@geekmidas/cli 0.10.0 → 0.12.0

package/src/secrets/__tests__/encryption.spec.ts

@@ -0,0 +1,226 @@
+import { describe, expect, it } from 'vitest';
+import {
+	decryptSecrets,
+	encryptSecrets,
+	generateDefineOptions,
+} from '../encryption';
+import type { EmbeddableSecrets, EncryptedPayload } from '../types';
+
+describe('encryptSecrets', () => {
+	it('should return encrypted payload with all required fields', () => {
+		const secrets: EmbeddableSecrets = {
+			DATABASE_URL: 'postgresql://test:pass@localhost/db',
+		};
+
+		const payload = encryptSecrets(secrets);
+
+		expect(payload.encrypted).toBeDefined();
+		expect(payload.iv).toBeDefined();
+		expect(payload.masterKey).toBeDefined();
+	});
+
+	it('should generate different ciphertext for same input', () => {
+		const secrets: EmbeddableSecrets = {
+			DATABASE_URL: 'postgresql://test:pass@localhost/db',
+		};
+
+		const payload1 = encryptSecrets(secrets);
+		const payload2 = encryptSecrets(secrets);
+
+		expect(payload1.encrypted).not.toBe(payload2.encrypted);
+		expect(payload1.iv).not.toBe(payload2.iv);
+		expect(payload1.masterKey).not.toBe(payload2.masterKey);
+	});
+
+	it('should generate hex-encoded IV of correct length', () => {
+		const secrets: EmbeddableSecrets = { KEY: 'value' };
+		const payload = encryptSecrets(secrets);
+
+		// 12 bytes = 24 hex characters
+		expect(payload.iv).toHaveLength(24);
+		expect(payload.iv).toMatch(/^[0-9a-f]+$/);
+	});
+
+	it('should generate hex-encoded master key of correct length', () => {
+		const secrets: EmbeddableSecrets = { KEY: 'value' };
+		const payload = encryptSecrets(secrets);
+
+		// 32 bytes = 64 hex characters
+		expect(payload.masterKey).toHaveLength(64);
+		expect(payload.masterKey).toMatch(/^[0-9a-f]+$/);
+	});
+
+	it('should produce base64-encoded ciphertext', () => {
+		const secrets: EmbeddableSecrets = { KEY: 'value' };
+		const payload = encryptSecrets(secrets);
+
+		// Should be valid base64
+		expect(() => Buffer.from(payload.encrypted, 'base64')).not.toThrow();
+	});
+});
+
+describe('decryptSecrets', () => {
+	it('should decrypt back to original secrets', () => {
+		const secrets: EmbeddableSecrets = {
+			DATABASE_URL: 'postgresql://test:pass@localhost/db',
+			REDIS_URL: 'redis://localhost:6379',
+			CUSTOM_KEY: 'custom-value',
+		};
+
+		const payload = encryptSecrets(secrets);
+		const decrypted = decryptSecrets(
+			payload.encrypted,
+			payload.iv,
+			payload.masterKey,
+		);
+
+		expect(decrypted).toEqual(secrets);
+	});
+
+	it('should handle empty secrets', () => {
+		const secrets: EmbeddableSecrets = {};
+
+		const payload = encryptSecrets(secrets);
+		const decrypted = decryptSecrets(
+			payload.encrypted,
+			payload.iv,
+			payload.masterKey,
+		);
+
+		expect(decrypted).toEqual({});
+	});
+
+	it('should handle secrets with special characters', () => {
+		const secrets: EmbeddableSecrets = {
+			PASSWORD: 'p@ss/word!#$%^&*(){}[]|\\:";\'<>,.?/',
+			URL: 'https://user:pass@host.com/path?query=value&foo=bar',
+		};
+
+		const payload = encryptSecrets(secrets);
+		const decrypted = decryptSecrets(
+			payload.encrypted,
+			payload.iv,
+			payload.masterKey,
+		);
+
+		expect(decrypted).toEqual(secrets);
+	});
+
+	it('should handle secrets with unicode characters', () => {
+		const secrets: EmbeddableSecrets = {
+			MESSAGE: '你好世界 🔐 مرحبا',
+		};
+
+		const payload = encryptSecrets(secrets);
+		const decrypted = decryptSecrets(
+			payload.encrypted,
+			payload.iv,
+			payload.masterKey,
+		);
+
+		expect(decrypted).toEqual(secrets);
+	});
+
+	it('should throw with wrong master key', () => {
+		const secrets: EmbeddableSecrets = { KEY: 'value' };
