@shushed/helpers 0.0.202 → 0.0.203-bug-erp-770-20251208112219

package/dist/cjs/src-public/env.js

@@ -1,900 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const crypto = __importStar(require("crypto"));
-const crypto_1 = require("crypto");
-const co_body_1 = __importDefault(require("co-body"));
-const jose_1 = require("jose");
-const lodash_omit_1 = __importDefault(require("lodash.omit"));
-const rate_limiter_flexible_1 = require("rate-limiter-flexible");
-const pubsub_1 = __importDefault(require("./pubsub"));
-const redisClient_1 = require("./redisClient");
-const runtime_1 = __importDefault(require("./runtime"));
-const utils_1 = require("./utils");
-const ENV_NAME_CONTAINING_SERVICE_ACCOUNTS = 'hush_trigger_allowed_service_accounts';
-const ENV_NAME_RN_WORFKLOW_TRIGGER_ID = 'hush_trigger_rn_workflow_trigger_id';
-const ENV_NAME_PUBSUB_PROJECT_ID = 'hush_pubsub_project_id';
-const ENV_NAME_PUBSUB_SERVICE_ACCOUNT = 'hush_pubsub_service_account';
-const ENV_NAME_SECRET_ENCRYPTION_KEY = 'SECRET_ENCRYPTION_KEY';
-global.IN_MEMORY_REF = global.IN_MEMORY_REF || {
-    env: {},
-    workflow: {},
-    trigger: {},
-};
-class EnvEngine extends runtime_1.default {
-    globalInMemoryRef;
-    inMemoryRef;
-    docRef = null;
-    store;
-    _envCache = {};
-    _lockRateLimiter = null;
-    constructor(opts, _) {
-        super(opts);
-        Object.assign(global.IN_MEMORY_REF || {}, {
-            env: { [this.envName]: global.IN_MEMORY_REF?.env?.[this.envName] || {} },
-            workflow: { [this.envName + this.workflowId]: global.IN_MEMORY_REF?.workflow?.[this.envName + this.workflowId] || {} },
-            trigger: { [this.envName + this.workflowId + this.triggerId]: global.IN_MEMORY_REF?.trigger?.[this.envName + this.workflowId + this.triggerId] || {} },
-        });
-        this.globalInMemoryRef = {
-            env: global.IN_MEMORY_REF?.env?.[this.envName] || {},
-            workflow: global.IN_MEMORY_REF?.workflow?.[this.envName + this.workflowId] || {},
-            trigger: global.IN_MEMORY_REF?.trigger?.[this.envName + this.workflowId + this.triggerId] || {},
-        };
-        this.inMemoryRef = {
-            env: {},
-            workflow: {},
-            trigger: {},
-        };
-        this.store = {
-            env: null,
-            workflow: null,
-            trigger: null,
-        };
-    }
-    initializeDocRef() {
-        if (this.docRef) {
-            return;
-        }
-        const firestore = (0, utils_1.getFirestore)(this.systemEnvName);
-        this.docRef = {
-            env: firestore?.doc(`hush-${this.envName}/0-0`),
-            workflow: firestore?.doc(`hush-${this.envName}/${this.workflowId}-0`),
-            trigger: firestore?.doc(`hush-${this.envName}/${this.workflowId}-${this.triggerId}`),
-        };
-    }
-    async set(envs, level = 'trigger', optionsOrEncryptWithValue) {
-        const options = typeof optionsOrEncryptWithValue === 'object' ? optionsOrEncryptWithValue : {
-            encrypted: !!optionsOrEncryptWithValue,
-            encryptionKey: optionsOrEncryptWithValue,
-            ephemeralMs: 0
-        };
-        let expirseAt = 0;
-        if ((options.ephemeralMs || 0) > 3 * 60 * 60 * 1000) {
-            throw new Error('Validation Error. The options.ephemeralMs cannot be set for the duration longer than 3 hours');
-        }
-        const now = Date.now();
-        expirseAt = now + (options.ephemeralMs || 0);
-        if (options.encrypted && !options.encryptionKey) {
-            if (!options.ephemeralMs) {
-                throw new Error(`Invariant while setting the value for ${this.systemEnvName}. If the options.encryptionKey is not set and the encryption with the default key is used, only the ephemeral storage can be used. Set the ephemeralMs`);
-            }
-            else {
-                if (!this._envCache[this.systemEnvName]) {
-                    const jsonEnv = JSON.parse(process.env[`${this.systemEnvName}ProjectEnv`] || JSON.stringify({
-                        __mock_invalid: true
-                    }));
-                    this._envCache[this.systemEnvName] = jsonEnv;
-                }
-                let cachedEnv = this._envCache[this.systemEnvName];
-                if (cachedEnv['__mock_invalid']) {
-                    cachedEnv = process.env;
-                }
-                options.encryptionKey = cachedEnv[ENV_NAME_SECRET_ENCRYPTION_KEY];
-                if (!options.encryptionKey) {
-                    throw new Error(`Invariant while setting the value for ${this.systemEnvName}. If the options.encryptionKey is not set and the encryption with the default key is used, only the ephemeral storage can be used. Set the ephemeralMs. The default key is missing.`);
-                }
-            }
-        }
-        let aes = null;
-        if (options.encryptionKey) {
-            aes = new AES256GCM(Buffer.from(options.encryptionKey, 'utf8'));
-        }
-        const objPlain = envs
-            .filter((env) => !!env.name)
-            .reduce((prev, curr) => {
-            const value = curr.value;
-            return ({ ...prev, [curr.name]: value });
