guardrails changes

Author: github-actions[bot]

core/go.mod

@@ -5,8 +5,8 @@ go 1.24
 toolchain go1.24.3
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.38.0
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10
+	github.com/aws/aws-sdk-go-v2 v1.39.2
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1
 	github.com/aws/aws-sdk-go-v2/config v1.31.0
 	github.com/bytedance/sonic v1.14.0
 	github.com/google/uuid v1.6.0
@@ -21,15 +21,15 @@ require (
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.4 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 // indirect
-	github.com/aws/smithy-go v1.22.5 // indirect
+	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/bytedance/sonic/loader v0.3.0 // indirect

core/go.sum

@@ -2,20 +2,20 @@ cloud.google.com/go/compute/metadata v0.8.0 h1:HxMRIbao8w17ZX6wBnjhcDkW6lTFpgcao
 cloud.google.com/go/compute/metadata v0.8.0/go.mod h1:sYOGTp851OV9bOFJ9CH7elVvyzopvWQFNNghtDQ/Biw=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
-github.com/aws/aws-sdk-go-v2 v1.38.0 h1:UCRQ5mlqcFk9HJDIqENSLR3wiG1VTWlyUfLDEvY7RxU=
-github.com/aws/aws-sdk-go-v2 v1.38.0/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 h1:zAybnyUQXIZ5mok5Jqwlf58/TFE7uvd3IAsa1aF9cXs=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10/go.mod h1:qqvMj6gHLR/EXWZw4ZbqlPbQUyenf4h82UQUlKc+l14=
+github.com/aws/aws-sdk-go-v2 v1.39.2 h1:EJLg8IdbzgeD7xgvZ+I8M1e0fL0ptn/M47lianzth0I=
+github.com/aws/aws-sdk-go-v2 v1.39.2/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 h1:i8p8P4diljCr60PpJp6qZXNlgX4m2yQFpYk+9ZT+J4E=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1/go.mod h1:ddqbooRZYNoJ2dsTwOty16rM+/Aqmk/GOXrK8cg7V00=
 github.com/aws/aws-sdk-go-v2/config v1.31.0 h1:9yH0xiY5fUnVNLRWO0AtayqwU1ndriZdN78LlhruJR4=
 github.com/aws/aws-sdk-go-v2/config v1.31.0/go.mod h1:VeV3K72nXnhbe4EuxxhzsDc/ByrCSlZwUnWH52Nde/I=
 github.com/aws/aws-sdk-go-v2/credentials v1.18.4 h1:IPd0Algf1b+Qy9BcDp0sCUcIWdCQPSzDoMK3a8pcbUM=
 github.com/aws/aws-sdk-go-v2/credentials v1.18.4/go.mod h1:nwg78FjH2qvsRM1EVZlX9WuGUJOL5od+0qvm0adEzHk=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 h1:GicIdnekoJsjq9wqnvyi2elW6CGMSYKhdozE7/Svh78=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3/go.mod h1:R7BIi6WNC5mc1kfRM7XM/VHC3uRWkjc396sfabq4iOo=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 h1:o9RnO+YZ4X+kt5Z7Nvcishlz0nksIt2PIzDglLMP0vA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3/go.mod h1:+6aLJzOG1fvMOyzIySYjOFjcguGvVRL68R+uoRencN4=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 h1:joyyUFhiTQQmVK6ImzNU9TQSNRNeD9kOklqTzyk5v6s=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3/go.mod h1:+vNIyZQP3b3B1tSLI0lxvrU9cfM7gpdRXMFfm67ZcPc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 h1:se2vOWGD3dWQUtfn4wEjRQJb1HK1XsNIt825gskZ970=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9/go.mod h1:hijCGH2VfbZQxqCDN7bwz/4dzxV+hkyhjawAtdPWKZA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 h1:6RBnKZLkJM4hQ+kN6E7yWFveOTg8NLPHAkqrs4ZPlTU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9/go.mod h1:V9rQKRmK7AWuEsOMnHzKj8WyrIir1yUJbZxDuZLFvXI=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 h1:6+lZi2JeGKtCraAj1rpoZfKqnQ9SptseRZioejfUOLM=
@@ -28,8 +28,8 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 h1:6csaS/aJmqZQbKhi1EyEMM7y
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0/go.mod h1:59qHWaY5B+Rs7HGTuVGaC32m0rdpQ68N8QCN3khYiqs=
 github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 h1:MG9VFW43M4A8BYeAfaJJZWrroinxeTi2r3+SnmLQfSA=
 github.com/aws/aws-sdk-go-v2/service/sts v1.37.0/go.mod h1:JdeBDPgpJfuS6rU/hNglmOigKhyEZtBmbraLE4GK1J8=
-github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw=
-github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE=
+github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=
 github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=

