@apolitical/server 3.0.1 → 4.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@apolitical/server",
|
|
3
|
-
"version": "
|
|
3
|
+
"version": "4.1.0",
|
|
4
4
|
"description": "Node.js module to encapsulate Apolitical's express server setup",
|
|
5
5
|
"author": "Apolitical Group Limited <engineering@apolitical.co>",
|
|
6
6
|
"license": "MIT",
|
|
@@ -15,8 +15,7 @@
|
|
|
15
15
|
"lint": "eslint --ext .js ./src",
|
|
16
16
|
"format": "prettier --write 'src/**/*.+(js|json)'",
|
|
17
17
|
"lint-format": "lint-staged",
|
|
18
|
-
"audit": "audit-ci -h"
|
|
19
|
-
"prepare": "cd ../../../../ && husky install backend/modules/v1/apolitical-server/.husky"
|
|
18
|
+
"audit": "audit-ci -h"
|
|
20
19
|
},
|
|
21
20
|
"keywords": [
|
|
22
21
|
"Backend",
|
|
@@ -25,7 +24,16 @@
|
|
|
25
24
|
],
|
|
26
25
|
"dependencies": {
|
|
27
26
|
"@apolitical/logger": "2.1.0",
|
|
27
|
+
"@google-cloud/secret-manager": "5.6.0",
|
|
28
28
|
"@cloudnative/health-connect": "2.1.0",
|
|
29
|
+
"@opentelemetry/api": "1.9.0",
|
|
30
|
+
"@opentelemetry/auto-instrumentations-node": "0.57.1",
|
|
31
|
+
"@opentelemetry/exporter-trace-otlp-grpc": "0.200.0",
|
|
32
|
+
"@opentelemetry/resources": "2.0.0",
|
|
33
|
+
"@opentelemetry/sdk-metrics": "2.0.0",
|
|
34
|
+
"@opentelemetry/sdk-node": "0.200.0",
|
|
35
|
+
"@opentelemetry/sdk-trace-node": "2.0.0",
|
|
36
|
+
"@opentelemetry/semantic-conventions": "1.30.0",
|
|
29
37
|
"awilix": "8.0.0",
|
|
30
38
|
"body-parser": "1.20.1",
|
|
31
39
|
"compression": "1.7.4",
|
|
@@ -52,7 +60,6 @@
|
|
|
52
60
|
"@apolitical/eslint-config": "2.1.0",
|
|
53
61
|
"@apolitical/testing": "2.1.0",
|
|
54
62
|
"audit-ci": "6.6.0",
|
|
55
|
-
"husky": "8.0.3",
|
|
56
63
|
"lint-staged": "13.1.0",
|
|
57
64
|
"mock-jwks": "1.0.9",
|
|
58
65
|
"nock": "13.2.9"
|
package/src/container.js
CHANGED
|
@@ -36,11 +36,13 @@ const jwtEncodeHelper = require('./helpers/jwt/encode.helper');
|
|
|
36
36
|
const jwtPassportHelper = require('./helpers/jwt/passport.helper');
|
|
37
37
|
const loggerHelper = require('./helpers/logger.helper');
|
|
38
38
|
const requestHelper = require('./helpers/request.helper');
|
|
39
|
+
const impersonationHelper = require('./helpers/impersonation.helper');
|
|
39
40
|
// Loaders
|
|
40
41
|
const documentationLoader = require('./loaders/documentation.loader');
|
|
41
42
|
const expressLoader = require('./loaders/express.loader');
|
|
42
43
|
const loggerLoader = require('./loaders/logger.loader');
|
|
43
44
|
const middlewaresLoader = require('./loaders/middlewares.loader');
|
|
45
|
+
const otelLoader = require('./loaders/otel.loader');
|
|
44
46
|
const probesLoader = require('./loaders/probes.loader');
|
|
45
47
|
const fallbackLoader = require('./loaders/fallback.loader');
|
|
46
48
|
// Middleware
|
|
@@ -54,6 +56,7 @@ const expressService = require('./services/express.service');
