audit 2

ehsan6sha · ehsan6sha · commit 35c1d4322e47 · 2025-12-08T13:46:32.000-05:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -42,6 +42,8 @@ reqwest = { workspace = true, features = ["json", "multipart"] }
 axum = { workspace = true }
 base64 = { workspace = true }
 md-5 = { workspace = true }
+blake3 = { workspace = true }
+hex = { workspace = true }
 
 [[example]]
 name = "basic_usage"
diff --git a/README.md b/README.md
@@ -262,6 +262,44 @@ cargo run --example flat_namespace_demo
 - Export/backup secret keys securely
 - Lost keys = lost data (no recovery possible)
 
+### Privacy Notice
+
+⚠️ **Important**: For private data, always use the **Encrypted Client SDK** (`EncryptedClient`).
+
+Raw S3 tools (AWS CLI, boto3) do NOT encrypt data - they upload plaintext that gateway operators can see.
+
+**What's encrypted** (with EncryptedClient):
+- ✅ File content
+- ✅ File names (FlatNamespace mode)
+- ✅ Directory structure
+- ✅ User IDs (hashed)
+
+**What remains visible**:
+- ⚠️ Bucket names
+- ⚠️ Approximate file sizes
+- ⚠️ Request timestamps
+
+See [docs/PRIVACY.md](docs/PRIVACY.md) for full privacy policy.
+
+## Production Deployment
+
+For production Ubuntu deployments with security hardening:
+
+```bash
+# Download and run the installer
+curl -fsSL https://raw.githubusercontent.com/functionland/fula-api/main/install.sh | sudo bash
+```
+
+The installer will:
+- Install Docker and dependencies
+- Configure nginx with TLS (Let's Encrypt)
+- Set up rate limiting and fail2ban
+- Configure firewall (UFW)
+- Create systemd service
+- Optionally set up local IPFS node
+
+See [install.sh](install.sh) for details.
+
 ## License
 
 Licensed under either of:
diff --git a/crates/fula-cli/Cargo.toml b/crates/fula-cli/Cargo.toml
@@ -57,6 +57,7 @@ tracing-subscriber = { workspace = true }
 uuid = { workspace = true }
 base64 = { workspace = true }
 hex = { workspace = true }
+blake3 = { workspace = true }
 urlencoding = "2.1"
 url = "2.5"
 mime = "0.3"
diff --git a/crates/fula-cli/src/auth.rs b/crates/fula-cli/src/auth.rs
@@ -99,13 +99,11 @@ pub fn claims_to_session(claims: Claims) -> UserSession {
         .map(|s| s.to_string())
         .collect();
 
-    UserSession {
-        user_id: claims.sub,
-        display_name: claims.name,
-        scopes,
-        expires_at: DateTime::from_timestamp(claims.exp, 0)
-            .unwrap_or_else(|| Utc::now() + Duration::hours(1)),
-    }
+    let expires_at = DateTime::from_timestamp(claims.exp, 0)
+        .unwrap_or_else(|| Utc::now() + Duration::hours(1));
+
+    // Security audit fix A3: Use UserSession::new() to auto-hash user ID
+    UserSession::new(claims.sub, claims.name, scopes, expires_at)
 }
 
 /// Extract bearer token from Authorization header
@@ -129,12 +127,13 @@ pub fn anonymous_user_id() -> String {
 
 /// Create a development/test session
 pub fn dev_session() -> UserSession {
-    UserSession {
-        user_id: "dev-user".to_string(),
-        display_name: Some("Development User".to_string()),
-        scopes: vec!["storage:*".to_string()],
-        expires_at: Utc::now() + Duration::days(365),
-    }
+    // Security audit fix A3: Use UserSession::new() to auto-hash user ID
+    UserSession::new(
+        "dev-user".to_string(),
+        Some("Development User".to_string()),
+        vec!["storage:*".to_string()],
+        Utc::now() + Duration::days(365),
+    )
 }
 
 #[cfg(test)]
diff --git a/crates/fula-cli/src/handlers/bucket.rs b/crates/fula-cli/src/handlers/bucket.rs
@@ -22,8 +22,9 @@ pub async fn create_bucket(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));
     }
 
