feat: encryption key revision includes environment

Author: johnb8

app-config-encryption/src/encryption.test.ts

@@ -22,6 +22,7 @@ import {
   loadTeamMembers,
   trustTeamMember,
   untrustTeamMember,
+  getRevisionNumber,
 } from './encryption';
 
 describe('User Keys', () => {
@@ -185,33 +186,33 @@ const createKey = async () => {
 
 describe('Symmetric Keys', () => {
   it('generates a plain symmetric key', async () => {
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
 
-    expect(symmetricKey.revision).toBe(1);
+    expect(symmetricKey.revision).toBe('1');
     expect(symmetricKey.key).toBeInstanceOf(Uint8Array);
     expect(symmetricKey.key.length).toBeGreaterThan(2048);
   });
 
   it('encrypts and decrypts a symmetric key', async () => {
     const privateKey = await createKey();
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
     const encryptedKey = await encryptSymmetricKey(symmetricKey, [privateKey]);
 
-    expect(encryptedKey.revision).toBe(1);
+    expect(encryptedKey.revision).toBe('1');
     expect(typeof encryptedKey.key).toBe('string');
     expect(encryptedKey.key.length).toBeGreaterThan(0);
 
     const decryptedKey = await decryptSymmetricKey(encryptedKey, privateKey);
 
-    expect(decryptedKey.revision).toBe(1);
+    expect(decryptedKey.revision).toBe('1');
     expect(decryptedKey.key).toEqual(symmetricKey.key);
   });
 
   it('cannot decrypt a symmetric key that was created by someone else', async () => {
     const privateKey = await createKey();
     const someoneElsesKey = await createKey();
 
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
     const encryptedKey = await encryptSymmetricKey(symmetricKey, [someoneElsesKey]);
 
     await expect(decryptSymmetricKey(encryptedKey, privateKey)).rejects.toThrow();
@@ -221,7 +222,7 @@ describe('Symmetric Keys', () => {
     const privateKey = await createKey();
     const someoneElsesKey = await createKey();
 
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
     const encryptedKey = await encryptSymmetricKey(symmetricKey, [privateKey, someoneElsesKey]);
 
     await expect(decryptSymmetricKey(encryptedKey, privateKey)).resolves.toEqual(symmetricKey);
@@ -232,7 +233,7 @@ describe('Symmetric Keys', () => {
     const privateKey = await createKey();
     const someoneElsesKey = await createKey();
 
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
     const encryptedKey = await encryptSymmetricKey(symmetricKey, [privateKey]);
     const decryptedKey = await decryptSymmetricKey(encryptedKey, privateKey);
     const encryptedKey2 = await encryptSymmetricKey(decryptedKey, [privateKey, someoneElsesKey]);
@@ -244,7 +245,7 @@ describe('Symmetric Keys', () => {
 
   it('validates encoded revision number in keys', async () => {
     const privateKey = await createKey();
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
     const encryptedKey = await encryptSymmetricKey(symmetricKey, [privateKey]);
 
     // really go out of our way to mess with the key - this usually results in integrity check failures either way
@@ -261,7 +262,7 @@ describe('Value Encryption', () => {
     const values = ['hello world', 42.42, null, true, { message: 'hello world', nested: {} }];
 
     for (const value of values) {
-      const symmetricKey = await generateSymmetricKey(1);
+      const symmetricKey = await generateSymmetricKey('1');
       const encrypted = await encryptValue(value, symmetricKey);
       const decrypted = await decryptValue(encrypted, symmetricKey);
 
@@ -273,8 +274,8 @@ describe('Value Encryption', () => {
 
   it('cannot decrypt a value with the wrong key', async () => {
     const value = 'hello world';
-    const symmetricKey = await generateSymmetricKey(1);
-    const wrongKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
+    const wrongKey = await generateSymmetricKey('1');
     const encrypted = await encryptValue(value, symmetricKey);
 
     await expect(decryptValue(encrypted, wrongKey)).rejects.toThrow();
@@ -377,8 +378,11 @@ describe('E2E Encrypted Repo', () => {
 
