[management] Move activity store encryption to shared crypt package (#5111)

util/crypt/crypt_test.go

@@ -0,0 +1,139 @@
+package crypt
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGenerateKey(t *testing.T) {
+	key, err := GenerateKey()
+	require.NoError(t, err)
+	assert.NotEmpty(t, key)
+
+	_, err = NewFieldEncrypt(key)
+	assert.NoError(t, err)
+}
+
+func TestNewFieldEncrypt_InvalidKey(t *testing.T) {
+	tests := []struct {
+		name string
+		key  string
+	}{
+		{name: "invalid base64", key: "not-valid-base64!!!"},
+		{name: "too short", key: "c2hvcnQ="},
+		{name: "empty", key: ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := NewFieldEncrypt(tt.key)
+			assert.Error(t, err)
+		})
+	}
+}
+
+func TestEncryptDecrypt(t *testing.T) {
+	key, err := GenerateKey()
+	require.NoError(t, err)
+
+	ec, err := NewFieldEncrypt(key)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name  string
+		input string
+	}{
+		{name: "Empty String", input: ""},
+		{name: "Short String", input: "Hello"},
+		{name: "String with Spaces", input: "Hello, World!"},
+		{name: "Long String", input: "The quick brown fox jumps over the lazy dog."},
+		{name: "Unicode Characters", input: "こんにちは世界"},
+		{name: "Special Characters", input: "!@#$%^&*()_+-=[]{}|;':\",./<>?"},
+		{name: "Numeric String", input: "1234567890"},
+		{name: "Email Address", input: "user@example.com"},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			encrypted, err := ec.Encrypt(tc.input)
+			require.NoError(t, err)
+
+			decrypted, err := ec.Decrypt(encrypted)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.input, decrypted)
+		})
+	}
+}
+
+func TestEncrypt_DifferentCiphertexts(t *testing.T) {
+	key, err := GenerateKey()
+	require.NoError(t, err)
+
+	ec, err := NewFieldEncrypt(key)
+	require.NoError(t, err)
+
+	plaintext := "same plaintext"
+
+	// Encrypt the same plaintext multiple times
+	encrypted1, err := ec.Encrypt(plaintext)
+	require.NoError(t, err)
+
+	encrypted2, err := ec.Encrypt(plaintext)
+	require.NoError(t, err)
+
+	assert.NotEqual(t, encrypted1, encrypted2, "expected different ciphertexts for same plaintext (random nonce)")
+
+	// Both should decrypt to the same plaintext
+	decrypted1, err := ec.Decrypt(encrypted1)
+	require.NoError(t, err)
+
+	decrypted2, err := ec.Decrypt(encrypted2)
+	require.NoError(t, err)
+
+	assert.Equal(t, plaintext, decrypted1)
+	assert.Equal(t, plaintext, decrypted2)
+}
+
+func TestDecrypt_InvalidCiphertext(t *testing.T) {
+	key, err := GenerateKey()
+	assert.NoError(t, err)
+
+	ec, err := NewFieldEncrypt(key)
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name       string
+		ciphertext string
+	}{
+		{name: "invalid base64", ciphertext: "not-valid!!!"},
+		{name: "too short", ciphertext: "c2hvcnQ="},
+		{name: "corrupted", ciphertext: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo="},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			payload, err := ec.Decrypt(tt.ciphertext)
+			assert.Error(t, err)
+			assert.Empty(t, payload)
+		})
+	}
+}
+
+func TestDecrypt_WrongKey(t *testing.T) {
+	key1, _ := GenerateKey()
+	key2, _ := GenerateKey()
+
+	ec1, _ := NewFieldEncrypt(key1)
+	ec2, _ := NewFieldEncrypt(key2)
+
+	plaintext := "secret data"
+	encrypted, _ := ec1.Encrypt(plaintext)
+
+	// Try to decrypt with wrong key
+	payload, err := ec2.Decrypt(encrypted)
+	assert.Error(t, err)
+	assert.Empty(t, payload)
+}

