@vollcrypt/db-guard 0.1.0

package/dist/drizzle.d.ts

@@ -0,0 +1,65 @@
+import { RateLimiterOptions } from './security';
+export interface DrizzleDbGuardOptions {
+    key: Buffer | Record<string, Buffer>;
+    activeKeyVersion?: string;
+    blindIndexes?: {
+        rootSalt: Buffer;
+    };
+    cryptoRbac?: {
+        roles: Record<string, {
+            decrypt: string[];
+            mask?: Record<string, 'credit_card' | 'email' | 'tc_no' | ((v: any) => any) | string>;
+        }>;
+    };
+    rateLimiter?: RateLimiterOptions;
+}
+export declare const createDrizzleGuard: (options: DrizzleDbGuardOptions) => {
+    pgText: (name: string, columnPath?: string) => import("drizzle-orm/pg-core").PgCustomColumnBuilder<{
+        name: string;
+        dataType: "custom";
+        columnType: "PgCustomColumn";
+        data: unknown;
+        driverParam: unknown;
+        enumValues: undefined;
+    }>;
+    mysqlText: (name: string, columnPath?: string) => import("drizzle-orm/mysql-core").MySqlCustomColumnBuilder<{
+        name: string;
+        dataType: "custom";
+        columnType: "MySqlCustomColumn";
+        data: unknown;
+        driverParam: unknown;
+        enumValues: undefined;
+    }>;
+    sqliteText: (name: string, columnPath?: string) => import("drizzle-orm/sqlite-core").SQLiteCustomColumnBuilder<{
+        name: string;
+        dataType: "custom";
+        columnType: "SQLiteCustomColumn";
+        data: unknown;
+        driverParam: unknown;
+        enumValues: undefined;
+    }>;
+    pgBlindIndex: (name: string, columnName: string) => import("drizzle-orm/pg-core").PgCustomColumnBuilder<{
+        name: string;
+        dataType: "custom";
+        columnType: "PgCustomColumn";
+        data: unknown;
+        driverParam: unknown;
+        enumValues: undefined;
+    }>;
+    mysqlBlindIndex: (name: string, columnName: string) => import("drizzle-orm/mysql-core").MySqlCustomColumnBuilder<{
+        name: string;
+        dataType: "custom";
+        columnType: "MySqlCustomColumn";
+        data: unknown;
+        driverParam: unknown;
+        enumValues: undefined;
+    }>;
+    sqliteBlindIndex: (name: string, columnName: string) => import("drizzle-orm/sqlite-core").SQLiteCustomColumnBuilder<{
+        name: string;
+        dataType: "custom";
+        columnType: "SQLiteCustomColumn";
+        data: unknown;
+        driverParam: unknown;
+        enumValues: undefined;
+    }>;
+};

