Merge branch 'release/1.0.0' into main

Author: tobihagemann

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.cryptomator</groupId>
     <artifactId>cloud-access</artifactId>
-    <version>0.3.0</version>
+    <version>1.0.0</version>
 
     <name>Cryptomator CloudAccess in Java</name>
     <description>CloudAccess is used in e.g. Cryptomator for Android to access different cloud providers.</description>
@@ -42,6 +42,8 @@
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <guava.version>29.0-jre</guava.version>
+        <jwt.version>3.10.3</jwt.version>
+        <cryptolib.version>1.4.0</cryptolib.version>
 
         <okhttp.version>4.7.2</okhttp.version>
         <okhttp-digest.version>2.4</okhttp-digest.version>
@@ -85,10 +87,15 @@
             <artifactId>guava</artifactId>
             <version>${guava.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>${jwt.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.cryptomator</groupId>
             <artifactId>cryptolib</artifactId>
-            <version>1.4.0-beta3</version>
+            <version>${cryptolib.version}</version>
         </dependency>
 
         <!-- Logging -->

src/main/java/module-info.java

@@ -10,4 +10,5 @@
 	requires okhttp3;
 	requires okhttp.digest;
 	requires okio;
+	requires java.jwt;
 }

src/main/java/org/cryptomator/cloudaccess/CloudAccess.java

@@ -1,18 +1,30 @@
 package org.cryptomator.cloudaccess;
 
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.exceptions.SignatureVerificationException;
+import com.google.common.base.Preconditions;
 import org.cryptomator.cloudaccess.api.CloudPath;
 import org.cryptomator.cloudaccess.api.CloudProvider;
+import org.cryptomator.cloudaccess.api.ProgressListener;
 import org.cryptomator.cloudaccess.api.exceptions.CloudProviderException;
+import org.cryptomator.cloudaccess.api.exceptions.VaultKeyVerificationFailedException;
+import org.cryptomator.cloudaccess.api.exceptions.VaultVerificationFailedException;
+import org.cryptomator.cloudaccess.api.exceptions.VaultVersionVerificationFailedException;
 import org.cryptomator.cloudaccess.localfs.LocalFsCloudProvider;
 import org.cryptomator.cloudaccess.vaultformat8.VaultFormat8ProviderDecorator;
 import org.cryptomator.cloudaccess.webdav.WebDavCloudProvider;
 import org.cryptomator.cloudaccess.webdav.WebDavCredential;
 import org.cryptomator.cryptolib.Cryptors;
 
+import java.io.IOException;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.time.Duration;
 
 public class CloudAccess {
 
@@ -22,17 +34,30 @@ private CloudAccess() {
 	/**
 	 * Decorates an existing CloudProvider by encrypting paths and file contents using Cryptomator's Vault Format 8.
 	 * Uses an externally managed masterkey, i.e. it will only validate the vault version but not parse any vault config.
+	 * <p>
+	 * This method might return with one of the following exceptions:
+	 * <ul>
+	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.VaultVersionVerificationFailedException} If the version of the vault config isn't 8</li>
+	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.VaultKeyVerificationFailedException} If <code>rawKey</code> doesn't match the key used to create the vault config</li>
+	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.VaultVerificationFailedException} If the <code>ciphermode</code> in the vault config doesn't match SIV_GCM</li>
+	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.CloudProviderException} If the general error occurred</li>
+	 *     <li>{@link CloudProviderException} in case of generic I/O errors</li>
+	 * </ul>
 	 *
 	 * @param cloudProvider A CloudProvider providing access to a storage space on which to store ciphertext data
-	 * @param pathToVault	Path that can be used within the given <code>cloudProvider</code> leading to the vault's root
+	 * @param pathToVault   Path that can be used within the given <code>cloudProvider</code> leading to the vault's root
 	 * @param rawKey        512 bit key used for cryptographic operations
 	 * @return A cleartext view on the given CloudProvider
 	 */
 	public static CloudProvider vaultFormat8GCMCloudAccess(CloudProvider cloudProvider, CloudPath pathToVault, byte[] rawKey) {
+		Preconditions.checkArgument(rawKey.length == 64, "masterkey needs to be 512 bit");
+
 		try {
 			var csprng = SecureRandom.getInstanceStrong();
 			var cryptor = Cryptors.version2(csprng).createFromRawKey(rawKey);
-			// TODO validate vaultFormat.jwt before creating decorator
+
+			verifyVaultFormat8GCMConfig(cloudProvider, pathToVault, rawKey);
+
 			VaultFormat8ProviderDecorator provider = new VaultFormat8ProviderDecorator(cloudProvider, pathToVault.resolve("d"), cryptor);
 			provider.initialize();
 			return new MetadataCachingProviderDecorator(provider);
@@ -44,6 +69,32 @@ public static CloudProvider vaultFormat8GCMCloudAccess(CloudProvider cloudProvid
 		}
 	}
 
