npm - @friggframework/devtools - Versions diffs - 2.0.0-next.44 → 2.0.0-next.46 - Mend

@friggframework/devtools 2.0.0-next.44 → 2.0.0-next.46

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/infrastructure/domains/security/kms-builder.test.js ADDED Viewed

@@ -0,0 +1,374 @@
+/**
+ * Tests for KMS Builder
+ *
+ * Tests KMS key creation and configuration
+ */
+const { KmsBuilder } = require('./kms-builder');
+const { ValidationResult } = require('../shared/base-builder');
+describe('KmsBuilder', () => {
+    let kmsBuilder;
+    beforeEach(() => {
+        kmsBuilder = new KmsBuilder();
+        delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+    });
+    afterEach(() => {
+        delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+    });
+    describe('shouldExecute()', () => {
+        it('should return true when encryption method is kms', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(true);
+        });
+        it('should return false when encryption method is aes', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'aes',
+                },
+            };
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+        it('should return false when encryption is not defined', () => {
+            const appDefinition = {};
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+        it('should return false when fieldLevelEncryptionMethod is not defined', () => {
+            const appDefinition = {
+                encryption: {},
+            };
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+        it('should return false when FRIGG_SKIP_AWS_DISCOVERY is set (local mode)', () => {
+            process.env.FRIGG_SKIP_AWS_DISCOVERY = 'true';
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+            expect(kmsBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+    });
+    describe('validate()', () => {
+        it('should pass validation for valid KMS config', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+            const result = kmsBuilder.validate(appDefinition);
+            expect(result).toBeInstanceOf(ValidationResult);
+            expect(result.valid).toBe(true);
+            expect(result.errors).toEqual([]);
+        });
+        it('should pass validation when createResourceIfNoneFound is boolean', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: false,
+                },
+            };
+            const result = kmsBuilder.validate(appDefinition);
+            expect(result.valid).toBe(true);
+        });
+        it('should error if encryption configuration is missing', () => {
+            const appDefinition = {};
+            const result = kmsBuilder.validate(appDefinition);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain('Encryption configuration is missing');
+        });
+        it('should pass when encryption method is not kms', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'aes',
+                },
+            };
+            const result = kmsBuilder.validate(appDefinition);
+            expect(result.valid).toBe(true);
+        });
+        it('should error when createResourceIfNoneFound is not boolean', () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: 'yes',
+                },
+            };
+            const result = kmsBuilder.validate(appDefinition);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain(
+                'encryption.createResourceIfNoneFound must be a boolean'
+            );
+        });
+    });
+    describe('build() - with discovered key', () => {
+        it('should use discovered KMS key', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+            const discoveredResources = {
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456:key/abc-123',
+            };
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+            expect(result.environment.KMS_KEY_ARN).toBe('arn:aws:kms:us-east-1:123456:key/abc-123');
+            expect(result.pluginConfig.kmsGrants).toBeUndefined();
+        });
+        it('should add IAM permissions for KMS operations', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+            const discoveredResources = {
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456:key/abc',
+            };
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+            expect(result.iamStatements).toHaveLength(1);
+            expect(result.iamStatements[0]).toEqual({
+                Effect: 'Allow',
+                Action: ['kms:GenerateDataKey', 'kms:Decrypt', 'kms:Encrypt', 'kms:DescribeKey'],
+                Resource: 'arn:aws:kms:us-east-1:123456:key/abc',
+            });
+        });
+        it('should NOT use serverless-kms-grants plugin (deprecated)', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+            const discoveredResources = {
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456:key/abc',
+            };
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+            expect(result.plugins).not.toContain('serverless-kms-grants');
+            expect(result.pluginConfig.kmsGrants).toBeUndefined();
+        });
+    });
+    describe('build() - create new key', () => {
+        it('should create new KMS key when none found and createResourceIfNoneFound is true', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+            const discoveredResources = {