-        }, {});
-        const objEncrypted = envs
-            .filter((env) => !!env.name)
-            .reduce((prev, curr) => {
-            let value = curr.value;
-            if (aes) {
-                value = aes.encrypt(curr.value);
-            }
-            return ({ ...prev, [curr.name]: value });
-        }, {});
-        Object.assign(this.inMemoryRef[level], Object.fromEntries(Object.entries(objPlain).map(([k, v]) => [k, `${expirseAt}/${now}/${v}`])));
-        if (options.ephemeralMs) {
-            if (!options.ignoreStores?.includes('global')) {
-                Object.assign(this.globalInMemoryRef[level], Object.fromEntries(Object.entries(objEncrypted).map(([k, v]) => [k, `${expirseAt}/${now}/${v}`])));
-            }
-            if (!options.ignoreStores?.includes('redis')) {
-                (async () => {
-                    const redisClient = await (0, redisClient_1.getConnectedRedisClient)(this.systemEnvName).catch(() => null);
-                    if (redisClient) {
-                        Promise.allSettled(Object.entries(objEncrypted).map(([k, v]) => redisClient.set(k, `${expirseAt}/${now}/${v}`, { PX: expirseAt - Date.now() })));
-                    }
-                })().catch(() => this.logging.error(`Failed to set the ${envs.map(x => x.name).join(', ')} in Redis`));
-            }
-        }
-        else {
-            await this.initializeDocRef();
-            if (this.docRef[level]) {
-                try {
-                    await this.docRef[level].set(objEncrypted, { merge: true });
-                }
-                catch (err) {
-                    throw new Error(`Failed to set the ${envs.map(x => x.name).join(', ')}. Error: ${err.message}`);
-                }
-            }
-            else { }
-        }
-        return undefined;
-    }
-    async getFirestoreStore(level = 'trigger') {
-        await this.initializeDocRef();
-        const store = await this.docRef[level].get();
-        return store.data() || {};
-    }
-    async get(keys, level = 'trigger', decryptWithValueOrOptions) {
-        const options = typeof decryptWithValueOrOptions === 'object' ? decryptWithValueOrOptions : {
-            encrypted: !!decryptWithValueOrOptions,
-            encryptionKey: decryptWithValueOrOptions,
-            isEphemeral: false
-        };
-        const keysParsed = typeof keys === 'string' ? [keys] : keys;
-        const result = await this._get(keysParsed, level, options);
-        if (typeof keys === 'string') {
-            return result[keys].valid ? result[keys].value : '';
-        }
-        return Object.fromEntries(Object.entries(result).map(([k, v]) => [k, v.valid ? v.value : '']));
-    }
-    async _get(keysParsed, level = 'trigger', options) {
-        let aes = null;
-        if (options.encrypted && !options.encryptionKey) {
-            if (!options.isEphemeral) {
-                throw new Error(`Invariant while getting the value for ${this.systemEnvName}. If the options.encryptionKey is not set and the encryption with the default key is used, only the ephemeral storage can be used. Set the ephemeralMs`);
-            }
-            else {
-                if (!this._envCache[this.systemEnvName]) {
-                    let jsonEnv;
-                    if (process.env[`${this.systemEnvName}ProjectEnv`]) {
-                        try {
-                            jsonEnv = JSON.parse(process.env[`${this.systemEnvName}ProjectEnv`] || '');
-                        }
-                        catch (err) {
-                            this.logging.error(`Invariant: Cannot parse the ${this.systemEnvName}ProjectEnv as JSON. ${err?.message}`);
-                        }
-                    }
-                    this._envCache[this.systemEnvName] = jsonEnv || {
-                        __mock_invalid: true
-                    };
-                }
-                let cachedEnv = this._envCache[this.systemEnvName];
-                if (cachedEnv['__mock_invalid']) {
-                    cachedEnv = process.env;
-                }
-                options.encryptionKey = cachedEnv[ENV_NAME_SECRET_ENCRYPTION_KEY];
-                if (!options.encryptionKey) {
-                    throw new Error(`Invariant while getting the value for ${this.systemEnvName}. If the options.encryptionKey is not set and the encryption with the default key is used, only the ephemeral storage can be used. Set the ephemeralMs. The default key is missing.`);
-                }
-            }
-        }
-        if (options.encryptionKey) {
-            aes = new AES256GCM(Buffer.from(options.encryptionKey, 'utf8'));
-        }
-        let store = {};
-        if (options.isEphemeral && !options.store || options.store === 'inMemory') {
-            store = this.inMemoryRef[level];
-        }
-        else if (options.store === 'global') {
-            store = this.globalInMemoryRef[level];
-        }
-        else if (options.store === 'redis') {
-            store = {};
-        }
-        else {
-            store = await this.getFirestoreStore(level);
-        }
-        if (options.store === 'redis') {
