add unit tests for kms accounts with prool

Author: d4mr

.env.test

@@ -5,4 +5,13 @@ ENCRYPTION_PASSWORD="test"
 ENABLE_KEYPAIR_AUTH="true"
 ENABLE_HTTPS="true"
 REDIS_URL="redis://127.0.0.1:6379/0"
-THIRDWEB_API_SECRET_KEY="my-thirdweb-secret-key"
+THIRDWEB_API_SECRET_KEY="my-thirdweb-secret-key"
+
+TEST_AWS_KMS_KEY_ID=""
+TEST_AWS_KMS_ACCESS_KEY_ID=""
+TEST_AWS_KMS_SECRET_ACCESS_KEY=""
+TEST_AWS_KMS_REGION=""
+
+TEST_GCP_KMS_RESOURCE_PATH=""
+TEST_GCP_KMS_EMAIL=""
+TEST_GCP_KMS_PK=""

package.json

@@ -71,6 +71,7 @@
     "pg": "^8.11.3",
     "prisma": "^5.14.0",
     "prom-client": "^15.1.3",
+    "prool": "^0.0.16",
     "superjson": "^2.2.1",
     "thirdweb": "^5.58.4",
     "uuid": "^9.0.1",

src/db/wallets/createWalletDetails.ts

@@ -1,32 +1,33 @@
 import type { PrismaTransaction } from "../../schema/prisma";
-import type { WalletType } from "../../schema/wallet";
 import { encrypt } from "../../utils/crypto";
 import { getPrismaWithPostgresTx } from "../client";
 
 // TODO: Case on types by wallet type
-interface CreateWalletDetailsParams {
+type CreateWalletDetailsParams = {
   pgtx?: PrismaTransaction;
   address: string;
-  type: WalletType;
   label?: string;
+} & (
+  | {
+      type: "aws-kms";
+      awsKmsKeyId?: string; // depcrecated and unused, todo: remove with next breaking change
+      awsKmsArn: string;
 
-  // AWS KMS
-  awsKmsKeyId?: string; // depcrecated and unused, todo: remove with next breaking change
-  awsKmsArn?: string;
+      awsKmsSecretAccessKey?: string; // will be encrypted and stored, pass plaintext to this function
+      awsKmsAccessKeyId?: string;
+    }
+  | {
+      type: "gcp-kms";
+      gcpKmsResourcePath: string;
+      gcpKmsKeyRingId?: string; // depcrecated and unused, todo: remove with next breaking change
+      gcpKmsKeyId?: string; // depcrecated and unused, todo: remove with next breaking change
+      gcpKmsKeyVersionId?: string; // depcrecated and unused, todo: remove with next breaking change
+      gcpKmsLocationId?: string; // depcrecated and unused, todo: remove with next breaking change
 
-  awsKmsSecretAccessKey?: string; // encrypted
-  awsKmsAccessKeyId?: string;
-
-  // GCP KMS
-  gcpKmsResourcePath?: string;
-  gcpKmsKeyRingId?: string; // depcrecated and unused, todo: remove with next breaking change
-  gcpKmsKeyId?: string; // depcrecated and unused, todo: remove with next breaking change
-  gcpKmsKeyVersionId?: string; // depcrecated and unused, todo: remove with next breaking change
-  gcpKmsLocationId?: string; // depcrecated and unused, todo: remove with next breaking change
-
-  gcpApplicationCredentialPrivateKey?: string; // encrypted
-  gcpApplicationCredentialEmail?: string;
-}
+      gcpApplicationCredentialPrivateKey?: string; // encrypted
+      gcpApplicationCredentialEmail?: string;
+    }
+);
 
 export const createWalletDetails = async ({
   pgtx,
@@ -46,19 +47,30 @@ export const createWalletDetails = async ({
     );
   }
 
-  return prisma.walletDetails.create({
-    data: {
-      ...walletDetails,
-      address: walletDetails.address.toLowerCase(),
+  if (walletDetails.type === "aws-kms") {
+    return prisma.walletDetails.create({
+      data: {
+        ...walletDetails,
+        address: walletDetails.address.toLowerCase(),
 