-    let owner = Owner::new(&session.user_id)
-        .with_display_name(session.display_name.unwrap_or_default());
+    // Security audit fix A3: Use hashed user ID for privacy
+    let owner = Owner::new(&session.hashed_user_id)
+        .with_display_name(session.display_name.clone().unwrap_or_default());
 
     state.bucket_manager.create_bucket(bucket.clone(), owner).await?;
 
@@ -44,11 +45,11 @@ pub async fn delete_bucket(
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));
     }
 
-    // Check ownership
+    // Check ownership (Security audit fix A3: compare hashed IDs)
     let metadata = state.bucket_manager.get_bucket_metadata(&bucket)
         .ok_or_else(|| ApiError::s3(S3ErrorCode::NoSuchBucket, "Bucket not found"))?;
     
-    if metadata.owner_id != session.user_id && !session.has_scope("admin") {
+    if !session.can_access_bucket(&metadata.owner_id) {
         return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Not bucket owner"));
     }
 
diff --git a/crates/fula-cli/src/handlers/multipart.rs b/crates/fula-cli/src/handlers/multipart.rs
@@ -57,10 +57,11 @@ pub async fn create_multipart_upload(
         }
     }
 
+    // Security audit fix A3: Use hashed user ID
     let upload = state.multipart_manager.create_upload_with_metadata(
         bucket.clone(),
         key.clone(),
-        session.user_id.clone(),
+        session.hashed_user_id.clone(),
         content_type,
         metadata,
     );
diff --git a/crates/fula-cli/src/handlers/object.rs b/crates/fula-cli/src/handlers/object.rs
@@ -378,9 +378,10 @@ pub async fn copy_object(
         ))?;
 
     // Copy to destination
+    // Security audit fix A3: Use hashed user ID
     let mut dest_metadata = source_metadata.clone();
     dest_metadata.last_modified = chrono::Utc::now();
-    dest_metadata.owner_id = Some(session.user_id.clone());
+    dest_metadata.owner_id = Some(session.hashed_user_id.clone());
 
     let mut dest_bucket_handle = state.bucket_manager.open_bucket(&dest_bucket).await?;
     
diff --git a/crates/fula-cli/src/handlers/service.rs b/crates/fula-cli/src/handlers/service.rs
@@ -18,15 +18,17 @@ pub async fn list_buckets(
     let buckets = state.bucket_manager.list_buckets();
     
     // Filter to buckets owned by this user (or show all for admin)
+    // Security audit fix A3: Compare using hashed user IDs
     let user_buckets: Vec<_> = buckets
         .into_iter()
-        .filter(|b| b.owner_id == session.user_id || session.has_scope("admin"))
+        .filter(|b| session.can_access_bucket(&b.owner_id))
         .map(|b| (b.name, b.created_at))
         .collect();
 
+    // Return hashed user ID in XML for privacy (Security audit fix A3)
     let xml_response = xml::list_all_my_buckets_result(
-        &session.user_id,
-        session.display_name.as_deref().unwrap_or(&session.user_id),
+        &session.hashed_user_id,
+        session.display_name.as_deref().unwrap_or("User"),
         &user_buckets,
     );
 
diff --git a/crates/fula-cli/src/state.rs b/crates/fula-cli/src/state.rs
@@ -2,6 +2,7 @@
 
 use crate::config::GatewayConfig;
 use crate::multipart::MultipartManager;
+use blake3::Hasher;
 use dashmap::DashMap;
 use fula_blockstore::{
     FlexibleBlockStore, IpfsPinningBlockStore, IpfsPinningConfig, MemoryBlockStore,
@@ -10,6 +11,17 @@ use fula_core::BucketManager;
 use std::sync::Arc;
 use tracing::{info, warn};
 
+/// Hash a user ID for privacy (Security audit fix A3)
+/// This prevents exposing raw user IDs (e.g., email addresses) in stored metadata
+pub fn hash_user_id(user_id: &str) -> String {
+    let mut hasher = Hasher::new();
+    hasher.update(b"fula:user_id:");  // Domain separation
+    hasher.update(user_id.as_bytes());
+    let hash = hasher.finalize();
+    // Use first 16 bytes (128 bits) encoded as hex for reasonable uniqueness
+    hex::encode(&hash.as_bytes()[..16])
+}
+
 /// Application state shared across handlers
 pub struct AppState {
     /// Gateway configuration
@@ -95,6 +107,8 @@ impl AppState {
 pub struct UserSession {
     /// User ID (from JWT sub claim)
     pub user_id: String,
+    /// Hashed user ID for storage (Security audit fix A3)
+    pub hashed_user_id: String,
     /// Display name
     pub display_name: Option<String>,
     /// Scopes
@@ -104,6 +118,18 @@ pub struct UserSession {
 }
 
