@friggframework/devtools 2.0.0--canary.461.ec909cf.0 → 2.0.0--canary.461.9483dbe.0

package/infrastructure/domains/security/kms-builder.test.js

@@ -0,0 +1,354 @@
+/**
+ * Tests for KMS Builder
+ * 
+ * Tests KMS key creation and configuration
+ */
+
+const { KmsBuilder } = require('./kms-builder');
+const { ValidationResult } = require('../shared/base-builder');
+
+describe('KmsBuilder', () => {
+    let kmsBuilder;
+
+    beforeEach(() => {
+        kmsBuilder = new KmsBuilder();
+        delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+    });
+
+    afterEach(() => {
+        delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+    });
+
+    describe('shouldExecute()', () => {
+        it('should return true when encryption method is kms', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(true);
+        });
+
+        it('should return false when encryption method is aes', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'aes',
+                },
+            };
+
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+
+        it('should return false when encryption is not defined', () => {
+            const appDefinition = {};
+
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+
+        it('should return false when fieldLevelEncryptionMethod is not defined', () => {
+            const appDefinition = {
+                encryption: {},
+            };
+
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+
+        it('should return false when FRIGG_SKIP_AWS_DISCOVERY is set (local mode)', () => {
+            process.env.FRIGG_SKIP_AWS_DISCOVERY = 'true';
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+    });
+
+    describe('validate()', () => {
+        it('should pass validation for valid KMS config', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+
+            const result = kmsBuilder.validate(appDefinition);
+
+            expect(result).toBeInstanceOf(ValidationResult);
+            expect(result.valid).toBe(true);
+            expect(result.errors).toEqual([]);
+        });
+
+        it('should pass validation when createResourceIfNoneFound is boolean', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: false,
+                },
+            };
+
+            const result = kmsBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(true);
+        });
+
+        it('should error if encryption configuration is missing', () => {
+            const appDefinition = {};
+
+            const result = kmsBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain('Encryption configuration is missing');
+        });
+
+        it('should pass when encryption method is not kms', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'aes',
+                },
+            };
+
+            const result = kmsBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(true);
+        });
+
+        it('should error when createResourceIfNoneFound is not boolean', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: 'yes',
+                },
+            };
+
+            const result = kmsBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain(
+                'encryption.createResourceIfNoneFound must be a boolean'
+            );
+        });
+    });
+
+    describe('build() - with discovered key', () => {
+        it('should use discovered KMS key', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+
+            const discoveredResources = {
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456:key/abc-123',
+            };
+
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.environment.KMS_KEY_ARN).toBe('arn:aws:kms:us-east-1:123456:key/abc-123');
+            expect(result.pluginConfig.kmsGrants.kmsKeyId).toBe('arn:aws:kms:us-east-1:123456:key/abc-123');
+        });
+
+        it('should add IAM permissions for KMS operations', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+
+            const discoveredResources = {
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456:key/abc',
+            };
+
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.iamStatements).toHaveLength(1);
+            expect(result.iamStatements[0]).toEqual({
+                Effect: 'Allow',
+                Action: ['kms:GenerateDataKey', 'kms:Decrypt'],
+                Resource: 'arn:aws:kms:us-east-1:123456:key/abc',
+            });
+        });
+
+        it('should enable serverless-kms-grants plugin', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+
+            const discoveredResources = {
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456:key/abc',
+            };
+
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.plugins).toContain('serverless-kms-grants');
+        });
+    });
+
+    describe('build() - create new key', () => {
+        it('should create new KMS key when none found and createResourceIfNoneFound is true', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+
+            const discoveredResources = {
+                defaultKmsKeyId: null,
+            };
+
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.resources.FriggKMSKey).toBeDefined();
+            expect(result.resources.FriggKMSKey.Type).toBe('AWS::KMS::Key');
+        });
+
+        it('should create KMS key alias', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+
+            const discoveredResources = {};
+
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.resources.FriggKMSKeyAlias).toBeDefined();
+            expect(result.resources.FriggKMSKeyAlias.Type).toBe('AWS::KMS::Alias');
+        });
+
+        it('should enable key rotation for new keys', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+
+            const result = await kmsBuilder.build(appDefinition, {});
+
+            expect(result.resources.FriggKMSKey.Properties.EnableKeyRotation).toBe(true);
+        });
+
+        it('should use CloudFormation reference for new key', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+
+            const result = await kmsBuilder.build(appDefinition, {});
+
+            expect(result.environment.KMS_KEY_ARN).toEqual({
+                'Fn::GetAtt': ['FriggKMSKey', 'Arn'],
+            });
+        });
+
+        it('should set DeletionPolicy to Retain for key resources', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+
+            const result = await kmsBuilder.build(appDefinition, {});
+
+            expect(result.resources.FriggKMSKey.DeletionPolicy).toBe('Retain');
+            expect(result.resources.FriggKMSKey.UpdateReplacePolicy).toBe('Retain');
+        });
+    });
+
+    describe('getDependencies()', () => {
+        it('should have no dependencies', () => {
+            const deps = kmsBuilder.getDependencies();
+
+            expect(deps).toEqual([]);
+        });
+    });
+
+    describe('getName()', () => {
+        it('should return KmsBuilder', () => {
+            expect(kmsBuilder.getName()).toBe('KmsBuilder');
+        });
+    });
+
+    describe('Key policies', () => {
+        it('should create key policy allowing root account admin', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+
+            const result = await kmsBuilder.build(appDefinition, {});
+
+            const policy = result.resources.FriggKMSKey.Properties.KeyPolicy;
+            const rootStatement = policy.Statement.find(s => s.Sid === 'AllowRootAccountAdmin');
+
+            expect(rootStatement).toBeDefined();
+            expect(rootStatement.Action).toBe('kms:*');
+        });
+
+        it('should create key policy allowing Lambda service', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+
+            const result = await kmsBuilder.build(appDefinition, {});
+
+            const policy = result.resources.FriggKMSKey.Properties.KeyPolicy;
+            const lambdaStatement = policy.Statement.find(s => s.Sid === 'AllowLambdaService');
+
+            expect(lambdaStatement).toBeDefined();
+            expect(lambdaStatement.Action).toContain('kms:GenerateDataKey');
+            expect(lambdaStatement.Action).toContain('kms:Decrypt');
+        });
+    });
+
+    describe('Error handling', () => {
+        it('should fallback to environment variable when no key discovered and createResourceIfNoneFound is false', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: false,
+                },
+            };
+
+            const discoveredResources = {
+                defaultKmsKeyId: null,
+            };
+
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.environment.KMS_KEY_ARN).toBe('${env:AWS_DISCOVERY_KMS_KEY_ID}');
+        });
+
+        it('should fallback to environment variable when createResourceIfNoneFound not specified', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+
+            const discoveredResources = {};
+
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.environment.KMS_KEY_ARN).toBe('${env:AWS_DISCOVERY_KMS_KEY_ID}');
+        });
+    });
+});
+

