Testing and terraform

lightningkite · Oct 9, 2023 · 605208e · 605208e
1 parent 3decf71
commit 605208e
Show file tree

Hide file tree

Showing 9 changed files with 58 additions and 10 deletions.
diff --git a/demo/terraform2/example/lambda.tf b/demo/terraform2/example/lambda.tf
@@ -162,6 +162,7 @@ resource "local_sensitive_file" "settings_raw" {
     cache = {
         url = "dynamodb://${var.deployment_location}/demo_example"
     }
+    secretBasis = random_password.secretBasis.result
     jwt = {
         expiration = var.jwt_expiration 
         emailExpiration = var.jwt_emailExpiration 
@@ -180,6 +181,7 @@ resource "local_sensitive_file" "settings_raw" {
     database = {
       url = "mongodb+srv://demoexampledatabase-main:${random_password.database.result}@${replace(mongodbatlas_serverless_instance.database.connection_strings_standard_srv, "mongodb+srv://", "")}/default?retryWrites=true&w=majority"
     }
+    sms = var.sms
     logging = var.logging
     files = {
         storageUrl = "s3://${aws_s3_bucket.files.id}.s3-${aws_s3_bucket.files.region}.amazonaws.com"

diff --git a/demo/terraform2/example/metrics.tf b/demo/terraform2/example/metrics.tf
@@ -5,7 +5,7 @@
 
 variable "metrics_tracked" {
     type = list(string)
-    default = ["Health Checks Run", "Execution Time"]
+    default = ["Execution Time", "Health Checks Run"]
     nullable = false
 }
 variable "metrics_namespace" {

diff --git a/demo/terraform2/example/project.json b/demo/terraform2/example/project.json
@@ -9,12 +9,14 @@
     "createBeforeDestroy": false,
     "handlers": {
         "cache": "DynamoDB",
+        "secretBasis": "Standard",
         "jwt": "Standard",
         "oauth_github": "Direct",
         "exceptions": "Direct",
         "oauth_apple": "Direct",
         "general": "Standard",
         "database": "MongoDB Serverless",
+        "sms": "Direct",
         "logging": "Direct",
         "files": "S3",
         "metrics": "Cloudwatch",

diff --git a/server-aws/src/main/kotlin/com/lightningkite/lightningserver/aws/terraform.kt b/server-aws/src/main/kotlin/com/lightningkite/lightningserver/aws/terraform.kt
@@ -756,9 +756,9 @@ internal fun handlers() {
             appendLine(
                 """
                 resource "random_password" "${key}" {
-                  length           = 32
+                  length           = 88
                   special          = true
-                  override_special = "!#${'$'}%&*()-_=+[]{}<>:?"
+                  override_special = "+/"
                 }
             """.trimIndent()
             )

diff --git a/server-core/src/main/kotlin/com/lightningkite/lightningserver/encryption/Encryptor.kt b/server-core/src/main/kotlin/com/lightningkite/lightningserver/encryption/Encryptor.kt
@@ -82,4 +82,7 @@ interface Encryptor {
         override fun encryptSize(size: Int): Int = size + GCM_IV_LENGTH + GCM_TAG_LENGTH
         override fun decryptSize(size: Int): Int = size - GCM_IV_LENGTH - GCM_TAG_LENGTH
     }
-}
+}
+
+fun Encryptor.encrypt(string: String): String = Base64.getEncoder().encodeToString(encrypt(string.toByteArray(Charsets.UTF_8)))
+fun Encryptor.decrypt(string: String): String = decrypt(Base64.getDecoder().decode(string)).toString(Charsets.UTF_8)
diff --git a/server-core/src/main/kotlin/com/lightningkite/lightningserver/encryption/SecureHasher.kt b/server-core/src/main/kotlin/com/lightningkite/lightningserver/encryption/SecureHasher.kt
@@ -43,6 +43,19 @@ interface SecureHasher {
         }
     }
 
