@friggframework/core 2.0.0--canary.405.b87f8d8.0 → 2.0.0--canary.405.b81908d.0

package/encrypt/encrypt.js

@@ -17,7 +17,6 @@ const findOneEvents = [
 const shouldBypassEncryption = (STAGE) => {
     const defaultBypassStages = ['dev', 'test', 'local'];
     const bypassStageEnv = process.env.BYPASS_ENCRYPTION_STAGE;
-    // If the env is set to anything or an empty string, use the env. Otherwise, use the default array
     const useEnv = !String(bypassStageEnv) || !!bypassStageEnv;
     const bypassStages = useEnv
         ? bypassStageEnv.split(',').map((stage) => stage.trim())
@@ -25,19 +24,15 @@ const shouldBypassEncryption = (STAGE) => {
     return bypassStages.includes(STAGE);
 };
 
-// The Mongoose plug-in function
-function Encrypt(schema, options) {
+function Encrypt(schema) {
     const { STAGE, KMS_KEY_ARN, AES_KEY_ID } = process.env;
 
     if (shouldBypassEncryption(STAGE)) {
         return;
     }
 
-    if (KMS_KEY_ARN && AES_KEY_ID) {
-        throw new Error(
-            'Local and AWS encryption keys are both set in the environment.'
-        );
-    }
+    const hasAES = AES_KEY_ID && AES_KEY_ID.trim() !== '';
+    const hasKMS = KMS_KEY_ARN && KMS_KEY_ARN.trim() !== '' && !hasAES;
 
     const fields = Object.values(schema.paths)
         .map(({ path, options }) => (options.lhEncrypt === true ? path : ''))
@@ -48,25 +43,17 @@ function Encrypt(schema, options) {
     }
 
     const cryptor = new Cryptor({
-        // Use AWS if the CMK is present
-        shouldUseAws: !!KMS_KEY_ARN,
-        // Find all the fields in the schema with lhEncrypt === true
+        shouldUseAws: hasKMS,
         fields: fields,
     });
 
-    // ---------------------------------------------
-    // ### Encrypt fields before save/update/insert.
-    // ---------------------------------------------
-
     schema.pre('save', async function encryptionPreSave() {
-        // `this` will be a doc
         await cryptor.encryptFieldsInDocuments([this]);
     });
 
     schema.pre(
         'insertMany',
         async function encryptionPreInsertMany(_, docs, options) {
-            // `this` will be the model
             if (options?.rawResult) {
                 throw new Error(
                     'Raw result not supported for insertMany with Encrypt plugin'
@@ -78,17 +65,14 @@ function Encrypt(schema, options) {
     );
 
     schema.pre(updateOneEvents, async function encryptionPreUpdateOne() {
-        // `this` will be a query
         await cryptor.encryptFieldsInQuery(this);
     });
 
     schema.pre('updateMany', async function encryptionPreUpdateMany() {
-        // `this` will be a query
         cryptor.expectNotToUpdateManyEncrypted(this.getUpdate());
     });
 
     schema.pre('update', async function encryptionPreUpdate() {
-        // `this` will be a query
         const { multiple } = this.getOptions();
 
         if (multiple) {
@@ -99,16 +83,11 @@ function Encrypt(schema, options) {
         await cryptor.encryptFieldsInQuery(this);
     });
 
-    // --------------------------------------------
-    // ### Decrypt documents after they are loaded.
-    // --------------------------------------------
     schema.post('save', async function encryptionPreSave() {
-        // `this` will be a doc
         await cryptor.decryptFieldsInDocuments([this]);
     });
 
     schema.post(findOneEvents, async function encryptionPostFindOne(doc) {
-        // `this` will be a query
         const { rawResult } = this.getOptions();
 
         if (rawResult) {
@@ -119,12 +98,10 @@ function Encrypt(schema, options) {
     });
 
     schema.post('find', async function encryptionPostFind(docs) {
-        // `this` will be a query
         await cryptor.decryptFieldsInDocuments(docs);
     });
 
     schema.post('insertMany', async function encryptionPostInsertMany(docs) {
-        // `this` will be the model
         await cryptor.decryptFieldsInDocuments(docs);
     });
 }

package/handlers/routers/health.js

@@ -71,147 +71,346 @@ const checkExternalAPI = (url, timeout = 5000) => {
     });
 };
 
