standardnotes-app-web/packages/snjs/mocha/vaults/key_rotation.test.js

import * as Factory from '../lib/factory.js'
import * as Collaboration from '../lib/Collaboration.js'

chai.use(chaiAsPromised)
const expect = chai.expect

describe('shared vault key rotation', function () {
  this.timeout(Factory.TwentySecondTimeout)

  let context

  afterEach(async function () {
    await context.deinit()
    localStorage.clear()
  })

  beforeEach(async function () {
    localStorage.clear()

    context = await Factory.createAppContextWithRealCrypto()

    await context.launch()
    await context.register()
  })

  it('should reencrypt all items keys belonging to key system', async () => {
    const { sharedVault, contactContext, deinitContactContext } =
      await Collaboration.createSharedVaultWithAcceptedInvite(context)

    contactContext.lockSyncing()

    const spy = sinon.spy(context.keys, 'reencryptKeySystemItemsKeysForVault')

    const promise = context.resolveWhenSharedVaultKeyRotationInvitesGetSent(sharedVault)
    await context.vaults.rotateVaultRootKey(sharedVault)
    await promise

    expect(spy.callCount).to.equal(1)

    deinitContactContext()
  })

  it("rotating a vault's key should send an asymmetric message to all members", async () => {
    const { sharedVault, contactContext, deinitContactContext } =
      await Collaboration.createSharedVaultWithAcceptedInvite(context)

    contactContext.lockSyncing()

    const promise = context.resolveWhenSharedVaultKeyRotationInvitesGetSent(sharedVault)
    await context.vaults.rotateVaultRootKey(sharedVault)
    await promise

    const outboundMessages = await context.asymmetric.getOutboundMessages()
    const expectedMessages = ['root key change', 'vault metadata change']
    expect(outboundMessages.length).to.equal(expectedMessages.length)

    const message = outboundMessages[0]
    expect(message).to.not.be.undefined
    expect(message.user_uuid).to.equal(contactContext.userUuid)
    expect(message.encrypted_message).to.not.be.undefined

    await deinitContactContext()
  })

  it('should update recipient vault display listing with new key params', async () => {
    const { sharedVault, contactContext, deinitContactContext } =
      await Collaboration.createSharedVaultWithAcceptedInvite(context)

    contactContext.anticipateConsoleError(
      '(2x) Error decrypting contentKey from parameters',
      'Items keys are encrypted with new root key and are later decrypted in the test',
    )

    contactContext.lockSyncing()

    const promise = context.resolveWhenSharedVaultKeyRotationInvitesGetSent(sharedVault)
    await context.vaults.rotateVaultRootKey(sharedVault)
    await promise

    const rootKey = context.keys.getPrimaryKeySystemRootKey(sharedVault.systemIdentifier)

    contactContext.unlockSyncing()
    await contactContext.sync()

    const vault = await contactContext.vaults.getVault({ keySystemIdentifier: sharedVault.systemIdentifier })
    expect(vault.rootKeyParams).to.eql(rootKey.keyParams)

    await deinitContactContext()
  })

  it('should receive new key system items key', async () => {
    const { sharedVault, contactContext, deinitContactContext } =
      await Collaboration.createSharedVaultWithAcceptedInvite(context)

    contactContext.anticipateConsoleError(
      '(2x) Error decrypting contentKey from parameters',
      'Items keys are encrypted with new root key and are later decrypted in the test',
    )
    contactContext.lockSyncing()

    const previousPrimaryItemsKey = contactContext.keys.getPrimaryKeySystemItemsKey(sharedVault.systemIdentifier)
    expect(previousPrimaryItemsKey).to.not.be.undefined

    const promise = context.resolveWhenSharedVaultKeyRotationInvitesGetSent(sharedVault)
    await context.vaults.rotateVaultRootKey(sharedVault)
    await promise

    const contactPromise = contactContext.resolveWhenAsymmetricMessageProcessingCompletes()
    contactContext.unlockSyncing()
    await contactContext.sync()
    await contactPromise

    const newPrimaryItemsKey = contactContext.keys.getPrimaryKeySystemItemsKey(sharedVault.systemIdentifier)
    expect(newPrimaryItemsKey).to.not.be.undefined

    expect(newPrimaryItemsKey.uuid).to.not.equal(previousPrimaryItemsKey.uuid)
    expect(newPrimaryItemsKey.itemsKey).to.not.eql(previousPrimaryItemsKey.itemsKey)

    await deinitContactContext()
  })

  it("rotating a vault's key with a pending invite should create new invite and delete old", async () => {
    const { sharedVault, contactContext, deinitContactContext } =
      await Collaboration.createSharedVaultWithUnacceptedButTrustedInvite(context)
    contactContext.lockSyncing()

    const originalOutboundInvites = await context.vaultInvites.getOutboundInvites()
    expect(originalOutboundInvites.length).to.equal(1)
    const originalInviteMessage = originalOutboundInvites[0].encrypted_message

    const promise = context.resolveWhenSharedVaultKeyRotationInvitesGetSent(sharedVault)
    await context.vaults.rotateVaultRootKey(sharedVault)
    await promise

