From bf86e740bd1f025af3158ffdaaa05c25d7a2a37a Mon Sep 17 00:00:00 2001
From: jaseg <git@jaseg.net>
Date: Wed, 26 Jun 2019 16:36:20 +0900
Subject: Improve encrypt command line interface, add progress bar

---
 encrypt.py   | 44 +++++++++++++++++++++++++++++++++++++-------
 filecrypt.py | 35 +++++++++++++++++++----------------
 server.py    |  3 ++-
 3 files changed, 58 insertions(+), 24 deletions(-)

diff --git a/encrypt.py b/encrypt.py
index e813d36..e13df79 100644
--- a/encrypt.py
+++ b/encrypt.py
@@ -1,20 +1,50 @@
 #!/usr/bin/env python3
 
-import os
-
-from filecrypt import encrypt_file
-
 if __name__ == '__main__':
+    import os
+    import configparser
     import argparse
-    parser = argparse.ArgumentParser()
+
+    from tqdm import tqdm
+
+    from filecrypt import generate_keys, payload_size
+
+    parser = argparse.ArgumentParser(description='Filecrypt secure file download encryption tool.'
+            'Encrypts a file for use with the filecrypt server, and output the generated download link.')
     parser.add_argument('infile')
+    parser.add_argument('-c', '--config', default=None, help='Config file location (default; $XDG_CONFIG_HOME/filecrypt.conf)')
+    parser.add_argument('-b', '--base-url', default=None, help='Base URL for link (also as config option)')
+    parser.add_argument('-q', '--no-progress', action='store_true', help='Hide progress bar')
+    parser.add_argument('-p', '--progress', action='store_true', help='Show progress bar (default, also as config option)')
     args = parser.parse_args()
 
+    progress = (not args.no_progress) or args.progress
+    config_path = args.config or os.environ.get('XDG_CONFIG_HOME', os.environ.get('HOME') + '/.config') + '/filecrypt.conf'
+    base_url = args.base_url
+    if os.path.isfile(config_path):
+        with open(config_path) as f:
+            config = configparser.ConfigParser(defaults={'url_base': ''})
+            config.read_string('[DEFAULT]\n'+f.read()) # doesn't parse simple key=value file by default m(
+
+            if base_url is None:
+                base_url = config.get('DEFAULT', 'base_url', fallback='').rstrip('/')
+            if not (args.no_progress or args.progress):
+                progress = config.getboolean('DEFAULT', 'progress', fallback=True)
+
     if not os.path.isfile(args.infile):
         print(f'{infile} is not a file or directory, exiting.')
         os.exit(2)
 
     download_filename = os.path.basename(args.infile)
-    file_id, token = encrypt_file(args.infile, download_filename)
-    print(f'/{file_id}/{token}/{download_filename}')
+
+    file_id, token, encrypt = generate_keys(download_filename)
+    print(f'{base_url}/{file_id}/{token}/{download_filename}')
+
+    if progress:
+        with tqdm(total=payload_size(args.infile), unit='B', unit_scale=True) as pbar:
+            for progress in encrypt(args.infile):
+                pbar.update(progress)
+    else:
+        for _progress in encrypt(args.infile):
+            pass
     
diff --git a/filecrypt.py b/filecrypt.py
index da0db9b..755e857 100644
--- a/filecrypt.py
+++ b/filecrypt.py
@@ -5,12 +5,13 @@ import struct
 import subprocess
 import binascii
 import os
+from contextlib import contextmanager
 
 FILE_ID_LENGTH = 22
 TOKEN_LENGTH = 22
 HEADER_LENGTH = 56
 
-def encrypt_file(filename_in, download_filename, chunk_size=1000000//16):
+def generate_keys(download_filename, chunk_size=1000000//16):
     file_id = secrets.token_urlsafe(16)
     auth_secret = secrets.token_bytes(16)
     key = secrets.token_bytes(16)
@@ -19,25 +20,27 @@ def encrypt_file(filename_in, download_filename, chunk_size=1000000//16):
     token_cipher = AES.new(auth_secret, AES.MODE_GCM)
     token_cipher.update(download_filename.encode())
     ciphertext, token_tag = token_cipher.encrypt_and_digest(key)
-    token = base64.b64encode(ciphertext).rstrip(b'=').decode()
+    token = base64.b64encode(ciphertext, b'+-').rstrip(b'=').decode()
 
-    with open(f'{file_id}.enc', 'wb') as fout, open(filename_in, 'rb') as fin:
-        fout.write(token_cipher.nonce) # 16 bytes
-        fout.write(token_tag) # 16 bytes
-        fout.write(auth_secret) # 16 bytes
-        fout.write(data_nonce) # 8 bytes
-        assert fout.tell() == HEADER_LENGTH
+    def encrypt(filename_in):
+        with open(f'{file_id}.enc', 'wb') as fout, open(filename_in, 'rb') as fin:
+            fout.write(token_cipher.nonce) # 16 bytes
+            fout.write(token_tag) # 16 bytes
+            fout.write(auth_secret) # 16 bytes
+            fout.write(data_nonce) # 8 bytes
+            assert fout.tell() == HEADER_LENGTH
 
-        cipher = AES.new(key, AES.MODE_CTR,
-                initial_value=struct.pack('<Q', 0), nonce=data_nonce)
+            cipher = AES.new(key, AES.MODE_CTR,
+                    initial_value=struct.pack('<Q', 0), nonce=data_nonce)
 
-        block = fin.read(cipher.block_size*chunk_size)
-        while block:
-            data = cipher.encrypt(block)
-            fout.write(data)
             block = fin.read(cipher.block_size*chunk_size)
+            while block:
+                data = cipher.encrypt(block)
+                fout.write(data)
+                yield len(data)
+                block = fin.read(cipher.block_size*chunk_size)
 
-    return file_id, token
+    return file_id, token, encrypt
 
 def payload_size(path):
     return os.stat(path).st_size - HEADER_LENGTH
@@ -50,7 +53,7 @@ def decrypt_generator(filename, download_filename, token, seek=0, end=None, chun
         data_nonce = fin.read(8)
         assert fin.tell() == HEADER_LENGTH
 
-    ciphertext = base64.b64decode(token + '='*((3-len(token)%3)%3))
+    ciphertext = base64.b64decode(token + '='*((3-len(token)%3)%3), b'+-')
     token_cipher = AES.new(auth_secret, AES.MODE_GCM, nonce=token_nonce)
     token_cipher.update(download_filename.encode())
     key = token_cipher.decrypt_and_verify(ciphertext, token_tag)
diff --git a/server.py b/server.py
index 694b1ac..4d8e4dc 100644
--- a/server.py
+++ b/server.py
@@ -8,6 +8,7 @@ from flask import Flask, abort, request, Response
 import filecrypt
 
 app = Flask(__name__)
+app.config.from_envvar('SECURE_DOWNLOAD_SETTINGS')
 BASE64_RE = re.compile('^[A-Za-z0-9+-_]+=*$')
 
 @app.route('/<file_id>/<token>/<filename>')
@@ -17,7 +18,7 @@ def download(file_id, token, filename):
     if not BASE64_RE.match(token) or len(token) != filecrypt.TOKEN_LENGTH:
         abort(400, 'Invalid token format')
 
-    path = f'{file_id}.enc'
+    path = f'{app.config["SERVE_PATH"]}/{file_id}.enc'
     if not os.path.isfile(path):
         abort(403) # forbidden
 
-- 
cgit