chore: updated from main

.env-example

@@ -0,0 +1,12 @@
+PORT=3001
+DATABASE_HOST=localhost
+DATABASE_PORT=3306
+DATABASE_USER=mcm
+DATABASE_PASSWORD=mcm
+DATABASE_SCHEMA=mcm
+VAULT_ENDPOINT=http://localhost:8233
+VAULT_AUTH_METHOD=APP_ROLE
+VAULT_ROLE_ID_FILE=./docker/vault/tmp/role-id
+VAULT_ROLE_SECRET_ID_FILE=./docker/vault/tmp/secret-id
+VAULT_PKI_CLIENT_ROLE=example.com
+VAULT_PKI_SERVER_ROLE=example.com

.github/workflows/prWorkflow.yml

@@ -10,27 +10,27 @@ on:
 
 jobs:
   test_lint:
-    uses: modusbox/github-actions-node/.github/workflows/testLintJob.yml@v0.0.4
+    uses: infitx-org/github-actions-node/.github/workflows/testLintJob.yml@v0.0.4
 
   test_dependencies:
-    uses: modusbox/github-actions-node/.github/workflows/testDependencyJob.yml@v0.0.4
+    uses: infitx-org/github-actions-node/.github/workflows/testDependencyJob.yml@v0.0.4
 
   test_audit:
-    uses: modusbox/github-actions-node/.github/workflows/testAuditJob.yml@v0.0.4
+    uses: infitx-org/github-actions-node/.github/workflows/testAuditJob.yml@v0.0.4
 
   test_license:
-    uses: modusbox/github-actions-node/.github/workflows/testLicenseJob.yml@v0.0.4
+    uses: infitx-org/github-actions-node/.github/workflows/testLicenseJob.yml@v0.0.4
 
 # TODO: Uncomment if unit tests added
 #   test_unit:
-#     uses: modusbox/github-actions-node/.github/workflows/testUnitJob.yml@v0.0.4
+#     uses: infitx-org/github-actions-node/.github/workflows/testUnitJob.yml@v0.0.4
 
 # TODO: Test coverage applies to unit tests and since there is none is commentted out
 #   test_coverage:
-#     uses: modusbox/github-actions-node/.github/workflows/testCoverageJob.yml@v0.0.4
+#     uses: infitx-org/github-actions-node/.github/workflows/testCoverageJob.yml@v0.0.4
 
   test_int:
-    uses: modusbox/github-actions-node/.github/workflows/testIntJob.yml@v0.0.4
+    uses: infitx-org/github-actions-node/.github/workflows/testIntJob.yml@v0.0.4
 
   test_func:
     uses: ./.github/workflows/testFuncJob.yml

.github/workflows/testFuncJob.yml

@@ -10,7 +10,7 @@ env:
   APP_CACHE_NAME: cache-app-node-modules
   APP_SCRIPT_DIRECTORY: scripts
   TEST_FUNC_WORK_DIRECTORY: test/functional-tests
-  NODE_VERSION: lts/*
+  NODE_VERSION: 20.15.1
 
 jobs:
 
@@ -94,7 +94,7 @@ jobs:
       - name: Start App
         working-directory: ${{env.APP_WORK_DIRECTORY}}
         run: |
-          VAULT_DIR="`pwd`/.vault"
+          VAULT_DIR="`pwd`/docker/vault/tmp"
           docker run --net=host -d --rm --name ${{env.IMAGE_NAME}} --env-file ./docker/functional-tests.env -v $VAULT_DIR:/tmp/vault ${{env.IMAGE_NAME}}:${{env.IMAGE_TAG}}
       - name: Wait for App
         uses: cygnetdigital/wait_for_response@v2.0.0

.ncurc.yaml

@@ -1,4 +1,5 @@
 ## Add a comment indicating the reason for each rejected dependency upgrade added to this list, and what should be done to resolve it (i.e. handle it through a story, etc).
 reject: [
   "chai", # Chai v.5 now only supports EcmaScript Modules (ESM) - no require('chi')
+  "eslint", # Upgrade is breaking due to peer dependencies
 ]

.nvmrc

@@ -1 +1 @@
-lts/*
+20.15.1

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:16-buster
+FROM node:20-buster
 
