@smythos/sre 1.5.0 → 1.5.2

package/src/subsystems/Security/ManagedVault.service/connectors/NullManagedVault.class.ts

@@ -0,0 +1,57 @@
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+//import { SmythRuntime } from '@sre/Core/SmythRuntime.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
+import { OAuthConfig, SmythConfigs } from '@sre/types/Security.types';
+
+import { getM2MToken } from '@sre/utils/oauth.utils';
+import axios, { AxiosInstance } from 'axios';
+import { ManagedVaultConnector } from '../ManagedVaultConnector';
+
+const console = Logger('NullManagedVault');
+export class NullManagedVault extends ManagedVaultConnector {
+    public name: string = 'NullManagedVault';
+
+    constructor(protected _settings: any) {
+        super(_settings);
+    }
+
+    @SecureConnector.AccessControl
+    protected async get(acRequest: AccessRequest, keyId: string) {
+        console.debug(`Ignored operation:NullManagedVault.get: ${keyId}`);
+        return undefined;
+    }
+
+    @SecureConnector.AccessControl
+    protected async set(acRequest: AccessRequest, keyId: string, value: string) {
+        console.debug(`Ignored operation:NullManagedVault.set: ${keyId} = ${value}`);
+    }
+
+    @SecureConnector.AccessControl
+    protected async delete(acRequest: AccessRequest, keyId: string) {
+        console.debug(`Ignored operation:NullManagedVault.delete: ${keyId}`);
+    }
+
+    @SecureConnector.AccessControl
+    protected async exists(acRequest: AccessRequest, keyId: string) {
+        console.debug(`Ignored operation:NullManagedVault.exists: ${keyId}`);
+        return false;
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = await accountConnector.getCandidateTeam(candidate);
+
+        const acl = new ACL();
+
+        //give just read access by default
+        //Cannot write to null vault
+        acl.addAccess(candidate.role, candidate.id, TAccessLevel.Read);
+
+        return acl;
+    }
+}

package/src/subsystems/Security/ManagedVault.service/connectors/SecretManagerManagedVault.ts

