feat: GCP KMS + refactor

- use multiple wallet types simultaneously
- resourcePath or ARN is source of truth: treat config AWS/GCP details as "default"
- credentials override

Author: d4mr

package.json

@@ -28,6 +28,8 @@
   "dependencies": {
     "@aws-sdk/client-kms": "^3.398.0",
     "@bull-board/fastify": "^5.21.1",
+    "@cloud-cryptographic-wallet/cloud-kms-signer": "^0.1.2",
+    "@cloud-cryptographic-wallet/signer": "^0.0.5",
     "@fastify/basic-auth": "^5.1.1",
     "@fastify/cookie": "^8.3.0",
     "@fastify/express": "^2.3.0",

src/db/configuration/getConfiguration.ts

@@ -1,12 +1,16 @@
-import { Configuration } from "@prisma/client";
-import { Static } from "@sinclair/typebox";
+import type { Configuration } from "@prisma/client";
+import type { Static } from "@sinclair/typebox";
 import { LocalWallet } from "@thirdweb-dev/wallets";
 import { ethers } from "ethers";
-import { Chain } from "thirdweb";
-import { ParsedConfig } from "../../schema/config";
+import type { Chain } from "thirdweb";
+import type {
+  AwsWalletConfiguration,
+  GcpWalletConfiguration,
+  ParsedConfig,
+} from "../../schema/config";
 import { WalletType } from "../../schema/wallet";
 import { mandatoryAllowedCorsUrls } from "../../server/utils/cors-urls";
-import { networkResponseSchema } from "../../utils/cache/getSdk";
+import type { networkResponseSchema } from "../../utils/cache/getSdk";
 import { decrypt } from "../../utils/crypto";
 import { env } from "../../utils/env";
 import { logger } from "../../utils/logger";
@@ -53,6 +57,18 @@ const toParsedConfig = async (config: Configuration): Promise<ParsedConfig> => {
     }
   }
 
+  // LEGACY COMPATIBILITY
+  // legacy behaviour was to check for these in order:
+  // 1. AWS KMS Configuration - if found, wallet type is AWS KMS
+  // 2. GCP KMS Configuration - if found, wallet type is GCP KMS
+  // 3. If neither are found, wallet type is Local
+  // to maintain compatibility where users expect to call create new backend wallet endpoint without an explicit wallet type
+  // we need to preserve the wallet type in the configuration but only as the "default" wallet type
+  let legacyWalletType_removeInNextBreakingChange: WalletType =
+    WalletType.local;
+
+  let awsWalletConfiguration: AwsWalletConfiguration | null = null;
+
   // TODO: Remove backwards compatibility with next breaking change
   if (awsAccessKeyId && awsSecretAccessKey && awsRegion) {
     // First try to load the aws secret using the encryption password
@@ -73,7 +89,8 @@ const toParsedConfig = async (config: Configuration): Promise<ParsedConfig> => {
         logger({
           service: "worker",
           level: "info",
-          message: `[Encryption] Updating awsSecretAccessKey to use ENCRYPTION_PASSWORD`,
+          message:
+            "[Encryption] Updating awsSecretAccessKey to use ENCRYPTION_PASSWORD",
         });
 
         await updateConfiguration({
@@ -85,28 +102,18 @@ const toParsedConfig = async (config: Configuration): Promise<ParsedConfig> => {
     // Renaming contractSubscriptionsRetryDelaySeconds
     // to contractSubscriptionsRequeryDelaySeconds to reflect its purpose
     // as we are requerying (& not retrying) with different delays
-    return {
-      ...restConfig,
-      contractSubscriptionsRequeryDelaySeconds:
-        contractSubscriptionsRetryDelaySeconds,
-      chainOverridesParsed,
-      walletConfiguration: {
-        type: WalletType.awsKms,
-        awsRegion,
-        awsAccessKeyId,
-        awsSecretAccessKey: decryptedSecretAccessKey,
-      },
+    awsWalletConfiguration = {
+      awsAccessKeyId,
+      awsSecretAccessKey: decryptedSecretAccessKey,
+      defaultAwsRegion: awsRegion,
     };
+
+    legacyWalletType_removeInNextBreakingChange = WalletType.awsKms;
   }
 
