[management] Move activity store encryption to shared crypt package (#5111)

2026-04-18 08:16:39 +00:00 · 2026-01-22 13:01:13 +01:00
parent d0221a3e72
commit a1de2b8a98
11 changed files with 392 additions and 460 deletions
--- a/management/server/activity/store/crypt.go
+++ b/management/server/activity/store/crypt.go
@@ -1,136 +0,0 @@
-package store
-
-import (
-	"bytes"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/rand"
-	"encoding/base64"
-	"errors"
-)
-
-var iv = []byte{10, 22, 13, 79, 05, 8, 52, 91, 87, 98, 88, 98, 35, 25, 13, 05}
-
-type FieldEncrypt struct {
-	block cipher.Block
-	gcm   cipher.AEAD
-}
-
-func GenerateKey() (string, error) {
-	key := make([]byte, 32)
-	_, err := rand.Read(key)
-	if err != nil {
-		return "", err
-	}
-	readableKey := base64.StdEncoding.EncodeToString(key)
-	return readableKey, nil
-}
-
-func NewFieldEncrypt(key string) (*FieldEncrypt, error) {
-	binKey, err := base64.StdEncoding.DecodeString(key)
-	if err != nil {
-		return nil, err
-	}
-
-	block, err := aes.NewCipher(binKey)
-	if err != nil {
-		return nil, err
-	}
-
-	gcm, err := cipher.NewGCM(block)
-	if err != nil {
-		return nil, err
-	}
-
-	ec := &FieldEncrypt{
-		block: block,
-		gcm:   gcm,
-	}
-
-	return ec, nil
-}
-
-func (ec *FieldEncrypt) LegacyEncrypt(payload string) string {
-	plainText := pkcs5Padding([]byte(payload))
-	cipherText := make([]byte, len(plainText))
-	cbc := cipher.NewCBCEncrypter(ec.block, iv)
-	cbc.CryptBlocks(cipherText, plainText)
-	return base64.StdEncoding.EncodeToString(cipherText)
-}
-
-// Encrypt encrypts plaintext using AES-GCM
-func (ec *FieldEncrypt) Encrypt(payload string) (string, error) {
-	plaintext := []byte(payload)
-	nonceSize := ec.gcm.NonceSize()
-
-	nonce := make([]byte, nonceSize, len(plaintext)+nonceSize+ec.gcm.Overhead())
-	if _, err := rand.Read(nonce); err != nil {
-		return "", err
-	}
-
-	ciphertext := ec.gcm.Seal(nonce, nonce, plaintext, nil)
-
-	return base64.StdEncoding.EncodeToString(ciphertext), nil
-}
-
-func (ec *FieldEncrypt) LegacyDecrypt(data string) (string, error) {
-	cipherText, err := base64.StdEncoding.DecodeString(data)
-	if err != nil {
-		return "", err
-	}
-	cbc := cipher.NewCBCDecrypter(ec.block, iv)
-	cbc.CryptBlocks(cipherText, cipherText)
-	payload, err := pkcs5UnPadding(cipherText)
-	if err != nil {
-		return "", err
-	}
-
-	return string(payload), nil
-}
-
-// Decrypt decrypts ciphertext using AES-GCM
-func (ec *FieldEncrypt) Decrypt(data string) (string, error) {
-	cipherText, err := base64.StdEncoding.DecodeString(data)
-	if err != nil {
-		return "", err
-	}
-
-	nonceSize := ec.gcm.NonceSize()
-	if len(cipherText) < nonceSize {
-		return "", errors.New("cipher text too short")
-	}
-
-	nonce, cipherText := cipherText[:nonceSize], cipherText[nonceSize:]
-	plainText, err := ec.gcm.Open(nil, nonce, cipherText, nil)
-	if err != nil {
-		return "", err
-	}
-
-	return string(plainText), nil
-}
-
