@elevasis/core 0.11.2 → 0.13.0

package/src/auth/multi-tenancy/credentials/__tests__/encryption.test.ts

@@ -1,216 +1,217 @@
-import { describe, it, expect } from 'vitest'
-import { encryptCredential, decryptCredential } from '../server/encryption'
-
-// Note: SECRETS_ENCRYPTION_KEY is set in vitest.config.ts env section
-// The encryption module reads it at load time
-
-describe('Credential Encryption', () =>{
-
-  describe('encryptCredential', () => {
-    it('encrypts plaintext to base64-encoded JSON string', () => {
-      const plaintext = 'my-secret-api-key'
-      const encrypted = encryptCredential(plaintext)
-
-      // Should be a valid JSON string
-      expect(() => JSON.parse(encrypted)).not.toThrow()
-
-      const parsed = JSON.parse(encrypted)
-      expect(parsed).toHaveProperty('iv')
-      expect(parsed).toHaveProperty('authTag')
-      expect(parsed).toHaveProperty('data')
-    })
-
-    it('produces different ciphertext for same input (random IV)', () => {
-      const plaintext = 'same-secret'
-
-      const encrypted1 = encryptCredential(plaintext)
-      const encrypted2 = encryptCredential(plaintext)
-
-      // Different IVs mean different ciphertext
-      expect(encrypted1).not.toBe(encrypted2)
-
-      // But both decrypt to same plaintext
-      expect(decryptCredential(encrypted1)).toBe(plaintext)
-      expect(decryptCredential(encrypted2)).toBe(plaintext)
-    })
-
-    it('handles empty string', () => {
-      const plaintext = ''
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe('')
-    })
-
-    it('handles long strings', () => {
-      const plaintext = 'x'.repeat(10000)
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(plaintext)
-    })
-
-    it('handles special characters and unicode', () => {
-      const plaintext = 'Hello 世界! 🔐 Special chars: \n\t\r"\'\\`'
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(plaintext)
-    })
-
-    it('validates key is configured at module load', () => {
-      // We can't test missing key dynamically since MASTER_KEY is set at module load
-      // Instead, verify the key is set and encryption works
-      const encrypted = encryptCredential('test')
-      expect(encrypted).toBeDefined()
-    })
-  })
-
-  describe('decryptCredential', () => {
-    it('decrypts ciphertext back to original plaintext', () => {
-      const plaintext = 'my-secret-api-key'
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(plaintext)
-    })
-
-    it('successfully decrypts with configured key', () => {
-      const encrypted = encryptCredential('test')
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe('test')
-    })
-
-    it('throws error on malformed JSON', () => {
-      expect(() => decryptCredential('not-json')).toThrow()
-    })
-
-    it('throws error on missing fields', () => {
-      const invalidData = JSON.stringify({ iv: 'abc', authTag: 'def' }) // Missing 'data'
-
-      expect(() => decryptCredential(invalidData)).toThrow()
-    })
-
-    it('throws error on tampered ciphertext', () => {
-      const encrypted = encryptCredential('secret')
-      const parsed = JSON.parse(encrypted)
-
-      // Tamper with the data
-      parsed.data = 'tampered-data'
-      const tampered = JSON.stringify(parsed)
-
-      expect(() => decryptCredential(tampered)).toThrow()
-    })
-
-    it('throws error on tampered auth tag', () => {
