@friggframework/core 2.0.0--canary.404.e9d4980.0 → 2.0.0--canary.405.1f6792c.0

package/encrypt/encrypt.js

@@ -17,7 +17,6 @@ const findOneEvents = [
 const shouldBypassEncryption = (STAGE) => {
     const defaultBypassStages = ['dev', 'test', 'local'];
     const bypassStageEnv = process.env.BYPASS_ENCRYPTION_STAGE;
-    // If the env is set to anything or an empty string, use the env. Otherwise, use the default array
     const useEnv = !String(bypassStageEnv) || !!bypassStageEnv;
     const bypassStages = useEnv
         ? bypassStageEnv.split(',').map((stage) => stage.trim())
@@ -25,19 +24,15 @@ const shouldBypassEncryption = (STAGE) => {
     return bypassStages.includes(STAGE);
 };
 
-// The Mongoose plug-in function
-function Encrypt(schema, options) {
+function Encrypt(schema) {
     const { STAGE, KMS_KEY_ARN, AES_KEY_ID } = process.env;
 
     if (shouldBypassEncryption(STAGE)) {
         return;
     }
 
-    if (KMS_KEY_ARN && AES_KEY_ID) {
-        throw new Error(
-            'Local and AWS encryption keys are both set in the environment.'
-        );
-    }
+    const hasAES = AES_KEY_ID && AES_KEY_ID.trim() !== '';
+    const hasKMS = KMS_KEY_ARN && KMS_KEY_ARN.trim() !== '' && !hasAES;
 
     const fields = Object.values(schema.paths)
         .map(({ path, options }) => (options.lhEncrypt === true ? path : ''))
@@ -48,25 +43,17 @@ function Encrypt(schema, options) {
     }
 
     const cryptor = new Cryptor({
-        // Use AWS if the CMK is present
-        shouldUseAws: !!KMS_KEY_ARN,
-        // Find all the fields in the schema with lhEncrypt === true
+        shouldUseAws: hasKMS,
         fields: fields,
     });
 
-    // ---------------------------------------------
-    // ### Encrypt fields before save/update/insert.
-    // ---------------------------------------------
-
     schema.pre('save', async function encryptionPreSave() {
-        // `this` will be a doc
         await cryptor.encryptFieldsInDocuments([this]);
     });
 
     schema.pre(
         'insertMany',
         async function encryptionPreInsertMany(_, docs, options) {
-            // `this` will be the model
             if (options?.rawResult) {
                 throw new Error(
                     'Raw result not supported for insertMany with Encrypt plugin'
@@ -78,17 +65,14 @@ function Encrypt(schema, options) {
     );
 
     schema.pre(updateOneEvents, async function encryptionPreUpdateOne() {
-        // `this` will be a query
         await cryptor.encryptFieldsInQuery(this);
     });
 
     schema.pre('updateMany', async function encryptionPreUpdateMany() {
-        // `this` will be a query
         cryptor.expectNotToUpdateManyEncrypted(this.getUpdate());
     });
 
     schema.pre('update', async function encryptionPreUpdate() {
-        // `this` will be a query
         const { multiple } = this.getOptions();
 
         if (multiple) {
@@ -99,16 +83,11 @@ function Encrypt(schema, options) {
         await cryptor.encryptFieldsInQuery(this);
     });
 
-    // --------------------------------------------
-    // ### Decrypt documents after they are loaded.
-    // --------------------------------------------
     schema.post('save', async function encryptionPreSave() {
-        // `this` will be a doc
         await cryptor.decryptFieldsInDocuments([this]);
     });
 
     schema.post(findOneEvents, async function encryptionPostFindOne(doc) {
-        // `this` will be a query
         const { rawResult } = this.getOptions();
 
         if (rawResult) {
@@ -119,12 +98,10 @@ function Encrypt(schema, options) {
     });
 
     schema.post('find', async function encryptionPostFind(docs) {
-        // `this` will be a query
         await cryptor.decryptFieldsInDocuments(docs);
     });
 
     schema.post('insertMany', async function encryptionPostInsertMany(docs) {
-        // `this` will be the model
         await cryptor.decryptFieldsInDocuments(docs);
     });
 }

package/handlers/routers/health.js

@@ -71,103 +71,354 @@ const checkExternalAPI = (url, timeout = 5000) => {
     });
 };
 