package/dist/drizzle.js

@@ -0,0 +1,118 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createDrizzleGuard = void 0;
+const pg_core_1 = require("drizzle-orm/pg-core");
+const mysql_core_1 = require("drizzle-orm/mysql-core");
+const sqlite_core_1 = require("drizzle-orm/sqlite-core");
+const prisma_1 = require("./prisma");
+const blind_index_1 = require("./blind-index");
+const security_1 = require("./security");
+function getKeys(options) {
+    let keys;
+    let activeVersion;
+    if (Buffer.isBuffer(options.key)) {
+        keys = { '1': options.key };
+        activeVersion = '1';
+    }
+    else {
+        keys = options.key;
+        activeVersion = options.activeKeyVersion || Object.keys(keys)[0];
+    }
+    return { keys, activeVersion };
+}
+const createDrizzleGuard = (options) => {
+    const { keys, activeVersion } = getKeys(options);
+    const activeKey = keys[activeVersion];
+    if (!activeKey) {
+        throw new Error(`Active encryption key version "${activeVersion}" is not present in the key map.`);
+    }
+    (0, security_1.registerKeysForZeroization)(keys);
+    const rootSalt = options.blindIndexes?.rootSalt;
+    return {
+        pgText: (name, columnPath) => (0, pg_core_1.customType)({
+            dataType() {
+                return 'text';
+            },
+            toDriver(value) {
+                return (0, prisma_1.encryptValue)(value, activeKey, activeVersion);
+            },
+            fromDriver(value) {
+                const parts = columnPath?.split('.') || [name];
+                const mName = parts[0] || 'Model';
+                const fName = parts[1] || name;
+                return (0, security_1.decryptWithSecurity)(value, (val) => (0, prisma_1.decryptValue)(val, keys), mName, fName, undefined, options);
+            }
+        })(name),
+        mysqlText: (name, columnPath) => (0, mysql_core_1.customType)({
+            dataType() {
+                return 'text';
+            },
+            toDriver(value) {
+                return (0, prisma_1.encryptValue)(value, activeKey, activeVersion);
+            },
+            fromDriver(value) {
+                const parts = columnPath?.split('.') || [name];
+                const mName = parts[0] || 'Model';
+                const fName = parts[1] || name;
+                return (0, security_1.decryptWithSecurity)(value, (val) => (0, prisma_1.decryptValue)(val, keys), mName, fName, undefined, options);
+            }
+        })(name),
+        sqliteText: (name, columnPath) => (0, sqlite_core_1.customType)({
+            dataType() {
+                return 'text';
+            },
+            toDriver(value) {
+                return (0, prisma_1.encryptValue)(value, activeKey, activeVersion);
+            },
+            fromDriver(value) {
+                const parts = columnPath?.split('.') || [name];
+                const mName = parts[0] || 'Model';
+                const fName = parts[1] || name;
+                return (0, security_1.decryptWithSecurity)(value, (val) => (0, prisma_1.decryptValue)(val, keys), mName, fName, undefined, options);
+            }
+        })(name),
+        pgBlindIndex: (name, columnName) => (0, pg_core_1.customType)({
+            dataType() {
+                return 'text';
+            },
+            toDriver(value) {
+                if (!rootSalt) {
+                    throw new Error('Blind index root salt is not configured in Drizzle guard options.');
+                }
+                return (0, blind_index_1.computeBlindIndex)(value, rootSalt, columnName);
+            },
+            fromDriver(value) {
+                return value;
+            }
+        })(name),
+        mysqlBlindIndex: (name, columnName) => (0, mysql_core_1.customType)({
+            dataType() {
+                return 'text';
+            },
+            toDriver(value) {
+                if (!rootSalt) {
+                    throw new Error('Blind index root salt is not configured in Drizzle guard options.');
+                }
+                return (0, blind_index_1.computeBlindIndex)(value, rootSalt, columnName);
+            },
+            fromDriver(value) {
+                return value;
+            }
+        })(name),
+        sqliteBlindIndex: (name, columnName) => (0, sqlite_core_1.customType)({
+            dataType() {
+                return 'text';
+            },
+            toDriver(value) {
+                if (!rootSalt) {
+                    throw new Error('Blind index root salt is not configured in Drizzle guard options.');
+                }
+                return (0, blind_index_1.computeBlindIndex)(value, rootSalt, columnName);
+            },
+            fromDriver(value) {
+                return value;
+            }
+        })(name)
+    };
+};
+exports.createDrizzleGuard = createDrizzleGuard;

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export { prismaDbGuard, PrismaDbGuardOptions, encryptValue, decryptValue, resolveKeys } from './prisma';
+export { mongooseDbGuard, MongooseDbGuardOptions } from './mongoose';
+export { createDrizzleGuard } from './drizzle';
+export { createTypeOrmSubscriber } from './typeorm';
+export { KmsProvider, AwsKmsProvider, GcpKmsProvider, VaultKmsProvider, unwrapDekLocal, Pkcs11KmsProvider } from './kms';
+export { computeBlindIndex } from './blind-index';
+export { dbGuardContextStore, configureAuditLogger, decryptWithSecurity, checkRateLimit, checkPageSize, resetFailClosedStatusForTesting, resetAuditLoggerForTesting, getCachedKey, setCachedKey, resetSecureKeyCacheForTesting, configureBreakGlass, deactivateBreakGlass, isBreakGlassActive, getBreakGlassKey, activateBreakGlass, parseCiphertext, CRYPTO_ALGORITHMS, VERSION_ALGORITHMS } from './security';
+export { auditConfiguration, generateComplianceHtmlReport, ComplianceAuditInput, ComplianceScorecard } from './compliance';

