Engine provision and encryption module

narval-xyz · Mar 13, 2024 · cae1222 · cae1222
1 parent af961c4
commit cae1222
Show file tree

Hide file tree

Showing 55 changed files with 1,060 additions and 572 deletions.
diff --git a/apps/policy-engine/Makefile b/apps/policy-engine/Makefile
@@ -14,6 +14,7 @@ policy-engine/setup:
 	make policy-engine/rego/build
 	make policy-engine/db/setup
 	make policy-engine/test/db/setup
+	make policy-engine/cli ARGS=provision
 
 policy-engine/copy-default-env:
 	cp ${POLICY_ENGINE_PROJECT_DIR}/.env.default ${POLICY_ENGINE_PROJECT_DIR}/.env
@@ -119,6 +120,14 @@ policy-engine/test:
 	make policy-engine/test/integration
 	make policy-engine/test/e2e
 
+# === CLI ===
+
+policy-engine/cli:
+	npx dotenv -e ${POLICY_ENGINE_PROJECT_DIR}/.env -- \
+		ts-node -r tsconfig-paths/register \
+		--project ${POLICY_ENGINE_PROJECT_DIR}/tsconfig.app.json \
+		${POLICY_ENGINE_PROJECT_DIR}/src/cli.ts ${ARGS}
+
 # === Open Policy Agent & Rego ===
 
 policy-engine/rego/build:

diff --git a/apps/policy-engine/src/app/__test__/e2e/tenant.spec.ts b/apps/policy-engine/src/app/__test__/e2e/tenant.spec.ts
@@ -1,15 +1,16 @@
+import { EncryptionModuleOptionProvider } from '@narval/encryption-module'
 import { HttpStatus, INestApplication } from '@nestjs/common'
 import { ConfigModule, ConfigService } from '@nestjs/config'
 import { Test, TestingModule } from '@nestjs/testing'
 import request from 'supertest'
 import { v4 as uuid } from 'uuid'
 import { AppModule } from '../../../app/app.module'
-import { EncryptionService } from '../../../encryption/core/encryption.service'
 import { Config, load } from '../../../policy-engine.config'
 import { REQUEST_HEADER_API_KEY } from '../../../policy-engine.constant'
 import { KeyValueRepository } from '../../../shared/module/key-value/core/repository/key-value.repository'
 import { InMemoryKeyValueRepository } from '../../../shared/module/key-value/persistence/repository/in-memory-key-value.repository'
 import { TestPrismaService } from '../../../shared/module/persistence/service/test-prisma.service'
+import { getTestRawAesKeyring } from '../../../shared/testing/encryption.testing'
 import { EngineService } from '../../core/service/engine.service'
 import { CreateTenantDto } from '../../http/rest/dto/create-tenant.dto'
 import { TenantRepository } from '../../persistence/repository/tenant.repository'
@@ -19,7 +20,6 @@ describe('Tenant', () => {
   let module: TestingModule
   let testPrismaService: TestPrismaService
   let tenantRepository: TenantRepository
-  let encryptionService: EncryptionService
   let engineService: EngineService
   let configService: ConfigService<Config, true>
 
@@ -37,20 +37,22 @@ describe('Tenant', () => {
     })
       .overrideProvider(KeyValueRepository)
       .useValue(new InMemoryKeyValueRepository())
+      .overrideProvider(EncryptionModuleOptionProvider)
+      .useValue({
+        keyring: getTestRawAesKeyring()
+      })
       .compile()
 
     app = module.createNestApplication()
 
     engineService = module.get<EngineService>(EngineService)
     tenantRepository = module.get<TenantRepository>(TenantRepository)
     testPrismaService = module.get<TestPrismaService>(TestPrismaService)
-    encryptionService = module.get<EncryptionService>(EncryptionService)
     configService = module.get<ConfigService<Config, true>>(ConfigService)
 
     await testPrismaService.truncateAll()
-    await encryptionService.setup()
 
