@wavo-cloud/aws-secrets-manager-helper 0.1.4 → 0.1.6

package/.circleci/config.yml

@@ -4,7 +4,7 @@ jobs:
 
   test:
     docker:
-      - image: circleci/node:10.15
+      - image: circleci/node:12.13
 
     steps:
       - checkout
@@ -34,7 +34,7 @@ jobs:
 
   module-push:
     docker:
-      - image: circleci/node:10.15
+      - image: circleci/node:12.13
 
     steps:
       - checkout

package/.eslintrc

@@ -0,0 +1,6 @@
+{
+  "extends": ["@wavo-cloud/eslint-config"],
+  "rules": {
+    // You can disable rules here
+  }
+}

package/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:10.15-alpine
+FROM node:12.13-alpine
 
 # Create app directory
 RUN mkdir -p /usr/local/src/cloud-app

package/app/index.js

@@ -1,2 +1 @@
-'use strict'
 module.exports = require('./utils/awsSecretsManager')

package/app/utils/awsSecretsManager.js

@@ -1,12 +1,16 @@
 const AWS = require('aws-sdk')
+const { merge, omit } = require('lodash')
 
-const region = 'us-east-1'
+const secretsManagerRegion = 'us-east-1'
 const clientIdsSecretId = 'wavo/self_serve/client_list'
 const client = new AWS.SecretsManager({
-  region,
+  region: secretsManagerRegion,
 })
 
-// attempts to parse secret
+/**
+ * Attempts to parse secret
+ * @param {String} secretString - The stringified secret
+ */
 async function parseSecret(secretString) {
   let parsedSecret = {}
   try {
@@ -18,8 +22,35 @@ async function parseSecret(secretString) {
   }
 }
 
-// gets a defined secret value from aws secrets manager
-// returns JSON where JSON is the secret
+function handleAWSPromiseError(promiseError) {
+  if (promiseError.code === 'DecryptionFailureException') {
+    promiseError.message =
+      "Secrets Manager can't decrypt the protected secret text using the provided KMS key."
+  } else if (promiseError.code === 'InternalServiceErrorException') {
+    promiseError.message = 'An error occurred on the server side.'
+  } else if (promiseError.code === 'InvalidParameterException') {
+    promiseError.message = 'You provided an invalid value for a parameter.'
+  } else if (promiseError.code === 'InvalidRequestException') {
+    promiseError.message =
+      'You provided a parameter value that is not valid for the current state of the resource.'
+  } else if (promiseError.code === 'ResourceNotFoundException') {
+    promiseError.message = "We can't find the resource that you asked for."
+  } else if (promiseError.code === 'EncryptionFailureException') {
+    promiseError.message =
+      'We could not encrypt your secret. Your KMS/CMK key may be invalid.'
+  } else if (promiseError.code === 'LimitExceededException') {
+    promiseError.message = 'Your request would exceed our AWSSM internal limit.'
+  } else if (promiseError.code === 'ResourceExistsException') {
+    promiseError.message = 'A resource with this identifier already exists.'
+  }
+  throw promiseError
+}
+
+/**
+ * Gets a defined secret value from aws secrets manager
+ * Returns JSON where JSON is the secret
+ * @param {String} secretId - The ID of an existing secret
+ */
 async function getSecretValue(secretId) {
   let promiseError
   const data = await client
@@ -30,24 +61,7 @@ async function getSecretValue(secretId) {
     })
 
   if (promiseError) {
-    if (promiseError.code === 'DecryptionFailureException') {
-      promiseError.message =
-        "Secrets Manager can't decrypt the protected secret text using the provided KMS key."
-      throw promiseError
-    } else if (promiseError.code === 'InternalServiceErrorException') {
-      promiseError.message = 'An error occurred on the server side.'
-      throw promiseError
-    } else if (promiseError.code === 'InvalidParameterException') {
-      promiseError.message = 'You provided an invalid value for a parameter.'
-      throw promiseError
-    } else if (promiseError.code === 'InvalidRequestException') {
-      promiseError.message =
-        'You provided a parameter value that is not valid for the current state of the resource.'
-      throw promiseError
-    } else if (promiseError.code === 'ResourceNotFoundException') {
-      promiseError.message = "We can't find the resource that you asked for."
-      throw promiseError
-    }
+    handleAWSPromiseError(promiseError)
   } else if ('SecretString' in data) {
     return parseSecret(data.SecretString)
   } else {
@@ -56,28 +70,32 @@ async function getSecretValue(secretId) {
   }
 }
 
