@gugananuvem/aws-local-simulator 1.0.12 → 1.0.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +594 -257
- package/bin/aws-local-simulator.js +63 -63
- package/package.json +21 -10
- package/src/config/config-loader.js +114 -114
- package/src/config/default-config.js +68 -67
- package/src/config/env-loader.js +68 -68
- package/src/index.js +146 -130
- package/src/index.mjs +123 -123
- package/src/server.js +227 -223
- package/src/services/apigateway/index.js +73 -68
- package/src/services/apigateway/server.js +507 -487
- package/src/services/apigateway/simulator.js +1261 -1251
- package/src/services/athena/index.js +75 -0
- package/src/services/athena/server.js +101 -0
- package/src/services/athena/simulador.js +998 -0
- package/src/services/athena/simulator.js +346 -0
- package/src/services/cloudformation/index.js +106 -0
- package/src/services/cloudformation/server.js +417 -0
- package/src/services/cloudformation/simulador.js +1045 -0
- package/src/services/cloudtrail/index.js +84 -0
- package/src/services/cloudtrail/server.js +235 -0
- package/src/services/cloudtrail/simulador.js +719 -0
- package/src/services/cloudwatch/index.js +84 -0
- package/src/services/cloudwatch/server.js +366 -0
- package/src/services/cloudwatch/simulador.js +1173 -0
- package/src/services/cognito/index.js +79 -65
- package/src/services/cognito/server.js +301 -279
- package/src/services/cognito/simulator.js +1655 -1115
- package/src/services/config/index.js +96 -0
- package/src/services/config/server.js +215 -0
- package/src/services/config/simulador.js +1260 -0
- package/src/services/dynamodb/index.js +74 -70
- package/src/services/dynamodb/server.js +125 -121
- package/src/services/dynamodb/simulator.js +630 -620
- package/src/services/ecs/index.js +65 -65
- package/src/services/ecs/server.js +235 -233
- package/src/services/ecs/simulator.js +844 -844
- package/src/services/eventbridge/index.js +89 -85
- package/src/services/eventbridge/server.js +209 -0
- package/src/services/eventbridge/simulator.js +684 -0
- package/src/services/index.js +45 -19
- package/src/services/kms/index.js +75 -0
- package/src/services/kms/server.js +67 -0
- package/src/services/kms/simulator.js +324 -0
- package/src/services/lambda/handler-loader.js +183 -183
- package/src/services/lambda/index.js +78 -73
- package/src/services/lambda/route-registry.js +274 -274
- package/src/services/lambda/server.js +145 -145
- package/src/services/lambda/simulator.js +199 -172
- package/src/services/parameter-store/index.js +80 -0
- package/src/services/parameter-store/server.js +50 -0
- package/src/services/parameter-store/simulator.js +201 -0
- package/src/services/s3/index.js +73 -69
- package/src/services/s3/server.js +329 -238
- package/src/services/s3/simulator.js +565 -740
- package/src/services/secret-manager/index.js +80 -0
- package/src/services/secret-manager/server.js +50 -0
- package/src/services/secret-manager/simulator.js +171 -0
- package/src/services/sns/index.js +89 -76
- package/src/services/sns/server.js +580 -0
- package/src/services/sns/simulator.js +1482 -0
- package/src/services/sqs/index.js +93 -95
- package/src/services/sqs/server.js +349 -345
- package/src/services/sqs/simulator.js +441 -441
- package/src/services/sts/index.js +37 -37
- package/src/services/sts/server.js +144 -142
- package/src/services/sts/simulator.js +69 -69
