[PM-18243] Improve type safety in decryption (#12885)

* Improve decrypt failure logging

* Rename decryptcontext to decrypttrace

* Improve docs

* PM-16984: Improving type safety of decryption

* Improving type safety of decryption

---------

Co-authored-by: Bernd Schoolmann <mail@quexten.com>

libs/admin-console/src/common/collections/models/collection.ts

@@ -39,11 +39,10 @@ export class Collection extends Domain {
   }
 
   decrypt(orgKey: OrgKey): Promise<CollectionView> {
-    return this.decryptObj(
+    return this.decryptObj<Collection, CollectionView>(
+      this,
       new CollectionView(this),
-      {
+      ["name"],
-        name: null,
-      },
       this.organizationId,
       orgKey,
     );

libs/common/src/platform/models/domain/domain-base.ts

@@ -1,5 +1,3 @@
-// FIXME: Update this file to be type safe and remove this and next line
-// @ts-strict-ignore
 import { ConditionalExcept, ConditionalKeys, Constructor } from "type-fest";
 
 import { EncryptService } from "../../../key-management/crypto/abstractions/encrypt.service";
@@ -15,6 +13,19 @@ export type DecryptedObject<
   TDecryptedKeys extends EncStringKeys<TEncryptedObject>,
 > = Record<TDecryptedKeys, string> & Omit<TEncryptedObject, TDecryptedKeys>;
 
+// extracts shared keys from the domain and view types
+type EncryptableKeys<D extends Domain, V extends View> = (keyof D &
+  ConditionalKeys<D, EncString | null>) &
+  (keyof V & ConditionalKeys<V, string | null>);
+
+type DomainEncryptableKeys<D extends Domain> = {
+  [key in ConditionalKeys<D, EncString | null>]: EncString | null;
+};
+
+type ViewEncryptableKeys<V extends View> = {
+  [key in ConditionalKeys<V, string | null>]: string | null;
+};
+
 // https://contributing.bitwarden.com/architecture/clients/data-model#domain
 export default class Domain {
   protected buildDomainModel<D extends Domain>(
@@ -37,6 +48,7 @@ export default class Domain {
       }
     }
   }
+
   protected buildDataModel<D extends Domain>(
     domain: D,
     dataObj: any,
@@ -58,31 +70,24 @@ export default class Domain {
     }
   }
 
-  protected async decryptObj<T extends View>(
+  protected async decryptObj<D extends Domain, V extends View>(
-    viewModel: T,
+    domain: DomainEncryptableKeys<D>,
-    map: any,
+    viewModel: ViewEncryptableKeys<V>,
-    orgId: string,
+    props: EncryptableKeys<D, V>[],
-    key: SymmetricCryptoKey = null,
+    orgId: string | null,
+    key: SymmetricCryptoKey | null = null,
     objectContext: string = "No Domain Context",
-  ): Promise<T> {
+  ): Promise<V> {
-    const self: any = this;
+    for (const prop of props) {
-
+      viewModel[prop] =
-    for (const prop in map) {
+        (await domain[prop]?.decrypt(
-      // eslint-disable-next-line
-      if (!map.hasOwnProperty(prop)) {
-        continue;
-      }
-
-      const mapProp = map[prop] || prop;
-      if (self[mapProp]) {
-        (viewModel as any)[prop] = await self[mapProp].decrypt(
           orgId,
           key,
-          `Property: ${prop}; ObjectContext: ${objectContext}`,
+          `Property: ${prop as string}; ObjectContext: ${objectContext}`,
-        );
+        )) ?? null;
-      }
     }
-    return viewModel;
+
+    return viewModel as V;
   }
 
   /**
@@ -111,7 +116,7 @@ export default class Domain {
     const decryptedObjects = [];
 
     for (const prop of encryptedProperties) {
-      const value = (this as any)[prop] as EncString;
+      const value = this[prop] as EncString;
       const decrypted = await this.decryptProperty(
         prop,
         value,
@@ -138,11 +143,9 @@ export default class Domain {
     encryptService: EncryptService,
     decryptTrace: string,
   ) {
-    let decrypted: string = null;
+    let decrypted: string | null = null;
     if (value) {
       decrypted = await value.decryptWithKey(key, encryptService, decryptTrace);
-    } else {
-      decrypted = null;
     }
     return {
       [propertyKey]: decrypted,

libs/common/src/platform/models/domain/enc-string.ts

@@ -160,7 +160,7 @@ export class EncString implements Encrypted {
 
   async decrypt(
     orgId: string | null,
-    key: SymmetricCryptoKey = null,
+    key: SymmetricCryptoKey | null = null,
     context?: string,
   ): Promise<string> {
     if (this.decryptedValue != null) {

libs/common/src/tools/send/models/domain/send-access.ts

@@ -54,14 +54,7 @@ export class SendAccess extends Domain {
   async decrypt(key: SymmetricCryptoKey): Promise<SendAccessView> {
     const model = new SendAccessView(this);
 
