@friggframework/core 2.0.0--canary.427.04558b7.0 → 2.0.0--canary.427.bd07d1c.0

package/handlers/routers/health.js

@@ -333,6 +333,178 @@ const testEncryption = async () => {
     }
 };
 
+const checkKMSAccess = async () => {
+    const { KMS_KEY_ARN } = process.env;
+
+    if (!KMS_KEY_ARN || KMS_KEY_ARN.trim() === '') {
+        return {
+            status: 'disabled',
+            testResult: 'No KMS key configured',
+            canAccessKey: false,
+        };
+    }
+
+    try {
+        // eslint-disable-next-line no-console
+        console.log('Testing KMS key access with key:', KMS_KEY_ARN.substring(0, 50) + '...');
+
+        const AWS = require('aws-sdk');
+        const kms = new AWS.KMS();
+
+        // First, check if the master key exists and is accessible
+        let keyExists = false;
+        let keyMetadata = null;
+
+        try {
+            // eslint-disable-next-line no-console
+            console.log('Checking if KMS master key exists...');
+            const describeResult = await withTimeout(
+                kms.describeKey({ KeyId: KMS_KEY_ARN }).promise(),
+                5000,
+                'KMS describeKey operation timed out after 5 seconds'
+            );
+
+            keyMetadata = describeResult.KeyMetadata;
+            keyExists = true;
+            // eslint-disable-next-line no-console
+            console.log('KMS master key found:', {
+                KeyId: keyMetadata.KeyId,
+                KeyState: keyMetadata.KeyState,
+                Enabled: keyMetadata.Enabled,
+                KeyUsage: keyMetadata.KeyUsage,
+            });
+        } catch (describeError) {
+            // eslint-disable-next-line no-console
+            console.error('KMS master key does not exist or is not accessible:', describeError.message);
+
+            if (describeError.code === 'NotFoundException') {
+                return {
+                    status: 'unhealthy',
+                    testResult: 'KMS master key not found',
+                    canAccessKey: false,
+                    error: 'Master key does not exist',
+                    keyExists: false,
+                };
+            } else if (describeError.code === 'AccessDeniedException') {
+                return {
+                    status: 'unhealthy',
+                    testResult: 'No permission to access KMS master key',
+                    canAccessKey: false,
+                    error: 'Access denied to master key',
+                    keyExists: 'unknown',
+                };
+            }
+            // Continue to try generateDataKey even if describeKey fails
+            // as permissions might be limited
+        }
+
+        // Check if key is in a usable state
+        if (keyExists && keyMetadata) {
+            // Only 'Enabled' state allows cryptographic operations
+            if (keyMetadata.KeyState !== 'Enabled') {
+                // eslint-disable-next-line no-console
+                console.error(`KMS master key exists but is in state: ${keyMetadata.KeyState}`);
+
+                let testResult = '';
+                switch (keyMetadata.KeyState) {
+                    case 'Disabled':
+                        testResult = 'KMS master key is disabled';
+                        break;
+                    case 'PendingDeletion':
+                        testResult = 'KMS master key is pending deletion';
+                        break;
+                    case 'PendingImport':
+                        testResult = 'KMS master key is pending import';
+                        break;
+                    case 'Unavailable':
+                        testResult = 'KMS master key is unavailable (custom key store disconnected)';
+                        break;
+                    case 'Creating':
+                        testResult = 'KMS master key is still being created';
+                        break;
+                    case 'Updating':
+                        testResult = 'KMS master key is being updated';
+                        break;
+                    default:
+                        testResult = `KMS master key is in unusable state: ${keyMetadata.KeyState}`;
+                }
+
+                return {
+                    status: 'unhealthy',
+                    testResult,
+                    canAccessKey: false,
+                    keyExists: true,
+                    keyState: keyMetadata.KeyState,
+                };
+            }
+        }
+
+        // Try to generate a data key to test full KMS access
+        // eslint-disable-next-line no-console
+        console.log('Attempting to generate data key...');
+        const startTime = Date.now();
+        const result = await withTimeout(
+            kms.generateDataKey({
+                KeyId: KMS_KEY_ARN,
+                KeySpec: 'AES_256'
+            }).promise(),
+            10000,
+            'KMS generateDataKey operation timed out after 10 seconds'
+        );
+
+        const responseTime = Date.now() - startTime;
+
+        // If we got a result with plaintext key, KMS access works
+        if (result && result.Plaintext) {
+            // eslint-disable-next-line no-console
+            console.log(`KMS key access successful, response time: ${responseTime}ms`);
+            return {
+                status: 'healthy',
+                testResult: 'Successfully requested and received decrypt key from KMS',
+                canAccessKey: true,
+                responseTime,
+                keyExists: true,
+                keyState: keyMetadata?.KeyState || 'Enabled',
+            };
+        }
+
+        return {
+            status: 'unhealthy',
+            testResult: 'KMS responded but no key data received',
+            canAccessKey: false,
+            responseTime,
+            keyExists: keyExists,
+        };
+    } catch (error) {
+        // eslint-disable-next-line no-console
+        console.error('KMS generateDataKey failed:', error.message);
+
+        // Provide more specific error messages based on error codes
+        let testResult = `KMS access failed: ${error.message}`;
+        if (error.code === 'NotFoundException') {
+            testResult = 'KMS master key not found during data key generation';
+            // eslint-disable-next-line no-console
+            console.error('Master key does not exist in KMS');
+        } else if (error.code === 'AccessDeniedException') {
+            testResult = 'Access denied - check IAM permissions for kms:GenerateDataKey';
+            // eslint-disable-next-line no-console
+            console.error('IAM permissions insufficient for KMS operations');
+        } else if (error.code === 'InvalidKeyId.NotFound') {
+            testResult = 'Invalid KMS key ID format or key not found';
+            // eslint-disable-next-line no-console
+            console.error('KMS key ID is invalid or does not exist');
+        }
+
+        return {
+            status: 'unhealthy',
+            testResult,
+            canAccessKey: false,
+            error: error.message,
+            errorCode: error.code,
+        };
+    }
+};
+
 const checkEncryptionHealth = async () => {
     const config = getEncryptionConfiguration();
 
