passbolt-browser-extension 5.3.2 → 5.4.1

package/src/all/background_page/service/metadata/configureMetadataSettingsService.test.js

@@ -0,0 +1,265 @@
+/**
+ * Passbolt ~ Open source password manager for teams
+ * Copyright (c) Passbolt SA (https://www.passbolt.com)
+ *
+ * Licensed under GNU Affero General Public License version 3 of the or any later version.
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
+ * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
+ * @link          https://www.passbolt.com Passbolt(tm)
+ * @since         5.4.0
+ */
+import AccountEntity from "../../model/entity/account/accountEntity";
+import BuildApiClientOptionsService from "../account/buildApiClientOptionsService";
+import ConfigureMetadataSettingsService from "./configureMetadataSettingsService";
+import MetadataTypesSettingsEntity from "passbolt-styleguide/src/shared/models/entity/metadata/metadataTypesSettingsEntity";
+import MetadataKeysSettingsEntity from "passbolt-styleguide/src/shared/models/entity/metadata/metadataKeysSettingsEntity";
+import ExternalGpgKeyPairEntity from "passbolt-styleguide/src/shared/models/entity/gpgkey/external/externalGpgKeyPairEntity";
+import {defaultAccountDto} from "../../model/entity/account/accountEntity.test.data";
+import MetadataGettingStartedSettingsEntity from "passbolt-styleguide/src/shared/models/entity/metadata/metadataGettingStartedSettingsEntity";
+import {defaultMetadataGettingStartedSettingsDto, enableMetadataGettingStartedSettingsDto} from "passbolt-styleguide/src/shared/models/entity/metadata/metadataGettingStartedSettingsEntity.test.data";
+
+describe("ConfigureMetadataSettingsService", () => {
+  describe("::enableEncryptedMetadataForNewInstance", () => {
+    it("should orchestrate all the necessary service in order to activate the encryption of metadata", async() => {
+      expect.assertions(8);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const expectedKeySettings = MetadataKeysSettingsEntity.createFromDefault();
+      const expectedTypeSettings = MetadataTypesSettingsEntity.createFromV5Default();
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.generateMetadataKeyService, "generateKey");
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveKeysSettings").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveTypesSettings").mockImplementation(() => {});
+
+      await orchestrator.enableEncryptedMetadataForNewInstance(passphrase);
+
+      expect(orchestrator.generateMetadataKeyService.generateKey).toHaveBeenCalledTimes(1);
+      expect(orchestrator.generateMetadataKeyService.generateKey).toHaveBeenCalledWith(passphrase);
+
+      expect(orchestrator.createMetadataKeyService.create).toHaveBeenCalledTimes(1);
+      expect(orchestrator.createMetadataKeyService.create).toHaveBeenCalledWith(expect.any(ExternalGpgKeyPairEntity), passphrase);
+
+      expect(orchestrator.saveMetadaSettingsService.saveKeysSettings).toHaveBeenCalledTimes(1);
+      expect(orchestrator.saveMetadaSettingsService.saveKeysSettings).toHaveBeenCalledWith(expectedKeySettings);
+
+      expect(orchestrator.saveMetadaSettingsService.saveTypesSettings).toHaveBeenCalledTimes(1);
+      expect(orchestrator.saveMetadaSettingsService.saveTypesSettings).toHaveBeenCalledWith(expectedTypeSettings);
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from the key generation", async() => {
+      expect.assertions(1);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => { throw new Error("unexpected error"); });
+
+      await expect(() => orchestrator.enableEncryptedMetadataForNewInstance(passphrase)).rejects.toThrowError();
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from the key save", async() => {
+      expect.assertions(1);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => { throw new Error("unexpected error"); });
+
+      await expect(() => orchestrator.enableEncryptedMetadataForNewInstance(passphrase)).rejects.toThrowError();
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from saving the key settings", async() => {