@@ -0,0 +1,154 @@
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+//import { SmythRuntime } from '@sre/Core/SmythRuntime.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
+
+import {
+    CreateSecretCommand,
+    DeleteSecretCommand,
+    GetSecretValueCommand,
+    GetSecretValueCommandOutput,
+    ListSecretsCommand,
+    ListSecretsCommandOutput,
+    PutSecretValueCommand,
+    SecretsManagerClient,
+} from '@aws-sdk/client-secrets-manager';
+import { randomUUID } from 'crypto';
+import { ManagedVaultConnector } from '../ManagedVaultConnector';
+import { SecretsManagerConfig } from '../../Vault.service/connectors/SecretsManager.class';
+
+const console = Logger('SecretManagerManagedVault');
+
+export class SecretManagerManagedVault extends ManagedVaultConnector {
+    public name: string = 'SecretManagerManagedVault';
+    public scope: string = 'smyth-managed-vault';
+    private secretsManager: SecretsManagerClient;
+
+    constructor(protected _settings: SecretsManagerConfig & { vaultName: string }) {
+        super(_settings);
+        //if (!SmythRuntime.Instance) throw new Error('SRE not initialized');
+
+        this.secretsManager = new SecretsManagerClient({
+            region: _settings.region,
+            ...(_settings.awsAccessKeyId && _settings.awsSecretAccessKey
+                ? {
+                      accessKeyId: _settings.awsAccessKeyId,
+                      secretAccessKey: _settings.awsSecretAccessKey,
+                  }
+                : {}),
+        });
+    }
+
+    @SecureConnector.AccessControl
+    protected async get(acRequest: AccessRequest, secretName: string) {
+        const secret = await this.getSecretByName(secretName);
+        return secret?.SecretString;
+    }
+
+    @SecureConnector.AccessControl
+    protected async set(acRequest: AccessRequest, secretName: string, value: string) {
+        const secret = await this.getSecretByName(secretName);
+        if (secret) {
+            await this.secretsManager.send(new PutSecretValueCommand({ SecretId: secret.ARN, SecretString: value }));
+        } else {
+            await this.secretsManager.send(
+                new CreateSecretCommand({
+                    Name: `smyth/${randomUUID()}`,
+                    SecretString: JSON.stringify({ [secretName]: value }),
+                    Tags: [{ Key: this.scope, Value: 'true' }],
+                })
+            );
+        }
+    }
+
+    @SecureConnector.AccessControl
+    protected async delete(acRequest: AccessRequest, secretName: string) {
+        const secret = await this.getSecretByName(secretName);
+        if (secret) {
+            await this.secretsManager.send(new DeleteSecretCommand({ SecretId: secret.ARN }));
+        }
+    }
+
+    @SecureConnector.AccessControl
+    protected async exists(acRequest: AccessRequest, secretName: string) {
+        const secret = await this.get(acRequest, secretName);
+        return !!secret;
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = await accountConnector.getCandidateTeam(candidate);
+
+        const acl = new ACL();
+
+        acl.addAccess(TAccessRole.Team, teamId, TAccessLevel.Owner)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Read)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Write);
+
+        return acl;
+    }
+
+    private async getSecretByName(secretName: string) {
+        try {
+            const secrets = [];
+            let nextToken: string | undefined;
+            do {
+                const listResponse: ListSecretsCommandOutput = await this.secretsManager.send(
+                    new ListSecretsCommand({ NextToken: nextToken, Filters: [{ Key: 'tag-key', Values: [this.scope] }] })
+                );
+                if (listResponse.SecretList) {
+                    for (const secret of listResponse.SecretList) {
+                        if (secret.Name) {
+                            secrets.push({
+                                ARN: secret.ARN,
+                                Name: secret.Name,
+                                CreatedDate: secret.CreatedDate,
+                            });
+                        }
+                    }
+                }
+                nextToken = listResponse.NextToken;
+            } while (nextToken);
+
+            const formattedSecrets = [];
+            const $promises = [];
+            for (const secret of secrets) {
+                $promises.push(getSpecificSecret(secret, this.secretsManager));
+            }
+            const results = await Promise.all($promises);
+            for (const result of results) {
+                formattedSecrets.push(result);
+            }
+            const secret = formattedSecrets.find((s) => s.Name === secretName);
+            return secret;
+        } catch (error) {
+            console.error(error);
+        }
+
+        async function getSpecificSecret(secret, secretsManager: SecretsManagerClient) {
+            const data: GetSecretValueCommandOutput = await secretsManager.send(new GetSecretValueCommand({ SecretId: secret.ARN }));
+            let secretString = data.SecretString;
+            let secretName = secret.Name;
+
+            if (secretString) {
+                try {
+                    let parsedSecret = JSON.parse(secretString);
+                    if (Object.keys(parsedSecret).length === 1) {
+                        secretName = Object.keys(parsedSecret)[0];
+                        secretString = parsedSecret[secretName];
+                    }
+                } catch (error) {}
+            }
+            return {
+                Name: secretName,
+                ARN: secret.ARN,
+                CreatedDate: secret.CreatedDate,
+                SecretId: secret.Name,
+                SecretString: secretString,
+            };
+        }
+    }
+}

package/src/subsystems/Security/ManagedVault.service/index.ts

@@ -0,0 +1,12 @@
+import { ConnectorService, ConnectorServiceProvider } from '@sre/Core/ConnectorsService';
+import { TConnectorService } from '@sre/types/SRE.types';
+
+import { SecretManagerManagedVault } from './connectors/SecretManagerManagedVault';
+import { NullManagedVault } from './connectors/NullManagedVault.class';
+
+export class ManagedVaultService extends ConnectorServiceProvider {
+    public register() {
+        ConnectorService.register(TConnectorService.ManagedVault, 'SecretManagerManagedVault', SecretManagerManagedVault);
+        ConnectorService.register(TConnectorService.ManagedVault, 'NullManagedVault', NullManagedVault);
+    }
+}