+  let gcpWalletConfiguration: GcpWalletConfiguration | null = null;
   // TODO: Remove backwards compatibility with next breaking change
-  if (
-    gcpApplicationProjectId &&
-    gcpKmsLocationId &&
-    gcpKmsKeyRingId &&
-    gcpApplicationCredentialEmail &&
-    gcpApplicationCredentialPrivateKey
-  ) {
+  if (gcpApplicationCredentialEmail && gcpApplicationCredentialPrivateKey) {
     // First try to load the gcp secret using the encryption password
     let decryptedGcpKey = decrypt(
       gcpApplicationCredentialPrivateKey,
@@ -125,7 +132,8 @@ const toParsedConfig = async (config: Configuration): Promise<ParsedConfig> => {
         logger({
           service: "worker",
           level: "info",
-          message: `[Encryption] Updating gcpApplicationCredentialPrivateKey to use ENCRYPTION_PASSWORD`,
+          message:
+            "[Encryption] Updating gcpApplicationCredentialPrivateKey to use ENCRYPTION_PASSWORD",
         });
 
         await updateConfiguration({
@@ -134,20 +142,24 @@ const toParsedConfig = async (config: Configuration): Promise<ParsedConfig> => {
       }
     }
 
-    return {
-      ...restConfig,
-      contractSubscriptionsRequeryDelaySeconds:
-        contractSubscriptionsRetryDelaySeconds,
-      chainOverridesParsed,
-      walletConfiguration: {
-        type: WalletType.gcpKms,
-        gcpApplicationProjectId,
-        gcpKmsLocationId,
-        gcpKmsKeyRingId,
-        gcpApplicationCredentialEmail,
-        gcpApplicationCredentialPrivateKey: decryptedGcpKey,
-      },
+    if (!gcpKmsLocationId || !gcpKmsKeyRingId || !gcpApplicationProjectId) {
+      throw new Error(
+        "GCP KMS location ID, project ID, and key ring ID are required configuration for this wallet type",
+      );
+    }
+
+    gcpWalletConfiguration = {
+      gcpApplicationCredentialEmail,
+      gcpApplicationCredentialPrivateKey: decryptedGcpKey,
+
+      // TODO: Remove these with the next breaking change
+      // These are used because import endpoint does not yet support GCP KMS resource path
+      defaultGcpKmsLocationId: gcpKmsLocationId,
+      defaultGcpKmsKeyRingId: gcpKmsKeyRingId,
+      defaultGcpApplicationProjectId: gcpApplicationProjectId,
     };
+
+    legacyWalletType_removeInNextBreakingChange = WalletType.gcpKms;
   }
 
   return {
@@ -156,7 +168,9 @@ const toParsedConfig = async (config: Configuration): Promise<ParsedConfig> => {
       contractSubscriptionsRetryDelaySeconds,
     chainOverridesParsed,
     walletConfiguration: {
-      type: WalletType.local,
+      aws: awsWalletConfiguration,
+      gcp: gcpWalletConfiguration,
+      legacyWalletType_removeInNextBreakingChange,
     },
   };
 };

src/db/wallets/createWalletDetails.ts

@@ -1,5 +1,6 @@
-import { PrismaTransaction } from "../../schema/prisma";
+import type { PrismaTransaction } from "../../schema/prisma";
 import type { WalletType } from "../../schema/wallet";
+import { encrypt } from "../../utils/crypto";
 import { getPrismaWithPostgresTx } from "../client";
 
 // TODO: Case on types by wallet type
@@ -8,13 +9,23 @@ interface CreateWalletDetailsParams {
   address: string;
   type: WalletType;
   label?: string;
-  awsKmsKeyId?: string;
+
+  // AWS KMS
+  awsKmsKeyId?: string; // depcrecated and unused, todo: remove with next breaking change
   awsKmsArn?: string;
-  gcpKmsKeyRingId?: string;
-  gcpKmsKeyId?: string;
-  gcpKmsKeyVersionId?: string;
-  gcpKmsLocationId?: string;
+
+  awsKmsSecretAccessKey?: string; // encrypted
+  awsKmsAccessKeyId?: string;
+
+  // GCP KMS
   gcpKmsResourcePath?: string;
+  gcpKmsKeyRingId?: string; // depcrecated and unused, todo: remove with next breaking change
+  gcpKmsKeyId?: string; // depcrecated and unused, todo: remove with next breaking change
+  gcpKmsKeyVersionId?: string; // depcrecated and unused, todo: remove with next breaking change
+  gcpKmsLocationId?: string; // depcrecated and unused, todo: remove with next breaking change
+
+  gcpApplicationCredentialPrivateKey?: string; // encrypted
+  gcpApplicationCredentialEmail?: string;
 }
 
