@aifabrix/builder 2.1.7 → 2.3.0

package/lib/utils/secrets-encryption.js

@@ -0,0 +1,203 @@
+/**
+ * AI Fabrix Builder Secrets Encryption Utilities
+ *
+ * This module provides encryption and decryption functions for secrets
+ * using AES-256-GCM algorithm for ISO 27001 compliance.
+ *
+ * @fileoverview Secrets encryption utilities for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const crypto = require('crypto');
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12; // 96 bits for GCM
+const AUTH_TAG_LENGTH = 16; // 128 bits
+const KEY_LENGTH = 32; // 256 bits for AES-256
+
+/**
+ * Validates encryption key format
+ * Key must be 32 bytes (256 bits) for AES-256
+ * Accepts hex string (64 chars) or base64 string (44 chars)
+ *
+ * @function validateEncryptionKey
+ * @param {string} key - Encryption key to validate
+ * @returns {boolean} True if key is valid
+ * @throws {Error} If key format is invalid
+ */
+function validateEncryptionKey(key) {
+  if (!key || typeof key !== 'string') {
+    throw new Error('Encryption key is required and must be a string');
+  }
+
+  // Try to parse as hex (64 characters = 32 bytes)
+  if (key.length === 64 && /^[0-9a-fA-F]+$/.test(key)) {
+    return true;
+  }
+
+  // Try to parse as base64 (44 characters = 32 bytes)
+  if (key.length === 44) {
+    try {
+      const buffer = Buffer.from(key, 'base64');
+      if (buffer.length === KEY_LENGTH) {
+        return true;
+      }
+    } catch (error) {
+      // Not valid base64
+    }
+  }
+
+  throw new Error(`Encryption key must be 32 bytes (64 hex characters or 44 base64 characters). Got ${key.length} characters`);
+}
+
+/**
+ * Normalizes encryption key to Buffer
+ * Converts hex or base64 string to 32-byte buffer
+ *
+ * @function normalizeKey
+ * @param {string} key - Encryption key (hex or base64)
+ * @returns {Buffer} 32-byte key buffer
+ */
+function normalizeKey(key) {
+  validateEncryptionKey(key);
+
+  // Try hex first (64 characters)
+  if (key.length === 64 && /^[0-9a-fA-F]+$/.test(key)) {
+    return Buffer.from(key, 'hex');
+  }
+
+  // Try base64 (44 characters)
+  if (key.length === 44) {
+    const buffer = Buffer.from(key, 'base64');
+    if (buffer.length === KEY_LENGTH) {
+      return buffer;
+    }
+  }
+
+  throw new Error('Invalid encryption key format');
+}
+
+/**
+ * Encrypts a secret value using AES-256-GCM
+ * Returns encrypted value in format: secure://<iv>:<ciphertext>:<authTag>
+ * All components are base64 encoded
+ *
+ * @function encryptSecret
+ * @param {string} value - Plaintext secret value to encrypt
+ * @param {string} key - Encryption key (hex or base64, 32 bytes)
+ * @returns {string} Encrypted value with secure:// prefix
+ * @throws {Error} If encryption fails or key is invalid
+ *
+ * @example
+ * const encrypted = encryptSecret('my-secret', 'a1b2c3...');
+ * // Returns: 'secure://<iv>:<ciphertext>:<authTag>'
+ */
+function encryptSecret(value, key) {
+  if (typeof value !== 'string') {
+    throw new Error('Value is required and must be a string');
+  }
+
+  const keyBuffer = normalizeKey(key);
+
+  // Generate random IV
+  const iv = crypto.randomBytes(IV_LENGTH);
+
+  // Create cipher
+  const cipher = crypto.createCipheriv(ALGORITHM, keyBuffer, iv);
+
+  // Encrypt
+  let ciphertext = cipher.update(value, 'utf8', 'base64');
+  ciphertext += cipher.final('base64');
+
+  // Get authentication tag
+  const authTag = cipher.getAuthTag();
+
+  // Format: secure://<iv>:<ciphertext>:<authTag>
+  return `secure://${iv.toString('base64')}:${ciphertext}:${authTag.toString('base64')}`;
+}
+
+/**
+ * Decrypts an encrypted secret value
+ * Handles secure:// prefixed values and extracts IV, ciphertext, and auth tag
+ *
+ * @function decryptSecret
