@pengzi/kms 1.1.0 → 1.2.0

package/dist/cli/src/index.js

@@ -0,0 +1,50 @@
+"use strict";
+/**
+ * KMS - 密钥管理系统
+ * 主入口文件
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readPrivateKeyFile = exports.createClientFromEncryptedConfig = exports.loadConfigFromEnvironment = exports.loadEncryptedConfig = exports.getPrivateKeyPassphrase = exports.isValidPEMKey = exports.generateKeyId = exports.decryptConnectionString = exports.encryptConnectionString = exports.generateRSAKeyPair = exports.CryptoError = exports.ValidationError = exports.ForbiddenError = exports.AuthenticationError = exports.UserNotFoundError = exports.KeyNotFoundError = exports.ProjectNotFoundError = exports.KMSError = exports.KMSClient = void 0;
+// 导出主类
+var client_1 = require("./client");
+Object.defineProperty(exports, "KMSClient", { enumerable: true, get: function () { return client_1.KMSClient; } });
+// 导出所有类型
+__exportStar(require("./types"), exports);
+// 导出错误类
+var types_1 = require("./types");
+Object.defineProperty(exports, "KMSError", { enumerable: true, get: function () { return types_1.KMSError; } });
+Object.defineProperty(exports, "ProjectNotFoundError", { enumerable: true, get: function () { return types_1.ProjectNotFoundError; } });
+Object.defineProperty(exports, "KeyNotFoundError", { enumerable: true, get: function () { return types_1.KeyNotFoundError; } });
+Object.defineProperty(exports, "UserNotFoundError", { enumerable: true, get: function () { return types_1.UserNotFoundError; } });
+Object.defineProperty(exports, "AuthenticationError", { enumerable: true, get: function () { return types_1.AuthenticationError; } });
+Object.defineProperty(exports, "ForbiddenError", { enumerable: true, get: function () { return types_1.ForbiddenError; } });
+Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return types_1.ValidationError; } });
+Object.defineProperty(exports, "CryptoError", { enumerable: true, get: function () { return types_1.CryptoError; } });
+// 导出加密工具（用于连接字符串加密）
+var asymmetric_crypto_1 = require("./core/asymmetric-crypto");
+Object.defineProperty(exports, "generateRSAKeyPair", { enumerable: true, get: function () { return asymmetric_crypto_1.generateRSAKeyPair; } });
+Object.defineProperty(exports, "encryptConnectionString", { enumerable: true, get: function () { return asymmetric_crypto_1.encryptConnectionString; } });
+Object.defineProperty(exports, "decryptConnectionString", { enumerable: true, get: function () { return asymmetric_crypto_1.decryptConnectionString; } });
+Object.defineProperty(exports, "generateKeyId", { enumerable: true, get: function () { return asymmetric_crypto_1.generateKeyId; } });
+Object.defineProperty(exports, "isValidPEMKey", { enumerable: true, get: function () { return asymmetric_crypto_1.isValidPEMKey; } });
+Object.defineProperty(exports, "getPrivateKeyPassphrase", { enumerable: true, get: function () { return asymmetric_crypto_1.getPrivateKeyPassphrase; } });
+// 导出配置加载工具
+var config_loader_1 = require("./utils/config-loader");
+Object.defineProperty(exports, "loadEncryptedConfig", { enumerable: true, get: function () { return config_loader_1.loadEncryptedConfig; } });
+Object.defineProperty(exports, "loadConfigFromEnvironment", { enumerable: true, get: function () { return config_loader_1.loadConfigFromEnvironment; } });
+Object.defineProperty(exports, "createClientFromEncryptedConfig", { enumerable: true, get: function () { return config_loader_1.createClientFromEncryptedConfig; } });
+Object.defineProperty(exports, "readPrivateKeyFile", { enumerable: true, get: function () { return config_loader_1.readPrivateKeyFile; } });

