@dishantlangayan/sc-cli-core 0.2.0 → 0.3.0

package/README.md

@@ -20,6 +20,9 @@ The ScCommand abstract class extends [@oclif/core's Command class](https://githu
 ## ScConnection Class
 The ScConnection class provide abstraction functions for Solace Cloud API REST calls. It handles the access token and base URL for each REST call, avoiding the need to set these on each Command.
 
+## BrokerAuthManager
+The BrokerAuthManager class provides utility functions to store and retrieve broker SEMP management authentication information from user's home directory: `~/.sf/` or `%USERPROFILE%\sf\`. The implementation uses AES-256-GCM for authenticated encryption and provides machine-bound encryption that combines OS-level security (keychain) with machine-specific identifiers, making credentials non-transferable between machines.
+
 # Contributing
 Contributions are encouraged! Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us.
 

package/lib/auth/auth-manager.d.ts

@@ -1,5 +1,6 @@
 import { ScConnection } from '../util/sc-connection.js';
 import { type BrokerAuth } from './auth-types.js';
+import { KeychainService } from './keychain.js';
 /**
  * Manager for broker authentication storage
  * Handles encrypted storage of broker credentials
@@ -8,14 +9,17 @@ export declare class BrokerAuthManager {
     private static instance;
     private readonly configDir;
     private readonly configFile;
-    private currentPassword;
     private encryptionKey;
+    private readonly keychainService;
+    private machineId;
+    private masterKey;
     private storage;
     private constructor();
     /**
      * Get singleton instance
+     * @param keychainService - Optional keychain service for testing
      */
-    static getInstance(): BrokerAuthManager;
+    static getInstance(keychainService?: KeychainService): BrokerAuthManager;
     /**
      * Add a new broker configuration
      * @param broker - Broker authentication configuration
@@ -50,10 +54,9 @@ export declare class BrokerAuthManager {
      */
     getBroker(name: string): Promise<BrokerAuth | null>;
     /**
-     * Initialize the auth manager with encryption key
-     * @param password - Password to derive encryption key
+     * Initialize the auth manager with encryption key derived from OS keychain and machine ID
      */
-    initialize(password: string): Promise<void>;
+    initialize(): Promise<void>;
     /**
      * List all broker names
      * @returns Array of broker names
@@ -80,7 +83,7 @@ export declare class BrokerAuthManager {
     private fileExists;
     /**
      * Load storage from encrypted file
-     * @param password - Password to decrypt
+     * @param combinedKey - Combined master key and machine ID for decryption
      */
     private loadStorage;
     /**

package/lib/auth/auth-manager.js

@@ -4,6 +4,9 @@ import { join } from 'node:path';
 import { ScConnection } from '../util/sc-connection.js';
 import { BrokerAuthEncryption } from './auth-encryption.js';
 import { AuthType, BrokerAuthError, BrokerAuthErrorCode, } from './auth-types.js';
+import { KeychainService } from './keychain.js';
+const SERVICE_NAME = 'local';
+const KEY_NAME = 'sc-cli';
 /**
  * Manager for broker authentication storage
  * Handles encrypted storage of broker credentials
@@ -12,20 +15,24 @@ export class BrokerAuthManager {
     static instance = null;
     configDir;
     configFile;
-    currentPassword = null;
     encryptionKey = null;
+    keychainService;
+    machineId = null;
+    masterKey = null;
     storage = null;
-    constructor() {
+    constructor(keychainService) {
         const homeDirectory = homedir();
         this.configDir = join(homeDirectory, '.sc');
         this.configFile = join(this.configDir, 'brokers.json');
+        this.keychainService = keychainService ?? new KeychainService();
     }
     /**
      * Get singleton instance
+     * @param keychainService - Optional keychain service for testing
      */
-    static getInstance() {
+    static getInstance(keychainService) {
         if (!BrokerAuthManager.instance) {
-            BrokerAuthManager.instance = new BrokerAuthManager();
+            BrokerAuthManager.instance = new BrokerAuthManager(keychainService);
         }
         return BrokerAuthManager.instance;
     }
@@ -100,23 +107,31 @@ export class BrokerAuthManager {
         return broker ?? null;
     }
     /**
-     * Initialize the auth manager with encryption key
-     * @param password - Password to derive encryption key
+     * Initialize the auth manager with encryption key derived from OS keychain and machine ID
      */
-    async initialize(password) {
+    async initialize() {
         try {
-            // Store password for re-encryption
-            this.currentPassword = password;
+            // Get machine ID
+            this.machineId = this.keychainService.getMachineId();
+            // Get or create master key from OS keychain
+            this.masterKey = await this.keychainService.getPassword(KEY_NAME, SERVICE_NAME);
+            if (!this.masterKey) {
+                // Generate new master key and store in OS keychain
+                this.masterKey = this.keychainService.generateMasterKey();
+                await this.keychainService.setPassword(KEY_NAME, SERVICE_NAME, this.masterKey);
+            }
+            // Combine master key with machine ID for encryption
+            const combinedKey = `${this.masterKey}:${this.machineId}`;
             // Try to load existing storage
             const fileExists = await this.fileExists();
             if (fileExists) {
                 // Load existing file and derive key from stored salt
-                await this.loadStorage(password);
+                await this.loadStorage(combinedKey);
             }
             else {
                 // Create new storage with new salt
                 const salt = BrokerAuthEncryption.generateSalt();
-                this.encryptionKey = await BrokerAuthEncryption.deriveKey(password, salt);
+                this.encryptionKey = await BrokerAuthEncryption.deriveKey(combinedKey, salt);
                 this.storage = {
                     brokers: [],
                     version: '1.0.0',
@@ -199,15 +214,15 @@ export class BrokerAuthManager {
     }
     /**
      * Load storage from encrypted file
-     * @param password - Password to decrypt
+     * @param combinedKey - Combined master key and machine ID for decryption
      */
-    async loadStorage(password) {
+    async loadStorage(combinedKey) {
         try {
             const fileContent = await readFile(this.configFile, 'utf8');
             const encryptedData = JSON.parse(fileContent);
-            // Derive key from password and stored salt
+            // Derive key from combined key and stored salt
             const salt = Buffer.from(encryptedData.salt, 'base64');
-            this.encryptionKey = await BrokerAuthEncryption.deriveKey(password, salt);
+            this.encryptionKey = await BrokerAuthEncryption.deriveKey(combinedKey, salt);
             // Decrypt storage
             this.storage = await BrokerAuthEncryption.decrypt(encryptedData, this.encryptionKey);
         }
@@ -223,16 +238,17 @@ export class BrokerAuthManager {
      */
     async saveStorage() {
         try {
-            if (!this.currentPassword) {
-                throw new BrokerAuthError('Password not set', BrokerAuthErrorCode.NOT_INITIALIZED);
+            if (!this.masterKey || !this.machineId) {
+                throw new BrokerAuthError('Auth manager not initialized', BrokerAuthErrorCode.NOT_INITIALIZED);
             }
             // Ensure directory exists
             await mkdir(this.configDir, { mode: 0o700, recursive: true });
             // Encrypt data
             const encrypted = await BrokerAuthEncryption.encrypt(this.storage, this.encryptionKey);
             // Re-derive key with new salt for next save
+            const combinedKey = `${this.masterKey}:${this.machineId}`;
             const newSalt = Buffer.from(encrypted.salt, 'base64');
-            this.encryptionKey = await BrokerAuthEncryption.deriveKey(this.currentPassword, newSalt);
+            this.encryptionKey = await BrokerAuthEncryption.deriveKey(combinedKey, newSalt);
             // Write to temp file first (atomic write)
             const jsonData = JSON.stringify(encrypted, null, 2);
             const tempFile = `${this.configFile}.tmp`;

