@friggframework/devtools 2.0.0--canary.400.bed3308.0 → 2.0.0--canary.404.e9d4980.0

package/management-ui/server/utils/environment/awsParameterStore.js

@@ -1,264 +0,0 @@
-import AWS from 'aws-sdk';
-
-class AWSParameterStore {
-  constructor(config = {}) {
-    this.ssm = new AWS.SSM({
-      region: config.region || process.env.AWS_REGION || 'us-east-1',
-      ...config.awsConfig
-    });
-    this.prefix = config.prefix || '/frigg';
-    this.kmsKeyId = config.kmsKeyId || process.env.AWS_KMS_KEY_ID;
-  }
-
-  /**
-   * Get all parameters for a specific environment
-   */
-  async getParameters(environment) {
-    const path = `${this.prefix}/${environment}`;
-    const parameters = [];
-    let nextToken;
-
-    try {
-      do {
-        const params = {
-          Path: path,
-          Recursive: true,
-          WithDecryption: true,
-          MaxResults: 10,
-          NextToken: nextToken
-        };
-
-        const response = await this.ssm.getParametersByPath(params).promise();
-        
-        for (const param of response.Parameters) {
-          const key = this.extractKeyFromPath(param.Name, environment);
-          parameters.push({
-            id: `aws-${environment}-${key}`,
-            key,
-            value: param.Value,
-            description: this.getTagValue(param, 'Description'),
-            isSecret: param.Type === 'SecureString',
-            environment,
-            lastModified: param.LastModifiedDate,
-            version: param.Version,
-            awsName: param.Name
-          });
-        }
-
-        nextToken = response.NextToken;
-      } while (nextToken);
-
-      return parameters;
-    } catch (error) {
-      console.error('Error fetching parameters from AWS:', error);
-      throw new Error(`Failed to fetch parameters: ${error.message}`);
-    }
-  }
-
-  /**
-   * Set a parameter in AWS Parameter Store
-   */
-  async setParameter(environment, variable) {
-    const parameterName = `${this.prefix}/${environment}/${variable.key}`;
-    
-    try {
-      const params = {
-        Name: parameterName,
-        Value: variable.value,
-        Type: variable.isSecret ? 'SecureString' : 'String',
-        Overwrite: true,
-        Description: variable.description || `${variable.key} for ${environment} environment`,
-        Tags: [
-          {
-            Key: 'Environment',
-            Value: environment
-          },
-          {
-            Key: 'ManagedBy',
-            Value: 'frigg'
-          },
-          {
-            Key: 'Description',
-            Value: variable.description || ''
-          }
-        ]
-      };
-
-      // Add KMS key for secure strings
-      if (variable.isSecret && this.kmsKeyId) {
-        params.KeyId = this.kmsKeyId;
-      }
-
-      const response = await this.ssm.putParameter(params).promise();
-      
-      return {
-        success: true,
-        version: response.Version,
-        awsName: parameterName
-      };
-    } catch (error) {
-      console.error('Error setting parameter in AWS:', error);
-      throw new Error(`Failed to set parameter: ${error.message}`);
-    }
-  }
-
-  /**
-   * Delete a parameter from AWS Parameter Store
-   */
-  async deleteParameter(environment, key) {
-    const parameterName = `${this.prefix}/${environment}/${key}`;
-    
-    try {
-      await this.ssm.deleteParameter({ Name: parameterName }).promise();
-      return { success: true };
-    } catch (error) {
-      if (error.code === 'ParameterNotFound') {
-        return { success: true, notFound: true };
-      }
-      console.error('Error deleting parameter from AWS:', error);
-      throw new Error(`Failed to delete parameter: ${error.message}`);
-    }
-  }
-
-  /**
-   * Sync all variables for an environment to AWS
-   */
-  async syncEnvironment(environment, variables) {
-    const results = {
-      created: [],
-      updated: [],
-      deleted: [],
-      errors: []
-    };
-
-    try {
-      // Get existing parameters
-      const existingParams = await this.getParameters(environment);
-      const existingKeys = new Set(existingParams.map(p => p.key));
-      const newKeys = new Set(variables.map(v => v.key));
-
-      // Update or create parameters
-      for (const variable of variables) {
-        try {
-          const existing = existingParams.find(p => p.key === variable.key);
-          const result = await this.setParameter(environment, variable);
-          
-          if (existing) {
-            results.updated.push({ key: variable.key, ...result });
-          } else {
-            results.created.push({ key: variable.key, ...result });
-          }
-        } catch (error) {
-          results.errors.push({
-            key: variable.key,
-            error: error.message
-          });
-        }
-      }
-
-      // Delete parameters that no longer exist
-      for (const param of existingParams) {
-        if (!newKeys.has(param.key)) {
-          try {
-            await this.deleteParameter(environment, param.key);
-            results.deleted.push({ key: param.key });
-          } catch (error) {
-            results.errors.push({