-            const redisClient = await (0, redisClient_1.getConnectedRedisClient)(this.systemEnvName).catch(() => null);
-            if (redisClient) {
-                const values = await Promise.race([
-                    redisClient.mGet(keysParsed),
-                    new Promise((resolve) => setTimeout(() => {
-                        resolve(keysParsed.map(() => null));
-                    }, 30))
-                ]);
-                for (let i = 0; i < keysParsed.length; i++) {
-                    store[keysParsed[i]] = values[i] || '';
-                }
-            }
-        }
-        const parseEphemeral = !!options.isEphemeral;
-        const result = keysParsed.reduce((acc, k) => {
-            let v = store?.[k] || '';
-            let expiresAt = 0;
-            let createdAt = 0;
-            if (parseEphemeral && v.includes('/')) {
-                const valueParts = v.split('/');
-                v = valueParts.slice(2).join('/');
-                createdAt = parseInt(valueParts[1]);
-                expiresAt = parseInt(valueParts[0]);
-            }
-            let finalValue = '';
-            if (aes && v && typeof v === 'string' && options.store !== 'inMemory') {
-                try {
-                    finalValue = aes.decrypt(v);
-                }
-                catch (err) {
-                    finalValue = '';
-                }
-            }
-            else {
-                finalValue = typeof v !== 'string' ? `${(v === null || typeof v === 'undefined') ? '' : `${v}`}` : v;
-            }
-            acc[k] = {
-                createdAt,
-                expiresAt,
-                value: finalValue,
-                valid: parseEphemeral ? (expiresAt > Date.now() - (options.expirationMarginMs || 0) && finalValue !== '') : (finalValue !== '')
-            };
-            return acc;
-        }, {});
-        return result;
-    }
-    withGoogleAccessToken() {
-        const serviceName = process.env.K_SERVICE || '<not-cloud-run>';
-        return this.with(`google_access_token_${serviceName}`, 'env', { encrypted: true, ephemeralMs: 10 * 60 * 1000, fetch: () => (0, utils_1.getAccessToken)() });
-    }
-    withGoogleIdentityToken(audience) {
-        const audienceNorm = {
-            workflowId: audience ? (audience.workflowId || this.workflowId) : null,
-            triggerId: audience ? (audience.triggerId || this.triggerId) : null
-        };
-        const serviceName = process.env.K_SERVICE || '<not-cloud-run>';
-        console.log('JAKUB8', serviceName);
-        const expectedAudience = [process.env.GCLOUD_PROJECT, audienceNorm.workflowId, audienceNorm.triggerId].filter(x => x !== null).join('-');
-        return this.with(`google_identity_token_${serviceName}_${expectedAudience}`, 'env', { encrypted: true, ephemeralMs: 10 * 60 * 1000, fetch: () => (0, utils_1.getIdentityToken)(expectedAudience) });
-    }
-    resolveEnvName(envName) {
-        if (envName.startsWith('process.env.')) {
-            envName = envName.slice('process.env.'.length);
-        }
-        if (!this._envCache[this.systemEnvName]) {
-            const jsonEnv = JSON.parse(process.env[`${this.systemEnvName}ProjectEnv`] || '{ "__mock_invalid": true }');
-            this._envCache[this.systemEnvName] = jsonEnv;
-        }
-        const envObj = this._envCache[this.systemEnvName];
-        return envObj[envName] || envName;
-    }
-    async checkGoogleIdentiyToken(accessToken, audience, allowedServiceAccounts = [`runtime@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`]) {
-        if (!accessToken) {
-            return false;
-        }
-        function equalToWildcard(stringWithWildcard, str) {
-            const escaped = stringWithWildcard.replace(/[-/\\^$+?.()|[\]{}]/g, '\\$&');
-            const pattern = '^' + escaped.replace(/\*/g, '.*') + '$';
-            const regex = new RegExp(pattern);
-            return regex.test(str);
-        }
-        const audienceNorm = {
-            workflowId: audience ? (audience.workflowId || this.workflowId) : null,
-            triggerId: audience ? (audience.triggerId || this.triggerId) : null
-        };
-        const expectedAudience = [process.env.GCLOUD_PROJECT, audienceNorm.triggerId, audienceNorm.workflowId].filter(x => x !== null).join('-');
-        const splitted = accessToken.split(".");
-        let keyMeta;
-        let meta;
-        try {
-            keyMeta = JSON.parse(Buffer.from(splitted[0], "base64").toString('utf-8')) || {};
-            meta = JSON.parse(Buffer.from(splitted[1], "base64").toString('utf-8')) || {};
-        }
-        catch (err) {
-            this.logging.error(`Authorization header - Malformed Token. ${err.message}`);
-            return false;
-        }
-        let tokenExpirationTime = meta.exp;
-        if (!tokenExpirationTime) {
-            this.logging.error(`Authorization header - Expiration time is missing`);
-            return false;
-        }
-        tokenExpirationTime = tokenExpirationTime * 1000;
-        if (tokenExpirationTime < Date.now()) {
-            this.logging.error(`Authorization header - Token expired`);
-            return false;