-    await engineService.create({
+    await engineService.save({
       id: configService.get('engine.id', { infer: true }),
       masterKey: 'unsafe-test-master-key',
       adminApiKey

diff --git a/apps/policy-engine/src/app/app.module.ts b/apps/policy-engine/src/app/app.module.ts
@@ -1,16 +1,21 @@
+import { RawAesKeyringNode, RawAesWrappingSuiteIdentifier } from '@aws-crypto/client-node'
+import { EncryptionModule, decryptMasterKey, generateKeyEncryptionKey, isolateBuffer } from '@narval/encryption-module'
+import { toBytes } from '@narval/policy-engine-shared'
 import { HttpModule } from '@nestjs/axios'
 import { Module, OnApplicationBootstrap, ValidationPipe } from '@nestjs/common'
-import { ConfigModule } from '@nestjs/config'
+import { ConfigModule, ConfigService } from '@nestjs/config'
 import { APP_PIPE } from '@nestjs/core'
-import { EncryptionModule } from '../encryption/encryption.module'
-import { load } from '../policy-engine.config'
+import { Config, load } from '../policy-engine.config'
+import { ENCRYPTION_KEY_NAME, ENCRYPTION_KEY_NAMESPACE } from '../policy-engine.constant'
 import { KeyValueModule } from '../shared/module/key-value/key-value.module'
+import { getTestRawAesKeyring } from '../shared/testing/encryption.testing'
 import { AppController } from './app.controller'
 import { AppService } from './app.service'
 import { DataStoreRepositoryFactory } from './core/factory/data-store-repository.factory'
 import { BootstrapService } from './core/service/bootstrap.service'
 import { DataStoreService } from './core/service/data-store.service'
 import { EngineService } from './core/service/engine.service'
+import { ProvisionService } from './core/service/provision.service'
 import { SigningService } from './core/service/signing.service'
 import { TenantService } from './core/service/tenant.service'
 import { TenantController } from './http/rest/controller/tenant.controller'
@@ -28,8 +33,42 @@ import { TenantRepository } from './persistence/repository/tenant.repository'
       isGlobal: true
     }),
     HttpModule,
-    EncryptionModule,
-    KeyValueModule
+    KeyValueModule,
+    EncryptionModule.registerAsync({
+      imports: [AppModule],
+      inject: [EngineService, ConfigService],
+      useFactory: async (engineService: EngineService, configService: ConfigService<Config, true>) => {
+        const keyring = configService.get('keyring', { infer: true })
+        const engine = await engineService.getEngine()
+
+        if (!engine) {
+          // Return a place holder keyring. This must only happen during provisoning.
+          return {
+            keyring: getTestRawAesKeyring()
+          }
+        }
+
+        if (keyring.type === 'raw') {
+          if (!engine.masterKey) {
+            throw new Error('Master key not set')
+          }
+
+          const kek = generateKeyEncryptionKey(keyring.masterPassword, engine.id)
+          const unencryptedMasterKey = await decryptMasterKey(kek, toBytes(engine.masterKey))
+
+          return {
+            keyring: new RawAesKeyringNode({
+              unencryptedMasterKey: isolateBuffer(unencryptedMasterKey),
+              keyName: ENCRYPTION_KEY_NAME,
+              keyNamespace: ENCRYPTION_KEY_NAMESPACE,
+              wrappingSuite: RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING
+            })
+          }
+        }
+
+        throw new Error('Unsupported keyring type')
+      }
+    })
   ],
   controllers: [AppController, TenantController],
   providers: [
@@ -39,18 +78,22 @@ import { TenantRepository } from './persistence/repository/tenant.repository'
     DataStoreService,
     EngineRepository,
     EngineService,
-    SigningService,
     EntityRepository,
     FileSystemDataStoreRepository,
     HttpDataStoreRepository,
     OpaService,
+    ProvisionService,
+    SigningService,
     TenantRepository,
     TenantService,
     {
       provide: APP_PIPE,
       useClass: ValidationPipe
     }
-  ]
+  ],
+  // - The EngineService is required by the EncryptionModule async registration.
+  // - The ProvisionService is required by the CliModule.
+  exports: [EngineService, ProvisionService]
 })
 export class AppModule implements OnApplicationBootstrap {
   constructor(private bootstrapService: BootstrapService) {}

