fix legacy forwarder loading logic

bitwarden · Nov 27, 2024 · 312ebee · 312ebee
1 parent 0406eae
commit 312ebee
Show file tree

Hide file tree

Showing 8 changed files with 116 additions and 58 deletions.
diff --git a/libs/common/src/tools/state/object-key.ts b/libs/common/src/tools/state/object-key.ts
@@ -5,6 +5,17 @@ import type { StateDefinition } from "../../platform/state/state-definition";
 import { ClassifiedFormat } from "./classified-format";
 import { Classifier } from "./classifier";
 
+/** Determines the format of persistent storage.
+ *  `plain` storage is a plain-old javascript object. Use this type
+ *    when you are performing your own encryption and decryption.
+ *  `classified` uses the `ClassifiedFormat` type as its format.
+ *  `secret-state` uses `Array<ClassifiedFormat>` with a length of 1.
+ *  @remarks - CAUTION! If your on-disk data is not in a correct format,
+ *   the storage system treats the data as corrupt and returns your initial
+ *   value.
+ */
+export type ObjectStorageFormat = "plain" | "classified" | "secret-state";
+
 /** A key for storing JavaScript objects (`{ an: "example" }`)
  * in a UserStateSubject.
  */
@@ -20,7 +31,7 @@ export type ObjectKey<State, Secret = State, Disclosed = Record<string, never>>
   key: string;
   state: StateDefinition;
   classifier: Classifier<State, Disclosed, Secret>;
-  format: "plain" | "classified";
+  format: ObjectStorageFormat;
   options: UserKeyDefinitionOptions<State>;
   initial?: State;
 };
@@ -47,6 +58,18 @@ export function toUserKeyDefinition<State, Secret, Disclosed>(
       },
     );
 
+    return classified;
+  } else if (key.format === "secret-state") {
+    const classified = new UserKeyDefinition<[ClassifiedFormat<void, Disclosed>]>(
+      key.state,
+      key.key,
+      {
+        cleanupDelayMs: key.options.cleanupDelayMs,
+        deserializer: (jsonValue) => jsonValue as [ClassifiedFormat<void, Disclosed>],
+        clearOn: key.options.clearOn,
+      },
+    );
+
     return classified;
   } else {
     throw new Error(`unknown format: ${key.format}`);

diff --git a/libs/common/src/tools/state/user-state-subject.ts b/libs/common/src/tools/state/user-state-subject.ts
@@ -304,36 +304,63 @@ export class UserStateSubject<
       return (input$) => input$ as Observable<State>;
     }
 
-    // if the key supports encryption, enable encryptor support
+    // all other keys support encryption; enable encryptor support
+    return pipe(
+      this.mapToClassifiedFormat(),
+      combineLatestWith(encryptor$),
+      concatMap(async ([input, encryptor]) => {
+        // pass through null values
+        if (input === null || input === undefined) {
+          return null;
+        }
+
+        // decrypt classified data
+        const { secret, disclosed } = input;
+        const encrypted = EncString.fromJSON(secret);
+        const decryptedSecret = await encryptor.decrypt<Secret>(encrypted);
+
+        // assemble into proper state
+        const declassified = this.objectKey.classifier.declassify(disclosed, decryptedSecret);
+        const state = this.objectKey.options.deserializer(declassified);
+
+        return state;
+      }),
+    );
+  }
+
+  private mapToClassifiedFormat(): OperatorFunction<unknown, ClassifiedFormat<unknown, unknown>> {
+    // FIXME: warn when data is dropped in the console and/or report an error
+    //   through the observable; consider redirecting dropped data to a recovery
+    //   location
+
+    // user-state subject's default format is object-aware
     if (this.objectKey && this.objectKey.format === "classified") {
-      return pipe(
-        combineLatestWith(encryptor$),
-        concatMap(async ([input, encryptor]) => {
-          // pass through null values
-          if (input === null || input === undefined) {
-            return null;
-          }
+      return map((input) => {
+        if (!isClassifiedFormat(input)) {
+          return null;
+        }
 
-          // fail fast if the format is incorrect
-          if (!isClassifiedFormat(input)) {
-            throw new Error(`Cannot declassify ${this.key.key}; unknown format.`);
-          }
+        return input;
+      });
+    }
 
-          // decrypt classified data
-          const { secret, disclosed } = input;
-          const encrypted = EncString.fromJSON(secret);
-          const decryptedSecret = await encryptor.decrypt<Secret>(encrypted);
+    // secret state's format wraps objects in an array
+    if (this.objectKey && this.objectKey.format === "secret-state") {
+      return map((input) => {
+        if (!Array.isArray(input)) {
+          return null;
+        }
 
-          // assemble into proper state
-          const declassified = this.objectKey.classifier.declassify(disclosed, decryptedSecret);
-          const state = this.objectKey.options.deserializer(declassified);
+        const [unwrapped] = input;
+        if (!isClassifiedFormat(unwrapped)) {
+          return null;
+        }
 
-          return state;
-        }),
-      );
+        return unwrapped;
+      });
     }
 
-    throw new Error(`unknown serialization format: ${this.objectKey.format}`);
+    throw new Error(`unsupported serialization format: ${this.objectKey.format}`);
   }
 
   private classify(encryptor$: Observable<UserEncryptor>): OperatorFunction<State, unknown> {
@@ -346,41 +373,49 @@ export class UserStateSubject<
       );
     }
 
