@apolitical/server 4.0.1 → 4.1.0-pla-305.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +6 -1
- package/src/config.js +3 -1
- package/src/container.js +4 -0
- package/src/secrets.js +10 -0
- package/src/services/secrets.service.js +100 -0
- package/src/services/server.service.js +2 -0
package/package.json
CHANGED
|
@@ -1,10 +1,14 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@apolitical/server",
|
|
3
|
-
"version": "4.0.
|
|
3
|
+
"version": "4.1.0-pla-305.0",
|
|
4
4
|
"description": "Node.js module to encapsulate Apolitical's express server setup",
|
|
5
5
|
"author": "Apolitical Group Limited <engineering@apolitical.co>",
|
|
6
6
|
"license": "MIT",
|
|
7
7
|
"main": "src/index.js",
|
|
8
|
+
"exports": {
|
|
9
|
+
".": "./src/index.js",
|
|
10
|
+
"./secrets": "./src/secrets.js"
|
|
11
|
+
},
|
|
8
12
|
"files": [
|
|
9
13
|
"src"
|
|
10
14
|
],
|
|
@@ -25,6 +29,7 @@
|
|
|
25
29
|
"dependencies": {
|
|
26
30
|
"@apolitical/logger": "2.1.0",
|
|
27
31
|
"@cloudnative/health-connect": "2.1.0",
|
|
32
|
+
"@google-cloud/secret-manager": "^6.1.1",
|
|
28
33
|
"@opentelemetry/api": "1.9.0",
|
|
29
34
|
"@opentelemetry/auto-instrumentations-node": "0.57.1",
|
|
30
35
|
"@opentelemetry/exporter-trace-otlp-grpc": "0.200.0",
|
package/src/config.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
const { NODE_ENV, LOG_LEVEL } = process.env;
|
|
3
|
+
const { NODE_ENV, LOG_LEVEL, GOOGLE_CLOUD_PROJECT, GOOGLE_IMPERSONATE_SERVICE_ACCOUNT } = process.env;
|
|
4
4
|
|
|
5
5
|
const NAME = 'apolitical-server';
|
|
6
6
|
const UUID = '00000000-0000-0000-0000-000000000000';
|
|
@@ -10,6 +10,8 @@ const ADMIN_ROLE = 'administrator';
|
|
|
10
10
|
module.exports = {
|
|
11
11
|
NODE_ENV,
|
|
12
12
|
LOG_LEVEL,
|
|
13
|
+
GOOGLE_CLOUD_PROJECT,
|
|
14
|
+
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT,
|
|
13
15
|
LOGGER_OPTIONS: {
|
|
14
16
|
logLevel: LOG_LEVEL,
|
|
15
17
|
labels: {
|
package/src/container.js
CHANGED
|
@@ -22,6 +22,7 @@ const prerender = require('prerender-node');
|
|
|
22
22
|
const qs = require('qs');
|
|
23
23
|
const swaggerUi = require('swagger-ui-express');
|
|
24
24
|
const xss = require('xss');
|
|
25
|
+
const secretManager = require('@google-cloud/secret-manager');
|
|
25
26
|
// Internal Modules
|
|
26
27
|
const apoliticalLogger = require('@apolitical/logger');
|
|
27
28
|
// Configuration
|
|
@@ -55,6 +56,7 @@ const expressService = require('./services/express.service');
|
|
|
55
56
|
const healthService = require('./services/health.service');
|
|
56
57
|
const jwtService = require('./services/jwt.service');
|
|
57
58
|
const serverService = require('./services/server.service');
|
|
59
|
+
const secretsService = require('./services/secrets.service');
|
|
58
60
|
|
|
59
61
|
// DI container
|
|
60
62
|
const container = createContainer();
|
|
@@ -80,6 +82,7 @@ container.register({
|
|
|
80
82
|
qs: asValue(qs),
|
|
81
83
|
swaggerUi: asValue(swaggerUi),
|
|
82
84
|
xss: asValue(xss),
|
|
85
|
+
secretManager: asValue(secretManager),
|
|
83
86
|
// Internal Modules
|
|
84
87
|
apoliticalLogger: asValue(apoliticalLogger),
|
|
85
88
|
// Configuration
|
|
@@ -113,6 +116,7 @@ container.register({
|
|
|
113
116
|
healthService: asFunction(healthService).singleton(),
|
|
114
117
|
jwtService: asFunction(jwtService).singleton(),
|
|
115
118
|
serverService: asFunction(serverService).singleton(),
|
|
119
|
+
secretsService: asFunction(secretsService).singleton(),
|
|
116
120
|
});
|
|
117
121
|
|
|
118
122
|
module.exports = container;
|
package/src/secrets.js
ADDED
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
const secretManager = require('@google-cloud/secret-manager');
|
|
4
|
+
const secretsServiceFactory = require('./services/secrets.service');
|
|
5
|
+
|
|
6
|
+
module.exports = secretsServiceFactory({
|
|
7
|
+
secretManager,
|
|
8
|
+
config: process.env,
|
|
9
|
+
logger: console,
|
|
10
|
+
});
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
module.exports = ({ secretManager, config, logger }) => {
|
|
4
|
+
const DEV_DEFAULTS = {
|
|
5
|
+
impersonateAccount: 'development-platform@hazel-tea-194609.iam.gserviceaccount.com',
|
|
6
|
+
};
|
|
7
|
+
|
|
8
|
+
const cache = {};
|
|
9
|
+
let client = null;
|
|
10
|
+
|
|
11
|
+
// Resolved once at first client creation; stored in closure so subsequent
|
|
12
|
+
// calls to isImpersonationEnabled() reflect the dev default without
|
|
13
|
+
// re-reading process.env.
