@friggframework/core 2.0.0--canary.427.9708b13.0 → 2.0.0--canary.427.972de91.0

package/handlers/routers/health.js

@@ -333,6 +333,193 @@ const testEncryption = async () => {
     }
 };
 
+const checkKMSAccess = async () => {
+    const { KMS_KEY_ARN } = process.env;
+
+    if (!KMS_KEY_ARN || KMS_KEY_ARN.trim() === '') {
+        return {
+            status: 'disabled',
+            testResult: 'No KMS key configured',
+            canAccessKey: false,
+        };
+    }
+
+    try {
+        // eslint-disable-next-line no-console
+        console.log(
+            'Testing KMS key access with key:',
+            KMS_KEY_ARN.substring(0, 50) + '...'
+        );
+
+        const AWS = require('aws-sdk');
+        const kms = new AWS.KMS();
+
+        // First, check if the master key exists and is accessible
+        let keyExists = false;
+        let keyMetadata = null;
+
+        try {
+            // eslint-disable-next-line no-console
+            console.log('Checking if KMS master key exists...');
+            const describeResult = await withTimeout(
+                kms.describeKey({ KeyId: KMS_KEY_ARN }).promise(),
+                5000,
+                'KMS describeKey operation timed out after 5 seconds'
+            );
+
+            keyMetadata = describeResult.KeyMetadata;
+            keyExists = true;
+            // eslint-disable-next-line no-console
+            console.log('KMS master key found:', {
+                KeyId: keyMetadata.KeyId,
+                KeyState: keyMetadata.KeyState,
+                Enabled: keyMetadata.Enabled,
+                KeyUsage: keyMetadata.KeyUsage,
+            });
+        } catch (describeError) {
+            // eslint-disable-next-line no-console
+            console.error(
+                'KMS master key does not exist or is not accessible:',
+                describeError.message
+            );
+
+            if (describeError.code === 'NotFoundException') {
+                return {
+                    status: 'unhealthy',
+                    testResult: 'KMS master key not found',
+                    canAccessKey: false,
+                    error: 'Master key does not exist',
+                    keyExists: false,
+                };
+            } else if (describeError.code === 'AccessDeniedException') {
+                return {
+                    status: 'unhealthy',
+                    testResult: 'No permission to access KMS master key',
+                    canAccessKey: false,
+                    error: 'Access denied to master key',
+                    keyExists: 'unknown',
+                };
+            }
+            // Continue to try generateDataKey even if describeKey fails
+            // as permissions might be limited
+        }
+
+        // Check if key is in a usable state
+        if (keyExists && keyMetadata) {
+            // Only 'Enabled' state allows cryptographic operations
+            if (keyMetadata.KeyState !== 'Enabled') {
+                // eslint-disable-next-line no-console
+                console.error(
+                    `KMS master key exists but is in state: ${keyMetadata.KeyState}`
+                );
+
+                let testResult = '';
+                switch (keyMetadata.KeyState) {
+                    case 'Disabled':
+                        testResult = 'KMS master key is disabled';
+                        break;
+                    case 'PendingDeletion':
+                        testResult = 'KMS master key is pending deletion';
+                        break;
+                    case 'PendingImport':
+                        testResult = 'KMS master key is pending import';
+                        break;
+                    case 'Unavailable':
+                        testResult =
+                            'KMS master key is unavailable (custom key store disconnected)';
+                        break;
+                    case 'Creating':
+                        testResult = 'KMS master key is still being created';
+                        break;
+                    case 'Updating':
+                        testResult = 'KMS master key is being updated';
+                        break;
+                    default:
+                        testResult = `KMS master key is in unusable state: ${keyMetadata.KeyState}`;
+                }
+
+                return {
+                    status: 'unhealthy',
+                    testResult,
+                    canAccessKey: false,
+                    keyExists: true,
+                    keyState: keyMetadata.KeyState,
+                };
+            }
+        }
+
+        // Try to generate a data key to test full KMS access
+        // eslint-disable-next-line no-console
+        console.log('Attempting to generate data key...');
+        const startTime = Date.now();
+        const result = await withTimeout(
+            kms
+                .generateDataKey({
+                    KeyId: KMS_KEY_ARN,
+                    KeySpec: 'AES_256',
+                })
+                .promise(),
+            10000,
+            'KMS generateDataKey operation timed out after 10 seconds'
+        );
+
+        const responseTime = Date.now() - startTime;
+
+        // If we got a result with plaintext key, KMS access works
+        if (result && result.Plaintext) {
+            // eslint-disable-next-line no-console
+            console.log(
+                `KMS key access successful, response time: ${responseTime}ms`
+            );
+            return {
+                status: 'healthy',
+                testResult:
+                    'Successfully requested and received decrypt key from KMS',
+                canAccessKey: true,
+                responseTime,
+                keyExists: true,
+                keyState: keyMetadata?.KeyState || 'Enabled',
+            };
+        }
+
+        return {
+            status: 'unhealthy',
+            testResult: 'KMS responded but no key data received',
+            canAccessKey: false,
+            responseTime,
+            keyExists: keyExists,
+        };
+    } catch (error) {
+        // eslint-disable-next-line no-console
+        console.error('KMS generateDataKey failed:', error.message);
+
+        // Provide more specific error messages based on error codes
+        let testResult = `KMS access failed: ${error.message}`;
+        if (error.code === 'NotFoundException') {
+            testResult = 'KMS master key not found during data key generation';
+            // eslint-disable-next-line no-console
+            console.error('Master key does not exist in KMS');
+        } else if (error.code === 'AccessDeniedException') {
+            testResult =
+                'Access denied - check IAM permissions for kms:GenerateDataKey';
+            // eslint-disable-next-line no-console
+            console.error('IAM permissions insufficient for KMS operations');
+        } else if (error.code === 'InvalidKeyId.NotFound') {
+            testResult = 'Invalid KMS key ID format or key not found';
+            // eslint-disable-next-line no-console
+            console.error('KMS key ID is invalid or does not exist');
+        }
+
+        return {
+            status: 'unhealthy',
+            testResult,
+            canAccessKey: false,
+            error: error.message,
+            errorCode: error.code,
+        };
+    }
+};
+
 const checkEncryptionHealth = async () => {
     const config = getEncryptionConfiguration();
 