package/dist/index.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateComplianceHtmlReport = exports.auditConfiguration = exports.VERSION_ALGORITHMS = exports.CRYPTO_ALGORITHMS = exports.parseCiphertext = exports.activateBreakGlass = exports.getBreakGlassKey = exports.isBreakGlassActive = exports.deactivateBreakGlass = exports.configureBreakGlass = exports.resetSecureKeyCacheForTesting = exports.setCachedKey = exports.getCachedKey = exports.resetAuditLoggerForTesting = exports.resetFailClosedStatusForTesting = exports.checkPageSize = exports.checkRateLimit = exports.decryptWithSecurity = exports.configureAuditLogger = exports.dbGuardContextStore = exports.computeBlindIndex = exports.Pkcs11KmsProvider = exports.unwrapDekLocal = exports.VaultKmsProvider = exports.GcpKmsProvider = exports.AwsKmsProvider = exports.createTypeOrmSubscriber = exports.createDrizzleGuard = exports.mongooseDbGuard = exports.resolveKeys = exports.decryptValue = exports.encryptValue = exports.prismaDbGuard = void 0;
+var prisma_1 = require("./prisma");
+Object.defineProperty(exports, "prismaDbGuard", { enumerable: true, get: function () { return prisma_1.prismaDbGuard; } });
+Object.defineProperty(exports, "encryptValue", { enumerable: true, get: function () { return prisma_1.encryptValue; } });
+Object.defineProperty(exports, "decryptValue", { enumerable: true, get: function () { return prisma_1.decryptValue; } });
+Object.defineProperty(exports, "resolveKeys", { enumerable: true, get: function () { return prisma_1.resolveKeys; } });
+var mongoose_1 = require("./mongoose");
+Object.defineProperty(exports, "mongooseDbGuard", { enumerable: true, get: function () { return mongoose_1.mongooseDbGuard; } });
+var drizzle_1 = require("./drizzle");
+Object.defineProperty(exports, "createDrizzleGuard", { enumerable: true, get: function () { return drizzle_1.createDrizzleGuard; } });
+var typeorm_1 = require("./typeorm");
+Object.defineProperty(exports, "createTypeOrmSubscriber", { enumerable: true, get: function () { return typeorm_1.createTypeOrmSubscriber; } });
+var kms_1 = require("./kms");
+Object.defineProperty(exports, "AwsKmsProvider", { enumerable: true, get: function () { return kms_1.AwsKmsProvider; } });
+Object.defineProperty(exports, "GcpKmsProvider", { enumerable: true, get: function () { return kms_1.GcpKmsProvider; } });
+Object.defineProperty(exports, "VaultKmsProvider", { enumerable: true, get: function () { return kms_1.VaultKmsProvider; } });
+Object.defineProperty(exports, "unwrapDekLocal", { enumerable: true, get: function () { return kms_1.unwrapDekLocal; } });
+Object.defineProperty(exports, "Pkcs11KmsProvider", { enumerable: true, get: function () { return kms_1.Pkcs11KmsProvider; } });
+var blind_index_1 = require("./blind-index");
+Object.defineProperty(exports, "computeBlindIndex", { enumerable: true, get: function () { return blind_index_1.computeBlindIndex; } });
+var security_1 = require("./security");
+Object.defineProperty(exports, "dbGuardContextStore", { enumerable: true, get: function () { return security_1.dbGuardContextStore; } });
+Object.defineProperty(exports, "configureAuditLogger", { enumerable: true, get: function () { return security_1.configureAuditLogger; } });
+Object.defineProperty(exports, "decryptWithSecurity", { enumerable: true, get: function () { return security_1.decryptWithSecurity; } });
+Object.defineProperty(exports, "checkRateLimit", { enumerable: true, get: function () { return security_1.checkRateLimit; } });
+Object.defineProperty(exports, "checkPageSize", { enumerable: true, get: function () { return security_1.checkPageSize; } });
+Object.defineProperty(exports, "resetFailClosedStatusForTesting", { enumerable: true, get: function () { return security_1.resetFailClosedStatusForTesting; } });
+Object.defineProperty(exports, "resetAuditLoggerForTesting", { enumerable: true, get: function () { return security_1.resetAuditLoggerForTesting; } });
+Object.defineProperty(exports, "getCachedKey", { enumerable: true, get: function () { return security_1.getCachedKey; } });
+Object.defineProperty(exports, "setCachedKey", { enumerable: true, get: function () { return security_1.setCachedKey; } });
+Object.defineProperty(exports, "resetSecureKeyCacheForTesting", { enumerable: true, get: function () { return security_1.resetSecureKeyCacheForTesting; } });
+Object.defineProperty(exports, "configureBreakGlass", { enumerable: true, get: function () { return security_1.configureBreakGlass; } });
+Object.defineProperty(exports, "deactivateBreakGlass", { enumerable: true, get: function () { return security_1.deactivateBreakGlass; } });
+Object.defineProperty(exports, "isBreakGlassActive", { enumerable: true, get: function () { return security_1.isBreakGlassActive; } });
+Object.defineProperty(exports, "getBreakGlassKey", { enumerable: true, get: function () { return security_1.getBreakGlassKey; } });
+Object.defineProperty(exports, "activateBreakGlass", { enumerable: true, get: function () { return security_1.activateBreakGlass; } });
+Object.defineProperty(exports, "parseCiphertext", { enumerable: true, get: function () { return security_1.parseCiphertext; } });
+Object.defineProperty(exports, "CRYPTO_ALGORITHMS", { enumerable: true, get: function () { return security_1.CRYPTO_ALGORITHMS; } });
+Object.defineProperty(exports, "VERSION_ALGORITHMS", { enumerable: true, get: function () { return security_1.VERSION_ALGORITHMS; } });
+var compliance_1 = require("./compliance");
+Object.defineProperty(exports, "auditConfiguration", { enumerable: true, get: function () { return compliance_1.auditConfiguration; } });
+Object.defineProperty(exports, "generateComplianceHtmlReport", { enumerable: true, get: function () { return compliance_1.generateComplianceHtmlReport; } });