package/infrastructure/domains/security/kms-discovery.js

@@ -0,0 +1,80 @@
+/**
+ * KMS Discovery Service
+ * 
+ * Domain Service - Hexagonal Architecture
+ * 
+ * Discovers KMS encryption keys using the cloud provider adapter.
+ * Adds domain-specific validation and key selection logic.
+ */
+
+class KmsDiscovery {
+    /**
+     * @param {CloudProviderAdapter} provider - Cloud provider adapter instance
+     */
+    constructor(provider) {
+        this.provider = provider;
+    }
+
+    /**
+     * Discover KMS encryption keys
+     * 
+     * @param {Object} config - Discovery configuration
+     * @param {string} [config.keyId] - Specific key ID to discover
+     * @param {string} [config.keyAlias] - Key alias to search for
+     * @param {string} [config.serviceName] - Service name for filtering
+     * @param {string} [config.stage] - Deployment stage
+     * @returns {Promise<Object>} Discovered KMS key resources
+     */
+    async discover(config) {
+        console.log('🔍 Discovering KMS keys...');
+
+        try {
+            const rawResources = await this.provider.discoverKmsKeys(config);
+
+            const result = {
+                kmsKeyId: null,
+                kmsKeyArn: null,
+                kmsKeyAlias: null,
+                keys: rawResources.keys,
+                aliases: rawResources.aliases,
+            };
+
+            // Use default key if found
+            if (rawResources.defaultKey) {
+                result.kmsKeyId = rawResources.defaultKey.Arn;
+                result.kmsKeyArn = rawResources.defaultKey.Arn;
+                result.defaultKmsKeyId = rawResources.defaultKey.Arn;
+
+                // Find alias for this key
+                const keyAlias = rawResources.aliases.find(
+                    a => a.TargetKeyId === rawResources.defaultKey.KeyId
+                );
+                if (keyAlias) {
+                    result.kmsKeyAlias = keyAlias.AliasName;
+                }
+
+                console.log(`  ✓ Found KMS key: ${result.kmsKeyId}`);
+                if (result.kmsKeyAlias) {
+                    console.log(`  ✓ Key alias: ${result.kmsKeyAlias}`);
+                }
+            } else {
+                console.log('  ℹ No KMS key found');
+            }
+
+            return result;
+        } catch (error) {
+            console.error('  ✗ KMS discovery failed:', error.message);
+            return {
+                kmsKeyId: null,
+                kmsKeyArn: null,
+                defaultKmsKeyId: null,
+                kmsKeyAlias: null,
+            };
+        }
+    }
+}
+
+module.exports = {
+    KmsDiscovery,
+};
+

