feat: Add @encrypted enhancer

packages/runtime/src/enhancements/edge/encrypted.ts

@@ -0,0 +1,141 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-unused-vars */
+
+import { NestedWriteVisitor, enumerate, getModelFields, resolveField, type PrismaWriteActionType } from '../../cross';
+import { DbClientContract } from '../../types';
+import { InternalEnhancementOptions } from './create-enhancement';
+import { DefaultPrismaProxyHandler, PrismaProxyActions, makeProxy } from './proxy';
+import { QueryUtils } from './query-utils';
+
+/**
+ * Gets an enhanced Prisma client that supports `@encrypted` attribute.
+ *
+ * @private
+ */
+export function withEncrypted<DbClient extends object = any>(
+    prisma: DbClient,
+    options: InternalEnhancementOptions
+): DbClient {
+    return makeProxy(
+        prisma,
+        options.modelMeta,
+        (_prisma, model) => new EncryptedHandler(_prisma as DbClientContract, model, options),
+        'encrypted'
+    );
+}
+
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+
+const getKey = async (secret: string): Promise<CryptoKey> => {
+    return crypto.subtle.importKey('raw', encoder.encode(secret).slice(0, 32), 'AES-GCM', false, [
+        'encrypt',
+        'decrypt',
+    ]);
+};
+const encryptFunc = async (data: string, secret: string): Promise<string> => {
+    const key = await getKey(secret);
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+
+    const encrypted = await crypto.subtle.encrypt(
+        {
+            name: 'AES-GCM',
+            iv,
+        },
+        key,
+        encoder.encode(data)
+    );
+
+    // Combine IV and encrypted data into a single array of bytes
+    const bytes = [...iv, ...new Uint8Array(encrypted)];
+
+    // Convert bytes to base64 string
+    return btoa(String.fromCharCode(...bytes));
+};
+
+const decryptFunc = async (encryptedData: string, secret: string): Promise<string> => {
+    const key = await getKey(secret);
+
+    // Convert base64 back to bytes
+    const bytes = Uint8Array.from(atob(encryptedData), (c) => c.charCodeAt(0));
+
+    // First 12 bytes are IV, rest is encrypted data
+    const decrypted = await crypto.subtle.decrypt(
+        {
+            name: 'AES-GCM',
+            iv: bytes.slice(0, 12),
+        },
+        key,
+        bytes.slice(12)
+    );
+
+    return decoder.decode(decrypted);
+};
+
+class EncryptedHandler extends DefaultPrismaProxyHandler {
+    private queryUtils: QueryUtils;
+
+    constructor(prisma: DbClientContract, model: string, options: InternalEnhancementOptions) {
+        super(prisma, model, options);
+
+        this.queryUtils = new QueryUtils(prisma, options);
+    }
+
+    // base override
+    protected async preprocessArgs(action: PrismaProxyActions, args: any) {
+        const actionsOfInterest: PrismaProxyActions[] = ['create', 'createMany', 'update', 'updateMany', 'upsert'];
+        if (args && args.data && actionsOfInterest.includes(action)) {
+            await this.preprocessWritePayload(this.model, action as PrismaWriteActionType, args);
+        }
+        return args;
+    }
+
+    // base override
+    protected async processResultEntity<T>(method: PrismaProxyActions, data: T): Promise<T> {
+        if (!data || typeof data !== 'object') {
+            return data;
+        }
+
+        for (const value of enumerate(data)) {
+            await this.doPostProcess(value, this.model);
+        }
+
+        return data;
+    }
+
+    private async doPostProcess(entityData: any, model: string) {
+        const realModel = this.queryUtils.getDelegateConcreteModel(model, entityData);
+
+        for (const field of getModelFields(entityData)) {
+            const fieldInfo = await resolveField(this.options.modelMeta, realModel, field);
+
+            if (!fieldInfo) {
+                continue;
+            }
+
+            const shouldDecrypt = fieldInfo.attributes?.find((attr) => attr.name === '@encrypted');
+            if (shouldDecrypt) {
+                const descryptSecret = shouldDecrypt.args.find((arg) => arg.name === 'secret')?.value as string;
+
+                entityData[field] = await decryptFunc(entityData[field], descryptSecret);
+            }
+        }
+    }
+
+    private async preprocessWritePayload(model: string, action: PrismaWriteActionType, args: any) {
+        const visitor = new NestedWriteVisitor(this.options.modelMeta, {
+            field: async (field, _action, data, context) => {
+                const encAttr = field.attributes?.find((attr) => attr.name === '@encrypted');
+                if (encAttr && field.type === 'String') {
+                    // encrypt value
+
+                    const secret: string = encAttr.args.find((arg) => arg.name === 'secret')?.value as string;
+
+                    context.parent[field.name] = await encryptFunc(data, secret);
+                }
+            },
+        });
+
+        await visitor.visit(model, action, args);
+    }
+}

packages/runtime/src/enhancements/node/create-enhancement.ts

@@ -14,13 +14,14 @@ import { withJsonProcessor } from './json-processor';
 import { Logger } from './logger';
 import { withOmit } from './omit';
 import { withPassword } from './password';
+import { withEncrypted } from './encrypted';
 import { policyProcessIncludeRelationPayload, withPolicy } from './policy';
 import type { PolicyDef } from './types';
 
