@striae-org/striae 4.2.0 → 4.2.1

package/app/utils/data/operations/file-annotation-operations.ts

@@ -0,0 +1,196 @@
+import type { User } from 'firebase/auth';
+import type { AnnotationData } from '~/types';
+
+import { fetchDataApi } from '../../api';
+import { canAccessCase, canModifyCase, validateUserSession } from '../permissions';
+import { removeFileConfirmationSummary, upsertFileConfirmationSummary } from './confirmation-summary-operations';
+import type { DataOperationOptions } from './types';
+
+/**
+ * Get file annotation data from R2 storage.
+ */
+export const getFileAnnotations = async (
+  user: User,
+  caseNumber: string,
+  fileId: string
+): Promise<AnnotationData | null> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      throw new Error(`Access denied: ${accessCheck.reason}`);
+    }
+
+    if (!fileId || typeof fileId !== 'string') {
+      throw new Error('Invalid file ID provided');
+    }
+
+    const response = await fetchDataApi(
+      user,
+      `/${encodeURIComponent(user.uid)}/${encodeURIComponent(caseNumber)}/${encodeURIComponent(fileId)}/data.json`,
+      {
+        method: 'GET'
+      }
+    );
+
+    if (response.status === 404) {
+      return null;
+    }
+
+    if (!response.ok) {
+      throw new Error(`Failed to fetch file annotations: ${response.status} ${response.statusText}`);
+    }
+
+    return await response.json() as AnnotationData;
+  } catch (error) {
+    console.error(`Error fetching annotations for ${caseNumber}/${fileId}:`, error);
+    return null;
+  }
+};
+
+/**
+ * Save file annotation data to R2 storage.
+ */
+export const saveFileAnnotations = async (
+  user: User,
+  caseNumber: string,
+  fileId: string,
+  annotationData: AnnotationData,
+  options: DataOperationOptions = {}
+): Promise<void> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    if (options.skipValidation !== true) {
+      const modifyCheck = await canModifyCase(user, caseNumber);
+      if (!modifyCheck.allowed) {
+        throw new Error(`Modification denied: ${modifyCheck.reason}`);
+      }
+    }
+
+    if (!fileId || typeof fileId !== 'string') {
+      throw new Error('Invalid file ID provided');
+    }
+
+    if (!annotationData || typeof annotationData !== 'object') {
+      throw new Error('Invalid annotation data provided');
+    }
+
+    // Enforce immutability once confirmation data exists on an image.
+    const existingResponse = await fetchDataApi(
+      user,
+      `/${encodeURIComponent(user.uid)}/${encodeURIComponent(caseNumber)}/${encodeURIComponent(fileId)}/data.json`,
+      {
+        method: 'GET'
+      }
+    );
+
+    if (existingResponse.ok) {
+      const existingAnnotations = await existingResponse.json() as AnnotationData;
+      if (existingAnnotations?.confirmationData) {
+        throw new Error('Cannot modify annotations for a confirmed image');
+      }
+    } else if (existingResponse.status !== 404) {
+      throw new Error(`Failed to verify existing annotations: ${existingResponse.status} ${existingResponse.statusText}`);
+    }
+
+    const dataToSave = {
+      ...annotationData,
+      updatedAt: new Date().toISOString()
+    };
+
+    const response = await fetchDataApi(
+      user,
+      `/${encodeURIComponent(user.uid)}/${encodeURIComponent(caseNumber)}/${encodeURIComponent(fileId)}/data.json`,
+      {
+        method: 'PUT',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify(dataToSave)
+      }
+    );
+
+    if (!response.ok) {
+      throw new Error(`Failed to save file annotations: ${response.status} ${response.statusText}`);
+    }
+
+    try {
+      await upsertFileConfirmationSummary(user, caseNumber, fileId, dataToSave);
+    } catch (summaryError) {
+      console.warn(`Failed to update confirmation summary for ${caseNumber}/${fileId}:`, summaryError);
+    }
+  } catch (error) {
+    console.error(`Error saving annotations for ${caseNumber}/${fileId}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Delete file annotation data from R2 storage.
+ */
+export const deleteFileAnnotations = async (
+  user: User,
+  caseNumber: string,
+  fileId: string,
+  options: { skipValidation?: boolean } = {}
+): Promise<void> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    if (options.skipValidation !== true) {
+      const modifyCheck = await canModifyCase(user, caseNumber);
+      if (!modifyCheck.allowed) {
+        throw new Error(`Delete denied: ${modifyCheck.reason}`);
+      }
+    }
+
+    const response = await fetchDataApi(
+      user,
+      `/${encodeURIComponent(user.uid)}/${encodeURIComponent(caseNumber)}/${encodeURIComponent(fileId)}/data.json`,
+      {
+        method: 'DELETE'
+      }
+    );
+
+    if (!response.ok && response.status !== 404) {
+      throw new Error(`Failed to delete file annotations: ${response.status} ${response.statusText}`);
+    }
+
+    try {
+      await removeFileConfirmationSummary(user, caseNumber, fileId);
+    } catch (summaryError) {
+      console.warn(`Failed to update confirmation summary after delete for ${caseNumber}/${fileId}:`, summaryError);
+    }
+  } catch (error) {
+    console.error(`Error deleting annotations for ${caseNumber}/${fileId}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Check if a file has annotations.
+ */
+export const fileHasAnnotations = async (
+  user: User,
+  caseNumber: string,
+  fileId: string
+): Promise<boolean> => {
+  try {
+    const annotations = await getFileAnnotations(user, caseNumber, fileId);
+    return annotations !== null;
+  } catch (error) {
+    console.error(`Error checking annotations for ${caseNumber}/${fileId}:`, error);
+    return false;
+  }
+};

