@onlineapps/service-validator-core 1.0.2

package/jest.config.js

@@ -0,0 +1,21 @@
+module.exports = {
+  testEnvironment: 'node',
+  coverageDirectory: 'coverage',
+  collectCoverageFrom: [
+    'src/**/*.js',
+    '!src/**/*.test.js',
+    '!src/**/*.spec.js'
+  ],
+  testMatch: [
+    '<rootDir>/test/**/*.test.js'
+  ],
+  coverageThreshold: {
+    global: {
+      branches: 80,
+      functions: 80,
+      lines: 80,
+      statements: 80
+    }
+  },
+  testTimeout: 10000
+};

package/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "@onlineapps/service-validator-core",
+  "version": "1.0.2",
+  "description": "Core validation logic for microservices",
+  "main": "src/index.js",
+  "scripts": {
+    "test": "jest",
+    "test:coverage": "jest --coverage",
+    "lint": "eslint src/"
+  },
+  "keywords": [
+    "validation",
+    "microservices",
+    "openapi"
+  ],
+  "author": "OnlineApps",
+  "license": "MIT",
+  "dependencies": {
+    "ajv": "^8.12.0",
+    "jsonwebtoken": "^9.0.2",
+    "uuid": "^9.0.1"
+  },
+  "devDependencies": {
+    "jest": "^29.7.0",
+    "eslint": "^8.56.0"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  }
+}

package/src/index.js

@@ -0,0 +1,212 @@
+const OpenApiValidator = require('./validators/openApiValidator');
+const EndpointValidator = require('./validators/endpointValidator');
+const ConnectorValidator = require('./validators/connectorValidator');
+const HealthValidator = require('./validators/healthValidator');
+const TokenManager = require('./security/tokenManager');
+const CertificateManager = require('./security/certificateManager');
+const ValidationProofVerifier = require('./security/ValidationProofVerifier');
+
+class ValidationCore {
+  constructor(config = {}) {
+    this.config = {
+      strictMode: config.strictMode || false,
+      requiredConnectors: config.requiredConnectors || [
+        'connector-logger',
+        'connector-storage',
+        'connector-registry-client',
+        'connector-mq-client',
+        'connector-cookbook'
+      ],
+      ...config
+    };
+
+    this.validators = {
+      openApi: new OpenApiValidator(),
+      endpoints: new EndpointValidator(),
+      connectors: new ConnectorValidator(this.config.requiredConnectors),
+      health: new HealthValidator()
+    };
+
+    this.tokenManager = new TokenManager();
+    this.certificateManager = new CertificateManager();
+    this.proofVerifier = new ValidationProofVerifier({
+      maxProofAge: config.maxProofAge,
+      strictMode: this.config.strictMode
+    });
+  }
+
+  /**
+   * Validates service configuration
+   * @param {object} serviceData - Service data to validate
+   * @returns {Promise<object>} Validation results
+   */
+  async validate(serviceData) {
+    const results = {
+      success: true,
+      validated: false,
+      checks: {},
+      errors: [],
+      warnings: [],
+      timestamp: new Date().toISOString()
+    };
+
+    try {
+      // Run all validators
+      if (serviceData.openApiSpec) {
+        const openApiResult = await this.validators.openApi.validate(serviceData.openApiSpec);
+        results.checks.openApi = openApiResult;
+        if (!openApiResult.valid) {
+          results.errors.push(...openApiResult.errors);
+        }
+      }
+
+      if (serviceData.endpoints) {
+        const endpointsResult = await this.validators.endpoints.validate(serviceData.endpoints);
+        results.checks.endpoints = endpointsResult;
+        if (!endpointsResult.valid) {
+          results.errors.push(...endpointsResult.errors);
+        }
+      }
+
+      if (serviceData.metadata) {
+        const connectorsResult = await this.validators.connectors.validate(serviceData.metadata);
+        results.checks.connectors = connectorsResult;
+        if (!connectorsResult.valid) {
+          results.warnings.push(...connectorsResult.warnings);
+          if (this.config.strictMode) {