+		const payload = encryptSecrets(secrets);
+
+		// Generate a different key
+		const wrongKey = '0'.repeat(64);
+
+		expect(() =>
+			decryptSecrets(payload.encrypted, payload.iv, wrongKey),
+		).toThrow();
+	});
+
+	it('should throw with wrong IV', () => {
+		const secrets: EmbeddableSecrets = { KEY: 'value' };
+		const payload = encryptSecrets(secrets);
+
+		// Use wrong IV
+		const wrongIv = '0'.repeat(24);
+
+		expect(() =>
+			decryptSecrets(payload.encrypted, wrongIv, payload.masterKey),
+		).toThrow();
+	});
+
+	it('should throw with tampered ciphertext', () => {
+		const secrets: EmbeddableSecrets = { KEY: 'value' };
+		const payload = encryptSecrets(secrets);
+
+		// Tamper with ciphertext
+		const tamperedBuffer = Buffer.from(payload.encrypted, 'base64');
+		tamperedBuffer[0] = tamperedBuffer[0] ^ 0xff;
+		const tampered = tamperedBuffer.toString('base64');
+
+		expect(() =>
+			decryptSecrets(tampered, payload.iv, payload.masterKey),
+		).toThrow();
+	});
+});
+
+describe('generateDefineOptions', () => {
+	it('should return define options for bundler', () => {
+		const payload: EncryptedPayload = {
+			encrypted: 'base64-ciphertext',
+			iv: 'hex-iv-value',
+			masterKey: 'hex-master-key',
+		};
+
+		const options = generateDefineOptions(payload);
+
+		expect(options.__GKM_ENCRYPTED_CREDENTIALS__).toBe(
+			JSON.stringify('base64-ciphertext'),
+		);
+		expect(options.__GKM_CREDENTIALS_IV__).toBe(JSON.stringify('hex-iv-value'));
+	});
+
+	it('should not include master key in define options', () => {
+		const payload: EncryptedPayload = {
+			encrypted: 'encrypted',
+			iv: 'iv',
+			masterKey: 'secret-key',
+		};
+
+		const options = generateDefineOptions(payload);
+
+		expect(options).not.toHaveProperty('__GKM_MASTER_KEY__');
+		expect(JSON.stringify(options)).not.toContain('secret-key');
+	});
+});
+
+describe('encryption roundtrip', () => {
+	it('should handle large secrets', () => {
+		const secrets: EmbeddableSecrets = {};
+		for (let i = 0; i < 100; i++) {
+			secrets[`KEY_${i}`] = `value-${i}-${'x'.repeat(100)}`;
+		}
+
+		const payload = encryptSecrets(secrets);
+		const decrypted = decryptSecrets(
+			payload.encrypted,
+			payload.iv,
+			payload.masterKey,
+		);
+
+		expect(decrypted).toEqual(secrets);
+	});
+
+	it('should handle secrets with newlines and whitespace', () => {
+		const secrets: EmbeddableSecrets = {
+			MULTILINE: 'line1\nline2\nline3',
+			TABS: 'col1\tcol2\tcol3',
+			SPACES: '  leading and trailing  ',
+		};
+
+		const payload = encryptSecrets(secrets);
+		const decrypted = decryptSecrets(
+			payload.encrypted,
+			payload.iv,
+			payload.masterKey,
+		);
+
+		expect(decrypted).toEqual(secrets);
+	});
+});

package/src/secrets/__tests__/generator.spec.ts

@@ -0,0 +1,319 @@
+import { describe, expect, it } from 'vitest';
+import {
+	createStageSecrets,
+	generateConnectionUrls,
+	generatePostgresUrl,
+	generateRabbitmqUrl,
+	generateRedisUrl,
+	generateSecurePassword,
+	generateServiceCredentials,
+	generateServicesCredentials,
+	rotateServicePassword,
+} from '../generator';
+import type { ServiceCredentials, StageSecrets } from '../types';
+
+describe('generateSecurePassword', () => {
+	it('should generate password of default length (32)', () => {
+		const password = generateSecurePassword();
+		expect(password).toHaveLength(32);
+	});
+
+	it('should generate password of custom length', () => {
+		const password = generateSecurePassword(16);
+		expect(password).toHaveLength(16);
+	});
+
+	it('should generate different passwords each call', () => {
+		const password1 = generateSecurePassword();
+		const password2 = generateSecurePassword();
+		expect(password1).not.toBe(password2);