+      expect.assertions(1);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveKeysSettings").mockImplementation(() => { throw new Error("unexpected error"); });
+
+      await expect(() => orchestrator.enableEncryptedMetadataForNewInstance(passphrase)).rejects.toThrowError();
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from saving the types settings", async() => {
+      expect.assertions(1);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveKeysSettings").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveTypesSettings").mockImplementation(() => { throw new Error("unexpected error"); });
+
+      await expect(() => orchestrator.enableEncryptedMetadataForNewInstance(passphrase)).rejects.toThrowError();
+    });
+  });
+
+  describe("::enableEncryptedMetadataForExistingInstance", () => {
+    it("should orchestrate all the necessary service in order to activate the encryption of metadata", async() => {
+      expect.assertions(8);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const expectedKeySettings = MetadataKeysSettingsEntity.createFromDefault();
+      const expectedTypeSettings = MetadataTypesSettingsEntity.createFromV5Default({
+        allow_v4_v5_upgrade: true
+      });
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.generateMetadataKeyService, "generateKey");
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveKeysSettings").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveTypesSettings").mockImplementation(() => {});
+      jest.spyOn(orchestrator.findMetadataGettingStartedSettingsService, "findGettingStartedSettings").mockImplementation(() => new MetadataGettingStartedSettingsEntity(enableMetadataGettingStartedSettingsDto()));
+
+      await orchestrator.enableEncryptedMetadataForExistingInstance(passphrase);
+
+      expect(orchestrator.generateMetadataKeyService.generateKey).toHaveBeenCalledTimes(1);
+      expect(orchestrator.generateMetadataKeyService.generateKey).toHaveBeenCalledWith(passphrase);
+
+      expect(orchestrator.createMetadataKeyService.create).toHaveBeenCalledTimes(1);
+      expect(orchestrator.createMetadataKeyService.create).toHaveBeenCalledWith(expect.any(ExternalGpgKeyPairEntity), passphrase);
+
+      expect(orchestrator.saveMetadaSettingsService.saveKeysSettings).toHaveBeenCalledTimes(1);
+      expect(orchestrator.saveMetadaSettingsService.saveKeysSettings).toHaveBeenCalledWith(expectedKeySettings);
+
+      expect(orchestrator.saveMetadaSettingsService.saveTypesSettings).toHaveBeenCalledTimes(1);
+      expect(orchestrator.saveMetadaSettingsService.saveTypesSettings).toHaveBeenCalledWith(expectedTypeSettings);
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from the key generation", async() => {
+      expect.assertions(1);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => { throw new Error("unexpected error"); });
+      jest.spyOn(orchestrator.findMetadataGettingStartedSettingsService, "findGettingStartedSettings").mockImplementation(() => new MetadataGettingStartedSettingsEntity(enableMetadataGettingStartedSettingsDto()));
+
+      await expect(() => orchestrator.enableEncryptedMetadataForExistingInstance(passphrase)).rejects.toThrowError();
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from the key save", async() => {
+      expect.assertions(1);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => { throw new Error("unexpected error"); });
+      jest.spyOn(orchestrator.findMetadataGettingStartedSettingsService, "findGettingStartedSettings").mockImplementation(() => new MetadataGettingStartedSettingsEntity(enableMetadataGettingStartedSettingsDto()));
+
+      await expect(() => orchestrator.enableEncryptedMetadataForExistingInstance(passphrase)).rejects.toThrowError();
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from saving the key settings", async() => {
+      expect.assertions(1);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveKeysSettings").mockImplementation(() => { throw new Error("unexpected error"); });