-// gets the secret keying where client secrets are stored
-// returns JSON where JSON is the secret
-async function getClientSecretIds() {
-  return getSecretValue(clientIdsSecretId)
+/**
+ * Gets the secret keying where client secrets are stored
+ * Returns JSON where JSON is the secret
+ */
+async function getClientSecretIds(clientIdsSecretIdOverride = null) {
+  return getSecretValue(clientIdsSecretIdOverride || clientIdsSecretId)
 }
 
-// gets a specific client secret holding their API keys
-// returns JSON where JSON is the secret
+/**
+ * Gets a specific client secret holding their API keys
+ * Returns JSON where JSON is the secret
+ * @param {String} clientId - The client ID
+ */
 async function getClientSecret(clientId) {
   const clientSecretIds = await getClientSecretIds()
   return getSecretValue(clientSecretIds[clientId])
 }
 
-// gets all client secrets holding their API keys
-// returns [{ clientId: String, secretId: String, ...secret }]
-// skips all that are missing a region or organization
+/**
+ * Gets all client secrets holding their API keys
+ * Returns [{ clientId: String, secretId: String, ...secret }]
+ * Skips all that are missing a region or organization
+ */
 async function getAllClientSecrets() {
   const clientSecretIds = await getClientSecretIds()
-  if (!clientSecretIds) {
-    console.log('No clients found')
-    return []
-  }
+  if (!clientSecretIds) return []
   const parsedClientSecrets = await Promise.all(
     Object.keys(clientSecretIds).map(async clientId => {
       const result = await getSecretValue(clientSecretIds[clientId])
@@ -89,16 +107,218 @@ async function getAllClientSecrets() {
   return parsedClientSecrets.filter(clientSecret => {
     if (clientSecret.organization && clientSecret.region && !clientSecret.error)
       return true
-    console.log(
-      `Client secret at ${clientSecret.secretId} is missing organization or region`
-    )
     return false
   })
 }
 
