env-secrets 0.1.10 → 0.3.0

package/__tests__/vaults/secretsmanager.test.ts

@@ -0,0 +1,460 @@
+import {
+  SecretsManagerClient,
+  GetSecretValueCommand
+} from '@aws-sdk/client-secrets-manager';
+import { STSClient, GetCallerIdentityCommand } from '@aws-sdk/client-sts';
+import { fromIni } from '@aws-sdk/credential-providers';
+
+// Mock the AWS SDK and dependencies
+jest.mock('@aws-sdk/client-secrets-manager');
+jest.mock('@aws-sdk/client-sts');
+jest.mock('@aws-sdk/credential-providers');
+jest.mock('debug', () => {
+  const mockDebug = jest.fn();
+  mockDebug.mockReturnValue(jest.fn());
+  return mockDebug;
+});
+
+// Import the module under test after mocking
+import { secretsmanager } from '../../src/vaults/secretsmanager';
+
+// Type the mocked functions
+const mockSecretsManagerClient = SecretsManagerClient as jest.MockedClass<
+  typeof SecretsManagerClient
+>;
+const mockSTSClient = STSClient as jest.MockedClass<typeof STSClient>;
+const mockFromIni = fromIni as jest.MockedFunction<typeof fromIni>;
+
+describe('secretsmanager', () => {
+  let originalEnv: NodeJS.ProcessEnv;
+  let mockSecretsManagerSend: jest.MockedFunction<any>;
+  let mockSTSSend: jest.MockedFunction<any>;
+
+  beforeEach(() => {
+    // Clear all mocks
+    jest.clearAllMocks();
+
+    // Reset process.env
+    originalEnv = { ...process.env };
+    process.env = { ...originalEnv };
+
+    // Setup AWS client mocks
+    mockSecretsManagerSend = jest.fn();
+    mockSTSSend = jest.fn();
+
+    mockSecretsManagerClient.prototype.send = mockSecretsManagerSend;
+    mockSTSClient.prototype.send = mockSTSSend;
+  });
+
+  afterEach(() => {
+    // Restore process.env
+    process.env = originalEnv;
+    jest.restoreAllMocks();
+  });
+
+  describe('AWS connection', () => {
+    it('should successfully connect to AWS and retrieve secrets', async () => {
+      // Mock successful STS connection
+      mockSTSSend.mockResolvedValueOnce({
+        Account: '123456789012',
+        UserId: 'test-user'
+      });
+
+      // Mock successful secret retrieval
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString:
+          '{"API_KEY": "test-key", "DATABASE_URL": "postgres://localhost:5432/db"}'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(mockSTSSend).toHaveBeenCalledWith(
+        expect.any(GetCallerIdentityCommand)
+      );
+      expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+        expect.any(GetSecretValueCommand)
+      );
+      expect(result).toEqual({
+        API_KEY: 'test-key',
+        DATABASE_URL: 'postgres://localhost:5432/db'
+      });
+    });
+
+    it('should return empty object when AWS connection fails', async () => {
+      // Mock failed STS connection
+      mockSTSSend.mockRejectedValueOnce(new Error('AWS credentials not found'));
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(mockSTSSend).toHaveBeenCalledWith(
+        expect.any(GetCallerIdentityCommand)
+      );
+      expect(mockSecretsManagerSend).not.toHaveBeenCalled();
+      expect(result).toEqual({});
+    });
+  });
+
+  describe('credential handling', () => {
+    beforeEach(() => {
+      // Setup successful connection for credential tests
+      mockSTSSend.mockResolvedValue({
+        Account: '123456789012'
+      });
+    });
+
+    it('should use profile credentials when profile is provided', async () => {
+      const mockCredentials = jest.fn().mockResolvedValue({
+        accessKeyId: 'test',
+        secretAccessKey: 'test'
+      });
+      mockFromIni.mockReturnValueOnce(mockCredentials);
+
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"KEY": "value"}'
+      });
+
+      await secretsmanager({
+        secret: 'test-secret',
+        profile: 'my-profile',
+        region: 'us-east-1'
+      });
+
+      expect(mockFromIni).toHaveBeenCalledWith({ profile: 'my-profile' });
+      expect(mockSecretsManagerClient).toHaveBeenCalledWith({
+        region: 'us-east-1',
+        credentials: mockCredentials
+      });
+    });
+
+    it('should use environment variables when AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set', async () => {
+      process.env.AWS_ACCESS_KEY_ID = 'env-access-key';
+      process.env.AWS_SECRET_ACCESS_KEY = 'env-secret-key';
+
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"KEY": "value"}'
+      });
+
+      await secretsmanager({
+        secret: 'test-secret',
+        region: 'us-east-1'
