Merge pull request #170 from cipherstash/integrate-audit

feat(protect): audit ffi calls

Author: calvinbrewer

.changeset/two-times-marry.md

@@ -0,0 +1,6 @@
+---
+"@cipherstash/protect-dynamodb": minor
+"@cipherstash/protect": minor
+---
+
+Fully implemented audit metadata functionality.

packages/protect-dynamodb/__tests__/audit.test.ts

@@ -0,0 +1,316 @@
+import 'dotenv/config'
+import { describe, expect, it, beforeAll } from 'vitest'
+import { protectDynamoDB } from '../src'
+import { protect, csColumn, csTable, csValue } from '@cipherstash/protect'
+
+const schema = csTable('dynamo_cipherstash_test', {
+  email: csColumn('email').equality(),
+  firstName: csColumn('firstName').equality(),
+  lastName: csColumn('lastName').equality(),
+  phoneNumber: csColumn('phoneNumber'),
+  example: {
+    protected: csValue('example.protected'),
+    deep: {
+      protected: csValue('example.deep.protected'),
+    },
+  },
+})
+
+describe('protect dynamodb helpers', () => {
+  let protectClient: Awaited<ReturnType<typeof protect>>
+  let protectDynamo: ReturnType<typeof protectDynamoDB>
+
+  beforeAll(async () => {
+    protectClient = await protect({
+      schemas: [schema],
+    })
+
+    protectDynamo = protectDynamoDB({
+      protectClient,
+    })
+  })
+
+  it('should encrypt columns', async () => {
+    const testData = {
+      id: '01ABCDEFGHIJKLMNOPQRSTUVWX',
+      email: 'test.user@example.com',
+      address: '123 Main Street',
+      createdAt: '2024-08-15T22:14:49.948Z',
+      firstName: 'John',
+      lastName: 'Smith',
+      phoneNumber: '555-555-5555',
+      companyName: 'Acme Corp',
+      batteryBrands: ['Brand1', 'Brand2'],
+      metadata: { role: 'admin' },
+      example: {
+        protected: 'hello world',
+        notProtected: 'I am not protected',
+        deep: {
+          protected: 'deep protected',
+          notProtected: 'deep not protected',
+        },
+      },
+    }
+
+    const result = await protectDynamo.encryptModel(testData, schema).audit({
+      metadata: { sub: 'cj@cjb.io', type: 'dynamo_encrypt_model' },
+    })
+    if (result.failure) {
+      throw new Error(`Encryption failed: ${result.failure.message}`)
+    }
+
+    const encryptedData = result.data
+
+    // Verify equality columns are encrypted
+    expect(encryptedData).toHaveProperty('email__source')
+    expect(encryptedData).toHaveProperty('email__hmac')
+    expect(encryptedData).toHaveProperty('firstName__source')
+    expect(encryptedData).toHaveProperty('firstName__hmac')
+    expect(encryptedData).toHaveProperty('lastName__source')
+    expect(encryptedData).toHaveProperty('lastName__hmac')
+    expect(encryptedData).toHaveProperty('phoneNumber__source')
+    expect(encryptedData).not.toHaveProperty('phoneNumber__hmac')
+    expect(encryptedData.example).toHaveProperty('protected__source')
+    expect(encryptedData.example.deep).toHaveProperty('protected__source')
+
+    // Verify other fields remain unchanged
+    expect(encryptedData.id).toBe('01ABCDEFGHIJKLMNOPQRSTUVWX')
+    expect(encryptedData.address).toBe('123 Main Street')
+    expect(encryptedData.createdAt).toBe('2024-08-15T22:14:49.948Z')
+    expect(encryptedData.companyName).toBe('Acme Corp')
+    expect(encryptedData.batteryBrands).toEqual(['Brand1', 'Brand2'])
+    expect(encryptedData.example.notProtected).toBe('I am not protected')
+    expect(encryptedData.example.deep.notProtected).toBe('deep not protected')
+    expect(encryptedData.metadata).toEqual({ role: 'admin' })
+  })
+
+  it('should handle null and undefined values', async () => {
+    const testData = {
+      id: '01ABCDEFGHIJKLMNOPQRSTUVWX',
+      email: null,
+      firstName: undefined,
+      lastName: 'Smith',
+      phoneNumber: null,
+      metadata: { role: null },
+      example: {
+        protected: null,
+        notProtected: 'I am not protected',
+        deep: {
+          protected: undefined,
+          notProtected: 'deep not protected',
+        },
+      },
+    }
+
+    const result = await protectDynamo.encryptModel(testData, schema).audit({
+      metadata: { sub: 'cj@cjb.io', type: 'dynamo_encrypt_model' },
+    })
+    if (result.failure) {
+      throw new Error(`Encryption failed: ${result.failure.message}`)
+    }
+
+    const encryptedData = result.data
+
+    // Verify null/undefined equality columns are handled
+    expect(encryptedData).toHaveProperty('lastName__source')
+    expect(encryptedData).toHaveProperty('lastName__hmac')
+
+    // Verify other fields remain unchanged
+    expect(encryptedData.id).toBe('01ABCDEFGHIJKLMNOPQRSTUVWX')
+    expect(encryptedData.phoneNumber).toBeNull()
+    expect(encryptedData.email).toBeNull()
+    expect(encryptedData.firstName).toBeUndefined()
+    expect(encryptedData.metadata).toEqual({ role: null })
+    expect(encryptedData.example.protected).toBeNull()
+    expect(encryptedData.example.deep.protected).toBeUndefined()
+    expect(encryptedData.example.deep.notProtected).toBe('deep not protected')
+  })
+
+  it('should handle empty strings and special characters', async () => {
+    const testData = {
+      id: '01ABCDEFGHIJKLMNOPQRSTUVWX',
+      email: '',
+      firstName: 'John!@#$%^&*()',
+      lastName: 'Smith  ',
+      phoneNumber: '',
+      metadata: { role: 'admin!@#$%^&*()' },
+    }
+
+    const result = await protectDynamo.encryptModel(testData, schema).audit({
+      metadata: { sub: 'cj@cjb.io', type: 'dynamo_encrypt_model' },
+    })
+    if (result.failure) {
+      throw new Error(`Encryption failed: ${result.failure.message}`)
+    }
+
