@pikku/core 0.12.4 → 0.12.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +21 -1
- package/dist/dev/hot-reload.d.ts +10 -0
- package/dist/dev/hot-reload.js +158 -0
- package/dist/middleware-runner.d.ts +1 -0
- package/dist/middleware-runner.js +5 -0
- package/dist/permissions.d.ts +1 -0
- package/dist/permissions.js +5 -0
- package/dist/services/content-service.d.ts +2 -0
- package/dist/services/in-memory-workflow-service.d.ts +1 -0
- package/dist/services/in-memory-workflow-service.js +16 -11
- package/dist/services/workflow-service.d.ts +1 -0
- package/dist/wirings/ai-agent/ai-agent-prepare.js +16 -1
- package/dist/wirings/channel/channel-middleware-runner.d.ts +1 -0
- package/dist/wirings/channel/channel-middleware-runner.js +5 -0
- package/dist/wirings/http/http-runner.js +1 -1
- package/dist/wirings/workflow/pikku-workflow-service.d.ts +6 -0
- package/dist/wirings/workflow/pikku-workflow-service.js +51 -16
- package/dist/wirings/workflow/workflow.types.d.ts +2 -0
- package/package.json +5 -3
- package/src/crypto-utils.test.ts +214 -0
- package/src/crypto-utils.ts +213 -0
- package/src/dev/hot-reload.test.ts +484 -0
- package/src/dev/hot-reload.ts +212 -0
- package/src/errors/error-handler.ts +62 -0
- package/src/errors/error.test.ts +195 -0
- package/src/errors/errors.ts +374 -0
- package/src/errors/index.ts +2 -0
- package/src/factory-functions.test.ts +109 -0
- package/src/function/function-runner.test.ts +536 -0
- package/src/function/function-runner.ts +365 -0
- package/src/function/functions.types.ts +304 -0
- package/src/function/index.ts +5 -0
- package/src/handle-error.test.ts +424 -0
- package/src/handle-error.ts +69 -0
- package/src/index.ts +118 -0
- package/src/internal.ts +6 -0
- package/src/middleware/auth-apikey.test.ts +363 -0
- package/src/middleware/auth-apikey.ts +47 -0
- package/src/middleware/auth-bearer.test.ts +450 -0
- package/src/middleware/auth-bearer.ts +72 -0
- package/src/middleware/auth-cookie.test.ts +528 -0
- package/src/middleware/auth-cookie.ts +80 -0
- package/src/middleware/cors.test.ts +424 -0
- package/src/middleware/cors.ts +104 -0
- package/src/middleware/index.ts +5 -0
- package/src/middleware/remote-auth.test.ts +488 -0
- package/src/middleware/remote-auth.ts +68 -0
- package/src/middleware/timeout.ts +15 -0
- package/src/middleware-runner.test.ts +418 -0
- package/src/middleware-runner.ts +240 -0
- package/src/permissions.test.ts +434 -0
- package/src/permissions.ts +327 -0
- package/src/pikku-request.ts +23 -0
- package/src/pikku-response.ts +5 -0
- package/src/pikku-state.test.ts +224 -0
- package/src/pikku-state.ts +216 -0
- package/src/run-tests-script.test.ts +49 -0
- package/src/schema.test.ts +249 -0
- package/src/schema.ts +151 -0
- package/src/services/ai-agent-runner-service.ts +41 -0
- package/src/services/ai-run-state-service.ts +20 -0
- package/src/services/ai-storage-service.ts +39 -0
- package/src/services/content-service.ts +81 -0
- package/src/services/deployment-service.ts +22 -0
- package/src/services/gateway-service.ts +20 -0
- package/src/services/gopass-secrets.ts +98 -0
- package/src/services/in-memory-ai-run-state-service.ts +73 -0
- package/src/services/in-memory-trigger-service.ts +64 -0
- package/src/services/in-memory-workflow-service.test.ts +351 -0
- package/src/services/in-memory-workflow-service.ts +512 -0
- package/src/services/index.ts +56 -0
- package/src/services/jwt-service.ts +30 -0
- package/src/services/local-content.ts +120 -0
- package/src/services/local-gateway-service.ts +62 -0
- package/src/services/local-secrets.test.ts +80 -0
- package/src/services/local-secrets.ts +94 -0
- package/src/services/local-variables.test.ts +61 -0
- package/src/services/local-variables.ts +39 -0
