@verii/agentdb-cli 1.0.0-pre.1752076816

package/src/rotate-key/constants.js

@@ -0,0 +1,4 @@
+const DEFAULT_COLLECTION = 'keys';
+const DEFAULT_SECRET_PROP = 'key';
+
+module.exports = { DEFAULT_COLLECTION, DEFAULT_SECRET_PROP };

package/src/rotate-key/index.js

@@ -0,0 +1,55 @@
+const { program } = require('commander');
+const { printInfo, printError } = require('../helpers/common');
+const { initMongoClient } = require('../helpers/init-mongo-client');
+const { reencrypt } = require('./reencrypt');
+
+program
+  .name('agentdb-cli rotate-key')
+  .description('Re-encrypt MongoDB protected data with new key')
+  .usage('[options]')
+  .requiredOption('-o, --old-key <oldKey>', 'Old encryption key')
+  .requiredOption('-n, --new-key <newKey>', 'New encryption key')
+  .requiredOption(
+    '-u, --mongo-uri <mongoUri>',
+    'The url of the mongo database for credential agent'
+  )
+  .option(
+    '-c, --collection <collection>',
+    'Override the default collection to update'
+  )
+  .option(
+    '-p, --secret-prop <secretProp>',
+    'Override the default encrypted property on the collection'
+  )
+  .option(
+    '--dry-run',
+    'Attempt re-encryption but not actually update the database'
+  )
+  .action(async () => {
+    const options = program.opts();
+    let client;
+    printInfo('Starting rotate-key script');
+    printInfo(options);
+    try {
+      client = await initMongoClient(options.mongoUri);
+      await reencrypt(
+        options.oldKey,
+        options.newKey,
+        options.collection,
+        options.secretProp,
+        {
+          ...options,
+          db: client.db(),
+        }
+      );
+    } catch (error) {
+      printError('rotate-key Script Failure');
+      printError(error);
+    } finally {
+      if (client) {
+        await client.close();
+        printInfo('rotate-key Script. Mongo client closed');
+      }
+    }
+  })
+  .parseAsync(process.argv);

package/src/rotate-key/reencrypt-collection-field.js

@@ -0,0 +1,82 @@
+const { map, flow, get, size, each } = require('lodash/fp');
+const { decryptCollection, encryptCollection } = require('@verii/crypto');
+const { printInfo } = require('../helpers/common');
+
+const updateProp = (id, secretProp, encryptedKey, currentTime) => ({
+  updateOne: {
+    filter: {
+      _id: id,
+    },
+    update: {
+      $set: {
+        [secretProp]: encryptedKey,
+        updatedAt: currentTime,
+      },
+    },
+  },
+});
+
+const decryptField = ({ encryptedField, oldKey, entry }, options) => {
+  try {
+    return decryptCollection(encryptedField, oldKey);
+  } catch (e) {
+    printInfo(
+      `Error decrypting '${options.secretProp}' field of _id: ${entry._id}`
+    );
+    throw e;
+  }
+};
+const reencryptCollectionField = async (
+  oldKey,
+  newKey,
+  _collection,
+  secretProp,
+  { db, ...options }
+) => {
+  const currentTime = new Date();
+
+  const collection = db.collection(_collection);
+  const secretPropKey = secretProp;
+  const entries = await collection
+    .find({ [secretPropKey]: { $exists: true } })
+    .toArray();
+  if (!size(entries)) {
+    printInfo('No documents found');
+    return;
+  }
+  const updatedFields = map(
+    (entry) =>
+      flow(
+        get(secretPropKey),
+        (encryptedField) =>
+          decryptField({ encryptedField, oldKey, entry }, options),
+        (decryptedField) => encryptCollection(decryptedField, newKey),
+        (encryptedField) =>
+          updateProp(entry._id, secretPropKey, encryptedField, currentTime)
+      )(entry),
+    entries
+  );
+  const printEntries = () => {
+    each((eW) => printInfo(`${get('_id', eW)}`), entries);
+  };
+  if (options.dryRun) {
+    printInfo('Dry Run: not actually rotating:');
+    printEntries();
+    printInfo(
+      `Dry Run: would have rotated encryption of ${size(entries)} ${
+        options.collection
+      }`
+    );
+    return;
+  }
+  await collection.bulkWrite(updatedFields);
+  printInfo('Rotated encryption of:');
+  printEntries();
+  printInfo(
+    `Rotated encryption of ${size(entries)} '${secretPropKey}' fields in ${
+      options.collection
+    }`
+  );
+};
+
+module.exports = { reencryptCollectionField };

