Ability to encrypt/decrypt array bodies (#29)

* Added ability to encrypt/decrypt array bodies and fixed minor eslint warnings.
* Fixed sonar scan not running on pull requests and addressed report
* Refactored function to reduce its cognitive complexity

Author: ech0s7r

.eslintrc

@@ -3,6 +3,8 @@ extends:
   - prettier
 env:
   es6: true
+  node: true
+  jest: true
 rules:
   semi: 2
   no-console: 2

.github/workflows/sonar-scanner.yml

@@ -3,15 +3,13 @@ name: Sonar
   push:
     branches:
       - main
-  pull_request_target:
-    types:
-      - opened
-      - synchronize
-      - reopened
+  pull_request:
+    branches:
+      - main
   schedule:
     - cron: 0 16 * * *
 jobs:
-  build:
+  sonarcloud:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -32,11 +30,6 @@ jobs:
           SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
         with:
           args: >
-            -Dsonar.organization=mastercard
-            -Dsonar.projectName=client-encryption-nodejs
-            -Dsonar.projectKey=Mastercard_client-encryption-nodejs
             -Dsonar.sources=./lib -Dsonar.tests=./test
             -Dsonar.coverage.jacoco.xmlReportPaths=test-results.xml
             -Dsonar.javascript.lcov.reportPaths=.nyc_output/coverage.lcov
-            -Dsonar.host.url=https://sonarcloud.io  -Dsonar.login=${{
-            secrets.SONAR_TOKEN }}

.gitignore

@@ -74,3 +74,4 @@ test-results.xml
 #Sonar
 .scannerwork
 sonar-*
+!sonar-project.properties

lib/mcapi/crypto/crypto.js

@@ -101,7 +101,7 @@ function Crypto(config) {
 
     try {
       return JSON.parse(decipher.output.data);
-    } catch (e){
+    } catch (e) {
       return decipher.output.data;
     }
   };
@@ -145,7 +145,7 @@ function Crypto(config) {
  * @private
  */
 function createOAEPOptions(asymmetricCipher, oaepHashingAlgorithm) {
-  if (asymmetricCipher.includes('OAEP') && oaepHashingAlgorithm != null) {
+  if (asymmetricCipher.includes('OAEP') && oaepHashingAlgorithm !== null) {
     const mdForOaep = createMessageDigest(oaepHashingAlgorithm);
     return {
       md: mdForOaep,
@@ -299,8 +299,6 @@ function isValidConfig(config) {
   const propertiesBasic = ["oaepPaddingDigestAlgorithm", "dataEncoding", "encryptionCertificate", "encryptedValueFieldName"];
   const propertiesField = ["ivFieldName", "encryptedKeyFieldName"];
   const propertiesHeader = ["ivHeaderName", "encryptedKeyHeaderName", "oaepHashingAlgorithmHeaderName"];
-  const propertiesFingerprint = ["publicKeyFingerprintType", "publicKeyFingerprintFieldName", "publicKeyFingerprintHeaderName"];
-  const propertiesOptionalFingerprint = ["publicKeyFingerprint"];
   const contains = (props) => {
     return props.every((elem) => {
       return config[elem] !== null && typeof config[elem] !== "undefined";
@@ -309,7 +307,7 @@ function isValidConfig(config) {
   if (typeof config !== 'object' || config === null) {
     throw Error("Config not valid: config should be an object.");
   }
-  if (config["paths"] == null || typeof config["paths"] === "undefined" ||
+  if (config["paths"] === null || typeof config["paths"] === "undefined" ||
     !(config["paths"] instanceof Array)) {
     throw Error("Config not valid: paths should be an array of path element.");
   }
@@ -322,11 +320,32 @@ function isValidConfig(config) {
   if (config["dataEncoding"] !== "hex" && config["dataEncoding"] !== "base64") {
     throw Error("Config not valid: dataEncoding should be 'hex' or 'base64'");
   }
+  validateFingerprint(config, contains);
+  validateRootMapping(config);
+}
+
+function validateFingerprint(config, contains) {
+  const propertiesFingerprint = ["publicKeyFingerprintType", "publicKeyFingerprintFieldName", "publicKeyFingerprintHeaderName"];
+  const propertiesOptionalFingerprint = ["publicKeyFingerprint"];
   if (!contains(propertiesOptionalFingerprint)
     && (config[propertiesFingerprint[1]] || config[propertiesFingerprint[2]])
     && config[propertiesFingerprint[0]] !== "certificate" && config[propertiesFingerprint[0]] !== "publicKey") {
     throw Error("Config not valid: propertiesFingerprint should be: 'certificate' or 'publicKey'");
   }
 }
 
