demo code and readme

Author: nvobilis

modules/example-node/hkr-demo/README.md

@@ -0,0 +1,104 @@
+# H-Keyring Intern Demo Guide
+
+This guide provides detailed instructions on running the intern demos for the H-Keyring.
+
+## Prerequisites
+
+Before running the demos, navigate to the following directory:
+
+```bash
+cd /private-aws-encryption-sdk-javascript-staging/modules/example-node/
+```
+
+**Note:** All file paths in the CLI arguments must be absolute paths.
+
+## Demo 1: Performance Comparison between KMS Keyring and H-Keyring
+
+This demo compares the performance of the KMS Keyring and H-Keyring. In each roundtrip, a random string is generated, encrypted with a keyring, and then decrypted, expecting the original string to be returned.
+
+The program logs roundtrip metrics for both the KMS Keyring and H-Keyring, including runtime, call volume, and success rate.
+
+### Run the Demo
+
+To run the performance comparison demo, use the following command:
+
+```bash
+npx ts-node hkr-demo/hkr_vs_regular.demo.ts --numRoundTrips=<number of roundtrips>
+```
+
+**Note:** The number of roundtrips defaults to 10 if not specified.
+
+## Demo 2: Interoperability Test
+
+This demo demonstrates the interoperability between the JS H-Keyring and other H-Keyrings.
+
+### General Command
+
+To encrypt a data file or decrypt an encrypted file using the JS H-Keyring, use the following command format:
+
+```bash
+npx ts-node hkr-demo/interop.demo.ts <encrypt or decrypt> <input filepath> <output filepath>
+```
+
+### Encrypting a Data File
+
+To encrypt a data file with the JS H-Keyring, run:
+
+```bash
+npx ts-node hkr-demo/interop.demo.ts encrypt <data filepath> <encrypted filepath>
+```
+
+### Decrypting an Encrypted File
+
+To decrypt an encrypted file with the JS H-Keyring, run:
+
+```bash
+npx ts-node hkr-demo/interop.demo.ts decrypt <encrypted filepath> <decrypted filepath>
+```
+
+## Demo 3: Multi-Tenancy
+
+This demo showcases multi-tenant data isolation within a single keyring. You will observe failures when encrypting with tenant A and decrypting with tenant B (or vice versa). Tenant A and B are mapped to hard-coded branch IDs within the demo code in `./hkr-demo/multi_tenant.demo.ts`.
+
+### General Command
+
+To encrypt or decrypt with tenant A or B, use the following command format:
+
+```bash
+npx ts-node hkr-demo/multi_tenant.demo.ts --operation=<encrypt or decrypt> --inputFile=<input filepath> --outputFile=<output filepath> --tenant=<A or B>
+```
+
+### Encrypting with Tenant A
+
+```bash
+npx ts-node hkr-demo/multi_tenant.demo.ts --operation=encrypt --inputFile=<data filepath> --outputFile=<encrypted filepath> --tenant=A
+```
+
+### Decrypting with Tenant A
+
+```bash
+npx ts-node hkr-demo/multi_tenant.demo.ts --operation=decrypt --inputFile=<encrypted filepath> --outputFile=<decrypted filepath> --tenant=A
+```
+
+### Encrypting with Tenant B
+
+```bash
+npx ts-node hkr-demo/multi_tenant.demo.ts --operation=encrypt --inputFile=<data filepath> --outputFile=<encrypted filepath> --tenant=B
+```
+
+### Decrypting with Tenant B
+
+```bash
+npx ts-node hkr-demo/multi_tenant.demo.ts --operation=decrypt --inputFile=<encrypted filepath> --outputFile=<decrypted filepath> --tenant=B
+```
+
+### Example: Demonstrating Tenant Data Isolation
+
+To observe tenant data isolation, run the following commands:
+
+```bash
+npx ts-node hkr-demo/multi_tenant.demo.ts --operation=encrypt --inputFile=<data filepath> --outputFile=<encrypted filepath> --tenant=A
+npx ts-node hkr-demo/multi_tenant.demo.ts --operation=decrypt --inputFile=<encrypted filepath> --outputFile=<decrypted filepath> --tenant=B
+```
+
+An error will occur, demonstrating the isolation between tenant encryption.