 export const createWalletDetails = async ({
@@ -39,6 +50,15 @@ export const createWalletDetails = async ({
     data: {
       ...walletDetails,
       address: walletDetails.address.toLowerCase(),
+
+      awsKmsSecretAccessKey: walletDetails.awsKmsSecretAccessKey
+        ? encrypt(walletDetails.awsKmsSecretAccessKey)
+        : undefined,
+
+      gcpApplicationCredentialPrivateKey:
+        walletDetails.gcpApplicationCredentialPrivateKey
+          ? encrypt(walletDetails.gcpApplicationCredentialPrivateKey)
+          : undefined,
     },
   });
 };

src/db/wallets/getWalletDetails.ts

@@ -1,4 +1,4 @@
-import { PrismaTransaction } from "../../schema/prisma";
+import type { PrismaTransaction } from "../../schema/prisma";
 import { getPrismaWithPostgresTx } from "../client";
 
 interface GetWalletDetailsParams {

src/prisma/schema.prisma

@@ -30,15 +30,15 @@ model Configuration {
   contractSubscriptionsRetryDelaySeconds String  @default("10") @map("contractSubscriptionsRetryDelaySeconds")
 
   // AWS
-  awsAccessKeyId                     String?  @map("awsAccessKeyId")
-  awsSecretAccessKey                 String?  @map("awsSecretAccessKey")
-  awsRegion                          String?  @map("awsRegion")
+  awsAccessKeyId                     String?  @map("awsAccessKeyId") // global config, precendence goes to WalletDetails
+  awsSecretAccessKey                 String?  @map("awsSecretAccessKey") // global config, precendence goes to WalletDetails
+  awsRegion                          String?  @map("awsRegion") // // global config, treat as "default", store in WalletDetails.awsKmsArn
   // GCP
-  gcpApplicationProjectId            String?  @map("gcpApplicationProjectId")
-  gcpKmsLocationId                   String?  @map("gcpKmsLocationId")
-  gcpKmsKeyRingId                    String?  @map("gcpKmsKeyRingId")
-  gcpApplicationCredentialEmail      String?  @map("gcpApplicationCredentialEmail")
-  gcpApplicationCredentialPrivateKey String?  @map("gcpApplicationCredentialPrivateKey")
+  gcpApplicationProjectId            String?  @map("gcpApplicationProjectId") // global config, treat as "defult", store in WalletDetails.gcpKmsResourcePath
+  gcpKmsLocationId                   String?  @map("gcpKmsLocationId") // global config, treat as "defult", store in WalletDetails.gcpKmsResourcePath
+  gcpKmsKeyRingId                    String?  @map("gcpKmsKeyRingId") // global config, treat as "defult", store in WalletDetails.gcpKmsResourcePath
+  gcpApplicationCredentialEmail      String?  @map("gcpApplicationCredentialEmail") // global config, precendence goes to WalletDetails
+  gcpApplicationCredentialPrivateKey String?  @map("gcpApplicationCredentialPrivateKey") // global config, precendence goes to WalletDetails
   // Auth
   authDomain                         String   @default("") @map("authDomain") // TODO: Remove defaults on major
   authWalletEncryptedJson            String   @default("") @map("authWalletEncryptedJson") // TODO: Remove defaults on major
@@ -76,20 +76,24 @@ model Tokens {
 }
 
 model WalletDetails {
-  address            String  @id @map("address")
-  type               String  @map("type")
-  label              String? @map("label")
+  address                            String  @id @map("address")
+  type                               String  @map("type")
+  label                              String? @map("label")
   // Local
-  encryptedJson      String? @map("encryptedJson")
+  encryptedJson                      String? @map("encryptedJson")
   // KMS
-  awsKmsKeyId        String? @map("awsKmsKeyId")
-  awsKmsArn          String? @map("awsKmsArn")
+  awsKmsKeyId                        String? @map("awsKmsKeyId") // deprecated and unused, todo: remove with next breaking change. Use awsKmsArn
+  awsKmsArn                          String? @map("awsKmsArn")
+  awsKmsSecretAccessKey              String? @map("awsKmsSecretAccessKey") // if not available, default to: Configuration.awsSecretAccessKey
+  awsKmsAccessKeyId                  String? @map("awsKmsAccessKeyId") // if not available, default to: Configuration.awsAccessKeyId
   // GCP
-  gcpKmsKeyRingId    String? @map("gcpKmsKeyRingId") @db.VarChar(50)
-  gcpKmsKeyId        String? @map("gcpKmsKeyId") @db.VarChar(50)
-  gcpKmsKeyVersionId String? @map("gcpKmsKeyVersionId") @db.VarChar(20)
-  gcpKmsLocationId   String? @map("gcpKmsLocationId") @db.VarChar(20)
-  gcpKmsResourcePath String? @map("gcpKmsResourcePath") @db.Text
+  gcpKmsKeyRingId                    String? @map("gcpKmsKeyRingId") @db.VarChar(50) // deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
+  gcpKmsKeyId                        String? @map("gcpKmsKeyId") @db.VarChar(50) // deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
+  gcpKmsKeyVersionId                 String? @map("gcpKmsKeyVersionId") @db.VarChar(20) // deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
+  gcpKmsLocationId                   String? @map("gcpKmsLocationId") @db.VarChar(20) // deprecated and unused. Use gcpKmsResourcePath instead, todo: remove with next breaking change
+  gcpKmsResourcePath                 String? @map("gcpKmsResourcePath") @db.Text
+  gcpApplicationCredentialEmail      String? @map("gcpApplicationCredentialEmail") // if not available, default to: Configuration.gcpApplicationCredentialEmail
+  gcpApplicationCredentialPrivateKey String? @map("gcpApplicationCredentialPrivateKey") // if not available, default to: Configuration.gcpApplicationCredentialPrivateKey
 