+            results.errors.push(...connectorsResult.warnings);
+          }
+        }
+      }
+
+      if (serviceData.health) {
+        const healthResult = await this.validators.health.validate(serviceData.health);
+        results.checks.health = healthResult;
+        if (!healthResult.valid) {
+          results.warnings.push(...healthResult.warnings);
+        }
+      }
+
+      results.validated = true;
+      results.success = results.errors.length === 0;
+
+    } catch (error) {
+      results.success = false;
+      results.errors.push(`Validation error: ${error.message}`);
+    }
+
+    return results;
+  }
+
+  /**
+   * Generate pre-validation token
+   * @param {object} validationResults - Results from validate()
+   * @param {string} serviceName - Name of the service
+   * @returns {Promise<object>} Token data object with token, secret, and tokenId
+   */
+  async generatePreValidationToken(validationResults, serviceName) {
+    if (!validationResults.success) {
+      throw new Error('Cannot generate token for failed validation');
+    }
+
+    const tokenData = await this.tokenManager.generateToken({
+      serviceName,
+      validationResults,
+      type: 'pre-validation'
+    });
+
+    // Store secret for later verification (in real implementation, store in secure storage)
+    this.tokenSecrets = this.tokenSecrets || new Map();
+    this.tokenSecrets.set(tokenData.token, tokenData.secret);
+
+    // Return full token data object (token, secret, tokenId)
+    return tokenData;
+  }
+
+  /**
+   * Verify pre-validation token
+   * @param {string} token - Token to verify
+   * @param {string} secret - Secret to verify with (optional)
+   * @returns {Promise<object>} Token payload
+   */
+  async verifyPreValidationToken(token, secret = null) {
+    // Use provided secret or lookup from stored secrets
+    const verifySecret = secret || (this.tokenSecrets && this.tokenSecrets.get(token)) || null;
+    return this.tokenManager.verifyToken(token, verifySecret);
+  }
+
+  /**
+   * Generate validation certificate
+   * @param {object} validationResults - Results from validate()
+   * @param {string} serviceName - Name of the service
+   * @param {string} version - Service version
+   * @returns {Promise<object>} Validation certificate
+   */
+  async generateCertificate(validationResults, serviceName, version) {
+    if (!validationResults.success) {
+      throw new Error('Cannot generate certificate for failed validation');
+    }
+
+    return this.certificateManager.generateCertificate({
+      serviceName,
+      version,
+      validationResults,
+      issuedAt: new Date().toISOString(),
+      expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString() // 30 days
+    });
+  }
+
+  /**
+   * Verify validation certificate
+   * @param {object} certificate - Certificate to verify
+   * @returns {Promise<boolean>} Verification result
+   */
+  async verifyCertificate(certificate) {
+    return this.certificateManager.verifyCertificate(certificate);
+  }
+
+  /**
+   * Verify validation proof (SHA256-based from pre-validation)
+   * @param {object} proof - Complete proof object from .validation-proof.json
+   * @returns {object} Verification result with {valid, reason, details}
+   */
+  verifyValidationProof(proof) {
+    return this.proofVerifier.verifyProof(proof);
+  }
+
+  /**
+   * Generate functional tests from OpenAPI spec
+   * @param {object} openApiSpec - OpenAPI specification
+   * @returns {Promise<array>} Generated tests
+   */
+  async generateFunctionalTests(openApiSpec) {
+    const tests = [];
+
+    if (!openApiSpec || !openApiSpec.paths) {
+      return tests;
+    }
+
+    for (const [pathName, pathDef] of Object.entries(openApiSpec.paths)) {
+      for (const [method, operation] of Object.entries(pathDef)) {
+        if (['get', 'post', 'put', 'patch', 'delete'].includes(method.toLowerCase())) {
+          tests.push({
