@znemz/aws-play 0.1.52 → 0.1.54

package/README.md

@@ -20,6 +20,6 @@ AQICAHj/6a1KHdB7qaXDbeWQ9K48M0vQfukO9weGdqwlCJ2ehQE2GJx31AA8adTIcCOKmJf9AAAAYzBh
 `go get github.com/nmccready/aws-play/aws/kms/decrypt`
 
 ```bash
-$ echo abcd | encrypt -e base64 | decrypt -e base64
+$ echo abcd | encrypt -e base64 -k alias/demo | decrypt -e base64
 abcd
 ```

package/aws/index.js

@@ -1,28 +1,30 @@
-const AWS = require('aws-sdk');
-const proxyFact = require('proxy-agent');
+const { fromSSO } = require('@aws-sdk/credential-providers');
+const { KMSClient } = require("@aws-sdk/client-kms");
+const { addProxyToClient } = require("aws-sdk-v3-proxy");
 
 const { HTTP_PROXY, HTTPS_PROXY } = process.env;
 
-const init = ({ proxy, ...rest }) => {
-  AWS.config.update({
-    ...rest,
-    httpOptions: {
-      agent: proxyFact(proxy),
-    },
-  });
-  return AWS;
-};
+const debug = require('../debug').spawn('aws:kms:factory');
 
 const initEnv = () => {
   const proxy = HTTPS_PROXY || HTTP_PROXY;
   if (proxy) {
-    return init({ proxy });
+    debug(() => `Using proxy: ${proxy}`);    
+    return addProxyToClient(new KMSClient());
+  }
+  if (process.env.AWS_SSO_SESSION || process.env.AWS_PROFILE) {
+    debug(() => 'Using SSO credentials');
+    return new KMSClient({
+      credentials: fromSSO(),
+    });
   }
-  return AWS;
+  debug(() => 'No proxy configured, using default KMS client');
+  return new KMSClient();
 };
 
+const getClient = initEnv;
+
 module.exports = {
-  AWS,
-  init,
+  getClient,
   initEnv,
 };

package/aws/kms/args/{main.go → args.go}

@@ -3,10 +3,11 @@ package args
 import (
 	"errors"
 	"flag"
-	. "github.com/nmccready/aws-play/aws"
+
+	"github.com/nmccready/aws-play/internal/logger"
 )
 
-var debug = Spawn("args")
+var debug = logger.Spawn("args")
 
 type Args struct {
 	Encoding   string
@@ -41,6 +42,10 @@ func GetArgs() *Args {
 
 	flag.Parse()
 
+	if args.Encoding == "" {
+		args.Encoding = "base64" // default encoding
+	}
+
 	debug.Log("args: %+v", args)
 
 	return &args

package/aws/kms/args/index.js

@@ -23,6 +23,11 @@ const getArgs = () => {
       type: 'bool',
       description:
         'for decrypt which defaults to false IE uses first key that works, this is to foce a specific key usage',
+    })
+    .option('data', {
+      alias: 'd',
+      type: 'string',
+      description: 'data to encrypt or decrypt, defaults to stdin',
     });
 
   debug(() => argv);

package/aws/kms/decrypt/cli.js

@@ -1,4 +1,17 @@
 #!/usr/bin/env node
-const { decrypt } = require('./index');
+const { decrypt, decryptAsync } = require('./index');
+const getArgs = require('../args');
+const args = getArgs();
+
+if (args.data) {
+  decryptAsync(args.data, args.keyId, (err, result) => {
+    if (err) {
+      console.error('Decryption error:', err);
+      process.exit(1);
+    }
+    console.log(result);
+    process.exit(0);
+  })
+}
 
 process.stdin.pipe(decrypt).pipe(process.stdout).once('error', console.error);

package/aws/kms/decrypt/index.js

@@ -1,41 +1,48 @@
 #!/usr/bin/env node
 
 const through = require('through2');
-const buffer = require('buffer');
-const { initEnv } = require('../..');
-const getArgs = require('../args');
-const { KMS } = initEnv();
+const { DecryptCommand } = require("@aws-sdk/client-kms");
+const kms = require('../..');
+const args = require('../args')();
 
-const args = getArgs();
-const kms = new KMS();
+const debug = require('../../../debug').spawn('aws:kms:decrypt');
 
 const decoders = {
   default: (data) => data, // pass through
   decode: (encoding) => (data) => Buffer.from(data, encoding),
 };
 
-const decrypt = through.obj((text, _, cb) => {
-  decoder = args.encoding ? decoders.decode(args.encoding) : decoders.default;
-  text = decoder(String(text));
+const decryptAsync = async (toDecrypt, keyId = process.env.KMS_ID, cb) => {
+  try {
+    const client = kms.getClient();
+    debug(() => `Decrypting data with key ${keyId}`);
 
-  const opts = { CiphertextBlob: text };
+    const decoder = args.encoding ? decoders.decode(args.encoding) : decoders.default;
+    toDecrypt = decoder(String(toDecrypt));
 