package/app/utils/data/operations/index.ts

@@ -0,0 +1,7 @@
+export * from './types';
+export * from './confirmation-summary-operations';
+export * from './case-operations';
+export * from './file-annotation-operations';
+export * from './batch-operations';
+export * from './validation-operations';
+export * from './signing-operations';

package/app/utils/data/operations/signing-operations.ts

@@ -0,0 +1,225 @@
+import type { User } from 'firebase/auth';
+import type { ConfirmationImportData } from '~/types';
+
+import { fetchDataApi } from '../../api';
+import {
+  AUDIT_EXPORT_SIGNATURE_VERSION,
+  type AuditExportSigningPayload,
+  isValidAuditExportSigningPayload
+} from '../../forensics/audit-export-signature';
+import { CONFIRMATION_SIGNATURE_VERSION } from '../../forensics/confirmation-signature';
+import {
+  type ForensicManifestData,
+  type ForensicManifestSignature,
+  FORENSIC_MANIFEST_VERSION
+} from '../../forensics/SHA256';
+import { canAccessCase, validateUserSession } from '../permissions';
+import type {
+  AuditExportSigningResponse,
+  ConfirmationSigningResponse,
+  ManifestSigningResponse
+} from './types';
+
+/**
+ * Request a server-side signature for a forensic manifest.
+ */
+export const signForensicManifest = async (
+  user: User,
+  caseNumber: string,
+  manifest: ForensicManifestData
+): Promise<ManifestSigningResponse> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      throw new Error(`Manifest signing denied: ${accessCheck.reason}`);
+    }
+
+    const response = await fetchDataApi(user, '/api/forensic/sign-manifest', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        caseNumber,
+        manifest
+      })
+    });
+
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      manifestVersion?: string;
+      signature?: ForensicManifestSignature;
+    } | null;
+
+    if (!response.ok) {
+      throw new Error(
+        responseData?.error ||
+        `Failed to sign forensic manifest: ${response.status} ${response.statusText}`
+      );
+    }
+
+    if (!responseData?.success || !responseData.signature || !responseData.manifestVersion) {
+      throw new Error('Invalid manifest signing response from data worker');
+    }
+
+    if (responseData.manifestVersion !== FORENSIC_MANIFEST_VERSION) {
+      throw new Error(
+        `Unexpected manifest version from signer: ${responseData.manifestVersion}`
+      );
+    }
+
+    return {
+      manifestVersion: responseData.manifestVersion,
+      signature: responseData.signature
+    };
+  } catch (error) {
+    console.error(`Error signing forensic manifest for ${caseNumber}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Request a server-side signature for confirmation export data.
+ */
+export const signConfirmationData = async (
+  user: User,
+  caseNumber: string,
+  confirmationData: ConfirmationImportData
+): Promise<ConfirmationSigningResponse> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      throw new Error(`Confirmation signing denied: ${accessCheck.reason}`);
+    }
+
+    const response = await fetchDataApi(user, '/api/forensic/sign-confirmation', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        caseNumber,
