@commercetools-frontend/vault-utils 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) commercetools GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,27 @@
+# @commercetools-frontend/vault-utils
+
+> This package provide utilities to integrate with Vault to retrieve secrets.
+
+## Installation
+
+```bash
+$ npm install --save @commercetools-frontend/vault-utils
+```
+
+## Usage
+
+### `getCredentialsForCI`
+
+Retrieve credentials for a given secret path, given that the `CI` environment variable is set.
+
+Credentials are returned as a JSON object.
+
+```ts
+const credentialsFromVault = await getCredentialsForCI({
+  vaultAddr: '',
+  repositoryName: '',
+  secretPath: '',
+});
+```
+
+When running within CircleCI, the method uses the `CIRCLE_OIDC_TOKEN` environment variable for authentication.

package/dist/commercetools-frontend-vault-utils.cjs.d.ts

@@ -0,0 +1,2 @@
+export * from "./declarations/src/index";
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29tbWVyY2V0b29scy1mcm9udGVuZC12YXVsdC11dGlscy5janMuZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4vZGVjbGFyYXRpb25zL3NyYy9pbmRleC5kLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBIn0=

package/dist/commercetools-frontend-vault-utils.cjs.dev.js

@@ -0,0 +1,71 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var _JSON$stringify = require('@babel/runtime-corejs3/core-js-stable/json/stringify');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { 'default': e }; }
+
+var _JSON$stringify__default = /*#__PURE__*/_interopDefault(_JSON$stringify);
+
+async function getAccessToken(params) {
+  const vaultAddr = params.vaultAddr ?? process.env.VAULT_ADDR;
+  const jwt = params.jwt ?? process.env.CIRCLE_OIDC_TOKEN;
+  const vaultAuthUrl = [vaultAddr, 'v1', 'auth/oidc/circleci/login'].join('/');
+  const response = await fetch(vaultAuthUrl, {
+    method: 'POST',
+    body: _JSON$stringify__default["default"]({
+      role: params.role,
+      jwt
+    })
+  });
+  const result = await response.json();
+  if (response.ok) {
+    return result.auth.client_token;
+  }
+  const error = new Error(response.statusText);
+  // @ts-ignore
+  error.body = result;
+  throw error;
+}
+
+async function getSecret(params) {
+  const vaultAddr = params.vaultAddr ?? process.env.VAULT_ADDR;
+  const vaultKV2Url = [vaultAddr, 'v1', params.mount, 'data', params.secretPath].join('/');
+  const response = await fetch(vaultKV2Url, {
+    method: 'GET',
+    headers: {
+      'X-Vault-Token': params.token
+    }
+  });
+  const result = await response.json();
+  if (response.ok) {
+    return result.data.data;
+  }
+  const error = new Error(response.statusText);
+  // @ts-ignore
+  error.body = result;
+  throw error;
+}
+
+async function getCredentialsForCI(params) {
+  if (String(process.env.CI) === 'true') {
+    console.log(`ℹ️ 'CI' environment variable is defined. Reading secrets from Vault ${params.secretPath}.`);
+    const token = await getAccessToken({
+      role: `${params.repositoryName}_merchant-center`,
+      vaultAddr: params.vaultAddr
+    });
+    const secret = await getSecret({
+      token,
+      mount: `kv2/repositories/${params.repositoryName}`,
+      secretPath: params.secretPath,
+      vaultAddr: params.vaultAddr
+    });
+    return secret;
+  }
+  return {};
+}
+
+exports.getAccessToken = getAccessToken;
+exports.getCredentialsForCI = getCredentialsForCI;
+exports.getSecret = getSecret;

package/dist/commercetools-frontend-vault-utils.cjs.js

@@ -0,0 +1,7 @@
+'use strict';
+
+if (process.env.NODE_ENV === "production") {
+  module.exports = require("./commercetools-frontend-vault-utils.cjs.prod.js");
+} else {
+  module.exports = require("./commercetools-frontend-vault-utils.cjs.dev.js");
+}

