npm - @apolitical/server - Versions diffs - 4.0.0 → 4.1.0 - Mend

@apolitical/server 4.0.0 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +2 -1
package/src/container.js +4 -0
package/src/helpers/impersonation.helper.js +42 -0
package/src/services/secrets.service.js +110 -0
package/src/services/server.service.js +2 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@apolitical/server",
-  "version": "4.0.0",
+  "version": "4.1.0",
   "description": "Node.js module to encapsulate Apolitical's express server setup",
   "author": "Apolitical Group Limited <engineering@apolitical.co>",
   "license": "MIT",
@@ -24,6 +24,7 @@
   ],
   "dependencies": {
     "@apolitical/logger": "2.1.0",
+    "@google-cloud/secret-manager": "5.6.0",
     "@cloudnative/health-connect": "2.1.0",
     "@opentelemetry/api": "1.9.0",
     "@opentelemetry/auto-instrumentations-node": "0.57.1",

package/src/container.js CHANGED Viewed

@@ -36,6 +36,7 @@ const jwtEncodeHelper = require('./helpers/jwt/encode.helper');
 const jwtPassportHelper = require('./helpers/jwt/passport.helper');
 const loggerHelper = require('./helpers/logger.helper');
 const requestHelper = require('./helpers/request.helper');
+const impersonationHelper = require('./helpers/impersonation.helper');
 // Loaders
 const documentationLoader = require('./loaders/documentation.loader');
 const expressLoader = require('./loaders/express.loader');
@@ -55,6 +56,7 @@ const expressService = require('./services/express.service');
 const healthService = require('./services/health.service');
 const jwtService = require('./services/jwt.service');
 const serverService = require('./services/server.service');
+const secretsService = require('./services/secrets.service');
 // DI container
 const container = createContainer();
@@ -94,6 +96,7 @@ container.register({
   jwtPassportHelper: asFunction(jwtPassportHelper).singleton(),
   loggerHelper: asFunction(loggerHelper).singleton(),
   requestHelper: asFunction(requestHelper).singleton(),
+  impersonationHelper: asFunction(impersonationHelper).singleton(),
   // Loaders
   documentationLoader: asFunction(documentationLoader).singleton(),
   expressLoader: asFunction(expressLoader).singleton(),
@@ -113,6 +116,7 @@ container.register({
   healthService: asFunction(healthService).singleton(),
   jwtService: asFunction(jwtService).singleton(),
   serverService: asFunction(serverService).singleton(),
+  secretsService: asFunction(secretsService).singleton(),
 });
 module.exports = container;

package/src/helpers/impersonation.helper.js ADDED Viewed

@@ -0,0 +1,42 @@
+'use strict';
+/**
+ * Helpers for Application Default Credentials (ADC) impersonation detection.
+ *
+ * These utilities do not acquire credentials; they only surface intent
+ * based on environment variables so applications can log and enforce policy.
+ */
+/**
+ * Returns the target service account to impersonate if configured via env.
+ * GOOGLE_IMPERSONATE_SERVICE_ACCOUNT is respected by Google client libraries
+ * when acquiring credentials via ADC.
+ * @returns {string|null}
+ */
+function getImpersonationTarget() {
+  const target = process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'];
+  return target && target.trim().length > 0 ? target.trim() : null;
+}
+/**
+ * Whether impersonation is enabled for the current process.
+ * @returns {boolean}
+ */
+function isImpersonationEnabled() {
+  return getImpersonationTarget() !== null;
+}
+/**
+ * Produce a safe log payload for audit visibility.
+ * @returns {{ targetServiceAccount: string } | {}}
+ */
+function impersonationLogContext() {
+  const target = getImpersonationTarget();
+  return target ? { targetServiceAccount: target } : {};
+}
+module.exports = () => ({
+  getImpersonationTarget,
+  isImpersonationEnabled,
+  impersonationLogContext,
+});