- package/src/services/xray/index.js +83 -0
- package/src/services/xray/server.js +308 -0
- package/src/services/xray/simulador.js +994 -0
- package/src/template/aws-config-template.js +87 -87
- package/src/template/aws-config-template.mjs +90 -90
- package/src/template/config-template.json +203 -203
- package/src/utils/aws-config.js +91 -91
- package/src/utils/cloudtrail-audit.js +129 -0
- package/src/utils/local-store.js +83 -67
- package/src/utils/logger.js +59 -59
package/src/services/index.js
CHANGED
|
@@ -1,19 +1,45 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Barrel export para todos os serviços
|
|
3
|
-
*/
|
|
4
|
-
|
|
5
|
-
const DynamoDBService = require('./dynamodb');
|
|
6
|
-
const S3Service = require('./s3');
|
|
7
|
-
const SQSService = require('./sqs');
|
|
8
|
-
const LambdaService = require('./lambda');
|
|
9
|
-
const
|
|
10
|
-
const
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
};
|
|
1
|
+
/**
|
|
2
|
+
* Barrel export para todos os serviços
|
|
3
|
+
*/
|
|
4
|
+
|
|
5
|
+
const DynamoDBService = require('./dynamodb');
|
|
6
|
+
const S3Service = require('./s3');
|
|
7
|
+
const SQSService = require('./sqs');
|
|
8
|
+
const LambdaService = require('./lambda');
|
|
9
|
+
const CognitoService = require('./cognito');
|
|
10
|
+
const APIGatewayService = require('./apigateway');
|
|
11
|
+
const ECSService = require('./ecs');
|
|
12
|
+
const STSService = require('./sts');
|
|
13
|
+
const { SNSService } = require('./sns');
|
|
14
|
+
const { EventBridgeService } = require('./eventbridge');
|
|
15
|
+
const { CloudWatchService } = require('./cloudwatch');
|
|
16
|
+
const CloudTrailService = require('./cloudtrail');
|
|
17
|
+
const { KMSService } = require('./kms');
|
|
18
|
+
const CloudFormationService = require('./cloudformation');
|
|
19
|
+
const { XRayService } = require('./xray');
|
|
20
|
+
const { SecretManagerService } = require('./secret-manager');
|
|
21
|
+
const { ParameterStoreService } = require('./parameter-store');
|
|
22
|
+
const { ConfigService } = require('./config');
|
|
23
|
+
const { AthenaService } = require('./athena');
|
|
24
|
+
|
|
25
|
+
module.exports = {
|
|
26
|
+
DynamoDBService,
|
|
27
|
+
S3Service,
|
|
28
|
+
SQSService,
|
|
29
|
+
LambdaService,
|
|
30
|
+
CognitoService,
|
|
31
|
+
APIGatewayService,
|
|
32
|
+
ECSService,
|
|
33
|
+
STSService,
|
|
34
|
+
SNSService,
|
|
35
|
+
EventBridgeService,
|
|
36
|
+
CloudWatchService,
|
|
37
|
+
CloudTrailService,
|
|
38
|
+
KMSService,
|
|
39
|
+
CloudFormationService,
|
|
40
|
+
XRayService,
|
|
41
|
+
SecretManagerService,
|
|
42
|
+
ParameterStoreService,
|
|
43
|
+
ConfigService,
|
|
44
|
+
AthenaService,
|
|
45
|
+
};
|
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const http = require('http');
|
|
4
|
+
const path = require('path');
|
|
5
|
+
const { KMSSimulator } = require('./simulator');
|
|
6
|
+
const { KMSServer } = require('./server');
|
|
7
|
+
const LocalStore = require('../../utils/local-store');
|
|
8
|
+
|
|
9
|
+
class KMSService {
|
|
10
|
+
constructor(config) {
|
|
11
|
+
this.config = config;
|
|
12
|
+
this.logger = require('../../utils/logger');
|
|
13
|
+
this.name = 'kms';
|
|
14
|
+
this.port = config?.ports?.kms || config?.services?.kms?.port || 4000;
|
|
15
|
+
this.store = null;
|
|
16
|
+
this.simulator = null;
|
|
17
|
+
this.httpServer = null;
|
|
18
|
+