-              key: param.key,
-              error: error.message
-            });
-          }
-        }
-      }
-
-      return results;
-    } catch (error) {
-      console.error('Error syncing environment:', error);
-      throw new Error(`Failed to sync environment: ${error.message}`);
-    }
-  }
-
-  /**
-   * Extract key from parameter path
-   */
-  extractKeyFromPath(path, environment) {
-    const prefix = `${this.prefix}/${environment}/`;
-    return path.startsWith(prefix) ? path.substring(prefix.length) : path;
-  }
-
-  /**
-   * Get tag value from parameter
-   */
-  getTagValue(parameter, tagKey) {
-    // Note: Tags are not returned by getParametersByPath, would need separate call
-    // This is a placeholder for when we implement tag fetching
-    return '';
-  }
-
-  /**
-   * Validate AWS credentials and permissions
-   */
-  async validateAccess() {
-    try {
-      // Try to list parameters to check access
-      await this.ssm.describeParameters({ MaxResults: 1 }).promise();
-      return { valid: true };
-    } catch (error) {
-      return {
-        valid: false,
-        error: error.message,
-        code: error.code
-      };
-    }
-  }
-
-  /**
-   * Export parameters to .env format
-   */
-  async exportToEnv(environment) {
-    const parameters = await this.getParameters(environment);
-    let content = `# AWS Parameter Store export for ${environment}\n`;
-    content += `# Generated on ${new Date().toISOString()}\n\n`;
-
-    const sorted = parameters.sort((a, b) => a.key.localeCompare(b.key));
-    
-    for (const param of sorted) {
-      if (param.description) {
-        content += `# ${param.description}\n`;
-      }
-      
-      // Mask secret values in export
-      const value = param.isSecret ? '**REDACTED**' : param.value;
-      content += `${param.key}=${value}\n\n`;
-    }
-
-    return content;
-  }
-
-  /**
-   * Get parameter history
-   */
-  async getParameterHistory(environment, key, maxResults = 10) {
-    const parameterName = `${this.prefix}/${environment}/${key}`;
-    
-    try {
-      const response = await this.ssm.getParameterHistory({
-        Name: parameterName,
-        WithDecryption: false,
-        MaxResults: maxResults
-      }).promise();
-
-      return response.Parameters.map(p => ({
-        version: p.Version,
-        value: p.Type === 'SecureString' ? '**ENCRYPTED**' : p.Value,
-        modifiedDate: p.LastModifiedDate,
-        modifiedBy: p.LastModifiedUser
-      }));
-    } catch (error) {
-      console.error('Error fetching parameter history:', error);
-      throw new Error(`Failed to fetch parameter history: ${error.message}`);
-    }
-  }
-}
-
-export default AWSParameterStore;

package/management-ui/server/utils/environment/encryption.js

@@ -1,278 +0,0 @@
-import crypto from 'crypto'
-
-class EnvironmentEncryption {
-  constructor(options = {}) {
-    this.algorithm = options.algorithm || 'aes-256-gcm'
-    this.keyLength = options.keyLength || 32
-    this.ivLength = options.ivLength || 16
-    this.tagLength = options.tagLength || 16
-    this.saltLength = options.saltLength || 64
-    this.iterations = options.iterations || 100000
-    
-    // Master key should be stored securely (e.g., environment variable, key management service)
-    this.masterKey = this.getMasterKey()
-  }
-
-  /**
-   * Get or generate master encryption key
-   * In production, this should be stored securely (AWS KMS, HashiCorp Vault, etc.)
-   */
-  getMasterKey() {
-    const envKey = process.env.ENCRYPTION_MASTER_KEY
-    if (envKey) {
-      return Buffer.from(envKey, 'base64')
-    }
-    
-    // For development only - generate a key
-    console.warn('No ENCRYPTION_MASTER_KEY found. Generating temporary key for development.')
-    return crypto.randomBytes(this.keyLength)
-  }
-
-  /**
-   * Derive encryption key from master key and salt
-   */
-  deriveKey(salt) {
-    return crypto.pbkdf2Sync(this.masterKey, salt, this.iterations, this.keyLength, 'sha256')
-  }
-
-  /**
-   * Encrypt a value
-   */
-  encrypt(plaintext) {
-    try {
-      // Generate random salt and IV
-      const salt = crypto.randomBytes(this.saltLength)
-      const iv = crypto.randomBytes(this.ivLength)
-      
-      // Derive key from master key and salt
-      const key = this.deriveKey(salt)
-      
-      // Create cipher
-      const cipher = crypto.createCipheriv(this.algorithm, key, iv)
-      
-      // Encrypt the plaintext
-      const encrypted = Buffer.concat([
-        cipher.update(plaintext, 'utf8'),
-        cipher.final()
-      ])
-      
-      // Get the authentication tag
-      const tag = cipher.getAuthTag()
-      
-      // Combine salt, iv, tag, and encrypted data
-      const combined = Buffer.concat([salt, iv, tag, encrypted])
-      
-      // Return base64 encoded string
-      return {
-        encrypted: combined.toString('base64'),
-        algorithm: this.algorithm,
-        isEncrypted: true
-      }
-    } catch (error) {
-      console.error('Encryption error:', error)
-      throw new Error('Failed to encrypt value')
-    }
-  }
-
-  /**