-      const encrypted = encryptCredential('secret')
-      const parsed = JSON.parse(encrypted)
-
-      // Tamper with the auth tag
-      parsed.authTag = 'AAAAAAAAAAAAAAAAAAAAAA=='
-      const tampered = JSON.stringify(parsed)
-
-      expect(() => decryptCredential(tampered)).toThrow()
-    })
-
-    it('detects tampering via auth tag (GCM mode)', () => {
-      const encrypted = encryptCredential('secret')
-      const parsed = JSON.parse(encrypted)
-
-      // Tamper with just one byte of data
-      const dataBuffer = Buffer.from(parsed.data, 'base64')
-      dataBuffer[0] ^= 0x01 // Flip one bit
-      parsed.data = dataBuffer.toString('base64')
-
-      const tampered = JSON.stringify(parsed)
-
-      // GCM should detect the tampering and throw
-      expect(() => decryptCredential(tampered)).toThrow()
-    })
-
-    it('throws error on invalid base64 encoding', () => {
-      const invalidData = JSON.stringify({
-        iv: 'not-valid-base64!!!',
-        authTag: 'AAAA',
-        data: 'BBBB'
-      })
-
-      expect(() => decryptCredential(invalidData)).toThrow()
-    })
-  })
-
-  describe('Round-trip encryption/decryption', () => {
-    it('preserves API key format', () => {
-      const apiKey = 'sk_test_1234567890abcdefghijklmnopqrstuvwxyz'
-      const encrypted = encryptCredential(apiKey)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(apiKey)
-    })
-
-    it('preserves database connection strings', () => {
-      const connString = 'postgresql://user:password@localhost:5432/database?sslmode=require'
-      const encrypted = encryptCredential(connString)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(connString)
-    })
-
-    it('preserves JSON credentials', () => {
-      const jsonCreds = JSON.stringify({
-        type: 'service_account',
-        project_id: 'my-project',
-        private_key: '-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n'
-      })
-
-      const encrypted = encryptCredential(jsonCreds)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(jsonCreds)
-      expect(JSON.parse(decrypted)).toEqual(JSON.parse(jsonCreds))
-    })
-  })
-
-  describe('Security properties', () => {
-    it('uses AES-256-GCM (authenticated encryption)', () => {
-      const encrypted = encryptCredential('test')
-      const parsed = JSON.parse(encrypted)
-
-      // Auth tag should be present (GCM mode)
-      expect(parsed.authTag).toBeDefined()
-      expect(parsed.authTag.length).toBeGreaterThan(0)
-    })
-
-    it('uses random IV for each encryption', () => {
-      const ivs = new Set()
-
-      for (let i = 0; i < 100; i++) {
-        const encrypted = encryptCredential('test')
-        const parsed = JSON.parse(encrypted)
-        ivs.add(parsed.iv)
-      }
-
-      // All IVs should be unique
-      expect(ivs.size).toBe(100)
-    })
-
-    it('IV is 16 bytes (128 bits)', () => {
-      const encrypted = encryptCredential('test')
-      const parsed = JSON.parse(encrypted)
-
-      // Base64-encoded 16 bytes = 24 characters
-      const ivBuffer = Buffer.from(parsed.iv, 'base64')
-      expect(ivBuffer.length).toBe(16)
-    })
-
-    it('auth tag is 16 bytes (128 bits)', () => {
-      const encrypted = encryptCredential('test')
-      const parsed = JSON.parse(encrypted)
-
-      // Base64-encoded 16 bytes = 24 characters
-      const authTagBuffer = Buffer.from(parsed.authTag, 'base64')