this.isRunning = false;
|
|
19
|
+
}
|
|
20
|
+
|
|
21
|
+
async initialize() {
|
|
22
|
+
this.logger.debug(`Inicializando KMS Service na porta ${this.port}...`);
|
|
23
|
+
const dataDir = process.env.AWS_LOCAL_SIMULATOR_DATA_DIR;
|
|
24
|
+
this.store = new LocalStore(path.join(dataDir, 'kms'));
|
|
25
|
+
this.simulator = new KMSSimulator(this.store, this.logger, this.config);
|
|
26
|
+
await this.simulator.initialize();
|
|
27
|
+
this.app = new KMSServer(this.simulator, this.logger, this.config).getApp();
|
|
28
|
+
this.logger.debug('KMS Service inicializado');
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
injectDependencies(server) {
|
|
32
|
+
const ct = server.getService('cloudtrail');
|
|
33
|
+
if (ct?.simulator) this.simulator.audit.setTrail(ct.simulator);
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
async start() {
|
|
37
|
+
if (this.isRunning) return;
|
|
38
|
+
return new Promise((resolve, reject) => {
|
|
39
|
+
this.httpServer = http.createServer(this.app);
|
|
40
|
+
this.httpServer.listen(this.port, () => {
|
|
41
|
+
this.isRunning = true;
|
|
42
|
+
this.logger.debug(`KMS rodando na porta ${this.port}`);
|
|
43
|
+
resolve();
|
|
44
|
+
});
|
|
45
|
+
this.httpServer.on('error', reject);
|
|
46
|
+
});
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
async stop() {
|
|
50
|
+
if (!this.isRunning || !this.httpServer) return;
|
|
51
|
+
return new Promise((resolve) => {
|
|
52
|
+
this.httpServer.close(() => {
|
|
53
|
+
this.isRunning = false;
|
|
54
|
+
resolve();
|
|
55
|
+
});
|
|
56
|
+
});
|
|
57
|
+
}
|
|
58
|
+
|
|
59
|
+
async reset() {
|
|
60
|
+
await this.simulator.reset();
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
getStatus() {
|
|
64
|
+
return {
|
|
65
|
+
running: this.isRunning,
|
|
66
|
+
port: this.port,
|
|
67
|
+
endpoint: `http://localhost:${this.port}`,
|
|
68
|
+
keys: this.simulator?.keys.size || 0,
|
|
69
|
+
};
|
|
70
|
+
}
|
|
71
|
+
|
|
72
|
+
getSimulator() { return this.simulator; }
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
module.exports = { KMSService };
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const express = require('express');
|
|
4
|
+
const cors = require('cors');
|
|
5
|
+
|
|
6
|
+
class KMSServer {
|
|
7
|
+
constructor(simulator, logger, config) {
|
|
8
|
+
this.simulator = simulator;
|
|
9
|
+
this.logger = logger;
|
|
10
|
+
this.config = config;
|
|
11
|
+
this.app = express();
|
|
12
|
+
this._setupMiddleware();
|
|
13
|
+
this._setupRoutes();
|
|
14
|
+
}
|
|
15
|
+
|
|
16
|
+
_setupMiddleware() {
|
|
17
|
+
if (this.config.cors?.enabled !== false) this.app.use(cors({ origin: this.config.cors?.origin || '*' }));
|
|
18
|
+
this.app.use(express.json({ limit: '5mb', type: ['application/json', 'application/x-amz-json-1.1'] }));
|
|
19
|
+
this.app.use((req, res, next) => { this.logger.debug(`KMS ${req.headers['x-amz-target']}`, 'kms'); next(); });
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
_getOperation(target) {
|
|
23
|
+
const map = {
|
|
24
|
+
'TrentService.CreateKey': 'createKey',
|
|
25
|
+
'TrentService.DescribeKey': 'describeKey',
|
|
26
|
+
'TrentService.ListKeys': 'listKeys',
|
|
27
|
+
'TrentService.EnableKey': 'enableKey',
|
|
28
|
+
'TrentService.DisableKey': 'disableKey',
|
|
29
|
+
'TrentService.ScheduleKeyDeletion': 'scheduleKeyDeletion',
|
|
30
|
+