package/lib/auth/keychain.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Keychain service for storing and retrieving encryption keys
+ * This abstraction allows for easier testing and mocking
+ */
+export declare class KeychainService {
+    /**
+     * Delete a password from the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @returns True if deleted, false if not found
+     */
+    deletePassword(service: string, account: string): Promise<boolean>;
+    /**
+     * Generate a random master key
+     * @returns Base64-encoded random key
+     */
+    generateMasterKey(): string;
+    /**
+     * Get unique machine identifier
+     * @returns Machine ID string
+     */
+    getMachineId(): string;
+    /**
+     * Get a password from the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @returns Password string or null if not found
+     */
+    getPassword(service: string, account: string): Promise<null | string>;
+    /**
+     * Set a password in the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @param password - Password to store
+     */
+    setPassword(service: string, account: string, password: string): Promise<void>;
+    /**
+     * Lazy load keytar module
+     * @returns keytar module
+     */
+    private loadKeytar;
+    /**
+     * Lazy load node-machine-id module
+     * @returns node-machine-id module
+     */
+    private loadMachineId;
+}

package/lib/auth/keychain.js

@@ -0,0 +1,71 @@
+import { randomBytes } from 'node:crypto';
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+/**
+ * Keychain service for storing and retrieving encryption keys
+ * This abstraction allows for easier testing and mocking
+ */
+export class KeychainService {
+    /**
+     * Delete a password from the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @returns True if deleted, false if not found
+     */
+    async deletePassword(service, account) {
+        const keytar = await this.loadKeytar();
+        return keytar.deletePassword(service, account);
+    }
+    /**
+     * Generate a random master key
+     * @returns Base64-encoded random key
+     */
+    generateMasterKey() {
+        return randomBytes(32).toString('base64');
+    }
+    /**
+     * Get unique machine identifier
+     * @returns Machine ID string
+     */
+    getMachineId() {
+        const machineIdPkg = this.loadMachineId();
+        return machineIdPkg.machineIdSync();
+    }
+    /**
+     * Get a password from the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @returns Password string or null if not found
+     */
+    async getPassword(service, account) {
+        const keytar = await this.loadKeytar();
+        return keytar.getPassword(service, account);
+    }
+    /**
+     * Set a password in the keychain
+     * @param service - Service name
+     * @param account - Account name
+     * @param password - Password to store
+     */
+    async setPassword(service, account, password) {
+        const keytar = await this.loadKeytar();
+        return keytar.setPassword(service, account, password);
+    }
+    /**
+     * Lazy load keytar module
+     * @returns keytar module
+     */
+    async loadKeytar() {
+        const keytar = await import('keytar');
+        return keytar.default;
+    }
+    /**
+     * Lazy load node-machine-id module
+     * @returns node-machine-id module
+     */
+    loadMachineId() {
+        // Use require for CommonJS module (node-machine-id)
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        return require('node-machine-id');
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dishantlangayan/sc-cli-core",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Base library for the Solace Cloud CLI and plugins",
   "license": "Apache-2.0",
   "author": "Dishant Langayan",
@@ -54,6 +54,8 @@
   "dependencies": {
     "@oclif/core": "^4.8.0",
     "axios": "^1.13.2",
+    "keytar": "^7.9.0",
+    "node-machine-id": "^1.1.12",
     "table": "^6.9.0"
   }
 }