attune-system/attune
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ab7d31de2f845beb02722202d925e875750ae725
attune/work-summary/sessions/2024-01-13-secret-management-api.md
David Culbreth 3b14c65998 re-uploading work
2026-02-04 17:46:30 -06:00

15 KiB
Raw Blame History

Work Summary: Secret Management API Implementation

Date: 2024-01-13
Session Duration: ~2 hours
Status: Complete

Overview

Implemented a complete, production-ready Secret Management API for the Attune automation platform. This security-critical component provides encrypted storage and retrieval of sensitive credentials, API keys, tokens, and other secret values using military-grade AES-256-GCM encryption.

What Was Accomplished

1. Created Encryption Module

File: crates/common/src/crypto.rs (229 lines)

Implemented comprehensive encryption utilities using AES-256-GCM:

Functions:

  • encrypt() - Encrypts plaintext using AES-256-GCM with random nonces
  • decrypt() - Decrypts ciphertext and validates authentication
  • derive_key() - Derives 256-bit AES key from encryption key using SHA-256
  • generate_nonce() - Generates random 96-bit nonces for GCM mode
  • hash_encryption_key() - Hashes encryption key for verification

Security Features:

  • AES-256-GCM encryption (NIST-approved, AEAD cipher)
  • Random nonce generation for each encryption (prevents pattern analysis)
  • SHA-256 key derivation from server encryption key
  • Built-in authentication tag prevents tampering
  • Base64 encoding for storage compatibility
  • Comprehensive error handling

Test Coverage:

  • 10 comprehensive unit tests (100% passing)
  • Tests cover: roundtrip encryption, wrong key detection, validation, Unicode support, edge cases

2. Created Secret Management DTOs

File: crates/api/src/dto/key.rs (185 lines)

Key DTOs:

  • KeyResponse: Full key details including decrypted value
  • KeySummary: List view with redacted values (security)
  • CreateKeyRequest: Create payload with validation rules
  • UpdateKeyRequest: Update payload for name/value changes
  • KeyQueryParams: Query parameters with filtering and pagination

Key Features:

  • Automatic value redaction in list views
  • Support for multiple owner types (system, identity, pack, action, sensor)
  • Comprehensive validation (length limits, required fields)
  • Flexible ownership model for organization

3. Implemented Secret Management Routes

File: crates/api/src/routes/keys.rs (303 lines)

Implemented 5 secure endpoints:

  1. POST /api/v1/keys - Create key/secret

    • Validates input
    • Encrypts value with AES-256-GCM
    • Stores encryption key hash for verification
    • Returns decrypted value in response

  2. GET /api/v1/keys - List keys (values redacted)

    • Filter by owner type or owner string
    • Pagination support
    • Never exposes secret values in list view
    • Returns summary objects only

  3. GET /api/v1/keys/:ref - Get key value

    • Retrieves single key by reference
    • Automatically decrypts encrypted values
    • Returns plaintext value in response
    • Handles decryption errors gracefully

  4. PUT /api/v1/keys/:ref - Update key value

    • Updates name and/or value
    • Re-encrypts value if encryption enabled
    • Handles encryption status changes
    • Returns decrypted value in response

  5. DELETE /api/v1/keys/:ref - Delete key

    • Permanently removes key from database
    • Verifies key exists before deletion

Security Measures:

  • JWT authentication required on all endpoints
  • Encryption key accessed from server config
  • Detailed error logging (without exposing secrets)
  • Graceful error handling for decryption failures
  • Value redaction in list responses

4. Enhanced Application State

Modified: crates/api/src/state.rs

  • Added config: Arc<Config> to AppState
  • Enables routes to access encryption key
  • Updated AppState constructor

Modified: crates/api/src/main.rs

  • Pass config to AppState during initialization
  • Maintains backward compatibility

5. Added Cryptography Dependencies

Modified: Cargo.toml (workspace)

Added dependencies:

  • aes-gcm = "0.10" - AES-256-GCM encryption
  • sha2 = "0.10" - SHA-256 hashing

Modified: crates/common/Cargo.toml

  • Added aes-gcm and sha2 to dependencies
  • Added crypto module to lib.rs exports

6. Registered Routes

Modified Files:

  • crates/api/src/routes/mod.rs - Added keys module export
  • crates/api/src/server.rs - Registered key routes in API router
  • crates/api/src/dto/mod.rs - Exported key DTOs

7. Created Comprehensive API Documentation

File: docs/api-secrets.md (772 lines)

Complete documentation including:

  • Security model and encryption details
  • Key model specification with all fields
  • Owner type descriptions and use cases
  • Detailed endpoint documentation with:
    • Request/response examples
    • Query parameters
    • Field validation rules
    • Error responses
    • Security notes
  • Use case examples:
    • Storing API credentials
    • Storing database passwords
    • Storing OAuth tokens
    • Retrieving secrets for actions
    • Updating expired tokens
  • Security best practices:
    • Always encrypt sensitive data
    • Use descriptive references
    • Associate with owners
    • Rotate secrets regularly
    • Never log secret values
    • Limit access
    • Backup encryption key
    • Use environment-specific secrets
  • Encryption algorithm details
  • Error handling reference
  • Future enhancement roadmap