+        confirmationData,
+        signatureVersion: CONFIRMATION_SIGNATURE_VERSION
+      })
+    });
+
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      signatureVersion?: string;
+      signature?: ForensicManifestSignature;
+    } | null;
+
+    if (!response.ok) {
+      throw new Error(
+        responseData?.error ||
+        `Failed to sign confirmation data: ${response.status} ${response.statusText}`
+      );
+    }
+
+    if (!responseData?.success || !responseData.signature || !responseData.signatureVersion) {
+      throw new Error('Invalid confirmation signing response from data worker');
+    }
+
+    if (responseData.signatureVersion !== CONFIRMATION_SIGNATURE_VERSION) {
+      throw new Error(
+        `Unexpected confirmation signature version from signer: ${responseData.signatureVersion}`
+      );
+    }
+
+    return {
+      signatureVersion: responseData.signatureVersion,
+      signature: responseData.signature
+    };
+  } catch (error) {
+    console.error(`Error signing confirmation data for ${caseNumber}:`, error);
+    throw error;
+  }
+};
+
+/**
+ * Request a server-side signature for audit export metadata.
+ */
+export const signAuditExportData = async (
+  user: User,
+  auditExport: AuditExportSigningPayload,
+  options: { caseNumber?: string } = {}
+): Promise<AuditExportSigningResponse> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Session validation failed: ${sessionValidation.reason}`);
+    }
+
+    if (!isValidAuditExportSigningPayload(auditExport)) {
+      throw new Error('Invalid audit export payload for signing');
+    }
+
+    const caseNumber = options.caseNumber;
+    if (caseNumber) {
+      const accessCheck = await canAccessCase(user, caseNumber);
+      if (!accessCheck.allowed) {
+        throw new Error(`Audit export signing denied: ${accessCheck.reason}`);
+      }
+    }
+
+    const response = await fetchDataApi(user, '/api/forensic/sign-audit-export', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        userId: user.uid,
+        caseNumber,
+        auditExport,
+        signatureVersion: AUDIT_EXPORT_SIGNATURE_VERSION
+      })
+    });
+
+    const responseData = await response.json().catch(() => null) as {
+      success?: boolean;
+      error?: string;
+      signatureVersion?: string;
+      signature?: ForensicManifestSignature;
+    } | null;
+
+    if (!response.ok) {
+      throw new Error(
+        responseData?.error ||
+        `Failed to sign audit export data: ${response.status} ${response.statusText}`
+      );
+    }
+
+    if (!responseData?.success || !responseData.signature || !responseData.signatureVersion) {
+      throw new Error('Invalid audit export signing response from data worker');
+    }
+
+    if (responseData.signatureVersion !== AUDIT_EXPORT_SIGNATURE_VERSION) {
+      throw new Error(
+        `Unexpected audit export signature version from signer: ${responseData.signatureVersion}`
+      );
+    }
+
+    return {
+      signatureVersion: responseData.signatureVersion,
+      signature: responseData.signature
+    };
+  } catch (error) {
+    console.error('Error signing audit export data:', error);
+    throw error;
+  }
+};