- package/src/services/logger-console.test.ts +118 -0
- package/src/services/logger-console.ts +98 -0
- package/src/services/logger.ts +57 -0
- package/src/services/scheduler-service.ts +86 -0
- package/src/services/schema-service.ts +33 -0
- package/src/services/scoped-secret-service.test.ts +74 -0
- package/src/services/scoped-secret-service.ts +41 -0
- package/src/services/secret-service.ts +38 -0
- package/src/services/trigger-service.ts +17 -0
- package/src/services/typed-secret-service.test.ts +93 -0
- package/src/services/typed-secret-service.ts +70 -0
- package/src/services/typed-variables-service.test.ts +73 -0
- package/src/services/typed-variables-service.ts +81 -0
- package/src/services/user-session-service.test.ts +113 -0
- package/src/services/user-session-service.ts +86 -0
- package/src/services/variables-service.ts +11 -0
- package/src/services/workflow-service.ts +96 -0
- package/src/testing/index.ts +2 -0
- package/src/testing/service-tests.ts +873 -0
- package/src/time-utils.test.ts +56 -0
- package/src/time-utils.ts +107 -0
- package/src/types/core.types.ts +478 -0
- package/src/types/state.types.ts +188 -0
- package/src/utils/hash.test.ts +68 -0
- package/src/utils/hash.ts +26 -0
- package/src/utils.test.ts +350 -0
- package/src/utils.ts +129 -0
- package/src/version.test.ts +80 -0
- package/src/version.ts +25 -0
- package/src/wirings/ai-agent/agent-dynamic-workflow.ts +469 -0
- package/src/wirings/ai-agent/ai-agent-helpers.test.ts +152 -0
- package/src/wirings/ai-agent/ai-agent-helpers.ts +76 -0
- package/src/wirings/ai-agent/ai-agent-memory.ts +310 -0
- package/src/wirings/ai-agent/ai-agent-model-config.test.ts +115 -0
- package/src/wirings/ai-agent/ai-agent-model-config.ts +43 -0
- package/src/wirings/ai-agent/ai-agent-prepare.ts +659 -0
- package/src/wirings/ai-agent/ai-agent-registry.test.ts +37 -0
- package/src/wirings/ai-agent/ai-agent-registry.ts +82 -0
- package/src/wirings/ai-agent/ai-agent-runner.test.ts +319 -0
- package/src/wirings/ai-agent/ai-agent-runner.ts +773 -0
- package/src/wirings/ai-agent/ai-agent-stream.test.ts +859 -0
- package/src/wirings/ai-agent/ai-agent-stream.ts +1153 -0
- package/src/wirings/ai-agent/ai-agent.types.ts +382 -0
- package/src/wirings/ai-agent/index.ts +37 -0
- package/src/wirings/channel/channel-common.ts +90 -0
- package/src/wirings/channel/channel-handler.ts +250 -0
- package/src/wirings/channel/channel-middleware-runner.ts +126 -0
- package/src/wirings/channel/channel-runner.ts +166 -0
- package/src/wirings/channel/channel-store.ts +29 -0
- package/src/wirings/channel/channel.types.ts +172 -0
- package/src/wirings/channel/define-channel-routes.ts +25 -0
- package/src/wirings/channel/eventhub-service.ts +34 -0
- package/src/wirings/channel/eventhub-store.ts +13 -0
- package/src/wirings/channel/index.ts +24 -0
- package/src/wirings/channel/local/index.ts +3 -0
- package/src/wirings/channel/local/local-channel-handler.ts +81 -0
- package/src/wirings/channel/local/local-channel-runner.test.ts +215 -0
- package/src/wirings/channel/local/local-channel-runner.ts +210 -0
- package/src/wirings/channel/local/local-eventhub-service.test.ts +95 -0
- package/src/wirings/channel/local/local-eventhub-service.ts +101 -0
- package/src/wirings/channel/log-channels.ts +20 -0
- package/src/wirings/channel/pikku-abstract-channel-handler.test.ts +54 -0
- package/src/wirings/channel/pikku-abstract-channel-handler.ts +45 -0
- package/src/wirings/channel/serverless/index.ts +5 -0
- package/src/wirings/channel/serverless/serverless-channel-runner.ts +289 -0
- package/src/wirings/cli/channel/cli-channel-runner.ts +136 -0
- package/src/wirings/cli/channel/index.ts +1 -0
