@pengzi/kms 1.1.0 → 1.2.0

package/dist/cli/src/services/key.service.js

@@ -0,0 +1,137 @@
+"use strict";
+/**
+ * 密钥服务
+ * 负责密钥的业务逻辑
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyService = void 0;
+const key_model_1 = require("../models/key.model");
+const types_1 = require("../types");
+const types_2 = require("../types");
+const crypto_1 = require("../core/crypto");
+class KeyService {
+    constructor(keyRepo, auditService, permissionService, cryptoService) {
+        this.keyRepo = keyRepo;
+        this.auditService = auditService;
+        this.permissionService = permissionService;
+        this.cryptoService = cryptoService;
+    }
+    /**
+     * 设置 ProjectService 引用（避免循环依赖）
+     */
+    setProjectService(projectService) {
+        this.projectService = projectService;
+    }
+    /**
+     * 创建密钥
+     */
+    async createKey(projectId, userId, masterPassword, keyData) {
+        // 验证权限
+        await this.permissionService.requirePermission(projectId, userId, types_2.Permission.KEY_CREATE);
+        // 验证密钥数据
+        const validation = (0, key_model_1.validateKey)(keyData);
+        if (!validation.valid) {
+            throw new types_1.ValidationError(validation.errors.join(', '));
+        }
+        // 检查密钥名称是否已存在
+        const existingKey = await this.keyRepo.findByProjectAndName(projectId, keyData.keyName);
+        if (existingKey) {
+            throw new types_1.ValidationError('Key with this name already exists');
+        }
+        // 加密密钥值
+        const masterKeyHex = await this.getMasterKey(projectId, masterPassword);
+        const masterKey = (0, crypto_1.hexToBuffer)(masterKeyHex);
+        const encryptedData = await this.cryptoService.encryptKey(keyData.value, masterKey);
+        // 创建密钥
+        const key = (0, key_model_1.createKey)(projectId, keyData, encryptedData, userId);
+        await this.keyRepo.insertOne(key);
+        // 记录审计日志
+        await this.auditService.logKeyCreated(projectId, userId, key.keyId, key.keyName, key.keyType, true);
+        return key;
+    }
+    /**
+     * 获取密钥（解密）
+     */
+    async getKey(projectId, userId, masterPassword, keyId) {
+        // 验证权限
+        await this.permissionService.requirePermission(projectId, userId, types_2.Permission.KEY_READ);
+        // 获取密钥
+        const key = await this.keyRepo.findByKeyId(keyId);
+        if (!key) {
+            throw new types_1.KeyNotFoundError(keyId);
+        }
+        // 验证项目
+        if (key.projectId !== projectId) {
+            throw new types_1.ValidationError('Key does not belong to this project');
+        }
+        // 检查密钥是否可访问
+        if (!(0, key_model_1.isKeyAccessible)(key)) {
+            throw new types_1.ValidationError('Key is not accessible');
+        }
+        // 解密密钥值
