@friggframework/devtools 2.0.0-next.3 → 2.0.0-next.31

package/management-ui/server/utils/environment/awsParameterStore.js

@@ -0,0 +1,264 @@
+import AWS from 'aws-sdk';
+
+class AWSParameterStore {
+  constructor(config = {}) {
+    this.ssm = new AWS.SSM({
+      region: config.region || process.env.AWS_REGION || 'us-east-1',
+      ...config.awsConfig
+    });
+    this.prefix = config.prefix || '/frigg';
+    this.kmsKeyId = config.kmsKeyId || process.env.AWS_KMS_KEY_ID;
+  }
+
+  /**
+   * Get all parameters for a specific environment
+   */
+  async getParameters(environment) {
+    const path = `${this.prefix}/${environment}`;
+    const parameters = [];
+    let nextToken;
+
+    try {
+      do {
+        const params = {
+          Path: path,
+          Recursive: true,
+          WithDecryption: true,
+          MaxResults: 10,
+          NextToken: nextToken
+        };
+
+        const response = await this.ssm.getParametersByPath(params).promise();
+        
+        for (const param of response.Parameters) {
+          const key = this.extractKeyFromPath(param.Name, environment);
+          parameters.push({
+            id: `aws-${environment}-${key}`,
+            key,
+            value: param.Value,
+            description: this.getTagValue(param, 'Description'),
+            isSecret: param.Type === 'SecureString',
+            environment,
+            lastModified: param.LastModifiedDate,
+            version: param.Version,
+            awsName: param.Name
+          });
+        }
+
+        nextToken = response.NextToken;
+      } while (nextToken);
+
+      return parameters;
+    } catch (error) {
+      console.error('Error fetching parameters from AWS:', error);
+      throw new Error(`Failed to fetch parameters: ${error.message}`);
+    }
+  }
+
+  /**
+   * Set a parameter in AWS Parameter Store
+   */
+  async setParameter(environment, variable) {
+    const parameterName = `${this.prefix}/${environment}/${variable.key}`;
+    
+    try {
+      const params = {
+        Name: parameterName,
+        Value: variable.value,
+        Type: variable.isSecret ? 'SecureString' : 'String',
+        Overwrite: true,
+        Description: variable.description || `${variable.key} for ${environment} environment`,
+        Tags: [
+          {
+            Key: 'Environment',
+            Value: environment
+          },
+          {
+            Key: 'ManagedBy',
+            Value: 'frigg'
+          },
+          {
+            Key: 'Description',
+            Value: variable.description || ''
+          }
+        ]
+      };
+
+      // Add KMS key for secure strings
+      if (variable.isSecret && this.kmsKeyId) {
+        params.KeyId = this.kmsKeyId;
+      }
+
+      const response = await this.ssm.putParameter(params).promise();
+      
+      return {
+        success: true,
+        version: response.Version,
+        awsName: parameterName
+      };
+    } catch (error) {
+      console.error('Error setting parameter in AWS:', error);
+      throw new Error(`Failed to set parameter: ${error.message}`);
+    }
+  }
+
+  /**
+   * Delete a parameter from AWS Parameter Store
+   */
+  async deleteParameter(environment, key) {
+    const parameterName = `${this.prefix}/${environment}/${key}`;
+    
+    try {
+      await this.ssm.deleteParameter({ Name: parameterName }).promise();
+      return { success: true };
+    } catch (error) {
+      if (error.code === 'ParameterNotFound') {
+        return { success: true, notFound: true };
+      }
+      console.error('Error deleting parameter from AWS:', error);
+      throw new Error(`Failed to delete parameter: ${error.message}`);
+    }
+  }
+
+  /**
+   * Sync all variables for an environment to AWS
+   */
+  async syncEnvironment(environment, variables) {
+    const results = {
+      created: [],
+      updated: [],
+      deleted: [],
+      errors: []
+    };
+
+    try {
+      // Get existing parameters
+      const existingParams = await this.getParameters(environment);
+      const existingKeys = new Set(existingParams.map(p => p.key));
+      const newKeys = new Set(variables.map(v => v.key));
+
+      // Update or create parameters
+      for (const variable of variables) {
+        try {
+          const existing = existingParams.find(p => p.key === variable.key);
+          const result = await this.setParameter(environment, variable);
+          
+          if (existing) {
+            results.updated.push({ key: variable.key, ...result });
+          } else {
+            results.created.push({ key: variable.key, ...result });
+          }
+        } catch (error) {
+          results.errors.push({
+            key: variable.key,
+            error: error.message
+          });
+        }
+      }
+
+      // Delete parameters that no longer exist
+      for (const param of existingParams) {
+        if (!newKeys.has(param.key)) {
+          try {
+            await this.deleteParameter(environment, param.key);
+            results.deleted.push({ key: param.key });
+          } catch (error) {
+            results.errors.push({