+	private static void verifyVaultFormat8GCMConfig(CloudProvider cloudProvider, CloudPath pathToVault, byte[] rawKey) {
+		var vaultConfigPath = pathToVault.resolve("vaultconfig.jwt");
+		var algorithm = Algorithm.HMAC256(rawKey);
+		var verifier = JWT.require(algorithm)
+				.withClaim("version", 8)
+				.withClaim("ciphermode", "SIV_GCM")
+				.build();
+
+		var read = cloudProvider.read(vaultConfigPath, ProgressListener.NO_PROGRESS_AWARE);
+		try (var in = read.toCompletableFuture().join()) {
+			var vaultConfigContents = in.readAllBytes();
+			var token = new String(vaultConfigContents, StandardCharsets.US_ASCII);
+			verifier.verify(token);
+		} catch (SignatureVerificationException e) {
+			throw new VaultKeyVerificationFailedException(e);
+		} catch (JWTVerificationException e) {
+			if (e.getMessage().equals("The Claim 'version' value doesn't match the required one.")) {
+				throw new VaultVersionVerificationFailedException(e);
+			} else {
+				throw new VaultVerificationFailedException(e);
+			}
+		} catch (CloudProviderException | IOException e) {
+			throw new CloudProviderException(e);
+		}
+	}
+
 	/**
 	 * Creates a new CloudProvider which provides access to the given URL via WebDAV.
 	 *
@@ -53,7 +104,6 @@ public static CloudProvider vaultFormat8GCMCloudAccess(CloudProvider cloudProvid
 	 * @return A cloud access provider that provides access to the given WebDAV URL
 	 */
 	public static CloudProvider toWebDAV(URL url, String username, CharSequence password) {
-		// TODO can we pass though CharSequence to the auth mechanism?
 		return WebDavCloudProvider.from(WebDavCredential.from(url, username, password.toString()));
 	}
 

src/main/java/org/cryptomator/cloudaccess/MetadataCachingProviderDecorator.java

@@ -7,6 +7,7 @@
 import org.cryptomator.cloudaccess.api.CloudPath;
 import org.cryptomator.cloudaccess.api.CloudProvider;
 import org.cryptomator.cloudaccess.api.ProgressListener;
+import org.cryptomator.cloudaccess.api.Quota;
 import org.cryptomator.cloudaccess.api.exceptions.NotFoundException;
 
 import java.io.InputStream;
@@ -18,21 +19,27 @@
 
 public class MetadataCachingProviderDecorator implements CloudProvider {
 
-	final Cache<CloudPath, Optional<CloudItemMetadata>> metadataCache;
+	private final static int DEFAULT_CACHE_TIMEOUT_SECONDS = 10;
+
+	final Cache<CloudPath, Optional<CloudItemMetadata>> itemMetadataCache;
+	final Cache<CloudPath, Optional<Quota>> quotaCache;
 	private final CloudProvider delegate;
 
 	public MetadataCachingProviderDecorator(CloudProvider delegate) {
-		this(delegate, Duration.ofSeconds(10));
+		this(delegate, Duration.ofSeconds( //
+				Integer.getInteger("org.cryptomator.cloudaccess.metadatacachingprovider.timeoutSeconds", DEFAULT_CACHE_TIMEOUT_SECONDS)
+		));
 	}
 
 	public MetadataCachingProviderDecorator(CloudProvider delegate, Duration cacheEntryMaxAge) {
 		this.delegate = delegate;
-		this.metadataCache = CacheBuilder.newBuilder().expireAfterWrite(cacheEntryMaxAge).build();
+		this.itemMetadataCache = CacheBuilder.newBuilder().expireAfterWrite(cacheEntryMaxAge).build();
+		this.quotaCache = CacheBuilder.newBuilder().expireAfterWrite(cacheEntryMaxAge).build();
 	}
 
