@memberjunction/encryption 0.0.1 → 2.130.0

package/dist/actions/EnableFieldEncryptionAction.js

@@ -0,0 +1,308 @@
+"use strict";
+/**
+ * @fileoverview Action for enabling encryption on an existing entity field.
+ *
+ * When encryption is enabled on a field that already has data, this action:
+ * 1. Verifies the encryption key is valid and accessible
+ * 2. Loads existing records in batches
+ * 3. Encrypts all non-null values
+ * 4. Saves the encrypted values back to the database
+ *
+ * ## Usage
+ *
+ * This action is typically invoked after updating the EntityField metadata
+ * to enable encryption:
+ *
+ * ```typescript
+ * // First, update the EntityField to enable encryption
+ * entityField.Encrypt = true;
+ * entityField.EncryptionKeyID = 'key-uuid';
+ * await entityField.Save();
+ *
+ * // Then, encrypt existing data
+ * const result = await actionEngine.RunAction({
+ *   ActionName: 'Enable Field Encryption',
+ *   Params: [
+ *     { Name: 'EntityFieldID', Value: entityField.ID },
+ *     { Name: 'BatchSize', Value: 100 }
+ *   ],
+ *   ContextUser: currentUser
+ * });
+ * ```
+ *
+ * ## Security Considerations
+ *
+ * - This is a one-way operation - plaintext is replaced with ciphertext
+ * - Ensure backups exist before running
+ * - Values that are already encrypted are skipped
+ * - Empty/null values are not encrypted
+ *
+ * @module @memberjunction/encryption
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EnableFieldEncryptionAction = void 0;
+const global_1 = require("@memberjunction/global");
+const core_1 = require("@memberjunction/core");
+const EncryptionEngine_1 = require("../EncryptionEngine");
+/**
+ * Action for encrypting existing data when encryption is enabled on a field.
+ *
+ * This action handles the initial encryption of existing plaintext data
+ * after the Encrypt flag is set on an EntityField.
+ *
+ * ## Process
+ *
+ * 1. Loads the EntityField metadata to get encryption settings
+ * 2. Validates the encryption key is accessible
+ * 3. Queries for all records where the field is not null
+ * 4. For each record:
+ *    - Skip if already encrypted
+ *    - Encrypt the plaintext value
+ *    - Save the encrypted value
+ * 5. Returns statistics on encrypted/skipped records
+ *
+ * ## Batch Processing
+ *
+ * Records are processed in configurable batches to manage memory
+ * and allow for progress tracking.
+ *
+ * @security This is a privileged operation that modifies data.
+ *           Should be restricted to administrators.
+ */
+let EnableFieldEncryptionAction = class EnableFieldEncryptionAction {
+    /**
+     * Executes the field encryption operation.
+     *
+     * @param params - Action parameters including EntityFieldID and optional BatchSize
+     * @returns Result with counts of encrypted and skipped records
+     */
+    async Run(params) {
+        const { Params, ContextUser } = params;
+        // Extract parameters
+        const entityFieldId = this.getParamValue(Params, 'EntityFieldID');
+        const batchSize = this.getParamValue(Params, 'BatchSize') || 100;
+        // Validate required parameters
+        if (!entityFieldId) {
+            return {
+                Success: false,
+                ResultCode: 'INVALID_PARAMS',
+                Message: 'EntityFieldID is required',
+                Params
+            };
+        }
+        try {
+            const result = await this.enableFieldEncryption({
+                entityFieldId: String(entityFieldId),
+                batchSize: Number(batchSize)
+            }, ContextUser);
+            // Update output parameters
+            const outputParams = [...Params];
+            const encryptedParam = outputParams.find(p => p.Name === 'RecordsEncrypted');
+            if (encryptedParam)
+                encryptedParam.Value = result.recordsEncrypted;
+            const skippedParam = outputParams.find(p => p.Name === 'RecordsSkipped');
+            if (skippedParam)
+                skippedParam.Value = result.recordsSkipped;
+            if (result.success) {
+                return {
+                    Success: true,
+                    ResultCode: 'SUCCESS',
+                    Message: `Field encryption completed. Encrypted ${result.recordsEncrypted} records, skipped ${result.recordsSkipped} already encrypted.`,
+                    Params: outputParams
+                };
+            }
+            else {
+                return {
+                    Success: false,
+                    ResultCode: 'ENCRYPTION_FAILED',
+                    Message: result.error || 'Field encryption failed',
+                    Params: outputParams
+                };
+            }
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            (0, core_1.LogError)(`Enable field encryption failed: ${message}`);
+            return {
+                Success: false,
+                ResultCode: 'ERROR',
+                Message: `Enable field encryption failed: ${message}`,
+                Params
+            };
+        }
+    }
+    /**
+     * Performs the actual field encryption operation.