+	});
+
+	it('should only contain URL-safe base64 characters', () => {
+		const password = generateSecurePassword(64);
+		// base64url uses A-Z, a-z, 0-9, -, _
+		expect(password).toMatch(/^[A-Za-z0-9_-]+$/);
+	});
+});
+
+describe('generateServiceCredentials', () => {
+	it('should generate postgres credentials with defaults', () => {
+		const creds = generateServiceCredentials('postgres');
+
+		expect(creds.host).toBe('postgres');
+		expect(creds.port).toBe(5432);
+		expect(creds.username).toBe('app');
+		expect(creds.database).toBe('app');
+		expect(creds.password).toHaveLength(32);
+	});
+
+	it('should generate redis credentials with defaults', () => {
+		const creds = generateServiceCredentials('redis');
+
+		expect(creds.host).toBe('redis');
+		expect(creds.port).toBe(6379);
+		expect(creds.username).toBe('default');
+		expect(creds.password).toHaveLength(32);
+	});
+
+	it('should generate rabbitmq credentials with defaults', () => {
+		const creds = generateServiceCredentials('rabbitmq');
+
+		expect(creds.host).toBe('rabbitmq');
+		expect(creds.port).toBe(5672);
+		expect(creds.username).toBe('app');
+		expect(creds.vhost).toBe('/');
+		expect(creds.password).toHaveLength(32);
+	});
+});
+
+describe('generateServicesCredentials', () => {
+	it('should generate credentials for multiple services', () => {
+		const creds = generateServicesCredentials(['postgres', 'redis']);
+
+		expect(creds.postgres).toBeDefined();
+		expect(creds.redis).toBeDefined();
+		expect(creds.rabbitmq).toBeUndefined();
+	});
+
+	it('should generate unique passwords for each service', () => {
+		const creds = generateServicesCredentials([
+			'postgres',
+			'redis',
+			'rabbitmq',
+		]);
+
+		expect(creds.postgres!.password).not.toBe(creds.redis!.password);
+		expect(creds.redis!.password).not.toBe(creds.rabbitmq!.password);
+	});
+});
+
+describe('generatePostgresUrl', () => {
+	it('should generate valid postgres URL', () => {
+		const creds: ServiceCredentials = {
+			host: 'postgres',
+			port: 5432,
+			username: 'app',
+			password: 'secret123',
+			database: 'mydb',
+		};
+
+		const url = generatePostgresUrl(creds);
+		expect(url).toBe('postgresql://app:secret123@postgres:5432/mydb');
+	});
+
+	it('should encode special characters in password', () => {
+		const creds: ServiceCredentials = {
+			host: 'postgres',
+			port: 5432,
+			username: 'app',
+			password: 'pass@word/test',
+			database: 'mydb',
+		};
+
+		const url = generatePostgresUrl(creds);
+		expect(url).toBe('postgresql://app:pass%40word%2Ftest@postgres:5432/mydb');
+	});
+});
+
+describe('generateRedisUrl', () => {
+	it('should generate valid redis URL', () => {
+		const creds: ServiceCredentials = {
+			host: 'redis',
+			port: 6379,
+			username: 'default',
+			password: 'secret123',
+		};
+
+		const url = generateRedisUrl(creds);
+		expect(url).toBe('redis://:secret123@redis:6379');
+	});
+
+	it('should encode special characters in password', () => {
+		const creds: ServiceCredentials = {
+			host: 'redis',
+			port: 6379,
+			username: 'default',
+			password: 'pass@word/test',
+		};
+
+		const url = generateRedisUrl(creds);
+		expect(url).toBe('redis://:pass%40word%2Ftest@redis:6379');
+	});
+});
+
+describe('generateRabbitmqUrl', () => {
+	it('should generate valid rabbitmq URL with default vhost', () => {
+		const creds: ServiceCredentials = {
+			host: 'rabbitmq',
+			port: 5672,
+			username: 'app',
+			password: 'secret123',
+			vhost: '/',
+		};
+
+		const url = generateRabbitmqUrl(creds);
+		expect(url).toBe('amqp://app:secret123@rabbitmq:5672/%2F');
+	});
+
+	it('should handle custom vhost', () => {
+		const creds: ServiceCredentials = {