|
|
|
54
56
|
const healthService = require('./services/health.service');
|
|
55
57
|
const jwtService = require('./services/jwt.service');
|
|
56
58
|
const serverService = require('./services/server.service');
|
|
59
|
+
const secretsService = require('./services/secrets.service');
|
|
57
60
|
|
|
58
61
|
// DI container
|
|
59
62
|
const container = createContainer();
|
|
@@ -93,11 +96,13 @@ container.register({
|
|
|
93
96
|
jwtPassportHelper: asFunction(jwtPassportHelper).singleton(),
|
|
94
97
|
loggerHelper: asFunction(loggerHelper).singleton(),
|
|
95
98
|
requestHelper: asFunction(requestHelper).singleton(),
|
|
99
|
+
impersonationHelper: asFunction(impersonationHelper).singleton(),
|
|
96
100
|
// Loaders
|
|
97
101
|
documentationLoader: asFunction(documentationLoader).singleton(),
|
|
98
102
|
expressLoader: asFunction(expressLoader).singleton(),
|
|
99
103
|
loggerLoader: asFunction(loggerLoader).singleton(),
|
|
100
104
|
middlewaresLoader: asFunction(middlewaresLoader).singleton(),
|
|
105
|
+
otelLoader: asFunction(otelLoader).singleton(),
|
|
101
106
|
probesLoader: asFunction(probesLoader).singleton(),
|
|
102
107
|
fallbackLoader: asFunction(fallbackLoader).singleton(),
|
|
103
108
|
// Middlewares
|
|
@@ -111,6 +116,7 @@ container.register({
|
|
|
111
116
|
healthService: asFunction(healthService).singleton(),
|
|
112
117
|
jwtService: asFunction(jwtService).singleton(),
|
|
113
118
|
serverService: asFunction(serverService).singleton(),
|
|
119
|
+
secretsService: asFunction(secretsService).singleton(),
|
|
114
120
|
});
|
|
115
121
|
|
|
116
122
|
module.exports = container;
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
/**
|
|
4
|
+
* Helpers for Application Default Credentials (ADC) impersonation detection.
|
|
5
|
+
*
|
|
6
|
+
* These utilities do not acquire credentials; they only surface intent
|
|
7
|
+
* based on environment variables so applications can log and enforce policy.
|
|
8
|
+
*/
|
|
9
|
+
|
|
10
|
+
/**
|
|
11
|
+
* Returns the target service account to impersonate if configured via env.
|
|
12
|
+
* GOOGLE_IMPERSONATE_SERVICE_ACCOUNT is respected by Google client libraries
|
|
13
|
+
* when acquiring credentials via ADC.
|
|
14
|
+
* @returns {string|null}
|
|
15
|
+
*/
|
|
16
|
+
function getImpersonationTarget() {
|
|
17
|
+
const target = process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'];
|
|
18
|
+
return target && target.trim().length > 0 ? target.trim() : null;
|
|
19
|
+
}
|
|
20
|
+
|
|
21
|
+
/**
|
|
22
|
+
* Whether impersonation is enabled for the current process.
|
|
23
|
+
* @returns {boolean}
|
|
24
|
+
*/
|
|
25
|
+
function isImpersonationEnabled() {
|
|
26
|
+
return getImpersonationTarget() !== null;
|
|
27
|
+
}
|
|
28
|
+
|
|
29
|
+
/**
|
|
30
|
+
* Produce a safe log payload for audit visibility.
