Fix TransitDecryptResponse interfaces (#13)

* Fix TransitDecryptResponse interfaces to match the vault response for empty strings

* Fix batch transit test

* Use default "" instead of undefined

* Add test for empty strings in batch transit

* Prefer await

Co-authored-by: Martin Helmich <[email protected]>

Co-authored-by: Lukas Fritze <[email protected]>
Co-authored-by: Martin Helmich <[email protected]>

Author: 3 people

src/engines/transit.ts

@@ -6,6 +6,7 @@ import {
     ITransitCreateOptions,
     ITransitDecryptOptionsBatch,
     ITransitDecryptOptionsSingle,
+    ITransitDecryptRawResponseBatch,
     ITransitDecryptResponseBatch,
     ITransitDecryptResponseSingle,
     ITransitEncryptOptionsBatch,
@@ -200,11 +201,12 @@ export class TransitVaultClient extends AbstractVaultClient {
         validateKeyName(key);
         return this.rawWrite(["decrypt", key], options).then((res) => {
             if ("batch_input" in options) {
-                transitChecker.ITransitDecryptResponseBatch.check(res);
+                transitChecker.ITransitDecryptRawResponseBatch.check(res);
+                return TransitVaultClient.checkEmptyBatchValues(res as ITransitDecryptRawResponseBatch);
             } else {
                 transitChecker.ITransitDecryptResponseSingle.check(res);
+                return res;
             }
-            return res;
         });
     }
 
@@ -226,6 +228,32 @@ export class TransitVaultClient extends AbstractVaultClient {
      */
     public async decryptText(key: string, ciphertext: string): Promise<string> {
         validateKeyName(key);
-        return this.decrypt(key, { ciphertext }).then((res) => Buffer.from(res.data.plaintext, "base64").toString());
+        const res = await this.decrypt(key, { ciphertext });
+        if (res.data.plaintext === undefined) {
+            return "";
+        }
+        return Buffer.from(res.data.plaintext, "base64").toString();
+    }
+
+    /*
+     * Check to fix undefined plaintext values in a decrypt response.
+     * @see https://github.com/hashicorp/vault/issues/6140
+     *
+     * {plaintext: ""} -> encrypt -> {ciphertext: "abc...yxz"} -> decrypt -> {}
+     */
+    private static checkEmptyBatchValues(res: ITransitDecryptRawResponseBatch): ITransitDecryptResponseBatch {
+        const batchData = res.data.batch_results;
+        return {
+            ...res,
+            data: {
+                ...res.data,
+                batch_results: batchData.map((v) => {
+                    return {
+                        ...v,
+                        plaintext: v.plaintext ?? "",
+                    };
+                }),
+            },
+        };
     }
 }

src/engines/transit_types-ti.ts

@@ -11,6 +11,11 @@ export const ITransitBatchPlaintext = t.array(t.iface([], {
   "context": t.opt("string"),
 }));
 
+export const ITransitRawBatchPlaintext = t.array(t.iface([], {
+  "plaintext": t.opt("string"),
+  "context": t.opt("string"),
+}));
+
 export const ITransitBatchCiphertext = t.array(t.iface([], {
   "ciphertext": "string",
   "context": t.opt("string"),
@@ -125,9 +130,16 @@ export const ITransitDecryptResponseBatch = t.iface([], {
   }),
 });
 
+export const ITransitDecryptRawResponseBatch = t.iface([], {
+  "data": t.iface([], {
+    "batch_results": "ITransitRawBatchPlaintext",
+  }),
+});
+
 const exportedTypeSuite: t.ITypeSuite = {
   ITransitKeyType,
   ITransitBatchPlaintext,
+  ITransitRawBatchPlaintext,
   ITransitBatchCiphertext,
   ITransitCreateOptions,
   ITransitReadResponse,
@@ -143,5 +155,6 @@ const exportedTypeSuite: t.ITypeSuite = {
   ITransitDecryptOptionsBatch,
   ITransitDecryptResponseSingle,
   ITransitDecryptResponseBatch,
+  ITransitDecryptRawResponseBatch,
 };
 export default exportedTypeSuite;

src/engines/transit_types.ts

@@ -4,6 +4,10 @@ export type ITransitBatchPlaintext = Array<{
     plaintext: string;
     context?: string;
 }>;
+export type ITransitRawBatchPlaintext = Array<{
+    plaintext?: string;
+    context?: string;
+}>;
 export type ITransitBatchCiphertext = Array<{
     ciphertext: string;
     context?: string;
@@ -118,3 +122,8 @@ export interface ITransitDecryptResponseBatch {
         batch_results: ITransitBatchPlaintext;
     };
 }
+export interface ITransitDecryptRawResponseBatch {
+    data: {
+        batch_results: ITransitRawBatchPlaintext;
+    };
+}

tests/engines/transit.spec.ts

@@ -86,6 +86,9 @@ describe("Transit Vault Client", () => {
                 {
                     plaintext: text,
                 },
+                {
+                    plaintext: "",
+                },
             ];
 
             const result = await client
@@ -95,7 +98,10 @@ describe("Transit Vault Client", () => {
                 .then((res) => res.data.batch_results);
             const res = await client
                 .decrypt("test", {
-                    batch_input: result,
+                    batch_input: result.map((r) => ({
+                        ciphertext: r.ciphertext,
+                        context: r.context,
+                    })),
                 })
                 .then((res) => res.data.batch_results);