- package/src/wirings/cli/cli-runner.test.ts +403 -0
- package/src/wirings/cli/cli-runner.ts +529 -0
- package/src/wirings/cli/cli.types.ts +358 -0
- package/src/wirings/cli/command-parser.test.ts +445 -0
- package/src/wirings/cli/command-parser.ts +504 -0
- package/src/wirings/cli/define-cli-commands.ts +24 -0
- package/src/wirings/cli/index.ts +19 -0
- package/src/wirings/gateway/gateway-runner.test.ts +474 -0
- package/src/wirings/gateway/gateway-runner.ts +411 -0
- package/src/wirings/gateway/gateway.types.ts +149 -0
- package/src/wirings/gateway/index.ts +13 -0
- package/src/wirings/http/http-routes.test.ts +322 -0
- package/src/wirings/http/http-routes.ts +197 -0
- package/src/wirings/http/http-runner.test.ts +144 -0
- package/src/wirings/http/http-runner.ts +588 -0
- package/src/wirings/http/http.types.ts +369 -0
- package/src/wirings/http/index.ts +28 -0
- package/src/wirings/http/log-http-routes.ts +22 -0
- package/src/wirings/http/pikku-fetch-http-request.test.ts +237 -0
- package/src/wirings/http/pikku-fetch-http-request.ts +170 -0
- package/src/wirings/http/pikku-fetch-http-response.test.ts +82 -0
- package/src/wirings/http/pikku-fetch-http-response.ts +147 -0
- package/src/wirings/http/routers/http-router.ts +13 -0
- package/src/wirings/http/routers/path-to-regex.test.ts +319 -0
- package/src/wirings/http/routers/path-to-regex.ts +126 -0
- package/src/wirings/http/web-request.test.ts +236 -0
- package/src/wirings/http/web-request.ts +104 -0
- package/src/wirings/mcp/index.ts +27 -0
- package/src/wirings/mcp/mcp-endpoint-registry.test.ts +389 -0
- package/src/wirings/mcp/mcp-endpoint-registry.ts +159 -0
- package/src/wirings/mcp/mcp-runner.ts +323 -0
- package/src/wirings/mcp/mcp.types.ts +216 -0
- package/src/wirings/node/index.ts +2 -0
- package/src/wirings/node/node.types.ts +23 -0
- package/src/wirings/oauth2/index.ts +3 -0
- package/src/wirings/oauth2/oauth2-client.test.ts +929 -0
- package/src/wirings/oauth2/oauth2-client.ts +335 -0
- package/src/wirings/oauth2/oauth2.types.ts +69 -0
- package/src/wirings/oauth2/wire-oauth2-credential.ts +23 -0
- package/src/wirings/queue/index.ts +31 -0
- package/src/wirings/queue/queue-runner.test.ts +710 -0
- package/src/wirings/queue/queue-runner.ts +192 -0
- package/src/wirings/queue/queue.types.ts +189 -0
- package/src/wirings/queue/register-queue-helper.ts +60 -0
- package/src/wirings/queue/validate-worker-config.test.ts +108 -0
- package/src/wirings/queue/validate-worker-config.ts +116 -0
- package/src/wirings/rpc/index.ts +4 -0
- package/src/wirings/rpc/rpc-runner.ts +460 -0
- package/src/wirings/rpc/rpc-types.ts +56 -0
- package/src/wirings/rpc/wire-addon.ts +21 -0
- package/src/wirings/scheduler/index.ts +11 -0
- package/src/wirings/scheduler/log-schedulers.ts +20 -0
- package/src/wirings/scheduler/scheduler-runner.test.ts +660 -0
- package/src/wirings/scheduler/scheduler-runner.ts +133 -0
- package/src/wirings/scheduler/scheduler.types.ts +53 -0
- package/src/wirings/secret/index.ts +9 -0
- package/src/wirings/secret/secret.types.ts +32 -0
- package/src/wirings/secret/validate-secret-definitions.test.ts +140 -0
- package/src/wirings/secret/validate-secret-definitions.ts +82 -0
- package/src/wirings/trigger/index.ts +10 -0
- package/src/wirings/trigger/pikku-trigger-service.ts +112 -0
- package/src/wirings/trigger/trigger-runner.test.ts +79 -0
- package/src/wirings/trigger/trigger-runner.ts +135 -0
- package/src/wirings/trigger/trigger.types.ts +178 -0
- package/src/wirings/variable/index.ts +8 -0
- package/src/wirings/variable/validate-variable-definitions.test.ts +91 -0
- package/src/wirings/variable/validate-variable-definitions.ts +69 -0
- package/src/wirings/variable/variable.types.ts +22 -0