'TrentService.CancelKeyDeletion': 'cancelKeyDeletion',
|
|
31
|
+
'TrentService.CreateAlias': 'createAlias',
|
|
32
|
+
'TrentService.DeleteAlias': 'deleteAlias',
|
|
33
|
+
'TrentService.ListAliases': 'listAliases',
|
|
34
|
+
'TrentService.Encrypt': 'encrypt',
|
|
35
|
+
'TrentService.Decrypt': 'decrypt',
|
|
36
|
+
'TrentService.GenerateDataKey': 'generateDataKey',
|
|
37
|
+
'TrentService.GenerateDataKeyWithoutPlaintext': 'generateDataKeyWithoutPlaintext',
|
|
38
|
+
'TrentService.GenerateDataKeyPair': 'generateDataKeyPair',
|
|
39
|
+
'TrentService.Sign': 'sign',
|
|
40
|
+
'TrentService.Verify': 'verify',
|
|
41
|
+
'TrentService.GenerateRandom': 'generateRandom',
|
|
42
|
+
};
|
|
43
|
+
return map[target];
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
_setupRoutes() {
|
|
47
|
+
this.app.get('/__admin/health', (req, res) => res.json({ status: 'healthy', service: 'kms', timestamp: new Date().toISOString() }));
|
|
48
|
+
this.app.get('/__admin/keys', async (req, res) => { const r = await this.simulator.listKeys({}); res.json(r); });
|
|
49
|
+
|
|
50
|
+
this.app.post('/', async (req, res) => {
|
|
51
|
+
const target = req.headers['x-amz-target'];
|
|
52
|
+
const operation = this._getOperation(target);
|
|
53
|
+
if (!operation) return res.status(400).json({ __type: 'UnknownOperationException', message: `Unknown: ${target}` });
|
|
54
|
+
try {
|
|
55
|
+
const result = await this.simulator[operation](req.body || {});
|
|
56
|
+
res.json(result || {});
|
|
57
|
+
} catch (err) {
|
|
58
|
+
this.logger.error(`KMS ${target}: ${err.message}`, 'kms');
|
|
59
|
+
res.status(err.code === 'NotFoundException' ? 404 : 400).json({ __type: err.code || 'KMSInternalException', message: err.message });
|
|
60
|
+
}
|
|
61
|
+
});
|
|
62
|
+
}
|
|
63
|
+
|
|
64
|
+
getApp() { return this.app; }
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
module.exports = { KMSServer };
|
|
@@ -0,0 +1,324 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const crypto = require('crypto');
|
|
4
|
+
const { v4: uuidv4 } = require('uuid');
|
|
5
|
+
const { CloudTrailAudit } = require('../../utils/cloudtrail-audit');
|
|
6
|
+
|
|
7
|
+
/**
|
|
8
|
+
* KMS Simulator - Criptografia real com crypto nativo
|
|
9
|
+
*/
|
|
10
|
+
class KMSSimulator {
|
|
11
|
+
constructor(store, logger, config) {
|
|
12
|
+
this.store = store;
|
|
13
|
+
this.logger = logger;
|
|
14
|
+
this.config = config;
|
|
15
|
+
this.keys = new Map();
|
|
16
|
+
this.aliases = new Map();
|
|
17
|
+
this.keyMaterial = new Map();
|
|
18
|
+
this.audit = new CloudTrailAudit('kms.amazonaws.com');
|
|
19
|
+
}
|
|
20
|
+
|
|
21
|
+
async initialize() {
|
|
22
|
+
try {
|
|
23
|
+
const keys = await this.store.read('kms/keys');
|
|
24
|
+
if (Array.isArray(keys)) {
|
|
25
|
+
for (const k of keys) {
|
|
26
|
+
this.keys.set(k.KeyId, k);
|
|
27
|
+
// Re-gerar material da chave a partir do seed
|
|
28
|
+
if (k._keySeed) {
|
|
29
|
+
this.keyMaterial.set(k.KeyId, Buffer.from(k._keySeed, 'hex'));
|
|
30
|
+
}
|
|
31
|
+
}
|
|
32
|
+
}
|
|
33
|
+
const aliases = await this.store.read('kms/aliases');
|
|
34
|
+
if (Array.isArray(aliases)) {
|
|
35
|
+
for (const a of aliases) this.aliases.set(a.AliasName, a);
|
|
36
|
+
}
|
|
37
|
+
this.logger.info('KMS: dados carregados', 'kms');
|
|
38
|
+
} catch { this.logger.debug('KMS: sem dados anteriores', 'kms'); }
