Create resource wrapper

cedricherzog-passbolt · cedricherzog-passbolt · commit 4d7d906369b0 · 2025-11-25T14:54:13.000+01:00
diff --git a/api/auth.go b/api/auth.go
@@ -28,6 +28,8 @@ func (c *Client) CheckSession(ctx context.Context) bool {
 
 // Login gets a Session and CSRF Token from Passbolt and Stores them in the Clients Cookie Jar
 func (c *Client) Login(ctx context.Context) error {
+	// Clear any cached data from previous sessions
+	c.ClearCache()
 	c.csrfToken = http.Cookie{}
 
 	data := Login{&GPGAuth{KeyID: c.userPrivateKey.GetFingerprint()}}
@@ -129,5 +131,6 @@ func (c *Client) Logout(ctx context.Context) error {
 	}
 	c.sessionToken = http.Cookie{}
 	c.csrfToken = http.Cookie{}
+	c.ClearCache()
 	return nil
 }
diff --git a/api/client.go b/api/client.go
@@ -59,6 +59,17 @@ type Client struct {
 
 	// Enable Debug Logging
 	Debug bool
+
+	// Cache for resource types (rarely change)
+	resourceTypesCache []ResourceType
+
+	// Cache for metadata keys (includes decrypted private keys)
+	metadataKeysCache []MetadataKey
+	// Cache for decrypted metadata private keys, keyed by metadata key ID
+	decryptedMetadataKeysCache map[string]*crypto.Key
+
+	// Cache for session keys used for metadata decryption, keyed by metadata key ID
+	sessionKeyCache map[string]*crypto.SessionKey
 }
 
 // PublicKeyReponse the Body of a Public Key Api Request
@@ -98,11 +109,13 @@ func NewClient(httpClient *http.Client, UserAgent, BaseURL, UserPrivateKey, User
 
