@blamejs/core 0.14.27 → 0.15.0

package/lib/audit-sign.js

@@ -63,6 +63,7 @@ var nodePath = require("node:path");
 var nodeCrypto = require("node:crypto");
 var atomicFile = require("./atomic-file");
 var { sha3Hash } = require("./crypto");
+var frameworkFiles = require("./framework-files");
 var { defineClass } = require("./framework-error");
 var { boot } = require("./log");
 var safeBuffer = require("./safe-buffer");
@@ -118,11 +119,73 @@ var log = boot("audit-sign");
 function resolvePaths(dataDir) {
   return {
     dataDir:    dataDir,
-    plaintext:  nodePath.join(dataDir, "audit-sign.key"),
-    sealed:     nodePath.join(dataDir, "audit-sign.key.sealed"),
+    plaintext:  nodePath.join(dataDir, frameworkFiles.fileName("auditSignKey")),
+    sealed:     nodePath.join(dataDir, frameworkFiles.fileName("auditSignKey") + ".sealed"),
+    // Unsealed registry of rotated-out PUBLIC keys (public keys are not
+    // secret). It lets verify-time code (b.audit.verifyCheckpoints) resolve
+    // the public key for a checkpoint signed under a now-rotated key WITHOUT
+    // the old passphrase, so a rotation does not strand historical checkpoints.
+    publicHistory: nodePath.join(dataDir, "audit-sign.pubkeys.json"),
   };
 }
 
+// Append a rotated-out public key to the unsealed public-key history. Public
+// keys carry no secret, so storing them in the clear is safe and is what
+// makes passphrase-free historical verification possible. De-duplicated by
+// fingerprint; best-effort (a write failure must not abort the rotation, the
+// sealed private-key history is the durable archive of record).
+function _appendPublicHistory(entry) {
+  if (!paths || !paths.publicHistory) return;
+  var list = [];
+  try {
+    if (nodeFs.existsSync(paths.publicHistory)) {
+      var parsed = safeJson.parse(atomicFile.readSync(paths.publicHistory));
+      if (Array.isArray(parsed)) list = parsed;
+    }
+  } catch (_e) { list = []; }   // corrupt registry — rebuild from this entry
+  for (var i = 0; i < list.length; i += 1) {
+    if (list[i] && list[i].fingerprint === entry.fingerprint) return;   // already recorded
+  }
+  list.push(entry);
+  try {
+    atomicFile.writeSync(paths.publicHistory, JSON.stringify(list, null, 2), { fileMode: 0o600 });
+  } catch (_e) { /* best-effort */ }
+}
+
+/**
+ * @primitive b.auditSign.getPublicKeyByFingerprint
+ * @signature b.auditSign.getPublicKeyByFingerprint(fingerprint)
+ * @since     0.14.29
+ * @status    stable
+ * @related   b.auditSign.getPublicKey, b.auditSign.verify, b.auditSign.rotateSigningKey
+ *
+ * Resolve the audit-signing public key (SPKI PEM) for a fingerprint: the
+ * live key, or a rotated-out key recorded in the unsealed public-key history
+ * that `rotateSigningKey` maintains. Returns `null` when no key matches. Only
+ * public material is consulted, so no passphrase is needed - this is what
+ * lets `b.audit.verifyCheckpoints` verify a checkpoint signed under a
+ * now-rotated key without stranding history.
+ *
+ * @example
+ *   var pem = b.auditSign.getPublicKeyByFingerprint(checkpoint.publicKeyFingerprint);
+ *   // -> "-----BEGIN PUBLIC KEY-----\n..." (or null if the key is unknown)
+ */
+function getPublicKeyByFingerprint(fp) {
+  _requireInit();
+  if (fp === keys.fingerprint) return keys.publicKey;
+  if (!paths || !paths.publicHistory || !nodeFs.existsSync(paths.publicHistory)) return null;
+  var list;
+  try { list = safeJson.parse(atomicFile.readSync(paths.publicHistory)); }
+  catch (_e) { return null; }
+  if (!Array.isArray(list)) return null;
+  for (var i = 0; i < list.length; i += 1) {
+    if (list[i] && list[i].fingerprint === fp && typeof list[i].publicKey === "string") {
+      return list[i].publicKey;
+    }
+  }
+  return null;
+}
+
 function _computeFingerprint(publicKeyPem) {
   return sha3Hash(publicKeyPem);
 }
@@ -677,6 +740,17 @@ async function rotateSigningKey(rotOpts) {
     catch (_e) { /* history copy is best-effort */ }
   }
 
