@adobe/helix-config-storage 1.13.0 → 1.14.0

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [1.14.0](https://github.com/adobe/helix-config-storage/compare/v1.13.0...v1.14.0) (2024-12-19)
+
+
+### Features
+
+* secrets store ([1aaf99e](https://github.com/adobe/helix-config-storage/commit/1aaf99e8cd7e41b51ada2f46b4961d2fc2ee26af)), closes [#21](https://github.com/adobe/helix-config-storage/issues/21)
+
 # [1.13.0](https://github.com/adobe/helix-config-storage/compare/v1.12.0...v1.13.0) (2024-12-16)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-config-storage",
-  "version": "1.13.0",
+  "version": "1.14.0",
   "description": "Helix Config Storage",
   "main": "src/index.js",
   "types": "src/index.d.ts",

package/src/config-merge.js

@@ -34,6 +34,7 @@ const ROOT_PROPERTIES = {
   robots: {},
   extends: {},
   tokens: {},
+  secrets: {},
   public: {},
   groups: {},
 };

package/src/config-store.js

@@ -10,6 +10,7 @@
  * governing permissions and limitations under the License.
  */
 /* eslint-disable no-param-reassign */
+import crypto from 'crypto';
 import { isDeepStrictEqual } from 'util';
 import { HelixStorage } from '@adobe/helix-shared-storage';
 import { StatusCodeError } from './status-code-error.js';
@@ -18,7 +19,7 @@ import {
   migrateToken,
   updateCodeSource,
   updateContentSource,
-  deepGetOrCreate, deepPut,
+  deepGetOrCreate, deepPut, prune, createSecret, migrateSecret,
 } from './utils.js';
 import { validate as validateSchema } from './config-validator.js';
 import { getMergedConfig } from './config-merge.js';
@@ -36,6 +37,13 @@ const FRAGMENTS_COMMON = {
     preview: 'object',
     live: 'object',
   },
+  secrets: {
+    '.': 'secrets',
+    '.param': {
+      name: 'id',
+      '.': 'secret',
+    },
+  },
   access: {
     '.': 'object',
     site: 'object',
@@ -84,6 +92,13 @@ const FRAGMENTS = {
   },
   profiles: FRAGMENTS_COMMON,
   org: {
+    secrets: {
+      '.': 'secrets',
+      '.param': {
+        name: 'id',
+        '.': 'secret',
+      },
+    },
     tokens: {
       '.': 'tokens',
       '.param': {
@@ -112,16 +127,23 @@ const FRAGMENTS = {
   },
 };
 
-export function getFragmentInfo(type, relPath) {
+/**
+ * Returns the fragment info for a given type and relative path.
+ * @param {string} type
+ * @param {string|array} relPath
+ * @returns {{relPath}|null}
+ */
+export function getFragmentInfo(type, relPath = '') {
   if (!relPath) {
     return null;
   }
-  const parts = relPath.split('/');
+  relPath = relPath.split('/');
   let fragment = FRAGMENTS[type];
   const info = {
     relPath,
+    name: relPath[relPath.length - 1],
   };
-  for (const part of parts) {
+  for (const part of relPath) {
     let next = fragment[part];
     if (next === '*') {
       fragment = '*';
@@ -145,22 +167,25 @@ export function getFragmentInfo(type, relPath) {
 }
 
 /**
- * Redact / transform the token config
+ * Redact / transform the secret config
  * @param token
  */
-function redactToken(token) {
-  return {
+function redactSecret(token) {
+  return prune({
     id: token.id,
+    type: token.type,
     created: token.created,
-  };
+    lastModified: token.lastModified,
+    description: token.description,
+  });
 }
 
 /**
- * Redact / transform the tokens config
+ * Redact / transform the secrets config
  * @param tokens
  */
-function redactTokens(tokens) {
-  return Object.values(tokens).map(redactToken);
+function redactSecrets(tokens) {
+  return Object.values(tokens).map(redactSecret);
 }
 
 /**
@@ -173,19 +198,52 @@ function redact(config, frag) {
     return config;
   }
   let ret = config;
-  if (frag?.type === 'tokens') {
-    ret = redactTokens(config);
-  }
-  if (frag?.type === 'token') {
-    ret = redactToken(config);
-  }
-  if (ret.tokens) {
+  if (frag?.type === 'secrets' || frag?.type === 'tokens') {
+    ret = redactSecrets(config);
+  } else if (frag?.type === 'secret' || frag?.type === 'token') {
+    ret = redactSecret(config);
+  } else if (ret.secrets) {
+    // eslint-disable-next-line no-param-reassign
+    ret.secrets = redactSecrets(ret.secrets);
+  } else if (ret.tokens) {
     // eslint-disable-next-line no-param-reassign
-    ret.tokens = redactTokens(ret.tokens);
+    ret.tokens = redactSecrets(ret.tokens);
   }
   return ret;
 }
 