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
async _persistKeys() {
|
|
42
|
+
await this.store.write('kms/keys', null, Array.from(this.keys.values()));
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
async _persistAliases() {
|
|
46
|
+
await this.store.write('kms/aliases', null, Array.from(this.aliases.values()));
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
_requireKey(keyId) {
|
|
50
|
+
// Resolver alias
|
|
51
|
+
if (keyId.startsWith('alias/')) {
|
|
52
|
+
const alias = this.aliases.get(keyId);
|
|
53
|
+
if (!alias) { const err = new Error(`Alias not found: ${keyId}`); err.code = 'NotFoundException'; throw err; }
|
|
54
|
+
keyId = alias.TargetKeyId;
|
|
55
|
+
}
|
|
56
|
+
// Resolver por ARN
|
|
57
|
+
if (keyId.startsWith('arn:')) {
|
|
58
|
+
keyId = keyId.split('/').pop();
|
|
59
|
+
}
|
|
60
|
+
const key = this.keys.get(keyId);
|
|
61
|
+
if (!key) { const err = new Error(`Key not found: ${keyId}`); err.code = 'NotFoundException'; throw err; }
|
|
62
|
+
if (key.KeyState === 'Disabled') { const err = new Error('Key is disabled'); err.code = 'DisabledException'; throw err; }
|
|
63
|
+
if (key.KeyState === 'PendingDeletion') { const err = new Error('Key is pending deletion'); err.code = 'KMSInvalidStateException'; throw err; }
|
|
64
|
+
return key;
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
async createKey(params) {
|
|
68
|
+
const { Description, KeyUsage = 'ENCRYPT_DECRYPT', KeySpec = 'SYMMETRIC_DEFAULT', Tags = [], MultiRegion = false } = params || {};
|
|
69
|
+
const keyId = uuidv4();
|
|
70
|
+
const keyArn = `arn:aws:kms:local:000000000000:key/${keyId}`;
|
|
71
|
+
let keyMaterial;
|
|
72
|
+
let publicKey = null;
|
|
73
|
+
let privateKey = null;
|
|
74
|
+
|
|
75
|
+
if (KeySpec === 'SYMMETRIC_DEFAULT') {
|
|
76
|
+
keyMaterial = crypto.randomBytes(32);
|
|
77
|
+
} else if (KeySpec.startsWith('RSA_')) {
|
|
78
|
+
const bits = KeySpec === 'RSA_2048' ? 2048 : KeySpec === 'RSA_3072' ? 3072 : 4096;
|
|
79
|
+
const pair = crypto.generateKeyPairSync('rsa', {
|
|
80
|
+
modulusLength: bits,
|
|
81
|
+
publicKeyEncoding: { type: 'spki', format: 'pem' },
|
|
82
|
+
privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
|
|
83
|
+
});
|
|
84
|
+
publicKey = pair.publicKey;
|
|
85
|
+
privateKey = pair.privateKey;
|
|
86
|
+
keyMaterial = Buffer.from(privateKey);
|
|
87
|
+
} else if (KeySpec.startsWith('ECC_')) {
|
|
88
|
+
const curve = KeySpec.includes('P256') ? 'prime256v1' : KeySpec.includes('P384') ? 'secp384r1' : 'secp521r1';
|
|
89
|
+
const pair = crypto.generateKeyPairSync('ec', {
|
|
90
|
+
namedCurve: curve,
|
|
91
|
+
publicKeyEncoding: { type: 'spki', format: 'pem' },
|
|
92
|
+
privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
|
|
93
|
+
});
|
|
94
|
+
publicKey = pair.publicKey;
|
|
95
|
+
privateKey = pair.privateKey;
|
|
96
|
+
keyMaterial = Buffer.from(privateKey);
|
|
97
|
+
} else {
|
|
98
|
+
keyMaterial = crypto.randomBytes(32);
|
|
99
|
+
}
|
|
100
|
+
|
|
101
|
+
this.keyMaterial.set(keyId, keyMaterial);
|
|
102
|
+
const key = {
|
|
103
|
+
KeyId: keyId,
|
|
104
|
+
KeyArn: keyArn,
|
|
105
|
+
Description: Description || '',
|
|
106
|
+
KeyUsage,
|
|
107
|
+
KeySpec,
|
|
108
|
+
KeyState: 'Enabled',
|
|
109
|
+
Enabled: true,
|
|
110
|
+
CreationDate: new Date().toISOString(),
|
|
111
|
+
MultiRegion,
|
|
112
|
+
Tags,
|
|
113
|
+
