fix: salting the hash, subject attributes type (#178)

typotter · web-flow · commit 9a64d7d80c74 · 2024-12-12T14:48:29.000-07:00
* fix salting and hashing
* tests for salt
* Context attributes only in the Configuration Wire
diff --git a/src/client/eppo-client.spec.ts b/src/client/eppo-client.spec.ts
@@ -246,11 +246,7 @@ describe('EppoClient E2E test', () => {
 
     it('obfuscates assignments', () => {
       // Use a known salt to produce deterministic hashes
-      setSaltOverrideForTests({
-        base64String: 'BzURTg==',
-        saltString: '0735114e',
-        bytes: new Uint8Array([7, 53, 17, 78]),
-      });
+      setSaltOverrideForTests(new Uint8Array([7, 53, 17, 78]));
 
       const encodedPrecomputedWire = client.getPrecomputedAssignments('subject', {}, true);
       const { precomputed } = JSON.parse(encodedPrecomputedWire) as IConfigurationWire;
@@ -263,23 +259,23 @@ describe('EppoClient E2E test', () => {
       expect(precomputedResponse.salt).toEqual('BzURTg==');
 
       const precomputedFlags = precomputedResponse?.flags ?? {};
-      expect(Object.keys(precomputedFlags)).toContain('ddc24ede545855b9bbae82cfec6a83a1'); // flagKey, md5 hashed
-      expect(Object.keys(precomputedFlags)).toContain('2b439e5a0104d62400dc44c34230f6f2'); // 'anotherFlag', md5 hashed
+      expect(Object.keys(precomputedFlags)).toContain('34863af2a6019c80e054c6997241b3d5'); // flagKey, md5 hashed
+      expect(Object.keys(precomputedFlags)).toContain('076aaf100f76cb2f93205dc6cd05f756'); // 'anotherFlag', md5 hashed
 
       const decodedFirstFlag = decodePrecomputedFlag(
-        precomputedFlags['ddc24ede545855b9bbae82cfec6a83a1'],
+        precomputedFlags['34863af2a6019c80e054c6997241b3d5'],
       );
-      expect(decodedFirstFlag.flagKey).toEqual('ddc24ede545855b9bbae82cfec6a83a1');
+      expect(decodedFirstFlag.flagKey).toEqual('34863af2a6019c80e054c6997241b3d5');
       expect(decodedFirstFlag.variationType).toEqual(VariationType.STRING);
       expect(decodedFirstFlag.variationKey).toEqual('a');
       expect(decodedFirstFlag.variationValue).toEqual('variation-a');
       expect(decodedFirstFlag.doLog).toEqual(true);
       expect(decodedFirstFlag.extraLogging).toEqual({});
 
       const decodedSecondFlag = decodePrecomputedFlag(
-        precomputedFlags['2b439e5a0104d62400dc44c34230f6f2'],
+        precomputedFlags['076aaf100f76cb2f93205dc6cd05f756'],
       );
-      expect(decodedSecondFlag.flagKey).toEqual('2b439e5a0104d62400dc44c34230f6f2');
+      expect(decodedSecondFlag.flagKey).toEqual('076aaf100f76cb2f93205dc6cd05f756');
       expect(decodedSecondFlag.variationType).toEqual(VariationType.STRING);
       expect(decodedSecondFlag.variationKey).toEqual('b');
       expect(decodedSecondFlag.variationValue).toEqual('variation-b');
diff --git a/src/client/eppo-client.ts b/src/client/eppo-client.ts
@@ -939,23 +939,26 @@ export default class EppoClient {
    */
   getPrecomputedAssignments(
     subjectKey: string,
-    subjectAttributes: Attributes = {},
+    subjectAttributes: Attributes | ContextAttributes = {},
     obfuscated = false,
   ): string {
     const configDetails = this.getConfigDetails();
-    const flags = this.getAllAssignments(subjectKey, subjectAttributes);
+
+    const subjectContextualAttributes = this.ensureContextualSubjectAttributes(subjectAttributes);
+    const subjectFlatAttributes = this.ensureNonContextualSubjectAttributes(subjectAttributes);
+    const flags = this.getAllAssignments(subjectKey, subjectFlatAttributes);
 
     const precomputedConfig: IPrecomputedConfiguration = obfuscated
       ? new ObfuscatedPrecomputedConfiguration(
           subjectKey,
           flags,
-          subjectAttributes,
+          subjectContextualAttributes,
           configDetails.configEnvironment,
         )
       : new PrecomputedConfiguration(
           subjectKey,
           flags,
-          subjectAttributes,
+          subjectContextualAttributes,
           configDetails.configEnvironment,
         );
 
diff --git a/src/configuration.ts b/src/configuration.ts
@@ -1,6 +1,6 @@
 import { Environment, FormatEnum, PrecomputedFlag } from './interfaces';
-import { generateSalt, obfuscatePrecomputedFlags, Salt } from './obfuscation';
-import { Attributes, ContextAttributes } from './types';
+import { generateSalt, obfuscatePrecomputedFlags, ISalt } from './obfuscation';
+import { ContextAttributes } from './types';
 