-router.get('/health', async (_req, res) => {
-    const status = {
-        status: 'ok',
-        timestamp: new Date().toISOString(),
-        service: 'frigg-core-api'
+const getDatabaseState = () => {
+    const stateMap = {
+        0: 'disconnected',
+        1: 'connected',
+        2: 'connecting',
+        3: 'disconnecting'
     };
+    const readyState = mongoose.connection.readyState;
+    
+    return {
+        readyState,
+        stateName: stateMap[readyState],
+        isConnected: readyState === 1
+    };
+};
 
-    res.status(200).json(status);
-});
+const checkDatabaseHealth = async () => {
+    const { stateName, isConnected } = getDatabaseState();
+    const result = {
+        status: isConnected ? 'healthy' : 'unhealthy',
+        state: stateName
+    };
 
-router.get('/health/detailed', async (_req, res) => {
-    const startTime = Date.now();
-    const checks = {
-        service: 'frigg-core-api',
-        status: 'healthy',
-        timestamp: new Date().toISOString(),
-        checks: {}
+    if (isConnected) {
+        const pingStart = Date.now();
+        await mongoose.connection.db.admin().ping({ maxTimeMS: 2000 });
+        result.responseTime = Date.now() - pingStart;
+    }
+
+    return result;
+};
+
+const getEncryptionConfiguration = () => {
+    const { STAGE, BYPASS_ENCRYPTION_STAGE, KMS_KEY_ARN, AES_KEY_ID } = process.env;
+    
+    const defaultBypassStages = ['dev', 'test', 'local'];
+    const useEnv = BYPASS_ENCRYPTION_STAGE !== undefined;
+    const bypassStages = useEnv
+        ? BYPASS_ENCRYPTION_STAGE.split(',').map((s) => s.trim())
+        : defaultBypassStages;
+    
+    const isBypassed = bypassStages.includes(STAGE);
+    const hasAES = AES_KEY_ID && AES_KEY_ID.trim() !== '';
+    const hasKMS = KMS_KEY_ARN && KMS_KEY_ARN.trim() !== '' && !hasAES;
+    const mode = hasAES ? 'aes' : hasKMS ? 'kms' : 'none';
+    
+    return {
+        stage: STAGE || null,
+        isBypassed,
+        hasAES,
+        hasKMS,
+        mode,
     };
+};
 
-    try {
-        const dbState = mongoose.connection.readyState;
-        const dbStateMap = {
-            0: 'disconnected',
-            1: 'connected',
-            2: 'connecting',
-            3: 'disconnecting'
-        };
-        
-        checks.checks.database = {
-            status: dbState === 1 ? 'healthy' : 'unhealthy',
-            state: dbStateMap[dbState]
-        };
+const createTestEncryptionModel = () => {
+    const { Encrypt } = require('./../../encrypt');
+    
+    const testSchema = new mongoose.Schema({
+        testSecret: { type: String, lhEncrypt: true },
+        normalField: { type: String },
+        nestedSecret: {
+            value: { type: String, lhEncrypt: true }
+        }
+    }, { timestamps: false });
+
+    testSchema.plugin(Encrypt);
+    
+    return mongoose.models.TestEncryption || 
+        mongoose.model('TestEncryption', testSchema);
+};
 