@@ -466,129 +638,81 @@ router.get('/health/detailed', async (_req, res) => {
     const startTime = Date.now();
     const response = buildHealthCheckResponse(startTime);
 
-    // Run all async health checks concurrently
-    const [
-        databaseResult,
-        encryptionResult,
-        externalApisResult,
-        integrationsResult,
-    ] = await Promise.allSettled([
-        checkDatabaseHealth().catch((error) => ({
-            status: 'unhealthy',
-            error: error.message,
-        })),
-        checkEncryptionHealth().catch((error) => ({
-            status: 'unhealthy',
-            error: error.message,
-        })),
-        checkExternalAPIs(),
-        Promise.resolve().then(() => {
-            try {
-                return checkIntegrations();
-            } catch (error) {
-                return {
-                    status: 'unhealthy',
-                    error: error.message,
-                };
-            }
-        }),
-    ]);
-
-    // Process database check results
-    if (databaseResult.status === 'fulfilled') {
-        response.checks.database = databaseResult.value;
+    try {
+        response.checks.database = await checkDatabaseHealth();
         const dbState = getDatabaseState();
-        if (
-            !dbState.isConnected ||
-            response.checks.database.status === 'unhealthy'
-        ) {
+        if (!dbState.isConnected) {
             response.status = 'unhealthy';
         }
         // eslint-disable-next-line no-console
         console.log('Database check completed:', response.checks.database);
-    } else {
+    } catch (error) {
         response.checks.database = {
             status: 'unhealthy',
-            error: databaseResult.reason?.message || 'Database check failed',
+            error: error.message,
         };
         response.status = 'unhealthy';
         // eslint-disable-next-line no-console
-        console.log('Database check error:', databaseResult.reason?.message);
+        console.log('Database check error:', error.message);
     }
 
