@contractspec/integration.runtime 1.56.1 → 1.58.0

package/dist/node/secrets/index.js

@@ -0,0 +1,549 @@
+// src/secrets/provider.ts
+import { Buffer as Buffer2 } from "node:buffer";
+
+class SecretProviderError extends Error {
+  provider;
+  reference;
+  code;
+  cause;
+  constructor(params) {
+    super(params.message);
+    this.name = "SecretProviderError";
+    this.provider = params.provider;
+    this.reference = params.reference;
+    this.code = params.code ?? "UNKNOWN";
+    this.cause = params.cause;
+  }
+}
+function parseSecretUri(reference) {
+  if (!reference) {
+    throw new SecretProviderError({
+      message: "Secret reference cannot be empty",
+      provider: "unknown",
+      reference,
+      code: "INVALID"
+    });
+  }
+  const [scheme, rest] = reference.split("://");
+  if (!scheme || !rest) {
+    throw new SecretProviderError({
+      message: `Invalid secret reference: ${reference}`,
+      provider: "unknown",
+      reference,
+      code: "INVALID"
+    });
+  }
+  const queryIndex = rest.indexOf("?");
+  if (queryIndex === -1) {
+    return {
+      provider: scheme,
+      path: rest
+    };
+  }
+  const path = rest.slice(0, queryIndex);
+  const query = rest.slice(queryIndex + 1);
+  const extras = Object.fromEntries(query.split("&").filter(Boolean).map((pair) => {
+    const [keyRaw, valueRaw] = pair.split("=");
+    const key = keyRaw ?? "";
+    const value = valueRaw ?? "";
+    return [decodeURIComponent(key), decodeURIComponent(value)];
+  }));
+  return {
+    provider: scheme,
+    path,
+    extras
+  };
+}
+function normalizeSecretPayload(payload) {
+  if (payload.data instanceof Uint8Array) {
+    return payload.data;
+  }
+  if (payload.encoding === "base64") {
+    return Buffer2.from(payload.data, "base64");
+  }
+  if (payload.encoding === "binary") {
+    return Buffer2.from(payload.data, "binary");
+  }
+  return Buffer2.from(payload.data, "utf-8");
+}
+
+// src/secrets/gcp-secret-manager.ts
+import {
+  SecretManagerServiceClient
+} from "@google-cloud/secret-manager";
+var DEFAULT_REPLICATION = {
+  automatic: {}
+};
+
+class GcpSecretManagerProvider {
+  id = "gcp-secret-manager";
+  client;
+  explicitProjectId;
+  replication;
+  constructor(options = {}) {
+    this.client = options.client ?? new SecretManagerServiceClient(options.clientOptions ?? {});
+    this.explicitProjectId = options.projectId;
+    this.replication = options.defaultReplication ?? DEFAULT_REPLICATION;
+  }
+  canHandle(reference) {
+    try {
+      const parsed = parseSecretUri(reference);
+      return parsed.provider === "gcp";
+    } catch {
+      return false;
+    }
+  }
+  async getSecret(reference, options, callOptions) {
+    const location = this.parseReference(reference);
+    const secretVersionName = this.buildVersionName(location, options?.version);
+    try {
+      const response = await this.client.accessSecretVersion({
+        name: secretVersionName
+      }, callOptions ?? {});
+      const [result] = response;
+      const payload = result.payload;
+      if (!payload?.data) {
+        throw new SecretProviderError({
+          message: `Secret payload empty for ${secretVersionName}`,
+          provider: this.id,
+          reference,
+          code: "UNKNOWN"
+        });
+      }
+      const version = extractVersionFromName(result.name ?? secretVersionName);
+      return {
+        data: payload.data,
+        version,
+        metadata: payload.dataCrc32c ? { crc32c: payload.dataCrc32c.toString() } : undefined,
+        retrievedAt: new Date
+      };
+    } catch (error) {
+      throw toSecretProviderError({
+        error,
+        provider: this.id,
+        reference,
+        operation: "access"
+      });
+    }
+  }
+  async setSecret(reference, payload) {
+    const location = this.parseReference(reference);
+    const { secretName } = this.buildNames(location);
+    const data = normalizeSecretPayload(payload);
+    await this.ensureSecretExists(location, payload);
+    try {