util/crypt/legacy.go

@@ -0,0 +1,71 @@
+package crypt
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/base64"
+	"fmt"
+)
+
+// legacyIV is the static IV used by the legacy CBC encryption.
+// Deprecated: This is kept only for backward compatibility with existing encrypted data.
+var legacyIV = []byte{10, 22, 13, 79, 05, 8, 52, 91, 87, 98, 88, 98, 35, 25, 13, 05}
+
+// LegacyEncrypt encrypts plaintext using AES-CBC with a static IV.
+// Deprecated: Use Encrypt instead. This method is kept only for backward compatibility.
+func (f *FieldEncrypt) LegacyEncrypt(plaintext string) string {
+	padded := pkcs5Padding([]byte(plaintext))
+	ciphertext := make([]byte, len(padded))
+	cbc := cipher.NewCBCEncrypter(f.block, legacyIV)
+	cbc.CryptBlocks(ciphertext, padded)
+	return base64.StdEncoding.EncodeToString(ciphertext)
+}
+
+// LegacyDecrypt decrypts ciphertext that was encrypted using AES-CBC with a static IV.
+// Deprecated: This method is kept only for backward compatibility with existing encrypted data.
+func (f *FieldEncrypt) LegacyDecrypt(ciphertext string) (string, error) {
+	data, err := base64.StdEncoding.DecodeString(ciphertext)
+	if err != nil {
+		return "", fmt.Errorf("decode ciphertext: %w", err)
+	}
+
+	cbc := cipher.NewCBCDecrypter(f.block, legacyIV)
+	cbc.CryptBlocks(data, data)
+
+	plaintext, err := pkcs5UnPadding(data)
+	if err != nil {
+		return "", fmt.Errorf("unpad plaintext: %w", err)
+	}
+
+	return string(plaintext), nil
+}
+
+// pkcs5Padding adds PKCS#5 padding to the input.
+func pkcs5Padding(data []byte) []byte {
+	padding := aes.BlockSize - len(data)%aes.BlockSize
+	padText := bytes.Repeat([]byte{byte(padding)}, padding)
+	return append(data, padText...)
+}
+
+// pkcs5UnPadding removes PKCS#5 padding from the input.
+func pkcs5UnPadding(data []byte) ([]byte, error) {
+	length := len(data)
+	if length == 0 {
+		return nil, fmt.Errorf("input data is empty")
+	}
+
+	paddingLen := int(data[length-1])
+	if paddingLen == 0 || paddingLen > aes.BlockSize || paddingLen > length {
+		return nil, fmt.Errorf("invalid padding size")
+	}
+
+	// Verify that all padding bytes are the same
+	for i := 0; i < paddingLen; i++ {
+		if data[length-1-i] != byte(paddingLen) {
+			return nil, fmt.Errorf("invalid padding")
+		}
+	}
+
+	return data[:length-paddingLen], nil
+}

