Refactor AWS and Azure object store credential retrieval by centralizing validation logic and removing redundant service manager checks

Author: KoblerS

lib/aws-s3.js

@@ -103,31 +103,8 @@ module.exports = class AWSAttachmentsService extends require("./basic") {
         return
       }
 
-      // Validate Service Manager configuration
-      const serviceManagerCreds = cds.env.requires?.serviceManager?.credentials
-      if (!serviceManagerCreds) {
-        logConfig.configValidation('serviceManager.credentials', serviceManagerCreds, false,
-          'Bind a Service Manager instance for separate object store mode')
-        throw new Error("Service Manager Instance is not bound")
-      }
-
-      const { sm_url, url, clientid, clientsecret, certificate, key, certurl } = serviceManagerCreds
-
-      // Validate required Service Manager fields
-      const requiredSmFields = ['sm_url', 'url', 'clientid']
-      const missingSmFields = requiredSmFields.filter(field => !serviceManagerCreds[field])
-
-      if (missingSmFields.length > 0) {
-        logConfig.configValidation('serviceManager.credentials', serviceManagerCreds, false,
-          `Service Manager credentials missing: ${missingSmFields.join(', ')}`)
-        throw new Error(`Missing Service Manager credentials: ${missingSmFields.join(', ')}`)
-      }
-
-      logConfig.debug('Fetching access token for tenant', { tenantID, sm_url })
-      const token = await utils.fetchToken(url, clientid, clientsecret, certificate, key, certurl)
-
       logConfig.debug('Fetching object store credentials for tenant', { tenantID })
-      const objectStoreCreds = await utils.getObjectStoreCredentials(tenantID, sm_url, token)
+      const objectStoreCreds = await utils.getObjectStoreCredentials(tenantID)
 
       if (!objectStoreCreds) {
         logConfig.withSuggestion('error',

lib/azure-blob-storage.js

@@ -95,31 +95,8 @@ module.exports = class AzureAttachmentsService extends require("./basic") {
         return
       }
 
-      // Validate Service Manager configuration
-      const serviceManagerCreds = cds.env.requires?.serviceManager?.credentials
-      if (!serviceManagerCreds) {
-        logConfig.configValidation('serviceManager.credentials', serviceManagerCreds, false,
-          'Bind a Service Manager instance for separate object store mode')
-        throw new Error("Service Manager Instance is not bound")
-      }
-
-      const { sm_url, url, clientid, clientsecret, certificate, key, certurl } = serviceManagerCreds
-
-      // Validate required Service Manager fields
-      const requiredSmFields = ['sm_url', 'url', 'clientid']
-      const missingSmFields = requiredSmFields.filter(field => !serviceManagerCreds[field])
-
-      if (missingSmFields.length > 0) {
-        logConfig.configValidation('serviceManager.credentials', serviceManagerCreds, false,
-          `Service Manager credentials missing: ${missingSmFields.join(', ')}`)
-        throw new Error(`Missing Service Manager credentials: ${missingSmFields.join(', ')}`)
-      }
-
-      logConfig.debug('Fetching access token for tenant', { tenantID, sm_url })
-      const token = await utils.fetchToken(url, clientid, clientsecret, certificate, key, certurl)
-
       logConfig.debug('Fetching object store credentials for tenant', { tenantID })
-      const objectStoreCreds = await utils.getObjectStoreCredentials(tenantID, sm_url, token)
+      const objectStoreCreds = await utils.getObjectStoreCredentials(tenantID)
 
       if (!objectStoreCreds) {
         logConfig.withSuggestion('error',

lib/helper.js

@@ -1,53 +1,117 @@
 const axios = require('axios')
 const https = require("https")
 const { logConfig } = require('./logger')
+const cds = require('@sap/cds')
+
+/**
+ * Validates the presence of required Service Manager credentials
+ * @param {*} serviceManagerCreds - Service Manager credentials object
+ * @throws Will throw an error if validation fails
+ */
+function validateServiceManagerCredentials(serviceManagerCreds) {
+  if (!serviceManagerCreds) {
+    logConfig.configValidation('serviceManager.credentials', serviceManagerCreds, false,
+      'Bind a Service Manager instance for separate object store mode')
+    throw new Error("Service Manager Instance is not bound")
+  }
 