+            name: operation.summary || `${method.toUpperCase()} ${pathName}`,
+            method: method.toUpperCase(),
+            path: pathName,
+            description: operation.description || '',
+            parameters: operation.parameters || [],
+            requestBody: operation.requestBody || null,
+            expectedResponses: Object.keys(operation.responses || {}),
+            expectedSuccessResponse: operation.responses?.['200'] ? '200' :
+                                    operation.responses?.['201'] ? '201' : null
+          });
+        }
+      }
+    }
+
+    return tests;
+  }
+}
+
+module.exports = ValidationCore;
+module.exports.ValidationProofVerifier = ValidationProofVerifier;

package/src/security/ValidationProofVerifier.js

@@ -0,0 +1,178 @@
+const crypto = require('crypto');
+
+/**
+ * ValidationProofVerifier - Verifies SHA256 validation proofs from pre-validation
+ *
+ * This class verifies validation proofs generated by ValidationProofGenerator
+ * from the conn-e2e-testing package. It validates:
+ * - Hash integrity (SHA256)
+ * - Proof structure and format
+ * - Test results (passed/failed counts)
+ * - Proof age (max 7 days)
+ * - Validator identity
+ */
+class ValidationProofVerifier {
+  constructor(options = {}) {
+    this.maxProofAge = options.maxProofAge || 7 * 24 * 60 * 60 * 1000; // 7 days default
+    this.strictMode = options.strictMode || false;
+  }
+
+  /**
+   * Verify validation proof
+   * @param {object} proof - Complete proof object from .validation-proof.json
+   * @returns {object} Verification result with {valid, reason, details}
+   */
+  verifyProof(proof) {
+    console.log('[ValidationProofVerifier] Starting proof verification');
+    console.log('[ValidationProofVerifier] Proof hash:', proof.validationProof?.substring(0, 16) + '...');
+
+    // 1. Check proof structure
+    if (!proof || typeof proof !== 'object') {
+      console.error('[ValidationProofVerifier] ❌ Invalid proof structure: not an object');
+      return { valid: false, reason: 'INVALID_STRUCTURE', details: 'Proof must be an object' };
+    }
+
+    if (!proof.validationProof || typeof proof.validationProof !== 'string') {
+      console.error('[ValidationProofVerifier] ❌ Missing or invalid validationProof field');
+      return { valid: false, reason: 'MISSING_HASH', details: 'validationProof field is required' };
+    }
+
+    if (!proof.validationData || typeof proof.validationData !== 'object') {
+      console.error('[ValidationProofVerifier] ❌ Missing or invalid validationData field');
+      return { valid: false, reason: 'MISSING_DATA', details: 'validationData field is required' };
+    }
+
+    // 2. Check hash format (SHA256 = 64 hex characters)
+    if (!/^[a-f0-9]{64}$/i.test(proof.validationProof)) {
+      console.error('[ValidationProofVerifier] ❌ Invalid hash format:', proof.validationProof);
+      return { valid: false, reason: 'INVALID_HASH_FORMAT', details: 'Hash must be 64-character hex string (SHA256)' };
+    }
+    console.log('[ValidationProofVerifier] ✓ Hash format valid (SHA256)');
+
+    // 3. Verify hash integrity
+    const data = proof.validationData;
+    const recomputedHash = this._generateHash(data);
+
+    if (recomputedHash !== proof.validationProof) {
+      console.error('[ValidationProofVerifier] ❌ Hash mismatch');
+      console.error('[ValidationProofVerifier]   Expected:', proof.validationProof);
+      console.error('[ValidationProofVerifier]   Computed:', recomputedHash);
+      return {
+        valid: false,
+        reason: 'HASH_MISMATCH',
+        details: 'Validation data does not match hash (data may have been tampered with)'
+      };
+    }
+    console.log('[ValidationProofVerifier] ✓ Hash integrity verified');
+
+    // 4. Check required validationData fields
+    const requiredFields = ['serviceName', 'version', 'testsRun', 'testsPassed', 'testsFailed', 'validator', 'timestamp'];