+     *
+     * @private
+     */
+    async enableFieldEncryption(params, contextUser) {
+        const { entityFieldId, batchSize = 100 } = params;
+        const engine = EncryptionEngine_1.EncryptionEngine.Instance;
+        await engine.Config(false, contextUser);
+        const md = new core_1.Metadata();
+        const rv = new core_1.RunView();
+        let recordsEncrypted = 0;
+        let recordsSkipped = 0;
+        try {
+            // Step 1: Load the EntityField metadata
+            const fieldResult = await rv.RunView({
+                EntityName: 'Entity Fields',
+                ExtraFilter: `ID = '${entityFieldId}'`,
+                ResultType: 'simple'
+            }, contextUser);
+            if (!fieldResult.Success || fieldResult.Results.length === 0) {
+                return {
+                    success: false,
+                    recordsEncrypted: 0,
+                    recordsSkipped: 0,
+                    error: `EntityField not found: ${entityFieldId}`
+                };
+            }
+            const fieldInfo = fieldResult.Results[0];
+            const entityName = fieldInfo.Entity;
+            const fieldName = fieldInfo.Name;
+            const encryptionKeyId = fieldInfo.EncryptionKeyID;
+            // Validate that encryption is enabled
+            if (!fieldInfo.Encrypt) {
+                return {
+                    success: false,
+                    recordsEncrypted: 0,
+                    recordsSkipped: 0,
+                    error: `Field ${entityName}.${fieldName} does not have encryption enabled. Set Encrypt=true first.`
+                };
+            }
+            if (!encryptionKeyId) {
+                return {
+                    success: false,
+                    recordsEncrypted: 0,
+                    recordsSkipped: 0,
+                    error: `Field ${entityName}.${fieldName} does not have an EncryptionKeyID set.`
+                };
+            }
+            (0, core_1.LogStatus)(`Enabling encryption for field: ${entityName}.${fieldName}`);
+            // Step 2: Validate the encryption key is accessible
+            // This will throw if the key is not valid
+            await engine.ValidateKeyMaterial(fieldInfo.KeyLookupValue || fieldInfo.EncryptionKeyID, // fallback to key ID if no lookup value in field
+            encryptionKeyId, contextUser);
+            (0, core_1.LogStatus)('Encryption key validated successfully');
+            // Step 3: Get entity info for proper querying
+            const entityInfo = md.Entities.find(e => e.Name === entityName);
+            if (!entityInfo) {
+                return {
+                    success: false,
+                    recordsEncrypted: 0,
+                    recordsSkipped: 0,
+                    error: `Entity not found: ${entityName}`
+                };
+            }
+            // Step 4: Process records in batches
+            let hasMore = true;
+            let offset = 0;
+            while (hasMore) {
+                // Query for records where field is not null and not already encrypted
+                // We check for NOT LIKE '$ENC$%' to find unencrypted values
+                const batchResult = await rv.RunView({
+                    EntityName: entityName,
+                    ExtraFilter: `${fieldName} IS NOT NULL AND ${fieldName} NOT LIKE '$ENC$%'`,
+                    OrderBy: entityInfo.PrimaryKeys.map(pk => pk.Name).join(', '),
+                    MaxRows: batchSize,
+                    ResultType: 'entity_object'
+                }, contextUser);
+                if (!batchResult.Success) {
+                    (0, core_1.LogError)(`Failed to query records for ${entityName}.${fieldName}`);
+                    hasMore = false;