-      expect(authTagBuffer.length).toBe(16)
-    })
-  })
-})
+import crypto from 'crypto'
+import { describe, it, expect, beforeAll } from 'vitest'
+import { encryptCredential, decryptCredential, setKek, CURRENT_KEY_ID } from '../server/encryption'
+
+beforeAll(() => {
+  setKek(CURRENT_KEY_ID, crypto.randomBytes(32))
+})
+
+describe('Credential Encryption', () => {
+  describe('encryptCredential', () => {
+    it('encrypts plaintext to base64-encoded JSON string', () => {
+      const plaintext = 'my-secret-api-key'
+      const encrypted = encryptCredential(plaintext)
+
+      // Should be a valid JSON string
+      expect(() => JSON.parse(encrypted)).not.toThrow()
+
+      const parsed = JSON.parse(encrypted)
+      expect(parsed).toHaveProperty('iv')
+      expect(parsed).toHaveProperty('authTag')
+      expect(parsed).toHaveProperty('data')
+    })
+
+    it('produces different ciphertext for same input (random IV)', () => {
+      const plaintext = 'same-secret'
+
+      const encrypted1 = encryptCredential(plaintext)
+      const encrypted2 = encryptCredential(plaintext)
+
+      // Different IVs mean different ciphertext
+      expect(encrypted1).not.toBe(encrypted2)
+
+      // But both decrypt to same plaintext
+      expect(decryptCredential(encrypted1)).toBe(plaintext)
+      expect(decryptCredential(encrypted2)).toBe(plaintext)
+    })
+
+    it('handles empty string', () => {
+      const plaintext = ''
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe('')
+    })
+
+    it('handles long strings', () => {
+      const plaintext = 'x'.repeat(10000)
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(plaintext)
+    })
+
+    it('handles special characters and unicode', () => {
+      const plaintext = 'Hello 世界! 🔐 Special chars: \n\t\r"\'\\`'
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(plaintext)
+    })
+
+    it('validates key is configured at module load', () => {
+      // We can't test missing key dynamically since MASTER_KEY is set at module load
+      // Instead, verify the key is set and encryption works
+      const encrypted = encryptCredential('test')
+      expect(encrypted).toBeDefined()
+    })
+  })
+
+  describe('decryptCredential', () => {
+    it('decrypts ciphertext back to original plaintext', () => {
+      const plaintext = 'my-secret-api-key'
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(plaintext)
+    })
+
+    it('successfully decrypts with configured key', () => {
+      const encrypted = encryptCredential('test')
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe('test')
+    })
+
+    it('throws error on malformed JSON', () => {
+      expect(() => decryptCredential('not-json')).toThrow()
+    })
+
+    it('throws error on missing fields', () => {
+      const invalidData = JSON.stringify({ iv: 'abc', authTag: 'def' }) // Missing 'data'
+
+      expect(() => decryptCredential(invalidData)).toThrow()
+    })
+
+    it('throws error on tampered ciphertext', () => {
+      const encrypted = encryptCredential('secret')
+      const parsed = JSON.parse(encrypted)
+
+      // Tamper with the data
+      parsed.data = 'tampered-data'
+      const tampered = JSON.stringify(parsed)
+
+      expect(() => decryptCredential(tampered)).toThrow()
+    })
+
+    it('throws error on tampered auth tag', () => {
+      const encrypted = encryptCredential('secret')