+			host: 'rabbitmq',
+			port: 5672,
+			username: 'app',
+			password: 'secret123',
+			vhost: '/myapp',
+		};
+
+		const url = generateRabbitmqUrl(creds);
+		expect(url).toBe('amqp://app:secret123@rabbitmq:5672/%2Fmyapp');
+	});
+});
+
+describe('generateConnectionUrls', () => {
+	it('should generate DATABASE_URL for postgres', () => {
+		const urls = generateConnectionUrls({
+			postgres: {
+				host: 'postgres',
+				port: 5432,
+				username: 'app',
+				password: 'secret',
+				database: 'app',
+			},
+		});
+
+		expect(urls.DATABASE_URL).toBe('postgresql://app:secret@postgres:5432/app');
+		expect(urls.REDIS_URL).toBeUndefined();
+		expect(urls.RABBITMQ_URL).toBeUndefined();
+	});
+
+	it('should generate all URLs when all services present', () => {
+		const urls = generateConnectionUrls({
+			postgres: {
+				host: 'postgres',
+				port: 5432,
+				username: 'app',
+				password: 'pg-pass',
+				database: 'app',
+			},
+			redis: {
+				host: 'redis',
+				port: 6379,
+				username: 'default',
+				password: 'redis-pass',
+			},
+			rabbitmq: {
+				host: 'rabbitmq',
+				port: 5672,
+				username: 'app',
+				password: 'rmq-pass',
+				vhost: '/',
+			},
+		});
+
+		expect(urls.DATABASE_URL).toBeDefined();
+		expect(urls.REDIS_URL).toBeDefined();
+		expect(urls.RABBITMQ_URL).toBeDefined();
+	});
+});
+
+describe('createStageSecrets', () => {
+	it('should create stage secrets with stage name', () => {
+		const secrets = createStageSecrets('production', ['postgres']);
+
+		expect(secrets.stage).toBe('production');
+		expect(secrets.createdAt).toBeDefined();
+		expect(secrets.updatedAt).toBeDefined();
+		expect(secrets.custom).toEqual({});
+	});
+
+	it('should include service credentials', () => {
+		const secrets = createStageSecrets('staging', ['postgres', 'redis']);
+
+		expect(secrets.services.postgres).toBeDefined();
+		expect(secrets.services.redis).toBeDefined();
+		expect(secrets.services.rabbitmq).toBeUndefined();
+	});
+
+	it('should generate connection URLs', () => {
+		const secrets = createStageSecrets('production', [
+			'postgres',
+			'redis',
+			'rabbitmq',
+		]);
+
+		expect(secrets.urls.DATABASE_URL).toBeDefined();
+		expect(secrets.urls.REDIS_URL).toBeDefined();
+		expect(secrets.urls.RABBITMQ_URL).toBeDefined();
+	});
+});
+
+describe('rotateServicePassword', () => {
+	it('should rotate password for specified service', () => {
+		const original = createStageSecrets('production', ['postgres', 'redis']);
+		const originalPassword = original.services.postgres!.password;
+
+		const rotated = rotateServicePassword(original, 'postgres');
+
+		expect(rotated.services.postgres!.password).not.toBe(originalPassword);
+		expect(rotated.services.redis!.password).toBe(
+			original.services.redis!.password,
+		);
+	});
+
+	it('should update updatedAt timestamp', () => {
+		// Create with a fixed past timestamp
+		const original: StageSecrets = {
+			stage: 'production',
+			createdAt: '2024-01-01T00:00:00.000Z',
+			updatedAt: '2024-01-01T00:00:00.000Z',
+			services: {
+				postgres: {
+					host: 'postgres',
+					port: 5432,
+					username: 'app',
+					password: 'original-pass',
+					database: 'app',
+				},
+			},
+			urls: {
+				DATABASE_URL: 'postgresql://app:original-pass@postgres:5432/app',
+			},
+			custom: {},
+		};
+
+		const rotated = rotateServicePassword(original, 'postgres');
+
+		expect(rotated.updatedAt).not.toBe(original.updatedAt);
+	});
+
+	it('should regenerate connection URL', () => {
+		const original = createStageSecrets('production', ['postgres']);
+		const originalUrl = original.urls.DATABASE_URL;
+
+		const rotated = rotateServicePassword(original, 'postgres');