-router.get('/health', async (_req, res) => {
-    const status = {
-        status: 'ok',
-        timestamp: new Date().toISOString(),
-        service: 'frigg-core-api'
+const getDatabaseState = () => {
+    const stateMap = {
+        0: 'disconnected',
+        1: 'connected',
+        2: 'connecting',
+        3: 'disconnecting'
     };
+    const readyState = mongoose.connection.readyState;
+    
+    return {
+        readyState,
+        stateName: stateMap[readyState],
+        isConnected: readyState === 1
+    };
+};
 
-    res.status(200).json(status);
-});
+const checkDatabaseHealth = async () => {
+    const { stateName, isConnected } = getDatabaseState();
+    const result = {
+        status: isConnected ? 'healthy' : 'unhealthy',
+        state: stateName
+    };
 
-router.get('/health/detailed', async (_req, res) => {
-    const startTime = Date.now();
-    const checks = {
-        service: 'frigg-core-api',
-        status: 'healthy',
-        timestamp: new Date().toISOString(),
-        checks: {}
+    if (isConnected) {
+        const pingStart = Date.now();
+        await mongoose.connection.db.admin().ping({ maxTimeMS: 2000 });
+        result.responseTime = Date.now() - pingStart;
+    }
+
+    return result;
+};
+
+const getEncryptionConfiguration = () => {
+    const { STAGE, BYPASS_ENCRYPTION_STAGE, KMS_KEY_ARN, AES_KEY_ID } = process.env;
+    
+    const defaultBypassStages = ['dev', 'test', 'local'];
+    const useEnv = BYPASS_ENCRYPTION_STAGE !== undefined;
+    const bypassStages = useEnv
+        ? BYPASS_ENCRYPTION_STAGE.split(',').map((s) => s.trim())
+        : defaultBypassStages;
+    
+    const isBypassed = bypassStages.includes(STAGE);
+    const hasAES = AES_KEY_ID && AES_KEY_ID.trim() !== '';
+    const hasKMS = KMS_KEY_ARN && KMS_KEY_ARN.trim() !== '' && !hasAES;
+    const mode = hasAES ? 'aes' : hasKMS ? 'kms' : 'none';
+    
+    return {
+        stage: STAGE || null,
+        isBypassed,
+        hasAES,
+        hasKMS,
+        mode,
+        kmsKeyArn: KMS_KEY_ARN || '(not set)',
+        aesKeyId: AES_KEY_ID || '(not set)'
+    };
+};
+
+const createTestEncryptionModel = () => {
+    const { Encrypt } = require('./../../encrypt');
+    
+    const testSchema = new mongoose.Schema({
+        testSecret: { type: String, lhEncrypt: true },
+        normalField: { type: String },
+        nestedSecret: {
+            value: { type: String, lhEncrypt: true }
+        }
+    }, { timestamps: false });
+
+    testSchema.plugin(Encrypt);
+    
+    return mongoose.models.TestEncryption || 
+        mongoose.model('TestEncryption', testSchema);
+};
+
+const createTestDocument = async (TestModel) => {
+    const testData = {
+        testSecret: 'This is a secret value that should be encrypted',
+        normalField: 'This is a normal field that should not be encrypted',
+        nestedSecret: {
+            value: 'This is a nested secret that should be encrypted'
+        }
     };
 