+    const encryptedData = result.data
+
+    // Verify equality columns are encrypted
+    expect(encryptedData).toHaveProperty('email__source')
+    expect(encryptedData).toHaveProperty('email__hmac')
+    expect(encryptedData).toHaveProperty('firstName__source')
+    expect(encryptedData).toHaveProperty('firstName__hmac')
+    expect(encryptedData).toHaveProperty('lastName__source')
+    expect(encryptedData).toHaveProperty('lastName__hmac')
+    expect(encryptedData).toHaveProperty('phoneNumber__source')
+    expect(encryptedData).not.toHaveProperty('phoneNumber__hmac')
+
+    // Verify other fields remain unchanged
+    expect(encryptedData.id).toBe('01ABCDEFGHIJKLMNOPQRSTUVWX')
+    expect(encryptedData.metadata).toEqual({ role: 'admin!@#$%^&*()' })
+  })
+
+  it('should handle bulk encryption', async () => {
+    const testData = [
+      {
+        id: '01ABCDEFGHIJKLMNOPQRSTUVWX',
+        email: 'test1@example.com',
+        firstName: 'John',
+        lastName: 'Smith',
+        phoneNumber: '555-555-5555',
+      },
+      {
+        id: '02ABCDEFGHIJKLMNOPQRSTUVWX',
+        email: 'test2@example.com',
+        firstName: 'Jane',
+        lastName: 'Doe',
+        phoneNumber: '555-555-5556',
+      },
+    ]
+
+    const result = await protectDynamo
+      .bulkEncryptModels(testData, schema)
+      .audit({
+        metadata: {
+          sub: 'cj@cjb.io',
+          type: 'dynamo_bulk_encrypt_models',
+        },
+      })
+    if (result.failure) {
+      throw new Error(`Bulk encryption failed: ${result.failure.message}`)
+    }
+
+    const encryptedData = result.data
+
+    // Verify both items are encrypted
+    expect(encryptedData).toHaveLength(2)
+
+    // Verify first item
+    expect(encryptedData[0]).toHaveProperty('email__source')
+    expect(encryptedData[0]).toHaveProperty('email__hmac')
+    expect(encryptedData[0]).toHaveProperty('firstName__source')
+    expect(encryptedData[0]).toHaveProperty('firstName__hmac')
+    expect(encryptedData[0]).toHaveProperty('lastName__source')
+    expect(encryptedData[0]).toHaveProperty('lastName__hmac')
+    expect(encryptedData[0]).toHaveProperty('phoneNumber__source')
+
+    // Verify second item
+    expect(encryptedData[1]).toHaveProperty('email__source')
+    expect(encryptedData[1]).toHaveProperty('email__hmac')
+    expect(encryptedData[1]).toHaveProperty('firstName__source')
+    expect(encryptedData[1]).toHaveProperty('firstName__hmac')
+    expect(encryptedData[1]).toHaveProperty('lastName__source')
+    expect(encryptedData[1]).toHaveProperty('lastName__hmac')
+    expect(encryptedData[1]).toHaveProperty('phoneNumber__source')
+  })
+
+  it('should handle decryption of encrypted data', async () => {
+    const originalData = {
+      id: '01ABCDEFGHIJKLMNOPQRSTUVWX',
+      email: 'test.user@example.com',
+      firstName: 'John',
+      lastName: 'Smith',
+      phoneNumber: '555-555-5555',
+      example: {
+        protected: 'hello world',
+        notProtected: 'I am not protected',
+        deep: {
+          protected: 'deep protected',
+          notProtected: 'deep not protected',
+        },
+      },
+    }
+
+    // First encrypt
+    const encryptResult = await protectDynamo
+      .encryptModel(originalData, schema)
+      .audit({
+        metadata: { sub: 'cj@cjb.io', type: 'dynamo_encrypt_model' },
+      })
+
+    if (encryptResult.failure) {
+      throw new Error(`Encryption failed: ${encryptResult.failure.message}`)
+    }
+
+    // Then decrypt
+    const decryptResult = await protectDynamo
+      .decryptModel(encryptResult.data, schema)
+      .audit({
+        metadata: { sub: 'cj@cjb.io', type: 'dynamo_decrypt_model' },
+      })
+    if (decryptResult.failure) {
+      throw new Error(`Decryption failed: ${decryptResult.failure.message}`)
+    }
+
+    const decryptedData = decryptResult.data
+
+    // Verify all fields match original data
+    expect(decryptedData).toEqual(originalData)
+  })
+
+  it('should handle decryption of bulk encrypted data', async () => {
+    const originalData = [
+      {
+        id: '01ABCDEFGHIJKLMNOPQRSTUVWX',
+        email: 'test1@example.com',
+        firstName: 'John',
+        lastName: 'Smith',
+        phoneNumber: '555-555-5555',
+      },
+      {
+        id: '02ABCDEFGHIJKLMNOPQRSTUVWX',
+        email: 'test2@example.com',
+        firstName: 'Jane',
+        lastName: 'Doe',
+        phoneNumber: '555-555-5556',
+        example: {
+          protected: 'hello world',
+          notProtected: 'I am not protected',
+          deep: {
+            protected: 'deep protected',
+            notProtected: 'deep not protected',
+          },
+        },
+      },
+    ]
+
+    // First encrypt
+    const encryptResult = await protectDynamo
+      .bulkEncryptModels(originalData, schema)
+      .audit({
+        metadata: { sub: 'cj@cjb.io', type: 'dynamo_bulk_encrypt_models' },
+      })
+    if (encryptResult.failure) {
+      throw new Error(
+        `Bulk encryption failed: ${encryptResult.failure.message}`,
+      )
+    }
+
+    // Then decrypt
+    const decryptResult = await protectDynamo
+      .bulkDecryptModels(encryptResult.data, schema)
+      .audit({
+        metadata: { sub: 'cj@cjb.io', type: 'dynamo_bulk_decrypt_models' },
+      })
+    if (decryptResult.failure) {
+      throw new Error(
+        `Bulk decryption failed: ${decryptResult.failure.message}`,
+      )
+    }
+
+    const decryptedData = decryptResult.data
+
+    // Verify all items match original data
+    expect(decryptedData).toEqual(originalData)
+  })
+})

