@highstate/backend 0.9.16 → 0.9.19

package/src/business/project-unlock.ts

@@ -1,37 +1,43 @@
-import type { StateBatch, StateManager } from "../state"
 import type { Logger } from "pino"
-import type { HotStateManager } from "../hotstate"
+import type { DatabaseManager } from "../database"
 import type { PubSubManager } from "../pubsub"
+import type { ProjectUnlockBackend } from "../unlock"
 import { randomBytes } from "node:crypto"
 import { armor, Decrypter, Encrypter } from "age-encryption"
-import { type ProjectUnlockState, type UnlockMethod } from "../shared"
+import { z } from "zod"
+import { createProjectLogger } from "../common"
+import {
+  CannotDeleteLastUnlockMethodError,
+  ProjectNotFoundError,
+  type ProjectUnlockState,
+  type ProjectUnlockSuite,
+  type UnlockMethodInput,
+} from "../shared"
 
 type UnlockTask = {
   name: string
   handler: (projectId: string) => Promise<void> | void
 }
 
+export const projectUnlockServiceConfig = z.object({
+  HIGHSTATE_ENCRYPTION_ENABLED: z.stringbool().default(true),
+  HIGHSTATE_DEV_AUTO_UNLOCK_PROJECT_IDS: z
+    .string()
+    .transform(val => val?.split(",") ?? [])
+    .default([]),
+})
+
 export class ProjectUnlockService {
   constructor(
-    private readonly stateManager: StateManager,
-    private readonly hotStateManager: HotStateManager,
+    private readonly database: DatabaseManager,
     private readonly pubsubManager: PubSubManager,
+    private readonly projectUnlockBackend: ProjectUnlockBackend,
+    private readonly config: z.infer<typeof projectUnlockServiceConfig>,
     private readonly logger: Logger,
   ) {}
 
   private readonly unlockTasks: UnlockTask[] = []
 
-  /**
-   * Checks if the project is unlocked.
-   * A project is considered locked if it has no master key set in memory.
-   *
-   * @param projectId The ID of the project to check.
-   * @returns True if the project is locked, false otherwise.
-   */
-  async isProjectUnlocked(projectId: string): Promise<boolean> {
-    return await this.hotStateManager.exists(["project-master-key", projectId])
-  }
-
   /**
    * Gets the current unlock state of the project.
    * If the project is unlocked, it returns an object with type "unlocked".
@@ -41,41 +47,59 @@ export class ProjectUnlockService {
    * @returns The unlock state of the project.
    */
   async getProjectUnlockState(projectId: string): Promise<ProjectUnlockState> {
-    const isUnlocked = await this.isProjectUnlocked(projectId)
+    const isUnlocked = await this.projectUnlockBackend.checkProjectUnlocked(projectId)
     if (isUnlocked) {
       return { type: "unlocked" }
     }
 
-    const unlockSuite = await this.stateManager.getProjectUnlockSuiteRepository().get(projectId)
+    const project = await this.database.backend.project.findUnique({
+      where: { id: projectId },
+      select: { unlockSuite: true },
+    })
+
+    if (!project) {
+      throw new ProjectNotFoundError(projectId)
+    }
+
     return {
       type: "locked",
-      unlockSuite,
+      unlockSuite: project.unlockSuite,
     }
   }
 
   /**
-   * Creates a new project state and generates a master key for it.
+   * Sets up the project database by creating a master key and unlock suite with the provided unlock method.
+   *
+   * Creates databases, configures encryption and persists the unlock method inside the project database.
+   *
+   * Then returns the encrypted master key and the unlock suite for further persisting in the backend database.
    *
    * @param projectId The ID of the project to create the state for.
    * @param unlockMethod The unlock method to use to encrypt the master key. Should be provided by the frontend.
    */
-  async createProjectState(projectId: string, unlockMethod: UnlockMethod): Promise<void> {
+  async setupProjectDatabase(
+    projectId: string,
+    unlockMethodInput: UnlockMethodInput,
+  ): Promise<[encryptedMasterKey: string, unlockSuite: ProjectUnlockSuite]> {
+    // generate a new master key for the project
     const masterKey = randomBytes(32)
-    await using batch = this.stateManager.batch()
 