+    const testDoc = new TestModel(testData);
+    await testDoc.save();
+    
+    return { testDoc, testData };
+};
+
+const verifyDecryption = (retrievedDoc, originalData) => {
+    return retrievedDoc && 
+        retrievedDoc.testSecret === originalData.testSecret &&
+        retrievedDoc.normalField === originalData.normalField &&
+        retrievedDoc.nestedSecret?.value === originalData.nestedSecret.value;
+};
+
+const verifyEncryptionInDatabase = async (testDoc, originalData, TestModel) => {
+    const collectionName = TestModel.collection.name;
+    const rawDoc = await mongoose.connection.db
+        .collection(collectionName)
+        .findOne({ _id: testDoc._id });
+
+    const secretIsEncrypted = rawDoc && 
+        typeof rawDoc.testSecret === 'string' && 
+        rawDoc.testSecret.includes(':') && 
+        rawDoc.testSecret !== originalData.testSecret;
+    
+    const nestedIsEncrypted = rawDoc?.nestedSecret?.value && 
+        typeof rawDoc.nestedSecret.value === 'string' &&
+        rawDoc.nestedSecret.value.includes(':') && 
+        rawDoc.nestedSecret.value !== originalData.nestedSecret.value;
+    
+    const normalNotEncrypted = rawDoc && 
+        rawDoc.normalField === originalData.normalField;
+
+    return {
+        secretIsEncrypted,
+        nestedIsEncrypted,
+        normalNotEncrypted
+    };
+};
+
+const evaluateEncryptionTestResults = (decryptionWorks, encryptionResults) => {
+    const { secretIsEncrypted, nestedIsEncrypted, normalNotEncrypted } = encryptionResults;
+    
+    if (decryptionWorks && secretIsEncrypted && nestedIsEncrypted && normalNotEncrypted) {
+        return {
+            status: 'enabled',
+            testResult: 'Encryption and decryption verified successfully'
+        };
+    }
+    
+    if (decryptionWorks && (!secretIsEncrypted || !nestedIsEncrypted)) {
+        return {
+            status: 'unhealthy',
+            testResult: 'Fields are not being encrypted in database'
+        };
+    }
+    
+    if (decryptionWorks && !normalNotEncrypted) {
+        return {
+            status: 'unhealthy',
+            testResult: 'Normal fields are being incorrectly encrypted'
+        };
+    }
+    
+    return {
+        status: 'unhealthy',
+        testResult: 'Decryption failed or data mismatch'
+    };
+};
+
+const testEncryption = async () => {
+    const TestModel = createTestEncryptionModel();
+    const { testDoc, testData } = await createTestDocument(TestModel);
+    
     try {
-        const dbState = mongoose.connection.readyState;
-        const dbStateMap = {
-            0: 'disconnected',
-            1: 'connected',
-            2: 'connecting',
-            3: 'disconnecting'
+        const retrievedDoc = await TestModel.findById(testDoc._id);
+        const decryptionWorks = verifyDecryption(retrievedDoc, testData);
+        const encryptionResults = await verifyEncryptionInDatabase(testDoc, testData, TestModel);
+        
+        const evaluation = evaluateEncryptionTestResults(decryptionWorks, encryptionResults);
+        
+        return {
+            ...evaluation,
+            encryptionWorks: decryptionWorks
         };
+    } finally {
+        await TestModel.deleteOne({ _id: testDoc._id });
+    }
+};
+
+const checkEncryptionHealth = async () => {
+    const config = getEncryptionConfiguration();
+    
+    if (config.isBypassed || config.mode === 'none') {
+        const testResult = config.isBypassed 
+            ? 'Encryption bypassed for this stage' 
+            : 'No encryption keys configured';
         
-        checks.checks.database = {
-            status: dbState === 1 ? 'healthy' : 'unhealthy',
-            state: dbStateMap[dbState]
+        return {
+            status: 'disabled',
+            mode: config.mode,
+            bypassed: config.isBypassed,
+            stage: config.stage,
+            testResult,
+            encryptionWorks: false,
+            debug: {
+                KMS_KEY_ARN: config.kmsKeyArn,
+                AES_KEY_ID: config.aesKeyId,
+                hasKMS: config.hasKMS,
+                hasAES: config.hasAES
+            }
         };
+    }
 
