Merge branch 'dev' into add-file-category

src/lib/server/db/file.ts

@@ -1,22 +1,23 @@
-import { SqliteError } from "better-sqlite3";
-import { and, eq, isNull } from "drizzle-orm";
-import db from "./drizzle";
 import { IntegrityError } from "./error";
-import { directory, directoryLog, file, fileLog, fileCategory, hsk, mek } from "./schema";
+import db from "./kysely";
+import type { Ciphertext } from "./schema";
 
 type DirectoryId = "root" | number;
 
-export interface NewDirectoryParams {
+interface Directory {
+  id: number;
   parentId: DirectoryId;
   userId: number;
   mekVersion: number;
   encDek: string;
   dekVersion: Date;
-  encName: string;
-  encNameIv: string;
+  encName: Ciphertext;
 }
 
-export interface NewFileParams {
+export type NewDirectory = Omit<Directory, "id">;
+
+interface File {
+  id: number;
   parentId: DirectoryId;
   userId: number;
   path: string;
@@ -28,217 +29,264 @@ export interface NewFileParams {
   contentType: string;
   encContentIv: string;
   encContentHash: string;
-  encName: string;
-  encNameIv: string;
-  encCreatedAt: string | null;
-  encCreatedAtIv: string | null;
-  encLastModifiedAt: string;
-  encLastModifiedAtIv: string;
+  encName: Ciphertext;
+  encCreatedAt: Ciphertext | null;
+  encLastModifiedAt: Ciphertext;
 }
 
-export const registerDirectory = async (params: NewDirectoryParams) => {
-  await db.transaction(
-    async (tx) => {
-      const meks = await tx
-        .select({ version: mek.version })
-        .from(mek)
-        .where(and(eq(mek.userId, params.userId), eq(mek.state, "active")))
-        .limit(1);
-      if (meks[0]?.version !== params.mekVersion) {
-        throw new IntegrityError("Inactive MEK version");
-      }
+export type NewFile = Omit<File, "id">;
 
-      const newDirectories = await tx
-        .insert(directory)
-        .values({
-          parentId: params.parentId === "root" ? null : params.parentId,
-          userId: params.userId,
-          mekVersion: params.mekVersion,
-          encDek: params.encDek,
-          dekVersion: params.dekVersion,
-          encName: { ciphertext: params.encName, iv: params.encNameIv },
-        })
-        .returning({ id: directory.id });
-      const { id: directoryId } = newDirectories[0]!;
-      await tx.insert(directoryLog).values({
-        directoryId,
+export const registerDirectory = async (params: NewDirectory) => {
+  await db.transaction().execute(async (trx) => {
+    const mek = await trx
+      .selectFrom("master_encryption_key")
+      .select("version")
+      .where("user_id", "=", params.userId)
+      .where("state", "=", "active")
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (mek?.version !== params.mekVersion) {
+      throw new IntegrityError("Inactive MEK version");
+    }
+
+    const { directoryId } = await trx
+      .insertInto("directory")
+      .values({
+        parent_id: params.parentId !== "root" ? params.parentId : null,
+        user_id: params.userId,
+        master_encryption_key_version: params.mekVersion,
+        encrypted_data_encryption_key: params.encDek,
+        data_encryption_key_version: params.dekVersion,
+        encrypted_name: params.encName,
+      })
+      .returning("id as directoryId")
+      .executeTakeFirstOrThrow();
+    await trx
+      .insertInto("directory_log")
+      .values({
+        directory_id: directoryId,
         timestamp: new Date(),
         action: "create",
-        newName: { ciphertext: params.encName, iv: params.encNameIv },
-      });
-    },
-    { behavior: "exclusive" },
-  );
+        new_name: params.encName,
+      })
+      .execute();
+  });
 };
 
