[PM-5533] migrate provider keys (#7649)

* Provide RSA encryption in encrypt service

* Define state for provider keys

* Require cryptoService

This is temporary until cryptoService has an observable active user private key. We don't want promise-based values in derive functions

* Update crypto service provider keys to observables

* Remove provider keys from state service

* Migrate provider keys out of state account object

* Correct Provider key state types

* Prefix migration with current version number

libs/common/src/state-migrations/migrate.ts

@@ -8,6 +8,7 @@ import { MigrationHelper } from "./migration-helper";
 import { EverHadUserKeyMigrator } from "./migrations/10-move-ever-had-user-key-to-state-providers";
 import { OrganizationKeyMigrator } from "./migrations/11-move-org-keys-to-state-providers";
 import { MoveEnvironmentStateToProviders } from "./migrations/12-move-environment-state-to-providers";
+import { ProviderKeyMigrator } from "./migrations/13-move-provider-keys-to-state-providers";
 import { FixPremiumMigrator } from "./migrations/3-fix-premium";
 import { RemoveEverBeenUnlockedMigrator } from "./migrations/4-remove-ever-been-unlocked";
 import { AddKeyTypeToOrgKeysMigrator } from "./migrations/5-add-key-type-to-org-keys";
@@ -18,7 +19,7 @@ import { MoveBrowserSettingsToGlobal } from "./migrations/9-move-browser-setting
 import { MinVersionMigrator } from "./migrations/min-version";
 
 export const MIN_VERSION = 2;
-export const CURRENT_VERSION = 12;
+export const CURRENT_VERSION = 13;
 export type MinVersion = typeof MIN_VERSION;
 
 export async function migrate(
@@ -46,7 +47,8 @@ export async function migrate(
     .with(MoveBrowserSettingsToGlobal, 8, 9)
     .with(EverHadUserKeyMigrator, 9, 10)
     .with(OrganizationKeyMigrator, 10, 11)
-    .with(MoveEnvironmentStateToProviders, 11, CURRENT_VERSION)
+    .with(MoveEnvironmentStateToProviders, 11, 12)
+    .with(ProviderKeyMigrator, 12, CURRENT_VERSION)
 
     .migrate(migrationHelper);
 }

libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.spec.ts

@@ -0,0 +1,135 @@
+import { MockProxy, any } from "jest-mock-extended";
+
+import { MigrationHelper } from "../migration-helper";
+import { mockMigrationHelper } from "../migration-helper.spec";
+
+import { ProviderKeyMigrator } from "./13-move-provider-keys-to-state-providers";
+
+function exampleJSON() {
+  return {
+    global: {
+      otherStuff: "otherStuff1",
+    },
+    authenticatedAccounts: ["user-1", "user-2", "user-3"],
+    "user-1": {
+      keys: {
+        providerKeys: {
+          encrypted: {
+            "provider-id-1": "provider-key-1",
+            "provider-id-2": "provider-key-2",
+          },
+        },
+        otherStuff: "overStuff2",
+      },
+      otherStuff: "otherStuff3",
+    },
+    "user-2": {
+      keys: {
+        otherStuff: "otherStuff4",
+      },
+      otherStuff: "otherStuff5",
+    },
+  };
+}
+
+function rollbackJSON() {
+  return {
+    "user_user-1_crypto_providerKeys": {
+      "provider-id-1": "provider-key-1",
+      "provider-id-2": "provider-key-2",
+    },
+    "user_user-2_crypto_providerKeys": null as any,
+    global: {
+      otherStuff: "otherStuff1",
+    },
+    authenticatedAccounts: ["user-1", "user-2", "user-3"],
+    "user-1": {
+      keys: {
+        otherStuff: "overStuff2",
+      },
+      otherStuff: "otherStuff3",
+    },
+    "user-2": {
+      keys: {
+        otherStuff: "otherStuff4",
+      },
+      otherStuff: "otherStuff5",
+    },
+  };
+}
+
+describe("ProviderKeysMigrator", () => {
+  let helper: MockProxy<MigrationHelper>;
+  let sut: ProviderKeyMigrator;
+  const keyDefinitionLike = {
+    key: "providerKeys",
+    stateDefinition: {
+      name: "crypto",
+    },
+  };
+
+  describe("migrate", () => {
+    beforeEach(() => {
+      helper = mockMigrationHelper(exampleJSON(), 12);
+      sut = new ProviderKeyMigrator(12, 13);
+    });
+
+    it("should remove providerKeys from all accounts", async () => {
+      await sut.migrate(helper);
+      expect(helper.set).toHaveBeenCalledTimes(1);
+      expect(helper.set).toHaveBeenCalledWith("user-1", {
+        keys: {
+          otherStuff: "overStuff2",
+        },
+        otherStuff: "otherStuff3",
+      });
+    });
+
+    it("should set providerKeys value for each account", async () => {
+      await sut.migrate(helper);
+
+      expect(helper.setToUser).toHaveBeenCalledTimes(1);
+      expect(helper.setToUser).toHaveBeenCalledWith("user-1", keyDefinitionLike, {
+        "provider-id-1": "provider-key-1",
+        "provider-id-2": "provider-key-2",
+      });
+    });
+  });
+
+  describe("rollback", () => {
+    beforeEach(() => {
+      helper = mockMigrationHelper(rollbackJSON(), 11);
+      sut = new ProviderKeyMigrator(12, 13);
+    });
+
+    it.each(["user-1", "user-2", "user-3"])("should null out new values %s", async (userId) => {
+      await sut.rollback(helper);
+
+      expect(helper.setToUser).toHaveBeenCalledWith(userId, keyDefinitionLike, null);
+    });
+
+    it("should add explicit value back to accounts", async () => {
+      await sut.rollback(helper);
+
+      expect(helper.set).toHaveBeenCalledTimes(1);
+      expect(helper.set).toHaveBeenCalledWith("user-1", {
+        keys: {
+          providerKeys: {
+            encrypted: {
+              "provider-id-1": "provider-key-1",
+              "provider-id-2": "provider-key-2",
+            },
+          },
+          otherStuff: "overStuff2",
+        },
+        otherStuff: "otherStuff3",
+      });
+    });
+
+    it("should not try to restore values to missing accounts", async () => {
+      await sut.rollback(helper);
+
+      expect(helper.set).not.toHaveBeenCalledWith("user-3", any());
+    });
+  });
+});

