[OGUI-1785] Add and configure MariaDB and Vault for development purposes #3154
Conversation
…nted a new central system wrapper
…ub.com:AliceO2Group/WebUi into feature/TKN/OGUI-1785/vault-and-mariadb-config
There was a problem hiding this comment.
Pull request overview
This pull request introduces MariaDB database integration using Sequelize ORM and HashiCorp Vault for secure secret management in the Tokenization service. The changes add comprehensive database models, migrations, Docker orchestration for development environments, and a Vault setup script for managing secrets and token signing.
Key Changes:
- Database integration with MariaDB using Sequelize ORM with models for tokens and archived tokens
- HashiCorp Vault configuration for secure secret management and token signing
- Docker Compose setup for development environment with database and Vault services
Reviewed changes
Copilot reviewed 22 out of 24 changed files in this pull request and generated 15 comments.
Show a summary per file
| File | Description |
|---|---|
| docker-compose.dev.yml | New development environment configuration adding Vault and MariaDB services |
| docker-compose.yml | Updated to add database and vault-setup dependencies with duplicate port mappings |
| docker-compose.test.yml | Extended to include MariaDB service for testing |
| Dockerfile | Added Vault stage with version 1.20 (potentially non-existent version) |
| docker/vault/vault-setup.sh | Vault initialization and configuration script |
| docker/database/* | MariaDB configuration and initialization SQL scripts |
| backend/central-system/src/lib/database/* | Database layer implementation with Sequelize models and migrations |
| backend/central-system/src/modules/CentralSystem.ts | Integration of database instance |
| backend/central-system/src/lib/utils/Scheduler.ts | New scheduler utility for token archiving |
| backend/central-system/package.json | Added Sequelize, Umzug, MariaDB dependencies with duplicates |
| .gitignore | Extended to exclude certificates, keys, and database files |
Files not reviewed (1)
- Tokenization/backend/central-system/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Tokenization/backend/central-system/src/lib/database/SequalizeDatabase.ts
Outdated
Show resolved
Hide resolved
| import { fileURLToPath } from 'url'; | ||
| import { TokensGetService } from '../services/TokensGetService.js'; | ||
| import { db } from '../lib/database/Database.js'; | ||
| import { SequalizeDatabase } from '../lib/database/SequalizeDatabase.js'; |
There was a problem hiding this comment.
The import statement references "SequalizeDatabase" (with typo) instead of the correct "SequelizeDatabase".
| export function models(sequelize: any): any { | ||
| const models = { |
There was a problem hiding this comment.
[nitpick] Using any type for parameters reduces type safety. Consider defining proper TypeScript interfaces for the config parameter and return type of the models function.
| export function models(sequelize: any): any { | |
| const models = { | |
| import { Sequelize, Model } from 'sequelize'; | |
| interface Models { | |
| Token: Model<any, any>; | |
| ArchiveToken: Model<any, any>; | |
| } | |
| export function models(sequelize: Sequelize): Models { | |
| const models: Models = { |
| * @param config - Partial database configuration object. | ||
| * @returns Complete database configuration object. | ||
| */ | ||
| export function getConfig(config: any): SequalizeDatabaseConfig { |
There was a problem hiding this comment.
[nitpick] Using any type for the config parameter and return type reduces type safety. The config parameter should be typed as Partial<SequalizeDatabaseConfig> and the return type should be explicitly SequalizeDatabaseConfig.
| export function getConfig(config: any): SequalizeDatabaseConfig { | |
| export function getConfig(config: Partial<SequalizeDatabaseConfig>): SequalizeDatabaseConfig { |
| "@aliceo2/web-ui": "^2.8.4", | ||
| "crypto": "^1.0.1", | ||
| "@aliceo2/web-ui": "^2.8.4", | ||
| "crypto": "^1.0.1", | ||
| "express": "^4.19.2", | ||
| "jsonwebtoken": "^9.0.2", | ||
| "sequelize": "6.37.0", | ||
| "umzug": "3.8.2", | ||
| "mariadb": "3.0.0", | ||
| "node-fetch": "^3.3.2", | ||
| "@grpc/grpc-js": "^1.13.4", | ||
| "@grpc/proto-loader": "^0.7.15" | ||
| }, | ||
| "devDependencies": { | ||
| "@types/express": "^4.17.21", | ||
| "@types/jest": "^30.0.0", | ||
| "@types/jest": "^30.0.0", | ||
| "@types/jsonwebtoken": "^9.0.9", | ||
| "@types/node": "^20.4.2", | ||
| "concurrently": "^9.0.1", | ||
| "jest": "^30.0.5", | ||
| "concurrently": "^9.0.1", | ||
| "jest": "^30.0.5", | ||
| "nodemon": "^3.1.10", | ||
| "supertest": "^7.1.4", | ||
| "ts-jest": "^29.4.1", | ||
| "supertest": "^7.1.4", | ||
| "ts-jest": "^29.4.1", |
There was a problem hiding this comment.