@@ -466,64 +653,113 @@ router.get('/health/detailed', async (_req, res) => {
     const startTime = Date.now();
     const response = buildHealthCheckResponse(startTime);
 
-    try {
-        response.checks.database = await checkDatabaseHealth();
+    // Run all health checks in parallel for faster response
+    // eslint-disable-next-line no-console
+    console.log('Running all health checks in parallel...');
+
+    const [
+        kmsResult,
+        databaseResult,
+        encryptionResult,
+        externalApisResult,
+        integrationsResult,
+    ] = await Promise.allSettled([
+        checkKMSAccess(),
+        checkDatabaseHealth(),
+        checkEncryptionHealth(),
+        checkExternalAPIs(),
+        Promise.resolve(checkIntegrations()), // Wrap sync function in Promise
+    ]);
+
+    // Process KMS check result
+    if (kmsResult.status === 'fulfilled') {
+        response.checks.kmsAccess = kmsResult.value;
+        if (kmsResult.value.status === 'unhealthy') {
+            response.status = 'unhealthy';
+        }
+        // eslint-disable-next-line no-console
+        console.log('KMS access check completed:', response.checks.kmsAccess);
+    } else {
+        response.checks.kmsAccess = {
+            status: 'unhealthy',
+            error: kmsResult.reason?.message || 'KMS check failed',
+        };
+        response.status = 'unhealthy';
+        // eslint-disable-next-line no-console
+        console.log('KMS access check error:', kmsResult.reason?.message);
+    }
+
+    // Process database check result
+    if (databaseResult.status === 'fulfilled') {
+        response.checks.database = databaseResult.value;
         const dbState = getDatabaseState();
         if (!dbState.isConnected) {
             response.status = 'unhealthy';
         }
         // eslint-disable-next-line no-console
         console.log('Database check completed:', response.checks.database);
-    } catch (error) {
+    } else {
         response.checks.database = {
             status: 'unhealthy',
-            error: error.message,
+            error: databaseResult.reason?.message || 'Database check failed',
         };
         response.status = 'unhealthy';
         // eslint-disable-next-line no-console
-        console.log('Database check error:', error.message);
+        console.log('Database check error:', databaseResult.reason?.message);
     }
 