framework/encrypt/encrypt.go

@@ -0,0 +1,148 @@
+// Package encrypt provides reversible AES-256-GCM encryption and decryption utilities
+// for securing sensitive data like API keys and credentials.
+package encrypt
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/maximhq/bifrost/core/schemas"
+)
+
+var encryptionKey []byte
+var logger schemas.Logger
+
+const DefaultKey = "bifrost-default-encryption-key-32b"
+
+// Init initializes the encryption key from environment variable
+func Init(key string, _logger schemas.Logger) {
+	logger = _logger
+	if key == "" {
+		// In this case encryption will be disabled
+		logger.Warn("encryption key is not set, encryption will be disabled. To set encryption key: use the encryption_key field in the configuration file or set the BIFROST_ENCRYPTION_KEY environment variable. Note that - once encryption key is set, it cannot be changed later unless you clean up the database.")
+		return
+	}
+	// Ensure key is exactly 32 bytes for AES-256
+	if len(key) < 32 {
+		// Pad with zeros if too short
+		encryptionKey = make([]byte, 32)
+		copy(encryptionKey, []byte(key))
+	} else {
+		// Truncate if too long
+		encryptionKey = []byte(key)[:32]
+	}
+}
+
+// IsRedacted checks if a secret is redacted
+func IsRedacted(secret string) bool {
+	if secret == "" {
+		return false
+	}
+
+	// Check if completely redacted (all asterisks)
+	if secret == strings.Repeat("*", len(secret)) {
+		return true
+	}
+
+	// Check if partially redacted (starts with asterisks, ends with visible chars)
+	if len(secret) > 4 && strings.HasPrefix(secret, strings.Repeat("*", len(secret)-4)) {
+		return true
+	}
+
+	return false
+}
+
+// RedactSecret redacts a secret string, keeping the last 4 characters visible
+func RedactSecret(secret string) string {
+	if secret == "" {
+		return ""
+	}
+	length := len(secret)
+	if length <= 4 {
+		// If secret is 4 chars or less, redact completely
+		return strings.Repeat("*", length)
+	}
+	// Show last 4 characters
+	visiblePart := secret[length-4:]
+	redactedPart := strings.Repeat("*", length-4)
+	return redactedPart + visiblePart
+}
+
+// Encrypt encrypts a plaintext string using AES-256-GCM and returns a base64-encoded ciphertext
+func Encrypt(plaintext string) string {
+	if encryptionKey == nil {
+		return plaintext
+	}
+	if plaintext == "" {
+		return ""
+	}
+
+	block, err := aes.NewCipher(encryptionKey)
+	if err != nil {
+		return plaintext // Fallback to plaintext on error
+	}
+
+	aesGCM, err := cipher.NewGCM(block)
+	if err != nil {
+		return plaintext
+	}
+
+	// Create a nonce (number used once)
+	nonce := make([]byte, aesGCM.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return plaintext
+	}
+
+	// Encrypt the data
+	ciphertext := aesGCM.Seal(nonce, nonce, []byte(plaintext), nil)
+
+	// Encode to base64 for storage
+	return base64.StdEncoding.EncodeToString(ciphertext)
+}
+
+// Decrypt decrypts a base64-encoded ciphertext using AES-256-GCM and returns the plaintext
+func Decrypt(ciphertext string) (string, error) {
+	if encryptionKey == nil {
+		return ciphertext, nil
+	}
+	if ciphertext == "" {
+		return "", nil
+	}
+
+	// Decode from base64
+	data, err := base64.StdEncoding.DecodeString(ciphertext)
+	if err != nil {
+		return "", fmt.Errorf("failed to decode base64: %w", err)
+	}
+
+	block, err := aes.NewCipher(encryptionKey)
+	if err != nil {
+		return "", fmt.Errorf("failed to create cipher: %w", err)
+	}
+
+	aesGCM, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", fmt.Errorf("failed to create GCM: %w", err)
+	}
+
+	// Extract nonce
+	nonceSize := aesGCM.NonceSize()
+	if len(data) < nonceSize {
+		return "", fmt.Errorf("ciphertext too short")
+	}
+
+	nonce, ciphertextBytes := data[:nonceSize], data[nonceSize:]
+
+	// Decrypt the data
+	plaintext, err := aesGCM.Open(nil, nonce, ciphertextBytes, nil)
+	if err != nil {
+		return "", fmt.Errorf("failed to decrypt: %w", err)
+	}
+
+	return string(plaintext), nil
+}

