Merge pull request #59 from aleh-douhi/feature/first-level-node-jwe-encryption-decryption

Add ability to encrypt and decrypt first level field with JWE

Author: rfeelin

README.md

@@ -239,6 +239,7 @@ Output:
 - [Performing JWE Decryption](#performing-jwe-decryption)
 - [Encrypting Entire Payloads](#encrypting-entire-payloads-jwe)
 - [Decrypting Entire Payloads](#decrypting-entire-payloads-jwe)
+- [First Level Field Encryption and Decryption](#encrypting-decrypting-first-level-field-jwe)
 
 ##### • Introduction <a name="jwe-introduction"></a>
 
@@ -466,6 +467,86 @@ Output:
 }
 ```
 
+##### • First Level Field Encryption and Decryption <a name="encrypting-decrypting-first-level-field-jwe"></a>
+
+To have encrypted results in the first level field or to decrypt the first level field, specify `encryptedValueFieldName` to be the same as `obj` (for encryption) or `element` (for decryption):
+
+Example of configuration:
+
+```js
+const config = {
+  paths: [
+    {
+      path: "/resource1",
+      toEncrypt: [
+        {
+          /* path to element to be encrypted in request json body */
+          element: "sensitive",
+          /* path to object where to store encryption fields in request json body */
+          obj: "encryptedData",
+        },
+      ],
+      toDecrypt: [
+        {
+          /* path to element where to store decrypted fields in response object */
+          element: "encryptedData",
+          /* path to object with encryption fields */
+          obj: "sensitive",
+        },
+      ],
+    },
+  ],
+  mode: "JWE",
+  encryptedValueFieldName: "encryptedData",
+  encryptionCertificate: "./path/to/public.cert",
+  privateKey: "./path/to/your/private.key",
+};
+```
+
+Example of encryption:
+
+```js
+const payload = {
+  sensitive: "this is a secret!",
+  notSensitive: "not a secret",
+};
+const jwe = new (require("mastercard-client-encryption").JweEncryption)(config);
+// …
+let responsePayload = jwe.encrypt("/resource1", header, payload);
+```
+
+Output:
+
+```json
+{
+  "encryptedData": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw",
+  "notSensitive": "not a secret"
+}
+```
+
+Example of decryption:
+
+```js
+const response = {};
+response.request = { url: "/resource1" };
+response.body =
+  "{" +
+  '    "encryptedData": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw",' +
+  '    "notSensitive": "not a secret"' +
+  "}";
+const jwe = new (require("mastercard-client-encryption").JweEncryption)(config);
+let responsePayload = jwe.decrypt(response);
+```
+
+Output:
+
+```json
+{
+  "sensitive": "this is a secret",
+  "notSensitive": "not a secret"
+}
+```
+
 ### Integrating with OpenAPI Generator API Client Libraries <a name="integrating-with-openapi-generator-api-client-libraries"></a>
 
 [OpenAPI Generator](https://github.com/OpenAPITools/openapi-generator) generates API client libraries from [OpenAPI Specs](https://github.com/OAI/OpenAPI-Specification).

lib/mcapi/crypto/jwe-crypto.js

@@ -156,7 +156,7 @@ function JweCrypto(config) {
     let data = decipher.update(encryptedText, c.BASE64, c.UTF8);
     data += decipher.final(c.UTF8);
 
-    return JSON.parse(data);
+    return utils.stringToJson(data);
   };
 }
 

lib/mcapi/encryption/jwe-encryption.js

@@ -83,9 +83,9 @@ function encryptBody(path, body) {
 function decryptBody(path, body) {
   const elem = utils.elemFromPath(path.element, body);
   if (elem && elem.node) {
-    const decryptedObj = this.crypto.decryptData(
-      elem.node[this.config.encryptedValueFieldName]
-    );
+    const encryptedValue = (path.element === this.config.encryptedValueFieldName) ?
+      elem.node : elem.node[this.config.encryptedValueFieldName];
+    const decryptedObj = this.crypto.decryptData(encryptedValue);
     return utils.mutateObjectProperty(
       path.obj,
       decryptedObj,

lib/mcapi/utils/utils.js

@@ -76,8 +76,8 @@ module.exports.jsonToString = function (data) {
   }
   if (data === "") throw new Error("Json not valid");
   try {
-    if ((typeof data === "string" || data instanceof String) && isJson(data)) {
-      return JSON.stringify(JSON.parse(data));
+    if (typeof data === "string" || data instanceof String) {
+      return isJson(data) ? JSON.stringify(JSON.parse(data)) : data.valueOf();
     } else {
       return JSON.stringify(data);
     }
@@ -86,6 +86,28 @@ module.exports.jsonToString = function (data) {
   }
 };
 
+/**
+ * Convert Json string to Json object if it is a valid Json
