encrypt passwords stored in config files

Author: maxijabase

SourceServerManager/Models/ServerConfig.cs

@@ -1,6 +1,7 @@
 using System.ComponentModel;
 using System.Runtime.CompilerServices;
 using System.Text.Json.Serialization;
+using SourceServerManager.Services;
 
 namespace SourceServerManager.Models;
 
@@ -63,10 +64,60 @@ public int RconPort
         set => SetField(ref _rconPort, value);
     }
 
+    [JsonIgnore]
     public string RconPassword
+    {
+        get 
+        { 
+            // If password is encrypted, decrypt it for UI usage
+            if (!string.IsNullOrEmpty(_rconPassword) && EncryptionService.IsEncrypted(_rconPassword))
+            {
+                try
+                {
+                    return EncryptionService.DecryptString(_rconPassword);
+                }
+                catch
+                {
+                    // If decryption fails, return empty string
+                    return string.Empty;
+                }
+            }
+            // Return as-is (either plain text for migration, or empty)
+            return _rconPassword;
+        }
+        set 
+        {
+            var currentDecrypted = RconPassword;
+            if (!string.Equals(currentDecrypted, value))
+            {
+                // Encrypt and store the password
+                if (!string.IsNullOrEmpty(value))
+                {
+                    try
+                    {
+                        _rconPassword = EncryptionService.EncryptString(value);
+                    }
+                    catch
+                    {
+                        // If encryption fails, store as plain text (fallback)
+                        _rconPassword = value;
+                    }
+                }
+                else
+                {
+                    _rconPassword = string.Empty;
+                }
+                OnPropertyChanged();
+            }
+        }
+    }
+
+    // JSON property - stores the encrypted password directly
+    [JsonPropertyName("rconPassword")]
+    public string RconPasswordStorage
     {
         get => _rconPassword;
-        set => SetField(ref _rconPassword, value);
+        set => _rconPassword = value ?? string.Empty;
     }
 
     // FTP settings
@@ -88,10 +139,60 @@ public string FtpUsername
         set => SetField(ref _ftpUsername, value);
     }
 
+    [JsonIgnore]
     public string FtpPassword
+    {
+        get 
+        { 
+            // If password is encrypted, decrypt it for UI usage
+            if (!string.IsNullOrEmpty(_ftpPassword) && EncryptionService.IsEncrypted(_ftpPassword))
+            {
+                try
+                {
+                    return EncryptionService.DecryptString(_ftpPassword);
+                }
+                catch
+                {
+                    // If decryption fails, return empty string
+                    return string.Empty;
+                }
+            }
+            // Return as-is (either plain text for migration, or empty)
+            return _ftpPassword;
+        }
+        set 
+        {
+            var currentDecrypted = FtpPassword;
+            if (!string.Equals(currentDecrypted, value))
+            {
+                // Encrypt and store the password
+                if (!string.IsNullOrEmpty(value))
+                {
+                    try
+                    {
+                        _ftpPassword = EncryptionService.EncryptString(value);
+                    }
+                    catch
+                    {
+                        // If encryption fails, store as plain text (fallback)
+                        _ftpPassword = value;
+                    }
+                }
+                else
+                {
+                    _ftpPassword = string.Empty;
+                }
+                OnPropertyChanged();
+            }
+        }
+    }
+
+    // JSON property - stores the encrypted password directly
+    [JsonPropertyName("ftpPassword")]
+    public string FtpPasswordStorage
     {
         get => _ftpPassword;
-        set => SetField(ref _ftpPassword, value);
+        set => _ftpPassword = value ?? string.Empty;
     }
 
