improve fault tolerance of dataprotection

src/fiskaltrust.Launcher.Common/Configuration/Configuration.cs

@@ -270,20 +270,20 @@ internal void SetAlternateNames(string text)
                 }
             }
         }
-
-        private void MapFieldsWithAttribute<T>(Func<object?, object?> action)
+        private void MapFieldsWithAttribute<T>(Func<object?, string, object?> action)
         {
             var errors = new List<Exception>();
 
             foreach (var field in GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance))
             {
                 var value = field.GetValue(this);
+                var name = field.Name;
 
-                if (field.GetCustomAttributes(typeof(T)).Any())
+                if (field.GetCustomAttributes(typeof(T), false).Any())
                 {
                     try
                     {
-                        field.SetValue(this, action(value));
+                        field.SetValue(this, action(value, name));
                     }
                     catch (Exception e)
                     {
@@ -297,24 +297,37 @@ private void MapFieldsWithAttribute<T>(Func<object?, object?> action)
                 throw new AggregateException(errors);
             }
         }
-
         public void Encrypt(IDataProtector dataProtector)
         {
-            MapFieldsWithAttribute<EncryptAttribute>(value =>
+            MapFieldsWithAttribute<EncryptAttribute>((value, name) =>
             {
-                if (value is null) { return null; }
+                if (value is null) return null;
 
-                return dataProtector.Protect((string)value);
+                try
+                {
+                    return dataProtector.Protect((string)value);
+                }
+                catch (Exception e)
+                {
+                    Log.Warning($"Failed to encrypt value of configuration field {name}. Consider using the 'config set' command to set the field's value.", name);
+                    return null;
+                }
             });
         }
-
         public void Decrypt(IDataProtector dataProtector)
         {
-            MapFieldsWithAttribute<EncryptAttribute>((value) =>
+            MapFieldsWithAttribute<EncryptAttribute>((value, name) =>
             {
-                if (value is null) { return null; }
-
-                return dataProtector.Unprotect((string)value);
+                try
+                {
+                    if (value is null) return null;
+                    return dataProtector.Unprotect((string)value);
+                }
+                catch (Exception e)
+                {
+                    Log.Warning("Failed to decrypt value of configuration field {name}. Consider using the 'config set' command to set the fields value.", name);
+                    return null;
+                }
             });
         }
 
@@ -328,7 +341,6 @@ public void Decrypt(IDataProtector dataProtector)
             return null;
         }
     }
-
     public record LauncherConfigurationInCashBoxConfiguration
     {
         [JsonPropertyName("launcher")]
@@ -349,4 +361,4 @@ public record LauncherConfigurationInCashBoxConfiguration
             return configuration;
         }
     }
-}
+}

src/fiskaltrust.Launcher/Commands/Common.cs

@@ -1,5 +1,6 @@
 using System.CommandLine;
 using System.CommandLine.Invocation;
+using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 using System.Text.Json;
 using fiskaltrust.Launcher.Common.Configuration;
@@ -10,6 +11,7 @@
 using fiskaltrust.Launcher.Extensions;
 using fiskaltrust.Launcher.Helpers;
 using fiskaltrust.Launcher.Logging;
+using fiskaltrust.Launcher.ServiceInstallation;
 using fiskaltrust.storage.serialization.V0;
 using Microsoft.AspNetCore.DataProtection;
 using Serilog;
@@ -82,6 +84,7 @@ public static async Task<int> HandleAsync<O, S>(
             IHost host,
             Func<CommonOptions, CommonProperties, O, S, Task<int>> handler) where S : notnull
         {
+            // Log messages will be save here and logged later when we have the configuration options to create the logger.
             var collectionSink = new CollectionSink();
             Log.Logger = new LoggerConfiguration()
                 .WriteTo.Sink(collectionSink)
@@ -131,6 +134,7 @@ public static async Task<int> HandleAsync<O, S>(
 
             Log.Verbose("Merging launcher cli args.");
             launcherConfiguration.OverwriteWith(options.ArgsLauncherConfiguration);
+            await EnsureServiceDirectoryExists(launcherConfiguration);
 
             if (!launcherConfiguration.UseOffline!.Value && (launcherConfiguration.CashboxId is null || launcherConfiguration.AccessToken is null))
             {
@@ -153,7 +157,7 @@ public static async Task<int> HandleAsync<O, S>(
             ECDiffieHellman? clientEcdh = null;
             try
             {
-                clientEcdh = await LoadCurve(launcherConfiguration.CashboxId!.Value, launcherConfiguration.AccessToken!, launcherConfiguration.ServiceFolder!, launcherConfiguration.UseOffline!.Value);
+                clientEcdh = await LoadCurve(launcherConfiguration.CashboxId!.Value, launcherConfiguration.AccessToken!, launcherConfiguration.ServiceFolder!, launcherConfiguration.UseOffline!.Value,  useFallback: launcherConfiguration.UseLegacyDataProtection!.Value);
                 using var downloader = new ConfigurationDownloader(launcherConfiguration);
                 var exists = await downloader.DownloadConfigurationAsync(clientEcdh);
                 if (launcherConfiguration.UseOffline!.Value && !exists)
@@ -180,6 +184,7 @@ public static async Task<int> HandleAsync<O, S>(
             }
             catch (Exception e)
             {
+                // will exit with non-zero exit code later.
                 Log.Fatal(e, "Could not read Cashbox configuration file.");
             }
 
@@ -191,9 +196,11 @@ public static async Task<int> HandleAsync<O, S>(
             }
             catch (Exception e)
             {
+                // will exit with non-zero exit code later.
                 Log.Fatal(e, "Could not parse Cashbox configuration.");
             }
 