+ * Return back input string if it is not a Json
+ *
+ * @param {string} Json string or string
+ * @returns {Object|string}
+ */
+module.exports.stringToJson = function (data) {
+  if (typeof data === "undefined" || data === null) {
+    throw new Error("Input not valid");
+  }
+  if (data === "") throw new Error("String is empty");
+  if (!(typeof data === "string" || data instanceof String)) {
+    throw new Error("Input should be a string");
+  }
+  try {
+    return JSON.parse(data);
+  } catch (e) {
+    return data.valueOf();
+  }
+};
+
 function isJson(str) {
   try {
     JSON.parse(str);
@@ -432,6 +454,9 @@ module.exports.addEncryptedDataToBody = function(encryptedData, path, encryptedV
   ) {
     this.deleteNode(path.element, body);
   }
+  if (encryptedValueFieldName === path.obj) {
+    encryptedData = encryptedData[encryptedValueFieldName];
+  }
   body = this.mutateObjectProperty(path.obj, encryptedData, body);
   return body;
 };

test/jwe-crypto.test.js

@@ -189,6 +189,24 @@ describe("JWE Crypto", () => {
       assert.ok(resp[3].length === 24);
       assert.ok(resp[4].length === 22);
     });
+
+    it("encrypt primitive string", () => {
+      const data = "message";
+      let resp = crypto.encryptData({
+        data: data,
+      });
+      resp = resp[testConfig.encryptedValueFieldName].split(".");
+      assert.ok(resp.length === 5);
+      //Header is always constant
+      assert.strictEqual(
+        resp[0],
+        "eyJraWQiOiJnSUVQd1RxREdmenc0dXd5TElLa3d3UzNnc3c4NW5FWFkwUFA2QllNSW5rPSIsImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0"
+      );
+      assert.ok(resp[1].length === 342);
+      assert.ok(resp[2].length === 22);
+      assert.ok(resp[3].length === 10);
+      assert.ok(resp[4].length === 22);
+    });
   });
 
   describe("#decryptData()", () => {
@@ -230,6 +248,13 @@ describe("JWE Crypto", () => {
       assert.ok(JSON.stringify(resp) === JSON.stringify({ foo: "bar" }));
     });
 
+    it("with valid encrypted string", () => {
+      const resp = crypto.decryptData(
+        "eyJraWQiOiJnSUVQd1RxREdmenc0dXd5TElLa3d3UzNnc3c4NW5FWFkwUFA2QllNSW5rPSIsImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0.vZBAXJC5Xcr0LaxdTRooLrbKc0B2cqjqAv3Dfz70s2EdUHf-swWPFe6QE-gb8PW7PQ-PZxkkIE5MhP6IMH4e/NH79V5j27c6Tno3R1/DfWQjRoN8xNm4sZver4FXESBiQia-PZip4D/hVmDWLKbom4SCD6ibLLmB9WcDVXpQEmX5G-lmd6kuEoBNOKQy08/QfVhqEr2H/2Q7PAcOjizPWUw6QK0SYzkaQIgTC6nlN/swa82zZa9NJeeTxJ1sJVmXzd4J-qjxwWjtzuRqb-kh4t/CUYT/lpf5NRaktBjXFyZFJ1dir5OgfdoA6-oIh8oUNMCt26SCCuYg-ev8sfHGDA.rxP1lOVCy4hIDwi5ETr2Bw.a3IIS9/6lA.77pOElwKjHBEwaPgRfHI4w"
+      );
+      assert.strictEqual(resp, "message");
+    });
+
   });
 
   describe("#readPublicCertificate", () => {

test/jwe-encryption.test.js

@@ -50,6 +50,15 @@ describe("JWE Encryption", () => {
         !Object.prototype.hasOwnProperty.call(res.foo, "encryptedData")
       );
     });
+
+    it("decrypt first level element in response", () => {
+      const encryption = new JweEncryption(testConfig);
+      const decrypt = JweEncryption.__get__("decrypt");
+      const response = require("./mock/jwe-response");
+      const res = decrypt.call(encryption, response);
+      assert.ok(res.decryptedData.accountNumber === "5123456789012345");
+      assert.ok(!res.encryptedData);
+    });
   });
 
   describe("#import JweEncryption", () => {

test/mock/jwe-config.js

@@ -13,6 +13,10 @@ module.exports = {
           element: "foo.elem1",
           obj: "foo",
         },
+        {
+          element: "encryptedData",
+          obj: "decryptedData",
+        },
       ],
     },
     {

test/mock/jwe-response.js

@@ -1,6 +1,7 @@
 module.exports = {
   request: { url: "/resource" },
   body: {
+    encryptedData : "eyJraWQiOiJnSUVQd1RxREdmenc0dXd5TElLa3d3UzNnc3c4NW5FWFkwUFA2QllNSW5rPSIsImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0.bg6UTkMY9omV6CpXZnTsLNDQgKHVSOf7pO4KxhjkQfYSM6I2WBLNL8TMVFuVnOwGnq7jXwBBtszIj0Enk7nmwme2VNKnBEyoe-1t99j1VPX7CVQIdezNnJbwFl746Vi-izt6fatRPHUbp47pvZ7qL8u_xS9Ucv8-1HxuykoVbiHcY1lb-Mm_dzEJf-2eG0fkJxuVJBtUktrO0nu6BC_D53UULTxju6goGcjmgOqrAzf4Yg0NRrzObLchWisbzVcbzO0Lnv0rxDYYIeN54BSKpKowglQ8EElKqLx3rCZ8is6Un2nKqhzsY52-DAZ5-HLSCDCyjEO6CB1w8Y2CXvANZg.B5pVI2hqtwLFuiCNnzonAw.ZDnLiPNy63ocuwhYQFfSneS13Ff5GlFc87kegf8mnAJxGsYS.YFistvxKLMfLGVY5vWV_Dw",
     foo: {
       elem1: {
         encryptedData:

test/utils.test.js

@@ -140,6 +140,58 @@ describe("Utils", () => {
       const res = utils.jsonToString('{"field": "value"}');
       assert.strictEqual(res, '{"field":"value"}');