- package/src/wirings/workflow/dsl/index.ts +31 -0
- package/src/wirings/workflow/dsl/workflow-dsl.types.ts +320 -0
- package/src/wirings/workflow/dsl/workflow-runner.ts +28 -0
- package/src/wirings/workflow/graph/graph-node.ts +222 -0
- package/src/wirings/workflow/graph/graph-runner.test.ts +487 -0
- package/src/wirings/workflow/graph/graph-runner.ts +816 -0
- package/src/wirings/workflow/graph/graph-validation.test.ts +170 -0
- package/src/wirings/workflow/graph/graph-validation.ts +237 -0
- package/src/wirings/workflow/graph/index.ts +19 -0
- package/src/wirings/workflow/graph/template.test.ts +49 -0
- package/src/wirings/workflow/graph/template.ts +42 -0
- package/src/wirings/workflow/graph/wire-workflow-graph.ts +29 -0
- package/src/wirings/workflow/graph/workflow-graph.types.ts +104 -0
- package/src/wirings/workflow/index.ts +82 -0
- package/src/wirings/workflow/pikku-workflow-service.test.ts +200 -0
- package/src/wirings/workflow/pikku-workflow-service.ts +1229 -0
- package/src/wirings/workflow/workflow-helpers.test.ts +129 -0
- package/src/wirings/workflow/workflow-helpers.ts +79 -0
- package/src/wirings/workflow/workflow.types.ts +276 -0
- package/tsconfig.json +14 -0
- package/tsconfig.tsbuildinfo +1 -0
- package/lcov.info +0 -18891
|
@@ -0,0 +1,214 @@
|
|
|
1
|
+
import { describe, test } from 'node:test'
|
|
2
|
+
import assert from 'node:assert'
|
|
3
|
+
import {
|
|
4
|
+
encryptJSON,
|
|
5
|
+
decryptJSON,
|
|
6
|
+
generateDEK,
|
|
7
|
+
wrapDEK,
|
|
8
|
+
unwrapDEK,
|
|
9
|
+
envelopeEncrypt,
|
|
10
|
+
envelopeDecrypt,
|
|
11
|
+
envelopeRewrap,
|
|
12
|
+
} from './crypto-utils.js'
|
|
13
|
+
|
|
14
|
+
describe('encryptJSON / decryptJSON', () => {
|
|
15
|
+
const secret = 'test-secret-key-for-encryption'
|
|
16
|
+
|
|
17
|
+
test('should round-trip a simple object', async () => {
|
|
18
|
+
const original = { hello: 'world', num: 42 }
|
|
19
|
+
const encrypted = await encryptJSON(secret, original)
|
|
20
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
21
|
+
assert.deepStrictEqual(decrypted, original)
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
test('should round-trip a string value', async () => {
|
|
25
|
+
const original = 'just a string'
|
|
26
|
+
const encrypted = await encryptJSON(secret, original)
|
|
27
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
28
|
+
assert.strictEqual(decrypted, original)
|
|
29
|
+
})
|
|
30
|
+
|
|
31
|
+
test('should round-trip a number', async () => {
|
|
32
|
+
const original = 12345
|
|
33
|
+
const encrypted = await encryptJSON(secret, original)
|
|
34
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
35
|
+
assert.strictEqual(decrypted, original)
|
|
36
|
+
})
|
|
37
|
+
|
|
38
|
+
test('should round-trip null', async () => {
|
|
39
|
+
const encrypted = await encryptJSON(secret, null)
|
|
40
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
41
|
+
assert.strictEqual(decrypted, null)
|
|
42
|
+
})
|
|
43
|
+
|
|
44
|
+
test('should round-trip a boolean', async () => {
|
|
45
|
+
const encrypted = await encryptJSON(secret, true)
|
|
46
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
47
|
+
assert.strictEqual(decrypted, true)
|
|
48
|
+
})
|
|
49
|
+
|
|
50
|
+
test('should round-trip a nested object', async () => {
|
|
51
|
+
const original = { user: { id: 1, roles: ['admin', 'user'] }, active: true }
|
|
52
|
+
const encrypted = await encryptJSON(secret, original)
|
|
53
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
54
|
+
assert.deepStrictEqual(decrypted, original)
|
|
55
|
+
})
|
|
56
|
+
|
|
57
|
+
test('should round-trip an array', async () => {
|
|
58
|
+
const original = [1, 'two', { three: 3 }]
|
|
59
|
+
const encrypted = await encryptJSON(secret, original)