|
|
31
|
+
* @returns {{ targetServiceAccount: string } | {}}
|
|
32
|
+
*/
|
|
33
|
+
function impersonationLogContext() {
|
|
34
|
+
const target = getImpersonationTarget();
|
|
35
|
+
return target ? { targetServiceAccount: target } : {};
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
module.exports = () => ({
|
|
39
|
+
getImpersonationTarget,
|
|
40
|
+
isImpersonationEnabled,
|
|
41
|
+
impersonationLogContext,
|
|
42
|
+
});
|
package/src/index.js
CHANGED
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const { NodeSDK } = require('@opentelemetry/sdk-node');
|
|
4
|
+
const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-grpc');
|
|
5
|
+
const { getNodeAutoInstrumentations } = require('@opentelemetry/auto-instrumentations-node');
|
|
6
|
+
const { resourceFromAttributes } = require('@opentelemetry/resources');
|
|
7
|
+
const { ATTR_SERVICE_NAME } = require('@opentelemetry/semantic-conventions');
|
|
8
|
+
|
|
9
|
+
module.exports = ({ logger }) => {
|
|
10
|
+
return async function load() {
|
|
11
|
+
const otlpHost = process.env.OPENTELEMETRY_COLLECTOR_SERVICE_HOST;
|
|
12
|
+
const otlpPort = process.env.OPENTELEMETRY_COLLECTOR_SERVICE_PORT;
|
|
13
|
+
if (!otlpHost || !otlpPort) {
|
|
14
|
+
return;
|
|
15
|
+
}
|
|
16
|
+
const oltpEndpoint = `http://${otlpHost}:${otlpPort}`;
|
|
17
|
+
const serviceName = process.env.CONTAINER_NAME || 'unknown-v1-service';
|
|
18
|
+
const sdk = new NodeSDK({
|
|
19
|
+
resource: resourceFromAttributes({
|
|
20
|
+
[ATTR_SERVICE_NAME]: serviceName,
|
|
21
|
+
}),
|
|
22
|
+
traceExporter: new OTLPTraceExporter({ url: oltpEndpoint }),
|
|
23
|
+
instrumentations: [getNodeAutoInstrumentations()],
|
|
24
|
+
});
|
|
25
|
+
sdk.start();
|
|
26
|
+
const log = logger.where(__filename, 'load');
|
|
27
|
+
log.info(`OpenTelemetry SDK started with service name ${serviceName} and endpoint ${oltpEndpoint}`);
|
|
28
|
+
|
|
29
|
+
process.on('SIGTERM', async () => {
|
|
30
|
+
await sdk.shutdown();
|
|
31
|
+
process.exit(0);
|
|
32
|
+
});
|
|
33
|
+
};
|
|
34
|
+
};
|
|
@@ -0,0 +1,110 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
|
|
4
|
+
|
|
5
|
+
const DEV_DEFAULTS = {
|
|
6
|
+
projectId: 'hazel-tea-194609',
|
|
7
|
+
impersonateAccount: 'development-platform@hazel-tea-194609.iam.gserviceaccount.com',
|
|
8
|
+
};
|
|
9
|
+
|
|
10
|
+
/**
|
|
11
|
+
* GCP Secret Manager service for loading secrets at runtime.
|
|
12
|
+
* Uses Application Default Credentials (ADC) with service account impersonation
|
|
13
|
+
* for local development.
|
|
14
|
+
*/
|
|
15
|
+
module.exports = ({ impersonationHelper, logger }) => {
|
|
16
|
+
const cache = {};
|
|
17
|
+
let client = null;
|
|
18
|
+
|
|
19
|
+
/**
|
|
20
|
+
* Get or create the Secret Manager client.
|
|
21
|
+
* In non-production, auto-configures impersonation if not already set.
|
|
22
|
+
* @returns {SecretManagerServiceClient}
|
|
23
|
+
*/
|
|
24
|
+
function getClient() {
|
|
25
|
+
if (!client) {
|
|
26
|
+
if (process.env['NODE_ENV'] !== 'production' && !impersonationHelper.isImpersonationEnabled()) {
|
|
27
|
+
process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'] = DEV_DEFAULTS.impersonateAccount;
|
|
28
|
+
logger.info('[secrets] set default impersonation for development', {
|
|
29
|
+
targetServiceAccount: DEV_DEFAULTS.impersonateAccount,
|
|
30
|
+
});
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
if (impersonationHelper.isImpersonationEnabled()) {
|
|
34
|
+
logger.info('[secrets] using impersonation', impersonationHelper.impersonationLogContext());
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
client = new SecretManagerServiceClient();
|
|
38
|
+
}
|
|
39
|
+
return client;
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
/**
|
|
43
|
+
* Load secrets from Google Secret Manager and set them as environment variables.
