valitydev · ttt161 · Jun 19, 2025 · Jun 20, 2025 · Jun 20, 2025
diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -14,4 +14,4 @@ ENV CHARSET=UTF-8
 ENV LANG=C.UTF-8
 
 # Set runtime
-CMD ["/bin/bash"]
+CMD ["/bin/bash"]
diff --git a/apps/akm/src/akm.app.src b/apps/akm/src/akm.app.src
@@ -16,8 +16,6 @@
         scoper,
         jose,
         jsx,
-        epgsql,
-        epgsql_pool,
         cowboy_draining_server,
         cowboy_cors,
         cowboy_access_log,
@@ -32,7 +30,6 @@
         woody_user_identity,
         erlydtl,
         gen_smtp,
-        canal,
         opentelemetry_api,
         opentelemetry_exporter,
         opentelemetry

diff --git a/apps/akm/src/akm_apikeys_handler.erl b/apps/akm/src/akm_apikeys_handler.erl
@@ -58,7 +58,10 @@
 
 %% Providers
 -spec prepare(operation_id(), request_data(), handler_context(), handler_opts()) -> {ok, request_state()}.
-prepare('IssueApiKey' = OperationID, #{'partyId' := PartyID, 'ApiKeyIssue' := ApiKey}, Context, _Opts) ->
+prepare(OperationID, #{'partyId' := PartyID, 'ApiKeyIssue' := ApiKey}, Context, _Opts) when
+    OperationID =:= 'IssueApiKey';
+    OperationID =:= 'IssueApiKeyPrivate'
+->
     Authorize = fun() ->
         Prototypes = [{operation, #{id => OperationID, party => PartyID}}],
         Resolution = akm_auth:authorize_operation(Prototypes, Context),
@@ -77,7 +80,10 @@ prepare('IssueApiKey' = OperationID, #{'partyId' := PartyID, 'ApiKeyIssue' := Ap
         end
     end,
     {ok, #{authorize => Authorize, process => Process}};
-prepare('GetApiKey' = OperationID, #{'partyId' := PartyID, 'apiKeyId' := ApiKeyId}, Context, _Opts) ->
+prepare(OperationID, #{'partyId' := PartyID, 'apiKeyId' := ApiKeyId}, Context, _Opts) when
+    OperationID =:= 'GetApiKey';
+    OperationID =:= 'GetApiKeyPrivate'
+->
     Result = akm_apikeys_processing:get_api_key(ApiKeyId),
     Authorize = fun() ->
         ApiKey = extract_api_key(Result),
@@ -95,7 +101,7 @@ prepare('GetApiKey' = OperationID, #{'partyId' := PartyID, 'apiKeyId' := ApiKeyI
     end,
     {ok, #{authorize => Authorize, process => Process}};
 prepare(
-    'ListApiKeys' = OperationID,
+    OperationID,
     #{
         'partyId' := PartyID,
         'limit' := Limit,
@@ -104,7 +110,10 @@ prepare(
     },
     Context,
     _Opts
-) ->
+) when
+    OperationID =:= 'ListApiKeys';
+    OperationID =:= 'ListApiKeysPrivate'
+->
     Authorize = fun() ->
         Prototypes = [{operation, #{id => OperationID, party => PartyID}}],
         Resolution = akm_auth:authorize_operation(Prototypes, Context),
@@ -139,6 +148,25 @@ prepare('RequestRevokeApiKey' = OperationID, Params, Context, _Opts) ->
         end
     end,
     {ok, #{authorize => Authorize, process => Process}};
+prepare('RequestRevokeApiKeyPrivate', Params, Context, _Opts) ->
+    #{
+        'partyId' := PartyID,
+        'apiKeyId' := ApiKeyId,
+        'RequestRevoke' := #{<<"status">> := Status}
+    } = Params,
+    Authorize = fun() ->
+        {ok, allowed}
+    end,
+    Process = fun() ->
+        #{woody_context := WoodyContext} = Context,
+        case akm_apikeys_processing:force_revoke(PartyID, ApiKeyId, Status, WoodyContext) of
+            ok ->
+                akm_handler_utils:reply_ok(204);
+            {error, not_found} ->
+                akm_handler_utils:reply_error(404)
+        end
+    end,
+    {ok, #{authorize => Authorize, process => Process}};
 prepare(
     'RevokeApiKey' = OperationID,
     #{'partyId' := PartyID, 'apiKeyId' := ApiKeyId, 'apiKeyRevokeToken' := Token},

diff --git a/apps/akm/src/akm_apikeys_processing.erl b/apps/akm/src/akm_apikeys_processing.erl
@@ -9,6 +9,7 @@
 -export([list_api_keys/4]).
 -export([request_revoke/4]).
 -export([revoke/3]).
+-export([force_revoke/4]).
 
