@pengzi/kms 1.1.0 → 1.1.1

package/dist/src/utils/config-loader.js

@@ -0,0 +1,125 @@
+"use strict";
+/**
+ * 配置加载工具
+ * 用于从加密配置文件中加载连接字符串
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadEncryptedConfig = loadEncryptedConfig;
+exports.loadConfigFromEnvironment = loadConfigFromEnvironment;
+exports.createClientFromEncryptedConfig = createClientFromEncryptedConfig;
+exports.readPrivateKeyFile = readPrivateKeyFile;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const asymmetric_crypto_1 = require("../core/asymmetric-crypto");
+const asymmetric_crypto_2 = require("../core/asymmetric-crypto");
+/**
+ * 从加密配置文件加载配置
+ * @param configPath 配置文件路径
+ * @param privateKeyPem 私钥（可选，默认从环境变量读取）
+ * @param passphrase 私钥密码（可选，默认从环境变量读取）
+ * @returns KMS 客户端配置
+ */
+function loadEncryptedConfig(configPath, privateKeyPem, passphrase) {
+    // 读取配置文件
+    const config = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+    // 获取私钥
+    const finalPrivateKeyPem = privateKeyPem || process.env.KMS_PRIVATE_KEY;
+    if (!finalPrivateKeyPem) {
+        throw new Error('私钥未提供。请设置 KMS_PRIVATE_KEY 环境变量或传入 privateKeyPem 参数');
+    }
+    // 获取密码
+    const finalPassphrase = passphrase || (0, asymmetric_crypto_1.getPrivateKeyPassphrase)();
+    // 解密连接字符串
+    const connectionString = (0, asymmetric_crypto_2.parseEncryptedConnectionStringConfig)({ encryptedConnectionString: config.encryptedConnectionString }, finalPrivateKeyPem, finalPassphrase);
+    return {
+        connectionString,
+        databaseName: config.databaseName || 'kms',
+        connectionOptions: config.connectionOptions
+    };
+}
+/**
+ * 从环境变量和文件加载配置
+ * 优先级：加密配置文件 > 环境变量
+ * @returns KMS 客户端配置
+ */
+function loadConfigFromEnvironment() {
+    const configPath = process.env.KMS_ENCRYPTED_CONFIG_PATH;
+    if (configPath && fs.existsSync(configPath)) {
+        return loadEncryptedConfig(configPath);
+    }
+    // 回退到环境变量
+    const connectionString = process.env.KMS_CONNECTION_STRING || process.env.MONGO_URL;
+    if (!connectionString) {
+        throw new Error('未找到连接字符串。请设置 KMS_ENCRYPTED_CONFIG_PATH 或 KMS_CONNECTION_STRING 环境变量');
+    }
+    return {
+        connectionString,
+        databaseName: process.env.KMS_DATABASE_NAME || 'kms',
+        connectionOptions: {
+            connectTimeoutMS: process.env.KMS_CONNECT_TIMEOUT
+                ? parseInt(process.env.KMS_CONNECT_TIMEOUT, 10)
+                : undefined,
+            socketTimeoutMS: process.env.KMS_SOCKET_TIMEOUT
+                ? parseInt(process.env.KMS_SOCKET_TIMEOUT, 10)
+                : undefined,
+            maxPoolSize: process.env.KMS_MAX_POOL_SIZE
+                ? parseInt(process.env.KMS_MAX_POOL_SIZE, 10)
+                : undefined
+        }
+    };
+}
+/**
+ * 创建 KMS 客户端（从加密配置）
+ * @param configPath 配置文件路径
+ * @param privateKeyPem 私钥（可选）
+ * @param passphrase 私钥密码（可选）
+ * @returns KMS 客户端选项
+ */
+function createClientFromEncryptedConfig(configPath, privateKeyPem, passphrase) {
+    return loadEncryptedConfig(configPath, privateKeyPem, passphrase);
+}
+/**
+ * 读取私钥文件
+ * @param filePath 私钥文件路径
+ * @returns 私钥内容
+ */
+function readPrivateKeyFile(filePath) {
+    const absolutePath = path.resolve(filePath);
+    if (!fs.existsSync(absolutePath)) {
+        throw new Error(`私钥文件不存在: ${absolutePath}`);
+    }
+    return fs.readFileSync(absolutePath, 'utf-8');
+}

