Add context to logs for decryption failures (#11684)

* Add logging to decryption routines * Fix case of uknown encryption type * Add decryption context to log where failures occur * Update log message * Fix linting * Add more context logs * Add more fine grained logging * Update log message * Fix tests
2024-11-21 11:35:34 +01:00 · 2024-10-25 15:22:30 +02:00 · 2024-10-25 15:22:30 +02:00 · 122c3c7809
commit 122c3c7809
parent adabc59c03
7 changed files with 61 additions and 17 deletions
--- a/apps/browser/src/platform/services/local-backed-session-storage.service.spec.ts
+++ b/apps/browser/src/platform/services/local-backed-session-storage.service.spec.ts
@ -48,8 +48,12 @@ describe("LocalBackedSessionStorage", () => {
      localStorage.internalStore["session_test"] = encrypted.encryptedString;
      encryptService.decryptToUtf8.mockResolvedValue(JSON.stringify("decrypted"));
      const result = await sut.get("test");
-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encrypted, sessionKey);
-      expect(result).toEqual("decrypted");
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
+        encrypted,
+        sessionKey,
+        "browser-session-key",
+      ),
+        expect(result).toEqual("decrypted");
    });

    it("caches the decrypted value when one is stored in local storage", async () => {
@ -65,8 +69,12 @@ describe("LocalBackedSessionStorage", () => {
      localStorage.internalStore["session_test"] = encrypted.encryptedString;
      encryptService.decryptToUtf8.mockResolvedValue(JSON.stringify("decrypted"));
      const result = await sut.get("test");
-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encrypted, sessionKey);
-      expect(result).toEqual("decrypted");
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
+        encrypted,
+        sessionKey,
+        "browser-session-key",
+      ),
+        expect(result).toEqual("decrypted");
    });

    it("caches the decrypted value when one is stored in local storage", async () => {
--- a/apps/browser/src/platform/services/local-backed-session-storage.service.ts
+++ b/apps/browser/src/platform/services/local-backed-session-storage.service.ts
@ -117,7 +117,11 @@ export class LocalBackedSessionStorageService
      return null;
    }

-    const valueJson = await this.encryptService.decryptToUtf8(new EncString(local), encKey);
+    const valueJson = await this.encryptService.decryptToUtf8(
+      new EncString(local),
+      encKey,
+      "browser-session-key",
+    );
    if (valueJson == null) {
      // error with decryption, value is lost, delete state and start over
      await this.localStorage.remove(this.sessionStorageKey(key));
--- a/apps/cli/src/commands/get.command.ts
+++ b/apps/cli/src/commands/get.command.ts
@ -455,6 +455,7 @@ export class GetCommand extends DownloadCommand {
      decCollection.name = await this.encryptService.decryptToUtf8(
        new EncString(response.name),
        orgKey,
+        `orgkey-${options.organizationId}`,
      );
      const groups =
        response.groups == null
--- a/libs/common/src/platform/abstractions/encrypt.service.ts
+++ b/libs/common/src/platform/abstractions/encrypt.service.ts
@ -8,7 +8,11 @@ import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
 export abstract class EncryptService {
  abstract encrypt(plainValue: string | Uint8Array, key: SymmetricCryptoKey): Promise<EncString>;
  abstract encryptToBytes(plainValue: Uint8Array, key: SymmetricCryptoKey): Promise<EncArrayBuffer>;
-  abstract decryptToUtf8(encString: EncString, key: SymmetricCryptoKey): Promise<string>;
+  abstract decryptToUtf8(
+    encString: EncString,
+    key: SymmetricCryptoKey,
+    decryptContext?: string,
+  ): Promise<string>;
  abstract decryptToBytes(encThing: Encrypted, key: SymmetricCryptoKey): Promise<Uint8Array>;
  abstract rsaEncrypt(data: Uint8Array, publicKey: Uint8Array): Promise<EncString>;
  abstract rsaDecrypt(data: EncString, privateKey: Uint8Array): Promise<Uint8Array>;
--- a/libs/common/src/platform/models/domain/enc-string.spec.ts
+++ b/libs/common/src/platform/models/domain/enc-string.spec.ts
@ -149,7 +149,7 @@ describe("EncString", () => {
      const key = new SymmetricCryptoKey(makeStaticByteArray(32));
      await encString.decryptWithKey(key, encryptService);