+    for (const field of requiredFields) {
+      if (data[field] === undefined || data[field] === null) {
+        console.error(`[ValidationProofVerifier] ❌ Missing required field: ${field}`);
+        return {
+          valid: false,
+          reason: 'MISSING_FIELD',
+          details: `Required field missing: ${field}`
+        };
+      }
+    }
+    console.log('[ValidationProofVerifier] ✓ All required fields present');
+
+    // 5. Check proof age
+    const proofDate = new Date(data.timestamp);
+    const now = new Date();
+    const age = now - proofDate;
+
+    if (isNaN(proofDate.getTime())) {
+      console.error('[ValidationProofVerifier] ❌ Invalid timestamp:', data.timestamp);
+      return { valid: false, reason: 'INVALID_TIMESTAMP', details: 'Timestamp is not a valid date' };
+    }
+
+    if (age > this.maxProofAge) {
+      const maxDays = Math.floor(this.maxProofAge / (24 * 60 * 60 * 1000));
+      const ageDays = Math.floor(age / (24 * 60 * 60 * 1000));
+      console.error(`[ValidationProofVerifier] ❌ Proof too old: ${ageDays} days (max ${maxDays} days)`);
+      return {
+        valid: false,
+        reason: 'PROOF_EXPIRED',
+        details: `Proof is ${ageDays} days old (max ${maxDays} days)`
+      };
+    }
+    console.log(`[ValidationProofVerifier] ✓ Proof age valid: ${Math.floor(age / (60 * 60 * 1000))} hours old`);
+
+    // 6. Check test results
+    if (data.testsRun <= 0) {
+      console.error('[ValidationProofVerifier] ❌ No tests were run');
+      return { valid: false, reason: 'NO_TESTS', details: 'At least one test must be run' };
+    }
+
+    if (data.testsFailed > 0) {
+      console.error(`[ValidationProofVerifier] ❌ Some tests failed: ${data.testsFailed}/${data.testsRun}`);
+      return {
+        valid: false,
+        reason: 'TESTS_FAILED',
+        details: `${data.testsFailed} out of ${data.testsRun} tests failed`
+      };
+    }
+
+    if (data.testsPassed !== data.testsRun) {
+      console.error('[ValidationProofVerifier] ❌ Test count mismatch');
+      return {
+        valid: false,
+        reason: 'TEST_COUNT_MISMATCH',
+        details: `Passed (${data.testsPassed}) + Failed (${data.testsFailed}) ≠ Total (${data.testsRun})`
+      };
+    }
+    console.log(`[ValidationProofVerifier] ✓ All tests passed: ${data.testsPassed}/${data.testsRun}`);
+
+    // 7. Check validator identity
+    if (!data.validator || typeof data.validator !== 'string') {
+      console.error('[ValidationProofVerifier] ❌ Invalid validator identity');
+      return { valid: false, reason: 'INVALID_VALIDATOR', details: 'Validator identity is required' };
+    }
+    console.log('[ValidationProofVerifier] ✓ Validator:', data.validator);
+
+    // 8. All checks passed
+    console.log('[ValidationProofVerifier] ✅ Proof verification successful');
+    console.log(`[ValidationProofVerifier]   Service: ${data.serviceName} v${data.version}`);
+    console.log(`[ValidationProofVerifier]   Tests: ${data.testsPassed}/${data.testsRun} passed`);
+    console.log(`[ValidationProofVerifier]   Validator: ${data.validator}`);
+    console.log(`[ValidationProofVerifier]   Timestamp: ${data.timestamp}`);
+
+    return {
+      valid: true,
+      reason: 'VALID',
+      details: {
+        serviceName: data.serviceName,
+        version: data.version,
+        testsRun: data.testsRun,
+        testsPassed: data.testsPassed,
+        validator: data.validator,
+        timestamp: data.timestamp,
+        fingerprint: data.fingerprint
+      }
+    };
+  }
+
+  /**
+   * Generate SHA256 hash from validation data (must match ValidationProofGenerator)
+   * @private
+   */
+  _generateHash(data) {
+    const hashInput = JSON.stringify({
+      serviceName: data.serviceName,
+      version: data.version,
+      testsRun: data.testsRun,
+      testsPassed: data.testsPassed,
+      testsFailed: data.testsFailed,
+      validator: data.validator,
