
Commit 4df404e

feat: implement KMS encryption service and integrate it into persistence layer (#173)
1 parent f2d9e55 commit 4df404e

35 files changed

Lines changed: 817 additions & 329 deletions

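--- a/app/controllers/src/auth/auth.mappers.ts
+++ b/app/controllers/src/auth/auth.mappers.ts
@@ -71,7 +71,9 @@ export function generateErrorResponseForRefreshUserToken(error: RefreshUserToken
 case "unknown_error":
 case "quota_check_error":
 case "agent_token_generation_failed":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
 case "agent_key_decode_error":
 case "agent_invalid_uuid":
 case "agent_name_empty":
@@ -259,8 +261,11 @@ export function generateErrorResponseForExchangePrivilegeToken(
 case "user_duplicate_roles":
 case "user_already_exists":
 case "auth_invalid_entity":
+case "encryption_failed":
+case "decryption_failed":
+Logger.error(`Error in OIDC step-up token verification: ${context}`, error)
 return new InternalServerErrorException(
-generateErrorPayload(errorCode, `${context}: OIDC step-up token verification failed`)
+generateErrorPayload("UNKNOWN_ERROR", `${context}: OIDC step-up token verification failed`)
 )
 case "oidc_network_error":
 case "oidc_invalid_userinfo_response":
@@ -328,6 +333,8 @@ export function generateErrorResponseForRefreshAgentToken(
 case "quota_check_error":
 case "agent_token_generation_failed":
 case "oidc_unknown_error":
+case "encryption_failed":
+case "decryption_failed":
 Logger.error(`Unknown error: ${errorCode}`)
 return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
 case "agent_key_decode_error":
@@ -526,6 +533,8 @@ export function generateErrorResponseForGenerateToken(error: GenerateTokenError,
 case "unknown_error":
 case "auth_invalid_redirect_uri":
 case "quota_check_error":
+case "encryption_failed":
+case "decryption_failed":
 return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
 case "request_empty_body":
 case "request_missing_code":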
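Review bot: The `encryption_failed` / `decryption_failed` groups added in the first hunk (generateErrorResponseForRefreshUserToken) and the last hunk (generateErrorResponseForGenerateToken) return the generic payload with no log call in the visible lines, while the other two hunks in this file do call `Logger.error`. With the client-facing code now flattened to `"UNKNOWN_ERROR"`, a server-side log is the only place a KMS failure stays distinguishable from any other internal error, so unless the caller already logs it I would add `Logger.error("Internal error: " + errorCode)` before each `return` (assuming `errorCode` is in scope in the last hunk as it is in the first). No log call is visible in the hunks of cli-auth.mappers.ts, the two workflow-templates mappers or workflows.mappers.ts either. In the second hunk the added message says "OIDC step-up token verification" for the crypto cases as well, which will mislead triage. All four functions start and end outside their hunks.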

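--- a/app/controllers/src/auth/cli-auth.mappers.ts
+++ b/app/controllers/src/auth/cli-auth.mappers.ts
@@ -133,7 +133,9 @@ export function generateErrorResponseForCliInitiate(error: CliAuthError, context
 case "oidc_userinfo_fetch_failed":
 case "pkce_code_generation_failed":
 case "pkce_code_storage_failed":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
 case "refresh_token_invalid_structure":
 case "refresh_token_expire_before_create":
 case "refresh_token_invalid_agent_id":
@@ -312,7 +314,9 @@ export function generateErrorResponseForCliGenerateToken(error: CliAuthError, co
 case "oidc_userinfo_fetch_failed":
 case "pkce_code_generation_failed":
 case "pkce_code_storage_failed":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
 case "refresh_token_invalid_structure":
 case "refresh_token_expire_before_create":
 case "refresh_token_invalid_agent_id":
@@ -491,7 +495,9 @@ export function generateErrorResponseForCliRefreshUserToken(error: CliAuthError,
 case "oidc_userinfo_fetch_failed":
 case "pkce_code_generation_failed":
 case "pkce_code_storage_failed":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
 case "refresh_token_invalid_structure":
 case "refresh_token_expire_before_create":
 case "refresh_token_invalid_agent_id":
@@ -669,7 +675,9 @@ export function generateErrorResponseForCliExchangePrivilegeToken(error: CliAuth
 case "oidc_userinfo_fetch_failed":
 case "pkce_code_generation_failed":
 case "pkce_code_storage_failed":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: unknown error`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(generateErrorPayload("UNKNOWN_ERROR", `${context}: unknown error`))
 case "refresh_token_invalid_structure":
 case "refresh_token_expire_before_create":
 case "refresh_token_invalid_agent_id":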
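Review bot: The same three-line edit is repeated in all four hunks, and every one of these mappers appears to take the same `CliAuthError` (the last hunk header is truncated), so the internal-error case list now lives in four copies. A copy that is missed on the next change would keep returning the raw `errorCode` to the client on that one endpoint, which is the very thing this commit removes. I would move the shared group into one private helper that the four switches call, or hold the internal codes in one shared set that is checked before the switch. Each function starts and ends outside its hunk.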

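--- a/app/controllers/src/internal/workflow-templates/workflow-templates.mappers.ts
+++ b/app/controllers/src/internal/workflow-templates/workflow-templates.mappers.ts
@@ -71,6 +71,10 @@ export function generateErrorResponseForCancelWorkflowsForTemplate(
 )
 
 case "unknown_error":
-return new InternalServerErrorException(`An unknown error occurred. Context: ${context}`)
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(
+generateErrorPayload("UNKNOWN_ERROR", `An unknown error occurred. Context: ${context}`)
+)
 }
 }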

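--- a/app/controllers/src/workflow-templates/workflow-templates.mappers.ts
+++ b/app/controllers/src/workflow-templates/workflow-templates.mappers.ts
@@ -380,7 +380,11 @@ export function generateErrorResponseForCreateWorkflowTemplate(
 )
 case "quota_check_error":
 case "unknown_error":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(
+generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+)
 }
 }
 
@@ -397,7 +401,11 @@ export function generateErrorResponseForGetWorkflowTemplate(
 case "active_workflow_template_not_found":
 return new NotFoundException(generateErrorPayload(errorCode, `${context}: Workflow template not found`))
 case "unknown_error":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(
+generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+)
 case "approval_rule_and_rule_must_have_rules":
 case "approval_rule_group_rule_invalid_group_id":
 case "approval_rule_group_rule_invalid_min_count":
@@ -497,7 +505,11 @@ export function generateErrorResponseForUpdateWorkflowTemplate(
 )
 case "quota_check_error":
 case "unknown_error":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(
+generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+)
 case "quota_exceeded":
 return new ForbiddenException(generateErrorPayload(errorCode, `${context}: quota exceeded`))
 case "workflow_template_not_found":
@@ -569,7 +581,11 @@ export function generateErrorResponseForDeprecateWorkflowTemplate(
 generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
 )
 case "unknown_error":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(
+generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+)
 case "workflow_template_not_found":
 return new NotFoundException(generateErrorPayload(errorCode, `${context}: Workflow template not found`))
 }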

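--- a/app/controllers/src/workflows/workflows.mappers.ts
+++ b/app/controllers/src/workflows/workflows.mappers.ts
@@ -129,7 +129,11 @@ export function generateErrorResponseForCreateWorkflow(
 case "workflow_status_invalid":
 case "quota_check_error":
 case "unknown_error":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(
+generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+)
 case "name_missing":
 case "name_not_string":
 case "description_not_string":
@@ -187,7 +191,11 @@ export function generateErrorResponseForGetWorkflow(
 case "workflow_not_found":
 return new NotFoundException(generateErrorPayload(errorCode, `${context}: Workflow not found`))
 case "unknown_error":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(
+generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+)
 case "approval_rule_and_rule_must_have_rules":
 case "approval_rule_group_rule_invalid_group_id":
 case "approval_rule_group_rule_invalid_min_count":
@@ -281,7 +289,11 @@ export function generateErrorResponseForListWorkflows(
 case "malformed_object":
 return new BadRequestException(generateErrorPayload(errorCode, `${context}: Invalid request parameter`))
 case "unknown_error":
-return new InternalServerErrorException(generateErrorPayload(errorCode, `${context}: An unknown error occurred`))
+case "encryption_failed":
+case "decryption_failed":
+return new InternalServerErrorException(
+generateErrorPayload("UNKNOWN_ERROR", `${context}: An unknown error occurred`)
+)
 case "approval_rule_and_rule_must_have_rules":
 case "approval_rule_group_rule_invalid_group_id":
 case "approval_rule_group_rule_invalid_min_count":
@@ -507,6 +519,8 @@ export function generateErrorResponseForCanVote(error: CanVoteError, context: st
 generateErrorPayload(errorCode, `${context}: Invalid parameters for vote eligibility check`)
 )
 case "unknown_error":
+case "encryption_failed":
+case "decryption_failed":
 return new InternalServerErrorException(
 generateErrorPayload("UNKNOWN_ERROR", `${context}: An unexpected error occurred`)
 )
@@ -648,8 +662,10 @@ export function generateErrorResponseForCastVote(
 return new ForbiddenException(generateErrorPayload(errorCode, `${context}: User is not eligible to vote`))
 case "quota_check_error":
 case "unknown_error":
+case "encryption_failed":
+case "decryption_failed":
 return new InternalServerErrorException(
-generateErrorPayload("VOTE_CAST_FAILED", `${context}: An unexpected error occurred while casting vote`)
+generateErrorPayload("UNKNOWN_ERROR", `${context}: An unexpected error occurred while casting vote`)
 )
 case "malformed_request":
 case "vote_type_missing":
@@ -806,6 +822,8 @@ export function generateErrorResponseForListVotes(error: FindVotesError, context
 case "workflow_not_found":
 return new NotFoundException(generateErrorPayload("WORKFLOW_NOT_FOUND", `${context}: Workflow not found`))
 case "unknown_error":
+case "encryption_failed":
+case "decryption_failed":
 return new InternalServerErrorException(
 generateErrorPayload("UNKNOWN_ERROR", `${context}: An unexpected error occurred`)
 )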
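Review bot: The generateErrorResponseForCastVote hunk changes the payload code from `"VOTE_CAST_FAILED"` to `"UNKNOWN_ERROR"` for the existing `quota_check_error` and `unknown_error` cases, not only for the two new crypto cases. That is a client-visible change for failures that already existed, and any caller that keys on `VOTE_CAST_FAILED` stops matching. If the rename is intended, a comment on the group such as `// internal failures share UNKNOWN_ERROR so the cause is not disclosed` would record why; otherwise keep the old group as it was and give `encryption_failed` / `decryption_failed` their own group returning `"UNKNOWN_ERROR"`. The function starts and ends outside the hunk.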

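--- a/app/external/src/database/database-client.ts
+++ b/app/external/src/database/database-client.ts
@@ -88,23 +88,7 @@ export class DatabaseClient implements OnModuleInit, OnModuleDestroy {
 })
 )()
 },
-auditLog: {
-async update() {
-throw new Error("Audit logs are immutable. Action update is not allowed.")
-},
-async updateMany() {
-throw new Error("Audit logs are immutable. Action updateMany is not allowed.")
-},
-async delete() {
-throw new Error("Audit logs are immutable. Action delete is not allowed.")
-},
-async deleteMany() {
-throw new Error("Audit logs are immutable. Action deleteMany is not allowed.")
-},
-async upsert() {
-throw new Error("Audit logs are immutable. Action upsert is not allowed.")
-}
-}
+auditLog: auditLogExtension
 }
 }) as PrismaClient
 }
@@ -197,3 +181,21 @@ export class DatabaseClient implements OnModuleInit, OnModuleDestroy {
 )
 }
 }
+
+const auditLogExtension = {
+async update() {
+throw new Error("Audit logs are immutable. Action update is not allowed.")
+},
+async updateMany() {
+throw new Error("Audit logs are immutable. Action updateMany is not allowed.")
+},
+async delete() {
+throw new Error("Audit logs are immutable. Action delete is not allowed.")
+},
+async deleteMany() {
+throw new Error("Audit logs are immutable. Action deleteMany is not allowed.")
+},
+async upsert() {
+throw new Error("Audit logs are immutable. Action upsert is not allowed.")
+}
+}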
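Review bot: `auditLogExtension` has no comment stating how far the immutability guarantee reaches: it rejects the five listed actions on `auditLog` and nothing else, so raw SQL, any client action not listed here, and any other database client are outside it. I would put a comment above the constant, for example `// Application-level guard only; audit-log immutability must also be enforced by database privileges.` The constant is also declared below the class whose method reads it, which presumably works only because that method runs after the module has finished loading; declaring it above `DatabaseClient` removes the ordering dependency. The object that `auditLog:` is attached to starts above the first hunk.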
