com/android/server/backup/encryption/transport/IntermediateEncryptingTransport.java - platform/prebuilts/fullsdk/sources/android-30 - Git at Google

 /*
  * Copyright (C) 2019 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package com.android.server.backup.encryption.transport;

 import static com.android.server.backup.encryption.BackupEncryptionService.TAG;

 import android.app.backup.BackupTransport;
 import android.app.backup.RestoreDescription;
 import android.content.Context;
 import android.content.pm.PackageInfo;
 import android.os.ParcelFileDescriptor;
 import android.os.RemoteException;
 import android.util.Log;

 import com.android.internal.annotations.VisibleForTesting;
 import com.android.internal.backup.IBackupTransport;
 import com.android.server.backup.encryption.KeyValueEncrypter;
 import com.android.server.backup.transport.DelegatingTransport;
 import com.android.server.backup.transport.TransportClient;

 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.util.concurrent.atomic.AtomicReference;

 /**
  * This is an implementation of {@link IBackupTransport} that encrypts (or decrypts) the data when
  * sending it (or receiving it) from the {@link IBackupTransport} returned by {@link
  * TransportClient.connect(String)}.
  */
 public class IntermediateEncryptingTransport extends DelegatingTransport {
     private static final String BACKUP_TEMP_DIR = "backup";
     private static final String RESTORE_TEMP_DIR = "restore";

     private final TransportClient mTransportClient;
     private final Object mConnectLock = new Object();
     private final Context mContext;
     private volatile IBackupTransport mRealTransport;
     private AtomicReference<String> mNextRestorePackage = new AtomicReference<>();
     private final KeyValueEncrypter mKeyValueEncrypter;
     private final boolean mShouldEncrypt;

     IntermediateEncryptingTransport(
             TransportClient transportClient, Context context, boolean shouldEncrypt) {
         this(transportClient, context, new KeyValueEncrypter(context), shouldEncrypt);
     }

     @VisibleForTesting
     IntermediateEncryptingTransport(
             TransportClient transportClient, Context context, KeyValueEncrypter keyValueEncrypter,
             boolean shouldEncrypt) {
         mTransportClient = transportClient;
         mContext = context;
         mKeyValueEncrypter = keyValueEncrypter;
         mShouldEncrypt = shouldEncrypt;
     }

     @Override
     protected IBackupTransport getDelegate() throws RemoteException {
         if (mRealTransport == null) {
             connect();
         }
         Log.d(TAG, "real transport = " + mRealTransport.name());
         return mRealTransport;
     }

     @Override
     public int performBackup(PackageInfo packageInfo, ParcelFileDescriptor inFd, int flags)
             throws RemoteException {
         if (!mShouldEncrypt) {
             return super.performBackup(packageInfo, inFd, flags);
         }

         File encryptedStorageFile = getBackupTempStorage(packageInfo.packageName);
         if (encryptedStorageFile == null) {
             return BackupTransport.TRANSPORT_ERROR;
         }

         // Encrypt the backup data and write it into a temp file.
         try (OutputStream encryptedOutput = new FileOutputStream(encryptedStorageFile)) {
             mKeyValueEncrypter.encryptKeyValueData(packageInfo.packageName, inFd,
                     encryptedOutput);
         } catch (Throwable e) {
             Log.e(TAG, "Failed to encrypt backup data: ", e);
             return BackupTransport.TRANSPORT_ERROR;
         }

         // Pass the temp file to the real transport for backup.
         try (FileInputStream encryptedInput = new FileInputStream(encryptedStorageFile)) {
             return super.performBackup(
                     packageInfo, ParcelFileDescriptor.dup(encryptedInput.getFD()), flags);
         } catch (IOException e) {
             Log.e(TAG, "Failed to read encrypted data from temp storage: ", e);
             return BackupTransport.TRANSPORT_ERROR;
         }
     }

     @Override
     public int getRestoreData(ParcelFileDescriptor outFd) throws RemoteException {
         if (!mShouldEncrypt) {
             return super.getRestoreData(outFd);
         }

         String nextRestorePackage = mNextRestorePackage.get();
         if (nextRestorePackage == null) {
             Log.e(TAG, "No next restore package set");
             return BackupTransport.TRANSPORT_ERROR;
         }

         File encryptedStorageFile = getRestoreTempStorage(nextRestorePackage);
         if (encryptedStorageFile == null) {
             return BackupTransport.TRANSPORT_ERROR;
         }

         // Get encrypted restore data from the real transport and write it into a temp file.
         try (FileOutputStream outputStream = new FileOutputStream(encryptedStorageFile)) {
             int status = super.getRestoreData(ParcelFileDescriptor.dup(outputStream.getFD()));
             if (status != BackupTransport.TRANSPORT_OK) {
                 Log.e(TAG, "Failed to read restore data from transport, status = " + status);
                 return status;
             }
         } catch (IOException e) {
             Log.e(TAG, "Failed to write encrypted data to temp storage: ", e);
             return BackupTransport.TRANSPORT_ERROR;
         }