 -type list_keys_response() :: #{
     results => [map()],
@@ -33,7 +34,7 @@ issue_api_key(PartyID, #{<<"name">> := Name} = ApiKey0, WoodyContext) ->
     Client = token_keeper_client:offline_authority(get_authority_id(), WoodyContext),
     case token_keeper_authority_offline:create(ID, ContextFragment, Metadata, Client) of
         {ok, #{token := Token}} ->
-            {ok, _, Columns, Rows} = epgsql_pool:query(
+            {ok, _, Columns, Rows} = epg_pool:query(
                 main_pool,
                 "INSERT INTO apikeys (id, name, party_id, status, pending_status, metadata)"
                 "VALUES ($1, $2, $3, $4, $5, $6) RETURNING id, name, status, metadata, created_at",
@@ -51,7 +52,7 @@ issue_api_key(PartyID, #{<<"name">> := Name} = ApiKey0, WoodyContext) ->
 
 -spec get_api_key(binary()) -> {ok, map()} | {error, not_found}.
 get_api_key(ApiKeyId) ->
-    Result = epgsql_pool:query(
+    Result = epg_pool:query(
         main_pool,
         "SELECT id, name, status, metadata, created_at FROM apikeys WHERE id = $1",
         [ApiKeyId]
@@ -87,11 +88,11 @@ request_revoke(Email, PartyID, ApiKeyId, Status) ->
         {ok, _ApiKey} ->
             Token = akm_id:generate_snowflake_id(),
             try
-                epgsql_pool:transaction(
+                epg_pool:transaction(
                     main_pool,
                     fun(Worker) ->
                         ok = akm_mailer:send_revoke_mail(Email, PartyID, ApiKeyId, Token),
-                        epgsql_pool:query(
+                        epg_pool:query(
                             Worker,
                             "UPDATE apikeys SET pending_status = $1, revoke_token = $2 "
                             "WHERE id = $3",
@@ -109,6 +110,35 @@ request_revoke(Email, PartyID, ApiKeyId, Status) ->
             end
     end.
 
+-spec force_revoke(binary(), binary(), binary(), binary()) ->
+    ok | {error, not_found}.
+force_revoke(_PartyID, ApiKeyId, Status, WoodyContext) ->
+    case get_full_api_key(ApiKeyId) of
+        {error, not_found} ->
+            {error, not_found};
+        {ok, _ApiKey} ->
+            Client = token_keeper_client:offline_authority(get_authority_id(), WoodyContext),
+            try
+                epg_pool:transaction(
+                    main_pool,
+                    fun(Worker) ->
+                        {ok, _} = token_keeper_authority_offline:revoke(ApiKeyId, Client),
+                        epg_pool:query(
+                            Worker,
+                            "UPDATE apikeys SET status = $1, revoke_token = null WHERE id = $2",
+                            [Status, ApiKeyId]
+                        )
+                    end
+                )
+            of
+                {ok, 1} -> ok
+            catch
+                Ex:Er ->
+                    logger:error("Can`t revoke ApiKey ~p with error: ~p:~p", [ApiKeyId, Ex, Er]),
+                    {error, not_found}
+            end
+    end.
+
 -spec revoke(binary(), binary(), woody_context()) -> ok | {error, not_found}.
 revoke(ApiKeyId, RevokeToken, WoodyContext) ->
     case get_full_api_key(ApiKeyId) of
@@ -118,11 +148,11 @@ revoke(ApiKeyId, RevokeToken, WoodyContext) ->
         }} ->
             Client = token_keeper_client:offline_authority(get_authority_id(), WoodyContext),
             try
-                epgsql_pool:transaction(
+                epg_pool:transaction(
                     main_pool,
                     fun(Worker) ->
                         {ok, _} = token_keeper_authority_offline:revoke(ApiKeyId, Client),
-                        epgsql_pool:query(
+                        epg_pool:query(
                             Worker,
                             "UPDATE apikeys SET status = $1, revoke_token = null WHERE id = $2",
                             [PendingStatus, ApiKeyId]
@@ -146,7 +176,7 @@ get_authority_id() ->
     application:get_env(akm, authority_id, undefined).
 