|
|
60
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
61
|
+
assert.deepStrictEqual(decrypted, original)
|
|
62
|
+
})
|
|
63
|
+
|
|
64
|
+
test('should produce different ciphertexts for same input (random IV)', async () => {
|
|
65
|
+
const value = { same: 'data' }
|
|
66
|
+
const enc1 = await encryptJSON(secret, value)
|
|
67
|
+
const enc2 = await encryptJSON(secret, value)
|
|
68
|
+
assert.notStrictEqual(enc1, enc2)
|
|
69
|
+
})
|
|
70
|
+
|
|
71
|
+
test('should produce a base64url string (no +, /, or = characters)', async () => {
|
|
72
|
+
const encrypted = await encryptJSON(secret, { test: 'base64url' })
|
|
73
|
+
assert.ok(!/[+/=]/.test(encrypted), `Expected base64url, got: ${encrypted}`)
|
|
74
|
+
})
|
|
75
|
+
|
|
76
|
+
test('should fail to decrypt with wrong secret', async () => {
|
|
77
|
+
const encrypted = await encryptJSON(secret, { data: 'sensitive' })
|
|
78
|
+
await assert.rejects(
|
|
79
|
+
() => decryptJSON('wrong-secret', encrypted),
|
|
80
|
+
(err: any) => err instanceof Error
|
|
81
|
+
)
|
|
82
|
+
})
|
|
83
|
+
|
|
84
|
+
test('should reject an invalid encrypted payload (too short)', async () => {
|
|
85
|
+
await assert.rejects(() => decryptJSON(secret, 'dG9vc2hvcnQ'), {
|
|
86
|
+
message: 'Invalid encrypted payload',
|
|
87
|
+
})
|
|
88
|
+
})
|
|
89
|
+
|
|
90
|
+
test('should reject empty string', async () => {
|
|
91
|
+
await assert.rejects(() => decryptJSON(secret, ''), {
|
|
92
|
+
message: 'Invalid encrypted payload',
|
|
93
|
+
})
|
|
94
|
+
})
|
|
95
|
+
|
|
96
|
+
test('should reject corrupted ciphertext', async () => {
|
|
97
|
+
const encrypted = await encryptJSON(secret, { data: 'test' })
|
|
98
|
+
const corrupted = encrypted.slice(0, -4) + 'XXXX'
|
|
99
|
+
await assert.rejects(
|
|
100
|
+
() => decryptJSON(secret, corrupted),
|
|
101
|
+
(err: any) => err instanceof Error
|
|
102
|
+
)
|
|
103
|
+
})
|
|
104
|
+
|
|
105
|
+
test('should handle unicode content', async () => {
|
|
106
|
+
const original = { emoji: '🎉', japanese: 'こんにちは', arabic: 'مرحبا' }
|
|
107
|
+
const encrypted = await encryptJSON(secret, original)
|
|
108
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
109
|
+
assert.deepStrictEqual(decrypted, original)
|
|
110
|
+
})
|
|
111
|
+
|
|
112
|
+
test('should handle empty object', async () => {
|
|
113
|
+
const original = {}
|
|
114
|
+
const encrypted = await encryptJSON(secret, original)
|
|
115
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
116
|
+
assert.deepStrictEqual(decrypted, original)
|
|
117
|
+
})
|
|
118
|
+
|
|
119
|
+
test('should handle large payload', async () => {
|
|
120
|
+
const original = { data: 'x'.repeat(10000) }
|
|
121
|
+
const encrypted = await encryptJSON(secret, original)
|
|
122
|
+
const decrypted = await decryptJSON(secret, encrypted)
|
|
123
|
+
assert.deepStrictEqual(decrypted, original)
|
|
124
|
+
})
|
|
125
|
+
})
|
|
126
|
+
|
|
127
|
+
describe('envelope encryption', () => {
|
|
128
|
+
const kek = 'my-key-encryption-key'
|
|
129
|
+
|
|
130
|
+
test('generateDEK produces unique keys', async () => {
|
|
131
|
+
const dek1 = await generateDEK()
|
|
132
|
+
const dek2 = await generateDEK()
|
|
133
|
+
assert.notStrictEqual(dek1, dek2)
|
|
134
|
+
assert.ok(dek1.length > 0)
|
|
135
|
+
})
|
|
136
|
+
|
|
137
|
+
test('wrapDEK / unwrapDEK round-trip', async () => {
|
|
138
|
+
const dek = await generateDEK()
|
|
139
|
+
const wrapped = await wrapDEK(kek, dek)
|
|
140
|
+
const unwrapped = await unwrapDEK(kek, wrapped)
|
|
141
|
+
assert.strictEqual(unwrapped, dek)
|
|
142
|
+
})
|
|
143
|
+
|
|
144
|
+
test('unwrapDEK fails with wrong KEK', async () => {
|
|
145
|
+
const dek = await generateDEK()
|