+              key: param.key,
+              error: error.message
+            });
+          }
+        }
+      }
+
+      return results;
+    } catch (error) {
+      console.error('Error syncing environment:', error);
+      throw new Error(`Failed to sync environment: ${error.message}`);
+    }
+  }
+
+  /**
+   * Extract key from parameter path
+   */
+  extractKeyFromPath(path, environment) {
+    const prefix = `${this.prefix}/${environment}/`;
+    return path.startsWith(prefix) ? path.substring(prefix.length) : path;
+  }
+
+  /**
+   * Get tag value from parameter
+   */
+  getTagValue(parameter, tagKey) {
+    // Note: Tags are not returned by getParametersByPath, would need separate call
+    // This is a placeholder for when we implement tag fetching
+    return '';
+  }
+
+  /**
+   * Validate AWS credentials and permissions
+   */
+  async validateAccess() {
+    try {
+      // Try to list parameters to check access
+      await this.ssm.describeParameters({ MaxResults: 1 }).promise();
+      return { valid: true };
+    } catch (error) {
+      return {
+        valid: false,
+        error: error.message,
+        code: error.code
+      };
+    }
+  }
+
+  /**
+   * Export parameters to .env format
+   */
+  async exportToEnv(environment) {
+    const parameters = await this.getParameters(environment);
+    let content = `# AWS Parameter Store export for ${environment}\n`;
+    content += `# Generated on ${new Date().toISOString()}\n\n`;
+
+    const sorted = parameters.sort((a, b) => a.key.localeCompare(b.key));
+    
+    for (const param of sorted) {
+      if (param.description) {
+        content += `# ${param.description}\n`;
+      }
+      
+      // Mask secret values in export
+      const value = param.isSecret ? '**REDACTED**' : param.value;
+      content += `${param.key}=${value}\n\n`;
+    }
+
+    return content;
+  }
+
+  /**
+   * Get parameter history
+   */
+  async getParameterHistory(environment, key, maxResults = 10) {
+    const parameterName = `${this.prefix}/${environment}/${key}`;
+    
+    try {
+      const response = await this.ssm.getParameterHistory({
+        Name: parameterName,
+        WithDecryption: false,
+        MaxResults: maxResults
+      }).promise();
+
+      return response.Parameters.map(p => ({
+        version: p.Version,
+        value: p.Type === 'SecureString' ? '**ENCRYPTED**' : p.Value,
+        modifiedDate: p.LastModifiedDate,
+        modifiedBy: p.LastModifiedUser
+      }));
+    } catch (error) {
+      console.error('Error fetching parameter history:', error);
+      throw new Error(`Failed to fetch parameter history: ${error.message}`);
+    }
+  }
+}
+
+export default AWSParameterStore;

package/management-ui/server/utils/environment/encryption.js

@@ -0,0 +1,278 @@
+import crypto from 'crypto'
+
+class EnvironmentEncryption {
+  constructor(options = {}) {
+    this.algorithm = options.algorithm || 'aes-256-gcm'
+    this.keyLength = options.keyLength || 32
+    this.ivLength = options.ivLength || 16
+    this.tagLength = options.tagLength || 16
+    this.saltLength = options.saltLength || 64
+    this.iterations = options.iterations || 100000
+    
+    // Master key should be stored securely (e.g., environment variable, key management service)
+    this.masterKey = this.getMasterKey()
+  }
+
+  /**
+   * Get or generate master encryption key
+   * In production, this should be stored securely (AWS KMS, HashiCorp Vault, etc.)
+   */
+  getMasterKey() {
+    const envKey = process.env.ENCRYPTION_MASTER_KEY
+    if (envKey) {
+      return Buffer.from(envKey, 'base64')
+    }
+    
+    // For development only - generate a key
+    console.warn('No ENCRYPTION_MASTER_KEY found. Generating temporary key for development.')
+    return crypto.randomBytes(this.keyLength)
+  }
+
+  /**
+   * Derive encryption key from master key and salt
+   */
+  deriveKey(salt) {
+    return crypto.pbkdf2Sync(this.masterKey, salt, this.iterations, this.keyLength, 'sha256')
+  }
+
+  /**
+   * Encrypt a value
+   */
+  encrypt(plaintext) {
+    try {
+      // Generate random salt and IV
+      const salt = crypto.randomBytes(this.saltLength)
+      const iv = crypto.randomBytes(this.ivLength)
+      
+      // Derive key from master key and salt
+      const key = this.deriveKey(salt)
+      
+      // Create cipher
+      const cipher = crypto.createCipheriv(this.algorithm, key, iv)
+      
+      // Encrypt the plaintext
+      const encrypted = Buffer.concat([
+        cipher.update(plaintext, 'utf8'),
+        cipher.final()
+      ])
+      
+      // Get the authentication tag
+      const tag = cipher.getAuthTag()
+      
+      // Combine salt, iv, tag, and encrypted data
+      const combined = Buffer.concat([salt, iv, tag, encrypted])
+      
+      // Return base64 encoded string
+      return {
+        encrypted: combined.toString('base64'),
+        algorithm: this.algorithm,
+        isEncrypted: true
+      }
+    } catch (error) {
+      console.error('Encryption error:', error)
+      throw new Error('Failed to encrypt value')
+    }
+  }
+
+  /**
+   * Decrypt a value