 export const getAllDirectoriesByParent = async (userId: number, parentId: DirectoryId) => {
-  return await db
-    .select()
-    .from(directory)
-    .where(
-      and(
-        eq(directory.userId, userId),
-        parentId === "root" ? isNull(directory.parentId) : eq(directory.parentId, parentId),
-      ),
-    );
+  let query = db.selectFrom("directory").selectAll().where("user_id", "=", userId);
+  query =
+    parentId === "root"
+      ? query.where("parent_id", "is", null)
+      : query.where("parent_id", "=", parentId);
+  const directories = await query.execute();
+  return directories.map(
+    (directory) =>
+      ({
+        id: directory.id,
+        parentId: directory.parent_id ?? "root",
+        userId: directory.user_id,
+        mekVersion: directory.master_encryption_key_version,
+        encDek: directory.encrypted_data_encryption_key,
+        dekVersion: directory.data_encryption_key_version,
+        encName: directory.encrypted_name,
+      }) satisfies Directory,
+  );
 };
 
 export const getDirectory = async (userId: number, directoryId: number) => {
-  const res = await db
-    .select()
-    .from(directory)
-    .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)))
-    .limit(1);
-  return res[0] ?? null;
+  const directory = await db
+    .selectFrom("directory")
+    .selectAll()
+    .where("id", "=", directoryId)
+    .where("user_id", "=", userId)
+    .limit(1)
+    .executeTakeFirst();
+  return directory
+    ? ({
+        id: directory.id,
+        parentId: directory.parent_id ?? "root",
+        userId: directory.user_id,
+        mekVersion: directory.master_encryption_key_version,
+        encDek: directory.encrypted_data_encryption_key,
+        dekVersion: directory.data_encryption_key_version,
+        encName: directory.encrypted_name,
+      } satisfies Directory)
+    : null;
 };
 
 export const setDirectoryEncName = async (
   userId: number,
   directoryId: number,
   dekVersion: Date,
-  encName: string,
-  encNameIv: string,
+  encName: Ciphertext,
 ) => {
-  await db.transaction(
-    async (tx) => {
-      const directories = await tx
-        .select({ version: directory.dekVersion })
-        .from(directory)
-        .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)))
-        .limit(1);
-      if (!directories[0]) {
-        throw new IntegrityError("Directory not found");
-      } else if (directories[0].version.getTime() !== dekVersion.getTime()) {
-        throw new IntegrityError("Invalid DEK version");
-      }
+  await db.transaction().execute(async (trx) => {
+    const directory = await trx
+      .selectFrom("directory")
+      .select("data_encryption_key_version")
+      .where("id", "=", directoryId)
+      .where("user_id", "=", userId)
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (!directory) {
+      throw new IntegrityError("Directory not found");
+    } else if (directory.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
+      throw new IntegrityError("Invalid DEK version");
+    }
 
-      await tx
-        .update(directory)
-        .set({ encName: { ciphertext: encName, iv: encNameIv } })
-        .where(and(eq(directory.userId, userId), eq(directory.id, directoryId)));
-      await tx.insert(directoryLog).values({
-        directoryId,
+    await trx
+      .updateTable("directory")
+      .set({ encrypted_name: encName })
+      .where("id", "=", directoryId)
+      .where("user_id", "=", userId)
+      .execute();
+    await trx
+      .insertInto("directory_log")
+      .values({
+        directory_id: directoryId,
         timestamp: new Date(),
         action: "rename",
-        newName: { ciphertext: encName, iv: encNameIv },
-      });
-    },
-    { behavior: "exclusive" },
-  );
+        new_name: encName,
+      })
+      .execute();
+  });
 };
 
