use central redis cache for IAM

Author: devksingh4

src/api/functions/apiKey.ts

@@ -7,8 +7,7 @@ import {
   DynamoDBClient,
   GetItemCommand,
 } from "@aws-sdk/client-dynamodb";
-import { genericConfig } from "common/config.js";
-import { AUTH_DECISION_CACHE_SECONDS as API_KEY_DATA_CACHE_SECONDS } from "./authorization.js";
+import { genericConfig, GENERIC_CACHE_SECONDS } from "common/config.js";
 import { unmarshall } from "@aws-sdk/util-dynamodb";
 import { ApiKeyMaskedEntry, DecomposedApiKey } from "common/types/apiKey.js";
 import { AvailableAuthorizationPolicy } from "common/policies/definition.js";
@@ -105,7 +104,7 @@ export const getApiKeyData = async ({
   });
   const result = await dynamoClient.send(getCommand);
   if (!result || !result.Item) {
-    nodeCache.set(cacheKey, null, API_KEY_DATA_CACHE_SECONDS);
+    nodeCache.set(cacheKey, null, GENERIC_CACHE_SECONDS);
     return undefined;
   }
   const unmarshalled = unmarshall(result.Item) as ApiKeyDynamoEntry;
@@ -124,7 +123,7 @@ export const getApiKeyData = async ({
   if (!("keyHash" in unmarshalled)) {
     return undefined; // bad data, don't cache it
   }
-  let cacheTime = API_KEY_DATA_CACHE_SECONDS;
+  let cacheTime = GENERIC_CACHE_SECONDS;
   if (unmarshalled.expiresAt) {
     const currentEpoch = Date.now();
     cacheTime = min(cacheTime, unmarshalled.expiresAt - currentEpoch);

src/api/functions/authorization.ts

@@ -3,9 +3,6 @@ import { unmarshall } from "@aws-sdk/util-dynamodb";
 import { genericConfig } from "../../common/config.js";
 import { DatabaseFetchError } from "../../common/errors/index.js";
 import { allAppRoles, AppRoles } from "../../common/roles.js";
-import { FastifyInstance } from "fastify";
-
-export const AUTH_DECISION_CACHE_SECONDS = 180;
 
 export async function getUserRoles(
   dynamoClient: DynamoDBClient,

src/api/functions/encryption.ts

@@ -0,0 +1,77 @@
+import { DecryptionError } from "common/errors/index.js";
+import crypto, { createDecipheriv, pbkdf2Sync } from "node:crypto";
+
+const VALID_PREFIX = "VALID:";
+const ITERATIONS = 100000;
+const KEY_LEN = 32;
+const ALGORITHM = "aes-256-gcm";
+const HASH_FUNCTION = "sha512";
+
+export function encrypt({
+  plaintext,
+  encryptionSecret,
+}: {
+  plaintext: string;
+  encryptionSecret: string;
+}) {
+  const salt = crypto.randomBytes(16);
+  const iv = crypto.randomBytes(12);
+  const key = crypto.pbkdf2Sync(
+    encryptionSecret,
+    salt,
+    ITERATIONS,
+    KEY_LEN,
+    HASH_FUNCTION,
+  );
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(`${VALID_PREFIX}${plaintext}`, "utf8"),
+    cipher.final(),
+  ]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([salt, iv, tag, encrypted]).toString("hex");
+}
+
+export function decrypt({
+  cipherText,
+  encryptionSecret,
+}: {
+  cipherText: string;
+  encryptionSecret: string;
+}): string {
+  const data = Buffer.from(cipherText, "hex");
+  const salt = data.subarray(0, 16);
+  const iv = data.subarray(16, 28);
+  const tag = data.subarray(28, 44);
+  const encryptedText = data.subarray(44);
+
+  const key = pbkdf2Sync(
+    encryptionSecret,
+    salt,
+    ITERATIONS,
+    KEY_LEN,
+    HASH_FUNCTION,
+  );
+  let decipher, decryptedBuffer;
+  try {
+    decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(tag);
+    decryptedBuffer = Buffer.concat([
+      decipher.update(encryptedText),
+      decipher.final(),
+    ]);
+  } catch (e) {
+    throw new DecryptionError({
+      message:
+        "Could not decrypt data (check that the encryption secret is correct).",
+    });
+  }
+
+  const candidate = decryptedBuffer.toString("utf8");
+  if (candidate.substring(0, VALID_PREFIX.length) !== VALID_PREFIX) {
+    throw new DecryptionError({
+      message: "Encrypted data is corrupted.",
+    });
+  }
+  return candidate.substring(VALID_PREFIX.length, candidate.length);
+}

src/api/functions/redisCache.ts

@@ -1,34 +1,65 @@
-import { type Redis } from "ioredis";
+import { DecryptionError } from "common/errors/index.js";
+import type RedisModule from "ioredis";
+import { z } from "zod";
+import { decrypt, encrypt } from "./encryption.js";
 
