refactor: kms decrypt analytics config (#3984)

2025-10-29 17:19:15 +08:00 · 2024-03-06 18:11:17 +05:30
parent 34c1b905b1
commit cfade55e69
6 changed files with 66 additions and 5 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -349,6 +349,7 @@ dependencies = [
 "error-stack",
 "external_services",
 "futures 0.3.28",
+ "hyperswitch_interfaces",
 "masking",
 "once_cell",
 "reqwest",
--- a/crates/analytics/Cargo.toml
+++ b/crates/analytics/Cargo.toml
@ -11,8 +11,9 @@ edition = "2021"
 # First party crates
 api_models = { version = "0.1.0", path = "../api_models" , features = ["errors"]}
 storage_impl = { version = "0.1.0", path = "../storage_impl", default-features = false }
-common_utils = { version = "0.1.0", path = "../common_utils"}
-external_services = { version = "0.1.0", path = "../external_services", default-features = false}
+common_utils = { version = "0.1.0", path = "../common_utils" }
+external_services = { version = "0.1.0", path = "../external_services", default-features = false }
+hyperswitch_interfaces = { version = "0.1.0", path = "../hyperswitch_interfaces" }
 masking = { version = "0.1.0", path = "../masking" }
 router_env = { version = "0.1.0", path = "../router_env", features = ["log_extra_implicit_fields", "log_custom_entries_to_extra"] }
 diesel_models = { version = "0.1.0", path = "../diesel_models", features = ["kv_store"] }
--- a/crates/analytics/src/lib.rs
+++ b/crates/analytics/src/lib.rs
@ -15,7 +15,13 @@ pub mod sdk_events;
 mod sqlx;
 mod types;
 use api_event::metrics::{ApiEventMetric, ApiEventMetricRow};
+use common_utils::errors::CustomResult;
 use disputes::metrics::{DisputeMetric, DisputeMetricRow};
+use hyperswitch_interfaces::secrets_interface::{
+    secret_handler::SecretsHandler,
+    secret_state::{RawSecret, SecretStateContainer, SecuredSecret},
+    SecretManagementInterface, SecretsManagementError,
+};
 pub use types::AnalyticsDomain;
 pub mod lambda_utils;
 pub mod utils;
@ -598,6 +604,51 @@ pub enum AnalyticsConfig {
    },
 }

+#[async_trait::async_trait]
+impl SecretsHandler for AnalyticsConfig {
+    async fn convert_to_raw_secret(
+        value: SecretStateContainer<Self, SecuredSecret>,
+        secret_management_client: &dyn SecretManagementInterface,
+    ) -> CustomResult<SecretStateContainer<Self, RawSecret>, SecretsManagementError> {
+        let analytics_config = value.get_inner();
+        let decrypted_password = match analytics_config {
+            // Todo: Perform kms decryption of clickhouse password
+            Self::Clickhouse { .. } => masking::Secret::new(String::default()),
+            Self::Sqlx { sqlx }
+            | Self::CombinedCkh { sqlx, .. }
+            | Self::CombinedSqlx { sqlx, .. } => {
+                secret_management_client
+                    .get_secret(sqlx.password.clone())
+                    .await?
+            }
+        };
+
+        Ok(value.transition_state(|conf| match conf {
+            Self::Sqlx { sqlx } => Self::Sqlx {
+                sqlx: Database {
+                    password: decrypted_password,
+                    ..sqlx
+                },
+            },
+            Self::Clickhouse { clickhouse } => Self::Clickhouse { clickhouse },
+            Self::CombinedCkh { sqlx, clickhouse } => Self::CombinedCkh {
+                sqlx: Database {
+                    password: decrypted_password,
+                    ..sqlx
+                },
+                clickhouse,
+            },
+            Self::CombinedSqlx { sqlx, clickhouse } => Self::CombinedSqlx {
+                sqlx: Database {
+                    password: decrypted_password,
+                    ..sqlx
+                },
+                clickhouse,
+            },
+        }))
+    }
+}
+
 impl Default for AnalyticsConfig {
    fn default() -> Self {
        Self::Sqlx {
--- a/crates/router/src/configs/secrets_transformers.rs
+++ b/crates/router/src/configs/secrets_transformers.rs
@ -233,6 +233,13 @@ pub(crate) async fn fetch_raw_secrets(
            .await
            .expect("Failed to decrypt master database configuration");

+    #[cfg(feature = "olap")]
+    #[allow(clippy::expect_used)]
+    let analytics =
+        analytics::AnalyticsConfig::convert_to_raw_secret(conf.analytics, secret_management_client)
+            .await
+            .expect("Failed to decrypt analytics configuration");
+
    #[cfg(feature = "olap")]
    #[allow(clippy::expect_used)]
    let replica_database =
@ -342,7 +349,7 @@ pub(crate) async fn fetch_raw_secrets(
        temp_locker_enable_config: conf.temp_locker_enable_config,
        payment_link: conf.payment_link,
        #[cfg(feature = "olap")]
-        analytics: conf.analytics,
+        analytics,
        #[cfg(feature = "kv_store")]
        kv_config: conf.kv_config,
        #[cfg(feature = "frm")]
--- a/crates/router/src/configs/settings.rs
+++ b/crates/router/src/configs/settings.rs
@ -105,7 +105,7 @@ pub struct Settings<S: SecretState> {
    pub temp_locker_enable_config: TempLockerEnableConfig,
    pub payment_link: PaymentLink,
    #[cfg(feature = "olap")]
-    pub analytics: AnalyticsConfig,
+    pub analytics: SecretStateContainer<AnalyticsConfig, S>,
    #[cfg(feature = "kv_store")]
    pub kv_config: KvConfig,
    #[cfg(feature = "frm")]
--- a/crates/router/src/routes/app.rs
+++ b/crates/router/src/routes/app.rs
@ -200,7 +200,8 @@ impl AppState {
            };

            #[cfg(feature = "olap")]
-            let pool = crate::analytics::AnalyticsProvider::from_conf(&conf.analytics).await;
+            let pool =
+                crate::analytics::AnalyticsProvider::from_conf(conf.analytics.get_inner()).await;

            #[cfg(feature = "email")]
            let email_client = Arc::new(create_email_client(&conf).await);