feat(backend): encrypt structure's files

Author: pYassine

packages/backend/src/_migrations/1746974453999-manual-migration.ts

@@ -0,0 +1,30 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+import { domifaConfig } from "../config";
+
+export class AutoMigration1747256357377 implements MigrationInterface {
+  name = "AutoMigration1747256357377";
+
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    if (
+      domifaConfig().envId === "prod" ||
+      domifaConfig().envId === "preprod" ||
+      domifaConfig().envId === "local"
+    ) {
+      await queryRunner.query(
+        `ALTER TABLE "structure_doc" ADD "encryptionContext" text`
+      );
+      await queryRunner.query(
+        `ALTER TABLE "structure_doc" ADD "encryptionVersion" integer`
+      );
+    }
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `ALTER TABLE "structure_doc" DROP COLUMN "encryptionVersion"`
+    );
+    await queryRunner.query(
+      `ALTER TABLE "structure_doc" DROP COLUMN "encryptionContext"`
+    );
+  }
+}

packages/backend/src/_migrations/1747256357377-auto-migration.ts

@@ -0,0 +1,133 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+import { appLogger, cleanPath } from "../util";
+import { structureDocRepository } from "../database";
+import { join } from "node:path";
+import { FileManagerService } from "../util/file-manager/file-manager.service";
+import { StructureDoc } from "@domifa/common";
+
+export class EncryptStructureDocsMigration1748264444997
+  implements MigrationInterface
+{
+  public fileManagerService: FileManagerService;
+
+  constructor() {
+    this.fileManagerService = new FileManagerService();
+  }
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  public async up(_queryRunner: QueryRunner): Promise<void> {
+    appLogger.warn(
+      "[MIGRATION] Début du chiffrement des documents de structure"
+    );
+
+    await structureDocRepository.update({}, { encryptionContext: null });
+    type Docs = StructureDoc & {
+      structureUuid: string;
+    };
+
+    const unencryptedDocs: Docs[] = await structureDocRepository
+      .createQueryBuilder("structure_doc")
+      .leftJoin(
+        "structure",
+        "structure",
+        `structure."id" = structure_doc."structureId"`
+      )
+      .where(`structure_doc."encryptionContext" IS NULL`)
+      .select([
+        `structure_doc."uuid" as "uuid"`,
+        `structure_doc."structureId" as "structureId"`,
+        `structure_doc."path" as "path"`,
+        `structure_doc."filetype" as "filetype"`,
+        `structure_doc."encryptionContext" as "encryptionContext"`,
+        `structure."uuid" as "structureUuid"`,
+      ])
+      .getRawMany();
+
+    appLogger.warn(
+      `[MIGRATION] ${unencryptedDocs.length} documents à chiffrer`
+    );
+
+    let processedCount = 0;
+    let notFoundCount = 0;
+    let errorCount = 0;
+
+    const errors: Array<{ filePath: string; error: string }> = [];
+    for (const doc of unencryptedDocs) {
+      const filePath = join(
+        "structure-documents",
+        cleanPath(`${doc.structureId}`),
+        doc.path
+      );
+
+      try {
+        const fileExists = await this.fileManagerService.fileExists(filePath);
+        if (!fileExists) {
+          appLogger.error(`🔴 File not found: ${filePath}`);
+          notFoundCount++;
+          continue;
+        }
+
+        appLogger.info(`⌛ Processing : ${filePath}`);
+
+        const encryptionContext = crypto.randomUUID();
+        const newFilePath = join(
+          "structure-documents-encrypted",
+          cleanPath(`${doc.structureUuid}`),
+          `${doc.path}.sfe`
+        );
+
+        const object = await this.fileManagerService.getFileBody(filePath);
+        await this.fileManagerService.saveEncryptedFile(
+          newFilePath,
+          { ...doc, encryptionContext },
+          object
+        );
+
+        await structureDocRepository.update(
+          { uuid: doc.uuid },
+          {
+            encryptionContext,
+            encryptionVersion: 0,
+          }
+        );
+
+        appLogger.info(`✅ encypt done : ${doc.structureUuid} ${filePath}`);
+        processedCount++;
+      } catch (error) {
+        appLogger.error(
+          `🟠 Error during encryption: ${doc.structureUuid}   ${filePath} - ${error.message}`
+        );
+        errors.push({ filePath, error: error.message });
+        errorCount++;
+      }
+    }
+
+    const totalDocs = unencryptedDocs.length;
+    const successRate =
+      totalDocs > 0 ? ((processedCount / totalDocs) * 100).toFixed(1) : "0";
+
+    const migrationSummary = {
+      "Total documents": totalDocs,
+      "✅ Success": processedCount,
+      "🔴 Files not found": notFoundCount,
+      "🟠 Processing errors": errorCount,
+      "📊 Success rate": `${successRate}%`,
+    };
+
+    appLogger.warn("MIGRATION SUMMARY");
+    console.table(migrationSummary);
+
+    if (errors.length > 0) {
+      appLogger.error("Error details:");
+      console.table(errors);
+    }
+
+    if (processedCount === totalDocs) {
+      appLogger.info("🎉 Migration completed successfully!");
+    } else {
+      appLogger.warn("⚠️ Migration completed with errors");
+    }
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  public async down(_queryRunner: QueryRunner): Promise<void> {}
+}