 get_full_api_key(ApiKeyId) ->
-    Result = epgsql_pool:query(
+    Result = epg_pool:query(
         main_pool,
         "SELECT * FROM apikeys WHERE id = $1",
         [ApiKeyId]
@@ -160,14 +190,14 @@ get_full_api_key(ApiKeyId) ->
     end.
 
 get_keys(PartyID, undefined, Limit, Offset) ->
-    epgsql_pool:query(
+    epg_pool:query(
         main_pool,
         "SELECT id, name, status, metadata, created_at FROM apikeys where party_id = $1 "
         "ORDER BY created_at DESC LIMIT $2 OFFSET $3",
         [PartyID, Limit, Offset]
     );
 get_keys(PartyID, Status, Limit, Offset) ->
-    epgsql_pool:query(
+    epg_pool:query(
         main_pool,
         "SELECT id, name, status, metadata, created_at FROM apikeys where party_id = $1 AND status = $2 "
         "ORDER BY created_at DESC LIMIT $3 OFFSET $4",

diff --git a/apps/akm/src/akm_handler.erl b/apps/akm/src/akm_handler.erl
@@ -102,6 +102,27 @@ handle_request_(OperationID, Req, SwagContext, Opts) ->
             })
     end.
 
+process_request(OperationID, Req, SwagContext, Opts, WoodyContext) when
+    OperationID =:= 'IssueApiKeyPrivate';
+    OperationID =:= 'GetApiKeyPrivate';
+    OperationID =:= 'ListApiKeysPrivate';
+    OperationID =:= 'RequestRevokeApiKeyPrivate'
+->
+    case application:get_env(akm, private_methods_enabled, false) of
+        true ->
+            _ = logger:info("Processing request ~p", [OperationID]),
+            try
+                Context = create_handler_context(OperationID, SwagContext, WoodyContext),
+                {ok, RequestState} = akm_apikeys_handler:prepare(OperationID, Req, Context, Opts),
+                #{process := Process} = RequestState,
+                Process()
+            catch
+                error:{woody_error, {Source, Class, Details}} ->
+                    process_woody_error(Source, Class, Details)
+            end;
+        false ->
+            akm_handler_utils:reply_error(501)
+    end;
 process_request(OperationID, Req, SwagContext0, Opts, WoodyContext0) ->
     _ = logger:info("Processing request ~p", [OperationID]),
     try

diff --git a/apps/akm/src/akm_sup.erl b/apps/akm/src/akm_sup.erl
@@ -5,12 +5,6 @@
 
 -behaviour(supervisor).
 
--include("akm.hrl").
-
--define(VAULT_TOKEN_PATH, "/var/run/secrets/kubernetes.io/serviceaccount/token").
--define(VAULT_ROLE, <<"api-key-mgmt-v2">>).
--define(VAULT_KEY_PG_CREDS, <<"api-key-mgmt-v2/pg_creds">>).
-
 %% API
 -export([start_link/0]).
 
@@ -27,14 +21,13 @@ start_link() ->
 
 -spec init([]) -> {ok, {supervisor:sup_flags(), [supervisor:child_spec()]}}.
 init([]) ->
-    ok = maybe_set_secrets(),
+    {ok, _} = application:ensure_all_started(epg_connector),
     ok = dbinit(),
     {LogicHandlers, LogicHandlerSpecs} = get_logic_handler_info(),
     HealthCheck = enable_health_logging(genlib_app:env(akm, health_check, #{})),
     AdditionalRoutes = [{'_', [erl_health_handle:get_route(HealthCheck), get_prometheus_route()]}],
     SwaggerHandlerOpts = genlib_app:env(akm, swagger_handler_opts, #{}),
     SwaggerSpec = akm_swagger_server:child_spec(AdditionalRoutes, LogicHandlers, SwaggerHandlerOpts),
-    ok = start_epgsql_pooler(),
     {ok, {
         {one_for_all, 0, 1},
         LogicHandlerSpecs ++ [SwaggerSpec]
@@ -54,12 +47,6 @@ enable_health_logging(Check) ->
     EvHandler = {erl_health_event_handler, []},
     maps:map(fun(_, {_, _, _} = V) -> #{runner => V, event_handler => EvHandler} end, Check).
 