+        const masterKeyHex = await this.getMasterKey(projectId, masterPassword);
+        const masterKey = (0, crypto_1.hexToBuffer)(masterKeyHex);
+        const decryptedValue = await this.cryptoService.decryptKey(key.encryptedValue, key.iv, key.authTag, masterKey);
+        // 更新最后访问时间
+        await this.keyRepo.updateLastAccessed(keyId);
+        // 记录审计日志
+        await this.auditService.logKeyRead(projectId, userId, keyId, key.keyName, true);
+        return (0, key_model_1.toKeyValue)(key, decryptedValue);
+    }
+    /**
+     * 列出密钥
+     */
+    async listKeys(projectId, userId, filters, options) {
+        // 验证权限
+        await this.permissionService.requirePermission(projectId, userId, types_2.Permission.KEY_LIST);
+        return await this.keyRepo.findByProjectId(projectId, filters, options);
+    }
+    /**
+     * 更新密钥
+     */
+    async updateKey(projectId, userId, masterPassword, keyId, updates) {
+        // 验证权限
+        await this.permissionService.requirePermission(projectId, userId, types_2.Permission.KEY_UPDATE);
+        const key = await this.keyRepo.getByKeyId(keyId);
+        // 验证项目
+        if (key.projectId !== projectId) {
+            throw new types_1.ValidationError('Key does not belong to this project');
+        }
+        let newEncryptedData;
+        // 如果更新密钥值，需要重新加密
+        if (updates.value) {
+            const masterKeyHex = await this.getMasterKey(projectId, masterPassword);
+            const masterKey = (0, crypto_1.hexToBuffer)(masterKeyHex);
+            newEncryptedData = await this.cryptoService.encryptKey(updates.value, masterKey);
+        }
+        const updatedKey = (0, key_model_1.updateKey)(key, updates, newEncryptedData);
+        await this.keyRepo.updateKey(keyId, updatedKey);
+        return updatedKey;
+    }
+    /**
+     * 删除密钥
+     */
+    async deleteKey(projectId, userId, keyId) {
+        // 验证权限
+        await this.permissionService.requirePermission(projectId, userId, types_2.Permission.KEY_DELETE);
+        const key = await this.keyRepo.getByKeyId(keyId);
+        // 验证项目
+        if (key.projectId !== projectId) {
+            throw new types_1.ValidationError('Key does not belong to this project');
+        }
+        await this.keyRepo.softDeleteKey(keyId);
+        // 记录审计日志
+        await this.auditService.logKeyDeleted(projectId, userId, keyId, key.keyName, true);
+    }
+    /**
+     * 获取项目主密钥（需要从项目服务获取）
+     */
+    async getMasterKey(projectId, masterPassword) {
+        if (!this.projectService) {
+            throw new Error('ProjectService not set. Call setProjectService() first.');
+        }
+        const masterKey = await this.projectService.unlockProjectMasterKey(projectId, masterPassword);
+        return masterKey.toString('hex');
+    }
+}
+exports.KeyService = KeyService;

