feat: implement KMS encryption service and integrate it into persistence layer (#173)

Author: giovannibaratta

app/controllers/src/auth/auth.mappers.ts

@@ -71,7 +71,9 @@ export function generateErrorResponseForRefreshUserToken(error: RefreshUserToken
     case "unknown_error":
     case "quota_check_error":
     case "agent_token_generation_failed":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
     case "agent_key_decode_error":
     case "agent_invalid_uuid":
     case "agent_name_empty":
@@ -259,8 +261,11 @@ export function generateErrorResponseForExchangePrivilegeToken(
     case "user_duplicate_roles":
     case "user_already_exists":
     case "auth_invalid_entity":
+    case "encryption_failed":
+    case "decryption_failed":
+      Logger.error(`Error in OIDC step-up token verification: ${context}`, error)
       return new InternalServerErrorException(
-        generateErrorPayload(errorCode, `${context}: OIDC step-up token verification failed`)
+        generateErrorPayload("UNKNOWN_ERROR", `${context}: OIDC step-up token verification failed`)
       )
     case "oidc_network_error":
     case "oidc_invalid_userinfo_response":
@@ -328,6 +333,8 @@ export function generateErrorResponseForRefreshAgentToken(
     case "quota_check_error":
     case "agent_token_generation_failed":
     case "oidc_unknown_error":
+    case "encryption_failed":
+    case "decryption_failed":
       Logger.error(`Unknown error: ${errorCode}`)
       return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
     case "agent_key_decode_error":
@@ -526,6 +533,8 @@ export function generateErrorResponseForGenerateToken(error: GenerateTokenError,
     case "unknown_error":
     case "auth_invalid_redirect_uri":
     case "quota_check_error":
+    case "encryption_failed":
+    case "decryption_failed":
       return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
     case "request_empty_body":
     case "request_missing_code":

app/controllers/src/auth/cli-auth.mappers.ts

@@ -133,7 +133,9 @@ export function generateErrorResponseForCliInitiate(error: CliAuthError, context
     case "oidc_userinfo_fetch_failed":
     case "pkce_code_generation_failed":
     case "pkce_code_storage_failed":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
     case "refresh_token_invalid_structure":
     case "refresh_token_expire_before_create":
     case "refresh_token_invalid_agent_id":
@@ -312,7 +314,9 @@ export function generateErrorResponseForCliGenerateToken(error: CliAuthError, co
     case "oidc_userinfo_fetch_failed":
     case "pkce_code_generation_failed":
     case "pkce_code_storage_failed":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
     case "refresh_token_invalid_structure":
     case "refresh_token_expire_before_create":
     case "refresh_token_invalid_agent_id":
@@ -491,7 +495,9 @@ export function generateErrorResponseForCliRefreshUserToken(error: CliAuthError,
     case "oidc_userinfo_fetch_failed":
     case "pkce_code_generation_failed":
     case "pkce_code_storage_failed":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
     case "refresh_token_invalid_structure":
     case "refresh_token_expire_before_create":
     case "refresh_token_invalid_agent_id":
@@ -669,7 +675,9 @@ export function generateErrorResponseForCliExchangePrivilegeToken(error: CliAuth
     case "oidc_userinfo_fetch_failed":
     case "pkce_code_generation_failed":
     case "pkce_code_storage_failed":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
     case "refresh_token_invalid_structure":
     case "refresh_token_expire_before_create":
     case "refresh_token_invalid_agent_id":

app/controllers/src/internal/workflow-templates/workflow-templates.mappers.ts

@@ -71,6 +71,10 @@ export function generateErrorResponseForCancelWorkflowsForTemplate(
       )
 
     case "unknown_error":
-      return new InternalServerErrorException(`An unknown error occurred. Context: ${context}`)
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(
+        generateErrorPayload("UNKNOWN_ERROR", `An unknown error occurred. Context: ${context}`)
+      )
   }
 }

app/controllers/src/workflow-templates/workflow-templates.mappers.ts

@@ -380,7 +380,11 @@ export function generateErrorResponseForCreateWorkflowTemplate(
       )
     case "quota_check_error":
     case "unknown_error":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(
+        generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+      )
   }
 }
 