 # APP
 WORKDIR /usr/src/app

docker-compose.yaml

@@ -0,0 +1,41 @@
+version: '3'
+services:
+
+  connection-manager-db:
+    image: mysql/mysql-server
+    ports:
+      - "3306:3306"
+    volumes:
+      - ./docker/sql-init/:/docker-entrypoint-initdb.d/
+    environment:
+      - MYSQL_USER=${DBUSER:-mcm}
+      - MYSQL_PASSWORD=${DBPASS:-mcm}
+      - MYSQL_DATABASE=${DBUSER:-mcm}
+      - MYSQL_ALLOW_EMPTY_PASSWORD=true
+    healthcheck:
+      test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
+      timeout: 20s
+      retries: 10
+      start_period: 40s
+      interval: 30s
+
+  vault-dev:
+    image: vault:1.2.1
+    restart: always
+    environment:
+      VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8233
+      VAULT_ADDR: http://127.0.0.1:8233
+      VAULT_DEV_ROOT_TOKEN_ID: "myroot"
+      VAULT_LOCAL_CONFIG: '{"backend": {"file": {"path": "/vault/file"}}, "default_lease_ttl": "168h", "max_lease_ttl": "720h"}'
+    ports:
+      - "8233:8233"
+    volumes:
+      - ./docker/vault/tmp:/vault/tmp
+      - ./docker/vault/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
+    cap_add:
+      - IPC_LOCK
+    healthcheck:
+      test: ["CMD-SHELL", "test -f /tmp/service_started"]
+      timeout: 1s
+      retries: 20
+

docker/sql-init/01_permissions.sql

@@ -0,0 +1,2 @@
+ALTER USER 'central_ledger'@'%' identified WITH mysql_native_password by 'password';
+FLUSH PRIVILEGES;