+      });
+
+      expect(mockSecretsManagerClient).toHaveBeenCalledWith({
+        region: 'us-east-1',
+        credentials: undefined
+      });
+    });
+
+    it('should use default profile when no profile or environment variables are provided', async () => {
+      const mockCredentials = jest.fn().mockResolvedValue({
+        accessKeyId: 'default',
+        secretAccessKey: 'default'
+      });
+      mockFromIni.mockReturnValueOnce(mockCredentials);
+
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"KEY": "value"}'
+      });
+
+      await secretsmanager({
+        secret: 'test-secret',
+        region: 'us-east-1'
+      });
+
+      expect(mockFromIni).toHaveBeenCalledWith({ profile: 'default' });
+      expect(mockSecretsManagerClient).toHaveBeenCalledWith({
+        region: 'us-east-1',
+        credentials: mockCredentials
+      });
+    });
+  });
+
+  describe('secret retrieval', () => {
+    beforeEach(() => {
+      // Setup successful connection for secret retrieval tests
+      mockSTSSend.mockResolvedValue({
+        Account: '123456789012'
+      });
+    });
+
+    it('should retrieve and parse JSON secret successfully', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString:
+          '{"API_KEY": "test-api-key", "DATABASE_URL": "postgres://localhost:5432/db"}'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({
+        API_KEY: 'test-api-key',
+        DATABASE_URL: 'postgres://localhost:5432/db'
+      });
+    });
+
+    it('should handle non-JSON secret values', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: 'plain-text-secret'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+
+    it('should handle empty secret values', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: ''
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+
+    it('should handle undefined secret values', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: undefined
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+
+    it('should handle malformed JSON in secret values', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"invalid": json}'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+
+    it('should handle secrets with special characters', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"SPECIAL_KEY": "value with spaces & symbols!@#$%"}'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({
+        SPECIAL_KEY: 'value with spaces & symbols!@#$%'
+      });
+    });
+
+    it('should handle secrets with numeric and boolean values', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"PORT": 5432, "DEBUG": true, "TIMEOUT": 30000}'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({
+        PORT: 5432,
+        DEBUG: true,
+        TIMEOUT: 30000
+      });
+    });
+  });
+
+  describe('error handling', () => {
+    beforeEach(() => {
+      // Setup successful connection for error handling tests
+      mockSTSSend.mockResolvedValue({
+        Account: '123456789012'
+      });
+    });
+
+    it('should handle ResourceNotFoundException', async () => {
+      const error = new Error('Secret not found');
+      (error as any).name = 'ResourceNotFoundException';
+
+      mockSecretsManagerSend.mockRejectedValueOnce(error);
+
+      const result = await secretsmanager({
+        secret: 'non-existent-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+
+    it('should handle ConfigError', async () => {
+      const error = new Error('Invalid configuration');
+      (error as any).name = 'ConfigError';
+      (error as any).message = 'Invalid AWS configuration';
+
+      mockSecretsManagerSend.mockRejectedValueOnce(error);
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+
+    it('should handle generic AWS errors', async () => {
+      const error = new Error('Generic AWS error');
+      (error as any).name = 'GenericError';
+
+      mockSecretsManagerSend.mockRejectedValueOnce(error);
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+
+    it('should handle errors without name property', async () => {
+      const error = new Error('Error without name');
+
+      mockSecretsManagerSend.mockRejectedValueOnce(error);
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+
+    it('should handle non-Error objects', async () => {
+      const error = 'String error';
+
+      mockSecretsManagerSend.mockRejectedValueOnce(error);
+