util/crypt/legacy_test.go

@@ -0,0 +1,164 @@
+package crypt
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLegacyEncryptDecrypt(t *testing.T) {
+	testData := "exampl@netbird.io"
+	key, err := GenerateKey()
+	require.NoError(t, err)
+
+	ec, err := NewFieldEncrypt(key)
+	require.NoError(t, err)
+
+	encrypted := ec.LegacyEncrypt(testData)
+	assert.NotEmpty(t, encrypted)
+
+	decrypted, err := ec.LegacyDecrypt(encrypted)
+	require.NoError(t, err)
+
+	assert.Equal(t, testData, decrypted)
+}
+
+func TestLegacyEncryptDecryptVariousInputs(t *testing.T) {
+	key, err := GenerateKey()
+	require.NoError(t, err)
+
+	ec, err := NewFieldEncrypt(key)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name  string
+		input string
+	}{
+		{name: "Empty String", input: ""},
+		{name: "Short String", input: "Hello"},
+		{name: "String with Spaces", input: "Hello, World!"},
+		{name: "Long String", input: "The quick brown fox jumps over the lazy dog."},
+		{name: "Unicode Characters", input: "こんにちは世界"},
+		{name: "Special Characters", input: "!@#$%^&*()_+-=[]{}|;':\",./<>?"},
+		{name: "Numeric String", input: "1234567890"},
+		{name: "Repeated Characters", input: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
+		{name: "Multi-block String", input: "This is a longer string that will span multiple blocks in the encryption algorithm."},
+		{name: "Non-ASCII and ASCII Mix", input: "Hello 世界 123"},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			encrypted := ec.LegacyEncrypt(tc.input)
+			assert.NotEmpty(t, encrypted)
+
+			decrypted, err := ec.LegacyDecrypt(encrypted)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.input, decrypted)
+		})
+	}
+}
+
+func TestPKCS5UnPadding(t *testing.T) {
+	tests := []struct {
+		name        string
+		input       []byte
+		expected    []byte
+		expectError bool
+	}{
+		{
+			name:     "Valid Padding",
+			input:    append([]byte("Hello, World!"), bytes.Repeat([]byte{4}, 4)...),
+			expected: []byte("Hello, World!"),
+		},
+		{
+			name:        "Empty Input",
+			input:       []byte{},
+			expectError: true,
+		},
+		{
+			name:        "Padding Length Zero",
+			input:       append([]byte("Hello, World!"), bytes.Repeat([]byte{0}, 4)...),
+			expectError: true,
+		},
+		{
+			name:        "Padding Length Exceeds Block Size",
+			input:       append([]byte("Hello, World!"), bytes.Repeat([]byte{17}, 17)...),
+			expectError: true,
+		},
+		{
+			name:        "Padding Length Exceeds Input Length",
+			input:       []byte{5, 5, 5},
+			expectError: true,
+		},
+		{
+			name:        "Invalid Padding Bytes",
+			input:       append([]byte("Hello, World!"), []byte{2, 3, 4, 5}...),
+			expectError: true,
+		},
+		{
+			name:     "Valid Single Byte Padding",
+			input:    append([]byte("Hello, World!"), byte(1)),
+			expected: []byte("Hello, World!"),
+		},
+		{
+			name:        "Invalid Mixed Padding Bytes",
+			input:       append([]byte("Hello, World!"), []byte{3, 3, 2}...),
+			expectError: true,
+		},
+		{
+			name:     "Valid Full Block Padding",
+			input:    append([]byte("Hello, World!"), bytes.Repeat([]byte{16}, 16)...),
+			expected: []byte("Hello, World!"),
+		},
+		{
+			name:        "Non-Padding Byte at End",
+			input:       append([]byte("Hello, World!"), []byte{4, 4, 4, 5}...),
+			expectError: true,
+		},
+		{
+			name:     "Valid Padding with Different Text Length",
+			input:    append([]byte("Test"), bytes.Repeat([]byte{12}, 12)...),
+			expected: []byte("Test"),
+		},
+		{
+			name:     "Padding Length Equal to Input Length",
+			input:    bytes.Repeat([]byte{8}, 8),
+			expected: []byte{},
+		},
+		{
+			name:        "Invalid Padding Length Zero (Again)",
+			input:       append([]byte("Test"), byte(0)),
+			expectError: true,
+		},
+		{
+			name:        "Padding Length Greater Than Input",
+			input:       []byte{10},
+			expectError: true,
+		},
+		{
+			name:     "Input Length Not Multiple of Block Size",
+			input:    append([]byte("Invalid Length"), byte(1)),
+			expected: []byte("Invalid Length"),
+		},
+		{
+			name:     "Valid Padding with Non-ASCII Characters",
+			input:    append([]byte("こんにちは"), bytes.Repeat([]byte{2}, 2)...),
+			expected: []byte("こんにちは"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := pkcs5UnPadding(tt.input)
+			if tt.expectError {
+				assert.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				assert.Equal(t, tt.expected, result)
+			}
+		})
+	}
+}