@apolitical/server 4.0.1 → 4.1.0-pla-305-0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/package.json +3 -2
  2. package/src/container.js +6 -0
  3. package/src/helpers/impersonation.helper.js +22 -0
  4. package/src/services/secrets.service.js +86 -0
  5. package/src/services/server.service.js +2 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@apolitical/server",
3
- "version": "4.0.1",
3
+ "version": "4.1.0-pla-305-0",
4
4
  "description": "Node.js module to encapsulate Apolitical's express server setup",
5
5
  "author": "Apolitical Group Limited <engineering@apolitical.co>",
6
6
  "license": "MIT",
@@ -24,6 +24,7 @@
24
24
  ],
25
25
  "dependencies": {
26
26
  "@apolitical/logger": "2.1.0",
27
+ "@google-cloud/secret-manager": "5.6.0",
27
28
  "@cloudnative/health-connect": "2.1.0",
28
29
  "@opentelemetry/api": "1.9.0",
29
30
  "@opentelemetry/auto-instrumentations-node": "0.57.1",
@@ -39,7 +40,7 @@
39
40
  "cookie-parser": "1.4.6",
40
41
  "cors": "2.8.5",
41
42
  "dotenv": "16.0.3",
42
- "express": "4.22.0",
43
+ "express": "4.18.2",
43
44
  "express-jwt": "8.3.0",
44
45
  "http-status-codes": "2.2.0",
45
46
  "http-terminator": "3.2.0",
package/src/container.js CHANGED
@@ -22,6 +22,7 @@ const prerender = require('prerender-node');
22
22
  const qs = require('qs');
23
23
  const swaggerUi = require('swagger-ui-express');
24
24
  const xss = require('xss');
25
+ const secretManager = require('@google-cloud/secret-manager');
25
26
  // Internal Modules
26
27
  const apoliticalLogger = require('@apolitical/logger');
27
28
  // Configuration
@@ -36,6 +37,7 @@ const jwtEncodeHelper = require('./helpers/jwt/encode.helper');
36
37
  const jwtPassportHelper = require('./helpers/jwt/passport.helper');
37
38
  const loggerHelper = require('./helpers/logger.helper');
38
39
  const requestHelper = require('./helpers/request.helper');
40
+ const impersonationHelper = require('./helpers/impersonation.helper');
39
41
  // Loaders
40
42
  const documentationLoader = require('./loaders/documentation.loader');
41
43
  const expressLoader = require('./loaders/express.loader');
@@ -55,6 +57,7 @@ const expressService = require('./services/express.service');
55
57
  const healthService = require('./services/health.service');
56
58
  const jwtService = require('./services/jwt.service');
57
59
  const serverService = require('./services/server.service');
60
+ const secretsService = require('./services/secrets.service');
58
61
 
59
62
  // DI container
60
63
  const container = createContainer();
@@ -80,6 +83,7 @@ container.register({
80
83
  qs: asValue(qs),
81
84
  swaggerUi: asValue(swaggerUi),
82
85
  xss: asValue(xss),
86
+ secretManager: asValue(secretManager),
83
87
  // Internal Modules
84
88
  apoliticalLogger: asValue(apoliticalLogger),
85
89
  // Configuration
@@ -94,6 +98,7 @@ container.register({
94
98
  jwtPassportHelper: asFunction(jwtPassportHelper).singleton(),
95
99
  loggerHelper: asFunction(loggerHelper).singleton(),
96
100
  requestHelper: asFunction(requestHelper).singleton(),
101
+ impersonationHelper: asFunction(impersonationHelper).singleton(),
97
102
  // Loaders
98
103
  documentationLoader: asFunction(documentationLoader).singleton(),
99
104
  expressLoader: asFunction(expressLoader).singleton(),
@@ -113,6 +118,7 @@ container.register({
113
118
  healthService: asFunction(healthService).singleton(),
114
119
  jwtService: asFunction(jwtService).singleton(),
115
120
  serverService: asFunction(serverService).singleton(),
121
+ secretsService: asFunction(secretsService).singleton(),
116
122
  });
117
123
 
118
124
  module.exports = container;
package/src/helpers/impersonation.helper.js ADDED
@@ -0,0 +1,22 @@
1
+ 'use strict';
2
+
3
+ module.exports = () => {
4
+ // Returns the target service account to impersonate if configured via env