package/dist/kms.d.ts

@@ -0,0 +1,46 @@
+export interface KmsProvider {
+    decrypt(ciphertext: Buffer): Promise<Buffer>;
+}
+export declare class AwsKmsProvider implements KmsProvider {
+    private config;
+    constructor(config: {
+        region: string;
+        keyId?: string;
+        credentials?: any;
+    });
+    decrypt(ciphertext: Buffer): Promise<Buffer>;
+}
+export declare class GcpKmsProvider implements KmsProvider {
+    private config;
+    constructor(config: {
+        keyName: string;
+        clientOptions?: any;
+    });
+    decrypt(ciphertext: Buffer): Promise<Buffer>;
+}
+export declare class VaultKmsProvider implements KmsProvider {
+    private config;
+    constructor(config: {
+        url: string;
+        token: string;
+        keyName: string;
+    });
+    decrypt(ciphertext: Buffer): Promise<Buffer>;
+}
+/**
+ * Local Envelope Decryption wrapper using AES-256-Key-Wrap (AES-KW)
+ */
+export declare function unwrapDekLocal(wrappedDek: Buffer, unwrappedKek: Buffer): Buffer;
+/**
+ * On-Premises HSM Provider using the standard PKCS#11 protocol
+ */
+export declare class Pkcs11KmsProvider implements KmsProvider {
+    private config;
+    constructor(config: {
+        libraryPath: string;
+        pin: string;
+        slotId?: number;
+        keyId: string;
+    });
+    decrypt(ciphertext: Buffer): Promise<Buffer>;
+}

