Merge pull request #17 from DEFRA/feature/2831-aes-crypto-transform

krisddefra · web-flow · commit a0436efd9be8 · 2025-09-22T12:58:35.000+01:00
Feature/2831 aes crypto transform
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
@@ -12,6 +12,7 @@ services:
       - StorageConfiguration__ExternalStorage__BucketName=test-external-bucket
       - StorageConfiguration__InternalStorage__BucketName=test-internal-bucket
       - ServiceBusSenderConfiguration__DataBridgeEventsTopic__TopicArn=arn:aws:sns:eu-west-2:000000000000:ls-keeper-data-bridge-events
+      - AesSalt=LD8BB2NNze7qKbVyLutAfGBxhkAApR 
     ports:
       - "8080"
     volumes:
diff --git a/src/KeeperData.Bridge/Setup/ServiceCollectionExtensions.cs b/src/KeeperData.Bridge/Setup/ServiceCollectionExtensions.cs
@@ -1,4 +1,5 @@
 using KeeperData.Application.Setup;
+using KeeperData.Infrastructure.Crypto;
 using KeeperData.Infrastructure.Database.Setup;
 using KeeperData.Infrastructure.Messaging.Setup;
 using KeeperData.Infrastructure.Storage.Setup;
@@ -20,6 +21,8 @@ public static void ConfigureApi(this IServiceCollection services, IConfiguration
             services.AddMessagingDependencies(configuration);
 
             services.AddStorageDependencies(configuration);
+
+            services.AddCrypto(configuration);
         }
 