-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key);
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key, "domain-withkey");
    });

    it("fails to decrypt when key is null", async () => {
@ -351,7 +351,7 @@ describe("EncString", () => {
      await encString.decrypt(null, key);

      expect(keyService.getUserKeyWithLegacySupport).not.toHaveBeenCalled();
-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key);
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key, "provided-key");
    });

    it("gets an organization key if required", async () => {
@ -362,7 +362,11 @@ describe("EncString", () => {
      await encString.decrypt("orgId", null);

      expect(keyService.getOrgKey).toHaveBeenCalledWith("orgId");
-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, orgKey);
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
+        encString,
+        orgKey,
+        "domain-orgkey-orgId",
+      );
    });

    it("gets the user's decryption key if required", async () => {
@ -373,7 +377,11 @@ describe("EncString", () => {
      await encString.decrypt(null, null);

      expect(keyService.getUserKeyWithLegacySupport).toHaveBeenCalledWith();
-      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, userKey);
+      expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(
+        encString,
+        userKey,
+        "domain-withlegacysupport-masterkey",
+      );
    });
  });

--- a/libs/common/src/platform/models/domain/enc-string.ts
+++ b/libs/common/src/platform/models/domain/enc-string.ts
@ -159,16 +159,27 @@ export class EncString implements Encrypted {
      return this.decryptedValue;
    }

+    let keyContext = "provided-key";
    try {
      if (key == null) {
        key = await this.getKeyForDecryption(orgId);
+        keyContext = orgId == null ? `domain-orgkey-${orgId}` : "domain-userkey|masterkey";
+        if (orgId != null) {
+          keyContext = `domain-orgkey-${orgId}`;
+        } else {
+          const cryptoService = Utils.getContainerService().getKeyService();
+          keyContext =
+            (await cryptoService.getUserKey()) == null
+              ? "domain-withlegacysupport-masterkey"
+              : "domain-withlegacysupport-userkey";
+        }
      }
      if (key == null) {
        throw new Error("No key to decrypt EncString with orgId " + orgId);
      }

      const encryptService = Utils.getContainerService().getEncryptService();
-      this.decryptedValue = await encryptService.decryptToUtf8(this, key);
+      this.decryptedValue = await encryptService.decryptToUtf8(this, key, keyContext);
    } catch (e) {
      this.decryptedValue = DECRYPT_ERROR;
    }
@ -181,7 +192,7 @@ export class EncString implements Encrypted {
        throw new Error("No key to decrypt EncString");
      }

-      this.decryptedValue = await encryptService.decryptToUtf8(this, key);
+      this.decryptedValue = await encryptService.decryptToUtf8(this, key, "domain-withkey");
    } catch (e) {
      this.decryptedValue = DECRYPT_ERROR;
    }
--- a/libs/common/src/platform/services/cryptography/encrypt.service.implementation.ts
+++ b/libs/common/src/platform/services/cryptography/encrypt.service.implementation.ts
@ -63,7 +63,11 @@ export class EncryptServiceImplementation implements EncryptService {
    return new EncArrayBuffer(encBytes);
  }

-  async decryptToUtf8(encString: EncString, key: SymmetricCryptoKey): Promise<string> {
+  async decryptToUtf8(
+    encString: EncString,
+    key: SymmetricCryptoKey,
+    decryptContext: string = "no context",
+  ): Promise<string> {
    if (key == null) {
      throw new Error("No key provided for decryption.");
    }
@ -75,8 +79,9 @@ export class EncryptServiceImplementation implements EncryptService {
      this.logService.error(
        "[Encrypt service] Key has mac key but payload is missing mac bytes. Key type " +
          encryptionTypeName(key.encType) +
-          " Payload type " +
+          "Payload type " +
          encryptionTypeName(encString.encryptionType),
+        "Decrypt context: " + decryptContext,
      );
      return null;
    }
@ -85,8 +90,9 @@ export class EncryptServiceImplementation implements EncryptService {
      this.logService.error(
        "[Encrypt service] Key encryption type does not match payload encryption type. Key type " +
          encryptionTypeName(key.encType) +
-          " Payload type " +
+          "Payload type " +
          encryptionTypeName(encString.encryptionType),
+        "Decrypt context: " + decryptContext,
      );
      return null;
    }
@ -108,8 +114,10 @@ export class EncryptServiceImplementation implements EncryptService {
        this.logMacFailed(
          "[Encrypt service] MAC comparison failed. Key or payload has changed. Key type " +
            encryptionTypeName(key.encType) +
-            " Payload type " +
-            encryptionTypeName(encString.encryptionType),
+            "Payload type " +
+            encryptionTypeName(encString.encryptionType) +
+            " Decrypt context: " +
+            decryptContext,
        );
        return null;
      }