 export const unregisterDirectory = async (userId: number, directoryId: number) => {
-  return await db.transaction(
-    async (tx) => {
+  return await db
+    .transaction()
+    .setIsolationLevel("repeatable read") // TODO: Sufficient?
+    .execute(async (trx) => {
       const unregisterFiles = async (parentId: number) => {
-        return await tx
-          .delete(file)
-          .where(and(eq(file.userId, userId), eq(file.parentId, parentId)))
-          .returning({ id: file.id, path: file.path });
+        return await trx
+          .deleteFrom("file")
+          .where("parent_id", "=", parentId)
+          .where("user_id", "=", userId)
+          .returning(["id", "path"])
+          .execute();
       };
       const unregisterDirectoryRecursively = async (
         directoryId: number,
       ): Promise<{ id: number; path: string }[]> => {
         const files = await unregisterFiles(directoryId);
-        const subDirectories = await tx
-          .select({ id: directory.id })
-          .from(directory)
-          .where(and(eq(directory.userId, userId), eq(directory.parentId, directoryId)));
+        const subDirectories = await trx
+          .selectFrom("directory")
+          .select("id")
+          .where("parent_id", "=", directoryId)
+          .where("user_id", "=", userId)
+          .execute();
         const subDirectoryFilePaths = await Promise.all(
           subDirectories.map(async ({ id }) => await unregisterDirectoryRecursively(id)),
         );
 
-        const deleteRes = await tx.delete(directory).where(eq(directory.id, directoryId));
-        if (deleteRes.changes === 0) {
+        const deleteRes = await trx
+          .deleteFrom("directory")
+          .where("id", "=", directoryId)
+          .where("user_id", "=", userId)
+          .executeTakeFirst();
+        if (deleteRes.numDeletedRows === 0n) {
           throw new IntegrityError("Directory not found");
         }
         return files.concat(...subDirectoryFilePaths);
       };
       return await unregisterDirectoryRecursively(directoryId);
-    },
-    { behavior: "exclusive" },
-  );
+    });
 };
 
-export const registerFile = async (params: NewFileParams) => {
-  if (
-    (params.hskVersion && !params.contentHmac) ||
-    (!params.hskVersion && params.contentHmac) ||
-    (params.encCreatedAt && !params.encCreatedAtIv) ||
-    (!params.encCreatedAt && params.encCreatedAtIv)
-  ) {
+export const registerFile = async (params: NewFile) => {
+  if ((params.hskVersion && !params.contentHmac) || (!params.hskVersion && params.contentHmac)) {
     throw new Error("Invalid arguments");
   }
 
-  await db.transaction(
-    async (tx) => {
-      const meks = await tx
-        .select({ version: mek.version })
-        .from(mek)
-        .where(and(eq(mek.userId, params.userId), eq(mek.state, "active")))
-        .limit(1);
-      if (meks[0]?.version !== params.mekVersion) {
-        throw new IntegrityError("Inactive MEK version");
-      }
+  await db.transaction().execute(async (trx) => {
+    const mek = await trx
+      .selectFrom("master_encryption_key")
+      .select("version")
+      .where("user_id", "=", params.userId)
+      .where("state", "=", "active")
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (mek?.version !== params.mekVersion) {
+      throw new IntegrityError("Inactive MEK version");
+    }
 
-      if (params.hskVersion) {
-        const hsks = await tx
-          .select({ version: hsk.version })
-          .from(hsk)
-          .where(and(eq(hsk.userId, params.userId), eq(hsk.state, "active")))
-          .limit(1);
-        if (hsks[0]?.version !== params.hskVersion) {
-          throw new IntegrityError("Inactive HSK version");
-        }
+    if (params.hskVersion) {
+      const hsk = await trx
+        .selectFrom("hmac_secret_key")
+        .select("version")
+        .where("user_id", "=", params.userId)
+        .where("state", "=", "active")
+        .limit(1)
+        .forUpdate()
+        .executeTakeFirst();
+      if (hsk?.version !== params.hskVersion) {
+        throw new IntegrityError("Inactive HSK version");
       }
+    }
 
