[PM-8155] Keep crypto derive dependencies in lockstep (#9191)

* Keep derive dependencies in lockstep This reduces emissions in general due to updates of multiple inputs and removes decryption errors due to partially updated dependencies * Fix provider encrypted org keys * Fix provider state test types * Type fixes
2025-12-17 16:53:34 +00:00 · 2024-05-15 17:40:16 -04:00
parent c19a640557
commit 4ccf920da8
8 changed files with 112 additions and 103 deletions
--- a/libs/common/src/platform/services/key-state/org-keys.state.ts
+++ b/libs/common/src/platform/services/key-state/org-keys.state.ts
@@ -1,10 +1,10 @@
 import { EncryptedOrganizationKeyData } from "../../../admin-console/models/data/encrypted-organization-key.data";
 import { BaseEncryptedOrganizationKey } from "../../../admin-console/models/domain/encrypted-organization-key";
-import { OrganizationId } from "../../../types/guid";
-import { OrgKey } from "../../../types/key";
-import { CryptoService } from "../../abstractions/crypto.service";
+import { OrganizationId, ProviderId } from "../../../types/guid";
+import { OrgKey, ProviderKey, UserPrivateKey } from "../../../types/key";
+import { EncryptService } from "../../abstractions/encrypt.service";
 import { SymmetricCryptoKey } from "../../models/domain/symmetric-crypto-key";
-import { CRYPTO_DISK, DeriveDefinition, UserKeyDefinition } from "../../state";
+import { CRYPTO_DISK, CRYPTO_MEMORY, DeriveDefinition, UserKeyDefinition } from "../../state";

 export const USER_ENCRYPTED_ORGANIZATION_KEYS = UserKeyDefinition.record<
  EncryptedOrganizationKeyData,
@@ -14,11 +14,15 @@ export const USER_ENCRYPTED_ORGANIZATION_KEYS = UserKeyDefinition.record<
  clearOn: ["logout"],
 });

-export const USER_ORGANIZATION_KEYS = DeriveDefinition.from<
-  Record<OrganizationId, EncryptedOrganizationKeyData>,
+export const USER_ORGANIZATION_KEYS = new DeriveDefinition<
+  [
+    Record<OrganizationId, EncryptedOrganizationKeyData>,
+    UserPrivateKey,
+    Record<ProviderId, ProviderKey>,
+  ],
  Record<OrganizationId, OrgKey>,
-  { cryptoService: CryptoService }
->(USER_ENCRYPTED_ORGANIZATION_KEYS, {
+  { encryptService: EncryptService }
+>(CRYPTO_MEMORY, "organizationKeys", {
  deserializer: (obj) => {
    const result: Record<OrganizationId, OrgKey> = {};
    for (const orgId of Object.keys(obj ?? {}) as OrganizationId[]) {
@@ -26,14 +30,21 @@ export const USER_ORGANIZATION_KEYS = DeriveDefinition.from<
    }
    return result;
  },
-  derive: async (from, { cryptoService }) => {
+  derive: async ([encryptedOrgKeys, privateKey, providerKeys], { encryptService }) => {
    const result: Record<OrganizationId, OrgKey> = {};
-    for (const orgId of Object.keys(from ?? {}) as OrganizationId[]) {
+    for (const orgId of Object.keys(encryptedOrgKeys ?? {}) as OrganizationId[]) {
      if (result[orgId] != null) {
        continue;
      }
-      const encrypted = BaseEncryptedOrganizationKey.fromData(from[orgId]);
-      const decrypted = await encrypted.decrypt(cryptoService);
+      const encrypted = BaseEncryptedOrganizationKey.fromData(encryptedOrgKeys[orgId]);
+
+      let decrypted: OrgKey;
+
+      if (BaseEncryptedOrganizationKey.isProviderEncrypted(encrypted)) {
+        decrypted = await encrypted.decrypt(encryptService, providerKeys);
+      } else {
+        decrypted = await encrypted.decrypt(encryptService, privateKey);
+      }

      result[orgId] = decrypted;
    }