Added Oracle KMS support to KSM JavaScript SDK

.gitignore

@@ -64,4 +64,7 @@ keeper.ini*
 .secrets
 ansible.cfg
 
+# Except typescript configuration
+!tsconfig.json
+
 .gradle/

sdk/javascript/.gitignore

@@ -2,3 +2,4 @@
 **/node_modules
 /packages/core/configs
 /packages/core/cache.dat
+/packages/**/package-lock.json

sdk/javascript/packages/oracle/.github/workflows/publish.yml

@@ -0,0 +1,29 @@
+name: Publish KSM_Oracle NPM Package
+
+on:
+    workflow_dispatch:
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org/"
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: build dependencies
+        run: npm run build
+
+      - name: Publish to NPM
+        run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}

sdk/javascript/packages/oracle/.gitignore

@@ -0,0 +1,3 @@
+package-lock.json
+yarn.lock
+dist/*.d.ts

sdk/javascript/packages/oracle/README.md

@@ -0,0 +1,99 @@
+# Oracle Key Management
+Keeper Secrets Manager integrates with **Oracle Key Vault Management Service (OCI KMS)** to provide protection for Keeper Secrets Manager configuration files. With this integration, you can secure connection details on your machine while leveraging Keeper's **zero-knowledge encryption** for all your secret credentials.
+
+## Features
+* Encrypt and decrypt your Keeper Secrets Manager configuration files using **OCI KMS**.
+* Protect against unauthorized access to your **Secrets Manager connections**.
+* Requires only minor code modifications for immediate protection. Works with all Keeper Secrets Manager **JavaScript SDK** functionality.
+
+## Prerequisites
+* Supports the JavaScript Secrets Manager SDK.
+* Requires the **oci-keymanagement** package from OCI SDK.
+* OCI KMS Key needs `ENCRYPT` and `DECRYPT` permissions.
+
+## Setup
+
+1. Install KSM Storage Module
+
+The Secrets Manager oracle KSM module can be installed using npm
+
+> `npm install @keeper-security/secrets-manager-oracle-kv`
+
+2. Configure oracle Connection
+
+By default, the **oci-keymanagement** library will use the **default OCI configuration file** (`~/.oci/config`).
+
+See the [OCI documentation](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm) for more details.
+
+3. Add oracle KMS Storage to Your Code
+
+Now that the oracle connection has been configured, you need to tell the Secrets Manager SDK to utilize the KMS as storage.
+
+To do this, use `OciKeyValueStorage` as your Secrets Manager storage in the SecretsManager constructor.
+
+The storage will require an `Oracle config file location`, `Oracle configuration profile`(if there are multiple profile configurations) and the OCI `Oracle KMS endpoint` as well as the name of the `Secrets Manager configuration file` which will be encrypted by Oracle KMS.
+```
+    import { OCISessionConfig, OciKeyValueStorage } from "@keeper-security/secrets-manager-oracle-kv";
+
+    const getKeeperRecordsOCI = async () => {
+
+        const oracleConfigFileLocation = "/home/...../.oci/config";
+        const oracleProfile = "DEFAULT";
+        const kmsCryptoEndpoint = "https://<>-crypto.kms.<location>.oraclecloud.com";
+        const kmsManagementEndpoint = "https://<>-management.kms.<location>.oraclecloud.com";
+
+        const ociSessionConfig = await new OCISessionConfig(oracleConfigFileLocation, oracleProfile, kmsCryptoEndpoint,kmsManagementEndpoint);
+        const logLevel = LoggerLogLevelOptions.info;
+        let config_path = "<Keeper config File Path>";
+
+        const oneTimeToken = "<one time token>";
+
+        const keyId = 'ocid1.key.oc1.iad.<>.<>';
+        const keyVersionId = "ocid1.keyversion.oc1.iad.<>.<>";
+
+        const storage = await new OciKeyValueStorage(keyId, keyVersionId, config_path, ociSessionConfig,logLevel).init();
+        await initializeStorage(storage, oneTimeToken);
+
+        const { records } = await getSecrets({ storage: storage });
+        console.log(records);
+
+        const firstRecord = records[0];
+        const firstRecordPassword = firstRecord.data.fields.find((x: { type: string; }) => x.type === 'bankAccount');
+        console.log(firstRecordPassword.value[0]);
+    };
+    console.log("start");
+    getKeeperRecordsOCI();
+```
+## Change Key
+
+To change the Oracle KMS key used for encryption, you can call the `changeKey` method on the `OciKeyValueStorage` instance.
+```
+    const storage = await new OciKeyValueStorage(keyId, keyVersionId, config_path2, ociSessionConfig).init();
+    await storage.changeKey(keyId2, keyVersionId2);
+```
+
+## decrypt config
+
+To decrypt the config file and save it again in plaintext, you can call the `decryptConfig` method on the `OciKeyValueStorage` instance.
+Note: this will compromise the security of the config file.
+```
+    const storage = await new OciKeyValueStorage(keyId, keyVersionId, config_path, ociSessionConfig).init();
+    await storage.decryptConfig(true); // Saves to file
+    const decryptedConfig = await storage.decryptConfig(true); // returns the decrypted config
+```
+
+
+## Logging
+We support logging for the Oracle Key Vault integration. Supported log levels are as follows
+* trace
+* debug
+* info
+* warn
+* error
+* fatal
+
+All these levels should be accessed from the LoggerLogLevelOptions enum. If no log level is set, the default log level is info. We can set the logging level to debug to get more information about the integration.
+
+You're ready to use the KSM integration Using the Oracle KMS Integration 👍
+
+Once setup, the Secrets Manager Oracle KMS integration supports all Secrets Manager JavaScript SDK functionality.  Your code will need to be able to access the Oracle KMS APIs in order to manage the decryption of the configuration file when run. 