+ * @param {string} encryptedValue - Encrypted value with secure:// prefix
+ * @param {string} key - Encryption key (hex or base64, 32 bytes)
+ * @returns {string} Decrypted plaintext value
+ * @throws {Error} If decryption fails, key is invalid, or format is incorrect
+ *
+ * @example
+ * const decrypted = decryptSecret('secure://<iv>:<ciphertext>:<authTag>', 'a1b2c3...');
+ * // Returns: 'my-secret'
+ */
+function decryptSecret(encryptedValue, key) {
+  if (!encryptedValue || typeof encryptedValue !== 'string') {
+    throw new Error('Encrypted value is required and must be a string');
+  }
+
+  if (!encryptedValue.startsWith('secure://')) {
+    throw new Error('Encrypted value must start with secure:// prefix');
+  }
+
+  const keyBuffer = normalizeKey(key);
+
+  // Remove secure:// prefix
+  const parts = encryptedValue.substring(9).split(':');
+  if (parts.length !== 3) {
+    throw new Error('Invalid encrypted value format. Expected: secure://<iv>:<ciphertext>:<authTag>');
+  }
+
+  const [ivBase64, ciphertext, authTagBase64] = parts;
+
+  try {
+    // Decode IV and auth tag
+    const iv = Buffer.from(ivBase64, 'base64');
+    const authTag = Buffer.from(authTagBase64, 'base64');
+
+    // Validate lengths
+    if (iv.length !== IV_LENGTH) {
+      throw new Error(`Invalid IV length: expected ${IV_LENGTH} bytes, got ${iv.length}`);
+    }
+
+    if (authTag.length !== AUTH_TAG_LENGTH) {
+      throw new Error(`Invalid auth tag length: expected ${AUTH_TAG_LENGTH} bytes, got ${authTag.length}`);
+    }
+
+    // Create decipher
+    const decipher = crypto.createDecipheriv(ALGORITHM, keyBuffer, iv);
+    decipher.setAuthTag(authTag);
+
+    // Decrypt
+    let plaintext = decipher.update(ciphertext, 'base64', 'utf8');
+    plaintext += decipher.final('utf8');
+
+    return plaintext;
+  } catch (error) {
+    // Don't expose sensitive details in error messages
+    if (error.message.includes('Unsupported state') || error.message.includes('bad decrypt')) {
+      throw new Error('Decryption failed: invalid key or corrupted data');
+    }
+    throw error;
+  }
+}
+
+/**
+ * Checks if a value is encrypted (starts with secure://)
+ *
+ * @function isEncrypted
+ * @param {string} value - Value to check
+ * @returns {boolean} True if value is encrypted
+ */
+function isEncrypted(value) {
+  return typeof value === 'string' && value.startsWith('secure://');
+}
+
+module.exports = {
+  encryptSecret,
+  decryptSecret,
+  isEncrypted,
+  validateEncryptionKey,
+  normalizeKey
+};
+

package/lib/utils/secrets-path.js

@@ -13,6 +13,7 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 const yaml = require('js-yaml');
+const config = require('../config');
 
 /**
  * Resolves secrets file path (backward compatibility)
@@ -56,14 +57,17 @@ function resolveSecretsPath(secretsPath) {
 /**
  * Determines the actual secrets file paths that loadSecrets would use
  * Mirrors the cascading lookup logic from loadSecrets
+ * Checks config.yaml for general secrets-path as fallback
+ *
+ * @async
  * @function getActualSecretsPath
  * @param {string} [secretsPath] - Path to secrets file (optional)
  * @param {string} [appName] - Application name (optional, for variables.yaml lookup)
- * @returns {Object} Object with userPath and buildPath (if configured)
+ * @returns {Promise<Object>} Object with userPath and buildPath (if configured)
  * @returns {string} returns.userPath - User's secrets file path (~/.aifabrix/secrets.local.yaml)
- * @returns {string|null} returns.buildPath - App's build.secrets file path (if configured in variables.yaml)
+ * @returns {string|null} returns.buildPath - App's build.secrets file path (if configured in variables.yaml or config.yaml)
  */