packages/protect-dynamodb/src/operations/base-operation.ts

@@ -5,6 +5,10 @@ export type AuditConfig = {
   metadata?: Record<string, unknown>
 }
 
+export type AuditData = {
+  metadata?: Record<string, unknown>
+}
+
 export type DynamoDBOperationOptions = {
   logger?: {
     error: (message: string, error: Error) => void
@@ -33,8 +37,10 @@ export abstract class DynamoDBOperation<T> {
   /**
    * Get the audit metadata for this operation.
    */
-  protected getAuditMetadata(): Record<string, unknown> | undefined {
-    return this.auditMetadata
+  protected getAuditData(): AuditData {
+    return {
+      metadata: this.auditMetadata,
+    }
   }
 
   /**

packages/protect-dynamodb/src/operations/bulk-decrypt-models.ts

@@ -42,17 +42,9 @@ export class BulkDecryptModelsOperation<
           toItemWithEqlPayloads(item, encryptedAttrs),
         )
 
-        const operation = this.protectClient.bulkDecryptModels<T>(
-          itemsWithEqlPayloads as T[],
-        )
-
-        // Apply audit metadata if it exists
-        const auditMetadata = this.getAuditMetadata()
-        if (auditMetadata) {
-          operation.audit({ metadata: auditMetadata })
-        }
-
-        const decryptResult = await operation
+        const decryptResult = await this.protectClient
+          .bulkDecryptModels<T>(itemsWithEqlPayloads as T[])
+          .audit(this.getAuditData())
 
         if (decryptResult.failure) {
           throw new Error(`[protect]: ${decryptResult.failure.message}`)

packages/protect-dynamodb/src/operations/bulk-encrypt-models.ts

@@ -33,18 +33,12 @@ export class BulkEncryptModelsOperation<
   public async execute(): Promise<Result<T[], ProtectDynamoDBError>> {
     return await withResult(
       async () => {
-        const operation = this.protectClient.bulkEncryptModels(
-          this.items.map((item) => deepClone(item)),
-          this.protectTable,
-        )
-
-        // Apply audit metadata if it exists
-        const auditMetadata = this.getAuditMetadata()
-        if (auditMetadata) {
-          operation.audit({ metadata: auditMetadata })
-        }
-
-        const encryptResult = await operation
+        const encryptResult = await this.protectClient
+          .bulkEncryptModels(
+            this.items.map((item) => deepClone(item)),
+            this.protectTable,
+          )
+          .audit(this.getAuditData())
 
         if (encryptResult.failure) {
           throw new Error(`encryption error: ${encryptResult.failure.message}`)