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        region: 'us-east-1'
+      });
+
+      expect(result).toEqual({});
+    });
+  });
+
+  describe('region handling', () => {
+    beforeEach(() => {
+      mockSTSSend.mockResolvedValue({
+        Account: '123456789012'
+      });
+    });
+
+    it('should use provided region', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"KEY": "value"}'
+      });
+
+      await secretsmanager({
+        secret: 'my-secret',
+        region: 'ap-southeast-1'
+      });
+
+      expect(mockSecretsManagerClient).toHaveBeenCalledWith({
+        region: 'ap-southeast-1',
+        credentials: undefined
+      });
+    });
+
+    it('should handle undefined region', async () => {
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"KEY": "value"}'
+      });
+
+      await secretsmanager({
+        secret: 'my-secret'
+      });
+
+      expect(mockSecretsManagerClient).toHaveBeenCalledWith({
+        region: undefined,
+        credentials: undefined
+      });
+    });
+  });
+
+  describe('integration scenarios', () => {
+    it('should handle complete successful flow with profile credentials', async () => {
+      const mockCredentials = jest.fn().mockResolvedValue({
+        accessKeyId: 'test',
+        secretAccessKey: 'test'
+      });
+      mockFromIni.mockReturnValueOnce(mockCredentials);
+
+      mockSTSSend.mockResolvedValueOnce({
+        Account: '123456789012',
+        UserId: 'test-user'
+      });
+
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"API_KEY": "test-key", "DB_PASSWORD": "secret123"}'
+      });
+
+      const result = await secretsmanager({
+        secret: 'my-app-secrets',
+        profile: 'production',
+        region: 'us-west-2'
+      });
+
+      expect(mockFromIni).toHaveBeenCalledWith({ profile: 'production' });
+      expect(mockSTSClient).toHaveBeenCalledWith({ region: 'us-west-2' });
+      expect(mockSecretsManagerClient).toHaveBeenCalledWith({
+        region: 'us-west-2',
+        credentials: mockCredentials
+      });
+      expect(result).toEqual({
+        API_KEY: 'test-key',
+        DB_PASSWORD: 'secret123'
+      });
+    });
+
+    it('should handle complete flow with environment variables', async () => {
+      process.env.AWS_ACCESS_KEY_ID = 'env-key';
+      process.env.AWS_SECRET_ACCESS_KEY = 'env-secret';
+
+      mockSTSSend.mockResolvedValueOnce({
+        Account: '123456789012'
+      });
+
+      mockSecretsManagerSend.mockResolvedValueOnce({
+        SecretString: '{"ENV_VAR": "env-value"}'
+      });
+
+      const result = await secretsmanager({
+        secret: 'env-secrets',
+        region: 'eu-central-1'
+      });
+
+      expect(result).toEqual({ ENV_VAR: 'env-value' });
+    });
+  });
+});

package/__tests__/vaults/utils.test.ts

@@ -0,0 +1,183 @@
+import * as os from 'os';
+import {
+  replaceWithAstrisk,
+  objectToExport,
+  objectToEnv
+} from '../../src/vaults/utils';
+
+describe('vaults utils', () => {
+  describe('replaceWithAstrisk', () => {
+    test('should return undefined for undefined input', () => {
+      expect(replaceWithAstrisk(undefined)).toBeUndefined();
+    });
+
+    test('should return undefined for empty string', () => {
+      expect(replaceWithAstrisk('')).toBeUndefined();
+    });
+
+    test('should mask middle characters for strings longer than 4 characters', () => {
+      expect(replaceWithAstrisk('password123')).toBe('p******d123');
+      expect(replaceWithAstrisk('secretkey')).toBe('s****tkey');
+      expect(replaceWithAstrisk('verylongpassword')).toBe('v***********word');
+    });
+
+    test('should not mask characters for strings 4 characters or shorter', () => {
+      expect(replaceWithAstrisk('1234')).toBe('1234');
+      expect(replaceWithAstrisk('abc')).toBe('abc');
+      expect(replaceWithAstrisk('a')).toBe('a');
+    });
+
+    test('should preserve first and last 4 characters for longer strings', () => {
+      expect(replaceWithAstrisk('abcdefghijklmnop')).toBe('a***********mnop');
+      expect(replaceWithAstrisk('1234567890123456')).toBe('1***********3456');
+    });
+
+    test('should handle special characters and unicode', () => {
+      expect(replaceWithAstrisk('p@ssw0rd!')).toBe('p****0rd!');
+      expect(replaceWithAstrisk('🔑secret🔒')).toBe('🔑*****t🔒');
+    });
+  });
+
+  describe('objectToExport', () => {
+    test('should convert object to env vars', () => {