+      jest.spyOn(orchestrator.findMetadataGettingStartedSettingsService, "findGettingStartedSettings").mockImplementation(() => new MetadataGettingStartedSettingsEntity(enableMetadataGettingStartedSettingsDto()));
+
+      await expect(() => orchestrator.enableEncryptedMetadataForExistingInstance(passphrase)).rejects.toThrowError();
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from saving the types settings", async() => {
+      expect.assertions(1);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.createMetadataKeyService, "create").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveKeysSettings").mockImplementation(() => {});
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveTypesSettings").mockImplementation(() => { throw new Error("unexpected error"); });
+      jest.spyOn(orchestrator.findMetadataGettingStartedSettingsService, "findGettingStartedSettings").mockImplementation(() => new MetadataGettingStartedSettingsEntity(enableMetadataGettingStartedSettingsDto()));
+
+      await expect(() => orchestrator.enableEncryptedMetadataForExistingInstance(passphrase)).rejects.toThrowError();
+    });
+
+    it("should not proceed if a strategy has already been defined", async() => {
+      expect.assertions(1);
+
+      const passphrase = "ada@passbolt.com";
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.findMetadataGettingStartedSettingsService, "findGettingStartedSettings").mockImplementation(() => new MetadataGettingStartedSettingsEntity(defaultMetadataGettingStartedSettingsDto()));
+
+      await expect(() => orchestrator.enableEncryptedMetadataForExistingInstance(passphrase)).rejects.toThrowError();
+    });
+  });
+
+  describe("::keepCleartextMetadataForExistingInstance", () => {
+    it("should orchestrate all the necessary service in order to deactivate the encryption of metadata", async() => {
+      expect.assertions(2);
+
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const expectedTypeSettings = MetadataTypesSettingsEntity.createFromV4Default();
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveTypesSettings").mockImplementation(() => {});
+      jest.spyOn(orchestrator.findMetadataGettingStartedSettingsService, "findGettingStartedSettings").mockImplementation(() => new MetadataGettingStartedSettingsEntity(enableMetadataGettingStartedSettingsDto()));
+
+      await orchestrator.keepCleartextMetadataForExistingInstance();
+
+      expect(orchestrator.saveMetadaSettingsService.saveTypesSettings).toHaveBeenCalledTimes(1);
+      expect(orchestrator.saveMetadaSettingsService.saveTypesSettings).toHaveBeenCalledWith(expectedTypeSettings);
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from saving the types settings", async() => {
+      expect.assertions(1);
+
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.saveMetadaSettingsService, "saveTypesSettings").mockImplementation(() => { throw new Error("unexpected error"); });
+      jest.spyOn(orchestrator.findMetadataGettingStartedSettingsService, "findGettingStartedSettings").mockImplementation(() => new MetadataGettingStartedSettingsEntity(enableMetadataGettingStartedSettingsDto()));
+
+      await expect(() => orchestrator.keepCleartextMetadataForExistingInstance()).rejects.toThrowError();
+    });
+
+    it("should not intercept errors if anything goes wrong and let the caller manage it: errors from saving the types settings", async() => {
+      expect.assertions(1);
+
+      const account = new AccountEntity(defaultAccountDto());
+      const apiClientOptions = BuildApiClientOptionsService.buildFromAccount(account);
+
+      const orchestrator = new ConfigureMetadataSettingsService(account, apiClientOptions);
+      jest.spyOn(orchestrator.findMetadataGettingStartedSettingsService, "findGettingStartedSettings").mockImplementation(() => new MetadataGettingStartedSettingsEntity(defaultMetadataGettingStartedSettingsDto()));
+
+      await expect(() => orchestrator.keepCleartextMetadataForExistingInstance()).rejects.toThrowError();
+    });
+  });
+});

