@apolitical/server 4.1.0-pla-305-0 → 4.1.0-pla-305.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +3 -3
- package/src/config.js +3 -1
- package/src/container.js +0 -2
- package/src/services/secrets.service.js +15 -24
- package/src/helpers/impersonation.helper.js +0 -22
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@apolitical/server",
|
|
3
|
-
"version": "4.1.0-pla-305
|
|
3
|
+
"version": "4.1.0-pla-305.1",
|
|
4
4
|
"description": "Node.js module to encapsulate Apolitical's express server setup",
|
|
5
5
|
"author": "Apolitical Group Limited <engineering@apolitical.co>",
|
|
6
6
|
"license": "MIT",
|
|
@@ -24,8 +24,8 @@
|
|
|
24
24
|
],
|
|
25
25
|
"dependencies": {
|
|
26
26
|
"@apolitical/logger": "2.1.0",
|
|
27
|
-
"@google-cloud/secret-manager": "5.6.0",
|
|
28
27
|
"@cloudnative/health-connect": "2.1.0",
|
|
28
|
+
"@google-cloud/secret-manager": "6.1.1",
|
|
29
29
|
"@opentelemetry/api": "1.9.0",
|
|
30
30
|
"@opentelemetry/auto-instrumentations-node": "0.57.1",
|
|
31
31
|
"@opentelemetry/exporter-trace-otlp-grpc": "0.200.0",
|
|
@@ -40,7 +40,7 @@
|
|
|
40
40
|
"cookie-parser": "1.4.6",
|
|
41
41
|
"cors": "2.8.5",
|
|
42
42
|
"dotenv": "16.0.3",
|
|
43
|
-
"express": "4.
|
|
43
|
+
"express": "4.22.0",
|
|
44
44
|
"express-jwt": "8.3.0",
|
|
45
45
|
"http-status-codes": "2.2.0",
|
|
46
46
|
"http-terminator": "3.2.0",
|
package/src/config.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
const { NODE_ENV, LOG_LEVEL } = process.env;
|
|
3
|
+
const { NODE_ENV, LOG_LEVEL, GOOGLE_CLOUD_PROJECT, GOOGLE_IMPERSONATE_SERVICE_ACCOUNT } = process.env;
|
|
4
4
|
|
|
5
5
|
const NAME = 'apolitical-server';
|
|
6
6
|
const UUID = '00000000-0000-0000-0000-000000000000';
|
|
@@ -10,6 +10,8 @@ const ADMIN_ROLE = 'administrator';
|
|
|
10
10
|
module.exports = {
|
|
11
11
|
NODE_ENV,
|
|
12
12
|
LOG_LEVEL,
|
|
13
|
+
GOOGLE_CLOUD_PROJECT,
|
|
14
|
+
GOOGLE_IMPERSONATE_SERVICE_ACCOUNT,
|
|
13
15
|
LOGGER_OPTIONS: {
|
|
14
16
|
logLevel: LOG_LEVEL,
|
|
15
17
|
labels: {
|
package/src/container.js
CHANGED
|
@@ -37,7 +37,6 @@ const jwtEncodeHelper = require('./helpers/jwt/encode.helper');
|
|
|
37
37
|
const jwtPassportHelper = require('./helpers/jwt/passport.helper');
|
|
38
38
|
const loggerHelper = require('./helpers/logger.helper');
|
|
39
39
|
const requestHelper = require('./helpers/request.helper');
|
|
40
|
-
const impersonationHelper = require('./helpers/impersonation.helper');
|
|
41
40
|
// Loaders
|
|
42
41
|
const documentationLoader = require('./loaders/documentation.loader');
|
|
43
42
|
const expressLoader = require('./loaders/express.loader');
|
|
@@ -98,7 +97,6 @@ container.register({
|
|
|
98
97
|
jwtPassportHelper: asFunction(jwtPassportHelper).singleton(),
|
|
99
98
|
loggerHelper: asFunction(loggerHelper).singleton(),
|
|
100
99
|
requestHelper: asFunction(requestHelper).singleton(),
|
|
101
|
-
impersonationHelper: asFunction(impersonationHelper).singleton(),
|
|
102
100
|
// Loaders
|
|
103
101
|
documentationLoader: asFunction(documentationLoader).singleton(),
|
|
104
102
|
expressLoader: asFunction(expressLoader).singleton(),
|
|
@@ -1,26 +1,22 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
module.exports = ({ secretManager,
|
|
4
|
-
const DEV_DEFAULTS = {
|
|
5
|
-
projectId: 'hazel-tea-194609',
|
|
6
|
-
impersonateAccount: 'development-platform@hazel-tea-194609.iam.gserviceaccount.com',
|
|
7
|
-
};
|
|
8
|
-
|
|
9
|
-
const cache = {};
|
|
3
|
+
module.exports = ({ secretManager, config, logger }) => {
|
|
10
4
|
let client = null;
|
|
11
5
|
|
|
6
|
+
