You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@james.apache.org by rc...@apache.org on 2021/11/01 04:20:52 UTC

[james-project] 07/08: JAMES-3539 PushListener should encrypt payloads if required

This is an automated email from the ASF dual-hosted git repository.

rcordier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 789dc08e5bab35c029e901208411ca65814a6e67
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Thu Oct 28 14:28:40 2021 +0700

    JAMES-3539 PushListener should encrypt payloads if required
---
 .../james/jmap/pushsubscription/PushListener.scala | 16 ++++---
 .../jmap/pushsubscription/PushListenerTest.scala   | 52 +++++++++++++++++++++-
 2 files changed, 61 insertions(+), 7 deletions(-)

diff --git a/server/protocols/jmap-rfc-8621/src/main/scala/org/apache/james/jmap/pushsubscription/PushListener.scala b/server/protocols/jmap-rfc-8621/src/main/scala/org/apache/james/jmap/pushsubscription/PushListener.scala
index ff0dc01..857cc64 100644
--- a/server/protocols/jmap-rfc-8621/src/main/scala/org/apache/james/jmap/pushsubscription/PushListener.scala
+++ b/server/protocols/jmap-rfc-8621/src/main/scala/org/apache/james/jmap/pushsubscription/PushListener.scala
@@ -58,11 +58,17 @@ class PushListener @Inject()(pushRepository: PushSubscriptionRepository,
     stateChangeEvent
       .asStateChange
       .filter(pushSubscription.types.toSet)
-      .fold(SMono.empty[Unit])(stateChange => SMono(webPushClient.push(pushSubscription.url, asPushRequest(stateChange))))
+      .fold(SMono.empty[Unit])(stateChange => SMono(webPushClient.push(pushSubscription.url, asPushRequest(stateChange, pushSubscription))))
 
-  private def asPushRequest(stateChange: StateChange): PushRequest =
-    PushRequest(ttl = PushTTL.MAX, payload = asBytes(stateChange))
+  private def asPushRequest(stateChange: StateChange, pushSubscription: PushSubscription): PushRequest =
+    PushRequest(ttl = PushTTL.MAX,
+      contentCoding = pushSubscription.keys.map(_ => Aes128gcm),
+      payload = asBytes(stateChange, pushSubscription))
 
-  private def asBytes(stateChange: StateChange) =
-    Json.stringify(pushSerializer.serializeSSE(stateChange)).getBytes(StandardCharsets.UTF_8)
+  private def asBytes(stateChange: StateChange, pushSubscription: PushSubscription) = {
+    val clearTextPayload = Json.stringify(pushSerializer.serializeSSE(stateChange)).getBytes(StandardCharsets.UTF_8)
+    pushSubscription.keys
+      .map(keys => keys.encrypt(clearTextPayload))
+      .getOrElse(clearTextPayload)
+  }
 }
diff --git a/server/protocols/jmap-rfc-8621/src/test/scala/org/apache/james/jmap/pushsubscription/PushListenerTest.scala b/server/protocols/jmap-rfc-8621/src/test/scala/org/apache/james/jmap/pushsubscription/PushListenerTest.scala
index b281a6c..b962dc3 100644
--- a/server/protocols/jmap-rfc-8621/src/test/scala/org/apache/james/jmap/pushsubscription/PushListenerTest.scala
+++ b/server/protocols/jmap-rfc-8621/src/test/scala/org/apache/james/jmap/pushsubscription/PushListenerTest.scala
@@ -20,13 +20,18 @@
 package org.apache.james.jmap.pushsubscription
 
 import java.nio.charset.StandardCharsets
+import java.security.interfaces.{ECPrivateKey, ECPublicKey}
 import java.time.Clock
-import java.util.UUID
+import java.util.{Base64, UUID}
 