       // just for test coverage, create a new symmetric key
       const latestSymmetricKey = await loadLatestSymmetricKey(privateKey);
+
+      const newRevisionNumber = getRevisionNumber(latestSymmetricKey.revision) + 1;
+
       await saveNewSymmetricKey(
-        await generateSymmetricKey(latestSymmetricKey.revision + 1),
+        await generateSymmetricKey(newRevisionNumber.toString()),
         await loadTeamMembers(),
       );
 

app-config-encryption/src/encryption.ts

@@ -293,11 +293,11 @@ export async function loadPublicKeyLazy(environmentOptions?: EnvironmentOptions)
 export { EncryptedSymmetricKey };
 
 export interface DecryptedSymmetricKey {
-  revision: number;
+  revision: string;
   key: Uint8Array;
 }
 
-export async function generateSymmetricKey(revision: number): Promise<DecryptedSymmetricKey> {
+export async function generateSymmetricKey(revision: string): Promise<DecryptedSymmetricKey> {
   // eslint-disable-next-line @typescript-eslint/await-thenable
   const rawPassword = await crypto.random.getRandomBytes(2048);
   const passwordWithRevision = encodeRevisionInPassword(rawPassword, revision);
@@ -372,7 +372,7 @@ export async function loadSymmetricKeys(
 }
 
 export async function loadSymmetricKey(
-  revision: number,
+  revision: string,
   privateKey: Key,
   lazyMeta = true,
   environmentOptions?: EnvironmentOptions,
@@ -387,10 +387,10 @@ export async function loadSymmetricKey(
   return decryptSymmetricKey(symmetricKey, privateKey);
 }
 
-const symmetricKeys = new Map<number, Promise<DecryptedSymmetricKey>>();
+const symmetricKeys = new Map<string, Promise<DecryptedSymmetricKey>>();
 
 export async function loadSymmetricKeyLazy(
-  revision: number,
+  revision: string,
   privateKey: Key,
   environmentOptions?: EnvironmentOptions,
 ): Promise<DecryptedSymmetricKey> {
@@ -493,16 +493,8 @@ export async function decryptValue(
   if (symmetricKeyOverride) {
     symmetricKey = symmetricKeyOverride;
   } else {
-    const revisionNumber = parseFloat(revision);
-
-    if (Number.isNaN(revisionNumber)) {
-      throw new AppConfigError(
-        `Encrypted value was invalid, revision was not a number (${revision})`,
-      );
-    }
-
     symmetricKey = await loadSymmetricKeyLazy(
-      revisionNumber,
+      revision,
       await loadPrivateKeyLazy(environmentOptions),
       environmentOptions,
     );
@@ -583,6 +575,7 @@ export async function trustTeamMember(
     await loadSymmetricKeys(true, environmentOptions),
     newTeamMembers,
     privateKey,
+    environmentOptions,
   );
 
   await saveNewMetaFile((meta) => ({
@@ -606,6 +599,8 @@ export async function untrustTeamMember(
   privateKey: Key,
   environmentOptions?: EnvironmentOptions,
 ) {
+  const environment = currentEnvironment(environmentOptions);
+
   const teamMembers = await loadTeamMembers(environmentOptions);
 
   const removalCandidates = new Set<Key>();
@@ -660,10 +655,22 @@ export async function untrustTeamMember(
     await loadSymmetricKeys(true, environmentOptions),
     newTeamMembers,
     privateKey,
+    environmentOptions,
   );
 
+  const latestRevision = latestSymmetricKeyRevision(newEncryptionKeys);
+  const newRevisionNumber = getRevisionNumber(latestRevision) + 1;
+
+  let newRevision;
+
+  if (environment) {
+    newRevision = `${environment}-${newRevisionNumber}`;
+  } else {
+    newRevision = `${newRevisionNumber}`;
+  }
+
   const newLatestEncryptionKey = await encryptSymmetricKey(
-    await generateSymmetricKey(latestSymmetricKeyRevision(newEncryptionKeys) + 1),
+    await generateSymmetricKey(newRevision),
     newTeamMembers,
   );
 