-        if (dbState === 1) {
-            const pingStart = Date.now();
-            await mongoose.connection.db.admin().ping({ maxTimeMS: 2000 });
-            checks.checks.database.responseTime = Date.now() - pingStart;
-        } else {
-            checks.status = 'unhealthy';
-        }
+    try {
+        const testResults = await testEncryption();
+        
+        return {
+            ...testResults,
+            mode: config.mode,
+            bypassed: config.isBypassed,
+            stage: config.stage,
+            debug: {
+                KMS_KEY_ARN: config.kmsKeyArn,
+                AES_KEY_ID: config.aesKeyId,
+                hasKMS: config.hasKMS,
+                hasAES: config.hasAES
+            }
+        };
     } catch (error) {
-        checks.checks.database = {
+        return {
             status: 'unhealthy',
-            error: error.message
+            mode: config.mode,
+            bypassed: config.isBypassed,
+            stage: config.stage,
+            testResult: `Encryption test failed: ${error.message}`,
+            encryptionWorks: false,
+            debug: {
+                KMS_KEY_ARN: config.kmsKeyArn,
+                AES_KEY_ID: config.aesKeyId,
+                hasKMS: config.hasKMS,
+                hasAES: config.hasAES
+            }
         };
-        checks.status = 'unhealthy';
     }
+};
 
-    const externalAPIs = [
+const checkExternalAPIs = async () => {
+    const apis = [
         { name: 'github', url: 'https://api.github.com/status' },
         { name: 'npm', url: 'https://registry.npmjs.org' }
     ];
 
-    checks.checks.externalApis = {};
-    
-    const apiChecks = await Promise.all(
-        externalAPIs.map(api => 
+    const results = await Promise.all(
+        apis.map(api => 
             checkExternalAPI(api.url).then(result => ({ name: api.name, ...result }))
         )
     );
     
-    apiChecks.forEach(result => {
-        const { name, ...checkResult } = result;
-        checks.checks.externalApis[name] = checkResult;
+    const apiStatuses = {};
+    let allReachable = true;
+    
+    results.forEach(({ name, ...checkResult }) => {
+        apiStatuses[name] = checkResult;
         if (!checkResult.reachable) {
-            checks.status = 'unhealthy';
+            allReachable = false;
         }
     });
+    
+    return { apiStatuses, allReachable };
+};
+
+const checkIntegrations = () => {
+    const moduleTypes = Array.isArray(moduleFactory.moduleTypes)
+        ? moduleFactory.moduleTypes
+        : [];
+    
+    const integrationTypes = Array.isArray(integrationFactory.integrationTypes)
+        ? integrationFactory.integrationTypes
+        : [];
+
+    return {
+        status: 'healthy',
+        modules: {
+            count: moduleTypes.length,
+            available: moduleTypes,
+        },
+        integrations: {
+            count: integrationTypes.length,
+            available: integrationTypes,
+        },
+    };
+};
+
+const buildHealthCheckResponse = (startTime) => {
+    return {
+        service: 'frigg-core-api',
+        status: 'healthy',
+        timestamp: new Date().toISOString(),
+        checks: {},
+        calculateResponseTime: () => Date.now() - startTime
+    };
+};
+
+router.get('/health', async (_req, res) => {
+    const status = {
+        status: 'ok',
+        timestamp: new Date().toISOString(),
+        service: 'frigg-core-api'
+    };
+
+    res.status(200).json(status);
+});
+
+router.get('/health/detailed', async (_req, res) => {
+    const startTime = Date.now();
+    const response = buildHealthCheckResponse(startTime);
 
     try {
-        const availableModules = moduleFactory.getAll();
-        const availableIntegrations = integrationFactory.getAll();
-        
-        checks.checks.integrations = {
-            status: 'healthy',
-            modules: {
-                count: Object.keys(availableModules).length,
-                available: Object.keys(availableModules)
-            },
-            integrations: {
-                count: Object.keys(availableIntegrations).length,
-                available: Object.keys(availableIntegrations)
-            }
+        response.checks.database = await checkDatabaseHealth();
+        const dbState = getDatabaseState();
+        if (!dbState.isConnected) {
+            response.status = 'unhealthy';
+        }
+    } catch (error) {
+        response.checks.database = {
+            status: 'unhealthy',
+            error: error.message
         };
+        response.status = 'unhealthy';
+    }
+
+    try {
+        response.checks.encryption = await checkEncryptionHealth();
+        if (response.checks.encryption.status === 'unhealthy') {
+            response.status = 'unhealthy';
+        }
     } catch (error) {
-        checks.checks.integrations = {
+        response.checks.encryption = {
             status: 'unhealthy',
             error: error.message
         };
-        checks.status = 'unhealthy';
+        response.status = 'unhealthy';
+    }
+
+    const { apiStatuses, allReachable } = await checkExternalAPIs();
+    response.checks.externalApis = apiStatuses;
+    if (!allReachable) {
+        response.status = 'unhealthy';
     }
 