 import com.google.common.collect.ImmutableSet
+import com.google.common.hash.Hashing
+import com.google.crypto.tink.apps.webpush.WebPushHybridDecrypt
+import com.google.crypto.tink.subtle.EllipticCurves.CurveType
+import com.google.crypto.tink.subtle.{EllipticCurves, Random}
 import org.apache.james.core.Username
 import org.apache.james.events.Event.EventId
-import org.apache.james.jmap.api.model.{DeviceClientId, PushSubscriptionCreationRequest, PushSubscriptionServerURL, TypeName}
+import org.apache.james.jmap.api.model.{DeviceClientId, PushSubscriptionCreationRequest, PushSubscriptionKeys, PushSubscriptionServerURL, TypeName}
 import org.apache.james.jmap.api.pushsubscription.PushSubscriptionRepository
 import org.apache.james.jmap.change.{EmailDeliveryTypeName, EmailTypeName, MailboxTypeName, StateChangeEvent, TypeStateFactory}
 import org.apache.james.jmap.core.UuidState
@@ -145,4 +150,47 @@ class PushListenerTest {
         .isEqualTo(s"""{"@type":"StateChange","changed":{"$bobAccountId":{"Email":"${state1.value.toString}","Mailbox":"${state2.value.toString}"}}}""")
     })
   }
+
+  @Test
+  def pushShouldEncryptMessages(): Unit = {
+    val uaKeyPair = EllipticCurves.generateKeyPair(CurveType.NIST_P256)
+    val uaPrivateKey: ECPrivateKey = uaKeyPair.getPrivate.asInstanceOf[ECPrivateKey]
+    val uaPublicKey: ECPublicKey = uaKeyPair.getPublic.asInstanceOf[ECPublicKey]
+    val authSecret = Random.randBytes(16)
+
+    val hybridDecrypt = new WebPushHybridDecrypt.Builder()
+      .withAuthSecret(authSecret)
+      .withRecipientPublicKey(uaPublicKey)
+      .withRecipientPrivateKey(uaPrivateKey)
+      .build
+
+    val id = SMono(pushSubscriptionRepository.save(bob, PushSubscriptionCreationRequest(
+      deviceClientId = DeviceClientId("junit"),
+      keys = Some(PushSubscriptionKeys(p256dh = Base64.getEncoder.encodeToString(uaPublicKey.getEncoded),
+        auth = Base64.getEncoder.encodeToString(authSecret))),
+      url = url,
+      types = Seq(EmailTypeName, MailboxTypeName)))).block().id
+    SMono(pushSubscriptionRepository.validateVerificationCode(bob, id)).block()
+
+    val state1 = UuidState(UUID.randomUUID())
+    val state2 = UuidState(UUID.randomUUID())
+    val state3 = UuidState(UUID.randomUUID())
+    SMono(testee.reactiveEvent(StateChangeEvent(EventId.random(), bob,
+      Map(EmailTypeName -> state1, MailboxTypeName -> state2, EmailDeliveryTypeName -> state3)))).block()
+
+    val argumentCaptor: ArgumentCaptor[PushRequest] = ArgumentCaptor.forClass(classOf[PushRequest])
+    verify(webPushClient).push(ArgumentMatchers.eq(url), argumentCaptor.capture())
+    val decryptedPayload = s"""{"@type":"StateChange","changed":{"$bobAccountId":{"Email":"${state1.value.toString}","Mailbox":"${state2.value.toString}"}}}"""
+    val encryptedPayload = argumentCaptor.getValue.payload
+    SoftAssertions.assertSoftly(softly => {
+      // We positionned well the Content-Encoding header
+      softly.assertThat(argumentCaptor.getValue.contentCoding.toJava).contains(Aes128gcm)
+      // We are able to decrypt the payload
+      softly.assertThat(new String(hybridDecrypt.decrypt(encryptedPayload, null), StandardCharsets.UTF_8))
+        .isEqualTo(decryptedPayload)
+      // The content had been well modified by the encryption
+      softly.assertThat(Hashing.sha256().hashBytes(encryptedPayload))
+        .isNotEqualTo(Hashing.sha256().hashBytes(decryptedPayload.getBytes(StandardCharsets.UTF_8)))
+    })
+  }
 }

---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org