+      const parsed = JSON.parse(encrypted)
+
+      // Tamper with the auth tag
+      parsed.authTag = 'AAAAAAAAAAAAAAAAAAAAAA=='
+      const tampered = JSON.stringify(parsed)
+
+      expect(() => decryptCredential(tampered)).toThrow()
+    })
+
+    it('detects tampering via auth tag (GCM mode)', () => {
+      const encrypted = encryptCredential('secret')
+      const parsed = JSON.parse(encrypted)
+
+      // Tamper with just one byte of data
+      const dataBuffer = Buffer.from(parsed.data, 'base64')
+      dataBuffer[0] ^= 0x01 // Flip one bit
+      parsed.data = dataBuffer.toString('base64')
+
+      const tampered = JSON.stringify(parsed)
+
+      // GCM should detect the tampering and throw
+      expect(() => decryptCredential(tampered)).toThrow()
+    })
+
+    it('throws error on invalid base64 encoding', () => {
+      const invalidData = JSON.stringify({
+        iv: 'not-valid-base64!!!',
+        authTag: 'AAAA',
+        data: 'BBBB'
+      })
+
+      expect(() => decryptCredential(invalidData)).toThrow()
+    })
+  })
+
+  describe('Round-trip encryption/decryption', () => {
+    it('preserves API key format', () => {
+      const apiKey = 'sk_test_1234567890abcdefghijklmnopqrstuvwxyz'
+      const encrypted = encryptCredential(apiKey)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(apiKey)
+    })
+
+    it('preserves database connection strings', () => {
+      const connString = 'postgresql://user:password@localhost:5432/database?sslmode=require'
+      const encrypted = encryptCredential(connString)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(connString)
+    })
+
+    it('preserves JSON credentials', () => {
+      const jsonCreds = JSON.stringify({
+        type: 'service_account',
+        project_id: 'my-project',
+        private_key: '-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n'
+      })
+
+      const encrypted = encryptCredential(jsonCreds)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(jsonCreds)
+      expect(JSON.parse(decrypted)).toEqual(JSON.parse(jsonCreds))
+    })
+  })
+
+  describe('Security properties', () => {
+    it('uses AES-256-GCM (authenticated encryption)', () => {
+      const encrypted = encryptCredential('test')
+      const parsed = JSON.parse(encrypted)
+
+      // Auth tag should be present (GCM mode)
+      expect(parsed.authTag).toBeDefined()
+      expect(parsed.authTag.length).toBeGreaterThan(0)
+    })
+
+    it('uses random IV for each encryption', () => {
+      const ivs = new Set()
+
+      for (let i = 0; i < 100; i++) {
+        const encrypted = encryptCredential('test')
+        const parsed = JSON.parse(encrypted)
+        ivs.add(parsed.iv)
+      }
+
+      // All IVs should be unique
+      expect(ivs.size).toBe(100)
+    })
+
+    it('IV is 16 bytes (128 bits)', () => {
+      const encrypted = encryptCredential('test')
+      const parsed = JSON.parse(encrypted)
+
+      // Base64-encoded 16 bytes = 24 characters
+      const ivBuffer = Buffer.from(parsed.iv, 'base64')
+      expect(ivBuffer.length).toBe(16)
+    })
+
+    it('auth tag is 16 bytes (128 bits)', () => {
+      const encrypted = encryptCredential('test')
+      const parsed = JSON.parse(encrypted)
+
+      // Base64-encoded 16 bytes = 24 characters
+      const authTagBuffer = Buffer.from(parsed.authTag, 'base64')
+      expect(authTagBuffer.length).toBe(16)
+    })
+  })
+})

