[Telemetry] update crypto packages (#62469)

* update crypto packages

* as type for return value

* get default export

* add if checks

* wrap errors in i18n

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

package.json

@@ -126,7 +126,7 @@
     "@elastic/filesaver": "1.1.2",
     "@elastic/good": "8.1.1-kibana2",
     "@elastic/numeral": "2.4.0",
-    "@elastic/request-crypto": "^1.0.2",
+    "@elastic/request-crypto": "1.1.2",
     "@elastic/ui-ace": "0.2.3",
     "@hapi/good-squeeze": "5.2.1",
     "@hapi/wreck": "^15.0.2",

typings/elastic__node_crypto.d.ts

@@ -1,20 +0,0 @@
-/*
- * Licensed to Elasticsearch B.V. under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch B.V. licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-declare module '@elastic/node-crypto';

x-pack/legacy/plugins/reporting/export_types/common/execute_job/decrypt_job_headers.ts

@@ -6,7 +6,7 @@
 
 import { i18n } from '@kbn/i18n';
 import { cryptoFactory } from '../../../server/lib/crypto';
-import { CryptoFactory, Logger } from '../../../types';
+import { Logger } from '../../../types';
 
 interface HasEncryptedHeaders {
   headers?: string;
@@ -25,9 +25,16 @@ export const decryptJobHeaders = async <
   job: JobDocPayloadType;
   logger: Logger;
 }): Promise<Record<string, string>> => {
-  const crypto: CryptoFactory = cryptoFactory(encryptionKey);
   try {
-    const decryptedHeaders: Record<string, string> = await crypto.decrypt(job.headers);
+    if (typeof job.headers !== 'string') {
+      throw new Error(
+        i18n.translate('xpack.reporting.exportTypes.common.missingJobHeadersErrorMessage', {
+          defaultMessage: 'Job headers are missing',
+        })
+      );
+    }
+    const crypto = cryptoFactory(encryptionKey);
+    const decryptedHeaders = (await crypto.decrypt(job.headers)) as Record<string, string>;
     return decryptedHeaders;
   } catch (err) {
     logger.error(err);

x-pack/legacy/plugins/reporting/export_types/csv/server/execute_job.ts

@@ -43,9 +43,18 @@ export const executeJobFactory: ExecuteJobFactory<ESQueueWorkerExecuteFn<
     } = job;
 
     const decryptHeaders = async () => {
-      let decryptedHeaders;
       try {
-        decryptedHeaders = await crypto.decrypt(headers);
+        if (typeof headers !== 'string') {
+          throw new Error(
+            i18n.translate(
+              'xpack.reporting.exportTypes.csv.executeJob.missingJobHeadersErrorMessage',
+              {
+                defaultMessage: 'Job headers are missing',
+              }
+            )
+          );
+        }
+        return await crypto.decrypt(headers);
       } catch (err) {
         logger.error(err);
         throw new Error(
@@ -58,7 +67,6 @@ export const executeJobFactory: ExecuteJobFactory<ESQueueWorkerExecuteFn<
           )
         ); // prettier-ignore
       }
-      return decryptedHeaders;
     };
 
     const fakeRequest = KibanaRequest.from({

x-pack/legacy/plugins/reporting/export_types/csv_from_savedobject/server/execute_job.ts

@@ -58,7 +58,20 @@ export const executeJobFactory: ExecuteJobFactory<ImmediateExecuteFn<
       let decryptedHeaders: Record<string, unknown>;
       const serializedEncryptedHeaders = job.headers;
       try {
-        decryptedHeaders = await crypto.decrypt(serializedEncryptedHeaders);
+        if (typeof serializedEncryptedHeaders !== 'string') {
+          throw new Error(
+            i18n.translate(
+              'xpack.reporting.exportTypes.csv_from_savedobject.executeJob.missingJobHeadersErrorMessage',
+              {
+                defaultMessage: 'Job headers are missing',
+              }
+            )
+          );
+        }
+        decryptedHeaders = (await crypto.decrypt(serializedEncryptedHeaders)) as Record<
+          string,
+          unknown
+        >;
       } catch (err) {
         jobLogger.error(err);
         throw new Error(

x-pack/legacy/plugins/reporting/server/lib/crypto.ts

@@ -6,6 +6,10 @@
 
 import nodeCrypto from '@elastic/node-crypto';
 
-export function cryptoFactory(encryptionKey: string | undefined) {
+export function cryptoFactory(encryptionKey?: string) {
+  if (typeof encryptionKey !== 'string') {
+    throw new Error('Encryption Key required.');
+  }
+
   return nodeCrypto({ encryptionKey });
 }

x-pack/legacy/plugins/reporting/types.d.ts

@@ -116,10 +116,6 @@ export interface ConditionalHeadersConditions {
   basePath: string;
 }
 
-export interface CryptoFactory {
-  decrypt: (headers?: string) => any;
-}
-
 export interface IndexPatternSavedObject {
   attributes: {
     fieldFormatMap: string;

x-pack/package.json

@@ -185,7 +185,7 @@
     "@elastic/eui": "21.0.1",
     "@elastic/filesaver": "1.1.2",
     "@elastic/maki": "6.2.0",
-    "@elastic/node-crypto": "^1.0.0",
+    "@elastic/node-crypto": "1.1.1",
     "@elastic/numeral": "2.4.0",
     "@kbn/babel-preset": "1.0.0",
     "@kbn/config-schema": "1.0.0",

x-pack/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_objects_service.test.ts