-async function getObjectStoreCredentials(tenantID, sm_url, token) {
-  logConfig.processStep('Fetching object store credentials', { tenantID, sm_url })
+  const requiredSmFields = ['sm_url', 'url', 'clientid']
+  const missingSmFields = requiredSmFields.filter(field => !serviceManagerCreds[field])
+
+  if (missingSmFields.length > 0) {
+    logConfig.configValidation('serviceManager.credentials', serviceManagerCreds, false,
+      `Service Manager credentials missing: ${missingSmFields.join(', ')}`)
+    throw new Error(`Missing Service Manager credentials: ${missingSmFields.join(', ')}`)
+  }
+}
 
-  // Validate inputs
+/**
+ * Validates the inputs required for fetching object store credentials
+ * @param {string} tenantID - Tenant ID
+ * @param {string} sm_url - Service Manager URL
+ * @param {string} token - Access token
+ * @returns 
+ */
+function validateInputs(tenantID, sm_url, token) {
   if (!tenantID) {
     logConfig.withSuggestion('error', 'Tenant ID is required for object store credentials', null,
       'Ensure multitenancy is properly configured and tenant context is available', { tenantID })
-    return null
+    return false
   }
 
   if (!sm_url) {
     logConfig.configValidation('serviceManager.credentials.sm_url', sm_url, false,
       'Bind a Service Manager instance to your application')
-    return null
+    return false
   }
 
   if (!token) {
     logConfig.withSuggestion('error', 'Access token is required for Service Manager API', null,
       'Check if token fetching completed successfully', { hasToken: !!token })
+    return false
+  }
+
+  return true
+}
+
+/**
+ * Fetches object store service binding from Service Manager
+ * @param {string} sm_url - Service Manager URL
+ * @param {string} tenantID - Tenant ID
+ * @param {string} token - Access token
+ * @returns {Promise<Array>} - Promise resolving to array of service bindings
+ */
+async function fetchObjectStoreBinding(sm_url, tenantID, token) {
+  logConfig.debug('Making Service Manager API call', {
+    tenantID,
+    endpoint: `${sm_url}/v1/service_bindings`,
+    labelQuery: `service eq 'OBJECT_STORE' and tenant_id eq '${tenantID}'`
+  })
+
+  const response = await axios.get(`${sm_url}/v1/service_bindings`, {
+    params: { labelQuery: `service eq 'OBJECT_STORE' and tenant_id eq '${tenantID}'` },
+    headers: {
+      'Accept': 'application/json',
+      'Authorization': `Bearer ${token}`,
+      'Content-Type': 'application/json'
+    }
+  })
+
+  return response.data?.items || []
+}
+
+/**
+ * Retrieves object store credentials for a given tenant
+ * @param {*} tenantID - Tenant ID
+ * @returns {Promise<Object|null>} - Promise resolving to object store credentials or null
+ */
+async function getObjectStoreCredentials(tenantID) {
+  const serviceManagerCreds = cds.env.requires?.serviceManager?.credentials
+
+  validateServiceManagerCredentials(serviceManagerCreds)
+
+  const { sm_url, url, clientid, clientsecret, certificate, key, certurl } = serviceManagerCreds
+
+  logConfig.debug('Fetching access token for tenant', { tenantID, sm_url: sm_url })
+  const token = await fetchToken(url, clientid, clientsecret, certificate, key, certurl)
+
+  logConfig.processStep('Fetching object store credentials', { tenantID, sm_url })
+
+  if (!validateInputs(tenantID, sm_url, token)) {
     return null
   }
 
   try {
-    logConfig.debug('Making Service Manager API call', {
-      tenantID,
-      endpoint: `${sm_url}/v1/service_bindings`,
-      labelQuery: `service eq 'OBJECT_STORE' and tenant_id eq '${tenantID}'`
-    })
-
-    const response = await axios.get(`${sm_url}/v1/service_bindings`, {
-      params: { labelQuery: `service eq 'OBJECT_STORE' and tenant_id eq '${tenantID}'` },
-      headers: {
-        'Accept': 'application/json',
-        'Authorization': `Bearer ${token}`,
-        'Content-Type': 'application/json'
-      }
-    })
+    const items = await fetchObjectStoreBinding(sm_url, tenantID, token)
 
