Mastercard
diff --git a/‎README.md‎
Lines changed: 32 additions & 27 deletions b/‎README.md‎
Lines changed: 32 additions & 27 deletions
diff --git a/‎lib/mcapi/fle/field-level-encryption.js‎
Lines changed: 85 additions & 32 deletions b/‎lib/mcapi/fle/field-level-encryption.js‎
Lines changed: 85 additions & 32 deletions
diff --git a/‎lib/mcapi/utils/utils.js‎
Lines changed: 40 additions & 10 deletions b/‎lib/mcapi/utils/utils.js‎
Lines changed: 40 additions & 10 deletions
diff --git a/‎test/crypto.test.js‎
Lines changed: 14 additions & 0 deletions b/‎test/crypto.test.js‎
Lines changed: 14 additions & 0 deletions
@@ -97,22 +97,24 @@ const config = {
       path: "/resource",
       toEncrypt: [
         {
-          /* path to element to be encrypted in request object */
+          /* path to element to be encrypted in request json body */
           element: "path.to.foo",
-          /* path to object where to store encryption fields in request object */
+          /* path to object where to store encryption fields in request json body */
           obj: "path.to.encryptedFoo"
         }],
       toDecrypt: [
         {
-          element: "path.to.foo",
-          obj: "path.to.encryptedFoo"
+          /* path to element where to store decrypted fields in response object */
+          element: "path.to.encryptedFoo",
+          /* path to object with encryption fields */
+          obj: "path.to.foo"
         }
       ]
     }
   ],
   ivFieldName: 'iv',
   encryptedKeyFieldName: 'encryptedKey',
-  encryptedValueFieldName: 'encryptedValue',
+  encryptedValueFieldName: 'encryptedData',
   dataEncoding: 'hex',
   encryptionCertificate: "./path/to/public.cert"
   oaepPaddingDigestAlgorithm: 'SHA-256',
@@ -139,8 +141,8 @@ const string payload =
   "path": {
     "to": {
       "foo": {
-        "sensitiveField1": "sensitiveValue1",
-        "sensitiveField2": "sensitiveValue2"
+        "sensitive": "this is a secret!",
+        "sensitive2": "this is a super-secret!"
       }
     }
   }
@@ -153,15 +155,17 @@ Output:
 
 ```json
 {
-    "path": {
-        "to": {
-            "encryptedFoo": {
-                "iv": "7f1105fb0c684864a189fb3709ce3d28",
-                "encryptedKey": "67f467d1b653d98411a0c6d3c(...)ffd4c09dd42f713a51bff2b48f937c8",
-                "encryptedValue": "b73aabd267517fc09ed72455c2(...)dffb5fa04bf6e6ce9ade1ff514ed6141"
-            }
-        }
+  "path": {
+    "to": {
+      "encryptedFoo": {
+        "iv": "7f1105fb0c684864a189fb3709ce3d28",
+        "encryptedKey": "67f467d1b653d98411a0c6d3c(...)ffd4c09dd42f713a51bff2b48f937c8",
+        "encryptedData": "b73aabd267517fc09ed72455c2(...)dffb5fa04bf6e6ce9ade1ff514ed6141",
+        "publicKeyFingerprint": "80810fc13a8319fcf0e2e(...)82cc3ce671176343cfe8160c2279",
+        "oaepHashingAlgorithm": "SHA256"
+      }
     }
+  }
 }
 ```
 
@@ -186,28 +190,29 @@ response.body =
       "encryptedFoo": {
         "iv": "e5d313c056c411170bf07ac82ede78c9",
         "encryptedKey": "e3a56746c0f9109d18b3a2652b76(...)f16d8afeff36b2479652f5c24ae7bd",
-        "encryptedValue": "809a09d78257af5379df0c454dcdf(...)353ed59fe72fd4a7735c69da4080e74f"
+        "encryptedData": "809a09d78257af5379df0c454dcdf(...)353ed59fe72fd4a7735c69da4080e74f",
+        "oaepHashingAlgorithm": "SHA256",
+        "publicKeyFingerprint": "80810fc13a8319fcf0e2e(...)3ce671176343cfe8160c2279"
       }
     }
   }
 };
 const fle = new require('mastercard-client-encryption').FieldLevelEncryption(config);
 let responsePayload = fle.decrypt(response);
-console.log(responsePayload);
 ```
 
 Output:
 
 ```json
 {
-    "path": {
-        "to": {
-            "foo": {
-                "sensitiveField1": "sensitiveValue1",
-                "sensitiveField2": "sensitiveValue2"
-            }
-        }
+  "path": {
+    "to": {
+      "foo": {
+        "sensitive": "this is a secret",
+        "sensitive2": "this is a super secret!"
