@enspirit/emb 0.15.0 → 0.17.5

package/dist/src/secrets/providers/VaultTokenCache.js

@@ -0,0 +1,188 @@
+import { createCipheriv, createDecipheriv, createHash, pbkdf2Sync, randomBytes, } from 'node:crypto';
+import { chmod, mkdir, readFile, rm, writeFile } from 'node:fs/promises';
+import { homedir, hostname, userInfo } from 'node:os';
+import { join } from 'node:path';
+const DEFAULT_EXPIRY_BUFFER = 5 * 60 * 1000; // 5 minutes
+const DEFAULT_CACHE_DIR = join(homedir(), '.emb', 'vault-tokens');
+// Encryption constants
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;
+const _AUTH_TAG_LENGTH = 16;
+const SALT_LENGTH = 32;
+const KEY_LENGTH = 32;
+const PBKDF2_ITERATIONS = 100_000;
+/**
+ * Derive an encryption key from machine-specific data.
+ * The key is derived from hostname + username + a static pepper,
+ * making the cache file unusable if copied to another machine or user.
+ */
+function deriveKey(salt) {
+    const machineId = `${hostname()}:${userInfo().username}:emb-vault-cache`;
+    return pbkdf2Sync(machineId, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha256');
+}
+/**
+ * Encrypt data using AES-256-GCM.
+ */
+function encrypt(data) {
+    const salt = randomBytes(SALT_LENGTH);
+    const key = deriveKey(salt);
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(data, 'utf8'),
+        cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    return {
+        version: 1,
+        salt: salt.toString('hex'),
+        iv: iv.toString('hex'),
+        authTag: authTag.toString('hex'),
+        encrypted: encrypted.toString('hex'),
+    };
+}
+/**
+ * Decrypt data using AES-256-GCM.
+ * Returns null if decryption fails (wrong machine, corrupted data, etc.)
+ */
+function decrypt(file) {
+    try {
+        if (file.version !== 1) {
+            return null;
+        }
+        const salt = Buffer.from(file.salt, 'hex');
+        const key = deriveKey(salt);
+        const iv = Buffer.from(file.iv, 'hex');
+        const authTag = Buffer.from(file.authTag, 'hex');
+        const encrypted = Buffer.from(file.encrypted, 'hex');
+        const decipher = createDecipheriv(ALGORITHM, key, iv);
+        decipher.setAuthTag(authTag);
+        const decrypted = Buffer.concat([
+            decipher.update(encrypted),
+            decipher.final(),
+        ]);
+        return decrypted.toString('utf8');
+    }
+    catch {
+        // Decryption failed - wrong key (different machine/user) or corrupted data
+        return null;
+    }
+}
+/**
+ * Generate a cache key for a Vault address and namespace combination.
+ * Uses a hash to create safe filenames.
+ */
+function getCacheKey(vaultAddress, namespace) {
+    const input = namespace ? `${vaultAddress}::${namespace}` : vaultAddress;
+    return createHash('sha256').update(input).digest('hex').slice(0, 16);
+}
+/**
+ * Get the path to the cache file for a given Vault address.
+ */
+function getCachePath(vaultAddress, namespace, cacheDir = DEFAULT_CACHE_DIR) {
+    const key = getCacheKey(vaultAddress, namespace);
+    return join(cacheDir, `${key}.json`);
+}
+/**
+ * Retrieve a cached token if it exists and is still valid.
+ *
+ * @param vaultAddress - The Vault server address
+ * @param namespace - Optional Vault namespace
+ * @param options - Cache options
+ * @returns The cached token or null if not found/expired
+ */
+export async function getCachedToken(vaultAddress, namespace, options = {}) {