package/dist/kms.js

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Pkcs11KmsProvider = exports.VaultKmsProvider = exports.GcpKmsProvider = exports.AwsKmsProvider = void 0;
+exports.unwrapDekLocal = unwrapDekLocal;
+const security_1 = require("./security");
+class AwsKmsProvider {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async decrypt(ciphertext) {
+        try {
+            const { KMSClient, DecryptCommand } = require('@aws-sdk/client-kms');
+            const client = new KMSClient(this.config);
+            const command = new DecryptCommand({
+                CiphertextBlob: ciphertext,
+                KeyId: this.config.keyId,
+            });
+            const res = await client.send(command);
+            if (!res.Plaintext) {
+                throw new Error('AWS KMS returned empty plaintext');
+            }
+            return Buffer.from(res.Plaintext);
+        }
+        catch (err) {
+            throw new Error(`AWS KMS decryption failed: ${err.message}`);
+        }
+    }
+}
+exports.AwsKmsProvider = AwsKmsProvider;
+class GcpKmsProvider {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async decrypt(ciphertext) {
+        try {
+            const { KeyManagementServiceClient } = require('@google-cloud/kms');
+            const client = new KeyManagementServiceClient(this.config.clientOptions);
+            const [res] = await client.decrypt({
+                name: this.config.keyName,
+                ciphertext: ciphertext,
+            });
+            if (!res.plaintext) {
+                throw new Error('GCP KMS returned empty plaintext');
+            }
+            return Buffer.from(res.plaintext);
+        }
+        catch (err) {
+            throw new Error(`GCP KMS decryption failed: ${err.message}`);
+        }
+    }
+}
+exports.GcpKmsProvider = GcpKmsProvider;
+class VaultKmsProvider {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async decrypt(ciphertext) {
+        try {
+            const vault = require('node-vault')({
+                endpoint: this.config.url,
+                token: this.config.token,
+            });
+            // Decrypt using Transit engine api
+            const payload = ciphertext.toString('utf8');
+            const res = await vault.customOp({
+                method: 'POST',
+                path: `/v1/transit/decrypt/${this.config.keyName}`,
+                data: { ciphertext: payload },
+            });
+            if (!res.data || !res.data.plaintext) {
+                throw new Error('HashiCorp Vault returned empty plaintext');
+            }
+            return Buffer.from(res.data.plaintext, 'base64');
+        }
+        catch (err) {
+            throw new Error(`HashiCorp Vault decryption failed: ${err.message}`);
+        }
+    }
+}
+exports.VaultKmsProvider = VaultKmsProvider;
+/**
+ * Local Envelope Decryption wrapper using AES-256-Key-Wrap (AES-KW)
+ */
+function unwrapDekLocal(wrappedDek, unwrappedKek) {
+    try {
+        return (0, security_1.unwrapKey)(unwrappedKek, wrappedDek);
+    }
+    catch (err) {
+        throw new Error(`Local AES-KW DEK unwrap failed: ${err.message}`);
+    }
+}
+/**
+ * On-Premises HSM Provider using the standard PKCS#11 protocol
+ */
+class Pkcs11KmsProvider {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async decrypt(ciphertext) {
+        try {
+            // Lazy load pkcs11js
+            const pkcs11js = require('pkcs11js');
+            const pkcs11 = new pkcs11js.PKCS11();
+            pkcs11.load(this.config.libraryPath);
+            pkcs11.C_Initialize();
+            const slots = pkcs11.C_GetSlotList(true);
+            const slotIndex = this.config.slotId !== undefined ? this.config.slotId : 0;
+            if (!slots || slots.length <= slotIndex) {
+                throw new Error(`PKCS#11 slot index ${slotIndex} not found or slot list is empty.`);
+            }
+            const session = pkcs11.C_OpenSession(slots[slotIndex], pkcs11js.CKF_SERIAL_SESSION | pkcs11js.CKF_RW_SESSION);
+            pkcs11.C_Login(session, pkcs11js.CKU_USER, this.config.pin);
+            try {
+                const keyIdBuf = Buffer.from(this.config.keyId, 'hex');
+                pkcs11.C_FindObjectsInit(session, [
+                    { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
+                    { type: pkcs11js.CKA_ID, value: keyIdBuf }
+                ]);
+                const objects = pkcs11.C_FindObjects(session, 1);
+                pkcs11.C_FindObjectsFinal(session);
+                if (!objects || objects.length === 0) {
+                    throw new Error(`Secret key with ID ${this.config.keyId} not found in HSM.`);
+                }
+                const keyHandle = objects[0];
+                // Extract 16-byte IV for CKM_AES_CBC_PAD, otherwise fallback to zeros
+                let iv = Buffer.alloc(16, 0);
+                let actualCiphertext = ciphertext;
+                if (ciphertext.length > 16) {
+                    iv = ciphertext.subarray(0, 16);
+                    actualCiphertext = ciphertext.subarray(16);
+                }
+                pkcs11.C_DecryptInit(session, {
+                    mechanism: pkcs11js.CKM_AES_CBC_PAD,
+                    parameter: iv
+                }, keyHandle);
+                const decrypted = pkcs11.C_Decrypt(session, actualCiphertext, Buffer.alloc(actualCiphertext.length + 16));
+                return Buffer.from(decrypted);
+            }
+            finally {
+                pkcs11.C_Logout(session);
+                pkcs11.C_CloseSession(session);
+                pkcs11.C_Finalize();
+            }
+        }
+        catch (err) {
+            throw new Error(`PKCS#11 HSM decryption failed: ${err.message}`);
+        }
+    }
+}
+exports.Pkcs11KmsProvider = Pkcs11KmsProvider;

package/dist/mongoose.d.ts

@@ -0,0 +1,30 @@
+import { Schema } from 'mongoose';
+import { RateLimiterOptions } from './security';
+export interface MongooseDbGuardOptions {
+    key: Buffer | Record<string, Buffer>;
+    activeKeyVersion?: string;
+    fields: string[];
+    blindIndexes?: {
+        rootSalt: Buffer;
+        fields: string[];
+        modelName?: string;
+    };
+    cryptoRbac?: {
+        roles: Record<string, {
+            decrypt: string[];
+            mask?: Record<string, 'credit_card' | 'email' | 'tc_no' | ((v: any) => any) | string>;
+        }>;
+    };
+    rateLimiter?: RateLimiterOptions;
+    multiTenant?: {
+        tenants?: Record<string, {
+            key?: Buffer | Record<string, Buffer>;
+            kms?: any;
+        }>;
+        getTenantConfig?: (tenantId: string) => Promise<{
+            key?: Buffer | Record<string, Buffer>;
+            kms?: any;
+        } | undefined>;
+    };
+}
+export declare function mongooseDbGuard(schema: Schema, options: MongooseDbGuardOptions): void;