-func pkcs5Padding(ciphertext []byte) []byte {
-	padding := aes.BlockSize - len(ciphertext)%aes.BlockSize
-	padText := bytes.Repeat([]byte{byte(padding)}, padding)
-	return append(ciphertext, padText...)
-}
-func pkcs5UnPadding(src []byte) ([]byte, error) {
-	srcLen := len(src)
-	if srcLen == 0 {
-		return nil, errors.New("input data is empty")
-	}
-
-	paddingLen := int(src[srcLen-1])
-	if paddingLen == 0 || paddingLen > aes.BlockSize || paddingLen > srcLen {
-		return nil, errors.New("invalid padding size")
-	}
-
-	// Verify that all padding bytes are the same
-	for i := 0; i < paddingLen; i++ {
-		if src[srcLen-1-i] != byte(paddingLen) {
-			return nil, errors.New("invalid padding")
-		}
-	}
-
-	return src[:srcLen-paddingLen], nil
-}
--- a/management/server/activity/store/crypt_test.go
+++ b/management/server/activity/store/crypt_test.go
@@ -1,310 +0,0 @@
-package store
-
-import (
-	"bytes"
-	"testing"
-)
-
-func TestGenerateKey(t *testing.T) {
-	testData := "exampl@netbird.io"
-	key, err := GenerateKey()
-	if err != nil {
-		t.Fatalf("failed to generate key: %s", err)
-	}
-	ee, err := NewFieldEncrypt(key)
-	if err != nil {
-		t.Fatalf("failed to init email encryption: %s", err)
-	}
-
-	encrypted, err := ee.Encrypt(testData)
-	if err != nil {
-		t.Fatalf("failed to encrypt data: %s", err)
-	}
-
-	if encrypted == "" {
-		t.Fatalf("invalid encrypted text")
-	}
-
-	decrypted, err := ee.Decrypt(encrypted)
-	if err != nil {
-		t.Fatalf("failed to decrypt data: %s", err)
-	}
-
-	if decrypted != testData {
-		t.Fatalf("decrypted data is not match with test data: %s, %s", testData, decrypted)
-	}
-}
-
-func TestGenerateKeyLegacy(t *testing.T) {
-	testData := "exampl@netbird.io"
-	key, err := GenerateKey()
-	if err != nil {
-		t.Fatalf("failed to generate key: %s", err)
-	}
-	ee, err := NewFieldEncrypt(key)
-	if err != nil {
-		t.Fatalf("failed to init email encryption: %s", err)
-	}
-
-	encrypted := ee.LegacyEncrypt(testData)
-	if encrypted == "" {
-		t.Fatalf("invalid encrypted text")
-	}
-
-	decrypted, err := ee.LegacyDecrypt(encrypted)
-	if err != nil {
-		t.Fatalf("failed to decrypt data: %s", err)
-	}
-
-	if decrypted != testData {
-		t.Fatalf("decrypted data is not match with test data: %s, %s", testData, decrypted)
-	}
-}
-
-func TestCorruptKey(t *testing.T) {
-	testData := "exampl@netbird.io"
-	key, err := GenerateKey()
-	if err != nil {
-		t.Fatalf("failed to generate key: %s", err)
-	}
-	ee, err := NewFieldEncrypt(key)
-	if err != nil {
-		t.Fatalf("failed to init email encryption: %s", err)
-	}
-
-	encrypted, err := ee.Encrypt(testData)
-	if err != nil {
-		t.Fatalf("failed to encrypt data: %s", err)
-	}
-
-	if encrypted == "" {
-		t.Fatalf("invalid encrypted text")
-	}
-
-	newKey, err := GenerateKey()
-	if err != nil {
-		t.Fatalf("failed to generate key: %s", err)
-	}
-
-	ee, err = NewFieldEncrypt(newKey)
-	if err != nil {
-		t.Fatalf("failed to init email encryption: %s", err)