+/**
+ * Creates a new secret
+ * @param {String} secretName - The friendly name of the secret
+ * @param {String} secretDescription - The description of the secret
+ * @param {String} secretValue - The JSON string secret value
+ */
+async function createSecret(secretName, secretDescription, secretValue) {
+  let promiseError
+  if (typeof secretValue !== 'string')
+    throw new Error('Secret value must be a JSON string.')
+  const regex = new RegExp('^[a-z0-9-_/]*$')
+  if (!regex.test(secretName))
+    throw new Error(
+      'The secret name can only include lowercase alphanumerics, underscores, and dashes.'
+    )
+  const data = await client
+    .createSecret({
+      Name: secretName,
+      Description: secretDescription,
+      SecretString: secretValue,
+    })
+    .promise()
+    .catch(error => {
+      promiseError = error
+    })
+
+  if (promiseError) handleAWSPromiseError(promiseError)
+  else return data
+}
+
+/**
+ * Edits an existing secret
+ * @param {String} secretName - The friendly name of the secret
+ * @param {Object} secretValue - The new JSON string secret value
+ */
+async function editSecret(secretName, secretValue) {
+  let promiseError
+  if (typeof secretValue !== 'string')
+    throw new Error('Secret value must be a JSON string.')
+  const data = await client
+    .updateSecret({
+      SecretId: secretName,
+      SecretString: secretValue,
+    })
+    .promise()
+    .catch(error => {
+      promiseError = error
+    })
+
+  if (promiseError) handleAWSPromiseError(promiseError)
+  else return data
+}
+
+/**
+ * Adds a client to the client list and does data validation
+ * @param {String} clientId - The ID of the client
+ * @param {String} clientName - The display name of the client
+ * @param {String} organization - The location of the organization's data in S3
+ * @param {String} region - The sub location of the organization's data in S3
+ * @param {Object} keyValuePairs - The secret to store for the client
+ */
+async function createClient(
+  clientId,
+  clientName,
+  organization,
+  region,
+  keyValuePairs,
+  clientIdsSecretIdOverride = null
+) {
+  if (!clientId || !clientName || !organization || !region)
+    throw new Error('Client ID, name, organization, and region are required.')
+  const regex = new RegExp('^[a-z0-9-_]*$')
+  if (!regex.test(organization) || !regex.test(region))
+    throw new Error(
+      'Organization and region can only include lowercase alphanumerics, underscores, and dashes.'
+    )
+  // get client list secret
+  const currentClientList = await getClientSecretIds(
+    clientIdsSecretIdOverride || clientIdsSecretId
+  )
+  // if client is already in list, throw error
+  if (currentClientList[clientId])
+    throw new Error('A client with this ID already exists.')
+  // create client secret
+  const createSecretResults = await createSecret(
+    `${organization}/ad_platforms/api`,
+    `${clientName} Ad Platform API Keys`,
+    JSON.stringify({
+      client_name: clientName,
+      organization,
+      region,
+      ...keyValuePairs,
+    })
+  )
+  // add to client list
+  const editClientListResults = await editSecret(
+    clientIdsSecretIdOverride || clientIdsSecretId,
+    JSON.stringify({
+      [clientId]: `${organization}/ad_platforms/api`,
+      ...currentClientList,
+    })
+  )
+
+  return { createSecretResults, editClientListResults }
+}
+
+/**
+ * Directly sets the secret value of an existing secret
+ * @param {String} clientId - The ID of the client
+ * @param {String} clientName - The display name of the client
+ * @param {String} organization - The location of the organization's data in S3
+ * @param {String} region - The sub location of the organization's data in S3
+ * @param {Object} keyValuePairs - The secret to store for the client
+ */
+async function setClient(
+  clientId,
+  clientName,
+  organization,
+  region,
+  keyValuePairs,
+  clientIdsSecretIdOverride = null
+) {
+  if (!clientId || !clientName || !organization || !region)
+    throw new Error('Client ID, name, organization, and region are required.')
+  const regex = new RegExp('^[a-z0-9-_]*$')
+  if (
+    (organization && !regex.test(organization)) ||
+    (region && !regex.test(region))
+  )
+    throw new Error(
+      'Organization and region can only include lowercase alphanumerics, underscores, and dashes.'
+    )
+  // get client secret location
+  const currentClientList = await getClientSecretIds(clientIdsSecretIdOverride)
+  const clientSecretId = currentClientList[clientId]
+  // set client
+  const setClientResults = await editSecret(
+    clientSecretId,
+    JSON.stringify({
+      client_name: clientName,
+      organization,
+      region,
+      ...keyValuePairs,
+    })
+  )
+
+  return { setClientResults }
+}
+
+/**
+ * Edits a secret value of an existing secret
+ * It merges keyValuePairsToAdd
+ * It omits keysToDelete
+ * @param {String} clientId - The ID of the client
+ * @param {String} clientName - The display name of the client
+ * @param {String} organization - The location of the organization's data in S3
+ * @param {String} region - The sub location of the organization's data in S3
+ * @param {Object} keyValuePairsToAdd
+ * @param {Array} keysToDelete
+ */
+async function editClient(
+  clientId,
+  keyValuePairsToAdd,
+  keysToDelete,
+  clientIdsSecretIdOverride
+) {
+  if (!clientId) throw new Error('Client ID is required.')
+  if (
+    keysToDelete.some(key =>
+      ['organization', 'region', 'client_name'].includes(key)
+    )
+  )
+    throw new Error('You cannot unset the organization, region, or client_name')
+  const regex = new RegExp('^[a-z0-9-_]*$')
+  const keysToAdd = Object.keys(keyValuePairsToAdd)
+  if (
+    (keysToAdd.includes('organization') &&
+      (!regex.test(keyValuePairsToAdd.organization) ||
+        !keyValuePairsToAdd.organization)) ||
+    (keysToAdd.includes('region') &&
+      (!regex.test(keyValuePairsToAdd.region) || !keyValuePairsToAdd.region)) ||
+    (keysToAdd.includes('client_name') && !keyValuePairsToAdd.client_name)
+  )
+    throw new Error(
+      'Organization, region, and client_name can only include lowercase alphanumerics, underscores, and dashes and must be non-null if included.'
+    )
+  // get client secret location
+  const currentClientList = await getClientSecretIds(clientIdsSecretIdOverride)
+  const clientSecretId = currentClientList[clientId]
+  const keyValuePairs = await getSecretValue(clientSecretId)
+  merge(keyValuePairs, keyValuePairsToAdd)
+  // edit client
+  const editClientResults = await editSecret(
+    clientSecretId,
+    JSON.stringify({
+      ...omit(keyValuePairs, keysToDelete),
+    })
+  )
+
+  return { editClientResults }
+}
+
 module.exports = {
   getClientSecretIds,
   getClientSecret,
   getAllClientSecrets,
   getSecretValue,
+  createClient,
+  setClient,
+  editClient,
 }

