@koralabs/kora-labs-common 6.7.1 → 6.7.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/aws/index.d.ts +1 -1
- package/aws/index.js +2 -1
- package/aws/kmsEnvironment.d.ts +14 -0
- package/aws/kmsEnvironment.js +31 -4
- package/package.json +1 -1
package/aws/index.d.ts
CHANGED
|
@@ -1,3 +1,3 @@
|
|
|
1
|
-
export { decryptKmsCiphertext, hydrateKmsEnvironment, loadAfterHydratingKmsEnvironment } from './kmsEnvironment';
|
|
1
|
+
export { decryptKmsCiphertext, hydrateKmsEnvironment, isKmsDisabled, loadAfterHydratingKmsEnvironment } from './kmsEnvironment';
|
|
2
2
|
export type { KmsClientLike } from './kmsEnvironment';
|
|
3
3
|
export { signRs256, verifyRs256, isLocalJwtSigner } from './jwtSigner';
|
package/aws/index.js
CHANGED
|
@@ -1,9 +1,10 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.isLocalJwtSigner = exports.verifyRs256 = exports.signRs256 = exports.loadAfterHydratingKmsEnvironment = exports.hydrateKmsEnvironment = exports.decryptKmsCiphertext = void 0;
|
|
3
|
+
exports.isLocalJwtSigner = exports.verifyRs256 = exports.signRs256 = exports.loadAfterHydratingKmsEnvironment = exports.isKmsDisabled = exports.hydrateKmsEnvironment = exports.decryptKmsCiphertext = void 0;
|
|
4
4
|
var kmsEnvironment_1 = require("./kmsEnvironment");
|
|
5
5
|
Object.defineProperty(exports, "decryptKmsCiphertext", { enumerable: true, get: function () { return kmsEnvironment_1.decryptKmsCiphertext; } });
|
|
6
6
|
Object.defineProperty(exports, "hydrateKmsEnvironment", { enumerable: true, get: function () { return kmsEnvironment_1.hydrateKmsEnvironment; } });
|
|
7
|
+
Object.defineProperty(exports, "isKmsDisabled", { enumerable: true, get: function () { return kmsEnvironment_1.isKmsDisabled; } });
|
|
7
8
|
Object.defineProperty(exports, "loadAfterHydratingKmsEnvironment", { enumerable: true, get: function () { return kmsEnvironment_1.loadAfterHydratingKmsEnvironment; } });
|
|
8
9
|
var jwtSigner_1 = require("./jwtSigner");
|
|
9
10
|
Object.defineProperty(exports, "signRs256", { enumerable: true, get: function () { return jwtSigner_1.signRs256; } });
|
package/aws/kmsEnvironment.d.ts
CHANGED
|
@@ -1,6 +1,20 @@
|
|
|
1
1
|
/// <reference types="node" />
|
|
2
|
+
/// <reference types="node" />
|
|
3
|
+
/// <reference types="node" />
|
|
4
|
+
/// <reference types="node" />
|
|
5
|
+
/// <reference types="node" />
|
|
6
|
+
/// <reference types="node" />
|
|
7
|
+
/// <reference types="node" />
|
|
8
|
+
/// <reference types="node" />
|
|
2
9
|
import { KMSClient } from '@aws-sdk/client-kms';
|
|
3
10
|
export type KmsClientLike = Pick<KMSClient, 'send'>;
|
|
11
|
+
/**
|
|
12
|
+
* True when AWS KMS is intentionally disabled. On the self-hosted deployment there is no
|
|
13
|
+
* KMS — the environment is decrypted at DEPLOY time by SOPS/age (the bootstrap) and handed
|
|
14
|
+
* to the process as plaintext, so there is nothing to decrypt at runtime. Set
|
|
15
|
+
* KORA_KMS_DISABLED=true there. Legacy AWS deploys leave it unset and keep using KMS.
|
|
16
|
+
*/
|
|
17
|
+
export declare const isKmsDisabled: (env?: NodeJS.ProcessEnv) => boolean;
|
|
4
18
|
export declare function decryptKmsCiphertext(ciphertext: string, client?: KmsClientLike): Promise<string>;
|
|
5
19
|
export declare function hydrateKmsEnvironment({ env, client, keys }?: {
|
|
6
20
|
env?: NodeJS.ProcessEnv;
|
package/aws/kmsEnvironment.js
CHANGED
|
@@ -1,8 +1,17 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.loadAfterHydratingKmsEnvironment = exports.hydrateKmsEnvironment = exports.decryptKmsCiphertext = void 0;
|
|
3
|
+
exports.loadAfterHydratingKmsEnvironment = exports.hydrateKmsEnvironment = exports.decryptKmsCiphertext = exports.isKmsDisabled = void 0;
|
|
4
4
|
const client_kms_1 = require("@aws-sdk/client-kms");
|
|
5
5
|
const KMS_ENV_BUNDLE_KEY = 'KMS_ENV_BUNDLE_ENC';
|
|
6
|
+
const KMS_DISABLED_KEY = 'KORA_KMS_DISABLED';
|
|
7
|
+
/**
|
|
8
|
+
* True when AWS KMS is intentionally disabled. On the self-hosted deployment there is no
|
|
9
|
+
* KMS — the environment is decrypted at DEPLOY time by SOPS/age (the bootstrap) and handed
|
|
10
|
+
* to the process as plaintext, so there is nothing to decrypt at runtime. Set
|
|
11
|
+
* KORA_KMS_DISABLED=true there. Legacy AWS deploys leave it unset and keep using KMS.