-	}
-
-	res, _ := ee.Decrypt(encrypted)
-	if res == testData {
-		t.Fatalf("incorrect decryption, the result is: %s", res)
-	}
-}
-
-func TestEncryptDecrypt(t *testing.T) {
-	// Generate a key for encryption/decryption
-	key, err := GenerateKey()
-	if err != nil {
-		t.Fatalf("Failed to generate key: %v", err)
-	}
-
-	// Initialize the FieldEncrypt with the generated key
-	ec, err := NewFieldEncrypt(key)
-	if err != nil {
-		t.Fatalf("Failed to create FieldEncrypt: %v", err)
-	}
-
-	// Test cases
-	testCases := []struct {
-		name  string
-		input string
-	}{
-		{
-			name:  "Empty String",
-			input: "",
-		},
-		{
-			name:  "Short String",
-			input: "Hello",
-		},
-		{
-			name:  "String with Spaces",
-			input: "Hello, World!",
-		},
-		{
-			name:  "Long String",
-			input: "The quick brown fox jumps over the lazy dog.",
-		},
-		{
-			name:  "Unicode Characters",
-			input: "こんにちは世界",
-		},
-		{
-			name:  "Special Characters",
-			input: "!@#$%^&*()_+-=[]{}|;':\",./<>?",
-		},
-		{
-			name:  "Numeric String",
-			input: "1234567890",
-		},
-		{
-			name:  "Repeated Characters",
-			input: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
-		},
-		{
-			name:  "Multi-block String",
-			input: "This is a longer string that will span multiple blocks in the encryption algorithm.",
-		},
-		{
-			name:  "Non-ASCII and ASCII Mix",
-			input: "Hello 世界 123",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name+" - Legacy", func(t *testing.T) {
-			// Legacy Encryption
-			encryptedLegacy := ec.LegacyEncrypt(tc.input)
-			if encryptedLegacy == "" {
-				t.Errorf("LegacyEncrypt returned empty string for input '%s'", tc.input)
-			}
-
-			// Legacy Decryption
-			decryptedLegacy, err := ec.LegacyDecrypt(encryptedLegacy)
-			if err != nil {
-				t.Errorf("LegacyDecrypt failed for input '%s': %v", tc.input, err)
-			}
-
-			// Verify that the decrypted value matches the original input
-			if decryptedLegacy != tc.input {
-				t.Errorf("LegacyDecrypt output '%s' does not match original input '%s'", decryptedLegacy, tc.input)
-			}
-		})
-
-		t.Run(tc.name+" - New", func(t *testing.T) {
-			// New Encryption
-			encryptedNew, err := ec.Encrypt(tc.input)
-			if err != nil {
-				t.Errorf("Encrypt failed for input '%s': %v", tc.input, err)
-			}
-			if encryptedNew == "" {
-				t.Errorf("Encrypt returned empty string for input '%s'", tc.input)
-			}
-
-			// New Decryption
-			decryptedNew, err := ec.Decrypt(encryptedNew)
-			if err != nil {
-				t.Errorf("Decrypt failed for input '%s': %v", tc.input, err)
-			}
-
-			// Verify that the decrypted value matches the original input
-			if decryptedNew != tc.input {
-				t.Errorf("Decrypt output '%s' does not match original input '%s'", decryptedNew, tc.input)
-			}
-		})
-	}
-}
-
-func TestPKCS5UnPadding(t *testing.T) {
-	tests := []struct {
-		name        string
-		input       []byte
-		expected    []byte
-		expectError bool
