From 3a9dead640a12d7db70d1fb9fe582e3ba2cfd7d6 Mon Sep 17 00:00:00 2001 From: Matt Gibson Date: Mon, 29 Jan 2024 16:53:01 -0500 Subject: [PATCH] [PM-5533] migrate provider keys (#7649) * Provide RSA encryption in encrypt service * Define state for provider keys * Require cryptoService This is temporary until cryptoService has an observable active user private key. We don't want promise-based values in derive functions * Update crypto service provider keys to observables * Remove provider keys from state service * Migrate provider keys out of state account object * Correct Provider key state types * Prefix migration with current version number --- .../platform/abstractions/crypto.service.ts | 7 +- .../platform/abstractions/encrypt.service.ts | 2 + .../platform/abstractions/state.service.ts | 7 - .../models/domain/account-keys.spec.ts | 12 -- .../src/platform/models/domain/account.ts | 5 - .../src/platform/services/crypto.service.ts | 92 ++++++------ .../encrypt.service.implementation.ts | 38 +++++ .../platform/services/encrypt.service.spec.ts | 74 ++++++++++ .../key-state/provider-keys.state.spec.ts | 83 +++++++++++ .../services/key-state/provider-keys.state.ts | 45 ++++++ .../src/platform/services/state.service.ts | 40 ------ libs/common/src/state-migrations/migrate.ts | 6 +- ...e-provider-keys-to-state-providers.spec.ts | 135 ++++++++++++++++++ ...3-move-provider-keys-to-state-providers.ts | 53 +++++++ libs/common/src/types/guid.ts | 1 + libs/common/src/types/key.ts | 3 + 16 files changed, 485 insertions(+), 118 deletions(-) create mode 100644 libs/common/src/platform/services/key-state/provider-keys.state.spec.ts create mode 100644 libs/common/src/platform/services/key-state/provider-keys.state.ts create mode 100644 libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.spec.ts create mode 100644 libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.ts diff --git a/libs/common/src/platform/abstractions/crypto.service.ts b/libs/common/src/platform/abstractions/crypto.service.ts index 2a83eb6887..6e7a2ba771 100644 --- a/libs/common/src/platform/abstractions/crypto.service.ts +++ b/libs/common/src/platform/abstractions/crypto.service.ts @@ -4,7 +4,7 @@ import { ProfileOrganizationResponse } from "../../admin-console/models/response import { ProfileProviderOrganizationResponse } from "../../admin-console/models/response/profile-provider-organization.response"; import { ProfileProviderResponse } from "../../admin-console/models/response/profile-provider.response"; import { KdfConfig } from "../../auth/models/domain/kdf-config"; -import { OrganizationId } from "../../types/guid"; +import { OrganizationId, ProviderId } from "../../types/guid"; import { UserKey, MasterKey, OrgKey, ProviderKey, PinKey, CipherKey } from "../../types/key"; import { KeySuffixOptions, KdfType, HashPurpose } from "../enums"; import { EncArrayBuffer } from "../models/domain/enc-array-buffer"; @@ -229,6 +229,7 @@ export abstract class CryptoService { * provider keys currently in memory * @param providers The providers to set keys for */ + activeUserProviderKeys$: Observable>; setProviderKeys: (orgs: ProfileProviderResponse[]) => Promise; /** * @param providerId The desired provider @@ -236,9 +237,9 @@ export abstract class CryptoService { */ getProviderKey: (providerId: string) => Promise; /** - * @returns A map of the provider Ids to their symmetric keys + * @returns A record of the provider Ids to their symmetric keys */ - getProviderKeys: () => Promise>; + getProviderKeys: () => Promise>; /** * @param memoryOnly Clear only the in-memory keys * @param userId The desired user diff --git a/libs/common/src/platform/abstractions/encrypt.service.ts b/libs/common/src/platform/abstractions/encrypt.service.ts index e76dff59d3..a5120e6898 100644 --- a/libs/common/src/platform/abstractions/encrypt.service.ts +++ b/libs/common/src/platform/abstractions/encrypt.service.ts @@ -13,6 +13,8 @@ export abstract class EncryptService { ) => Promise; abstract decryptToUtf8: (encString: EncString, key: SymmetricCryptoKey) => Promise; abstract decryptToBytes: (encThing: Encrypted, key: SymmetricCryptoKey) => Promise; + abstract rsaEncrypt: (data: Uint8Array, publicKey: Uint8Array) => Promise; + abstract rsaDecrypt: (data: EncString, privateKey: Uint8Array) => Promise; abstract resolveLegacyKey: (key: SymmetricCryptoKey, encThing: Encrypted) => SymmetricCryptoKey; abstract decryptItems: ( items: Decryptable[], diff --git a/libs/common/src/platform/abstractions/state.service.ts b/libs/common/src/platform/abstractions/state.service.ts index c7d6d6c09d..63f0bdf37a 100644 --- a/libs/common/src/platform/abstractions/state.service.ts +++ b/libs/common/src/platform/abstractions/state.service.ts @@ -216,11 +216,6 @@ export abstract class StateService { setDecryptedPolicies: (value: Policy[], options?: StorageOptions) => Promise; getDecryptedPrivateKey: (options?: StorageOptions) => Promise; setDecryptedPrivateKey: (value: Uint8Array, options?: StorageOptions) => Promise; - getDecryptedProviderKeys: (options?: StorageOptions) => Promise>; - setDecryptedProviderKeys: ( - value: Map, - options?: StorageOptions, - ) => Promise; /** * @deprecated Do not call this directly, use SendService */ @@ -363,8 +358,6 @@ export abstract class StateService { ) => Promise; getEncryptedPrivateKey: (options?: StorageOptions) => Promise; setEncryptedPrivateKey: (value: string, options?: StorageOptions) => Promise; - getEncryptedProviderKeys: (options?: StorageOptions) => Promise; - setEncryptedProviderKeys: (value: any, options?: StorageOptions) => Promise; /** * @deprecated Do not call this directly, use SendService */ diff --git a/libs/common/src/platform/models/domain/account-keys.spec.ts b/libs/common/src/platform/models/domain/account-keys.spec.ts index 553ccccd38..7041acc5ba 100644 --- a/libs/common/src/platform/models/domain/account-keys.spec.ts +++ b/libs/common/src/platform/models/domain/account-keys.spec.ts @@ -57,18 +57,6 @@ describe("AccountKeys", () => { expect(spy).toHaveBeenCalled(); }); - it("should deserialize organizationKeys", () => { - const spy = jest.spyOn(SymmetricCryptoKey, "fromJSON"); - AccountKeys.fromJSON({ organizationKeys: [{ orgId: "keyJSON" }] } as any); - expect(spy).toHaveBeenCalled(); - }); - - it("should deserialize providerKeys", () => { - const spy = jest.spyOn(SymmetricCryptoKey, "fromJSON"); - AccountKeys.fromJSON({ providerKeys: [{ providerId: "keyJSON" }] } as any); - expect(spy).toHaveBeenCalled(); - }); - it("should deserialize privateKey", () => { const spy = jest.spyOn(EncryptionPair, "fromJSON"); AccountKeys.fromJSON({ diff --git a/libs/common/src/platform/models/domain/account.ts b/libs/common/src/platform/models/domain/account.ts index 6dbade6db6..031e32f479 100644 --- a/libs/common/src/platform/models/domain/account.ts +++ b/libs/common/src/platform/models/domain/account.ts @@ -125,10 +125,6 @@ export class AccountKeys { masterKey?: MasterKey; masterKeyEncryptedUserKey?: string; deviceKey?: ReturnType; - providerKeys?: EncryptionPair> = new EncryptionPair< - any, - Record - >(); privateKey?: EncryptionPair = new EncryptionPair(); publicKey?: Uint8Array; apiKeyClientSecret?: string; @@ -167,7 +163,6 @@ export class AccountKeys { obj?.cryptoSymmetricKey, SymmetricCryptoKey.fromJSON, ), - providerKeys: AccountKeys.initRecordEncryptionPairsFromJSON(obj?.providerKeys), privateKey: EncryptionPair.fromJSON(obj?.privateKey, (decObj: string) => Utils.fromByteStringToArray(decObj), ), diff --git a/libs/common/src/platform/services/crypto.service.ts b/libs/common/src/platform/services/crypto.service.ts index 0d0085f1db..c94ced546f 100644 --- a/libs/common/src/platform/services/crypto.service.ts +++ b/libs/common/src/platform/services/crypto.service.ts @@ -8,8 +8,8 @@ import { ProfileProviderResponse } from "../../admin-console/models/response/pro import { AccountService } from "../../auth/abstractions/account.service"; import { KdfConfig } from "../../auth/models/domain/kdf-config"; import { Utils } from "../../platform/misc/utils"; -import { OrganizationId, UserId } from "../../types/guid"; -import { UserKey, MasterKey, OrgKey, ProviderKey, PinKey, CipherKey } from "../../types/key"; +import { OrganizationId, ProviderId, UserId } from "../../types/guid"; +import { OrgKey, UserKey, MasterKey, ProviderKey, PinKey, CipherKey } from "../../types/key"; import { CryptoFunctionService } from "../abstractions/crypto-function.service"; import { CryptoService as CryptoServiceAbstraction } from "../abstractions/crypto.service"; import { EncryptService } from "../abstractions/encrypt.service"; @@ -29,7 +29,7 @@ import { import { sequentialize } from "../misc/sequentialize"; import { EFFLongWordList } from "../misc/wordlist"; import { EncArrayBuffer } from "../models/domain/enc-array-buffer"; -import { EncString } from "../models/domain/enc-string"; +import { EncString, EncryptedString } from "../models/domain/enc-string"; import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key"; import { ActiveUserState, DerivedState, StateProvider } from "../state"; @@ -37,6 +37,7 @@ import { USER_ENCRYPTED_ORGANIZATION_KEYS, USER_ORGANIZATION_KEYS, } from "./key-state/org-keys.state"; +import { USER_ENCRYPTED_PROVIDER_KEYS, USER_PROVIDER_KEYS } from "./key-state/provider-keys.state"; import { USER_EVER_HAD_USER_KEY } from "./key-state/user-key.state"; export class CryptoService implements CryptoServiceAbstraction { @@ -45,8 +46,13 @@ export class CryptoService implements CryptoServiceAbstraction { Record >; private readonly activeUserOrgKeysState: DerivedState>; + private readonly activeUserEncryptedProviderKeysState: ActiveUserState< + Record + >; + private readonly activeUserProviderKeysState: DerivedState>; readonly activeUserOrgKeys$: Observable>; + readonly activeUserProviderKeys$: Observable>; readonly everHadUserKey$; @@ -68,9 +74,18 @@ export class CryptoService implements CryptoServiceAbstraction { USER_ORGANIZATION_KEYS, { cryptoService: this }, ); + this.activeUserEncryptedProviderKeysState = stateProvider.getActive( + USER_ENCRYPTED_PROVIDER_KEYS, + ); + this.activeUserProviderKeysState = stateProvider.getDerived( + this.activeUserEncryptedProviderKeysState.state$, + USER_PROVIDER_KEYS, + { encryptService: this.encryptService, cryptoService: this }, + ); this.everHadUserKey$ = this.activeUserEverHadUserKey.state$.pipe(map((x) => x ?? false)); this.activeUserOrgKeys$ = this.activeUserOrgKeysState.state$; // null handled by `derive` function + this.activeUserProviderKeys$ = this.activeUserProviderKeysState.state$; // null handled by `derive` function } async setUserKey(key: UserKey, userId?: UserId): Promise { @@ -396,65 +411,44 @@ export class CryptoService implements CryptoServiceAbstraction { } async setProviderKeys(providers: ProfileProviderResponse[]): Promise { - const providerKeys: any = {}; - providers.forEach((provider) => { - providerKeys[provider.id] = provider.key; - }); + this.activeUserEncryptedProviderKeysState.update((_) => { + const encProviderKeys: { [providerId: ProviderId]: EncryptedString } = {}; - await this.stateService.setDecryptedProviderKeys(null); - return await this.stateService.setEncryptedProviderKeys(providerKeys); + providers.forEach((provider) => { + encProviderKeys[provider.id as ProviderId] = provider.key as EncryptedString; + }); + + return encProviderKeys; + }); } - async getProviderKey(providerId: string): Promise { + async getProviderKey(providerId: ProviderId): Promise { if (providerId == null) { return null; } - const providerKeys = await this.getProviderKeys(); - if (providerKeys == null || !providerKeys.has(providerId)) { - return null; - } - - return providerKeys.get(providerId); + return (await firstValueFrom(this.activeUserProviderKeys$))[providerId] ?? null; } @sequentialize(() => "getProviderKeys") - async getProviderKeys(): Promise> { - const providerKeys: Map = new Map(); - const decryptedProviderKeys = await this.stateService.getDecryptedProviderKeys(); - if (decryptedProviderKeys != null && decryptedProviderKeys.size > 0) { - return decryptedProviderKeys as Map; - } - - const encProviderKeys = await this.stateService.getEncryptedProviderKeys(); - if (encProviderKeys == null) { - return null; - } - - let setKey = false; - - for (const orgId in encProviderKeys) { - // eslint-disable-next-line - if (!encProviderKeys.hasOwnProperty(orgId)) { - continue; - } - - const decValue = await this.rsaDecrypt(encProviderKeys[orgId]); - providerKeys.set(orgId, new SymmetricCryptoKey(decValue) as ProviderKey); - setKey = true; - } - - if (setKey) { - await this.stateService.setDecryptedProviderKeys(providerKeys); - } - - return providerKeys; + async getProviderKeys(): Promise> { + return await firstValueFrom(this.activeUserProviderKeys$); } async clearProviderKeys(memoryOnly?: boolean, userId?: UserId): Promise { - await this.stateService.setDecryptedProviderKeys(null, { userId: userId }); - if (!memoryOnly) { - await this.stateService.setEncryptedProviderKeys(null, { userId: userId }); + const activeUserId = (await firstValueFrom(this.accountService.activeAccount$))?.id; + const userIdIsActive = userId == null || userId === activeUserId; + if (memoryOnly && userIdIsActive) { + // provider keys are only cached for active users + await this.activeUserProviderKeysState.forceValue({}); + } else { + if (userId == null && activeUserId == null) { + // nothing to do + return; + } + await this.stateProvider + .getUser(userId ?? activeUserId, USER_ENCRYPTED_PROVIDER_KEYS) + .update(() => null); } } diff --git a/libs/common/src/platform/services/cryptography/encrypt.service.implementation.ts b/libs/common/src/platform/services/cryptography/encrypt.service.implementation.ts index 7fd7bebc70..862ae2bc0e 100644 --- a/libs/common/src/platform/services/cryptography/encrypt.service.implementation.ts +++ b/libs/common/src/platform/services/cryptography/encrypt.service.implementation.ts @@ -147,6 +147,44 @@ export class EncryptServiceImplementation implements EncryptService { return result ?? null; } + async rsaEncrypt(data: Uint8Array, publicKey: Uint8Array): Promise { + if (data == null) { + throw new Error("No data provided for encryption."); + } + + if (publicKey == null) { + throw new Error("No public key provided for encryption."); + } + const encrypted = await this.cryptoFunctionService.rsaEncrypt(data, publicKey, "sha1"); + return new EncString(EncryptionType.Rsa2048_OaepSha1_B64, Utils.fromBufferToB64(encrypted)); + } + + async rsaDecrypt(data: EncString, privateKey: Uint8Array): Promise { + if (data == null) { + throw new Error("No data provided for decryption."); + } + + let algorithm: "sha1" | "sha256"; + switch (data.encryptionType) { + case EncryptionType.Rsa2048_OaepSha1_B64: + case EncryptionType.Rsa2048_OaepSha1_HmacSha256_B64: + algorithm = "sha1"; + break; + case EncryptionType.Rsa2048_OaepSha256_B64: + case EncryptionType.Rsa2048_OaepSha256_HmacSha256_B64: + algorithm = "sha256"; + break; + default: + throw new Error("Invalid encryption type."); + } + + if (privateKey == null) { + throw new Error("No private key provided for decryption."); + } + + return this.cryptoFunctionService.rsaDecrypt(data.dataBytes, privateKey, algorithm); + } + async decryptItems( items: Decryptable[], key: SymmetricCryptoKey, diff --git a/libs/common/src/platform/services/encrypt.service.spec.ts b/libs/common/src/platform/services/encrypt.service.spec.ts index b43f202030..609b5100a1 100644 --- a/libs/common/src/platform/services/encrypt.service.spec.ts +++ b/libs/common/src/platform/services/encrypt.service.spec.ts @@ -5,6 +5,7 @@ import { CsprngArray } from "../../types/csprng"; import { CryptoFunctionService } from "../abstractions/crypto-function.service"; import { LogService } from "../abstractions/log.service"; import { EncryptionType } from "../enums"; +import { Utils } from "../misc/utils"; import { EncArrayBuffer } from "../models/domain/enc-array-buffer"; import { EncString } from "../models/domain/enc-string"; import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key"; @@ -163,6 +164,79 @@ describe("EncryptService", () => { }); }); + describe("rsa", () => { + const data = makeStaticByteArray(10, 100); + const encryptedData = makeStaticByteArray(10, 150); + const publicKey = makeStaticByteArray(10, 200); + const privateKey = makeStaticByteArray(10, 250); + const encString = makeEncString(encryptedData); + + function makeEncString(data: Uint8Array): EncString { + return new EncString(EncryptionType.Rsa2048_OaepSha1_B64, Utils.fromBufferToB64(data)); + } + + describe("rsaEncrypt", () => { + it("throws if no data is provided", () => { + return expect(encryptService.rsaEncrypt(null, publicKey)).rejects.toThrow("No