Fix AI Gateway logpush decryption tutorial (#17578)

Author: G4brym

src/content/docs/ai-gateway/observability/logging/logpush.mdx

@@ -13,14 +13,24 @@ You can toggle Logpush on and off in the [Cloudflare dashboard](https://dash.clo
 
 This guide explains how to set up Logpush for AI Gateway, generate an RSA key pair for encryption, and decrypt the logs once they are received.
 
-You can store up to 10 million logs per gateway. If your limit is reached, new logs will stop being saved and will not be exported through Logpush. To continue saving and exporting logs, you must delete older logs to free up space for new logs. Logpush has a limit of 4 jobs. 
+You can store up to 10 million logs per gateway. If your limit is reached, new logs will stop being saved and will not be exported through Logpush. To continue saving and exporting logs, you must delete older logs to free up space for new logs. Logpush has a limit of 4 jobs.
 
 :::note[Note]
 
 To export logs using Logpush, you must have logs turned on for the gateway.
 
 :::
 
+## How logs are encrypted
+
+We employ a hybrid encryption model efficiency and security. Initially, an AES key is generated for each log. This AES key is what actually encrypts the bulk of your data, chosen for its speed and security in handling large datasets efficiently.
+
+Now, for securely sharing this AES key, we use RSA encryption. Here's what happens: the AES key, although lightweight, needs to be transmitted securely to the recipient. We encrypt this key with the recipient's RSA public key. This step leverages RSA's strength in secure key distribution, ensuring that only someone with the corresponding RSA private key can decrypt and use the AES key.
+
+Once encrypted, both the AES-encrypted data and the RSA-encrypted AES key are sent together. Upon arrival, the recipient's system uses the RSA private key to decrypt the AES key. With the AES key now accessible, it's straightforward to decrypt the main data payload.
+
+This method combines the best of both worlds: the efficiency of AES for data encryption with the secure key exchange capabilities of RSA, ensuring data integrity, confidentiality, and performance are all optimally maintained throughout the data lifecycle.
+
 ## Setting up Logpush
 
 To configure Logpush for AI Gateway, follow these steps:
@@ -57,7 +67,7 @@ node {file name}
 
 ## 2. Upload public key to gateway settings
 
-Once you have generated the key pair, upload the public key to your AI Gateway settings. This key will be used to encrypt your logs. In order to enable Logpush, you will need logs enabled for that gateway. 
+Once you have generated the key pair, upload the public key to your AI Gateway settings. This key will be used to encrypt your logs. In order to enable Logpush, you will need logs enabled for that gateway.
 
 ## 3. Set up Logpush
 
@@ -69,49 +79,98 @@ After configuring Logpush, logs will be sent encrypted using the public key you
 
 ## 5. Decrypt logs
 
-To decrypt the encrypted log bodies and metadata from AI Gateway, you can use the following Node.js script:
+To decrypt the encrypted log bodies and metadata from AI Gateway, download the logs to a folder, in this case its named `my_log.log.gz`.
+
+Then copy this javascript file into the same folder and place your private key in the top variable.
 
 ```js title="JavaScript"
-const privateKey = `-----BEGIN RSA PRIVATE KEY-----
+const privateKeyStr = `-----BEGIN RSA PRIVATE KEY-----
 ....
 -----END RSA PRIVATE KEY-----`;
 
 const crypto = require("crypto");
-const key = crypto.createPrivateKey(privateKey);
+const privateKey = crypto.createPrivateKey(privateKeyStr);
 
 const fs = require("fs");
 const zlib = require("zlib");
 const readline = require("readline");
 
-function decryptBase64(key, string) {
-	const decryptedData = crypto.privateDecrypt(
-		{
-			key: key,
-			oaepHash: "SHA256",
-		},
-		Buffer.from(string, "base64"),
-	);
+async function importAESGCMKey(keyBuffer) {
+    try {
+        // Ensure the key length is valid for AES
+        if ([128, 192, 256].includes(256)) {
+            return await crypto.webcrypto.subtle.importKey(
+                'raw',
+                keyBuffer,
+                {
+                    name: 'AES-GCM',
+                    length: 256
+                },
+                true, // Whether the key is extractable (true in this case to allow for export later if needed)
+                ['encrypt', 'decrypt'] // Use for encryption and decryption
+            );
+        } else {
+            throw new Error('Invalid AES key length. Must be 128, 12, or 256 bits.');
+        }
+    } catch (error) {
+        console.error('Failed to import key:', error);
+        throw error;
+    }
+}
 
-	return decryptedData.toString();
+async function decryptData(encryptedData, aesKey, iv) {
+    const decryptedData = await crypto.subtle.decrypt(
+        {name: "AES-GCM", iv: iv},
+        aesKey,
+        encryptedData
+    );
+    return new TextDecoder().decode(decryptedData);
 }
 
-let lineReader = readline.createInterface({
-	input: fs.createReadStream("my_log.log.gz").pipe(zlib.createGunzip()),
-});
+async function decryptBase64(privateKey, data) {
+    if (data.key === undefined) {
+        return data
+    }
+
+    const aesKeyBuf = crypto.privateDecrypt(
+        {
+            key: privateKey,
+            oaepHash: "SHA256",
+        },
+        Buffer.from(data.key, "base64"),
+    );
+    const aesKey = await importAESGCMKey(aesKeyBuf)
+
+    const decryptedData = await decryptData(
+        Buffer.from(data.data, "base64"),
+        aesKey,
+        Buffer.from(data.iv, "base64")
+    )
+
+    return decryptedData.toString();
+}
 
-lineReader.on("line", (line) => {
-	line = JSON.parse(line);
+async function run() {
+    let lineReader = readline.createInterface({
+        input: fs.createReadStream("my_log.log.gz").pipe(zlib.createGunzip()),
+    });
 
-	const { Metadata, RequestBody, ResponseBody, ...remaining } = line;
+    lineReader.on("line", async (line) => {
+        line = JSON.parse(line);
 
-	console.log({
-		...remaining,
-		Metadata: decryptBase64(key, Metadata.data),
-		RequestBody: decryptBase64(key, RequestBody.data),
-		ResponseBody: decryptBase64(key, ResponseBody.data),
-	});
-	console.log("--");
-});
+        const {Metadata, RequestBody, ResponseBody, ...remaining} = line;
+
+        console.log({
+            ...remaining,
+            Metadata: await decryptBase64(privateKey, Metadata),
+            RequestBody: await decryptBase64(privateKey, RequestBody),
+            ResponseBody: await decryptBase64(privateKey, ResponseBody),
+        });
+        console.log("--");
+    });
+}
+
+run()
 ```
 
 Run the script by executing the below code on your terminal. Replace `file name` with the name of your JavaScript file.