-        }
-        if (!meta.email_verified) {
-            this.logging.error(`Authorization header - Email not verified`);
-            return false;
-        }
-        if (!allowedServiceAccounts.some(x => equalToWildcard(x, meta.email))) {
-            this.logging.error(`Authorization header - Wrong service account, got ${meta?.email}, expected one of ${allowedServiceAccounts.join(', ')}`);
-            return false;
-        }
-        if (!keyMeta.kid || !keyMeta.alg) {
-            this.logging.error(`Authorization header - Malformed Authorization Header. KID is missing`);
-            return false;
-        }
-        if (meta.aud !== expectedAudience) {
-            const receivedMoreSpecific = (expectedAudience + '-' + this.triggerId) === meta.aud || (expectedAudience + '-' + this.workflowId + '-' + this.triggerId) === meta.aud || (expectedAudience + '-' + this.workflowId) === meta.aud || (expectedAudience + '/' + this.workflowId + '/' + this.triggerId) === meta.aud || (expectedAudience + '/' + this.workflowId) === meta.aud || (expectedAudience + '/' + this.triggerId) === meta.aud;
-            if (!receivedMoreSpecific) {
-                this.logging.error(`Authorization header - Wrong audience, got ${meta?.aud}, expected ${expectedAudience}`);
-                return false;
-            }
-        }
-        const tokenSignature = (0, crypto_1.createHash)('sha256').update(accessToken).digest('hex');
-        const tokensServiceAccount = await this.get('google_identity_token_signature_' + tokenSignature, 'env', { encrypted: false, isEphemeral: true, store: 'global' });
-        if (tokensServiceAccount && allowedServiceAccounts.some(x => equalToWildcard(x, tokensServiceAccount))) {
-            return tokensServiceAccount;
-        }
-        const publicKey = await this.with('google_public_keys', 'env', {
-            encrypted: false,
-            ephemeralMs: 20 * 60 * 1000,
-            fetch: async () => {
-                const res = await fetch('https://www.googleapis.com/oauth2/v3/certs');
-                if (!res.ok) {
-                    throw new Error(`Failed to fetch public keys: ${await res.text().catch(() => 'Unknown error')}`);
-                }
-                return res.text();
-            }
-        })(async (publicKeys) => {
-            const jwks = JSON.parse(publicKeys);
-            const keyInStorage = jwks?.keys.find((x) => x.kid === keyMeta.kid);
-            if (!keyInStorage) {
-                throw new Error('Google JWKS - Key not found in the Google JWKS set');
-            }
-            return keyInStorage;
-        });
-        try {
-            await (0, jose_1.jwtVerify)(accessToken, await (0, jose_1.importJWK)(publicKey, keyMeta.alg), {
-                issuer: ['https://accounts.google.com', 'accounts.google.com'],
-                clockTolerance: 0,
-                audience: [expectedAudience, expectedAudience + '-' + this.workflowId, expectedAudience + '-' + this.workflowId + '-' + this.triggerId, expectedAudience + '/' + this.workflowId + '/' + this.triggerId, expectedAudience + '/' + this.workflowId, expectedAudience + '/' + this.triggerId, expectedAudience + '-' + this.triggerId],
-            });
-        }
-        catch (err) {
-            this.logging.log(`Authorization header - Signature verification failed: ${err.message}`);
-            return false;
-        }
-        await this.set([{
-                name: 'google_identity_token_signature_' + tokenSignature,
-                value: meta.email
-            }], 'env', { encrypted: false, ephemeralMs: Math.max(tokenExpirationTime - Date.now(), 5 * 60 * 1000), ignoreStores: ['redis'] });
-        return meta.email;
-    }
-    withSecret(key) {
-        if (key.startsWith('process.secret.')) {
-            key = key.slice('process.secret.'.length);
-        }
-        return this.with('__secret_' + key, 'env', {
-            encrypted: true,
-            ephemeralMs: 5 * 60 * 1000,
-            fetch: () => {
-                return this.withGoogleAccessToken()(async (accessToken) => {
-                    const secret = await (0, utils_1.getSecret)(this, key, accessToken);
-                    return secret;
-                });
-            }
-        });
-    }
-    with(key, level = 'trigger', options) {
-        return async (fn) => {
-            let lastError;
-            let lastResult;
-            let valueFoundAndWorking = false;
-            const injectedFunction = async (value) => {
-                let nextValueFoundAndWorking = true;
-                const requestCacheRefresh = () => {
-                    nextValueFoundAndWorking = false;
-                };
-                try {
-                    const result = await fn(value, requestCacheRefresh);
-                    lastResult = result;
-                    lastError = undefined;
-                }
-                catch (err) {
-                    lastError = err;
-                    lastResult = undefined;
-                    requestCacheRefresh();
-                }
-                valueFoundAndWorking = nextValueFoundAndWorking;
-                return valueFoundAndWorking;