-      const newFiles = await tx
-        .insert(file)
-        .values({
-          path: params.path,
-          parentId: params.parentId === "root" ? null : params.parentId,
-          userId: params.userId,
-          mekVersion: params.mekVersion,
-          hskVersion: params.hskVersion,
-          encDek: params.encDek,
-          dekVersion: params.dekVersion,
-          contentHmac: params.contentHmac,
-          contentType: params.contentType,
-          encContentIv: params.encContentIv,
-          encContentHash: params.encContentHash,
-          encName: { ciphertext: params.encName, iv: params.encNameIv },
-          encCreatedAt:
-            params.encCreatedAt && params.encCreatedAtIv
-              ? { ciphertext: params.encCreatedAt, iv: params.encCreatedAtIv }
-              : null,
-          encLastModifiedAt: {
-            ciphertext: params.encLastModifiedAt,
-            iv: params.encLastModifiedAtIv,
-          },
-        })
-        .returning({ id: file.id });
-      const { id: fileId } = newFiles[0]!;
-      await tx.insert(fileLog).values({
-        fileId,
+    const { fileId } = await trx
+      .insertInto("file")
+      .values({
+        parent_id: params.parentId !== "root" ? params.parentId : null,
+        user_id: params.userId,
+        path: params.path,
+        master_encryption_key_version: params.mekVersion,
+        encrypted_data_encryption_key: params.encDek,
+        data_encryption_key_version: params.dekVersion,
+        hmac_secret_key_version: params.hskVersion,
+        content_hmac: params.contentHmac,
+        content_type: params.contentType,
+        encrypted_content_iv: params.encContentIv,
+        encrypted_content_hash: params.encContentHash,
+        encrypted_name: params.encName,
+        encrypted_created_at: params.encCreatedAt,
+        encrypted_last_modified_at: params.encLastModifiedAt,
+      })
+      .returning("id as fileId")
+      .executeTakeFirstOrThrow();
+    await trx
+      .insertInto("file_log")
+      .values({
+        file_id: fileId,
         timestamp: new Date(),
         action: "create",
-        newName: { ciphertext: params.encName, iv: params.encNameIv },
-      });
-    },
-    { behavior: "exclusive" },
-  );
+        new_name: params.encName,
+      })
+      .execute();
+  });
 };
 
 export const getAllFilesByParent = async (userId: number, parentId: DirectoryId) => {
-  return await db
-    .select()
-    .from(file)
-    .where(
-      and(
-        eq(file.userId, userId),
-        parentId === "root" ? isNull(file.parentId) : eq(file.parentId, parentId),
-      ),
-    );
+  let query = db.selectFrom("file").selectAll().where("user_id", "=", userId);
+  query =
+    parentId === "root"
+      ? query.where("parent_id", "is", null)
+      : query.where("parent_id", "=", parentId);
+  const files = await query.execute();
+  return files.map(
+    (file) =>
+      ({
+        id: file.id,
+        parentId: file.parent_id ?? "root",
+        userId: file.user_id,
+        path: file.path,
+        mekVersion: file.master_encryption_key_version,
+        encDek: file.encrypted_data_encryption_key,
+        dekVersion: file.data_encryption_key_version,
+        hskVersion: file.hmac_secret_key_version,
+        contentHmac: file.content_hmac,
+        contentType: file.content_type,
+        encContentIv: file.encrypted_content_iv,
+        encContentHash: file.encrypted_content_hash,
+        encName: file.encrypted_name,
+        encCreatedAt: file.encrypted_created_at,
+        encLastModifiedAt: file.encrypted_last_modified_at,
+      }) satisfies File,
+  );
 };
 
 export const getAllFilesByCategory = async (userId: number, categoryId: number) => {
@@ -254,71 +302,95 @@ export const getAllFileIdsByContentHmac = async (
   hskVersion: number,
   contentHmac: string,
 ) => {
-  return await db
-    .select({ id: file.id })
-    .from(file)
-    .where(
-      and(
-        eq(file.userId, userId),
-        eq(file.hskVersion, hskVersion),
-        eq(file.contentHmac, contentHmac),
-      ),
-    );
+  const files = await db
+    .selectFrom("file")
+    .select("id")
+    .where("user_id", "=", userId)
+    .where("hmac_secret_key_version", "=", hskVersion)
+    .where("content_hmac", "=", contentHmac)
+    .execute();
+  return files.map(({ id }) => ({ id }));
 };
 