-    // unlock the project by storing the master key in memory
-    await this.hotStateManager.set(["project-master-key", projectId], masterKey)
+    // set the master key to setup the database encryption
+    await this.projectUnlockBackend.unlockProject(projectId, masterKey)
+
+    const encryptedMasterKey = await this.encryptProjectMasterKey(projectId, [unlockMethodInput])
 
-    // store the master key in the backend
-    await this.updateUnlockSuite(projectId, [unlockMethod], batch)
-    await this.updateEncryptedMasterKey(projectId, [unlockMethod], batch, masterKey)
+    const database = await this.database.setupDatabase(projectId)
 
-    // persist the unlock method as any other project data
-    await this.stateManager
-      .getUnlockMethodRepository(projectId)
-      .put(unlockMethod.id, unlockMethod, batch)
+    // persist unlock method (now we can do it since the database is set up and unlocked)
+    await database.unlockMethod.create({ data: unlockMethodInput })
 
-    await batch.write()
+    const unlockSuite: ProjectUnlockSuite = {
+      encryptedIdentities: [unlockMethodInput.encryptedIdentity],
+      hasPasskey: unlockMethodInput.type === "passkey",
+    }
+
+    return [encryptedMasterKey, unlockSuite]
   }
 
   /**
@@ -85,7 +109,7 @@ export class ProjectUnlockService {
    * @param decryptedIdentity The decrypted identity to use for unlocking the project. Should be provided by the frontend.
    */
   async unlockProject(projectId: string, decryptedIdentity: string): Promise<void> {
-    if (await this.isProjectUnlocked(projectId)) {
+    if (await this.projectUnlockBackend.checkProjectUnlocked(projectId)) {
       this.logger.warn(
         { projectId },
         `project "%s" is already unlocked, skipping unlock operation`,
@@ -95,12 +119,24 @@ export class ProjectUnlockService {
     }
 
     // load the encrypted master key for the project
-    const armoredMasterKey = await this.stateManager.getProjectMasterKeyRepository().get(projectId)
-    if (!armoredMasterKey) {
-      throw new Error(`Project ${projectId} does not have a master key set.`)
+    const project = await this.database.backend.project.findUnique({
+      where: { id: projectId },
+      select: { encryptedMasterKey: true },
+    })
+
+    if (!project) {
+      throw new ProjectNotFoundError(projectId)
     }
 
-    const encryptedMasterKey = armor.decode(armoredMasterKey)
+    if (!this.config.HIGHSTATE_ENCRYPTION_ENABLED) {
+      // no cryptography, just unlock with an empty master key
+      await this.projectUnlockBackend.unlockProject(projectId, Buffer.alloc(0))
+      await this.pubsubManager.publish(["project-unlock-state", projectId], { type: "unlocked" })
+      await this.runUnlockTasks(projectId)
+      return
+    }
+
+    const encryptedMasterKey = armor.decode(project.encryptedMasterKey)
 
     const decrypter = new Decrypter()
     decrypter.addIdentity(decryptedIdentity)
@@ -108,20 +144,8 @@ export class ProjectUnlockService {
     // decrypt the master key using the provided identity
     const masterKey = await decrypter.decrypt(encryptedMasterKey)
 
-    // store the master key in memory to unlock the project
-    await this.hotStateManager.set(["project-master-key", projectId], masterKey)
-
-    // load instance states to the hot state
-    // TODO: this should be done by something else, ideally lazy-loaded when needed
-    const instanceStates = await this.stateManager
-      .getInstanceStateRepository(projectId)
-      .getAllItems()
-
-    await this.hotStateManager.hmset(
-      ["instance-states", projectId],
-      instanceStates.map(state => [state.id, state]),
-    )
-
+    // unlock the project in the backend
+    await this.projectUnlockBackend.unlockProject(projectId, Buffer.from(masterKey))
     await this.pubsubManager.publish(["project-unlock-state", projectId], { type: "unlocked" })
 