-            };
-            let possibleValue = null;
-            let stores;
-            if (options?.ephemeralMs) {
-                stores = ['inMemory', 'global', 'redis'];
-            }
-            else {
-                stores = ['firestore'];
-            }
-            const checkedStores = [];
-            for (let i = 0; i < stores.length; i++) {
-                const store = stores[i];
-                checkedStores.push(store);
-                const value = await this._get([key], level, { ...options, store: store, isEphemeral: true });
-                if (value[key].valid) {
-                    possibleValue = Object.assign({}, value[key], {
-                        checkedStores
-                    });
-                    if (await injectedFunction(value[key].value)) {
-                        if (store === 'redis') {
-                            this.set([{
-                                    name: key,
-                                    value: value[key].value
-                                }], level, { encrypted: options?.encrypted || false, ephemeralMs: value[key].expiresAt - Date.now(), ignoreStores: ['redis'] });
-                        }
-                        return lastResult;
-                    }
-                    possibleValue = null;
-                }
-            }
-            if (!possibleValue && options?.fetch) {
-                this.logging.log(`Value ${key} not found in the cache, fetching from the source`);
-                const value = await options?.fetch?.();
-                possibleValue = {
-                    value: value,
-                    valid: true,
-                    createdAt: Date.now(),
-                    expiresAt: Date.now() + (options?.ephemeralMs || 0),
-                };
-                await injectedFunction(value);
-                this.set([{
-                        name: key,
-                        value: value
-                    }], level, { encrypted: options?.encrypted || false, ephemeralMs: options?.ephemeralMs || 0 });
-            }
-            if (lastError) {
-                throw lastError;
-            }
-            return lastResult;
-        };
-    }
-    pauseRespectfulNudge(subscriptionName, partialConfig) {
-        const workflowTriggerId = this.resolveEnvName(ENV_NAME_RN_WORFKLOW_TRIGGER_ID);
-        if (!workflowTriggerId) {
-            throw new Error('RN Workflow Trigger ID is not set. Please set the ' + ENV_NAME_RN_WORFKLOW_TRIGGER_ID + ' environment variable.');
-        }
-        const pubSubProjectId = this.resolveEnvName(ENV_NAME_PUBSUB_PROJECT_ID);
-        if (!pubSubProjectId) {
-            throw new Error('PubSub Project ID is not set. Please set the ' + ENV_NAME_PUBSUB_PROJECT_ID + ' environment variable.');
-        }
-        const rnConfig = Object.assign({}, {
-            workflowTriggerId: workflowTriggerId,
-            pubSubProjectId: pubSubProjectId,
-        }, partialConfig);
-        const subscriptionQualifiedName = `projects/${rnConfig.pubSubProjectId}/subscriptions/${subscriptionName}`;
-        return this.withGoogleIdentityToken({
-            workflowId: rnConfig.workflowTriggerId.split('/')[0],
-            triggerId: rnConfig.workflowTriggerId.split('/')[1],
-        })(async (token) => {
-            if (!(await fetch(this.runtimeUrl + `/executeWorkflow/${rnConfig.workflowTriggerId}`, {
-                method: 'POST',
-                headers: {
-                    'X-Buildship-Trigger-Authorization': `Bearer ${token}`,
-                    Authorization: `Bearer ${token}`,
-                    'Content-Type': 'application/json'
-                },
-                body: JSON.stringify({
-                    subscriptionName: subscriptionQualifiedName,
-                    operation: 'pause',
-                })
-            })).ok) {
-                throw new Error('Failed to deactivate the main subscription with respectful nudge');
-            }
-            return true;
-        });
-    }
-    getRespectfulNudgeConfig(subscriptionName, rnPartialConfig) {
-        const workflowTriggerId = this.resolveEnvName(ENV_NAME_RN_WORFKLOW_TRIGGER_ID);
-        if (!workflowTriggerId) {
-            throw new Error('RN Workflow Trigger ID is not set. Please set the ' + ENV_NAME_RN_WORFKLOW_TRIGGER_ID + ' environment variable.');
-        }
-        const pubSubProjectId = this.resolveEnvName(ENV_NAME_PUBSUB_PROJECT_ID);
-        if (!pubSubProjectId) {
-            throw new Error('PubSub Project ID is not set. Please set the ' + ENV_NAME_PUBSUB_PROJECT_ID + ' environment variable.');
-        }
-        const rnConfig = Object.assign({}, {
-            pubSubProjectId: pubSubProjectId,
-            noAllowedWorkers: 1,
-            workflowTriggerId: this.workflowId + '/' + this.triggerId,
-            workerGroup: this.envName,
-            errorThreshold: 0.80,
-            error429Threshold: 0.30,
-            pauseOnErrorThresholdExceededSeconds: 60 * 10,
-            pauseOnError429ThresholdExceededSeconds: 60 * 10,
-            pauseBeforeProcessingMessagesSeconds: 0,
-            maxOutstandingMessages: 5,
