npm - @lazyapps/encryption - Versions diffs - 0.0.0-init.0 - Mend

@lazyapps/encryption 0.0.0-init.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +394 -0
package/encryption.js +146 -0
package/envelopeEncryption.js +35 -0
package/fallback.js +23 -0
package/fieldEncryption.js +106 -0
package/forgetSubjectEndpoints.js +90 -0
package/index.js +8 -0
package/keyCache.js +52 -0
package/keystores/inmemory.js +93 -0
package/keystores/mongo.js +125 -0
package/keystores/vault.js +144 -0
package/package.json +52 -0
package/pathUtils.js +13 -0
package/queryDecryptor.js +55 -0
package/schema.js +26 -0
package/storageEncryption.js +162 -0
package/subjectLifecycle.js +34 -0

package/storageEncryption.js ADDED Viewed

@@ -0,0 +1,162 @@
+import { encryptValue } from './fieldEncryption.js';
+import { getLogger } from '@lazyapps/logger';
+export const createStorageEncryptor = (
+  storageFactory,
+  readModelEncryption,
+  envelope,
+) => {
+  const log = getLogger('Encryption/Storage', 'INIT');
+  const encryptFields = (collection, target, subjectIdContext) => {
+    const collectionSchema = readModelEncryption[collection];
+    if (!collectionSchema) return Promise.resolve(target);
+    return Object.entries(collectionSchema).reduce(
+      (promise, [fieldName, fieldConfig]) =>
+        promise.then((t) => {
+          const value = t[fieldName];
+          if (value === undefined || value === null) return t;
+          const subjectId =
+            t[fieldConfig.subjectField] ||
+            (subjectIdContext && subjectIdContext[fieldConfig.subjectField]);
+          if (!subjectId) return t;
+          return envelope
+            .getDEK(subjectId, fieldConfig.context)
+            .then((dek) => ({
+              ...t,
+              [fieldName]: {
+                ...encryptValue(dek.key, value),
+                ctx: fieldConfig.context,
+                kid: subjectId,
+                kv: dek.version,
+              },
+            }));
+        }),
+      Promise.resolve({ ...target }),
+    );
+  };
+  const encryptUpdate = (collection, filter, update) => {
+    if (update.$set) {
+      return encryptFields(collection, update.$set, filter).then(
+        (encryptedSet) => ({ ...update, $set: encryptedSet }),
+      );
+    }
+    const hasOperators = Object.keys(update).some((k) => k.startsWith('$'));
+    if (!hasOperators) {
+      return encryptFields(collection, update, filter);
+    }
+    return Promise.resolve(update);
+  };
+  const encryptBulkOp = (collection, op) => {
+    if (op.insertOne)
+      return encryptFields(collection, op.insertOne.document).then((doc) => ({
+        insertOne: { document: doc },
+      }));
+    if (op.updateOne)
+      return encryptUpdate(
+        collection,
+        op.updateOne.filter,
+        op.updateOne.update,
+      ).then((update) => ({
+        updateOne: { ...op.updateOne, update },
+      }));
+    if (op.updateMany)
+      return encryptUpdate(
+        collection,
+        op.updateMany.filter,
+        op.updateMany.update,
+      ).then((update) => ({
+        updateMany: { ...op.updateMany, update },
+      }));
+    if (op.replaceOne)
+      return encryptFields(
+        collection,
+        op.replaceOne.replacement,
+        op.replaceOne.filter,
+      ).then((replacement) => ({
+        replaceOne: { ...op.replaceOne, replacement },
+      }));
+    return Promise.resolve(op);
+  };
+  const wrapPerRequest = (perRequest) => (correlationId) => {
+    const methods = perRequest(correlationId);
+    const encLog = getLogger('Encryption/Storage', correlationId);
+    return {
+      ...methods,
+      insertOne: (collection, doc) =>
+        encryptFields(collection, doc).then((encrypted) => {
+          encLog.debug(`Encrypting insertOne for ${collection}`);
+          return methods.insertOne(collection, encrypted);
+        }),
+      insertMany: (collection, docs) =>
+        Promise.all(docs.map((doc) => encryptFields(collection, doc))).then(
+          (encrypted) => {
+            encLog.debug(
+              `Encrypting insertMany (${docs.length} docs) ` +
+                `for ${collection}`,
+            );
+            return methods.insertMany(collection, encrypted);
+          },
+        ),
+      updateOne: (collection, filter, update, ...rest) =>
+        encryptUpdate(collection, filter, update).then((encrypted) => {
+          encLog.debug(`Encrypting updateOne for ${collection}`);
+          return methods.updateOne(collection, filter, encrypted, ...rest);
+        }),
+      updateMany: (collection, filter, update, ...rest) =>
+        encryptUpdate(collection, filter, update).then((encrypted) => {
+          encLog.debug(`Encrypting updateMany for ${collection}`);
+          return methods.updateMany(collection, filter, encrypted, ...rest);
+        }),
+      findOneAndUpdate: (collection, filter, update, ...rest) =>
+        encryptUpdate(collection, filter, update).then((encrypted) => {
+          encLog.debug(`Encrypting findOneAndUpdate for ${collection}`);
+          return methods.findOneAndUpdate(
+            collection,
+            filter,
+            encrypted,
+            ...rest,
+          );
+        }),
+      findOneAndReplace: (collection, filter, replacement, ...rest) =>
+        encryptFields(collection, replacement, filter).then((encrypted) => {
+          encLog.debug(`Encrypting findOneAndReplace for ${collection}`);
+          return methods.findOneAndReplace(
+            collection,
+            filter,
+            encrypted,
+            ...rest,
+          );
+        }),
+      bulkWrite: (collection, operations) =>
+        Promise.all(operations.map((op) => encryptBulkOp(collection, op))).then(
+          (encrypted) => {
+            encLog.debug(
+              `Encrypting bulkWrite (${operations.length} ops) ` +
+                `for ${collection}`,
+            );
+            return methods.bulkWrite(collection, encrypted);
+          },
+        ),
+    };
+  };
+  log.info('Storage encryption wrapper initialized');
+  return (...args) =>
+    storageFactory(...args).then((storage) => ({
+      ...storage,
+      perRequest: wrapPerRequest(storage.perRequest),
+    }));
+};

package/subjectLifecycle.js ADDED Viewed

@@ -0,0 +1,34 @@
+const validationError = (message) => {
+  const err = new Error(message);
+  err.name = 'ValidationError';
+  return err;
+};
+export const subjectLifecycleAggregate = {
+  initial: () => ({}),
+  commands: {
+    FORGET_SUBJECT: (aggregate, payload) => {
+      if (!payload.subjectId) {
+        throw validationError('Missing subjectId in payload');
+      }
+      if (aggregate.forgotten) {
+        throw validationError(
+          `Subject ${payload.subjectId} has already been forgotten`,
+        );
+      }
+      return {
+        type: 'SUBJECT_FORGOTTEN',
+        payload,
+      };
+    },
+  },
+  projections: {
+    SUBJECT_FORGOTTEN: (aggregate, event) => ({
+      ...aggregate,
+      forgotten: true,
+      forgottenAt: event.timestamp,
+    }),
+  },
+};