package/dist/src/utils/constants.js

@@ -0,0 +1,118 @@
+"use strict";
+/**
+ * 系统常量定义
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.COLLECTIONS = exports.KEY_TYPES = exports.ROLE_PERMISSIONS = exports.SECURITY_CONFIG = void 0;
+exports.generateId = generateId;
+exports.validatePasswordStrength = validatePasswordStrength;
+const types_1 = require("../types");
+/**
+ * 安全配置常量
+ */
+exports.SECURITY_CONFIG = {
+    // 密钥派生配置
+    KEY_DERIVATION: {
+        ALGORITHM: 'pbkdf2',
+        ITERATIONS: 100000,
+        KEY_LENGTH: 32, // 256 bits
+        DIGEST: 'sha256',
+    },
+    // 加密配置
+    ENCRYPTION: {
+        ALGORITHM: 'aes-256-gcm',
+        KEY_LENGTH: 32, // 256 bits
+        IV_LENGTH: 16, // 128 bits
+        AUTH_TAG_LENGTH: 16, // 128 bits
+    },
+    // 密码策略
+    PASSWORD_POLICY: {
+        MIN_LENGTH: 12,
+        REQUIRE_UPPERCASE: true,
+        REQUIRE_LOWERCASE: true,
+        REQUIRE_NUMBERS: true,
+        REQUIRE_SPECIAL_CHARS: true,
+    },
+    // 速率限制
+    RATE_LIMITING: {
+        WINDOW_MS: 15 * 60 * 1000, // 15分钟
+        MAX_REQUESTS: 100,
+    },
+    // API密钥长度
+    API_KEY_LENGTH: 64,
+};
+/**
+ * 角色-权限映射
+ */
+exports.ROLE_PERMISSIONS = {
+    [types_1.Role.ADMIN]: [
+        types_1.Permission.PROJECT_CREATE,
+        types_1.Permission.PROJECT_UPDATE,
+        types_1.Permission.PROJECT_DELETE,
+        types_1.Permission.KEY_CREATE,
+        types_1.Permission.KEY_READ,
+        types_1.Permission.KEY_UPDATE,
+        types_1.Permission.KEY_DELETE,
+        types_1.Permission.KEY_LIST,
+        types_1.Permission.USER_CREATE,
+        types_1.Permission.USER_UPDATE,
+        types_1.Permission.USER_DELETE,
+        types_1.Permission.AUDIT_READ,
+    ],
+    [types_1.Role.OPERATOR]: [
+        types_1.Permission.KEY_READ,
+        types_1.Permission.KEY_UPDATE,
+        types_1.Permission.KEY_LIST,
+        types_1.Permission.AUDIT_READ,
+    ],
+    [types_1.Role.DEVELOPER]: [types_1.Permission.KEY_READ, types_1.Permission.KEY_LIST],
+    [types_1.Role.READONLY]: [types_1.Permission.KEY_LIST],
+    [types_1.Role.AUDITOR]: [types_1.Permission.AUDIT_READ],
+};
+/**
+ * 密钥类型列表
+ */
+exports.KEY_TYPES = ['mongodb', 'mysql', 'postgresql', 'redis', 'custom'];
+/**
+ * 集合名称
+ */
+exports.COLLECTIONS = {
+    PROJECTS: 'projects',
+    KEYS: 'keys',
+    USERS: 'users',
+    AUDIT_LOGS: 'audit_logs',
+};
+/**
+ * ID生成器
+ */
+function generateId(prefix) {
+    const timestamp = Date.now().toString(36);
+    const random = Math.random().toString(36).substring(2, 11);
+    return `${prefix}_${timestamp}${random}`;
+}
+/**
+ * 密码强度验证
+ */
+function validatePasswordStrength(password) {
+    const errors = [];
+    const policy = exports.SECURITY_CONFIG.PASSWORD_POLICY;
+    if (password.length < policy.MIN_LENGTH) {
+        errors.push(`Password must be at least ${policy.MIN_LENGTH} characters long`);
+    }
+    if (policy.REQUIRE_UPPERCASE && !/[A-Z]/.test(password)) {
+        errors.push('Password must contain at least one uppercase letter');
+    }
+    if (policy.REQUIRE_LOWERCASE && !/[a-z]/.test(password)) {
+        errors.push('Password must contain at least one lowercase letter');
+    }
+    if (policy.REQUIRE_NUMBERS && !/\d/.test(password)) {
+        errors.push('Password must contain at least one number');
+    }
+    if (policy.REQUIRE_SPECIAL_CHARS && !/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
+        errors.push('Password must contain at least one special character');
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}