|
146
|
+
const wrapped = await wrapDEK(kek, dek)
|
|
147
|
+
await assert.rejects(
|
|
148
|
+
() => unwrapDEK('wrong-kek', wrapped),
|
|
149
|
+
(err: any) => err instanceof Error
|
|
150
|
+
)
|
|
151
|
+
})
|
|
152
|
+
|
|
153
|
+
test('envelopeEncrypt / envelopeDecrypt round-trip', async () => {
|
|
154
|
+
const original = {
|
|
155
|
+
apiKey: 'sk-secret-123',
|
|
156
|
+
endpoint: 'https://api.example.com',
|
|
157
|
+
}
|
|
158
|
+
const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, original)
|
|
159
|
+
const decrypted = await envelopeDecrypt(kek, ciphertext, wrappedDEK)
|
|
160
|
+
assert.deepStrictEqual(decrypted, original)
|
|
161
|
+
})
|
|
162
|
+
|
|
163
|
+
test('envelopeEncrypt produces unique ciphertexts and DEKs per call', async () => {
|
|
164
|
+
const value = { same: 'data' }
|
|
165
|
+
const r1 = await envelopeEncrypt(kek, value)
|
|
166
|
+
const r2 = await envelopeEncrypt(kek, value)
|
|
167
|
+
assert.notStrictEqual(r1.ciphertext, r2.ciphertext)
|
|
168
|
+
assert.notStrictEqual(r1.wrappedDEK, r2.wrappedDEK)
|
|
169
|
+
})
|
|
170
|
+
|
|
171
|
+
test('envelopeDecrypt fails with wrong KEK', async () => {
|
|
172
|
+
const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, 'secret')
|
|
173
|
+
await assert.rejects(
|
|
174
|
+
() => envelopeDecrypt('wrong-kek', ciphertext, wrappedDEK),
|
|
175
|
+
(err: any) => err instanceof Error
|
|
176
|
+
)
|
|
177
|
+
})
|
|
178
|
+
|
|
179
|
+
test('envelopeRewrap allows decryption with new KEK', async () => {
|
|
180
|
+
const newKEK = 'my-new-kek'
|
|
181
|
+
const original = { token: 'abc-123' }
|
|
182
|
+
const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, original)
|
|
183
|
+
|
|
184
|
+
const rewrapped = await envelopeRewrap(kek, newKEK, wrappedDEK)
|
|
185
|
+
|
|
186
|
+
await assert.rejects(
|
|
187
|
+
() => envelopeDecrypt(kek, ciphertext, rewrapped),
|
|
188
|
+
(err: any) => err instanceof Error
|
|
189
|
+
)
|
|
190
|
+
|
|
191
|
+
const decrypted = await envelopeDecrypt(newKEK, ciphertext, rewrapped)
|
|
192
|
+
assert.deepStrictEqual(decrypted, original)
|
|
193
|
+
})
|
|
194
|
+
|
|
195
|
+
test('envelopeRewrap does not change the ciphertext', async () => {
|
|
196
|
+
const original = { data: 'important' }
|
|
197
|
+
const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, original)
|
|
198
|
+
const rewrapped = await envelopeRewrap(kek, 'new-kek', wrappedDEK)
|
|
199
|
+
|
|
200
|
+
assert.notStrictEqual(rewrapped, wrappedDEK)
|
|
201
|
+
|
|
202
|
+
const decrypted = await envelopeDecrypt('new-kek', ciphertext, rewrapped)
|
|
203
|
+
assert.deepStrictEqual(decrypted, original)
|
|
204
|
+
})
|
|
205
|
+
|
|
206
|
+
test('envelope handles string secrets', async () => {
|
|
207
|
+
const { ciphertext, wrappedDEK } = await envelopeEncrypt(
|
|
208
|
+
kek,
|
|
209
|
+
'plain-string-secret'
|
|
210
|
+
)
|
|
211
|
+
const decrypted = await envelopeDecrypt<string>(kek, ciphertext, wrappedDEK)
|
|
212
|
+
assert.strictEqual(decrypted, 'plain-string-secret')
|
|
213
|
+
})
|
|
214
|
+
})
|
|
@@ -0,0 +1,213 @@
|
|
|
1
|
+
const encoder = new TextEncoder()
|
|
2
|
+
const decoder = new TextDecoder()
|
|
3
|
+
|
|
4
|
+
const getSubtle = () => {
|
|
5
|
+
const crypto = globalThis.crypto
|
|
6
|
+
if (!crypto?.subtle) {
|
|
7
|
+
throw new Error('WebCrypto not available')
|
|
8
|
+
}
|
|
9
|
+
return crypto.subtle
|
|
10
|
+
}
|
|
11
|
+
|
|
12
|
+
const base64Encode = (bytes: Uint8Array): string => {
|
|
13
|
+
if (typeof Buffer !== 'undefined') {
|
|
14
|
+
return Buffer.from(bytes).toString('base64')
|
|
15
|
+
}
|
|
16
|
+
let binary = ''
|
|
17
|
+
for (let i = 0; i < bytes.length; i++) {
|
|
18
|
+
binary += String.fromCharCode(bytes[i]!)