-  if (args.forceKeyId) {
-    const kmsId = args['key-id'] || process.env.KMS_ID;
-    if (kmsId) {
-      opts.KeyId = kmsId;
+    const opts = { CiphertextBlob: toDecrypt };
+
+    if (args.forceKeyId) {
+      if (keyId) {
+        opts.KeyId = keyId;
+      }
     }
+
+    const data = await client.send(new DecryptCommand(opts));
+    debug(() => `Decrypted data with key ${keyId}`);
+    cb(null, Buffer.from(data.Plaintext).toString('utf8'));
+  } catch (err) {
+    debug(() => `Decryption failed: ${err.message}`);
+    cb(err);
   }
+}
 
-  kms.decrypt(opts, (err, data) => {
-    if (err) {
-      cb(err);
-    }
-    cb(null, data.Plaintext);
-  });
+const decrypt = through.obj((toDecrypt, _, cb) => {
+  decryptAsync(toDecrypt, args['key-id'], cb);
 });
 
 module.exports = {
   decoders,
   decrypt,
+  decryptAsync,
 };

package/aws/kms/decrypt/main.go

@@ -2,18 +2,19 @@ package main
 
 import (
 	"bufio"
+	"context"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"os"
 
-	"github.com/aws/aws-sdk-go/aws"
-	. "github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/kms"
-	. "github.com/nmccready/aws-play/aws/kms/args"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
+	"github.com/nmccready/aws-play/aws/kms/args"
+	"github.com/nmccready/aws-sdk-go-v2-ifaces/service/kms/kms_iface"
 )
 
-func Decrypt(text string, args *Args) (string, error) {
+func DecryptWithClient(client kms_iface.IClient, text string, args *args.Args) (string, error) {
 	var err error
 	var b []byte
 
@@ -31,47 +32,45 @@ func Decrypt(text string, args *Args) (string, error) {
 		}
 		text = string(b)
 	}
-	session, err := NewSession()
-
-	if err != nil {
-		return "", err
-	}
-
-	svc := kms.New(session)
 
 	var keyId *string
-
 	if args.ForceKeyId {
 		maybeKey := os.Getenv("KMS_ID")
-
 		if args.KeyId != "" {
 			maybeKey = args.KeyId
 		}
-
 		if maybeKey != "" {
-			keyId = aws.String(maybeKey)
+			keyId = &maybeKey
 		}
 	}
 
-	out, err := svc.Decrypt(&kms.DecryptInput{KeyId: keyId, CiphertextBlob: []byte(text)})
-
+	input := &kms.DecryptInput{
+		KeyId:          keyId,
+		CiphertextBlob: []byte(text),
+	}
+	out, err := client.Decrypt(context.Background(), input)
 	if err != nil {
 		return "", err
 	}
-
 	return string(out.Plaintext), nil
 }
 
+func Decrypt(text string, args *args.Args) (string, error) {
+	cfg, err := config.LoadDefaultConfig(context.Background())
+	if err != nil {
+		return "", err
+	}
+	client := kms.NewFromConfig(cfg)
+	return DecryptWithClient(client, text, args)
+}
+
 func main() {
 	reader := bufio.NewReader(os.Stdin)
 	text, _ := reader.ReadString('\n')
-
-	args := GetArgs()
+	args := args.GetArgs()
 	out, err := Decrypt(text, args)
-
 	if err != nil {
 		panic(err)
 	}
-
 	fmt.Print(out)
 }

package/aws/kms/encrypt/cli.js

@@ -1,4 +1,18 @@
 #!/usr/bin/env node
-const { encrypt } = require('./index');
+const { encrypt, encryptAsync } = require('./index');
+const getArgs = require('../args');
+
+const args = getArgs();
+
+if (args.data) {
+  encryptAsync(args.data, args.keyId, (err, result) => {
+    if (err) {
+      console.error('Encryption error:', err);
+      process.exit(1);
+    }
+    console.log(result);
+    process.exit(0);
+  })
+}
 
 process.stdin.pipe(encrypt).pipe(process.stdout);

package/aws/kms/encrypt/index.js

@@ -1,36 +1,38 @@
 const through = require('through2');
-
-const { initEnv } = require('../..');
+const { EncryptCommand } = require("@aws-sdk/client-kms");
+const kms = require('../..');
 const getArgs = require('../args');
-const { KMS } = initEnv();
 
 const args = getArgs();
-const kms = new KMS();
+const debug = require('../../../debug').spawn('aws:kms:encrypt');
 
 const encoders = {
   default: (data) => data, // pass through
   encode: (encoding) => (data) => Buffer.from(data, 'utf8').toString(encoding),
 };
 