-        if (dbState === 1) {
-            const pingStart = Date.now();
-            await mongoose.connection.db.admin().ping({ maxTimeMS: 2000 });
-            checks.checks.database.responseTime = Date.now() - pingStart;
-        } else {
-            checks.status = 'unhealthy';
+const createTestDocument = async (TestModel) => {
+    const testData = {
+        testSecret: 'This is a secret value that should be encrypted',
+        normalField: 'This is a normal field that should not be encrypted',
+        nestedSecret: {
+            value: 'This is a nested secret that should be encrypted'
         }
-    } catch (error) {
-        checks.checks.database = {
+    };
+
+    const testDoc = new TestModel(testData);
+    await testDoc.save();
+    
+    return { testDoc, testData };
+};
+
+const verifyDecryption = (retrievedDoc, originalData) => {
+    return retrievedDoc && 
+        retrievedDoc.testSecret === originalData.testSecret &&
+        retrievedDoc.normalField === originalData.normalField &&
+        retrievedDoc.nestedSecret?.value === originalData.nestedSecret.value;
+};
+
+const verifyEncryptionInDatabase = async (testDoc, originalData, TestModel) => {
+    const collectionName = TestModel.collection.name;
+    const rawDoc = await mongoose.connection.db
+        .collection(collectionName)
+        .findOne({ _id: testDoc._id });
+
+    const secretIsEncrypted = rawDoc && 
+        typeof rawDoc.testSecret === 'string' && 
+        rawDoc.testSecret.includes(':') && 
+        rawDoc.testSecret !== originalData.testSecret;
+    
+    const nestedIsEncrypted = rawDoc?.nestedSecret?.value && 
+        typeof rawDoc.nestedSecret.value === 'string' &&
+        rawDoc.nestedSecret.value.includes(':') && 
+        rawDoc.nestedSecret.value !== originalData.nestedSecret.value;
+    
+    const normalNotEncrypted = rawDoc && 
+        rawDoc.normalField === originalData.normalField;
+
+    return {
+        secretIsEncrypted,
+        nestedIsEncrypted,
+        normalNotEncrypted
+    };
+};
+
+const evaluateEncryptionTestResults = (decryptionWorks, encryptionResults) => {
+    const { secretIsEncrypted, nestedIsEncrypted, normalNotEncrypted } = encryptionResults;
+    
+    if (decryptionWorks && secretIsEncrypted && nestedIsEncrypted && normalNotEncrypted) {
+        return {
+            status: 'enabled',
+            testResult: 'Encryption and decryption verified successfully'
+        };
+    }
+    
+    if (decryptionWorks && (!secretIsEncrypted || !nestedIsEncrypted)) {
+        return {
             status: 'unhealthy',
-            error: error.message
+            testResult: 'Fields are not being encrypted in database'
+        };
+    }
+    
+    if (decryptionWorks && !normalNotEncrypted) {
+        return {
+            status: 'unhealthy',
+            testResult: 'Normal fields are being incorrectly encrypted'
         };
-        checks.status = 'unhealthy';
     }
+    
+    return {
+        status: 'unhealthy',
+        testResult: 'Decryption failed or data mismatch'
+    };
+};
 
+const testEncryption = async () => {
+    const TestModel = createTestEncryptionModel();
+    const { testDoc, testData } = await createTestDocument(TestModel);
+    
     try {
-        const { STAGE, BYPASS_ENCRYPTION_STAGE, KMS_KEY_ARN, AES_KEY_ID } =
-            process.env;
-        const defaultBypassStages = ['dev', 'test', 'local'];
-        const useEnv = BYPASS_ENCRYPTION_STAGE !== undefined;
-        const bypassStages = useEnv
-            ? BYPASS_ENCRYPTION_STAGE.split(',').map((s) => s.trim())
-            : defaultBypassStages;
-        const bypassed = bypassStages.includes(STAGE);
-        const mode = KMS_KEY_ARN ? 'kms' : AES_KEY_ID ? 'aes' : 'none';
-
-        let status = 'disabled';
-        // Having both KMS_KEY_ARN and AES_KEY_ID present is considered unhealthy,
-        // as only one encryption method should be configured at a time to avoid ambiguity
-        // and potential security misconfiguration.
-        if (KMS_KEY_ARN && AES_KEY_ID) {
-            status = 'unhealthy';
-        } else if (!bypassed && mode !== 'none') {
-            status = 'enabled';
-        } else {
-            status = 'disabled';
-        }
+        const retrievedDoc = await TestModel.findById(testDoc._id);
+        const decryptionWorks = verifyDecryption(retrievedDoc, testData);
+        const encryptionResults = await verifyEncryptionInDatabase(testDoc, testData, TestModel);
+        
+        const evaluation = evaluateEncryptionTestResults(decryptionWorks, encryptionResults);
+        
+        return {
+            ...evaluation,
+            encryptionWorks: decryptionWorks
+        };
+    } finally {
+        await TestModel.deleteOne({ _id: testDoc._id });
+    }
+};
 
