[DB-21] added variable fetching flow and awsSecretsManagerProvider

package.json

@@ -254,6 +254,7 @@
     "rimraf": "^3.0.2",
     "sass": "^1.42.1",
     "sass-loader": "^12.2.0",
+    "source-map-support": "^0.5.21",
     "style-loader": "^3.3.0",
     "terser-webpack-plugin": "^5.2.4",
     "ts-loader": "^9.2.6",
@@ -263,10 +264,10 @@
     "webpack-bundle-analyzer": "^4.5.0",
     "webpack-cli": "^4.9.0",
     "webpack-dev-server": "^4.3.1",
-    "webpack-merge": "^5.8.0",
-    "source-map-support": "^0.5.21"
+    "webpack-merge": "^5.8.0"
   },
   "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.969.0",
     "@devicefarmer/adbkit": "^3.2.6",
     "@electron/remote": "^2.1.2",
     "@requestly/requestly-core": "1.1.1",

src/lib/secretsManager/providerService/AbstractSecretProvider.ts

@@ -1,27 +1,98 @@
-import { CachedSecret, ProviderSpecificConfig, SecretProviderType, SecretReference } from "../types";
+import {
+  ProviderSpecificConfig,
+  SecretProviderType,
+  SecretReference,
+  SecretValue,
+} from "../types";
+
+const DEFAULT_CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour
+const DEFAULT_MAX_CACHE_SIZE = 100;
 
 export abstract class AbstractSecretProvider {
-  protected cache: Map<string, CachedSecret> = new Map();
+  protected cache: Map<string, SecretValue> = new Map();
+
+  /** Cache TTL in milliseconds. Subclasses can override. */
+  protected cacheTtlMs: number = DEFAULT_CACHE_TTL_MS;
+
+  /** Maximum cache size (Size of the map). Subclasses can override. */
+  protected maxCacheSize: number = DEFAULT_MAX_CACHE_SIZE;
 
   abstract readonly type: SecretProviderType;
 
   abstract readonly id: string;
 
-  protected config: ProviderSpecificConfig;
+  protected abstract config: ProviderSpecificConfig;
 
-  protected abstract getSecretIdentfier(ref: SecretReference): string;
+  protected abstract getCacheKey(_ref: SecretReference): string;
 
   abstract testConnection(): Promise<boolean>;
 
-  abstract getSecret(ref: SecretReference): Promise<string>;
+  abstract getSecret(_ref: SecretReference): Promise<SecretValue | null>;
 
-  abstract getSecrets(): Promise<string[]>;
+  abstract getSecrets(
+    _refs: SecretReference[]
+  ): Promise<(SecretValue | null)[]>;
 
   abstract setSecret(): Promise<void>;
 
   abstract setSecrets(): Promise<void>;
 
+  abstract removeSecret(): Promise<void>;
+
+  abstract removeSecrets(): Promise<void>;
+
+  protected invalidateCache(): void {
+    this.cache.clear();
+  }
+
+  protected getCachedSecret(key: string): SecretValue | null {
+    const cached = this.cache.get(key);
+    if (cached && cached.fetchedAt + this.cacheTtlMs > Date.now()) {
+      return cached;
+    }
+    return null;
+  }
+
+  protected setCacheEntry(key: string, value: SecretValue): void {
+    if (this.maxCacheSize <= 0) {
+      return;
+    }
+
+    this.evictExpiredEntries();
+
+    while (this.cache.size >= this.maxCacheSize) {
+      const oldestKey = this.cache.keys().next().value;
+      if (!oldestKey) {
+        break;
+      }
+      this.cache.delete(oldestKey);
+    }
+
+    this.cache.set(key, value);
+  }
+
+  protected evictExpiredEntries(): void {
+    const now = Date.now();
+    const keysToDelete: string[] = [];
+
+    this.cache.forEach((value, key) => {
+      if (value.fetchedAt + this.cacheTtlMs <= now) {
+        keysToDelete.push(key);
+      }
+    });
+
+    keysToDelete.forEach((key) => this.cache.delete(key));
+  }
+
+  abstract refreshSecrets(): Promise<(SecretValue | null)[]>;
+
   static validateConfig(config: any): boolean {
-    throw new Error("Not implemented");
+    // Base implementation rejects all configs as a fail-safe.
+    // Provider implementations must override with specific validation.
+    if (!config) {
+      return false;
+    }
+
+    return false;
   }
 }

src/lib/secretsManager/providerService/awsSecretManagerProvider.ts

@@ -1,4 +1,156 @@
-/* eslint-disable class-methods-use-this */
+import {
+  AwsSecretReference,
+  AWSSecretsManagerConfig,
+  AwsSecretValue,
+  SecretProviderConfig,
+  SecretProviderType,
+} from "../types";
 import { AbstractSecretProvider } from "./AbstractSecretProvider";
+import {
+  GetSecretValueCommand,
+  ListSecretsCommand,
+  SecretsManagerClient,
+} from "@aws-sdk/client-secrets-manager";
 