package/dist/cli/src/models/audit.model.js

@@ -0,0 +1,82 @@
+"use strict";
+/**
+ * 审计日志数据模型
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuditLog = createAuditLog;
+exports.calculateSeverity = calculateSeverity;
+exports.formatAuditDetails = formatAuditDetails;
+const types_1 = require("../types");
+const constants_1 = require("../utils/constants");
+/**
+ * 创建审计日志
+ */
+function createAuditLog(data) {
+    const timestamp = new Date();
+    return {
+        _id: (0, constants_1.generateId)('audit'),
+        projectId: data.projectId,
+        userId: data.userId,
+        action: data.action,
+        resourceType: data.resourceType,
+        resourceId: data.resourceId,
+        details: {
+            ...data.details,
+        },
+        timestamp,
+        severity: calculateSeverity(data.action, data.details.success),
+    };
+}
+/**
+ * 计算日志严重级别
+ */
+function calculateSeverity(action, success) {
+    if (!success) {
+        const criticalActions = [
+            types_1.AuditAction.DELETE_PROJECT,
+            types_1.AuditAction.DELETE_KEY,
+            types_1.AuditAction.LOGIN_FAILED,
+        ];
+        const warningActions = [
+            types_1.AuditAction.UPDATE_KEY,
+            types_1.AuditAction.UPDATE_PROJECT,
+            types_1.AuditAction.PERMISSION_DENIED,
+        ];
+        if (criticalActions.includes(action)) {
+            return types_1.AuditSeverity.CRITICAL;
+        }
+        if (warningActions.includes(action)) {
+            return types_1.AuditSeverity.WARNING;
+        }
+        return types_1.AuditSeverity.ERROR;
+    }
+    // 成功的操作
+    const criticalActions = [
+        types_1.AuditAction.DELETE_PROJECT,
+        types_1.AuditAction.DELETE_KEY,
+        types_1.AuditAction.DELETE_USER,
+    ];
+    if (criticalActions.includes(action)) {
+        return types_1.AuditSeverity.CRITICAL;
+    }
+    return types_1.AuditSeverity.INFO;
+}
+/**
+ * 格式化审计日志详情
+ */
+function formatAuditDetails(details) {
+    const parts = [];
+    if (details.keyName) {
+        parts.push(`Key: ${details.keyName}`);
+    }
+    if (details.keyType) {
+        parts.push(`Type: ${details.keyType}`);
+    }
+    if (details.ipAddress) {
+        parts.push(`IP: ${details.ipAddress}`);
+    }
+    if (!details.success && details.errorMessage) {
+        parts.push(`Error: ${details.errorMessage}`);
+    }
+    return parts.join(' | ');
+}