+            // Previous log messages will be logged here using this logger.
             Log.Logger = new LoggerConfiguration()
                 .AddLoggingConfiguration(launcherConfiguration)
                 .AddFileLoggingConfiguration(launcherConfiguration, new[] { "fiskaltrust.Launcher", launcherConfiguration.CashboxId?.ToString() })
@@ -205,6 +212,9 @@ public static async Task<int> HandleAsync<O, S>(
                 Log.Write(logEvent);
             }
 
+            // If any critical errors occured, we exit with a non-zero exit code.
+            // In many cases we don't want to immediately exit the application,
+            // but we want to log the error and continue and see what else is going on before we exit.
             if (collectionSink.Events.Where(e => e.Level == LogEventLevel.Fatal).Any())
             {
                 return 1;
@@ -229,6 +239,50 @@ public static async Task<int> HandleAsync<O, S>(
             return await handler(options, new CommonProperties(launcherConfiguration, cashboxConfiguration, clientEcdh, dataProtectionProvider), specificOptions, host.Services.GetRequiredService<S>());
         }
 
+        private static async Task EnsureServiceDirectoryExists(LauncherConfiguration config)
+        {
+            var serviceDirectory = config.ServiceFolder;
+            try
+            {
+                if (!Directory.Exists(serviceDirectory))
+                {
+                    Directory.CreateDirectory(serviceDirectory);
+
+                    if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux) || RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+                    {
+                        var user = Environment.GetEnvironmentVariable("USER");
+                        if (!string.IsNullOrEmpty(user))
+                        {
+                            var chownResult = await ProcessHelper.RunProcess("chown", new[] { user, serviceDirectory }, LogEventLevel.Debug);
+                            if (chownResult.exitCode != 0)
+                            {
+                                Log.Warning("Failed to change owner of the service directory.");
+                            }
+
+                            var chmodResult = await ProcessHelper.RunProcess("chmod", new[] { "774", serviceDirectory }, LogEventLevel.Debug);
+                            if (chmodResult.exitCode != 0)
+                            {
+                                Log.Warning("Failed to change permissions of the service directory.");
+                            }
+                        }
+                        else
+                        {
+                            Log.Warning("Service user name is not set. Owner of the service directory will not be changed.");
+                        }
+                    }
+                    else
+                    {
+                        Log.Debug("Changing owner and permissions is skipped on non-Unix operating systems.");
+                    }
+                }
+            }
+            catch (UnauthorizedAccessException e)
+            {
+                // will exit with non-zero exit code later.
+                Log.Fatal(e, "Access to the path '{ServiceDirectory}' is denied. Please run the application with sufficient permissions.", serviceDirectory);
+            }
+        }
+
         public static async Task<ECDiffieHellman> LoadCurve(Guid cashboxId, string accessToken, string serviceFolder, bool useOffline = false, bool dryRun = false, bool useFallback = false)
         {
             Log.Verbose("Loading Curve.");
@@ -237,34 +291,38 @@ public static async Task<ECDiffieHellman> LoadCurve(Guid cashboxId, string acces
 
             if (File.Exists(clientEcdhPath))
             {
-                return ECDiffieHellmanExt.Deserialize(dataProtector.Unprotect(await File.ReadAllTextAsync(clientEcdhPath)));
-            }
-            else
-            {
-                const string offlineClientEcdhPath = "/client.ecdh";
-                ECDiffieHellman clientEcdh;
-
-                if (!dryRun && useOffline && File.Exists(offlineClientEcdhPath))
+                try
                 {
-                    clientEcdh = ECDiffieHellmanExt.Deserialize(await File.ReadAllTextAsync(offlineClientEcdhPath));
-                    try
-                    {
-                        File.Delete(offlineClientEcdhPath);
-                    }
-                    catch { }
+                    return ECDiffieHellmanExt.Deserialize(dataProtector.Unprotect(await File.ReadAllTextAsync(clientEcdhPath)));
                 }
-                else
+                catch (Exception e)
                 {
-                    clientEcdh = CashboxConfigEncryption.CreateCurve();
+                    Log.Warning($"Error loading or decrypting ECDH curve: {e.Message}. Regenerating new curve.");
                 }
+            }
 
-                if (!dryRun)
+            // Handling offline client ECDH path
+            const string offlineClientEcdhPath = "/client.ecdh";
+            if (!dryRun && useOffline && File.Exists(offlineClientEcdhPath))
+            {
+                var clientEcdh = ECDiffieHellmanExt.Deserialize(await File.ReadAllTextAsync(offlineClientEcdhPath));
+                try
                 {
-                    await File.WriteAllTextAsync(clientEcdhPath, dataProtector.Protect(clientEcdh.Serialize()));
+                    File.Delete(offlineClientEcdhPath);
                 }
+                catch { }
 
                 return clientEcdh;
             }
+
+            // Regenerating the curve if it's not loaded or in case of an error
+            var newClientEcdh = CashboxConfigEncryption.CreateCurve();
+            if (!dryRun)
+            {
+                await File.WriteAllTextAsync(clientEcdhPath, dataProtector.Protect(newClientEcdh.Serialize()));
+            }
+
+            return newClientEcdh;
         }
     }
 }

src/fiskaltrust.Launcher/Commands/DoctorCommand.cs

@@ -90,7 +90,9 @@ public static async Task<int> HandleAsync(CommonOptions commonOptions, CommonPro
                 ftCashBoxConfiguration cashboxConfiguration = new();
 
                 if (clientEcdh is null)
-                { }
+                {
+                    Log.Warning("Failed to load ECDH curve. Skipping some related doctor checks.");
+                }
                 else
                 {
                     using var downloader = new ConfigurationDownloader(launcherConfiguration);