package/src/rotate-key/reencrypt.js

@@ -0,0 +1,36 @@
+const { DEFAULT_COLLECTION, DEFAULT_SECRET_PROP } = require('./constants');
+const { reencryptCollectionField } = require('./reencrypt-collection-field');
+
+const reencrypt = async (
+  oldKey,
+  newKey,
+  collection,
+  secretProp,
+  { db, ...options }
+) => {
+  await reencryptCollectionField(
+    oldKey,
+    newKey,
+    collection || DEFAULT_COLLECTION,
+    secretProp || DEFAULT_SECRET_PROP,
+    {
+      db,
+      ...options,
+    }
+  );
+
+  if (!collection && !secretProp) {
+    await reencryptCollectionField(
+      oldKey,
+      newKey,
+      'tenants',
+      'webhookAuth.bearerToken',
+      {
+        db,
+        ...options,
+      }
+    );
+  }
+};
+
+module.exports = { reencrypt };

package/test/.env.test

@@ -0,0 +1 @@
+MONGO_URI=mongodb://0.0.0.0:27017/test-credentialagent

package/test/factories/offers-factory.js

@@ -0,0 +1,54 @@
+const { ObjectId } = require('mongodb');
+
+const persistOfferFactory =
+  (db) =>
+  async (overrides = {}) => {
+    const result = await db.collection('offers').insertOne({
+      type: ['PastEmploymentPosition'],
+      issuer: {
+        id: 'issuerId',
+      },
+      credentialSubject,
+      offerCreationDate: new Date('2020-08-04T21:13:32.019Z'),
+      offerExpirationDate: new Date('2050-08-04T21:13:32.019Z'),
+      offerId: 'offerId',
+      exchangeId: new ObjectId(),
+      updatedAt: new Date(),
+      ...overrides,
+    });
+    return db.collection('offers').findOne(result.insertedId);
+  };
+
+const credentialSubject = {
+  vendorUserId: 'vendorUserId',
+  company: 'company',
+  companyName: {
+    localized: {
+      en: 'Microsoft Corporation',
+    },
+  },
+  title: {
+    localized: {
+      en: 'Director, Communications (HoloLens & Mixed Reality Experiences)',
+    },
+  },
+  startMonthYear: {
+    month: 10,
+    year: 2010,
+  },
+  endMonthYear: {
+    month: 6,
+    year: 2019,
+  },
+  location: {
+    countryCode: 'US',
+    regionCode: 'MA',
+  },
+  description: {
+    localized: {
+      en: 'l Data, AI, Hybrid, IoT, Datacenter, Mixed Reality/HoloLens, D365, Power Platform - all kinds of fun stuff!',
+    },
+  },
+};
+
+module.exports = { persistOfferFactory, credentialSubject };

package/test/factories/tenants-factory.js

@@ -0,0 +1,13 @@
+const persistTenantFactory =
+  (db) =>
+  async (overrides = {}) => {
+    const result = await db.collection('tenants').insertOne({
+      did: 'did:foo:bar',
+      createdAt: new Date(),
+      updatedAt: new Date(),
+      ...overrides,
+    });
+    return db.collection('tenants').findOne(result.insertedId);
+  };
+
+module.exports = { persistTenantFactory };