-    try {
-        response.checks.encryption = await checkEncryptionHealth();
-        if (response.checks.encryption.status === 'unhealthy') {
+    // Process encryption check result
+    if (encryptionResult.status === 'fulfilled') {
+        response.checks.encryption = encryptionResult.value;
+        if (encryptionResult.value.status === 'unhealthy') {
             response.status = 'unhealthy';
         }
         // eslint-disable-next-line no-console
         console.log('Encryption check completed:', response.checks.encryption);
-    } catch (error) {
+    } else {
         response.checks.encryption = {
             status: 'unhealthy',
-            error: error.message,
+            error: encryptionResult.reason?.message || 'Encryption check failed',
         };
         response.status = 'unhealthy';
         // eslint-disable-next-line no-console
-        console.log('Encryption check error:', error.message);
+        console.log('Encryption check error:', encryptionResult.reason?.message);
     }
 
-    const { apiStatuses, allReachable } = await checkExternalAPIs();
-    response.checks.externalApis = apiStatuses;
-    if (!allReachable) {
+    // Process external APIs check result
+    if (externalApisResult.status === 'fulfilled') {
+        const { apiStatuses, allReachable } = externalApisResult.value;
+        response.checks.externalApis = apiStatuses;
+        if (!allReachable) {
+            response.status = 'unhealthy';
+        }
+        // eslint-disable-next-line no-console
+        console.log('External APIs check completed:', response.checks.externalApis);
+    } else {
+        response.checks.externalApis = {
+            error: externalApisResult.reason?.message || 'External APIs check failed',
+        };
         response.status = 'unhealthy';
+        // eslint-disable-next-line no-console
+        console.log('External APIs check error:', externalApisResult.reason?.message);
     }
-    // eslint-disable-next-line no-console
-    console.log('External APIs check completed:', response.checks.externalApis);
 
-    try {
-        response.checks.integrations = checkIntegrations();
+    // Process integrations check result
+    if (integrationsResult.status === 'fulfilled') {
+        response.checks.integrations = integrationsResult.value;
         // eslint-disable-next-line no-console
         console.log(
             'Integrations check completed:',
             response.checks.integrations
         );
-    } catch (error) {
+    } else {
         response.checks.integrations = {
             status: 'unhealthy',
-            error: error.message,
+            error: integrationsResult.reason?.message || 'Integrations check failed',
         };
         response.status = 'unhealthy';
         // eslint-disable-next-line no-console
-        console.log('Integrations check error:', error.message);
+        console.log('Integrations check error:', integrationsResult.reason?.message);
     }
 
     response.responseTime = response.calculateResponseTime();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/core",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.427.9708b13.0",
+  "version": "2.0.0--canary.427.972de91.0",
   "dependencies": {
     "@hapi/boom": "^10.0.1",
     "aws-sdk": "^2.1200.0",
@@ -22,9 +22,9 @@
     "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.427.9708b13.0",
-    "@friggframework/prettier-config": "2.0.0--canary.427.9708b13.0",
-    "@friggframework/test": "2.0.0--canary.427.9708b13.0",
+    "@friggframework/eslint-config": "2.0.0--canary.427.972de91.0",
+    "@friggframework/prettier-config": "2.0.0--canary.427.972de91.0",
+    "@friggframework/test": "2.0.0--canary.427.972de91.0",
     "@types/lodash": "4.17.15",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "chai": "^4.3.6",
@@ -56,5 +56,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "9708b13e311605ac2620ee524dd2f19859fda32e"
+  "gitHead": "972de918c8273da9f1ffb85e1eedfc088f880f54"
 }