Bugfix - Retrieve Settings from KV map

Makefile

@@ -198,6 +198,8 @@ release-policy-set:
 	KMS_URL=${KMS_URL} \
 	RELEASE_POLICY_PROPOSAL=$(release-policy-proposal) \
 		./scripts/release-policy-set.sh
+test-unit:
+	npm run test
 
 test-system:
 	@pytest -s test/system-test/$(filter-out $@,$(MAKECMDGOALS))

README.md

@@ -138,14 +138,17 @@ make setup
 ## Manual tests
 
 ```
-# Testing with heartbeat: Use user certs
-curl ${KMS_URL}/app/heartbeat --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/user0_cert.pem --key ${KEYS_DIR}/user0_privk.pem -H "Content-Type: application/json" -w '\n' | jq
+# Heartbeat endpoint
+curl ${KMS_URL}/app/heartbeat --cacert ${KEYS_DIR}/service_cert.pem  -H "Content-Type: application/json"  -w '\n' | jq
 
-# Testing with heartbeat: Use member certs
-curl ${KMS_URL}/app/heartbeat --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/member0_cert.pem --key ${KEYS_DIR}/member0_privk.pem -H "Content-Type: application/json" -w '\n' | jq
+# Testing with auth: Use user certs
+curl ${KMS_URL}/app/auth --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/user0_cert.pem --key ${KEYS_DIR}/user0_privk.pem -H "Content-Type: application/json" -w '\n' | jq
 
-# Testing with heartbeat: Use JWT
-curl ${KMS_URL}/app/heartbeat --cacert ${KEYS_DIR}/service_cert.pem  -H "Content-Type: application/json" -H "Authorization:$AUTHORIZATION"  -w '\n' | jq
+# Testing with auth: Use member certs
+curl ${KMS_URL}/app/auth --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/member0_cert.pem --key ${KEYS_DIR}/member0_privk.pem -H "Content-Type: application/json" -w '\n' | jq
+
+# Testing with auth: Use JWT
+curl ${KMS_URL}/app/auth --cacert ${KEYS_DIR}/service_cert.pem  -H "Content-Type: application/json" -H "Authorization:$AUTHORIZATION"  -w '\n' | jq
 
 # Generate a new key item
 curl ${KMS_URL}/app/refresh -X POST --cacert ${KEYS_DIR}/service_cert.pem  -H "Content-Type: application/json" -i  -w '\n'
@@ -187,6 +190,9 @@ curl $KMS_URL/app/unwrapKey?fmt=tink -X POST --cacert ${KEYS_DIR}/service_cert.p
 # Get key release policy
 curl $KMS_URL/app/keyReleasePolicy --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/member0_cert.pem --key ${KEYS_DIR}/member0_privk.pem -H "Content-Type: application/json" | jq
 
+# Get settings policy
+curl $KMS_URL/app/settingsPolicy --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/member0_cert.pem --key ${KEYS_DIR}/member0_privk.pem -H "Content-Type: application/json" | jq
+
 # Get receipt
 curl $KMS_URL/receipt?transaction_id=2.20 --cacert ${KEYS_DIR}/service_cert.pem --cert ${KEYS_DIR}/user0_cert.pem --key ${KEYS_DIR}/user0_privk.pem -H "Content-Type: application/json" -i  -w '\n'
 ```

app.json

@@ -21,6 +21,27 @@
         }
       }
     },
+    "/settingsPolicy": {
+      "get": {
+        "js_module": "endpoints/settingsPolicyEndpoint.js",
+        "js_function": "settingsPolicy",
+        "forwarding_required": "sometimes",
+        "authn_policies": ["member_cert"],
+        "mode": "readonly",
+        "openapi": {
+          "responses": {
+            "200": {
+              "description": "Settings policy",
+              "content": {
+                "application/json": {
+                  "type": "object"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/pubkey": {
       "get": {
         "js_module": "endpoints/publickeyEndpoint.js",

src/endpoints/kms.ts

@@ -7,6 +7,7 @@ import { enableEndpoint } from "../utils/Tooling";
 import { ServiceRequest } from "../utils/ServiceRequest";
 import { Settings } from "../policies/Settings";
 import { LogContext } from "../utils/Logger";
+import { settingsPolicyMap } from "../repositories/Maps";
 
 // Enable the endpoint
 enableEndpoint();
@@ -36,7 +37,7 @@ export const auth = (
   const [policy, isValidIdentity] = serviceRequest.isAuthenticated();
   if (isValidIdentity.failure) return isValidIdentity;
 
-  const settings = Settings.loadSettings();
+  const settings = Settings.loadSettingsFromMap(settingsPolicyMap, logContext);
   const description = [
     settings.settings.service.name,
     settings.settings.service.description,
@@ -62,7 +63,7 @@ export const heartbeat = (
   const logContext = new LogContext().appendScope("heartbeatEndpoint");
   new ServiceRequest<void>(logContext, request);
 