framework/encrypt/encrypt_test.go

@@ -0,0 +1,139 @@
+package encrypt
+
+import (
+	"testing"
+
+	bifrost "github.com/maximhq/bifrost/core"
+	"github.com/maximhq/bifrost/core/schemas"
+)
+
+func TestEncryptDecrypt(t *testing.T) {
+	// Set a test encryption key
+	testKey := "test-encryption-key-for-testing-32bytes"
+	Init(testKey, bifrost.NewDefaultLogger(schemas.LogLevelInfo))
+
+	testCases := []struct {
+		name      string
+		plaintext string
+	}{
+		{
+			name:      "Simple text",
+			plaintext: "hello world",
+		},
+		{
+			name:      "AWS Access Key",
+			plaintext: "AKIAIOSFODNN7EXAMPLE",
+		},
+		{
+			name:      "AWS Secret Key",
+			plaintext: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+		},
+		{
+			name:      "Empty string",
+			plaintext: "",
+		},
+		{
+			name:      "Special characters",
+			plaintext: "!@#$%^&*()_+-=[]{}|;':\",./<>?`~",
+		},
+		{
+			name:      "Long text",
+			plaintext: "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Encrypt
+			encrypted := Encrypt(tc.plaintext)
+
+			// For empty strings, encryption should return empty
+			if tc.plaintext == "" {
+				if encrypted != "" {
+					t.Errorf("Expected empty string for empty input, got: %s", encrypted)
+				}
+				return
+			}
+
+			// Encrypted text should be different from plaintext
+			if encrypted == tc.plaintext {
+				t.Errorf("Encrypted text should be different from plaintext")
+			}
+
+			// Decrypt
+			decrypted, err := Decrypt(encrypted)
+			if err != nil {
+				t.Fatalf("Failed to decrypt: %v", err)
+			}
+
+			// Decrypted text should match original plaintext
+			if decrypted != tc.plaintext {
+				t.Errorf("Decrypted text does not match original.\nExpected: %s\nGot: %s", tc.plaintext, decrypted)
+			}
+		})
+	}
+}
+
+func TestEncryptDeterminism(t *testing.T) {
+	// Set a test encryption key
+	testKey := "test-encryption-key-for-testing-32bytes"
+	Init(testKey, bifrost.NewDefaultLogger(schemas.LogLevelInfo))
+
+	plaintext := "test-plaintext"
+
+	// Encrypt the same text twice
+	encrypted1 := Encrypt(plaintext)
+	encrypted2 := Encrypt(plaintext)
+
+	// They should be different (due to random nonce)
+	if encrypted1 == encrypted2 {
+		t.Errorf("Two encryptions of the same plaintext should produce different ciphertexts (due to random nonce)")
+	}
+
+	// But both should decrypt to the same plaintext
+	decrypted1, err := Decrypt(encrypted1)
+	if err != nil {
+		t.Fatalf("Failed to decrypt first: %v", err)
+	}
+	decrypted2, err := Decrypt(encrypted2)
+	if err != nil {
+		t.Fatalf("Failed to decrypt second: %v", err)
+	}
+
+	if decrypted1 != plaintext || decrypted2 != plaintext {
+		t.Errorf("Both decryptions should match original plaintext")
+	}
+}
+
+func TestDecryptInvalidData(t *testing.T) {
+	// Set a test encryption key
+	testKey := "test-encryption-key-for-testing-32bytes"
+	Init(testKey, bifrost.NewDefaultLogger(schemas.LogLevelInfo))
+
+	testCases := []struct {
+		name       string
+		ciphertext string
+	}{
+		{
+			name:       "Invalid base64",
+			ciphertext: "not-valid-base64!@#$",
+		},
+		{
+			name:       "Valid base64 but invalid ciphertext",
+			ciphertext: "YWJjZGVmZ2hpamtsbW5vcA==",
+		},
+		{
+			name:       "Too short ciphertext",
+			ciphertext: "YWJj",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := Decrypt(tc.ciphertext)
+			if err == nil {
+				t.Errorf("Expected error when decrypting invalid data, got nil")
+			}
+		})
+	}
+}

framework/go.mod

@@ -16,7 +16,7 @@ require (
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/pgx/v5 v5.6.0 // indirect
@@ -29,19 +29,19 @@ require (
 	cloud.google.com/go/compute/metadata v0.8.0 // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.38.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.39.2 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.31.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.4 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.28.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.33.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.37.0 // indirect
-	github.com/aws/smithy-go v1.22.5 // indirect
+	github.com/aws/smithy-go v1.23.0 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/bytedance/sonic v1.14.0 // indirect