package/test/metrics.test.js

@@ -0,0 +1,97 @@
+const { buildMongoConnection } = require('@verii/tests-helpers');
+const { getMetrics } = require('../src/metrics/get-metrics');
+const { initMongoClient } = require('../src/helpers/init-mongo-client');
+const { persistOfferFactory } = require('./factories/offers-factory');
+
+describe('metrics test suite', () => {
+  let client;
+  let db;
+  let persistOffer;
+
+  beforeAll(async () => {
+    client = await initMongoClient(
+      buildMongoConnection('test-credentialagent')
+    );
+    db = client.db();
+    persistOffer = persistOfferFactory(db);
+  });
+
+  afterAll(async () => {
+    await client.close();
+  });
+
+  beforeEach(async () => {
+    await db.collection('offers').deleteMany({});
+  });
+
+  it('should get empty metrics', async () => {
+    const start = new Date('2020-05-20T00:00:00.000Z');
+    const end = new Date('2025-05-20T00:00:00.000Z');
+    const did = 'did:ion:1';
+    const { total, unique } = await getMetrics({ start, end, did }, { db });
+
+    expect(total).toEqual(0);
+    expect(unique).toEqual(0);
+  });
+
+  it('should get metrics by filter', async () => {
+    const start = new Date('2020-05-20T00:00:00.000Z');
+    const end = new Date('2025-05-20T00:00:00.000Z');
+    const did = 'did:ion:123654';
+
+    await persistOffer({
+      consentedAt: new Date(1686225410000),
+      issuer: { id: did },
+      credentialSubject: {
+        vendorUserId: 'vendorUserId1',
+      },
+      did: 'mock',
+    });
+    await persistOffer({
+      consentedAt: new Date(1686484610000),
+      issuer: { id: did },
+      credentialSubject: {
+        vendorUserId: 'vendorUserId2',
+      },
+      did: 'mock',
+    });
+    await persistOffer({
+      consentedAt: new Date(1686484610000),
+      issuer: { id: did },
+      credentialSubject: {
+        vendorUserId: 'vendorUserId2',
+      },
+      did: 'mock',
+    });
+    await persistOffer({
+      type: ['IdDocument'],
+      consentedAt: new Date(1686484610000),
+      issuer: { id: did },
+      credentialSubject: {
+        vendorUserId: 'vendorUserId2',
+      },
+      did: 'mock',
+    });
+    await persistOffer({
+      consentedAt: new Date(1686484610000),
+      issuer: { id: 'did:no:1' },
+      credentialSubject: {
+        vendorUserId: 'vendorUserId3',
+      },
+      did: 'mock',
+    });
+    await persistOffer({
+      consentedAt: new Date(1670763410000),
+      issuer: did,
+      credentialSubject: {
+        vendorUserId: 'vendorUserId4',
+      },
+      did: 'mock',
+    });
+    await persistOffer({});
+    const { total, unique } = await getMetrics({ start, end, did }, { db });
+
+    expect(total).toEqual(3);
+    expect(unique).toEqual(2);
+  });
+});

package/test/offers.test.js

@@ -0,0 +1,97 @@
+const { buildMongoConnection } = require('@verii/tests-helpers');
+const {
+  updateOfferExpirationDates,
+} = require('../src/offers/update-offer-expiration-dates');
+const { initMongoClient } = require('../src/helpers/init-mongo-client');
+const { persistOfferFactory } = require('./factories/offers-factory');
+
+describe('offers test suite', () => {
+  let client;
+  let db;
+  let persistOffer;
+  beforeAll(async () => {
+    client = await initMongoClient(buildMongoConnection('test-mockvendor'));
+    db = client.db();
+    persistOffer = persistOfferFactory(db);
+  });
+  afterAll(async () => {
+    await client.close();
+  });
+  beforeEach(async () => {
+    await db.collection('offers').deleteMany({});
+  });
+
+  it('should handle empty set', async () => {
+    await updateOfferExpirationDates({ db });
+
+    const updatedOffers = await db.collection('offers').find({}).toArray();
+    expect(updatedOffers).toEqual([]);
+  });
+
+  it('should update offerExpirationDate on offers', async () => {
+    const offer1 = await persistOffer({
+      offerExpirationDate: new Date('2020-08-04T21:13:32.019Z'),
+    });
+    const offer2 = await persistOffer({});
+
+    await updateOfferExpirationDates({ db });
+
+    const updatedOffers = await db.collection('offers').find({}).toArray();
+    expect(updatedOffers).toEqual([
+      {
+        ...offer1,
+        offerExpirationDate: new Date('2030-01-01T00:00:00.000Z'),
+        updatedAt: expect.any(Date),
+      },
+      {
+        ...offer2,
+        offerExpirationDate: new Date('2030-01-01T00:00:00.000Z'),
+        updatedAt: expect.any(Date),
+      },
+    ]);
+    expect(updatedOffers[0].updatedAt.getTime()).toBeGreaterThan(
+      offer1.updatedAt.getTime()
+    );
+    expect(updatedOffers[1].updatedAt.getTime()).toBeGreaterThan(
+      offer2.updatedAt.getTime()
+    );
+  });
+
+  it('should respect the dids filter on offers', async () => {
+    const offer1 = await persistOffer({
+      offerExpirationDate: new Date('2020-08-04T21:13:32.019Z'),
+      issuer: {
+        id: 'foo',
+      },
+    });
+    const offer2 = await persistOffer({
+      offerExpirationDate: new Date('2020-08-04T21:13:32.019Z'),
+    });
+
+    await updateOfferExpirationDates({ db, dids: ['foo'] });
+
+    const updatedOffers = await db
+      .collection('offers')
+      .find({})
+      .sort({ _id: 1 })
+      .toArray();
+    expect(updatedOffers).toEqual([
+      {
+        ...offer1,
+        offerExpirationDate: new Date('2030-01-01T00:00:00.000Z'),
+        updatedAt: expect.any(Date),
+      },
+      {
+        ...offer2,
+        offerExpirationDate: new Date('2020-08-04T21:13:32.019Z'),
+        updatedAt: expect.any(Date),
+      },
+    ]);
+    expect(updatedOffers[0].updatedAt.getTime()).toBeGreaterThan(
+      offer1.updatedAt.getTime()
+    );
+    expect(updatedOffers[1].updatedAt.getTime()).toEqual(
+      offer2.updatedAt.getTime()
+    );
+  });
+});