-            ackDeadline: 10,
-            retryMinDelay: 60,
-            retryMaxDelay: 60 * 10,
-            retryLimit: 5,
-            topicName: subscriptionName,
-            tableName: '',
-            tableAckDeadline: 60,
-            tableRetryMinDelay: 60 * 5,
-            tableRetryMaxDelay: 60 * 10,
-            tableRetryLimit: 10,
-            orderingIndexFields: [],
-            orderingSortField: '',
-            batchSize: 1,
-            subscriptionFilter: null,
-            batchWindowSeconds: 10,
-        }, Object.fromEntries(Object.entries(rnPartialConfig).filter(x => !(x === null || x === undefined))));
-        return rnConfig;
-    }
-    createOrUpdateRespectfulNudge(subscriptionName, rnPartialConfig) {
-        const workflowTriggerId = this.resolveEnvName(ENV_NAME_RN_WORFKLOW_TRIGGER_ID);
-        if (!workflowTriggerId) {
-            throw new Error('RN Workflow Trigger ID is not set. Please set the ' + ENV_NAME_RN_WORFKLOW_TRIGGER_ID + ' environment variable.');
-        }
-        const pubSubProjectId = this.resolveEnvName(ENV_NAME_PUBSUB_PROJECT_ID);
-        if (!pubSubProjectId) {
-            throw new Error('PubSub Project ID is not set. Please set the ' + ENV_NAME_PUBSUB_PROJECT_ID + ' environment variable.');
-        }
-        const rnConfig = this.getRespectfulNudgeConfig(subscriptionName, rnPartialConfig);
-        const subscriptionQualifiedName = `projects/${rnConfig.pubSubProjectId}/subscriptions/${subscriptionName}`;
-        return this.withGoogleIdentityToken({
-            workflowId: workflowTriggerId.split('/')[0],
-            triggerId: workflowTriggerId.split('/')[1],
-        })(async (token) => {
-            const response = await fetch(this.runtimeUrl + `/executeWorkflow/${workflowTriggerId}`, {
-                method: 'POST',
-                headers: {
-                    'X-Buildship-Trigger-Authorization': `Bearer ${token}`,
-                    Authorization: `Bearer ${token}`,
-                    'Content-Type': 'application/json'
-                },
-                body: JSON.stringify({
-                    ...rnConfig,
-                    subscriptionName: subscriptionQualifiedName,
-                    operation: 'upsert',
-                })
-            });
-            if (!response.ok) {
-                throw new Error('Failed to register the main subscription with respectful nudge');
-            }
-            return true;
-        });
-    }
-    getRequestSource(request) {
-        const reqIsRespectfulNudge = (0, utils_1.isRespectfulNudge)(request.headers);
-        if (reqIsRespectfulNudge) {
-            return 'respectful-nudge';
-        }
-        const reqIsPubSub = (0, utils_1.isPubSubRequest)(request.headers);
-        if (reqIsPubSub) {
-            return 'pubsub';
-        }
-        const reqIsScheduler = (0, utils_1.isCronMessage)(request.headers);
-        if (reqIsScheduler) {
-            return 'scheduler';
-        }
-        const reqIsCloudTask = (0, utils_1.isCloudTask)(request.headers);
-        if (reqIsCloudTask) {
-            return 'cloud-task';
-        }
-        return 'direct';
-    }
-    async validateAuthorizationHeader(request) {
-        const authHeader = request.headers.authorization;
-        if (!authHeader || typeof authHeader !== 'string') {
-            throw new Error('Missing Authorization Header');
-        }
-        const allowedServiceAccounts = this.resolveEnvName(ENV_NAME_CONTAINING_SERVICE_ACCOUNTS).split(";").map(x => {
-            const [serviceAccount, ...flags] = x.trim().split(",").map(y => y.trim());
-            return {
-                flags,
-                serviceAccount
-            };
-        });
-        const serviceAccount = await this.checkGoogleIdentiyToken(authHeader.slice('Bearer '.length), undefined, allowedServiceAccounts.map(x => x.serviceAccount));
-        if (!serviceAccount) {
-            throw new Error('Invalid Authorization Header');
-        }
-        const flags = allowedServiceAccounts.find(x => x.serviceAccount === serviceAccount)?.flags || [];
-        if (!flags.includes('env-' + this.envName)) {
-            throw new Error('No permissions to access the environment ' + this.envName);
-        }
-        return {
-            serviceAccount,
-            flags: flags
-        };
-    }
-    async decodeRequests(request, nodeReq) {
-        const requestSource = this.getRequestSource(request);
-        let requestBody = null;
-        const rawRequestBody = null;
-        if (requestSource === 'pubsub' || requestSource === 'respectful-nudge' || request.headers['content-type'] === 'application/json') {
-            const rawRequestBody = co_body_1.default.text(nodeReq, {
-                limit: '2mb'
-            });
-            requestBody = await (rawRequestBody.then(x => JSON.parse(x || 'null')).catch(err => {
-                throw new Error('Could not parse the request of the body. Body provided: ' + requestBody + '. Error message: ' + err.message);
-            }));
-        }
-        const receivedArrayOfRequests = Array.isArray(requestBody);
-        const requestBodies = receivedArrayOfRequests ? requestBody : [requestBody];