package/src/subsystems/Security/SecureConnector.class.ts

@@ -0,0 +1,110 @@
+import { Connector } from '@sre/Core/Connector.class';
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+import { ACLAccessDeniedError, IAccessCandidate, TAccessLevel, TAccessResult, TAccessTicket } from '@sre/types/ACL.types';
+import { ACL } from './AccessControl/ACL.class';
+import { AccessCandidate } from './AccessControl/AccessCandidate.class';
+import { AccessRequest } from './AccessControl/AccessRequest.class';
+
+const console = Logger('SecureConnector');
+
+export abstract class SecureConnector<TRequest = any> extends Connector<TRequest> {
+    public abstract name: string;
+
+    //this determines the access rights for the requested resource
+    //the connector should check if the resource exists or not
+    //if the resource exists we read its ACL and return it
+    //if the resource does not exist we return an write access ACL for the candidate
+    public abstract getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL>;
+
+    public async start() {
+        console.info(`Starting ${this.name} connector ...`);
+    }
+
+    public async stop() {
+        console.info(`Stopping ${this.name} connector ...`);
+    }
+
+    protected async hasAccess(acRequest: AccessRequest) {
+        const aclHelper = await this.getResourceACL(acRequest.resourceId, acRequest.candidate).catch((error) => {
+            console.error(`Error getting ACL for ${acRequest.resourceId}: ${error}`);
+            return null;
+        });
+
+        if (!aclHelper) return false;
+
+        //const aclHelper = ACLHelper.from(acl);
+
+        const exactAccess = aclHelper.checkExactAccess(acRequest);
+        if (exactAccess) return true;
+
+        // if the exact access is denied, we check if the candidate has a higher access
+        const ownerRequest = AccessRequest.clone(acRequest).setLevel(TAccessLevel.Owner);
+        const ownerAccess = aclHelper.checkExactAccess(ownerRequest);
+        if (ownerAccess) return true;
+
+        // if the exact access is denied, we check if the requested resource has a public access
+        const publicRequest = AccessRequest.clone(acRequest).setCandidate(AccessCandidate.public());
+        const publicAccess = aclHelper.checkExactAccess(publicRequest);
+        if (publicAccess) return true;
+
+        // if the public access is denied, we check if the candidate's team has access
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = await accountConnector.getCandidateTeam(acRequest.candidate);
+        const teamRequest = AccessRequest.clone(acRequest).setCandidate(AccessCandidate.team(teamId));
+        const teamAccess = aclHelper.checkExactAccess(teamRequest);
+        if (teamAccess) return true;
+
+        // if the team access is denied, we check if the team has a higher access
+        const teamOwnerRequest = AccessRequest.clone(teamRequest).setLevel(TAccessLevel.Owner);
+        const teamOwnerAccess = aclHelper.checkExactAccess(teamOwnerRequest);
+        if (teamOwnerAccess) return true;
+
+        return false;
+    }
+    public async getAccessTicket(resourceId: string, request: AccessRequest): Promise<TAccessTicket> {
+        const sysAcRequest = AccessRequest.clone(request).resource(resourceId);
+        const accessTicket = {
+            request,
+            access: (await this.hasAccess(sysAcRequest)) ? TAccessResult.Granted : TAccessResult.Denied,
+        };
+
+        return accessTicket as TAccessTicket;
+    }
+
+    //#region [ Decorators ]==========================
+
+    //AccessControl decorator
+    //This decorator will inject the access control logic into storage connector methods
+    // in order to work properly, the connector expects the resourceId to be the first argument and the access request to be the second argument
+
+    static AccessControl(target: any, propertyKey: string, descriptor: PropertyDescriptor) {
+        // Store the original method in a variable
+        const originalMethod = descriptor.value;
+
+        // Modify the descriptor's value to wrap the original method
+        descriptor.value = async function (...args: any[]) {
+            // Extract the method arguments
+            const [acRequest, resourceId] = args;
+
+            if (resourceId !== undefined) {
+                //: getAccessTicket requires a resourceId
+                //FIXME: implement different access control for resources listing and methods that do not require a resourceId
+                // Inject the access control logic
+                const accessTicket = await this.getAccessTicket(resourceId, acRequest);
+                if (accessTicket.access !== TAccessResult.Granted) {
+                    console.error(`Access denied for ${acRequest.candidate.id} on ${resourceId}`);
+                    throw new ACLAccessDeniedError('Access Denied');
+                }
+            }
+
+            // Call the original method with the original arguments
+            return originalMethod.apply(this, args);
+        };
+
+        // Return the modified descriptor
+        return descriptor;
+    }
+
+    //#endregion
+}