|
|
14
|
+
let resolvedImpersonationTarget = config.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT?.trim() || null;
|
|
15
|
+
|
|
16
|
+
function isImpersonationEnabled() {
|
|
17
|
+
return resolvedImpersonationTarget !== null;
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
function impersonationLogContext() {
|
|
21
|
+
return resolvedImpersonationTarget ? { targetServiceAccount: resolvedImpersonationTarget } : {};
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
function getClient() {
|
|
25
|
+
if (!client) {
|
|
26
|
+
if (config.NODE_ENV !== 'production' && !isImpersonationEnabled()) {
|
|
27
|
+
resolvedImpersonationTarget = DEV_DEFAULTS.impersonateAccount;
|
|
28
|
+
// Set on process.env so the Google Cloud SDK picks it up via ADC
|
|
29
|
+
process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'] = resolvedImpersonationTarget;
|
|
30
|
+
logger.info('[secrets] set default impersonation for development', {
|
|
31
|
+
targetServiceAccount: resolvedImpersonationTarget,
|
|
32
|
+
});
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
if (isImpersonationEnabled()) {
|
|
36
|
+
logger.info('[secrets] using impersonation', impersonationLogContext());
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
client = new secretManager.SecretManagerServiceClient();
|
|
40
|
+
}
|
|
41
|
+
return client;
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
async function loadSecrets(opts) {
|
|
45
|
+
const { secrets } = opts;
|
|
46
|
+
const projectId = opts.projectId ?? config.GOOGLE_CLOUD_PROJECT;
|
|
47
|
+
|
|
48
|
+
if (!projectId) {
|
|
49
|
+
throw new Error('Missing projectId for Secret Manager');
|
|
50
|
+
}
|
|
51
|
+
if (!secrets || secrets.length === 0) {
|
|
52
|
+
return;
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
const secretClient = getClient();
|
|
56
|
+
|
|
57
|
+
for (const spec of secrets) {
|
|
58
|
+
const version = spec.version ?? 'latest';
|
|
59
|
+
const name = `projects/${projectId}/secrets/${spec.name}/versions/${version}`;
|
|
60
|
+
|
|
61
|
+
try {
|
|
62
|
+
const [resp] = await secretClient.accessSecretVersion({ name });
|
|
63
|
+
const payload = resp.payload?.data?.toString('utf8');
|
|
64
|
+
|
|
65
|
+
if (!payload) {
|
|
66
|
+
throw new Error(`Empty payload for secret ${spec.name}`);
|
|
67
|
+
}
|
|
68
|
+
|
|
69
|
+
cache[spec.envVar] = payload;
|
|
70
|
+
|
|
71
|
+
if (spec.exportToEnv) {
|
|
72
|
+
process.env[spec.envVar] = payload;
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
logger.info('[secrets] loaded', {
|
|
76
|
+
name: spec.name,
|
|
77
|
+
envVar: spec.envVar,
|
|
78
|
+
version,
|
|
79
|
+
cached: true,
|
|
80
|
+
exportedToEnv: !!spec.exportToEnv,
|
|
81
|
+
});
|
|
82
|
+
} catch (err) {
|
|
83
|
+
throw new Error(`Failed to load secret "${spec.name}": ${err.message}`);
|
|
84
|
+
}
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
|
|
88
|
+
function getSecret(envVar) {
|
|
89
|
+
const val = cache[envVar] ?? process.env[envVar];
|
|
90
|
+
if (!val) {
|
|
91
|
+
throw new Error(`Secret "${envVar}" not loaded`);
|
|
92
|
+
}
|
|
93
|
+
return val;
|
|
94
|
+
}
|
|
95
|
+
|
|
96
|
+
return {
|
|
97
|
+
loadSecrets,
|
|
98
|
+
getSecret,
|
|
99
|
+
};
|
|
100
|
+
};
|
|
@@ -8,6 +8,7 @@ module.exports = ({
|
|
|
8
8
|
jwtService,
|
|
9
9
|
serverError,
|
|
10
10
|
requestHelper,
|
|
11
|
+
secretsService,
|
|
11
12
|
}) => {
|
|
12
13
|
// Register shutdown to clean up any resources used by the express app
|
|
13
14
|
registerShutdown(shutdown);
|
|
@@ -22,5 +23,6 @@ module.exports = ({
|
|
|
22
23
|
authorisation: authorisationMiddleware,
|
|
23
24
|
},
|
|
24
25
|
request: requestHelper,
|
|
26
|
+
secrets: secretsService,
|
|
25
27
|
};
|
|
26
28
|
};
|