@@ -685,10 +692,32 @@ export async function untrustTeamMember(
   }));
 }
 
+export function getRevisionNumber(revision: string) {
+  const regex = /^(?:\w*-)?(?<revisionNumber>\d*)$/;
+
+  const match = regex.exec(revision)?.groups?.revisionNumber;
+
+  if (!match) {
+    throw new AppConfigError(
+      `Encryption revision is invalid. Got "${revision}" but expected a number or <Environment Name>-<Revision Number>"`,
+    );
+  }
+
+  const revisionNumber = parseFloat(match);
+
+  if (Number.isNaN(revisionNumber)) {
+    throw new AppConfigError(
+      `Encryption revision is invalid. Got "${revision}" but expected a number or <Environment Name>-<Revision Number>"`,
+    );
+  }
+
+  return revisionNumber;
+}
+
 export function latestSymmetricKeyRevision(
   keys: (EncryptedSymmetricKey | DecryptedSymmetricKey)[],
-): number {
-  keys.sort((a, b) => a.revision - b.revision);
+): string {
+  keys.sort((a, b) => getRevisionNumber(a.revision) - getRevisionNumber(b.revision));
 
   if (keys.length === 0) throw new InvalidEncryptionKey('No symmetric keys were found');
 
@@ -699,11 +728,22 @@ async function reencryptSymmetricKeys(
   previousSymmetricKeys: EncryptedSymmetricKey[],
   newTeamMembers: Key[],
   privateKey: Key,
+  environmentOptions?: EnvironmentOptions,
 ): Promise<EncryptedSymmetricKey[]> {
   const newEncryptionKeys: EncryptedSymmetricKey[] = [];
 
   if (previousSymmetricKeys.length === 0) {
-    const initialKey = await generateSymmetricKey(1);
+    let newRevision = '1';
+
+    if (environmentOptions) {
+      const env = currentEnvironment(environmentOptions);
+
+      if (env) {
+        newRevision = `${env}-1`;
+      }
+    }
+
+    const initialKey = await generateSymmetricKey(newRevision);
     const encrypted = await encryptSymmetricKey(initialKey, newTeamMembers);
 
     newEncryptionKeys.push(encrypted);
@@ -879,8 +919,8 @@ function stringAsTypedArray(str: string): Uint16Array {
   return bufView;
 }
 
-function encodeRevisionInPassword(password: Uint8Array, revision: number): Uint8Array {
-  const revisionBytes = stringAsTypedArray(revision.toString());
+function encodeRevisionInPassword(password: Uint8Array, revision: string): Uint8Array {
+  const revisionBytes = stringAsTypedArray(revision);
   const passwordWithRevision = new Uint8Array(password.length + revisionBytes.length + 1);
 
   // first byte is the revision length, next N bytes is the revision as a string
@@ -891,12 +931,12 @@ function encodeRevisionInPassword(password: Uint8Array, revision: number): Uint8
   return passwordWithRevision;
 }
 
-function verifyEncodedRevision(password: Uint8Array, expectedRevision: number) {
+function verifyEncodedRevision(password: Uint8Array, expectedRevision: string) {
   const revisionBytesLength = password[0];
   const revisionBytes = password.slice(1, 1 + revisionBytesLength);
   const revision = decodeTypedArray(revisionBytes);
 
-  if (parseFloat(revision) !== expectedRevision) {
+  if (revision !== expectedRevision) {
     throw new EncryptionEncoding(oneLine`
       We detected tampering in the encryption key, revision ${expectedRevision}!
       This error occurs when the revision in the 'encryptionKeys' does not match the one that was embedded into the key.

