1
0
mirror of https://github.com/laurent22/joplin.git synced 2024-12-21 09:38:01 +02:00
joplin/packages/lib/services/synchronizer/Synchronizer.e2ee.test.ts
Self Not Found aa6348c5c2
All: Add new encryption methods based on native crypto libraries (#10696)
Co-authored-by: Laurent Cozic <laurent22@users.noreply.github.com>
Co-authored-by: Henry Heino <personalizedrefrigerator@gmail.com>
2024-10-26 21:15:10 +01:00

434 lines
17 KiB
TypeScript

import time from '../../time';
import shim from '../../shim';
import Setting from '../../models/Setting';
import { synchronizerStart, allSyncTargetItemsEncrypted, kvStore, supportDir, setupDatabaseAndSynchronizer, synchronizer, fileApi, switchClient, encryptionService, loadEncryptionMasterKey, decryptionWorker, checkThrowAsync } from '../../testing/test-utils';
import Folder from '../../models/Folder';
import Note from '../../models/Note';
import Resource from '../../models/Resource';
import ResourceFetcher from '../../services/ResourceFetcher';
import MasterKey from '../../models/MasterKey';
import BaseItem from '../../models/BaseItem';
import Synchronizer from '../../Synchronizer';
import { fetchSyncInfo, getEncryptionEnabled, localSyncInfo, setEncryptionEnabled } from '../synchronizer/syncInfoUtils';
import { loadMasterKeysFromSettings, setupAndDisableEncryption, setupAndEnableEncryption } from '../e2ee/utils';
import { remoteNotesAndFolders } from '../../testing/test-utils-synchronizer';
import { EncryptionMethod } from '../e2ee/EncryptionService';
let insideBeforeEach = false;
function newResourceFetcher(synchronizer: Synchronizer) {
return new ResourceFetcher(() => { return synchronizer.api(); });
}
describe('Synchronizer.e2ee', () => {
beforeEach(async () => {
insideBeforeEach = true;
await setupDatabaseAndSynchronizer(1);
await setupDatabaseAndSynchronizer(2);
await switchClient(1);
insideBeforeEach = false;
});
it.each([
EncryptionMethod.SJCL1a,
EncryptionMethod.StringV1,
])('notes and folders should get encrypted when encryption is enabled', (async (encryptionMethod) => {
setEncryptionEnabled(true);
encryptionService().defaultEncryptionMethod_ = encryptionMethod;
const masterKey = await loadEncryptionMasterKey();
const folder1 = await Folder.save({ title: 'folder1' });
let note1 = await Note.save({ title: 'un', body: 'to be encrypted', parent_id: folder1.id });
await synchronizerStart();
// After synchronisation, remote items should be encrypted but local ones remain plain text
note1 = await Note.load(note1.id);
expect(note1.title).toBe('un');
await switchClient(2);
await synchronizerStart();
let folder1_2 = await Folder.load(folder1.id);
let note1_2 = await Note.load(note1.id);
const masterKey_2 = await MasterKey.load(masterKey.id);
// On this side however it should be received encrypted
expect(!note1_2.title).toBe(true);
expect(!folder1_2.title).toBe(true);
expect(!!note1_2.encryption_cipher_text).toBe(true);
expect(!!folder1_2.encryption_cipher_text).toBe(true);
// Master key is already encrypted so it does not get re-encrypted during sync
expect(masterKey_2.content).toBe(masterKey.content);
expect(masterKey_2.checksum).toBe(masterKey.checksum);
// Now load the master key we got from client 1 and try to decrypt
await encryptionService().loadMasterKey(masterKey_2, '123456', true);
// Get the decrypted items back
await Folder.decrypt(folder1_2);
await Note.decrypt(note1_2);
folder1_2 = await Folder.load(folder1.id);
note1_2 = await Note.load(note1.id);
// Check that properties match the original items. Also check
// the encryption did not affect the updated_time timestamp.