-   * Decrypt a value
-   */
-  decrypt(encryptedData) {
-    try {
-      // Decode from base64
-      const combined = Buffer.from(encryptedData.encrypted, 'base64')
-      
-      // Extract components
-      const salt = combined.slice(0, this.saltLength)
-      const iv = combined.slice(this.saltLength, this.saltLength + this.ivLength)
-      const tag = combined.slice(
-        this.saltLength + this.ivLength,
-        this.saltLength + this.ivLength + this.tagLength
-      )
-      const encrypted = combined.slice(this.saltLength + this.ivLength + this.tagLength)
-      
-      // Derive key from master key and salt
-      const key = this.deriveKey(salt)
-      
-      // Create decipher
-      const decipher = crypto.createDecipheriv(this.algorithm, key, iv)
-      decipher.setAuthTag(tag)
-      
-      // Decrypt the data
-      const decrypted = Buffer.concat([
-        decipher.update(encrypted),
-        decipher.final()
-      ])
-      
-      return decrypted.toString('utf8')
-    } catch (error) {
-      console.error('Decryption error:', error)
-      throw new Error('Failed to decrypt value')
-    }
-  }
-
-  /**
-   * Check if a value is encrypted
-   */
-  isEncrypted(value) {
-    if (typeof value === 'object' && value.isEncrypted === true) {
-      return true
-    }
-    
-    // Check if string looks like encrypted data (base64 with minimum length)
-    if (typeof value === 'string') {
-      try {
-        const decoded = Buffer.from(value, 'base64')
-        return decoded.length >= this.saltLength + this.ivLength + this.tagLength + 16
-      } catch {
-        return false
-      }
-    }
-    
-    return false
-  }
-
-  /**
-   * Encrypt sensitive environment variables
-   */
-  encryptVariables(variables, patterns = []) {
-    const defaultPatterns = [
-      /password/i,
-      /secret/i,
-      /key/i,
-      /token/i,
-      /credential/i,
-      /private/i,
-      /auth/i
-    ]
-    
-    const allPatterns = [...defaultPatterns, ...patterns]
-    
-    return variables.map(variable => {
-      // Check if variable should be encrypted
-      const shouldEncrypt = allPatterns.some(pattern => 
-        pattern.test(variable.key)
-      )
-      
-      if (shouldEncrypt && variable.value && !this.isEncrypted(variable.value)) {
-        const encrypted = this.encrypt(variable.value)
-        return {
-          ...variable,
-          value: encrypted.encrypted,
-          encrypted: true,
-          algorithm: encrypted.algorithm
-        }
-      }
-      
-      return variable
-    })
-  }
-
-  /**
-   * Decrypt variables for use
-   */
-  decryptVariables(variables) {
-    return variables.map(variable => {
-      if (variable.encrypted && variable.value) {
-        try {
-          const decrypted = this.decrypt({
-            encrypted: variable.value,
-            algorithm: variable.algorithm || this.algorithm
-          })
-          return {
-            ...variable,
-            value: decrypted,
-            encrypted: false
-          }
-        } catch (error) {
-          console.error(`Failed to decrypt variable ${variable.key}:`, error)
-          return variable
-        }
-      }
-      
-      return variable
-    })
-  }
-
-  /**
-   * Rotate encryption keys
-   */
-  async rotateKeys(variables) {
-    // Decrypt all variables with old key
-    const decrypted = this.decryptVariables(variables)
-    
-    // Generate new master key
-    this.masterKey = crypto.randomBytes(this.keyLength)
-    
-    // Re-encrypt with new key
-    return this.encryptVariables(decrypted)
-  }
-
-  /**
-   * Generate encryption key for export
-   */
-  exportKey() {
-    return {
-      key: this.masterKey.toString('base64'),
-      algorithm: this.algorithm,
-      generated: new Date().toISOString()
-    }
-  }
-
-  /**
-   * Import encryption key
-   */
-  importKey(keyData) {
-    if (!keyData.key) {
-      throw new Error('Invalid key data')
-    }
-    
-    this.masterKey = Buffer.from(keyData.key, 'base64')
-    this.algorithm = keyData.algorithm || this.algorithm
-  }
-}
-
-// Singleton instance
-let encryptionInstance = null
-
-/**
- * Get encryption instance
- */
-export function getEncryption(options) {
-  if (!encryptionInstance) {
-    encryptionInstance = new EnvironmentEncryption(options)
-  }
-  return encryptionInstance
-}
-
-/**
- * Middleware to decrypt variables on read
- */
-export function decryptMiddleware(req, res, next) {
-  const originalJson = res.json
-  
-  res.json = function(data) {
-    if (data && data.variables && Array.isArray(data.variables)) {
-      const encryption = getEncryption()
-      data.variables = encryption.decryptVariables(data.variables)
-    }
-    
-    return originalJson.call(this, data)
-  }
-  
-  next()
-}
-
-/**
- * Middleware to encrypt variables on write
- */
-export function encryptMiddleware(req, res, next) {
-  if (req.body && req.body.variables && Array.isArray(req.body.variables)) {
-    const encryption = getEncryption()
-    req.body.variables = encryption.encryptVariables(req.body.variables)
-  }
-  
-  next()
-}
-
-export default EnvironmentEncryption