+
+		expect(rotated.urls.DATABASE_URL).not.toBe(originalUrl);
+	});
+
+	it('should throw for unconfigured service', () => {
+		const secrets = createStageSecrets('production', ['postgres']);
+
+		expect(() => rotateServicePassword(secrets, 'redis')).toThrow(
+			'Service "redis" not configured in secrets',
+		);
+	});
+
+	it('should preserve other service credentials', () => {
+		const original = createStageSecrets('production', [
+			'postgres',
+			'redis',
+			'rabbitmq',
+		]);
+
+		const rotated = rotateServicePassword(original, 'postgres');
+
+		expect(rotated.services.redis).toEqual(original.services.redis);
+		expect(rotated.services.rabbitmq).toEqual(original.services.rabbitmq);
+	});
+});

package/src/secrets/__tests__/index.spec.ts

@@ -0,0 +1,91 @@
+import { describe, expect, it } from 'vitest';
+import { getServicesFromConfig, maskUrl } from '../index';
+
+describe('getServicesFromConfig', () => {
+	it('should return empty array when services is undefined', () => {
+		const result = getServicesFromConfig(undefined);
+		expect(result).toEqual([]);
+	});
+
+	it('should return array as-is when services is an array', () => {
+		const services = ['postgres', 'redis'] as const;
+		const result = getServicesFromConfig([...services]);
+		expect(result).toEqual(['postgres', 'redis']);
+	});
+
+	it('should extract service names from object config', () => {
+		const services = {
+			postgres: true,
+			redis: { port: 6379 },
+			rabbitmq: false,
+		};
+		const result = getServicesFromConfig(services);
+		expect(result).toContain('postgres');
+		expect(result).toContain('redis');
+		expect(result).not.toContain('rabbitmq');
+	});
+
+	it('should handle empty object', () => {
+		const result = getServicesFromConfig({});
+		expect(result).toEqual([]);
+	});
+
+	it('should handle all falsy values in object', () => {
+		const services = {
+			postgres: false,
+			redis: null,
+			rabbitmq: undefined,
+		};
+		const result = getServicesFromConfig(services as Record<string, unknown>);
+		expect(result).toEqual([]);
+	});
+});
+
+describe('maskUrl', () => {
+	it('should mask password in URL', () => {
+		const url = 'postgres://user:secretpassword@localhost:5432/db';
+		const masked = maskUrl(url);
+		expect(masked).not.toContain('secretpassword');
+		expect(masked).toContain('user');
+		expect(masked).toContain('localhost');
+		expect(masked).toContain('5432');
+		expect(masked).toContain('db');
+	});
+
+	it('should handle URL without password', () => {
+		const url = 'redis://localhost:6379';
+		const masked = maskUrl(url);
+		// URL object normalizes the format
+		expect(masked).toContain('redis://');
+		expect(masked).toContain('localhost:6379');
+	});
+
+	it('should handle URL with username only', () => {
+		const url = 'postgres://user@localhost:5432/db';
+		const masked = maskUrl(url);
+		expect(masked).toContain('user');
+		expect(masked).toContain('localhost');
+	});
+
+	it('should return original string for invalid URL', () => {
+		const invalid = 'not-a-url';
+		const result = maskUrl(invalid);
+		expect(result).toBe('not-a-url');
+	});
+
+	it('should handle amqp URLs', () => {
+		const url = 'amqp://guest:guestpass@localhost:5672/vhost';
+		const masked = maskUrl(url);
+		expect(masked).not.toContain('guestpass');
+		expect(masked).toContain('guest');
+		expect(masked).toContain('vhost');
+	});
+
+	it('should handle https URLs with credentials', () => {
+		const url = 'https://user:apikey123@api.example.com/v1';
+		const masked = maskUrl(url);
+		expect(masked).not.toContain('apikey123');
+		expect(masked).toContain('user');
+		expect(masked).toContain('api.example.com');
+	});
+});