package/src/all/background_page/service/metadata/createMetadataKeyService.js

@@ -49,7 +49,7 @@ export default class CreateMetadataKeyService {
    * Note: the service does not handle yet the zero knowledge, the key will be encrypted for the API.
    * @param {ExternalGpgKeyPairEntity} metadataKeyPair The metadata key pair.
    * @param {string} passphrase The user passphrase.
-   * @return {MetadataKeyEntity}
+   * @returns {Promise<MetadataKeyEntity>}
    * @throws {TypeError} if metadataKeyPair argument is not of the expected type
    * @throws {TypeError} if passphrase argument is not a string
    */

package/src/all/background_page/service/metadata/decryptMetadataPrivateKeysService.js

@@ -17,7 +17,6 @@ import MetadataPrivateKeyEntity from "passbolt-styleguide/src/shared/models/enti
 import MetadataPrivateKeyDataEntity from "passbolt-styleguide/src/shared/models/entity/metadata/metadataPrivateKeyDataEntity";
 import MetadataPrivateKeysCollection from "passbolt-styleguide/src/shared/models/entity/metadata/metadataPrivateKeysCollection";
 import MetadataKeysCollection from "passbolt-styleguide/src/shared/models/entity/metadata/metadataKeysCollection";
-import UserPassphraseRequiredError from "passbolt-styleguide/src/shared/error/userPassphraseRequiredError";
 import {assertType} from '../../utils/assertions';
 import DecryptPrivateKeyService from '../crypto/decryptPrivateKeyService';
 import DecryptMessageService from '../crypto/decryptMessageService';
@@ -53,7 +52,7 @@ class DecryptMetadataPrivateKeysService {
 
     const message = await OpenpgpAssertion.readMessageOrFail(metadataPrivateKeyEntity.data);
 
-    passphrase = passphrase || await this.getPassphraseFromSessionStorageOrFail();
+    passphrase = passphrase || await PassphraseStorageService.getOrFail();
 
     const userDecryptedPrivateArmoredKey = await DecryptPrivateKeyService.decryptArmoredKey(this.account.userPrivateArmoredKey, passphrase);
     const userPublicKey = await OpenpgpAssertion.readKeyOrFail(this.account.userPublicArmoredKey);
@@ -88,7 +87,7 @@ class DecryptMetadataPrivateKeysService {
   async decryptAll(metadataPrivateKeysCollection, passphrase = null) {
     assertType(metadataPrivateKeysCollection, MetadataPrivateKeysCollection, "The given collection is not of the type MetadataPrivateKeysCollection");
 
-    passphrase = passphrase || await this.getPassphraseFromSessionStorageOrFail();
+    passphrase = passphrase || await PassphraseStorageService.getOrFail();
 
     const items = metadataPrivateKeysCollection.items;
     for (let i = 0; i < items.length; i++) {
@@ -119,26 +118,11 @@ class DecryptMetadataPrivateKeysService {
       if (!metadataPrivateKeysCollection || !metadataPrivateKeysCollection.length || !metadataKeysCollection?.hasEncryptedKeys()) {
         continue;
       }
-      passphrase = passphrase || await this.getPassphraseFromSessionStorageOrFail();
+      passphrase = passphrase || await PassphraseStorageService.getOrFail();
       await this.decryptAll(metadataPrivateKeysCollection, passphrase);
     }
   }
 
-  /**
-   * Retrieve the user passphrase from the session storage or fail.
-   *
-   * @returns {Promise<string>}
-   * @throws {UserPassphraseRequiredError} if the `passphrase` cannot be retrieved.
-   * @private
-   */
-  async getPassphraseFromSessionStorageOrFail() {
-    const passphrase = await PassphraseStorageService.get();
-    if (!passphrase) {
-      throw new UserPassphraseRequiredError();
-    }
-    return passphrase;
-  }
-
   /**
    * Verify the metadata private key entity fingerprint is equal to the  armored key fingerprint.
    * @param {MetadataPrivateKeyEntity} metadataPrivateKeyEntity the metadata private key entity to decrypt.

package/src/all/background_page/service/metadata/decryptMetadataService.js

@@ -87,12 +87,13 @@ class DecryptMetadataService {
 
     try {
       sessionKeys = await this.getOrFindSessionKeysService.getOrFindAllByForeignModelAndForeignIds("Resource", collection.ids, passphrase);
-      for (const sessionKey of sessionKeys) {
+      for (let i = sessionKeys.items.length - 1; i >= 0; i--) {
+        const sessionKey = sessionKeys.items[i];
         try {
           const entity = collection.getFirst("id", sessionKey.foreignId);
           await this.decryptMetadataWithSessionKey(entity, sessionKey.sessionKey);
         } catch (error) {
-          sessionKeys.remove(sessionKey);
+          sessionKeys.items.splice(i, 1);
           console.debug(`Metadata of the entity "${sessionKey.foreignModel}:${sessionKey.foreignId}" cannot be decrypted with session key.`, {cause: error});
         }
       }
@@ -267,7 +268,8 @@ class DecryptMetadataService {
     return {
       foreign_model: "Resource",
       foreign_id: entity.id,
-      session_key: sessionKeyString
+      session_key: sessionKeyString,
+      modified: entity.modified
     };
   }
 

