npm - @highstate/backend - Versions diffs - 0.9.26 → 0.9.28 - Mend

@highstate/backend 0.9.26 → 0.9.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/src/business/backend-unlock.test.ts ADDED Viewed

@@ -0,0 +1,133 @@
+import { hostname } from "node:os"
+import { describe, expect } from "vitest"
+import { getInitialBackendUnlockMethodMeta } from "../database/local/backend"
+import { test } from "../test-utils"
+import { TestDatabaseManager } from "../test-utils/database"
+import { BackendUnlockService } from "./backend-unlock"
+const backendUnlockTest = test.extend<{
+  encryptedDatabase: TestDatabaseManager
+  backendUnlockService: BackendUnlockService
+}>({
+  encryptedDatabase: [
+    async ({ logger }, use) => {
+      const database = await TestDatabaseManager.create(logger, {
+        isEncryptionEnabled: true,
+      })
+      try {
+        await use(database)
+      } finally {
+        await database.cleanup()
+      }
+    },
+    { scope: "file" },
+  ],
+  backendUnlockService: [
+    async ({ encryptedDatabase, logger }, use) => {
+      const service = new BackendUnlockService(
+        encryptedDatabase,
+        logger.child({ service: "BackendUnlockServiceTest" }),
+      )
+      await use(service)
+    },
+    { scope: "file" },
+  ],
+})
+describe("BackendUnlockService", () => {
+  backendUnlockTest(
+    "seeds an initial unlock method for the local machine",
+    async ({ encryptedDatabase }) => {
+      const methods = await encryptedDatabase.backend.backendUnlockMethod.findMany()
+      expect(methods.length).toBeGreaterThan(0)
+      const [initial] = methods
+      const meta = initial.meta as { title?: string; description?: string }
+      const expectedMeta = getInitialBackendUnlockMethodMeta(hostname())
+      expect(meta.title).toBe(expectedMeta.title)
+      expect(meta.description).toBe(expectedMeta.description)
+    },
+  )
+  backendUnlockTest("lists unlock methods", async ({ encryptedDatabase, backendUnlockService }) => {
+    await encryptedDatabase.backend.backendUnlockMethod.deleteMany()
+    const first = await encryptedDatabase.backend.backendUnlockMethod.create({
+      data: {
+        meta: { title: "Laptop" },
+        recipient: "age1example1",
+      },
+    })
+    const second = await encryptedDatabase.backend.backendUnlockMethod.create({
+      data: {
+        meta: { title: "Desktop", description: "Office" },
+        recipient: "age1example2",
+      },
+    })
+    const methods = await backendUnlockService.listUnlockMethods()
+    expect(methods).toHaveLength(2)
+    expect(methods[0].id).toBe(first.id)
+    expect(methods[0].meta.title).toBe("Laptop")
+    expect(methods[1].recipient).toBe(second.recipient)
+    expect(methods[1].meta.description).toBe("Office")
+  })
+  backendUnlockTest(
+    "adds unlock method and reencrypts master key",
+    async ({ encryptedDatabase, backendUnlockService }) => {
+      await encryptedDatabase.backend.backendUnlockMethod.deleteMany()
+      encryptedDatabase.backendUnlockRecipientUpdates.length = 0
+      const result = await backendUnlockService.addUnlockMethod({
+        meta: { title: "Laptop" },
+        recipient: "age1newrecipient",
+      })
+      expect(result.meta.title).toBe("Laptop")
+      const stored = await encryptedDatabase.backend.backendUnlockMethod.findUniqueOrThrow({
+        where: { id: result.id },
+      })
+      expect(stored.recipient).toBe("age1newrecipient")
+      expect(encryptedDatabase.backendUnlockRecipientUpdates).toHaveLength(1)
+      expect(encryptedDatabase.backendUnlockRecipientUpdates[0]).toEqual(["age1newrecipient"])
+    },
+  )
+  backendUnlockTest(
+    "deletes unlock method and reencrypts master key",
+    async ({ encryptedDatabase, backendUnlockService }) => {
+      await encryptedDatabase.backend.backendUnlockMethod.deleteMany()
+      const keep = await encryptedDatabase.backend.backendUnlockMethod.create({
+        data: {
+          meta: { title: "Primary" },
+          recipient: "age1primary",
+        },
+      })
+      const remove = await encryptedDatabase.backend.backendUnlockMethod.create({
+        data: {
+          meta: { title: "Old" },
+          recipient: "age1old",
+        },
+      })
+      encryptedDatabase.backendUnlockRecipientUpdates.length = 0
+      await backendUnlockService.deleteUnlockMethod(remove.id)
+      const remaining = await encryptedDatabase.backend.backendUnlockMethod.findMany()
+      expect(remaining).toHaveLength(1)
+      expect(remaining[0].id).toBe(keep.id)
+      expect(encryptedDatabase.backendUnlockRecipientUpdates).toHaveLength(1)
+      expect(encryptedDatabase.backendUnlockRecipientUpdates[0]).toEqual(["age1primary"])
+    },
+  )
+})