+      const response = await this.client.addSecretVersion({
+        parent: secretName,
+        payload: {
+          data
+        }
+      });
+      if (!response) {
+        throw new SecretProviderError({
+          message: `No version returned when adding secret version for ${secretName}`,
+          provider: this.id,
+          reference,
+          code: "UNKNOWN"
+        });
+      }
+      const [version] = response;
+      const versionName = version?.name ?? `${secretName}/versions/latest`;
+      return {
+        reference: `gcp://${versionName}`,
+        version: extractVersionFromName(versionName) ?? "latest"
+      };
+    } catch (error) {
+      throw toSecretProviderError({
+        error,
+        provider: this.id,
+        reference,
+        operation: "addSecretVersion"
+      });
+    }
+  }
+  async rotateSecret(reference, payload) {
+    return this.setSecret(reference, payload);
+  }
+  async deleteSecret(reference) {
+    const location = this.parseReference(reference);
+    const { secretName } = this.buildNames(location);
+    try {
+      await this.client.deleteSecret({
+        name: secretName
+      });
+    } catch (error) {
+      throw toSecretProviderError({
+        error,
+        provider: this.id,
+        reference,
+        operation: "delete"
+      });
+    }
+  }
+  parseReference(reference) {
+    const parsed = parseSecretUri(reference);
+    if (parsed.provider !== "gcp") {
+      throw new SecretProviderError({
+        message: `Unsupported secret provider: ${parsed.provider}`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const segments = parsed.path.split("/").filter(Boolean);
+    if (segments.length < 4 || segments[0] !== "projects") {
+      throw new SecretProviderError({
+        message: `Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const projectIdCandidate = segments[1] ?? this.explicitProjectId;
+    if (!projectIdCandidate) {
+      throw new SecretProviderError({
+        message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const indexOfSecrets = segments.indexOf("secrets");
+    if (indexOfSecrets === -1 || indexOfSecrets + 1 >= segments.length) {
+      throw new SecretProviderError({
+        message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const resolvedProjectId = projectIdCandidate;
+    const secretIdCandidate = segments[indexOfSecrets + 1];
+    if (!secretIdCandidate) {
+      throw new SecretProviderError({
+        message: `Unable to resolve secret ID from reference "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const secretId = secretIdCandidate;
+    const indexOfVersions = segments.indexOf("versions");
+    const version = parsed.extras?.version ?? (indexOfVersions !== -1 && indexOfVersions + 1 < segments.length ? segments[indexOfVersions + 1] : undefined);
+    return {
+      projectId: resolvedProjectId,
+      secretId,
+      version
+    };
+  }
+  buildNames(location) {
+    const projectId = location.projectId ?? this.explicitProjectId;
+    if (!projectId) {
+      throw new SecretProviderError({
+        message: "Project ID must be provided either in reference or provider configuration",
+        provider: this.id,
+        reference: `gcp://projects//secrets/${location.secretId}`,
+        code: "INVALID"
+      });
+    }
+    const projectParent = `projects/${projectId}`;
+    const secretName = `${projectParent}/secrets/${location.secretId}`;
+    return {
+      projectParent,
+      secretName
+    };
+  }
+  buildVersionName(location, explicitVersion) {
+    const { secretName } = this.buildNames(location);
+    const version = explicitVersion ?? location.version ?? "latest";
+    return `${secretName}/versions/${version}`;
+  }
+  async ensureSecretExists(location, payload) {
+    const { secretName, projectParent } = this.buildNames(location);
+    try {
+      await this.client.getSecret({ name: secretName });
+    } catch (error) {
+      const providerError = toSecretProviderError({
+        error,
+        provider: this.id,
+        reference: `gcp://${secretName}`,