package/dist/cli/src/models/key.model.js

@@ -0,0 +1,119 @@
+"use strict";
+/**
+ * 密钥数据模型
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKey = createKey;
+exports.validateKey = validateKey;
+exports.updateKey = updateKey;
+exports.toKeyValue = toKeyValue;
+exports.isKeyExpired = isKeyExpired;
+exports.isKeyAccessible = isKeyAccessible;
+const types_1 = require("../types");
+const constants_1 = require("../utils/constants");
+/**
+ * 创建新密钥
+ */
+function createKey(projectId, keyData, encryptedData, createdBy) {
+    const now = new Date();
+    return {
+        keyId: (0, constants_1.generateId)('key'),
+        projectId,
+        keyName: keyData.keyName,
+        keyType: keyData.keyType,
+        encryptedValue: encryptedData.encrypted,
+        iv: encryptedData.iv,
+        authTag: encryptedData.authTag,
+        version: 1,
+        tags: keyData.tags || [],
+        description: keyData.description,
+        createdBy,
+        createdAt: now,
+        updatedAt: now,
+        expiresAt: keyData.expiresAt,
+        status: types_1.KeyStatus.ACTIVE,
+    };
+}
+/**
+ * 验证密钥数据
+ */
+function validateKey(keyData) {
+    const errors = [];
+    if (!keyData.keyName || keyData.keyName.trim().length === 0) {
+        errors.push('Key name is required');
+    }
+    if (keyData.keyName && keyData.keyName.length > 100) {
+        errors.push('Key name must be less than 100 characters');
+    }
+    if (!keyData.keyType) {
+        errors.push('Key type is required');
+    }
+    if (!keyData.value || keyData.value.trim().length === 0) {
+        errors.push('Key value is required');
+    }
+    if (keyData.value && keyData.value.length > 2000) {
+        errors.push('Key value must be less than 2000 characters');
+    }
+    if (keyData.expiresAt && keyData.expiresAt < new Date()) {
+        errors.push('Expiration date must be in the future');
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+/**
+ * 更新密钥
+ */
+function updateKey(key, updates, newEncryptedData) {
+    const updatedKey = { ...key };
+    if (newEncryptedData) {
+        updatedKey.encryptedValue = newEncryptedData.encrypted;
+        updatedKey.iv = newEncryptedData.iv;
+        updatedKey.authTag = newEncryptedData.authTag;
+        updatedKey.version += 1;
+        updatedKey.lastRotatedAt = new Date();
+    }
+    if (updates.tags !== undefined) {
+        updatedKey.tags = updates.tags;
+    }
+    if (updates.description !== undefined) {
+        updatedKey.description = updates.description;
+    }
+    if (updates.expiresAt !== undefined) {
+        updatedKey.expiresAt = updates.expiresAt;
+    }
+    if (updates.status !== undefined) {
+        updatedKey.status = updates.status;
+    }
+    updatedKey.updatedAt = new Date();
+    return updatedKey;
+}
+/**
+ * 转换密钥为KeyValue（包含解密值）
+ */
+function toKeyValue(key, decryptedValue) {
+    const { encryptedValue, iv, authTag, ...keyValue } = key;
+    return {
+        ...keyValue,
+        value: decryptedValue,
+    };
+}
+/**
+ * 检查密钥是否已过期
+ */
+function isKeyExpired(key) {
+    return key.expiresAt !== undefined && key.expiresAt < new Date();
+}
+/**
+ * 检查密钥是否可用
+ */
+function isKeyAccessible(key) {
+    if (key.status !== types_1.KeyStatus.ACTIVE) {
+        return false;
+    }
+    if (isKeyExpired(key)) {
+        return false;
+    }
+    return true;
+}

package/dist/cli/src/models/project.model.js

@@ -0,0 +1,53 @@
+"use strict";
+/**
+ * 项目数据模型
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createProject = createProject;
+exports.validateProject = validateProject;
+exports.toSafeProject = toSafeProject;
+const types_1 = require("../types");
+const constants_1 = require("../utils/constants");
+/**
+ * 创建新项目
+ */
+function createProject(options, masterKeyEncrypted, masterKeyHash, salt) {
+    const now = new Date();
+    return {
+        projectId: (0, constants_1.generateId)('proj'),
+        projectName: options.projectName,
+        masterKeyHash,
+        masterKeyEncrypted,
+        salt,
+        createdAt: now,
+        updatedAt: now,
+        status: types_1.ProjectStatus.ACTIVE,
+        metadata: options.metadata,
+    };
+}
+/**
+ * 验证项目数据
+ */
+function validateProject(project) {
+    const errors = [];
+    if (!project.projectName || project.projectName.trim().length === 0) {
+        errors.push('Project name is required');
+    }
+    if (project.projectName && project.projectName.length > 100) {
+        errors.push('Project name must be less than 100 characters');
+    }
+    if (!project.projectId || project.projectId.trim().length === 0) {
+        errors.push('Project ID is required');
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+/**
+ * 转换项目为安全格式（不包含敏感信息）
+ */
+function toSafeProject(project) {
+    const { masterKeyHash, masterKeyEncrypted, salt, ...safeProject } = project;
+    return safeProject;
+}