     public string FtpRootDirectory

SourceServerManager/Services/EncryptionService.cs

@@ -0,0 +1,72 @@
+using System;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace SourceServerManager.Services;
+
+public class EncryptionService
+{
+    public static string EncryptString(string plainText)
+    {
+        if (string.IsNullOrEmpty(plainText))
+            return plainText;
+
+        try
+        {
+            byte[] plainTextBytes = Encoding.UTF8.GetBytes(plainText);
+            byte[] encryptedBytes = ProtectedData.Protect(
+                plainTextBytes,
+                null, // No additional entropy
+                DataProtectionScope.CurrentUser // Encrypt for current user only
+            );
+            return Convert.ToBase64String(encryptedBytes);
+        }
+        catch (Exception ex)
+        {
+            throw new Exception($"Failed to encrypt string: {ex.Message}", ex);
+        }
+    }
+
+    public static string DecryptString(string encryptedText)
+    {
+        if (string.IsNullOrEmpty(encryptedText))
+            return encryptedText;
+
+        try
+        {
+            byte[] encryptedBytes = Convert.FromBase64String(encryptedText);
+            byte[] decryptedBytes = ProtectedData.Unprotect(
+                encryptedBytes,
+                null, // No additional entropy
+                DataProtectionScope.CurrentUser // Decrypt for current user only
+            );
+            return Encoding.UTF8.GetString(decryptedBytes);
+        }
+        catch (Exception ex)
+        {
+            throw new Exception($"Failed to decrypt string: {ex.Message}", ex);
+        }
+    }
+
+    public static bool IsEncrypted(string value)
+    {
+        if (string.IsNullOrEmpty(value))
+            return false;
+
+        try
+        {
+            // Try to decode as Base64 - if it fails, it's likely plain text
+            byte[] bytes = Convert.FromBase64String(value);
+            
+            // If it's valid Base64, try to decrypt it
+            // If decryption succeeds, it's encrypted
+            ProtectedData.Unprotect(bytes, null, DataProtectionScope.CurrentUser);
+            return true;
+        }
+        catch
+        {
+            // If Base64 decode or decryption fails, it's plain text
+            return false;
+        }
+    }
+}

SourceServerManager/Services/ServerConfigurationService.cs

@@ -65,12 +65,71 @@ public async Task<List<ServerConfig>> LoadServersAsync()
 
             // Deserialize the server configurations
             var servers = JsonSerializer.Deserialize<List<ServerConfig>>(json, _jsonOptions);
+            var serverList = servers ?? [];
 
-            return servers ?? [];
+            // Check if migration from plain text passwords is needed
+            bool needsMigration = MigratePlainTextPasswords(serverList);
+
+            // If migration occurred, save the updated configurations
+            if (needsMigration)
+            {
+                await SaveServersAsync(serverList);
+            }
+
+            return serverList;
         }
         catch (Exception ex)
         {
             throw new Exception($"Failed to load server configurations: {ex.Message}", ex);
         }
     }
+
+    private bool MigratePlainTextPasswords(List<ServerConfig> servers)
+    {
+        bool migrationOccurred = false;
+
+        try
+        {
+            foreach (var server in servers)
+            {
+                bool serverMigrated = false;
+
+                // Check if RCON password needs migration (plain text to encrypted)
+                var currentRconPassword = GetStoredPassword(server, "_rconPassword");
+                if (!string.IsNullOrEmpty(currentRconPassword) && !EncryptionService.IsEncrypted(currentRconPassword))
+                {
+                    server.RconPassword = currentRconPassword; // This will encrypt it automatically
+                    serverMigrated = true;
+                }
+
+                // Check if FTP password needs migration (plain text to encrypted)
+                var currentFtpPassword = GetStoredPassword(server, "_ftpPassword");
+                if (!string.IsNullOrEmpty(currentFtpPassword) && !EncryptionService.IsEncrypted(currentFtpPassword))
+                {
+                    server.FtpPassword = currentFtpPassword; // This will encrypt it automatically
+                    serverMigrated = true;
+                }
+
+                if (serverMigrated)
+                {
+                    migrationOccurred = true;
+                }
+            }
+        }
+        catch (Exception ex)
+        {
+            // Log the error but don't fail the entire load process
+            Console.WriteLine($"Warning: Password migration failed: {ex.Message}");
+        }
+
+        return migrationOccurred;
+    }
+
+    private string GetStoredPassword(ServerConfig server, string fieldName)
+    {
+        // Access the private field using reflection to get stored password
+        var field = typeof(ServerConfig).GetField(fieldName, 
+            System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance);
+        return field?.GetValue(server) as string ?? string.Empty;
+    }
 }

SourceServerManager/SourceServerManager.csproj

@@ -28,6 +28,7 @@
     <PackageReference Include="FluentFTP" Version="52.0.0" />
     <PackageReference Include="Okolni.Source.Query" Version="2.1.0" />
     <PackageReference Include="SSH.NET" Version="2024.2.0" />
+    <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="8.0.0" />
   </ItemGroup>
 
   <ItemGroup>

global.json

@@ -0,0 +1,5 @@
+{
+  "sdk": {
+    "version": "9.0.304"
+  }
+}