package/dist/cli/src/services/permission.service.js

@@ -0,0 +1,142 @@
+"use strict";
+/**
+ * 权限服务
+ * 负责权限验证和访问控制
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionService = void 0;
+const types_1 = require("../types");
+const constants_1 = require("../utils/constants");
+class PermissionService {
+    constructor(userRepo, auditService) {
+        this.userRepo = userRepo;
+        this.auditService = auditService;
+    }
+    /**
+     * 检查用户是否拥有指定权限
+     */
+    async checkPermission(projectId, userId, requiredPermission) {
+        // 先尝试按 username 查找
+        let user = await this.userRepo.findByProjectAndUsername(projectId, userId);
+        // 如果没找到，尝试按 userId 查找
+        if (!user) {
+            user = await this.userRepo.findByUserId(userId);
+        }
+        if (!user) {
+            return false;
+        }
+        if (user.status !== 'active') {
+            return false;
+        }
+        // 检查直接权限
+        if (user.permissions.includes(requiredPermission)) {
+            return true;
+        }
+        // 检查角色权限
+        for (const role of user.roles) {
+            const rolePermissions = constants_1.ROLE_PERMISSIONS[role];
+            if (rolePermissions?.includes(requiredPermission)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * 要求用户必须拥有指定权限，否则抛出异常
+     */
+    async requirePermission(projectId, userId, requiredPermission) {
+        const hasPermission = await this.checkPermission(projectId, userId, requiredPermission);
+        if (!hasPermission) {
+            await this.auditService.log({
+                projectId,
+                userId,
+                action: types_1.AuditAction.PERMISSION_DENIED,
+                resourceType: types_1.ResourceType.KEY,
+                resourceId: requiredPermission,
+                details: {
+                    success: false,
+                    errorMessage: `User ${userId} does not have permission: ${requiredPermission}`,
+                },
+            });
+            throw new types_1.ForbiddenError(`User does not have required permission: ${requiredPermission}`);
+        }
+    }
+    /**
+     * 检查用户是否拥有指定角色
+     */
+    async hasRole(projectId, userId, role) {
+        const user = await this.userRepo.findByProjectAndUsername(projectId, userId);
+        if (!user) {
+            return false;
+        }
+        return user.roles.includes(role);
+    }
+    /**
+     * 授予角色
+     */
+    async grantRole(projectId, adminUserId, targetUserId, role) {
+        // 验证管理员权限
+        await this.requirePermission(projectId, adminUserId, types_1.Permission.USER_UPDATE);
+        const user = await this.userRepo.findByProjectAndUsername(projectId, targetUserId);
+        if (!user) {
+            throw new Error('User not found');
+        }
+        if (user.roles.includes(role)) {
+            return; // 已经拥有该角色
+        }
+        await this.userRepo.updateUser(user.userId, {
+            roles: [...user.roles, role],
+        });
+        await this.auditService.log({
+            projectId,
+            userId: adminUserId,
+            action: types_1.AuditAction.GRANT_ROLE,
+            resourceType: types_1.ResourceType.USER,
+            resourceId: user.userId,
+            details: {
+                success: true,
+            },
+        });
+    }
+    /**
+     * 撤销角色
+     */
+    async revokeRole(projectId, adminUserId, targetUserId, role) {
+        // 验证管理员权限
+        await this.requirePermission(projectId, adminUserId, types_1.Permission.USER_UPDATE);
+        const user = await this.userRepo.findByProjectAndUsername(projectId, targetUserId);
+        if (!user) {
+            throw new Error('User not found');
+        }
+        await this.userRepo.updateUser(user.userId, {
+            roles: user.roles.filter((r) => r !== role),
+        });
+        await this.auditService.log({
+            projectId,
+            userId: adminUserId,
+            action: types_1.AuditAction.REVOKE_ROLE,
+            resourceType: types_1.ResourceType.USER,
+            resourceId: user.userId,
+            details: {
+                success: true,
+            },
+        });
+    }
+    /**
+     * 获取用户的所有权限（包括角色权限）
+     */
+    async getUserPermissions(projectId, userId) {
+        const user = await this.userRepo.findByProjectAndUsername(projectId, userId);
+        if (!user) {
+            return [];
+        }
+        const permissions = new Set(user.permissions);
+        // 添加角色权限
+        for (const role of user.roles) {
+            const rolePermissions = constants_1.ROLE_PERMISSIONS[role] || [];
+            rolePermissions.forEach((p) => permissions.add(p));
+        }
+        return Array.from(permissions);
+    }
+}
+exports.PermissionService = PermissionService;