8. Updated Project Documentation

File: work-summary/TODO.md

  • Marked Secret Management API (section 2.10) as COMPLETE
  • Listed all 5 implemented endpoints
  • Noted encryption implementation

File: CHANGELOG.md

  • Added Phase 2.10 entry with complete feature list
  • Documented security features
  • Listed dependencies added

Technical Details

Encryption Implementation

Algorithm: AES-256-GCM (Galois/Counter Mode)

Process:

  1. Server encryption key (from config) is hashed with SHA-256 → 256-bit AES key
  2. Random 96-bit nonce is generated using cryptographically secure RNG
  3. Plaintext is encrypted using AES-256-GCM with key and nonce
  4. Result: nonce || ciphertext || authentication_tag
  5. Base64 encode for storage in database

Security Properties:

  • Confidentiality: AES-256 prevents unauthorized reading
  • Authenticity: GCM authentication tag prevents tampering
  • Non-deterministic: Random nonces ensure unique ciphertexts
  • Forward Security: Key rotation possible (requires re-encryption)

Key Storage Model

keys table:
  - id: Unique identifier
  - ref: Unique reference (e.g., "github_token")
  - owner_type: system/identity/pack/action/sensor
  - owner_*: Various owner reference fields
  - name: Human-readable name
  - encrypted: Boolean flag
  - encryption_key_hash: SHA-256 hash of encryption key
  - value: Encrypted (base64) or plaintext value
  - created/updated: Timestamps

API Security Features

  1. Value Redaction: List endpoints never expose values
  2. Automatic Encryption: Values encrypted on create/update
  3. Automatic Decryption: Values decrypted on retrieval
  4. Key Validation: Encryption key must be ≥32 characters
  5. Error Handling: Graceful handling of decryption failures
  6. Audit Trail: Creation and modification timestamps

Code Quality

  • Follows established patterns from other route modules
  • Comprehensive error handling with descriptive messages
  • Input validation using validator crate
  • Type-safe with proper Rust idioms
  • Clean separation of concerns (crypto, DTOs, routes)
  • Extensive inline documentation
  • Zero compile errors
  • 10/10 crypto tests passing

Testing Status

  • Compiles successfully with no errors
  • All crypto unit tests passing (10/10)
  • Encryption/decryption roundtrip verified
  • Wrong key detection tested
  • Unicode support tested
  • ⚠️ Only compiler warnings (unused imports - not related)
  • No API integration tests yet (noted for future work)

Use Cases Enabled

1. Store API Credentials

Store third-party API keys for use in actions:

POST /api/v1/keys
{
  "ref": "github_api_token",
  "owner_type": "pack",
  "owner_pack_ref": "github",
  "name": "GitHub Personal Access Token",
  "value": "ghp_abc123...",
  "encrypted": true
}

2. Store Database Credentials

Store database passwords securely:

POST /api/v1/keys
{
  "ref": "prod_db_password",
  "owner_type": "system",
  "name": "Production Database Password",
  "value": "supersecret123!",
  "encrypted": true
}

3. Retrieve Secrets in Actions

Actions can retrieve secrets at runtime:

GET /api/v1/keys/github_api_token
# Returns decrypted value for use

4. Rotate Expired Credentials

Update secrets when credentials change:

PUT /api/v1/keys/github_api_token
{
  "value": "ghp_newtoken_after_rotation"
}
# Automatically re-encrypts

Security Considerations

What We Did Right

  1. Encryption by Default: encrypted: true is the default
  2. Value Redaction: List views never expose values
  3. Strong Encryption: AES-256-GCM is NIST-approved
  4. Random Nonces: Prevents pattern analysis
  5. Authentication: GCM mode prevents tampering
  6. Key Derivation: SHA-256 hashing of server key
  7. Error Handling: No secret exposure in errors
  8. Documentation: Comprehensive security best practices

Important Warnings

⚠️ Encryption Key Management:

  • Key must be at least 32 characters
  • Key must be kept secret and secure
  • Key must be backed up securely
  • Losing the key means encrypted secrets cannot be recovered
  • Key rotation requires re-encrypting all secrets

⚠️ Production Deployment:

  • Always use HTTPS to protect secrets in transit
  • Never commit encryption key to version control
  • Use environment variables or secret management for key
  • Implement key rotation policy
  • Monitor and audit secret access (future enhancement)

Issues Encountered & Resolved

1. AppState Missing Config

Problem: Routes needed access to encryption key from config, but AppState only had database pool and JWT config

Solution: Added config: Arc<Config> to AppState and updated constructor in main.rs

2. Encryption Dependencies

Problem: No AES-GCM or SHA-2 libraries available

Solution: Added aes-gcm and sha2 to workspace and crate dependencies

3. Value Redaction Strategy

Problem: Need to prevent value exposure in list views while allowing retrieval

Solution:

