Merge pull request #2 from openfort-xyz/feat/shared-encryption-key

WIP feat/shared encryption key

.golangci.yml

@@ -29,6 +29,9 @@ linters:
     - unparam
     - unused
     - whitespace
+issues:
+  exclude-files:
+    - ".*_test\\.go"
 
 run:
   timeout: 3m

README.md

@@ -10,10 +10,13 @@ The Project API is a secure interface for managing projects in Shield. Each proj
 ### Endpoints
 
 #### 1. Register a Project
+In case you want to encrypt all the shares you can set `generate_encryption_key` to `true` in the request body. This will generate a new encryption key for the project. This key is split into two parts, one part is stored in the database and the other part is returned in the response. With this configuration the entity that hosts shield will not be able to decrypt the shares. If you want to decrypt the shares you will need to provide the encryption key part.
+> The encryption key can't be recovered if lost. It is recommended to store the encryption key securely.
+
 - **POST**: `https://shield.openfort.xyz/register`
 - **Body**:
   ```json
-  { "name": "Test Project" }
+  { "name": "Test Project", "generate_encryption_key": true }
   ```
 - **Example Request**:
   ```shell
@@ -26,7 +29,8 @@ The Project API is a secure interface for managing projects in Shield. Each proj
     "id": "ca8dec8b-0794-4f2c-adfa-fb7961f2185a",
     "name": "Test Project",
     "api_key": "1cdfc2a3-767c-49dc-be42-f78e3746ec82",
-    "api_secret": "•••••••"
+    "api_secret": "•••••••",
+    "encryption_part": "myRhu0uoymTgFE567285c6gunZa8bRtgUBdOWxp96kg="
   }
   ```
 
@@ -168,6 +172,39 @@ curl --location --request DELETE 'https://shield.openfort.xyz/project/providers/
   { "origin": "someorigin" }
   ```
 
+#### 11. Encrypt Project Shares
+In case you want to encrypt all the shares you can call this endpoint. This will encrypt all the shares that are not encrypted yet.
+> This operation is irreversible. Once the shares are encrypted they can't be decrypted.
+> The encryption key can't be recovered if lost. It is recommended to store the encryption key securely.
+> This operation is only available for projects that have the encryption key generated. You can do it on Project Registration or using the endpoint to generate a new encryption key.
+- **POST**: `https://shield.openfort.xyz/project/encrypt`
+- **Request Headers**:
+    - `x-api-secret`: •••••••
+    - `x-api-key`: d2d617ff-dbb6-480d-993f-dc8ac8307617
+- **Body**:
+    ```json
+    { "encryption_part": "myRhu0uoymTgFE567285c6gunZa8bRtgUBdOWxp96kg=" }
+    ```
+
+#### 12. Generate Encryption Key
+In case you don't set `generate_encryption_key` to `true` in the project registration you can generate a new encryption key using this endpoint. This will generate a new encryption key for the project. This key is split into two parts, one part is stored in the database and the other part is returned in the response. With this configuration the entity that hosts shield will not be able to decrypt the shares. If you want to decrypt the shares you will need to provide the encryption key part.
+> The encryption key can't be recovered if lost. It is recommended to store the encryption key securely.
+- **POST**: `https://shield.openfort.xyz/project/encryption-key`
+- **Request Headers**:
+    - `x-api-secret`: •••••••
+    - `x-api-key`: d2d617ff-dbb6-480d-993f-dc8ac8307617
+- **Example Request**:
+  ```shell
+  curl --location 'https://shield.openfort.xyz/project/encryption-key' \
+    --header 'x-api-secret: •••••••' \
+    --header 'x-api-key: d2d617ff-dbb6-480d-993f-dc8ac8307617'
+    ```
+- **Response**:
+  ```json
+  {
+    "encryption_part": "myRhu0uoymTgFE567285c6gunZa8bRtgUBdOWxp96kg="
+  }
+  ```
 ---
 ## Shares API
 
@@ -180,30 +217,46 @@ The Shares API is part of Shield, dedicated to securely storing and retrieving u
 - **Request Headers**:
     - `Authorization`: Bearer Token
     - `x-auth-provider`: 'openfort' or 'custom'
+    - `x-openfort-provider`: 'firebase' // Optional: Only required if x-auth-provider is 'openfort' and using third-party authentication
+    - `x-openfort-token-type`: 'idToken' // Optional: Only required if x-auth-provider is 'openfort' and using third-party authentication
 - **Body**:
-  ```json
+```json
   {
     "secret": "hjkasdhjkladshjkladhjskladhjskl",
-    "user_entropy": false,
-    ...
+    "entropy": "none",
   }
-
-  OR
-
+``` 
+
+OR
+
+```json  
   {
     "secret": "hjkasdhjkladshjkladhjskladhjskl",
-    "user_entropy": true,
+    "entropy": "user",
     "salt": "somesalt",
     "iterations": 1000,
     "length": 8,
     "digest": "SHA-256"
   }
+```  
+
+OR 
+
+```json  
+  {
+    "secret: "hjkasdhjkladshjkladhjskladhjskl",
+    "entropy": "project",
+    "encryption_part": "myRhu0uoymTgFE567285c6gunZa8bRtgUBdOWxp96kg="
+  }
   ```
 #### 2. Get Share
 - **GET**: `https://shield.openfort.xyz/shares`
 - **Request Headers**:
     - `Authorization`: Bearer Token
     - `x-auth-provider`: 'openfort' or 'custom'
+    - `x-openfort-provider`: 'firebase' // Optional: Only required if x-auth-provider is 'openfort' and using third-party authentication
+    - `x-openfort-token-type`: 'idToken' // Optional: Only required if x-auth-provider is 'openfort' and using third-party authentication
+    - `x-encryption-part`: 'myRhu0uoymTgFE567285c6gunZa8bRtgUBdOWxp96kg=' // Optional: Only required if the share have project entropy
 - **Example Request**:
   ```shell
   curl --location 'https://shield.openfort.xyz/shares' \
@@ -217,6 +270,6 @@ The Shares API is part of Shield, dedicated to securely storing and retrieving u
   ```json
   {
     "secret": "hjkasdhjkladshjkladhjskladhjskl",
-    "user_entropy": false
+    "entropy": "none"
   }
   ```

cmd/main.go

@@ -4,14 +4,16 @@ import (
 	"log/slog"
 	"os"
 