-	}{
-		{
-			name:     "Valid Padding",
-			input:    append([]byte("Hello, World!"), bytes.Repeat([]byte{4}, 4)...),
-			expected: []byte("Hello, World!"),
-		},
-		{
-			name:        "Empty Input",
-			input:       []byte{},
-			expectError: true,
-		},
-		{
-			name:        "Padding Length Zero",
-			input:       append([]byte("Hello, World!"), bytes.Repeat([]byte{0}, 4)...),
-			expectError: true,
-		},
-		{
-			name:        "Padding Length Exceeds Block Size",
-			input:       append([]byte("Hello, World!"), bytes.Repeat([]byte{17}, 17)...),
-			expectError: true,
-		},
-		{
-			name:        "Padding Length Exceeds Input Length",
-			input:       []byte{5, 5, 5},
-			expectError: true,
-		},
-		{
-			name:        "Invalid Padding Bytes",
-			input:       append([]byte("Hello, World!"), []byte{2, 3, 4, 5}...),
-			expectError: true,
-		},
-		{
-			name:     "Valid Single Byte Padding",
-			input:    append([]byte("Hello, World!"), byte(1)),
-			expected: []byte("Hello, World!"),
-		},
-		{
-			name:        "Invalid Mixed Padding Bytes",
-			input:       append([]byte("Hello, World!"), []byte{3, 3, 2}...),
-			expectError: true,
-		},
-		{
-			name:     "Valid Full Block Padding",
-			input:    append([]byte("Hello, World!"), bytes.Repeat([]byte{16}, 16)...),
-			expected: []byte("Hello, World!"),
-		},
-		{
-			name:        "Non-Padding Byte at End",
-			input:       append([]byte("Hello, World!"), []byte{4, 4, 4, 5}...),
-			expectError: true,
-		},
-		{
-			name:     "Valid Padding with Different Text Length",
-			input:    append([]byte("Test"), bytes.Repeat([]byte{12}, 12)...),
-			expected: []byte("Test"),
-		},
-		{
-			name:     "Padding Length Equal to Input Length",
-			input:    bytes.Repeat([]byte{8}, 8),
-			expected: []byte{},
-		},
-		{
-			name:        "Invalid Padding Length Zero (Again)",
-			input:       append([]byte("Test"), byte(0)),
-			expectError: true,
-		},
-		{
-			name:        "Padding Length Greater Than Input",
-			input:       []byte{10},
-			expectError: true,
-		},
-		{
-			name:     "Input Length Not Multiple of Block Size",
-			input:    append([]byte("Invalid Length"), byte(1)),
-			expected: []byte("Invalid Length"),
-		},
-		{
-			name:     "Valid Padding with Non-ASCII Characters",
-			input:    append([]byte("こんにちは"), bytes.Repeat([]byte{2}, 2)...),
-			expected: []byte("こんにちは"),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result, err := pkcs5UnPadding(tt.input)
-			if tt.expectError {
-				if err == nil {
-					t.Errorf("Expected error but got nil")
-				}
-			} else {
-				if err != nil {
-					t.Errorf("Did not expect error but got: %v", err)
-				}
-				if !bytes.Equal(result, tt.expected) {
-					t.Errorf("Expected output %v, got %v", tt.expected, result)
-				}
-			}
-		})
-	}
-}
--- a/management/server/activity/store/migration.go
+++ b/management/server/activity/store/migration.go
@@ -10,9 +10,10 @@ import (