-  const settings = Settings.loadSettings();
+  const settings = Settings.loadSettingsFromMap(settingsPolicyMap, logContext);
   const description = [
     settings.settings.service.name,
     settings.settings.service.description,

src/endpoints/settingsPolicyEndpoint.ts

@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+import * as ccfapp from "@microsoft/ccf-app";
+import { ServiceResult } from "../utils/ServiceResult";
+import { enableEndpoint } from "../utils/Tooling";
+import { ServiceRequest } from "../utils/ServiceRequest";
+import { LogContext } from "../utils/Logger";
+import { ISettings, Settings } from "../policies/Settings";
+import { settingsPolicyMap } from "../repositories/Maps";
+
+// Enable the endpoint
+enableEndpoint();
+
+/**
+ * Retrieves the settings policy.
+ * @returns A ServiceResult containing the settings policy properties.
+ */
+export const settingsPolicy = (
+  request: ccfapp.Request<void>,
+  logContextIn: LogContext,
+): ServiceResult<string | ISettings> => {
+  const logContext = logContextIn.appendScope("settingsPolicyEndpoint");
+  const serviceRequest = new ServiceRequest<void>(logContext, request);
+
+  // check if caller has a valid identity
+  const [_, isValidIdentity] = serviceRequest.isAuthenticated();
+  if (isValidIdentity.failure) return isValidIdentity;
+
+  try {
+    const result =
+      Settings.loadSettingsFromMap(settingsPolicyMap, logContext).settings;
+    return ServiceResult.Succeeded<ISettings>(result, undefined, logContext, serviceRequest.requestId);
+  } catch (error: any) {
+    return ServiceResult.Failed<string>({ errorMessage: error.message }, 500, logContext, serviceRequest.requestId);
+  }
+};

src/index.ts

@@ -6,6 +6,7 @@ export * from "./endpoints/keyEndpoint";
 export * from "./endpoints/publickeyEndpoint";
 export * from "./endpoints/refreshEndpoint";
 export * from "./endpoints/keyReleasePolicyEndpoint";
+export * from "./endpoints/settingsPolicyEndpoint";
 export * from "./endpoints/IKeyItem";
 export * from "./endpoints/KeyGeneration";
 export * from "./endpoints/TinkKey";

src/policies/Settings.ts

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
+import * as ccfapp from "@microsoft/ccf-app";
 import { ccf } from "@microsoft/ccf-app/global";
 import { Logger, LogContext } from "../utils/Logger";
 import { KmsError } from "../utils/KmsError";
@@ -56,34 +57,37 @@ export class Settings {
    * @returns An instance of `Settings` containing the loaded settings.
    * @throws Error if the settings policy map is not found or if there is an error parsing the settings policy.
    */
-  public static loadSettings(): Settings {
+  public static loadSettingsFromMap(
+    settingsPolicyMap: ccfapp.KvMap,
+    logContextIn: LogContext,
+  ): Settings {
+    const logContext = logContextIn.appendScope("loadSettingsFromMap");
+
+    Logger.info(`Loading settings from map: ${settingsPolicyMap === undefined ? "undefined" : JSON.stringify(settingsPolicyMap)}`, logContext);
+    Logger.info(`Map size: ${settingsPolicyMap.size}`, logContext);
+
     // Load the settings from the map
-    const settingsPolicyMapName = "public:ccf.gov.policies.settings";
-    const key = "settings_policy";
+    const key = "settings_policy"; // Ensure the key matches the stored key in governance
     const keyBuf = ccf.strToBuf(key);
 
-    const settingsPolicyMap = ccf.kv[settingsPolicyMapName];
-    if (!settingsPolicyMap) {
-      const error = `Settings policy map not found: ${settingsPolicyMapName}`;
-      Logger.error(error, Settings.logContext);
-      throw new KmsError(error, Settings.logContext);
-    }
-
     const settingsPolicy = settingsPolicyMap.get(keyBuf);
+    const settingsPolicyStr = settingsPolicy ? ccf.bufToStr(settingsPolicy) : undefined;
+    Logger.info(`Loading settings: ${settingsPolicyStr}`, logContext);
+
+
     let settings: ISettings;
-    if (!settingsPolicy) {
+    if (!settingsPolicyStr) {
+      Logger.warn(`No settings policy found, using default settings`, logContext);
       settings = Settings.defaultSettings();
     } else {
-      Logger.info(`No settings policy found, using default settings`, Settings.logContext);
       try {
-        settings = JSON.parse(ccf.bufToStr(settingsPolicy)) as ISettings;
+        settings = JSON.parse(settingsPolicyStr) as ISettings;
       } catch {
-        const error = `Failed to parse settings policy: ${ccf.bufToStr(settingsPolicy)}`;
-        Logger.error(error, Settings.logContext);
-        throw new KmsError(error, Settings.logContext);
+        const error = `Failed to parse settings policy: ${settingsPolicyStr}`;
+        Logger.error(error, logContext);
+        throw new KmsError(error, logContext);
       }
     }
-
     return new Settings(settings);
   }
 }