app-config-encryption/src/index.test.ts

@@ -4,7 +4,7 @@ import encryptedDirective from './index';
 
 describe('encryptedDirective', () => {
   it('loads an encrypted value', async () => {
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
 
     const source = new LiteralSource({
       foo: await encryptValue('foobar', symmetricKey),
@@ -16,7 +16,7 @@ describe('encryptedDirective', () => {
   });
 
   it('loads an array of encrypted values', async () => {
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
 
     const source = new LiteralSource({
       foo: [

app-config-encryption/src/secret-agent.test.ts

@@ -28,7 +28,7 @@ describe('Decryption', () => {
     });
 
     const privateKey = await loadPrivateKey(privateKeyArmored);
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
     const encryptedSymmetricKey = await encryptSymmetricKey(symmetricKey, [privateKey]);
 
     const port = await getPort();
@@ -84,7 +84,7 @@ describe('Unix Sockets', () => {
     });
 
     const privateKey = await loadPrivateKey(privateKeyArmored);
-    const symmetricKey = await generateSymmetricKey(1);
+    const symmetricKey = await generateSymmetricKey('1');
     const encryptedSymmetricKey = await encryptSymmetricKey(symmetricKey, [privateKey]);
 
     const socket = resolve('./temporary-socket-file');

app-config-encryption/src/secret-agent.ts

@@ -139,15 +139,8 @@ export async function connectAgent(
       keepAlive();
 
       const revision = text.split(':')[1];
-      const revisionNumber = parseFloat(revision);
 
-      if (Number.isNaN(revisionNumber)) {
-        throw new AppConfigError(
-          `Encrypted value was invalid, revision was not a number (${revision})`,
-        );
-      }
-
-      const symmetricKey = await loadEncryptedKey(revisionNumber, environmentOptions);
+      const symmetricKey = await loadEncryptedKey(revision, environmentOptions);
       const decrypted = await client.Decrypt({ text, symmetricKey });
 
       keepAlive();
@@ -248,7 +241,7 @@ export async function getAgentPortOrSocket(
 }
 
 async function loadSymmetricKey(
-  revision: number,
+  revision: string,
   environmentOptions?: EnvironmentOptions,
 ): Promise<EncryptedSymmetricKey> {
   const symmetricKeys = await loadSymmetricKeys(true, environmentOptions);

app-config-meta/src/index.ts

@@ -27,7 +27,7 @@ export interface TeamMember {
 }
 
 export interface EncryptedSymmetricKey {
-  revision: number;
+  revision: string;
   key: string;
 }
 

app-config-schema/src/index.test.ts

@@ -488,7 +488,7 @@ describe('Validation', () => {
         },
         async (inDir) => {
           const { validate } = await loadSchema({ directory: inDir('.') });
-          const symmetricKey = await generateSymmetricKey(1);
+          const symmetricKey = await generateSymmetricKey('1');
 
           const parsed = await ParsedValue.parseLiteral(
             {
@@ -515,7 +515,7 @@ describe('Validation', () => {
         },
         async (inDir) => {
           const { validate } = await loadSchema({ directory: inDir('.') });
-          const symmetricKey = await generateSymmetricKey(1);
+          const symmetricKey = await generateSymmetricKey('1');
 
           const parsed = await ParsedValue.parseLiteral(
             [
@@ -542,7 +542,7 @@ describe('Validation', () => {
         },
         async (inDir) => {
           const { validate } = await loadSchema({ directory: inDir('.') });
-          const symmetricKey = await generateSymmetricKey(1);
+          const symmetricKey = await generateSymmetricKey('1');
 
           const parsed = await ParsedValue.parseLiteral(
             [
@@ -573,7 +573,7 @@ describe('Validation', () => {
         },
         async (inDir) => {
           const { validate } = await loadSchema({ directory: inDir('.') });
-          const symmetricKey = await generateSymmetricKey(1);
+          const symmetricKey = await generateSymmetricKey('1');
 
           const parsed = await ParsedValue.parseLiteral(
             {