const resolvedImpersonationTarget = config.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT?.trim() || null;
|
|
7
|
+
|
|
8
|
+
function isImpersonationEnabled() {
|
|
9
|
+
return resolvedImpersonationTarget !== null;
|
|
10
|
+
}
|
|
11
|
+
|
|
12
|
+
function impersonationLogContext() {
|
|
13
|
+
return resolvedImpersonationTarget ? { targetServiceAccount: resolvedImpersonationTarget } : {};
|
|
14
|
+
}
|
|
15
|
+
|
|
12
16
|
function getClient() {
|
|
13
17
|
if (!client) {
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'] = DEV_DEFAULTS.impersonateAccount;
|
|
17
|
-
logger.info('[secrets] set default impersonation for development', {
|
|
18
|
-
targetServiceAccount: DEV_DEFAULTS.impersonateAccount,
|
|
19
|
-
});
|
|
20
|
-
}
|
|
21
|
-
|
|
22
|
-
if (impersonationHelper.isImpersonationEnabled()) {
|
|
23
|
-
logger.info('[secrets] using impersonation', impersonationHelper.impersonationLogContext());
|
|
18
|
+
if (isImpersonationEnabled()) {
|
|
19
|
+
logger.info('[secrets] using impersonation', impersonationLogContext());
|
|
24
20
|
}
|
|
25
21
|
|
|
26
22
|
client = new secretManager.SecretManagerServiceClient();
|
|
@@ -30,10 +26,7 @@ module.exports = ({ secretManager, impersonationHelper, logger }) => {
|
|
|
30
26
|
|
|
31
27
|
async function loadSecrets(opts) {
|
|
32
28
|
const { secrets } = opts;
|
|
33
|
-
const projectId =
|
|
34
|
-
opts.projectId ??
|
|
35
|
-
process.env['GOOGLE_CLOUD_PROJECT'] ??
|
|
36
|
-
(process.env['NODE_ENV'] !== 'production' ? DEV_DEFAULTS.projectId : undefined);
|
|
29
|
+
const projectId = opts.projectId ?? config.GOOGLE_CLOUD_PROJECT;
|
|
37
30
|
|
|
38
31
|
if (!projectId) {
|
|
39
32
|
throw new Error('Missing projectId for Secret Manager');
|
|
@@ -56,7 +49,6 @@ module.exports = ({ secretManager, impersonationHelper, logger }) => {
|
|
|
56
49
|
throw new Error(`Empty payload for secret ${spec.name}`);
|
|
57
50
|
}
|
|
58
51
|
|
|
59
|
-
cache[spec.envVar] = payload;
|
|
60
52
|
process.env[spec.envVar] = payload;
|
|
61
53
|
|
|
62
54
|
logger.info('[secrets] loaded', {
|
|
@@ -71,7 +63,7 @@ module.exports = ({ secretManager, impersonationHelper, logger }) => {
|
|
|
71
63
|
}
|
|
72
64
|
|
|
73
65
|
function getSecret(envVar) {
|
|
74
|
-
const val =
|
|
66
|
+
const val = process.env[envVar];
|
|
75
67
|
if (!val) {
|
|
76
68
|
throw new Error(`Secret "${envVar}" not loaded`);
|
|
77
69
|
}
|
|
@@ -81,6 +73,5 @@ module.exports = ({ secretManager, impersonationHelper, logger }) => {
|
|
|
81
73
|
return {
|
|
82
74
|
loadSecrets,
|
|
83
75
|
getSecret,
|
|
84
|
-
impersonation: impersonationHelper,
|
|
85
76
|
};
|
|
86
77
|
};
|
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
'use strict';
|
|
2
|
-
|
|
3
|
-
module.exports = () => {
|
|
4
|
-
// Returns the target service account to impersonate if configured via env
|
|
5
|
-
function getImpersonationTarget() {
|
|
6
|
-
const target = process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'];
|
|
7
|
-
return target && target.trim().length > 0 ? target.trim() : null;
|
|
8
|
-
}
|
|
9
|
-
|
|
10
|
-
// Whether impersonation is enabled for the current process
|
|
11
|
-
function isImpersonationEnabled() {
|
|
12
|
-
return getImpersonationTarget() !== null;
|
|
13
|
-
}
|
|
14
|
-
|
|
15
|
-
// Produce a safe log payload for audit visibility
|
|
16
|
-
function impersonationLogContext() {
|
|
17
|
-
const target = getImpersonationTarget();
|
|
18
|
-
return target ? { targetServiceAccount: target } : {};
|
|
19
|
-
}
|
|
20
|
-
|
|
21
|
-
return { getImpersonationTarget, isImpersonationEnabled, impersonationLogContext };
|
|
22
|
-
};
|