[ADR-16] Refactor Folders

[Hinton]

Type of change

- [ ] Bug fix
- [ ] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Refactors the Folder domain to follow the new method described in ADR-16. Please read the ADR for some background and the motivation for this move.

This PR focuses on introducing the core services needed for the new data model, and migrates the Folder domain.

The way this is implemented is by adding a generic method decryptDomain to CryptoService. Which currently fetches the relevant encryption key and calls decryptDomain on EncryptionService. Which in turns calls the static method FolderView.decrypt(encryptionService, key, domain). Which performs the actual mapping from domain to view.

Fetching of the encryption key is implemented for organizations and personal owned items. Personal items gets a null value assigned while organization items provides the organization ID as the identifier. In the future we can support more keys by adding more lookup locations.

Encryption works in a similar fashion using the encryptView which fetches the key and proxies the request to EncryptionService which calls decrypt on the view.

Why not just put the decrypt on FolderService? The FolderService already has a responsibility, and that is to maintain the state of Folders. We shouldn't give it more responsibilities, particularly not when the EncryptService is already responsible for encrypting and decrypting things.

Before you submit

• Please add unit tests where it makes sense to do so (encouraged but not required)
• If this change requires a documentation update - notify the documentation team
• If this change has particular deployment requirements - notify the DevOps team

[eliykat]

I've also been noodling away on this, please review #3738 as an alternative proposal and let me know what you think. We can line up a call to discuss in more detail if it's useful.

The biggest difference is that I don't want to have this pattern where we:

• pass an object to a decrypt method
• that method passes a service into a method on the object
• there are several levels of nested decrypt calls, passing down the same parameters each time, which you have to trace to find the actual decryption call still nested in EncString.

To me that is the real source of the tech debt here, it feels like decryption happens from the inside out, it's difficult to understand and extend. ContainerService is just a symptom of that. I'd like to flatten it out to a method which acts on an object.

[Hinton]

One goal that hasn't been noted in this PR, is the potential use case for a domain model to have multiple views with different amount of data.

I kept the decrypt method for a few reasons,

1. to limit the scope of the refactor.
2. Support objects that decrypt differently attachments seems to have some custom logic, and there has been some discussion around potentially having an EncObject which contains a json blob instead of individual fields.

[eliykat]

Support objects that decrypt differently attachments seems to have some custom logic, and there has been some discussion around potentially having an EncObject which contains a json blob instead of individual fields.

Just a note on this topic, I'd like to avoid having lots of custom logic here or different ways of encrypting objects. I'd rather define a few ways of encrypting objects (e.g. individual EncStrings or an encrypted blob) and make people implement those, rather than give every object the ability to do something different.

I probably have to experiment with more complex objects though to make sure that we can impose this kind of uniformity across our domain objects.

One goal that hasn't been noted in this PR, is the potential use case for a domain model to have multiple views with different amount of data.

Nice idea!

[MGibson1]

I don't particularly like that it's the View's responsibility to determine what data on the Domain is encrypted and what is not. To me, #3738 and this are complimentary -- #3732 describes the data flow and #3738 is a better interface for defining encrypted data/decryption. @eliykat, the big change that would be necessary in your PR is updating the decryptable interface to belong on the View instead of the Domain. This would enable @Hinton's idea of multiple views for a given domain. The issue is how do we expose to the encryptservice which fields to decrypt and which are not needed? Not sure on that one, yet...

The other issue I see here is this doesn't solve the central issue of how to grab the key to my liking. I think I'd like to see an interface on Domain that determines the appropriate key, given a 2d array of [Id, Key][].

[Hinton]

Having an interface on Domain to determine which key is used to encrypt things seems reasonable, it could be argued it's part of the domain model.

Something that came to mind are Attachments, Name is an EncString, but the key has custom logic, and the data is encrypted using the key. Not sure if we have more edge cases for how things are encrypted/decrypted.

[eliykat]

Only one minor comment so far, unfortunately I didn't get to spend a lot of time on this today. Although no surprises immediately jump out at me, which is good. I'll continue Monday.

[eliykat]

I'm still a little unsure what the end state of CryptoService and EncryptService is. The duplicated interfaces between them are starting to get messy.

iirc, the last we discussed was potentially changing CryptoService to be KeyService, then have EncryptService depend on KeyService so that it can fetch its own keys (with a static key store for web workers). That brought up circular dependency issues that we did not fully resolve. (see my notes). While we don't need to do all of this in 1 PR, I'd like to know where we're going with it.

[Hinton]

@eliykat I understand and I didn't want to muddle this PR with any refactoring of CryptoService.

I agree with the move to KeyService and have EncryptService depend on KeyService. But I view that as something we'll get around to at a later stage. I would like to refactor CryptoService to observables and do this refactor prior which should make that change fairly simple.

[Hinton]

I've removed the Cipher changes from this again, and changed the target to a new feature branch. My thinking is that we'll review this to ratify the general patterns, get QA to begin testing folders while I move the cipher portions to a new PR and we can review it prior to merging the feature branch.

This lets QA test both potions in isolation and we don't introduce the change until we've migrated Ciphers which prevents us from having 3 ways of doing encryption/decryption of domain models.

[eliykat]

Mostly minor comments given that the cipher changes have been taken out and I think we've discussed the folder stuff quite a bit already.

To be honest I'm struggling with the various type/interface names (Decryptable/Encryptable) etc, but I don't have any better suggestions for them. I'll chew on it though.

[eliykat]

I think we can also use NullableFactory here as well, right?

[Hinton]

Not really, it's not a constructor. We could make a nullable factory that accepts an argument with a factory in it.

[eliykat]

True. It's a similar pattern though (call a method if value isn't null), and this ternary condition will be repeated 100 times as we encrypt properties on objects under this new pattern.

[eliykat]

nullableFactory seems broadly useful to me, I think it should stand outside of the crypto-specific code.

[Hinton]

We can discuss it in the future PR, but I don't want to mix in any knowledge of views in the domain. Since domain is in the center and the ambition to support multiple views per domain.

[eliykat]

Looks good to me, but I'd like a final review from @MGibson1.

[eliykat]

Removing myself from reviewers on the understanding this will be done in the SDK instead.