mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

feat(#353): Create VaultService NestJS module for OpenBao Transit
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source 
Implements secure credential encryption using OpenBao Transit API with
automatic fallback to AES-256-GCM when OpenBao is unavailable.

Features:
- AppRole authentication with automatic token renewal at 50% TTL
- Transit encrypt/decrypt with 4 named keys
- Automatic fallback to CryptoService when OpenBao unavailable
- Auto-detection of ciphertext format (vault:v1: vs AES)
- Request timeout protection (5s default)
- Health indicator for monitoring
- Backward compatible with existing AES-encrypted data

Security:
- ERROR-level logging for fallback
- Proper error propagation (no silent failures)
- Request timeouts prevent hung operations
- Secure credential file reading

Migrations:
- Account encryption middleware uses VaultService
- Uses TransitKey.ACCOUNT_TOKENS for OAuth tokens
- Backward compatible with existing encrypted data

Tests: 56 tests passing (36 VaultService + 20 middleware)

Closes #353

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-07 16:13:05 -06:00
parent d4d1e59885
commit dd171b287f
11 changed files with 1431 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
apps/api/src/prisma/prisma.service.spec.ts
View File

@@ -2,6 +2,7 @@ import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { ConfigService } from "@nestjs/config";
import { PrismaService } from "./prisma.service";
import { VaultService } from "../vault/vault.service";
import { CryptoService } from "../federation/crypto.service";
describe("PrismaService", () => {
@@ -12,11 +13,13 @@ describe("PrismaService", () => {
// Mock ConfigService with a valid test encryption key
mockConfigService = {
get: vi.fn((key: string) => {
if (key === "ENCRYPTION_KEY") {
// Valid 64-character hex string (32 bytes)
return "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
}
return null;
const config: Record<string, string> = {
ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
OPENBAO_ADDR: "http://localhost:8200",
OPENBAO_ROLE_ID: "test-role-id",
OPENBAO_SECRET_ID: "test-secret-id",
};
return config[key] || null;
}),
};
@@ -27,6 +30,7 @@ describe("PrismaService", () => {
provide: ConfigService,
useValue: mockConfigService,
},
VaultService,
CryptoService,
],
}).compile();