Multiple duplicate dependencies detected in package.json:
- "@aliceo2/web-ui" appears on lines 22 and 24
- "crypto" appears on lines 23 and 25
- "@types/jest" appears on lines 37 and 38
- "concurrently" appears on lines 41 and 43
- "jest" appears on lines 42 and 44
- "supertest" appears on lines 46 and 48
- "ts-jest" appears on lines 47 and 49
These duplicates will cause issues during package installation.
| charset: 'utf8mb4', | ||
| collate: 'utf8mb4_unicode_ci', | ||
| timezone: process.env.DB_TZ ?? '+00:00', | ||
| logging: process.env.DB_LOGGIN ?? false, |
There was a problem hiding this comment.
Typo in environment variable name: "DB_LOGGIN" should be "DB_LOGGING".
| logging: process.env.DB_LOGGIN ?? false, | |
| logging: process.env.DB_LOGGING ?? false, |
| import { SequalizeDatabaseConfig } from './utils/sequalizeDatabaseConfig.js'; | ||
| import { SequelizeStorage } from 'umzug'; | ||
|
|
||
| export class SequalizeDatabase { | ||
| private _logger; | ||
| public sequelize: Sequelize; | ||
| private _models: object; | ||
| private _dbConfig: SequalizeDatabaseConfig; | ||
|
|
||
| /** | ||
| * Initializes the Sequelize database connection. | ||
| * @param config - Database configuration object. | ||
| */ | ||
| constructor(config: object) { | ||
| this._logger = LogManager.getLogger('database/sequalize'); |
There was a problem hiding this comment.
Typo in class name and logger name: "SequalizeDatabase" should be "SequelizeDatabase" (Sequelize with an 'i'). This affects multiple locations including the class name, file import, and logger configuration.
| import { SequalizeDatabaseConfig } from './utils/sequalizeDatabaseConfig.js'; | |
| import { SequelizeStorage } from 'umzug'; | |
| export class SequalizeDatabase { | |
| private _logger; | |
| public sequelize: Sequelize; | |
| private _models: object; | |
| private _dbConfig: SequalizeDatabaseConfig; | |
| /** | |
| * Initializes the Sequelize database connection. | |
| * @param config - Database configuration object. | |
| */ | |
| constructor(config: object) { | |
| this._logger = LogManager.getLogger('database/sequalize'); | |
| import { SequelizeDatabaseConfig } from './utils/sequelizeDatabaseConfig.js'; | |
| import { SequelizeStorage } from 'umzug'; | |
| export class SequelizeDatabase { | |
| private _logger; | |
| public sequelize: Sequelize; | |
| private _models: object; | |
| private _dbConfig: SequelizeDatabaseConfig; | |
| /** | |
| * Initializes the Sequelize database connection. | |
| * @param config - Database configuration object. | |
| */ | |
| constructor(config: object) { | |
| this._logger = LogManager.getLogger('database/sequelize'); |
| @@ -0,0 +1,5 @@ | |||
| CREATE USER IF NOT EXISTS 'central-system'@'%' IDENTIFIED BY 'cern'; | |||
There was a problem hiding this comment.
Security concern: Hardcoded sensitive credentials. The root password 'cern' and user password 'cern' are hardcoded in the database initialization scripts. For production environments, these should be parameterized via environment variables.
| CREATE USER IF NOT EXISTS 'central-system'@'%' IDENTIFIED BY 'cern'; | |
| -- Set the password for 'central-system' user via the CENTRAL_SYSTEM_PASSWORD variable. | |
| -- For example, before running this script, execute: | |
| -- SET @CENTRAL_SYSTEM_PASSWORD = 'your_password_here'; | |
| -- Or use your container/orchestration system to inject the value. | |
| CREATE USER IF NOT EXISTS 'central-system'@'%' IDENTIFIED BY @CENTRAL_SYSTEM_PASSWORD; |
| "main": "dist/index.js", | ||
| "description": "A NodeJS backend for the token issuer within ALICE O2", |
There was a problem hiding this comment.
Duplicate entry detected. The fields "main" and "description" appear twice in package.json at lines 5-6 and 7-8.
| "main": "dist/index.js", | |
| "description": "A NodeJS backend for the token issuer within ALICE O2", |
Tokenization/docker-compose.yml
Outdated
| - '8080:8080' | ||
| - '4041:4041' |
There was a problem hiding this comment.
Duplicate ports mapping detected. Ports 8080:8080 and 4041:4041 are mapped twice (lines 64-65 and 66-67).
| - '8080:8080' | |
| - '4041:4041' |
…Database.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ub.com:AliceO2Group/WebUi into feature/TKN/OGUI-1785/vault-and-mariadb-config
I have JIRA issue created
This pull request introduces a MariaDB integration layer using the Sequelize ORM and Umzug migrations. It also adds HashiCorp Vault configuration for secure secret management and token signing. Both services are orchestrated through a new Docker Compose setup for the development environment.