+                defaultKmsKeyId: null,
+            };
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+            expect(result.resources.FriggKMSKey).toBeDefined();
+            expect(result.resources.FriggKMSKey.Type).toBe('AWS::KMS::Key');
+        });
+        it('should create KMS key alias', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+            const discoveredResources = {};
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+            expect(result.resources.FriggKMSKeyAlias).toBeDefined();
+            expect(result.resources.FriggKMSKeyAlias.Type).toBe('AWS::KMS::Alias');
+        });
+        it('should enable key rotation for new keys', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+            const result = await kmsBuilder.build(appDefinition, {});
+            expect(result.resources.FriggKMSKey.Properties.EnableKeyRotation).toBe(true);
+        });
+        it('should use CloudFormation reference for new key', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+            const result = await kmsBuilder.build(appDefinition, {});
+            expect(result.environment.KMS_KEY_ARN).toEqual({
+                'Fn::GetAtt': ['FriggKMSKey', 'Arn'],
+            });
+        });
+        it('should set DeletionPolicy to Retain for key resources', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+            const result = await kmsBuilder.build(appDefinition, {});
+            expect(result.resources.FriggKMSKey.DeletionPolicy).toBe('Retain');
+            expect(result.resources.FriggKMSKey.UpdateReplacePolicy).toBe('Retain');
+        });
+    });
+    describe('getDependencies()', () => {
+        it('should have no dependencies', () => {
+            const deps = kmsBuilder.getDependencies();
+            expect(deps).toEqual([]);
+        });
+    });
+    describe('getName()', () => {
+        it('should return KmsBuilder', () => {
+            expect(kmsBuilder.getName()).toBe('KmsBuilder');
+        });
+    });
+    describe('Key policies', () => {
+        it('should create key policy allowing root account admin', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+            const result = await kmsBuilder.build(appDefinition, {});
+            const policy = result.resources.FriggKMSKey.Properties.KeyPolicy;
+            const rootStatement = policy.Statement.find(s => s.Sid === 'AllowRootAccountAdmin');
+            expect(rootStatement).toBeDefined();
+            expect(rootStatement.Action).toBe('kms:*');
+        });
+        it('should create key policy allowing Lambda service', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+            const result = await kmsBuilder.build(appDefinition, {});
+            const policy = result.resources.FriggKMSKey.Properties.KeyPolicy;
+            const lambdaStatement = policy.Statement.find(s => s.Sid === 'AllowLambdaService');
+            expect(lambdaStatement).toBeDefined();
+            expect(lambdaStatement.Action).toContain('kms:GenerateDataKey');
+            expect(lambdaStatement.Action).toContain('kms:Decrypt');
+        });
+        it('should create key policy allowing Lambda execution role direct access', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: true,
+                },
+            };
+            const result = await kmsBuilder.build(appDefinition, {});
+            const policy = result.resources.FriggKMSKey.Properties.KeyPolicy;
+            // Should NOT have AllowLambdaExecutionRole statement to avoid circular dependency
+            // (KMS Key → IAM Role → KMS Key = circular)
+            // IAM policies already grant KMS permissions, so key policy doesn't need to reference the role
+            const roleStatement = policy.Statement.find(s => s.Sid === 'AllowLambdaExecutionRole');
+            expect(roleStatement).toBeUndefined();
+        });
+    });
+    describe('Error handling', () => {
+        it('should fallback to environment variable when no key discovered and createResourceIfNoneFound is false', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    createResourceIfNoneFound: false,
+                },
+            };
+            const discoveredResources = {
+                defaultKmsKeyId: null,
+            };
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+            expect(result.environment.KMS_KEY_ARN).toBe('${env:AWS_DISCOVERY_KMS_KEY_ID}');
+        });
+        it('should fallback to environment variable when createResourceIfNoneFound not specified', async () => {
+            const appDefinition = {
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                },
+            };
+            const discoveredResources = {};
+            const result = await kmsBuilder.build(appDefinition, discoveredResources);
+            // Should format env var as ARN for IAM policies
+            expect(result.environment.KMS_KEY_ARN).toBe('arn:aws:kms:${self:provider.region}:${aws:accountId}:key/${env:AWS_DISCOVERY_KMS_KEY_ID}');
+        });
+    });
+});

package/infrastructure/domains/security/kms-discovery.js ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * KMS Discovery Service
+ *
+ * Domain Service - Hexagonal Architecture
+ *
+ * Discovers KMS encryption keys using the cloud provider adapter.
