feat!: Allow E2EE rooms to reset its room key (#33328)

Co-authored-by: Guilherme Gazzo <[email protected]> Co-authored-by: Matheus Barbosa Silva <[email protected]>
RocketChat · Oct 14, 2024 · bfefe41 · bfefe41
1 parent 1343dff
commit bfefe41
Show file tree

Hide file tree

Showing 20 changed files with 514 additions and 42 deletions.
diff --git a/.changeset/smooth-horses-draw.md b/.changeset/smooth-horses-draw.md
@@ -0,0 +1,11 @@
+---
+"@rocket.chat/meteor": major
+"@rocket.chat/core-services": patch
+"@rocket.chat/core-typings": patch
+"@rocket.chat/ddp-client": patch
+"@rocket.chat/i18n": patch
+"@rocket.chat/model-typings": patch
+"@rocket.chat/rest-typings": patch
+---
+
+Allows authorized users to reset the encryption key for end-to-end encrypted rooms. This aims to prevent situations where all users of a room have lost the encryption key, and as such, the access to the room.
diff --git a/apps/meteor/app/api/server/v1/e2e.ts b/apps/meteor/app/api/server/v1/e2e.ts
@@ -7,14 +7,23 @@ import {
 	ise2eUpdateGroupKeyParamsPOST,
 	isE2EProvideUsersGroupKeyProps,
 	isE2EFetchUsersWaitingForGroupKeyProps,
+	isE2EResetRoomKeyProps,
 } from '@rocket.chat/rest-typings';
+import ExpiryMap from 'expiry-map';
 import { Meteor } from 'meteor/meteor';
 
+import { canAccessRoomIdAsync } from '../../../authorization/server/functions/canAccessRoom';
+import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { handleSuggestedGroupKey } from '../../../e2e/server/functions/handleSuggestedGroupKey';
 import { provideUsersSuggestedGroupKeys } from '../../../e2e/server/functions/provideUsersSuggestedGroupKeys';
+import { resetRoomKey } from '../../../e2e/server/functions/resetRoomKey';
 import { settings } from '../../../settings/server';
 import { API } from '../api';
 
+// After 10s the room lock will expire, meaning that if for some reason the process never completed
+// The next reset will be available 10s after
+const LockMap = new ExpiryMap<string, boolean>(10000);
+
 API.v1.addRoute(
 	'e2e.fetchMyKeys',
 	{
@@ -284,3 +293,36 @@ API.v1.addRoute(
 		},
 	},
 );
+
+// This should have permissions
+API.v1.addRoute(
+	'e2e.resetRoomKey',
+	{ authRequired: true, validateParams: isE2EResetRoomKeyProps },
+	{
+		async post() {
+			const { rid, e2eKey, e2eKeyId } = this.bodyParams;
+			if (!(await hasPermissionAsync(this.userId, 'toggle-room-e2e-encryption', rid))) {
+				return API.v1.unauthorized();
+			}
+			if (LockMap.has(rid)) {
+				throw new Error('error-e2e-key-reset-in-progress');
+			}
+
+			LockMap.set(rid, true);
+
+			if (!(await canAccessRoomIdAsync(rid, this.userId))) {
+				throw new Error('error-not-allowed');
+			}
+
+			try {
+				await resetRoomKey(rid, this.userId, e2eKey, e2eKeyId);
+				return API.v1.success();
+			} catch (e) {
+				console.error(e);
+				return API.v1.failure('error-e2e-key-reset-failed');
+			} finally {
+				LockMap.delete(rid);
+			}
+		},
+	},
+);
diff --git a/apps/meteor/app/e2e/client/helper.js b/apps/meteor/app/e2e/client/helper.js
@@ -147,9 +147,14 @@ export async function generateMnemonicPhrase(n, sep = ' ') {
 	return result.join(sep);
 }
 
-export async function createSha256Hash(data) {
+export async function createSha256HashFromText(data) {
 	const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(data));
 	return Array.from(new Uint8Array(hash))
 		.map((b) => b.toString(16).padStart(2, '0'))
 		.join('');
 }
+
+export async function sha256HashFromArrayBuffer(arrayBuffer) {
+	const hashArray = Array.from(new Uint8Array(await crypto.subtle.digest('SHA-256', arrayBuffer)));
+	return hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+}