|
|
19
|
+
}
|
|
20
|
+
return btoa(binary)
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
const base64Decode = (input: string): Uint8Array => {
|
|
24
|
+
if (typeof Buffer !== 'undefined') {
|
|
25
|
+
return new Uint8Array(Buffer.from(input, 'base64'))
|
|
26
|
+
}
|
|
27
|
+
const binary = atob(input)
|
|
28
|
+
const bytes = new Uint8Array(binary.length)
|
|
29
|
+
for (let i = 0; i < binary.length; i++) {
|
|
30
|
+
bytes[i] = binary.charCodeAt(i)
|
|
31
|
+
}
|
|
32
|
+
return bytes
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
const toBase64Url = (bytes: Uint8Array): string => {
|
|
36
|
+
return base64Encode(bytes)
|
|
37
|
+
.replace(/\+/g, '-')
|
|
38
|
+
.replace(/\//g, '_')
|
|
39
|
+
.replace(/=+$/g, '')
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
const fromBase64Url = (input: string): Uint8Array => {
|
|
43
|
+
let base64 = input.replace(/-/g, '+').replace(/_/g, '/')
|
|
44
|
+
while (base64.length % 4 !== 0) base64 += '='
|
|
45
|
+
return base64Decode(base64)
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
const deriveKey = async (secret: string): Promise<CryptoKey> => {
|
|
49
|
+
const subtle = getSubtle()
|
|
50
|
+
const hash = await subtle.digest('SHA-256', encoder.encode(secret))
|
|
51
|
+
return subtle.importKey('raw', hash, { name: 'AES-GCM' }, false, [
|
|
52
|
+
'encrypt',
|
|
53
|
+
'decrypt',
|
|
54
|
+
])
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
export const encryptJSON = async (
|
|
58
|
+
secret: string,
|
|
59
|
+
value: unknown
|
|
60
|
+
): Promise<string> => {
|
|
61
|
+
const crypto = globalThis.crypto
|
|
62
|
+
if (!crypto?.getRandomValues) {
|
|
63
|
+
throw new Error('WebCrypto not available')
|
|
64
|
+
}
|
|
65
|
+
const subtle = getSubtle()
|
|
66
|
+
const iv = crypto.getRandomValues(new Uint8Array(12))
|
|
67
|
+
const key = await deriveKey(secret)
|
|
68
|
+
const plaintext = encoder.encode(JSON.stringify(value))
|
|
69
|
+
const encrypted = await subtle.encrypt(
|
|
70
|
+
{ name: 'AES-GCM', iv },
|
|
71
|
+
key,
|
|
72
|
+
plaintext
|
|
73
|
+
)
|
|
74
|
+
const cipherBytes = new Uint8Array(encrypted)
|
|
75
|
+
const out = new Uint8Array(iv.length + cipherBytes.length)
|
|
76
|
+
out.set(iv, 0)
|
|
77
|
+
out.set(cipherBytes, iv.length)
|
|
78
|
+
return toBase64Url(out)
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
export const decryptJSON = async <T>(
|
|
82
|
+
secret: string,
|
|
83
|
+
token: string
|
|
84
|
+
): Promise<T> => {
|
|
85
|
+
const subtle = getSubtle()
|
|
86
|
+
const data = fromBase64Url(token)
|
|
87
|
+
if (data.length < 13) {
|
|
88
|
+
throw new Error('Invalid encrypted payload')
|
|
89
|
+
}
|
|
90
|
+
const iv = data.slice(0, 12)
|
|
91
|
+
const ciphertext = data.slice(12)
|
|
92
|
+
const key = await deriveKey(secret)
|
|
93
|
+
const decrypted = await subtle.decrypt(
|
|
94
|
+
{ name: 'AES-GCM', iv },
|
|
95
|
+
key,
|
|
96
|
+
ciphertext
|
|
97
|
+
)
|
|
98
|
+
return JSON.parse(decoder.decode(new Uint8Array(decrypted))) as T
|
|
99
|
+
}
|
|
100
|
+
|
|
101
|
+
/**
|
|
102
|
+
* Envelope encryption utilities.
|
|
103
|
+
*
|
|
104
|
+
* Each secret gets its own random DEK (data encryption key).
|
|
105
|
+
* The DEK is wrapped (encrypted) by a KEK (key encryption key) — typically an env var.
|
|
106
|
+
* The actual secret is encrypted with the DEK.
|
|
107
|
+
*
|
|
108
|
+
* KEK rotation only re-wraps the DEK, never touches the ciphertext.