+      }
     }
+  }
 }
 ```
 
@@ -236,15 +241,15 @@ See also:
 
 To use it:
 
-1. Generate the OpenAPI client, as (above)[#openapi-generator]
+1. Generate the OpenAPI client, as [above](#openapi-generator)
 
 2. Import the **mastercard-client-encryption** library
 
    ```js
    const mcapi = require('mastercard-client-encryption');
    ```
 
-3. Import the OpenAPI Client using our decorator object:
+3. Import the OpenAPI Client using the `Service` decorator object:
 
    ```js
    const openAPIClient = require('./path/to/generated/openapi/client');
@@ -262,7 +267,7 @@ To use it:
    let merchant = /* ... */
    api.createMerchants(merchant, (error, data, response) => {
      // requests and responses will be automatically encrypted and decrypted
-     // accordingly to the configuration used to instantiate the mcapi.Service.
+     // accordingly with the configuration used to instantiate the mcapi.Service.
 
      /* use response/data object here */
    });
 
@@ -14,6 +14,8 @@ function FieldLevelEncryption(config) {
   this.config = config;
   this.crypto = new Crypto(config);
   this.isWithHeader = config.hasOwnProperty("ivHeaderName") && config.hasOwnProperty("encryptedKeyHeaderName");
+  this.encryptionResponseProperties = [this.config.ivFieldName, this.config.encryptedKeyFieldName,
+    this.config.publicKeyFingerprintFieldName, this.config.oaepHashingAlgorithmFieldName];
 }
 
 /**
@@ -83,18 +85,12 @@ function encrypt(endpoint, header, body) {
   if (fleConfig) {
     if (!this.isWithHeader) {
       fleConfig.toEncrypt.forEach((v) => {
-        let elem = elemFromPath(v.element, body).node;
-        let encryptedData = this.crypto.encryptData({data: elem});
-        utils.mutateObjectProperty(v.obj,
-          encryptedData,
-          body);
+        encryptBody.call(this, v, body);
       });
     } else {
       let encParams = this.crypto.newEncryptionParams({});
       fleConfig.toEncrypt.forEach((v) => {
-        let elem = elemFromPath(v.element, body).node;
-        let encrypted = this.crypto.encryptData({data: elem}, encParams);
-        body = {[v.obj]: {[this.config.encryptedValueFieldName]: encrypted[this.config.encryptedValueFieldName]}};
+        body = encryptWithHeader.call(this, encParams, v, body);
       });
       setHeader.call(this, header, encParams);
     }
@@ -118,37 +114,94 @@ function decrypt(response) {
   if (fleConfig) {
     if (!this.isWithHeader) {
       fleConfig.toDecrypt.forEach((v) => {
-        const elemEncryptedNode = elemFromPath(v.element, body);
-        if (elemEncryptedNode) {
-          // TODO v.obj could have sub-tree
-          ((v.obj) ? body[v.obj] : body)[this.config.encryptedValueFieldName] = this.crypto.decryptData(
-            elemEncryptedNode.node, // encrypted data
-            elemEncryptedNode.parent[this.config.ivFieldName], // iv field
-            elemEncryptedNode.parent[this.config.oaepHashingAlgorithmFieldName], // oaepHashingAlgorithm
-            elemEncryptedNode.parent[this.config.encryptedKeyFieldName] // encryptedKey
-          );
-        }
+        decryptBody.call(this, v, body);
       });
     } else {
       fleConfig.toDecrypt.forEach((v) => {
-        const elemEncryptedNode = elemFromPath(v.element, body);
-        if (elemEncryptedNode.node[v.obj]) {
-          const encryptedData = elemEncryptedNode.node[v.obj][this.config.encryptedValueFieldName];
-          for (let k in body) {
-            // noinspection JSUnfilteredForInLoop
-            delete body[k];
-          }
-          Object.assign(body, this.crypto.decryptData(
-            encryptedData,
-            response.header[this.config.ivHeaderName],
-            response.header[this.config.oaepHashingAlgorithmHeaderName],
-            response.header[this.config.encryptedKeyHeaderName]
-          ));
-        }
+        decryptWithHeader.call(this, v, body, response);
       });
     }
   }
   return body;
 }
 
+/**
+ * Encrypt body nodes inplace with given path
+ *
+ * @private
+ * @param path Config json path
+ * @param body Body to encrypt
+ */
+function encryptBody(path, body) {
+  let elem = elemFromPath(path.element, body);
+  let encryptedData = this.crypto.encryptData({data: elem.node});
+  utils.mutateObjectProperty(path.obj,
+    encryptedData,
+    body);
+  // delete encrypted field if not overridden
+  if (path.element !== path.obj + "." + this.config.encryptedValueFieldName) {
+    utils.deleteNode(path.element, body);
+  }
+}
+
+/**
+ * Encrypt body nodes inplace with given path, without setting crypto info in the body
+ *
+ * @private
+ * @param encParams encoding params to use
+ * @param path Config json path
+ * @param body body to encrypt
+ * @returns {Object} Encrypted body