docker/vault/docker-entrypoint.sh

@@ -0,0 +1,164 @@
+#!/usr/bin/dumb-init /bin/sh
+set -e
+
+# Note above that we run dumb-init as PID 1 in order to reap zombie processes
+# as well as forward signals to all processes in its session. Normally, sh
+# wouldn't do either of these functions so we'd leak zombies as well as do
+# unclean termination of all our sub-processes.
+
+# Prevent core dumps
+ulimit -c 0
+
+# Allow setting VAULT_REDIRECT_ADDR and VAULT_CLUSTER_ADDR using an interface
+# name instead of an IP address. The interface name is specified using
+# VAULT_REDIRECT_INTERFACE and VAULT_CLUSTER_INTERFACE environment variables. If
+# VAULT_*_ADDR is also set, the resulting URI will combine the protocol and port
+# number with the IP of the named interface.
+get_addr () {
+    local if_name=$1
+    local uri_template=$2
+    ip addr show dev $if_name | awk -v uri=$uri_template '/\s*inet\s/ { \
+      ip=gensub(/(.+)\/.+/, "\\1", "g", $2); \
+      print gensub(/^(.+:\/\/).+(:.+)$/, "\\1" ip "\\2", "g", uri); \
+      exit}'
+}
+
+if [ -n "$VAULT_REDIRECT_INTERFACE" ]; then
+    export VAULT_REDIRECT_ADDR=$(get_addr $VAULT_REDIRECT_INTERFACE ${VAULT_REDIRECT_ADDR:-"http://0.0.0.0:8200"})
+    echo "Using $VAULT_REDIRECT_INTERFACE for VAULT_REDIRECT_ADDR: $VAULT_REDIRECT_ADDR"
+fi
+if [ -n "$VAULT_CLUSTER_INTERFACE" ]; then
+    export VAULT_CLUSTER_ADDR=$(get_addr $VAULT_CLUSTER_INTERFACE ${VAULT_CLUSTER_ADDR:-"https://0.0.0.0:8201"})
+    echo "Using $VAULT_CLUSTER_INTERFACE for VAULT_CLUSTER_ADDR: $VAULT_CLUSTER_ADDR"
+fi
+
+rm -f /tmp/service_started
+
+# VAULT_CONFIG_DIR isn't exposed as a volume but you can compose additional
+# config files in there if you use this image as a base, or use
+# VAULT_LOCAL_CONFIG below.
+VAULT_CONFIG_DIR=/vault/config
+
+# You can also set the VAULT_LOCAL_CONFIG environment variable to pass some
+# Vault configuration JSON without having to bind any volumes.
+if [ -n "$VAULT_LOCAL_CONFIG" ]; then
+    echo "$VAULT_LOCAL_CONFIG" > "$VAULT_CONFIG_DIR/local.json"
+fi
+
+# If the user is trying to run Vault directly with some arguments, then
+# pass them to Vault.
+if [ "${1:0:1}" = '-' ]; then
+    set -- vault "$@"
+fi
+
+# Look for Vault subcommands.
+if [ "$1" = 'server' ]; then
+    shift
+    set -- vault server \
+        -config="$VAULT_CONFIG_DIR" \
+        -dev-root-token-id="$VAULT_DEV_ROOT_TOKEN_ID" \
+        -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8200"}" \
+        "$@"
+elif [ "$1" = 'version' ]; then
+    # This needs a special case because there's no help output.
+    set -- vault "$@"
+elif vault --help "$1" 2>&1 | grep -q "vault $1"; then
+    # We can't use the return code to check for the existence of a subcommand, so
+    # we have to use grep to look for a pattern in the help output.
+    set -- vault "$@"
+fi
+
+# If we are running Vault, make sure it executes as the proper user.
+if [ "$1" = 'vault' ]; then
+    if [ -z "$SKIP_CHOWN" ]; then
+        # If the config dir is bind mounted then chown it
+        if [ "$(stat -c %u /vault/config)" != "$(id -u vault)" ]; then
+            chown -R vault:vault /vault/config || echo "Could not chown /vault/config (may not have appropriate permissions)"
+        fi
+
+        # If the logs dir is bind mounted then chown it
+        if [ "$(stat -c %u /vault/logs)" != "$(id -u vault)" ]; then
+            chown -R vault:vault /vault/logs
+        fi
+
+        # If the file dir is bind mounted then chown it
+        if [ "$(stat -c %u /vault/file)" != "$(id -u vault)" ]; then
+            chown -R vault:vault /vault/file
+        fi
+    fi
+
+    if [ -z "$SKIP_SETCAP" ]; then
+        # Allow mlock to avoid swapping Vault memory to disk
+        setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
+
+        # In the case vault has been started in a container without IPC_LOCK privileges
+        if ! vault -version 1>/dev/null 2>/dev/null; then
+            >&2 echo "Couldn't start vault with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK"
+            setcap cap_ipc_lock=-ep $(readlink -f $(which vault))
+        fi
+    fi
+
+    if [ "$(id -u)" = '0' ]; then
+      set -- su-exec vault "$@"
+    fi
+fi
+
+"$@" &
+
+
+sleep 3
+
+export VAULT_TOKEN=$VAULT_DEV_ROOT_TOKEN_ID
+
+vault auth enable approle
+vault write auth/approle/role/my-role secret_id_ttl=1000m token_ttl=1000m token_max_ttl=1000m
+vault read -field role_id auth/approle/role/my-role/role-id > /vault/tmp/role-id
+vault write -field secret_id -f auth/approle/role/my-role/secret-id > /vault/tmp/secret-id
+# ROLE_ID=$(vault read -field role_id auth/approle/role/my-role/role-id)
+# SECRET_ID=$(vault write -field secret_id -f auth/approle/role/my-role/secret-id)
+vault secrets enable -path=pki pki
+vault secrets enable -path=secrets kv
+vault secrets tune -max-lease-ttl=97600h pki
+# vault write -field=certificate pki/root/generate/internal \
+#         common_name="example.com" \
+#         ttl=97600h
+vault write pki/config/urls \
+    issuing_certificates="http://127.0.0.1:8233/v1/pki/ca" \
+    crl_distribution_points="http://127.0.0.1:8233/v1/pki/crl"
+vault write pki/roles/example.com allowed_domains=example.com allow_subdomains=true allow_any_name=true allow_localhost=true enforce_hostnames=false max_ttl=720h
+
+tee policy.hcl <<EOF
+# List, create, update, and delete key/value secrets
+path "secrets/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "kv/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "pki/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+path "pki_int/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+EOF
+
+vault policy write test-policy policy.hcl
+
+vault write auth/approle/role/my-role policies=test-policy ttl=1h
+
+vault secrets enable -path=pki_int pki
+vault secrets tune -max-lease-ttl=43800h pki_int
+vault write pki_int/roles/example.com allowed_domains=example.com allow_subdomains=true allow_any_name=true allow_localhost=true enforce_hostnames=false max_ttl=600h
+
+touch /tmp/service_started
+
+tail -f /dev/null

docker/vault/tmp/role-id

@@ -0,0 +1 @@
+aeb6cc95-b245-894d-6158-7e113e1a8fa6

docker/vault/tmp/secret-id

@@ -0,0 +1 @@
+07c70477-700f-cc29-c426-af17f0aa4c24

eslint.config.js

@@ -0,0 +1,18 @@
+module.exports = [
+    {
+        rules: {
+            "comma-dangle": [
+                "error",
+                {
+                    arrays: "never",
+                    objects: "ignore",
+                    imports: "never",
+                    exports: "never",
+                    functions: "never"
+                }
+            ],
+            "no-extra-semi": "off",
+            semi: ["error", "always"]
+        }
+    }
+];