fix: add try-catch block to authentication manager#336
Merged
blefebvre
approved these changes
Aug 19, 2024
Contributor
blefebvre
left a comment
Minor item with the log statement.
Is an additional test case needed to hit the catch block?
| this.log(`No API key entity found in the data layer for the provided API key: ${apiKeyFromHeader}`, 'error'); | ||
| return null; | ||
| } | ||
| this.log(`API Key entity: ${apiKeyEntity}`, 'debug'); |
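Review bot: the first `this.log` line interpolates `${apiKeyFromHeader}` into an error-level message, so the caller's raw API key lands in the log store and is readable by anyone with log access; log a non-reversible form instead (a short hash or only the first few characters) and keep the "no entity found" wording. On the last line, `${apiKeyEntity}` inside a template literal renders as `[object Object]` unless the value is serialized; if the debug line stays, log the specific identifying fields you need rather than `JSON.stringify` of the whole entity, since a full entity dump can carry more than you want in logs.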
Contributor
Should this object be stringified?
Contributor
Author
Removing these logs as we might not need them anymore.
This PR will trigger a patch release when merged.
…nager.js Co-authored-by: Bruce Lefebvre <blefebvr@adobe.com>
Contributor
Author
Yes. Added the additional test case to fix the test errors.
adobe-bot
pushed a commit
that referenced
this pull request
Aug 19, 2024
# [@adobe/spacecat-shared-http-utils-v1.6.7](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-http-utils-v1.6.6...@adobe/spacecat-shared-http-utils-v1.6.7) (2024-08-19)

### Bug Fixes

* add try-catch block to authentication manager ([#336](#336)) ([a6cf629](a6cf629))

🎉 This issue has been resolved in version @adobe/spacecat-shared-http-utils-v1.6.7 🎉 The release is available on: Your semantic-release bot 📦🚀
solaris007
added a commit
that referenced
this pull request
Feb 19, 2026
…#1364)

## Why

SpaceCat Lambda functions currently use `@adobe/helix-shared-secrets` to load secrets from AWS Secrets Manager. This couples secret management to AWS administrative access - CAMP's 3 immutable roles (admin, power user, read only) don't allow creating a restricted Secrets Manager-only role, so anyone with AWS admin access can read all secrets.

Following the S3 credentials leak incident (MSI0001036), moving secrets to HashiCorp Vault was identified as remediation track #6: Vault provides a separate auth boundary with granular ACLs, audit trail, and short-lived credentials, fully de-coupled from AWS access.

This package enables the migration - services switch from `helixSecrets` to `vaultSecrets` in their middleware chain with no other code changes.

## What

Adds `@adobe/spacecat-shared-vault-secrets` - a drop-in replacement for `@adobe/helix-shared-secrets` that loads secrets from Vault instead of AWS Secrets Manager. Same `.with()` middleware interface, same caching strategy, different backend.

1. On cold start, reads bootstrap config from AWS Secrets Manager at `/mysticat/bootstrap/{service-name}` (auto-resolved from `ctx.func.name`) to get per-service Vault AppRole credentials
2. Authenticates to Vault via AppRole (role_id + secret_id)
3. Reads secrets from `dx_mysticat/{environment}/{service-name}` (KV V2)
4. Merges into `context.env` and `process.env`
5. Two-tier caching: 60s metadata check, 1h hard expiration

**Per-service credential isolation:** Each service gets its own AppRole, its own policy, and its own bootstrap secret. A compromised service credential can only read that service's secrets.

**HTTP call budget:** Cold start = 3 calls (AWS SM + AppRole login + secret read). Warm invocation within 60s = 0 calls. Past 60s = 1 call (metadata). Secret rotation = 2 calls (metadata + read).

### Files

| File | Purpose |
|------|---------|
| `src/vault-client.js` | Vault HTTP client with private class fields (AppRole login, KV V2 read, metadata, token renewal) |
| `src/bootstrap.js` | AWS Secrets Manager bootstrap loader (aws4-signed, no SDK dependency) |
| `src/vault-secrets-wrapper.js` | Middleware wrapper (two-tier caching, path resolution, concurrency lock, env merge) |
| `src/index.js` / `src/index.d.ts` | Exports and TypeScript declarations |

### Usage

```js
import wrap from '@adobe/helix-shared-wrap';
import vaultSecrets from '@adobe/spacecat-shared-vault-secrets';

// Zero-config: bootstrapPath and Vault path both auto-resolve from ctx.func.name
export const main = wrap(run)
  .with(vaultSecrets)
  .with(helixStatus);
```

### Prerequisites

Each service in each AWS account (dev/stage/prod) needs:

1. **Per-service AppRole** in Vault - provisioned via `cst-vault/vault_policies` PRs (done)
2. **Per-service bootstrap secret** in AWS Secrets Manager at `/mysticat/bootstrap/{service-name}`:

   ```json
   {
     "role_id": "<service-specific-approle-role-id>",
     "secret_id": "<service-specific-secret-id>",
     "vault_addr": "https://vault-amer.adobe.net",
     "mount_point": "dx_mysticat",
     "environment": "dev"
   }
   ```

3. **VPC configuration** - Lambda must run in the SpaceCat VPC (private subnets with NAT gateway). Vault rejects AppRole login from non-Adobe IPs with HTTP 403.
4. **IAM permissions** - Lambda role needs `secretsmanager:GetSecretValue` on `/mysticat/bootstrap/*`. Three IAM policies updated in spacecat-infrastructure PR #336.

See the [package README](packages/spacecat-shared-vault-secrets/README.md) for full setup details, secret-id rotation procedure, and error reference.

## Test plan

- [x] 54 unit tests passing (including 3 new bootstrapPath auto-resolution tests)
- [x] 100% statement/function/line coverage
- [x] Two rounds of crew review (security, architecture, code quality) - all must-fix items addressed
- [x] Lint clean
- [x] E2E validated on real Lambda (SM bootstrap -> AppRole auth -> Vault KV read)
- [x] CI passes
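The two-tier cache and HTTP call budget described in the commit message above, as an added example that is not the package's own code: the backend (standing in for AWS Secrets Manager and Vault), the fake clock and the secret values are constructed stand-ins, and token renewal is not modeled.

```javascript
// Added illustration (not the package's code): two-tier secret cache with a fake backend and clock.
const METADATA_TTL_MS = 60 * 1000;      // 60s: re-check KV V2 metadata before trusting the cache
const HARD_EXPIRY_MS = 60 * 60 * 1000;  // 1h: unconditional reload
// Hypothetical backend standing in for AWS Secrets Manager + Vault; every call is counted.
function makeFakeBackend() {
  const state = { calls: 0, version: 1, data: { API_KEY: 'constructed-v1' } };
  const count = (fn) => async () => { state.calls += 1; return fn(); };
  return { state,
    loadBootstrap: count(() => ({ role_id: 'fake-role', secret_id: 'fake-secret' })),
    appRoleLogin: count(() => 'hvs.fake-token'),
    readMetadata: count(() => ({ current_version: state.version })),
    readSecret: count(() => ({ version: state.version, data: { ...state.data } })),
  };
}
function createVaultSecrets(backend, now = () => Date.now()) {
  let cache = null;    // { data, version, loadedAt, checkedAt }
  let inflight = null; // concurrency lock: concurrent callers share one reload
  async function reload() {
    // cold start only: bootstrap credentials + AppRole login (token renewal not modeled)
    if (!cache) { await backend.loadBootstrap(); await backend.appRoleLogin(); }
    const { version, data } = await backend.readSecret();
    cache = { data, version, loadedAt: now(), checkedAt: now() };
    return data;
  }
  async function load() {
    const t = now();
    if (cache && t - cache.loadedAt < HARD_EXPIRY_MS) {
      if (t - cache.checkedAt < METADATA_TTL_MS) return cache.data;  // warm: 0 calls
      const meta = await backend.readMetadata();                       // past 60s: 1 call
      cache.checkedAt = t;
      if (meta.current_version === cache.version) return cache.data;   // unchanged: keep cache
    }
    if (!inflight) inflight = reload().finally(() => { inflight = null; });
    return inflight;                                                   // rotated or expired: +1 read
  }
  return { load };
}
// Walks the stated budget: cold 3, warm 0, past 60s 1 (metadata), rotation 2 (metadata + read).
async function runScenario() {
  const backend = makeFakeBackend();
  let t = 0;
  const secrets = createVaultSecrets(backend, () => t);
  // advance the fake clock by ms, call load(), and return how many backend calls that made
  const step = async (ms) => { t += ms; const b = backend.state.calls; await secrets.load(); return backend.state.calls - b; };
  const counts = [await step(0), await step(10_000), await step(60_000)];
  backend.state.version += 1;                         // simulate a rotation in Vault
  backend.state.data = { API_KEY: 'constructed-v2' };
  counts.push(await step(60_000));
  return { counts, apiKey: (await secrets.load()).API_KEY };
}
```

`runScenario()` resolves to `{ counts: [3, 0, 1, 2], apiKey: 'constructed-v2' }`, matching the budget stated in the commit message and showing that the rotated value is picked up on the metadata mismatch.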
Related Issues
Add try-catch block to authentication-manager to try and figure out the issue with ScopedApiKeyHandler