+      timestamp: data.timestamp,
+      fingerprint: data.fingerprint || ''
+    }, null, 0); // No whitespace for consistency
+
+    return crypto.createHash('sha256').update(hashInput).digest('hex');
+  }
+}
+
+module.exports = ValidationProofVerifier;

package/src/security/certificateManager.js

@@ -0,0 +1,239 @@
+const crypto = require('crypto');
+
+class CertificateManager {
+  constructor(config = {}) {
+    this.algorithm = config.algorithm || 'RSA-SHA256';
+    this.keyPair = config.keyPair || this.generateKeyPair();
+    this.issuer = config.issuer || 'validation-service';
+    this.validityDays = config.validityDays || 30;
+  }
+
+  /**
+   * Generate RSA key pair for signing certificates
+   * @returns {object} Key pair
+   */
+  generateKeyPair() {
+    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
+      modulusLength: 2048,
+      publicKeyEncoding: {
+        type: 'spki',
+        format: 'pem'
+      },
+      privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'pem'
+      }
+    });
+
+    return { publicKey, privateKey };
+  }
+
+  /**
+   * Generate a validation certificate
+   * @param {object} data - Certificate data
+   * @returns {Promise<object>} Generated certificate
+   */
+  async generateCertificate(data) {
+    const certificateId = crypto.randomBytes(16).toString('hex');
+    const issuedAt = new Date();
+    const expiresAt = new Date(issuedAt);
+    expiresAt.setDate(expiresAt.getDate() + this.validityDays);
+
+    const certificate = {
+      id: certificateId,
+      version: '1.0',
+      issuer: this.issuer,
+      subject: {
+        serviceName: data.serviceName,
+        serviceVersion: data.version
+      },
+      issuedAt: issuedAt.toISOString(),
+      expiresAt: expiresAt.toISOString(),
+      validationResults: {
+        timestamp: data.validationResults.timestamp,
+        success: data.validationResults.success,
+        checks: data.validationResults.checks
+      },
+      fingerprint: this.generateFingerprint(data.validationResults),
+      extensions: {
+        allowedOperations: data.allowedOperations || ['register', 'heartbeat', 'workflow'],
+        restrictions: data.restrictions || [],
+        metadata: data.metadata || {}
+      }
+    };
+
+    // Sign the certificate
+    certificate.signature = this.signData(certificate);
+
+    return certificate;
+  }
+
+  /**
+   * Verify a validation certificate
+   * @param {object} certificate - Certificate to verify
+   * @returns {Promise<boolean>} Verification result
+   */
+  async verifyCertificate(certificate) {
+    try {
+      // Check expiration
+      const now = new Date();
+      const expiresAt = new Date(certificate.expiresAt);
+      if (now > expiresAt) {
+        throw new Error('Certificate has expired');
+      }
+
+      // Check issued date (not in future)
+      const issuedAt = new Date(certificate.issuedAt);
+      if (now < issuedAt) {
+        throw new Error('Certificate issued in the future');
+      }
+
+      // Verify signature
+      const certCopy = { ...certificate };
+      const providedSignature = certCopy.signature;
+      delete certCopy.signature;
+
+      const calculatedSignature = this.signData(certCopy);
+      if (providedSignature !== calculatedSignature) {
+        throw new Error('Invalid certificate signature');
+      }
+
+      // Verify fingerprint
+      const calculatedFingerprint = this.generateFingerprint(certificate.validationResults);
+      if (certificate.fingerprint !== calculatedFingerprint) {
+        throw new Error('Certificate data has been tampered with');
+      }
+
+      // Check issuer
+      if (certificate.issuer !== this.issuer) {
+        throw new Error(`Unknown certificate issuer: ${certificate.issuer}`);
+      }
+
+      return true;
+    } catch (error) {
+      console.error('Certificate verification failed:', error.message);
+      return false;
+    }
