@cumulus/common/key-pair-provider.js

"use strict";
/**
 * Provides encryption and decryption methods with a consistent API but
 * differing mechanisms for dealing with encryption keys.
 */
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.DefaultProvider = exports.S3KeyPairProvider = void 0;
const noop_1 = __importDefault(require("lodash/noop"));
const aws_sdk_1 = __importDefault(require("aws-sdk"));
const node_forge_1 = __importDefault(require("node-forge"));
const util_1 = require("./util");
const test_utils_1 = require("./test-utils");
var kms_1 = require("./kms");
Object.defineProperty(exports, "KMS", { enumerable: true, get: function () { return kms_1.KMS; } });
const getLocalStackHost = () => {
    if (process.env.LOCAL_S3_HOST) {
        return process.env.LOCAL_S3_HOST;
    }
    if (!process.env.LOCALSTACK_HOST) {
        throw new Error('The LOCALSTACK_HOST environment variable is not set.');
    }
    return process.env.LOCALSTACK_HOST;
};
const buildS3Client = () => {
    var _a;
    const region = (_a = process.env.AWS_DEFAULT_REGION) !== null && _a !== void 0 ? _a : 'us-east-1';
    aws_sdk_1.default.config.update({ region });
    // Workaround upload hangs. See: https://github.com/andrewrk/node-s3-client/issues/74'
    // @ts-expect-error
    aws_sdk_1.default.util.update(aws_sdk_1.default.S3.prototype, { addExpect100Continue: noop_1.default });
    aws_sdk_1.default.config.setPromisesDependency(Promise);
    const options = {
        apiVersion: '2006-03-01',
    };
    if (test_utils_1.inTestMode()) {
        options.accessKeyId = 'my-access-key-id';
        options.endpoint = `http://${getLocalStackHost()}:4572`;
        options.region = 'us-east-1';
        options.s3ForcePathStyle = true;
        options.secretAccessKey = 'my-secret-access-key';
    }
    return new aws_sdk_1.default.S3(options);
};
const getTextObject = async (bucket, key) => {
    const s3 = buildS3Client();
    const { Body } = await s3.getObject({
        Bucket: bucket,
        Key: key,
    }).promise();
    return Body ? Body.toString() : undefined;
};
const retrieveKey = async (keyId, bucket = process.env.system_bucket, stack = process.env.stackName) => {
    if (!bucket) {
        throw new Error('Unable to determine bucket to retrieve key from');
    }
    if (!stack) {
        throw new Error('Unable to determine stack to retrieve key for');
    }
    const key = `${stack}/crypto/${keyId}`;
    try {
        return await getTextObject(bucket, key);
    }
    catch (error) {
        throw new Error(`Failed to retrieve S3KeyPair key from s3://${bucket}/${key}: ${error.message}`);
    }
};
/**
 * Provides encryption and decryption methods using a keypair stored in S3
 */
class S3KeyPairProvider {
    /**
     * Encrypt the given string using the given public key stored in the system_bucket.
     *
     * @param {string} str - The string to encrypt
     * @param {string} [keyId] - The name of the public key to use for encryption
     * @param {string} [bucket] - the optional bucket name. if not provided will
     *                          use env variable "system_bucket"
     * @param {stack} [stack] - the optional stack name. if not provided will
     *                        use env variable "stackName"
     * @returns {Promise.<string>} the encrypted string
     */
    static async encrypt(str, keyId = 'public.pub', bucket, stack) {
        util_1.deprecate('@cumulus/common/key-pair-provider', '1.17.0', '@cumulus/aws-client/KMS.encrypt');
        // Download the publickey
        const pki = node_forge_1.default.pki;
        const pub = await retrieveKey(keyId, bucket, stack);
        if (!pub) {
            throw new Error('Unable to retrieve public key');
        }
        const publicKey = pki.publicKeyFromPem(pub);
        return node_forge_1.default.util.encode64(publicKey.encrypt(str));
    }
    /**
     * Decrypt the given string using a private key stored in S3
     *
     * @param {string} str - The string to decrypt
     * @param {string} [keyId] - The name of the public key to use for decryption
     * @param {string} [bucket] - the optional bucket name. Defaults to the value
     *   of the "system_bucket" environment variable
     * @param {string} [stack] - the optional stack name. Defaults to the value of
     *   the "stackName" environment variable
     * @returns {Promise.<string>} the decrypted string
     */
    static async decrypt(str, keyId = 'private.pem', bucket, stack) {
        util_1.deprecate('@cumulus/common/key-pair-provider', '1.17.0', '@cumulus/aws-client/KMS.decryptBase64String');
        const pki = node_forge_1.default.pki;
        const priv = await retrieveKey(keyId, bucket, stack);
        if (!priv) {
            throw new Error('Unable to retrieve private key');
        }
        const decoded = node_forge_1.default.util.decode64(str);
        const privateKey = pki.privateKeyFromPem(priv);
        return privateKey.decrypt(decoded);
    }
}
exports.S3KeyPairProvider = S3KeyPairProvider;
exports.DefaultProvider = S3KeyPairProvider;
//# sourceMappingURL=key-pair-provider.js.map