mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-21 07:56:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
etherpad-lite/src/node/security/SecretRotator.js
Richard Hansen 2bb431e7e5
express-session: Implement and enable key rotation (#5362) by @rhansen 
* SecretRotator: New class to coordinate key rotation

* express-session: Enable key rotation

* Added new entry in docker.adoc

* Move to own package.Removed fallback as Node 16 is now lowest node version.

* Updated package-lock.json

---------

Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2023-07-03 22:58:49 +02:00

251 lines
12 KiB
JavaScript
Raw Blame History

'use strict';
const {Buffer} = require('buffer');
const crypto = require('./crypto');
const db = require('../db/DB');
const log4js = require('log4js');
class Kdf {
async generateParams() { throw new Error('not implemented'); }
async derive(params, info) { throw new Error('not implemented'); }
}
class LegacyStaticSecret extends Kdf {
async derive(params, info) { return params; }
}
class Hkdf extends Kdf {
constructor(digest, keyLen) {
super();
this._digest = digest;
this._keyLen = keyLen;
}
async generateParams() {
const [secret, salt] = (await Promise.all([
crypto.randomBytes(this._keyLen),
crypto.randomBytes(this._keyLen),
])).map((b) => b.toString('hex'));
return {digest: this._digest, keyLen: this._keyLen, salt, secret};
}
async derive(p, info) {
return Buffer.from(
await crypto.hkdf(p.digest, p.secret, p.salt, info, p.keyLen)).toString('hex');
}
}
// Key derivation algorithms. Do not modify entries in this array, except:
// * It is OK to replace an unused algorithm with `null` after any entries in the database
// using the algorithm have been deleted.
// * It is OK to append a new algorithm to the end.
// If the entries are modified in any other way then key derivation might fail or produce invalid
// results due to broken compatibility with existing database records.
const algorithms = [
new LegacyStaticSecret(),
new Hkdf('sha256', 32),
];
const defaultAlgId = algorithms.length - 1;
// In JavaScript, the % operator is remainder, not modulus.
const mod = (a, n) => ((a % n) + n) % n;
const intervalStart = (t, interval) => t - mod(t, interval);
/**
* Maintains an array of secrets across one or more Etherpad instances sharing the same database,
* periodically rotating in a new secret and removing the oldest secret.
*
* The secrets are generated using a key derivation function (KDF) with input keying material coming
* from a long-lived secret stored in the database (generated if missing).
*/
class SecretRotator {
/**
* @param {string} dbPrefix - Database key prefix to use for tracking secret metadata.
* @param {number} interval - How often to rotate in a new secret.
* @param {number} lifetime - How long after the end of an interval before the secret is no longer
* useful.
* @param {string} [legacyStaticSecret] - Optional secret to facilitate migration to secret
* rotation. If the oldest known secret starts after `lifetime` ago, this secret will cover
* the time period starting `lifetime` ago and ending at the start of that secret.
*/
constructor(dbPrefix, interval, lifetime, legacyStaticSecret = null) {
/**
* The secrets. The first secret in this array is the one that should be used to generate new
* MACs. All of the secrets in this array should be used when attempting to authenticate an
* existing MAC. The contents of this array will be updated every `interval` milliseconds, but
* the Array object itself will never be replaced with a new Array object.
*
* @type {string[]}
* @public
*/
this.secrets = [];
Object.defineProperty(this, 'secrets', {writable: false}); // Defend against bugs.
if (/[*:%]/.test(dbPrefix)) throw new Error(`dbPrefix contains an invalid char: ${dbPrefix}`);
this._dbPrefix = dbPrefix;
this._interval = interval;
this._legacyStaticSecret = legacyStaticSecret;
this._lifetime = lifetime;
this._logger = log4js.getLogger(`secret-rotation ${dbPrefix}`);
this._logger.debug(`new secret rotator (interval ${interval}, lifetime: ${lifetime})`);
this._updateTimeout = null;
// Indirections to facilitate testing.
this._t = {now: Date.now.bind(Date), setTimeout, clearTimeout, algorithms};
}
async _publish(params, id = null) {
// Params are published to the db with a randomly generated key to avoid race conditions with
// other instances.
if (id == null) id = `${this._dbPrefix}:${(await crypto.randomBytes(32)).toString('hex')}`;
await db.set(id, params);
return id;
}
async start() {
this._logger.debug('starting secret rotation');
if (this._updateTimeout != null) return; // Already started.
await this._update();
}
stop() {
this._logger.debug('stopping secret rotation');
this._t.clearTimeout(this._updateTimeout);
this._updateTimeout = null;
}
async _deriveSecrets(p, now) {
this._logger.debug('deriving secrets from', p);
if (!p.interval) return [await algorithms[p.algId].derive(p.algParams, null)];
const t0 = intervalStart(now, p.interval);
// Start of the first interval covered by these params. To accommodate clock skew, p.interval is
// subtracted. If we did not do this, then the following could happen:
// 1. Instance (A) starts up and publishes params starting at the current interval.
// 2. Instance (B) starts up with a clock that is in the previous interval.
// 3. Instance (B) reads the params published by instance (A) and sees that there's no
// coverage of what it thinks is the current interval.
// 4. Instance (B) generates and publishes new params that covers what it thinks is the
// current interval.
// 5. Instance (B) starts generating MACs from a secret derived from the new params.
// 6. Instance (A) fails to validate the MACs generated by instance (B) until it re-reads
// the published params, which might take as long as interval.
// An alternative approach is to backdate p.start by p.interval when creating new params, but
// this could affect the end time of legacy secrets.