+    const { expiryBuffer = DEFAULT_EXPIRY_BUFFER, cacheDir } = options;
+    const cachePath = getCachePath(vaultAddress, namespace, cacheDir);
+    try {
+        const content = await readFile(cachePath, 'utf8');
+        const encryptedFile = JSON.parse(content);
+        // Decrypt the cached data
+        const decrypted = decrypt(encryptedFile);
+        if (!decrypted) {
+            // Decryption failed - likely different machine/user or corrupted
+            await clearCachedToken(vaultAddress, namespace, options);
+            return null;
+        }
+        const cached = JSON.parse(decrypted);
+        // Verify the cached token matches the requested address/namespace
+        if (cached.vaultAddress !== vaultAddress ||
+            cached.namespace !== namespace) {
+            return null;
+        }
+        // Check if token is expired or close to expiry
+        const now = Date.now();
+        if (cached.expiresAt - expiryBuffer <= now) {
+            // Token is expired or about to expire, clear it
+            await clearCachedToken(vaultAddress, namespace, options);
+            return null;
+        }
+        return cached;
+    }
+    catch {
+        // File doesn't exist or is invalid
+        return null;
+    }
+}
+/**
+ * Cache a Vault token to disk (encrypted).
+ *
+ * @param vaultAddress - The Vault server address
+ * @param token - The Vault client token
+ * @param ttlSeconds - Token TTL in seconds (from Vault's lease_duration)
+ * @param namespace - Optional Vault namespace
+ * @param options - Cache options
+ */
+// eslint-disable-next-line max-params
+export async function cacheToken(vaultAddress, token, ttlSeconds, namespace, options = {}) {
+    const { cacheDir = DEFAULT_CACHE_DIR } = options;
+    const cachePath = getCachePath(vaultAddress, namespace, cacheDir);
+    const now = Date.now();
+    const cached = {
+        token,
+        expiresAt: now + ttlSeconds * 1000,
+        createdAt: now,
+        namespace,
+        vaultAddress,
+    };
+    // Encrypt the token data
+    const encryptedFile = encrypt(JSON.stringify(cached));
+    // Ensure cache directory exists
+    await mkdir(cacheDir, { recursive: true, mode: 0o700 });
+    // Write the encrypted cache file with restricted permissions
+    await writeFile(cachePath, JSON.stringify(encryptedFile, null, 2), {
+        mode: 0o600,
+        encoding: 'utf8',
+    });
+    // Ensure permissions are correct (writeFile mode may not work on all platforms)
+    await chmod(cachePath, 0o600);
+}
+/**
+ * Clear a cached token.
+ *
+ * @param vaultAddress - The Vault server address
+ * @param namespace - Optional Vault namespace
+ * @param options - Cache options
+ */
+export async function clearCachedToken(vaultAddress, namespace, options = {}) {
+    const { cacheDir } = options;
+    const cachePath = getCachePath(vaultAddress, namespace, cacheDir);
+    try {
+        await rm(cachePath);
+    }
+    catch {
+        // Ignore errors if file doesn't exist
+    }
+}
+/**
+ * Check if a cached token exists and is valid (without returning the token).
+ *
+ * @param vaultAddress - The Vault server address
+ * @param namespace - Optional Vault namespace
+ * @param options - Cache options
+ * @returns True if a valid cached token exists
+ */
+export async function hasCachedToken(vaultAddress, namespace, options = {}) {
+    const cached = await getCachedToken(vaultAddress, namespace, options);
+    return cached !== null;
+}