package/infrastructure/domains/security/kms-discovery.test.js

@@ -0,0 +1,176 @@
+/**
+ * Tests for KMS Discovery Service
+ * 
+ * Tests KMS encryption key discovery with mocked cloud provider
+ */
+
+const { KmsDiscovery } = require('./kms-discovery');
+
+describe('KmsDiscovery', () => {
+    let mockProvider;
+    let kmsDiscovery;
+
+    beforeEach(() => {
+        mockProvider = {
+            discoverKmsKeys: jest.fn(),
+            getName: jest.fn().mockReturnValue('aws'),
+        };
+        kmsDiscovery = new KmsDiscovery(mockProvider);
+    });
+
+    describe('discover()', () => {
+        it('should delegate to provider and transform results', async () => {
+            const mockProviderResponse = {
+                keys: [
+                    {
+                        KeyId: 'key-123',
+                        Arn: 'arn:aws:kms:us-east-1:123456:key/key-123',
+                        Enabled: true,
+                    },
+                ],
+                aliases: [
+                    {
+                        AliasName: 'alias/frigg-key',
+                        TargetKeyId: 'key-123',
+                    },
+                ],
+                defaultKey: {
+                    KeyId: 'key-123',
+                    Arn: 'arn:aws:kms:us-east-1:123456:key/key-123',
+                    Enabled: true,
+                },
+            };
+
+            mockProvider.discoverKmsKeys.mockResolvedValue(mockProviderResponse);
+
+            const result = await kmsDiscovery.discover({});
+
+            expect(mockProvider.discoverKmsKeys).toHaveBeenCalledWith({});
+            expect(result.kmsKeyId).toBe('arn:aws:kms:us-east-1:123456:key/key-123');
+            expect(result.kmsKeyArn).toBe('arn:aws:kms:us-east-1:123456:key/key-123');
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456:key/key-123');
+            expect(result.kmsKeyAlias).toBe('alias/frigg-key');
+        });
+
+        it('should handle no KMS keys found', async () => {
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: [],
+                aliases: [],
+                defaultKey: null,
+            });
+
+            const result = await kmsDiscovery.discover({});
+
+            expect(result.kmsKeyId).toBeNull();
+            expect(result.kmsKeyArn).toBeNull();
+            expect(result.defaultKmsKeyId).toBeNull();
+            expect(result.kmsKeyAlias).toBeNull();
+        });
+
+        it('should handle KMS key without alias', async () => {
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: [
+                    {
+                        KeyId: 'key-456',
+                        Arn: 'arn:aws:kms:us-east-1:123456:key/key-456',
+                        Enabled: true,
+                    },
+                ],
+                aliases: [],
+                defaultKey: {
+                    KeyId: 'key-456',
+                    Arn: 'arn:aws:kms:us-east-1:123456:key/key-456',
+                    Enabled: true,
+                },
+            });
+
+            const result = await kmsDiscovery.discover({});
+
+            expect(result.kmsKeyId).toBe('arn:aws:kms:us-east-1:123456:key/key-456');
+            expect(result.kmsKeyAlias).toBeNull();
+        });
+
+        it('should pass config to provider', async () => {
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: [],
+                aliases: [],
+                defaultKey: null,
+            });
+
+            const config = {
+                keyId: 'key-specific',
+                keyAlias: 'alias/custom',
+                serviceName: 'test-service',
+            };
+
+            await kmsDiscovery.discover(config);
+
+            expect(mockProvider.discoverKmsKeys).toHaveBeenCalledWith(config);
+        });
+
+        it('should handle discovery errors gracefully', async () => {
+            mockProvider.discoverKmsKeys.mockRejectedValue(new Error('KMS API Error'));
+
+            const result = await kmsDiscovery.discover({});
+
+            expect(result.kmsKeyId).toBeNull();
+            expect(result.kmsKeyArn).toBeNull();
+            expect(result.defaultKmsKeyId).toBeNull();
+            expect(result.kmsKeyAlias).toBeNull();
+        });
+
+        it('should find alias for discovered key', async () => {
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: [
+                    {
+                        KeyId: 'key-789',
+                        Arn: 'arn:aws:kms:eu-west-1:123456:key/key-789',
+                        Enabled: true,
+                    },
+                ],
+                aliases: [
+                    {
+                        AliasName: 'alias/other-key',
+                        TargetKeyId: 'key-999',
+                    },
+                    {
+                        AliasName: 'alias/my-key',
+                        TargetKeyId: 'key-789',
+                    },
+                ],
+                defaultKey: {
+                    KeyId: 'key-789',
+                    Arn: 'arn:aws:kms:eu-west-1:123456:key/key-789',
+                    Enabled: true,
+                },
+            });
+
+            const result = await kmsDiscovery.discover({});
+
+            expect(result.kmsKeyAlias).toBe('alias/my-key');
+        });
+
+        it('should return all keys and aliases for reference', async () => {
+            const mockKeys = [
+                { KeyId: 'key-1', Arn: 'arn:1', Enabled: true },
+                { KeyId: 'key-2', Arn: 'arn:2', Enabled: true },
+            ];
+            const mockAliases = [
+                { AliasName: 'alias/one', TargetKeyId: 'key-1' },
+                { AliasName: 'alias/two', TargetKeyId: 'key-2' },
+            ];
+
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: mockKeys,
+                aliases: mockAliases,
+                defaultKey: mockKeys[0],
+            });
+
+            const result = await kmsDiscovery.discover({});
+
+            expect(result.keys).toEqual(mockKeys);
+            expect(result.aliases).toEqual(mockAliases);
+        });
+    });
+});
+