src/repositories/Maps.ts

@@ -11,4 +11,6 @@ export const hpkeKeysMap = new KeyStore("HpkeKeys");
 export const hpkeKeyIdMap = new LastestItemStore<number, string>("HpkeKeyids");
 export const keyReleaseMapName = "public:ccf.gov.policies.key_release";
 export const keyReleasePolicyMap = ccf.kv[keyReleaseMapName];
+export const settingsMapName = "public:ccf.gov.policies.settings";
+export const settingsPolicyMap = ccf.kv[settingsMapName];
 //#endregion

src/utils/ServiceRequest.ts

@@ -6,6 +6,7 @@ import { queryParams } from "./Tooling";
 import { AuthenticationService } from "../authorization/AuthenticationService";
 import { Logger, LogContext } from "./Logger";
 import { Settings } from "../policies/Settings";
+import { settingsPolicyMap } from "../repositories/Maps";
 
 /**
  * A generic request.
@@ -36,7 +37,7 @@ export class ServiceRequest<T> {
     // Set the log level from the settings
     let settings: Settings;
     try {
-      settings = Settings.loadSettings();
+      settings = Settings.loadSettingsFromMap(settingsPolicyMap, this.logContext);
     } catch (error) {
       const errorMessage = `${this.logContext.getBaseScope()}: Error loading settings: ${error}`;
       Logger.error(errorMessage, this.logContext);

test/unit-test/policies/Settings.test.ts

@@ -4,10 +4,11 @@
 // Use the CCF polyfill to mock-up all key-value map functionality for unit-test
 import "@microsoft/ccf-app/polyfill.js";
 import { describe, expect, jest, test } from "@jest/globals";
-import { Settings } from "../../../src/policies/Settings";
-import { Logger, LogLevel } from "../../../src/utils/Logger";
+import { ISettings, Settings } from "../../../src/policies/Settings";
+import { LogContext, Logger, LogLevel } from "../../../src/utils/Logger";
 
 describe("Test Settings Policy properties", () => {
+
   test("Should get all data successfully", () => {
     // Arrange
     const settings = Settings.defaultSettings();
@@ -66,4 +67,53 @@ describe("Test Settings Policy properties", () => {
     // Clean up
     debugSpy.mockRestore();
   });
+
+  test("Should load settings from map successfully", () => {
+    // Arrange
+    const settingsPolicyMap = globalThis.ccf.kv["public:ccf.gov.policies.settings"];
+    settingsPolicyMap.clear();
+    const settingsPolicyValue = globalThis.ccf.strToBuf(JSON.stringify({
+      service: {
+        name: "azure-privacy-sandbox-kms",
+        description: "Key Management Service",
+        version: "10.0.0",
+        debug: true
+      }
+    }));
+    settingsPolicyMap.set("settings_policy", settingsPolicyValue);
+
+    // Act
+    const settings = Settings.loadSettingsFromMap(settingsPolicyMap, new LogContext().appendScope("loadSettingsFromMap")).settings as ISettings;
+
+    // Assert
+    expect(settings.service.name).toBe("azure-privacy-sandbox-kms");
+    expect(settings.service.description).toBe("Key Management Service");
+    expect(settings.service.version).toBe("10.0.0");
+    expect(settings.service.debug).toBe(true);
+  });
+
+  test("Should load default settings when settings are found on map successfully", () => {
+    // Arrange
+    const settingsPolicyMap = globalThis.ccf.kv["public:ccf.gov.policies.settings"];
+    settingsPolicyMap.clear();
+
+    const settingsPolicyValue = globalThis.ccf.strToBuf(JSON.stringify({
+      service: {
+        name: "azure-privacy-sandbox-kms",
+        description: "Key Management Service",
+        version: "10.0.0",
+        debug: false
+      }
+    }));
+    settingsPolicyMap.set("dummy", settingsPolicyValue);
+
+    // Act
+    const settings = Settings.loadSettingsFromMap(settingsPolicyMap, new LogContext().appendScope("loadSettingsFromMap")).settings as ISettings;
+
+    // Assert
+    expect(settings.service.name).toBe("azure-privacy-sandbox-kms");
+    expect(settings.service.description).toBe("Key Management Service");
+    expect(settings.service.version).toBe("1.0.0");
+    expect(settings.service.debug).toBe(false);
+  });
 });