PublicKey: publicKey,
|
|
114
|
+
_keySeed: keyMaterial.toString('hex')
|
|
115
|
+
};
|
|
116
|
+
this.keys.set(keyId, key);
|
|
117
|
+
await this._persistKeys();
|
|
118
|
+
this.logger.info(`KMS: chave criada: ${keyId}`, 'kms');
|
|
119
|
+
this.audit.record({ eventName: 'CreateKey', readOnly: false, resources: [{ ARN: keyArn, type: 'AWS::KMS::Key' }], requestParameters: { description: Description, keyUsage: KeyUsage, keySpec: KeySpec } });
|
|
120
|
+
return { KeyMetadata: this._sanitizeKey(key) };
|
|
121
|
+
}
|
|
122
|
+
|
|
123
|
+
async describeKey(params) {
|
|
124
|
+
const key = this._requireKey(params.KeyId);
|
|
125
|
+
return { KeyMetadata: this._sanitizeKey(key) };
|
|
126
|
+
}
|
|
127
|
+
|
|
128
|
+
async listKeys(params) {
|
|
129
|
+
const { Limit = 100 } = params || {};
|
|
130
|
+
const keys = Array.from(this.keys.values()).slice(0, Limit);
|
|
131
|
+
return { Keys: keys.map(k => ({ KeyId: k.KeyId, KeyArn: k.KeyArn })) };
|
|
132
|
+
}
|
|
133
|
+
|
|
134
|
+
async enableKey(params) {
|
|
135
|
+
const key = this._requireKey(params.KeyId);
|
|
136
|
+
key.KeyState = 'Enabled'; key.Enabled = true;
|
|
137
|
+
await this._persistKeys();
|
|
138
|
+
return {};
|
|
139
|
+
}
|
|
140
|
+
|
|
141
|
+
async disableKey(params) {
|
|
142
|
+
const key = this._requireKey(params.KeyId);
|
|
143
|
+
key.KeyState = 'Disabled'; key.Enabled = false;
|
|
144
|
+
await this._persistKeys();
|
|
145
|
+
return {};
|
|
146
|
+
}
|
|
147
|
+
|
|
148
|
+
async scheduleKeyDeletion(params) {
|
|
149
|
+
const { KeyId, PendingWindowInDays = 30 } = params;
|
|
150
|
+
const key = this._requireKey(KeyId);
|
|
151
|
+
key.KeyState = 'PendingDeletion';
|
|
152
|
+
key.DeletionDate = new Date(Date.now() + PendingWindowInDays * 86400000).toISOString();
|
|
153
|
+
await this._persistKeys();
|
|
154
|
+
return { KeyId: key.KeyId, DeletionDate: key.DeletionDate };
|
|
155
|
+
}
|
|
156
|
+
|
|
157
|
+
async cancelKeyDeletion(params) {
|
|
158
|
+
const keyId = params.KeyId.startsWith('arn:') ? params.KeyId.split('/').pop() : params.KeyId;
|
|
159
|
+
const key = this.keys.get(keyId);
|
|
160
|
+
if (!key) { const err = new Error('Key not found'); err.code = 'NotFoundException'; throw err; }
|
|
161
|
+
key.KeyState = 'Disabled'; key.DeletionDate = null;
|
|
162
|
+
await this._persistKeys();
|
|
163
|
+
return { KeyId: key.KeyId };
|
|
164
|
+
}
|
|
165
|
+
|
|
166
|
+
async createAlias(params) {
|
|
167
|
+
const { AliasName, TargetKeyId } = params;
|
|
168
|
+
const key = this._requireKey(TargetKeyId);
|
|
169
|
+
if (!AliasName.startsWith('alias/')) {
|
|
170
|
+
const err = new Error('Alias must start with alias/'); err.code = 'InvalidAliasNameException'; throw err;
|
|
171
|
+
}
|
|
172
|
+
const alias = { AliasName, TargetKeyId: key.KeyId, AliasArn: `arn:aws:kms:local:000000000000:${AliasName}`, CreationDate: new Date().toISOString() };
|
|
173
|
+
this.aliases.set(AliasName, alias);
|
|
174
|
+
await this._persistAliases();
|
|
175
|
+
return {};
|
|
176
|
+
}
|
|
177
|
+
|
|
178
|
+
async deleteAlias(params) {
|
|
179
|
+
this.aliases.delete(params.AliasName);
|
|
180
|
+
await this._persistAliases();
|
|
181
|
+
return {};
|
|
182
|
+
}
|
|
183
|
+
|
|
184
|
+
async listAliases(params) {
|
|
185
|
+
const { KeyId } = params || {};
|
|
186
|
+
let aliases = Array.from(this.aliases.values());
|
|
187
|
+