+        operation: "getSecret",
+        suppressThrow: true
+      });
+      if (!providerError || providerError.code !== "NOT_FOUND") {
+        if (providerError) {
+          throw providerError;
+        }
+        throw error;
+      }
+      try {
+        await this.client.createSecret({
+          parent: projectParent,
+          secretId: location.secretId,
+          secret: {
+            replication: this.replication,
+            labels: payload.labels
+          }
+        });
+      } catch (creationError) {
+        const creationProviderError = toSecretProviderError({
+          error: creationError,
+          provider: this.id,
+          reference: `gcp://${secretName}`,
+          operation: "createSecret"
+        });
+        throw creationProviderError;
+      }
+    }
+  }
+}
+function extractVersionFromName(name) {
+  const segments = name.split("/").filter(Boolean);
+  const index = segments.indexOf("versions");
+  if (index === -1 || index + 1 >= segments.length) {
+    return;
+  }
+  return segments[index + 1];
+}
+function toSecretProviderError(params) {
+  const { error, provider, reference, operation, suppressThrow } = params;
+  if (error instanceof SecretProviderError) {
+    return error;
+  }
+  const code = deriveErrorCode(error);
+  const message = error instanceof Error ? error.message : `Unknown error during ${operation}`;
+  const providerError = new SecretProviderError({
+    message,
+    provider,
+    reference,
+    code,
+    cause: error
+  });
+  if (suppressThrow) {
+    return providerError;
+  }
+  throw providerError;
+}
+function deriveErrorCode(error) {
+  if (typeof error !== "object" || error === null) {
+    return "UNKNOWN";
+  }
+  const errorAny = error;
+  const code = errorAny.code;
+  if (code === 5 || code === "NOT_FOUND")
+    return "NOT_FOUND";
+  if (code === 6 || code === "ALREADY_EXISTS")
+    return "INVALID";
+  if (code === 7 || code === "PERMISSION_DENIED" || code === 403) {
+    return "FORBIDDEN";
+  }
+  if (code === 3 || code === "INVALID_ARGUMENT")
+    return "INVALID";
+  return "UNKNOWN";
+}
+
+// src/secrets/env-secret-provider.ts
+class EnvSecretProvider {
+  id = "env";
+  aliases;
+  constructor(options = {}) {
+    this.aliases = options.aliases ?? {};
+  }
+  canHandle(reference) {
+    const envKey = this.resolveEnvKey(reference);
+    return envKey !== undefined && process.env[envKey] !== undefined;
+  }
+  async getSecret(reference) {
+    const envKey = this.resolveEnvKey(reference);
+    if (!envKey) {
+      throw new SecretProviderError({
+        message: `Unable to resolve environment variable for reference "${reference}".`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const value = process.env[envKey];
+    if (value === undefined) {
+      throw new SecretProviderError({
+        message: `Environment variable "${envKey}" not found for reference "${reference}".`,
+        provider: this.id,
+        reference,
+        code: "NOT_FOUND"
+      });
+    }
+    return {
+      data: Buffer.from(value, "utf-8"),
+      version: "current",
+      metadata: {
+        source: "env",
+        envKey
+      },
+      retrievedAt: new Date
+    };
+  }
+  async setSecret(reference, _payload) {
+    throw this.forbiddenError("setSecret", reference);
+  }
+  async rotateSecret(reference, _payload) {
+    throw this.forbiddenError("rotateSecret", reference);
+  }
+  async deleteSecret(reference) {
+    throw this.forbiddenError("deleteSecret", reference);
+  }
+  resolveEnvKey(reference) {
+    if (!reference) {
+      return;
+    }
+    if (this.aliases[reference]) {
+      return this.aliases[reference];
+    }
+    if (!reference.includes("://")) {
+      return reference;
+    }
+    try {
+      const parsed = parseSecretUri(reference);
+      if (parsed.provider === "env") {
+        return parsed.path;
+      }
+      if (parsed.extras?.env) {
+        return parsed.extras.env;
+      }
+      return this.deriveEnvKey(parsed.path);
+    } catch {