-export class AWSSecretsManagerProvider extends AbstractSecretProvider {}
+export class AWSSecretsManagerProvider extends AbstractSecretProvider {
+  readonly type = SecretProviderType.AWS_SECRETS_MANAGER;
+
+  readonly id: string;
+
+  protected config: AWSSecretsManagerConfig;
+
+  private client: SecretsManagerClient;
+
+  constructor(providerConfig: SecretProviderConfig) {
+    super();
+    this.id = providerConfig.id;
+    this.config = providerConfig.config as AWSSecretsManagerConfig;
+    this.client = new SecretsManagerClient({
+      region: this.config.region,
+      credentials: {
+        accessKeyId: this.config.accessKeyId,
+        secretAccessKey: this.config.secretAccessKey,
+        sessionToken: this.config.sessionToken,
+      },
+    });
+  }
+
+  protected getCacheKey(ref: AwsSecretReference): string {
+    return `name:${ref.identifier};version:${ref.version ?? "latest"}`;
+  }
+
+  async testConnection(): Promise<boolean> {
+    if (!AWSSecretsManagerProvider.validateConfig(this.config)) {
+      return false;
+    }
+
+    try {
+      const listSecretsCommand = new ListSecretsCommand({ MaxResults: 1 });
+      const res = await this.client.send(listSecretsCommand);
+      console.log("!!!debug", "aws result", res);
+
+      if (res.$metadata.httpStatusCode !== 200) {
+        return false;
+      }
+
+      return true;
+    } catch (err) {
+      console.error(
+        "!!!debug",
+        "aws secrets manager test connection error",
+        err
+      );
+      return false;
+    }
+  }
+
+  async getSecret(ref: AwsSecretReference): Promise<AwsSecretValue | null> {
+    if (!this.client) {
+      throw new Error("AWS Secrets Manager client is not initialized.");
+    }
+
+    const cacheKey = this.getCacheKey(ref);
+    const cachedSecret = this.getCachedSecret(cacheKey) as AwsSecretValue | null;
+
+    if (cachedSecret) {
+      console.log("!!!debug", "returning from cache", cachedSecret);
+      return cachedSecret;
+    }
+
+    const getSecretCommand = new GetSecretValueCommand({
+      SecretId: ref.identifier,
+      VersionId: ref.version,
+    });
+
+    const secretResponse = await this.client.send(getSecretCommand);
+
+    if (secretResponse.$metadata.httpStatusCode !== 200) {
+      console.error("!!!debug", "Failed to fetch secret", secretResponse);
+      return null;
+    }
+
+    if (!secretResponse.SecretString) {
+      console.error("!!!debug", "SecretString is empty", secretResponse);
+      return null;
+    }
+
+    const awsSecret: AwsSecretValue = {
+      providerId: this.id,
+      secretReference: ref,
+      fetchedAt: Date.now(),
+      name: secretResponse.Name,
+      value: secretResponse.SecretString,
+      ARN: secretResponse.ARN,
+      versionId: secretResponse.VersionId,
+    };
+
+    console.log("!!!debug", "returning after fetching", awsSecret);
+
+    this.setCacheEntry(cacheKey, awsSecret);
+
+    return awsSecret;
+  }
+
+  async getSecrets(
+    refs: AwsSecretReference[]
+  ): Promise<(AwsSecretValue | null)[]> {
+    if (!this.client) {
+      throw new Error("AWS Secrets Manager client is not initialized.");
+    }
+
+    // Not using BatchGetSecretValueCommand as it would require additional permissions
+    return Promise.all(refs.map((ref) => this.getSecret(ref)));
+  }
+
+  async setSecret(): Promise<void> {
+    throw new Error("Method not implemented.");
+  }
+
+  async setSecrets(): Promise<void> {
+    throw new Error("Method not implemented.");
+  }
+
+  async removeSecret(): Promise<void> {
+    throw new Error("Method not implemented.");
+  }
+
+  async removeSecrets(): Promise<void> {
+    throw new Error("Method not implemented.");
+  }
+
+  async refreshSecrets(): Promise<(AwsSecretValue | null)[]> {
+    const allSecretRefs = Array.from(this.cache.values()).map(
+      (secret) => secret.secretReference
+    );
+
+    this.invalidateCache();
+
+    return this.getSecrets(allSecretRefs);
+  }
+
+  static validateConfig(config: AWSSecretsManagerConfig): boolean {
+    return Boolean(
+      config.accessKeyId && config.secretAccessKey && config.region
+    );
+  }
+}