 /**
  * All enhancement kinds
  */
-const ALL_ENHANCEMENTS: EnhancementKind[] = ['password', 'omit', 'policy', 'validation', 'delegate'];
+const ALL_ENHANCEMENTS: EnhancementKind[] = ['password', 'omit', 'policy', 'validation', 'delegate', 'encrypted'];
 
 /**
  * Options for {@link createEnhancement}
@@ -100,6 +101,7 @@ export function createEnhancement<DbClient extends object>(
     }
 
     const hasPassword = allFields.some((field) => field.attributes?.some((attr) => attr.name === '@password'));
+    const hasEncrypted = allFields.some((field) => field.attributes?.some((attr) => attr.name === '@encrypted'));
     const hasOmit = allFields.some((field) => field.attributes?.some((attr) => attr.name === '@omit'));
     const hasDefaultAuth = allFields.some((field) => field.defaultValueProvider);
     const hasTypeDefField = allFields.some((field) => field.isTypeDef);
@@ -120,13 +122,18 @@ export function createEnhancement<DbClient extends object>(
         }
     }
 
-    // password enhancement must be applied prior to policy because it changes then length of the field
+    // password and encrypted enhancement must be applied prior to policy because it changes then length of the field
     // and can break validation rules like `@length`
     if (hasPassword && kinds.includes('password')) {
         // @password proxy
         result = withPassword(result, options);
     }
 
+    if (hasEncrypted && kinds.includes('encrypted')) {
+        // @encrypted proxy
+        result = withEncrypted(result, options);
+    }
+
     // 'policy' and 'validation' enhancements are both enabled by `withPolicy`
     if (kinds.includes('policy') || kinds.includes('validation')) {
         result = withPolicy(result, options, context);