-function getActualSecretsPath(secretsPath, appName) {
+async function getActualSecretsPath(secretsPath, appName) {
   // If explicit path provided, use it (backward compatibility)
   if (secretsPath) {
     const resolvedPath = resolveSecretsPath(secretsPath);
@@ -97,6 +101,21 @@ function getActualSecretsPath(secretsPath, appName) {
     }
   }
 
+  // If no build.secrets found in variables.yaml, check config.yaml for general secrets-path
+  if (!buildSecretsPath) {
+    try {
+      const generalSecretsPath = await config.getSecretsPath();
+      if (generalSecretsPath) {
+        // Resolve relative paths from current working directory
+        buildSecretsPath = path.isAbsolute(generalSecretsPath)
+          ? generalSecretsPath
+          : path.resolve(process.cwd(), generalSecretsPath);
+      }
+    } catch (error) {
+      // Ignore errors, continue
+    }
+  }
+
   // Return both paths (even if files don't exist) for error messages
   return {
     userPath: userSecretsPath,

package/lib/utils/token-manager.js

@@ -0,0 +1,381 @@
+/**
+ * AI Fabrix Builder Token Management Utilities
+ *
+ * Centralized token management for device and client credentials tokens
+ * Handles token retrieval, expiration checking, and refresh logic
+ *
+ * @fileoverview Token management utilities for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const yaml = require('js-yaml');
+const config = require('../config');
+const { makeApiCall, refreshDeviceToken: apiRefreshDeviceToken } = require('./api');
+const logger = require('./logger');
+
+const SECRETS_FILE = path.join(os.homedir(), '.aifabrix', 'secrets.local.yaml');
+
+/**
+ * Load client credentials from secrets.local.yaml
+ * Reads using pattern: <app-name>-client-idKeyVault and <app-name>-client-secretKeyVault
+ * @param {string} appName - Application name
+ * @returns {Promise<{clientId: string, clientSecret: string}|null>} Credentials or null if not found
+ */
+async function loadClientCredentials(appName) {
+  if (!appName || typeof appName !== 'string') {
+    throw new Error('App name is required and must be a string');
+  }
+
+  try {
+    if (!fs.existsSync(SECRETS_FILE)) {
+      return null;
+    }
+
+    const content = fs.readFileSync(SECRETS_FILE, 'utf8');
+    const secrets = yaml.load(content) || {};
+
+    const clientIdKey = `${appName}-client-idKeyVault`;
+    const clientSecretKey = `${appName}-client-secretKeyVault`;
+
+    const clientId = secrets[clientIdKey];
+    const clientSecret = secrets[clientSecretKey];
+
+    if (!clientId || !clientSecret) {
+      return null;
+    }
+
+    return {
+      clientId: clientId,
+      clientSecret: clientSecret
+    };
+  } catch (error) {
+    logger.warn(`Failed to load credentials from secrets.local.yaml: ${error.message}`);
+    return null;
+  }
+}
+
+/**
+ * Get device token for controller
+ * @param {string} controllerUrl - Controller URL
+ * @returns {Promise<{controller: string, token: string, refreshToken: string, expiresAt: string}|null>} Device token info or null
+ */
+async function getDeviceToken(controllerUrl) {
+  return await config.getDeviceToken(controllerUrl);
+}
+
+/**
+ * Get client token for environment and app
+ * @param {string} environment - Environment key
+ * @param {string} appName - Application name
+ * @returns {Promise<{controller: string, token: string, expiresAt: string}|null>} Client token info or null
+ */
+async function getClientToken(environment, appName) {
+  return await config.getClientToken(environment, appName);
+}
+
+/**
+ * Check if token is expired
+ * @param {string} expiresAt - ISO timestamp string
+ * @returns {boolean} True if token is expired
+ */
+function isTokenExpired(expiresAt) {
+  return config.isTokenExpired(expiresAt);
+}
+
+/**