+/**
+ * Updates a secret based on its type. if type is 'key' the value is updated.
+ * @param {string} type
+ * @param {string} id
+ * @param {object} oldData
+ * @param {object} data
+ * @returns {object} the updated secret data
+ */
+function updateSecret(type, id, oldData, data) {
+  oldData.type = type;
+  oldData.id = id;
+  const now = new Date().toISOString();
+
+  // keep the description if missing in data
+  if ('description' in data) {
+    oldData.description = data.description;
+  }
+
+  // handle value specifically, as we don't allow deletion
+  if (type === 'key' && data.value) {
+    oldData.value = data.value;
+    oldData.lastModified = now;
+  }
+  if (!oldData.created) {
+    oldData.created = now;
+  }
+  if (!oldData.lastModified) {
+    oldData.lastModified = oldData.created;
+  }
+  return prune(oldData);
+}
+
 /**
  * General purpose config store.
  */
@@ -321,6 +379,9 @@ export class ConfigStore {
     if (data.tokens) {
       throw new StatusCodeError(400, 'creating config with tokens not supported yet.');
     }
+    if (data.secrets) {
+      throw new StatusCodeError(400, 'creating config with secrets not supported yet.');
+    }
     if (this.type === 'org' && data.users) {
       throw new StatusCodeError(400, 'creating org config with users is not supported yet.');
     }
@@ -367,12 +428,12 @@ export class ConfigStore {
     }
 
     let ret = null;
-    if (!config && frag?.type !== 'tokens') {
+    if (!config && frag?.type !== 'secrets' && frag?.type !== 'tokens') {
       throw new StatusCodeError(400, 'no config in body.');
     }
     if (frag) {
       if (!old) {
-        if (this.type === 'profiles' && frag.type === 'tokens') {
+        if (this.type === 'profiles' && (frag.type === 'tokens' || frag.type === 'secrets')) {
           old = {};
         } else {
           throw new StatusCodeError(404, 'config not found.');
@@ -396,11 +457,53 @@ export class ConfigStore {
         };
         // don't store token value in the config
         delete data.value;
-        relPath = ['tokens', token.id];
+        frag.name = token.id;
         frag.type = 'token';
+        frag.relPath.push(frag.name);
         ret = token;
         // don't expose hash in return value
         delete ret.hash;
+      }
+      if (frag.type === 'secrets') {
+        // create new secret with random id
+        frag.name = crypto.randomBytes(32).toString('base64url');
+        frag.type = 'secret';
+        frag.relPath.push(frag.name);
+      }
+      if (frag.type === 'secret') {
+        const oldData = deepGetOrCreate(old, frag.relPath);
+        if (oldData) {
+          if (oldData.type === 'hashed') {
+            data = updateSecret('hashed', frag.name, oldData, data);
+          } else {
+            data = updateSecret('key', frag.name, oldData, data);
+          }
+        } else {
+          if (data.value) {
+            data = updateSecret('key', frag.name, { id: frag.name }, data);
+          } else {
+            // TODO: remove support after all helix4 projects are migrated
+            let token;
+            if (data.jwt) {
+              token = await migrateSecret(this.org, data.jwt);
+              frag.name = token.id;
+              frag.relPath.splice(-1, 1, token.id);
+            } else {
+              // create new token
+              token = createSecret(this.org, 'hlx', data);
+              token.id = frag.name;
+            }
+            data = {
+              ...token,
+            };
+            // don't store token value in the config
+            delete data.value;
+            ret = token;
+            // don't expose hash in return value
+            delete ret.hash;
+          }
+          data = prune(data);
+        }
       } else if (frag.type === 'users') {
         // todo: define via "schema"
         if (!old.users) {
@@ -421,11 +524,12 @@ export class ConfigStore {
             ...data,
             ...user,
           };
-          relPath = ['users', user.id];
+          frag.name = user.id;
+          frag.relPath.push(user.id);
           frag.type = 'user';
         }
       } else if (frag.type === 'user') {
-        const user = deepGetOrCreate(old, relPath);
+        const user = deepGetOrCreate(old, frag.relPath);
         if (!user) {
           throw new StatusCodeError(404, 'object not found.');
         }
@@ -437,13 +541,14 @@ export class ConfigStore {
           data.id = user.id;
         }
       }
-      config = deepPut(old, relPath, data);
+      config = deepPut(old, frag.relPath, data);
     }
 
     if (this.type !== 'org') {
       updateContentSource(ctx, config.content);
       updateCodeSource(ctx, config.code);
     }
+
     let oldConfig = buf ? JSON.parse(buf) : null;
     config.created = oldConfig?.created;
     this.#updateTimeStamps(config);