+  // Record the rotated-out PUBLIC key (unsealed) so b.audit.verifyCheckpoints
+  // can verify a checkpoint signed under it after rotation without the old
+  // passphrase. Without this the public key only lives inside the sealed
+  // history archive and verification of pre-rotation checkpoints is stranded.
+  _appendPublicHistory({
+    fingerprint: prevFingerprint,
+    publicKey:   prevPublicKey,
+    algorithm:   prevAlgorithm,
+    rotatedAt:   new Date().toISOString(),
+  });
+
   // Persist the new keypair through the same path as boot — sealed
   // mode re-wraps with the operator's passphrase; plaintext mode
   // writes JSON. We don't accept a passphrase override here; the
@@ -740,6 +814,7 @@ module.exports = {
   reSignAll:                reSignAll,
   getPublicKey:             getPublicKey,
   getPublicKeyFingerprint:  getPublicKeyFingerprint,
+  getPublicKeyByFingerprint: getPublicKeyByFingerprint,
   getMode:                  getMode,
   getAlgorithm:             getAlgorithm,
   DEFAULT_SIGNING_ALG:      DEFAULT_SIGNING_ALG,

package/lib/audit-tools.js

@@ -63,9 +63,11 @@ var canonicalJson = require("./canonical-json");
 var auditSign = require("./audit-sign");
 var backupCrypto = require("./backup/crypto");
 var clusterStorage = require("./cluster-storage");
+var frameworkFiles = require("./framework-files");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var safeJson = require("./safe-json");
+var sql = require("./sql");
 var { defineClass } = require("./framework-error");
 
 var FRAMEWORK_VERSION = (pkg && pkg.version) || "unknown";
@@ -79,6 +81,17 @@ var audit = lazyRequire(function () { return require("./audit"); });
 
 var AuditToolsError = defineClass("AuditToolsError", { alwaysPermanent: true });
 
+// b.sql opts for every framework-table statement: thread the ACTIVE backend
+// dialect (clusterStorage.dialect() — "sqlite" single-node, "postgres" |
+// "mysql" in cluster mode) so the emitted identifier quoting + dialect
+// idioms (ON CONFLICT vs ON DUPLICATE KEY) match the backend the SQL
+// dispatches to. Defaulting to "sqlite" works on Postgres only by accident
+// (both double-quote identifiers) and emits the wrong quoting on MySQL.
+// clusterStorage.execute still rewrites table names + translates `?`
+// placeholders at dispatch; this controls only the builder-side quoting +
+// idiom selection.
+function _sqlOpts() { return { dialect: clusterStorage.dialect() }; }
+
 // Dual-control gate constants for the audit_log physical purge. The
 // purge erases signed audit history, so when an operator has declared
 // audit_log under b.db.declareRequireDualControl the deletion requires
@@ -274,42 +287,48 @@ function _verifyChainSlice(rows, startPrevHash) {
 // cluster-storage reader so the tooling works in both single-node and
 // cluster deployments without the caller knowing which mode is active.
 async function _defaultReadRows(criteria) {
-  var sql = 'SELECT * FROM "audit_log"';
-  var conds = [];
-  var params = [];
-  if (criteria.fromMs != null)        { conds.push("recordedAt >= ?"); params.push(criteria.fromMs); }
-  if (criteria.toMs != null)          { conds.push("recordedAt <= ?"); params.push(criteria.toMs); }
-  if (criteria.beforeMs != null)      { conds.push("recordedAt < ?");  params.push(criteria.beforeMs); }
-  if (criteria.action)                { conds.push("action = ?");      params.push(criteria.action); }
-  if (criteria.firstCounter != null)  { conds.push("monotonicCounter >= ?"); params.push(criteria.firstCounter); }
-  if (criteria.lastCounter != null)   { conds.push("monotonicCounter <= ?"); params.push(criteria.lastCounter); }
-  if (conds.length > 0) sql += " WHERE " + conds.join(" AND ");
-  sql += " ORDER BY monotonicCounter ASC";
-  return clusterStorage.executeAll(sql, params);
+  // Compose the criteria onto a b.sql SELECT with a BARE logical table name
+  // (clusterStorage rewrites the framework name + placeholderizes); b.sql
+  // quotes the camelCase columns + binds every value.
+  var qb = sql.select("audit_log", _sqlOpts());
+  if (criteria.fromMs != null)       qb.whereOp("recordedAt", ">=", criteria.fromMs);
+  if (criteria.toMs != null)         qb.whereOp("recordedAt", "<=", criteria.toMs);
+  if (criteria.beforeMs != null)     qb.whereOp("recordedAt", "<", criteria.beforeMs);
+  if (criteria.action)               qb.where("action", criteria.action);
+  if (criteria.firstCounter != null) qb.whereOp("monotonicCounter", ">=", criteria.firstCounter);
+  if (criteria.lastCounter != null)  qb.whereOp("monotonicCounter", "<=", criteria.lastCounter);
+  qb.orderBy("monotonicCounter", "asc");
+  var built = qb.toSql();
+  return clusterStorage.executeAll(built.sql, built.params);
 }
 
