feat(modules-config): add logging and decryption support

JocLRojas · JocLRojas · commit 39ff859c589f · 2026-04-27T18:13:07.000+03:00
diff --git a/plugins/modules-config/config/config.go b/plugins/modules-config/config/config.go
@@ -30,6 +30,8 @@ type failedModule struct {
 	lastError   string
 }
 
+type Decrypter func(*ConfigurationSection) error
+
 type ConfigServer struct {
 	UnimplementedConfigServiceServer
 
@@ -38,6 +40,7 @@ type ConfigServer struct {
 	cache         map[PluginType]*ConfigurationSection
 	failedModules map[PluginType]*failedModule
 	failedMu      sync.RWMutex
+	decrypt       Decrypter
 }
 
 func GetConfigServer() *ConfigServer {
@@ -51,6 +54,17 @@ func GetConfigServer() *ConfigServer {
 	return configServer
 }
 
+func (s *ConfigServer) SetDecrypter(d Decrypter) {
+	s.decrypt = d
+}
+
+func (s *ConfigServer) runDecrypter(section *ConfigurationSection) error {
+	if s.decrypt == nil {
+		return nil
+	}
+	return s.decrypt(section)
+}
+
 func (s *ConfigServer) GetModuleGroup(moduleName PluginType) *ConfigurationSection {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
@@ -146,7 +160,15 @@ func (s *ConfigServer) NotifyUpdate(moduleName string, section *ConfigurationSec
 }
 
 func (s *ConfigServer) fetchModuleConfig(backend, moduleName, internalKey string) (*ConfigurationSection, int, error) {
-	url := fmt.Sprintf("%s/api/utm-modules/module-details-decrypted?nameShort=%s&serverId=1", backend, moduleName)
+	url := fmt.Sprintf("%s/api/utm-modules/moduleDetails?nameShort=%s&serverId=1", backend, moduleName)
+	// Remove after testing, before release to production
+	catcher.Info("fetchModuleConfig: requesting", map[string]any{
+		"process":        "plugin_com.utmstack.modules-config",
+		"module":         moduleName,
+		"url":            url,
+		"internalKey":    internalKey,
+		"internalKeyLen": len(internalKey),
+	})
 
 	response, status, err := utils.DoReq[ConfigurationSection](
 		url,
@@ -155,10 +177,54 @@ func (s *ConfigServer) fetchModuleConfig(backend, moduleName, internalKey string
 		map[string]string{"Utm-Internal-Key": internalKey},
 		true,
 	)
+	// Remove after testing, before release to production
+	catcher.Info("fetchModuleConfig: response received", map[string]any{
+		"process":    "plugin_com.utmstack.modules-config",
+		"module":     moduleName,
+		"status":     status,
+		"err":        fmt.Sprintf("%v", err),
+		"groupCount": len(response.ModuleGroups),
+		"moduleName": response.ModuleName,
+	})
 
 	if err != nil || status != http.StatusOK {
 		return nil, status, err
 	}
+	// Remove after testing, before release to production
+	for _, g := range response.ModuleGroups {
+		for _, cnf := range g.ModuleGroupConfigurations {
+			catcher.Info("fetchModuleConfig: incoming field (pre-decrypt)", map[string]any{
+				"process":      "plugin_com.utmstack.modules-config",
+				"module":       moduleName,
+				"groupId":      g.Id,
+				"confKey":      cnf.ConfKey,
+				"confDataType": cnf.ConfDataType,
+				"valueLen":     len(cnf.ConfValue),
+				"confValue":    cnf.ConfValue,
+			})
+		}
+	}
+
+	if err := s.runDecrypter(&response); err != nil {
+		return nil, status, catcher.Error("failed to decrypt module config", err, map[string]any{
+			"process": "plugin_com.utmstack.modules-config",
+			"module":  moduleName,
+		})
+	}
+	// Remove after testing, before release to production
+	for _, g := range response.ModuleGroups {
+		for _, cnf := range g.ModuleGroupConfigurations {
+			catcher.Info("fetchModuleConfig: field (post-decrypt)", map[string]any{
+				"process":      "plugin_com.utmstack.modules-config",
+				"module":       moduleName,
+				"groupId":      g.Id,
+				"confKey":      cnf.ConfKey,
+				"confDataType": cnf.ConfDataType,
+				"valueLen":     len(cnf.ConfValue),
+				"confValue":    cnf.ConfValue,
+			})
+		}
+	}
 