if (KeyId) aliases = aliases.filter(a => a.TargetKeyId === KeyId);
|
|
188
|
+
return { Aliases: aliases };
|
|
189
|
+
}
|
|
190
|
+
|
|
191
|
+
// ===================== CRYPTO OPERATIONS =====================
|
|
192
|
+
|
|
193
|
+
async encrypt(params) {
|
|
194
|
+
const { KeyId, Plaintext, EncryptionContext } = params;
|
|
195
|
+
const key = this._requireKey(KeyId);
|
|
196
|
+
if (key.KeyUsage !== 'ENCRYPT_DECRYPT') {
|
|
197
|
+
const err = new Error('Key not for encryption'); err.code = 'InvalidKeyUsageException'; throw err;
|
|
198
|
+
}
|
|
199
|
+
const material = this.keyMaterial.get(key.KeyId);
|
|
200
|
+
const iv = crypto.randomBytes(12);
|
|
201
|
+
const cipher = crypto.createCipheriv('aes-256-gcm', material.slice(0, 32), iv);
|
|
202
|
+
const plainBuf = Buffer.isBuffer(Plaintext) ? Plaintext : Buffer.from(Plaintext, 'base64');
|
|
203
|
+
const encrypted = Buffer.concat([cipher.update(plainBuf), cipher.final()]);
|
|
204
|
+
const tag = cipher.getAuthTag();
|
|
205
|
+
// Format: iv(12) + tag(16) + ciphertext
|
|
206
|
+
const ciphertext = Buffer.concat([iv, tag, encrypted]);
|
|
207
|
+
this.audit.record({ eventName: 'Encrypt', readOnly: false, isDataEvent: true, resources: [{ ARN: key.KeyArn, type: 'AWS::KMS::Key' }], requestParameters: { keyId: key.KeyId } });
|
|
208
|
+
return {
|
|
209
|
+
KeyId: key.KeyId,
|
|
210
|
+
CiphertextBlob: ciphertext.toString('base64'),
|
|
211
|
+
EncryptionAlgorithm: 'SYMMETRIC_DEFAULT'
|
|
212
|
+
};
|
|
213
|
+
}
|
|
214
|
+
|
|
215
|
+
async decrypt(params) {
|
|
216
|
+
const { KeyId, CiphertextBlob, EncryptionContext } = params;
|
|
217
|
+
let key;
|
|
218
|
+
if (KeyId) {
|
|
219
|
+
key = this._requireKey(KeyId);
|
|
220
|
+
} else {
|
|
221
|
+
// Tentar todas as chaves simétricas
|
|
222
|
+
key = Array.from(this.keys.values()).find(k => k.KeySpec === 'SYMMETRIC_DEFAULT' && k.KeyState === 'Enabled');
|
|
223
|
+
if (!key) { const err = new Error('No key available'); err.code = 'NotFoundException'; throw err; }
|
|
224
|
+
}
|
|
225
|
+
const material = this.keyMaterial.get(key.KeyId);
|
|
226
|
+
const buf = Buffer.isBuffer(CiphertextBlob) ? CiphertextBlob : Buffer.from(CiphertextBlob, 'base64');
|
|
227
|
+
const iv = buf.slice(0, 12);
|
|
228
|
+
const tag = buf.slice(12, 28);
|
|
229
|
+
const ciphertext = buf.slice(28);
|
|
230
|
+
try {
|
|
231
|
+
const decipher = crypto.createDecipheriv('aes-256-gcm', material.slice(0, 32), iv);
|
|
232
|
+
decipher.setAuthTag(tag);
|
|
233
|
+
const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
|
|
234
|
+
return { KeyId: key.KeyId, Plaintext: decrypted.toString('base64'), EncryptionAlgorithm: 'SYMMETRIC_DEFAULT' };
|
|
235
|
+
} catch (e) {
|
|
236
|
+
const err = new Error('Decryption failed - invalid ciphertext or wrong key'); err.code = 'InvalidCiphertextException'; throw err;
|
|
237
|
+
}
|
|
238
|
+
}
|
|
239
|
+
|
|
240
|
+
async generateDataKey(params) {
|
|
241
|
+
const { KeyId, KeySpec = 'AES_256', NumberOfBytes } = params;
|
|
242
|
+
const key = this._requireKey(KeyId);
|
|
243
|
+
const dataKeyBytes = NumberOfBytes || (KeySpec === 'AES_128' ? 16 : 32);
|
|
244
|
+
const plaintext = crypto.randomBytes(dataKeyBytes);
|
|
245
|
+
const encrypted = await this.encrypt({ KeyId: key.KeyId, Plaintext: plaintext });
|
|
246
|
+
return {
|
|
247
|
+
KeyId: key.KeyId,
|
|
248
|
+
Plaintext: plaintext.toString('base64'),