package/dist/cli/src/services/project.service.js

@@ -0,0 +1,102 @@
+"use strict";
+/**
+ * 项目服务
+ * 负责项目的业务逻辑
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProjectService = void 0;
+const types_1 = require("../types");
+const project_model_1 = require("../models/project.model");
+const user_model_1 = require("../models/user.model");
+const key_derivation_1 = require("../core/key-derivation");
+const types_2 = require("../types");
+const constants_1 = require("../utils/constants");
+const types_3 = require("../types");
+const bcrypt_1 = require("bcrypt");
+class ProjectService {
+    constructor(projectRepo, userRepo, auditService, cryptoService) {
+        this.projectRepo = projectRepo;
+        this.userRepo = userRepo;
+        this.auditService = auditService;
+        this.cryptoService = cryptoService;
+    }
+    /**
+     * 创建项目
+     */
+    async createProject(options, userId) {
+        // 验证密码强度
+        const passwordValidation = (0, constants_1.validatePasswordStrength)(options.masterPassword);
+        if (!passwordValidation.valid) {
+            throw new types_2.ValidationError(passwordValidation.errors.join(', '));
+        }
+        // 验证项目名称唯一性
+        const existingProject = await this.projectRepo.findByProjectName(options.projectName);
+        if (existingProject) {
+            throw new types_2.ValidationError('Project name already exists');
+        }
+        // 派生主密钥
+        const salt = (0, key_derivation_1.generateSalt)();
+        const masterKey = await this.cryptoService.deriveMasterKey(options.masterPassword, salt);
+        const masterKeyHash = await this.cryptoService.hashMasterKey(masterKey);
+        // 加密主密钥（这里简化处理，实际应该使用系统主密钥加密）
+        // 为了安全，我们存储哈希用于验证，不存储加密的主密钥
+        // 使用时需要用户重新提供密码来派生主密钥
+        const project = (0, project_model_1.createProject)(options, '', // 加密后的主密钥（可选实现）
+        masterKeyHash, salt);
+        await this.projectRepo.insertOne(project);
+        // 自动创建项目所有者用户（管理员）
+        // 使用 userId 作为用户名，这样 setCurrentUser 后可以直接使用
+        const ownerUser = (0, user_model_1.createUser)(project.projectId, {
+            username: userId, // 使用调用者的 userId 作为用户名
+            password: options.masterPassword,
+            roles: [types_1.Role.ADMIN]
+        }, await (0, bcrypt_1.hash)(options.masterPassword, 10));
+        await this.userRepo.insertOne(ownerUser);
+        // 记录审计日志
+        await this.auditService.logProjectCreated(project.projectId, userId, project.projectName, true);
+        return project;
+    }
+    /**
+     * 获取项目
+     */
+    async getProject(projectId) {
+        const project = await this.projectRepo.findByProjectId(projectId);
+        if (!project) {
+            throw new types_2.ProjectNotFoundError(projectId);
+        }
+        return project;
+    }
+    /**
+     * 列出所有项目
+     */
+    async listProjects() {
+        return await this.projectRepo.findProjects();
+    }
+    /**
+     * 删除项目
+     */
+    async deleteProject(projectId, userId) {
+        const project = await this.getProject(projectId);
+        await this.projectRepo.softDeleteProject(projectId);
+        await this.auditService.log({
+            projectId,
+            userId,
+            action: types_3.AuditAction.DELETE_PROJECT,
+            resourceType: types_3.ResourceType.PROJECT,
+            resourceId: projectId,
+            details: {
+                keyName: project.projectName,
+                success: true,
+            },
+        });
+    }
+    /**
+     * 解锁项目主密钥（使用主密码）
+     */
+    async unlockProjectMasterKey(projectId, masterPassword) {
+        const project = await this.getProject(projectId);
+        const masterKey = await this.cryptoService.unlockProjectMasterKey(masterPassword, project.salt, project.masterKeyHash);
+        return masterKey.toString('hex');
+    }
+}
+exports.ProjectService = ProjectService;