data"); + }); + + it("throws if no public key is provided", () => { + return expect(encryptService.rsaEncrypt(data, null)).rejects.toThrow("No public key"); + }); + + it("encrypts data with provided key", async () => { + cryptoFunctionService.rsaEncrypt.mockResolvedValue(encryptedData); + + const actual = await encryptService.rsaEncrypt(data, publicKey); + + expect(cryptoFunctionService.rsaEncrypt).toBeCalledWith( + expect.toEqualBuffer(data), + expect.toEqualBuffer(publicKey), + "sha1", + ); + + expect(actual).toEqual(encString); + expect(actual.dataBytes).toEqualBuffer(encryptedData); + }); + }); + + describe("rsaDecrypt", () => { + it("throws if no data is provided", () => { + return expect(encryptService.rsaDecrypt(null, privateKey)).rejects.toThrow("No data"); + }); + + it("throws if no private key is provided", () => { + return expect(encryptService.rsaDecrypt(encString, null)).rejects.toThrow("No private key"); + }); + + it.each([ + EncryptionType.AesCbc256_B64, + EncryptionType.AesCbc128_HmacSha256_B64, + EncryptionType.AesCbc256_HmacSha256_B64, + ])("throws if encryption type is %s", async (encType) => { + encString.encryptionType = encType; + + await expect(encryptService.rsaDecrypt(encString, privateKey)).rejects.toThrow( + "Invalid encryption type", + ); + }); + + it("decrypts data with provided key", async () => { + cryptoFunctionService.rsaDecrypt.mockResolvedValue(data); + + const actual = await encryptService.rsaDecrypt(makeEncString(data), privateKey); + + expect(cryptoFunctionService.rsaDecrypt).toBeCalledWith( + expect.toEqualBuffer(data), + expect.toEqualBuffer(privateKey), + "sha1", + ); + + expect(actual).toEqualBuffer(data); + }); + }); + }); + describe("resolveLegacyKey", () => { it("creates a legacy key if required", async () => { const key = new SymmetricCryptoKey(makeStaticByteArray(32), EncryptionType.AesCbc256_B64); diff --git a/libs/common/src/platform/services/key-state/provider-keys.state.spec.ts b/libs/common/src/platform/services/key-state/provider-keys.state.spec.ts new file mode 100644 index 0000000000..d4514a2838 --- /dev/null +++ b/libs/common/src/platform/services/key-state/provider-keys.state.spec.ts @@ -0,0 +1,83 @@ +import { mock } from "jest-mock-extended"; + +import { makeStaticByteArray } from "../../../../spec"; +import { ProviderId } from "../../../types/guid"; +import { ProviderKey, UserPrivateKey } from "../../../types/key"; +import { EncryptService } from "../../abstractions/encrypt.service"; +import { EncryptionType } from "../../enums"; +import { Utils } from "../../misc/utils"; +import { EncString, EncryptedString } from "../../models/domain/enc-string"; +import { SymmetricCryptoKey } from "../../models/domain/symmetric-crypto-key"; +import { CryptoService } from "../crypto.service"; + +import { USER_ENCRYPTED_PROVIDER_KEYS, USER_PROVIDER_KEYS } from "./provider-keys.state"; + +function makeEncString(data?: string) { + data ??= Utils.newGuid(); + return new EncString(EncryptionType.AesCbc256_HmacSha256_B64, data, "test", "test"); +} + +describe("encrypted provider keys", () => { + const sut = USER_ENCRYPTED_PROVIDER_KEYS; + + it("should deserialize encrypted provider keys", () => { + const encryptedProviderKeys = { + "provider-id-1": makeEncString().encryptedString, + "provider-id-2": makeEncString().encryptedString, + }; + + const result = sut.deserializer(JSON.parse(JSON.stringify(encryptedProviderKeys))); + + expect(result).toEqual(encryptedProviderKeys); + }); +}); + +describe("derived decrypted provider keys", () => { + const encryptService = mock(); + const cryptoService = mock(); + const userPrivateKey = makeStaticByteArray(64, 0) as UserPrivateKey; + const sut = USER_PROVIDER_KEYS; + + afterEach(() => { + jest.resetAllMocks(); + }); + + it("should deserialize provider keys", async () => { + const decryptedProviderKeys = { + "provider-id-1": new SymmetricCryptoKey(makeStaticByteArray(64, 1)) as ProviderKey, + "provider-id-2": new SymmetricCryptoKey(makeStaticByteArray(64, 2)) as ProviderKey, + }; + + const result = sut.deserialize(JSON.parse(JSON.stringify(decryptedProviderKeys))); + + expect(result).toEqual(decryptedProviderKeys); + }); + + it("should