+function validateRootMapping(config) {
+  function multipleRoots(elem) {
+    return elem.length !== 1 && elem.some((item) => {
+      return item.obj === "$" || item.element === "$";
+    });
+  }
+
+  config.paths.forEach((path) => {
+    if (multipleRoots(path.toEncrypt) || multipleRoots(path.toDecrypt)) {
+      throw Error("Config not valid: found multiple configurations encrypt/decrypt with root mapping");
+    }
+  });
+}
+
 module.exports = Crypto;

lib/mcapi/fle/field-level-encryption.js

@@ -13,7 +13,8 @@ function FieldLevelEncryption(config) {
   this.decrypt = decrypt;
   this.config = config;
   this.crypto = new Crypto(config);
-  this.isWithHeader = config.hasOwnProperty("ivHeaderName") && config.hasOwnProperty("encryptedKeyHeaderName");
+  this.isWithHeader = Object.prototype.hasOwnProperty.call(config, "ivHeaderName") &&
+    Object.prototype.hasOwnProperty.call(config, "encryptedKeyHeaderName");
   this.encryptionResponseProperties = [this.config.ivFieldName, this.config.encryptedKeyFieldName,
     this.config.publicKeyFingerprintFieldName, this.config.oaepHashingAlgorithmFieldName];
 }
@@ -25,7 +26,6 @@ function hasConfig(config, endpoint) {
   if (config && endpoint) {
     endpoint = endpoint.split("?").shift();
     const conf = config.paths.find((elem) => {
-        // TODO grep from last index
         const regex = new RegExp(elem.path, "g");
         return endpoint.match(regex);
       }
@@ -45,7 +45,7 @@ function elemFromPath(path, obj) {
     if (path && paths.length > 0) {
       paths.forEach((e) => {
           parent = obj;
-          obj = obj[e];
+          obj = isJsonRoot(e) ? obj : obj[e];
         }
       );
     }
@@ -59,7 +59,7 @@ function elemFromPath(path, obj) {
 }
 
 /**
- * Set encrpytion header parameters
+ * Set encryption header parameters
  *
  * @param header HTTP header
  * @param params Encryption parameters
@@ -81,23 +81,24 @@ function setHeader(header, params) {
  * @returns {{header: *, body: *}}
  */
 function encrypt(endpoint, header, body) {
+  let bodyMap = body;
   const fleConfig = hasConfig(this.config, endpoint);
   if (fleConfig) {
     if (!this.isWithHeader) {
-      fleConfig.toEncrypt.forEach((v) => {
-        encryptBody.call(this, v, body);
+      bodyMap = fleConfig.toEncrypt.map((v) => {
+        return encryptBody.call(this, v, body);
       });
     } else {
       const encParams = this.crypto.newEncryptionParams({});
-      fleConfig.toEncrypt.forEach((v) => {
-        body = encryptWithHeader.call(this, encParams, v, body);
+      bodyMap = fleConfig.toEncrypt.map((v) => {
+        return encryptWithHeader.call(this, encParams, v, body);
       });
       setHeader.call(this, header, encParams);
     }
   }
   return {
     header: header,
-    body: body
+    body: fleConfig ? computeBody(fleConfig.toEncrypt, body, bodyMap) : body
   };
 }
 
@@ -110,44 +111,44 @@ function encrypt(endpoint, header, body) {
  */
 function decrypt(response) {
   const body = response.body;
+  let bodyMap = response.body;
   const fleConfig = hasConfig(this.config, response.request.url);
   if (fleConfig) {
-    if (!this.isWithHeader) {
-      fleConfig.toDecrypt.forEach((v) => {
-        decryptBody.call(this, v, body);
-      });
-    } else {
-      fleConfig.toDecrypt.forEach((v) => {
-        decryptWithHeader.call(this, v, body, response);
-      });
-    }
+    bodyMap = fleConfig.toDecrypt.map((v) => {
+      if (!this.isWithHeader) {
+        return decryptBody.call(this, v, body);
+      } else {
+        return decryptWithHeader.call(this, v, body, response);
+      }
+    });
   }
-  return body;
+  return fleConfig ? computeBody(fleConfig.toDecrypt, body, bodyMap) : body
 }
 
 /**
- * Encrypt body nodes inplace with given path
+ * Encrypt body nodes with given path
  *
  * @private
  * @param path Config json path
  * @param body Body to encrypt
  */
 function encryptBody(path, body) {
   const elem = elemFromPath(path.element, body);
-  if (elem && elem.node){
+  if (elem && elem.node) {
     const encryptedData = this.crypto.encryptData({data: elem.node});
-    utils.mutateObjectProperty(path.obj,
+    body = utils.mutateObjectProperty(path.obj,
       encryptedData,
       body);
     // delete encrypted field if not overridden
-    if (path.element !== path.obj + "." + this.config.encryptedValueFieldName) {
+    if (!isJsonRoot(path.obj) && path.element !== path.obj + "." + this.config.encryptedValueFieldName) {
       utils.deleteNode(path.element, body);
     }
   }
+  return body;
 }
 
 /**
- * Encrypt body nodes inplace with given path, without setting crypto info in the body
+ * Encrypt body nodes with given path, without setting crypto info in the body
  *
  * @private
  * @param encParams encoding params to use
@@ -158,15 +159,17 @@ function encryptBody(path, body) {
 function encryptWithHeader(encParams, path, body) {
   const elem = elemFromPath(path.element, body).node;
   const encrypted = this.crypto.encryptData({data: elem}, encParams);
-  return {[path.obj]: {[this.config.encryptedValueFieldName]: encrypted[this.config.encryptedValueFieldName]}};
+  const data = {[this.config.encryptedValueFieldName]: encrypted[this.config.encryptedValueFieldName]};
+  return isJsonRoot(path.obj) ? data : {[path.obj]: data};
 }
 