 	@Override
 	public CompletionStage<CloudItemMetadata> itemMetadata(CloudPath node) {
-		var cachedMetadata = metadataCache.getIfPresent(node);
+		var cachedMetadata = itemMetadataCache.getIfPresent(node);
 		if (cachedMetadata != null) {
 			return cachedMetadata //
 					.map(CompletableFuture::completedFuture) //
@@ -42,11 +49,33 @@ public CompletionStage<CloudItemMetadata> itemMetadata(CloudPath node) {
 					.whenComplete((metadata, exception) -> {
 						if (exception == null) {
 							assert metadata != null;
-							metadataCache.put(node, Optional.of(metadata));
+							itemMetadataCache.put(node, Optional.of(metadata));
+						} else if (exception instanceof NotFoundException) {
+							itemMetadataCache.put(node, Optional.empty());
+						} else {
+							itemMetadataCache.invalidate(node);
+						}
+					});
+		}
+	}
+
+	@Override
+	public CompletionStage<Quota> quota(CloudPath folder) {
+		var cachedMetadata = quotaCache.getIfPresent(folder);
+		if (cachedMetadata != null) {
+			return cachedMetadata //
+					.map(CompletableFuture::completedFuture) //
+					.orElseGet(() -> CompletableFuture.failedFuture(new NotFoundException()));
+		} else {
+			return delegate.quota(folder) //
+					.whenComplete((quota, exception) -> {
+						if (exception == null) {
+							assert quota != null;
+							quotaCache.put(folder, Optional.of(quota));
 						} else if (exception instanceof NotFoundException) {
-							metadataCache.put(node, Optional.empty());
+							quotaCache.put(folder, Optional.empty());
 						} else {
-							metadataCache.invalidate(node);
+							quotaCache.invalidate(folder);
 						}
 					});
 		}
@@ -59,7 +88,7 @@ public CompletionStage<CloudItemList> list(CloudPath folder, Optional<String> pa
 					evictIncludingDescendants(folder);
 					if (exception == null) {
 						assert cloudItemList != null;
-						cloudItemList.getItems().forEach(metadata -> metadataCache.put(metadata.getPath(), Optional.of(metadata)));
+						cloudItemList.getItems().forEach(metadata -> itemMetadataCache.put(metadata.getPath(), Optional.of(metadata)));
 					}
 				});
 	}
@@ -69,7 +98,7 @@ public CompletionStage<InputStream> read(CloudPath file, ProgressListener progre
 		return delegate.read(file, progressListener) //
 				.whenComplete((metadata, exception) -> {
 					if (exception != null) {
-						metadataCache.invalidate(file);
+						itemMetadataCache.invalidate(file);
 					}
 				});
 	}
@@ -79,7 +108,7 @@ public CompletionStage<InputStream> read(CloudPath file, long offset, long count
 		return delegate.read(file, offset, count, progressListener) //
 				.whenComplete((inputStream, exception) -> {
 					if (exception != null) {
-						metadataCache.invalidate(file);
+						itemMetadataCache.invalidate(file);
 					}
 				});
 	}
@@ -89,7 +118,8 @@ public CompletionStage<Void> write(CloudPath file, boolean replace, InputStream
 		return delegate.write(file, replace, data, size, lastModified, progressListener) //
 				.whenComplete((nullReturn, exception) -> {
 					if (exception != null) {
-						metadataCache.invalidate(file);
+						itemMetadataCache.invalidate(file);
+						quotaCache.invalidateAll();
 					}
 				});
 	}
@@ -98,7 +128,7 @@ public CompletionStage<Void> write(CloudPath file, boolean replace, InputStream
 	public CompletionStage<CloudPath> createFolder(CloudPath folder) {
 		return delegate.createFolder(folder) //
 				.whenComplete((metadata, exception) -> {
-					metadataCache.invalidate(folder);
+					itemMetadataCache.invalidate(folder);
 				});
 	}
 
@@ -107,22 +137,24 @@ public CompletionStage<Void> delete(CloudPath node) {
 		return delegate.delete(node) //
 				.whenComplete((nullReturn, exception) -> {
 					evictIncludingDescendants(node);
+					quotaCache.invalidateAll();
 				});
 	}
 
 	@Override
 	public CompletionStage<CloudPath> move(CloudPath source, CloudPath target, boolean replace) {
 		return delegate.move(source, target, replace) //
 				.whenComplete((path, exception) -> {
-					metadataCache.invalidate(source);
-					metadataCache.invalidate(target);
+					itemMetadataCache.invalidate(source);
+					itemMetadataCache.invalidate(target);
+					quotaCache.invalidateAll();
 				});
 	}
 
 	private void evictIncludingDescendants(CloudPath cleartextPath) {
-		for (var path : metadataCache.asMap().keySet()) {
+		for (var path : itemMetadataCache.asMap().keySet()) {
 			if (path.startsWith(cleartextPath)) {
-				metadataCache.invalidate(path);
+				itemMetadataCache.invalidate(path);
 			}
 		}
 	}

src/main/java/org/cryptomator/cloudaccess/api/CloudProvider.java

@@ -34,6 +34,21 @@ public interface CloudProvider {
 	 */
 	CompletionStage<CloudItemMetadata> itemMetadata(CloudPath node);
 