-export async function getRedisKey<T>({
+export type GetFromCacheInput = {
+  redisClient: RedisModule.default;
+  key: string;
+  encryptionSecret?: string;
+};
+
+export type SetInCacheInput = {
+  redisClient: RedisModule.default;
+  key: string;
+  data: string;
+  expiresIn?: number;
+  encryptionSecret?: string;
+};
+
+const redisEntrySchema = z.object({
+  isEncrypted: z.boolean(),
+  data: z.string(),
+});
+
+export async function getKey<T extends object>({
   redisClient,
   key,
-  parseJson = false,
-}: {
-  redisClient: Redis;
-  key: string;
-  parseJson?: boolean;
-}) {
-  const resp = await redisClient.get(key);
-  if (!resp) {
+  encryptionSecret,
+}: GetFromCacheInput): Promise<T | null> {
+  const data = await redisClient.get(key);
+  if (!data) {
     return null;
   }
-  return parseJson ? (JSON.parse(resp) as T) : (resp as string);
+  const decoded = await redisEntrySchema.parseAsync(JSON.parse(data));
+  if (!decoded.isEncrypted) {
+    return JSON.parse(decoded.data) as T;
+  }
+  if (!encryptionSecret) {
+    throw new DecryptionError({
+      message: "Encrypted data found but no decryption key provided.",
+    });
+  }
+  const decryptedData = decrypt({ cipherText: decoded.data, encryptionSecret });
+  return JSON.parse(decryptedData) as T;
 }
 
-export async function setRedisKey({
+export async function setKey({
   redisClient,
   key,
-  value,
-  expiresSec,
-}: {
-  redisClient: Redis;
-  key: string;
-  value: string;
-  expiresSec?: number;
-}) {
-  if (expiresSec) {
-    return await redisClient.set(key, value, "EX", expiresSec);
-  }
-  return await redisClient.set(key, value);
+  encryptionSecret,
+  data,
+  expiresIn,
+}: SetInCacheInput) {
+  const realData = encryptionSecret
+    ? encrypt({ plaintext: data, encryptionSecret })
+    : data;
+  const redisPayload: z.infer<typeof redisEntrySchema> = {
+    isEncrypted: !!encryptionSecret,
+    data: realData,
+  };
+  const strRedisPayload = JSON.stringify(redisPayload);
+  return expiresIn
+    ? await redisClient.set(key, strRedisPayload, "EX", expiresIn)
+    : await redisClient.set(key, strRedisPayload);
 }

src/api/plugins/auth.ts

@@ -13,13 +13,14 @@ import {
   UnauthenticatedError,
   UnauthorizedError,
 } from "../../common/errors/index.js";
-import { SecretConfig, SecretTesting } from "../../common/config.js";
 import {
-  AUTH_DECISION_CACHE_SECONDS,
-  getGroupRoles,
-  getUserRoles,
-} from "../functions/authorization.js";
+  SecretConfig,
+  SecretTesting,
+  GENERIC_CACHE_SECONDS,
+} from "../../common/config.js";
+import { getGroupRoles, getUserRoles } from "../functions/authorization.js";
 import { getApiKeyData, getApiKeyParts } from "api/functions/apiKey.js";
+import { getKey, setKey } from "api/functions/redisCache.js";
 
 export function intersection<T>(setA: Set<T>, setB: Set<T>): Set<T> {
   const _intersection = new Set<T>();
@@ -155,6 +156,8 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
       validRoles: AppRoles[],
       disableApiKeyAuth: boolean,
     ): Promise<Set<AppRoles>> => {
+      const { redisClient } = fastify;
+      const encryptionSecret = fastify.secretConfig.encryption_key;
       const startTime = new Date().getTime();
       try {
         if (!disableApiKeyAuth) {
@@ -225,11 +228,13 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
             header: decoded?.header,
             audience: `api://${AadClientId}`,
           };
-          const cachedJwksSigningKey = await fastify.redisClient.get(
-            `jwksKey:${header.kid}`,
-          );
+          const { redisClient } = fastify;
+          const cachedJwksSigningKey = await getKey<{ key: string }>({
+            redisClient,
+            key: `jwksKey:${header.kid}`,
+          });
           if (cachedJwksSigningKey) {
-            signingKey = cachedJwksSigningKey;
+            signingKey = cachedJwksSigningKey.key;
             request.log.debug("Got JWKS signing key from cache.");
           } else {
             const client = jwksClient({
@@ -239,12 +244,12 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
             signingKey = (
               await client.getSigningKey(header.kid)
             ).getPublicKey();
-            await fastify.redisClient.set(
-              `jwksKey:${header.kid}`,
-              signingKey,
-              "EX",
-              JWKS_CACHE_SECONDS,
-            );
+            await setKey({
+              redisClient,
+              key: `jwksKey:${header.kid}`,
+              data: JSON.stringify({ key: signingKey }),
+              expiresIn: JWKS_CACHE_SECONDS,
+            });
             request.log.debug("Got JWKS signing key from server.");
           }
         }
@@ -263,11 +268,12 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
           verifiedTokenData.upn?.replace("acm.illinois.edu", "illinois.edu") ||
           verifiedTokenData.sub;
         const expectedRoles = new Set(validRoles);
-        const cachedRoles = await fastify.redisClient.get(
-          `authCache:${request.username}:roles`,
-        );
+        const cachedRoles = await getKey<string[]>({
+          key: `authCache:${request.username}:roles`,
+          redisClient,
+        });
         if (cachedRoles) {
-          request.userRoles = new Set(JSON.parse(cachedRoles));
+          request.userRoles = new Set(cachedRoles as AppRoles[]);
           request.log.debug("Retrieved user roles from cache.");
         } else {
           const userRoles = new Set([] as AppRoles[]);
@@ -317,12 +323,12 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
             }
           }
           request.userRoles = userRoles;
-          fastify.redisClient.set(
-            `authCache:${request.username}:roles`,
-            JSON.stringify([...userRoles]),
-            "EX",
-            AUTH_DECISION_CACHE_SECONDS,
-          );
+          setKey({
+            key: `authCache:${request.username}:roles`,
+            data: JSON.stringify([...userRoles]),
+            redisClient,
+            expiresIn: GENERIC_CACHE_SECONDS,
+          });
           request.log.debug("Retrieved user roles from database.");
         }
         if (

