From 3b38ac0f9bbcf54f98efae456ce08c07afa8a4f1 Mon Sep 17 00:00:00 2001 From: Jonas Winkler Date: Wed, 25 Nov 2020 20:22:56 +0100 Subject: [PATCH 1/4] Removed ability to encrypt documents. --- docs/administration.rst | 24 ++-------- ...e_storage_type.py => decrypt_documents.py} | 44 +------------------ 2 files changed, 5 insertions(+), 63 deletions(-) rename src/documents/management/commands/{change_storage_type.py => decrypt_documents.py} (59%) diff --git a/docs/administration.rst b/docs/administration.rst index c582e83a0..610d2c9d3 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -353,39 +353,23 @@ Documents can be stored in Paperless using GnuPG encryption. Consider running paperless on an encrypted filesystem instead, which will then at least provide security against physical hardware theft. -.. code:: - - change_storage_type [--passphrase PASSPHRASE] {gpg,unencrypted} {gpg,unencrypted} - - positional arguments: - {gpg,unencrypted} The state you want to change your documents from - {gpg,unencrypted} The state you want to change your documents to - - optional arguments: - --passphrase PASSPHRASE Enabling encryption ------------------- -Basic usage to enable encryption of your document store (**USE A MORE SECURE PASSPHRASE**): - -(Note: If ``PAPERLESS_PASSPHRASE`` isn't set already, you need to specify it here) - -.. code:: - - change_storage_type [--passphrase SECR3TP4SSPHRA$E] unencrypted gpg +Enabling encryption is no longer supported. Disabling encryption -------------------- -Basic usage to enable encryption of your document store: +Basic usage to disable encryption of your document store: -(Note: Again, if ``PAPERLESS_PASSPHRASE`` isn't set already, you need to specify it here) +(Note: If ``PAPERLESS_PASSPHRASE`` isn't set already, you need to specify it here) .. code:: - change_storage_type [--passphrase SECR3TP4SSPHRA$E] gpg unencrypted + decrypt_documents [--passphrase SECR3TP4SSPHRA$E] .. _Pipenv: https://pipenv.pypa.io/en/latest/ \ No newline at end of file diff --git a/src/documents/management/commands/change_storage_type.py b/src/documents/management/commands/decrypt_documents.py similarity index 59% rename from src/documents/management/commands/change_storage_type.py rename to src/documents/management/commands/decrypt_documents.py index 344d3388d..e4d607fa8 100644 --- a/src/documents/management/commands/change_storage_type.py +++ b/src/documents/management/commands/decrypt_documents.py @@ -17,16 +17,6 @@ class Command(BaseCommand): def add_arguments(self, parser): - parser.add_argument( - "from", - choices=("gpg", "unencrypted"), - help="The state you want to change your documents from" - ) - parser.add_argument( - "to", - choices=("gpg", "unencrypted"), - help="The state you want to change your documents to" - ) parser.add_argument( "--passphrase", help="If PAPERLESS_PASSPHRASE isn't set already, you need to " @@ -50,11 +40,6 @@ class Command(BaseCommand): except KeyboardInterrupt: return - if options["from"] == options["to"]: - raise CommandError( - 'The "from" and "to" values can\'t be the same.' - ) - passphrase = options["passphrase"] or settings.PASSPHRASE if not passphrase: raise CommandError( @@ -62,10 +47,7 @@ class Command(BaseCommand): "by declaring it in your environment or your config." ) - if options["from"] == "gpg" and options["to"] == "unencrypted": - self.__gpg_to_unencrypted(passphrase) - elif options["from"] == "unencrypted" and options["to"] == "gpg": - self.__unencrypted_to_gpg(passphrase) + self.__gpg_to_unencrypted(passphrase) @staticmethod def __gpg_to_unencrypted(passphrase): @@ -94,27 +76,3 @@ class Command(BaseCommand): for path in old_paths: os.unlink(path) - - @staticmethod - def __unencrypted_to_gpg(passphrase): - - unencrypted_files = Document.objects.filter( - storage_type=Document.STORAGE_TYPE_UNENCRYPTED) - - for document in unencrypted_files: - - print(coloured("Encrypting {}".format(document), "green")) - - old_paths = [document.source_path, document.thumbnail_path] - with open(document.source_path, "rb") as raw_document: - with open(document.thumbnail_path, "rb") as raw_thumb: - document.storage_type = Document.STORAGE_TYPE_GPG - with open(document.source_path, "wb") as f: - f.write(GnuPG.encrypted(raw_document, passphrase)) - with open(document.thumbnail_path, "wb") as f: - f.write(GnuPG.encrypted(raw_thumb, passphrase)) - - document.save(update_fields=("storage_type",)) - - for path in old_paths: - os.unlink(path) From 2163015d06dc4c50e8dc5aa35fef091d369788a6 Mon Sep 17 00:00:00 2001 From: Jonas Winkler Date: Wed, 25 Nov 2020 20:26:07 +0100 Subject: [PATCH 2/4] changelog --- docs/changelog.