-    await this.decryptObj(
+    await this.decryptObj<SendAccess, SendAccessView>(this, model, ["name"], null, key);
-      model,
-      {
-        name: null,
-      },
-      null,
-      key,
-    );
 
     switch (this.type) {
       case SendType.File:

libs/common/src/tools/send/models/domain/send-file.ts

@@ -34,15 +34,13 @@ export class SendFile extends Domain {
   }
 
   async decrypt(key: SymmetricCryptoKey): Promise<SendFileView> {
-    const view = await this.decryptObj(
+    return await this.decryptObj<SendFile, SendFileView>(
+      this,
       new SendFileView(this),
-      {
+      ["fileName"],
-        fileName: null,
-      },
       null,
       key,
     );
-    return view;
   }
 
   static fromJSON(obj: Jsonify<SendFile>) {

libs/common/src/tools/send/models/domain/send-text.ts

@@ -30,11 +30,10 @@ export class SendText extends Domain {
   }
 
   decrypt(key: SymmetricCryptoKey): Promise<SendTextView> {
-    return this.decryptObj(
+    return this.decryptObj<SendText, SendTextView>(
+      this,
       new SendTextView(this),
-      {
+      ["text"],
-        text: null,
-      },
       null,
       key,
     );

libs/common/src/tools/send/models/domain/send.ts

@@ -87,15 +87,7 @@ export class Send extends Domain {
       // TODO: error?
     }
 
-    await this.decryptObj(
+    await this.decryptObj<Send, SendView>(this, model, ["name", "notes"], null, model.cryptoKey);
-      model,
-      {
-        name: null,
-        notes: null,
-      },
-      null,
-      model.cryptoKey,
-    );
 
     switch (this.type) {
       case SendType.File:

libs/common/src/vault/models/domain/attachment.ts

@@ -43,11 +43,10 @@ export class Attachment extends Domain {
     context = "No Cipher Context",
     encKey?: SymmetricCryptoKey,
   ): Promise<AttachmentView> {
-    const view = await this.decryptObj(
+    const view = await this.decryptObj<Attachment, AttachmentView>(
+      this,
       new AttachmentView(this),
-      {
+      ["fileName"],
-        fileName: null,
-      },
       orgId,
       encKey,
       "DomainType: Attachment; " + context,

libs/common/src/vault/models/domain/card.ts

@@ -42,16 +42,10 @@ export class Card extends Domain {
     context = "No Cipher Context",
     encKey?: SymmetricCryptoKey,
   ): Promise<CardView> {
-    return this.decryptObj(
+    return this.decryptObj<Card, CardView>(
+      this,
       new CardView(),
-      {
+      ["cardholderName", "brand", "number", "expMonth", "expYear", "code"],
-        cardholderName: null,
-        brand: null,
-        number: null,
-        expMonth: null,
-        expYear: null,
-        code: null,
-      },
       orgId,
       encKey,
       "DomainType: Card; " + context,

libs/common/src/vault/models/domain/cipher.ts

@@ -154,12 +154,10 @@ export class Cipher extends Domain implements Decryptable<CipherView> {
       bypassValidation = false;
     }
 
-    await this.decryptObj(
+    await this.decryptObj<Cipher, CipherView>(
+      this,
       model,
-      {
+      ["name", "notes"],
-        name: null,
-        notes: null,
-      },
       this.organizationId,
       encKey,
     );

libs/common/src/vault/models/domain/fido2-credential.ts

@@ -52,41 +52,38 @@ export class Fido2Credential extends Domain {
   }
 
   async decrypt(orgId: string, encKey?: SymmetricCryptoKey): Promise<Fido2CredentialView> {
-    const view = await this.decryptObj(
+    const view = await this.decryptObj<Fido2Credential, Fido2CredentialView>(
+      this,
       new Fido2CredentialView(),
-      {
+      [
-        credentialId: null,
+        "credentialId",
-        keyType: null,
+        "keyType",
-        keyAlgorithm: null,
+        "keyAlgorithm",
-        keyCurve: null,
+        "keyCurve",
-        keyValue: null,
+        "keyValue",
-        rpId: null,
+        "rpId",
-        userHandle: null,
+        "userHandle",
-        userName: null,
+        "userName",
-        rpName: null,
+        "rpName",
-        userDisplayName: null,
+        "userDisplayName",
-        discoverable: null,
+      ],
-      },
       orgId,
       encKey,
     );
 
-    const { counter } = await this.decryptObj(
+    const { counter } = await this.decryptObj<
-      { counter: "" },
+      Fido2Credential,
       {
-        counter: null,
+        counter: string;
-      },
+      }
-      orgId,
+    >(this, { counter: "" }, ["counter"], orgId, encKey);
-      encKey,
-    );
     // Counter will end up as NaN if this fails
     view.counter = parseInt(counter);
 