+      const obj = {
+        API_KEY: 'abc123',
+        DATABASE_URL: 'postgres://localhost:5432/db',
+        DEBUG: 'true'
+      };
+
+      const result = objectToExport(obj);
+      const expected = `API_KEY=abc123${os.EOL}DATABASE_URL=postgres://localhost:5432/db${os.EOL}DEBUG=true${os.EOL}`;
+
+      expect(result).toBe(expected);
+    });
+
+    test('should handle empty object', () => {
+      const obj = {};
+      const result = objectToExport(obj);
+      expect(result).toBe('');
+    });
+
+    test('should handle object with various value types', () => {
+      const obj = {
+        STRING: 'hello',
+        NUMBER: 42,
+        BOOLEAN: true,
+        NULL: null,
+        UNDEFINED: undefined
+      };
+
+      const result = objectToExport(obj);
+      const expected = `STRING=hello${os.EOL}NUMBER=42${os.EOL}BOOLEAN=true${os.EOL}NULL=null${os.EOL}UNDEFINED=undefined${os.EOL}`;
+
+      expect(result).toBe(expected);
+    });
+
+    test('should handle object with special characters in keys and values', () => {
+      const obj = {
+        'API-KEY': 'abc-123',
+        DATABASE_URL: 'postgres://user:pass@localhost:5432/db',
+        DEBUG_MODE: 'true'
+      };
+
+      const result = objectToExport(obj);
+      const expected = `API-KEY=abc-123${os.EOL}DATABASE_URL=postgres://user:pass@localhost:5432/db${os.EOL}DEBUG_MODE=true${os.EOL}`;
+
+      expect(result).toBe(expected);
+    });
+  });
+
+  describe('objectToEnv', () => {
+    let originalEnv: NodeJS.ProcessEnv;
+
+    beforeEach(() => {
+      originalEnv = { ...process.env };
+    });
+
+    afterEach(() => {
+      process.env = originalEnv;
+    });
+
+    test('should set environment variables from object', () => {
+      const obj = {
+        API_KEY: 'abc123',
+        DATABASE_URL: 'postgres://localhost:5432/db',
+        DEBUG: 'true'
+      };
+
+      const result = objectToEnv(obj);
+
+      expect(process.env.API_KEY).toBe('abc123');
+      expect(process.env.DATABASE_URL).toBe('postgres://localhost:5432/db');
+      expect(process.env.DEBUG).toBe('true');
+      expect(result).toEqual([
+        'abc123',
+        'postgres://localhost:5432/db',
+        'true'
+      ]);
+    });
+
+    test('should handle empty object', () => {
+      const obj = {};
+      const result = objectToEnv(obj);
+
+      expect(result).toEqual([]);
+    });
+
+    test('should handle object with various value types', () => {
+      const obj = {
+        STRING: 'hello',
+        NUMBER: 42,
+        BOOLEAN: true,
+        NULL: null,
+        UNDEFINED: undefined
+      };
+
+      const result = objectToEnv(obj);
+
+      expect(process.env.STRING).toBe('hello');
+      expect(process.env.NUMBER).toBe('42');
+      expect(process.env.BOOLEAN).toBe('true');
+      expect(process.env.NULL).toBe('null');
+      expect(process.env.UNDEFINED).toBe('undefined');
+      expect(result).toEqual(['hello', '42', 'true', 'null', 'undefined']);
+    });
+
+    test('should overwrite existing environment variables', () => {
+      // Set initial environment variable
+      process.env.EXISTING_VAR = 'old_value';
+
+      const obj = {
+        EXISTING_VAR: 'new_value',
+        NEW_VAR: 'new_var_value'
+      };
+
+      const result = objectToEnv(obj);
+
+      expect(process.env.EXISTING_VAR).toBe('new_value');
+      expect(process.env.NEW_VAR).toBe('new_var_value');
+      expect(result).toEqual(['new_value', 'new_var_value']);
+    });
+
+    test('should handle object with special characters in keys and values', () => {
+      const obj = {
+        'API-KEY': 'abc-123',
+        DATABASE_URL: 'postgres://user:pass@localhost:5432/db',
+        DEBUG_MODE: 'true'
+      };
+
+      const result = objectToEnv(obj);
+
+      expect(process.env['API-KEY']).toBe('abc-123');
+      expect(process.env['DATABASE_URL']).toBe(
+        'postgres://user:pass@localhost:5432/db'
+      );
+      expect(process.env['DEBUG_MODE']).toBe('true');
+      expect(result).toEqual([
+        'abc-123',
+        'postgres://user:pass@localhost:5432/db',
+        'true'
+      ]);
+    });
+  });
+});

package/__tests__/version.test.ts

@@ -0,0 +1,8 @@
+import { LIB_VERSION } from '../src/version';
+import packageJson from '../package.json';
+
+describe('LIB_VERSION', () => {
+  it('should match the version in package.json', () => {
+    expect(LIB_VERSION).toBe(packageJson.version);
+  });
+});