chore(vault): migrate Vault plugin to NestJS

Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>

Author: shikanime

apps/server-nestjs/.envrc

@@ -0,0 +1,2 @@
+source_up
+dotenv

apps/server-nestjs/src/modules/vault/vault-client.service.ts

@@ -1,6 +1,5 @@
 import { Inject, Injectable, Logger } from '@nestjs/common'
 import { ConfigurationService } from '@/cpin-module/infrastructure/configuration/configuration.service'
-import { generateKVConfigUpdate } from './vault.utils'
 
 export interface VaultMetadata {
   created_time: string
@@ -28,15 +27,15 @@ export class VaultClientService {
   ) {
   }
 
-  private async request<T = any>(method: string, path: string, options: { body?: any } = {}): Promise<T | null> {
+  private async fetch<T = any>(path: string, options: { method?: string, body?: any } = {}): Promise<T | null> {
     const url = `${this.config.vaultInternalUrl}${path}`
     const headers: Record<string, string> = {
       'Content-Type': 'application/json',
       'X-Vault-Token': this.config.vaultToken,
     }
 
     const response = await fetch(url, {
-      method,
+      method: options.method,
       headers,
       body: options.body ? JSON.stringify(options.body) : undefined,
     })
@@ -53,7 +52,9 @@ export class VaultClientService {
   async read<T = any>(path: string): Promise<VaultSecret<T> | null> {
     if (path.startsWith('/')) path = path.slice(1)
     try {
-      const data = await this.request<VaultResponse<T>>('GET', `/v1/${this.config.vaultKvName}/data/${path}`)
+      const data = await this.fetch<VaultResponse<T>>(`/v1/${this.config.vaultKvName}/data/${path}`, {
+        method: 'GET',
+      })
       if (!data) return null
       return data.data
     } catch (error) {
@@ -65,7 +66,8 @@ export class VaultClientService {
   async write<T = any>(data: T, path: string): Promise<void> {
     if (path.startsWith('/')) path = path.slice(1)
     try {
-      await this.request('POST', `/v1/${this.config.vaultKvName}/data/${path}`, {
+      await this.fetch(`/v1/${this.config.vaultKvName}/data/${path}`, {
+        method: 'POST',
         body: { data },
       })
     } catch (error) {
@@ -77,10 +79,48 @@ export class VaultClientService {
   async destroy(path: string): Promise<void> {
     if (path.startsWith('/')) path = path.slice(1)
     try {
-      await this.request('DELETE', `/v1/${this.config.vaultKvName}/metadata/${path}`)
+      await this.fetch(`/v1/${this.config.vaultKvName}/metadata/${path}`, {
+        method: 'DELETE',
+      })
     } catch (error) {
       this.logger.error(`Failed to destroy vault path ${path}: ${error}`)
       throw error
     }
   }
+
+  async upsertPolicyAcl(policyName: string, data: any) {
+    await this.fetch(`/v1/sys/policies/acl/${policyName}`, {
+      method: 'POST',
+      body: data,
+    })
+  }
+
+  async createMount(name: string, data: any) {
+    this.fetch(`/v1/sys/mounts/${name}/tune`, {
+      method: 'POST',
+      body: data,
+    })
+  }
+
+  async updateMount(name: string, data: any) {
+    this.fetch(`/v1/sys/mounts/${name}/tune`, {
+      method: 'PUT',
+      body: data,
+    })
+  }
+
+  async upsertRole(roleName: string, policies: string[]) {
+    await this.fetch(`/v1/auth/approle/role/${roleName}`, {
+      method: 'POST',
+      body: {
+        secret_id_num_uses: '0',
+        secret_id_ttl: '0',
+        token_max_ttl: '0',
+        token_num_uses: '0',
+        token_ttl: '0',
+        token_type: 'batch',
+        token_policies: policies,
+      },
+    })
+  }
 }