-const encrypt = through.obj((text, _, cb) => {
-  kms.encrypt(
-    {
-      KeyId: args['key-id'] || process.env.KMS_ID,
-      Plaintext: text,
-    },
-    (err, data) => {
-      if (err) {
-        cb(err);
-      }
+const encryptAsync = async (toEncrypt, keyId = process.env.KMS_ID, cb) => {
+  try {
+    const client = kms.getClient();
+    debug(() => `Encrypting data with key ${keyId}`);
+    const data = await client.send(new EncryptCommand({ KeyId: keyId, Plaintext: toEncrypt }));
+    debug(() => `Encrypted data with key ${keyId}`);
+    const encoder = args.encoding ? encoders.encode(args.encoding) : encoders.default;
+    const encrypted = encoder(data.CiphertextBlob);
+    cb(null, encrypted);
+  } catch (err) {
+    debug(() => `Encryption failed: ${err.message}`);
+    cb(err);
+  }
+}
 
-      encoder = args.encoding ? encoders.encode(args.encoding) : encoders.default;
-      encrypted = encoder(data.CiphertextBlob);
-      cb(null, encrypted);
-    }
-  );
+const encrypt = through.obj((toEncrypt, _, cb) => {
+  encryptAsync(toEncrypt, args['key-id'], cb)
 });
 
+
 module.exports = {
   encoders,
   encrypt,
+  encryptAsync,
 };

package/aws/kms/encrypt/main.go

@@ -7,36 +7,27 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/aws/aws-sdk-go/aws"
-	. "github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/kms"
-	. "github.com/nmccready/aws-play/aws/kms/args"
-)
-
-func Encrypt(text string, args *Args) (string, error) {
-	session, err := NewSession()
-
-	if err != nil {
-		return "", err
-	}
+	"context"
 
-	svc := kms.New(session)
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
+	"github.com/nmccready/aws-play/aws/kms/args"
+	"github.com/nmccready/aws-sdk-go-v2-ifaces/service/kms/kms_iface"
+)
 
+func EncryptWithClient(client kms_iface.IClient, text string, args *args.Args) (string, error) {
 	keyId := os.Getenv("KMS_ID")
-
-	if args.KeyId != "" {
+	if args != nil && args.KeyId != "" {
 		keyId = args.KeyId
 	}
-
-	out, err := svc.Encrypt(&kms.EncryptInput{
-		KeyId:     aws.String(keyId),
+	input := &kms.EncryptInput{
+		KeyId:     &keyId,
 		Plaintext: []byte(text),
-	})
-
+	}
+	out, err := client.Encrypt(context.Background(), input)
 	if err != nil {
 		return "", err
 	}
-
 	if args == nil || args.Encoding == "" {
 		return string(out.CiphertextBlob), nil
 	}
@@ -46,16 +37,22 @@ func Encrypt(text string, args *Args) (string, error) {
 	return hex.EncodeToString(out.CiphertextBlob), nil
 }
 
+func Encrypt(text string, args *args.Args) (string, error) {
+	cfg, err := config.LoadDefaultConfig(context.Background())
+	if err != nil {
+		return "", err
+	}
+	client := kms.NewFromConfig(cfg)
+	return EncryptWithClient(client, text, args)
+}
+
 func main() {
 	reader := bufio.NewReader(os.Stdin)
 	text, _ := reader.ReadString('\n')
-
-	args := GetArgs()
+	args := args.GetArgs()
 	out, err := Encrypt(text, args)
-
 	if err != nil {
 		panic(err)
 	}
-
 	fmt.Print(out)
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@znemz/aws-play",
-  "version": "0.1.52",
+  "version": "0.1.54",
   "description": "",
   "license": "MIT",
   "author": "",
@@ -13,20 +13,26 @@
     "debug.js"
   ],
   "scripts": {
-    "lint": "golangci-lint run --fix",
+    "lint": "npm run lint:go && npm run lint:js",
+    "lint:go": "golangci-lint run --fix",
+    "lint:js": "eslint . --ext .js,.ts,.mjs,.cjs",
     "prepare": "go mod tidy -e && go mod vendor && sort-package-json",
     "test": "npm run test:go",
     "test:go": "go test ./aws/..."
   },
   "dependencies": {
-    "aws-sdk": "^2.781.0",
+    "@aws-sdk/client-kms": "^3.400.0",
+    "@aws-sdk/credential-providers": "^3.400.0",
+    "aws-sdk-v3-proxy": "2.1.4",
     "debug-fabulous": "^2.0.1",
-    "proxy-agent": "6.5.0",
     "through2": "^4.0.2",
     "yargs": "^17.7.2"
   },
   "devDependencies": {
-    "sort-package-json": "2.15",
+    "@eslint/js": "9.27.0",
+    "@znemz/aws-play": "file:./",
+    "eslint": "9.27.0",
+    "sort-package-json": "3.0",
     "standard-version": "9.5"
   }
 }

package/aws/debug.go

@@ -1,7 +0,0 @@
-package aws
-
-import debug "github.com/nmccready/go-debug"
-
-var RootDebug = debug.Debug("@znemz/aws-play")
-
-var Spawn = RootDebug.Spawn