modules/example-node/hkr-demo/hkr.ts

@@ -0,0 +1,118 @@
+import {
+  buildClient,
+  CommitmentPolicy,
+  KeyringNode,
+  EncryptionContext,
+} from '@aws-crypto/client-node'
+import { randomBytes } from 'crypto'
+import { KMSClient } from '@aws-sdk/client-kms'
+import sinon from 'sinon'
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb'
+
+const { encrypt, decrypt } = buildClient(
+  CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+)
+const MAX_INPUT_LENGTH = 20
+const MIN_INPUT_LENGTH = 15
+const PURPLE_LOG = '\x1b[35m%s\x1b[0m'
+const YELLO_LOG = '\x1b[33m%s\x1b[0m'
+const GREEN_LOG = '\x1b[32m%s\x1b[0m'
+const RED_LOG = '\x1b[31m%s\x1b[0m'
+
+export function generateRandomString(minLength: number, maxLength: number) {
+  const randomLength =
+    Math.floor(Math.random() * (maxLength - minLength + 1)) + minLength
+  return randomBytes(randomLength).toString('hex').slice(0, randomLength)
+}
+
+export async function roundtrip(
+  keyring: KeyringNode,
+  context: EncryptionContext,
+  cleartext: string
+) {
+  const { result } = await encrypt(keyring, cleartext, {
+    encryptionContext: context,
+  })
+
+  const { plaintext, messageHeader } = await decrypt(keyring, result)
+
+  const { encryptionContext } = messageHeader
+
+  Object.entries(context).forEach(([key, value]) => {
+    if (encryptionContext[key] !== value) {
+      throw new Error('Encryption Context does not match expected values')
+    }
+  })
+
+  return { plaintext, result, cleartext, messageHeader }
+}
+
+export async function runRoundTrips(
+  keyring: KeyringNode,
+  numRoundTrips: number
+) {
+  const kmsSpy = sinon.spy(KMSClient.prototype, 'send')
+  const ddbSpy = sinon.spy(DynamoDBClient.prototype, 'send')
+  const padding = String(numRoundTrips).length
+  let successes = 0
+
+  console.log()
+  console.log(YELLO_LOG, `${keyring.constructor.name} Roundtrips`) // Print constructor name in yellow
+  console.time('Total runtime') // Start the timer
+
+  for (let i = 0; i < numRoundTrips; i++) {
+    const encryptionContext = {
+      roundtrip: i.toString(),
+    }
+    const encryptionInput = generateRandomString(
+      MIN_INPUT_LENGTH,
+      MAX_INPUT_LENGTH
+    )
+
+    let decryptionOutput: string
+    try {
+      const { plaintext } = await roundtrip(
+        keyring,
+        encryptionContext,
+        encryptionInput
+      )
+      decryptionOutput = plaintext.toString()
+    } catch {
+      decryptionOutput = 'ERROR'
+    }
+
+    const encryptionInputPadding = ' '.repeat(
+      MAX_INPUT_LENGTH - encryptionInput.length
+    )
+    const decryptionOutputPadding = ' '.repeat(
+      MAX_INPUT_LENGTH - decryptionOutput.length
+    )
+
+    const logMessage = `Roundtrip ${String(i + 1).padStart(
+      padding,
+      ' '
+    )}: ${encryptionInput}${encryptionInputPadding} ----encrypt & decrypt----> ${decryptionOutput}${decryptionOutputPadding}`
+
+    let logColor: string
+    if (encryptionInput === decryptionOutput) {
+      logColor = GREEN_LOG
+      successes += 1
+    } else {
+      logColor = RED_LOG
+    }
+    console.log(logColor, logMessage) // Print log message in green
+  }
+
+  console.log()
+  console.log(YELLO_LOG, `${keyring.constructor.name} metrics`) // Print constructor name in yellow
+  console.timeEnd('Total runtime')
+  console.log(PURPLE_LOG, `KMS calls: ${kmsSpy.callCount}`)
+  console.log(PURPLE_LOG, `DynamoDB calls: ${ddbSpy.callCount}`)
+  console.log(
+    PURPLE_LOG,
+    `Successful roundtrips: ${successes} / ${numRoundTrips}`
+  )
+
+  kmsSpy.restore()
+  ddbSpy.restore()
+}