+	/**
+	 * Fetches the available, used and or total quota for a folder
+	 * <p>
+	 * The returned CompletionStage might complete exceptionally with one of the following exceptions:
+	 * <ul>
+	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.NotFoundException} If no item exists for the given path</li>
+	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.QuotaNotAvailableException} If the quota could not be queried. </li>
+	 *     <li>{@link CloudProviderException} in case of generic I/O errors</li>
+	 * </ul>
+	 *
+	 * @param folder The remote path of the folder, whose quota to fetch.
+	 * @return CompletionStage with the quota info for a folder. If the fetch fails, it completes exceptionally.
+	 */
+	CompletionStage<Quota> quota(CloudPath folder);
+
 	/**
 	 * Starts fetching the contents of a folder.
 	 * If the result's <code>CloudItemList</code> has a <code>nextPageToken</code>, calling this method again with the provided token will continue listing.
@@ -81,7 +96,7 @@ private CompletionStage<CloudItemList> listExhaustively(CloudPath folder, CloudI
 	 * The returned CompletionStage might complete exceptionally with the same exceptions as specified in {@link #read(CloudPath, long, long, ProgressListener)}.
 	 *
 	 * @param file             A remote path referencing a file
-	 * @param progressListener TODO Future use
+	 * @param progressListener Future use
 	 * @return CompletionStage with an InputStream to read from. If accessing the file fails, it'll complete exceptionally.
 	 * @see #read(CloudPath, long, long, ProgressListener)
 	 */
@@ -102,7 +117,7 @@ default CompletionStage<InputStream> read(CloudPath file, ProgressListener progr
 	 * @param file             A remote path referencing a file
 	 * @param offset           The first byte (inclusive) to read.
 	 * @param count            The number of bytes requested. Can exceed the actual file length. Set to {@link Long#MAX_VALUE} to read till EOF.
-	 * @param progressListener TODO Future use
+	 * @param progressListener Future use
 	 * @return CompletionStage with an InputStream to read from. If accessing the file fails, it'll complete exceptionally. If the requested range cannot be fulfilled, an inputstream with 0 bytes is returned
 	 */
 	CompletionStage<InputStream> read(CloudPath file, long offset, long count, ProgressListener progressListener);
@@ -115,6 +130,7 @@ default CompletionStage<InputStream> read(CloudPath file, ProgressListener progr
 	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.NotFoundException} If the parent directory of this file doesn't exist</li>
 	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.TypeMismatchException} If the path points to a node that isn't a file</li>
 	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.AlreadyExistsException} If a node with the given path already exists and <code>replace</code> is false</li>
+	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.ParentFolderDoesNotExistException} If the parent folder of a node doesn't exists</li>
 	 *     <li>{@link CloudProviderException} in case of generic I/O errors</li>
 	 * </ul>
 	 *
@@ -123,7 +139,7 @@ default CompletionStage<InputStream> read(CloudPath file, ProgressListener progr
 	 * @param data             A data source from which to copy contents to the remote file
 	 * @param size             The size of data
 	 * @param lastModified     The lastModified which should be provided to the server
-	 * @param progressListener TODO Future use
+	 * @param progressListener Future use
 	 * @return CompletionStage that will be completed after writing all <code>data</code>.
 	 */
 	CompletionStage<Void> write(CloudPath file, boolean replace, InputStream data, long size, Optional<Instant> lastModified, ProgressListener progressListener);
@@ -185,6 +201,7 @@ default CompletionStage<CloudPath> createFolderIfNonExisting(CloudPath folder) {
 	 * <ul>
 	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.NotFoundException} If no item exists for the given source path</li>
 	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.AlreadyExistsException} If a node with the given target path already exists and <code>replace</code> is false</li>
+	 *     <li>{@link org.cryptomator.cloudaccess.api.exceptions.ParentFolderDoesNotExistException} If the parent folder of a node doesn't exists</li>
 	 *     <li>{@link CloudProviderException} in case of generic I/O errors</li>
 	 * </ul>
 	 *