package/src/services/secrets.service.js ADDED Viewed

@@ -0,0 +1,110 @@
+'use strict';
+const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
+const DEV_DEFAULTS = {
+  projectId: 'hazel-tea-194609',
+  impersonateAccount: 'development-platform@hazel-tea-194609.iam.gserviceaccount.com',
+};
+/**
+ * GCP Secret Manager service for loading secrets at runtime.
+ * Uses Application Default Credentials (ADC) with service account impersonation
+ * for local development.
+ */
+module.exports = ({ impersonationHelper, logger }) => {
+  const cache = {};
+  let client = null;
+  /**
+   * Get or create the Secret Manager client.
+   * In non-production, auto-configures impersonation if not already set.
+   * @returns {SecretManagerServiceClient}
+   */
+  function getClient() {
+    if (!client) {
+      if (process.env['NODE_ENV'] !== 'production' && !impersonationHelper.isImpersonationEnabled()) {
+        process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'] = DEV_DEFAULTS.impersonateAccount;
+        logger.info('[secrets] set default impersonation for development', {
+          targetServiceAccount: DEV_DEFAULTS.impersonateAccount,
+        });
+      }
+      if (impersonationHelper.isImpersonationEnabled()) {
+        logger.info('[secrets] using impersonation', impersonationHelper.impersonationLogContext());
+      }
+      client = new SecretManagerServiceClient();
+    }
+    return client;
+  }
+  /**
+   * Load secrets from Google Secret Manager and set them as environment variables.
+   * @param {Object} opts
+   * @param {string} [opts.projectId] - GCP project ID (defaults to DEV_DEFAULTS in non-production)
+   * @param {Array<{name: string, envVar: string, version?: string}>} opts.secrets - Secrets to load
+   * @throws {Error} If projectId is missing or secret cannot be loaded
+   */
+  async function loadSecrets(opts) {
+    const { secrets } = opts;
+    const projectId =
+      opts.projectId ??
+      process.env['GOOGLE_CLOUD_PROJECT'] ??
+      (process.env['NODE_ENV'] !== 'production' ? DEV_DEFAULTS.projectId : undefined);
+    if (!projectId) {
+      throw new Error('Missing projectId for Secret Manager');
+    }
+    if (!secrets || secrets.length === 0) {
+      return;
+    }
+    const secretClient = getClient();
+    for (const spec of secrets) {
+      const version = spec.version ?? 'latest';
+      const name = `projects/${projectId}/secrets/${spec.name}/versions/${version}`;
+      try {
+        const [resp] = await secretClient.accessSecretVersion({ name });
+        const payload = resp.payload?.data?.toString('utf8');
+        if (!payload) {
+          throw new Error(`Empty payload for secret ${spec.name}`);
+        }
+        cache[spec.envVar] = payload;
+        process.env[spec.envVar] = payload;
+        logger.info('[secrets] loaded', {
+          name: spec.name,
+          envVar: spec.envVar,
+          version,
+        });
+      } catch (err) {
+        throw new Error(`Failed to load secret "${spec.name}": ${err.message}`);
+      }
+    }
+  }
+  /**
+   * Get a secret value from cache or environment.
+   * @param {string} envVar - The environment variable name
+   * @returns {string} The secret value
+   * @throws {Error} If secret is not loaded
+   */
+  function getSecret(envVar) {
+    const val = cache[envVar] ?? process.env[envVar];
+    if (!val) {
+      throw new Error(`Secret "${envVar}" not loaded`);
+    }
+    return val;
+  }
+  return {
+    loadSecrets,
+    getSecret,
+    impersonation: impersonationHelper,
+  };
+};

package/src/services/server.service.js CHANGED Viewed

@@ -8,6 +8,7 @@ module.exports = ({
   jwtService,
   serverError,
   requestHelper,
+  secretsService,
 }) => {
   // Register shutdown to clean up any resources used by the express app
   registerShutdown(shutdown);
@@ -22,5 +23,6 @@ module.exports = ({
       authorisation: authorisationMiddleware,
     },
     request: requestHelper,
+    secrets: secretsService,
   };
 };