@lifeready/core 1.0.0 → 1.0.1

package/src/lib/trusted-parties/tp-password-reset.service.ts

@@ -0,0 +1,482 @@
+import { Injectable, Injector, NgZone } from '@angular/core';
+import { KeyService } from '../cryptography/key.service';
+import { EncryptionService } from '../cryptography/encryption.service';
+import {
+  CreateTpPasswordResetMutation,
+  DeleteTpPasswordResetMutation,
+  TpPasswordResetQuery,
+  UpdateTpPasswordResetMutation,
+  CancelTpPasswordResetRequestMutation,
+} from './tp-password-reset.gql';
+import { KeyGraphService } from '../cryptography/key-graph.service';
+import * as slip from '../cryptography/slip39.service';
+import {
+  LrBadArgumentException,
+  LrBadLogicException,
+} from '../_common/exceptions';
+import { PartialAssemblyKey } from '../scenario/scenario.types';
+import { JWK } from 'node-jose';
+import { Key } from '../cryptography/cryptography.types';
+import { KeyFactoryService } from '../cryptography/key-factory.service';
+import { LrGraphQLService, LrMutation, LrService } from '../api/lr-graphql';
+import { TpNode } from '../api/types';
+import { RunOutsideAngular } from '../_common/run-outside-angular';
+
+export class CreateSubAssembliesInput {
+  name: string;
+  quorum: number;
+  singleReject: boolean;
+  approverTps: TpNode[];
+}
+
+export class UpdateSubAssembliesInput extends CreateSubAssembliesInput {
+  id: string;
+}
+
+export class CreateTpPasswordResetInput {
+  quorum: number;
+  singleReject: boolean;
+  createSubAssemblies: CreateSubAssembliesInput[];
+}
+
+export class UpdateTpPasswordResetInput extends CreateTpPasswordResetInput {
+  updateSubAssemblies: UpdateSubAssembliesInput[];
+}
+
+export interface TpAssemblyApprovers {
+  id: string;
+  tp: {
+    id: string;
+  };
+  sharedKey: Key;
+  sharedCipherData?: string;
+  sharedCipherDataClearJson?: any;
+  sharedCipherApprovalData?: string;
+  sharedCipherApprovalDataClearJson?: any;
+}
+
+export interface TpSubAssembly {
+  id: string;
+  singleReject: boolean;
+  quorum: number;
+  subjectCipherData: string;
+  plainSubjectCipherData: any;
+  approvers: TpAssemblyApprovers[];
+}
+
+export interface TpAssembly {
+  singleReject: boolean;
+  quorum: number;
+  subjectKey: Key;
+  assemblyKey: Key;
+  assemblyCipherData: string;
+  plainAssemblyCipherData: any;
+  subAssemblies: TpSubAssembly[];
+}
+
+export interface TpPasswordReset {
+  id: string;
+  assembly: TpAssembly;
+  applied: boolean;
+}
+
+export interface RequestResetResult {
+  id: string;
+  associate_reset_user_token: string;
+  reset_username: string;
+}
+
+@RunOutsideAngular({
+  ngZoneName: 'ngZone',
+})
+@Injectable({
+  providedIn: 'root',
+})
+export class TpPasswordResetService extends LrService {
+  public static SLIP39_PASSPHRASE = 'lifeready';
+
+  constructor(
+    private ngZone: NgZone,
+    private injector: Injector,
+    private keyService: KeyService,
+    private keyFactory: KeyFactoryService,
+    private encryptionService: EncryptionService,
+    private keyGraph: KeyGraphService,
+    private slip39Service: slip.Slip39Service
+  ) {
+    super(injector);
+  }
+
+  async getReset() {
+    return (
+      await this.query({
+        query: TpPasswordResetQuery,
+      })
+    ).tpPasswordReset;
+  }
+
+  createReset(input: CreateTpPasswordResetInput) {
+    return this.mutate(this.createResetMutation(input));
+  }
+
+  async createResetMutation(input: CreateTpPasswordResetInput) {
+    const { mutationInput } = await this._createReset(
+      input,
+      async (rawAssemblyKey) => {
+        return this.prepareSlip39(
+          input.createSubAssemblies,
+          input.quorum,
+          rawAssemblyKey
+        );
+      }
+    );
+
+    return new LrMutation({
+      mutation: CreateTpPasswordResetMutation,
+      variables: {
+        input: mutationInput,
+      },
+    });
+  }
+
+  deleteReset() {
+    return this.mutate(this.deleteResetMutation());
+  }
+
+  deleteResetMutation() {
+    return new LrMutation({
+      mutation: DeleteTpPasswordResetMutation,
+    });
+  }
+
+  updateReset(input: UpdateTpPasswordResetInput) {
+    return this.mutate(this.updateResetMutation(input));
+  }
+
+  async updateResetMutation(input: UpdateTpPasswordResetInput) {
+    const passwordReset = await this.getReset();
+
+    const {
+      mutationInput,
+      subjectKey,
+      slipAssembly,
+      assemblyKeyParams,
+    } = await this._createReset(input, async (rawAssemblyKey) => {
+      return this.prepareSlip39(
+        input.createSubAssemblies.concat(input.updateSubAssemblies),
+        input.quorum,