+  }
+
+  /**
+   * Sign data with private key
+   * @param {object} data - Data to sign
+   * @returns {string} Signature
+   */
+  signData(data) {
+    const sign = crypto.createSign(this.algorithm);
+    sign.update(JSON.stringify(data, Object.keys(data).sort()));
+    sign.end();
+    return sign.sign(this.keyPair.privateKey, 'hex');
+  }
+
+  /**
+   * Verify data signature with public key
+   * @param {object} data - Data to verify
+   * @param {string} signature - Signature to verify
+   * @returns {boolean} Verification result
+   */
+  verifySignature(data, signature) {
+    const verify = crypto.createVerify(this.algorithm);
+    verify.update(JSON.stringify(data, Object.keys(data).sort()));
+    verify.end();
+    return verify.verify(this.keyPair.publicKey, signature, 'hex');
+  }
+
+  /**
+   * Generate fingerprint for data
+   * @param {object} data - Data to fingerprint
+   * @returns {string} Fingerprint
+   */
+  generateFingerprint(data) {
+    const sortedData = JSON.stringify(data, Object.keys(data).sort());
+    return crypto.createHash('sha256').update(sortedData).digest('hex');
+  }
+
+  /**
+   * Revoke a certificate (would need persistent storage in production)
+   * @param {string} certificateId - Certificate ID to revoke
+   * @returns {Promise<void>}
+   */
+  async revokeCertificate(certificateId) {
+    // In production, this would update a revocation list in database
+    // For now, we'll just log it
+    console.log(`Certificate ${certificateId} has been revoked`);
+  }
+
+  /**
+   * Check if a certificate is revoked
+   * @param {string} certificateId - Certificate ID to check
+   * @returns {Promise<boolean>} True if revoked
+   */
+  async isCertificateRevoked(certificateId) {
+    // In production, this would check against a revocation list
+    // For now, always return false
+    return false;
+  }
+
+  /**
+   * Export public key for distribution
+   * @returns {string} Public key in PEM format
+   */
+  exportPublicKey() {
+    return this.keyPair.publicKey;
+  }
+
+  /**
+   * Generate a certificate chain (for future use with intermediate CAs)
+   * @param {object} certificate - Leaf certificate
+   * @param {Array} chain - Certificate chain
+   * @returns {object} Complete chain
+   */
+  generateCertificateChain(certificate, chain = []) {
+    return {
+      certificate,
+      chain,
+      rootCA: this.exportPublicKey()
+    };
+  }
+
+  /**
+   * Validate certificate permissions
+   * @param {object} certificate - Certificate to check
+   * @param {string} operation - Operation to validate
+   * @returns {boolean} True if operation is allowed
+   */
+  validatePermissions(certificate, operation) {
+    if (!certificate.extensions || !certificate.extensions.allowedOperations) {
+      return false;
+    }
+
+    return certificate.extensions.allowedOperations.includes(operation);
+  }
+
+  /**
+   * Generate a validation report from certificate
+   * @param {object} certificate - Certificate to analyze
+   * @returns {object} Validation report
+   */
+  generateValidationReport(certificate) {
+    const now = new Date();
+    const expiresAt = new Date(certificate.expiresAt);
+    const daysRemaining = Math.floor((expiresAt - now) / (1000 * 60 * 60 * 24));
+
+    return {
+      certificateId: certificate.id,
+      serviceName: certificate.subject.serviceName,
+      serviceVersion: certificate.subject.serviceVersion,
+      issuer: certificate.issuer,
+      issuedAt: certificate.issuedAt,
+      expiresAt: certificate.expiresAt,
+      daysRemaining,
+      isExpired: daysRemaining < 0,
+      validationPassed: certificate.validationResults.success,
+      checksPerformed: Object.keys(certificate.validationResults.checks || {}),
+      allowedOperations: certificate.extensions.allowedOperations,
+      restrictions: certificate.extensions.restrictions
+    };
+  }
+}
+
+module.exports = CertificateManager;