+ * Refresh client token using credentials from secrets.local.yaml
+ * Gets new token from API and saves it to config.yaml
+ * @param {string} environment - Environment key
+ * @param {string} appName - Application name
+ * @param {string} controllerUrl - Controller URL
+ * @param {string} [clientId] - Optional client ID (if not provided, loads from secrets.local.yaml)
+ * @param {string} [clientSecret] - Optional client secret (if not provided, loads from secrets.local.yaml)
+ * @returns {Promise<{token: string, expiresAt: string}>} New token and expiration
+ * @throws {Error} If credentials are missing or token refresh fails
+ */
+async function refreshClientToken(environment, appName, controllerUrl, clientId, clientSecret) {
+  if (!environment || typeof environment !== 'string') {
+    throw new Error('Environment is required and must be a string');
+  }
+  if (!appName || typeof appName !== 'string') {
+    throw new Error('App name is required and must be a string');
+  }
+  if (!controllerUrl || typeof controllerUrl !== 'string') {
+    throw new Error('Controller URL is required and must be a string');
+  }
+
+  // Load credentials if not provided
+  let credentials = null;
+  if (clientId && clientSecret) {
+    credentials = { clientId, clientSecret };
+  } else {
+    credentials = await loadClientCredentials(appName);
+    if (!credentials) {
+      throw new Error(`Client credentials not found for app '${appName}'. Add them to ~/.aifabrix/secrets.local.yaml as '${appName}-client-idKeyVault' and '${appName}-client-secretKeyVault'`);
+    }
+  }
+
+  // Call login API to get new token
+  const response = await makeApiCall(`${controllerUrl}/api/v1/auth/token`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'x-client-id': credentials.clientId,
+      'x-client-secret': credentials.clientSecret
+    }
+  });
+
+  if (!response.success) {
+    throw new Error(`Failed to refresh token: ${response.error || 'Unknown error'}`);
+  }
+
+  const responseData = response.data;
+  if (!responseData || !responseData.token) {
+    throw new Error('Invalid response: missing token');
+  }
+
+  const token = responseData.token;
+  // Calculate expiration (default to 24 hours if not provided)
+  const expiresIn = responseData.expiresIn || 86400;
+  const expiresAt = responseData.expiresAt || new Date(Date.now() + expiresIn * 1000).toISOString();
+
+  // Save token to config.yaml (NEVER save credentials)
+  await config.saveClientToken(environment, appName, controllerUrl, token, expiresAt);
+
+  return { token, expiresAt };
+}
+
+/**
+ * Get or refresh client token for environment and app
+ * Checks if token exists and is valid, refreshes if expired
+ * @param {string} environment - Environment key
+ * @param {string} appName - Application name
+ * @param {string} controllerUrl - Controller URL
+ * @returns {Promise<{token: string, controller: string}>} Token and controller URL
+ * @throws {Error} If token cannot be retrieved or refreshed
+ */
+async function getOrRefreshClientToken(environment, appName, controllerUrl) {
+  // Try to get existing token
+  const tokenInfo = await getClientToken(environment, appName);
+
+  if (tokenInfo && tokenInfo.controller === controllerUrl && !isTokenExpired(tokenInfo.expiresAt)) {
+    // Token exists, is for correct controller, and is not expired
+    return {
+      token: tokenInfo.token,
+      controller: tokenInfo.controller
+    };
+  }
+
+  // Token missing or expired, refresh it
+  const refreshed = await refreshClientToken(environment, appName, controllerUrl);
+  return {
+    token: refreshed.token,
+    controller: controllerUrl
+  };
+}
+
+/**
+ * Refresh device token using refresh token
+ * Calls API refresh endpoint and saves new token to config