src/api/routes/iam.ts

@@ -32,22 +32,18 @@ import {
   EntraGroupActions,
   entraProfilePatchRequest,
 } from "../../common/types/iam.js";
-import {
-  AUTH_DECISION_CACHE_SECONDS,
-  getGroupRoles,
-} from "../functions/authorization.js";
+import { getGroupRoles } from "../functions/authorization.js";
 import { getRoleCredentials } from "api/functions/sts.js";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
 import { createAuditLogEntry } from "api/functions/auditLog.js";
 import { Modules } from "common/modules.js";
 import { groupId, withRoles, withTags } from "api/components/index.js";
 import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
 import { z } from "zod";
-import { AvailableSQSFunctions, SQSPayload } from "common/types/sqsMessage.js";
+import { AvailableSQSFunctions } from "common/types/sqsMessage.js";
 import { SendMessageBatchCommand, SQSClient } from "@aws-sdk/client-sqs";
-import { v4 as uuidv4 } from "uuid";
 import { randomUUID } from "crypto";
-import { getRedisKey, setRedisKey } from "api/functions/redisCache.js";
+import { getKey, setKey } from "api/functions/redisCache.js";
 
 const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
   const getAuthorizedClients = async () => {
@@ -186,7 +182,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
         fastify.nodeCache.set(
           `grouproles-${groupId}`,
           request.body.roles,
-          AUTH_DECISION_CACHE_SECONDS,
+          GENERIC_CACHE_SECONDS,
         );
       } catch (e: unknown) {
         fastify.nodeCache.del(`grouproles-${groupId}`);
@@ -584,9 +580,9 @@ No action is required from you at this time.
       );
       const { redisClient } = fastify;
       const key = `entra_manageable_groups_${fastify.environmentConfig.EntraServicePrincipalId}`;
-      const redisResponse = await getRedisKey<
-        { displayName: string; id: string }[]
-      >({ redisClient, key, parseJson: true });
+      const redisResponse = await getKey<{ displayName: string; id: string }[]>(
+        { redisClient, key },
+      );
       if (redisResponse) {
         request.log.debug("Got manageable groups from Redis cache.");
         return reply.status(200).send(redisResponse);
@@ -605,11 +601,11 @@ No action is required from you at this time.
       request.log.debug(
         "Got manageable groups from Entra ID, setting to cache.",
       );
-      await setRedisKey({
+      await setKey({
         redisClient,
         key,
-        value: JSON.stringify(freshData),
-        expiresSec: GENERIC_CACHE_SECONDS,
+        data: JSON.stringify(freshData),
+        expiresIn: GENERIC_CACHE_SECONDS,
       });
       return reply.status(200).send(freshData);
     },

src/common/config.ts

@@ -8,7 +8,7 @@ type ValueOrArray<T> = T | ArrayOfValueOrArray<T>;
 
 type AzureRoleMapping = Record<string, readonly AppRoles[]>;
 
-export const GENERIC_CACHE_SECONDS = 120;
+export const GENERIC_CACHE_SECONDS = 300;
 
 export type ConfigType = {
   UserFacingUrl: string;
@@ -159,6 +159,7 @@ export type SecretConfig = {
   stripe_endpoint_secret: string;
   stripe_links_endpoint_secret: string;
   redis_url: string;
+  encryption_key: string;
 };
 
 export type SecretTesting = {