     // run unlock tasks
@@ -143,24 +167,37 @@ export class ProjectUnlockService {
    * The project must be unlocked.
    *
    * @param projectId The ID of the project to add the unlock method to.
-   * @param unlockMethod The unlock method to add. Should be provided by the frontend.
+   * @param inputUnlockMethod The unlock method to add. Should be provided by the frontend.
    */
-  async addProjectUnlockMethod(projectId: string, unlockMethod: UnlockMethod): Promise<void> {
-    await using batch = this.stateManager.batch()
-
-    // add the unlock method to the repository
-    await this.stateManager
-      .getUnlockMethodRepository(projectId)
-      .put(unlockMethod.id, unlockMethod, batch)
-
-    // get all existing unlock methods
-    const existingMethods = await this.stateManager
-      .getUnlockMethodRepository(projectId)
-      .getAllItems()
-
-    // update the encrypted master identity set and master key
-    await this.updateUnlockSuite(projectId, existingMethods, batch)
-    await this.updateEncryptedMasterKey(projectId, existingMethods, batch)
+  async addProjectUnlockMethod(
+    projectId: string,
+    inputUnlockMethod: UnlockMethodInput,
+  ): Promise<void> {
+    const database = await this.database.forProject(projectId)
+
+    await database.$transaction(async tx => {
+      // 1. fetch all unlock method recipients for the project
+      const unlockMethods = await tx.unlockMethod.findMany({
+        select: { type: true, recipient: true, encryptedIdentity: true },
+      })
+
+      const allUnlockMethods = [...unlockMethods, inputUnlockMethod]
+
+      // 2. encrypt the project data for all recipients + the new recipient
+      const encryptedMasterKey = await this.encryptProjectMasterKey(projectId, allUnlockMethods)
+
+      // 3. persist the new unlock method
+      await tx.unlockMethod.create({ data: inputUnlockMethod })
+
+      // 4. update the project with the new master key and unlock suite
+      await this.database.backend.project.update({
+        where: { id: projectId },
+        data: {
+          encryptedMasterKey,
+          unlockSuite: ProjectUnlockService.createUnlockSuite(allUnlockMethods),
+        },
+      })
+    })
   }
 
   /**
@@ -171,25 +208,34 @@ export class ProjectUnlockService {
    * @param unlockMethodId The ID of the unlock method to remove.
    */
   async removeProjectUnlockMethod(projectId: string, unlockMethodId: string): Promise<void> {
-    await using batch = this.stateManager.batch()
-
-    // get all existing unlock methods
-    let existingMethods = await this.stateManager.getUnlockMethodRepository(projectId).getAllItems()
-
-    // do not allow removing the last unlock method under any circumstances
-    if (existingMethods.length === 1) {
-      throw new Error("Rejected removing the last unlock method!")
-    }
+    const database = await this.database.forProject(projectId)
 
-    // remove the unlock method from the repository
-    await this.stateManager.getUnlockMethodRepository(projectId).delete(unlockMethodId, batch)
-    existingMethods = existingMethods.filter(method => method.id !== unlockMethodId)
+    await database.$transaction(async tx => {
+      // 1. fetch all unlock methods except the one to remove
+      const unlockMethods = await tx.unlockMethod.findMany({
+        where: { id: { not: unlockMethodId } },
+        select: { type: true, recipient: true, encryptedIdentity: true },
+      })
 