-    checks.responseTime = Date.now() - startTime;
+    try {
+        response.checks.integrations = checkIntegrations();
+    } catch (error) {
+        response.checks.integrations = {
+            status: 'unhealthy',
+            error: error.message
+        };
+        response.status = 'unhealthy';
+    }
 
-    const statusCode = checks.status === 'healthy' ? 200 : 503;
+    response.responseTime = response.calculateResponseTime();
+    delete response.calculateResponseTime;
 
-    res.status(statusCode).json(checks);
+    const statusCode = response.status === 'healthy' ? 200 : 503;
+    res.status(statusCode).json(response);
 });
 
 router.get('/health/live', (_req, res) => {
@@ -178,26 +429,29 @@ router.get('/health/live', (_req, res) => {
 });
 
 router.get('/health/ready', async (_req, res) => {
-    const checks = {
-        ready: true,
-        timestamp: new Date().toISOString(),
-        checks: {}
-    };
-
-    const dbState = mongoose.connection.readyState;
-    checks.checks.database = dbState === 1;
+    const dbState = getDatabaseState();
+    const isDbReady = dbState.isConnected;
     
+    let areModulesReady = false;
     try {
-        const modules = moduleFactory.getAll();
-        checks.checks.modules = Object.keys(modules).length > 0;
+        const moduleTypes = Array.isArray(moduleFactory.moduleTypes)
+            ? moduleFactory.moduleTypes
+            : [];
+        areModulesReady = moduleTypes.length > 0;
     } catch (error) {
-        checks.checks.modules = false;
+        areModulesReady = false;
     }
 
-    checks.ready = checks.checks.database && checks.checks.modules;
+    const isReady = isDbReady && areModulesReady;
 
-    const statusCode = checks.ready ? 200 : 503;
-    res.status(statusCode).json(checks);
+    res.status(isReady ? 200 : 503).json({
+        ready: isReady,
+        timestamp: new Date().toISOString(),
+        checks: {
+            database: isDbReady,
+            modules: areModulesReady
+        }
+    });
 });
 
 const handler = createAppHandler('HTTP Event: Health', router);

package/handlers/routers/health.test.js

@@ -14,16 +14,10 @@ jest.mock('mongoose', () => ({
 
 jest.mock('./../backend-utils', () => ({
     moduleFactory: {
-        getAll: () => ({
-            'test-module': {},
-            'another-module': {}
-        })
+        moduleTypes: ['test-module', 'another-module']
     },
     integrationFactory: {
-        getAll: () => ({
-            'test-integration': {},
-            'another-integration': {}
-        })
+        integrationTypes: ['test-integration', 'another-integration']
     }
 }));
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/core",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.404.e9d4980.0",
+  "version": "2.0.0--canary.405.1f6792c.0",
   "dependencies": {
     "@hapi/boom": "^10.0.1",
     "aws-sdk": "^2.1200.0",
@@ -22,9 +22,9 @@
     "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.404.e9d4980.0",
-    "@friggframework/prettier-config": "2.0.0--canary.404.e9d4980.0",
-    "@friggframework/test": "2.0.0--canary.404.e9d4980.0",
+    "@friggframework/eslint-config": "2.0.0--canary.405.1f6792c.0",
+    "@friggframework/prettier-config": "2.0.0--canary.405.1f6792c.0",
+    "@friggframework/test": "2.0.0--canary.405.1f6792c.0",
     "@types/lodash": "4.17.15",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "chai": "^4.3.6",
@@ -53,5 +53,5 @@
   },
   "homepage": "https://github.com/friggframework/frigg#readme",
   "description": "",
-  "gitHead": "e9d4980828d7deda79e33dfbb2fed93cb6fef84d"
+  "gitHead": "1f6792ccfcbd08502e14072f07ccbebdf99394cb"
 }