Merge pull request #60 from luis5tb/dcr-enc-key

fix: fail-fast on missing or invalid DCR_ENCRYPTION_KEY

Author: luis5tb

src/lightspeed_agent/dcr/service.py

@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 import logging
+import os
 from typing import TYPE_CHECKING
 
 import httpx
@@ -73,13 +74,28 @@ def __init__(
         self._client_repository = client_repository or get_dcr_client_repository()
         self._settings = get_settings()
 
-        # Fernet cipher for encrypting client secrets
+        # Fernet cipher for encrypting client secrets.
+        # In production (Cloud Run), DCR_ENCRYPTION_KEY is required to prevent
+        # silent data loss from missing encryption configuration.
         self._fernet: Fernet | None = None
         if self._settings.dcr_encryption_key:
             try:
                 self._fernet = Fernet(self._settings.dcr_encryption_key.encode())
             except Exception as e:
-                logger.error("Invalid DCR encryption key: %s", e)
+                raise ValueError(
+                    f"Invalid DCR_ENCRYPTION_KEY: {e}. "
+                    "Generate a valid key with: "
+                    "python -c 'from cryptography.fernet import Fernet; "
+                    "print(Fernet.generate_key().decode())'"
+                ) from e
+        elif os.getenv("K_SERVICE"):
+            raise ValueError(
+                "DCR_ENCRYPTION_KEY is required in production "
+                f"(K_SERVICE={os.getenv('K_SERVICE')}). "
+                "Client secrets cannot be stored without an encryption key. "
+                "Generate a key with: python -c 'from cryptography.fernet import Fernet; "
+                "print(Fernet.generate_key().decode())'"
+            )
 
     def _get_gma_client(self) -> GMAClient:
         """Get the GMA client (lazy initialization)."""
@@ -95,10 +111,15 @@ def _encrypt_secret(self, secret: str) -> str:
 
         Returns:
             Encrypted secret as base64 string.
+
+        Raises:
+            RuntimeError: If DCR_ENCRYPTION_KEY is not configured.
         """
         if not self._fernet:
-            logger.warning("DCR_ENCRYPTION_KEY not set, using ephemeral key")
-            self._fernet = Fernet(Fernet.generate_key())
+            raise RuntimeError(
+                "Cannot encrypt client secret: DCR_ENCRYPTION_KEY is not configured. "
+                "Set DCR_ENCRYPTION_KEY to a valid Fernet key before performing DCR operations."
+            )
         return self._fernet.encrypt(secret.encode()).decode()
 
     def _decrypt_secret(self, encrypted_secret: str) -> str | None:

src/lightspeed_agent/marketplace/app.py

@@ -37,6 +37,19 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
         logger.error("Failed to initialize database: %s", e)
         raise
 
+    # Startup: Validate DCR configuration (fail-fast on Cloud Run)
+    # This ensures DCR_ENCRYPTION_KEY is valid BEFORE the service becomes ready,
+    # preventing silent failures when the first DCR request arrives.
+    try:
+        from lightspeed_agent.dcr import get_dcr_service
+
+        logger.info("Validating DCR service configuration")
+        get_dcr_service()  # Triggers DCRService.__init__() validation
+        logger.info("DCR service initialized successfully")
+    except Exception as e:
+        logger.error("Failed to initialize DCR service: %s", e)
+        raise
+
     yield
 
     # Shutdown: Close database connection

tests/conftest.py

@@ -18,6 +18,10 @@
 os.environ["DCR_ENABLED"] = "false"  # Use pre-seeded credentials for tests
 os.environ["RED_HAT_SSO_CLIENT_ID"] = "test-static-client-id"
 os.environ["RED_HAT_SSO_CLIENT_SECRET"] = "test-static-client-secret"
+# Stable Fernet key for tests — secrets encrypted in one test can be decrypted in another
+from cryptography.fernet import Fernet as _Fernet  # noqa: E402
+
+os.environ["DCR_ENCRYPTION_KEY"] = _Fernet.generate_key().decode()
 
 
 @pytest.fixture

tests/test_dcr.py

@@ -277,6 +277,39 @@ async def test_get_client(self, service):
         assert client.account_id == "valid-account-123"
 
 
+class TestDCRServiceEncryptionValidation:
+    """Tests for DCR service encryption key validation."""
+
+    def test_dcr_service_missing_key_on_cloud_run(self, monkeypatch, db_session):
+        """Test DCRService raises ValueError when DCR_ENCRYPTION_KEY is missing on Cloud Run."""
+        from lightspeed_agent.config import get_settings
+
+        settings = get_settings()
+        monkeypatch.setenv("K_SERVICE", "test-marketplace-handler")
+        monkeypatch.setattr(settings, "dcr_encryption_key", "")
+
+        with pytest.raises(ValueError, match="DCR_ENCRYPTION_KEY is required in production"):
+            DCRService()
+
+    def test_dcr_service_invalid_encryption_key(self, monkeypatch, db_session):
+        """Test that DCRService raises ValueError for invalid DCR_ENCRYPTION_KEY."""
+        from lightspeed_agent.config import get_settings
+
+        settings = get_settings()
+        monkeypatch.setattr(settings, "dcr_encryption_key", "not-a-valid-fernet-key")
+
+        with pytest.raises(ValueError, match="Invalid DCR_ENCRYPTION_KEY"):
+            DCRService()
+
+    def test_encrypt_secret_without_key_raises(self, db_session):
+        """Test that _encrypt_secret raises RuntimeError when _fernet is None."""
+        service = DCRService()
+        service._fernet = None
+
+        with pytest.raises(RuntimeError, match="Cannot encrypt client secret"):
+            service._encrypt_secret("test-secret")
+
+
 class TestDCRServiceDelete:
     """Tests for DCR service client deletion."""