@@ -397,7 +401,11 @@ export function generateErrorResponseForGetWorkflowTemplate(
     case "active_workflow_template_not_found":
       return new NotFoundException(generateErrorPayload(errorCode, `${context}: Workflow template not found`))
     case "unknown_error":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(
+        generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+      )
     case "approval_rule_and_rule_must_have_rules":
     case "approval_rule_group_rule_invalid_group_id":
     case "approval_rule_group_rule_invalid_min_count":
@@ -497,7 +505,11 @@ export function generateErrorResponseForUpdateWorkflowTemplate(
       )
     case "quota_check_error":
     case "unknown_error":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(
+        generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+      )
     case "quota_exceeded":
       return new ForbiddenException(generateErrorPayload(errorCode, `${context}: quota exceeded`))
     case "workflow_template_not_found":
@@ -569,7 +581,11 @@ export function generateErrorResponseForDeprecateWorkflowTemplate(
         generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
       )
     case "unknown_error":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(
+        generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+      )
     case "workflow_template_not_found":
       return new NotFoundException(generateErrorPayload(errorCode, `${context}: Workflow template not found`))
   }

app/controllers/src/workflows/workflows.mappers.ts

@@ -129,7 +129,11 @@ export function generateErrorResponseForCreateWorkflow(
     case "workflow_status_invalid":
     case "quota_check_error":
     case "unknown_error":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(
+        generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+      )
     case "name_missing":
     case "name_not_string":
     case "description_not_string":
@@ -187,7 +191,11 @@ export function generateErrorResponseForGetWorkflow(
     case "workflow_not_found":
       return new NotFoundException(generateErrorPayload(errorCode, `${context}: Workflow not found`))
     case "unknown_error":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(
+        generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+      )
     case "approval_rule_and_rule_must_have_rules":
     case "approval_rule_group_rule_invalid_group_id":
     case "approval_rule_group_rule_invalid_min_count":
@@ -281,7 +289,11 @@ export function generateErrorResponseForListWorkflows(
     case "malformed_object":
       return new BadRequestException(generateErrorPayload(errorCode, `${context}: Invalid request parameter`))
     case "unknown_error":
-      return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+    case "encryption_failed":
+    case "decryption_failed":
+      return new InternalServerErrorException(
+        generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+      )
     case "approval_rule_and_rule_must_have_rules":
     case "approval_rule_group_rule_invalid_group_id":
     case "approval_rule_group_rule_invalid_min_count":
@@ -507,6 +519,8 @@ export function generateErrorResponseForCanVote(error: CanVoteError, context: st
         generateErrorPayload(errorCode, `${context}: Invalid parameters for vote eligibility check`)
       )
     case "unknown_error":
+    case "encryption_failed":
+    case "decryption_failed":
       return new InternalServerErrorException(
         generateErrorPayload("UNKNOWN_ERROR", `${context}: An unexpected error occurred`)
       )
@@ -648,8 +662,10 @@ export function generateErrorResponseForCastVote(
       return new ForbiddenException(generateErrorPayload(errorCode, `${context}: User is not eligible to vote`))
     case "quota_check_error":
     case "unknown_error":
+    case "encryption_failed":
+    case "decryption_failed":
       return new InternalServerErrorException(
-        generateErrorPayload("VOTE_CAST_FAILED", `${context}: An unexpected error occurred while casting vote`)
+        generateErrorPayload("UNKNOWN_ERROR", `${context}: An unexpected error occurred while casting vote`)
       )
     case "malformed_request":
     case "vote_type_missing":
@@ -806,6 +822,8 @@ export function generateErrorResponseForListVotes(error: FindVotesError, context
     case "workflow_not_found":
       return new NotFoundException(generateErrorPayload("WORKFLOW_NOT_FOUND", `${context}: Workflow not found`))
     case "unknown_error":
+    case "encryption_failed":
+    case "decryption_failed":
       return new InternalServerErrorException(
         generateErrorPayload("UNKNOWN_ERROR", `${context}: An unexpected error occurred`)
       )

app/external/src/database/database-client.ts

@@ -88,23 +88,7 @@ export class DatabaseClient implements OnModuleInit, OnModuleDestroy {
             })
           )()
         },
-        auditLog: {
-          async update() {
-            throw new Error("Audit logs are immutable. Action update is not allowed.")
-          },
-          async updateMany() {
-            throw new Error("Audit logs are immutable. Action updateMany is not allowed.")
-          },
-          async delete() {
-            throw new Error("Audit logs are immutable. Action delete is not allowed.")
-          },
-          async deleteMany() {
-            throw new Error("Audit logs are immutable. Action deleteMany is not allowed.")
-          },
-          async upsert() {
-            throw new Error("Audit logs are immutable. Action upsert is not allowed.")
-          }
-        }
+        auditLog: auditLogExtension
       }
     }) as PrismaClient
   }
@@ -197,3 +181,21 @@ export class DatabaseClient implements OnModuleInit, OnModuleDestroy {
     )
   }
 }
+
+const auditLogExtension = {
+  async update() {
+    throw new Error("Audit logs are immutable. Action update is not allowed.")
+  },
+  async updateMany() {
+    throw new Error("Audit logs are immutable. Action updateMany is not allowed.")
+  },
+  async delete() {
+    throw new Error("Audit logs are immutable. Action delete is not allowed.")
+  },
+  async deleteMany() {
+    throw new Error("Audit logs are immutable. Action deleteMany is not allowed.")
+  },
+  async upsert() {
+    throw new Error("Audit logs are immutable. Action upsert is not allowed.")
+  }
+}