package/src/config-validator.js

@@ -33,6 +33,7 @@ import headersSchema from './schemas/headers.schema.cjs';
 import markupSchema from './schemas/content-source-markup.schema.cjs';
 import metadataSchema from './schemas/metadata-source.schema.cjs';
 import orgAccessSchema from './schemas/org-access.schema.cjs';
+import secretsSchema from './schemas/secrets.schema.cjs';
 import orgSchema from './schemas/org.schema.cjs';
 import onedriveSchema from './schemas/content-source-onedrive.schema.cjs';
 import publicSchema from './schemas/public.schema.cjs';
@@ -47,13 +48,18 @@ import userSchema from './schemas/user.schema.cjs';
 import usersSchema from './schemas/users.schema.cjs';
 
 export const SCHEMAS = [
-  accessSchema,
   accessAdminSchema,
+  accessSchema,
   accessSiteSchema,
+  cdnProdAkamaiSchema,
+  cdnProdCloudflareSchema,
+  cdnProdCloudfrontSchema,
+  cdnProdFastlySchema,
+  cdnProdManagedSchema,
   cdnSchema,
+  codeSchema,
   commonSchema,
   contentSchema,
-  codeSchema,
   eventsSchema,
   foldersSchema,
   googleSchema,
@@ -61,24 +67,20 @@ export const SCHEMAS = [
   headersSchema,
   markupSchema,
   metadataSchema,
-  orgSchema,
-  orgAccessSchema,
   onedriveSchema,
-  publicSchema,
+  orgAccessSchema,
+  orgSchema,
   profileSchema,
   profilesSchema,
+  publicSchema,
   robotsSchema,
+  secretsSchema,
   sidekickSchema,
   siteSchema,
   sitesSchema,
   tokensSchema,
   userSchema,
   usersSchema,
-  cdnProdFastlySchema,
-  cdnProdCloudflareSchema,
-  cdnProdAkamaiSchema,
-  cdnProdManagedSchema,
-  cdnProdCloudfrontSchema,
 ];
 
 const SCHEMA_TYPES = {

package/src/schemas/access-site.schema.json

@@ -12,8 +12,16 @@
         "type": "string"
       }
     },
+    "secretId": {
+      "description": "IDs of the org secrets (tokens) that are allowed.",
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
     "apiKeyId": {
-      "description": "IDs of the api keys (tokens) that are allowed.",
+      "description": "IDs of the api keys (tokens) that are allowed. This is deprecated. use `secretId` instead.",
+      "deprecated": true,
       "type": "array",
       "items": {
         "type": "string"

package/src/schemas/org-access.schema.json

@@ -9,7 +9,7 @@
       "type": "object",
       "properties": {
         "apiKeyId": {
-          "description": "the id of the API key(s). this is used to validate the API KEYS and allows to invalidate them.",
+          "description": "the id of the API key(s) that are allowed to access this org (admin).",
           "type": "array",
           "items": {
             "type": "string"

package/src/schemas/org.schema.json

@@ -20,6 +20,9 @@
     "groups": {
       "$ref": "https://ns.adobe.com/helix/config/groups"
     },
+    "secrets": {
+      "$ref": "https://ns.adobe.com/helix/config/secrets"
+    },
     "tokens": {
       "$ref": "https://ns.adobe.com/helix/config/tokens"
     },

package/src/schemas/profile.schema.json

@@ -35,6 +35,9 @@
     "tokens": {
       "$ref": "https://ns.adobe.com/helix/config/tokens"
     },
+    "secrets": {
+      "$ref": "https://ns.adobe.com/helix/config/secrets"
+    },
     "groups": {
       "$ref": "https://ns.adobe.com/helix/config/groups"
     },

package/src/schemas/secrets.schema.cjs

@@ -0,0 +1,12 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+module.exports = require('./secrets.schema.json');