package/app/utils/data/operations/types.ts

@@ -0,0 +1,42 @@
+import type { User } from 'firebase/auth';
+import type { ForensicManifestSignature } from '~/utils/forensics/SHA256';
+
+import type { AnnotationData } from '~/types';
+
+export interface DataAccessResult {
+  allowed: boolean;
+  reason?: string;
+}
+
+export interface FileUpdate {
+  fileId: string;
+  annotations: AnnotationData;
+}
+
+export interface BatchUpdateResult {
+  successful: string[];
+  failed: { fileId: string; error: string }[];
+}
+
+export interface DataOperationOptions {
+  includeTimestamp?: boolean;
+  retryCount?: number;
+  skipValidation?: boolean;
+}
+
+export interface ManifestSigningResponse {
+  manifestVersion: string;
+  signature: ForensicManifestSignature;
+}
+
+export interface ConfirmationSigningResponse {
+  signatureVersion: string;
+  signature: ForensicManifestSignature;
+}
+
+export interface AuditExportSigningResponse {
+  signatureVersion: string;
+  signature: ForensicManifestSignature;
+}
+
+export type DataOperation<T> = (user: User, ...args: unknown[]) => Promise<T>;

package/app/utils/data/operations/validation-operations.ts

@@ -0,0 +1,48 @@
+import type { User } from 'firebase/auth';
+
+import { canAccessCase, validateUserSession } from '../permissions';
+import type { DataAccessResult, DataOperation } from './types';
+
+/**
+ * Validate data access permissions for a user and case.
+ */
+export const validateDataAccess = async (
+  user: User,
+  caseNumber: string
+): Promise<DataAccessResult> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      return { allowed: false, reason: sessionValidation.reason };
+    }
+
+    const accessCheck = await canAccessCase(user, caseNumber);
+    if (!accessCheck.allowed) {
+      return { allowed: false, reason: accessCheck.reason };
+    }
+
+    return { allowed: true };
+  } catch (error) {
+    console.error('Error validating data access:', error);
+    return { allowed: false, reason: 'Access validation failed' };
+  }
+};
+
+/**
+ * Higher-order function for consistent data operation patterns.
+ */
+export const withDataOperation = <T>(
+  operation: DataOperation<T>
+) => async (user: User, ...args: unknown[]): Promise<T> => {
+  try {
+    const sessionValidation = await validateUserSession(user);
+    if (!sessionValidation.valid) {
+      throw new Error(`Operation failed: ${sessionValidation.reason}`);
+    }
+
+    return await operation(user, ...args);
+  } catch (error) {
+    console.error('Data operation failed:', error);
+    throw error;
+  }
+};

package/app/utils/forensics/export-verification.ts

@@ -674,6 +674,7 @@ export async function verifyCasePackageIntegrity(
   input: CasePackageIntegrityInput
 ): Promise<CasePackageIntegrityResult> {
   const manifestData = extractForensicManifestData(input.forensicManifest);
+  const verificationPublicKeyPem = input.verificationPublicKeyPem;
 
   if (!manifestData) {
     return {
@@ -694,9 +695,28 @@ export async function verifyCasePackageIntegrity(
     };
   }
 
+  if (!verificationPublicKeyPem) {
+    return {
+      isValid: false,
+      signatureResult: {
+        isValid: false,
+        error: 'Missing verification public key'
+      },
+      integrityResult: {
+        isValid: false,
+        dataValid: false,
+        imageValidation: {},
+        manifestValid: false,
+        errors: ['Missing verification public key'],
+        summary: 'Manifest validation failed'
+      },
+      bundledAuditVerification: null
+    };
+  }
+
   const signatureResult = await verifyForensicManifestSignature(
     input.forensicManifest,
-    input.verificationPublicKeyPem
+    verificationPublicKeyPem
   );
 
   const integrityResult = await validateCaseIntegritySecure(
@@ -706,117 +726,26 @@ export async function verifyCasePackageIntegrity(
   );
 