const tA = intervalStart(p.start - p.interval, p.interval);
const tZ = intervalStart(p.end - 1, p.interval);
this._logger.debug('now:', now, 't0:', t0, 'tA:', tA, 'tZ:', tZ);
// Starts of intervals to derive keys for.
const tNs = [];
// Whether the derived secret for the interval starting at tN is still relevant. If there was no
// clock skew, a derived secret is relevant until p.lifetime has elapsed since the end of the
// interval. To accommodate clock skew, this end time is extended by p.interval.
const expired = (tN) => now >= tN + (2 * p.interval) + p.lifetime;
// Walk from t0 back until either the start of coverage or the derived secret is expired. t0
// must always be the first entry in case p is the current params. (The first derived secret is
// used for generating MACs, so the secret derived for t0 must be before the secrets derived for
// other times.)
for (let tN = Math.min(t0, tZ); tN >= tA && !expired(tN); tN -= p.interval) tNs.push(tN);
// Include a future derived secret to accommodate clock skew.
if (t0 + p.interval <= tZ) tNs.push(t0 + p.interval);
this._logger.debug('deriving secrets for intervals with start times:', tNs);
return await Promise.all(
tNs.map(async (tN) => await algorithms[p.algId].derive(p.algParams, `${tN}`)));
}
async _update() {
const now = this._t.now();
const t0 = intervalStart(now, this._interval);
let next = t0 + this._interval; // When this._update() should be called again.
let legacyEnd = now;
// TODO: This is racy. If two instances start up at the same time and there are no existing
// matching publications, each will generate and publish their own paramters. In practice this
// is unlikely to happen, and if it does it can be fixed by restarting both Etherpad instances.
const dbKeys = await db.findKeys(`${this._dbPrefix}:*`, null);
let currentParams = null;
let currentId = null;
const dbWrites = [];
const allParams = [];
const legacyParams = [];
await Promise.all(dbKeys.map(async (dbKey) => {
const p = await db.get(dbKey);
if (p.algId === 0 && p.algParams === this._legacyStaticSecret) legacyParams.push(p);
if (p.start < legacyEnd) legacyEnd = p.start;
// Check if the params have expired. Params are still useful if a MAC generated by a secret
// derived from the params is still valid, which can be true up to p.end + p.lifetime if
// there was no clock skew. The p.interval factor is added to accommodate clock skew.
// p.interval is null for legacy secrets, so fall back to this._interval.
if (now >= p.end + p.lifetime + (p.interval || this._interval)) {
// This initial keying material (or legacy secret) is expired.
dbWrites.push(db.remove(dbKey));
dbWrites[dbWrites.length - 1].catch(() => {}); // Prevent unhandled Promise rejections.
return;
}
const t1 = p.interval && intervalStart(now, p.interval) + p.interval; // Start of next intrvl.
const tA = intervalStart(p.start, p.interval); // Start of interval containing p.start.
if (p.interval) next = Math.min(next, t1);
// Determine if these params can be used to generate the current (active) secret. Note that
// p.start is allowed to be in the next interval in case there is clock skew.
if (p.interval && p.interval === this._interval && p.lifetime === this._lifetime &&
tA <= t1 && p.end > now && (currentParams == null || p.start > currentParams.start)) {
if (currentParams) allParams.push(currentParams);
currentParams = p;
currentId = dbKey;
} else {
allParams.push(p);
}
}));
if (this._legacyStaticSecret && now < legacyEnd + this._lifetime + this._interval &&
!legacyParams.find((p) => p.end + p.lifetime >= legacyEnd + this._lifetime)) {
const d = new Date(legacyEnd).toJSON();
this._logger.debug(`adding legacy static secret for ${d} with lifetime ${this._lifetime}`);
const p = {
algId: 0,
algParams: this._legacyStaticSecret,
// The start time is equal to the end time so that this legacy secret does not affect the
// end times of any legacy secrets published by other instances.
start: legacyEnd,
end: legacyEnd,
interval: null,
lifetime: this._lifetime,
};
allParams.push(p);
dbWrites.push(this._publish(p));
dbWrites[dbWrites.length - 1].catch(() => {}); // Prevent unhandled Promise rejections.
}
if (currentParams == null) {
currentParams = {
algId: defaultAlgId,
algParams: await algorithms[defaultAlgId].generateParams(),
start: now,
end: now, // Extended below.
interval: this._interval,
lifetime: this._lifetime,
};
}
// Advance currentParams's expiration time to the end of the next interval if needed. (The next
// interval is used so that the parameters never expire under normal circumstances.) This must
// be done before deriving any secrets from currentParams so that a secret for the next interval
// can be included (in case there is clock skew).
currentParams.end = Math.max(currentParams.end, t0 + (2 * this._interval));
dbWrites.push(this._publish(currentParams, currentId));
dbWrites[dbWrites.length - 1].catch(() => {}); // Prevent unhandled Promise rejections.
// The secrets derived from currentParams MUST be the first secrets.
const secrets = await this._deriveSecrets(currentParams, now);
await Promise.all(
allParams.map(async (p) => secrets.push(...await this._deriveSecrets(p, now))));
// Update this.secrets all at once to avoid race conditions.
this.secrets.length = 0;
this.secrets.push(...secrets);
this._logger.debug('active secrets:', this.secrets);
// Wait for db writes to finish after updating this.secrets so that the new secrets become
// active as soon as possible.
await Promise.all(dbWrites);
// Use an async function so that test code can tell when it's done publishing the new secrets.
// The standard setTimeout() function ignores the callback's return value, but some of the tests
// await the returned Promise.
this._updateTimeout =
this._t.setTimeout(async () => await this._update(), next - this._t.now());
}
}
module.exports = SecretRotator;
Reference in a new issue View git blame Copy permalink