package/src/all/background_page/service/metadata/decryptMetadataService.test.js

@@ -31,7 +31,6 @@ import {
 import SessionKeysCollection from "passbolt-styleguide/src/shared/models/entity/sessionKey/sessionKeysCollection";
 import {metadata} from "passbolt-styleguide/test/fixture/encryptedMetadata/metadata";
 import {defaultSessionKeyDto} from "passbolt-styleguide/src/shared/models/entity/sessionKey/sessionKeyEntity.test.data";
-import SessionKeyEntity from "passbolt-styleguide/src/shared/models/entity/sessionKey/sessionKeyEntity";
 import ResourceEntity from "../../model/entity/resource/resourceEntity";
 import {defaultResourceDto} from "passbolt-styleguide/src/shared/models/entity/resource/resourceEntity.test.data";
 import EntityValidationError from "passbolt-styleguide/src/shared/models/entity/abstract/entityValidationError";
@@ -396,8 +395,8 @@ describe("DecryptMetadataService", () => {
       await expect(service.decryptAllFromForeignModels(collection, pgpKeys.ada.passphrase, {ignoreDecryptionError: true})).resolves.toBeUndefined();
     });
 
-    it("should remove the invalid session keys from the collection", async() => {
-      expect.assertions(3);
+    it("should not update the session storage with the session keys when discovering a new session key if not specifically requested", async() => {
+      expect.assertions(1);
 
       const metadataKeysDtos = defaultDecryptedSharedMetadataKeysDtos();
       const metadataKeys = new MetadataKeysCollection(metadataKeysDtos);
@@ -405,29 +404,24 @@ describe("DecryptMetadataService", () => {
         metadata_key_id: metadataKeysDtos[0].id
       });
       const collection = new ResourcesCollection(collectionDto);
-      const sessionsKeysForeignIds = collection.items.map(resource => ({foreign_id: resource.id}));
-      const sessionKeysCount = collection.length;
-      const sessionKeysDtos = sharedResourcesSessionKeys(sessionsKeysForeignIds, {count: sessionKeysCount});
 
-      //invalid session key
-      sessionKeysDtos[3] = defaultSessionKeyDto({...sessionKeysDtos[3], session_key: "9:901D6ED579AFF935F9F157A5198BCE48B50AD87345DEADBA06F42C5D018C78CC"});
-      const invalidSessionKeyEntity = new SessionKeyEntity(sessionKeysDtos[3]);
 
+      const sessionsKeysForeignIds = collection.items.map(resource => ({foreign_id: resource.id}));
+      const sessionKeysDtos = sharedResourcesSessionKeys(sessionsKeysForeignIds, {count: collection.length});
+      sessionKeysDtos[3] = defaultSessionKeyDto({...sessionKeysDtos[3], session_key: "9:901D6ED579AFF935F9F157A5198BCE48B50AD87345DEADBA06F42C5D018C78CC"});
       const sessionKeys = new SessionKeysCollection(sessionKeysDtos);
 
-      jest.spyOn(sessionKeys, "remove");
+      jest.spyOn(service.saveSessionKeysService, "save");
       jest.spyOn(service.getOrFindMetadataKeysService, "getOrFindAll").mockImplementation(() => metadataKeys);
       jest.spyOn(service.getOrFindSessionKeysService, "getOrFindAllByForeignModelAndForeignIds").mockImplementation(() => sessionKeys);
 
       await service.decryptAllFromForeignModels(collection);
 
-      expect(sessionKeys.remove).toHaveBeenCalledTimes(1);
-      expect(sessionKeys.remove).toHaveBeenCalledWith(invalidSessionKeyEntity);
-      expect(sessionKeys.length).toStrictEqual(sessionKeysCount - 1);
+      expect(service.saveSessionKeysService.save).not.toHaveBeenCalled();
     });
 