+        rawAssemblyKey
+      );
+    });
+
+    const updateSubAssemblies = await Promise.all(
+      input.updateSubAssemblies.map(async (sa, saIndex) => {
+        const subjectCipherData = await this.encryptionService.encryptToString(
+          subjectKey,
+          {
+            name: sa.name,
+          }
+        );
+
+        // Get the existing sub-assembly
+        const existingSa = passwordReset.assembly.subAssemblies.edges.find(
+          (edge) => edge.node.id === sa.id
+        ).node;
+
+        // Get approvers that do not exist yet
+        const createApprovers = [];
+        const updateApprovers = [];
+
+        sa.approverTps.forEach((tp) => {
+          const approver = existingSa.approvers.edges.find(
+            (edge) => edge.node.tp.id === tp.id
+          )?.node;
+          if (approver) {
+            updateApprovers.push({
+              tp,
+              approverId: approver.id,
+            });
+          } else {
+            createApprovers.push({
+              tp,
+            });
+          }
+        });
+
+        return {
+          subAssemblyId: sa.id,
+          singleReject: sa.singleReject,
+          quorum: sa.quorum,
+          subjectCipherData,
+          createApprovers: await Promise.all(
+            createApprovers.map(async ({ tp }, approverIndex) =>
+              this.prepareApprover({
+                tp,
+                approverIndex,
+                saIndex: saIndex + input.createSubAssemblies.length, // slipAssembly is all sub-assemblies combined
+                slipAssembly,
+                assemblyKeyParams,
+                subjectKey,
+              })
+            )
+          ),
+          updateApprovers: await Promise.all(
+            updateApprovers.map(async ({ tp, approverId }, approverIndex) =>
+              this.prepareApprover({
+                approverId,
+                tp,
+                approverIndex: approverIndex + createApprovers.length,
+                saIndex: saIndex + input.createSubAssemblies.length, // slipAssembly is all sub-assemblies combined
+                slipAssembly,
+                assemblyKeyParams,
+                subjectKey,
+              })
+            )
+          ),
+        };
+      })
+    );
+
+    return new LrMutation({
+      mutation: UpdateTpPasswordResetMutation,
+      variables: {
+        input: {
+          ...mutationInput,
+          assembly: {
+            ...mutationInput.assembly,
+            updateSubAssemblies,
+          },
+        },
+      },
+    });
+  }
+
+  cancelResetRequest() {
+    return this.mutate(this.cancelResetRequestMutation());
+  }
+
+  cancelResetRequestMutation() {
+    return new LrMutation({
+      mutation: CancelTpPasswordResetRequestMutation,
+    });
+  }
+
+  validateApprovers(approvers: TpNode[]): void {
+    // Ensure all approvers have mkSharedKey.
+    for (const tp of approvers) {
+      if (!tp.currentUserSharedKey.userSharedKey.mkSharedKey) {
+        const msg = `tp ${tp.other.username} does not have mkSharedKey`;
+        console.log(msg);
+        throw new LrBadArgumentException(msg);
+      }
+    }
+  }
+
+  private async prepareApprover({
+    approverId,
+    tp,
+    approverIndex,
+    saIndex,
+    slipAssembly,
+    assemblyKeyParams,
+    subjectKey,
+  }: {
+    approverId?: string;
+    tp: TpNode;
+    approverIndex: number;
+    saIndex: number;
+    slipAssembly: slip.Assembly;
+    assemblyKeyParams: object;
+    subjectKey: JWK.Key;
+  }) {
+    if (!tp.currentUserSharedKey.userSharedKey.mkSharedKey) {
+      throw new LrBadArgumentException(
+        `Tp ${tp.other.username} does not have mkSharedKey. Need to reshared it first.`
+      );
+    }
+
+    const sharedKey = await this.keyFactory.createKey();
+    const tpMkSharedKey = await this.keyGraph.getKey(
+      tp.currentUserSharedKey.userSharedKey.mkSharedKey.id
+    );
+    // For TP to access shared_key
+    const tpMkSharedKeyWrappedSharedKey = await this.encryptionService.encryptToString(
+      tpMkSharedKey.jwk,
+      sharedKey.toJSON(true)
+    );
+    // For subject to access shared_key
+    const subjectKeyWrappedSharedKey = await this.encryptionService.encryptToString(
+      subjectKey,
+      sharedKey.toJSON(true)
+    );
+
+    const saSlip = slipAssembly.subAssemblies[saIndex];
+    if (saSlip.index !== saIndex) {
+      // Paranoia
+      throw new LrBadLogicException(
+        'slip sub assembly index should match with array index'
+      );
+    }
+
+    // If quorum is 1, then using the same share for every member.