package/dist/cli/src/types/audit.types.js

@@ -0,0 +1,54 @@
+"use strict";
+/**
+ * 审计日志相关类型定义
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditSeverity = exports.ResourceType = exports.AuditAction = void 0;
+/**
+ * 操作类型
+ */
+var AuditAction;
+(function (AuditAction) {
+    // 项目操作
+    AuditAction["CREATE_PROJECT"] = "CREATE_PROJECT";
+    AuditAction["UPDATE_PROJECT"] = "UPDATE_PROJECT";
+    AuditAction["DELETE_PROJECT"] = "DELETE_PROJECT";
+    // 密钥操作
+    AuditAction["CREATE_KEY"] = "CREATE_KEY";
+    AuditAction["READ_KEY"] = "READ_KEY";
+    AuditAction["UPDATE_KEY"] = "UPDATE_KEY";
+    AuditAction["DELETE_KEY"] = "DELETE_KEY";
+    AuditAction["LIST_KEYS"] = "LIST_KEYS";
+    AuditAction["ROTATE_KEY"] = "ROTATE_KEY";
+    // 用户操作
+    AuditAction["CREATE_USER"] = "CREATE_USER";
+    AuditAction["UPDATE_USER"] = "UPDATE_USER";
+    AuditAction["DELETE_USER"] = "DELETE_USER";
+    AuditAction["GRANT_ROLE"] = "GRANT_ROLE";
+    AuditAction["REVOKE_ROLE"] = "REVOKE_ROLE";
+    // 认证操作
+    AuditAction["LOGIN"] = "LOGIN";
+    AuditAction["LOGOUT"] = "LOGOUT";
+    AuditAction["LOGIN_FAILED"] = "LOGIN_FAILED";
+    // 权限
+    AuditAction["PERMISSION_DENIED"] = "PERMISSION_DENIED";
+})(AuditAction || (exports.AuditAction = AuditAction = {}));
+/**
+ * 资源类型
+ */
+var ResourceType;
+(function (ResourceType) {
+    ResourceType["PROJECT"] = "project";
+    ResourceType["KEY"] = "key";
+    ResourceType["USER"] = "user";
+})(ResourceType || (exports.ResourceType = ResourceType = {}));
+/**
+ * 日志严重级别
+ */
+var AuditSeverity;
+(function (AuditSeverity) {
+    AuditSeverity["INFO"] = "info";
+    AuditSeverity["WARNING"] = "warning";
+    AuditSeverity["ERROR"] = "error";
+    AuditSeverity["CRITICAL"] = "critical";
+})(AuditSeverity || (exports.AuditSeverity = AuditSeverity = {}));

package/dist/cli/src/types/crypto.types.js

@@ -0,0 +1,5 @@
+"use strict";
+/**
+ * 加密相关类型定义
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cli/src/types/index.js

@@ -0,0 +1,90 @@
+"use strict";
+/**
+ * 类型定义统一导出
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CryptoError = exports.ValidationError = exports.ForbiddenError = exports.AuthenticationError = exports.UserNotFoundError = exports.KeyNotFoundError = exports.ProjectNotFoundError = exports.KMSError = void 0;
+// 加密相关
+__exportStar(require("./crypto.types"), exports);
+// 项目相关
+__exportStar(require("./project.types"), exports);
+// 密钥相关
+__exportStar(require("./key.types"), exports);
+// 用户相关
+__exportStar(require("./user.types"), exports);
+// 审计日志相关
+__exportStar(require("./audit.types"), exports);
+/**
+ * 错误类型
+ */
+class KMSError extends Error {
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = 'KMSError';
+    }
+}
+exports.KMSError = KMSError;
+class ProjectNotFoundError extends KMSError {
+    constructor(projectId) {
+        super(`Project not found: ${projectId}`, 'PROJECT_NOT_FOUND');
+        this.name = 'ProjectNotFoundError';
+    }
+}
+exports.ProjectNotFoundError = ProjectNotFoundError;
+class KeyNotFoundError extends KMSError {
+    constructor(keyId) {
+        super(`Key not found: ${keyId}`, 'KEY_NOT_FOUND');
+        this.name = 'KeyNotFoundError';
+    }
+}
+exports.KeyNotFoundError = KeyNotFoundError;
+class UserNotFoundError extends KMSError {
+    constructor(userId) {
+        super(`User not found: ${userId}`, 'USER_NOT_FOUND');
+        this.name = 'UserNotFoundError';
+    }
+}
+exports.UserNotFoundError = UserNotFoundError;
+class AuthenticationError extends KMSError {
+    constructor(message = 'Authentication failed') {
+        super(message, 'AUTHENTICATION_FAILED');
+        this.name = 'AuthenticationError';
+    }
+}
+exports.AuthenticationError = AuthenticationError;
+class ForbiddenError extends KMSError {
+    constructor(message = 'Permission denied') {
+        super(message, 'PERMISSION_DENIED');
+        this.name = 'ForbiddenError';
+    }
+}
+exports.ForbiddenError = ForbiddenError;
+class ValidationError extends KMSError {
+    constructor(message) {
+        super(message, 'VALIDATION_ERROR');
+        this.name = 'ValidationError';
+    }
+}
+exports.ValidationError = ValidationError;
+class CryptoError extends KMSError {
+    constructor(message) {
+        super(message, 'CRYPTO_ERROR');
+        this.name = 'CryptoError';
+    }
+}
+exports.CryptoError = CryptoError;

