feat: team.getIntegrations() function (#281)

## What does this PR do? - Replaces `team.getBopsSubmissionURL()` for the more generic `team.getIntegrations()` - Handles decryption of secrets from db to plaintext for use in `planx-new` - Implemented in theopensystemslab/planx-new#2703
theopensystemslab · Jan 29, 2024 · 02c3999 · 02c3999
1 parent 1c88948
commit 02c3999
Show file tree

Hide file tree

Showing 6 changed files with 124 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -14,6 +14,7 @@ The package is structured by functional responsibility. Here is a summary of wha
     ├── exports   # data processing functions to convert application data into third-party data formats
     ├── templates # data processing functions to convert application data into various document formats
     └── types     # a set of Typescript types for the exported functions and structures of this package
+    └── utils     # utility functions
 
 ## Conventions
 

diff --git a/src/index.ts b/src/index.ts
@@ -2,3 +2,4 @@ export * from "./export";
 export * from "./models";
 export * from "./requests";
 export * from "./templates";
+export * from "./utils";
diff --git a/src/requests/team.ts b/src/requests/team.ts
@@ -3,6 +3,7 @@ import { gql } from "graphql-request";
 
 import { TeamRole } from "../types/roles";
 import { Team, TeamTheme } from "../types/team";
+import { decrypt } from "../utils/encryption";
 
 interface UpsertMember {
   userId: number;
@@ -65,11 +66,12 @@ export class TeamClient {
     return getBySlug(this.client, slug);
   }
 
-  async getBopsSubmissionURL(
-    slug: string,
-    env: PlanXEnv,
-  ): Promise<string | null> {
-    return getBopsSubmissionURL(this.client, slug, env);
+  async getIntegrations(args: {
+    slug: string;
+    env: PlanXEnv;
+    encryptionKey: string;
+  }): Promise<DecryptedIntegrations> {
+    return getIntegrations({ client: this.client, ...args });
   }
 
   async updateTheme(
@@ -271,34 +273,55 @@ async function getBySlug(client: GraphQLClient, slug: string) {
   return response.teams[0];
 }
 
-interface GetBopsSubmissionURL {
+interface GetEncryptedIntegrations {
   teams: {
     integrations: {
       bopsSubmissionURL: string | null;
+      bopsSecret: string | null;
     } | null;
   }[];
 }
 
-async function getBopsSubmissionURL(
-  client: GraphQLClient,
-  slug: string,
-  env: PlanXEnv,
-) {
+interface DecryptedIntegrations {
+  bopsSubmissionURL?: string;
+  bopsToken?: string;
+}
+
+/**
+ * Return integration details for a team
+ *
+ * XXX: Why do we need env? Why are there columns for staging and production secrets?
+ * Please see https://github.com/theopensystemslab/planx-new/pull/2499
+ * @returns Integration details, decrypted
+ */
+async function getIntegrations({
+  client,
+  slug,
+  env,
+  encryptionKey,
+}: {
+  client: GraphQLClient;
+  slug: string;
+  env: PlanXEnv;
+  encryptionKey: string;
+}): Promise<DecryptedIntegrations> {
   const stagingQuery = gql`
-    query GetStagingBopsSubmissionURL($slug: String!) {
+    query GetStagingIntegrations($slug: String!) {
       teams(where: { slug: { _eq: $slug } }) {
         integrations {
           bopsSubmissionURL: staging_bops_submission_url
+          bopsSecret: staging_bops_secret
         }
       }
     }
   `;
 
   const productionQuery = gql`
-    query GetProductionBopsSubmissionURL($slug: String!) {
+    query GetProductionIntegrations($slug: String!) {
       teams(where: { slug: { _eq: $slug } }) {
         integrations {
           bopsSubmissionURL: production_bops_submission_url
+          bopsSecret: production_bops_secret
         }
       }
     }
@@ -308,9 +331,18 @@ async function getBopsSubmissionURL(
 
   const {
     teams: [team],
-  } = await client.request<GetBopsSubmissionURL>(query, { slug });
+  } = await client.request<GetEncryptedIntegrations>(query, { slug });
+
+  if (!team) throw Error(`No team matching "${slug}" found.`);
+  if (!team.integrations)
+    throw Error(`Integrations not set up for team "${slug}".`);
+
+  const decryptedIntegrations: DecryptedIntegrations = {
+    bopsSubmissionURL: team.integrations.bopsSubmissionURL ?? undefined,
+    bopsToken: decrypt(team.integrations.bopsSecret, encryptionKey),
+  };
 
-  return team?.integrations?.bopsSubmissionURL ?? null;
+  return decryptedIntegrations;
 }
 
 async function updateTheme(

diff --git a/src/utils/encryption.test.ts b/src/utils/encryption.test.ts
@@ -0,0 +1,30 @@
+import { decrypt, encrypt } from "./encryption";
+
+const key = "mySecretKey".padEnd(32, "0");
+
+describe("encrypt function", () => {
+  it("should correctly encrypt a secret", () => {
+    const originalSecret = "sensitiveInformation";
+
+    const encrypted = encrypt(originalSecret, key);
+    expect(encrypted).toMatch(/:/);
+
+    const decryptedResult = decrypt(encrypted, key);
+    expect(decryptedResult).toBe(originalSecret);
+  });
+});
+
+describe("decrypt function", () => {
+  it("should return undefined when secret is null", () => {
+    const result = decrypt(null, "someKey");
+    expect(result).toBeUndefined();
+  });
+
+  it("should correctly decrypt a valid secret", () => {
+    const originalSecret = "sensitiveInformation";
+    const encryptedSecret = encrypt(originalSecret, key);
+
+    const result = decrypt(encryptedSecret, key);
+    expect(result).toBe(originalSecret);
+  });
+});
diff --git a/src/utils/encryption.ts b/src/utils/encryption.ts
@@ -0,0 +1,44 @@
+import * as crypto from "crypto";
+
+/**
+ * Encrypts a secret using AES-256-CBC encryption
+ *
+ * @param secret - The secret to be encrypted
+ * @param key - The encryption key - a 32-byte string
+ * @returns The encrypted secret along with the initialization vector (IV), separated by a colon
+ */
+export function encrypt(secret: string, key: string): string {
+  const keyBuffer = Buffer.from(key);
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv("AES-256-CBC", keyBuffer, iv);
+  let encrypted = cipher.update(secret, "utf-8", "hex");
+  encrypted += cipher.final("hex");
+  const ivString = iv.toString("hex");
+
+  return `${encrypted}:${ivString}`;
+}
+
+/**
+ * Decrypts a secret that was encrypted using AES-256-CBC encryption
+ *
+ * @param secret - The secret to be decrypted. If null, returns undefined.
+ * @param key - The encryption key - a 32-byte string
+ * @returns The decrypted secret
+ */
+export function decrypt(
+  secret: string | null,
+  key: string,
+): string | undefined {
+  if (!secret) return undefined;
+
+  const [encryptedToken, iv] = secret.split(":");
+  const decipher = crypto.createDecipheriv(
+    "AES-256-CBC",
+    Buffer.from(key, "utf-8"),
+    Buffer.from(iv, "hex"),
+  );
+  let decryptedToken = decipher.update(encryptedToken, "hex", "utf-8");
+  decryptedToken += decipher.final("utf-8");
+
+  return decryptedToken;
+}
diff --git a/src/utils/index.ts b/src/utils/index.ts
@@ -0,0 +1 @@
+export * from "./encryption";