expect(note1_2.title).toBe(note1.title);
expect(note1_2.body).toBe(note1.body);
expect(note1_2.updated_time).toBe(note1.updated_time);
expect(!note1_2.encryption_cipher_text).toBe(true);
expect(folder1_2.title).toBe(folder1.title);
expect(folder1_2.updated_time).toBe(folder1.updated_time);
expect(!folder1_2.encryption_cipher_text).toBe(true);
}));
it('should not encrypt structural properties', (async () => {
setEncryptionEnabled(true);
await loadEncryptionMasterKey();
const folder1 = await Folder.save({});
const folder2 = await Folder.save({});
const note1 = await Note.save({ parent_id: folder1.id });
const note2 = await Note.save({ parent_id: folder2.id });
await Folder.delete(folder2.id, { toTrash: true, deleteChildren: true });
await synchronizerStart();
const remoteItems = await remoteNotesAndFolders();
expect(remoteItems.find(i => i.id === folder1.id).deleted_time).toBe(0);
expect(remoteItems.find(i => i.id === folder2.id).deleted_time).toBeGreaterThan(0);
expect(remoteItems.find(i => i.id === note1.id).deleted_time).toBe(0);
expect(remoteItems.find(i => i.id === note2.id).deleted_time).toBeGreaterThan(0);
}));
it('should mark the key has having been used when synchronising the first time', (async () => {
setEncryptionEnabled(true);
await loadEncryptionMasterKey();
await Folder.save({ title: 'folder1' });
await synchronizerStart();
const localInfo = localSyncInfo();
const remoteInfo = await fetchSyncInfo(fileApi());
expect(localInfo.masterKeys[0].hasBeenUsed).toBe(true);
expect(remoteInfo.masterKeys[0].hasBeenUsed).toBe(true);
}));
it('should mark the key has having been used when synchronising after enabling encryption', (async () => {
await Folder.save({ title: 'folder1' });
await synchronizerStart();
setEncryptionEnabled(true);
await loadEncryptionMasterKey();
await synchronizerStart();
const localInfo = localSyncInfo();
const remoteInfo = await fetchSyncInfo(fileApi());
expect(localInfo.masterKeys[0].hasBeenUsed).toBe(true);
expect(remoteInfo.masterKeys[0].hasBeenUsed).toBe(true);
}));
it('should enable encryption automatically when downloading new master key (and none was previously available)', (async () => {
// Enable encryption on client 1 and sync an item
setEncryptionEnabled(true);
await loadEncryptionMasterKey();
let folder1 = await Folder.save({ title: 'folder1' });
await synchronizerStart();
await switchClient(2);
// Synchronising should enable encryption since we're going to get a master key
expect(getEncryptionEnabled()).toBe(false);
await synchronizerStart();
expect(getEncryptionEnabled()).toBe(true);
// Check that we got the master key from client 1
const masterKey = (await MasterKey.all())[0];
expect(!!masterKey).toBe(true);
// Since client 2 hasn't supplied a password yet, no master key is currently loaded
expect(encryptionService().loadedMasterKeyIds().length).toBe(0);
// If we sync now, nothing should be sent to target since we don't have a password.
// Technically it's incorrect to set the property of an encrypted variable but it allows confirming
// that encryption doesn't work if user hasn't supplied a password.
await BaseItem.forceSync(folder1.id);
await synchronizerStart();
await switchClient(1);
await synchronizerStart();
folder1 = await Folder.load(folder1.id);
expect(folder1.title).toBe('folder1'); // Still at old value
await switchClient(2);
// Now client 2 set the master key password
Setting.setObjectValue('encryption.passwordCache', masterKey.id, '123456');
await loadMasterKeysFromSettings(encryptionService());
// Now that master key should be loaded
expect(encryptionService().loadedMasterKeyIds()[0]).toBe(masterKey.id);
// Decrypt all the data. Now change the title and sync again - this time the changes should be transmitted
await decryptionWorker().start();
await Folder.save({ id: folder1.id, title: 'change test' });
// If we sync now, this time client 1 should get the changes we did earlier
await synchronizerStart();
await switchClient(1);
await synchronizerStart();
// Decrypt the data we just got
await decryptionWorker().start();
folder1 = await Folder.load(folder1.id);
expect(folder1.title).toBe('change test'); // Got title from client 2
}));
it('should encrypt existing notes too when enabling E2EE', (async () => {
// First create a folder, without encryption enabled, and sync it
await Folder.save({ title: 'folder1' });
await synchronizerStart();
let files = await fileApi().list('', { includeDirs: false, syncItemsOnly: true });
let content = await fileApi().get(files.items[0].path);
expect(content.indexOf('folder1') >= 0).toBe(true);
// Then enable encryption and sync again
let masterKey = await encryptionService().generateMasterKey('123456');
masterKey = await MasterKey.save(masterKey);
await setupAndEnableEncryption(encryptionService(), masterKey, '123456');
await loadMasterKeysFromSettings(encryptionService());
await synchronizerStart();
// Even though the folder has not been changed it should have been synced again so that
// an encrypted version of it replaces the decrypted version.