+      return reference;
+    }
+  }
+  deriveEnvKey(path) {
+    if (!path)
+      return;
+    return path.split(/[/:\-.]/).filter(Boolean).map((segment) => segment.replace(/[^a-zA-Z0-9]/g, "_").replace(/_{2,}/g, "_").toUpperCase()).join("_");
+  }
+  forbiddenError(operation, reference) {
+    return new SecretProviderError({
+      message: `EnvSecretProvider is read-only. "${operation}" is not allowed for ${reference}.`,
+      provider: this.id,
+      reference,
+      code: "FORBIDDEN"
+    });
+  }
+}
+
+// src/secrets/manager.ts
+class SecretProviderManager {
+  id;
+  providers = [];
+  registrationCounter = 0;
+  constructor(options = {}) {
+    this.id = options.id ?? "secret-provider-manager";
+    const initialProviders = options.providers ?? [];
+    for (const entry of initialProviders) {
+      this.register(entry.provider, { priority: entry.priority });
+    }
+  }
+  register(provider, options = {}) {
+    this.providers.push({
+      provider,
+      priority: options.priority ?? 0,
+      order: this.registrationCounter++
+    });
+    this.providers.sort((a, b) => {
+      if (a.priority !== b.priority) {
+        return b.priority - a.priority;
+      }
+      return a.order - b.order;
+    });
+    return this;
+  }
+  canHandle(reference) {
+    return this.providers.some(({ provider }) => safeCanHandle(provider, reference));
+  }
+  async getSecret(reference, options) {
+    const errors = [];
+    for (const { provider } of this.providers) {
+      if (!safeCanHandle(provider, reference)) {
+        continue;
+      }
+      try {
+        return await provider.getSecret(reference, options);
+      } catch (error) {
+        if (error instanceof SecretProviderError) {
+          errors.push(error);
+          if (error.code !== "NOT_FOUND") {
+            break;
+          }
+          continue;
+        }
+        throw error;
+      }
+    }
+    throw this.composeError("getSecret", reference, errors, options?.version);
+  }
+  async setSecret(reference, payload) {
+    return this.delegateToFirst("setSecret", reference, (provider) => provider.setSecret(reference, payload));
+  }
+  async rotateSecret(reference, payload) {
+    return this.delegateToFirst("rotateSecret", reference, (provider) => provider.rotateSecret(reference, payload));
+  }
+  async deleteSecret(reference) {
+    await this.delegateToFirst("deleteSecret", reference, (provider) => provider.deleteSecret(reference));
+  }
+  async delegateToFirst(operation, reference, invoker) {
+    const errors = [];
+    for (const { provider } of this.providers) {
+      if (!safeCanHandle(provider, reference)) {
+        continue;
+      }
+      try {
+        return await invoker(provider);
+      } catch (error) {
+        if (error instanceof SecretProviderError) {
+          errors.push(error);
+          continue;
+        }
+        throw error;
+      }
+    }
+    throw this.composeError(operation, reference, errors);
+  }
+  composeError(operation, reference, errors, version) {
+    if (errors.length === 1) {
+      const [singleError] = errors;
+      if (singleError) {
+        return singleError;
+      }
+    }
+    const messageParts = [
+      `No registered secret provider could ${operation}`,
+      `reference "${reference}"`
+    ];
+    if (version) {
+      messageParts.push(`(version: ${version})`);
+    }
+    if (errors.length > 1) {
+      messageParts.push(`Attempts: ${errors.map((error) => `${error.provider}:${error.code}`).join(", ")}`);
+    }
+    return new SecretProviderError({
+      message: messageParts.join(" "),
+      provider: this.id,
+      reference,
+      code: errors.length > 0 ? errors[errors.length - 1].code : "UNKNOWN",
+      cause: errors
+    });
+  }
+}
+function safeCanHandle(provider, reference) {
+  try {
+    return provider.canHandle(reference);
+  } catch {
+    return false;
+  }
+}
+export {
+  parseSecretUri,
+  normalizeSecretPayload,
+  SecretProviderManager,
+  SecretProviderError,
+  GcpSecretManagerProvider,
+  EnvSecretProvider
+};