package/src/auth/multi-tenancy/credentials/server/encryption.ts

@@ -1,39 +1,69 @@
-import crypto from 'crypto'
-
-const MASTER_KEY = process.env.SECRETS_ENCRYPTION_KEY
-const ALGORITHM = 'aes-256-gcm'
-
-interface EncryptedData {
-  iv: string
-  authTag: string
-  data: string
-}
-
-export function encryptCredential(plaintext: string): string {
-  if (!MASTER_KEY) {
-    throw new Error('SECRETS_ENCRYPTION_KEY not configured')
-  }
-
-  const iv = crypto.randomBytes(16)
-  const cipher = crypto.createCipheriv(ALGORITHM, Buffer.from(MASTER_KEY, 'hex'), iv)
-  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
-  const authTag = cipher.getAuthTag()
-
-  return JSON.stringify({
-    iv: iv.toString('base64'),
-    authTag: authTag.toString('base64'),
-    data: encrypted.toString('base64')
-  })
-}
-
-export function decryptCredential(encrypted: string): string {
-  if (!MASTER_KEY) {
-    throw new Error('SECRETS_ENCRYPTION_KEY not configured')
-  }
-
-  const { iv, authTag, data } = JSON.parse(encrypted) as EncryptedData
-  const decipher = crypto.createDecipheriv(ALGORITHM, Buffer.from(MASTER_KEY, 'hex'), Buffer.from(iv, 'base64'))
-  decipher.setAuthTag(Buffer.from(authTag, 'base64'))
-
-  return Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]).toString('utf8')
-}
+import crypto from 'crypto'
+
+const ALGORITHM = 'aes-256-gcm'
+
+// keyId stamped on all newly encrypted ciphertexts.
+export const CURRENT_KEY_ID = 'platform-v1'
+
+// Implicit keyId for pre-Vault ciphertext rows that lack a keyId field. All
+// known rows were restamped with CURRENT_KEY_ID during the re-encryption
+// migration; this constant remains only so any unexpected legacy blob produces
+// a clear "KEK not loaded" error rather than a silent default-key decrypt.
+export const LEGACY_KEY_ID = 'platform-v0-legacy'
+
+interface EncryptedData {
+  iv: string
+  authTag: string
+  data: string
+  keyId?: string
+}
+
+const kekMap = new Map<string, Buffer>()
+
+export function setKek(keyId: string, key: Buffer): void {
+  if (key.length !== 32) {
+    throw new Error(`KEK must be 32 bytes (256 bits); got ${key.length}`)
+  }
+  kekMap.set(keyId, key)
+}
+
+export function clearKeks(): void {
+  kekMap.clear()
+}
+
+function resolveKek(keyId: string): Buffer | undefined {
+  return kekMap.get(keyId)
+}
+
+export function encryptCredential(plaintext: string): string {
+  const key = resolveKek(CURRENT_KEY_ID)
+  if (!key) {
+    throw new Error(`Encryption KEK '${CURRENT_KEY_ID}' not loaded; call setKek() at boot`)
+  }
+
+  const iv = crypto.randomBytes(16)
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
+  const authTag = cipher.getAuthTag()
+
+  return JSON.stringify({
+    iv: iv.toString('base64'),
+    authTag: authTag.toString('base64'),
+    data: encrypted.toString('base64'),
+    keyId: CURRENT_KEY_ID
+  })
+}
+
+export function decryptCredential(encrypted: string): string {
+  const { iv, authTag, data, keyId } = JSON.parse(encrypted) as EncryptedData
+  const resolvedKeyId = keyId ?? LEGACY_KEY_ID
+  const key = resolveKek(resolvedKeyId)
+  if (!key) {
+    throw new Error(`Decryption KEK '${resolvedKeyId}' not loaded`)
+  }
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'base64'))
+  decipher.setAuthTag(Buffer.from(authTag, 'base64'))
+
+  return Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]).toString('utf8')
+}

package/src/auth/multi-tenancy/credentials/server/kek-loader.ts

@@ -0,0 +1,37 @@
+import { getSupabaseClient } from '../../../../supabase/server/client'
+import { setKek, CURRENT_KEY_ID } from './encryption'
+
+let loaded = false
+
+/**
+ * Loads the platform credential KEK from Supabase Vault and registers it under
+ * `CURRENT_KEY_ID` ('platform-v1').
+ *
+ * Idempotent: subsequent calls are no-ops.
+ *
+ * Fails fast on missing / malformed Vault KEK so misconfigured deploys do not
+ * silently start without a usable encryption key.
+ */
+export async function loadCredentialKEKs(): Promise<void> {
+  if (loaded) return
+
+  const supabase = await getSupabaseClient()
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- RPC isn't in generated types yet (run `supabase gen types` post-merge)
+  const { data, error } = await (supabase.rpc as any)('get_platform_credential_kek')
+  if (error) {
+    throw new Error(
+      `Failed to load platform credential KEK from Vault: ${error.message}. ` +
+        `Did you run provision-credential-kek.sql against this environment?`
+    )
+  }
+  if (typeof data !== 'string' || data.length === 0) {
+    throw new Error('Vault returned null/empty platform credential KEK')
+  }
+  const vaultKek = Buffer.from(data, 'hex')
+  if (vaultKek.length !== 32) {
+    throw new Error(`Vault KEK is ${vaultKek.length} bytes, expected 32`)
+  }
+  setKek(CURRENT_KEY_ID, vaultKek)
+
+  loaded = true
+}

package/src/auth/multi-tenancy/index.ts

@@ -4,6 +4,9 @@ export * from './types'
 // Permission catalog (canonical PERMISSIONS constant + types)
 export * from './permissions'
 
+// Role management schemas
+export * from './role-management/index'
+
 // Organization types
 export * from './organizations/index'