[PM-5533] Migrate Asymmetric User Keys to State Providers (#7665)

2025-12-16 08:13:42 +00:00 · 2024-02-14 15:04:08 -05:00
parent 7a6d7b3a68
commit d8b74b78da
13 changed files with 554 additions and 127 deletions
--- a/libs/common/src/state-migrations/migrate.ts
+++ b/libs/common/src/state-migrations/migrate.ts
@@ -14,6 +14,7 @@ import { LastSyncMigrator } from "./migrations/16-move-last-sync-to-state-provid
 import { EnablePasskeysMigrator } from "./migrations/17-move-enable-passkeys-to-state-providers";
 import { AutofillSettingsKeyMigrator } from "./migrations/18-move-autofill-settings-to-state-providers";
 import { RequirePasswordOnStartMigrator } from "./migrations/19-migrate-require-password-on-start";
+import { PrivateKeyMigrator } from "./migrations/20-move-private-key-to-state-providers";
 import { FixPremiumMigrator } from "./migrations/3-fix-premium";
 import { RemoveEverBeenUnlockedMigrator } from "./migrations/4-remove-ever-been-unlocked";
 import { AddKeyTypeToOrgKeysMigrator } from "./migrations/5-add-key-type-to-org-keys";
@@ -24,7 +25,7 @@ import { MoveBrowserSettingsToGlobal } from "./migrations/9-move-browser-setting
 import { MinVersionMigrator } from "./migrations/min-version";

 export const MIN_VERSION = 2;
-export const CURRENT_VERSION = 19;
+export const CURRENT_VERSION = 20;
 export type MinVersion = typeof MIN_VERSION;

 export function createMigrationBuilder() {
@@ -46,7 +47,8 @@ export function createMigrationBuilder() {
    .with(LastSyncMigrator, 15, 16)
    .with(EnablePasskeysMigrator, 16, 17)
    .with(AutofillSettingsKeyMigrator, 17, 18)
-    .with(RequirePasswordOnStartMigrator, 18, CURRENT_VERSION);
+    .with(RequirePasswordOnStartMigrator, 18, 19)
+    .with(PrivateKeyMigrator, 19, CURRENT_VERSION);
 }