package/src/business/backend-unlock.ts ADDED Viewed

@@ -0,0 +1,76 @@
+import type { Logger } from "pino"
+import type { BackendUnlockMethod, DatabaseManager } from "../database"
+import {
+  type BackendUnlockMethodInput,
+  BackendUnlockMethodNotFoundError,
+  CannotDeleteLastBackendUnlockMethodError,
+} from "../shared"
+export class BackendUnlockService {
+  constructor(
+    private readonly database: DatabaseManager,
+    private readonly logger: Logger,
+  ) {}
+  /**
+   * Lists backend unlock methods ordered by creation time.
+   *
+   * @returns The ordered unlock method collection.
+   */
+  async listUnlockMethods(): Promise<BackendUnlockMethod[]> {
+    return await this.database.backend.backendUnlockMethod.findMany({
+      orderBy: { createdAt: "asc" },
+    })
+  }
+  /**
+   * Stores a new unlock method and refreshes master-key recipients.
+   *
+   * @param input Unlock method payload gathered from the CLI or automation.
+   * @returns The persisted unlock method.
+   */
+  async addUnlockMethod(input: BackendUnlockMethodInput): Promise<BackendUnlockMethod> {
+    const record = await this.database.backend.backendUnlockMethod.create({ data: input })
+    await this.reencryptBackendMasterKey()
+    return record
+  }
+  /**
+   * Removes an unlock method by identifier and rotates the encrypted master key.
+   *
+   * @param id Identifier of the unlock method to delete.
+   */
+  async deleteUnlockMethod(id: string): Promise<void> {
+    const methods = await this.database.backend.backendUnlockMethod.findMany()
+    const method = methods.find(m => m.id === id)
+    if (!method) {
+      throw new BackendUnlockMethodNotFoundError(id)
+    }
+    if (methods.length === 1) {
+      throw new CannotDeleteLastBackendUnlockMethodError()
+    }
+    await this.database.backend.backendUnlockMethod.delete({ where: { id } })
+    await this.reencryptBackendMasterKey()
+  }
+  private async reencryptBackendMasterKey(): Promise<void> {
+    if (!this.database.isEncryptionEnabled) {
+      return
+    }
+    const recipients = await this.database.backend.backendUnlockMethod.findMany({
+      select: { recipient: true },
+    })
+    await this.database.updateBackendUnlockRecipients(recipients.map(method => method.recipient))
+    this.logger.debug(
+      { recipientCount: recipients.length },
+      "updated backend master key recipients",
+    )
+  }
+}

package/src/business/index.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 export * from "./api-key"
 export * from "./artifact"
+export * from "./backend-unlock"
 export * from "./instance-lock"
 export * from "./instance-state"
 export * from "./operation"

package/src/business/settings.test.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { createId } from "@paralleldrive/cuid2"
+import { generateIdentity, identityToRecipient } from "age-encryption"
 import { describe } from "vitest"
 import { test } from "../test-utils"
 import { SettingsService } from "./settings"
@@ -460,7 +461,7 @@ describe("SettingsService", () => {
             type: "password",
             meta: { title: "Password Method" },
             encryptedIdentity: "encrypted-pwd",
-            recipient: "user@example.com",
+            recipient: await identityToRecipient(await generateIdentity()),
             createdAt: new Date("2023-01-01"),
             updatedAt: new Date("2023-01-01"),
           },
@@ -472,7 +473,7 @@ describe("SettingsService", () => {
             type: "passkey",
             meta: { title: "Passkey Method" },
             encryptedIdentity: "encrypted-key",
-            recipient: "user@example.com",
+            recipient: await identityToRecipient(await generateIdentity()),
             createdAt: new Date("2023-01-02"),
             updatedAt: new Date("2023-01-02"),
           },

package/src/database/_generated/backend/postgresql/client.ts CHANGED Viewed

@@ -26,8 +26,8 @@ export * as $Enums from './enums.ts'
  * @example
  * ```
  * const prisma = new PrismaClient()
- * // Fetch zero or more UserWorkspaseLayouts
- * const userWorkspaseLayouts = await prisma.userWorkspaseLayout.findMany()
+ * // Fetch zero or more UserWorkspaceLayouts
+ * const userWorkspaceLayouts = await prisma.userWorkspaceLayout.findMany()
  * ```
  *
  * Read more in our [docs](https://www.prisma.io/docs/reference/tools-and-interfaces/prisma-client).
@@ -39,10 +39,10 @@ export { Prisma }
 /**
- * Model UserWorkspaseLayout
+ * Model UserWorkspaceLayout
  *
  */
-export type UserWorkspaseLayout = Prisma.UserWorkspaseLayoutModel
+export type UserWorkspaceLayout = Prisma.UserWorkspaceLayoutModel
 /**
  * Model Library
  *
@@ -68,5 +68,10 @@ export type ProjectModelStorage = Prisma.ProjectModelStorageModel
  *
  */
 export type PulumiBackend = Prisma.PulumiBackendModel
+/**
+ * Model BackendUnlockMethod
+ * Unlock methods describe trusted identities that can decrypt the backend master key.
+ */
+export type BackendUnlockMethod = Prisma.BackendUnlockMethodModel