libs/common/src/state-migrations/migrations/13-move-provider-keys-to-state-providers.ts

@@ -0,0 +1,53 @@
+import { KeyDefinitionLike, MigrationHelper } from "../migration-helper";
+import { Migrator } from "../migrator";
+
+type ExpectedAccountType = {
+  keys?: {
+    providerKeys?: {
+      encrypted?: Record<string, string>; // Record<ProviderId, EncryptedString> where EncryptedString is the ProviderKey encrypted by the UserKey.
+    };
+  };
+};
+
+const USER_ENCRYPTED_PROVIDER_KEYS: KeyDefinitionLike = {
+  key: "providerKeys",
+  stateDefinition: {
+    name: "crypto",
+  },
+};
+
+export class ProviderKeyMigrator extends Migrator<12, 13> {
+  async migrate(helper: MigrationHelper): Promise<void> {
+    const accounts = await helper.getAccounts<ExpectedAccountType>();
+    async function migrateAccount(userId: string, account: ExpectedAccountType): Promise<void> {
+      const value = account?.keys?.providerKeys?.encrypted;
+      if (value != null) {
+        await helper.setToUser(userId, USER_ENCRYPTED_PROVIDER_KEYS, value);
+        delete account.keys.providerKeys;
+        await helper.set(userId, account);
+      }
+    }
+
+    await Promise.all([...accounts.map(({ userId, account }) => migrateAccount(userId, account))]);
+  }
+  async rollback(helper: MigrationHelper): Promise<void> {
+    const accounts = await helper.getAccounts<ExpectedAccountType>();
+    async function rollbackAccount(userId: string, account: ExpectedAccountType): Promise<void> {
+      const value = await helper.getFromUser<Record<string, string>>(
+        userId,
+        USER_ENCRYPTED_PROVIDER_KEYS,
+      );
+      if (account && value) {
+        account.keys = Object.assign(account.keys ?? {}, {
+          providerKeys: {
+            encrypted: value,
+          },
+        });
+        await helper.set(userId, account);
+      }
+      await helper.setToUser(userId, USER_ENCRYPTED_PROVIDER_KEYS, null);
+    }
+
+    await Promise.all([...accounts.map(({ userId, account }) => rollbackAccount(userId, account))]);
+  }
+}