From b30d838c49caeeb2c5958093a24185b20d3612b2 Mon Sep 17 00:00:00 2001 From: Jakob Ackermann Date: Wed, 22 Feb 2023 09:17:37 +0000 Subject: [PATCH] Merge pull request #11858 from overleaf/jpa-access-token-encryptor-cleanup [access-token-encryptor] drop support for encryption scheme v2 GitOrigin-RevId: b720997e01239a7b6443138c68485d5ab0c813ed --- .../lib/js/AccessTokenEncryptor.js | 23 +------- .../test/unit/js/AccessTokenEncryptorTests.js | 52 +++---------------- 2 files changed, 10 insertions(+), 65 deletions(-) diff --git a/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js b/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js index a19cc49437..0a87522880 100644 --- a/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js +++ b/libraries/access-token-encryptor/lib/js/AccessTokenEncryptor.js @@ -4,7 +4,6 @@ const crypto = require('crypto') const ALGORITHM = 'aes-256-ctr' const cryptoHkdf = promisify(crypto.hkdf) -const cryptoPbkdf2 = promisify(crypto.pbkdf2) const cryptoRandomBytes = promisify(crypto.randomBytes) class AbstractAccessTokenScheme { @@ -78,12 +77,6 @@ class AccessTokenSchemeWithGenericKeyFn extends AbstractAccessTokenScheme { } } -class AccessTokenSchemeV2 extends AccessTokenSchemeWithGenericKeyFn { - async keyFn(salt) { - return cryptoPbkdf2(this.cipherPassword, salt, 10000, 32, 'sha1') - } -} - class AccessTokenSchemeV3 extends AccessTokenSchemeWithGenericKeyFn { async keyFn(salt) { const optionalInfo = '' @@ -103,7 +96,7 @@ class AccessTokenEncryptor { `cipherLabel must not contain a colon (:), got ${cipherLabel}` ) } - const [cipherLabelNoVersion, version] = cipherLabel.split('-') + const [, version] = cipherLabel.split('-') if (!version) { throw new Error( `cipherLabel must contain version suffix (e.g. 2042.1-v42), got ${cipherLabel}` @@ -118,27 +111,15 @@ class AccessTokenEncryptor { throw new Error(`cipherPasswords['${cipherLabel}'] is too short`) } - let scheme, schemeNoVersion + let scheme switch (version) { - case 'v2': - scheme = new AccessTokenSchemeV2(cipherLabel, cipherPassword) - schemeNoVersion = new AccessTokenSchemeV2( - cipherLabelNoVersion, - cipherPassword - ) - break case 'v3': scheme = new AccessTokenSchemeV3(cipherLabel, cipherPassword) - schemeNoVersion = new AccessTokenSchemeV3( - cipherLabelNoVersion, - cipherPassword - ) break default: throw new Error(`unknown version '${version}' for ${cipherLabel}`) } this.schemeByCipherLabel.set(cipherLabel, scheme) - this.schemeByCipherLabel.set(cipherLabelNoVersion, schemeNoVersion) } this.defaultScheme = this.schemeByCipherLabel.get(settings.cipherLabel) diff --git a/libraries/access-token-encryptor/test/unit/js/AccessTokenEncryptorTests.js b/libraries/access-token-encryptor/test/unit/js/AccessTokenEncryptorTests.js index 8dd15d3b07..6f5820d7d3 100644 --- a/libraries/access-token-encryptor/test/unit/js/AccessTokenEncryptorTests.js +++ b/libraries/access-token-encryptor/test/unit/js/AccessTokenEncryptorTests.js @@ -13,17 +13,14 @@ describe('AccessTokenEncryptor', function () { '2016.1:76a7d64a444ccee1a515b49c44844a69:m5YSkexUsLjcF4gLncm72+k=' this.encrypted2019 = '2019.1:627143b2ab185a020c8720253a4c984e:7gnY6Ez3/Y3UWgLHLfBtJsE=:bf75cecb6aeea55b3c060e1122d2a82d' - this.encrypted2019v2 = - '2019.1-v2:627143b2ab185a020c8720253a4c984e:7gnY6Ez3/Y3UWgLHLfBtJsE=:bf75cecb6aeea55b3c060e1122d2a82d' this.encrypted2023 = '2023.1-v3:a6dd3781dd6ce93a4134874b505a209c:9TdIDAc8V9SeR0ffSn63Jj4=:d8b2de0b733c81b949993dce229abb4c' this.badLabel = 'xxxxxx:c7a39310056b694c:jQf+Uh5Den3JREtvc82GW5Q=' this.badKey = '2015.1:d7a39310056b694c:jQf+Uh5Den3JREtvc82GW5Q=' this.badCipherText = '2015.1:c7a39310056b694c:xQf+Uh5Den3JREtvc82GW5Q=' this.settings = { - cipherLabel: '2019.1', + cipherLabel: '2023.1-v3', cipherPasswords: { - '2019.1-v2': '33333333333333333333333333333333333333', '2023.1-v3': '44444444444444444444444444444444444444', }, } @@ -130,7 +127,7 @@ describe('AccessTokenEncryptor', function () { this.encryptor.encryptJson(this.testObject, (err, encrypted) => { expect(err).to.be.null encrypted.should.match( - /^2019.1:[0-9a-f]{32}:[a-zA-Z0-9=+/]+:[0-9a-f]{32}$/ + /^2023.1-v3:[0-9a-f]{32}:[a-zA-Z0-9=+/]+:[0-9a-f]{32}$/ ) done() }) @@ -146,34 +143,6 @@ describe('AccessTokenEncryptor', function () { }) }) }) - - describe('v3', function () { - beforeEach(function () { - this.settings.cipherLabel = '2023.1-v3' - this.encryptor = new this.AccessTokenEncryptor(this.settings) - }) - - it('should encrypt the object', function (done) { - this.encryptor.encryptJson(this.testObject, (err, encrypted) => { - expect(err).to.be.null - encrypted.should.match( - /^2023.1-v3:[0-9a-f]{32}:[a-zA-Z0-9=+/]+:[0-9a-f]{32}$/ - ) - done() - }) - }) - - it('should encrypt the object differently the next time', function (done) { - this.encryptor.encryptJson(this.testObject, (err, encrypted1) => { - expect(err).to.be.null - this.encryptor.encryptJson(this.testObject, (err, encrypted2) => { - expect(err).to.be.null - encrypted1.should.not.equal(encrypted2) - done() - }) - }) - }) - }) }) describe('decrypt', function () { @@ -210,18 +179,13 @@ describe('AccessTokenEncryptor', function () { }) }) - it('should decrypt an 2019 string to get the same object', function (done) { + it('should not be able to decrypt a 2019 string', function (done) { this.encryptor.decryptToJson(this.encrypted2019, (err, decrypted) => { - expect(err).to.be.null - expect(decrypted).to.deep.equal(this.testObject) - done() - }) - }) - - it('should decrypt an 2019 string with version to get the same object', function (done) { - this.encryptor.decryptToJson(this.encrypted2019v2, (err, decrypted) => { - expect(err).to.be.null - expect(decrypted).to.deep.equal(this.testObject) + expect(err).to.exist + expect(err.message).to.equal( + 'unknown access-token-encryptor label 2019.1' + ) + expect(decrypted).to.not.exist done() }) })