-    // update the encrypted master identity set and master key
-    await this.updateUnlockSuite(projectId, existingMethods, batch)
-    await this.updateEncryptedMasterKey(projectId, existingMethods, batch)
+      if (unlockMethods.length === 0) {
+        throw new CannotDeleteLastUnlockMethodError(projectId)
+      }
 
-    await batch.write()
+      // 2. encrypt the project data for remaining recipients
+      const encryptedMasterKey = await this.encryptProjectMasterKey(projectId, unlockMethods)
+
+      // 3. delete the unlock method
+      await tx.unlockMethod.delete({ where: { id: unlockMethodId } })
+
+      // 4. update the project with the new master key and unlock suite
+      await this.database.backend.project.update({
+        where: { id: projectId },
+        data: {
+          encryptedMasterKey,
+          unlockSuite: ProjectUnlockService.createUnlockSuite(unlockMethods),
+        },
+      })
+    })
   }
 
   /**
@@ -203,40 +249,54 @@ export class ProjectUnlockService {
     this.unlockTasks.push({ name, handler })
   }
 
-  private async updateUnlockSuite(
+  private async encryptProjectMasterKey(
     projectId: string,
-    unlockMethods: UnlockMethod[],
-    batch: StateBatch,
-  ): Promise<void> {
-    // write new encrypted master identity set
-    await this.stateManager.getProjectUnlockSuiteRepository().put(
-      projectId,
-      {
-        encryptedIdentities: unlockMethods.map(method => method.encryptedIdentity),
-        hasPasskey: unlockMethods.some(method => method.type === "passkey"),
-      },
-      batch,
-    )
-  }
-
-  private async updateEncryptedMasterKey(
-    projectId: string,
-    unlockMethods: UnlockMethod[],
-    batch: StateBatch,
-    masterKey?: Uint8Array,
-  ): Promise<void> {
-    masterKey ??= await this.stateManager.getProjectMasterKey(projectId)
+    unlockMethods: { recipient: string }[],
+  ): Promise<string> {
+    const masterKey = await this.database.getProjectMasterKey(projectId)
+    if (!masterKey) {
+      // окак
+      return "encryption disabled"
+    }
 
+    // encrypt the master key for all unlock methods
     const encrypter = new Encrypter()
-    for (const method of unlockMethods) {
-      encrypter.addRecipient(method.recipient)
+    for (const unlockMethod of unlockMethods) {
+      encrypter.addRecipient(unlockMethod.recipient)
     }
 
-    // encrypt the master key for all unlock methods
     const encryptedMasterKey = await encrypter.encrypt(masterKey)
-
-    // set the encrypted master key in the backend
     const armoredMasterKey = armor.encode(encryptedMasterKey)
-    await this.stateManager.getProjectMasterKeyRepository().put(projectId, armoredMasterKey, batch)
+
+    return armoredMasterKey
+  }
+
+  /**
+   * Auto-unlocks the projects for the development environment.
+   */
+  async autoUnlockProjects(): Promise<void> {
+    // just mark the projects as unlocked with an empty master key and run unlock tasks
+    for (const projectId of this.config.HIGHSTATE_DEV_AUTO_UNLOCK_PROJECT_IDS) {
+      const logger = createProjectLogger(this.logger, projectId)
+
+      try {
+        logger.info("auto-unlocking project (dev mode)")
+
+        await this.projectUnlockBackend.unlockProject(projectId, Buffer.alloc(0))
+        await this.pubsubManager.publish(["project-unlock-state", projectId], { type: "unlocked" })
+        await this.runUnlockTasks(projectId)
+      } catch (error) {
+        logger.error({ error }, "failed to auto-unlock project")
+      }
+    }
+  }
+
+  private static createUnlockSuite(
+    unlockMethods: { type: string; encryptedIdentity: string }[],
+  ): ProjectUnlockSuite {
+    return {
+      encryptedIdentities: unlockMethods.map(method => method.encryptedIdentity),
+      hasPasskey: unlockMethods.some(method => method.type === "passkey"),
+    }
   }
 }