+ * @param {string} controllerUrl - Controller URL
+ * @param {string} refreshToken - Refresh token
+ * @returns {Promise<{token: string, refreshToken: string, expiresAt: string}>} New token info
+ * @throws {Error} If refresh fails
+ */
+async function refreshDeviceToken(controllerUrl, refreshToken) {
+  if (!controllerUrl || typeof controllerUrl !== 'string') {
+    throw new Error('Controller URL is required');
+  }
+  if (!refreshToken || typeof refreshToken !== 'string') {
+    throw new Error('Refresh token is required');
+  }
+
+  // Call API refresh endpoint
+  const tokenResponse = await apiRefreshDeviceToken(controllerUrl, refreshToken);
+
+  const token = tokenResponse.access_token;
+  const newRefreshToken = tokenResponse.refresh_token || refreshToken; // Use new refresh token if provided, otherwise keep old one
+  const expiresIn = tokenResponse.expires_in || 3600;
+  const expiresAt = new Date(Date.now() + expiresIn * 1000).toISOString();
+
+  // Save new token and refresh token to config
+  await config.saveDeviceToken(controllerUrl, token, newRefreshToken, expiresAt);
+
+  return {
+    token,
+    refreshToken: newRefreshToken,
+    expiresAt
+  };
+}
+
+/**
+ * Get or refresh device token for controller
+ * Checks if token exists and is valid, refreshes if expired using refresh token
+ * @param {string} controllerUrl - Controller URL
+ * @returns {Promise<{token: string, controller: string}|null>} Token and controller URL, or null if not available
+ */
+async function getOrRefreshDeviceToken(controllerUrl) {
+  // Try to get existing token
+  const tokenInfo = await getDeviceToken(controllerUrl);
+
+  if (!tokenInfo) {
+    return null;
+  }
+
+  // Check if token is expired
+  if (!isTokenExpired(tokenInfo.expiresAt)) {
+    // Token is valid
+    return {
+      token: tokenInfo.token,
+      controller: tokenInfo.controller
+    };
+  }
+
+  // Token is expired, try to refresh if refresh token exists
+  if (!tokenInfo.refreshToken) {
+    // No refresh token available
+    return null;
+  }
+
+  try {
+    const refreshed = await refreshDeviceToken(controllerUrl, tokenInfo.refreshToken);
+    return {
+      token: refreshed.token,
+      controller: controllerUrl
+    };
+  } catch (error) {
+    // Refresh failed, return null
+    logger.warn(`Failed to refresh device token: ${error.message}`);
+    return null;
+  }
+}
+
+/**
+ * Get deployment authentication configuration with priority:
+ * 1. Device token (Bearer) - for user-level audit tracking (preferred)
+ * 2. Client token (Bearer) - for application-level authentication
+ * 3. Client credentials (x-client-id/x-client-secret) - direct credential authentication
+ *
+ * @param {string} controllerUrl - Controller URL
+ * @param {string} environment - Environment key
+ * @param {string} appName - Application name
+ * @returns {Promise<{type: 'bearer'|'credentials', token?: string, clientId?: string, clientSecret?: string, controller: string}>} Auth configuration
+ * @throws {Error} If no authentication method is available
+ */
+async function getDeploymentAuth(controllerUrl, environment, appName) {
+  if (!controllerUrl || typeof controllerUrl !== 'string') {
+    throw new Error('Controller URL is required');
+  }
+  if (!environment || typeof environment !== 'string') {
+    throw new Error('Environment is required');
+  }
+  if (!appName || typeof appName !== 'string') {
+    throw new Error('App name is required');
+  }
+
+  // Priority 1: Try device token (for user-level audit)
+  const deviceToken = await getOrRefreshDeviceToken(controllerUrl);
+  if (deviceToken && deviceToken.token) {
+    return {
+      type: 'bearer',
+      token: deviceToken.token,
+      controller: deviceToken.controller