|
|
249
|
+
CiphertextBlob: encrypted.CiphertextBlob
|
|
250
|
+
};
|
|
251
|
+
}
|
|
252
|
+
|
|
253
|
+
async generateDataKeyWithoutPlaintext(params) {
|
|
254
|
+
const result = await this.generateDataKey(params);
|
|
255
|
+
const { Plaintext, ...rest } = result;
|
|
256
|
+
return rest;
|
|
257
|
+
}
|
|
258
|
+
|
|
259
|
+
async generateDataKeyPair(params) {
|
|
260
|
+
const { KeyId, KeyPairSpec } = params;
|
|
261
|
+
const key = this._requireKey(KeyId);
|
|
262
|
+
const bits = KeyPairSpec === 'RSA_2048' ? 2048 : 4096;
|
|
263
|
+
const pair = crypto.generateKeyPairSync('rsa', {
|
|
264
|
+
modulusLength: bits,
|
|
265
|
+
publicKeyEncoding: { type: 'spki', format: 'pem' },
|
|
266
|
+
privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
|
|
267
|
+
});
|
|
268
|
+
const encrypted = await this.encrypt({ KeyId: key.KeyId, Plaintext: Buffer.from(pair.privateKey) });
|
|
269
|
+
return {
|
|
270
|
+
KeyId: key.KeyId,
|
|
271
|
+
KeyPairSpec,
|
|
272
|
+
PublicKey: Buffer.from(pair.publicKey).toString('base64'),
|
|
273
|
+
PrivateKeyPlaintext: Buffer.from(pair.privateKey).toString('base64'),
|
|
274
|
+
PrivateKeyCiphertextBlob: encrypted.CiphertextBlob
|
|
275
|
+
};
|
|
276
|
+
}
|
|
277
|
+
|
|
278
|
+
async sign(params) {
|
|
279
|
+
const { KeyId, Message, MessageType = 'RAW', SigningAlgorithm } = params;
|
|
280
|
+
const key = this._requireKey(KeyId);
|
|
281
|
+
if (key.KeyUsage !== 'SIGN_VERIFY') {
|
|
282
|
+
const err = new Error('Key not for signing'); err.code = 'InvalidKeyUsageException'; throw err;
|
|
283
|
+
}
|
|
284
|
+
const material = this.keyMaterial.get(key.KeyId);
|
|
285
|
+
const msgBuf = Buffer.isBuffer(Message) ? Message : Buffer.from(Message, 'base64');
|
|
286
|
+
const sign = crypto.createSign('SHA256');
|
|
287
|
+
sign.update(msgBuf);
|
|
288
|
+
const signature = sign.sign(material.toString(), 'base64');
|
|
289
|
+
return { KeyId: key.KeyId, Signature: signature, SigningAlgorithm };
|
|
290
|
+
}
|
|
291
|
+
|
|
292
|
+
async verify(params) {
|
|
293
|
+
const { KeyId, Message, Signature, SigningAlgorithm } = params;
|
|
294
|
+
const key = this._requireKey(KeyId);
|
|
295
|
+
const material = this.keyMaterial.get(key.KeyId);
|
|
296
|
+
const msgBuf = Buffer.isBuffer(Message) ? Message : Buffer.from(Message, 'base64');
|
|
297
|
+
const verify = crypto.createVerify('SHA256');
|
|
298
|
+
verify.update(msgBuf);
|
|
299
|
+
try {
|
|
300
|
+
const valid = verify.verify(material.toString(), Signature, 'base64');
|
|
301
|
+
return { KeyId: key.KeyId, SignatureValid: valid, SigningAlgorithm };
|
|
302
|
+
} catch { return { KeyId: key.KeyId, SignatureValid: false, SigningAlgorithm }; }
|
|
303
|
+
}
|
|
304
|
+
|
|
305
|
+
async generateRandom(params) {
|
|
306
|
+
const { NumberOfBytes = 32 } = params;
|
|
307
|
+
const bytes = crypto.randomBytes(NumberOfBytes);
|
|
308
|
+
return { Plaintext: bytes.toString('base64') };
|
|
309
|
+
}
|
|
310
|
+
|
|
311
|
+
_sanitizeKey(key) {
|
|
312
|
+
const { _keySeed, PublicKey: pk, ...clean } = key;
|
|
313
|
+
return clean;
|
|
314
|
+
}
|
|
315
|
+
|
|
316
|
+
async reset() {
|
|
317
|
+
this.keys.clear();
|
|
318
|
+
this.aliases.clear();
|
|
319
|
+
this.keyMaterial.clear();
|
|
320
|
+
await this.store.clear('kms');
|
|
321
|
+
}
|
|
322
|
+
}
|
|
323
|
+
|
|
324
|
+
module.exports = { KMSSimulator };
|