-      awsKmsSecretAccessKey: walletDetails.awsKmsSecretAccessKey
-        ? encrypt(walletDetails.awsKmsSecretAccessKey)
-        : undefined,
-
-      gcpApplicationCredentialPrivateKey:
-        walletDetails.gcpApplicationCredentialPrivateKey
-          ? encrypt(walletDetails.gcpApplicationCredentialPrivateKey)
+        awsKmsSecretAccessKey: walletDetails.awsKmsSecretAccessKey
+          ? encrypt(walletDetails.awsKmsSecretAccessKey)
           : undefined,
-    },
-  });
+      },
+    });
+  }
+
+  if (walletDetails.type === "gcp-kms") {
+    return prisma.walletDetails.create({
+      data: {
+        ...walletDetails,
+        address: walletDetails.address.toLowerCase(),
+
+        gcpApplicationCredentialPrivateKey:
+          walletDetails.gcpApplicationCredentialPrivateKey
+            ? encrypt(walletDetails.gcpApplicationCredentialPrivateKey)
+            : undefined,
+      },
+    });
+  }
 };

src/prisma/migrations/20241003051028_wallet_details_credentials/migration.sql

@@ -0,0 +1,5 @@
+-- AlterTable
+ALTER TABLE "wallet_details" ADD COLUMN     "awsKmsAccessKeyId" TEXT,
+ADD COLUMN     "awsKmsSecretAccessKey" TEXT,
+ADD COLUMN     "gcpApplicationCredentialEmail" TEXT,
+ADD COLUMN     "gcpApplicationCredentialPrivateKey" TEXT;

src/prisma/schema.prisma

@@ -30,15 +30,15 @@ model Configuration {
   contractSubscriptionsRetryDelaySeconds String  @default("10") @map("contractSubscriptionsRetryDelaySeconds")
 
   // AWS
-  awsAccessKeyId                     String?  @map("awsAccessKeyId") // global config, precendence goes to WalletDetails
-  awsSecretAccessKey                 String?  @map("awsSecretAccessKey") // global config, precendence goes to WalletDetails
-  awsRegion                          String?  @map("awsRegion") // // global config, treat as "default", store in WalletDetails.awsKmsArn
+  awsAccessKeyId                     String?  @map("awsAccessKeyId") /// global config, precendence goes to WalletDetails
+  awsSecretAccessKey                 String?  @map("awsSecretAccessKey") /// global config, precendence goes to WalletDetails
+  awsRegion                          String?  @map("awsRegion") /// global config, treat as "default", store in WalletDetails.awsKmsArn
   // GCP
-  gcpApplicationProjectId            String?  @map("gcpApplicationProjectId") // global config, treat as "defult", store in WalletDetails.gcpKmsResourcePath
-  gcpKmsLocationId                   String?  @map("gcpKmsLocationId") // global config, treat as "defult", store in WalletDetails.gcpKmsResourcePath
-  gcpKmsKeyRingId                    String?  @map("gcpKmsKeyRingId") // global config, treat as "defult", store in WalletDetails.gcpKmsResourcePath
-  gcpApplicationCredentialEmail      String?  @map("gcpApplicationCredentialEmail") // global config, precendence goes to WalletDetails
-  gcpApplicationCredentialPrivateKey String?  @map("gcpApplicationCredentialPrivateKey") // global config, precendence goes to WalletDetails
+  gcpApplicationProjectId            String?  @map("gcpApplicationProjectId") /// global config, treat as "defult", store in WalletDetails.gcpKmsResourcePath
+  gcpKmsLocationId                   String?  @map("gcpKmsLocationId") /// global config, treat as "defult", store in WalletDetails.gcpKmsResourcePath
+  gcpKmsKeyRingId                    String?  @map("gcpKmsKeyRingId") /// global config, treat as "defult", store in WalletDetails.gcpKmsResourcePath
+  gcpApplicationCredentialEmail      String?  @map("gcpApplicationCredentialEmail") /// global config, precendence goes to WalletDetails
+  gcpApplicationCredentialPrivateKey String?  @map("gcpApplicationCredentialPrivateKey") /// global config, precendence goes to WalletDetails
   // Auth
   authDomain                         String   @default("") @map("authDomain") // TODO: Remove defaults on major
   authWalletEncryptedJson            String   @default("") @map("authWalletEncryptedJson") // TODO: Remove defaults on major
@@ -82,18 +82,18 @@ model WalletDetails {
   // Local
   encryptedJson                      String? @map("encryptedJson")
   // KMS
-  awsKmsKeyId                        String? @map("awsKmsKeyId") // deprecated and unused, todo: remove with next breaking change. Use awsKmsArn
+  awsKmsKeyId                        String? @map("awsKmsKeyId") /// deprecated and unused, todo: remove with next breaking change. Use awsKmsArn
   awsKmsArn                          String? @map("awsKmsArn")
-  awsKmsSecretAccessKey              String? @map("awsKmsSecretAccessKey") // if not available, default to: Configuration.awsSecretAccessKey
-  awsKmsAccessKeyId                  String? @map("awsKmsAccessKeyId") // if not available, default to: Configuration.awsAccessKeyId
+  awsKmsSecretAccessKey              String? @map("awsKmsSecretAccessKey") /// if not available, default to: Configuration.awsSecretAccessKey
+  awsKmsAccessKeyId                  String? @map("awsKmsAccessKeyId") /// if not available, default to: Configuration.awsAccessKeyId
   // GCP
-  gcpKmsKeyRingId                    String? @map("gcpKmsKeyRingId") @db.VarChar(50) // deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
-  gcpKmsKeyId                        String? @map("gcpKmsKeyId") @db.VarChar(50) // deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
-  gcpKmsKeyVersionId                 String? @map("gcpKmsKeyVersionId") @db.VarChar(20) // deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
-  gcpKmsLocationId                   String? @map("gcpKmsLocationId") @db.VarChar(20) // deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
+  gcpKmsKeyRingId                    String? @map("gcpKmsKeyRingId") @db.VarChar(50) /// deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
+  gcpKmsKeyId                        String? @map("gcpKmsKeyId") @db.VarChar(50) /// deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
+  gcpKmsKeyVersionId                 String? @map("gcpKmsKeyVersionId") @db.VarChar(20) /// deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
+  gcpKmsLocationId                   String? @map("gcpKmsLocationId") @db.VarChar(20) /// deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
   gcpKmsResourcePath                 String? @map("gcpKmsResourcePath") @db.Text
-  gcpApplicationCredentialEmail      String? @map("gcpApplicationCredentialEmail") // if not available, default to: Configuration.gcpApplicationCredentialEmail
-  gcpApplicationCredentialPrivateKey String? @map("gcpApplicationCredentialPrivateKey") // if not available, default to: Configuration.gcpApplicationCredentialPrivateKey
+  gcpApplicationCredentialEmail      String? @map("gcpApplicationCredentialEmail") /// if not available, default to: Configuration.gcpApplicationCredentialEmail
+  gcpApplicationCredentialPrivateKey String? @map("gcpApplicationCredentialPrivateKey") /// if not available, default to: Configuration.gcpApplicationCredentialPrivateKey
 