 export async function currentVersion(
--- a/libs/common/src/state-migrations/migrations/20-move-private-key-to-state-providers.spec.ts
+++ b/libs/common/src/state-migrations/migrations/20-move-private-key-to-state-providers.spec.ts
@@ -0,0 +1,127 @@
+import { MockProxy, any } from "jest-mock-extended";
+
+import { MigrationHelper } from "../migration-helper";
+import { mockMigrationHelper } from "../migration-helper.spec";
+
+import { PrivateKeyMigrator } from "./20-move-private-key-to-state-providers";
+
+function exampleJSON() {
+  return {
+    global: {
+      otherStuff: "otherStuff1",
+    },
+    authenticatedAccounts: ["user-1", "user-2", "user-3"],
+    "user-1": {
+      keys: {
+        privateKey: {
+          encrypted: "user-1-encrypted-private-key",
+        },
+        otherStuff: "overStuff2",
+      },
+      otherStuff: "otherStuff3",
+    },
+    "user-2": {
+      keys: {
+        otherStuff: "otherStuff4",
+      },
+      otherStuff: "otherStuff5",
+    },
+  };
+}
+
+function rollbackJSON() {
+  return {
+    "user_user-1_crypto_privateKey": "encrypted-private-key",
+    "user_user-2_crypto_privateKey": null as any,
+    global: {
+      otherStuff: "otherStuff1",
+    },
+    authenticatedAccounts: ["user-1", "user-2", "user-3"],
+    "user-1": {
+      keys: {
+        otherStuff: "overStuff2",
+      },
+      otherStuff: "otherStuff3",
+    },
+    "user-2": {
+      keys: {
+        otherStuff: "otherStuff4",
+      },
+      otherStuff: "otherStuff5",
+    },
+  };
+}
+
+describe("privateKeyMigrator", () => {
+  let helper: MockProxy<MigrationHelper>;
+  let sut: PrivateKeyMigrator;
+  const keyDefinitionLike = {
+    key: "privateKey",
+    stateDefinition: {
+      name: "crypto",
+    },
+  };
+
+  describe("migrate", () => {
+    beforeEach(() => {
+      helper = mockMigrationHelper(exampleJSON(), 19);
+      sut = new PrivateKeyMigrator(19, 20);
+    });
+
+    it("should remove privateKey from all accounts", async () => {
+      await sut.migrate(helper);
+      expect(helper.set).toHaveBeenCalledTimes(1);
+      expect(helper.set).toHaveBeenCalledWith("user-1", {
+        keys: {
+          otherStuff: "overStuff2",
+        },
+        otherStuff: "otherStuff3",
+      });
+    });
+
+    it("should set privateKey value for each account", async () => {
+      await sut.migrate(helper);
+
+      expect(helper.setToUser).toHaveBeenCalledTimes(1);
+      expect(helper.setToUser).toHaveBeenCalledWith(
+        "user-1",
+        keyDefinitionLike,
+        "user-1-encrypted-private-key",
+      );
+    });
+  });
+
+  describe("rollback", () => {
+    beforeEach(() => {
+      helper = mockMigrationHelper(rollbackJSON(), 20);
+      sut = new PrivateKeyMigrator(19, 20);
+    });
+
+    it.each(["user-1", "user-2", "user-3"])("should null out new values %s", async (userId) => {
+      await sut.rollback(helper);
+
+      expect(helper.setToUser).toHaveBeenCalledWith(userId, keyDefinitionLike, null);
+    });
+
+    it("should add explicit value back to accounts", async () => {
+      await sut.rollback(helper);
+
+      expect(helper.set).toHaveBeenCalledTimes(1);
+      expect(helper.set).toHaveBeenCalledWith("user-1", {
+        keys: {
+          privateKey: {
+            encrypted: "encrypted-private-key",
+          },
+          otherStuff: "overStuff2",
+        },
+        otherStuff: "otherStuff3",
+      });
+    });
+
+    it("should not try to restore values to missing accounts", async () => {
+      await sut.rollback(helper);
+
+      expect(helper.set).not.toHaveBeenCalledWith("user-3", any());
+    });
+  });
+});
--- a/libs/common/src/state-migrations/migrations/20-move-private-key-to-state-providers.ts
+++ b/libs/common/src/state-migrations/migrations/20-move-private-key-to-state-providers.ts
@@ -0,0 +1,53 @@
+import { KeyDefinitionLike, MigrationHelper } from "../migration-helper";
+import { Migrator } from "../migrator";
+
+type ExpectedAccountType = {
+  keys?: {
+    privateKey?: {
+      encrypted?: string; // EncryptedString
+    };
+  };
+};
+
+const USER_ENCRYPTED_PRIVATE_KEY: KeyDefinitionLike = {
+  key: "privateKey",
+  stateDefinition: {
+    name: "crypto",
+  },
+};
+
+export class PrivateKeyMigrator extends Migrator<19, 20> {
+  async migrate(helper: MigrationHelper): Promise<void> {
+    const accounts = await helper.getAccounts<ExpectedAccountType>();
+    async function migrateAccount(userId: string, account: ExpectedAccountType): Promise<void> {
+      const value = account?.keys?.privateKey?.encrypted;
+      if (value != null) {
+        await helper.setToUser(userId, USER_ENCRYPTED_PRIVATE_KEY, value);
+        delete account.keys.privateKey;
+        await helper.set(userId, account);
+      }
+    }
+
+    await Promise.all([...accounts.map(({ userId, account }) => migrateAccount(userId, account))]);
+  }
+  async rollback(helper: MigrationHelper): Promise<void> {
+    const accounts = await helper.getAccounts<ExpectedAccountType>();
+    async function rollbackAccount(userId: string, account: ExpectedAccountType): Promise<void> {
+      const value = await helper.getFromUser<Record<string, string>>(
+        userId,
+        USER_ENCRYPTED_PRIVATE_KEY,
+      );
+      if (account && value) {
+        account.keys = Object.assign(account.keys ?? {}, {
+          privateKey: {
+            encrypted: value,
+          },
+        });
+        await helper.set(userId, account);
+      }
+      await helper.setToUser(userId, USER_ENCRYPTED_PRIVATE_KEY, null);
+    }
+
+    await Promise.all([...accounts.map(({ userId, account }) => rollbackAccount(userId, account))]);
+  }
+}