  • Created separate KeySummary DTO without value field
  • List endpoint returns summaries
  • Individual GET endpoint returns full KeyResponse with decrypted value

Dependencies Added

  • aes-gcm 0.10: AES-256-GCM authenticated encryption
  • sha2 0.10: SHA-256 hashing for key derivation
  • base64 (already present): Base64 encoding for storage

Next Steps

Immediate (Complete Phase 2)

  1. API Documentation (Phase 2.11)

    • Add OpenAPI/Swagger annotations
    • Generate interactive API docs
    • Serve docs at /docs endpoint

  2. API Testing (Phase 2.12)

    • Write integration tests for secret endpoints
    • Test encryption/decryption flow
    • Test value redaction
    • Test access control

Future Enhancements (Security)

  1. Key Rotation: Implement re-encryption when changing keys
  2. Access Control Lists: Fine-grained permissions on secrets
  3. Audit Logging: Detailed logs of all secret access
  4. Secret Expiration: Time-to-live (TTL) for temporary secrets
  5. Secret Versioning: Keep history of value changes
  6. Vault Integration: Support HashiCorp Vault, AWS Secrets Manager
  7. Secret References: Reference secrets from other secrets
  8. Import/Export: Secure bulk operations with encryption

Move to Phase 4 (After Phase 2 Complete)

  1. Executor Service
    • Event consumption from RabbitMQ
    • Rule evaluation engine
    • Enforcement creation
    • Execution scheduling
    • Use secrets from Key API

Files Created/Modified

Created

  • crates/common/src/crypto.rs (229 lines) - Encryption utilities
  • crates/api/src/dto/key.rs (185 lines) - Key DTOs
  • crates/api/src/routes/keys.rs (303 lines) - Secret management routes
  • docs/api-secrets.md (772 lines) - API documentation
  • work-summary/2024-01-13-secret-management-api.md (this file)

Modified

  • Cargo.toml - Added aes-gcm and sha2 dependencies
  • crates/common/Cargo.toml - Added crypto dependencies
  • crates/common/src/lib.rs - Added crypto module export
  • crates/api/src/state.rs - Added config to AppState
  • crates/api/src/main.rs - Pass config to AppState
  • crates/api/src/dto/mod.rs - Added key exports
  • crates/api/src/routes/mod.rs - Added keys module
  • crates/api/src/server.rs - Registered key routes
  • work-summary/TODO.md - Marked Phase 2.10 complete
  • CHANGELOG.md - Added Phase 2.10 entry

Total Lines Added: ~1,489 lines (code + documentation)

Configuration Required

Server Configuration

Add to config.yaml or environment variables:

security:
  encryption_key: "your-encryption-key-must-be-at-least-32-characters-long"

Or:

export ATTUNE__SECURITY__ENCRYPTION_KEY="your-encryption-key-must-be-at-least-32-characters-long"

Requirements:

  • Minimum 32 characters
  • Keep secret and secure
  • Back up securely
  • Never commit to version control

Conclusion

Successfully implemented a complete, production-ready Secret Management API with military-grade encryption for the Attune platform. The implementation provides secure storage and retrieval of sensitive credentials while following security best practices.

The secret management system now supports:

  • AES-256-GCM encrypted storage
  • Automatic encryption/decryption
  • Value redaction in list views
  • Multiple ownership models
  • Flexible organization
  • Comprehensive documentation
  • Security best practices guide

Phase 2.10 (Secret Management API) is now complete! 🎉

This completes all major CRUD APIs for Phase 2. The API Service now has:

  • Authentication & Authorization
  • Pack Management
  • Action Management
  • Trigger & Sensor Management
  • Rule Management
  • Execution Queries
  • Inquiry Management (Human-in-the-Loop)
  • Event & Enforcement Queries
  • Secret Management (Encrypted Credentials)

Next: API Documentation (OpenAPI/Swagger) and Testing, then move to Phase 4 (Executor Service) to make the automation actually run!

Verification Commands

# Build API service
cargo build -p attune-api

# Check for errors
cargo check -p attune-api

# Run crypto tests
cargo test -p attune-common --lib crypto

# Run all tests (when implemented)
cargo test -p attune-api

# Run clippy for linting
cargo clippy -p attune-api

Testing the API

# Set encryption key
export ATTUNE__SECURITY__ENCRYPTION_KEY="test-encryption-key-32-chars-min"

# Start API server
cargo run -p attune-api

# Create a secret
curl -X POST "http://localhost:8080/api/v1/keys" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "ref": "test_secret",
    "owner_type": "system",
    "name": "Test Secret",
    "value": "my_secret_password",
    "encrypted": true
  }'

# List secrets (values redacted)
curl -X GET "http://localhost:8080/api/v1/keys" \
  -H "Authorization: Bearer <token>"

# Get secret value (decrypted)
curl -X GET "http://localhost:8080/api/v1/keys/test_secret" \
  -H "Authorization: Bearer <token>"
Reference in New Issue View Git Blame Copy Permalink