-        const messages = [];
-        for (let i = 0; i < requestBodies.length; i++) {
-            const requestBody = requestBodies[i];
-            let messageBody;
-            let messageBodyRaw = null;
-            if (typeof requestBody?.message?.data === 'string' && Buffer.from(requestBody.message.data, "base64").toString('base64') === requestBody.message.data) {
-                messageBodyRaw = Buffer.from(requestBody.message.data, "base64").toString('utf-8');
-                messageBody = await (Promise.resolve(messageBodyRaw).then(x => JSON.parse(x)).catch((_) => ({
-                    error: 'Could not parse the message body. Original body: ' + messageBodyRaw + ' . Error: ' + _.message,
-                })));
-            }
-            else if (typeof requestBody?.message?.data === 'object' && typeof requestBody.subscription === 'string') {
-                messageBodyRaw = JSON.stringify(requestBody.message.data);
-                messageBody = requestBody.message.data;
-            }
-            else {
-                messageBody = requestBody;
-                messageBodyRaw = receivedArrayOfRequests ? rawRequestBody : JSON.stringify(requestBody);
-            }
-            const message = {
-                requestSource: requestSource,
-                messageId: requestBody?.message?.messageId || undefined,
-                sourceSystem: requestBody?.message?.attributes?.source_system || 'unknown',
-                targetSystem: requestBody?.message?.attributes?.target_system || 'unknown',
-                buildshipId: requestBody?.message?.attributes?.buildship_id || 'unknown',
-                publishTime: (0, utils_1.parseDateOrDefault)(requestBody?.message?.publish_time),
-                body: messageBody,
-                bodyTxt: messageBodyRaw,
-                exportableToBigQuery: !!requestBody?.message?.attributes?.bigquery,
-                extraAttributes: Object.assign({}, request.query, (0, lodash_omit_1.default)(requestBody?.message?.attributes || {}, ['source_system', 'target_system', 'buildship_id', 'bigquery'])),
-                subscriptionName: (requestBody?.subscription?.split('/')?.pop() || request.query.subscriptionName)?.replace(/^rn\./, ''),
-            };
-            messages.push(message);
-        }
-        return messages;
-    }
-    async decodeRequest(request, nodeReq) {
-        const requests = await this.decodeRequests(request, nodeReq);
-        if (requests.length > 0) {
-            this.logging.error('Received multiple requests in the same batch. This is not supported. Picking the first message from the request');
-        }
-        return requests[0];
-    }
-    async fetchLogEntries(triggerId, retries = 3, delay = 1000, filterOverride = null) {
-        const getAccessToken = async () => {
-            const response = await fetch("http://metadata/computeMetadata/v1/instance/service-accounts/default/token", {
-                headers: { "Metadata-Flavor": "Google" },
-            });
-            if (!response.ok) {
-                throw new Error(`Failed to obtain access token: ${response.statusText}`);
-            }
-            const data = await response.json();
-            return {
-                accessToken: data.access_token,
-                expiresAt: new Date(new Date().getTime() + ((data.expires_in * 1000)) - ((data.expires_in * 1000) * 9 / 10))
-            };
-        };
-        const projectId = process.env.GCLOUD_PROJECT;
-        const accessToken = (await getAccessToken()).accessToken;
-        let filter = `logName="projects/${projectId}/logs/buildship-node-io" AND jsonPayload.nId="${triggerId}"`;
-        if (filterOverride) {
-            filter = filterOverride;
-        }
-        const requestBody = {
-            resourceNames: [`projects/${projectId}`],
-            filter: filter,
-            pageSize: 1,
-            orderBy: "timestamp desc",
-        };
-        for (let attempt = 1; attempt <= retries; attempt++) {
-            try {
-                const response = await fetch("https://logging.googleapis.com/v2/entries:list", {
-                    method: "POST",
-                    headers: {
-                        Authorization: `Bearer ${accessToken}`,
-                        "Content-Type": "application/json",
-                    },
-                    body: JSON.stringify(requestBody),
-                });
-                if (!response.ok) {
-                    const errorText = await response.text();
-                    throw new Error(`Error fetching log entries: ${response.statusText} - ${errorText}`);
-                }
-                const data = await response.json();
-                const entries = data.entries || [];
-                if (entries.length > 0) {
-                    return entries;
-                }
-                if (attempt < retries) {
-                    await new Promise((resolve) => setTimeout(resolve, delay));
-                }
-            }
-            catch (error) {
-                console.error(`Attempt ${attempt} failed due to an error:`, error);
-                if (attempt < retries) {