apps/server-nestjs/src/modules/vault/vault-datastore.service.ts

@@ -0,0 +1,43 @@
+import { Inject, Injectable } from '@nestjs/common'
+import type { Prisma } from '@prisma/client'
+import { PrismaService } from '@/cpin-module/infrastructure/database/prisma.service'
+
+export const projectSelect = {
+  id: true,
+  name: true,
+  slug: true,
+  description: true,
+  environments: {
+    select: {
+      id: true,
+      name: true,
+      clusterId: true,
+      cpu: true,
+      gpu: true,
+      memory: true,
+      autosync: true,
+    },
+  },
+} satisfies Prisma.ProjectSelect
+
+export type ProjectWithDetails = Prisma.ProjectGetPayload<{
+  select: typeof projectSelect
+}>
+
+@Injectable()
+export class VaultDatastoreService {
+  constructor(@Inject(PrismaService) private readonly prisma: PrismaService) {}
+
+  async getAllProjects(): Promise<ProjectWithDetails[]> {
+    return this.prisma.project.findMany({
+      select: projectSelect,
+    })
+  }
+
+  async getProject(id: string): Promise<ProjectWithDetails | null> {
+    return this.prisma.project.findUnique({
+      where: { id },
+      select: projectSelect,
+    })
+  }
+}

apps/server-nestjs/src/modules/vault/vault.service.ts

@@ -2,6 +2,8 @@ import { Inject, Injectable, Logger } from '@nestjs/common'
 import { ConfigurationService } from '@/cpin-module/infrastructure/configuration/configuration.service'
 import { VaultClientService } from './vault-client.service'
 import type { VaultSecret } from './vault-client.service'
+import { generateAppAdminPolicyName, generateTechnicalReadOnlyPolicyName, generateZoneName } from './vault.utils'
+import type { ProjectWithDetails } from './vault-datastore.service'
 
 @Injectable()
 export class VaultService {
@@ -32,4 +34,55 @@ export class VaultService {
   async destroy(path: string): Promise<void> {
     await this.vaultClientService.destroy(path)
   }
+
+  async upsertMount(kvName: string) {
+    const body = {
+      type: 'kv',
+      config: {
+        force_no_cache: true,
+      },
+      options: {
+        version: 2,
+      },
+    }
+    try {
+      await this.vaultClientService.updateMount(kvName, body)
+    } catch (_error) {
+      await this.vaultClientService.createMount(kvName, body)
+    }
+  }
+
+  async createZone(project: ProjectWithDetails, environment: ProjectWithDetails['environments'][number]) {
+    const kvName = generateZoneName(environment.name)
+    await this.upsertMount(kvName)
+    const techName = generateTechnicalReadOnlyPolicyName(project)
+    const appName = generateAppAdminPolicyName(project)
+    await Promise.all([
+      this.createTechnicalReadOnlyPolicy(techName, project.slug),
+      this.createAppAdminPolicy(appName, project.slug),
+    ])
+    await this.vaultClientService.upsertRole(kvName, [
+      techName,
+      appName,
+    ])
+  }
+
+  async createTechnicalReadOnlyPolicy(name: string, projectSlug: string) {
+    await this.vaultClientService.upsertPolicyAcl(
+      name,
+      {
+        policy: `path "${projectSlug}/*" { capabilities = ["create", "read", "update", "delete", "list"] }`,
+      },
+    )
+  }
+
+  async createAppAdminPolicy(name: string, projectSlug: string) {
+    await this.vaultClientService.upsertPolicyAcl(
+      name,
+      {
+        policy:
+      `path "${this.config.vaultKvName}/data/${this.config.projectRootPath}/${projectSlug}/REGISTRY/ro-robot" { capabilities = ["read"] }`,
+      },
+    )
+  }
 }

apps/server-nestjs/src/modules/vault/vault.utils.ts

@@ -0,0 +1,13 @@
+import type { ProjectWithDetails } from './vault-datastore.service'
+
+export function generateTechnicalReadOnlyPolicyName(project: ProjectWithDetails) {
+  return `tech--${project.slug}--ro`
+}
+
+export function generateAppAdminPolicyName(project: ProjectWithDetails) {
+  return `app--${project.slug}--admin`
+}
+
+export function generateZoneName(name: string) {
+  return `zone-${name}`
+}