feat: integration-node can produce decrypt manifests (#1580)

For a given encrypt manifest,
integration-node now takes
`—-decryptManifest` | `-d`

This will create a zipped decrypt manifest
that can be consumed by decrypt.

Author: seebees

.gitignore

@@ -47,4 +47,5 @@ package.json.decrypt
 # they track the package.json version
 /modules/kms-keyring-browser/src/version.ts
 /modules/kms-keyring-node/src/version.ts
-/modules/branch-keystore-node/src/version.ts
+/modules/branch-keystore-node/src/version.ts
+/modules/integration-node/src/version.ts

modules/integration-node/package.json

@@ -2,6 +2,8 @@
   "name": "@aws-crypto/integration-node",
   "version": "4.1.0",
   "scripts": {
+    "prepublishOnly": "npm run generate-version.ts; npm run build",
+    "generate-version.ts": "npx genversion --es6  src/version.ts",
     "build": "tsc -b tsconfig.json",
     "lint": "run-s lint-*",
     "lint-eslint": "eslint src/*.ts test/*.ts",
@@ -24,7 +26,8 @@
     "got": "^11.8.0",
     "stream-to-promise": "^3.0.0",
     "tslib": "^2.3.0",
-    "yargs": "^17.0.1"
+    "yargs": "^17.0.1",
+    "yazl": "^3.3.1"
   },
   "sideEffects": false,
   "main": "./build/main/src/index.js",

modules/integration-node/src/cli.ts

@@ -47,7 +47,13 @@ const cli = yargs
       .option('decryptOracle', {
         alias: 'o',
         describe: 'a url to the decrypt oracle',
-        demandOption: true,
+        demandOption: false,
+        type: 'string',
+      })
+      .option('decryptManifest', {
+        alias: 'd',
+        describe: 'a file path for to create a decrypt manifest zip file',
+        demandOption: false,
         type: 'string',
       })
   )
@@ -103,15 +109,18 @@ const cli = yargs
       concurrency
     )
   } else if (command === 'encrypt') {
-    const { manifestFile, keyFile, decryptOracle } = argv as unknown as {
-      manifestFile: string
-      keyFile: string
-      decryptOracle: string
-    }
+    const { manifestFile, keyFile, decryptOracle, decryptManifest } =
+      argv as unknown as {
+        manifestFile: string
+        keyFile: string
+        decryptOracle?: string
+        decryptManifest?: string
+      }
     result = await integrationEncryptTestVectors(
       manifestFile,
       keyFile,
       decryptOracle,
+      decryptManifest,
       tolerateFailures,
       testName,
       concurrency

modules/integration-node/src/constants.ts

@@ -0,0 +1,10 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+export const KEYS_MANIFEST_NAME_FILENAME = 'keys.json'
+export const MANIFEST_NAME_FILENAME = 'manifest.json'
+export const DECRYPT_MANIFEST_TYPE = 'awses-decrypt'
+export const DECRYPT_MANIFEST_CLIENT_NAME = 'aws/aws-encryption-sdk-javascript'
+export const MANIFEST_URI_PREFIX = 'file://'
+export const MANIFEST_PLAINTEXT_PATH = 'plaintexts/'
+export const MANIFEST_CIPHERTEXT_PATH = 'ciphertexts/'

modules/integration-node/src/get_encrypt_test_iterator.ts

@@ -14,28 +14,51 @@ import {
 import { URL } from 'url'
 import { readFileSync } from 'fs'
 import got from 'got'
+import { ZipFile } from 'yazl'
+import {
+  KEYS_MANIFEST_NAME_FILENAME,
+  MANIFEST_PLAINTEXT_PATH,
+} from './constants'
 
 export async function getEncryptTestVectorIterator(
   manifestFile: string,
-  keyFile: string
+  keyFile: string,
+  manifestZip?: ZipFile
 ) {
   const [manifest, keys]: [EncryptManifestList, KeyList] = await Promise.all([
     getParsedJSON(manifestFile),
     getParsedJSON(keyFile),
   ])
 
-  return _getEncryptTestVectorIterator(manifest, keys)
+  return _getEncryptTestVectorIterator(manifest, keys, manifestZip)
 }
 
 /* Just a simple more testable function */
 export function _getEncryptTestVectorIterator(
   { tests, plaintexts }: EncryptManifestList,
-  { keys }: KeyList
+  keysManifest: KeyList,
+  manifestZip?: ZipFile
 ) {
+  if (manifestZip) {
+    // We assume that the keys manifest given for encrypt
+    // has all the keys required for decrypt.
+    manifestZip.addBuffer(
+      Buffer.from(JSON.stringify(keysManifest)),
+      `${KEYS_MANIFEST_NAME_FILENAME}`
+    )
+  }
+  const { keys } = keysManifest
   const plaintextBytes: { [name: string]: Buffer } = {}
 
   Object.keys(plaintexts).forEach((name) => {
     plaintextBytes[name] = randomBytes(plaintexts[name])
+
+    if (manifestZip) {
+      manifestZip.addBuffer(
+        plaintextBytes[name],
+        `${MANIFEST_PLAINTEXT_PATH}${name}`
+      )
+    }
   })
 
   return (function* nextTest(): IterableIterator<EncryptTestVectorInfo> {
@@ -60,6 +83,7 @@ export function _getEncryptTestVectorIterator(
         name,
         keysInfo,
         plainTextData: plaintextBytes[plaintext],
+        plaintextName: plaintext,
         encryptOp: { suiteId, frameLength, encryptionContext },
       }
     }
@@ -70,6 +94,7 @@ export interface EncryptTestVectorInfo {
   name: string
   keysInfo: KeyInfoTuple[]
   plainTextData: Buffer
+  plaintextName: string
   encryptOp: {
     suiteId: AlgorithmSuiteIdentifier
     frameLength: number