package/dist/commercetools-frontend-vault-utils.cjs.prod.js

@@ -0,0 +1,71 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var _JSON$stringify = require('@babel/runtime-corejs3/core-js-stable/json/stringify');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { 'default': e }; }
+
+var _JSON$stringify__default = /*#__PURE__*/_interopDefault(_JSON$stringify);
+
+async function getAccessToken(params) {
+  const vaultAddr = params.vaultAddr ?? process.env.VAULT_ADDR;
+  const jwt = params.jwt ?? process.env.CIRCLE_OIDC_TOKEN;
+  const vaultAuthUrl = [vaultAddr, 'v1', 'auth/oidc/circleci/login'].join('/');
+  const response = await fetch(vaultAuthUrl, {
+    method: 'POST',
+    body: _JSON$stringify__default["default"]({
+      role: params.role,
+      jwt
+    })
+  });
+  const result = await response.json();
+  if (response.ok) {
+    return result.auth.client_token;
+  }
+  const error = new Error(response.statusText);
+  // @ts-ignore
+  error.body = result;
+  throw error;
+}
+
+async function getSecret(params) {
+  const vaultAddr = params.vaultAddr ?? process.env.VAULT_ADDR;
+  const vaultKV2Url = [vaultAddr, 'v1', params.mount, 'data', params.secretPath].join('/');
+  const response = await fetch(vaultKV2Url, {
+    method: 'GET',
+    headers: {
+      'X-Vault-Token': params.token
+    }
+  });
+  const result = await response.json();
+  if (response.ok) {
+    return result.data.data;
+  }
+  const error = new Error(response.statusText);
+  // @ts-ignore
+  error.body = result;
+  throw error;
+}
+
+async function getCredentialsForCI(params) {
+  if (String(process.env.CI) === 'true') {
+    console.log(`ℹ️ 'CI' environment variable is defined. Reading secrets from Vault ${params.secretPath}.`);
+    const token = await getAccessToken({
+      role: `${params.repositoryName}_merchant-center`,
+      vaultAddr: params.vaultAddr
+    });
+    const secret = await getSecret({
+      token,
+      mount: `kv2/repositories/${params.repositoryName}`,
+      secretPath: params.secretPath,
+      vaultAddr: params.vaultAddr
+    });
+    return secret;
+  }
+  return {};
+}
+
+exports.getAccessToken = getAccessToken;
+exports.getCredentialsForCI = getCredentialsForCI;
+exports.getSecret = getSecret;

package/dist/commercetools-frontend-vault-utils.esm.js

@@ -0,0 +1,61 @@
+import _JSON$stringify from '@babel/runtime-corejs3/core-js-stable/json/stringify';
+
+async function getAccessToken(params) {
+  const vaultAddr = params.vaultAddr ?? process.env.VAULT_ADDR;
+  const jwt = params.jwt ?? process.env.CIRCLE_OIDC_TOKEN;
+  const vaultAuthUrl = [vaultAddr, 'v1', 'auth/oidc/circleci/login'].join('/');
+  const response = await fetch(vaultAuthUrl, {
+    method: 'POST',
+    body: _JSON$stringify({
+      role: params.role,
+      jwt
+    })
+  });
+  const result = await response.json();
+  if (response.ok) {
+    return result.auth.client_token;
+  }
+  const error = new Error(response.statusText);
+  // @ts-ignore
+  error.body = result;
+  throw error;
+}
+
+async function getSecret(params) {
+  const vaultAddr = params.vaultAddr ?? process.env.VAULT_ADDR;
+  const vaultKV2Url = [vaultAddr, 'v1', params.mount, 'data', params.secretPath].join('/');
+  const response = await fetch(vaultKV2Url, {
+    method: 'GET',
+    headers: {
+      'X-Vault-Token': params.token
+    }
+  });
+  const result = await response.json();
+  if (response.ok) {
+    return result.data.data;
+  }
+  const error = new Error(response.statusText);
+  // @ts-ignore
+  error.body = result;
+  throw error;
+}
+
+async function getCredentialsForCI(params) {
+  if (String(process.env.CI) === 'true') {
+    console.log(`ℹ️ 'CI' environment variable is defined. Reading secrets from Vault ${params.secretPath}.`);
+    const token = await getAccessToken({
+      role: `${params.repositoryName}_merchant-center`,
+      vaultAddr: params.vaultAddr
+    });
+    const secret = await getSecret({
+      token,
+      mount: `kv2/repositories/${params.repositoryName}`,
+      secretPath: params.secretPath,
+      vaultAddr: params.vaultAddr
+    });
+    return secret;
+  }
+  return {};
+}
+
+export { getAccessToken, getCredentialsForCI, getSecret };