package/dist/cli/src/models/user.model.js

@@ -0,0 +1,140 @@
+"use strict";
+/**
+ * 用户数据模型
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUser = createUser;
+exports.validateUser = validateUser;
+exports.updateLastLogin = updateLastLogin;
+exports.lockUser = lockUser;
+exports.activateUser = activateUser;
+exports.addRole = addRole;
+exports.removeRole = removeRole;
+exports.addPermission = addPermission;
+exports.removePermission = removePermission;
+exports.toSafeUser = toSafeUser;
+const types_1 = require("../types");
+const constants_1 = require("../utils/constants");
+/**
+ * 创建新用户
+ */
+function createUser(projectId, userData, passwordHash, apiKeyHash) {
+    const now = new Date();
+    return {
+        userId: (0, constants_1.generateId)('user'),
+        projectId,
+        username: userData.username,
+        passwordHash,
+        roles: userData.roles || [],
+        permissions: userData.permissions || [],
+        apiKeyHash,
+        createdAt: now,
+        updatedAt: now,
+        status: types_1.UserStatus.ACTIVE,
+    };
+}
+/**
+ * 验证用户数据
+ */
+function validateUser(userData) {
+    const errors = [];
+    if (!userData.username || userData.username.trim().length === 0) {
+        errors.push('Username is required');
+    }
+    if (userData.username && (userData.username.length < 3 || userData.username.length > 50)) {
+        errors.push('Username must be between 3 and 50 characters');
+    }
+    if (!userData.password || userData.password.length === 0) {
+        errors.push('Password is required');
+    }
+    if (userData.roles && userData.roles.length === 0) {
+        errors.push('At least one role is required');
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+/**
+ * 更新用户最后登录时间
+ */
+function updateLastLogin(user) {
+    return {
+        ...user,
+        lastLoginAt: new Date(),
+        updatedAt: new Date(),
+    };
+}
+/**
+ * 锁定用户
+ */
+function lockUser(user) {
+    return {
+        ...user,
+        status: types_1.UserStatus.LOCKED,
+        updatedAt: new Date(),
+    };
+}
+/**
+ * 激活用户
+ */
+function activateUser(user) {
+    return {
+        ...user,
+        status: types_1.UserStatus.ACTIVE,
+        updatedAt: new Date(),
+    };
+}
+/**
+ * 添加角色
+ */
+function addRole(user, role) {
+    if (user.roles.includes(role)) {
+        return user;
+    }
+    return {
+        ...user,
+        roles: [...user.roles, role],
+        updatedAt: new Date(),
+    };
+}
+/**
+ * 移除角色
+ */
+function removeRole(user, role) {
+    return {
+        ...user,
+        roles: user.roles.filter((r) => r !== role),
+        updatedAt: new Date(),
+    };
+}
+/**
+ * 添加权限
+ */
+function addPermission(user, permission) {
+    if (user.permissions.includes(permission)) {
+        return user;
+    }
+    return {
+        ...user,
+        permissions: [...user.permissions, permission],
+        updatedAt: new Date(),
+    };
+}
+/**
+ * 移除权限
+ */
+function removePermission(user, permission) {
+    return {
+        ...user,
+        permissions: user.permissions.filter((p) => p !== permission),
+        updatedAt: new Date(),
+    };
+}
+/**
+ * 转换用户为安全格式（不包含敏感信息）
+ */
+function toSafeUser(user) {
+    const { passwordHash, apiKeyHash, ...safeUser } = user;
+    return safeUser;
+}