         // Decrypt the data and write it into the fd given by the real transport.
         try (InputStream inputStream = new FileInputStream(encryptedStorageFile)) {
             mKeyValueEncrypter.decryptKeyValueData(nextRestorePackage, inputStream, outFd);
             encryptedStorageFile.delete();
         } catch (Exception e) {
             Log.e(TAG, "Failed to decrypt restored data: ", e);
             return BackupTransport.TRANSPORT_ERROR;
         }

         return BackupTransport.TRANSPORT_OK;
     }

     @Override
     public RestoreDescription nextRestorePackage() throws RemoteException {
         if (!mShouldEncrypt) {
             return super.nextRestorePackage();
         }

         RestoreDescription restoreDescription = super.nextRestorePackage();
         mNextRestorePackage.set(restoreDescription.getPackageName());

         return restoreDescription;
     }

     @VisibleForTesting
     protected File getBackupTempStorage(String packageName) {
         return getTempStorage(packageName, BACKUP_TEMP_DIR);
     }

     @VisibleForTesting
     protected File getRestoreTempStorage(String packageName) {
         return getTempStorage(packageName, RESTORE_TEMP_DIR);
     }

     private File getTempStorage(String packageName, String operationType) {
         File encryptedDir = new File(mContext.getFilesDir(), operationType);
         encryptedDir.mkdir();
         File encryptedFile = new File(encryptedDir, packageName);
         try {
             encryptedFile.createNewFile();
         } catch (IOException e) {
             Log.e(TAG, "Failed to create temp file for encrypted data: ", e);
         }
         return encryptedFile;
     }

     private void connect() throws RemoteException {
         Log.i(TAG, "connecting " + mTransportClient);
         synchronized (mConnectLock) {
             if (mRealTransport == null) {
                 mRealTransport = mTransportClient.connect("IntermediateEncryptingTransport");
                 if (mRealTransport == null) {
                     throw new RemoteException("Could not connect: " + mTransportClient);
                 }
             }
         }
     }

     @VisibleForTesting
     TransportClient getClient() {
         return mTransportClient;
     }

     @VisibleForTesting
     void setNextRestorePackage(String nextRestorePackage) {
         mNextRestorePackage.set(nextRestorePackage);
     }
 }
	/*
	* Copyright (C) 2019 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package com.android.server.backup.encryption.transport;

	import static com.android.server.backup.encryption.BackupEncryptionService.TAG;

	import android.app.backup.BackupTransport;
	import android.app.backup.RestoreDescription;
	import android.content.Context;
	import android.content.pm.PackageInfo;
	import android.os.ParcelFileDescriptor;
	import android.os.RemoteException;
	import android.util.Log;

	import com.android.internal.annotations.VisibleForTesting;
	import com.android.internal.backup.IBackupTransport;
	import com.android.server.backup.encryption.KeyValueEncrypter;
	import com.android.server.backup.transport.DelegatingTransport;
	import com.android.server.backup.transport.TransportClient;

	import java.io.File;
	import java.io.FileInputStream;
	import java.io.FileOutputStream;
	import java.io.IOException;
	import java.io.InputStream;
	import java.io.OutputStream;
	import java.util.concurrent.atomic.AtomicReference;

	/**
	* This is an implementation of {@link IBackupTransport} that encrypts (or decrypts) the data when
	* sending it (or receiving it) from the {@link IBackupTransport} returned by {@link
	* TransportClient.connect(String)}.
	*/
	public class IntermediateEncryptingTransport extends DelegatingTransport {
	private static final String BACKUP_TEMP_DIR = "backup";
	private static final String RESTORE_TEMP_DIR = "restore";

	private final TransportClient mTransportClient;
	private final Object mConnectLock = new Object();
	private final Context mContext;
	private volatile IBackupTransport mRealTransport;
	private AtomicReference<String> mNextRestorePackage = new AtomicReference<>();
	private final KeyValueEncrypter mKeyValueEncrypter;
	private final boolean mShouldEncrypt;

	IntermediateEncryptingTransport(
	TransportClient transportClient, Context context, boolean shouldEncrypt) {
	this(transportClient, context, new KeyValueEncrypter(context), shouldEncrypt);
	}

	@VisibleForTesting
	IntermediateEncryptingTransport(
	TransportClient transportClient, Context context, KeyValueEncrypter keyValueEncrypter,
	boolean shouldEncrypt) {
	mTransportClient = transportClient;
	mContext = context;
	mKeyValueEncrypter = keyValueEncrypter;
	mShouldEncrypt = shouldEncrypt;
	}