files = await fileApi().list('', { includeDirs: false, syncItemsOnly: true });
expect(files.items.length).toBe(1);
// By checking that the folder title is not present, we can confirm that the item has indeed been encrypted
content = await fileApi().get(files.items[0].path);
expect(content.indexOf('folder1') < 0).toBe(true);
}));
it('should upload decrypted items to sync target after encryption disabled', (async () => {
setEncryptionEnabled(true);
await loadEncryptionMasterKey();
await Folder.save({ title: 'folder1' });
await synchronizerStart();
let allEncrypted = await allSyncTargetItemsEncrypted();
expect(allEncrypted).toBe(true);
await setupAndDisableEncryption(encryptionService());
await synchronizerStart();
allEncrypted = await allSyncTargetItemsEncrypted();
expect(allEncrypted).toBe(false);
}));
it('should not upload any item if encryption was enabled, and items have not been decrypted, and then encryption disabled', (async () => {
// For some reason I can't explain, this test is sometimes executed before beforeEach is finished
// which means it's going to fail in unexpected way. So the loop below wait for beforeEach to be done.
while (insideBeforeEach) await time.msleep(100);
setEncryptionEnabled(true);
const masterKey = await loadEncryptionMasterKey();
await Folder.save({ title: 'folder1' });
await synchronizerStart();
await switchClient(2);
await synchronizerStart();
expect(getEncryptionEnabled()).toBe(true);
// If we try to disable encryption now, it should throw an error because some items are
// currently encrypted. They must be decrypted first so that they can be sent as
// plain text to the sync target.
// let hasThrown = await checkThrowAsync(async () => await setupAndDisableEncryption(encryptionService()));
// expect(hasThrown).toBe(true);
// Now supply the password, and decrypt the items
Setting.setObjectValue('encryption.passwordCache', masterKey.id, '123456');
await loadMasterKeysFromSettings(encryptionService());
await decryptionWorker().start();
// Try to disable encryption again
const hasThrown = await checkThrowAsync(async () => await setupAndDisableEncryption(encryptionService()));
expect(hasThrown).toBe(false);
// If we sync now the target should receive the decrypted items
await synchronizerStart();
const allEncrypted = await allSyncTargetItemsEncrypted();
expect(allEncrypted).toBe(false);
}));
it.each([
[EncryptionMethod.SJCL1a, EncryptionMethod.SJCL1a],
[EncryptionMethod.StringV1, EncryptionMethod.FileV1],
])('should set the resource file size after decryption', (async (stringEncryptionMethod, fileEncryptionMethod) => {
setEncryptionEnabled(true);
encryptionService().defaultEncryptionMethod_ = stringEncryptionMethod;
encryptionService().defaultFileEncryptionMethod_ = fileEncryptionMethod;
const masterKey = await loadEncryptionMasterKey();
const folder1 = await Folder.save({ title: 'folder1' });
const note1 = await Note.save({ title: 'ma note', parent_id: folder1.id });
await shim.attachFileToNote(note1, `${supportDir}/photo.jpg`);
const resource1 = (await Resource.all())[0];
await Resource.setFileSizeOnly(resource1.id, -1);
Resource.fullPath(resource1);
await synchronizerStart();
await switchClient(2);
await synchronizerStart();
Setting.setObjectValue('encryption.passwordCache', masterKey.id, '123456');
await loadMasterKeysFromSettings(encryptionService());
const fetcher = newResourceFetcher(synchronizer());
fetcher.queueDownload_(resource1.id);
await fetcher.waitForAllFinished();
await decryptionWorker().start();
const resource1_2 = await Resource.load(resource1.id);
expect(resource1_2.size).toBe(2720);
}));
it.each([
[EncryptionMethod.SJCL1a, EncryptionMethod.SJCL1a],
[EncryptionMethod.StringV1, EncryptionMethod.FileV1],
])('should encrypt remote resources after encryption has been enabled', (async (stringEncryptionMethod, fileEncryptionMethod) => {
while (insideBeforeEach) await time.msleep(100);
encryptionService().defaultEncryptionMethod_ = stringEncryptionMethod;
encryptionService().defaultFileEncryptionMethod_ = fileEncryptionMethod;
const folder1 = await Folder.save({ title: 'folder1' });
const note1 = await Note.save({ title: 'ma note', parent_id: folder1.id });
await shim.attachFileToNote(note1, `${supportDir}/photo.jpg`);
await synchronizerStart();
expect(await allSyncTargetItemsEncrypted()).toBe(false);
const masterKey = await loadEncryptionMasterKey();
await setupAndEnableEncryption(encryptionService(), masterKey, '123456');
await loadMasterKeysFromSettings(encryptionService());