 impl UserSession {
+    /// Create a new user session with automatic ID hashing
+    pub fn new(user_id: String, display_name: Option<String>, scopes: Vec<String>, expires_at: chrono::DateTime<chrono::Utc>) -> Self {
+        let hashed_user_id = hash_user_id(&user_id);
+        Self {
+            user_id,
+            hashed_user_id,
+            display_name,
+            scopes,
+            expires_at,
+        }
+    }
+
     /// Check if the session has expired
     pub fn is_expired(&self) -> bool {
         chrono::Utc::now() > self.expires_at
@@ -130,7 +156,8 @@ impl UserSession {
     }
 
     /// Check if user can access a bucket (owner or admin)
+    /// Security audit fix A3: Uses hashed user ID for comparison
     pub fn can_access_bucket(&self, bucket_owner_id: &str) -> bool {
-        self.user_id == bucket_owner_id || self.is_admin()
+        self.hashed_user_id == bucket_owner_id || self.is_admin()
     }
 }
diff --git a/docs/PRIVACY.md b/docs/PRIVACY.md
@@ -0,0 +1,105 @@
+# Privacy Policy & Data Protection
+
+## Overview
+
+Fula API is designed with privacy as a core principle. This document explains what data is encrypted, what remains visible, and potential privacy considerations.
+
+## What Is Encrypted
+
+When using the **Encrypted Client SDK** (recommended for private data):
+
+| Data Type | Encryption Status | Details |
+|-----------|------------------|---------|
+| **File Content** | ✅ Encrypted | AES-256-GCM or ChaCha20-Poly1305 with per-file DEKs |
+| **File Names** | ✅ Encrypted | Stored using cryptographic flat keys (no structure hints) |
+| **Directory Structure** | ✅ Hidden | FlatNamespace mode prevents structure inference |
+| **File Metadata** | ✅ Encrypted | Content-type, custom headers encrypted |
+| **DEKs (Data Encryption Keys)** | ✅ Encrypted | Wrapped with RFC 9180 HPKE using user's KEK |
+| **User IDs** | ✅ Hashed | BLAKE3 hashed before storage (audit fix A3) |
+
+## What Is NOT Encrypted
+
+The following metadata **remains visible** to gateway operators and storage nodes:
+
+| Data Type | Visibility | Reason |
+|-----------|-----------|--------|
+| **Bucket Names** | Visible | Required for S3 API compatibility |
+| **Object Sizes** | Approximate | Encrypted size visible (includes AEAD overhead) |
+| **Timestamps** | Visible | Created/modified times for S3 compliance |
+| **Request Patterns** | Visible | Upload/download timing and frequency |
+| **IP Addresses** | Visible | Network-level information |
+| **Data Volume** | Visible | Total storage used per bucket |
+
+## Privacy Recommendations
+
+### For Maximum Privacy
+
+1. **Use non-identifying bucket names**
+   - ❌ Bad: `john-doe-medical-records`
+   - ✅ Good: `b7f4a2e8-9c1d-4b3a-8f5e-1a2b3c4d5e6f`
+
+2. **Use the Encrypted Client SDK**
+   - Never upload sensitive data via raw S3 tools
+   - Always use `EncryptedClient` with FlatNamespace mode
+
+3. **Consider padding strategies**
+   - If file sizes could reveal information, pad files to standard sizes
+   - Example: Pad all files to nearest 1MB boundary
+
+4. **Randomize access patterns**
+   - If access timing is sensitive, add random delays
+   - Batch uploads/downloads when possible
+
+5. **Use dedicated buckets**
+   - Don't mix sensitive and non-sensitive data
+   - Use separate buckets for different data classifications
+
+## Threat Model
+
+### Protected Against
+
+- ✅ **Storage Node Operators** - Cannot decrypt file contents
+- ✅ **Gateway Operators** - Cannot read encrypted data (with encrypted client)
+- ✅ **Network Observers** - TLS protects data in transit
+- ✅ **Database Breaches** - All content encrypted client-side
+- ✅ **User ID Enumeration** - IDs are hashed before storage
+
+### NOT Protected Against
+
+- ⚠️ **Traffic Analysis** - Request patterns visible to gateway
+- ⚠️ **Metadata Correlation** - Bucket names and sizes may reveal information
+- ⚠️ **Timing Attacks** - Upload/download times observable
+- ⚠️ **Device Compromise** - Keys on compromised devices are vulnerable
+
+## Legal Considerations
+
+This software provides technical privacy protections. However:
+
+1. **No Warranty**: Privacy features are provided "as-is"
+2. **User Responsibility**: Users must evaluate if protections meet their requirements
+3. **Jurisdiction**: Privacy laws vary by location
+4. **Compliance**: Users are responsible for regulatory compliance (GDPR, HIPAA, etc.)
+
+## Data Retention
+
+- **Encrypted Content**: Stored on IPFS until explicitly deleted
+- **Metadata**: Retained in gateway database until bucket deletion
+- **Logs**: Configurable retention (default: no sensitive data logged)
+- **IPFS Note**: Due to IPFS content-addressing, data may persist on other nodes
+
+## Security Audit Status
+
+This implementation has been security audited. Key findings addressed:
+
+- ✅ User IDs hashed for privacy (Finding A3)
+- ✅ RFC 9180 HPKE for key wrapping (Finding #4)
+- ✅ AAD binding prevents ciphertext swapping (Finding #5)
+- ✅ No sensitive data in logs (Finding #2)
+
+## Contact
+
+For privacy concerns or security issues, please contact the project maintainers.
+
+---
+
+*Last Updated: December 2024*
diff --git a/docs/audit-report2.md b/docs/audit-report2.md
diff --git a/docs/audit-result2.md b/docs/audit-result2.md
diff --git a/install.sh b/install.sh
diff --git a/tests/security_audit_tests.rs b/tests/security_audit_tests.rs