-                    await new Promise((resolve) => setTimeout(resolve, delay));
-                }
-                else {
-                    throw new Error(`Failed to get data after ${retries} attempts.`);
-                }
-            }
-        }
-        throw new Error("No data found. Send a request to the API and try again.");
-    }
-    ;
-    getPubSubHelper(PubSubClass) {
-        const pubSubProjectId = this.resolveEnvName(ENV_NAME_PUBSUB_PROJECT_ID);
-        if (!pubSubProjectId) {
-            throw new Error('PubSub Project ID is not set. Please set the ' + ENV_NAME_PUBSUB_PROJECT_ID + ' environment variable.');
-        }
-        const serviceAccount = this.resolveEnvName(ENV_NAME_PUBSUB_SERVICE_ACCOUNT);
-        if (!serviceAccount) {
-            throw new Error('PubSub Service Account is not set. Please set the ' + ENV_NAME_PUBSUB_SERVICE_ACCOUNT + ' environment variable.');
-        }
-        const pubSub = global.HUSH_PUBSUB_INSTANCE || new PubSubClass({
-            projectId: pubSubProjectId
-        });
-        global.HUSH_PUBSUB_INSTANCE = pubSub;
-        this.logging.log('getPubSubHelper', {
-            serviceAccountEmail: serviceAccount,
-        });
-        return new pubsub_1.default(this, {
-            serviceAccountEmail: serviceAccount
-        }, pubSub);
-    }
-    static LOCK_NOT_ACQUIRED_ERROR = Symbol('Lock not acquired');
-    async withLock(key, maxWaitTimeMs = 200, fn) {
-        let result = EnvEngine.LOCK_NOT_ACQUIRED_ERROR;
-        if (await this.acquireLock(key, maxWaitTimeMs)) {
-            try {
-                result = await fn();
-            }
-            catch (err) {
-                await this.releaseLock(key);
-                throw err;
-            }
-            await this.releaseLock(key);
-        }
-        return result;
-    }
-    async acquireLock(key, maxWaitTimeMs = 200) {
-        if (!this._lockRateLimiter) {
-            return true;
-        }
-        try {
-            await this._lockRateLimiter.consume(key);
-        }
-        catch (err) {
-            if (err instanceof Error) {
-                throw err;
-            }
-            if (maxWaitTimeMs > 0) {
-                await new Promise((resolve) => setTimeout(resolve, maxWaitTimeMs));
-                return this.acquireLock(key, 0);
-            }
-            else {
-                return false;
-            }
-        }
-        return true;
-    }
-    async releaseLock(key) {
-        if (this._lockRateLimiter) {
-            await this._lockRateLimiter.reward(key, 1);
-        }
-        return true;
-    }
-    async getLockRateLimiter() {
-        const redisClient = await (0, redisClient_1.getConnectedRedisClient)(this.systemEnvName);
-        if (!redisClient) {
-            return null;
-        }
-        if (!this._lockRateLimiter) {
-            const lockMemory = new rate_limiter_flexible_1.RateLimiterMemory({
-                points: 1,
-                duration: 60 * 3,
-            });
-            const lockRedis = new rate_limiter_flexible_1.RateLimiterRedis({
-                storeClient: redisClient,
-                points: 1,
-                duration: 60 * 3,
-                insuranceLimiter: lockMemory,
-            });
-            this._lockRateLimiter = lockRedis;
-        }
-        return this._lockRateLimiter;
-    }
-}
-class AES256GCM {
-    normalizedKey;
-    constructor(key) {
-        this.normalizedKey = crypto
-            .createHash("sha256")
-            .update(key)
-            .digest()
-            .slice(0, 32);
-    }
-    pad(payload) {
-        const padLength = 8 - (payload.length % 8);
-        return Buffer.concat([payload, Buffer.alloc(padLength, padLength)]);
-    }
-    getNormalizedKey() {
-        return this.getNormalizedKey;
-    }
-    encrypt(payload) {
-        const normalizedWrappingKey = this.normalizedKey;
-        const paddedPayload = this.pad(Buffer.from(payload));
-        const iv = crypto.randomBytes(12);
-        const cipher = crypto.createCipheriv("aes-256-gcm", normalizedWrappingKey, iv);
-        const encryptedPayload = Buffer.concat([
-            cipher.update(paddedPayload),
-            cipher.final(),
-        ]);
-        const authTag = cipher.getAuthTag();
-        return (encryptedPayload.toString("base64") +
-            "." +
-            iv.toString("base64") +
-            "." +
-            authTag.toString("base64"));
-    }
-    decrypt(payload) {
-        const [encryptedKey64, iv64, authTag64] = payload.split(".");
-        const encryptedPayload = Buffer.from(encryptedKey64, "base64");
-        const iv = Buffer.from(iv64, "base64");
-        const authTag = Buffer.from(authTag64, "base64");
-        const decipher = crypto.createDecipheriv("aes-256-gcm", this.normalizedKey, iv);
-        decipher.setAuthTag(authTag);
-        const paddedKey = Buffer.concat([
-            decipher.update(encryptedPayload),
-            decipher.final(),
-        ]);
-        const padLength = paddedKey[paddedKey.length - 1];
-        return paddedKey.slice(0, -padLength).toString();
-    }
-}
-exports.default = EnvEngine;