api-beep-onboarding/lib/oci-vault.js

Oracle OCI FaaS for Api Beep Onboarding library

/**
 *
 * BeePay 2.023-2.024 - Oracle OCI FaaS for Api Beep Onboarding
 *                      Read secret from OCI vault
 *
 * Changes:
 *    jlugo: 2024-jan-08. File creation
 *    jlugo: 2024-apr-25. Moved to a library
 */

/* RGVzYXJyb2xsYWRvIHBvciBKb25hdGhhbiBMdWdv */
import { Buffer } from "node:buffer";
import { Region, ResourcePrincipalAuthenticationDetailsProvider } from "oci-common";
import { SecretsClient } from "oci-secrets";

/**
 * Read a secret bundled from OCI Vault by OCID

 * @param {String} ocidSecret - Oracle Cloud ID for requested services
 * @param {Object} debug - node.js console object
 * @returns {Promise<{String}>} - Secret bundled decode from base64
 *
 */
export async function getVaultSecretAsync(ocidSecret, debug) {

   let secret = null;

   // Call to Regions.values() without having contacted IMDS (Instance Metadata Service, only available on
   // OCI instances); if you do need the region from IMDS, call Region.enableInstanceMetadata() 
   // before calling Region.values()
   await Region.enableInstanceMetadata();

   const authProvider = ResourcePrincipalAuthenticationDetailsProvider.builder();
   const client = new SecretsClient({ authenticationDetailsProvider: authProvider });
   client.region = Region.US_ASHBURN_1;

   try {

      const response = await client.getSecretBundle({ secretId: ocidSecret });
      if (response.secretBundle?.secretBundleContent?.content?.length === 0) {
         return null;
      }

      // Decode secret from base64
      const s = Buffer.from(response.secretBundle.secretBundleContent.content, response.secretBundle.secretBundleContent.contentType).
                       toString();

      return s ? JSON.parse(s) : null;
   }
   catch (ex) {
      debug?.log(`OCIERR-SV01: ${ex.message}`);
   }

   return secret;
}