diff --git a/apps/policy-engine/src/app/core/service/__test__/unit/bootstrap.service.spec.ts b/apps/policy-engine/src/app/core/service/__test__/unit/bootstrap.service.spec.ts
@@ -1,6 +1,13 @@
+import { ConfigModule } from '@nestjs/config'
 import { Test } from '@nestjs/testing'
 import { MockProxy, mock } from 'jest-mock-extended'
+import { EngineRepository } from '../../../../../app/persistence/repository/engine.repository'
+import { load } from '../../../../../policy-engine.config'
+import { KeyValueRepository } from '../../../../../shared/module/key-value/core/repository/key-value.repository'
+import { KeyValueService } from '../../../../../shared/module/key-value/core/service/key-value.service'
+import { InMemoryKeyValueRepository } from '../../../../../shared/module/key-value/persistence/repository/in-memory-key-value.repository'
 import { BootstrapService } from '../../bootstrap.service'
+import { EngineService } from '../../engine.service'
 import { TenantService } from '../../tenant.service'
 
 describe(BootstrapService.name, () => {
@@ -41,8 +48,21 @@ describe(BootstrapService.name, () => {
     tenantServiceMock.findAll.mockResolvedValue([tenantOne, tenantTwo])
 
     const module = await Test.createTestingModule({
+      imports: [
+        ConfigModule.forRoot({
+          load: [load],
+          isGlobal: true
+        })
+      ],
       providers: [
         BootstrapService,
+        EngineService,
+        EngineRepository,
+        KeyValueService,
+        {
+          provide: KeyValueRepository,
+          useClass: InMemoryKeyValueRepository
+        },
         {
           provide: TenantService,
           useValue: tenantServiceMock

diff --git a/apps/policy-engine/src/app/core/service/__test__/unit/tenant.service.spec.ts b/apps/policy-engine/src/app/core/service/__test__/unit/tenant.service.spec.ts
@@ -1,8 +1,11 @@
+import { EncryptionModule } from '@narval/encryption-module'
 import { DataStoreConfiguration, FIXTURE } from '@narval/policy-engine-shared'
 import { Test } from '@nestjs/testing'
 import { MockProxy, mock } from 'jest-mock-extended'
-import { KeyValueService } from '../../../../../shared/module/key-value/core/service/key-value.service'
+import { KeyValueRepository } from '../../../../../shared/module/key-value/core/repository/key-value.repository'
+import { EncryptKeyValueService } from '../../../../../shared/module/key-value/core/service/encrypt-key-value.service'
 import { InMemoryKeyValueRepository } from '../../../../../shared/module/key-value/persistence/repository/in-memory-key-value.repository'
+import { getTestRawAesKeyring } from '../../../../../shared/testing/encryption.testing'
 import { Tenant } from '../../../../../shared/type/domain.type'
 import { TenantRepository } from '../../../../persistence/repository/tenant.repository'
 import { DataStoreService } from '../../data-store.service'
@@ -48,15 +51,21 @@ describe(TenantService.name, () => {
     dataStoreServiceMock.fetch.mockResolvedValue(stores)
 
     const module = await Test.createTestingModule({
+      imports: [
+        EncryptionModule.register({
+          keyring: getTestRawAesKeyring()
+        })
+      ],
       providers: [
         TenantService,
         TenantRepository,
+        EncryptKeyValueService,
         {
           provide: DataStoreService,
           useValue: dataStoreServiceMock
         },
         {
-          provide: KeyValueService,
+          provide: KeyValueRepository,
           useClass: InMemoryKeyValueRepository
         }
       ]

diff --git a/apps/policy-engine/src/app/core/service/bootstrap.service.ts b/apps/policy-engine/src/app/core/service/bootstrap.service.ts
@@ -8,30 +8,7 @@ export class BootstrapService {
   constructor(private tenantService: TenantService) {}
 
