summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/leap/soledad/__init__.py36
-rw-r--r--src/leap/soledad/tests/test_encrypted.py32
2 files changed, 68 insertions, 0 deletions
diff --git a/src/leap/soledad/__init__.py b/src/leap/soledad/__init__.py
index 5fe49d0a..d883a8d0 100644
--- a/src/leap/soledad/__init__.py
+++ b/src/leap/soledad/__init__.py
@@ -66,6 +66,7 @@ class Soledad(object):
'shared_db_url': '',
}
+ # TODO: separate username from provider, currently in user_email.
def __init__(self, user_email, prefix=None, gnupg_home=None,
secret_path=None, local_db_path=None,
config_file=None, shared_db_url=None, auth_token=None,
@@ -447,5 +448,40 @@ class Soledad(object):
# TODO: create authentication scheme for sync with server.
return self._db.sync(url, creds=None, autocreate=True)
+ #-------------------------------------------------------------------------
+ # Recovery document export and import
+ #-------------------------------------------------------------------------
+
+ def export_recovery_document(self, passphrase):
+ """
+ Exports username, provider, private key and key for symmetric
+ encryption, optionally encrypted with a password.
+
+ The LEAP client gives the user the option to export a text file with a
+ complete copy of their private keys and authorization information,
+ either password protected or not. This "recovery document" can be
+ printed or saved electronically as the user sees fit. If the user
+ needs to recover their data, they can load this recover document into
+ any LEAP client. The user can also type the recovery document in
+ manually, although it will be long and very painful to copy manually.
+
+ Contents of recovery document:
+
+ - username
+ - provider
+ - private key.
+ - key for symmetric encryption
+ """
+ data = json.dumps([
+ self._user_email,
+ self._gpg.export_keys(self._fingerprint, secret=True),
+ self._secret
+ ])
+ if passphrase:
+ data = str(self._gpg.encrypt(data, None, sign=None,
+ passphrase=passphrase,
+ symmetric=True))
+ return data
+
__all__ = ['backends', 'util', 'server', 'shared_db']
diff --git a/src/leap/soledad/tests/test_encrypted.py b/src/leap/soledad/tests/test_encrypted.py
index 4a48266e..0a4eb9cc 100644
--- a/src/leap/soledad/tests/test_encrypted.py
+++ b/src/leap/soledad/tests/test_encrypted.py
@@ -37,3 +37,35 @@ class EncryptedSyncTestCase(BaseSoledadTest):
True,
self._soledad._gpg.is_encrypted_sym(enc_json),
"could not encrypt with passphrase.")
+
+ def test_export_recovery_document_raw(self):
+ rd = self._soledad.export_recovery_document(None)
+ self.assertEqual(
+ [
+ self._soledad._user_email,
+ self._soledad._gpg.export_keys(self._soledad._fingerprint,
+ secret=True),
+ self._soledad._secret
+ ],
+ json.loads(rd),
+ "Could not export raw recovery document."
+ )
+
+ def test_export_recovery_document_crypt(self):
+ rd = self._soledad.export_recovery_document('123456')
+ self.assertEqual(True,
+ self._soledad._gpg.is_encrypted_sym(rd))
+ data = [
+ self._soledad._user_email,
+ self._soledad._gpg.export_keys(self._soledad._fingerprint,
+ secret=True),
+ self._soledad._secret,
+ ]
+ raw_data = json.loads(str(self._soledad._gpg.decrypt(
+ rd,
+ passphrase='123456')))
+ self.assertEqual(
+ raw_data,
+ data,
+ "Could not export raw recovery document."
+ )