derive provider keys", async () => { + const encryptedProviderKeys = { + "provider-id-1": makeEncString().encryptedString, + "provider-id-2": makeEncString().encryptedString, + }; + + const decryptedProviderKeys = { + "provider-id-1": new SymmetricCryptoKey(makeStaticByteArray(64, 1)) as ProviderKey, + "provider-id-2": new SymmetricCryptoKey(makeStaticByteArray(64, 2)) as ProviderKey, + }; + + encryptService.rsaDecrypt.mockResolvedValueOnce(decryptedProviderKeys["provider-id-1"].key); + encryptService.rsaDecrypt.mockResolvedValueOnce(decryptedProviderKeys["provider-id-2"].key); + cryptoService.getPrivateKey.mockResolvedValueOnce(userPrivateKey); + + const result = await sut.derive(encryptedProviderKeys, { encryptService, cryptoService }); + + expect(result).toEqual(decryptedProviderKeys); + }); + + it("should handle null input values", async () => { + const encryptedProviderKeys: Record = null; + + const result = await sut.derive(encryptedProviderKeys, { encryptService, cryptoService }); + + expect(result).toEqual({}); + }); +}); diff --git a/libs/common/src/platform/services/key-state/provider-keys.state.ts b/libs/common/src/platform/services/key-state/provider-keys.state.ts new file mode 100644 index 0000000000..c89df34c80 --- /dev/null +++ b/libs/common/src/platform/services/key-state/provider-keys.state.ts @@ -0,0 +1,45 @@ +import { ProviderId } from "../../../types/guid"; +import { ProviderKey } from "../../../types/key"; +import { EncryptService } from "../../abstractions/encrypt.service"; +import { EncString, EncryptedString } from "../../models/domain/enc-string"; +import { SymmetricCryptoKey } from "../../models/domain/symmetric-crypto-key"; +import { KeyDefinition, CRYPTO_DISK, DeriveDefinition } from "../../state"; +import { CryptoService } from "../crypto.service"; + +export const USER_ENCRYPTED_PROVIDER_KEYS = KeyDefinition.record( + CRYPTO_DISK, + "providerKeys", + { + deserializer: (obj) => obj, + }, +); + +export const USER_PROVIDER_KEYS = DeriveDefinition.from< + Record, + Record, + { encryptService: EncryptService; cryptoService: CryptoService } // TODO: This should depend on an active user private key observable directly +>(USER_ENCRYPTED_PROVIDER_KEYS, { + deserializer: (obj) => { + const result: Record = {}; + for (const providerId of Object.keys(obj ?? {}) as ProviderId[]) { + result[providerId] = SymmetricCryptoKey.fromJSON(obj[providerId]) as ProviderKey; + } + return result; + }, + derive: async (from, { encryptService, cryptoService }) => { + const result: Record = {}; + for (const providerId of Object.keys(from ?? {}) as ProviderId[]) { + if (result[providerId] != null) { + continue; + } + const encrypted = new EncString(from[providerId]); + const privateKey = await cryptoService.getPrivateKey(); + const decrypted = await encryptService.rsaDecrypt(encrypted, privateKey); + const providerKey = new SymmetricCryptoKey(decrypted) as ProviderKey; + + result[providerId] = providerKey; + } + + return result; + }, +}); diff --git a/libs/common/src/platform/services/state.service.ts b/libs/common/src/platform/services/state.service.ts index e4f162fddb..34ac0aabe6 100644 --- a/libs/common/src/platform/services/state.service.ts +++ b/libs/common/src/platform/services/state.service.ts @@ -1072,29 +1072,6 @@ export class StateService< ); } - async getDecryptedProviderKeys( - options?: StorageOptions, - ): Promise> { - const account = await this.getAccount( - this.reconcileOptions(options, await this.defaultInMemoryOptions()), - ); - return Utils.recordToMap(account?.keys?.providerKeys?.decrypted); - } - - async setDecryptedProviderKeys( - value: Map, - options?: StorageOptions, - ): Promise { - const account = await this.getAccount( - this.reconcileOptions(options, await this.defaultInMemoryOptions()), - ); - account.keys.providerKeys.decrypted = Utils.mapToRecord(value); - await this.saveAccount( - account, - this.reconcileOptions(options, await this.defaultInMemoryOptions()), - ); - } - @withPrototypeForArrayMembers(SendView) async getDecryptedSends(options?: StorageOptions): Promise { return ( @@ -1912,23 +1889,6 @@ export class StateService< ); } - async getEncryptedProviderKeys(options?: StorageOptions): Promise { - return ( - await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions())) - )?.keys?.providerKeys?.encrypted; - } - - async setEncryptedProviderKeys(value: any, options?: StorageOptions): Promise { - const account = await this.getAccount( - this.reconcileOptions(options, await this.defaultOnDiskOptions()), - ); - account.keys.providerKeys.encrypted = value; - await this.saveAccount( - account, - this.reconcileOptions(options, await this.defaultOnDiskOptions()), - ); - } - @withPrototypeForObjectValues(SendData) async getEncryptedSends(options?: StorageOptions): Promise<{ [id: string]: SendData }> { return ( diff --git a/libs/common/src/state-migrations/migrate.ts b/libs/common/src/state-migrations/migrate.ts index 4f8597608e..6942796372 100644 --- a/libs/common/src/state-migrations/migrate.ts +++ b/libs/common/src/state-migrations/migrate.ts @@ -8,6 +8,7 @@ import { MigrationHelper } from "./migration-helper"; import { EverHadUserKeyMigrator } from "./migrations/10-move-ever-had-user-key-to-state-providers"; import { OrganizationKeyMigrator } from "./migrations/11-move-org-keys-to-state-providers"; import { MoveEnvironmentStateToProviders } from "./migrations/12-move-environment-state-to-providers"; +import { ProviderKeyMigrator } from "./migrations/13-move-provider-keys-to-state-providers"; import { FixPremiumMigrator } from "./migrations/3-fix-premium"; import { RemoveEverBeenUnlockedMigrator } from "./migrations/4-remove-ever-been-unlocked"; import { AddKeyTypeToOrgKeysMigrator } from "./migrations/5-add-key-type-to-org-keys"; @@ -18,7 +19,7 @@ import { MoveBrowserSettingsToGlobal } from "./migrations/9-move-browser-setting import { MinVersionMigrator } from "./migrations/min-version"; export const MIN_VERSION = 2; -export const CURRENT_VERSION = 12; +export const CURRENT_VERSION = 13; export type MinVersion = typeof MIN_VERSION; export async function migrate( @@ -46,7 +47,8 @@ export async function migrate( .with(MoveBrowserSettingsToGlobal, 8, 9) .with(EverHadUserKeyMigrator, 9, 10) .with(OrganizationKeyMigrator, 10, 11) - .with(MoveEnvironmentStateToProviders, 11, CURRENT_VERSION) + .with(MoveEnvironmentStateToProviders, 11, 12) + .with(ProviderKeyMigrator, 12, CURRENT_VERSION) .migrate(migrationHelper); } diff --git a/libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.spec.ts b/libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.spec.ts new file mode 100644 index 0000000000..0fa5ee1bd0 --- /dev/null +++ b/libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.spec.ts @@ -0,0 +1,135 @@ +import { MockProxy, any } from "jest-mock-extended"; + +import { MigrationHelper } from "../migration-helper"; +import { mockMigrationHelper } from "../migration-helper.spec"; + +import { ProviderKeyMigrator } from "./13-move-provider-keys-to-state-providers"; + +function exampleJSON() { + return { + global: { + otherStuff: "otherStuff1", + }, + authenticatedAccounts: ["user-1", "user-2", "user-3"], + "user-1": { + keys: { + providerKeys: { + encrypted: { + "provider-id-1": "provider-key-1", + "provider-id-2": "provider-key-2", + }, + }, + otherStuff: "overStuff2", + }, + otherStuff: "otherStuff3", + }, + "user-2": { + keys: { + otherStuff: "otherStuff4", + }, + otherStuff: "otherStuff5", + }, + }; +} + +function rollbackJSON() { + return { + "user_user-1_crypto_providerKeys": { + "provider-id-1": "provider-key-1", + "provider-id-2": "provider-key-2", + }, + "user_user-2_crypto_providerKeys": null as any, + global: { + otherStuff: "otherStuff1", + }, + authenticatedAccounts: ["user-1", "user-2", "user-3"], + "user-1": { + keys: { + otherStuff: "overStuff2", + }, + otherStuff: "otherStuff3", + }, + "user-2": { + keys: { + otherStuff: "otherStuff4", + }, + otherStuff: "otherStuff5", + }, + }; +} + +describe("ProviderKeysMigrator", () => { + let helper: MockProxy; + let sut: ProviderKeyMigrator; + const keyDefinitionLike = { + key: "providerKeys", + stateDefinition: { + name: "crypto", + }, + }; + + describe("migrate", () => { + beforeEach(() => { + helper = mockMigrationHelper(exampleJSON(), 12); + sut = new ProviderKeyMigrator(12, 13); + }); + + it("should