    const updatedOutboundInvites = await context.vaultInvites.getOutboundInvites()
    expect(updatedOutboundInvites.length).to.equal(1)

    const joinInvite = updatedOutboundInvites[0]
    expect(joinInvite.encrypted_message).to.not.be.undefined
    expect(joinInvite.encrypted_message).to.not.equal(originalInviteMessage)

    await deinitContactContext()
  })

  it('new key system items key in rotated shared vault should belong to shared vault', async () => {
    const sharedVault = await Collaboration.createSharedVault(context)

    await context.vaults.rotateVaultRootKey(sharedVault)

    const keySystemItemsKeys = context.keys
      .getAllKeySystemItemsKeys()
      .filter((key) => key.key_system_identifier === sharedVault.systemIdentifier)

    expect(keySystemItemsKeys.length).to.equal(2)

    for (const key of keySystemItemsKeys) {
      expect(key.shared_vault_uuid).to.equal(sharedVault.sharing.sharedVaultUuid)
    }
  })

  it('should update existing key-change messages instead of creating new ones', async () => {
    const { sharedVault, contactContext, deinitContactContext } =
      await Collaboration.createSharedVaultWithAcceptedInvite(context)

    contactContext.lockSyncing()

    const firstPromise = context.resolveWhenSharedVaultKeyRotationInvitesGetSent(sharedVault)
    await context.vaults.rotateVaultRootKey(sharedVault)
    await firstPromise

    const asymmetricMessageAfterFirstChange = await context.asymmetric.getOutboundMessages()
    const expectedMessages = ['root key change', 'vault metadata change']
    expect(asymmetricMessageAfterFirstChange.length).to.equal(expectedMessages.length)

    const messageAfterFirstChange = asymmetricMessageAfterFirstChange[0]

    const secondPromise = context.resolveWhenSharedVaultKeyRotationInvitesGetSent(sharedVault)
    await context.vaults.rotateVaultRootKey(sharedVault)
    await secondPromise

    const asymmetricMessageAfterSecondChange = await context.asymmetric.getOutboundMessages()
    expect(asymmetricMessageAfterSecondChange.length).to.equal(expectedMessages.length)

    const messageAfterSecondChange = asymmetricMessageAfterSecondChange[0]
    expect(messageAfterSecondChange.encrypted_message).to.not.equal(messageAfterFirstChange.encrypted_message)
    expect(messageAfterSecondChange.uuid).to.not.equal(messageAfterFirstChange.uuid)

    await deinitContactContext()
  })

  it('key change messages should be automatically processed by trusted contacts', async () => {
    const { sharedVault, contactContext, deinitContactContext } =
      await Collaboration.createSharedVaultWithAcceptedInvite(context)

    contactContext.anticipateConsoleError(
      '(2x) Error decrypting contentKey from parameters',
      'Items keys are encrypted with new root key and are later decrypted in the test',
    )
    contactContext.lockSyncing()

    const promise = context.resolveWhenSharedVaultKeyRotationInvitesGetSent(sharedVault)
    await context.vaults.rotateVaultRootKey(sharedVault)
    await promise

    const acceptMessage = sinon.spy(contactContext.asymmetric, 'handleTrustedSharedVaultRootKeyChangedMessage')

    contactContext.unlockSyncing()
    await contactContext.sync()

    expect(acceptMessage.callCount).to.equal(1)

    await deinitContactContext()
  })

  it('should rotate key system root key after removing vault member', async () => {
    const { sharedVault, contactContext, deinitContactContext } =
      await Collaboration.createSharedVaultWithAcceptedInvite(context)

    const originalKeySystemRootKey = context.keys.getPrimaryKeySystemRootKey(sharedVault.systemIdentifier)

    await context.vaultUsers.removeUserFromSharedVault(sharedVault, contactContext.userUuid)

    const newKeySystemRootKey = context.keys.getPrimaryKeySystemRootKey(sharedVault.systemIdentifier)

    expect(newKeySystemRootKey.keyParams.creationTimestamp).to.be.greaterThan(
      originalKeySystemRootKey.keyParams.creationTimestamp,
    )
    expect(newKeySystemRootKey.key).to.not.equal(originalKeySystemRootKey.key)

    await deinitContactContext()
  })

  it('should throw if attempting to change password of locked vault', async () => {
    console.error('TODO: implement')
  })

  it('should respect storage preference when rotating key system root key', async () => {
    console.error('TODO: implement')
  })

  it('should change storage preference from synced to local', async () => {
    console.error('TODO: implement')
  })

  it('should change storage preference from local to synced', async () => {
    console.error('TODO: implement')
  })

  it('should resync key system items key if it is encrypted with noncurrent key system root key', async () => {
    console.error('TODO: implement')
  })

  it('should change password type from user inputted to randomized', async () => {
    console.error('TODO: implement')
  })

  it('should change password type from randomized to user inputted', async () => {
    console.error('TODO: implement')
  })

  it('should not be able to change storage mode of third party vault', async () => {
    console.error('TODO: implement')
  })
})