-        checks.checks.encryption = {
-            status,
-            mode,
-            bypassed,
-            stage: STAGE || null,
+const checkEncryptionHealth = async () => {
+    const config = getEncryptionConfiguration();
+    
+    if (config.isBypassed || config.mode === 'none') {
+        const testResult = config.isBypassed 
+            ? 'Encryption bypassed for this stage' 
+            : 'No encryption keys configured';
+        
+        return {
+            status: 'disabled',
+            mode: config.mode,
+            bypassed: config.isBypassed,
+            stage: config.stage,
+            testResult,
+            encryptionWorks: false,
+            debug: {
+                hasKMS: config.hasKMS,
+                hasAES: config.hasAES
+            }
+        };
+    }
+
+    try {
+        const testResults = await testEncryption();
+        
+        return {
+            ...testResults,
+            mode: config.mode,
+            bypassed: config.isBypassed,
+            stage: config.stage,
+            debug: {
+                hasKMS: config.hasKMS,
+                hasAES: config.hasAES
+            }
         };
-        if (status === 'unhealthy') checks.status = 'unhealthy';
     } catch (error) {
-        checks.checks.encryption = {
+        return {
             status: 'unhealthy',
-            error: error.message,
+            mode: config.mode,
+            bypassed: config.isBypassed,
+            stage: config.stage,
+            testResult: `Encryption test failed: ${error.message}`,
+            encryptionWorks: false,
+            debug: {
+                hasKMS: config.hasKMS,
+                hasAES: config.hasAES
+            }
         };
-        checks.status = 'unhealthy';
     }
+};
 
-    const externalAPIs = [
+const checkExternalAPIs = async () => {
+    const apis = [
         { name: 'github', url: 'https://api.github.com/status' },
         { name: 'npm', url: 'https://registry.npmjs.org' }
     ];
 
-    checks.checks.externalApis = {};
-    
-    const apiChecks = await Promise.all(
-        externalAPIs.map(api => 
+    const results = await Promise.all(
+        apis.map(api => 
             checkExternalAPI(api.url).then(result => ({ name: api.name, ...result }))
         )
     );
     
-    apiChecks.forEach(result => {
-        const { name, ...checkResult } = result;
-        checks.checks.externalApis[name] = checkResult;
+    const apiStatuses = {};
+    let allReachable = true;
+    
+    results.forEach(({ name, ...checkResult }) => {
+        apiStatuses[name] = checkResult;
         if (!checkResult.reachable) {
-            checks.status = 'unhealthy';
+            allReachable = false;
         }
     });
+    
+    return { apiStatuses, allReachable };
+};
 
-    try {
-        const moduleTypes = Array.isArray(moduleFactory.moduleTypes)
-            ? moduleFactory.moduleTypes
-            : [];
-        const integrationTypes = Array.isArray(
-            integrationFactory.integrationTypes
-        )
-            ? integrationFactory.integrationTypes
-            : [];
+const checkIntegrations = () => {
+    const moduleTypes = Array.isArray(moduleFactory.moduleTypes)
+        ? moduleFactory.moduleTypes
+        : [];
+    
+    const integrationTypes = Array.isArray(integrationFactory.integrationTypes)
+        ? integrationFactory.integrationTypes
+        : [];
+
+    return {
+        status: 'healthy',
+        modules: {
+            count: moduleTypes.length,
+            available: moduleTypes,
+        },
+        integrations: {
+            count: integrationTypes.length,
+            available: integrationTypes,
+        },
+    };
+};
+
+const buildHealthCheckResponse = (startTime) => {
+    return {
+        service: 'frigg-core-api',
+        status: 'healthy',
+        timestamp: new Date().toISOString(),
+        checks: {},
+        calculateResponseTime: () => Date.now() - startTime
+    };
+};
+
+router.get('/health', async (_req, res) => {
+    const status = {
+        status: 'ok',
+        timestamp: new Date().toISOString(),
+        service: 'frigg-core-api'
+    };
 