|
|
109
|
+
*/
|
|
110
|
+
|
|
111
|
+
const importRawKey = async (rawBytes: Uint8Array): Promise<CryptoKey> => {
|
|
112
|
+
const subtle = getSubtle()
|
|
113
|
+
return subtle.importKey(
|
|
114
|
+
'raw',
|
|
115
|
+
rawBytes.buffer as ArrayBuffer,
|
|
116
|
+
{ name: 'AES-GCM' },
|
|
117
|
+
true,
|
|
118
|
+
['encrypt', 'decrypt']
|
|
119
|
+
)
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
export const generateDEK = async (): Promise<string> => {
|
|
123
|
+
const raw = globalThis.crypto.getRandomValues(new Uint8Array(32))
|
|
124
|
+
return toBase64Url(raw)
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
export const wrapDEK = async (
|
|
128
|
+
kek: string,
|
|
129
|
+
plaintextDEK: string
|
|
130
|
+
): Promise<string> => {
|
|
131
|
+
return encryptJSON(kek, plaintextDEK)
|
|
132
|
+
}
|
|
133
|
+
|
|
134
|
+
export const unwrapDEK = async (
|
|
135
|
+
kek: string,
|
|
136
|
+
wrappedDEK: string
|
|
137
|
+
): Promise<string> => {
|
|
138
|
+
return decryptJSON<string>(kek, wrappedDEK)
|
|
139
|
+
}
|
|
140
|
+
|
|
141
|
+
const encryptWithDEK = async (
|
|
142
|
+
dekBase64: string,
|
|
143
|
+
value: unknown
|
|
144
|
+
): Promise<string> => {
|
|
145
|
+
const crypto = globalThis.crypto
|
|
146
|
+
const subtle = getSubtle()
|
|
147
|
+
const iv = crypto.getRandomValues(new Uint8Array(12))
|
|
148
|
+
const key = await importRawKey(fromBase64Url(dekBase64))
|
|
149
|
+
const plaintext = encoder.encode(JSON.stringify(value))
|
|
150
|
+
const encrypted = await subtle.encrypt(
|
|
151
|
+
{ name: 'AES-GCM', iv },
|
|
152
|
+
key,
|
|
153
|
+
plaintext
|
|
154
|
+
)
|
|
155
|
+
const cipherBytes = new Uint8Array(encrypted)
|
|
156
|
+
const out = new Uint8Array(iv.length + cipherBytes.length)
|
|
157
|
+
out.set(iv, 0)
|
|
158
|
+
out.set(cipherBytes, iv.length)
|
|
159
|
+
return toBase64Url(out)
|
|
160
|
+
}
|
|
161
|
+
|
|
162
|
+
const decryptWithDEK = async <T>(
|
|
163
|
+
dekBase64: string,
|
|
164
|
+
token: string
|
|
165
|
+
): Promise<T> => {
|
|
166
|
+
const subtle = getSubtle()
|
|
167
|
+
const data = fromBase64Url(token)
|
|
168
|
+
if (data.length < 13) {
|
|
169
|
+
throw new Error('Invalid encrypted payload')
|
|
170
|
+
}
|
|
171
|
+
const iv = data.slice(0, 12)
|
|
172
|
+
const ciphertext = data.slice(12)
|
|
173
|
+
const key = await importRawKey(fromBase64Url(dekBase64))
|
|
174
|
+
const decrypted = await subtle.decrypt(
|
|
175
|
+
{ name: 'AES-GCM', iv },
|
|
176
|
+
key,
|
|
177
|
+
ciphertext
|
|
178
|
+
)
|
|
179
|
+
return JSON.parse(decoder.decode(new Uint8Array(decrypted))) as T
|
|
180
|
+
}
|
|
181
|
+
|
|
182
|
+
export interface EnvelopeEncryptResult {
|
|
183
|
+
ciphertext: string
|
|
184
|
+
wrappedDEK: string
|
|
185
|
+
}
|
|
186
|
+
|
|
187
|
+
export const envelopeEncrypt = async (
|
|
188
|
+
kek: string,
|
|
189
|
+
value: unknown
|
|
190
|
+
): Promise<EnvelopeEncryptResult> => {
|
|
191
|
+
const dek = await generateDEK()
|
|
192
|
+
const ciphertext = await encryptWithDEK(dek, value)
|
|
193
|
+
const wrappedDEK = await wrapDEK(kek, dek)
|
|
194
|
+
return { ciphertext, wrappedDEK }
|
|
195
|
+
}
|
|
196
|
+
|
|
197
|
+
export const envelopeDecrypt = async <T>(
|
|
198
|
+
kek: string,
|
|
199
|
+
ciphertext: string,
|
|
200
|
+
wrappedDEK: string
|
|
201
|
+
): Promise<T> => {
|
|
202
|
+
const dek = await unwrapDEK(kek, wrappedDEK)
|
|
203
|
+
return decryptWithDEK<T>(dek, ciphertext)
|
|
204
|
+
}
|
|
205
|
+
|
|
206
|
+
export const envelopeRewrap = async (
|
|
207
|
+
oldKEK: string,
|
|
208
|
+
newKEK: string,
|
|
209
|
+
wrappedDEK: string
|
|
210
|
+
): Promise<string> => {
|
|
211
|
+
const dek = await unwrapDEK(oldKEK, wrappedDEK)
|
|
212
|
+
return wrapDEK(newKEK, dek)
|
|
213
|
+
}
|