 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/migration"
+	"github.com/netbirdio/netbird/util/crypt"
 )

-func migrate(ctx context.Context, crypt *FieldEncrypt, db *gorm.DB) error {
+func migrate(ctx context.Context, crypt *crypt.FieldEncrypt, db *gorm.DB) error {
 	migrations := getMigrations(ctx, crypt)

 	for _, m := range migrations {
@@ -26,7 +27,7 @@ func migrate(ctx context.Context, crypt *FieldEncrypt, db *gorm.DB) error {

 type migrationFunc func(*gorm.DB) error

-func getMigrations(ctx context.Context, crypt *FieldEncrypt) []migrationFunc {
+func getMigrations(ctx context.Context, crypt *crypt.FieldEncrypt) []migrationFunc {
 	return []migrationFunc{
 		func(db *gorm.DB) error {
 			return migration.MigrateNewField[activity.DeletedUser](ctx, db, "name", "")
@@ -45,7 +46,7 @@ func getMigrations(ctx context.Context, crypt *FieldEncrypt) []migrationFunc {

 // migrateLegacyEncryptedUsersToGCM migrates previously encrypted data using
 // legacy CBC encryption with a static IV to the new GCM encryption method.
-func migrateLegacyEncryptedUsersToGCM(ctx context.Context, db *gorm.DB, crypt *FieldEncrypt) error {
+func migrateLegacyEncryptedUsersToGCM(ctx context.Context, db *gorm.DB, crypt *crypt.FieldEncrypt) error {
 	model := &activity.DeletedUser{}

 	if !db.Migrator().HasTable(model) {
@@ -80,7 +81,7 @@ func migrateLegacyEncryptedUsersToGCM(ctx context.Context, db *gorm.DB, crypt *F
 	return nil
 }

-func updateDeletedUserData(transaction *gorm.DB, user activity.DeletedUser, crypt *FieldEncrypt) error {
+func updateDeletedUserData(transaction *gorm.DB, user activity.DeletedUser, crypt *crypt.FieldEncrypt) error {
 	var err error
 	var decryptedEmail, decryptedName string

--- a/management/server/activity/store/migration_test.go
+++ b/management/server/activity/store/migration_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/migration"
 	"github.com/netbirdio/netbird/management/server/testutil"
+	"github.com/netbirdio/netbird/util/crypt"
 )

 const (
@@ -40,10 +41,10 @@ func setupDatabase(t *testing.T) *gorm.DB {
 func TestMigrateLegacyEncryptedUsersToGCM(t *testing.T) {
 	db := setupDatabase(t)

-	key, err := GenerateKey()
+	key, err := crypt.GenerateKey()
 	require.NoError(t, err, "Failed to generate key")

-	crypt, err := NewFieldEncrypt(key)
+	crypt, err := crypt.NewFieldEncrypt(key)
 	require.NoError(t, err, "Failed to initialize FieldEncrypt")

 	t.Run("empty table, no migration required", func(t *testing.T) {
--- a/management/server/activity/store/sql_store.go
+++ b/management/server/activity/store/sql_store.go
@@ -18,6 +18,7 @@ import (

 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/util/crypt"
 )

 const (
@@ -45,12 +46,12 @@ type eventWithNames struct {
 // Store is the implementation of the activity.Store interface backed by SQLite
 type Store struct {
 	db           *gorm.DB
-	fieldEncrypt *FieldEncrypt
+	fieldEncrypt *crypt.FieldEncrypt
 }

 // NewSqlStore creates a new Store with an event table if not exists.
 func NewSqlStore(ctx context.Context, dataDir string, encryptionKey string) (*Store, error) {
-	crypt, err := NewFieldEncrypt(encryptionKey)
+	fieldEncrypt, err := crypt.NewFieldEncrypt(encryptionKey)
 	if err != nil {

 		return nil, err
@@ -61,7 +62,7 @@ func NewSqlStore(ctx context.Context, dataDir string, encryptionKey string) (*St
 		return nil, fmt.Errorf("initialize database: %w", err)
 	}

-	if err = migrate(ctx, crypt, db); err != nil {
+	if err = migrate(ctx, fieldEncrypt, db); err != nil {
 		return nil, fmt.Errorf("events database migration: %w", err)
 	}

@@ -72,7 +73,7 @@ func NewSqlStore(ctx context.Context, dataDir string, encryptionKey string) (*St

 	return &Store{
 		db:           db,
-		fieldEncrypt: crypt,
+		fieldEncrypt: fieldEncrypt,
 	}, nil
 }

--- a/management/server/activity/store/sql_store_test.go
+++ b/management/server/activity/store/sql_store_test.go
@@ -9,11 +9,12 @@ import (
 	"github.com/stretchr/testify/assert"

 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/util/crypt"
 )

 func TestNewSqlStore(t *testing.T) {
 	dataDir := t.TempDir()
-	key, _ := GenerateKey()
+	key, _ := crypt.GenerateKey()
 	store, err := NewSqlStore(context.Background(), dataDir, key)
 	if err != nil {
 		t.Fatal(err)