-        checks.checks.integrations = {
-            status: 'healthy',
-            modules: {
-                count: moduleTypes.length,
-                available: moduleTypes,
-            },
-            integrations: {
-                count: integrationTypes.length,
-                available: integrationTypes,
-            },
+    res.status(200).json(status);
+});
+
+router.get('/health/detailed', async (_req, res) => {
+    const startTime = Date.now();
+    const response = buildHealthCheckResponse(startTime);
+
+    try {
+        response.checks.database = await checkDatabaseHealth();
+        const dbState = getDatabaseState();
+        if (!dbState.isConnected) {
+            response.status = 'unhealthy';
+        }
+    } catch (error) {
+        response.checks.database = {
+            status: 'unhealthy',
+            error: error.message
         };
+        response.status = 'unhealthy';
+    }
+
+    try {
+        response.checks.encryption = await checkEncryptionHealth();
+        if (response.checks.encryption.status === 'unhealthy') {
+            response.status = 'unhealthy';
+        }
     } catch (error) {
-        checks.checks.integrations = {
+        response.checks.encryption = {
             status: 'unhealthy',
             error: error.message
         };
-        checks.status = 'unhealthy';
+        response.status = 'unhealthy';
+    }
+
+    const { apiStatuses, allReachable } = await checkExternalAPIs();
+    response.checks.externalApis = apiStatuses;
+    if (!allReachable) {
+        response.status = 'unhealthy';
     }
 
-    checks.responseTime = Date.now() - startTime;
+    try {
+        response.checks.integrations = checkIntegrations();
+    } catch (error) {
+        response.checks.integrations = {
+            status: 'unhealthy',
+            error: error.message
+        };
+        response.status = 'unhealthy';
+    }
 
-    const statusCode = checks.status === 'healthy' ? 200 : 503;
+    response.responseTime = response.calculateResponseTime();
+    delete response.calculateResponseTime;
 
-    res.status(statusCode).json(checks);
+    const statusCode = response.status === 'healthy' ? 200 : 503;
+    res.status(statusCode).json(response);
 });
 
 router.get('/health/live', (_req, res) => {
@@ -222,28 +421,29 @@ router.get('/health/live', (_req, res) => {
 });
 
 router.get('/health/ready', async (_req, res) => {
-    const checks = {
-        ready: true,
-        timestamp: new Date().toISOString(),
-        checks: {}
-    };
-
-    const dbState = mongoose.connection.readyState;
-    checks.checks.database = dbState === 1;
+    const dbState = getDatabaseState();
+    const isDbReady = dbState.isConnected;
     
+    let areModulesReady = false;
     try {
         const moduleTypes = Array.isArray(moduleFactory.moduleTypes)
             ? moduleFactory.moduleTypes
             : [];
-        checks.checks.modules = moduleTypes.length > 0;
+        areModulesReady = moduleTypes.length > 0;
     } catch (error) {
-        checks.checks.modules = false;
+        areModulesReady = false;
     }
 
-    checks.ready = checks.checks.database && checks.checks.modules;
+    const isReady = isDbReady && areModulesReady;
 
-    const statusCode = checks.ready ? 200 : 503;
-    res.status(statusCode).json(checks);
+    res.status(isReady ? 200 : 503).json({
+        ready: isReady,
+        timestamp: new Date().toISOString(),
+        checks: {
+            database: isDbReady,
+            modules: areModulesReady
+        }
+    });
 });
 
 const handler = createAppHandler('HTTP Event: Health', router);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/core",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.405.b87f8d8.0",
+  "version": "2.0.0--canary.405.b81908d.0",
   "dependencies": {
     "@hapi/boom": "^10.0.1",
     "aws-sdk": "^2.1200.0",
@@ -22,9 +22,9 @@
     "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.405.b87f8d8.0",
-    "@friggframework/prettier-config": "2.0.0--canary.405.b87f8d8.0",
-    "@friggframework/test": "2.0.0--canary.405.b87f8d8.0",
+    "@friggframework/eslint-config": "2.0.0--canary.405.b81908d.0",
+    "@friggframework/prettier-config": "2.0.0--canary.405.b81908d.0",
+    "@friggframework/test": "2.0.0--canary.405.b81908d.0",
     "@types/lodash": "4.17.15",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "chai": "^4.3.6",
@@ -53,5 +53,5 @@
   },
   "homepage": "https://github.com/friggframework/frigg#readme",
   "description": "",
-  "gitHead": "b87f8d874639f6fbb52c8a7efc7841c879a1286f"
+  "gitHead": "b81908d5f795baf937e4b382dff63dedd40ddceb"
 }