+    };
+  }
+
+  // Priority 2: Try client token (application-level)
+  try {
+    const clientToken = await getOrRefreshClientToken(environment, appName, controllerUrl);
+    if (clientToken && clientToken.token) {
+      return {
+        type: 'bearer',
+        token: clientToken.token,
+        controller: clientToken.controller
+      };
+    }
+  } catch (error) {
+    // Client token unavailable, continue to credentials
+    logger.warn(`Client token unavailable: ${error.message}`);
+  }
+
+  // Priority 3: Use client credentials directly
+  const credentials = await loadClientCredentials(appName);
+  if (credentials && credentials.clientId && credentials.clientSecret) {
+    return {
+      type: 'credentials',
+      clientId: credentials.clientId,
+      clientSecret: credentials.clientSecret,
+      controller: controllerUrl
+    };
+  }
+
+  throw new Error(`No authentication method available. Run 'aifabrix login' for device token, or add credentials to ~/.aifabrix/secrets.local.yaml as '${appName}-client-idKeyVault' and '${appName}-client-secretKeyVault'`);
+}
+
+/**
+ * Extracts client credentials from authConfig, loading from secrets if needed
+ * Used for validation and deployment endpoints that require clientId/clientSecret
+ * @async
+ * @param {Object} authConfig - Authentication configuration
+ * @param {string} appKey - Application key for loading credentials
+ * @param {string} envKey - Environment key
+ * @param {Object} options - Options with controllerId
+ * @returns {Promise<{clientId: string, clientSecret: string}>} Client credentials
+ * @throws {Error} If credentials cannot be obtained
+ */
+async function extractClientCredentials(authConfig, appKey, envKey, _options = {}) {
+  if (authConfig.type === 'credentials') {
+    if (!authConfig.clientId || !authConfig.clientSecret) {
+      throw new Error('Client ID and Client Secret are required');
+    }
+    return {
+      clientId: authConfig.clientId,
+      clientSecret: authConfig.clientSecret
+    };
+  }
+
+  if (authConfig.type === 'bearer') {
+    if (authConfig.clientId && authConfig.clientSecret) {
+      return {
+        clientId: authConfig.clientId,
+        clientSecret: authConfig.clientSecret
+      };
+    }
+
+    // Try to load from secrets.local.yaml
+    const credentials = await loadClientCredentials(appKey);
+    if (credentials && credentials.clientId && credentials.clientSecret) {
+      // Store in authConfig so they're available for deployment step
+      authConfig.clientId = credentials.clientId;
+      authConfig.clientSecret = credentials.clientSecret;
+      return {
+        clientId: credentials.clientId,
+        clientSecret: credentials.clientSecret
+      };
+    }
+
+    // Construct clientId from controller, environment, and application key
+    // (not used, but shown in error message for reference)
+    throw new Error(`Client ID and Client Secret are required. Add credentials to ~/.aifabrix/secrets.local.yaml as '${appKey}-client-idKeyVault' and '${appKey}-client-secretKeyVault', or use credentials authentication.`);
+  }
+
+  throw new Error('Invalid authentication type');
+}
+
+module.exports = {
+  getDeviceToken,
+  getClientToken,
+  isTokenExpired,
+  refreshClientToken,
+  refreshDeviceToken,
+  loadClientCredentials,
+  getOrRefreshClientToken,
+  getOrRefreshDeviceToken,
+  getDeploymentAuth,
+  extractClientCredentials
+};
+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.1.7",
+  "version": "2.3.0",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {
@@ -32,7 +32,7 @@
     "container"
   ],
   "author": "eSystems Nordic Ltd",
-  "license": "UNLICENSED",
+  "license": "MIT",
   "engines": {
     "node": ">=18.0.0"
   },