-    // if the key supports encryption, enable encryptor support
-    if (this.objectKey && this.objectKey.format === "classified") {
-      return pipe(
-        withLatestReady(encryptor$),
-        concatMap(async ([input, encryptor]) => {
-          // fail fast if there's no value
-          if (input === null || input === undefined) {
-            return null;
-          }
+    // all other keys support encryption; enable encryptor support
+    return pipe(
+      withLatestReady(encryptor$),
+      concatMap(async ([input, encryptor]) => {
+        // fail fast if there's no value
+        if (input === null || input === undefined) {
+          return null;
+        }
 
-          // split data by classification level
-          const serialized = JSON.parse(JSON.stringify(input));
-          const classified = this.objectKey.classifier.classify(serialized);
+        // split data by classification level
+        const serialized = JSON.parse(JSON.stringify(input));
+        const classified = this.objectKey.classifier.classify(serialized);
 
-          // protect data
-          const encrypted = await encryptor.encrypt(classified.secret);
-          const secret = JSON.parse(JSON.stringify(encrypted));
+        // protect data
+        const encrypted = await encryptor.encrypt(classified.secret);
+        const secret = JSON.parse(JSON.stringify(encrypted));
 
-          // wrap result in classified format envelope for storage
-          const envelope = {
-            id: null as void,
-            secret,
-            disclosed: classified.disclosed,
-          } satisfies ClassifiedFormat<void, Disclosed>;
+        // wrap result in classified format envelope for storage
+        const envelope = {
+          id: null as void,
+          secret,
+          disclosed: classified.disclosed,
+        } satisfies ClassifiedFormat<void, Disclosed>;
 
-          // deliberate type erasure; the type is restored during `declassify`
-          return envelope as unknown;
-        }),
-      );
+        // deliberate type erasure; the type is restored during `declassify`
+        return envelope as ClassifiedFormat<unknown, unknown>;
+      }),
+      this.mapToStorageFormat(),
+    );
+  }
+
+  private mapToStorageFormat(): OperatorFunction<ClassifiedFormat<unknown, unknown>, unknown> {
+    // user-state subject's default format is object-aware
+    if (this.objectKey && this.objectKey.format === "classified") {
+      return map((input) => input as unknown);
     }
 
-    // FIXME: add "encrypted" format --> key contains encryption logic
-    // CONSIDER: should "classified format" algorithm be embedded in subject keys...?
+    // secret state's format wraps objects in an array
+    if (this.objectKey && this.objectKey.format === "secret-state") {
+      return map((input) => [input] as unknown);
+    }
 
-    throw new Error(`unknown serialization format: ${this.objectKey.format}`);
+    throw new Error(`unsupported serialization format: ${this.objectKey.format}`);
   }
 
   /** The userId to which the subject is bound.

diff --git a/libs/tools/generator/core/src/integration/addy-io.ts b/libs/tools/generator/core/src/integration/addy-io.ts
@@ -66,7 +66,7 @@ const forwarder = Object.freeze({
       // e.g. key: "forwarder.AddyIo.local.settings",
       key: "addyIoForwarder",
       target: "object",
-      format: "classified",
+      format: "secret-state",
       classifier: new PrivateClassifier<AddyIoSettings>(),
       state: GENERATOR_DISK,
       initial: defaultSettings,

diff --git a/libs/tools/generator/core/src/integration/duck-duck-go.ts b/libs/tools/generator/core/src/integration/duck-duck-go.ts
@@ -55,7 +55,7 @@ const forwarder = Object.freeze({
       // e.g. key: "forwarder.DuckDuckGo.local.settings",
       key: "duckDuckGoForwarder",
       target: "object",
-      format: "classified",
+      format: "secret-state",
       classifier: new PrivateClassifier<DuckDuckGoSettings>(),
       state: GENERATOR_DISK,
       initial: defaultSettings,

diff --git a/libs/tools/generator/core/src/integration/fastmail.ts b/libs/tools/generator/core/src/integration/fastmail.ts
@@ -123,7 +123,7 @@ const forwarder = Object.freeze({
       // e.g. key: "forwarder.Fastmail.local.settings"
       key: "fastmailForwarder",
       target: "object",
-      format: "classified",
+      format: "secret-state",
       classifier: new PrivateClassifier<FastmailSettings>(),
       state: GENERATOR_DISK,
       initial: defaultSettings,

diff --git a/libs/tools/generator/core/src/integration/firefox-relay.ts b/libs/tools/generator/core/src/integration/firefox-relay.ts
@@ -59,7 +59,7 @@ const forwarder = Object.freeze({
       // e.g. key: "forwarder.Firefox.local.settings",
       key: "firefoxRelayForwarder",
       target: "object",
-      format: "classified",
+      format: "secret-state",
       classifier: new PrivateClassifier<FirefoxRelaySettings>(),
       state: GENERATOR_DISK,
       initial: defaultSettings,

diff --git a/libs/tools/generator/core/src/integration/forward-email.ts b/libs/tools/generator/core/src/integration/forward-email.ts
@@ -62,7 +62,7 @@ const forwarder = Object.freeze({
       // e.g. key: "forwarder.ForwardEmail.local.settings",
       key: "forwardEmailForwarder",
       target: "object",
-      format: "classified",
+      format: "secret-state",
       classifier: new PrivateClassifier<ForwardEmailSettings>(),
       state: GENERATOR_DISK,
       initial: defaultSettings,

diff --git a/libs/tools/generator/core/src/integration/simple-login.ts b/libs/tools/generator/core/src/integration/simple-login.ts
@@ -65,7 +65,7 @@ const forwarder = Object.freeze({
       // e.g. key: "forwarder.SimpleLogin.local.settings",
       key: "simpleLoginForwarder",
       target: "object",
-      format: "classified",
+      format: "secret-state",
       classifier: new PrivateClassifier<SimpleLoginSettings>(),
       state: GENERATOR_DISK,
       initial: defaultSettings,