package/dist/declarations/src/auth.d.ts

@@ -0,0 +1,16 @@
+export type TVaultGetAccessTokenParams = {
+    /**
+     * The role name of the JWT/OIDC auth backend. The format is `<circleci-project>_<circleci-context>`.
+     */
+    role: string;
+    /**
+     * The URL of the Vault server, usually exported as environment variable `VAULT_ADDR`.
+     */
+    vaultAddr?: string;
+    /**
+     * The JWT to authenticate to Vault. If used from CircleCI the variable is exported as `CIRCLE_OIDC_TOKEN`.
+     */
+    jwt?: string;
+};
+declare function getAccessToken(params: TVaultGetAccessTokenParams): Promise<string>;
+export { getAccessToken };

package/dist/declarations/src/credentials.d.ts

@@ -0,0 +1,16 @@
+export type TVaultGetCredentialsParams = {
+    /**
+     * The name of the repository
+     */
+    repositoryName: string;
+    /**
+     * The path to the secret to read.
+     */
+    secretPath: string;
+    /**
+     * The URL of the Vault server, usually exported as environment variable `VAULT_ADDR`.
+     */
+    vaultAddr?: string;
+};
+declare function getCredentialsForCI(params: TVaultGetCredentialsParams): Promise<Record<string, string>>;
+export { getCredentialsForCI };

package/dist/declarations/src/index.d.ts

@@ -0,0 +1,3 @@
+export { getAccessToken } from "./auth.js";
+export { getCredentialsForCI } from "./credentials.js";
+export { getSecret } from "./secrets.js";

package/dist/declarations/src/secrets.d.ts

@@ -0,0 +1,20 @@
+type TVaultGetSecretParams = {
+    /**
+     * The Vault token. Use the `getAccessToken` method to get one.
+     */
+    token: string;
+    /**
+     * The path to the KV mount containing the secret to read.
+     */
+    mount: string;
+    /**
+     * The path to the secret to read.
+     */
+    secretPath: string;
+    /**
+     * The URL of the Vault server, usually exported as environment variable `VAULT_ADDR`.
+     */
+    vaultAddr?: string;
+};
+declare function getSecret(params: TVaultGetSecretParams): Promise<unknown>;
+export { getSecret };

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@commercetools-frontend/vault-utils",
+  "version": "1.0.0",
+  "description": "Utilities to integrate with Vault",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "typecheck": "tsc --noEmit"
+  },
+  "main": "dist/commercetools-frontend-vault-utils.cjs.js",
+  "module": "dist/commercetools-frontend-vault-utils.esm.js",
+  "files": [
+    "dist",
+    "package.json",
+    "LICENSE",
+    "README.md"
+  ],
+  "dependencies": {
+    "@babel/runtime": "^7.21.0",
+    "@babel/runtime-corejs3": "^7.21.0"
+  },
+  "devDependencies": {
+    "@tsconfig/node20": "20.1.2",
+    "@types/node": "20.11.25",
+    "typescript": "5.2.2"
+  },
+  "engines": {
+    "node": ">=18",
+    "npm": ">=5"
+  }
+}