package/src/subsystems/Security/Vault.service/Vault.helper.ts

@@ -0,0 +1,30 @@
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { AccessCandidate } from '../AccessControl/AccessCandidate.class';
+import axios from 'axios';
+import config from '@sre/config';
+import qs from 'qs';
+
+export class VaultHelper {
+    static async getTeamKey(key: string, teamId: string): Promise<string> {
+        const vaultConnector = ConnectorService.getVaultConnector();
+        return await vaultConnector.requester(AccessCandidate.team(teamId)).get(key);
+    }
+
+    static async getUserKey(key: string, userId: string): Promise<string> {
+        const vaultConnector = ConnectorService.getVaultConnector();
+        const accountConnector = ConnectorService.getAccountConnector();
+
+        const teamId = await accountConnector.getCandidateTeam(AccessCandidate.user(userId));
+
+        return await vaultConnector.requester(AccessCandidate.team(teamId)).get(key);
+    }
+
+    static async getAgentKey(key: string, agentId: string): Promise<string> {
+        const vaultConnector = ConnectorService.getVaultConnector();
+        const accountConnector = ConnectorService.getAccountConnector();
+
+        const teamId = await accountConnector.getCandidateTeam(AccessCandidate.agent(agentId));
+
+        return await vaultConnector.requester(AccessCandidate.team(teamId)).get(key);
+    }
+}

package/src/subsystems/Security/Vault.service/VaultConnector.ts

@@ -0,0 +1,26 @@
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, IACL } from '@sre/types/ACL.types';
+
+export interface IVaultRequest {
+    get(keyId: string): Promise<string>;
+    exists(keyId: string): Promise<boolean>;
+    listKeys(): Promise<string[]>;
+}
+
+export abstract class VaultConnector extends SecureConnector {
+    requester(candidate: AccessCandidate): IVaultRequest {
+        return {
+            get: async (keyId: string) => this.get(candidate.readRequest, keyId),
+            exists: async (keyId: string) => this.exists(candidate.readRequest, keyId),
+            listKeys: async () => this.listKeys(candidate.readRequest),
+        };
+    }
+
+    public abstract getResourceACL(resourceId: string, candidate: IAccessCandidate): Promise<ACL>;
+    protected abstract get(acRequest: AccessRequest, keyId: string): Promise<string>;
+    protected abstract exists(acRequest: AccessRequest, keyId: string): Promise<boolean>;
+    protected abstract listKeys(acRequest: AccessRequest): Promise<string[]>;
+}

package/src/subsystems/Security/Vault.service/connectors/HashicorpVault.class.ts

@@ -0,0 +1,46 @@
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
+import { IVaultRequest, VaultConnector } from '../VaultConnector';
+
+const console = Logger('HashicorpVault');
+export class HashicorpVault extends VaultConnector {
+    public name: string = 'HashicorpVault';
+
+    constructor(protected _settings: any) {
+        super(_settings);
+        //hashicorp client/api
+    }
+
+    @SecureConnector.AccessControl
+    protected async get(acRequest: AccessRequest, keyId: string) {
+        return null;
+    }
+
+    @SecureConnector.AccessControl
+    protected async exists(acRequest: AccessRequest, keyId: string) {
+        return false;
+    }
+
+    @SecureConnector.AccessControl
+    protected async listKeys(acRequest: AccessRequest) {
+        return [];
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
+        //FIXME : this is for dev, it always give full access, we must update the logic
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = await accountConnector.getCandidateTeam(candidate);
+        const acl = new ACL();
+
+        acl.addAccess(TAccessRole.Team, teamId, TAccessLevel.Owner)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Read)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Write);
+
+        return acl;
+    }
+}