package/dist/src/utils/error-handler.js

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * 错误处理工具
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ErrorCode = void 0;
+exports.createKMSError = createKMSError;
+exports.asyncError = asyncError;
+exports.formatErrorMessage = formatErrorMessage;
+const types_1 = require("../types");
+/**
+ * 错误代码枚举
+ */
+var ErrorCode;
+(function (ErrorCode) {
+    // 项目错误 (1xxx)
+    ErrorCode["PROJECT_NOT_FOUND"] = "PROJECT_NOT_FOUND";
+    ErrorCode["PROJECT_ALREADY_EXISTS"] = "PROJECT_ALREADY_EXISTS";
+    ErrorCode["PROJECT_SUSPENDED"] = "PROJECT_SUSPENDED";
+    // 密钥错误 (2xxx)
+    ErrorCode["KEY_NOT_FOUND"] = "KEY_NOT_FOUND";
+    ErrorCode["KEY_ALREADY_EXISTS"] = "KEY_ALREADY_EXISTS";
+    ErrorCode["KEY_EXPIRED"] = "KEY_EXPIRED";
+    ErrorCode["KEY_DISABLED"] = "KEY_DISABLED";
+    // 用户错误 (3xxx)
+    ErrorCode["USER_NOT_FOUND"] = "USER_NOT_FOUND";
+    ErrorCode["USER_ALREADY_EXISTS"] = "USER_ALREADY_EXISTS";
+    ErrorCode["USER_LOCKED"] = "USER_LOCKED";
+    // 认证错误 (4xxx)
+    ErrorCode["AUTHENTICATION_FAILED"] = "AUTHENTICATION_FAILED";
+    ErrorCode["INVALID_PASSWORD"] = "INVALID_PASSWORD";
+    ErrorCode["INVALID_API_KEY"] = "INVALID_API_KEY";
+    // 权限错误 (5xxx)
+    ErrorCode["PERMISSION_DENIED"] = "PERMISSION_DENIED";
+    ErrorCode["INSUFFICIENT_PERMISSIONS"] = "INSUFFICIENT_PERMISSIONS";
+    // 验证错误 (6xxx)
+    ErrorCode["VALIDATION_ERROR"] = "VALIDATION_ERROR";
+    ErrorCode["INVALID_INPUT"] = "INVALID_INPUT";
+    ErrorCode["MISSING_REQUIRED_FIELD"] = "MISSING_REQUIRED_FIELD";
+    // 加密错误 (7xxx)
+    ErrorCode["CRYPTO_ERROR"] = "CRYPTO_ERROR";
+    ErrorCode["ENCRYPTION_FAILED"] = "ENCRYPTION_FAILED";
+    ErrorCode["DECRYPTION_FAILED"] = "DECRYPTION_FAILED";
+    // 数据库错误 (8xxx)
+    ErrorCode["DATABASE_ERROR"] = "DATABASE_ERROR";
+    ErrorCode["CONNECTION_FAILED"] = "CONNECTION_FAILED";
+    // 通用错误 (9xxx)
+    ErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
+    ErrorCode["NOT_IMPLEMENTED"] = "NOT_IMPLEMENTED";
+})(ErrorCode || (exports.ErrorCode = ErrorCode = {}));
+/**
+ * 创建KMS错误
+ */
+function createKMSError(code, message) {
+    const messages = {
+        [ErrorCode.PROJECT_NOT_FOUND]: 'Project not found',
+        [ErrorCode.PROJECT_ALREADY_EXISTS]: 'Project already exists',
+        [ErrorCode.PROJECT_SUSPENDED]: 'Project is suspended',
+        [ErrorCode.KEY_NOT_FOUND]: 'Key not found',
+        [ErrorCode.KEY_ALREADY_EXISTS]: 'Key already exists',
+        [ErrorCode.KEY_EXPIRED]: 'Key has expired',
+        [ErrorCode.KEY_DISABLED]: 'Key is disabled',