         private static void ConfigureHealthChecks(this IServiceCollection services)
diff --git a/src/KeeperData.Core/Crypto/IAesCryptoTransform.cs b/src/KeeperData.Core/Crypto/IAesCryptoTransform.cs
@@ -0,0 +1,30 @@
+namespace KeeperData.Core.Crypto;
+
+public delegate void ProgressCallback(int progressPercentage, string status);
+
+public interface IAesCryptoTransform
+{
+    Task EncryptFileAsync(string inputFilePath, string outputFilePath, string password, byte[] salt,
+        ProgressCallback? progressCallback = null, CancellationToken cancellationToken = default);
+
+    Task EncryptFileAsync(string inputFilePath, string outputFilePath, string password, string salt,
+        ProgressCallback? progressCallback = null, CancellationToken cancellationToken = default);
+
+    Task DecryptFileAsync(string inputFilePath, string outputFilePath, string password, byte[] salt,
+        ProgressCallback? progressCallback = null, CancellationToken cancellationToken = default);
+
+    Task DecryptFileAsync(string inputFilePath, string outputFilePath, string password, string salt,
+        ProgressCallback? progressCallback = null, CancellationToken cancellationToken = default);
+
+    Task EncryptStreamAsync(Stream inputStream, Stream outputStream, string password, byte[] salt,
+        long? totalBytes = null, ProgressCallback? progressCallback = null, CancellationToken cancellationToken = default);
+
+    Task EncryptStreamAsync(Stream inputStream, Stream outputStream, string password, string salt,
+        long? totalBytes = null, ProgressCallback? progressCallback = null, CancellationToken cancellationToken = default);
+
+    Task DecryptStreamAsync(Stream inputStream, Stream outputStream, string password, byte[] salt,
+        long? totalBytes = null, ProgressCallback? progressCallback = null, CancellationToken cancellationToken = default);
+
+    Task DecryptStreamAsync(Stream inputStream, Stream outputStream, string password, string salt,
+        long? totalBytes = null, ProgressCallback? progressCallback = null, CancellationToken cancellationToken = default);
+}
diff --git a/src/KeeperData.Infrastructure/Crypto/AesCryptoTransform.cs b/src/KeeperData.Infrastructure/Crypto/AesCryptoTransform.cs
@@ -0,0 +1,217 @@
+using KeeperData.Core.Crypto;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace KeeperData.Infrastructure.Crypto;
+
+public class AesCryptoTransform : IAesCryptoTransform
+{
+    private const int PbeKeySpecIterationsDefault = 32;
+    private const int PbeKeySpecKeyLenDefault = 256;
+    private const int BufferSize = 64 * 1024;
+    private const int ProgressReportInterval = 1;
+
+    public async Task EncryptFileAsync(string inputFilePath, string outputFilePath, string password, byte[] salt,
+        ProgressCallback? progressCallback = null, CancellationToken cancellationToken = default)
+    {
+        if (!File.Exists(inputFilePath))
+        {
+            throw new FileNotFoundException($"Input file not found: {inputFilePath}");
+        }
+
+        var fileInfo = new FileInfo(inputFilePath);
+        var totalBytes = fileInfo.Length;
+
+        using var inputStream = new FileStream(inputFilePath, FileMode.Open, FileAccess.Read);
+        using var outputStream = new FileStream(outputFilePath, FileMode.Create, FileAccess.Write);
+
+        await EncryptStreamAsync(inputStream, outputStream, password, salt, totalBytes, progressCallback, cancellationToken);
+    }
+
+    public async Task DecryptFileAsync(string inputFilePath,
+                                       string outputFilePath,
+                                       string password,
+                                       byte[] salt,
+                                       ProgressCallback? progressCallback = null,
+                                       CancellationToken cancellationToken = default)
+    {
+        if (!File.Exists(inputFilePath))
+        {
+            throw new FileNotFoundException($"Input file not found: {inputFilePath}");
+        }
+
+        var fileInfo = new FileInfo(inputFilePath);
+        var totalBytes = fileInfo.Length;
+
+        using var inputStream = new FileStream(inputFilePath, FileMode.Open, FileAccess.Read);
+        using var outputStream = new FileStream(outputFilePath, FileMode.Create, FileAccess.Write);
+
+        await DecryptStreamAsync(inputStream, outputStream, password, salt, totalBytes, progressCallback, cancellationToken);
+    }
+
+    public async Task EncryptStreamAsync(Stream inputStream,
+                                         Stream outputStream,
+                                         string password,
+                                         byte[] salt,
+                                         long? totalBytes = null,
+                                         ProgressCallback? progressCallback = null,
+                                         CancellationToken cancellationToken = default)
+    {
+        var key = DeriveKey(password, salt);
+
+        using var aes = Aes.Create();
+        aes.Key = key;
+        aes.Mode = CipherMode.ECB;
+        aes.Padding = PaddingMode.PKCS7;
+
+        using var encryptor = aes.CreateEncryptor();
+        using var cryptoStream = new CryptoStream(outputStream, encryptor, CryptoStreamMode.Write, leaveOpen: true);
+
+        await ProcessStreamAsync(inputStream, cryptoStream, totalBytes, progressCallback, "Encrypting", cancellationToken);
+
+        cryptoStream.FlushFinalBlock();
+    }
+
+    public async Task DecryptStreamAsync(Stream inputStream,
+                                         Stream outputStream,
+                                         string password,
+                                         byte[] salt,
+                                         long? totalBytes = null,
+                                         ProgressCallback? progressCallback = null,
+                                         CancellationToken cancellationToken = default)
+    {
+        var key = DeriveKey(password, salt);
+
+        using var aes = Aes.Create();
+        aes.Key = key;
+        aes.Mode = CipherMode.ECB;
+        aes.Padding = PaddingMode.PKCS7;
+
+        using var decryptor = aes.CreateDecryptor();
+        using var cryptoStream = new CryptoStream(inputStream, decryptor, CryptoStreamMode.Read, leaveOpen: true);
+
+        await ProcessStreamAsync(cryptoStream, outputStream, totalBytes, progressCallback, "Decrypting", cancellationToken);
+    }
+
+    public async Task EncryptFileAsync(string inputFilePath,
+                                       string outputFilePath,
+                                       string password,
+                                       string salt,
+                                       ProgressCallback? progressCallback = null,
+                                       CancellationToken cancellationToken = default)
+    {
+        var saltBytes = string.IsNullOrEmpty(salt) ? new byte[0] : Encoding.UTF8.GetBytes(salt);
+        await EncryptFileAsync(inputFilePath, outputFilePath, password, saltBytes, progressCallback, cancellationToken);
+    }
+
+    public async Task DecryptFileAsync(string inputFilePath,
+                                       string outputFilePath,
+                                       string password,
+                                       string salt,
+                                       ProgressCallback? progressCallback = null,
+                                       CancellationToken cancellationToken = default)
+    {
+        var saltBytes = string.IsNullOrEmpty(salt) ? new byte[0] : Encoding.UTF8.GetBytes(salt);
+        await DecryptFileAsync(inputFilePath, outputFilePath, password, saltBytes, progressCallback, cancellationToken);
+    }
+
+    public async Task EncryptStreamAsync(Stream inputStream,
+                                         Stream outputStream,
+                                         string password,
+                                         string salt,
+                                         long? totalBytes = null,
+                                         ProgressCallback? progressCallback = null,
+                                         CancellationToken cancellationToken = default)
+    {
+        var saltBytes = string.IsNullOrEmpty(salt) ? new byte[0] : Encoding.UTF8.GetBytes(salt);
+        await EncryptStreamAsync(inputStream, outputStream, password, saltBytes, totalBytes, progressCallback, cancellationToken);
+    }
+
+    public async Task DecryptStreamAsync(Stream inputStream,
+                                         Stream outputStream,
+                                         string password,
+                                         string salt,
+                                         long? totalBytes = null,
+                                         ProgressCallback? progressCallback = null,
+                                         CancellationToken cancellationToken = default)
+    {
+        var saltBytes = string.IsNullOrEmpty(salt) ? new byte[0] : Encoding.UTF8.GetBytes(salt);
+        await DecryptStreamAsync(inputStream, outputStream, password, saltBytes, totalBytes, progressCallback, cancellationToken);
+    }
+
+    private static byte[] DeriveKey(string password, byte[] salt)
+    {
+        var actualSalt = salt;
+        if (salt.Length == 0)
+        {
+            actualSalt = new byte[8];
+        }
+        else if (salt.Length < 8)
+        {
+            actualSalt = new byte[8];
+            Array.Copy(salt, actualSalt, salt.Length);
+        }
+
+        using var pbkdf2 = new Rfc2898DeriveBytes(password, actualSalt, PbeKeySpecIterationsDefault, HashAlgorithmName.SHA1);
+        return pbkdf2.GetBytes(PbeKeySpecKeyLenDefault / 8);
+    }
+
+    private static async Task ProcessStreamAsync(Stream inputStream,
+                                                 Stream outputStream,
+                                                 long? totalBytes,
+                                                 ProgressCallback? progressCallback,
+                                                 string operation,
+                                                 CancellationToken cancellationToken = default)
+    {
+        var buffer = new byte[BufferSize];
+        long totalBytesProcessed = 0;
+        var lastReportedProgress = -1;
+
+        progressCallback?.Invoke(0, $"{operation} started");
+
+        int bytesRead;
+        while ((bytesRead = await inputStream.ReadAsync(buffer, cancellationToken)) > 0)
+        {
+            await outputStream.WriteAsync(buffer.AsMemory(0, bytesRead), cancellationToken);
+            totalBytesProcessed += bytesRead;
+
+            if (totalBytes.HasValue && totalBytes.Value > 0 && progressCallback != null)
+            {
+                var progressPercentage = (int)(totalBytesProcessed * 100 / totalBytes.Value);
+
+                if (progressPercentage != lastReportedProgress && progressPercentage % ProgressReportInterval == 0)
+                {
+                    progressCallback.Invoke(progressPercentage,
+                        $"{operation} {progressPercentage}% - {FormatBytes(totalBytesProcessed)} of {FormatBytes(totalBytes.Value)}");
+                    lastReportedProgress = progressPercentage;
+                }
+            }
+            else if (progressCallback != null)
+            {
+                progressCallback.Invoke(0, $"{operation} - {FormatBytes(totalBytesProcessed)} processed");
+            }
+        }
+
+        if (outputStream is not CryptoStream)
+        {
+            await outputStream.FlushAsync(cancellationToken);
+        }
+
+        progressCallback?.Invoke(100, $"{operation} completed - {FormatBytes(totalBytesProcessed)} processed");
+    }
+
+    private static string FormatBytes(long bytes)
+    {
+        const long kb = 1024;
+        const long mb = kb * 1024;
+        const long gb = mb * 1024;
+
+        return bytes switch
+        {
+            >= gb => $"{bytes / (double)gb:F2} GB",
+            >= mb => $"{bytes / (double)mb:F2} MB",
+            >= kb => $"{bytes / (double)kb:F2} KB",
+            _ => $"{bytes} bytes"
+        };
+    }
+}
diff --git a/src/KeeperData.Infrastructure/Crypto/PasswordSaltService.cs b/src/KeeperData.Infrastructure/Crypto/PasswordSaltService.cs
@@ -102,15 +102,6 @@ private string GeneratePassword(FileNameComponents components)
 