-start_epgsql_pooler() ->
-    Params = genlib_app:env(akm, epsql_connection, #{}),
-    ok = epgsql_pool:validate_connection_params(Params),
-    {ok, _} = epgsql_pool:start(main_pool, 10, 20, Params),
-    ok.
-
 -spec get_prometheus_route() -> {iodata(), module(), _Opts :: any()}.
 get_prometheus_route() ->
     {"/metrics/[:registry]", prometheus_cowboy2_handler, []}.
@@ -82,99 +69,16 @@ dbinit() ->
 
 set_database_url() ->
     {ok, #{
-        host := PgHost,
-        port := PgPort,
-        username := PgUser,
-        password := PgPassword,
-        database := DbName
-    }} = application:get_env(akm, epsql_connection),
-    %% DATABASE_URL=postgresql://postgres:postgres@db/apikeymgmtv2
+        'api-key-mgmt-v2' := #{
+            host := PgHost,
+            port := PgPort,
+            username := PgUser,
+            password := PgPassword,
+            database := DbName
+        }
+    }} = application:get_env(epg_connector, databases),
+    %% DATABASE_URL=postgresql://postgres:postgres@db/api-key-mgmt-v2
     PgPortStr = erlang:integer_to_list(PgPort),
     Value =
         "postgresql://" ++ PgUser ++ ":" ++ PgPassword ++ "@" ++ PgHost ++ ":" ++ PgPortStr ++ "/" ++ DbName,
     true = os:putenv("DATABASE_URL", Value).
-
-maybe_set_secrets() ->
-    TokenPath = application:get_env(akm, vault_token_path, ?VAULT_TOKEN_PATH),
-    try vault_client_auth(TokenPath) of
-        ok ->
-            Key = application:get_env(akm, vault_key_pg_creds, ?VAULT_KEY_PG_CREDS),
-            set_secrets(canal:read(Key));
-        Error ->
-            logger:error("can`t auth vault client with error: ~p", [Error]),
-            skip
-    catch
-        _:_ ->
-            logger:error("catch exception when auth vault client"),
-            skip
-    end,
-    ok.
-
-set_secrets(
-    {
-        ok, #{
-            <<"pg_creds">> := #{
-                <<"pg_user">> := PgUser,
-                <<"pg_password">> := PgPassword
-            }
-        }
-    }
-) ->
-    logger:info("postgres credentials successfuly read from vault (as json)"),
-    {ok, ConnOpts} = application:get_env(akm, epsql_connection),
-    application:set_env(
-        akm,
-        epsql_connection,
-        ConnOpts#{
-            username => unicode:characters_to_list(PgUser),
-            password => unicode:characters_to_list(PgPassword)
-        }
-    ),
-    ok;
-set_secrets({ok, #{<<"pg_creds">> := PgCreds}}) ->
-    logger:info("postgres credentials successfuly read from vault (as string)"),
-    set_secrets({ok, #{<<"pg_creds">> => jsx:decode(PgCreds, [return_maps])}});
-set_secrets(Error) ->
-    logger:error("can`t read postgres credentials from vault with error: ~p", [Error]),
-    skip.
-
-vault_client_auth(TokenPath) ->
-    case read_maybe_linked_file(TokenPath) of
-        {ok, Token} ->
-            Role = application:get_env(akm, vault_role, ?VAULT_ROLE),
-            canal:auth({kubernetes, Role, Token});
-        Error ->
-            Error
-    end.
-
-read_maybe_linked_file(MaybeLinkName) ->
-    case file:read_link(MaybeLinkName) of
-        {error, enoent} = Result ->
-            Result;
-        {error, einval} ->
-            file:read_file(MaybeLinkName);
-        {ok, Filename} ->
-            file:read_file(maybe_expand_relative(MaybeLinkName, Filename))
-    end.
-
-maybe_expand_relative(BaseFilename, Filename) ->
-    filename:absname_join(filename:dirname(BaseFilename), Filename).
-
--ifdef(TEST).
--include_lib("eunit/include/eunit.hrl").
-
--spec test() -> _.
-
--spec set_secrets_error_test() -> _.
-set_secrets_error_test() ->
-    ?assertEqual(skip, set_secrets(error)).
-
--spec read_error_test() -> _.
-read_error_test() ->
-    ?assertEqual({error, enoent}, read_maybe_linked_file("unknown_file")).
-
--spec vault_auth_error_test() -> _.
-vault_auth_error_test() ->
-    ?assertEqual({error, enoent}, vault_client_auth("unknown_file")).
-
--endif.