|
|
12
|
+
*/
|
|
13
|
+
const isKmsDisabled = (env = process.env) => env[KMS_DISABLED_KEY] === 'true' || env[KMS_DISABLED_KEY] === '1';
|
|
14
|
+
exports.isKmsDisabled = isKmsDisabled;
|
|
6
15
|
async function decryptKmsCiphertext(ciphertext, client = new client_kms_1.KMSClient({})) {
|
|
7
16
|
const response = await client.send(new client_kms_1.DecryptCommand({
|
|
8
17
|
CiphertextBlob: Buffer.from(ciphertext, 'base64')
|
|
@@ -13,11 +22,29 @@ async function decryptKmsCiphertext(ciphertext, client = new client_kms_1.KMSCli
|
|
|
13
22
|
return Buffer.from(response.Plaintext).toString('utf8');
|
|
14
23
|
}
|
|
15
24
|
exports.decryptKmsCiphertext = decryptKmsCiphertext;
|
|
16
|
-
async function hydrateKmsEnvironment({ env = process.env, client
|
|
25
|
+
async function hydrateKmsEnvironment({ env = process.env, client, keys } = {}) {
|
|
26
|
+
// Self-host: SOPS/age decrypts the env at deploy time, so the values are already
|
|
27
|
+
// plaintext and there is no KMS to call. Skip decryption entirely (don't even
|
|
28
|
+
// construct a KMS client). Warn — but don't fail — if a *_ENC ciphertext (or the
|
|
29
|
+
// bundle) is present without its plaintext counterpart: that means an encrypted value
|
|
30
|
+
// was left in the env instead of supplying the decrypted one via SOPS.
|
|
31
|
+
if ((0, exports.isKmsDisabled)(env)) {
|
|
32
|
+
const undecrypted = [
|
|
33
|
+
...(env[KMS_ENV_BUNDLE_KEY] ? [KMS_ENV_BUNDLE_KEY] : []),
|
|
34
|
+
...Object.keys(env).filter((k) => k.endsWith('_ENC') && k !== KMS_ENV_BUNDLE_KEY && !env[k.slice(0, -4)])
|
|
35
|
+
];
|
|
36
|
+
if (undecrypted.length) {
|
|
37
|
+
// eslint-disable-next-line no-console
|
|
38
|
+
console.warn(`[kmsEnvironment] ${KMS_DISABLED_KEY} set — skipping AWS KMS; supply decrypted ` +
|
|
39
|
+
`values via SOPS at deploy. Left undecrypted: ${undecrypted.join(', ')}`);
|
|
40
|
+
}
|
|
41
|
+
return [];
|
|
42
|
+
}
|
|
17
43
|
const hydratedKeys = [];
|
|
44
|
+
const kms = client !== null && client !== void 0 ? client : new client_kms_1.KMSClient({});
|
|
18
45
|
const bundleCiphertext = env[KMS_ENV_BUNDLE_KEY];
|
|
19
46
|
if (bundleCiphertext) {
|
|
20
|
-
const plaintext = await decryptKmsCiphertext(bundleCiphertext,
|
|
47
|
+
const plaintext = await decryptKmsCiphertext(bundleCiphertext, kms);
|
|
21
48
|
let bundle;
|
|
22
49
|
try {
|
|
23
50
|
bundle = JSON.parse(plaintext);
|
|
@@ -51,7 +78,7 @@ async function hydrateKmsEnvironment({ env = process.env, client = new client_km
|
|
|
51
78
|
if (!ciphertext) {
|
|
52
79
|
continue;
|
|
53
80
|
}
|
|
54
|
-
env[key] = await decryptKmsCiphertext(ciphertext,
|
|
81
|
+
env[key] = await decryptKmsCiphertext(ciphertext, kms);
|
|
55
82
|
hydratedKeys.push(key);
|
|
56
83
|
}
|
|
57
84
|
return hydratedKeys;
|