         var password = $"{part1}_{part2}";
 
-        if (!string.IsNullOrEmpty(components.AfterDate))
-        {
-            var afterDateParts = components.AfterDate.Split('_');
-            Array.Reverse(afterDateParts);
-            password += "_" + string.Join("_", afterDateParts);
-        }
-
-        password += components.FileExtension;
-
         return password;
     }
 
diff --git a/src/KeeperData.Infrastructure/Crypto/ServiceCollectionExtensions.cs b/src/KeeperData.Infrastructure/Crypto/ServiceCollectionExtensions.cs
@@ -0,0 +1,19 @@
+using KeeperData.Core.Crypto;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using System.Diagnostics.CodeAnalysis;
+
+namespace KeeperData.Infrastructure.Crypto;
+
+[ExcludeFromCodeCoverage]
+public static class ServiceCollectionExtensions
+{
+    public static void AddCrypto(this IServiceCollection services, IConfiguration configuration)
+    {
+        services.TryAddSingleton(TimeProvider.System);
+        services.TryAddSingleton<IPasswordSaltService, PasswordSaltService>();
+        services.TryAddSingleton<IAesCryptoTransform, AesCryptoTransform>();
+    }
+
+}
diff --git a/tests/KeeperData.Infrastructure.Tests.Unit/Crypto/AesCryptoTransformTests.cs b/tests/KeeperData.Infrastructure.Tests.Unit/Crypto/AesCryptoTransformTests.cs
diff --git a/tests/KeeperData.Infrastructure.Tests.Unit/Crypto/PasswordSaltServiceTests.cs b/tests/KeeperData.Infrastructure.Tests.Unit/Crypto/PasswordSaltServiceTests.cs