   @@map("wallet_details")
 }

src/server/routes/backend-wallet/create.ts

@@ -3,10 +3,17 @@ import type { FastifyInstance } from "fastify";
 import { StatusCodes } from "http-status-codes";
 import { WalletType } from "../../../schema/wallet";
 import { getConfig } from "../../../utils/cache/getConfig";
+import { createCustomError } from "../../middleware/error";
 import { AddressSchema } from "../../schemas/address";
 import { standardResponseSchema } from "../../schemas/sharedApiSchemas";
-import { createAwsKmsWallet } from "../../utils/wallets/createAwsKmsWallet";
-import { createGcpKmsWallet } from "../../utils/wallets/createGcpKmsWallet";
+import {
+  CreateAwsKmsWalletError,
+  createAwsKmsWallet,
+} from "../../utils/wallets/createAwsKmsWallet";
+import {
+  CreateGcpKmsWalletError,
+  createGcpKmsWallet,
+} from "../../utils/wallets/createGcpKmsWallet";
 import { createLocalWallet } from "../../utils/wallets/createLocalWallet";
 
 const requestBodySchema = Type.Object({
@@ -66,10 +73,32 @@ export const createBackendWallet = async (fastify: FastifyInstance) => {
           walletAddress = await createLocalWallet({ label });
           break;
         case WalletType.awsKms:
-          walletAddress = await createAwsKmsWallet({ label });
+          try {
+            walletAddress = await createAwsKmsWallet({ label });
+          } catch (e) {
+            if (e instanceof CreateAwsKmsWalletError) {
+              throw createCustomError(
+                e.message,
+                StatusCodes.BAD_REQUEST,
+                "CREATE_AWS_KMS_WALLET_ERROR",
+              );
+            }
+            throw e;
+          }
           break;
         case WalletType.gcpKms:
-          walletAddress = await createGcpKmsWallet({ label });
+          try {
+            walletAddress = await createGcpKmsWallet({ label });
+          } catch (e) {
+            if (e instanceof CreateGcpKmsWalletError) {
+              throw createCustomError(
+                e.message,
+                StatusCodes.BAD_REQUEST,
+                "CREATE_GCP_KMS_WALLET_ERROR",
+              );
+            }
+            throw e;
+          }
           break;
       }
 

src/server/routes/backend-wallet/import.ts

@@ -10,89 +10,71 @@ import { importAwsKmsWallet } from "../../utils/wallets/importAwsKmsWallet";
 import { importGcpKmsWallet } from "../../utils/wallets/importGcpKmsWallet";
 import { importLocalWallet } from "../../utils/wallets/importLocalWallet";
 
