feat: kms support
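--- a/test/test-kms.ts
+++ b/test/test-kms.ts
@@ -0,0 +1,157 @@
+import { InfisicalSDK } from "../src";
+import { EncryptionAlgorithm, KeyUsage, KmsKey } from "../src/api/types/kms";
+
+(async () => {
+const client = new InfisicalSDK({
+siteUrl: "https://app.infisical.com" // Optional, defaults to https://app.infisical.com
+});
+
+const universalAuthClientId = process.env.UNIVERSAL_AUTH_CLIENT_ID;
+const universalAuthClientSecret = process.env.UNIVERSAL_AUTH_CLIENT_SECRET;
+const projectId = process.env.PROJECT_ID;
+
+if (!universalAuthClientId || !universalAuthClientSecret) {
+throw new Error("UNIVERSAL_AUTH_CLIENT_ID and UNIVERSAL_AUTH_CLIENT_SECRET must be set");
+}
+
+if (!projectId) {
+throw new Error("PROJECT_ID must be set");
+}
+
+console.log("Logging in");
+
+await client.auth().universalAuth.login({
+clientId: universalAuthClientId,
+clientSecret: universalAuthClientSecret
+});
+console.log("Logged in");
+
+console.log("Creating keys");
+
+const keysToCreate = [
+{
+name: "test-aes-256-gcm",
+keyUsage: KeyUsage.ENCRYPTION,
+encryptionAlgorithm: EncryptionAlgorithm.AES_256_GCM
+},
+{
+name: "test-aes-128-gcm",
+keyUsage: KeyUsage.ENCRYPTION,
+encryptionAlgorithm: EncryptionAlgorithm.AES_128_GCM
+},
+{
+name: "test-ecc-nist-p256",
+keyUsage: KeyUsage.SIGNING,
+encryptionAlgorithm: EncryptionAlgorithm.ECC_NIST_P256
+},
+{
+name: "test-rsa-4096",
+keyUsage: KeyUsage.SIGNING,
+encryptionAlgorithm: EncryptionAlgorithm.RSA_4096
+}
+] as const;
+
+console.log("Creating keys", keysToCreate);
+
+const createdKeys: KmsKey[] = [];
+
+// Create all the keys
+for (const key of keysToCreate) {
+const createdKey = await client.kms().keys().create({
+projectId,
+description: key.name,
+encryptionAlgorithm: key.encryptionAlgorithm,
+keyUsage: key.keyUsage,
+name: key.name
+});
+console.log("Created key", createdKey.name);
+createdKeys.push(createdKey);
+}
+
+// Get all the keys by name
+for (const createdKey of createdKeys) {
+const key = await client.kms().keys().getByName({
+projectId: createdKey.projectId,
+name: createdKey.name
+});
+
+console.log(key);
+console.log("Got key by name", key.name);
+}
+
+// Encrypt / decrypt data with encryption keys
+
+for (const createdKey of createdKeys) {
+if (createdKey.keyUsage !== KeyUsage.ENCRYPTION) {
+console.log("Skipping key for encryption mode:", createdKey.name);
+continue;
+}
+
+const encryptedData = await client
+.kms()
+.encryption()
+.encrypt({
+keyId: createdKey.id,
+plaintext: Buffer.from("test data").toString("base64")
+});
+
+const decryptedData = await client.kms().encryption().decrypt({
+keyId: createdKey.id,
+ciphertext: encryptedData
+});
+
+console.log("Encrypted data:", {
+raw: encryptedData
+});
+console.log("Decrypted data:", {
+raw: decryptedData,
+decoded: Buffer.from(decryptedData, "base64").toString("utf-8")
+});
+}
+
+// Sign / verify data with signing keys
+for (const createdKey of createdKeys) {
+if (createdKey.keyUsage !== KeyUsage.SIGNING) {
+console.log("Skipping key for signing mode:", createdKey.name);
+continue;
+}
+
+const testData = Buffer.from("some test data to sign").toString("base64");
+
+const publicKey = await client.kms().signing().getPublicKey({
+keyId: createdKey.id
+});
+console.log(`Public key for key ${createdKey.name}:`, publicKey);
+
+const signingAlgorithms = await client.kms().signing().listSigningAlgorithms({
+keyId: createdKey.id
+});
+
+console.log(`Signing algorithms for key ${createdKey.name}:`, signingAlgorithms);
+
+for (const signingAlgorithm of signingAlgorithms) {
+const signedData = await client.kms().signing().sign({
+keyId: createdKey.id,
+data: testData,
+signingAlgorithm: signingAlgorithm
+});
+
+console.log("Signed data:", signedData);
+const verifiedData = await client.kms().signing().verify({
+keyId: createdKey.id,
+data: testData,
+signature: signedData.signature,
+signingAlgorithm: signingAlgorithm
+});
+console.log("Verified data:", verifiedData);
+}
+}
+
+// Delete all the keys
+for (const createdKey of createdKeys) {
+await client.kms().keys().delete({
+keyId: createdKey.id
+});
+console.log("Deleted key", createdKey.name);
+}
+})();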
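Review bot: The encrypt/decrypt and sign/verify loops never assert anything, so a backend that returns wrong plaintext or reports a bad signature still makes this script exit 0; after the decrypt call, add `if (Buffer.from(decryptedData, "base64").toString("utf-8") !== "test data") throw new Error("decrypt round-trip mismatch");`, and check the verify result the same way once its shape is confirmed (it is only logged here, so I cannot tell which field carries the outcome). The cleanup loop at the end only runs if every earlier step succeeds, so any throw between `keys().create` and the delete loop leaves the four test keys behind in the project; moving the delete loop into a `finally` attached to a `try` that opens right after `createdKeys` is declared would make teardown unconditional. Also, `siteUrl` is pinned to the production SaaS endpoint while the credentials come from the environment, so `siteUrl: process.env.SITE_URL ?? "https://app.infisical.com"` would let the test run against a staging or self-hosted instance without editing the file.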