sdk/javascript/packages/oracle/eslint.config.mjs

@@ -0,0 +1,11 @@
+import globals from "globals";
+import pluginJs from "@eslint/js";
+import tseslint from "typescript-eslint";
+
+/** @type {import('eslint').Linter.Config[]} */
+export default [
+  { files: ["src/*.ts}"] },
+  { languageOptions: { globals: globals.browser } },
+  pluginJs.configs.recommended,
+  ...tseslint.configs.recommended,
+];

sdk/javascript/packages/oracle/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@keeper-security/secrets-manager-oracle-kv",
+  "version": "0.1.0",
+  "description": "Keeper Secrets Manager oracle kv storage. This module enables secure storage of Keeper configuration using Oracle Key Vault Management Service (KMS).",
+  "main": "dist/index.js",
+  "repository": "https://github.com/Keeper-Security/secrets-manager",
+  "license": "ISC",
+  "scripts": {
+    "prebuild": "rimraf dist",
+    "link-local": "yarn link",
+    "build": "tsc",
+    "lint": "eslint 'src/**/*.ts'",
+    "clean": "rimraf dist node_modules package-lock.json"
+  },
+  "devDependencies": {
+    "@types/node": "^22.12.0",
+    "@types/node-fetch": "^2.6.7",
+    "@typescript-eslint/eslint-plugin": "^8.22.0",
+    "@typescript-eslint/parser": "^8.22.0",
+    "eslint": "^9.19.0",
+    "fast-crc32c": "^2.0.0",
+    "rimraf": "^6.0.1",
+    "typescript": "^5.8.2",
+    "typescript-eslint": "^8.22.0"
+  },
+  "dependencies": {
+    "@keeper-security/secrets-manager-core": "^17.0.0",
+    "crc-32": "^1.2.2",
+    "oci-keymanagement": "^2.102.2",
+    "oci-vault": "^2.103.0",
+    "node-fetch": "^2.6.5",  
+    "pino": "^9.6.0",
+    "pino-pretty": "^13.0.0"
+  }
+}

sdk/javascript/packages/oracle/src/Logger.ts

@@ -0,0 +1,12 @@
+import pino from 'pino';
+import { LoggerLogLevelOptions } from './enum';
+
+export function getLogger(logLevel: LoggerLogLevelOptions): pino.Logger {
+  return pino({
+    level: logLevel || process.env.LOG_LEVEL || LoggerLogLevelOptions.info,
+    transport: {
+      target: 'pino-pretty',
+      options: { colorize: true },
+    },
+  });
+}

sdk/javascript/packages/oracle/src/OciKmsClient.ts

@@ -0,0 +1,23 @@
+import { KmsCryptoClient, KmsManagementClient } from "oci-keymanagement/lib/client";
+import { OCISessionConfig } from "./OciSessionConfig";
+
+export class OciKmsClient {
+  private ociKmsCryptoClient: KmsCryptoClient;
+  private ociKmsManagementClient: KmsManagementClient;
+
+  constructor(sessionConfig: OCISessionConfig) {
+    this.ociKmsCryptoClient = new KmsCryptoClient({ authenticationDetailsProvider: sessionConfig.getProvider() });
+    this.ociKmsCryptoClient.endpoint = sessionConfig.getKmsCryptoEndpoint();
+    this.ociKmsManagementClient = new KmsManagementClient({authenticationDetailsProvider : sessionConfig.getProvider()});
+    this.ociKmsManagementClient.endpoint = sessionConfig.getKmsManagementEndpoint()
+  }
+
+  public getCryptoClient(): KmsCryptoClient {
+    return this.ociKmsCryptoClient;
+  }
+
+  public getManagementClient() :KmsManagementClient{
+    return this.ociKmsManagementClient;
+  }
+
+}

sdk/javascript/packages/oracle/src/OciSessionConfig.ts

@@ -0,0 +1,32 @@
+import { ConfigFileAuthenticationDetailsProvider } from "oci-common";
+
+export class OCISessionConfig {
+  ociConfigFileLocation: string;
+  profile?: string;
+  ksmCryptoEndpoint: string;
+  ksmManagementEndpoint: string;
+
+  constructor(
+    ociConfigFileLocation: string,
+    profile: string | null,
+    kmsCryptoEndpoint: string,
+    ksmManagementEndpoint : string
+  ) {
+    this.ociConfigFileLocation = ociConfigFileLocation;
+    this.profile = profile || "DEFAULT";
+    this.ksmCryptoEndpoint = kmsCryptoEndpoint;
+    this.ksmManagementEndpoint = ksmManagementEndpoint;
+  }
+
+  public getProvider(): ConfigFileAuthenticationDetailsProvider {
+    return new ConfigFileAuthenticationDetailsProvider(this.ociConfigFileLocation, this.profile);
+  }
+
+  public getKmsCryptoEndpoint(): string {
+    return this.ksmCryptoEndpoint;
+  }
+
+  public getKmsManagementEndpoint(): string {
+    return this.ksmManagementEndpoint;
+  }
+}