	@Override
	protected IBackupTransport getDelegate() throws RemoteException {
	if (mRealTransport == null) {
	connect();
	}
	Log.d(TAG, "real transport = " + mRealTransport.name());
	return mRealTransport;
	}

	@Override
	public int performBackup(PackageInfo packageInfo, ParcelFileDescriptor inFd, int flags)
	throws RemoteException {
	if (!mShouldEncrypt) {
	return super.performBackup(packageInfo, inFd, flags);
	}

	File encryptedStorageFile = getBackupTempStorage(packageInfo.packageName);
	if (encryptedStorageFile == null) {
	return BackupTransport.TRANSPORT_ERROR;
	}

	// Encrypt the backup data and write it into a temp file.
	try (OutputStream encryptedOutput = new FileOutputStream(encryptedStorageFile)) {
	mKeyValueEncrypter.encryptKeyValueData(packageInfo.packageName, inFd,
	encryptedOutput);
	} catch (Throwable e) {
	Log.e(TAG, "Failed to encrypt backup data: ", e);
	return BackupTransport.TRANSPORT_ERROR;
	}

	// Pass the temp file to the real transport for backup.
	try (FileInputStream encryptedInput = new FileInputStream(encryptedStorageFile)) {
	return super.performBackup(
	packageInfo, ParcelFileDescriptor.dup(encryptedInput.getFD()), flags);
	} catch (IOException e) {
	Log.e(TAG, "Failed to read encrypted data from temp storage: ", e);
	return BackupTransport.TRANSPORT_ERROR;
	}
	}

	@Override
	public int getRestoreData(ParcelFileDescriptor outFd) throws RemoteException {
	if (!mShouldEncrypt) {
	return super.getRestoreData(outFd);
	}

	String nextRestorePackage = mNextRestorePackage.get();
	if (nextRestorePackage == null) {
	Log.e(TAG, "No next restore package set");
	return BackupTransport.TRANSPORT_ERROR;
	}

	File encryptedStorageFile = getRestoreTempStorage(nextRestorePackage);
	if (encryptedStorageFile == null) {
	return BackupTransport.TRANSPORT_ERROR;
	}

	// Get encrypted restore data from the real transport and write it into a temp file.
	try (FileOutputStream outputStream = new FileOutputStream(encryptedStorageFile)) {
	int status = super.getRestoreData(ParcelFileDescriptor.dup(outputStream.getFD()));
	if (status != BackupTransport.TRANSPORT_OK) {
	Log.e(TAG, "Failed to read restore data from transport, status = " + status);
	return status;
	}
	} catch (IOException e) {
	Log.e(TAG, "Failed to write encrypted data to temp storage: ", e);
	return BackupTransport.TRANSPORT_ERROR;
	}

	// Decrypt the data and write it into the fd given by the real transport.
	try (InputStream inputStream = new FileInputStream(encryptedStorageFile)) {
	mKeyValueEncrypter.decryptKeyValueData(nextRestorePackage, inputStream, outFd);
	encryptedStorageFile.delete();
	} catch (Exception e) {
	Log.e(TAG, "Failed to decrypt restored data: ", e);
	return BackupTransport.TRANSPORT_ERROR;
	}

	return BackupTransport.TRANSPORT_OK;
	}

	@Override
	public RestoreDescription nextRestorePackage() throws RemoteException {
	if (!mShouldEncrypt) {
	return super.nextRestorePackage();
	}

	RestoreDescription restoreDescription = super.nextRestorePackage();
	mNextRestorePackage.set(restoreDescription.getPackageName());

	return restoreDescription;
	}

	@VisibleForTesting
	protected File getBackupTempStorage(String packageName) {
	return getTempStorage(packageName, BACKUP_TEMP_DIR);
	}

	@VisibleForTesting
	protected File getRestoreTempStorage(String packageName) {
	return getTempStorage(packageName, RESTORE_TEMP_DIR);
	}

	private File getTempStorage(String packageName, String operationType) {
	File encryptedDir = new File(mContext.getFilesDir(), operationType);
	encryptedDir.mkdir();
	File encryptedFile = new File(encryptedDir, packageName);
	try {
	encryptedFile.createNewFile();
	} catch (IOException e) {
	Log.e(TAG, "Failed to create temp file for encrypted data: ", e);
	}
	return encryptedFile;
	}

	private void connect() throws RemoteException {
	Log.i(TAG, "connecting " + mTransportClient);
	synchronized (mConnectLock) {
	if (mRealTransport == null) {
	mRealTransport = mTransportClient.connect("IntermediateEncryptingTransport");
	if (mRealTransport == null) {
	throw new RemoteException("Could not connect: " + mTransportClient);
	}
	}
	}
	}

	@VisibleForTesting
	TransportClient getClient() {
	return mTransportClient;
	}

	@VisibleForTesting
	void setNextRestorePackage(String nextRestorePackage) {
	mNextRestorePackage.set(nextRestorePackage);
	}
	}