-    if (!response.data?.items?.length) {
+    if (!items.length) {
       logConfig.withSuggestion('error', `No object store service binding found for tenant`, null,
         'Ensure an Object Store instance is subscribed and bound for this tenant',
-        { tenantID, itemsFound: response.data?.items?.length || 0 })
+        { tenantID, itemsFound: 0 })
       return null
     }
 
-    const credentials = response.data.items[0]
+    const credentials = items[0]
     logConfig.info('Object store credentials retrieved successfully', {
       tenantID,
       hasCredentials: !!credentials,
@@ -72,6 +136,16 @@ async function getObjectStoreCredentials(tenantID, sm_url, token) {
   }
 }
 
+/**
+ * Fetches an OAuth token using either client credentials or MTLS
+ * @param {string} url - Token endpoint URL
+ * @param {string} clientid - Client ID
+ * @param {string} clientsecret - Client Secret
+ * @param {string} certificate - MTLS Certificate
+ * @param {string} key - MTLS Key
+ * @param {string} certURL - MTLS Certificate URL
+ * @returns {Promise<string>} - Promise resolving to access token
+ */
 async function fetchToken(url, clientid, clientsecret, certificate, key, certURL) {
   logConfig.processStep('Determining token fetch method', {
     hasClientCredentials: !!(clientid && clientsecret),
@@ -106,6 +180,13 @@ async function fetchToken(url, clientid, clientsecret, certificate, key, certURL
   }
 }
 
+/**
+ * Fetches OAuth token using client credentials flow
+ * @param {string} url - Token endpoint URL
+ * @param {string} clientid - Client ID
+ * @param {string} clientsecret - Client Secret
+ * @returns 
+ */
 async function fetchTokenWithClientSecret(url, clientid, clientsecret) {
   const startTime = Date.now()
 
@@ -150,6 +231,14 @@ async function fetchTokenWithClientSecret(url, clientid, clientsecret) {
   }
 }
 
+/**
+ * Fetches OAuth token using MTLS authentication
+ * @param {string} certURL - Certificate URL
+ * @param {string} clientid - Client ID
+ * @param {string} certificate - MTLS Certificate
+ * @param {string} key - MTLS Key
+ * @returns {Promise<string>} - Promise resolving to access token
+ */
 async function fetchTokenWithMTLS(certURL, clientid, certificate, key) {
   const startTime = Date.now()
 

tests/unit/unitTests.test.js

@@ -122,28 +122,28 @@ describe('scanRequest', () => {
 describe('getObjectStoreCredentials', () => {
   it('should return credentials from service manager', async () => {
     axios.get.mockResolvedValue({ data: { items: [{ id: 'test-cred' }] } })
-    const creds = await getObjectStoreCredentials('tenant', 'url', 'token')
+    const creds = await getObjectStoreCredentials('tenant')
     expect(creds.id).toBe('test-cred')
   })
 
   it('should return null when tenant ID is missing', async () => {
-    const creds = await getObjectStoreCredentials(null, 'url', 'token')
+    const creds = await getObjectStoreCredentials(null)
     expect(creds).toBeNull()
   })
 
   it('should return null when sm_url is missing', async () => {
-    const creds = await getObjectStoreCredentials('tenant', null, 'token')
+    const creds = await getObjectStoreCredentials('tenant')
     expect(creds).toBeNull()
   })
 
   it('should return null when token is missing', async () => {
-    const creds = await getObjectStoreCredentials('tenant', 'url', null)
+    const creds = await getObjectStoreCredentials('tenant')
     expect(creds).toBeNull()
   })
 
   it('should handle error gracefully and return null', async () => {
     axios.get.mockRejectedValue(new Error('fail'))
-    const creds = await getObjectStoreCredentials('tenant', 'url', 'token')
+    const creds = await getObjectStoreCredentials('tenant')
     expect(creds).toBeNull()
   })
 })