+    const share =
+      saSlip.threshold === 1 ? saSlip.shares[0] : saSlip.shares[approverIndex];
+
+    const partialAssemblyKey: PartialAssemblyKey = {
+      slip39: {
+        share,
+        subAssembly: {
+          quorum: saSlip.threshold,
+          size: saSlip.size,
+        },
+      },
+      assemblyKeyParams,
+    };
+
+    console.log('partialAssemblyKey', partialAssemblyKey);
+
+    return {
+      tpMkSharedKeyId: tpMkSharedKey.id,
+      tpMkSharedKeyWrappedSharedKey,
+      subjectKeyWrappedSharedKey,
+      sharedCipherData: await this.encryptionService.encryptToString(
+        sharedKey,
+        { a: '123' }
+      ),
+      sharedCipherApprovalData: '',
+      sharedCipherPartialAssemblyKey: await this.encryptionService.encryptToString(
+        sharedKey,
+        partialAssemblyKey
+      ),
+      approverId: approverId || void 0,
+      tpId: approverId ? void 0 : tp.id,
+    };
+  }
+
+  // Prepare slip39
+  private async prepareSlip39(
+    subAssemblies,
+    assemblyQuorum: number,
+    rawAssemblyKey: string
+  ): Promise<slip.Assembly> {
+    // Is there enough sub assemblies to meet quorum
+    if (subAssemblies.length < assemblyQuorum) {
+      throw new LrBadArgumentException(
+        'Not enough sub assemblies to meet quorum'
+      );
+    }
+
+    const slipAssembly = new slip.Assembly(assemblyQuorum);
+
+    subAssemblies.forEach((sa, index) => {
+      let approverCount = sa.approverTps.length;
+
+      // slip39 restricts quorum == 1 to have only 1 member. So we just share the same
+      // partial key for all sub assembly members.
+      if (sa.quorum === 1) {
+        approverCount = 1;
+      }
+      slipAssembly.addSubAssembly(
+        new slip.SubAssembly(index, sa.quorum, approverCount)
+      );
+    });
+
+    await this.slip39Service.generateShares(
+      rawAssemblyKey,
+      TpPasswordResetService.SLIP39_PASSPHRASE,
+      slipAssembly
+    );
+    return slipAssembly;
+  }
+
+  private async _createReset(
+    input: CreateTpPasswordResetInput,
+    createSlipAssembly
+  ): Promise<any> {
+    // Create subject key
+    const masterKey = await this.keyService.getCurrentMasterKey();
+    const subjectKey = await this.keyFactory.createKey();
+    const assemblyKey = await this.keyFactory.createKey();
+    const { k: rawAssemblyKey, ...assemblyKeyParams } = assemblyKey.toJSON(
+      true
+    ) as any;
+    const assemblyKeyVerifierPrk = await this.keyFactory.createPkcSignKey();
+    const wrappedAssemblyKeyVerifierPrk = await this.encryptionService.encryptToString(
+      assemblyKey,
+      assemblyKeyVerifierPrk.toJSON(true)
+    );
+
+    const masterKeyWrappedSubjectKey = await this.encryptionService.encryptToString(
+      masterKey.jwk,
+      subjectKey.toJSON(true)
+    );
+    const subjectKeyWrappedAssemblyKey = await this.encryptionService.encryptToString(
+      subjectKey,
+      assemblyKey.toJSON(true)
+    );
+
+    // Encrypt the rootKey with the assemblyKey
+    const rootKey = await this.keyService.getCurrentRootKey();
+
+    const assemblyCipherData = await this.encryptionService.encryptToString(
+      assemblyKey,
+      {
+        rootKey: rootKey.jwk.toJSON(true),
+      }
+    );
+
+    const slipAssembly = await createSlipAssembly(rawAssemblyKey);
+    // const slipAssembly = await this.prepareSlip39(input.createSubAssemblies, input.quorum, rawAssemblyKey);
+
+    const createSubAssemblies = await Promise.all(
+      input.createSubAssemblies.map(async (sa, saIndex) => {
+        const subjectCipherData = await this.encryptionService.encryptToString(
+          subjectKey,
+          {
+            name: sa.name,
+          }
+        );
+
+        return {
+          singleReject: sa.singleReject,
+          quorum: sa.quorum,
+          subjectCipherData,
+          createApprovers: await Promise.all(
+            sa.approverTps.map(async (approverTp, approverIndex) =>
+              this.prepareApprover({
+                tp: approverTp,