+                    continue;
+                }
+                const records = batchResult.Results;
+                hasMore = records.length === batchSize;
+                if (records.length === 0) {
+                    break;
+                }
+                (0, core_1.LogStatus)(`Processing batch of ${records.length} records (offset: ${offset})`);
+                // Encrypt each record
+                for (const record of records) {
+                    const plainValue = record.Get(fieldName);
+                    // Double-check: skip null/empty values
+                    if (plainValue === null || plainValue === undefined || plainValue === '') {
+                        continue;
+                    }
+                    // Double-check: skip if somehow already encrypted
+                    if (typeof plainValue === 'string' && engine.IsEncrypted(plainValue)) {
+                        recordsSkipped++;
+                        continue;
+                    }
+                    try {
+                        // Convert to string if needed
+                        const stringValue = typeof plainValue === 'string'
+                            ? plainValue
+                            : JSON.stringify(plainValue);
+                        // Encrypt the value
+                        const encryptedValue = await engine.Encrypt(stringValue, encryptionKeyId, contextUser);
+                        // Update and save the record
+                        record.Set(fieldName, encryptedValue);
+                        const saveResult = await record.Save();
+                        if (saveResult) {
+                            recordsEncrypted++;
+                        }
+                        else {
+                            (0, core_1.LogError)(`Failed to save encrypted record in ${entityName}.${fieldName}`);
+                        }
+                    }
+                    catch (recordError) {
+                        const msg = recordError instanceof Error ? recordError.message : String(recordError);
+                        (0, core_1.LogError)(`Failed to encrypt record in ${entityName}.${fieldName}: ${msg}`);
+                    }
+                }
+                offset += batchSize;
+            }
+            // Also count records that were already encrypted (query separately)
+            const alreadyEncryptedResult = await rv.RunView({
+                EntityName: entityName,
+                ExtraFilter: `${fieldName} LIKE '$ENC$%'`,
+                MaxRows: 1, // Just checking count
+                ResultType: 'simple'
+            }, contextUser);
+            if (alreadyEncryptedResult.Success) {
+                // The query itself would return count, but for simplicity we note there are some
+                (0, core_1.LogStatus)(`Some records in ${entityName}.${fieldName} were already encrypted`);
+            }
+            (0, core_1.LogStatus)(`Field encryption completed for ${entityName}.${fieldName}. ` +
+                `Encrypted: ${recordsEncrypted}, Skipped: ${recordsSkipped}`);
+            return {
+                success: true,
+                recordsEncrypted,
+                recordsSkipped
+            };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            (0, core_1.LogError)(`Enable field encryption error: ${message}`);
+            return {
+                success: false,
+                recordsEncrypted,
+                recordsSkipped,
+                error: message
+            };
+        }
+    }
+    /**
+     * Helper to extract parameter value by name.
+     * @private
+     */
+    getParamValue(params, name) {
+        const param = params.find(p => p.Name === name);
+        return param?.Value ?? null;