await synchronizerStart();
expect(await allSyncTargetItemsEncrypted()).toBe(true);
}));
it('should upload encrypted resource, but it should not mark the blob as encrypted locally', (async () => {
while (insideBeforeEach) await time.msleep(100);
const folder1 = await Folder.save({ title: 'folder1' });
const note1 = await Note.save({ title: 'ma note', parent_id: folder1.id });
await shim.attachFileToNote(note1, `${supportDir}/photo.jpg`);
const masterKey = await loadEncryptionMasterKey();
await setupAndEnableEncryption(encryptionService(), masterKey, '123456');
await loadMasterKeysFromSettings(encryptionService());
// await synchronizerStart();
// const resource1 = (await Resource.all())[0];
// expect(resource1.encryption_blob_encrypted).toBe(0);
}));
it('should decrypt the resource metadata, but not try to decrypt the file, if it is not present', (async () => {
const note1 = await Note.save({ title: 'note' });
await shim.attachFileToNote(note1, `${supportDir}/photo.jpg`);
const masterKey = await loadEncryptionMasterKey();
await setupAndEnableEncryption(encryptionService(), masterKey, '123456');
await loadMasterKeysFromSettings(encryptionService());
await synchronizerStart();
expect(await allSyncTargetItemsEncrypted()).toBe(true);
await switchClient(2);
await synchronizerStart();
Setting.setObjectValue('encryption.passwordCache', masterKey.id, '123456');
await loadMasterKeysFromSettings(encryptionService());
await decryptionWorker().start();
let resource = (await Resource.all())[0];
expect(!!resource.encryption_applied).toBe(false);
expect(!!resource.encryption_blob_encrypted).toBe(true);
const resourceFetcher = newResourceFetcher(synchronizer());
await resourceFetcher.start();
await resourceFetcher.waitForAllFinished();
const ls = await Resource.localState(resource);
expect(ls.fetch_status).toBe(Resource.FETCH_STATUS_DONE);
await decryptionWorker().start();
resource = (await Resource.all())[0];
expect(!!resource.encryption_blob_encrypted).toBe(false);
}));
it.each([
EncryptionMethod.SJCL1a,
EncryptionMethod.StringV1,
])('should stop trying to decrypt item after a few attempts', (async (encryptionMethod) => {
let hasThrown;
encryptionService().defaultEncryptionMethod_ = encryptionMethod;
const note = await Note.save({ title: 'ma note' });
const masterKey = await loadEncryptionMasterKey();
await setupAndEnableEncryption(encryptionService(), masterKey, '123456');
await loadMasterKeysFromSettings(encryptionService());
await synchronizerStart();
await switchClient(2);
await synchronizerStart();
// First, simulate a broken note and check that the decryption worker
// gives up decrypting after a number of tries. This is mainly relevant
// for data that crashes the mobile application - we don't want to keep
// decrypting these.
const encryptedNote = await Note.load(note.id);
const goodCipherText = encryptedNote.encryption_cipher_text;
await Note.save({ id: note.id, encryption_cipher_text: 'doesntlookright' });
Setting.setObjectValue('encryption.passwordCache', masterKey.id, '123456');
await loadMasterKeysFromSettings(encryptionService());
hasThrown = await checkThrowAsync(async () => await decryptionWorker().start({ errorHandler: 'throw' }));
expect(hasThrown).toBe(true);
hasThrown = await checkThrowAsync(async () => await decryptionWorker().start({ errorHandler: 'throw' }));
expect(hasThrown).toBe(true);
// Third time, an error is logged and no error is thrown
hasThrown = await checkThrowAsync(async () => await decryptionWorker().start({ errorHandler: 'throw' }));
expect(hasThrown).toBe(false);
const disabledItems = await decryptionWorker().decryptionDisabledItems();
expect(disabledItems.length).toBe(1);
expect(disabledItems[0].id).toBe(note.id);
expect((await kvStore().all()).length).toBe(1);
await kvStore().clear();
// Now check that if it fails once but succeed the second time, the note
// is correctly decrypted and the counters are cleared.
hasThrown = await checkThrowAsync(async () => await decryptionWorker().start({ errorHandler: 'throw' }));
expect(hasThrown).toBe(true);
await Note.save({ id: note.id, encryption_cipher_text: goodCipherText });
hasThrown = await checkThrowAsync(async () => await decryptionWorker().start({ errorHandler: 'throw' }));
expect(hasThrown).toBe(false);
const decryptedNote = await Note.load(note.id);
expect(decryptedNote.title).toBe('ma note');
expect((await kvStore().all()).length).toBe(0);
expect((await decryptionWorker().decryptionDisabledItems()).length).toBe(0);
}));
});