package/test/pii-purge.test.js

@@ -0,0 +1,112 @@
+const { buildMongoConnection } = require('@verii/tests-helpers');
+const {
+  removePiiFromFinalizedOffers,
+} = require('../src/pii-purge/remove-pii-from-finalized-offers');
+const { initMongoClient } = require('../src/helpers/init-mongo-client');
+const {
+  persistOfferFactory,
+  credentialSubject,
+} = require('./factories/offers-factory');
+
+describe('pii-purge test suite', () => {
+  let client;
+  let db;
+  let persistOffer;
+  beforeAll(async () => {
+    client = await initMongoClient(
+      buildMongoConnection('test-credentialagent')
+    );
+    db = client.db();
+    persistOffer = persistOfferFactory(db);
+  });
+  afterAll(async () => {
+    await client.close();
+  });
+  beforeEach(async () => {
+    await db.collection('offers').deleteMany({});
+  });
+
+  it('should remove pii from offers which have consentedAt or rejectedAt', async () => {
+    const offer1 = await persistOffer({
+      consentedAt: new Date('2020-08-04T21:13:32.019Z'),
+      credentialSubject: {
+        ...credentialSubject,
+        vendorUserId: 'vendorUserId_1',
+      },
+    });
+    const offer2 = await persistOffer({
+      rejectedAt: new Date('2020-08-04T21:13:32.019Z'),
+      credentialSubject: {
+        ...credentialSubject,
+        vendorUserId: 'vendorUserId_2',
+      },
+    });
+    const offer3 = await persistOffer({
+      credentialSubject: {
+        ...credentialSubject,
+        vendorUserId: 'vendorUserId_3',
+      },
+    });
+    const offer4 = await persistOffer({
+      credentialSubject: {
+        ...credentialSubject,
+        vendorUserId: 'vendorUserId_4',
+      },
+      offerExpirationDate: new Date('2020-08-04T21:13:32.019Z'),
+    });
+
+    await removePiiFromFinalizedOffers({ db });
+
+    const updatedOffers = await db
+      .collection('offers')
+      .find({})
+      .sort({ _id: 1 })
+      .toArray();
+    expect(updatedOffers).toEqual([
+      {
+        ...offer1,
+        credentialSubject: {
+          vendorUserId: offer1.credentialSubject.vendorUserId,
+        },
+        updatedAt: expect.any(Date),
+      },
+      {
+        ...offer2,
+        credentialSubject: {
+          vendorUserId: offer2.credentialSubject.vendorUserId,
+        },
+        updatedAt: expect.any(Date),
+      },
+      offer3,
+      {
+        ...offer4,
+        credentialSubject: {
+          vendorUserId: offer4.credentialSubject.vendorUserId,
+        },
+        updatedAt: expect.any(Date),
+      },
+    ]);
+  });
+
+  it('should not remove pii if offers active', async () => {
+    const offers = await Promise.all([
+      persistOffer({
+        credentialSubject: {
+          ...credentialSubject,
+          vendorUserId: 'vendorUserId_1',
+        },
+      }),
+      persistOffer({
+        credentialSubject: {
+          ...credentialSubject,
+          vendorUserId: 'vendorUserId_2',
+        },
+      }),
+    ]);
+
+    await removePiiFromFinalizedOffers({ db });
+
+    const updatedOffers = await db.collection('offers').find({}).toArray();
+    expect(updatedOffers).toEqual(offers);
+  });
+});