remove providerKeys from all accounts", async () => { + await sut.migrate(helper); + expect(helper.set).toHaveBeenCalledTimes(1); + expect(helper.set).toHaveBeenCalledWith("user-1", { + keys: { + otherStuff: "overStuff2", + }, + otherStuff: "otherStuff3", + }); + }); + + it("should set providerKeys value for each account", async () => { + await sut.migrate(helper); + + expect(helper.setToUser).toHaveBeenCalledTimes(1); + expect(helper.setToUser).toHaveBeenCalledWith("user-1", keyDefinitionLike, { + "provider-id-1": "provider-key-1", + "provider-id-2": "provider-key-2", + }); + }); + }); + + describe("rollback", () => { + beforeEach(() => { + helper = mockMigrationHelper(rollbackJSON(), 11); + sut = new ProviderKeyMigrator(12, 13); + }); + + it.each(["user-1", "user-2", "user-3"])("should null out new values %s", async (userId) => { + await sut.rollback(helper); + + expect(helper.setToUser).toHaveBeenCalledWith(userId, keyDefinitionLike, null); + }); + + it("should add explicit value back to accounts", async () => { + await sut.rollback(helper); + + expect(helper.set).toHaveBeenCalledTimes(1); + expect(helper.set).toHaveBeenCalledWith("user-1", { + keys: { + providerKeys: { + encrypted: { + "provider-id-1": "provider-key-1", + "provider-id-2": "provider-key-2", + }, + }, + otherStuff: "overStuff2", + }, + otherStuff: "otherStuff3", + }); + }); + + it("should not try to restore values to missing accounts", async () => { + await sut.rollback(helper); + + expect(helper.set).not.toHaveBeenCalledWith("user-3", any()); + }); + }); +}); diff --git a/libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.ts b/libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.ts new file mode 100644 index 0000000000..623bbf60fb --- /dev/null +++ b/libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.ts @@ -0,0 +1,53 @@ +import { KeyDefinitionLike, MigrationHelper } from "../migration-helper"; +import { Migrator } from "../migrator"; + +type ExpectedAccountType = { + keys?: { + providerKeys?: { + encrypted?: Record; // Record where EncryptedString is the ProviderKey encrypted by the UserKey. + }; + }; +}; + +const USER_ENCRYPTED_PROVIDER_KEYS: KeyDefinitionLike = { + key: "providerKeys", + stateDefinition: { + name: "crypto", + }, +}; + +export class ProviderKeyMigrator extends Migrator<12, 13> { + async migrate(helper: MigrationHelper): Promise { + const accounts = await helper.getAccounts(); + async function migrateAccount(userId: string, account: ExpectedAccountType): Promise { + const value = account?.keys?.providerKeys?.encrypted; + if (value != null) { + await helper.setToUser(userId, USER_ENCRYPTED_PROVIDER_KEYS, value); + delete account.keys.providerKeys; + await helper.set(userId, account); + } + } + + await Promise.all([...accounts.map(({ userId, account }) => migrateAccount(userId, account))]); + } + async rollback(helper: MigrationHelper): Promise { + const accounts = await helper.getAccounts(); + async function rollbackAccount(userId: string, account: ExpectedAccountType): Promise { + const value = await helper.getFromUser>( + userId, + USER_ENCRYPTED_PROVIDER_KEYS, + ); + if (account && value) { + account.keys = Object.assign(account.keys ?? {}, { + providerKeys: { + encrypted: value, + }, + }); + await helper.set(userId, account); + } + await helper.setToUser(userId, USER_ENCRYPTED_PROVIDER_KEYS, null); + } + + await Promise.all([...accounts.map(({ userId, account }) => rollbackAccount(userId, account))]); + } +} diff --git a/libs/common/src/types/guid.ts b/libs/common/src/types/guid.ts index c828e7a29c..7f20899908 100644 --- a/libs/common/src/types/guid.ts +++ b/libs/common/src/types/guid.ts @@ -4,3 +4,4 @@ export type Guid = Opaque; export type UserId = Opaque; export type OrganizationId = Opaque; +export type ProviderId = Opaque; diff --git a/libs/common/src/types/key.ts b/libs/common/src/types/key.ts index d22c9134a7..3b2448224e 100644 --- a/libs/common/src/types/key.ts +++ b/libs/common/src/types/key.ts @@ -11,3 +11,6 @@ export type PinKey = Opaque; export type OrgKey = Opaque; export type ProviderKey = Opaque; export type CipherKey = Opaque; + +// asymmetric keys +export type UserPrivateKey = Opaque;