-    it("should not update the session storage with the session keys", async() => {
-      expect.assertions(1);
+    it("should update the session storage with the session keys when a new session key is discovered if the option `updateSessionKeys` is passed", async() => {
+      expect.assertions(3);
 
       const metadataKeysDtos = defaultDecryptedSharedMetadataKeysDtos();
       const metadataKeys = new MetadataKeysCollection(metadataKeysDtos);
@@ -436,23 +430,28 @@ describe("DecryptMetadataService", () => {
       });
       const collection = new ResourcesCollection(collectionDto);
 
-
       const sessionsKeysForeignIds = collection.items.map(resource => ({foreign_id: resource.id}));
       const sessionKeysDtos = sharedResourcesSessionKeys(sessionsKeysForeignIds, {count: collection.length});
-      sessionKeysDtos[3] = defaultSessionKeyDto({...sessionKeysDtos[3], session_key: "9:901D6ED579AFF935F9F157A5198BCE48B50AD87345DEADBA06F42C5D018C78CC"});
+      const sessionKeyDiscovered = sessionKeysDtos[3];
+      sessionKeysDtos.splice(3, 1);
       const sessionKeys = new SessionKeysCollection(sessionKeysDtos);
+      sessionKeyDiscovered.modified = collection.resources[3].modified;
+      const expectedSessionKeysDto = [...sessionKeysDtos, sessionKeyDiscovered];
 
       jest.spyOn(service.saveSessionKeysService, "save");
       jest.spyOn(service.getOrFindMetadataKeysService, "getOrFindAll").mockImplementation(() => metadataKeys);
       jest.spyOn(service.getOrFindSessionKeysService, "getOrFindAllByForeignModelAndForeignIds").mockImplementation(() => sessionKeys);
 
-      await service.decryptAllFromForeignModels(collection);
+      await service.decryptAllFromForeignModels(collection, null, {updateSessionKeys: true});
 
-      expect(service.saveSessionKeysService.save).not.toHaveBeenCalled();
+      const [[savedSessionKeys, passphraseArg]] = service.saveSessionKeysService.save.mock.calls;
+      expect(service.saveSessionKeysService.save).toHaveBeenCalledTimes(1);
+      expect(savedSessionKeys.toDto()).toEqual(expectedSessionKeysDto);
+      expect(passphraseArg).toBe(null);
     });
 
-    it("should update the session storage with the session keys if the option `updateSessionKeys` is passed", async() => {
-      expect.assertions(2);
+    it("should remove invalid session key and add newly discovered to the list of session keys to save", async() => {
+      expect.assertions(3);
 
       const metadataKeysDtos = defaultDecryptedSharedMetadataKeysDtos();
       const metadataKeys = new MetadataKeysCollection(metadataKeysDtos);
@@ -461,11 +460,17 @@ describe("DecryptMetadataService", () => {
       });
       const collection = new ResourcesCollection(collectionDto);
 
-
       const sessionsKeysForeignIds = collection.items.map(resource => ({foreign_id: resource.id}));
       const sessionKeysDtos = sharedResourcesSessionKeys(sessionsKeysForeignIds, {count: collection.length});
-      sessionKeysDtos[3] = defaultSessionKeyDto({...sessionKeysDtos[3], session_key: "9:901D6ED579AFF935F9F157A5198BCE48B50AD87345DEADBA06F42C5D018C78CC"});
+      const sessionKeyDiscovered = sessionKeysDtos[3]; // Copy the working session key.
+      sessionKeysDtos[3] = JSON.parse(JSON.stringify(sessionKeysDtos[3]));
+      sessionKeysDtos[3].session_key = "9:901D6ED579AFF935F9F157A5198BCE48B50AD87345DEADBA06F42C5D018C78CC"; // Replace session key with a non working one
       const sessionKeys = new SessionKeysCollection(sessionKeysDtos);
+      // Expected sessions keys arry.
+      sessionKeyDiscovered.modified = collection.resources[3].modified;
+      const expectedSessionKeysDto = JSON.parse(JSON.stringify(sessionKeysDtos));
+      expectedSessionKeysDto.splice(3, 1);
+      expectedSessionKeysDto.push(sessionKeyDiscovered);
 
       jest.spyOn(service.saveSessionKeysService, "save");
       jest.spyOn(service.getOrFindMetadataKeysService, "getOrFindAll").mockImplementation(() => metadataKeys);
@@ -473,8 +478,10 @@ describe("DecryptMetadataService", () => {
 
       await service.decryptAllFromForeignModels(collection, null, {updateSessionKeys: true});
 