+    }
+};
+exports.EnableFieldEncryptionAction = EnableFieldEncryptionAction;
+exports.EnableFieldEncryptionAction = EnableFieldEncryptionAction = __decorate([
+    (0, global_1.RegisterClass)(Object, 'Enable Field Encryption')
+], EnableFieldEncryptionAction);
+//# sourceMappingURL=EnableFieldEncryptionAction.js.map

package/dist/actions/EnableFieldEncryptionAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"EnableFieldEncryptionAction.js","sourceRoot":"","sources":["../../src/actions/EnableFieldEncryptionAction.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;;;;;;;;;AAEH,mDAAuD;AACvD,+CAAwF;AAExF,0DAAuD;AAGvD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEI,IAAM,2BAA2B,GAAjC,MAAM,2BAA2B;IACpC;;;;;OAKG;IACI,KAAK,CAAC,GAAG,CAAC,MAAuB;QACpC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAEvC,qBAAqB;QACrB,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAClE,MAAM,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,IAAI,GAAG,CAAC;QAEjE,+BAA+B;QAC/B,IAAI,CAAC,aAAa,EAAE,CAAC;YACjB,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,gBAAgB;gBAC5B,OAAO,EAAE,2BAA2B;gBACpC,MAAM;aACT,CAAC;QACN,CAAC;QAED,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC;gBAC5C,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC;gBACpC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC;aAC/B,EAAE,WAAW,CAAC,CAAC;YAEhB,2BAA2B;YAC3B,MAAM,YAAY,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;YACjC,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;YAC7E,IAAI,cAAc;gBAAE,cAAc,CAAC,KAAK,GAAG,MAAM,CAAC,gBAAgB,CAAC;YACnE,MAAM,YAAY,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,gBAAgB,CAAC,CAAC;YACzE,IAAI,YAAY;gBAAE,YAAY,CAAC,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC;YAE7D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjB,OAAO;oBACH,OAAO,EAAE,IAAI;oBACb,UAAU,EAAE,SAAS;oBACrB,OAAO,EAAE,yCAAyC,MAAM,CAAC,gBAAgB,qBAAqB,MAAM,CAAC,cAAc,qBAAqB;oBACxI,MAAM,EAAE,YAAY;iBACvB,CAAC;YACN,CAAC;iBAAM,CAAC;gBACJ,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,UAAU,EAAE,mBAAmB;oBAC/B,OAAO,EAAE,MAAM,CAAC,KAAK,IAAI,yBAAyB;oBAClD,MAAM,EAAE,YAAY;iBACvB,CAAC;YACN,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,IAAA,eAAQ,EAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;YAEvD,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,OAAO;gBACnB,OAAO,EAAE,mCAAmC,OAAO,EAAE;gBACrD,MAAM;aACT,CAAC;QACN,CAAC;IACL,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,qBAAqB,CAC/B,MAAmC,EACnC,WAAsB;QAEtB,MAAM,EAAE,aAAa,EAAE,SAAS,GAAG,GAAG,EAAE,GAAG,MAAM,CAAC;QAClD,MAAM,MAAM,GAAG,mCAAgB,CAAC,QAAQ,CAAC;QACzC,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QACxC,MAAM,EAAE,GAAG,IAAI,eAAQ,EAAE,CAAC;QAC1B,MAAM,EAAE,GAAG,IAAI,cAAO,EAAE,CAAC;QAEzB,IAAI,gBAAgB,GAAG,CAAC,CAAC;QACzB,IAAI,cAAc,GAAG,CAAC,CAAC;QAEvB,IAAI,CAAC;YACD,wCAAwC;YACxC,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;gBACjC,UAAU,EAAE,eAAe;gBAC3B,WAAW,EAAE,SAAS,aAAa,GAAG;gBACtC,UAAU,EAAE,QAAQ;aACvB,EAAE,WAAW,CAAC,CAAC;YAEhB,IAAI,CAAC,WAAW,CAAC,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC3D,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,gBAAgB,EAAE,CAAC;oBACnB,cAAc,EAAE,CAAC;oBACjB,KAAK,EAAE,0BAA0B,aAAa,EAAE;iBACnD,CAAC;YACN,CAAC;YAED,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACzC,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC;YACpC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC;YACjC,MAAM,eAAe,GAAG,SAAS,CAAC,eAAe,CAAC;YAElD,sCAAsC;YACtC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;gBACrB,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,gBAAgB,EAAE,CAAC;oBACnB,cAAc,EAAE,CAAC;oBACjB,KAAK,EAAE,SAAS,UAAU,IAAI,SAAS,4DAA4D;iBACtG,CAAC;YACN,CAAC;YAED,IAAI,CAAC,eAAe,EAAE,CAAC;gBACnB,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,gBAAgB,EAAE,CAAC;oBACnB,cAAc,EAAE,CAAC;oBACjB,KAAK,EAAE,SAAS,UAAU,IAAI,SAAS,wCAAwC;iBAClF,CAAC;YACN,CAAC;YAED,IAAA,gBAAS,EAAC,kCAAkC,UAAU,IAAI,SAAS,EAAE,CAAC,CAAC;YAEvE,oDAAoD;YACpD,0CAA0C;YAC1C,MAAM,MAAM,CAAC,mBAAmB,CAC5B,SAAS,CAAC,cAAc,IAAI,SAAS,CAAC,eAAe,EAAE,iDAAiD;YACxG,eAAe,EACf,WAAW,CACd,CAAC;YACF,IAAA,gBAAS,EAAC,uCAAuC,CAAC,CAAC;YAEnD,8CAA8C;YAC9C,MAAM,UAAU,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;YAChE,IAAI,CAAC,UAAU,EAAE,CAAC;gBACd,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,gBAAgB,EAAE,CAAC;oBACnB,cAAc,EAAE,CAAC;oBACjB,KAAK,EAAE,qBAAqB,UAAU,EAAE;iBAC3C,CAAC;YACN,CAAC;YAED,qCAAqC;YACrC,IAAI,OAAO,GAAG,IAAI,CAAC;YACnB,IAAI,MAAM,GAAG,CAAC,CAAC;YAEf,OAAO,OAAO,EAAE,CAAC;gBACb,sEAAsE;gBACtE,4DAA4D;gBAC5D,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;oBACjC,UAAU,EAAE,UAAU;oBACtB,WAAW,EAAE,GAAG,SAAS,oBAAoB,SAAS,oBAAoB;oBAC1E,OAAO,EAAE,UAAU,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;oBAC7D,OAAO,EAAE,SAAS;oBAClB,UAAU,EAAE,eAAe;iBAC9B,EAAE,WAAW,CAAC,CAAC;gBAEhB,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;oBACvB,IAAA,eAAQ,EAAC,+BAA+B,UAAU,IAAI,SAAS,EAAE,CAAC,CAAC;oBACnE,OAAO,GAAG,KAAK,CAAC;oBAChB,SAAS;gBACb,CAAC;gBAED,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC;gBACpC,OAAO,GAAG,OAAO,CAAC,MAAM,KAAK,SAAS,CAAC;gBAEvC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACvB,MAAM;gBACV,CAAC;gBAED,IAAA,gBAAS,EAAC,uBAAuB,OAAO,CAAC,MAAM,qBAAqB,MAAM,GAAG,CAAC,CAAC;gBAE/E,sBAAsB;gBACtB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;oBAC3B,MAAM,UAAU,GAAG,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;oBAEzC,uCAAuC;oBACvC,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,KAAK,EAAE,EAAE,CAAC;wBACvE,SAAS;oBACb,CAAC;oBAED,kDAAkD;oBAClD,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;wBACnE,cAAc,EAAE,CAAC;wBACjB,SAAS;oBACb,CAAC;oBAED,IAAI,CAAC;wBACD,8BAA8B;wBAC9B,MAAM,WAAW,GAAG,OAAO,UAAU,KAAK,QAAQ;4BAC9C,CAAC,CAAC,UAAU;4BACZ,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;wBAEjC,oBAAoB;wBACpB,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,OAAO,CACvC,WAAW,EACX,eAAe,EACf,WAAW,CACd,CAAC;wBAEF,6BAA6B;wBAC7B,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;wBACtC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;wBAEvC,IAAI,UAAU,EAAE,CAAC;4BACb,gBAAgB,EAAE,CAAC;wBACvB,CAAC;6BAAM,CAAC;4BACJ,IAAA,eAAQ,EAAC,sCAAsC,UAAU,IAAI,SAAS,EAAE,CAAC,CAAC;wBAC9E,CAAC;oBACL,CAAC;oBAAC,OAAO,WAAW,EAAE,CAAC;wBACnB,MAAM,GAAG,GAAG,WAAW,YAAY,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;wBACrF,IAAA,eAAQ,EAAC,+BAA+B,UAAU,IAAI,SAAS,KAAK,GAAG,EAAE,CAAC,CAAC;oBAC/E,CAAC;gBACL,CAAC;gBAED,MAAM,IAAI,SAAS,CAAC;YACxB,CAAC;YAED,oEAAoE;YACpE,MAAM,sBAAsB,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;gBAC5C,UAAU,EAAE,UAAU;gBACtB,WAAW,EAAE,GAAG,SAAS,gBAAgB;gBACzC,OAAO,EAAE,CAAC,EAAE,sBAAsB;gBAClC,UAAU,EAAE,QAAQ;aACvB,EAAE,WAAW,CAAC,CAAC;YAEhB,IAAI,sBAAsB,CAAC,OAAO,EAAE,CAAC;gBACjC,iFAAiF;gBACjF,IAAA,gBAAS,EAAC,mBAAmB,UAAU,IAAI,SAAS,yBAAyB,CAAC,CAAC;YACnF,CAAC;YAED,IAAA,gBAAS,EACL,kCAAkC,UAAU,IAAI,SAAS,IAAI;gBAC7D,cAAc,gBAAgB,cAAc,cAAc,EAAE,CAC/D,CAAC;YAEF,OAAO;gBACH,OAAO,EAAE,IAAI;gBACb,gBAAgB;gBAChB,cAAc;aACjB,CAAC;QAEN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,IAAA,eAAQ,EAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;YAEtD,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,gBAAgB;gBAChB,cAAc;gBACd,KAAK,EAAE,OAAO;aACjB,CAAC;QACN,CAAC;IACL,CAAC;IAED;;;OAGG;IACK,aAAa,CAAC,MAAqB,EAAE,IAAY;QACrD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QAChD,OAAO,KAAK,EAAE,KAAK,IAAI,IAAI,CAAC;IAChC,CAAC;CACJ,CAAA;AA3QY,kEAA2B;sCAA3B,2BAA2B;IADvC,IAAA,sBAAa,EAAC,MAAM,EAAE,yBAAyB,CAAC;GACpC,2BAA2B,CA2QvC"}

package/dist/actions/RotateEncryptionKeyAction.d.ts

@@ -0,0 +1,79 @@
+/**
+ * @fileoverview Action for rotating encryption keys with full data re-encryption.