package/app/utils/awsSecretsManagerDeleteHelper.js

@@ -0,0 +1,108 @@
+const AWS = require('aws-sdk')
+const { omit } = require('lodash')
+const { getClientSecretIds } = require('./awsSecretsManager')
+
+const secretsManagerRegion = 'us-east-1'
+const clientIdsSecretId = 'wavo/self_serve/client_list'
+const client = new AWS.SecretsManager({
+  region: secretsManagerRegion,
+})
+
+function handleAWSPromiseError(promiseError) {
+  if (promiseError.code === 'DecryptionFailureException') {
+    promiseError.message =
+      "Secrets Manager can't decrypt the protected secret text using the provided KMS key."
+  } else if (promiseError.code === 'InternalServiceErrorException') {
+    promiseError.message = 'An error occurred on the server side.'
+  } else if (promiseError.code === 'InvalidParameterException') {
+    promiseError.message = 'You provided an invalid value for a parameter.'
+  } else if (promiseError.code === 'InvalidRequestException') {
+    promiseError.message =
+      'You provided a parameter value that is not valid for the current state of the resource.'
+  } else if (promiseError.code === 'ResourceNotFoundException') {
+    promiseError.message = "We can't find the resource that you asked for."
+  } else if (promiseError.code === 'EncryptionFailureException') {
+    promiseError.message =
+      'We could not encrypt your secret. Your KMS/CMK key may be invalid.'
+  } else if (promiseError.code === 'LimitExceededException') {
+    promiseError.message = 'Your request would exceed our AWSSM internal limit.'
+  } else if (promiseError.code === 'ResourceExistsException') {
+    promiseError.message = 'A resource with this identifier already exists.'
+  }
+  throw promiseError
+}
+
+/**
+ * Edits an existing secret
+ * @param {String} secretName - The friendly name of the secret
+ * @param {Object} secretValue - The new JSON string secret value
+ */
+async function editSecret(secretName, secretValue) {
+  let promiseError
+  if (typeof secretValue !== 'string')
+    throw new Error('Secret value must be a JSON string.')
+  const data = await client
+    .updateSecret({
+      SecretId: secretName,
+      SecretString: secretValue,
+    })
+    .promise()
+    .catch(error => {
+      promiseError = error
+    })
+
+  if (promiseError) handleAWSPromiseError(promiseError)
+  else return data
+}
+
+/**
+ * Delete a secret
+ * @param {String} secretId - The ID of the secret
+ * @param {Boolean} force - If true, the secret cannot be recovered
+ * @param {Number} recoveryWindow - The recovery window
+ */
+async function deleteSecret(secretId, force = false, recoveryWindow = 30) {
+  let promiseError
+  if (!secretId) throw new Error('Secret value must be a JSON string.')
+
+  const data = await client
+    .deleteSecret({
+      ForceDeleteWithoutRecovery: force,
+      RecoveryWindowInDays: force ? undefined : recoveryWindow,
+      SecretId: secretId,
+    })
+    .promise()
+    .catch(error => {
+      promiseError = error
+    })
+
+  if (promiseError) handleAWSPromiseError(promiseError)
+  else return data
+}
+
+async function deleteClient(
+  clientId,
+  force,
+  recoveryWindow,
+  clientIdsSecretIdOverride = null,
+) {
+  if (!clientId) throw new Error('Client ID is required')
+  // get current client list
+  const currentClientList = await getClientSecretIds(clientIdsSecretIdOverride)
+  const secretId = currentClientList[clientId]
+  if (!secretId)
+    throw new Error('The client ID could not be found or is invalid')
+  // delete the client secret
+  const deleteSecretResult = await deleteSecret(secretId, force, recoveryWindow)
+  // remove them from client list
+  const editClientListResult = await editSecret(
+    clientIdsSecretIdOverride || clientIdsSecretId,
+    JSON.stringify(omit(currentClientList, [clientId]))
+  )
+
+  return { deleteSecretResult, editClientListResult }
+}
+
+module.exports = {
+  deleteClient,
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wavo-cloud/aws-secrets-manager-helper",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Wavo Cloud Infallible AWS Secrets Manager Helper",
   "license": "UNLICENSED",
   "repository": {
@@ -24,16 +24,18 @@
     "ci-test": "yarn docker-test"
   },
   "devDependencies": {
+    "@wavo-cloud/eslint-config": "^0.0.9",
     "@wavo-cloud/generator-microservice": "^2.5.0",
     "chai": "^4.2.0",
-    "eslint": "^5.6.0",
+    "eslint": "^7.6.0",
     "eslint-config-prettier": "^3.1.0",
     "mocha": "^5.2.0",
     "mock-local-storage": "^1.1.12",
     "prettier": "^1.14.3"
   },
   "dependencies": {
-    "aws-sdk": "^2.713.0"
+    "aws-sdk": "^2.713.0",
+    "lodash": "^4.17.19"
   },
   "bugs": {
     "url": "https://github.com/Wavo/wavo-cloud.aws-secrets-manager-helper/issues"
@@ -47,5 +49,8 @@
     "secrets",
     "manager"
   ],
-  "author": "Zain Virani"
+  "author": "Zain Virani",
+  "engines": {
+    "node": ">=12.13"
+  }
 }