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/changelog.rst b/docs/changelog.rst index c494cecb9..e2df92863 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst @@ -12,7 +12,8 @@ next You have to specify your username. * Added a simple sanity checker that checks your documents for missing or orphaned files, files with wrong checksums, inaccessible files, and documents with empty content. - +* It is no longer possible to encrypt your documents. For the time being, paperless will + continue to operate with already encrypted documents. paperless-ng 0.9.2 ################## From ef15de18a97acdffd97c52a9fde3079fd7e0c7e0 Mon Sep 17 00:00:00 2001 From: Jonas Winkler Date: Wed, 25 Nov 2020 21:03:06 +0100 Subject: [PATCH 3/4] Paperless will continue to operate with encrypted files, however, all new files will be stored unencrypted. --- src/documents/consumer.py | 11 ++------- .../management/commands/document_importer.py | 23 +++---------------- 2 files changed, 5 insertions(+), 29 deletions(-) diff --git a/src/documents/consumer.py b/src/documents/consumer.py index 65febc937..8fed01c30 100755 --- a/src/documents/consumer.py +++ b/src/documents/consumer.py @@ -208,10 +208,7 @@ class Consumer(LoggingMixin): created = file_info.created or date or timezone.make_aware( datetime.datetime.fromtimestamp(stats.st_mtime)) - if settings.PASSPHRASE: - storage_type = Document.STORAGE_TYPE_GPG - else: - storage_type = Document.STORAGE_TYPE_UNENCRYPTED + storage_type = Document.STORAGE_TYPE_UNENCRYPTED with open(self.path, "rb") as f: document = Document.objects.create( @@ -260,8 +257,4 @@ class Consumer(LoggingMixin): def _write(self, document, source, target): with open(source, "rb") as read_file: with open(target, "wb") as write_file: - if document.storage_type == Document.STORAGE_TYPE_UNENCRYPTED: - write_file.write(read_file.read()) - return - self.log("debug", "Encrypting") - write_file.write(GnuPG.encrypted(read_file)) + write_file.write(read_file.read()) diff --git a/src/documents/management/commands/document_importer.py b/src/documents/management/commands/document_importer.py index 208a0ef37..5f50f08f6 100644 --- a/src/documents/management/commands/document_importer.py +++ b/src/documents/management/commands/document_importer.py @@ -82,8 +82,6 @@ class Command(Renderable, BaseCommand): def _import_files_from_manifest(self): storage_type = Document.STORAGE_TYPE_UNENCRYPTED - if settings.PASSPHRASE: - storage_type = Document.STORAGE_TYPE_GPG for record in self.manifest: @@ -105,23 +103,8 @@ class Command(Renderable, BaseCommand): create_source_path_directory(document.source_path) - if settings.PASSPHRASE: - - with open(document_path, "rb") as unencrypted: - with open(document.source_path, "wb") as encrypted: - print("Encrypting {} and saving it to {}".format( - doc_file, document.source_path)) - encrypted.write(GnuPG.encrypted(unencrypted)) - - with open(thumbnail_path, "rb") as unencrypted: - with open(document.thumbnail_path, "wb") as encrypted: - print("Encrypting {} and saving it to {}".format( - thumb_file, document.thumbnail_path)) - encrypted.write(GnuPG.encrypted(unencrypted)) - - else: - print(f"Moving {document_path} to {document.source_path}") - shutil.copy(document_path, document.source_path) - shutil.copy(thumbnail_path, document.thumbnail_path) + print(f"Moving {document_path} to {document.source_path}") + shutil.copy(document_path, document.source_path) + shutil.copy(thumbnail_path, document.thumbnail_path) document.save() From 2a4fe4dceb35db00a48f8cbc11171e026f269678 Mon Sep 17 00:00:00 2001 From: Jonas Winkler Date: Wed, 25 Nov 2020 21:10:50 +0100 Subject: [PATCH 4/4] fixed the decryption code, but its still untested. --- .../management/commands/decrypt_documents.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/documents/management/commands/decrypt_documents.py b/src/documents/management/commands/decrypt_documents.py index e4d607fa8..f9b4edcdc 100644 --- a/src/documents/management/commands/decrypt_documents.py +++ b/src/documents/management/commands/decrypt_documents.py @@ -61,18 +61,28 @@ class Command(BaseCommand): document).encode('utf-8'), "green")) old_paths = [document.source_path, document.thumbnail_path] + raw_document = GnuPG.decrypted(document.source_file, passphrase) raw_thumb = GnuPG.decrypted(document.thumbnail_file, passphrase) document.storage_type = Document.STORAGE_TYPE_UNENCRYPTED + ext = os.path.splitext(document.filename)[1] + + if not ext == '.gpg': + raise CommandError( + f"Abort: encrypted file {document.source_path} does not " + f"end with .gpg") + + document.filename = os.path.splitext(document.source_path)[0] + with open(document.source_path, "wb") as f: f.write(raw_document) with open(document.thumbnail_path, "wb") as f: f.write(raw_thumb) - document.save(update_fields=("storage_type",)) + document.save(update_fields=("storage_type", "filename")) for path in old_paths: os.unlink(path)