packages/runtime/src/enhancements/node/encrypted.ts

@@ -0,0 +1,141 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/no-unused-vars */
+
+import { NestedWriteVisitor, enumerate, getModelFields, resolveField, type PrismaWriteActionType } from '../../cross';
+import { DbClientContract } from '../../types';
+import { InternalEnhancementOptions } from './create-enhancement';
+import { DefaultPrismaProxyHandler, PrismaProxyActions, makeProxy } from './proxy';
+import { QueryUtils } from './query-utils';
+
+/**
+ * Gets an enhanced Prisma client that supports `@encrypted` attribute.
+ *
+ * @private
+ */
+export function withEncrypted<DbClient extends object = any>(
+    prisma: DbClient,
+    options: InternalEnhancementOptions
+): DbClient {
+    return makeProxy(
+        prisma,
+        options.modelMeta,
+        (_prisma, model) => new EncryptedHandler(_prisma as DbClientContract, model, options),
+        'encrypted'
+    );
+}
+
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+
+const getKey = async (secret: string): Promise<CryptoKey> => {
+    return crypto.subtle.importKey('raw', encoder.encode(secret).slice(0, 32), 'AES-GCM', false, [
+        'encrypt',
+        'decrypt',
+    ]);
+};
+const encryptFunc = async (data: string, secret: string): Promise<string> => {
+    const key = await getKey(secret);
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+
+    const encrypted = await crypto.subtle.encrypt(
+        {
+            name: 'AES-GCM',
+            iv,
+        },
+        key,
+        encoder.encode(data)
+    );
+
+    // Combine IV and encrypted data into a single array of bytes
+    const bytes = [...iv, ...new Uint8Array(encrypted)];
+
+    // Convert bytes to base64 string
+    return btoa(String.fromCharCode(...bytes));
+};
+
+const decryptFunc = async (encryptedData: string, secret: string): Promise<string> => {
+    const key = await getKey(secret);
+
+    // Convert base64 back to bytes
+    const bytes = Uint8Array.from(atob(encryptedData), (c) => c.charCodeAt(0));
+
+    // First 12 bytes are IV, rest is encrypted data
+    const decrypted = await crypto.subtle.decrypt(
+        {
+            name: 'AES-GCM',
+            iv: bytes.slice(0, 12),
+        },
+        key,
+        bytes.slice(12)
+    );
+
+    return decoder.decode(decrypted);
+};
+
+class EncryptedHandler extends DefaultPrismaProxyHandler {
+    private queryUtils: QueryUtils;
+
+    constructor(prisma: DbClientContract, model: string, options: InternalEnhancementOptions) {
+        super(prisma, model, options);
+
+        this.queryUtils = new QueryUtils(prisma, options);
+    }
+
+    // base override
+    protected async preprocessArgs(action: PrismaProxyActions, args: any) {
+        const actionsOfInterest: PrismaProxyActions[] = ['create', 'createMany', 'update', 'updateMany', 'upsert'];
+        if (args && args.data && actionsOfInterest.includes(action)) {
+            await this.preprocessWritePayload(this.model, action as PrismaWriteActionType, args);
+        }
+        return args;
+    }
+
+    // base override
+    protected async processResultEntity<T>(method: PrismaProxyActions, data: T): Promise<T> {
+        if (!data || typeof data !== 'object') {
+            return data;
+        }
+
+        for (const value of enumerate(data)) {
+            await this.doPostProcess(value, this.model);
+        }
+
+        return data;
+    }
+
+    private async doPostProcess(entityData: any, model: string) {
+        const realModel = this.queryUtils.getDelegateConcreteModel(model, entityData);
+
+        for (const field of getModelFields(entityData)) {
+            const fieldInfo = await resolveField(this.options.modelMeta, realModel, field);
+
+            if (!fieldInfo) {
+                continue;
+            }
+
+            const shouldDecrypt = fieldInfo.attributes?.find((attr) => attr.name === '@encrypted');
+            if (shouldDecrypt) {
+                const descryptSecret = shouldDecrypt.args.find((arg) => arg.name === 'secret')?.value as string;
+
+                entityData[field] = await decryptFunc(entityData[field], descryptSecret);
+            }
+        }
+    }
+
+    private async preprocessWritePayload(model: string, action: PrismaWriteActionType, args: any) {
+        const visitor = new NestedWriteVisitor(this.options.modelMeta, {
+            field: async (field, _action, data, context) => {
+                const encAttr = field.attributes?.find((attr) => attr.name === '@encrypted');
+                if (encAttr && field.type === 'String') {
+                    // encrypt value
+
+                    const secret: string = encAttr.args.find((arg) => arg.name === 'secret')?.value as string;
+
+                    context.parent[field.name] = await encryptFunc(data, secret);
+                }
+            },
+        });
+
+        await visitor.visit(model, action, args);
+    }
+}

packages/runtime/src/types.ts

@@ -145,7 +145,7 @@ export type EnhancementContext<User extends AuthUser = AuthUser> = {
 /**
  * Kinds of enhancements to `PrismaClient`
  */
-export type EnhancementKind = 'password' | 'omit' | 'policy' | 'validation' | 'delegate';
+export type EnhancementKind = 'password' | 'omit' | 'policy' | 'validation' | 'delegate' | 'encrypted';
 
 /**
  * Function for transforming errors.

packages/schema/src/res/stdlib.zmodel

@@ -552,6 +552,14 @@ attribute @@auth() @@@supportTypeDef
  */
 attribute @password(saltLength: Int?, salt: String?) @@@targetField([StringField])
 
+
+/**
+ * Indicates that the field is encrypted when storing in the DB and should be decrypted when read
+ * 
+ * ZenStack uses the Web Crypto API to encrypt and decrypt the field. 
+ */
+attribute @encrypted(secret: String) @@@targetField([StringField])
+
 /**
  * Indicates that the field should be omitted when read from the generated services.
  */

tests/integration/tests/enhancements/with-encrypted/with-encrypted.test.ts

@@ -0,0 +1,44 @@
+import { loadSchema } from '@zenstackhq/testtools';
+import path from 'path';
+
+describe('Encrypted test', () => {
+    let origDir: string;
+
+    beforeAll(async () => {
+        origDir = path.resolve('.');
+    });
+
+    afterEach(async () => {
+        process.chdir(origDir);
+    });
+
+    it('encrypted tests', async () => {
+        const ENCRYPTION_KEY = 'c558Gq0YQK2QcqtkMF9BGXHCQn4dMF8w';
+
+        const { enhance } = await loadSchema(`
+    model User {
+        id String @id @default(cuid())
+        encrypted_value String @encrypted(secret: "${ENCRYPTION_KEY}")
+
+        @@allow('all', true)
+    }`);
+
+        const db = enhance();
+
+        const create = await db.user.create({
+            data: {
+                id: '1',
+                encrypted_value: 'abc123',
+            },
+        });
+
+        const read = await db.user.findUnique({
+            where: {
+                id: '1',
+            },
+        });
+
+        expect(create.encrypted_value).toBe('abc123');
+        expect(read.encrypted_value).toBe('abc123');
+    });
+});