package/test/aws.test.js

@@ -1,8 +1,17 @@
+/* eslint-disable */
 const {
   getAllClientSecrets,
+  getClientSecretIds,
+  getSecretValue,
+  createClient,
+  setClient,
+  editClient,
 } = require('../app/utils/awsSecretsManager')
+const { deleteClient } = require('../app/utils/awsSecretsManagerDeleteHelper')
 const expect = require('chai').expect
 
+const clientIdsSecretId = 'wavo/self_serve/client_list_test'
+
 describe('Test Secrets Manager Helper', async () => {
   /**
    * This function call tests all of the helper functions
@@ -14,4 +23,89 @@ describe('Test Secrets Manager Helper', async () => {
     expect(clientSecrets[0].clientId).to.not.be.null
     expect(clientSecrets[0].secretId).to.not.be.null
   })
-})
+
+  it('should create a new client', async () => {
+    const createClientResult = await createClient(
+      'test_client_id',
+      'test_client_name',
+      'test_organization',
+      'test_region',
+      { test_secret_key: 'test_secret_value' },
+      clientIdsSecretId
+    )
+    expect(createClientResult.createSecretResults.Name).to.equal(
+      'test_organization/ad_platforms/api'
+    )
+
+    const clientList = await getClientSecretIds(clientIdsSecretId)
+    expect(clientList['test_client_id']).to.equal(
+      'test_organization/ad_platforms/api'
+    )
+  })
+
+  it('should set a client', async () => {
+    await setClient(
+      'test_client_id',
+      'test_client_name_2',
+      'test_organization',
+      'test_region_new',
+      { test_secret_key_new: 'test_secret_value_new', to_delete: 'to_delete' },
+      clientIdsSecretId
+    )
+
+    const testSecret = await getSecretValue(
+      'test_organization/ad_platforms/api'
+    )
+    expect(testSecret.client_name).to.equal('test_client_name_2')
+    expect(testSecret.organization).to.equal('test_organization')
+    expect(testSecret.region).to.equal('test_region_new')
+    expect(testSecret.test_secret_key).to.equal(undefined)
+    expect(testSecret.test_secret_key_new).to.equal('test_secret_value_new')
+    expect(testSecret.to_delete).to.equal('to_delete')
+  })
+
+  it('should edit, add, and delete a client key/value secret', async () => {
+    await editClient(
+      'test_client_id',
+      {
+        test_secret_key_new: 'edit',
+        new_key: 'add',
+        organization: 'test_organization_new'
+      },
+      ['to_delete'],
+      clientIdsSecretId
+    )
+
+    const testSecret = await getSecretValue(
+      'test_organization/ad_platforms/api'
+    )
+
+    expect(testSecret.client_name).to.equal('test_client_name_2')
+    expect(testSecret.organization).to.equal('test_organization_new')
+    expect(testSecret.region).to.equal('test_region_new')
+    expect(testSecret.test_secret_key_new).to.equal('edit')
+    expect(testSecret.new_key).to.equal('add')
+    expect(testSecret.to_delete).to.equal(undefined)
+  })
+
+  it('should delete a client', async () => {
+    //let clientList
+    await deleteClient(
+      'test_client_id',
+      true,
+      30,
+      clientIdsSecretId,
+    )
+
+    const clientList = await getClientSecretIds(clientIdsSecretId)
+
+    try {
+      await getSecretValue(
+        'test_organization/ad_platforms/api'
+      )
+      expect.fail("'test_organization/ad_platforms/api' should not be a valid secret value")
+    } catch (error) {
+      expect(clientList['test_client_id']).to.equal(undefined)
+    }
+  })
+})