+ * Adds domain-specific validation and key selection logic.
+ */
+class KmsDiscovery {
+    /**
+     * @param {CloudProviderAdapter} provider - Cloud provider adapter instance
+     */
+    constructor(provider) {
+        this.provider = provider;
+    }
+    /**
+     * Discover KMS encryption keys
+     *
+     * @param {Object} config - Discovery configuration
+     * @param {string} [config.keyId] - Specific key ID to discover
+     * @param {string} [config.keyAlias] - Key alias to search for
+     * @param {string} [config.serviceName] - Service name for filtering
+     * @param {string} [config.stage] - Deployment stage
+     * @returns {Promise<Object>} Discovered KMS key resources
+     */
+    async discover(config) {
+        console.log('🔍 Discovering KMS keys...');
+        try {
+            const rawResources = await this.provider.discoverKmsKeys(config);
+            const result = {
+                kmsKeyId: null,
+                kmsKeyArn: null,
+                kmsKeyAlias: null,
+                keys: rawResources.keys,
+                aliases: rawResources.aliases,
+            };
+            // Use default key if found
+            if (rawResources.defaultKey) {
+                result.kmsKeyId = rawResources.defaultKey.Arn;
+                result.kmsKeyArn = rawResources.defaultKey.Arn;
+                result.defaultKmsKeyId = rawResources.defaultKey.Arn;
+                // Find alias for this key
+                const keyAlias = rawResources.aliases.find(
+                    a => a.TargetKeyId === rawResources.defaultKey.KeyId
+                );
+                if (keyAlias) {
+                    result.kmsKeyAlias = keyAlias.AliasName;
+                }
+                console.log(`  ✓ Found KMS key: ${result.kmsKeyId}`);
+                if (result.kmsKeyAlias) {
+                    console.log(`  ✓ Key alias: ${result.kmsKeyAlias}`);
+                }
+            } else {
+                console.log('  ℹ No KMS key found');
+            }
+            return result;
+        } catch (error) {
+            console.error('  ✗ KMS discovery failed:', error.message);
+            return {
+                kmsKeyId: null,
+                kmsKeyArn: null,
+                defaultKmsKeyId: null,
+                kmsKeyAlias: null,
+            };
+        }
+    }
+}
+module.exports = {
+    KmsDiscovery,
+};

package/infrastructure/domains/security/kms-discovery.test.js ADDED Viewed

@@ -0,0 +1,177 @@
+/**
+ * Tests for KMS Discovery Service
+ *
+ * Tests KMS encryption key discovery with mocked cloud provider
+ */
+const { KmsDiscovery } = require('./kms-discovery');
+describe('KmsDiscovery', () => {
+    let mockProvider;
+    let kmsDiscovery;
+    beforeEach(() => {
+        mockProvider = {
+            discoverKmsKeys: jest.fn(),
+            getName: jest.fn().mockReturnValue('aws'),
+        };
+        kmsDiscovery = new KmsDiscovery(mockProvider);
+    });
+    describe('discover()', () => {
+        it('should delegate to provider and transform results', async () => {
+            const mockProviderResponse = {
+                keys: [
+                    {
+                        KeyId: 'key-123',
+                        Arn: 'arn:aws:kms:us-east-1:123456:key/key-123',
+                        Enabled: true,
+                    },
+                ],
+                aliases: [
+                    {
+                        AliasName: 'alias/frigg-key',
+                        TargetKeyId: 'key-123',
+                    },
+                ],
+                defaultKey: {
+                    KeyId: 'key-123',
+                    Arn: 'arn:aws:kms:us-east-1:123456:key/key-123',
+                    Enabled: true,
+                },
+            };
+            mockProvider.discoverKmsKeys.mockResolvedValue(mockProviderResponse);
+            const result = await kmsDiscovery.discover({});
+            expect(mockProvider.discoverKmsKeys).toHaveBeenCalledWith({});
+            expect(result.kmsKeyId).toBe('arn:aws:kms:us-east-1:123456:key/key-123');
+            expect(result.kmsKeyArn).toBe('arn:aws:kms:us-east-1:123456:key/key-123');
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456:key/key-123');