+	"go.openfort.xyz/shield/pkg/logger"
+
 	"go.openfort.xyz/shield/cmd/cli"
 )
 
 func main() {
 	slog.Info("Starting OpenFort Shield")
 	rootCmd := cli.NewCmdRoot()
 	if err := rootCmd.Execute(); err != nil {
-		slog.Info("Error executing command", slog.String("error", err.Error()))
+		slog.Info("Error executing command", logger.Error(err))
 		os.Exit(1)
 	}
 }

di/wire.go

@@ -6,7 +6,7 @@ package di
 import (
 	"github.com/google/wire"
 	"go.openfort.xyz/shield/internal/applications/projectapp"
-	"go.openfort.xyz/shield/internal/applications/userapp"
+	"go.openfort.xyz/shield/internal/applications/shareapp"
 	"go.openfort.xyz/shield/internal/core/ports/repositories"
 	"go.openfort.xyz/shield/internal/core/ports/services"
 	"go.openfort.xyz/shield/internal/core/services/projectsvc"
@@ -114,14 +114,12 @@ func ProvideProviderManager() (pm *providersmgr.Manager, err error) {
 	return
 }
 
-func ProvideUserApplication() (a *userapp.UserApplication, err error) {
+func ProvideShareApplication() (a *shareapp.ShareApplication, err error) {
 	wire.Build(
-		userapp.New,
-		ProvideUserService,
+		shareapp.New,
 		ProvideShareService,
-		ProvideProjectService,
-		ProvideProviderService,
-		ProvideProviderManager,
+		ProvideSQLShareRepository,
+		ProvideSQLProjectRepository,
 	)
 
 	return
@@ -131,7 +129,10 @@ func ProvideProjectApplication() (a *projectapp.ProjectApplication, err error) {
 	wire.Build(
 		projectapp.New,
 		ProvideProjectService,
+		ProvideSQLProjectRepository,
 		ProvideProviderService,
+		ProvideSQLProviderRepository,
+		ProvideSQLShareRepository,
 	)
 
 	return
@@ -152,7 +153,7 @@ func ProvideRESTServer() (s *rest.Server, err error) {
 	wire.Build(
 		rest.New,
 		rest.GetConfigFromEnv,
-		ProvideUserApplication,
+		ProvideShareApplication,
 		ProvideProjectApplication,
 		ProvideAuthenticationManager,
 	)

go.mod

@@ -5,6 +5,7 @@ go 1.22.0
 require (
 	github.com/MicahParks/keyfunc/v3 v3.2.9
 	github.com/caarlos0/env/v10 v10.0.0
+	github.com/codahale/sss v0.0.0-20160501174526-0cb9f6d3f7f1
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/uuid v1.6.0
 	github.com/google/wire v0.6.0
@@ -22,6 +23,7 @@ require (
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/MicahParks/jwkset v0.5.15 // indirect
+	github.com/benbjohnson/clock v1.3.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-sql-driver/mysql v1.8.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -37,6 +39,7 @@ require (
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
+	go.uber.org/ratelimit v0.3.1 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect

go.sum

@@ -4,8 +4,12 @@ github.com/MicahParks/jwkset v0.5.15 h1:ACJY045Zuvo2TVWikeFLnKTIsEDQQHUHrNYiMW+g
 github.com/MicahParks/jwkset v0.5.15/go.mod h1:q8ptTGn/Z9c4MwbcfeCDssADeVQb3Pk7PnVxrvi+2QY=
 github.com/MicahParks/keyfunc/v3 v3.2.9 h1:juKYzZvb5q4mWnox3439WNq6cusvSdt2fJ5nj+osgCk=
 github.com/MicahParks/keyfunc/v3 v3.2.9/go.mod h1:Yx3jN/pn7ZMCxwFsyIrsmSqRfp0HGHAcyezBlhYi1Ew=
+github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
+github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/caarlos0/env/v10 v10.0.0 h1:yIHUBZGsyqCnpTkbjk8asUlx6RFhhEs+h7TOBdgdzXA=
 github.com/caarlos0/env/v10 v10.0.0/go.mod h1:ZfulV76NvVPw3tm591U4SwL3Xx9ldzBP9aGxzeN7G18=
+github.com/codahale/sss v0.0.0-20160501174526-0cb9f6d3f7f1 h1:PJJtqFbZH8ZW9PtsfB+ALZKVPRiRwNbPrNe+gliLpGo=
+github.com/codahale/sss v0.0.0-20160501174526-0cb9f6d3f7f1/go.mod h1:0Vm/twPonvi1fkJ3kW8TbuttPQ4EyspL1xHUVr1I3uU=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -68,6 +72,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.uber.org/ratelimit v0.3.1 h1:K4qVE+byfv/B3tC+4nYWP7v/6SimcO7HzHekoMNBma0=
+go.uber.org/ratelimit v0.3.1/go.mod h1:6euWsTB6U/Nb3X++xEUXA8ciPJvr19Q/0h1+oDcJhRk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=