 export interface IPrecomputedConfigurationResponse {
   // `format` is always `PRECOMPUTED`
@@ -19,7 +19,7 @@ export interface IPrecomputedConfiguration {
   readonly response: string;
   readonly subjectKey: string;
   // Optional in case server does not want to expose attributes to a client.
-  readonly subjectAttributes?: Attributes | ContextAttributes;
+  readonly subjectAttributes?: ContextAttributes;
 }
 
 export class PrecomputedConfiguration implements IPrecomputedConfiguration {
@@ -29,7 +29,7 @@ export class PrecomputedConfiguration implements IPrecomputedConfiguration {
   constructor(
     readonly subjectKey: string,
     flags: Record<string, PrecomputedFlag>,
-    readonly subjectAttributes?: Attributes | ContextAttributes,
+    readonly subjectAttributes?: ContextAttributes,
     environment?: Environment,
   ) {
     const precomputedResponse: IPrecomputedConfigurationResponse = {
@@ -47,12 +47,12 @@ export class PrecomputedConfiguration implements IPrecomputedConfiguration {
 export class ObfuscatedPrecomputedConfiguration implements IPrecomputedConfiguration {
   readonly format = FormatEnum.PRECOMPUTED;
   readonly response: string;
-  private saltBase: Salt;
+  private saltBase: ISalt;
 
   constructor(
     readonly subjectKey: string,
     flags: Record<string, PrecomputedFlag>,
-    readonly subjectAttributes?: Attributes | ContextAttributes,
+    readonly subjectAttributes?: ContextAttributes,
     environment?: Environment,
   ) {
     this.saltBase = generateSalt();
diff --git a/src/obfuscation.spec.ts b/src/obfuscation.spec.ts
@@ -1,4 +1,4 @@
-import { decodeBase64, encodeBase64 } from './obfuscation';
+import { decodeBase64, encodeBase64, Salt } from './obfuscation';
 
 describe('obfuscation', () => {
   it('encodes strings to base64', () => {
@@ -16,4 +16,14 @@ describe('obfuscation', () => {
       expect(decodeBase64(encodeBase64(regex))).toEqual(regex);
     });
   });
+
+  describe('salt', () => {
+    it('converts from bytes to string and base64 string', () => {
+      const chars = new Uint8Array([101, 112, 112, 111]); // eppo
+      const eppoSalt = new Salt(chars);
+
+      expect(eppoSalt.saltString).toEqual('eppo');
+      expect(eppoSalt.base64String).toEqual('ZXBwbw==');
+    });
+  });
 });
diff --git a/src/obfuscation.ts b/src/obfuscation.ts
@@ -3,12 +3,8 @@ import * as SparkMD5 from 'spark-md5';
 
 import { PrecomputedFlag } from './interfaces';
 
-export function getMD5Hash(input: string): string {
-  return SparkMD5.hash(input);
-}
-
-function saltedHasher(salt: string) {
-  return (input: string) => getMD5Hash(salt + input);
+export function getMD5Hash(input: string, salt = ''): string {
+  return new SparkMD5().append(salt).append(input).end();
 }
 
 export function encodeBase64(input: string) {
@@ -24,7 +20,6 @@ export function obfuscatePrecomputedFlags(
   precomputedFlags: Record<string, PrecomputedFlag>,
 ): Record<string, PrecomputedFlag> {
   const response: Record<string, PrecomputedFlag> = {};
-  const hash = saltedHasher(salt);
 
   Object.keys(precomputedFlags).map((flagKey) => {
     const assignment = precomputedFlags[flagKey];
@@ -34,7 +29,7 @@ export function obfuscatePrecomputedFlags(
       Object.entries(assignment.extraLogging).map((kvArr) => kvArr.map(encodeBase64)),
     );
 
-    const hashedKey = hash(flagKey);
+    const hashedKey = getMD5Hash(flagKey, salt);
     response[hashedKey] = {
       flagKey: hashedKey,
       variationType: assignment.variationType,
@@ -48,30 +43,29 @@ export function obfuscatePrecomputedFlags(
   return response;
 }
 
-export interface Salt {
+export interface ISalt {
   saltString: string;
   base64String: string;
   bytes: Uint8Array;
 }
 
-let _saltOverride: Salt | null = null;
-export function setSaltOverrideForTests(salt: Salt | null) {
-  _saltOverride = salt;
+export class Salt implements ISalt {
+  public readonly saltString: string;
+  public readonly base64String: string;
+  constructor(public readonly bytes: Uint8Array) {
+    this.saltString = String.fromCharCode(...bytes);
+    this.base64String = encodeBase64(this.saltString);
+  }
+}
+
+let _saltOverride: ISalt | null = null;
+export function setSaltOverrideForTests(salt: Uint8Array | null) {
+  _saltOverride = salt ? new Salt(salt) : null;
 }
 
-export function generateSalt(length = 16): Salt {
+export function generateSalt(length = 16): ISalt {
   if (_saltOverride) return _saltOverride;
   const array = new Uint8Array(length);
   crypto.getRandomValues(array);
-
-  const saltString = Array.from(array)
-    .map((byte) => byte.toString(16).padStart(2, '0'))
-    .join('');
-  const base64String = encodeBase64(String.fromCharCode(...array));
-
-  return {
-    saltString,
-    base64String,
-    bytes: array,
-  };
+  return new Salt(array);
 }
