feat(threadwinds-ingestion): add AES decryption support for API secret

JocLRojas · JocLRojas · commit 258b3962b9ee · 2026-01-02T18:17:22.000-05:00
diff --git a/threadwinds-ingestion/go.mod b/threadwinds-ingestion/go.mod
@@ -3,6 +3,7 @@ module github.com/utmstack/UTMStack/threadwinds-ingestion
 go 1.25.4
 
 require (
+	github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0
 	github.com/lib/pq v1.10.9
 	github.com/opensearch-project/opensearch-go/v2 v2.3.0
 	github.com/threatwinds/go-sdk v1.0.47
diff --git a/threadwinds-ingestion/go.sum b/threadwinds-ingestion/go.sum
@@ -1,3 +1,5 @@
+github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0 h1:TBiBl9KCa4i4epY0/q9WSC4ugavL6+6JUkOXWDnMM6I=
+github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0/go.mod h1:cRhQ3TS/VEfu/z+qaciyuDZdtxgaXgaX8+G6Wa5NzBk=
 github.com/aws/aws-sdk-go v1.44.263/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2/config v1.18.25/go.mod h1:dZnYpD5wTW/dQF0rRNLVypB396zWCcPiBIvdvSWHEg4=
diff --git a/threadwinds-ingestion/internal/client/backend_client.go b/threadwinds-ingestion/internal/client/backend_client.go
@@ -12,6 +12,7 @@ import (
 	"github.com/threatwinds/go-sdk/catcher"
 	"github.com/utmstack/UTMStack/threadwinds-ingestion/config"
 	"github.com/utmstack/UTMStack/threadwinds-ingestion/internal/models"
+	"github.com/utmstack/UTMStack/threadwinds-ingestion/utils"
 )
 
 type BackendClient struct {
@@ -150,7 +151,19 @@ func (c *BackendClient) GetThreadWindsConfig(ctx context.Context) (*ThreadWindsC
 			config.APIKey = param.ConfParamValue
 			config.KeyID = param.ID
 		case "utmstack.tw.apiSecret":
-			config.APISecret = param.ConfParamValue
+			if param.ConfParamDatatype == "password" && param.ConfParamValue != "" {
+				decrypted, err := utils.DecryptValue(param.ConfParamValue)
+				if err != nil {
+					return nil, fmt.Errorf("failed to decrypt API Secret: %w", err)
+				}
+				config.APISecret = decrypted
+				catcher.Info("API Secret decrypted successfully", map[string]any{
+					"encrypted_length": len(param.ConfParamValue),
+					"decrypted_length": len(decrypted),
+				})
+			} else {
+				config.APISecret = param.ConfParamValue
+			}
 			config.SecretID = param.ID
 		}
 	}
diff --git a/threadwinds-ingestion/utils/aes.go b/threadwinds-ingestion/utils/aes.go
@@ -0,0 +1,10 @@
+package utils
+
+import (
+	"github.com/AtlasInsideCorp/AtlasInsideAES"
+)
+
+func DecryptValue(encryptedValue string) (string, error) {
+	passphrase := Getenv("ENCRYPTION_KEY")
+	return AtlasInsideAES.AESDecrypt(encryptedValue, []byte(passphrase))
+}

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0 h1:TBiBl9KCa4i4epY0/q9WSC4ugavL6+6JUkOXWDnMM6I=`
	`2`	`+github.com/AtlasInsideCorp/AtlasInsideAES v1.0.0/go.mod h1:cRhQ3TS/VEfu/z+qaciyuDZdtxgaXgaX8+G6Wa5NzBk=`
`1`	`3`	`github.com/aws/aws-sdk-go v1.44.263/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=`
`2`	`4`	`github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=`
`3`	`5`	`github.com/aws/aws-sdk-go-v2/config v1.18.25/go.mod h1:dZnYpD5wTW/dQF0rRNLVypB396zWCcPiBIvdvSWHEg4=`