-    // Process encryption check results
-    if (encryptionResult.status === 'fulfilled') {
-        response.checks.encryption = encryptionResult.value;
+    try {
+        response.checks.encryption = await checkEncryptionHealth();
         if (response.checks.encryption.status === 'unhealthy') {
             response.status = 'unhealthy';
         }
         // eslint-disable-next-line no-console
         console.log('Encryption check completed:', response.checks.encryption);
-    } else {
+    } catch (error) {
         response.checks.encryption = {
             status: 'unhealthy',
-            error:
-                encryptionResult.reason?.message || 'Encryption check failed',
+            error: error.message,
         };
         response.status = 'unhealthy';
         // eslint-disable-next-line no-console
-        console.log(
-            'Encryption check error:',
-            encryptionResult.reason?.message
-        );
+        console.log('Encryption check error:', error.message);
     }
 
-    // Process external APIs check results
-    if (externalApisResult.status === 'fulfilled') {
-        const { apiStatuses, allReachable } = externalApisResult.value;
-        response.checks.externalApis = apiStatuses;
-        if (!allReachable) {
+    try {
+        response.checks.kmsAccess = await checkKMSAccess();
+        if (response.checks.kmsAccess.status === 'unhealthy') {
             response.status = 'unhealthy';
         }
         // eslint-disable-next-line no-console
-        console.log(
-            'External APIs check completed:',
-            response.checks.externalApis
-        );
-    } else {
-        response.checks.externalApis = {
+        console.log('KMS access check completed:', response.checks.kmsAccess);
+    } catch (error) {
+        response.checks.kmsAccess = {
             status: 'unhealthy',
-            error:
-                externalApisResult.reason?.message ||
-                'External APIs check failed',
+            error: error.message,
         };
         response.status = 'unhealthy';
         // eslint-disable-next-line no-console
-        console.log(
-            'External APIs check error:',
-            externalApisResult.reason?.message
-        );
+        console.log('KMS access check error:', error.message);
     }
 
-    // Process integrations check results
-    if (integrationsResult.status === 'fulfilled') {
-        response.checks.integrations = integrationsResult.value;
-        if (response.checks.integrations.status === 'unhealthy') {
-            response.status = 'unhealthy';
-        }
+    const { apiStatuses, allReachable } = await checkExternalAPIs();
+    response.checks.externalApis = apiStatuses;
+    if (!allReachable) {
+        response.status = 'unhealthy';
+    }
+    // eslint-disable-next-line no-console
+    console.log('External APIs check completed:', response.checks.externalApis);
+
+    try {
+        response.checks.integrations = checkIntegrations();
         // eslint-disable-next-line no-console
         console.log(
             'Integrations check completed:',
             response.checks.integrations
         );
-    } else {
+    } catch (error) {
         response.checks.integrations = {
             status: 'unhealthy',
-            error:
-                integrationsResult.reason?.message ||
-                'Integrations check failed',
+            error: error.message,
         };
         response.status = 'unhealthy';
         // eslint-disable-next-line no-console
-        console.log(
-            'Integrations check error:',
-            integrationsResult.reason?.message
-        );
+        console.log('Integrations check error:', error.message);
     }
 
     response.responseTime = response.calculateResponseTime();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/core",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.427.04558b7.0",
+  "version": "2.0.0--canary.427.bd07d1c.0",
   "dependencies": {
     "@hapi/boom": "^10.0.1",
     "aws-sdk": "^2.1200.0",
@@ -22,9 +22,9 @@
     "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.427.04558b7.0",
-    "@friggframework/prettier-config": "2.0.0--canary.427.04558b7.0",
-    "@friggframework/test": "2.0.0--canary.427.04558b7.0",
+    "@friggframework/eslint-config": "2.0.0--canary.427.bd07d1c.0",
+    "@friggframework/prettier-config": "2.0.0--canary.427.bd07d1c.0",
+    "@friggframework/test": "2.0.0--canary.427.bd07d1c.0",
     "@types/lodash": "4.17.15",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "chai": "^4.3.6",
@@ -56,5 +56,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "04558b7a08b166c687327d9635bf872ca33f8b94"
+  "gitHead": "bd07d1c1eee5c2cc2881ba62beeeef06d17c4abf"
 }