+    class HS512(val secret: ByteArray) : SecureHasher {
+        init {
+            SecureHasher
+        }
+
+        override val name: String = "HS512"
+        override fun sign(bytes: ByteArray): ByteArray {
+            return Mac.getInstance("HmacSHA512").apply {
+                init(SecretKeySpec(secret, "HmacSHA512"))
+            }.doFinal(bytes)
+        }
+    }
+
     class ECDSA256(privateKey: String) : SecureHasher {
         init {
             SecureHasher

diff --git a/...r-core/src/main/kotlin/com/lightningkite/lightningserver/encryption/secretBasisSetting.kt b/...r-core/src/main/kotlin/com/lightningkite/lightningserver/encryption/secretBasisSetting.kt
@@ -7,14 +7,19 @@ import kotlin.random.Random
 
 @Serializable
 @JvmInline value class SecretBasis(val string: String) {
-    constructor():this(Base64.getEncoder().encodeToString(Random.nextBytes(24)))
-    val bytes: ByteArray get() = Base64.getDecoder().decode(string)
-    fun derive(key: String): ByteArray = bytes
+    companion object {
+        const val BITS = 512
+        const val BYTES = BITS / 8
+        const val BASE64_CHARS = 66
+    }
+    constructor():this(Base64.getEncoder().encodeToString(Random.nextBytes(BYTES)))
+    val bytes: ByteArray get() = Base64.getDecoder().decode(string).sliceArray(0 until BYTES)
+    fun derive(key: String): ByteArray = SecureHasher.HS512(bytes).sign(key.toByteArray())
 }
 
 val secretBasis = setting("secretBasis", SecretBasis())
 
-fun SecretBasis.hasher(variant: String): SecureHasher = SecureHasher.HS256(this.derive(variant))
-fun SecretBasis.encryptor(variant: String): Encryptor = Encryptor.AesCbcPkcs5Padding(this.derive(variant))
+fun SecretBasis.hasher(variant: String): SecureHasher = SecureHasher.HS512(this.derive(variant))
+fun SecretBasis.encryptor(variant: String): Encryptor = Encryptor.AesCbcPkcs5Padding(this.derive(variant).sliceArray(0 until 32))
 fun (()->SecretBasis).hasher(variant: String): ()->SecureHasher = { this().hasher(variant) }
 fun (()->SecretBasis).encryptor(variant: String): ()->Encryptor = { this().encryptor(variant) }
diff --git a/server-core/src/test/kotlin/com/lightningkite/lightningserver/encryption/SecretBasisTest.kt b/server-core/src/test/kotlin/com/lightningkite/lightningserver/encryption/SecretBasisTest.kt
@@ -0,0 +1,19 @@
+package com.lightningkite.lightningserver.encryption
+
+import org.junit.Assert.*
+import kotlin.test.Test
+import kotlin.test.assertContentEquals
+
+class SecretBasisTest {
+    @Test fun derive() {
+        val basis = SecretBasis()
+        assertContentEquals(basis.bytes, SecretBasis(basis.string.replace('=', '0')).bytes)
+        assertNotEquals(basis.bytes, basis.derive("test"))
+        assertEquals(SecretBasis.BYTES, basis.bytes.size)
+        assertEquals(SecretBasis.BYTES, basis.derive("test").size)
+        assertContentEquals(basis.derive("test"), basis.derive("test"))
+        assertTrue(basis.hasher("test").verify("content", basis.hasher("test").sign("content")))
+        assertFalse(basis.hasher("test2").verify("content", basis.hasher("test").sign("content")))
+        assertEquals("content", basis.encryptor("test").decrypt(basis.encryptor("test").encrypt("content")))
+    }
+}
diff --git a/...r-core/src/test/kotlin/com/lightningkite/lightningserver/encryption/SecureHasherKtTest.kt b/...r-core/src/test/kotlin/com/lightningkite/lightningserver/encryption/SecureHasherKtTest.kt
@@ -5,7 +5,7 @@ import org.junit.Assert.*
 import org.junit.Test
 
 class SecureHasherKtTest {
-    @Test fun sign() {
+    @Test fun signJwt() {
         val hasher = SecretBasis().hasher("test")
         assertTrue(hasher.verify("TEST", hasher.sign("TEST")))
         val claims = JwtClaims(
@@ -17,4 +17,8 @@ class SecureHasherKtTest {
         )
         assertEquals(claims, hasher.verifyJwt(hasher.signJwt(claims)))
     }
+    @Test fun signRepeated() {
+        val hasher = SecureHasher.HS256(SecretBasis().bytes)
+        assertEquals(hasher.sign("TEST"), hasher.sign("TEST"))
+    }
 }