package/dist/cli/src/repositories/audit.repository.js

@@ -0,0 +1,115 @@
+"use strict";
+/**
+ * 审计日志仓储
+ * 负责审计日志的数据访问
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditRepository = void 0;
+const base_repository_1 = require("./base.repository");
+const types_1 = require("../types");
+class AuditRepository extends base_repository_1.BaseRepository {
+    constructor(db) {
+        super(db, 'audit_logs');
+        this.initializeIndexes();
+    }
+    /**
+     * 初始化索引
+     */
+    async initializeIndexes() {
+        await this.createIndexes([
+            { projectId: 1 },
+            { userId: 1 },
+            { action: 1 },
+            { resourceType: 1 },
+            { resourceId: 1 },
+            { timestamp: -1 },
+            { severity: 1 },
+            { projectId: 1, timestamp: -1 },
+            { userId: 1, timestamp: -1 },
+        ]);
+    }
+    /**
+     * 查询审计日志
+     */
+    async findAuditLogs(projectId, query) {
+        const filter = { projectId };
+        if (query.startDate) {
+            filter.timestamp = { ...filter.timestamp, $gte: query.startDate };
+        }
+        if (query.endDate) {
+            filter.timestamp = { ...filter.timestamp, $lte: query.endDate };
+        }
+        if (query.action) {
+            filter.action = query.action;
+        }
+        if (query.resourceType) {
+            filter.resourceType = query.resourceType;
+        }
+        if (query.userId) {
+            filter.userId = query.userId;
+        }
+        if (query.severity) {
+            filter.severity = query.severity;
+        }
+        if (query.success !== undefined) {
+            filter['details.success'] = query.success;
+        }
+        const total = await this.count(filter);
+        const page = query.page || 1;
+        const limit = query.limit || 50;
+        const skip = (page - 1) * limit;
+        const logs = await this.findMany(filter, {
+            sort: { timestamp: -1 },
+            skip,
+            limit,
+        });
+        return { logs, total };
+    }
+    /**
+     * 查询最近的审计日志
+     */
+    async findRecentLogs(projectId, limit = 100) {
+        return await this.findMany({ projectId }, { sort: { timestamp: -1 }, limit });
+    }
+    /**
+     * 统计特定操作的次数
+     */
+    async countByAction(projectId, action, startDate, endDate) {
+        const filter = { projectId, action };
+        if (startDate || endDate) {
+            filter.timestamp = {};
+            if (startDate)
+                filter.timestamp.$gte = startDate;
+            if (endDate)
+                filter.timestamp.$lte = endDate;
+        }
+        return await this.count(filter);
+    }
+    /**
+     * 统计失败的登录尝试
+     */
+    async countFailedLogins(projectId, userId, since) {
+        const filter = {
+            projectId,
+            action: types_1.AuditAction.LOGIN_FAILED,
+        };
+        if (userId) {
+            filter.userId = userId;
+        }
+        if (since) {
+            filter.timestamp = { $gte: since };
+        }
+        return await this.count(filter);
+    }
+    /**
+     * 删除旧日志（用于归档）
+     */
+    async deleteOldLogs(beforeDate) {
+        const collection = this.getCollection();
+        const result = await collection.deleteMany({
+            timestamp: { $lt: beforeDate },
+        });
+        return result.deletedCount;
+    }
+}
+exports.AuditRepository = AuditRepository;

package/dist/cli/src/repositories/base.repository.js

@@ -0,0 +1,94 @@
+"use strict";
+/**
+ * 基础仓储类
+ * 提供通用的数据库操作
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BaseRepository = void 0;
+/**
+ * 基础仓储类
+ */
+class BaseRepository {
+    constructor(db, collectionName) {
+        this.db = db;
+        this.collectionName = collectionName;
+    }
+    /**
+     * 获取集合
+     */
+    getCollection() {
+        return this.db.collection(this.collectionName);
+    }
+    /**
+     * 创建索引
+     */
+    async createIndexes(indexes) {
+        const collection = this.getCollection();
+        for (const index of indexes) {
+            await collection.createIndex(index);
+        }
+    }
+    /**
+     * 插入单个文档
+     */
+    async insertOne(document) {
+        const collection = this.getCollection();
+        const result = await collection.insertOne(document);
+        return { ...document, _id: result.insertedId.toString() };
+    }
+    /**
+     * 查询单个文档
+     */
+    async findOne(filter) {
+        const collection = this.getCollection();
+        return await collection.findOne(filter);
+    }
+    /**
+     * 查询多个文档
+     */
+    async findMany(filter = {}, options) {
+        const collection = this.getCollection();
+        let query = collection.find(filter);
+        if (options?.sort) {
+            query = query.sort(options.sort);
+        }
+        if (options?.skip) {
+            query = query.skip(options.skip);
+        }
+        if (options?.limit) {
+            query = query.limit(options.limit);
+        }
+        return await query.toArray();
+    }
+    /**
+     * 更新单个文档
+     */
+    async updateOne(filter, update) {
+        const collection = this.getCollection();
+        const result = await collection.updateOne(filter, update);
+        return result.modifiedCount > 0;
+    }
+    /**
+     * 删除单个文档
+     */
+    async deleteOne(filter) {
+        const collection = this.getCollection();
+        const result = await collection.deleteOne(filter);
+        return result.deletedCount > 0;
+    }
+    /**
+     * 统计文档数量
+     */
+    async count(filter = {}) {
+        const collection = this.getCollection();
+        return await collection.countDocuments(filter);
+    }
+    /**
+     * 检查文档是否存在
+     */
+    async exists(filter) {
+        const count = await this.count(filter);
+        return count > 0;
+    }
+}
+exports.BaseRepository = BaseRepository;