 export const getFile = async (userId: number, fileId: number) => {
-  const res = await db
-    .select()
-    .from(file)
-    .where(and(eq(file.userId, userId), eq(file.id, fileId)))
-    .limit(1);
-  return res[0] ?? null;
+  const file = await db
+    .selectFrom("file")
+    .selectAll()
+    .where("id", "=", fileId)
+    .where("user_id", "=", userId)
+    .limit(1)
+    .executeTakeFirst();
+  return file
+    ? ({
+        id: file.id,
+        parentId: file.parent_id ?? "root",
+        userId: file.user_id,
+        path: file.path,
+        mekVersion: file.master_encryption_key_version,
+        encDek: file.encrypted_data_encryption_key,
+        dekVersion: file.data_encryption_key_version,
+        hskVersion: file.hmac_secret_key_version,
+        contentHmac: file.content_hmac,
+        contentType: file.content_type,
+        encContentIv: file.encrypted_content_iv,
+        encContentHash: file.encrypted_content_hash,
+        encName: file.encrypted_name,
+        encCreatedAt: file.encrypted_created_at,
+        encLastModifiedAt: file.encrypted_last_modified_at,
+      } satisfies File)
+    : null;
 };
 
 export const setFileEncName = async (
   userId: number,
   fileId: number,
   dekVersion: Date,
-  encName: string,
-  encNameIv: string,
+  encName: Ciphertext,
 ) => {
-  await db.transaction(
-    async (tx) => {
-      const files = await tx
-        .select({ version: file.dekVersion })
-        .from(file)
-        .where(and(eq(file.userId, userId), eq(file.id, fileId)))
-        .limit(1);
-      if (!files[0]) {
-        throw new IntegrityError("File not found");
-      } else if (files[0].version.getTime() !== dekVersion.getTime()) {
-        throw new IntegrityError("Invalid DEK version");
-      }
+  await db.transaction().execute(async (trx) => {
+    const file = await trx
+      .selectFrom("file")
+      .select("data_encryption_key_version")
+      .where("id", "=", fileId)
+      .where("user_id", "=", userId)
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (!file) {
+      throw new IntegrityError("File not found");
+    } else if (file.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
+      throw new IntegrityError("Invalid DEK version");
+    }
 
-      await tx
-        .update(file)
-        .set({ encName: { ciphertext: encName, iv: encNameIv } })
-        .where(and(eq(file.userId, userId), eq(file.id, fileId)));
-      await tx.insert(fileLog).values({
-        fileId,
+    await trx
+      .updateTable("file")
+      .set({ encrypted_name: encName })
+      .where("id", "=", fileId)
+      .where("user_id", "=", userId)
+      .execute();
+    await trx
+      .insertInto("file_log")
+      .values({
+        file_id: fileId,
         timestamp: new Date(),
         action: "rename",
-        newName: { ciphertext: encName, iv: encNameIv },
-      });
-    },
-    { behavior: "exclusive" },
-  );
+        new_name: encName,
+      })
+      .execute();
+  });
 };
 
 export const unregisterFile = async (userId: number, fileId: number) => {
-  const files = await db
-    .delete(file)
-    .where(and(eq(file.userId, userId), eq(file.id, fileId)))
-    .returning({ path: file.path });
-  if (!files[0]) {
+  const file = await db
+    .deleteFrom("file")
+    .where("id", "=", fileId)
+    .where("user_id", "=", userId)
+    .returning("path")
+    .executeTakeFirst();
+  if (!file) {
     throw new IntegrityError("File not found");
   }
-  return files[0].path;
+  return { path: file.path };
 };
 
 export const addFileToCategory = async (fileId: number, categoryId: number) => {