
                 var downloaded: [String] = []
-                
+
                 for (filePath, remoteFileURL) in fileURLs {
                 for (filePath, remoteFileURL) in fileURLs {
                     group.enter()
                     group.enter()
 
 
@@ -235,11 +297,11 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
                     self.debugNotification(["event": "download:done"])
                     self.debugNotification(["event": "download:done"])
                     call.resolve(["ok": true, "data": downloaded])
                     call.resolve(["ok": true, "data": downloaded])
                 }
                 }
-                
+
             }
             }
         }
         }
     }
     }
-    
+
     @objc func deleteRemoteFiles(_ call: CAPPluginCall) {
     @objc func deleteRemoteFiles(_ call: CAPPluginCall) {
         guard let filePaths = call.getArray("filePaths") as? [String],
         guard let filePaths = call.getArray("filePaths") as? [String],
               let graphUUID = call.getString("graphUUID"),
               let graphUUID = call.getString("graphUUID"),
@@ -252,7 +314,7 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
             call.reject("empty filePaths")
             call.reject("empty filePaths")
             return
             return
         }
         }
-        
+
         let client = SyncClient(token: token, graphUUID: graphUUID, txid: txid)
         let client = SyncClient(token: token, graphUUID: graphUUID, txid: txid)
         client.deleteFiles(filePaths) { txid, error in
         client.deleteFiles(filePaths) { txid, error in
             guard error == nil else {
             guard error == nil else {
@@ -266,7 +328,7 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
             call.resolve(["ok": true, "txid": txid])
             call.resolve(["ok": true, "txid": txid])
         }
         }
     }
     }
-    
+
     /// local -> remote
     /// local -> remote
     @objc func updateRemoteFiles(_ call: CAPPluginCall) {
     @objc func updateRemoteFiles(_ call: CAPPluginCall) {
         guard let baseURL = call.getString("basePath").flatMap({path in URL(string: path)}),
         guard let baseURL = call.getString("basePath").flatMap({path in URL(string: path)}),
@@ -280,12 +342,10 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
         guard !filePaths.isEmpty else {
         guard !filePaths.isEmpty else {
             return call.reject("empty filePaths")
             return call.reject("empty filePaths")
         }
         }
-        
-        print("debug begin updateRemoteFiles \(filePaths)")
-        
+
         let client = SyncClient(token: token, graphUUID: graphUUID, txid: txid)
         let client = SyncClient(token: token, graphUUID: graphUUID, txid: txid)
         client.delegate = self
         client.delegate = self
-        
+
         // 1. refresh_temp_credential
         // 1. refresh_temp_credential
         client.getTempCredential() { (credentials, error) in
         client.getTempCredential() { (credentials, error) in
             guard error == nil else {
             guard error == nil else {
@@ -293,14 +353,14 @@ public class FileSync: CAPPlugin, SyncDebugDelegate {
                 call.reject("error(getTempCredential): \(error!)")
                 call.reject("error(getTempCredential): \(error!)")
                 return
                 return
             }
             }
-            
+
             var files: [String: URL] = [:]
             var files: [String: URL] = [:]
             for filePath in filePaths {
             for filePath in filePaths {
                 // NOTE: filePath from js may contain spaces
                 // NOTE: filePath from js may contain spaces
                 let fileURL = baseURL.appendingPathComponent(filePath)
                 let fileURL = baseURL.appendingPathComponent(filePath)
                 files[filePath.encodeAsFname()] = fileURL
                 files[filePath.encodeAsFname()] = fileURL
             }
             }
-            
+
             // 2. upload_temp_file
             // 2. upload_temp_file
             client.uploadTempFiles(files, credentials: credentials!) { (uploadedFileKeyDict, error) in
             client.uploadTempFiles(files, credentials: credentials!) { (uploadedFileKeyDict, error) in
                 guard error == nil else {
                 guard error == nil else {

+ 2 - 1
ios/App/App/FileSync/SyncClient.swift

@@ -303,13 +303,14 @@ public class SyncClient {
         for (filePath, fileLocalURL) in files {
         for (filePath, fileLocalURL) in files {
             print("debug, upload temp \(fileLocalURL) \(filePath)")
             print("debug, upload temp \(fileLocalURL) \(filePath)")
             guard let rawData = try? Data(contentsOf: fileLocalURL) else { continue }
             guard let rawData = try? Data(contentsOf: fileLocalURL) else { continue }
+            guard let encryptedRawDat = maybeEncrypt(rawData) else { continue }
             group.enter()
             group.enter()
             
             
             let randFileName = String.random(length: 15).appending(".").appending(fileLocalURL.pathExtension)
             let randFileName = String.random(length: 15).appending(".").appending(fileLocalURL.pathExtension)
             let key = "\(self.s3prefix!)/ios\(randFileName)"
             let key = "\(self.s3prefix!)/ios\(randFileName)"
 
 
             keyFileDict[key] = filePath
             keyFileDict[key] = filePath
-            transferUtility?.uploadData(rawData, key: key, contentType: "application/octet-stream", expression: uploadExpression, completionHandler: uploadCompletionHandler)
+            transferUtility?.uploadData(encryptedRawDat, key: key, contentType: "application/octet-stream", expression: uploadExpression, completionHandler: uploadCompletionHandler)
                 .continueWith(block: { (task) in
                 .continueWith(block: { (task) in
                     if let error = task.error {
                     if let error = task.error {
                         completionHandler([:], error)
                         completionHandler([:], error)

+ 0 - 4
ios/App/App/capacitor.config.json

@@ -17,9 +17,5 @@
 	},
 	},
 	"ios": {
 	"ios": {
 		"scheme": "Logseq"
 		"scheme": "Logseq"
-	},
-	"server": {
-		"url": "http://192.168.1.59:3001",
-		"cleartext": true
 	}
 	}
 }
 }