     });
+
+    it("string from string", () => {
+      const res = utils.jsonToString('value');
+      assert.strictEqual(res, 'value');
+    });
+
+    it("string from string object", () => {
+      const res = utils.jsonToString(new String("value"));
+      assert.strictEqual(res, 'value');
+    });
+  });
+
+  describe("#stringToJson", () => {
+    it("when null", () => {
+      assert.throws(() => {
+        utils.stringToJson(null);
+      });
+    });
+
+    it("when undefined", () => {
+      assert.throws(() => {
+        utils.stringToJson(undefined);
+      });
+    });
+
+    it("when empty obj", () => {
+      const res = utils.stringToJson('{}');
+      assert.strictEqual(JSON.stringify(res), JSON.stringify({}));
+    });
+
+    it("when empty str", () => {
+      assert.throws(() => utils.stringToJson(""));
+    });
+
+    it("when Json object", () => {
+      assert.throws(() => utils.stringToJson({ field: "value" }));
+    });
+
+    it("string from string", () => {
+      const res = utils.stringToJson('value');
+      assert.strictEqual(res, "value");
+    });
+
+    it("string from string object", () => {
+      const res = utils.stringToJson(new String("value"));
+      assert.strictEqual(res, "value");
+    });
+
+    it("correct json object from string", () => {
+      const res = utils.stringToJson('{"field": "value"}');
+      assert.strictEqual(JSON.stringify(res), JSON.stringify({ field: 'value' }));
+    });
   });
 
   describe("#mutateObjectProperty", () => {
@@ -314,6 +366,93 @@ describe("Utils", () => {
     });
   });
 
+  describe("#addEncryptedDataToBody", () => {
+    it("encrypting first level field", () => {
+      const body = {
+        firstLevelField: "secret",
+        anotherFirstLevelField: "value"
+      };
+      const expected = JSON.stringify({
+        anotherFirstLevelField: "value",
+        encryptedData: "changed"
+      });
+      const value = { encryptedData: "changed" };
+      const path = { element: 'firstLevelField', obj: 'encryptedData' };
+      utils.addEncryptedDataToBody(value, path, "encryptedData", body);
+      assert.strictEqual(JSON.stringify(body), expected);
+    });
+
+    it("encryptedValueFieldName is not in the path", () => {
+      const body = {
+        field: "secret",
+        anotherField: "value"
+      };
+      const expected = JSON.stringify({
+        anotherField: "value",
+        encryptedField: {
+          encryptedData: "changed"
+        }
+      });
+      const value = { encryptedData: "changed" };
+      const path = { element: 'field', obj: 'encryptedField' };
+      utils.addEncryptedDataToBody(value, path, "encryptedData", body);
+      assert.strictEqual(JSON.stringify(body), expected);
+    });
+
+    it("encrypting to existing field", () => {
+      const body = {
+        field: "secret",
+        anotherField: "value"
+      };
+      const expected = JSON.stringify({
+        anotherField: "value",
+        field: "changed"
+      });
+      const value = { field: "changed" };
+      const path = { element: 'field', obj: 'field' };
+      utils.addEncryptedDataToBody(value, path, "field", body);
+      assert.strictEqual(JSON.stringify(body), expected);
+    });
+
+    it("encrypting to existing subfield", () => {
+      const body = {
+        field: {
+          subField: "secret"
+        },
+        anotherField: "value"
+      };
+      const expected = JSON.stringify({
+        field: {
+          subField: "changed"
+        },
+        anotherField: "value"
+      });
+      const value = { subField: "changed" };
+      const path = { element: 'field.subField', obj: 'field' };
+      utils.addEncryptedDataToBody(value, path, "subField", body);
+      assert.strictEqual(JSON.stringify(body), expected);
+    });
+
+    it("encrypting to new subfield", () => {
+      const body = {
+        field: {
+          subField: "secret"
+        },
+        anotherField: "value"
+      };
+      const expected = JSON.stringify({
+        field: {
+          encryptedData: "changed"
+        },
+        anotherField: "value"
+      });
+      const value = { encryptedData: "changed" };
+      const path = { element: 'field.subField', obj: 'field' };
+      utils.addEncryptedDataToBody(value, path, "encryptedData", body);
+      assert.strictEqual(JSON.stringify(body), expected);
+    });
+  });
+
   describe("#getPrivateKey12", () => {
     it("empty alias", () => {
       assert.throws(() => {