Original file line number	Diff line number	Diff line change
`@@ -22,8 +22,9 @@ pub async fn create_bucket(`
`22`	`22`	`return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));`
`23`	`23`	`}`
`24`	`24`
`25`		`- let owner = Owner::new(&session.user_id)`
`26`		`- .with_display_name(session.display_name.unwrap_or_default());`
	`25`	`+ // Security audit fix A3: Use hashed user ID for privacy`
	`26`	`+ let owner = Owner::new(&session.hashed_user_id)`
	`27`	`+ .with_display_name(session.display_name.clone().unwrap_or_default());`
`27`	`28`
`28`	`29`	`state.bucket_manager.create_bucket(bucket.clone(), owner).await?;`
`29`	`30`
`@@ -44,11 +45,11 @@ pub async fn delete_bucket(`
`44`	`45`	`return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Write access required"));`
`45`	`46`	`}`
`46`	`47`
`47`		`- // Check ownership`
	`48`	`+ // Check ownership (Security audit fix A3: compare hashed IDs)`
`48`	`49`	`let metadata = state.bucket_manager.get_bucket_metadata(&bucket)`
`49`	`50`	`.ok_or_else(\|\| ApiError::s3(S3ErrorCode::NoSuchBucket, "Bucket not found"))?;`
`50`	`51`
`51`		`- if metadata.owner_id != session.user_id && !session.has_scope("admin") {`
	`52`	`+ if !session.can_access_bucket(&metadata.owner_id) {`
`52`	`53`	`return Err(ApiError::s3(S3ErrorCode::AccessDenied, "Not bucket owner"));`
`53`	`54`	`}`
`54`	`55`
Original file line number	Diff line number	Diff line change
`@@ -57,10 +57,11 @@ pub async fn create_multipart_upload(`
`57`	`57`	`}`
`58`	`58`	`}`
`59`	`59`
	`60`	`+ // Security audit fix A3: Use hashed user ID`
`60`	`61`	`let upload = state.multipart_manager.create_upload_with_metadata(`
`61`	`62`	`bucket.clone(),`
`62`	`63`	`key.clone(),`
`63`		`- session.user_id.clone(),`
	`64`	`+ session.hashed_user_id.clone(),`
`64`	`65`	`content_type,`
`65`	`66`	`metadata,`
`66`	`67`	`);`