|
|
44
|
+
* @param {Object} opts
|
|
45
|
+
* @param {string} [opts.projectId] - GCP project ID (defaults to DEV_DEFAULTS in non-production)
|
|
46
|
+
* @param {Array<{name: string, envVar: string, version?: string}>} opts.secrets - Secrets to load
|
|
47
|
+
* @throws {Error} If projectId is missing or secret cannot be loaded
|
|
48
|
+
*/
|
|
49
|
+
async function loadSecrets(opts) {
|
|
50
|
+
const { secrets } = opts;
|
|
51
|
+
const projectId =
|
|
52
|
+
opts.projectId ??
|
|
53
|
+
process.env['GOOGLE_CLOUD_PROJECT'] ??
|
|
54
|
+
(process.env['NODE_ENV'] !== 'production' ? DEV_DEFAULTS.projectId : undefined);
|
|
55
|
+
|
|
56
|
+
if (!projectId) {
|
|
57
|
+
throw new Error('Missing projectId for Secret Manager');
|
|
58
|
+
}
|
|
59
|
+
if (!secrets || secrets.length === 0) {
|
|
60
|
+
return;
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
const secretClient = getClient();
|
|
64
|
+
|
|
65
|
+
for (const spec of secrets) {
|
|
66
|
+
const version = spec.version ?? 'latest';
|
|
67
|
+
const name = `projects/${projectId}/secrets/${spec.name}/versions/${version}`;
|
|
68
|
+
|
|
69
|
+
try {
|
|
70
|
+
const [resp] = await secretClient.accessSecretVersion({ name });
|
|
71
|
+
const payload = resp.payload?.data?.toString('utf8');
|
|
72
|
+
|
|
73
|
+
if (!payload) {
|
|
74
|
+
throw new Error(`Empty payload for secret ${spec.name}`);
|
|
75
|
+
}
|
|
76
|
+
|
|
77
|
+
cache[spec.envVar] = payload;
|
|
78
|
+
process.env[spec.envVar] = payload;
|
|
79
|
+
|
|
80
|
+
logger.info('[secrets] loaded', {
|
|
81
|
+
name: spec.name,
|
|
82
|
+
envVar: spec.envVar,
|
|
83
|
+
version,
|
|
84
|
+
});
|
|
85
|
+
} catch (err) {
|
|
86
|
+
throw new Error(`Failed to load secret "${spec.name}": ${err.message}`);
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
/**
|
|
92
|
+
* Get a secret value from cache or environment.
|
|
93
|
+
* @param {string} envVar - The environment variable name
|
|
94
|
+
* @returns {string} The secret value
|
|
95
|
+
* @throws {Error} If secret is not loaded
|
|
96
|
+
*/
|
|
97
|
+
function getSecret(envVar) {
|
|
98
|
+
const val = cache[envVar] ?? process.env[envVar];
|
|
99
|
+
if (!val) {
|
|
100
|
+
throw new Error(`Secret "${envVar}" not loaded`);
|
|
101
|
+
}
|
|
102
|
+
return val;
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
return {
|
|
106
|
+
loadSecrets,
|
|
107
|
+
getSecret,
|
|
108
|
+
impersonation: impersonationHelper,
|
|
109
|
+
};
|
|
110
|
+
};
|
|
@@ -8,6 +8,7 @@ module.exports = ({
|
|
|
8
8
|
jwtService,
|
|
9
9
|
serverError,
|
|
10
10
|
requestHelper,
|
|
11
|
+
secretsService,
|
|
11
12
|
}) => {
|
|
12
13
|
// Register shutdown to clean up any resources used by the express app
|
|
13
14
|
registerShutdown(shutdown);
|
|
@@ -22,5 +23,6 @@ module.exports = ({
|
|
|
22
23
|
authorisation: authorisationMiddleware,
|
|
23
24
|
},
|
|
24
25
|
request: requestHelper,
|
|
26
|
+
secrets: secretsService,
|
|
25
27
|
};
|
|
26
28
|
};
|