 async function _defaultReadCoveringCheckpoint(lastCounter) {
-  return clusterStorage.executeOne(
-    "SELECT * FROM audit_checkpoints " +
-    "WHERE atMonotonicCounter >= ? " +
-    "ORDER BY atMonotonicCounter ASC LIMIT 1",
-    [lastCounter]
-  );
+  var built = sql.select("audit_checkpoints", _sqlOpts())
+    .whereOp("atMonotonicCounter", ">=", lastCounter)
+    .orderBy("atMonotonicCounter", "asc")
+    .limit(1)
+    .toSql();
+  return clusterStorage.executeOne(built.sql, built.params);
 }
 
 async function _defaultReadPredecessorRowHash(firstCounter) {
   if (firstCounter <= 1) return auditChain.ZERO_HASH;
-  var row = await clusterStorage.executeOne(
-    "SELECT rowHash FROM audit_log WHERE monotonicCounter = ?",
-    [firstCounter - 1]
-  );
+  var rowBuilt = sql.select("audit_log", _sqlOpts())
+    .columns(["rowHash"])
+    .where("monotonicCounter", firstCounter - 1)
+    .toSql();
+  var row = await clusterStorage.executeOne(rowBuilt.sql, rowBuilt.params);
   if (!row) {
     // First row of the slice is right after a purged range. Read the
-    // purge anchor's lastRowHash instead.
-    var anchor = await clusterStorage.executeOne(
-      "SELECT lastPurgedRowHash, lastPurgedCounter FROM _blamejs_audit_purge_anchor " +
-      "WHERE scope = 'audit'"
-    );
+    // purge anchor's lastRowHash instead. The anchor is an external-only
+    // table whose LOGICAL name IS the `_blamejs_`-prefixed name (it maps
+    // to itself in LOCAL_TO_EXTERNAL); b.sql must receive it bare so
+    // clusterStorage rewrites it. allow:hand-rolled-sql — bare logical key.
+    var anchorBuilt = sql.select("_blamejs_audit_purge_anchor", _sqlOpts())   // allow:hand-rolled-sql
+      .columns(["lastPurgedRowHash", "lastPurgedCounter"])
+      .where("scope", "audit")
+      .toSql();
+    var anchor = await clusterStorage.executeOne(anchorBuilt.sql, anchorBuilt.params);
     if (anchor && Number(anchor.lastPurgedCounter) === firstCounter - 1) {
       return anchor.lastPurgedRowHash;
     }
@@ -343,7 +362,7 @@ async function _buildBundle(args) {
     return JSON.stringify(_rowToWireForm(r));
   }).join("\n") + "\n";
   var rowsEnc = await backupCrypto.encryptWithFreshSalt(jsonl, passphrase);
-  files["rows.enc"] = rowsEnc.encrypted;
+  files[frameworkFiles.fileName("rowsEnc")] = rowsEnc.encrypted;
 
   // 2. (archive) Encrypt the checkpoint JSON
   var checkpointSalt = null;
@@ -351,7 +370,7 @@ async function _buildBundle(args) {
   if (checkpoint) {
     var ckptJson = _canonicalize(_rowToWireForm(checkpoint));
     var ckptEnc = await backupCrypto.encryptWithFreshSalt(ckptJson, passphrase);
-    files["checkpoint.enc"] = ckptEnc.encrypted;
+    files[frameworkFiles.fileName("checkpointEnc")] = ckptEnc.encrypted;
     checkpointSalt = ckptEnc.salt;
     checkpointEncrypted = ckptEnc.encrypted;
   }
@@ -401,9 +420,9 @@ async function _writeBundle(args) {
   var built  = await _buildBundle(args);
 
   atomicFile.ensureDir(outDir);
-  atomicFile.writeSync(nodePath.join(outDir, "rows.enc"), built.files["rows.enc"], { fileMode: 0o600 });
-  if (built.files["checkpoint.enc"]) {
-    atomicFile.writeSync(nodePath.join(outDir, "checkpoint.enc"), built.files["checkpoint.enc"], { fileMode: 0o600 });
+  atomicFile.writeSync(nodePath.join(outDir, frameworkFiles.fileName("rowsEnc")), built.files[frameworkFiles.fileName("rowsEnc")], { fileMode: 0o600 });
+  if (built.files[frameworkFiles.fileName("checkpointEnc")]) {
+    atomicFile.writeSync(nodePath.join(outDir, frameworkFiles.fileName("checkpointEnc")), built.files[frameworkFiles.fileName("checkpointEnc")], { fileMode: 0o600 });
   }
   var manifestPath = nodePath.join(outDir, "manifest.json");
   atomicFile.writeSync(manifestPath, built.files["manifest.json"], { fileMode: 0o600 });
@@ -432,7 +451,7 @@ async function _readBundle(inDir, passphrase) {
       "manifest.kind must be one of " + Object.keys(VALID_KINDS).join(", "));
   }
 