-    const { discoverable } = await this.decryptObj(
+    const { discoverable } = await this.decryptObj<Fido2Credential, { discoverable: string }>(
+      this,
       { discoverable: "" },
-      {
+      ["discoverable"],
-        discoverable: null,
-      },
       orgId,
       encKey,
     );

libs/common/src/vault/models/domain/field.ts

@@ -35,12 +35,10 @@ export class Field extends Domain {
   }
 
   decrypt(orgId: string, encKey?: SymmetricCryptoKey): Promise<FieldView> {
-    return this.decryptObj(
+    return this.decryptObj<Field, FieldView>(
+      this,
       new FieldView(this),
-      {
+      ["name", "value"],
-        name: null,
-        value: null,
-      },
       orgId,
       encKey,
     );

libs/common/src/vault/models/domain/folder.ts

@@ -40,13 +40,7 @@ export class Folder extends Domain {
   }
 
   decrypt(): Promise<FolderView> {
-    return this.decryptObj(
+    return this.decryptObj<Folder, FolderView>(this, new FolderView(this), ["name"], null);
-      new FolderView(this),
-      {
-        name: null,
-      },
-      null,
-    );
   }
 
   async decryptWithKey(

libs/common/src/vault/models/domain/identity.ts

@@ -66,28 +66,29 @@ export class Identity extends Domain {
     context: string = "No Cipher Context",
     encKey?: SymmetricCryptoKey,
   ): Promise<IdentityView> {
-    return this.decryptObj(
+    return this.decryptObj<Identity, IdentityView>(
+      this,
       new IdentityView(),
-      {
+      [
-        title: null,
+        "title",
-        firstName: null,
+        "firstName",
-        middleName: null,
+        "middleName",
-        lastName: null,
+        "lastName",
-        address1: null,
+        "address1",
-        address2: null,
+        "address2",
-        address3: null,
+        "address3",
-        city: null,
+        "city",
-        state: null,
+        "state",
-        postalCode: null,
+        "postalCode",
-        country: null,
+        "country",
-        company: null,
+        "company",
-        email: null,
+        "email",
-        phone: null,
+        "phone",
-        ssn: null,
+        "ssn",
-        username: null,
+        "username",
-        passportNumber: null,
+        "passportNumber",
-        licenseNumber: null,
+        "licenseNumber",
-      },
+      ],
       orgId,
       encKey,
       "DomainType: Identity; " + context,

libs/common/src/vault/models/domain/login-uri.ts

@@ -38,11 +38,10 @@ export class LoginUri extends Domain {
     context: string = "No Cipher Context",
     encKey?: SymmetricCryptoKey,
   ): Promise<LoginUriView> {
-    return this.decryptObj(
+    return this.decryptObj<LoginUri, LoginUriView>(
+      this,
       new LoginUriView(this),
-      {
+      ["uri"],
-        uri: null,
-      },
       orgId,
       encKey,
       context,

libs/common/src/vault/models/domain/login.ts

@@ -58,13 +58,10 @@ export class Login extends Domain {
     context: string = "No Cipher Context",
     encKey?: SymmetricCryptoKey,
   ): Promise<LoginView> {
-    const view = await this.decryptObj(
+    const view = await this.decryptObj<Login, LoginView>(
+      this,
       new LoginView(this),
-      {
+      ["username", "password", "totp"],
-        username: null,
-        password: null,
-        totp: null,
-      },
       orgId,
       encKey,
       `DomainType: Login; ${context}`,

libs/common/src/vault/models/domain/password.ts

@@ -25,11 +25,10 @@ export class Password extends Domain {
   }
 
   decrypt(orgId: string, encKey?: SymmetricCryptoKey): Promise<PasswordHistoryView> {
-    return this.decryptObj(
+    return this.decryptObj<Password, PasswordHistoryView>(
+      this,
       new PasswordHistoryView(this),
-      {
+      ["password"],
-        password: null,
-      },
       orgId,
       encKey,
       "DomainType: PasswordHistory",

libs/common/src/vault/models/domain/ssh-key.ts

@@ -36,13 +36,10 @@ export class SshKey extends Domain {
     context = "No Cipher Context",
     encKey?: SymmetricCryptoKey,
   ): Promise<SshKeyView> {
-    return this.decryptObj(
+    return this.decryptObj<SshKey, SshKeyView>(
+      this,
       new SshKeyView(),
-      {
+      ["privateKey", "publicKey", "keyFingerprint"],
-        privateKey: null,
-        publicKey: null,
-        keyFingerprint: null,
-      },
       orgId,
       encKey,
       "DomainType: SshKey; " + context,