Merge pull request #79 from bcgov/feature/multi-bucket

Implement Encrypt/Decrypt component support

Author: TimCsaky

app/config/custom-environment-variables.json

@@ -33,6 +33,7 @@
     "bodyLimit": "SERVER_BODYLIMIT",
     "logFile": "SERVER_LOGFILE",
     "logLevel": "SERVER_LOGLEVEL",
+    "passphrase": "SERVER_PASSPHRASE",
     "port": "SERVER_PORT"
   }
 }

app/src/components/crypt.js

@@ -0,0 +1,57 @@
+const config = require('config');
+const crypto = require('crypto');
+
+// GCM mode is good for situations with random access and authenticity requirements
+// CBC mode is older, but is sufficiently secure with high performance for short payloads
+const algorithm = 'aes-256-cbc';
+const encoding = 'base64';
+const hashAlgorithm = 'sha256';
+
+const crypt = {
+  /**
+   * @function encrypt
+   * Yields an encrypted string containing the iv and ciphertext, separated by a colon.
+   * If no key is provided, ciphertext will be the plaintext in base64 encoding.
+   * @param {string} plaintext The input string contents
+   * @returns {string} The encrypted base64 formatted string in the format `iv:ciphertext`.
+   */
+  encrypt(plaintext) {
+    const passphrase = config.has('server.passphrase') ? config.get('server.passphrase') : undefined;
+    const iv = crypto.randomBytes(16);
+    let content = Buffer.from(plaintext);
+
+    if (passphrase && passphrase.length) {
+      const hash = crypto.createHash(hashAlgorithm);
+      // AES-256 key length must be exactly 32 bytes
+      const key = hash.update(passphrase).digest().subarray(0, 32);
+      const cipher = crypto.createCipheriv(algorithm, key, iv);
+      content = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    }
+    return `${iv.toString(encoding)}:${content.toString(encoding)}`;
+  },
+
+  /**
+   * @function decrypt
+   * Yields the plaintext by accepting an encrypted string containing the iv and
+   * ciphertext, separated by a colon. If no key is provided, the plaintext will be
+   * the ciphertext.
+   * @param {string} ciphertext The input encrypted string contents
+   * @returns {string} The decrypted plaintext string, usually in utf-8
+   */
+  decrypt(ciphertext) {
+    const passphrase = config.has('server.passphrase') ? config.get('server.passphrase') : undefined;
+    const [iv, encrypted] = ciphertext.split(':').map(p => Buffer.from(p, encoding));
+    let content = encrypted;
+
+    if (passphrase && passphrase.length) {
+      const hash = crypto.createHash(hashAlgorithm);
+      // AES-256 key length must be exactly 32 bytes
+      const key = hash.update(passphrase).digest().subarray(0, 32);
+      const decipher = crypto.createDecipheriv(algorithm, key, iv);
+      content = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    }
+    return Buffer.from(content, encoding).toString();
+  }
+};
+
+module.exports = crypt;