modules/example-node/hkr-demo/hkr_vs_regular.demo.ts

@@ -0,0 +1,47 @@
+// import chalk from 'chalk'
+import {
+  BranchKeyStoreNode,
+  SrkCompatibilityKmsConfig,
+  KmsHierarchicalKeyRingNode,
+  KmsKeyringNode,
+} from '@aws-crypto/client-node'
+import { runRoundTrips } from './hkr'
+import minimist from 'minimist'
+
+const args = minimist(process.argv.slice(2))
+const NUM_ROUNDTRIPS = args.numRoundTrips || 10
+
+async function runKmsKeyring() {
+  const generatorKeyId =
+    'arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'
+  const keyring = new KmsKeyringNode({ generatorKeyId })
+
+  await runRoundTrips(keyring, NUM_ROUNDTRIPS)
+}
+
+async function runKmsHkrKeyring() {
+  const branchKeyArn =
+    'arn:aws:kms:us-west-2:370957321024:key/9d989aa2-2f9c-438c-a745-cc57d3ad0126'
+  const branchKeyId = '2c583585-5770-467d-8f59-b346d0ed1994'
+
+  const keyStore = new BranchKeyStoreNode({
+    ddbTableName: 'KeyStoreDdbTable',
+    logicalKeyStoreName: 'KeyStoreDdbTable',
+    kmsConfiguration: new SrkCompatibilityKmsConfig(branchKeyArn),
+  })
+
+  const keyring = new KmsHierarchicalKeyRingNode({
+    branchKeyId,
+    keyStore,
+    cacheLimitTtl: 60,
+  })
+
+  await runRoundTrips(keyring, NUM_ROUNDTRIPS)
+}
+
+async function main() {
+  await runKmsKeyring()
+  await runKmsHkrKeyring()
+}
+
+main()

modules/example-node/hkr-demo/interop.demo.ts

@@ -0,0 +1,92 @@
+import * as fs from 'fs'
+import {
+  BranchKeyStoreNode,
+  buildClient,
+  CommitmentPolicy,
+  KmsHierarchicalKeyRingNode,
+  SrkCompatibilityKmsConfig,
+} from '@aws-crypto/client-node'
+import { exit } from 'process'
+
+const { encrypt, decrypt } = buildClient(
+  CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
+)
+
+const branchKeyArn =
+  'arn:aws:kms:us-west-2:370957321024:key/9d989aa2-2f9c-438c-a745-cc57d3ad0126'
+const branchKeyId = '38853b56-19c6-4345-9cb5-afc2a25dcdd1'
+
+const keyStore = new BranchKeyStoreNode({
+  ddbTableName: 'KeyStoreDdbTable',
+  logicalKeyStoreName: 'KeyStoreDdbTable',
+  kmsConfiguration: new SrkCompatibilityKmsConfig(branchKeyArn),
+})
+
+const keyring = new KmsHierarchicalKeyRingNode({
+  branchKeyId,
+  keyStore,
+  cacheLimitTtl: 60,
+})
+
+async function decryptEncryptedData(encryptedData: Buffer) {
+  const { plaintext: decryptedData, messageHeader } = await decrypt(
+    keyring,
+    encryptedData
+  )
+
+  const { encryptionContext } = messageHeader
+
+  Object.entries(encryptionContext).forEach(([key, value]) => {
+    if (encryptionContext[key] !== value) {
+      throw new Error('Encryption Context does not match expected values')
+    }
+  })
+
+  return decryptedData
+}
+
+async function encryptData(data: Buffer) {
+  const { result } = await encrypt(keyring, data, {
+    encryptionContext: { successful: 'demo' },
+  })
+
+  return result
+}
+
+async function main() {
+  const args = process.argv.slice(2)
+  const operation = args[0]
+  const inFile = args[1]
+  const outFile = args[2]
+
+  let inData = Buffer.alloc(0)
+  try {
+    inData = fs.readFileSync(inFile)
+  } catch (err) {
+    console.error(err)
+    exit(1)
+  }
+
+  let outData: Buffer
+  let msg: string
+  if (operation === 'encrypt') {
+    const data = inData
+    outData = await encryptData(data)
+    msg = 'JS has completed encryption'
+  } else {
+    const encryptedData = inData
+    outData = await decryptEncryptedData(encryptedData)
+    msg = 'JS has completed decryption'
+  }
+
+  try {
+    fs.writeFileSync(outFile, outData)
+  } catch (err) {
+    console.error(err)
+    exit(1)
+  }
+
+  console.log(msg)
+}
+
+main()