   async boot(): Promise<void> {
-    this.logger.log('Start application bootstrap procedure')
-
-    await this.tenantService.onboard(
-      {
-        clientId: '012553b0-34e9-4b48-b217-ced3c906cd39',
-        clientSecret: 'unsafe-dev-secret',
-        dataStore: {
-          entity: {
-            dataUrl: 'http://127.0.0.1:4200/api/data-store',
-            signatureUrl: 'http://127.0.0.1:4200/api/data-store',
-            keys: []
-          },
-          policy: {
-            dataUrl: 'http://127.0.0.1:4200/api/data-store',
-            signatureUrl: 'http://127.0.0.1:4200/api/data-store',
-            keys: []
-          }
-        },
-        createdAt: new Date(),
-        updatedAt: new Date()
-      },
-      // Disable sync after the onboard because we'll sync it as part of the boot.
-      { syncAfter: false }
-    )
+    this.logger.log('Start engine bootstrap')
 
     await this.syncTenants()
   }

diff --git a/apps/policy-engine/src/app/core/service/engine.service.ts b/apps/policy-engine/src/app/core/service/engine.service.ts
@@ -12,8 +12,8 @@ export class EngineService {
     private engineRepository: EngineRepository
   ) {}
 
-  async getEngine(): Promise<Engine> {
-    const engine = await this.engineRepository.findById(this.getId())
+  async getEngineOrThrow(): Promise<Engine> {
+    const engine = await this.getEngine()
 
     if (engine) {
       return engine
@@ -22,8 +22,18 @@ export class EngineService {
     throw new EngineNotProvisionedException()
   }
 
-  async create(engine: Engine): Promise<Engine> {
-    return this.engineRepository.create(engine)
+  async getEngine(): Promise<Engine | null> {
+    const engine = await this.engineRepository.findById(this.getId())
+
+    if (engine) {
+      return engine
+    }
+
+    return null
+  }
+
+  async save(engine: Engine): Promise<Engine> {
+    return this.engineRepository.save(engine)
   }
 
   private getId(): string {

diff --git a/apps/policy-engine/src/app/core/service/provision.service.ts b/apps/policy-engine/src/app/core/service/provision.service.ts
@@ -0,0 +1,65 @@
+import { generateKeyEncryptionKey, generateMasterKey } from '@narval/encryption-module'
+import { Injectable, Logger } from '@nestjs/common'
+import { ConfigService } from '@nestjs/config'
+import { randomBytes } from 'crypto'
+import { Config } from '../../../policy-engine.config'
+import { EngineService } from './engine.service'
+
+@Injectable()
+export class ProvisionService {
+  private logger = new Logger(ProvisionService.name)
+
+  constructor(
+    private configService: ConfigService<Config, true>,
+    private engineService: EngineService
+  ) {}
+
+  async provision(): Promise<void> {
+    this.logger.log('Start engine provision')
+
+    const engine = await this.engineService.getEngine()
+
+    const isFirstTime = engine === null
+
+    // IMPORTANT: The order of internal methods call matters.
+
+    if (isFirstTime) {
+      await this.createEngine()
+      await this.maybeSetupEncryption()
+    }
+  }
+
+  private async createEngine(): Promise<void> {
+    this.logger.log('Generate admin API key and save engine')
+
+    await this.engineService.save({
+      id: this.getEngineId(),
+      adminApiKey: randomBytes(20).toString('hex')
+    })
+  }
+
+  private async maybeSetupEncryption(): Promise<void> {
+    // Get the engine's latest state.
+    const engine = await this.engineService.getEngineOrThrow()
+
+    if (engine.masterKey) {
+      return this.logger.log('Skip master key set up because it already exists')
+    }
+
+    const keyring = this.configService.get('keyring', { infer: true })
+
+    if (keyring.type === 'raw') {
+      this.logger.log('Generate and save engine master key')
+
+      const { masterPassword } = keyring
+      const kek = generateKeyEncryptionKey(masterPassword, this.getEngineId())
+      const masterKey = await generateMasterKey(kek)
+
+      await this.engineService.save({ ...engine, masterKey })
+    }
+  }
+
+  private getEngineId(): string {
+    return this.configService.get('engine.id', { infer: true })
+  }
+}