app/tests/unit/components/crypt.spec.js

@@ -0,0 +1,96 @@
+const config = require('config');
+const crypt = require('../../../src/components/crypt');
+
+// Mock config library - @see {@link https://stackoverflow.com/a/64819698}
+jest.mock('config');
+
+beforeEach(() => {
+  jest.resetAllMocks();
+});
+
+afterAll(() => {
+  jest.restoreAllMocks();
+});
+
+// General testing constants
+const passphrase = 'passphrase';
+
+describe('encrypt', () => {
+  describe('without a passphrase', () => {
+    beforeEach(() => {
+      config.has.mockReturnValueOnce(false); // server.passphrase
+    });
+
+    it.each([
+      [''],
+      ['foobar'],
+      ['1bazbam']
+    ])('should return a string given %j', (plaintext) => {
+      const result = crypt.encrypt(plaintext);
+      expect(result).toBeTruthy();
+      expect(typeof result).toEqual('string');
+      expect(result).toContain(':');
+
+      const [iv, encrypted] = result.split(':');
+      expect(iv).toEqual(expect.any(String));
+      expect(encrypted).toEqual(expect.any(String));
+    });
+  });
+
+  describe('with a passphrase', () => {
+    beforeEach(() => {
+      config.has.mockReturnValueOnce(true); // server.passphrase
+      config.get.mockReturnValueOnce(passphrase); // server.passphrase
+    });
+
+    it.each([
+      [''],
+      ['foobar'],
+      ['1bazbam']
+    ])('should return a string given %j', (plaintext) => {
+      const result = crypt.encrypt(plaintext);
+      expect(result).toBeTruthy();
+      expect(typeof result).toEqual('string');
+      expect(result).toContain(':');
+
+      const [iv, encrypted] = result.split(':');
+      expect(iv).toEqual(expect.any(String));
+      expect(encrypted).toEqual(expect.any(String));
+    });
+  });
+});
+
+describe('decrypt', () => {
+  describe('without a passphrase', () => {
+    beforeEach(() => {
+      config.has.mockReturnValueOnce(false); // server.passphrase
+    });
+
+    it.each([
+      ['qYSUumi8L5ypY920HES5sQ==:', ''],
+      ['JWzCHAxVecObsBLSMG/Cdg==:Zm9vYmFy', 'foobar'],
+      ['xCEUr5OoZOnOj87XGRU74Q==:MWJhemJhbQ==', '1bazbam']
+    ])('should return a string given %j', (ciphertext, plaintext) => {
+      const result = crypt.decrypt(ciphertext);
+      expect(typeof result).toEqual('string');
+      expect(result).toMatch(plaintext);
+    });
+  });
+
+  describe('with a passphrase', () => {
+    beforeEach(() => {
+      config.has.mockReturnValueOnce(true); // server.passphrase
+      config.get.mockReturnValueOnce(passphrase); // server.passphrase
+    });
+
+    it.each([
+      ['ZOWviyZrzhIhjSo38rtpag==:4Lq5+MmjDjK5JE7J1osSJA==', ''],
+      ['V8nPQy/0b+Rj2NefzaY+rg==:9p1TC9i4jFZX7OXcUgUSrA==', 'foobar'],
+      ['WnF471CEo8U4BVcHXAe2bA==:2iER6Is+gtPPCVCoAYzkOw==', '1bazbam']
+    ])('should return a string given %j', (ciphertext, plaintext) => {
+      const result = crypt.decrypt(ciphertext);
+      expect(typeof result).toEqual('string');
+      expect(result).toMatch(plaintext);
+    });
+  });
+});

charts/coms/Chart.yaml

@@ -3,7 +3,7 @@ name: common-object-management-service
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.5
+version: 0.0.6
 kubeVersion: ">= 1.13.0"
 description: A microservice for managing access control to S3 Objects
 # A chart can be either an 'application' or a 'library' chart.

charts/coms/templates/deploymentconfig.yaml

@@ -151,6 +151,11 @@ spec:
                 secretKeyRef:
                   key: password
                   name: {{ include "coms.configname" . }}-objectstorage
+            - name: SERVER_PASSPHRASE
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: {{ include "coms.fullname" . }}-passphrase
           envFrom:
             - configMapRef:
                 name: {{ include "coms.configname" . }}-config

charts/coms/templates/secret.yaml

@@ -1,19 +1,38 @@
-{{- $password := (randAlphaNum 32) | b64enc }}
-{{- $username := (randAlphaNum 32) | b64enc }}
+{{- $bPassword := (randAlphaNum 32) | b64enc }}
+{{- $bUsername := (randAlphaNum 32) | b64enc }}
+{{- $pPassword := (randAlphaNum 32) | b64enc }}
+{{- $pUsername := (randAlphaNum 32) | b64enc }}
 
-{{- $secretName := printf "%s-%s" (include "coms.fullname" .) "basicauth" }}
-{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName ) }}
-{{- if not $secret }}
+{{- $bSecretName := printf "%s-%s" (include "coms.fullname" .) "basicauth" }}
+{{- $bSecret := (lookup "v1" "Secret" .Release.Namespace $bSecretName ) }}
+{{- $pSecretName := printf "%s-%s" (include "coms.fullname" .) "passphrase" }}
+{{- $pSecret := (lookup "v1" "Secret" .Release.Namespace $pSecretName ) }}
+
+{{- if not $bSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: {{ $bSecretName }}
+  labels: {{ include "coms.labels" . | nindent 4 }}
+type: kubernetes.io/basic-auth
+data:
+  password: {{ $bPassword }}
+  username: {{ $bUsername }}
+{{- end }}
+{{- if not $pSecret }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   annotations:
     "helm.sh/resource-policy": keep
-  name: {{ $secretName }}
+  name: {{ $pSecretName }}
   labels: {{ include "coms.labels" . | nindent 4 }}
 type: kubernetes.io/basic-auth
 data:
-  password: {{ $password }}
-  username: {{ $username }}
+  password: {{ $pPassword }}
+  username: {{ $pUsername }}
 {{- end }}