feat(hashicorp): implement hashicorp secrets manager solution (#3297)

Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>
2025-10-28 12:15:40 +08:00 · 2024-01-24 14:06:52 +05:30
parent cc7e33a575
commit 629d546aa7
28 changed files with 1094 additions and 84 deletions
--- a/crates/router/src/services/authentication.rs
+++ b/crates/router/src/services/authentication.rs
@ -3,9 +3,13 @@ use api_models::{payment_methods::PaymentMethodListRequest, payments};
 use async_trait::async_trait;
 use common_utils::date_time;
 use error_stack::{report, IntoReport, ResultExt};
+#[cfg(feature = "hashicorp-vault")]
+use external_services::hashicorp_vault::decrypt::VaultFetch;
 #[cfg(feature = "kms")]
 use external_services::kms::{self, decrypt::KmsDecrypt};
 use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
+#[cfg(feature = "hashicorp-vault")]
+use masking::ExposeInterface;
 use masking::{PeekInterface, StrongSecret};
 use serde::Serialize;

@ -222,6 +226,10 @@ where
                &config.api_keys,
                #[cfg(feature = "kms")]
                kms::get_kms_client(&config.kms).await,
+                #[cfg(feature = "hashicorp-vault")]
+                external_services::hashicorp_vault::get_hashicorp_client(&config.hc_vault)
+                    .await
+                    .change_context(errors::ApiErrorResponse::InternalServerError)?,
            )
            .await?
        };
@ -281,9 +289,14 @@ static ADMIN_API_KEY: tokio::sync::OnceCell<StrongSecret<String>> =
 pub async fn get_admin_api_key(
    secrets: &settings::Secrets,
    #[cfg(feature = "kms")] kms_client: &kms::KmsClient,
+    #[cfg(feature = "hashicorp-vault")]
+    hc_client: &external_services::hashicorp_vault::HashiCorpVault,
 ) -> RouterResult<&'static StrongSecret<String>> {
    ADMIN_API_KEY
        .get_or_try_init(|| async {
+            #[cfg(not(feature = "kms"))]
+            let admin_api_key = secrets.admin_api_key.clone();
+
            #[cfg(feature = "kms")]
            let admin_api_key = secrets
                .kms_encrypted_admin_api_key
@ -292,8 +305,13 @@ pub async fn get_admin_api_key(
                .change_context(errors::ApiErrorResponse::InternalServerError)
                .attach_printable("Failed to KMS decrypt admin API key")?;

-            #[cfg(not(feature = "kms"))]
-            let admin_api_key = secrets.admin_api_key.clone();
+            #[cfg(feature = "hashicorp-vault")]
+            let admin_api_key = masking::Secret::new(admin_api_key)
+                .fetch_inner::<external_services::hashicorp_vault::Kv2>(hc_client)
+                .await
+                .change_context(errors::ApiErrorResponse::InternalServerError)
+                .attach_printable("Failed to KMS decrypt admin API key")?
+                .expose();

            Ok(StrongSecret::new(admin_api_key))
        })
@ -348,6 +366,11 @@ where
            &conf.secrets,
            #[cfg(feature = "kms")]
            kms::get_kms_client(&conf.kms).await,
+            #[cfg(feature = "hashicorp-vault")]
+            external_services::hashicorp_vault::get_hashicorp_client(&conf.hc_vault)
+                .await
+                .change_context(errors::ApiErrorResponse::InternalServerError)
+                .attach_printable("Failed while getting admin api key")?,
        )
        .await?;