package/src/subsystems/Security/Vault.service/connectors/JSONFileVault.class.ts

@@ -0,0 +1,166 @@
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+import { SmythRuntime } from '@sre/Core/SmythRuntime.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
+import { EncryptionSettings } from '@sre/types/Security.types';
+import { IVaultRequest, VaultConnector } from '../VaultConnector';
+import os from 'os';
+import crypto from 'crypto';
+import fs from 'fs';
+import * as readlineSync from 'readline-sync';
+import path from 'path';
+
+const console = Logger('JSONFileVault');
+
+export type JSONFileVaultConfig = {
+    file?: string;
+    fileKey?: string;
+    shared?: boolean;
+};
+
+export class JSONFileVault extends VaultConnector {
+    public name: string = 'JSONFileVault';
+    private vaultData: any;
+    private index: any;
+    private sharedVault: boolean;
+
+    constructor(protected _settings: JSONFileVaultConfig) {
+        super(_settings);
+        //if (!SmythRuntime.Instance) throw new Error('SRE not initialized');
+
+        this.sharedVault = _settings.shared || false; //if config.shared, all keys are accessible to all teams, and they are set under the 'shared' teamId
+
+        let vaultFile = this.findVaultFile(_settings.file);
+        this.vaultData = {};
+        if (fs.existsSync(vaultFile)) {
+            try {
+                if (_settings.fileKey && fs.existsSync(_settings.fileKey)) {
+                    try {
+                        const privateKey = fs.readFileSync(_settings.fileKey, 'utf8');
+                        const encryptedVault = fs.readFileSync(vaultFile, 'utf8').toString();
+                        const decryptedBuffer = crypto.privateDecrypt(
+                            {
+                                key: privateKey,
+                                padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+                            },
+                            Buffer.from(encryptedVault, 'base64')
+                        );
+                        this.vaultData = JSON.parse(decryptedBuffer.toString('utf8'));
+                    } catch (error) {
+                        throw new Error('Failed to decrypt vault');
+                    }
+                } else {
+                    this.vaultData = JSON.parse(fs.readFileSync(vaultFile).toString());
+                }
+            } catch (e) {
+                this.vaultData = {};
+            }
+
+            if (this.vaultData?.encrypted && this.vaultData?.algorithm && this.vaultData?.data) {
+                //this is an encrypted vault we need to request the master key
+                this.setInteraction(this.getMasterKeyInteractive.bind(this));
+            }
+
+            for (let teamId in this.vaultData) {
+                for (let resourceId in this.vaultData[teamId]) {
+                    if (!this.index) this.index = {};
+                    if (!this.index[resourceId]) this.index[resourceId] = {};
+                    const value = this.vaultData[teamId][resourceId];
+                    this.index[resourceId][teamId] = value;
+                }
+            }
+        }
+    }
+
+    private findVaultFile(vaultFile) {
+        let _vaultFile = vaultFile;
+
+        if (fs.existsSync(_vaultFile)) {
+            return _vaultFile;
+        }
+        console.warn('Vault file not found in:', _vaultFile, 'trying to find in local .smyth directory');
+
+        //try local directory
+        _vaultFile = path.join(process.cwd(), '.smyth', '.sre', 'vault.json');
+        if (fs.existsSync(_vaultFile)) {
+            console.warn('Using alternative vault file found in : ', _vaultFile);
+            return _vaultFile;
+        }
+
+        console.warn('Vault file not found in:', _vaultFile, 'trying to find in user home directory');
+        //try to find the vault file in the .smyth directory
+        _vaultFile = path.join(os.homedir(), '.smyth', '.sre', 'vault.json');
+        if (fs.existsSync(_vaultFile)) {
+            console.warn('Using alternative vault file found in : ', _vaultFile);
+            return _vaultFile;
+        }
+
+        console.warn('Vault file not found in:', _vaultFile);
+        console.warn('!!! All attempts to find the vault file failed !!!');
+        console.warn('!!! Will continue without vault !!!');
+        console.warn('!!! Many features might not work !!!');
+
+        return null;
+    }
+
+    private getMasterKeyInteractive(): string {
+        //read master key using readline-sync (blocking)
+
+        process.stdout.write('\x1b[1;37m===[ Encrypted Vault Detected ]=================================\x1b[0m\n');
+        const masterKey = readlineSync.question('Enter master key: ', {
+            hideEchoBack: true,
+            mask: '*',
+        });
+        console.info('Master key entered');
+        return masterKey;
+    }
+
+    @SecureConnector.AccessControl
+    protected async get(acRequest: AccessRequest, keyId: string) {
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = await accountConnector.getCandidateTeam(acRequest.candidate);
+
+        return this.vaultData?.[teamId]?.[keyId] || this.vaultData?.['shared']?.[keyId];
+    }
+
+    @SecureConnector.AccessControl
+    protected async exists(acRequest: AccessRequest, keyId: string) {
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = await accountConnector.getCandidateTeam(acRequest.candidate);
+        return !!(this.vaultData?.[teamId]?.[keyId] || this.vaultData?.['shared']?.[keyId]);
+    }
+
+    @SecureConnector.AccessControl
+    protected async listKeys(acRequest: AccessRequest) {
+        return Object.keys(this.vaultData);
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = /*this.sharedVault ? 'shared' : */ await accountConnector.getCandidateTeam(candidate);
+
+        const acl = new ACL();
+
+        if (resourceId && typeof this.vaultData?.[teamId]?.[resourceId] !== 'string') {
+            if (this.sharedVault && typeof this.vaultData?.['shared']?.[resourceId] === 'string') {
+                acl.addAccess(candidate.role, candidate.id, TAccessLevel.Read);
+            }
+
+            return acl;
+        }
+
+        acl.addAccess(TAccessRole.Team, teamId, TAccessLevel.Owner)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Read)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Write);
+
+        if (this.sharedVault && typeof this.vaultData?.['shared']?.[resourceId] === 'string') {
+            acl.addAccess(candidate.role, candidate.id, TAccessLevel.Read);
+        }
+
+        return acl;
+    }
+}