+ *
+ * Key rotation is a critical security operation that:
+ * 1. Validates the new key material is accessible
+ * 2. Decrypts all data encrypted with the old key
+ * 3. Re-encrypts with the new key in a transactional manner
+ * 4. Updates the key metadata to point to the new key material
+ *
+ * ## Usage
+ *
+ * This action is typically invoked via the MemberJunction Actions framework:
+ *
+ * ```typescript
+ * const result = await actionEngine.RunAction({
+ *   ActionName: 'Rotate Encryption Key',
+ *   Params: [
+ *     { Name: 'EncryptionKeyID', Value: 'key-uuid' },
+ *     { Name: 'NewKeyLookupValue', Value: 'MJ_ENCRYPTION_KEY_PII_V2' },
+ *     { Name: 'BatchSize', Value: 100 }
+ *   ],
+ *   ContextUser: currentUser
+ * });
+ * ```
+ *
+ * ## Security Considerations
+ *
+ * - The new key must be accessible before starting rotation
+ * - Rotation is transactional - all or nothing
+ * - Key status is set to 'Rotating' during the operation
+ * - On success, key version is incremented
+ * - On failure, original key continues to work
+ *
+ * @module @memberjunction/encryption
+ */
+import { ActionResultSimple, RunActionParams } from '@memberjunction/actions-base';
+/**
+ * Action for rotating encryption keys with full re-encryption of affected data.
+ *
+ * Key rotation involves:
+ * 1. Validating the new key is accessible
+ * 2. Setting key status to 'Rotating'
+ * 3. For each entity field using this key:
+ *    - Loading all records in batches
+ *    - Decrypting with old key
+ *    - Re-encrypting with new key
+ *    - Updating records
+ * 4. Updating key metadata (lookup value, version)
+ * 5. Setting key status back to 'Active'
+ *
+ * ## Transaction Safety
+ *
+ * - Each batch is processed within a transaction
+ * - On batch failure, the entire rotation is rolled back
+ * - Key status is reset to 'Active' on failure
+ *
+ * @security This is a privileged operation that should be restricted to administrators.
+ */
+export declare class RotateEncryptionKeyAction {
+    /**
+     * Executes the key rotation operation.
+     *
+     * @param params - Action parameters including EncryptionKeyID and NewKeyLookupValue
+     * @returns Result with success status and details about rotated fields/records
+     */
+    Run(params: RunActionParams): Promise<ActionResultSimple>;
+    /**
+     * Performs the actual key rotation operation.
+     *
+     * @private
+     */
+    private rotateKey;
+    /**
+     * Helper to extract parameter value by name.
+     * @private
+     */
+    private getParamValue;
+}
+//# sourceMappingURL=RotateEncryptionKeyAction.d.ts.map

package/dist/actions/RotateEncryptionKeyAction.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RotateEncryptionKeyAction.d.ts","sourceRoot":"","sources":["../../src/actions/RotateEncryptionKeyAction.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAIH,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAe,MAAM,8BAA8B,CAAC;AAKhG;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBACa,yBAAyB;IAClC;;;;;OAKG;IACU,GAAG,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAyEtE;;;;OAIG;YACW,SAAS;IAyNvB;;;OAGG;IACH,OAAO,CAAC,aAAa;CAIxB"}