@@ -19,9 +19,10 @@ beforeEach(() => {
   mockAuditLogger = encryptedSavedObjectsAuditLoggerMock.create();
 
   // Call actual `@elastic/node-crypto` by default, but allow to override implementation in tests.
-  jest
-    .requireMock('@elastic/node-crypto')
-    .mockImplementation((...args: any[]) => jest.requireActual('@elastic/node-crypto')(...args));
+  jest.requireMock('@elastic/node-crypto').mockImplementation((...args: any[]) => {
+    const { default: nodeCrypto } = jest.requireActual('@elastic/node-crypto');
+    return nodeCrypto(...args);
+  });
 
   service = new EncryptedSavedObjectsService(
     'encryption-key-abc',

x-pack/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_objects_service.ts

@@ -4,8 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-// @ts-ignore
-import nodeCrypto from '@elastic/node-crypto';
+import nodeCrypto, { Crypto } from '@elastic/node-crypto';
 import stringify from 'json-stable-stringify';
 import typeDetect from 'type-detect';
 import { Logger } from 'src/core/server';
@@ -49,10 +48,7 @@ export function descriptorToArray(descriptor: SavedObjectDescriptor) {
  * attributes.
  */
 export class EncryptedSavedObjectsService {
-  private readonly crypto: Readonly<{
-    encrypt<T>(valueToEncrypt: T, aad?: string): Promise<string>;
-    decrypt<T>(valueToDecrypt: string, aad?: string): Promise<T>;
-  }>;
+  private readonly crypto: Readonly<Crypto>;
 
   /**
    * Map of all registered saved object types where the `key` is saved object type and the `value`
@@ -229,10 +225,10 @@ export class EncryptedSavedObjectsService {
       }
 
       try {
-        decryptedAttributes[attributeName] = await this.crypto.decrypt(
+        decryptedAttributes[attributeName] = (await this.crypto.decrypt(
           attributeValue,
           encryptionAAD
-        );
+        )) as string;
       } catch (err) {
         this.logger.error(`Failed to decrypt "${attributeName}" attribute: ${err.message || err}`);
         this.audit.decryptAttributeFailure(attributeName, descriptor);

x-pack/typings/elastic__node_crypto.d.ts

@@ -1,7 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-declare module '@elastic/node-crypto';

yarn.lock

@@ -1343,27 +1343,22 @@
   resolved "https://registry.yarnpkg.com/@elastic/maki/-/maki-6.2.0.tgz#d0a85aa248bdc14dca44e1f9430c0b670f65e489"
   integrity sha512-QkmRNpEY4Dy6eqwDimR5X9leMgdPFjdANmpEIwEW1XVUG2U4YtB2BXhDxsnMmNTUrJUjtnjnwgwBUyg0pU0FTg==
 
-"@elastic/node-crypto@^0.1.2":
-  version "0.1.2"
-  resolved "https://registry.yarnpkg.com/@elastic/node-crypto/-/node-crypto-0.1.2.tgz#c18ac282f635e88f041cc1555d806e492ca8f3b1"
-  integrity sha1-wYrCgvY16I8EHMFVXYBuSSyo87E=
-
-"@elastic/node-crypto@^1.0.0":
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/@elastic/node-crypto/-/node-crypto-1.0.0.tgz#4d325df333fe1319556bb4d54214098ada1171d4"
-  integrity sha512-bbjbEyILPRTRt0xnda18OttLtlkJBPuXx3CjISUSn9jhWqHoFMzfOaZ73D5jxZE2SaFZUrJYfPpqXP6qqPufAQ==
+"@elastic/node-crypto@1.1.1":
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/@elastic/node-crypto/-/node-crypto-1.1.1.tgz#619b70322c9cce4a7ee5fbf8f678b1baa7f06095"
+  integrity sha512-F6tIk8Txdqjg8Siv60iAvXzO9ZdQI87K3sS/fh5xd2XaWK+T5ZfqeTvsT7srwG6fr6uCBfuQEJV1KBBl+JpLZA==
 
 "@elastic/numeral@2.4.0":
   version "2.4.0"
   resolved "https://registry.yarnpkg.com/@elastic/numeral/-/numeral-2.4.0.tgz#883197b7f4bf3c2dd994f53b274769ddfa2bf79a"
   integrity sha512-uGBKGCNghTgUZPHClji/00v+AKt5nidPTGOIbcT+lbTPVxNB6QPpPLGWtXyrg3QZAxobPM/LAZB1mAqtJeq44Q==
 
-"@elastic/request-crypto@^1.0.2":
-  version "1.0.2"
-  resolved "https://registry.yarnpkg.com/@elastic/request-crypto/-/request-crypto-1.0.2.tgz#bf27bf009227166f3eeb2b5193a108752335ebd3"
-  integrity sha512-8FtGYl7LebhmJmEDWiGn3MorvNiGWSYPqhvgRlKXjNakEuLoPBBe0DHxbwLkj08CMLWczXcO2ixqBPY7fEhJpA==
+"@elastic/request-crypto@1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@elastic/request-crypto/-/request-crypto-1.1.2.tgz#2e323550f546f6286994126d462a9ea480a3bfb1"
+  integrity sha512-i73wjj1Qi8dGJIy170Z8xyJ760mFNjTbdmcp/nEczqWD0miNW6I5wZ5MNrv7M6CXn2m1wMXiT6qzDYd93Hv1Dw==
   dependencies:
-    "@elastic/node-crypto" "^0.1.2"
+    "@elastic/node-crypto" "1.1.1"
     "@types/node-jose" "1.1.0"
     node-jose "1.1.0"