
Rename BORG_NONCES_DIR to BORG_SECURITY_DIR

Marian Beermann преди 8 години
родител
ревизия
c3a2dc5f55
променени са 6 файла, в които са добавени 28 реда и са изтрити 24 реда
  1. 4 3
      docs/usage.rst
  2. 9 7
      src/borg/helpers.py
  3. 2 2
      src/borg/nonces.py
  4. 8 7
      src/borg/testsuite/helpers.py
  5. 2 2
      src/borg/testsuite/key.py
  6. 3 3
      src/borg/testsuite/nonces.py

+ 4 - 3
docs/usage.rst

@@ -189,9 +189,10 @@ Directories and files:
         Default to '~/.config/borg/keys'. This directory contains keys for encrypted repositories.
     BORG_KEY_FILE
         When set, use the given filename as repository key file.
-    BORG_NONCES_DIR
-        Default to '~/.config/borg/key-nonces'. This directory contains information borg uses to
-        track its usage of NONCES ("numbers used once" - usually in encryption context).
+    BORG_SECURITY_DIR
+        Default to '~/.config/borg/security'. This directory contains information borg uses to
+        track its usage of NONCES ("numbers used once" - usually in encryption context) and other
+        security relevant data.
     BORG_CACHE_DIR
         Default to '~/.cache/borg'. This directory contains the local cache and might need a lot
         of space for dealing with big repositories).

+ 9 - 7
src/borg/helpers.py

@@ -288,15 +288,17 @@ def get_keys_dir():
     return keys_dir
 
 
-def get_nonces_dir():
-    """Determine where to store the local nonce high watermark"""
+def get_security_dir(repository_id=None):
+    """Determine where to store local security information."""
 
     xdg_config = os.environ.get('XDG_CONFIG_HOME', os.path.join(get_home_dir(), '.config'))
-    nonces_dir = os.environ.get('BORG_NONCES_DIR', os.path.join(xdg_config, 'borg', 'key-nonces'))
-    if not os.path.exists(nonces_dir):
-        os.makedirs(nonces_dir)
-        os.chmod(nonces_dir, stat.S_IRWXU)
-    return nonces_dir
+    security_dir = os.environ.get('BORG_SECURITY_DIR', os.path.join(xdg_config, 'borg', 'security'))
+    if repository_id:
+        security_dir = os.path.join(security_dir, repository_id)
+    if not os.path.exists(security_dir):
+        os.makedirs(security_dir)
+        os.chmod(security_dir, stat.S_IRWXU)
+    return security_dir
 
 
 def get_cache_dir():
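Review bot: In get_security_dir only the leaf directory gets `os.chmod(security_dir, stat.S_IRWXU)`. When `repository_id` is passed, `os.makedirs` also creates the parent `security` directory, which keeps umask-default permissions and so will typically let other local users list the repository ids stored beneath it. The `os.path.exists` check followed by `os.makedirs` can also raise if two borg processes start at once, and the directory briefly exists with default permissions before the chmod runs. I would create the base directory first and then the per-repository one, each with `os.makedirs(security_dir, mode=stat.S_IRWXU, exist_ok=True)`. Since `repository_id` is joined into the path unchecked, the docstring should also say it is expected to be the hex repository id and is used as a subdirectory name.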

+ 2 - 2
src/borg/nonces.py

@@ -3,7 +3,7 @@ import sys
 from binascii import unhexlify
 
 from .crypto import bytes_to_long, long_to_bytes
-from .helpers import get_nonces_dir
+from .helpers import get_security_dir
 from .helpers import bin_to_hex
 from .platform import SaveFile
 from .remote import InvalidRPCMethod
@@ -19,7 +19,7 @@ class NonceManager:
         self.enc_cipher = enc_cipher
         self.end_of_nonce_reservation = None
         self.manifest_nonce = manifest_nonce
-        self.nonce_file = os.path.join(get_nonces_dir(), self.repository.id_str)
+        self.nonce_file = os.path.join(get_security_dir(self.repository.id_str), 'nonce')
 
     def get_local_free_nonce(self):
         try:
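Review bot: The `self.nonce_file` assignment now points at `<security dir>/<repo id>/nonce`, and nothing visible in this commit reads or migrates a file already stored under the old `key-nonces/<repo id>` path. If that old location was ever populated on a client, the locally stored nonce high watermark is no longer found after the upgrade, and the client presumably has to rely on the repository's value, which is the situation the local copy exists to guard against. Either fall back to the legacy file when the new one is absent, or state in the changelog that `BORG_NONCES_DIR` never shipped in a release. A short comment such as `# per-repository security dir; 'nonce' holds the local nonce high watermark` on that line would also help. The constructor starts and get_local_free_nonce continues outside the hunk.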

+ 8 - 7
src/borg/testsuite/helpers.py

@@ -15,7 +15,7 @@ from ..helpers import Buffer
 from ..helpers import partial_format, format_file_size, parse_file_size, format_timedelta, format_line, PlaceholderError, replace_placeholders
 from ..helpers import make_path_safe, clean_lines
 from ..helpers import prune_within, prune_split
-from ..helpers import get_cache_dir, get_keys_dir, get_nonces_dir
+from ..helpers import get_cache_dir, get_keys_dir, get_security_dir
 from ..helpers import is_slow_msgpack
 from ..helpers import yes, TRUISH, FALSISH, DEFAULTISH
 from ..helpers import StableDict, int_to_bigint, bigint_to_int, bin_to_hex
@@ -660,14 +660,15 @@ def test_get_keys_dir(monkeypatch):
     assert get_keys_dir() == '/var/tmp'
 
 
-def test_get_nonces_dir(monkeypatch):
-    """test that get_nonces_dir respects environment"""
+def test_get_security_dir(monkeypatch):
+    """test that get_security_dir respects environment"""
     monkeypatch.delenv('XDG_CONFIG_HOME', raising=False)
-    assert get_nonces_dir() == os.path.join(os.path.expanduser('~'), '.config', 'borg', 'key-nonces')
+    assert get_security_dir() == os.path.join(os.path.expanduser('~'), '.config', 'borg', 'security')
+    assert get_security_dir(repository_id='1234') == os.path.join(os.path.expanduser('~'), '.config', 'borg', 'security', '1234')
     monkeypatch.setenv('XDG_CONFIG_HOME', '/var/tmp/.config')
-    assert get_nonces_dir() == os.path.join('/var/tmp/.config', 'borg', 'key-nonces')
-    monkeypatch.setenv('BORG_NONCES_DIR', '/var/tmp')
-    assert get_nonces_dir() == '/var/tmp'
+    assert get_security_dir() == os.path.join('/var/tmp/.config', 'borg', 'security')
+    monkeypatch.setenv('BORG_SECURITY_DIR', '/var/tmp')
+    assert get_security_dir() == '/var/tmp'
 
 
 def test_file_size():
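Review bot: test_get_security_dir never combines `repository_id` with the `BORG_SECURITY_DIR` override, and nothing asserts the owner-only mode that get_security_dir applies when it creates the directory. After the last assert I would add `assert get_security_dir(repository_id='1234') == os.path.join('/var/tmp', '1234')` and a check that `stat.S_IMODE(os.stat(path).st_mode) == stat.S_IRWXU` for the created subdirectory (this needs `stat` imported if the test module does not already have it). These calls create real directories under the home directory and `/var/tmp` of the machine running the tests, so pointing the environment variables at a pytest temporary directory would keep the test from touching a developer's real borg configuration.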

+ 2 - 2
src/borg/testsuite/key.py

@@ -10,7 +10,7 @@ from ..crypto import bytes_to_long, num_aes_blocks
 from ..helpers import Location
 from ..helpers import Chunk
 from ..helpers import IntegrityError
-from ..helpers import get_nonces_dir
+from ..helpers import get_security_dir
 from ..key import PlaintextKey, PassphraseKey, KeyfileKey, RepoKey, Blake2KeyfileKey, Blake2RepoKey, AuthenticatedKey
 from ..key import Passphrase, PasswordRetriesExceeded, bin_to_hex
 
@@ -118,7 +118,7 @@ class TestKey:
     def test_keyfile_nonce_rollback_protection(self, monkeypatch, keys_dir):
         monkeypatch.setenv('BORG_PASSPHRASE', 'test')
         repository = self.MockRepository()
-        with open(os.path.join(get_nonces_dir(), repository.id_str), "w") as fd:
+        with open(os.path.join(get_security_dir(repository.id_str), 'nonce'), "w") as fd:
             fd.write("0000000000002000")
         key = KeyfileKey.create(repository, self.MockArgs())
         data = key.encrypt(Chunk(b'ABC'))

+ 3 - 3
src/borg/testsuite/nonces.py

@@ -2,7 +2,7 @@ import os.path
 
 import pytest
 
-from ..helpers import get_nonces_dir
+from ..helpers import get_security_dir
 from ..key import bin_to_hex
 from ..nonces import NonceManager
 from ..remote import InvalidRPCMethod
@@ -61,11 +61,11 @@ class TestNonceManager:
         self.repository = None
 
     def cache_nonce(self):
-        with open(os.path.join(get_nonces_dir(), self.repository.id_str), "r") as fd:
+        with open(os.path.join(get_security_dir(self.repository.id_str), 'nonce'), "r") as fd:
             return fd.read()
 
     def set_cache_nonce(self, nonce):
-        with open(os.path.join(get_nonces_dir(), self.repository.id_str), "w") as fd:
+        with open(os.path.join(get_security_dir(self.repository.id_str), 'nonce'), "w") as fd:
             assert fd.write(nonce)
 
     def test_empty_cache_and_old_server(self, monkeypatch):