package/dist/src/secrets/providers/index.d.ts

@@ -0,0 +1,2 @@
+export * from './VaultProvider.js';
+export * from './VaultTokenCache.js';

package/dist/src/secrets/providers/index.js

@@ -0,0 +1,2 @@
+export * from './VaultProvider.js';
+export * from './VaultTokenCache.js';

package/dist/src/types.d.ts

@@ -1,6 +1,7 @@
 import type Docker from 'dockerode';
 import { AppsV1Api, CoreV1Api, KubeConfig } from '@kubernetes/client-node';
 import { Monorepo } from './monorepo/index.js';
+import { SecretManager } from './secrets/index.js';
 import { DockerComposeClient } from './docker/index.js';
 /**
  * The context is meant to be what all plugins can decorate
@@ -18,4 +19,5 @@ export interface EmbContext {
         core: CoreV1Api;
     };
     monorepo: Monorepo;
+    secrets: SecretManager;
 }

package/dist/src/utils/TemplateExpander.d.ts

@@ -1,6 +1,18 @@
+/**
+ * An async source is a function that returns a promise resolving to the value.
+ */
+type AsyncSource = (key: string) => Promise<unknown>;
+/**
+ * A static source is a simple key-value record.
+ */
+type StaticSource = Record<string, unknown>;
+/**
+ * A source can be either static or async.
+ */
+type Source = AsyncSource | StaticSource;
 type ExpandOptions = {
     default?: string;
-    sources?: Record<string, Record<string, unknown>>;
+    sources?: Record<string, Source>;
 };
 export type ExpansionHistory = {
     source: string;

package/dist/src/utils/TemplateExpander.js

@@ -1,31 +1,84 @@
-const TPL_REGEX = /(?<!\\)\${(?:(\w+):)?(\w+)(?::-(.*?))?}/g;
+// Matches ${source:key} or ${key} patterns
+// - Source name: word characters only (e.g., "vault", "env")
+// - Key: word characters, slashes, hashes, dots, with hyphens allowed between segments
+//   (e.g., "secret/path#field", "MY_VAR", "secret/my-app#key")
+// - Optional fallback: :-value
+// The key pattern uses (?:-[\w/#.]+)* to allow hyphens only between valid segments,
+// preventing the key from consuming the :- fallback delimiter.
+const TPL_REGEX = /(?<!\\)\${(?:(\w+):)?([\w/#.]+(?:-[\w/#.]+)*)(?::-(.*?))?}/g;
+/**
+ * Check if a source is async (a function).
+ */
+function isAsyncSource(source) {
+    return typeof source === 'function';
+}
 export class TemplateExpander {
     expansions = [];
     get expansionCount() {
         return this.expansions.length;
     }
     async expand(str, options = {}) {
-        return (str || '')
-            .toString()
-            .replaceAll(TPL_REGEX, (match, source, key, fallback) => {
-            const src = source ?? options.default ?? '';
-            const provider = options.sources?.[src];
-            if (!provider) {
+        const input = (str || '').toString();
+        // Collect all matches with their positions
+        const matches = [...input.matchAll(TPL_REGEX)];
+        if (matches.length === 0) {
+            return input.replaceAll('\\${', '${');
+        }
+        // Resolve all values (async for function sources, sync for objects)
+        const resolutions = await Promise.all(matches.map(async (match) => {
+            const [fullMatch, sourceName, key, fallback] = match;
+            const src = sourceName ?? options.default ?? '';
+            const source = options.sources?.[src];
+            // No source found
+            if (!source) {
                 if (fallback !== undefined) {
-                    return this.track(src, key, fallback);
+                    return {
+                        match: fullMatch,
+                        value: this.track(src, key, fallback),
+                    };
+                }
+                throw new Error(`Invalid expand provider '${sourceName}' ('${fullMatch}')`);
+            }
+            // Resolve value based on source type
+            let val;
+            if (isAsyncSource(source)) {
+                try {
+                    val = await source(key);
                 }
-                throw new Error(`Invalid expand provider '${source}' ('${match}')`);
+                catch (error) {
+                    if (fallback !== undefined) {
+                        return {
+                            match: fullMatch,
+                            value: this.track(src, key, fallback),
+                        };
+                    }
+                    throw error;
+                }
+            }
+            else {
+                val = source[key];
             }
-            const val = provider[key];
+            // Handle missing values
             if (!val && fallback === undefined) {
-                throw new Error(`Could not expand '${match}' and no default value provided`);
+                throw new Error(`Could not expand '${fullMatch}' and no default value provided`);
             }
             if (val !== undefined && val !== null) {
-                return this.track(src, key, val);
+                return {
+                    match: fullMatch,
+                    value: this.track(src, key, val),
+                };
             }
-            return this.track(src, key, fallback ?? '');
-        })
-            .replaceAll('\\${', '${');
+            return {
+                match: fullMatch,
+                value: this.track(src, key, fallback ?? ''),
+            };
+        }));
+        // Build result string by replacing matches with resolved values
+        let result = input;
+        for (const { match, value } of resolutions) {
+            result = result.replace(match, value);
+        }
+        return result.replaceAll('\\${', '${');
     }
     async expandRecord(record, options) {
         if (typeof record === 'string') {