-const RequestBodySchema = Type.Union([
+const RequestBodySchema = Type.Intersect([
   Type.Object({
     label: Type.Optional(
       Type.String({
         description: "Optional label for the imported wallet",
       }),
     ),
-    awsKmsArn: Type.String({
-      description: "AWS KMS key ARN",
-      examples: [
-        "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
-      ],
-    }),
-    credentials: Type.Object(
-      {
-        awsAccessKeyId: Type.String({ description: "AWS Access Key ID" }),
-        awsSecretAccessKey: Type.String({
-          description: "AWS Secret Access Key",
-        }),
-      },
-      {
-        description:
-          "Optional AWS credentials to use for importing the wallet, if not provided, the default AWS credentials will be used (if available).",
-      },
-    ),
   }),
-  // TODO: with next breaking change, only require GCP KMS resource path
-  Type.Object({
-    label: Type.Optional(
-      Type.String({
-        description: "Optional label for the imported wallet",
+  Type.Union([
+    Type.Object({
+      awsKmsArn: Type.String({
+        description: "AWS KMS key ARN",
+        examples: [
+          "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
+        ],
       }),
-    ),
-    gcpKmsKeyId: Type.String({
-      description: "GCP KMS key ID",
-      examples: ["12345678-1234-1234-1234-123456789012"],
-    }),
-    gcpKmsKeyVersionId: Type.String({
-      description: "GCP KMS key version ID",
-      examples: ["1"],
-    }),
-    credentials: Type.Optional(
-      Type.Object(
+      credentials: Type.Object(
         {
-          email: Type.String({ description: "GCP service account email" }),
-          privateKey: Type.String({
-            description: "GCP service account private key",
+          awsAccessKeyId: Type.String({ description: "AWS Access Key ID" }),
+          awsSecretAccessKey: Type.String({
+            description: "AWS Secret Access Key",
           }),
         },
         {
           description:
-            "Optional GCP credentials to use for importing the wallet, if not provided, the default GCP credentials will be used (if available).",
+            "Optional AWS credentials to use for importing the wallet, if not provided, the default AWS credentials will be used (if available).",
         },
       ),
-    ),
-  }),
-  Type.Union([
+    }),
+    // TODO: with next breaking change, only require GCP KMS resource path
     Type.Object({
-      label: Type.Optional(
-        Type.String({
-          description: "Optional label for the imported wallet",
-        }),
+      gcpKmsKeyId: Type.String({
+        description: "GCP KMS key ID",
+        examples: ["12345678-1234-1234-1234-123456789012"],
+      }),
+      gcpKmsKeyVersionId: Type.String({
+        description: "GCP KMS key version ID",
+        examples: ["1"],
+      }),
+      credentials: Type.Optional(
+        Type.Object(
+          {
+            email: Type.String({ description: "GCP service account email" }),
+            privateKey: Type.String({
+              description: "GCP service account private key",
+            }),
+          },
+          {
+            description:
+              "Optional GCP credentials to use for importing the wallet, if not provided, the default GCP credentials will be used (if available).",
+          },
+        ),
       ),
+    }),
+    Type.Object({
       privateKey: Type.String({
         description: "The private key of the wallet to import",
       }),
     }),
     Type.Object({
-      label: Type.Optional(
-        Type.String({
-          description: "Optional label for the imported wallet",
-        }),
-      ),
       mnemonic: Type.String({
         description: "The mnemonic phrase of the wallet to import",
       }),
     }),
     Type.Object({
-      label: Type.Optional(
-        Type.String({
-          description: "Optional label for the imported wallet",
-        }),
-      ),
       encryptedJson: Type.String({
         description: "The encrypted JSON of the wallet to import",
       }),

src/server/routes/configuration/wallets/get.ts

@@ -9,14 +9,14 @@ export const responseBodySchema = Type.Object({
   result: Type.Object({
     type: Type.Enum(WalletType),
 
-    awsAccessKeyId: Type.String().Optional(),
-    awsRegion: Type.String().Optional(),
+    awsAccessKeyId: Type.Union([Type.String(), Type.Null()]),
+    awsRegion: Type.Union([Type.String(), Type.Null()]),
 
     // Omit awsSecretAccessKey
-    gcpApplicationProjectId: Type.String().Optional(),
-    gcpKmsLocationId: Type.String().Optional(),
-    gcpKmsKeyRingId: Type.String().Optional(),
-    gcpApplicationCredentialEmail: Type.String().Optional(),
+    gcpApplicationProjectId: Type.Union([Type.String(), Type.Null()]),
+    gcpKmsLocationId: Type.Union([Type.String(), Type.Null()]),
+    gcpKmsKeyRingId: Type.Union([Type.String(), Type.Null()]),
+    gcpApplicationCredentialEmail: Type.Union([Type.String(), Type.Null()]),
     // Omit gcpApplicationCredentialPrivateKey
   }),
 });