package/dist/cli/src/types/key.types.js

@@ -0,0 +1,27 @@
+"use strict";
+/**
+ * 密钥相关类型定义
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyStatus = exports.KeyType = void 0;
+/**
+ * 密钥类型
+ */
+var KeyType;
+(function (KeyType) {
+    KeyType["MONGODB"] = "mongodb";
+    KeyType["MYSQL"] = "mysql";
+    KeyType["POSTGRESQL"] = "postgresql";
+    KeyType["REDIS"] = "redis";
+    KeyType["CUSTOM"] = "custom";
+})(KeyType || (exports.KeyType = KeyType = {}));
+/**
+ * 密钥状态
+ */
+var KeyStatus;
+(function (KeyStatus) {
+    KeyStatus["ACTIVE"] = "active";
+    KeyStatus["DISABLED"] = "disabled";
+    KeyStatus["EXPIRED"] = "expired";
+    KeyStatus["DELETED"] = "deleted";
+})(KeyStatus || (exports.KeyStatus = KeyStatus = {}));

package/dist/cli/src/types/project.types.js

@@ -0,0 +1,15 @@
+"use strict";
+/**
+ * 项目相关类型定义
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProjectStatus = void 0;
+/**
+ * 项目状态
+ */
+var ProjectStatus;
+(function (ProjectStatus) {
+    ProjectStatus["ACTIVE"] = "active";
+    ProjectStatus["SUSPENDED"] = "suspended";
+    ProjectStatus["DELETED"] = "deleted";
+})(ProjectStatus || (exports.ProjectStatus = ProjectStatus = {}));

package/dist/cli/src/types/user.types.js

@@ -0,0 +1,48 @@
+"use strict";
+/**
+ * 用户相关类型定义
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserStatus = exports.Permission = exports.Role = void 0;
+/**
+ * 用户角色
+ */
+var Role;
+(function (Role) {
+    Role["ADMIN"] = "admin";
+    Role["OPERATOR"] = "operator";
+    Role["DEVELOPER"] = "developer";
+    Role["READONLY"] = "readonly";
+    Role["AUDITOR"] = "auditor";
+})(Role || (exports.Role = Role = {}));
+/**
+ * 用户权限
+ */
+var Permission;
+(function (Permission) {
+    // 项目管理
+    Permission["PROJECT_CREATE"] = "project:create";
+    Permission["PROJECT_UPDATE"] = "project:update";
+    Permission["PROJECT_DELETE"] = "project:delete";
+    // 密钥管理
+    Permission["KEY_CREATE"] = "key:create";
+    Permission["KEY_READ"] = "key:read";
+    Permission["KEY_UPDATE"] = "key:update";
+    Permission["KEY_DELETE"] = "key:delete";
+    Permission["KEY_LIST"] = "key:list";
+    // 用户管理
+    Permission["USER_CREATE"] = "user:create";
+    Permission["USER_UPDATE"] = "user:update";
+    Permission["USER_DELETE"] = "user:delete";
+    // 审计
+    Permission["AUDIT_READ"] = "audit:read";
+})(Permission || (exports.Permission = Permission = {}));
+/**
+ * 用户状态
+ */
+var UserStatus;
+(function (UserStatus) {
+    UserStatus["ACTIVE"] = "active";
+    UserStatus["INACTIVE"] = "inactive";
+    UserStatus["LOCKED"] = "locked";
+})(UserStatus || (exports.UserStatus = UserStatus = {}));