5
+ function getImpersonationTarget() {
6
+ const target = process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'];
7
+ return target && target.trim().length > 0 ? target.trim() : null;
8
+ }
9
+
10
+ // Whether impersonation is enabled for the current process
11
+ function isImpersonationEnabled() {
12
+ return getImpersonationTarget() !== null;
13
+ }
14
+
15
+ // Produce a safe log payload for audit visibility
16
+ function impersonationLogContext() {
17
+ const target = getImpersonationTarget();
18
+ return target ? { targetServiceAccount: target } : {};
19
+ }
20
+
21
+ return { getImpersonationTarget, isImpersonationEnabled, impersonationLogContext };
22
+ };
package/src/services/secrets.service.js ADDED
@@ -0,0 +1,86 @@
1
+ 'use strict';
2
+
3
+ module.exports = ({ secretManager, impersonationHelper, logger }) => {
4
+ const DEV_DEFAULTS = {
5
+ projectId: 'hazel-tea-194609',
6
+ impersonateAccount: 'development-platform@hazel-tea-194609.iam.gserviceaccount.com',
7
+ };
8
+
9
+ const cache = {};
10
+ let client = null;
11
+
12
+ function getClient() {
13
+ if (!client) {
14
+ // Auto-configure impersonation for non-production environments
15
+ if (process.env['NODE_ENV'] !== 'production' && !impersonationHelper.isImpersonationEnabled()) {
16
+ process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'] = DEV_DEFAULTS.impersonateAccount;
17
+ logger.info('[secrets] set default impersonation for development', {
18
+ targetServiceAccount: DEV_DEFAULTS.impersonateAccount,
19
+ });
20
+ }
21
+
22
+ if (impersonationHelper.isImpersonationEnabled()) {
23
+ logger.info('[secrets] using impersonation', impersonationHelper.impersonationLogContext());
24
+ }
25
+
26
+ client = new secretManager.SecretManagerServiceClient();
27
+ }
28
+ return client;
29
+ }
30
+
31
+ async function loadSecrets(opts) {
32
+ const { secrets } = opts;
33
+ const projectId =
34
+ opts.projectId ??
35
+ process.env['GOOGLE_CLOUD_PROJECT'] ??
36
+ (process.env['NODE_ENV'] !== 'production' ? DEV_DEFAULTS.projectId : undefined);
37
+
38
+ if (!projectId) {
39
+ throw new Error('Missing projectId for Secret Manager');
40
+ }
41
+ if (!secrets || secrets.length === 0) {
42
+ return;
43
+ }
44
+
45
+ const secretClient = getClient();
46
+
47
+ for (const spec of secrets) {
48
+ const version = spec.version ?? 'latest';
49
+ const name = `projects/${projectId}/secrets/${spec.name}/versions/${version}`;
50
+
51
+ try {
52
+ const [resp] = await secretClient.accessSecretVersion({ name });
53
+ const payload = resp.payload?.data?.toString('utf8');
54
+
55
+ if (!payload) {
56
+ throw new Error(`Empty payload for secret ${spec.name}`);
57
+ }
58
+
59
+ cache[spec.envVar] = payload;
60
+ process.env[spec.envVar] = payload;
61
+
62
+ logger.info('[secrets] loaded', {
63
+ name: spec.name,
64
+ envVar: spec.envVar,
65
+ version,
66
+ });
67
+ } catch (err) {
68
+ throw new Error(`Failed to load secret "${spec.name}": ${err.message}`);
69
+ }
70
+ }
71
+ }
72
+
73
+ function getSecret(envVar) {
74
+ const val = cache[envVar] ?? process.env[envVar];
75
+ if (!val) {
76
+ throw new Error(`Secret "${envVar}" not loaded`);
77
+ }
78
+ return val;
79
+ }
80
+
81
+ return {
82
+ loadSecrets,
83
+ getSecret,
84
+ impersonation: impersonationHelper,
85
+ };
86
+ };
package/src/services/server.service.js CHANGED
@@ -8,6 +8,7 @@ module.exports = ({
8
8
  jwtService,
9
9
  serverError,
10
10
  requestHelper,
11
+ secretsService,
11
12
  }) => {
12
13
  // Register shutdown to clean up any resources used by the express app
13
14
  registerShutdown(shutdown);
@@ -22,5 +23,6 @@ module.exports = ({
22
23
  authorisation: authorisationMiddleware,
23
24
  },
24
25
  request: requestHelper,
26
+ secrets: secretsService,
25
27
  };
26
28
  };