packages/backend/src/_migrations/1748264444997-encrypt-structure-docs-migration.ts

@@ -54,6 +54,12 @@ export class StructureDocTable
   @Column({ type: "text", nullable: false })
   public path!: string;
 
+  @Column({ type: "text", nullable: true })
+  public encryptionContext: string;
+
+  @Column({ type: "integer", nullable: true })
+  public encryptionVersion: number;
+
   public constructor(entity?: Partial<StructureDocTable>) {
     super(entity);
     Object.assign(this, entity);

packages/backend/src/database/entities/structure-doc/StructureDocTable.typeorm.ts

@@ -23,10 +23,11 @@ import {
 } from "../../../../database";
 import { InteractionsService } from "../../../interactions/services";
 import { PageOptionsDto } from "../../../../usagers/dto";
-import { appLogger } from "../../../../util";
+import { appLogger, cleanPath } from "../../../../util";
 import { FileManagerService } from "../../../../util/file-manager/file-manager.service";
 import { AppLogsService } from "../../../app-logs/app-logs.service";
 import { Response } from "express";
+import { join } from "node:path";
 
 @Controller("portail-usagers/profile")
 @UseGuards(AuthGuard("jwt"), AppUserGuard)
@@ -158,10 +159,16 @@ export class PortailUsagersProfileController {
     });
 
     try {
+      const filePath = join(
+        "usager-documents",
+        cleanPath(currentUser.structure.uuid),
+        cleanPath(doc.usagerUUID),
+        `${doc.path}.sfe`
+      );
+
       return await this.fileManagerService.dowloadEncryptedFile(
         res,
-        currentUser.structure.uuid,
-        currentUser.usager.uuid,
+        filePath,
         doc
       );
     } catch (e) {

packages/backend/src/modules/portail-usagers/controllers/postail-usagers-profile/portail-usagers-profile.controller.ts

@@ -60,11 +60,16 @@ export class StructureDocController {
       });
 
       const filePath = join(
-        "structure-documents",
-        cleanPath(`${user.structureId}`),
-        doc.path
+        "structure-documents-encrypted",
+        cleanPath(`${user.structure.uuid}`),
+        `${doc.path}.sfe`
+      );
+
+      return await this.fileManagerService.dowloadEncryptedFile(
+        res,
+        filePath,
+        doc
       );
-      return await this.fileManagerService.downloadObject(filePath, res);
     } catch (e) {
       return res
         .status(HttpStatus.BAD_REQUEST)
@@ -125,13 +130,7 @@ export class StructureDocController {
     }
 
     const path = randomName(file);
-
-    const filePath = join(
-      "structure-documents",
-      cleanPath(`${user.structureId}`),
-      path
-    );
-    await this.fileManagerService.uploadFile(filePath, file.buffer);
+    const encryptionContext = crypto.randomUUID();
 
     const newDoc = new StructureDocTable({
       createdAt: new Date(),
@@ -140,6 +139,7 @@ export class StructureDocController {
         nom: user.nom,
         prenom: user.prenom,
       },
+      encryptionContext,
       displayInPortailUsager: false,
       filetype: file.mimetype,
       path,
@@ -149,6 +149,21 @@ export class StructureDocController {
       customDocType: structureDocDto.customDocType,
     });
 
+    const filePath = join(
+      "structure-documents-encrypted",
+      cleanPath(`${user.structure.uuid}`),
+      `${path}.sfe`
+    );
+
+    try {
+      await this.fileManagerService.saveEncryptedFile(filePath, newDoc, file);
+    } catch (e) {
+      console.log(e);
+      return res
+        .status(HttpStatus.INTERNAL_SERVER_ERROR)
+        .json({ message: "CANNOT_ENCRYPT_FILE" });
+    }
+
     try {
       await structureDocRepository.insert(newDoc);
       const docs = await structureDocRepository.findBy({