[OGUI-1844] Implementation of database service-controller structure and seeding creations #3245
base: dev
…dy for injecting queries for endpoints
Fixed review comments:
- Tokenization/backend/central-system/src/lib/database/utils/expireToken.ts (4 comments)
- Tokenization/backend/central-system/src/services/VaultCreateKeyService.ts
- Tokenization/backend/central-system/tests/DatabaseTests/DatabaseIntegration.spec.ts
Pull request overview
This PR implements a comprehensive database and Vault infrastructure for the Tokenization service, including seeding, migrations, integration tests, and CI/CD updates.
Purpose: Establish database service-controller structure with automated seeding for both Vault and the database, along with integration tests to verify seeded data.
Key Changes:
- Database infrastructure with Sequelize ORM, migrations, and seeders
- Vault integration with certificate-based authentication and key management
- Comprehensive test suite including unit and integration tests
- Docker Compose orchestration for local development and testing
Reviewed changes
Copilot reviewed 68 out of 74 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| scripts/actions-certificates-creation.sh | Generates test certificates for Vault and clients |
| docker/vault/vault-setup.sh | Initializes and configures Vault with policies and secrets |
| docker/database/populate/*.sql | Database and user creation scripts |
| docker-compose*.yml | Updated service orchestration with Vault and database dependencies |
| backend/central-system/src/lib/database/* | Database models, migrations, seeders, and Sequelize configuration |
| backend/central-system/src/controllers/VaultController.ts | Vault operations controller with event bus integration |
| backend/central-system/src/services/Vault*.ts | Vault service implementations (auth, sign, encrypt, credentials) |
| backend/central-system/tests/**/*Integration.spec.ts | Integration tests for Vault and database |
| .github/workflows/tokenization.yml | Updated CI pipeline with certificate generation and extended tests |
Files not reviewed (2)
- Tokenization/backend/central-system/package-lock.json: Language not supported
- Tokenization/package-lock.json: Language not supported
| @@ -0,0 +1,135 @@ | |||
| #!/usr/bin/env bash | |||
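Review bot: the new script opens with only the shebang; put `set -euo pipefail` directly under it so that a failing command aborts the run instead of letting the later provisioning steps continue on partial state, and add a header comment naming the script's purpose and the environment variables it expects.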
Copilot (AI), Dec 18, 2025:
The title in the PR metadata contains a typo: "[OGUI-1844}" should use a closing bracket "]" instead of a closing brace "}".
| ).rejects.toThrow('error'); | ||
| }); | ||
|
|
||
| it('renew() connects with proper token and reutrns renwed token', async () => { |
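Review bot: `.rejects.toThrow('error')` matches any thrown error whose message merely contains the substring 'error', so the test at these lines cannot tell a token-renewal failure from an unrelated exception; assert on the specific error class or full message the service throws. The test name on the last line also has typos: 'reutrns renwed' should read 'returns renewed'.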
Copilot (AI), Dec 18, 2025:
There's a typo in the comment. "reutrns" should be "returns".
| import {importSPKI, CompactEncrypt } from 'jose'; | ||
|
|
||
|
|
||
| /** * @description Encrypts data using a provided public key with RSA-OAEP-256 and A256GCM. |
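Review bot: the JSDoc opener `/**` and its first `* @description` line have been merged onto one line, which is what the formatting remark below is reacting to; put `/**` on its own line. While touching it, document the key format this function expects: `importSPKI` from `jose` takes a PEM-encoded SPKI public key plus the algorithm name (`'RSA-OAEP-256'` here), so a caller that passes a PKCS#1 or certificate PEM gets an import error rather than ciphertext. Also normalize the import spacing to `import { importSPKI, CompactEncrypt } from 'jose';`.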
Copilot (AI), Dec 18, 2025:
The comment has inconsistent spacing. There's an extra space between "/" and the actual comment text. Should be formatted as "/ * @description..." without the extra space.
|
|
||
| /** | ||
| * @description Registers the event handlers for vault-related operations. | ||
| * This method sets up handlers for signing tokens, logging in, renewing tokens, encyption, |
Copilot (AI), Dec 18, 2025:
Typo in comment: "encyption" should be "encryption".
| * This method sets up handlers for signing tokens, logging in, renewing tokens, encyption, | |
| * This method sets up handlers for signing tokens, logging in, renewing tokens, encryption, |
| * or submit itself to any jurisdiction. | ||
| */ | ||
|
|
||
| import { log } from 'console'; |
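Review bot: `import { log } from 'console'` sidesteps the project's own logging (elsewhere in this PR loggers are obtained with `LogManager.getLogger(...)`), so anything written through it bypasses the configured levels and formatting; if the import is actually used, replace it with a LogManager logger, otherwise delete it as the comment below notes.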
Copilot (AI), Dec 18, 2025:
Unused import log.
| import { log } from 'console'; |
|
|
||
| type Method = 'GET' | 'POST' | 'PUT' | 'DELETE' | string; | ||
|
|
||
| const logger = LogManager.getLogger('database/utils/expireToken'); |
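Review bot: `type Method = 'GET' | 'POST' | 'PUT' | 'DELETE' | string;` collapses to plain `string`, because a union with `string` absorbs the literal members, so the alias gives no checking at call sites; drop `| string` unless arbitrary methods are genuinely required. The `logger` declared on the last line is unused, as noted below; either use it on the error path or remove it.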
Copilot (AI), Dec 18, 2025:
Unused variable logger.
| body: Buffer | string | NodeJS.ReadableStream | null | ||
| ): Promise<void> { | ||
| try { | ||
| const resp = await axios.post(url, body, { |
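Review bot: `resp` is assigned but never read and the function is declared `Promise<void>`, so the outcome of the token-expiry POST is never surfaced; either check `resp.status` and log or return the result, or drop the assignment. Since the call sits inside a `try`, make sure the matching `catch` rethrows or logs at error level: a silently swallowed failure leaves a token the caller believes has been expired still valid.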
Copilot (AI), Dec 18, 2025:
Unused variable resp.
| import { db } from '../../dist/lib/database/Database.js'; | ||
|
|
||
| describe('Database - integration (seed verification)', () => { | ||
| let database: SequelizeDatabase; |
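Review bot: the integration test imports `db` from `../../dist/lib/database/Database.js`, i.e. from compiled output rather than from `src`, so it exercises whatever was last built and fails or tests stale code when `dist` is missing or out of date; import the source module, or make the build an explicit prerequisite of the test script. `database` on the last line is declared and never assigned, as the comment below notes.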
Copilot (AI), Dec 18, 2025:
Unused variable database.
| echo "$init_output" | sed -n '1,50p' | ||
|
|
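Review bot: `sed -n '1,50p'` does not mitigate the leak described below; the first 50 lines of `vault operator init` output are exactly where the unseal keys and initial root token are printed. Write `$init_output` to a file created under `umask 077` (or run init with `-format=json` and extract only the fields the script needs) and print nothing but a confirmation that initialization completed.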
Copilot (AI), Dec 18, 2025:
vault-setup.sh logs the full output of vault operator init, which includes the unseal key and initial root token, directly to stdout. Anyone with access to container logs or CI logs can recover these secrets and fully compromise the Vault instance (read/modify any secrets, sign/encrypt data, etc.). Remove the logging of the raw init output and ensure unseal keys/root tokens are only stored in secured locations (e.g., files or secret stores) without ever being printed to logs.
| echo "[Vault CI] .env contents:" | ||
| cat "$BACKEND_ENV" |
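Review bot: `cat "$BACKEND_ENV"` dumps the database password and the base64 certificate material into the CI log, as the comment below explains; replace it with a listing of variable names only, e.g. `sed 's/=.*//' "$BACKEND_ENV"`, and in the GitHub Actions job register each secret value with `::add-mask::` before it is written so the runner redacts it from any later output.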
Copilot (AI), Dec 18, 2025:
This script prints the generated .env file to stdout, which includes the database password and base64-encoded Vault certificates/keys. Exposing these secrets in CI logs or terminal output allows anyone with log access to reuse the DB credentials or impersonate the Vault client using the leaked private key. Avoid logging the full contents of the .env file and instead only log non-sensitive metadata (e.g., path, presence of variables) while keeping credentials and private keys out of logs.
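The two comments above ask for the same thing: log that the .env file and the Vault init ran without logging their values. The script below is an added example, not code from this PR; the .env contents, token strings and the `env_keys_only`, `redact_init_output` and `save_init_output` helpers are constructed for illustration.

```shell
# Added example (not from the PR): log an env file and `vault operator init`
# output without leaking the values. All inputs below are constructed samples.
set -eu

WORK="$(mktemp -d)"

# Constructed .env in the shape vault-setup.sh generates (values are fake).
cat > "$WORK/.env" <<'EOF'
# constructed sample, not real credentials
DB_HOST=localhost
DB_PASSWORD=example-not-a-real-password
VAULT_CLIENT_KEY_B64=QUJDREVGRw==
EOF

# Constructed text in the layout `vault operator init` prints (values are fake).
cat > "$WORK/init.txt" <<'EOF'
Unseal Key 1: constructed-unseal-key-value
Initial Root Token: hvs.constructed-root-token
Vault initialized with 1 key shares and a key threshold of 1.
EOF

# Print only the variable names of a dotenv file, one per line, never the values.
env_keys_only() {
  grep -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" \
    | sed -E 's/^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)=.*/\1/'
}

# Keep the labels of the init output so the log shows init ran; drop the values.
redact_init_output() {
  sed -E 's/^((Unseal Key [0-9]+|Initial Root Token):).*/\1 <redacted>/' "$1"
}

# Copy the raw init output to a file only its owner can read (mode 0600)
# and report the destination path, never the contents.
save_init_output() {
  ( umask 077; cat "$1" > "$2" )
  printf '%s\n' "$2"
}

echo "[Vault CI] .env variables:"; env_keys_only "$WORK/.env"
echo "[Vault CI] init result:"; redact_init_output "$WORK/init.txt"
save_init_output "$WORK/init.txt" "$WORK/vault-init.secret" >/dev/null
```

On GitHub Actions, values that must still pass through the job can additionally be registered with `echo "::add-mask::$value"` before first use, so the runner scrubs them from any later output.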
I have a JIRA issue created
Implementation of database call structure, including seeding for both Vault and the database, along with integration tests verifying the seeded data. Updated related files and configurations accordingly.