+      const [[savedSessionKeys, passphraseArg]] = service.saveSessionKeysService.save.mock.calls;
       expect(service.saveSessionKeysService.save).toHaveBeenCalledTimes(1);
-      expect(service.saveSessionKeysService.save).toHaveBeenCalledWith(sessionKeys, null);
+      expect(savedSessionKeys.toDto()).toEqual(expectedSessionKeysDto);
+      expect(passphraseArg).toBe(null);
     });
   });
 

package/src/all/background_page/service/metadata/encryptMetadataService.js

@@ -12,7 +12,6 @@
  * @since         4.10.0
  */
 import PassphraseStorageService from '../session_storage/passphraseStorageService';
-import UserPassphraseRequiredError from "passbolt-styleguide/src/shared/error/userPassphraseRequiredError";
 import GetOrFindMetadataKeysService from "./getOrFindMetadataKeysService";
 import EncryptMessageService from "../crypto/encryptMessageService";
 import {OpenpgpAssertion} from "../../utils/openpgp/openpgpAssertions";
@@ -70,7 +69,7 @@ class EncryptMetadataService {
     // Prevent future issue if an encrypted metadata is stored without object_type, this will fail the decryption validation of the entity
     this.assertValidMetadataObjectType(entity);
 
-    passphrase = passphrase || await this.getPassphraseFromLocalStorageOrFail();
+    passphrase = passphrase || await PassphraseStorageService.getOrFail();
     const userPrivateKey = await DecryptPrivateKeyService.decryptArmoredKey(this.account.userPrivateArmoredKey, passphrase);
     const serializedMetadata = JSON.stringify(entity.metadata.toDto(entity.metadata.constructor.DEFAULT_CONTAIN));
 
@@ -116,7 +115,7 @@ class EncryptMetadataService {
     }
 
     const canUsePersonalKeys = await this.allowUsageOfPersonalKeys();
-    passphrase = passphrase || await this.getPassphraseFromLocalStorageOrFail();
+    passphrase = passphrase || await PassphraseStorageService.getOrFail();
 
     const userDecryptedPrivateKey = await DecryptPrivateKeyService.decryptArmoredKey(this.account.userPrivateArmoredKey, passphrase);
 
@@ -222,21 +221,6 @@ class EncryptMetadataService {
     return {metadataKeyId, metadataPublicKey, metadataPrivateKey};
   }
 
-  /**
-   * Retrieve the user passphrase from the local storage or fail.
-   *
-   * @returns {Promise<string>}
-   * @throws {UserPassphraseRequiredError} if the `passphrase` is not set and cannot be retrieved.
-   * @private
-   */
-  async getPassphraseFromLocalStorageOrFail() {
-    const passphrase = await PassphraseStorageService.get();
-    if (!passphrase) {
-      throw new UserPassphraseRequiredError();
-    }
-    return passphrase;
-  }
-
   /**
    * Allow usage of personal keys
    * @returns {Promise<boolean>}

package/src/all/background_page/service/metadata/findAndUpdateMetadataKeysSessionStorageService.js

@@ -14,6 +14,7 @@
 import FindMetadataKeysService from "./findMetadataKeysService";
 import MetadataKeysSessionStorage from "../session_storage/metadataKeysSessionStorage";
 import MetadataKeysCollection from "passbolt-styleguide/src/shared/models/entity/metadata/metadataKeysCollection";
+import DecryptMetadataPrivateKeysService from "./decryptMetadataPrivateKeysService";
 
 const FIND_AND_UPDATE_METADATA_KEYS_SS_LOCK_PREFIX = "FIND_AND_UPDATE_METADATA_KEYS_SS_LOCK-";
 