package/src/schemas/secrets.schema.json

@@ -0,0 +1,86 @@
+{
+  "$comment": "https://github.com/adobe/helix-config/blob/main/LICENSE.txt",
+  "$schema": "https://json-schema.org/draft/2019-09/schema",
+  "$id": "https://ns.adobe.com/helix/config/secrets",
+  "title": "Secrets",
+  "type": "object",
+  "description": "Defines organization level secrets.",
+  "patternProperties": {
+    "^[a-zA-Z0-9-_=]+$": {
+      "oneOf": [
+        {
+          "type": "object",
+          "properties": {
+            "hash": {
+              "type": "string",
+              "pattern": "^[a-zA-Z0-9-_=]+$"
+            },
+            "id": {
+              "type": "string",
+              "pattern": "^[a-zA-Z0-9-_=]+$"
+            },
+            "type": {
+              "type": "string",
+              "enum": ["hashed", "key"]
+            },
+            "created": {
+              "type": "string",
+              "format": "date-time"
+            },
+            "lastModified": {
+              "type": "string",
+              "format": "date-time"
+            },
+            "description": {
+              "type": "string"
+            }
+          },
+          "required": [
+            "hash",
+            "id",
+            "type",
+            "created",
+            "lastModified"
+          ],
+          "additionalProperties": false
+        },
+        {
+          "type": "object",
+          "properties": {
+            "value": {
+              "type": "string"
+            },
+            "id": {
+              "type": "string",
+              "pattern": "^[a-zA-Z0-9-_=]+$"
+            },
+            "type": {
+              "type": "string",
+              "enum": ["hashed", "key"]
+            },
+            "created": {
+              "type": "string",
+              "format": "date-time"
+            },
+            "lastModified": {
+              "type": "string",
+              "format": "date-time"
+            },
+            "description": {
+              "type": "string"
+            }
+          },
+          "required": [
+            "value",
+            "id",
+            "type",
+            "created",
+            "lastModified"
+          ],
+          "additionalProperties": false
+        }
+      ]
+    }
+  },
+  "additionalProperties": false
+}

package/src/schemas/site.schema.json

@@ -41,6 +41,9 @@
     "tokens": {
       "$ref": "https://ns.adobe.com/helix/config/tokens"
     },
+    "secrets": {
+      "$ref": "https://ns.adobe.com/helix/config/secrets"
+    },
     "groups": {
       "$ref": "https://ns.adobe.com/helix/config/groups"
     },

package/src/schemas/tokens.schema.json

@@ -4,6 +4,8 @@
   "$id": "https://ns.adobe.com/helix/config/tokens",
   "title": "tokens",
   "type": "object",
+  "deprecated": true,
+  "description": "site tokens. deprecated: use the org secrets instead.",
   "patternProperties": {
     "^[a-zA-Z0-9-_=]+$": {
       "type": "object",

package/src/utils.js

@@ -111,6 +111,30 @@ export function updateCodeSource(ctx, code) {
   return modified;
 }
 
+/**
+ * prunes a structure recursively by removing all empty values.
+ * @param obj
+ * @param path
+ * @returns {*}
+ */
+export function prune(obj, path = '') {
+  for (const key of Object.keys(obj)) {
+    const itemPath = `${path}.${key}`;
+    const prop = obj[key];
+    if ((prop === undefined || prop === '')) {
+      delete obj[key];
+    } else if (Array.isArray(prop)) {
+      // ignore
+    } else if (typeof prop === 'object') {
+      prune(prop, itemPath);
+      if (Object.keys(prop).length === 0) {
+        delete obj[key];
+      }
+    }
+  }
+  return obj;
+}
+
 /**
  * Creates a random token and hashes it with the given key
  * @param {string} key
@@ -135,6 +159,33 @@ export function createToken(key, pfx = 'hlx') {
   };
 }
 
+/**
+ * Creates a random token and hashes it with the given key
+ * @param {string} key
+ * @param {string} [pfx='hlx'] the prefix of the token
+ * @param {object} [data] additional token data.
+ * @returns {object} the token
+ */
+export function createSecret(key, pfx = 'hlx', data = {}) {
+  const secret = crypto.randomBytes(32).toString('base64url');
+  const value = `${pfx}_${secret}`;
+  const hash = crypto
+    .createHmac('sha512', key)
+    .update(value, 'utf-8')
+    .digest()
+    .toString('base64url');
+  const created = new Date().toISOString();
+  return prune({
+    type: 'hashed',
+    value,
+    hash,
+    created,
+    lastModified: created,
+    title: data.title,
+    description: data.description,
+  });
+}
+
 export function createUser() {
   const id = crypto.randomBytes(16).toString('base64url');
   return {
@@ -176,6 +227,19 @@ export async function migrateToken(key, jwt) {
   };
 }
 
+/**
+ * migrates an existing jwt token
+ * @param key
+ * @param jwt
+ * @returns {Promise<object>}
+ */
+export async function migrateSecret(key, jwt) {
+  const token = await migrateToken(key, jwt);
+  token.type = 'hashed';
+  token.lastModified = new Date().toISOString();
+  return token;
+}
+
 /**
  * Returns the property addressed by the given path in the object.
  * If {@code create} is {@code true}, intermediate objects will be created if they do not exist.

package/validate-json-schemas.sh

@@ -22,6 +22,7 @@ npx ajv-cli --spec=draft2019 -c ajv-formats compile \
 -s src/schemas/metadata-source.schema.json \
 -s src/schemas/user.schema.json \
 -s src/schemas/users.schema.json \
+-s src/schemas/secrets.schema.json \
 -s src/schemas/tokens.schema.json \
 -s src/schemas/org-access.schema.json \
 -s src/schemas/org.schema.json \