+            expect(result.kmsKeyAlias).toBe('alias/frigg-key');
+        });
+        it('should handle no KMS keys found', async () => {
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: [],
+                aliases: [],
+                defaultKey: null,
+            });
+            const result = await kmsDiscovery.discover({});
+            // When no keys found, properties are undefined (not explicitly set to null)
+            expect(result.kmsKeyId).toBeFalsy();
+            expect(result.kmsKeyArn).toBeFalsy();
+            expect(result.defaultKmsKeyId).toBeFalsy();
+            expect(result.kmsKeyAlias).toBeFalsy();
+        });
+        it('should handle KMS key without alias', async () => {
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: [
+                    {
+                        KeyId: 'key-456',
+                        Arn: 'arn:aws:kms:us-east-1:123456:key/key-456',
+                        Enabled: true,
+                    },
+                ],
+                aliases: [],
+                defaultKey: {
+                    KeyId: 'key-456',
+                    Arn: 'arn:aws:kms:us-east-1:123456:key/key-456',
+                    Enabled: true,
+                },
+            });
+            const result = await kmsDiscovery.discover({});
+            expect(result.kmsKeyId).toBe('arn:aws:kms:us-east-1:123456:key/key-456');
+            expect(result.kmsKeyAlias).toBeNull();
+        });
+        it('should pass config to provider', async () => {
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: [],
+                aliases: [],
+                defaultKey: null,
+            });
+            const config = {
+                keyId: 'key-specific',
+                keyAlias: 'alias/custom',
+                serviceName: 'test-service',
+            };
+            await kmsDiscovery.discover(config);
+            expect(mockProvider.discoverKmsKeys).toHaveBeenCalledWith(config);
+        });
+        it('should handle discovery errors gracefully', async () => {
+            mockProvider.discoverKmsKeys.mockRejectedValue(new Error('KMS API Error'));
+            const result = await kmsDiscovery.discover({});
+            expect(result.kmsKeyId).toBeNull();
+            expect(result.kmsKeyArn).toBeNull();
+            expect(result.defaultKmsKeyId).toBeNull();
+            expect(result.kmsKeyAlias).toBeNull();
+        });
+        it('should find alias for discovered key', async () => {
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: [
+                    {
+                        KeyId: 'key-789',
+                        Arn: 'arn:aws:kms:eu-west-1:123456:key/key-789',
+                        Enabled: true,
+                    },
+                ],
+                aliases: [
+                    {
+                        AliasName: 'alias/other-key',
+                        TargetKeyId: 'key-999',
+                    },
+                    {
+                        AliasName: 'alias/my-key',
+                        TargetKeyId: 'key-789',
+                    },
+                ],
+                defaultKey: {
+                    KeyId: 'key-789',
+                    Arn: 'arn:aws:kms:eu-west-1:123456:key/key-789',
+                    Enabled: true,
+                },
+            });
+            const result = await kmsDiscovery.discover({});
+            expect(result.kmsKeyAlias).toBe('alias/my-key');
+        });
+        it('should return all keys and aliases for reference', async () => {
+            const mockKeys = [
+                { KeyId: 'key-1', Arn: 'arn:1', Enabled: true },
+                { KeyId: 'key-2', Arn: 'arn:2', Enabled: true },
+            ];
+            const mockAliases = [
+                { AliasName: 'alias/one', TargetKeyId: 'key-1' },
+                { AliasName: 'alias/two', TargetKeyId: 'key-2' },
+            ];
+            mockProvider.discoverKmsKeys.mockResolvedValue({
+                keys: mockKeys,
+                aliases: mockAliases,
+                defaultKey: mockKeys[0],
+            });
+            const result = await kmsDiscovery.discover({});
+            expect(result.keys).toEqual(mockKeys);
+            expect(result.aliases).toEqual(mockAliases);
+        });
+    });
+});