Handle RSA token handling in Rust (#915)
* Split out queue and cache config

* Update usages of cache config,

* Update default

* Cleanup

* Make queue optional.

* config updates.

* changelog

* update spec config

* Update tests

* tweak import

* Update default config.

* fixup test

* Update config.sample.yml

Co-authored-by: Andrew Ferrazzutti <andrewf@element.io>
Signed-off-by: Will Hunt <will@half-shot.uk>

* Update encryption.md

Signed-off-by: Will Hunt <will@half-shot.uk>

* Clear up worker config

Signed-off-by: Will Hunt <will@half-shot.uk>

* Update src/config/Config.ts

Co-authored-by: Andrew Ferrazzutti <andrewf@element.io>
Signed-off-by: Will Hunt <will@half-shot.uk>

* update helm config

* move UserTokenStore.ts

* Port all the imports to new path.

* Port RSA handling to rust.

* Add tests.

* linting

* lint rust

* Remove unwraps / panics

* fix build script

* Ensure we store and check which algorithm and key was used.

* quieten false deadcode warnings

* changelog

* fix test imports

* lazy mock out UTS

* Refactor so that UserTokenStore is initiated by the time Bridge is created.

* update defaults

* replace if with match

* Use the magic of ?

* fmt

---------

Signed-off-by: Will Hunt <will@half-shot.uk>
Co-authored-by: Andrew Ferrazzutti <andrewf@element.io>
Half-Shot and AndrewFerr authored Apr 8, 2024
1 parent 6618ab6 commit 6482c7e
Showing 33 changed files with 413 additions and 69 deletions.
167 changes: 167 additions & 0 deletions Cargo.lock


3 changes: 2 additions & 1 deletion Cargo.toml
Expand Up @@ -22,6 +22,7 @@ atom_syndication = "0.12"
ruma = { version = "0.9", features = ["events", "html"] }
reqwest = "0.11"
rand = "0.8.5"

rsa = "0.9.6"
base64ct = { version = "1.6.0", features = ["alloc"] }
[build-dependencies]
napi-build = "2"
1 change: 1 addition & 0 deletions changelog.d/915.misc
@@ -0,0 +1 @@
Track which key was used to encrypt secrets in storage, and encrypt/decrypt secrets in Rust.
2 changes: 1 addition & 1 deletion config.sample.yml
Expand Up @@ -10,7 +10,7 @@ bridge:
passFile:
# A passkey used to encrypt tokens stored inside the bridge.
# Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
passkey.pem
./passkey.pem
logging:
# Logging settings. You can have a severity debug,info,warn,error
level: info
2 changes: 1 addition & 1 deletion scripts/build-app.sh
@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash

# exit when any command fails
set -e
6 changes: 3 additions & 3 deletions spec/basic.spec.ts
Expand Up @@ -19,12 +19,12 @@ describe('Basic test setup', () => {
const user = testEnv.getUser('user');
const roomId = await user.createRoom({ name: 'Test room', invite:[testEnv.botMxid] });
await user.waitForRoomJoin({sender: testEnv.botMxid, roomId });
await user.sendText(roomId, "!hookshot help");
const msg = await user.waitForRoomEvent<MessageEventContent>({
const msg = user.waitForRoomEvent<MessageEventContent>({
eventType: 'm.room.message', sender: testEnv.botMxid, roomId
});
await user.sendText(roomId, "!hookshot help");
// Expect help text.
expect(msg.data.content.body).to.include('!hookshot help` - This help text\n');
expect((await msg).data.content.body).to.include('!hookshot help` - This help text\n');
});

// TODO: Move test to it's own generic connections file.
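Review bot: The `msg` promise created by the new `user.waitForRoomEvent<MessageEventContent>({...})` line is left dangling if the following `await user.sendText(roomId, "!hookshot help")` rejects, so a later timeout or failure inside the wait would surface as an unhandled rejection instead of as this test's own failure. Starting the wait before the send does remove the race the old order had, but awaiting both together keeps every failure attributed to the test: `const [, event] = await Promise.all([user.sendText(roomId, "!hookshot help"), msg]);` followed by `expect(event.data.content.body).to.include('!hookshot help` - This help text\n');`. The `it(...)` callback this hunk edits starts outside the hunk.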
2 changes: 1 addition & 1 deletion src/AdminRoom.ts
Expand Up @@ -16,7 +16,7 @@ import { Intent } from "matrix-bot-sdk";
import { JiraBotCommands } from "./jira/AdminCommands";
import { NotifFilter, NotificationFilterStateContent } from "./NotificationFilters";
import { ProjectsListResponseData } from "./github/Types";
import { UserTokenStore } from "./UserTokenStore";
import { UserTokenStore } from "./tokens/UserTokenStore";
import { Logger } from "matrix-appservice-bridge";
import markdown from "markdown-it";
type ProjectsListForRepoResponseData = Endpoints["GET /repos/{owner}/{repo}/projects"]["response"];
2 changes: 1 addition & 1 deletion src/AdminRoomCommandHandler.ts
@@ -1,7 +1,7 @@
import EventEmitter from "events";
import { Intent } from "matrix-bot-sdk";
import { BridgeConfig } from "./config/Config";
import { UserTokenStore } from "./UserTokenStore";
import { UserTokenStore } from "./tokens/UserTokenStore";


export enum Category {
4 changes: 3 additions & 1 deletion src/App/BridgeApp.ts
Expand Up @@ -9,6 +9,7 @@ import { getAppservice } from "../appservice";
import BotUsersManager from "../Managers/BotUsersManager";
import * as Sentry from '@sentry/node';
import { GenericHookConnection } from "../Connections";
import { UserTokenStore } from "../tokens/UserTokenStore";

Logger.configure({console: "info"});
const log = new Logger("App");
Expand Down Expand Up @@ -50,7 +51,8 @@ export async function start(config: BridgeConfig, registration: IAppserviceRegis

const botUsersManager = new BotUsersManager(config, appservice);

const bridgeApp = new Bridge(config, listener, appservice, storage, botUsersManager);
const tokenStore = await UserTokenStore.fromKeyPath(config.passFile , appservice.botIntent, config);
const bridgeApp = new Bridge(config, tokenStore, listener, appservice, storage, botUsersManager);

process.once("SIGTERM", () => {
log.error("Got SIGTERM");
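Review bot: The new `fromKeyPath` call in the second hunk of this file has a stray space before its first comma (`config.passFile ,`); it should read `const tokenStore = await UserTokenStore.fromKeyPath(config.passFile, appservice.botIntent, config);`. Building the token store before `Bridge` presumably means a missing or unreadable pass file now rejects here and aborts `start` before the bridge exists, which is the better failure point, but nothing in the hunk says why startup stopped — wrapping the rejection in an error that names `config.passFile`, or a `log.error` beside it, would make that diagnosable from the logs. `start` begins and ends outside this hunk.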