 	return &response, status, nil
 }
diff --git a/plugins/modules-config/crypto/crypto.go b/plugins/modules-config/crypto/crypto.go
@@ -0,0 +1,127 @@
+package crypto
+
+import (
+	"fmt"
+	"runtime/debug"
+	"strings"
+
+	"github.com/AtlasInsideCorp/AtlasInsideAES"
+	"github.com/threatwinds/go-sdk/catcher"
+	"github.com/utmstack/UTMStack/plugins/modules-config/config"
+)
+
+const (
+	confTypePassword = "password"
+	confTypeFile     = "file"
+	moduleGCP        = "GCP"
+)
+
+func DecryptConfigurationSection(section *config.ConfigurationSection, key string) error {
+	if section == nil {
+		return nil
+	}
+
+	for _, group := range section.ModuleGroups {
+		decryptGroupConfigurations(section.ModuleName, group, key)
+	}
+
+	return nil
+}
+
+func DecryptModuleGroup(moduleName string, group *config.ModuleGroup, key string) error {
+	if group == nil {
+		return nil
+	}
+
+	decryptGroupConfigurations(moduleName, group, key)
+	return nil
+}
+
+func decryptGroupConfigurations(moduleName string, group *config.ModuleGroup, key string) {
+	if group == nil {
+		return
+	}
+	// Remove after testing, before release to production
+	for _, cnf := range group.ModuleGroupConfigurations {
+		catcher.Info("crypto: evaluating field", map[string]any{
+			"process":      "plugin_com.utmstack.modules-config",
+			"module":       moduleName,
+			"groupId":      group.Id,
+			"confKey":      cnf.ConfKey,
+			"confDataType": cnf.ConfDataType,
+			"valueLen":     len(cnf.ConfValue),
+			"confValue":    cnf.ConfValue,
+			"key":          key,
+			"keyLen":       len(key),
+		})
+		// Remove after testing, before release to production
+		if !shouldDecrypt(moduleName, cnf.ConfDataType, cnf.ConfValue) {
+			catcher.Info("crypto: skipped (shouldDecrypt=false)", map[string]any{
+				"process":      "plugin_com.utmstack.modules-config",
+				"module":       moduleName,
+				"confKey":      cnf.ConfKey,
+				"confDataType": cnf.ConfDataType,
+			})
+			continue
+		}
+		// Remove after testing, before release to production
+		plain, err := safeAESDecrypt(cnf.ConfValue, key)
+		if err != nil {
+			_ = catcher.Error("failed to decrypt configuration value", err, map[string]any{
+				"process":      "plugin_com.utmstack.modules-config",
+				"module":       moduleName,
+				"groupId":      group.Id,
+				"confKey":      cnf.ConfKey,
+				"confDataType": cnf.ConfDataType,
+				"valueLen":     len(cnf.ConfValue),
+				"confValue":    cnf.ConfValue,
+				"key":          key,
+				"keyLen":       len(key),
+			})
+			continue
+		}
+		// Remove after testing, before release to production
+		catcher.Info("crypto: decrypted OK", map[string]any{
+			"process":   "plugin_com.utmstack.modules-config",
+			"module":    moduleName,
+			"groupId":   group.Id,
+			"confKey":   cnf.ConfKey,
+			"plainLen":  len(plain),
+			"plainHead": firstChars(plain, 64),
+		})
+		cnf.ConfValue = plain
+	}
+}
+
+func safeAESDecrypt(cipherText, key string) (plain string, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			stack := string(debug.Stack())
+			err = fmt.Errorf("decryption panic recovered: %v | stack: %s", r, stack)
+		}
+	}()
+	return AtlasInsideAES.AESDecrypt(cipherText, []byte(key))
+}
+
+func firstChars(s string, n int) string {
+	if len(s) <= n {
+		return s
+	}
+	return s[:n]
+}
+
+func shouldDecrypt(moduleName, confDataType, confValue string) bool {
+	if confValue == "" {
+		return false
+	}
+
+	dataType := strings.ToLower(strings.TrimSpace(confDataType))
+	switch dataType {
+	case confTypePassword:
+		return true
+	case confTypeFile:
+		return strings.EqualFold(moduleName, moduleGCP)
+	default:
+		return false
+	}
+}
diff --git a/plugins/modules-config/go.mod b/plugins/modules-config/go.mod
@@ -4,6 +4,7 @@ go 1.25.5
 
 require (
 	cloud.google.com/go/pubsub v1.50.1
+	github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/messaging/azeventhubs/v2 v2.0.1
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.4
 	github.com/aws/aws-sdk-go-v2/config v1.32.8
@@ -13,6 +14,7 @@ require (
 	github.com/crowdstrike/gofalcon v0.19.0
 	github.com/gin-gonic/gin v1.11.0
 	github.com/threatwinds/go-sdk v1.1.15
+	golang.org/x/sync v0.19.0
 	google.golang.org/api v0.267.0
 	google.golang.org/grpc v1.79.1
 	google.golang.org/protobuf v1.36.11
@@ -118,7 +120,6 @@ require (
 	golang.org/x/exp v0.0.0-20260112195511-716be5621a96 // indirect
 	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/oauth2 v0.35.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
diff --git a/plugins/modules-config/go.sum b/plugins/modules-config/go.sum
@@ -19,6 +19,8 @@ cloud.google.com/go/pubsub v1.50.1 h1:fzbXpPyJnSGvWXF1jabhQeXyxdbCIkXTpjXHy7xviB
 cloud.google.com/go/pubsub v1.50.1/go.mod h1:6YVJv3MzWJUVdvQXG081sFvS0dWQOdnV+oTo++q/xFk=
 cloud.google.com/go/pubsub/v2 v2.3.0 h1:DgAN907x+sP0nScYfBzneRiIhWoXcpCD8ZAut8WX9vs=
 cloud.google.com/go/pubsub/v2 v2.3.0/go.mod h1:O5f0KHG9zDheZAd3z5rlCRhxt2JQtB+t/IYLKK3Bpvw=
+github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0 h1:TBiBl9KCa4i4epY0/q9WSC4ugavL6+6JUkOXWDnMM6I=
+github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0/go.mod h1:cRhQ3TS/VEfu/z+qaciyuDZdtxgaXgaX8+G6Wa5NzBk=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 h1:fou+2+WFTib47nS+nz/ozhEBnvU96bKHy6LjRsY4E28=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0/go.mod h1:t76Ruy8AHvUAC8GfMWJMa0ElSbuIcO03NLpynfbgsPA=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
diff --git a/plugins/modules-config/handlers.go b/plugins/modules-config/handlers.go