+                approverIndex,
+                saIndex,
+                slipAssembly,
+                assemblyKeyParams,
+                subjectKey,
+              })
+            )
+          ),
+        };
+      })
+    );
+
+    return {
+      subjectKey,
+      slipAssembly,
+      assemblyKeyParams,
+      mutationInput: {
+        assembly: {
+          singleReject: input.singleReject,
+          quorum: input.quorum,
+          masterKeyId: masterKey.id,
+          masterKeyWrappedSubjectKey,
+          subjectKeyWrappedAssemblyKey,
+          subjectCipherData: '',
+          assemblyCipherData,
+          createSubAssemblies,
+          assemblyKeyVerifierPbk: JSON.stringify(
+            assemblyKeyVerifierPrk.toJSON()
+          ),
+          wrappedAssemblyKeyVerifierPrk,
+        },
+      },
+    };
+  }
+}

package/src/lib/trusted-parties/trusted-party.gql.ts

@@ -0,0 +1,159 @@
+import gql from 'graphql-tag';
+import { KeyGraphField } from '../_common/queries.gql';
+import {
+  KeyExchangeFields,
+  UserSharedKeyFields,
+} from '../api/key-exchange.gql';
+import { SharedContactCardFields } from '../api/shared-contact-card.service';
+
+export const TrustedPartyProperties = `
+  id
+  user {
+    id
+    username
+  }
+  other{
+    id
+    username,
+    features {
+      shareVault
+    }
+  }
+  sharedContactCard {
+    ${SharedContactCardFields}
+  }
+  myContactCard {
+    ${SharedContactCardFields}
+  }
+  sharedScenarios {
+    edges {
+      node {
+        id
+      }
+    }
+  }
+  sharedItems {
+    directories {
+      edges {
+        node {
+          id
+        }
+      }
+    }
+  }
+  currentUserSharedKey {
+    userSharedKey {
+      keyExchange {
+        ${KeyExchangeFields}
+      }
+      ${UserSharedKeyFields}
+    }
+  }`;
+
+export const GetTrustedPartiesQuery = gql`
+query GetTrustedPartiesQuery {
+  tps {
+    edges {
+      node {
+        ${TrustedPartyProperties}
+      }
+    }
+  }
+  ${KeyGraphField}
+}`;
+
+export const GetAllTrustedPartiesQuery = gql`
+query GetAllTrustedPartiesQuery($userId: ID, $isExpired: Boolean, $inviteState: String, $sentInviteState: String) {
+  tps {
+    edges {
+      node {
+        ${TrustedPartyProperties}
+      }
+    }
+  }
+  invites: keyExchanges(
+    responder: $userId
+    isExpired: $isExpired
+    state: $inviteState
+    orderBy: "state,-created"
+  ) {
+    edges {
+      node {
+        ${KeyExchangeFields}
+      }
+    }
+  }
+  sentInvites: keyExchanges(
+    initiator: $userId
+    isExpired: $isExpired
+    state: $sentInviteState
+    orderBy: "state,-created"
+  ) {
+    edges {
+      node {
+        ${KeyExchangeFields}
+      }
+    }
+  }
+  ${KeyGraphField}
+}`;
+
+export const GetTrustedPartyQuery = gql`
+query GetTrustedPartyQuery($partyId: LrRelayIdInput!) {
+  tp(id: $partyId) {
+    ${TrustedPartyProperties}
+  }
+  ${KeyGraphField}
+}`;
+
+export const DeclineTrustedPartyInvitationMutation = gql`
+  mutation DeclineKeyExchange($input: DeclineKeyExchangeInput!) {
+    declineKeyExchange(input: $input) {
+      keyExchange {
+        id
+      }
+    }
+  }
+`;
+
+export const CancelTrustedPartyInvitationMutation = gql`
+  mutation CancelKeyExchange($input: CancelKeyExchangeInput!) {
+    cancelKeyExchange(input: $input) {
+      keyExchange {
+        id
+      }
+    }
+  }
+`;
+
+export const DeleteTrustedPartyMutation = gql`
+  mutation DeleteTpMutation($input: DeleteTpInput!) {
+    deleteTp(input: $input) {
+      id
+    }
+  }
+`;
+
+export const ShareCategoryMutation = gql`
+  mutation ShareDirectory($input: ShareDirectoryInput!) {
+    shareDirectory(input: $input) {
+      tpDirectory {
+        item {
+          plainMeta
+        }
+      }
+    }
+  }
+`;
+
+export const UnshareCategoryMutation = gql`
+  mutation UnshareDirectory($input: UnshareDirectoryInput!) {
+    unshareDirectory(input: $input) {
+      tpDirectory {
+        item {
+          plainMeta
+        }
+      }
+    }
+  }
+`;