-  var rowsEncPath = nodePath.join(inDir, "rows.enc");
+  var rowsEncPath = nodePath.join(inDir, frameworkFiles.fileName("rowsEnc"));
   if (!nodeFs.existsSync(rowsEncPath)) {
     throw new AuditToolsError("audit-tools/no-rows-blob",
       "rows.enc missing in " + inDir);
@@ -450,7 +469,7 @@ async function _readBundle(inDir, passphrase) {
 
   var checkpoint = null;
   if (manifest.kind === KIND_ARCHIVE) {
-    var ckptPath = nodePath.join(inDir, "checkpoint.enc");
+    var ckptPath = nodePath.join(inDir, frameworkFiles.fileName("checkpointEnc"));
     if (!nodeFs.existsSync(ckptPath)) {
       throw new AuditToolsError("audit-tools/no-checkpoint-blob",
         "checkpoint.enc missing in " + inDir + " (archive bundles must include the covering checkpoint)");
@@ -945,26 +964,35 @@ async function purge(opts) {
 }
 
 async function _defaultReadPurgeAnchor() {
-  return clusterStorage.executeOne(
-    "SELECT * FROM _blamejs_audit_purge_anchor WHERE scope = 'audit'"
-  );
+  // External-only table — its logical name IS the `_blamejs_`-prefixed name
+  // (self-mapped in LOCAL_TO_EXTERNAL); b.sql receives it bare so
+  // clusterStorage rewrites it. allow:hand-rolled-sql — bare logical key.
+  var built = sql.select("_blamejs_audit_purge_anchor", _sqlOpts())   // allow:hand-rolled-sql
+    .where("scope", "audit")
+    .toSql();
+  return clusterStorage.executeOne(built.sql, built.params);
 }
 
 async function _defaultApplyPurge(args) {
   var del = await db().purgeAuditChain({ lastPurgedCounter: args.lastPurgedCounter });
-  // UPSERT the single-row anchor. SQLite + Postgres both support
-  // INSERT ... ON CONFLICT(scope) DO UPDATE.
-  await clusterStorage.execute(
-    "INSERT INTO _blamejs_audit_purge_anchor " +
-    "(scope, lastPurgedCounter, lastPurgedRowHash, archiveBundleId, purgedAt) " +
-    "VALUES ('audit', ?, ?, ?, ?) " +
-    "ON CONFLICT(scope) DO UPDATE SET " +
-    "lastPurgedCounter = excluded.lastPurgedCounter, " +
-    "lastPurgedRowHash = excluded.lastPurgedRowHash, " +
-    "archiveBundleId   = excluded.archiveBundleId, " +
-    "purgedAt          = excluded.purgedAt",
-    [args.lastPurgedCounter, args.lastPurgedRowHash, args.archiveBundleId, args.purgedAt]
-  );
+  // UPSERT the single-row anchor via b.sql ON CONFLICT(scope) DO UPDATE
+  // (SQLite + Postgres). The anchor is external-only; its logical name IS
+  // the `_blamejs_`-prefixed name (self-mapped), passed bare so
+  // clusterStorage rewrites + placeholderizes. b.sql quotes the camelCase
+  // columns + binds 'audit'. allow:hand-rolled-sql — bare logical key.
+  var built = sql.upsert("_blamejs_audit_purge_anchor", _sqlOpts())   // allow:hand-rolled-sql
+    .columns(["scope", "lastPurgedCounter", "lastPurgedRowHash", "archiveBundleId", "purgedAt"])
+    .values({
+      scope:             "audit",
+      lastPurgedCounter: args.lastPurgedCounter,
+      lastPurgedRowHash: args.lastPurgedRowHash,
+      archiveBundleId:   args.archiveBundleId,
+      purgedAt:          args.purgedAt,
+    })
+    .onConflict(["scope"])
+    .doUpdateFromExcluded(["lastPurgedCounter", "lastPurgedRowHash", "archiveBundleId", "purgedAt"])
+    .toSql();
+  await clusterStorage.execute(built.sql, built.params);
   return {
     rowsDeleted:        del.rowsDeleted,
     checkpointsDeleted: del.checkpointsDeleted,
@@ -1047,7 +1075,7 @@ async function forensicSnapshot(opts) {
     reason:            opts.reason,
     actor:             opts.actor || null,
     composedAt:        new Date().toISOString(),
-    auditSliceFile:    returnBytes ? "rows.enc" : (sliceResult && sliceResult.manifestPath),
+    auditSliceFile:    returnBytes ? frameworkFiles.fileName("rowsEnc") : (sliceResult && sliceResult.manifestPath),
     auditSliceCount:   sliceResult && sliceResult.rowCount,
     runtime: {
       nodeVersion: process.version,