   const bundledAuditVerification = input.bundledAuditFiles
-    ? await (async () => {
-        const { auditTrailContent, auditSignatureContent } = input.bundledAuditFiles ?? {};
-
-        if (!auditTrailContent && !auditSignatureContent) {
-          return null;
-        }
-
-        if (!auditTrailContent || !auditSignatureContent) {
-          return createVerificationResult(
-            false,
-            'The archive ZIP contains incomplete bundled audit verification files.',
-            'case-zip'
-          );
-        }
-
-        try {
-          const auditTrailExport = JSON.parse(auditTrailContent) as BundledAuditExportFile;
-          const auditSignatureExport = JSON.parse(auditSignatureContent) as {
-            signatureMetadata?: Partial<AuditExportSigningPayload>;
-            signature?: NonNullable<BundledAuditExportFile['metadata']>['signature'];
-          };
-
-          const metadata = auditTrailExport.metadata;
-          if (!metadata?.signature || typeof metadata.hash !== 'string') {
-            return createVerificationResult(
-              false,
-              'The bundled audit export is missing required hash or signature metadata.',
-              'case-zip'
-            );
-          }
-
-          const unsignedAuditExport = auditTrailExport.auditTrail !== undefined
-            ? {
-                metadata: {
-                  exportTimestamp: metadata.exportTimestamp,
-                  exportVersion: metadata.exportVersion,
-                  totalEntries: metadata.totalEntries,
-                  application: metadata.application,
-                  exportType: metadata.exportType,
-                  scopeType: metadata.scopeType,
-                  scopeIdentifier: metadata.scopeIdentifier,
-                },
-                auditTrail: auditTrailExport.auditTrail,
-              }
-            : {
-                metadata: {
-                  exportTimestamp: metadata.exportTimestamp,
-                  exportVersion: metadata.exportVersion,
-                  totalEntries: metadata.totalEntries,
-                  application: metadata.application,
-                  exportType: metadata.exportType,
-                  scopeType: metadata.scopeType,
-                  scopeIdentifier: metadata.scopeIdentifier,
-                },
-                auditEntries: auditTrailExport.auditEntries,
-              };
-
-          const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
-          if (recalculatedHash.toUpperCase() !== metadata.hash.toUpperCase()) {
-            return createVerificationResult(
-              false,
-              'The bundled audit export failed integrity verification.',
-              'case-zip'
-            );
-          }
-
-          const embeddedSignaturePayload: Partial<AuditExportSigningPayload> = metadata.signatureMetadata ?? {
-            signatureVersion: metadata.signatureVersion,
-            exportFormat: 'json',
-            exportType: metadata.exportType,
-            scopeType: metadata.scopeType,
-            scopeIdentifier: metadata.scopeIdentifier,
-            generatedAt: metadata.exportTimestamp,
-            totalEntries: metadata.totalEntries,
-            hash: metadata.hash,
-          };
-
-          const signatureVerification = await verifyAuditExportSignature(
-            embeddedSignaturePayload,
-            metadata.signature,
-            input.verificationPublicKeyPem
-          );
-
-          if (!signatureVerification.isValid) {
-            return createVerificationResult(
-              false,
-              getSignatureFailureMessage(signatureVerification.error, 'export ZIP'),
-              'case-zip'
-            );
+    ? await verifyBundledAuditExport(
+        {
+          file: (path: string) => {
+            const content = path === 'audit/case-audit-trail.json'
+              ? input.bundledAuditFiles?.auditTrailContent
+              : path === 'audit/case-audit-signature.json'
+                ? input.bundledAuditFiles?.auditSignatureContent
+                : undefined;
+
+            if (content === undefined) {
+              return null;
+            }
+
+            return {
+              async: async () => content,
+            };
           }
-
-          if (
-            JSON.stringify(auditSignatureExport.signatureMetadata ?? null) !== JSON.stringify(metadata.signatureMetadata ?? null) ||
-            JSON.stringify(auditSignatureExport.signature ?? null) !== JSON.stringify(metadata.signature ?? null)
-          ) {
-            return createVerificationResult(
-              false,
-              'The bundled audit signature artifact does not match the signed audit export.',
-              'case-zip'
-            );
-          }
-
-          return null;
-        } catch {
-          return createVerificationResult(
-            false,
-            'The bundled audit export could not be parsed for verification.',
-            'case-zip'
-          );
-        }
-      })()
+        },
+        verificationPublicKeyPem
+      )
     : null;
 
   return {