 /**
- * Decrypt body nodes inplace with given path
+ * Decrypt body nodes with given path
  *
  * @private
  * @param path Config json path
  * @param body encrypted body
+ * @returns {Object} Decrypted body
  */
 function decryptBody(path, body) {
   const elem = elemFromPath(path.element, body);
@@ -177,12 +180,13 @@ function decryptBody(path, body) {
       elem.node[this.config.oaepHashingAlgorithmFieldName], // oaepHashingAlgorithm
       elem.node[this.config.encryptedKeyFieldName] // encryptedKey
     );
-    utils.mutateObjectProperty(path.obj, decryptedObj, body, path.element, this.encryptionResponseProperties);
+    return utils.mutateObjectProperty(path.obj, decryptedObj, body, path.element, this.encryptionResponseProperties);
   }
+  return body;
 }
 
 /**
- * Decrypt body nodes inplace with given path, getting crypto info from the header
+ * Decrypt body nodes with given path, getting crypto info from the header
  *
  * @private
  * @param path Config json path
@@ -191,19 +195,33 @@ function decryptBody(path, body) {
  */
 function decryptWithHeader(path, body, response) {
   const elemEncryptedNode = elemFromPath(path.obj, body);
-  if (elemEncryptedNode.node[path.element]) {
-    const encryptedData = elemEncryptedNode.node[path.element][this.config.encryptedValueFieldName];
+  const node = isJsonRoot(path.element) ? elemEncryptedNode.node : elemEncryptedNode.node[path.element];
+  if (node) {
+    const encryptedData = node[this.config.encryptedValueFieldName];
     for (const k in body) {
       // noinspection JSUnfilteredForInLoop
       delete body[k];
     }
-    Object.assign(body, this.crypto.decryptData(
+    const decrypted = this.crypto.decryptData(
       encryptedData,
       response.header[this.config.ivHeaderName],
       response.header[this.config.oaepHashingAlgorithmHeaderName],
       response.header[this.config.encryptedKeyHeaderName]
-    ));
+    );
+    return isJsonRoot(path.obj) ? decrypted : Object.assign(body, decrypted);
   }
 }
 
+function isJsonRoot(elem) {
+  return elem === "$";
+}
+
+function computeBody(configParam, body, bodyMap){
+  return (hasEncryptionParam(configParam, bodyMap)) ? bodyMap.pop() : body;
+}
+
+function hasEncryptionParam(encParams, bodyMap){
+  return encParams && encParams.length === 1 && bodyMap && bodyMap[0];
+}
+
 module.exports = FieldLevelEncryption;

lib/mcapi/utils/utils.js

@@ -85,14 +85,16 @@ module.exports.mutateObjectProperty = function (path, value, obj, srcPath, prope
     }
     const paths = path.split(".");
     paths.forEach((e) => {
-      if (!tmp.hasOwnProperty(e)) {
+      if (!Object.prototype.hasOwnProperty.call(tmp, e)) {
         tmp[e] = {};
       }
       prev = tmp;
       tmp = tmp[e];
     });
     const elem = path.split(".").pop();
-    if (typeof value === 'object' && !(value instanceof Array)) { // decrypted value
+    if (elem === "$"){
+      obj = value; // replace root
+    } else if (typeof value === 'object' && !(value instanceof Array)) { // decrypted value
       if (typeof prev[elem] !== 'object') {
         prev[elem] = {};
       }
@@ -101,6 +103,7 @@ module.exports.mutateObjectProperty = function (path, value, obj, srcPath, prope
       prev[elem] = value;
     }
   }
+  return obj;
 };
 
 module.exports.deleteNode = function (path, obj, properties) {
@@ -111,18 +114,14 @@ module.exports.deleteNode = function (path, obj, properties) {
     const toDelete = paths[paths.length - 1];
     paths.forEach((e, index) => {
       prev = obj;
-      if (obj.hasOwnProperty(e)) {
+      if (Object.prototype.hasOwnProperty.call(obj, e)) {
         obj = obj[e];
         if (obj && index === paths.length - 1) {
           delete prev[toDelete];
         }
       }
     });
-    if (paths.length === 1 && paths[0] === "") {
-      properties.forEach((e) => {
-        delete obj[e];
-      });
-    }
+    deleteRoot(obj, paths, properties);
   }
 };
 
@@ -131,3 +130,12 @@ function overrideProperties(target, obj) {
     target[k] = obj[k];
   }
 }
+
+function deleteRoot(obj, paths, properties){
+  if (paths.length === 1) {
+    properties = paths[0] === "$" ? Object.keys(obj) : properties;
+    properties.forEach((e) => {
+      delete obj[e];
+    });
+  }
+}

sonar-project.properties

@@ -0,0 +1,4 @@
+sonar.projectKey=Mastercard_client-encryption-nodejs
+sonar.organization=mastercard
+sonar.projectName=client-encryption-nodejs
+sonar.host.url=https://sonarcloud.io