 	// Create Client Object
 	c := &Client{
-		httpClient:     httpClient,
-		baseURL:        u,
-		userAgent:      UserAgent,
-		userPrivateKey: unlockedKey,
-		pgp:            pgp,
+		httpClient:                 httpClient,
+		baseURL:                    u,
+		userAgent:                  UserAgent,
+		userPrivateKey:             unlockedKey,
+		pgp:                        pgp,
+		decryptedMetadataKeysCache: make(map[string]*crypto.Key),
+		sessionKeyCache:            make(map[string]*crypto.SessionKey),
 	}
 	return c, err
 }
@@ -277,3 +290,176 @@ func (c *Client) GetPGPHandle() *crypto.PGPHandle {
 func (c *Client) GetPasswordExpirySettings() PasswordExpirySettings {
 	return c.passwordExpirySettings
 }
+
+// ClearCache clears all cached data
+func (c *Client) ClearCache() {
+	c.ClearResourceTypesCache()
+	c.ClearMetadataKeysCache()
+	c.ClearSessionKeyCache()
+}
+
+// ClearResourceTypesCache clears the resource types cache
+func (c *Client) ClearResourceTypesCache() {
+	c.resourceTypesCache = nil
+}
+
+// ClearMetadataKeysCache clears the metadata keys cache
+func (c *Client) ClearMetadataKeysCache() {
+	c.metadataKeysCache = nil
+	c.decryptedMetadataKeysCache = make(map[string]*crypto.Key)
+}
+
+// ClearSessionKeyCache clears the session key cache used for metadata decryption
+func (c *Client) ClearSessionKeyCache() {
+	c.sessionKeyCache = make(map[string]*crypto.SessionKey)
+}
+
+// GetResourceTypesCached returns cached resource types, fetching from API if cache is empty
+func (c *Client) GetResourceTypesCached(ctx context.Context) ([]ResourceType, error) {
+	if c.resourceTypesCache != nil {
+		return c.resourceTypesCache, nil
+	}
+
+	types, err := c.GetResourceTypes(ctx, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	c.resourceTypesCache = types
+	return types, nil
+}
+
+// GetResourceTypeCached returns a cached resource type by ID, fetching from API if not in cache
+func (c *Client) GetResourceTypeCached(ctx context.Context, typeID string) (*ResourceType, error) {
+	// First check the cache
+	if c.resourceTypesCache != nil {
+		for i := range c.resourceTypesCache {
+			if c.resourceTypesCache[i].ID == typeID {
+				return &c.resourceTypesCache[i], nil
+			}
+		}
+	}
+
+	// Populate cache and search again
+	types, err := c.GetResourceTypesCached(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := range types {
+		if types[i].ID == typeID {
+			return &types[i], nil
+		}
+	}
+
+	return nil, fmt.Errorf("resource type not found: %v", typeID)
+}
+
+// GetResourceTypeBySlugCached returns a cached resource type by slug
+func (c *Client) GetResourceTypeBySlugCached(ctx context.Context, slug string) (*ResourceType, error) {
+	types, err := c.GetResourceTypesCached(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := range types {
+		if types[i].Slug == slug {
+			return &types[i], nil
+		}
+	}
+
+	return nil, fmt.Errorf("resource type not found: %v", slug)
+}
+
+// GetMetadataKeysCached returns cached metadata keys, fetching from API if cache is empty
+func (c *Client) GetMetadataKeysCached(ctx context.Context) ([]MetadataKey, error) {
+	if c.metadataKeysCache != nil {
+		return c.metadataKeysCache, nil
+	}
+
+	keys, err := c.GetMetadataKeys(ctx, &GetMetadataKeysOptions{
+		ContainMetadataPrivateKeys: true,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	c.metadataKeysCache = keys
+	return keys, nil
+}
+
+// GetDecryptedMetadataKeyCached returns a cached decrypted metadata key by ID
+// If not in cache, it will fetch and decrypt the key
+func (c *Client) GetDecryptedMetadataKeyCached(ctx context.Context, id string) (*crypto.Key, error) {
+	// Check decrypted key cache first
+	if key, ok := c.decryptedMetadataKeysCache[id]; ok {
+		return key, nil
+	}
+
+	// Get metadata keys (from cache or API)
+	keys, err := c.GetMetadataKeysCached(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("Get Metadata Keys: %w", err)
+	}
+
+	// Find the key with matching ID
+	var metadataKey *MetadataKey
+	for i := range keys {
+		if keys[i].ID == id {
+			metadataKey = &keys[i]
+			break
+		}
+	}
+
+	if metadataKey == nil {
+		return nil, fmt.Errorf("Metadata key not found: %v", id)
+	}
+
+	if len(metadataKey.MetadataPrivateKeys) == 0 {
+		return nil, fmt.Errorf("No Metadata Private key for our user")
+	}
+
+	// Find our user's private key
+	var privMetadata *MetadataPrivateKey
+	for i := range metadataKey.MetadataPrivateKeys {
+		if metadataKey.MetadataPrivateKeys[i].UserID != nil && *metadataKey.MetadataPrivateKeys[i].UserID == c.userID {
+			privMetadata = &metadataKey.MetadataPrivateKeys[i]
+			break
+		}
+	}
+
+	if privMetadata == nil {
+		return nil, fmt.Errorf("No Metadata Private key for our user id: %v", c.userID)
+	}
+
+	decPrivMetadatakey, err := c.DecryptMessage(privMetadata.Data)
+	if err != nil {
+		return nil, fmt.Errorf("Decrypt Metadata Private Key Data: %w", err)
+	}
+
+	var data MetadataPrivateKeyData
+	err = json.Unmarshal([]byte(decPrivMetadatakey), &data)
+	if err != nil {
+		return nil, fmt.Errorf("Parse Metadata Private Key Data: %w", err)
+	}
+
+	metadataPrivateKeyObj, err := GetPrivateKeyFromArmor(data.ArmoredKey, []byte(data.Passphrase))
+	if err != nil {
+		return nil, fmt.Errorf("Get Metadata Private Key: %w", err)
+	}
+
+	// Cache the decrypted key
+	c.decryptedMetadataKeysCache[id] = metadataPrivateKeyObj
+
+	return metadataPrivateKeyObj, nil
+}
+
+// GetSessionKey retrieves a cached session key for a metadata key ID
+func (c *Client) GetSessionKey(metadataKeyID string) *crypto.SessionKey {
+	return c.sessionKeyCache[metadataKeyID]
+}
+
+// SetSessionKey stores a session key in the cache for a metadata key ID
+func (c *Client) SetSessionKey(metadataKeyID string, sessionKey *crypto.SessionKey) {
+	c.sessionKeyCache[metadataKeyID] = sessionKey
+}
diff --git a/api/metadata.go b/api/metadata.go
@@ -48,26 +48,38 @@ type ResourceMetadataTypeV5TOTPStandalone struct {
 	Description    string   `json:"description,omitempty"`
 }
 
+// DecryptMetadata decrypts metadata using the provided key.
+// For session key caching, use DecryptMetadataWithKeyID instead.
 func (c *Client) DecryptMetadata(metadataKey *crypto.Key, armoredCiphertext string) (string, error) {
-	// TODO Get SessionKey from Cache
-	var sessionKey *crypto.SessionKey = nil
+	return c.DecryptMetadataWithKeyID("", metadataKey, armoredCiphertext)
+}
 