+        [ErrorCode.USER_NOT_FOUND]: 'User not found',
+        [ErrorCode.USER_ALREADY_EXISTS]: 'User already exists',
+        [ErrorCode.USER_LOCKED]: 'User account is locked',
+        [ErrorCode.AUTHENTICATION_FAILED]: 'Authentication failed',
+        [ErrorCode.INVALID_PASSWORD]: 'Invalid password',
+        [ErrorCode.INVALID_API_KEY]: 'Invalid API key',
+        [ErrorCode.PERMISSION_DENIED]: 'Permission denied',
+        [ErrorCode.INSUFFICIENT_PERMISSIONS]: 'Insufficient permissions',
+        [ErrorCode.VALIDATION_ERROR]: 'Validation error',
+        [ErrorCode.INVALID_INPUT]: 'Invalid input',
+        [ErrorCode.MISSING_REQUIRED_FIELD]: 'Missing required field',
+        [ErrorCode.CRYPTO_ERROR]: 'Cryptographic error',
+        [ErrorCode.ENCRYPTION_FAILED]: 'Encryption failed',
+        [ErrorCode.DECRYPTION_FAILED]: 'Decryption failed',
+        [ErrorCode.DATABASE_ERROR]: 'Database error',
+        [ErrorCode.CONNECTION_FAILED]: 'Connection failed',
+        [ErrorCode.INTERNAL_ERROR]: 'Internal error',
+        [ErrorCode.NOT_IMPLEMENTED]: 'Not implemented',
+    };
+    return new types_1.KMSError(message || messages[code], code);
+}
+/**
+ * 包装异步错误
+ */
+function asyncError(fn) {
+    return (async (...args) => {
+        try {
+            return await fn(...args);
+        }
+        catch (error) {
+            if (error instanceof types_1.KMSError) {
+                throw error;
+            }
+            throw createKMSError(ErrorCode.INTERNAL_ERROR, error instanceof Error ? error.message : 'Unknown error');
+        }
+    });
+}
+/**
+ * 格式化错误消息
+ */
+function formatErrorMessage(error) {
+    if (error instanceof types_1.KMSError) {
+        return `[${error.code}] ${error.message}`;
+    }
+    return error.message;
+}

package/package.json

@@ -1,16 +1,21 @@
 {
   "name": "@pengzi/kms",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "High-security Key Management System for Node.js applications",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
+  "bin": {
+    "kms": "./dist/cli/kms.js",
+    "kms-cli": "./dist/cli/kms.js"
+  },
   "scripts": {
     "build": "tsc",
+    "build:cli": "tsc cli/kms.ts --outDir dist --module commonjs --target es2020 --moduleResolution node --esModuleInterop --rootDir .",
     "test": "jest",
     "test:coverage": "jest --coverage",
     "lint": "eslint src/**/*.ts",
     "format": "prettier --write src/**/*.ts",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build && npm run build:cli"
   },
   "keywords": [
     "kms",