package/src/subsystems/Security/Vault.service/connectors/NullVault.class.ts

@@ -0,0 +1,54 @@
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+import { SmythRuntime } from '@sre/Core/SmythRuntime.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
+
+import { IVaultRequest, VaultConnector } from '../VaultConnector';
+import crypto from 'crypto';
+import fs from 'fs';
+import * as readlineSync from 'readline-sync';
+
+const console = Logger('NullVault');
+export class NullVault extends VaultConnector {
+    public name: string = 'NullVault';
+    private vaultData: any;
+    private index: any;
+    private sharedVault: boolean;
+
+    constructor(protected _settings: any) {
+        super(_settings);
+        console.warn('NullVault is used : Vault features will not be available');
+    }
+
+    @SecureConnector.AccessControl
+    protected async get(acRequest: AccessRequest, keyId: string) {
+        console.debug(`Ignored operation:NullVault.get: ${keyId}`);
+        return 'NULLKEY';
+    }
+
+    @SecureConnector.AccessControl
+    protected async exists(acRequest: AccessRequest, keyId: string) {
+        console.debug(`Ignored operation:NullVault.exists: ${keyId}`);
+        return false;
+    }
+
+    @SecureConnector.AccessControl
+    protected async listKeys(acRequest: AccessRequest) {
+        console.debug(`Ignored operation:NullVault.listKeys`);
+        return [];
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
+        const acl = new ACL();
+
+        //give just read access by default
+        //Cannot write to null vault
+        acl.addAccess(candidate.role, candidate.id, TAccessLevel.Read);
+
+        return acl;
+    }
+}