-	if sessionKey != nil {
-		message, err := c.DecryptMessageWithSessionKey(sessionKey, armoredCiphertext)
-		// If Decrypt was successfull
-		if err == nil {
-			return message, nil
+// DecryptMetadataWithKeyID decrypts metadata using the provided key and caches the session key.
+// The metadataKeyID is used as the cache key for session key caching.
+// If metadataKeyID is empty, session key caching is disabled.
+func (c *Client) DecryptMetadataWithKeyID(metadataKeyID string, metadataKey *crypto.Key, armoredCiphertext string) (string, error) {
+	// Try to get session key from cache
+	if metadataKeyID != "" {
+		if sessionKey := c.GetSessionKey(metadataKeyID); sessionKey != nil {
+			message, err := c.DecryptMessageWithSessionKey(sessionKey, armoredCiphertext)
+			// If decrypt was successful, return immediately
+			if err == nil {
+				return message, nil
+			}
+			// If failed, fall through to full decryption
+			c.log("Session key cache miss for metadata key %v, falling back to full decryption", metadataKeyID)
 		}
-		// if this failed, fall through
 	}
 
 	metadata, newSessionKey, err := c.DecryptMessageWithPrivateKeyAndReturnSessionKey(metadataKey, armoredCiphertext)
 	if err != nil {
 		return "", fmt.Errorf("Decrypting Metadata: %w", err)
 	}
 
-	// TODO Save newSessionKey to cache
-	_ = newSessionKey
+	// Cache the session key for future use
+	if metadataKeyID != "" && newSessionKey != nil {
+		c.SetSessionKey(metadataKeyID, newSessionKey)
+	}
 
 	return metadata, nil
 }
@@ -78,7 +90,5 @@ func (c *Client) EncryptMetadata(metadataKey *crypto.Key, data string) (string,
 		return "", fmt.Errorf("Encrypting Metadata: %w", err)
 	}
 
-	// TODO save Session Key to cache
-
 	return armoredCiphertext, nil
 }
diff --git a/helper/metadata.go b/helper/metadata.go
@@ -12,21 +12,27 @@ import (
 
 func GetResourceMetadata(ctx context.Context, c *api.Client, resource *api.Resource, rType *api.ResourceType) (string, error) {
 	var metadatakey *crypto.Key
+	var metadataKeyID string
+
 	if resource.MetadataKeyType == api.MetadataKeyTypeUserKey {
 		tmp, err := c.GetUserPrivateKeyCopy()
 		if err != nil {
 			return "", fmt.Errorf("Get Private Key Copy: %w", err)
 		}
 		metadatakey = tmp
+		// For user keys, we don't use session key caching (metadataKeyID stays empty)
 	} else {
-		key, err := c.GetMetadataKeyById(ctx, resource.MetadataKeyID)
+		// Use cached decrypted metadata key
+		metadataKeyID = resource.MetadataKeyID
+		key, err := c.GetDecryptedMetadataKeyCached(ctx, metadataKeyID)
 		if err != nil {
 			return "", fmt.Errorf("Get Metadata Key by ID: %w", err)
 		}
 		metadatakey = key
 	}
 
-	decMetadata, err := c.DecryptMetadata(metadatakey, resource.Metadata)
+	// Use the version that caches session keys
+	decMetadata, err := c.DecryptMetadataWithKeyID(metadataKeyID, metadatakey, resource.Metadata)
 	if err != nil {
 		return "", fmt.Errorf("Decrypt Metadata: %w", err)
 	}
diff --git a/helper/resource_wrapper.go b/helper/resource_wrapper.go

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ func (c *Client) CheckSession(ctx context.Context) bool {`
`28`	`28`
`29`	`29`	`// Login gets a Session and CSRF Token from Passbolt and Stores them in the Clients Cookie Jar`
`30`	`30`	`func (c *Client) Login(ctx context.Context) error {`
	`31`	`+ // Clear any cached data from previous sessions`
	`32`	`+ c.ClearCache()`
`31`	`33`	`c.csrfToken = http.Cookie{}`
`32`	`34`
`33`	`35`	`data := Login{&GPGAuth{KeyID: c.userPrivateKey.GetFingerprint()}}`
`@@ -129,5 +131,6 @@ func (c *Client) Logout(ctx context.Context) error {`
`129`	`131`	`}`
`130`	`132`	`c.sessionToken = http.Cookie{}`
`131`	`133`	`c.csrfToken = http.Cookie{}`
	`134`	`+ c.ClearCache()`
`132`	`135`	`return nil`
`133`	`136`	`}`