+   */
+  decrypt(encryptedData) {
+    try {
+      // Decode from base64
+      const combined = Buffer.from(encryptedData.encrypted, 'base64')
+      
+      // Extract components
+      const salt = combined.slice(0, this.saltLength)
+      const iv = combined.slice(this.saltLength, this.saltLength + this.ivLength)
+      const tag = combined.slice(
+        this.saltLength + this.ivLength,
+        this.saltLength + this.ivLength + this.tagLength
+      )
+      const encrypted = combined.slice(this.saltLength + this.ivLength + this.tagLength)
+      
+      // Derive key from master key and salt
+      const key = this.deriveKey(salt)
+      
+      // Create decipher
+      const decipher = crypto.createDecipheriv(this.algorithm, key, iv)
+      decipher.setAuthTag(tag)
+      
+      // Decrypt the data
+      const decrypted = Buffer.concat([
+        decipher.update(encrypted),
+        decipher.final()
+      ])
+      
+      return decrypted.toString('utf8')
+    } catch (error) {
+      console.error('Decryption error:', error)
+      throw new Error('Failed to decrypt value')
+    }
+  }
+
+  /**
+   * Check if a value is encrypted
+   */
+  isEncrypted(value) {
+    if (typeof value === 'object' && value.isEncrypted === true) {
+      return true
+    }
+    
+    // Check if string looks like encrypted data (base64 with minimum length)
+    if (typeof value === 'string') {
+      try {
+        const decoded = Buffer.from(value, 'base64')
+        return decoded.length >= this.saltLength + this.ivLength + this.tagLength + 16
+      } catch {
+        return false
+      }
+    }
+    
+    return false
+  }
+
+  /**
+   * Encrypt sensitive environment variables
+   */
+  encryptVariables(variables, patterns = []) {
+    const defaultPatterns = [
+      /password/i,
+      /secret/i,
+      /key/i,
+      /token/i,
+      /credential/i,
+      /private/i,
+      /auth/i
+    ]
+    
+    const allPatterns = [...defaultPatterns, ...patterns]
+    
+    return variables.map(variable => {
+      // Check if variable should be encrypted
+      const shouldEncrypt = allPatterns.some(pattern => 
+        pattern.test(variable.key)
+      )
+      
+      if (shouldEncrypt && variable.value && !this.isEncrypted(variable.value)) {
+        const encrypted = this.encrypt(variable.value)
+        return {
+          ...variable,
+          value: encrypted.encrypted,
+          encrypted: true,
+          algorithm: encrypted.algorithm
+        }
+      }
+      
+      return variable
+    })
+  }
+
+  /**
+   * Decrypt variables for use
+   */
+  decryptVariables(variables) {
+    return variables.map(variable => {
+      if (variable.encrypted && variable.value) {
+        try {
+          const decrypted = this.decrypt({
+            encrypted: variable.value,
+            algorithm: variable.algorithm || this.algorithm
+          })
+          return {
+            ...variable,
+            value: decrypted,
+            encrypted: false
+          }
+        } catch (error) {
+          console.error(`Failed to decrypt variable ${variable.key}:`, error)
+          return variable
+        }
+      }
+      
+      return variable
+    })
+  }
+
+  /**
+   * Rotate encryption keys
+   */
+  async rotateKeys(variables) {
+    // Decrypt all variables with old key
+    const decrypted = this.decryptVariables(variables)
+    
+    // Generate new master key
+    this.masterKey = crypto.randomBytes(this.keyLength)
+    
+    // Re-encrypt with new key
+    return this.encryptVariables(decrypted)
+  }
+
+  /**
+   * Generate encryption key for export
+   */
+  exportKey() {
+    return {
+      key: this.masterKey.toString('base64'),
+      algorithm: this.algorithm,
+      generated: new Date().toISOString()
+    }
+  }
+
+  /**
+   * Import encryption key
+   */
+  importKey(keyData) {
+    if (!keyData.key) {
+      throw new Error('Invalid key data')
+    }
+    
+    this.masterKey = Buffer.from(keyData.key, 'base64')
+    this.algorithm = keyData.algorithm || this.algorithm
+  }
+}
+
+// Singleton instance
+let encryptionInstance = null
+
+/**
+ * Get encryption instance
+ */
+export function getEncryption(options) {
+  if (!encryptionInstance) {
+    encryptionInstance = new EnvironmentEncryption(options)
+  }
+  return encryptionInstance
+}
+
+/**
+ * Middleware to decrypt variables on read
+ */
+export function decryptMiddleware(req, res, next) {
+  const originalJson = res.json
+  
+  res.json = function(data) {
+    if (data && data.variables && Array.isArray(data.variables)) {
+      const encryption = getEncryption()
+      data.variables = encryption.decryptVariables(data.variables)
+    }
+    
+    return originalJson.call(this, data)
+  }
+  
+  next()
+}
+
+/**
+ * Middleware to encrypt variables on write
+ */
+export function encryptMiddleware(req, res, next) {
+  if (req.body && req.body.variables && Array.isArray(req.body.variables)) {
+    const encryption = getEncryption()
+    req.body.variables = encryption.encryptVariables(req.body.variables)
+  }
+  
+  next()
+}
+
+export default EnvironmentEncryption