+ */
+function encryptWithHeader(encParams, path, body) {
+  let elem = elemFromPath(path.element, body).node;
+  let encrypted = this.crypto.encryptData({data: elem}, encParams);
+  return {[path.obj]: {[this.config.encryptedValueFieldName]: encrypted[this.config.encryptedValueFieldName]}};
+}
+
+/**
+ * Decrypt body nodes inplace with given path
+ *
+ * @private
+ * @param path Config json path
+ * @param body encrypted body
+ */
+function decryptBody(path, body) {
+  const elem = elemFromPath(path.element, body);
+  if (elem && elem.node) {
+    let decryptedObj = this.crypto.decryptData(
+      elem.node[this.config.encryptedValueFieldName], // encrypted data
+      elem.node[this.config.ivFieldName], // iv field
+      elem.node[this.config.oaepHashingAlgorithmFieldName], // oaepHashingAlgorithm
+      elem.node[this.config.encryptedKeyFieldName] // encryptedKey
+    );
+    utils.mutateObjectProperty(path.obj, decryptedObj, body, path.element, this.encryptionResponseProperties);
+  }
+}
+
+/**
+ * Decrypt body nodes inplace with given path, getting crypto info from the header
+ *
+ * @private
+ * @param path Config json path
+ * @param body encrypted body
+ * @param response Response with header to update
+ */
+function decryptWithHeader(path, body, response) {
+  const elemEncryptedNode = elemFromPath(path.obj, body);
+  if (elemEncryptedNode.node[path.element]) {
+    const encryptedData = elemEncryptedNode.node[path.element][this.config.encryptedValueFieldName];
+    for (let k in body) {
+      // noinspection JSUnfilteredForInLoop
+      delete body[k];
+    }
+    Object.assign(body, this.crypto.decryptData(
+      encryptedData,
+      response.header[this.config.ivHeaderName],
+      response.header[this.config.oaepHashingAlgorithmHeaderName],
+      response.header[this.config.encryptedKeyHeaderName]
+    ));
+  }
+}
+
 module.exports = FieldLevelEncryption;
@@ -76,28 +76,58 @@ module.exports.jsonToString = function (data) {
   }
 };
 
-module.exports.mutateObjectProperty = function (path, value, obj) {
+module.exports.mutateObjectProperty = function (path, value, obj, srcPath, properties) {
   let tmp = obj;
   let prev = null;
-  let paths = path.split(".");
-  paths.forEach((e) => {
-    if (tmp.hasOwnProperty(e)) {
+  if (path) {
+    if (srcPath !== null && srcPath !== undefined) {
+      this.deleteNode(srcPath, obj, properties); // delete src
+    }
+    let paths = path.split(".");
+    paths.forEach((e) => {
+      if (!tmp.hasOwnProperty(e)) {
+        tmp[e] = {};
+      }
       prev = tmp;
       tmp = tmp[e];
-    }
-  });
-  let elem = path.split(".").pop();
-  if (prev && prev.hasOwnProperty(elem)) {
-    if (typeof value === 'object') {
+    });
+    let elem = path.split(".").pop();
+    if (typeof value === 'object' && !(value instanceof Array)) { // decrypted value
+      if (typeof prev[elem] !== 'object') {
+        prev[elem] = {};
+      }
       overrideProperties(prev[elem], value);
     } else {
       prev[elem] = value;
     }
   }
 };
 
+module.exports.deleteNode = function (path, obj, properties) {
+  properties = properties || [];
+  let prev = obj;
+  if (path !== null && path !== undefined && obj !== null && obj !== undefined) {
+    let paths = path.split('.');
+    let toDelete = paths[paths.length - 1];
+    paths.forEach((e, index) => {
+      prev = obj;
+      if (obj.hasOwnProperty(e)) {
+        obj = obj[e];
+        if (obj && index === paths.length - 1) {
+          delete prev[toDelete];
+        }
+      }
+    });
+    if (paths.length === 1 && paths[0] === "") {
+      properties.forEach((e) => {
+        delete obj[e];
+      });
+    }
+  }
+};
+
 function overrideProperties(target, obj) {
   for (let k in obj) {
     target[k] = obj[k];
   }
-}
+};
@@ -289,6 +289,10 @@ describe("Crypto", () => {
 
   describe("#computePublicFingerprint", () => {
     let computePublicFingerprint = Crypto.__get__("computePublicFingerprint");
+    let crypto;
+    before(() => {
+      crypto = new Crypto(testConfig);
+    });
 
     it("not valid config", () => {
       assert.ok(!computePublicFingerprint());
@@ -298,6 +302,16 @@ describe("Crypto", () => {
       assert.ok(!computePublicFingerprint({}));
     });
 
+    it("compute public fingerprint: certificate", () => {
+      assert.ok("80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279",
+        computePublicFingerprint.call(crypto, {publicKeyFingerprintType: "certificate"}));
+    });
+
+    it("compute public fingerprint: publicKey", () => {
+      assert.ok("80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279",
+        computePublicFingerprint.call(crypto, {publicKeyFingerprintType: "publicKey"}));
+    });
+
   });
 
 });