+ 23 - 0
ios/App/LogseqSpecs/AgeEncryption.podspec

@@ -0,0 +1,23 @@
+Pod::Spec.new do |s|
+    s.name             = "AgeEncryption"
+    s.version          = "1.0.3"
+    s.summary          = "AgeEncryption for Logseq"
+    s.description      = <<-DESC
+                         TODO: Add description
+                         DESC
+    s.homepage         = "https://github.com/andelf/AgeEncryption"
+    s.license          = 'MIT'
+    s.author           = { "Andelf" => "[email protected]" }
+    s.source           = { :http => "https://github.com/andelf/AgeEncryption/releases/download/1.0.3/AgeEncryption.xcframework.zip" }
+    #s.source = { }
+
+    s.requires_arc          = true
+
+    s.platform = :ios
+    s.ios.deployment_target = '12.0'
+
+    s.vendored_frameworks = "AgeEncryption.xcframework"
+    s.static_framework = true
+
+    s.swift_version = '5.1'
+  end

+ 1 - 0
ios/App/Podfile

@@ -27,4 +27,5 @@ target 'Logseq' do
   # Add your Pods here
   # Add your Pods here
   pod 'AWSMobileClient'
   pod 'AWSMobileClient'
   pod 'AWSS3'
   pod 'AWSS3'
+  pod 'AgeEncryption', :podspec => './LogseqSpecs/AgeEncryption.podspec'
 end
 end

+ 12 - 6
src/main/frontend/fs/sync.cljs

@@ -523,7 +523,9 @@
   (key-gen [_] (go (js->clj (<! (p->c (ipc/ipc "key-gen")))
   (key-gen [_] (go (js->clj (<! (p->c (ipc/ipc "key-gen")))
                             :keywordize-keys true)))
                             :keywordize-keys true)))
   (set-env [_ prod? private-key public-key]
   (set-env [_ prod? private-key public-key]
-    (p->c (ipc/ipc "set-env" (if prod? "prod" "dev") private-key public-key)))
+    (when (not-empty private-key)
+      (print "[sync] setting sync age-encryption passphrase..."))
+    (go (<! (p->c (ipc/ipc "set-env" (if prod? "prod" "dev") private-key public-key)))))
   (get-local-all-files-meta [_ graph-uuid base-path]
   (get-local-all-files-meta [_ graph-uuid base-path]
     (go
     (go
       (let [r (<! (retry-rsapi #(p->c (ipc/ipc "get-local-all-files-meta" graph-uuid base-path))))]
       (let [r (<! (retry-rsapi #(p->c (ipc/ipc "get-local-all-files-meta" graph-uuid base-path))))]
@@ -589,10 +591,14 @@
       (state/get-auth-id-token)))
       (state/get-auth-id-token)))
 
 
   IRSAPI
   IRSAPI
-  (key-gen [_] ;; TODO
-    )
-  (set-env [_ prod? _private-key _public-key] ;; TODO
-    (go (<! (p->c (.setEnv mobile-util/file-sync (clj->js {:env (if prod? "prod" "dev")}))))))
+  (key-gen [_]
+    (go (let [r (<! (p->c (.keygen mobile-util/file-sync #js {})))]
+          (->> r
+               (js->clj :keywordize-keys true)))))
+  (set-env [_ prod? secret-key public-key]
+    (go (<! (p->c (.setEnv mobile-util/file-sync (clj->js {:env (if prod? "prod" "dev")
+                                                           :secretKey secret-key
+                                                           :publicKey public-key}))))))
 
 
   (get-local-all-files-meta [_ _graph-uuid base-path]
   (get-local-all-files-meta [_ _graph-uuid base-path]
     (go
     (go
@@ -1384,7 +1390,7 @@
                             (map #(relative-path %))
                             (map #(relative-path %))
                             (filter #(not (contains-path? ignore-files %))))
                             (filter #(not (contains-path? ignore-files %))))
               paths (sequence es->paths-xf es)]
               paths (sequence es->paths-xf es)]
-          (println "sync-local->remote" paths)
+          (println "sync-local->remote" type paths)
           (let [r (case type
           (let [r (case type
                     ("add" "change")
                     ("add" "change")
                     (update-remote-files rsapi graph-uuid base-path paths @*txid)
                     (update-remote-files rsapi graph-uuid base-path paths @*txid)

+ 4 - 0
src/main/frontend/handler/file_sync.cljs

@@ -73,6 +73,10 @@
 (defn init-graph [graph-uuid]
 (defn init-graph [graph-uuid]
   (let [repo (state/get-current-repo)
   (let [repo (state/get-current-repo)
         user-uuid (user/user-uuid)]
         user-uuid (user/user-uuid)]
+    ;; FIXME: when switching graph, sync-start is not called. set-env is not called as well.
+    (sync/set-env sync/rsapi config/FILE-SYNC-PROD?
+                  "AGE-SECRET-KEY-1RRP2D43M00FTPARY5MJNN0Z4D6K8NDWC9ME5P60ZE59EDKMXP9PQK0P6YA"
+                  "age1sk2zx4lxcy47tjcgmfdz65sxcpw92k8fjpdencmcgyncxtexfupsz38tcg")
     (sync/update-graphs-txid! 0 graph-uuid user-uuid repo)
     (sync/update-graphs-txid! 0 graph-uuid user-uuid repo)
     (swap! refresh-file-sync-component not)
     (swap! refresh-file-sync-component not)
     (state/pub-event! [:graph/switch repo {:persist? false}])))
     (state/pub-event! [:graph/switch repo {:persist? false}])))