   @@map("wallet_details")
 }

src/schema/config.ts

@@ -1,6 +1,25 @@
-import { Configuration } from "@prisma/client";
-import { Chain } from "thirdweb";
-import { WalletType } from "./wallet";
+import type { Configuration } from "@prisma/client";
+import type { Chain } from "thirdweb";
+import type { WalletType } from "./wallet";
+
+export type AwsWalletConfiguration = {
+  awsAccessKeyId: string;
+  awsSecretAccessKey: string;
+
+  defaultAwsRegion: string;
+};
+
+export type GcpWalletConfiguration = {
+  gcpApplicationCredentialEmail: string;
+  gcpApplicationCredentialPrivateKey: string;
+
+  // these values are used as default so users don't need to specify them every time to the create wallet endpoint
+  // for fetching a wallet, always trust the resource path in the wallet details
+  // only use these values for creating a new wallet, when the resource path is not known
+  defaultGcpKmsLocationId: string;
+  defaultGcpKmsKeyRingId: string;
+  defaultGcpApplicationProjectId: string;
+};
 
 export interface ParsedConfig
   extends Omit<
@@ -15,24 +34,11 @@ export interface ParsedConfig
     | "gcpApplicationCredentialPrivateKey"
     | "contractSubscriptionsRetryDelaySeconds"
   > {
-  walletConfiguration:
-    | {
-        type: WalletType.local;
-      }
-    | {
-        type: WalletType.awsKms;
-        awsAccessKeyId: string;
-        awsSecretAccessKey: string;
-        awsRegion: string;
-      }
-    | {
-        type: WalletType.gcpKms;
-        gcpApplicationProjectId: string;
-        gcpKmsLocationId: string;
-        gcpKmsKeyRingId: string;
-        gcpApplicationCredentialEmail: string;
-        gcpApplicationCredentialPrivateKey: string;
-      };
+  walletConfiguration: {
+    aws: AwsWalletConfiguration | null;
+    gcp: GcpWalletConfiguration | null;
+    legacyWalletType_removeInNextBreakingChange: WalletType;
+  };
   contractSubscriptionsRequeryDelaySeconds: string;
   chainOverridesParsed: Chain[];
 }

src/server/routes/backend-wallet/create.ts

@@ -11,6 +11,12 @@ import { createLocalWallet } from "../../utils/wallets/createLocalWallet";
 
 const requestBodySchema = Type.Object({
   label: Type.Optional(Type.String()),
+  type: Type.Optional(
+    Type.Enum(WalletType, {
+      description:
+        "Optional wallet type. If not provided, the default wallet type will be used.",
+    }),
+  ),
 });
 
 const responseSchema = Type.Object({
@@ -28,7 +34,7 @@ responseSchema.example = {
 };
 
 export const createBackendWallet = async (fastify: FastifyInstance) => {
-  fastify.route<{
+  fastify.withTypeProvider().route<{
     Body: Static<typeof requestBodySchema>;
     Reply: Static<typeof responseSchema>;
   }>({
@@ -50,7 +56,12 @@ export const createBackendWallet = async (fastify: FastifyInstance) => {
 
       let walletAddress: string;
       const config = await getConfig();
-      switch (config.walletConfiguration.type) {
+
+      const walletType =
+        req.body.type ??
+        config.walletConfiguration.legacyWalletType_removeInNextBreakingChange;
+
+      switch (walletType) {
         case WalletType.local:
           walletAddress = await createLocalWallet({ label });
           break;