Fail when trying to double-encrypt a document (#95)

* Fail when trying to double-encrypt a document

* Update CHANGELOG.md

Co-authored-by: Murph Murphy <murph@clurictec.com>

---------

Co-authored-by: Murph Murphy <murph@clurictec.com>

Author: giarc3

CHANGELOG.md

@@ -1,3 +1,9 @@
+## 4.0.0
+
+-   Encryption now throws a `TscException` when trying to encrypt a document that has already been IronCore encrypted.
+    -   If you have a use case for double-encrypting a document, please open an issue explaining and we can work on accommodating you.
+    -   If you aren't double-encrypting documents there are no breaking changes affecting you in this version bump
+
 ## 3.0.1
 
 -   Fixed issue with constructing `FieldMetadata`.

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@ironcorelabs/tenant-security-nodejs",
-    "version": "3.0.1",
+    "version": "4.0.0",
     "description": "NodeJS client library for the IronCore Labs Tenant Security Proxy.",
     "homepage": "https://ironcorelabs.com/docs",
     "main": "src/index.js",

src/kms/Crypto.ts

@@ -116,6 +116,16 @@ const verifyHeaderSignature = (header: ironcorelabs.proto.Iv3DocumentHeader | un
  * Encrypt the provided document with the provided DEK. Encrypts all fields within the document with the same key but with separate IVs per field.
  */
 export const encryptDocument = (document: PlaintextDocument, dek: Base64String, tenantId: string): Future<TenantSecurityException, EncryptedDocument> => {
+    const invalidDocuments = Object.entries(document).filter(([, value]) => Util.isCmkEncryptedDocument(value));
+    if (invalidDocuments.length > 0) {
+        const invalidKeys = invalidDocuments.map(([key]) => `\`${key}\``);
+        return Future.reject(
+            new TscException(
+                TenantSecurityErrorCode.DOCUMENT_ENCRYPT_FAILED,
+                `One or more provided documents is already IronCore encrypted. IDs: ${invalidKeys.join(", ")}`
+            )
+        );
+    }
     const dekBytes = Buffer.from(dek, "base64");
     const futuresMap = Object.entries(document).reduce((currentMap, [fieldId, fieldBytes]) => {
         currentMap[fieldId] = encryptField(fieldBytes, dekBytes, {tenantId});

src/tests/DevIntegration.test.ts

@@ -81,6 +81,21 @@ describe("INTEGRATION dev environment tests", () => {
             await TestUtils.runSingleDocumentRoundTripForTenant(client, AZURE_TENANT_ID);
             await TestUtils.runSingleExistingDocumentRoundTripForTenant(client, AZURE_TENANT_ID);
         });
+
+        it("fails to double encrypt data", async () => {
+            const data = TestUtils.getDocumentToEncrypt();
+            const meta = TestUtils.getMetadata(GCP_TENANT_ID);
+            const encrypted = await client.encryptDocument(data, meta);
+
+            try {
+                await client.encryptDocument(encrypted.encryptedDocument, meta);
+                fail("Should fail because documents are double encrypted");
+            } catch (e) {
+                expect(e).toBeInstanceOf(TenantSecurityException);
+                expect(e.errorCode).toEqual(TenantSecurityErrorCode.DOCUMENT_ENCRYPT_FAILED);
+                expect(e.message).toContain("`field1`, `field2`, `field3`");
+            }
+        });
     });
 
     describe("roundtrip streaming encrypt and decrypt", () => {