feat: Implement private key store backed by GCP KMS (#1)

https://cloud.google.com/security-key-management Fixes relaycorp/relayverse#37 TODO - [x] Session keys: Use CRC32C to verify integrity: https://cloud.google.com/kms/docs/data-integrity-guidelines#calculating_and_verifying_checksums - [x] Identity keys: Use CRC32C: https://cloud.google.com/kms/docs/data-integrity-guidelines - [x] Verify the `.name` of the resource in each response: https://cloud.google.com/kms/docs/data-integrity-guidelines#verifying_resource_names - [x] Wrap API call errors, since their stack traces are utterly useless to infer context. - [x] Enable timeouts in all API calls, especially Datastore. - [x] Enable retries in all API calls. - [x] Remove code to automagically pick unlinked version (first run) - [x] Write functional tests against actual GCP APIs.
relaycorp · May 11, 2022 · 728c7fb · 728c7fb
1 parent 9fb7280
commit 728c7fb
Show file tree

Hide file tree

Showing 33 changed files with 2,751 additions and 28 deletions.
diff --git a/.npmignore b/.npmignore
@@ -1,8 +1,9 @@
 *
 
 !build/main/**
+build/main/testUtils
 !build/module/**
-_test_utils.*
+build/modules/testUtils
 *.spec.js*
 
 !LICENSE

diff --git a/docs/gcp.md b/docs/gcp.md
@@ -0,0 +1,5 @@
+# GCP-powered Awala key stores
+
+## Limitations
+
+- All the GCP resources must be located in the same GCP project and region.
diff --git a/jest.config.js b/jest.config.js
@@ -29,7 +29,7 @@ module.exports = {
 
   // An array of regexp pattern strings used to skip coverage collection
   coveragePathIgnorePatterns: [
-    "_test_utils\.[tj]s",
+    "/testUtils",
   ],
 
   // A list of reporter names that Jest uses when writing coverage reports