@@ -28,8 +29,9 @@ export default class FindAndUpdateMetadataKeysSessionStorageService {
    */
   constructor(account, apiClientOptions) {
     this.account = account;
-    this.findMetadataKeysService = new FindMetadataKeysService(apiClientOptions, account);
+    this.findMetadataKeysService = new FindMetadataKeysService(apiClientOptions);
     this.metadataKeysSessionStorage = new MetadataKeysSessionStorage(account);
+    this.decryptMetadataPrivateKeysService = new DecryptMetadataPrivateKeysService(account);
   }
 
   /**
@@ -51,7 +53,8 @@ export default class FindAndUpdateMetadataKeysSessionStorageService {
       }
 
       // Lock is granted, retrieve the metadata keys and update the session storage.
-      const metadataKeys = await this.findMetadataKeysService.findAllForSessionStorage(passphrase);
+      const metadataKeys = await this.findMetadataKeysService.findAllForSessionStorage();
+      await this.decryptMetadataPrivateKeysService.decryptAllFromMetadataKeysCollection(metadataKeys, passphrase);
       await this.metadataKeysSessionStorage.set(metadataKeys);
       return metadataKeys;
     });

package/src/all/background_page/service/metadata/findAndUpdateMetadataKeysSessionStorageService.test.js

@@ -16,9 +16,6 @@ import AccountEntity from "../../model/entity/account/accountEntity";
 import {defaultAccountDto} from "../../model/entity/account/accountEntity.test.data";
 import {defaultApiClientOptions} from "passbolt-styleguide/src/shared/lib/apiClient/apiClientOptions.test.data";
 import FindAndUpdateMetadataKeysSessionStorageService from "./findAndUpdateMetadataKeysSessionStorageService";
-import {
-  defaultMetadataKeysDtos
-} from "passbolt-styleguide/src/shared/models/entity/metadata/metadataKeysCollection.test.data";
 import UserPassphraseRequiredError from "passbolt-styleguide/src/shared/error/userPassphraseRequiredError";
 import PassphraseStorageService from "../session_storage/passphraseStorageService";
 import {pgpKeys} from "passbolt-styleguide/test/fixture/pgpKeys/keys";
@@ -49,13 +46,15 @@ describe("FindAndUpdateMetadataKeysSessionStorageService", () => {
   describe("::findAndUpdateAll", () => {
     it("should throw an error if the user passphrase is not set and is required", async() => {
       expect.assertions(1);
-      const metadataKeysDto = defaultMetadataKeysDtos(1, {}, {withMetadataPrivateKeys: true});
+      const id = uuidv4();
+      const metadataPrivateKeysDto = [defaultMetadataPrivateKeyDto({metadata_key_id: id, data: pgpKeys.metadataKey.encryptedMetadataPrivateKeyDataMessage})];
+      const metadataKeysDto = [defaultMetadataKeyDto({id: id, metadata_private_keys: metadataPrivateKeysDto, fingerprint: "c0dce0aaea4d8cce961c26bddfb6e74e598f025c"})];
       jest.spyOn(findAndUpdateKeysSessionStorageService.findMetadataKeysService.metadataKeysApiService, "findAll").mockImplementation(() => metadataKeysDto);
 
       await expect(() => findAndUpdateKeysSessionStorageService.findAndUpdateAll()).rejects.toThrow(UserPassphraseRequiredError);
     });
 
-    it("retrieves the metadata keys from the API and store them into the session storage using the passphrase from the session storage.", async() => {
+    it("retrieves the metadata keys from the API and store them into the session storage and decrypt them using the passphrase from the session storage.", async() => {
       expect.assertions(7);
 
       const id = uuidv4();
@@ -97,7 +96,6 @@ describe("FindAndUpdateMetadataKeysSessionStorageService", () => {
       expect(PassphraseStorageService.get).not.toHaveBeenCalled();
     });
 
-
     it("overrides session storage with a second update call.", async() => {
       expect.assertions(2);