@azure/keyvault-keys 4.4.0-beta.2 → 4.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +37 -1
- package/README.md +11 -10
- package/dist/index.js +332 -295
- package/dist/index.js.map +1 -1
- package/dist-esm/keyvault-common/src/challengeBasedAuthenticationPolicy.js +14 -25
- package/dist-esm/keyvault-common/src/challengeBasedAuthenticationPolicy.js.map +1 -1
- package/dist-esm/keyvault-common/src/index.js +1 -0
- package/dist-esm/keyvault-common/src/index.js.map +1 -1
- package/dist-esm/keyvault-common/src/parseKeyvaultIdentifier.js +1 -1
- package/dist-esm/keyvault-common/src/parseKeyvaultIdentifier.js.map +1 -1
- package/dist-esm/keyvault-common/src/parseWWWAuthenticate.js +52 -0
- package/dist-esm/keyvault-common/src/parseWWWAuthenticate.js.map +1 -0
- package/dist-esm/keyvault-common/src/tracingHelpers.js +4 -4
- package/dist-esm/keyvault-common/src/tracingHelpers.js.map +1 -1
- package/dist-esm/keyvault-keys/src/constants.js +1 -1
- package/dist-esm/keyvault-keys/src/constants.js.map +1 -1
- package/dist-esm/keyvault-keys/src/cryptography/aesCryptographyProvider.js +7 -7
- package/dist-esm/keyvault-keys/src/cryptography/aesCryptographyProvider.js.map +1 -1
- package/dist-esm/keyvault-keys/src/cryptography/crypto.js +2 -2
- package/dist-esm/keyvault-keys/src/cryptography/crypto.js.map +1 -1
- package/dist-esm/keyvault-keys/src/cryptography/models.js.map +1 -1
- package/dist-esm/keyvault-keys/src/cryptography/remoteCryptographyProvider.js +11 -12
- package/dist-esm/keyvault-keys/src/cryptography/remoteCryptographyProvider.js.map +1 -1
- package/dist-esm/keyvault-keys/src/cryptography/rsaCryptographyProvider.js +7 -9
- package/dist-esm/keyvault-keys/src/cryptography/rsaCryptographyProvider.js.map +1 -1
- package/dist-esm/keyvault-keys/src/cryptographyClient.js +10 -11
- package/dist-esm/keyvault-keys/src/cryptographyClient.js.map +1 -1
- package/dist-esm/keyvault-keys/src/cryptographyClientModels.js +36 -2
- package/dist-esm/keyvault-keys/src/cryptographyClientModels.js.map +1 -1
- package/dist-esm/keyvault-keys/src/generated/keyVaultClient.js +4 -50
- package/dist-esm/keyvault-keys/src/generated/keyVaultClient.js.map +1 -1
- package/dist-esm/keyvault-keys/src/generated/keyVaultClientContext.js +2 -2
- package/dist-esm/keyvault-keys/src/generated/keyVaultClientContext.js.map +1 -1
- package/dist-esm/keyvault-keys/src/generated/models/index.js +6 -21
- package/dist-esm/keyvault-keys/src/generated/models/index.js.map +1 -1
- package/dist-esm/keyvault-keys/src/generated/models/mappers.js +36 -29
- package/dist-esm/keyvault-keys/src/generated/models/mappers.js.map +1 -1
- package/dist-esm/keyvault-keys/src/generated/models/parameters.js +4 -16
- package/dist-esm/keyvault-keys/src/generated/models/parameters.js.map +1 -1
- package/dist-esm/keyvault-keys/src/identifier.js.map +1 -1
- package/dist-esm/keyvault-keys/src/index.js +32 -42
- package/dist-esm/keyvault-keys/src/index.js.map +1 -1
- package/dist-esm/keyvault-keys/src/keysModels.js +5 -2
- package/dist-esm/keyvault-keys/src/keysModels.js.map +1 -1
- package/dist-esm/keyvault-keys/src/lro/delete/poller.js.map +1 -1
- package/dist-esm/keyvault-keys/src/lro/keyVaultKeyPoller.js +1 -1
- package/dist-esm/keyvault-keys/src/lro/keyVaultKeyPoller.js.map +1 -1
- package/dist-esm/keyvault-keys/src/lro/recover/poller.js.map +1 -1
- package/dist-esm/keyvault-keys/src/transformations.js +12 -13
- package/dist-esm/keyvault-keys/src/transformations.js.map +1 -1
- package/package.json +16 -32
- package/types/keyvault-keys.d.ts +93 -36
|
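--- a/package/dist-esm/keyvault-common/src/challengeBasedAuthenticationPolicy.js
+++ b/package/dist-esm/keyvault-common/src/challengeBasedAuthenticationPolicy.js
@@ -1,16 +1,18 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 /* eslint-disable @azure/azure-sdk/ts-use-interface-parameters */
-import { BaseRequestPolicy } from "@azure/core-http";
-import { Constants } from "@azure/core-http";
 import { ExpiringAccessTokenCache } from "@azure/core-http";
+import { BaseRequestPolicy, } from "@azure/core-http";
+import { parseWWWAuthenticate } from "./parseWWWAuthenticate";
+import { Constants } from "@azure/core-http";
 /**
 * Representation of the Authentication Challenge
 */
 export class AuthenticationChallenge {
-constructor(authorization, scope) {
+constructor(authorization, scope, tenantId) {
 this.authorization = authorization;
 this.scope = scope;
+this.tenantId = tenantId;
 }
 /**
 * Checks that this AuthenticationChallenge is equal to another one given.
@@ -20,9 +22,11 @@ export class AuthenticationChallenge {
 * @param other - The other AuthenticationChallenge
 */
 equalTo(other) {
+var _a, _b;
 return other
 ? this.scope.toLowerCase() === other.scope.toLowerCase() &&
-this.authorization.toLowerCase() === other.authorization.toLowerCase()
+this.authorization.toLowerCase() === other.authorization.toLowerCase() &&
+((_a = this.tenantId) === null || _a === void 0 ? void 0 : _a.toLowerCase()) === ((_b = other.tenantId) === null || _b === void 0 ? void 0 : _b.toLowerCase())
 : false;
 }
 }
@@ -46,27 +50,9 @@ export function challengeBasedAuthenticationPolicy(credential) {
 return {
 create: (nextPolicy, options) => {
 return new ChallengeBasedAuthenticationPolicy(nextPolicy, options, credential, tokenCache, challengeCache);
-}
+},
 };
 }
-/**
-* Parses an WWW-Authenticate response.
-* This transforms a string value like:
-* `Bearer authorization="some_authorization", resource="https://some.url"`
-* into an object like:
-* `{ authorization: "some_authorization", resource: "https://some.url" }`
-* @param wwwAuthenticate - String value in the WWW-Authenticate header
-*/
-export function parseWWWAuthenticate(wwwAuthenticate) {
-// First we split the string by either `, ` or ` `.
-const parts = wwwAuthenticate.split(/,* +/);
-// Then we only keep the strings with an equal sign after a word and before a quote.
-// also splitting these sections by their equal sign
-const keyValues = parts.reduce((acc, str) => (str.match(/\w="/) ? [...acc, str.split("=")] : acc), []);
-// Then we transform these key-value pairs back into an object.
-const parsed = keyValues.reduce((result, [key, value]) => (Object.assign(Object.assign({}, result), { [key]: value.slice(1, -1) })), {});
-return parsed;
-}
 /**
 *
 * Provides a RequestPolicy that can request a token from a TokenCredential
@@ -97,7 +83,9 @@ export class ChallengeBasedAuthenticationPolicy extends BaseRequestPolicy {
 let accessToken = this.tokenCache.getCachedToken();
 // If there's no cached token in the cache, we try to get a new one.
 if (accessToken === undefined) {
-const receivedToken = await this.credential.getToken(this.challengeCache.challenge.scope
+const receivedToken = await this.credential.getToken(this.challengeCache.challenge.scope, {
+tenantId: this.challengeCache.challenge.tenantId,
+});
 accessToken = receivedToken || undefined;
 this.tokenCache.setCachedToken(accessToken);
 }
@@ -120,10 +108,11 @@ export class ChallengeBasedAuthenticationPolicy extends BaseRequestPolicy {
 const parsedWWWAuth = this.parseWWWAuthenticate(wwwAuthenticate);
 const authorization = parsedWWWAuth.authorization;
 const resource = parsedWWWAuth.resource || parsedWWWAuth.scope;
+const tenantId = parsedWWWAuth.tenantId;
 if (!(authorization && resource)) {
 return this._nextPolicy.sendRequest(webResource);
 }
-const challenge = new AuthenticationChallenge(authorization, resource + "/.default");
+const challenge = new AuthenticationChallenge(authorization, resource + "/.default", tenantId);
 // Either if there's no cached challenge at this point (could have happen in parallel),
 // or if the cached challenge has a different scope,
 // we store the just received challenge and reset the cached token, to force a re-authentication.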
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"challengeBasedAuthenticationPolicy.js","sourceRoot":"","sources":["../../../../keyvault-common/src/challengeBasedAuthenticationPolicy.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAClC,iEAAiE;AAGjE,OAAO,EACL,iBAAiB,EAIlB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAG7C,OAAO,EAAoB,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAe9E;;GAEG;AACH,MAAM,OAAO,uBAAuB;IAClC,YAAmB,aAAqB,EAAS,KAAa;QAA3C,kBAAa,GAAb,aAAa,CAAQ;QAAS,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAElE;;;;;;OAMG;IACI,OAAO,CAAC,KAA0C;QACvD,OAAO,KAAK;YACV,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE;gBACpD,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,aAAa,CAAC,WAAW,EAAE;YAC1E,CAAC,CAAC,KAAK,CAAC;IACZ,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,4BAA4B;IAGhC,kBAAkB,CAAC,SAAkC;QAC1D,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,kCAAkC,CAChD,UAA2B;IAE3B,MAAM,UAAU,GAAqB,IAAI,wBAAwB,EAAE,CAAC;IACpE,MAAM,cAAc,GAAG,IAAI,4BAA4B,EAAE,CAAC;IAC1D,OAAO;QACL,MAAM,EAAE,CAAC,UAAyB,EAAE,OAA6B,EAAE,EAAE;YACnE,OAAO,IAAI,kCAAkC,CAC3C,UAAU,EACV,OAAO,EACP,UAAU,EACV,UAAU,EACV,cAAc,CACf,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,eAAuB;IAC1D,mDAAmD;IACnD,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC5C,oFAAoF;IACpF,oDAAoD;IACpD,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAC5B,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAClE,EAAE,CACH,CAAC;IACF,+DAA+D;IAC/D,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAC7B,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,KAAK,CAAW,EAAE,EAAE,CAAC,iCAC/B,MAAM,KACT,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IACzB,EACF,EAAE,CACH,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,OAAO,kCAAmC,SAAQ,iBAAiB;IAKvE;;;;;;;OAOG;IACH,YACE,UAAyB,EACzB,OAA6B,EACrB,UAA2B,EAC3B,UAA4B,EAC5B,cAA4C;QAEpD,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAJnB,eAAU,GAAV,UAAU,CAAiB;QAC3B,eAAU,GAAV,UAAU,CAAkB;QAC5B,mBAAc,G
AAd,cAAc,CAA8B;QAjB9C,yBAAoB,GAEC,oBAAoB,CAAC;IAkBlD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,WAAwB;QAC9C,IAAI,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;QAEnD,oEAAoE;QACpE,IAAI,WAAW,KAAK,SAAS,EAAE;YAC7B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,SAAU,CAAC,KAAK,CAAC,CAAC;YAC3F,WAAW,GAAG,aAAa,IAAI,SAAS,CAAC;YACzC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;SAC7C;QAED,IAAI,WAAW,EAAE;YACf,WAAW,CAAC,OAAO,CAAC,GAAG,CACrB,SAAS,CAAC,eAAe,CAAC,aAAa,EACvC,UAAU,WAAW,CAAC,KAAK,EAAE,CAC9B,CAAC;SACH;IACH,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,mBAAmB,CAC/B,eAAuB,EACvB,WAAwB;;QAExB,wDAAwD;QACxD,uCAAuC;QACvC,+EAA+E;QAC/E,MAAM,aAAa,GAAG,IAAI,CAAC,oBAAoB,CAAC,eAAe,CAAC,CAAC;QACjE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAc,CAAC;QACnD,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAS,IAAI,aAAa,CAAC,KAAM,CAAC;QAEjE,IAAI,CAAC,CAAC,aAAa,IAAI,QAAQ,CAAC,EAAE;YAChC,OAAO,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;SAClD;QAED,MAAM,SAAS,GAAG,IAAI,uBAAuB,CAAC,aAAa,EAAE,QAAQ,GAAG,WAAW,CAAC,CAAC;QAErF,uFAAuF;QACvF,oDAAoD;QACpD,iGAAiG;QACjG,IAAI,CAAC,CAAA,MAAA,IAAI,CAAC,cAAc,CAAC,SAAS,0CAAE,OAAO,CAAC,SAAS,CAAC,CAAA,EAAE;YACtD,IAAI,CAAC,cAAc,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;SAC3C;QAED,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAClC,OAAO,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;IACnD,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW,CAAC,WAAwB;QAC/C,sDAAsD;QACtD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE;YACzC,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;SAC1F;QAED,+EAA+E;QAC/E,IAAI,QAA+B,CAAC;QAEpC,IACE,IAAI,CAAC,cAAc,CAAC,SAAS,KAAK,SAAS;YAC3C,IAAI,CAAC,cAAc,CAAC,SAAS,KAAK,SAAS,EAC3C;YACA,2EAA2E;YAC3E,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC;YACtC,WAAW,CAAC,IAAI,GAAG,EAAE,CAAC;YACtB,IAAI;gBACF,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;aAC5D;oBAAS;gBACR,WAAW,CAAC,IAAI,GAAG,YAAY,CAAC;aACjC;SACF;aAAM;YACL,wCAAwC;YACxC,kGAAkG;YAClG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YAClC,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;SAC5D;QAED,yDAAyD;Q
ACzD,gGAAgG;QAChG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,OAAO,QAAQ,CAAC;SACjB;QAED,oGAAoG;QACpG,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QACjE,IAAI,CAAC,eAAe,EAAE;YACpB,OAAO,QAAQ,CAAC;SACjB;QAED,sEAAsE;QACtE,OAAO,IAAI,CAAC,mBAAmB,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IAChE,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n/* eslint-disable @azure/azure-sdk/ts-use-interface-parameters */\n\nimport { TokenCredential } from \"@azure/core-http\";\nimport {\n BaseRequestPolicy,\n RequestPolicy,\n RequestPolicyOptions,\n RequestPolicyFactory\n} from \"@azure/core-http\";\nimport { Constants } from \"@azure/core-http\";\nimport { HttpOperationResponse } from \"@azure/core-http\";\nimport { WebResource } from \"@azure/core-http\";\nimport { AccessTokenCache, ExpiringAccessTokenCache } from \"@azure/core-http\";\n\ntype ValidParsedWWWAuthenticateProperties =\n // \"authorization_uri\" was used in the track 1 version of KeyVault.\n // This is not a relevant property anymore, since the service is consistently answering with \"authorization\".\n // | \"authorization_uri\"\n | \"authorization\"\n // Even though the service is moving to \"scope\", both \"resource\" and \"scope\" should be supported.\n | \"resource\"\n | \"scope\";\n\ntype ParsedWWWAuthenticate = {\n [Key in ValidParsedWWWAuthenticateProperties]?: string;\n};\n\n/**\n * Representation of the Authentication Challenge\n */\nexport class AuthenticationChallenge {\n constructor(public authorization: string, public scope: string) {}\n\n /**\n * Checks that this AuthenticationChallenge is equal to another one given.\n * Only compares the scope.\n * This is exactly what C# is doing, as we can see here:\n * https://github.com/Azure/azure-sdk-for-net/blob/70e54b878ff1d01a45266fb3674a396b4ab9c1d2/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs#L143-L147\n * @param other - The other AuthenticationChallenge\n */\n 
public equalTo(other: AuthenticationChallenge | undefined): boolean {\n return other\n ? this.scope.toLowerCase() === other.scope.toLowerCase() &&\n this.authorization.toLowerCase() === other.authorization.toLowerCase()\n : false;\n }\n}\n\n/**\n * Helps keep a copy of any previous authentication challenges,\n * so that we can compare on any further request.\n */\nexport class AuthenticationChallengeCache {\n public challenge?: AuthenticationChallenge;\n\n public setCachedChallenge(challenge: AuthenticationChallenge): void {\n this.challenge = challenge;\n }\n}\n\n/**\n * Creates a new ChallengeBasedAuthenticationPolicy factory.\n *\n * @param credential - The TokenCredential implementation that can supply the challenge token.\n */\nexport function challengeBasedAuthenticationPolicy(\n credential: TokenCredential\n): RequestPolicyFactory {\n const tokenCache: AccessTokenCache = new ExpiringAccessTokenCache();\n const challengeCache = new AuthenticationChallengeCache();\n return {\n create: (nextPolicy: RequestPolicy, options: RequestPolicyOptions) => {\n return new ChallengeBasedAuthenticationPolicy(\n nextPolicy,\n options,\n credential,\n tokenCache,\n challengeCache\n );\n }\n };\n}\n\n/**\n * Parses an WWW-Authenticate response.\n * This transforms a string value like:\n * `Bearer authorization=\"some_authorization\", resource=\"https://some.url\"`\n * into an object like:\n * `{ authorization: \"some_authorization\", resource: \"https://some.url\" }`\n * @param wwwAuthenticate - String value in the WWW-Authenticate header\n */\nexport function parseWWWAuthenticate(wwwAuthenticate: string): ParsedWWWAuthenticate {\n // First we split the string by either `, ` or ` `.\n const parts = wwwAuthenticate.split(/,* +/);\n // Then we only keep the strings with an equal sign after a word and before a quote.\n // also splitting these sections by their equal sign\n const keyValues = parts.reduce<string[][]>(\n (acc, str) => (str.match(/\\w=\"/) ? 
[...acc, str.split(\"=\")] : acc),\n []\n );\n // Then we transform these key-value pairs back into an object.\n const parsed = keyValues.reduce<ParsedWWWAuthenticate>(\n (result, [key, value]: string[]) => ({\n ...result,\n [key]: value.slice(1, -1)\n }),\n {}\n );\n return parsed;\n}\n\n/**\n *\n * Provides a RequestPolicy that can request a token from a TokenCredential\n * implementation and then apply it to the Authorization header of a request\n * as a Bearer token.\n *\n */\nexport class ChallengeBasedAuthenticationPolicy extends BaseRequestPolicy {\n private parseWWWAuthenticate: (\n wwwAuthenticate: string\n ) => ParsedWWWAuthenticate = parseWWWAuthenticate;\n\n /**\n * Creates a new ChallengeBasedAuthenticationPolicy object.\n *\n * @param nextPolicy - The next RequestPolicy in the request pipeline.\n * @param options - Options for this RequestPolicy.\n * @param credential - The TokenCredential implementation that can supply the bearer token.\n * @param tokenCache - The cache for the most recent AccessToken returned by the TokenCredential.\n */\n constructor(\n nextPolicy: RequestPolicy,\n options: RequestPolicyOptions,\n private credential: TokenCredential,\n private tokenCache: AccessTokenCache,\n private challengeCache: AuthenticationChallengeCache\n ) {\n super(nextPolicy, options);\n }\n\n /**\n * Gets or updates the token from the token cache into the headers of the received web resource.\n */\n private async loadToken(webResource: WebResource): Promise<void> {\n let accessToken = this.tokenCache.getCachedToken();\n\n // If there's no cached token in the cache, we try to get a new one.\n if (accessToken === undefined) {\n const receivedToken = await this.credential.getToken(this.challengeCache.challenge!.scope);\n accessToken = receivedToken || undefined;\n this.tokenCache.setCachedToken(accessToken);\n }\n\n if (accessToken) {\n webResource.headers.set(\n Constants.HeaderConstants.AUTHORIZATION,\n `Bearer ${accessToken.token}`\n );\n }\n }\n\n /**\n 
* Parses the given WWW-Authenticate header, generates a new AuthenticationChallenge,\n * then if the challenge is different from the one cached, resets the token and forces\n * a re-authentication, otherwise continues with the existing challenge and token.\n * @param wwwAuthenticate - Value of the incoming WWW-Authenticate header.\n * @param webResource - Ongoing HTTP request.\n */\n private async regenerateChallenge(\n wwwAuthenticate: string,\n webResource: WebResource\n ): Promise<HttpOperationResponse> {\n // The challenge based authentication will contain both:\n // - An authorization URI with a token,\n // - The resource to which that token is valid against (also called the scope).\n const parsedWWWAuth = this.parseWWWAuthenticate(wwwAuthenticate);\n const authorization = parsedWWWAuth.authorization!;\n const resource = parsedWWWAuth.resource! || parsedWWWAuth.scope!;\n\n if (!(authorization && resource)) {\n return this._nextPolicy.sendRequest(webResource);\n }\n\n const challenge = new AuthenticationChallenge(authorization, resource + \"/.default\");\n\n // Either if there's no cached challenge at this point (could have happen in parallel),\n // or if the cached challenge has a different scope,\n // we store the just received challenge and reset the cached token, to force a re-authentication.\n if (!this.challengeCache.challenge?.equalTo(challenge)) {\n this.challengeCache.setCachedChallenge(challenge);\n this.tokenCache.setCachedToken(undefined);\n }\n\n await this.loadToken(webResource);\n return this._nextPolicy.sendRequest(webResource);\n }\n\n /**\n * Applies the Bearer token to the request through the Authorization header.\n * @param webResource - Ongoing HTTP request.\n */\n public async sendRequest(webResource: WebResource): Promise<HttpOperationResponse> {\n // Ensure that we're about to use a secure connection.\n if (!webResource.url.startsWith(\"https:\")) {\n throw new Error(\"The resource address for authorization must use the 'https' 
protocol.\");\n }\n\n // The next request will happen differently whether we have a challenge or not.\n let response: HttpOperationResponse;\n\n if (\n this.challengeCache.challenge === undefined ||\n this.challengeCache.challenge === undefined\n ) {\n // If there's no challenge in cache, a blank body will start the challenge.\n const originalBody = webResource.body;\n webResource.body = \"\";\n try {\n response = await this._nextPolicy.sendRequest(webResource);\n } finally {\n webResource.body = originalBody;\n }\n } else {\n // If we did have a challenge in memory,\n // we attempt to load the token from the cache into the request before we try to send the request.\n await this.loadToken(webResource);\n response = await this._nextPolicy.sendRequest(webResource);\n }\n\n // If we don't receive a response with a 401 status code,\n // then we can assume this response has nothing to do with the challenge authentication process.\n if (response.status !== 401) {\n return response;\n }\n\n // If the response status is 401, we only re-authenticate if the WWW-Authenticate header is present.\n const wwwAuthenticate = response.headers.get(\"WWW-Authenticate\");\n if (!wwwAuthenticate) {\n return response;\n }\n\n // We re-generate the challenge and see if we have to re-authenticate.\n return this.regenerateChallenge(wwwAuthenticate, webResource);\n }\n}\n"]}
|
|
1
|
+
{"version":3,"file":"challengeBasedAuthenticationPolicy.js","sourceRoot":"","sources":["../../../../keyvault-common/src/challengeBasedAuthenticationPolicy.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAClC,iEAAiE;AAEjE,OAAO,EAAoB,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EACL,iBAAiB,GAIlB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAyB,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AACrF,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAK7C;;GAEG;AACH,MAAM,OAAO,uBAAuB;IAClC,YAAmB,aAAqB,EAAS,KAAa,EAAS,QAAiB;QAArE,kBAAa,GAAb,aAAa,CAAQ;QAAS,UAAK,GAAL,KAAK,CAAQ;QAAS,aAAQ,GAAR,QAAQ,CAAS;IAAG,CAAC;IAE5F;;;;;;OAMG;IACI,OAAO,CAAC,KAA0C;;QACvD,OAAO,KAAK;YACV,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE;gBACpD,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,aAAa,CAAC,WAAW,EAAE;gBACtE,CAAA,MAAA,IAAI,CAAC,QAAQ,0CAAE,WAAW,EAAE,OAAK,MAAA,KAAK,CAAC,QAAQ,0CAAE,WAAW,EAAE,CAAA;YAClE,CAAC,CAAC,KAAK,CAAC;IACZ,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,4BAA4B;IAGhC,kBAAkB,CAAC,SAAkC;QAC1D,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,kCAAkC,CAChD,UAA2B;IAE3B,MAAM,UAAU,GAAqB,IAAI,wBAAwB,EAAE,CAAC;IACpE,MAAM,cAAc,GAAG,IAAI,4BAA4B,EAAE,CAAC;IAC1D,OAAO;QACL,MAAM,EAAE,CAAC,UAAyB,EAAE,OAA6B,EAAE,EAAE;YACnE,OAAO,IAAI,kCAAkC,CAC3C,UAAU,EACV,OAAO,EACP,UAAU,EACV,UAAU,EACV,cAAc,CACf,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,OAAO,kCAAmC,SAAQ,iBAAiB;IAIvE;;;;;;;OAOG;IACH,YACE,UAAyB,EACzB,OAA6B,EACrB,UAA2B,EAC3B,UAA4B,EAC5B,cAA4C;QAEpD,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAJnB,eAAU,GAAV,UAAU,CAAiB;QAC3B,eAAU,GAAV,UAAU,CAAkB;QAC5B,mBAAc,GAAd,cAAc,CAA8B;QAhB9C,yBAAoB,GAC1B,oBAAoB,CAAC;IAkBvB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,WAAwB;QAC9C,IAAI,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;QAEnD,oEAAoE;QACpE,IAAI,WAAW,KAAK,SAAS,EAAE;YAC7B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,SAAU,CAAC,KAAK,EAAE;gBACzF,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,SAAU,CAAC,QAAQ;aAClD,CAAC,CAAC;YACH,WAAW,GAAG,aAAa,IAAI,SAAS,CAAC;YACzC,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,WAAW,CA
AC,CAAC;SAC7C;QAED,IAAI,WAAW,EAAE;YACf,WAAW,CAAC,OAAO,CAAC,GAAG,CACrB,SAAS,CAAC,eAAe,CAAC,aAAa,EACvC,UAAU,WAAW,CAAC,KAAK,EAAE,CAC9B,CAAC;SACH;IACH,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,mBAAmB,CAC/B,eAAuB,EACvB,WAAwB;;QAExB,wDAAwD;QACxD,uCAAuC;QACvC,+EAA+E;QAC/E,MAAM,aAAa,GAAG,IAAI,CAAC,oBAAoB,CAAC,eAAe,CAAC,CAAC;QACjE,MAAM,aAAa,GAAG,aAAa,CAAC,aAAc,CAAC;QACnD,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAS,IAAI,aAAa,CAAC,KAAM,CAAC;QACjE,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC;QAExC,IAAI,CAAC,CAAC,aAAa,IAAI,QAAQ,CAAC,EAAE;YAChC,OAAO,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;SAClD;QAED,MAAM,SAAS,GAAG,IAAI,uBAAuB,CAAC,aAAa,EAAE,QAAQ,GAAG,WAAW,EAAE,QAAQ,CAAC,CAAC;QAE/F,uFAAuF;QACvF,oDAAoD;QACpD,iGAAiG;QACjG,IAAI,CAAC,CAAA,MAAA,IAAI,CAAC,cAAc,CAAC,SAAS,0CAAE,OAAO,CAAC,SAAS,CAAC,CAAA,EAAE;YACtD,IAAI,CAAC,cAAc,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;SAC3C;QAED,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAClC,OAAO,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;IACnD,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,WAAW,CAAC,WAAwB;QAC/C,sDAAsD;QACtD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE;YACzC,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;SAC1F;QAED,+EAA+E;QAC/E,IAAI,QAA+B,CAAC;QAEpC,IACE,IAAI,CAAC,cAAc,CAAC,SAAS,KAAK,SAAS;YAC3C,IAAI,CAAC,cAAc,CAAC,SAAS,KAAK,SAAS,EAC3C;YACA,2EAA2E;YAC3E,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC;YACtC,WAAW,CAAC,IAAI,GAAG,EAAE,CAAC;YACtB,IAAI;gBACF,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;aAC5D;oBAAS;gBACR,WAAW,CAAC,IAAI,GAAG,YAAY,CAAC;aACjC;SACF;aAAM;YACL,wCAAwC;YACxC,kGAAkG;YAClG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;YAClC,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;SAC5D;QAED,yDAAyD;QACzD,gGAAgG;QAChG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,OAAO,QAAQ,CAAC;SACjB;QAED,oGAAoG;QACpG,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QACjE,IAAI,CAAC,eAAe,EAAE;YACpB,OAAO,QAAQ,CAAC;SACjB;QAED,sEAAsE;QACtE,OAAO,IAAI,CAAC,mBAAmB,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IAChE,CAAC;CACF","sourcesContent":["// 
Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n/* eslint-disable @azure/azure-sdk/ts-use-interface-parameters */\n\nimport { AccessTokenCache, ExpiringAccessTokenCache } from \"@azure/core-http\";\nimport {\n BaseRequestPolicy,\n RequestPolicy,\n RequestPolicyFactory,\n RequestPolicyOptions,\n} from \"@azure/core-http\";\nimport { ParsedWWWAuthenticate, parseWWWAuthenticate } from \"./parseWWWAuthenticate\";\nimport { Constants } from \"@azure/core-http\";\nimport { HttpOperationResponse } from \"@azure/core-http\";\nimport { TokenCredential } from \"@azure/core-http\";\nimport { WebResource } from \"@azure/core-http\";\n\n/**\n * Representation of the Authentication Challenge\n */\nexport class AuthenticationChallenge {\n constructor(public authorization: string, public scope: string, public tenantId?: string) {}\n\n /**\n * Checks that this AuthenticationChallenge is equal to another one given.\n * Only compares the scope.\n * This is exactly what C# is doing, as we can see here:\n * https://github.com/Azure/azure-sdk-for-net/blob/70e54b878ff1d01a45266fb3674a396b4ab9c1d2/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs#L143-L147\n * @param other - The other AuthenticationChallenge\n */\n public equalTo(other: AuthenticationChallenge | undefined): boolean {\n return other\n ? 
this.scope.toLowerCase() === other.scope.toLowerCase() &&\n this.authorization.toLowerCase() === other.authorization.toLowerCase() &&\n this.tenantId?.toLowerCase() === other.tenantId?.toLowerCase()\n : false;\n }\n}\n\n/**\n * Helps keep a copy of any previous authentication challenges,\n * so that we can compare on any further request.\n */\nexport class AuthenticationChallengeCache {\n public challenge?: AuthenticationChallenge;\n\n public setCachedChallenge(challenge: AuthenticationChallenge): void {\n this.challenge = challenge;\n }\n}\n\n/**\n * Creates a new ChallengeBasedAuthenticationPolicy factory.\n *\n * @param credential - The TokenCredential implementation that can supply the challenge token.\n */\nexport function challengeBasedAuthenticationPolicy(\n credential: TokenCredential\n): RequestPolicyFactory {\n const tokenCache: AccessTokenCache = new ExpiringAccessTokenCache();\n const challengeCache = new AuthenticationChallengeCache();\n return {\n create: (nextPolicy: RequestPolicy, options: RequestPolicyOptions) => {\n return new ChallengeBasedAuthenticationPolicy(\n nextPolicy,\n options,\n credential,\n tokenCache,\n challengeCache\n );\n },\n };\n}\n\n/**\n *\n * Provides a RequestPolicy that can request a token from a TokenCredential\n * implementation and then apply it to the Authorization header of a request\n * as a Bearer token.\n *\n */\nexport class ChallengeBasedAuthenticationPolicy extends BaseRequestPolicy {\n private parseWWWAuthenticate: (wwwAuthenticate: string) => ParsedWWWAuthenticate =\n parseWWWAuthenticate;\n\n /**\n * Creates a new ChallengeBasedAuthenticationPolicy object.\n *\n * @param nextPolicy - The next RequestPolicy in the request pipeline.\n * @param options - Options for this RequestPolicy.\n * @param credential - The TokenCredential implementation that can supply the bearer token.\n * @param tokenCache - The cache for the most recent AccessToken returned by the TokenCredential.\n */\n constructor(\n nextPolicy: 
RequestPolicy,\n options: RequestPolicyOptions,\n private credential: TokenCredential,\n private tokenCache: AccessTokenCache,\n private challengeCache: AuthenticationChallengeCache\n ) {\n super(nextPolicy, options);\n }\n\n /**\n * Gets or updates the token from the token cache into the headers of the received web resource.\n */\n private async loadToken(webResource: WebResource): Promise<void> {\n let accessToken = this.tokenCache.getCachedToken();\n\n // If there's no cached token in the cache, we try to get a new one.\n if (accessToken === undefined) {\n const receivedToken = await this.credential.getToken(this.challengeCache.challenge!.scope, {\n tenantId: this.challengeCache.challenge!.tenantId,\n });\n accessToken = receivedToken || undefined;\n this.tokenCache.setCachedToken(accessToken);\n }\n\n if (accessToken) {\n webResource.headers.set(\n Constants.HeaderConstants.AUTHORIZATION,\n `Bearer ${accessToken.token}`\n );\n }\n }\n\n /**\n * Parses the given WWW-Authenticate header, generates a new AuthenticationChallenge,\n * then if the challenge is different from the one cached, resets the token and forces\n * a re-authentication, otherwise continues with the existing challenge and token.\n * @param wwwAuthenticate - Value of the incoming WWW-Authenticate header.\n * @param webResource - Ongoing HTTP request.\n */\n private async regenerateChallenge(\n wwwAuthenticate: string,\n webResource: WebResource\n ): Promise<HttpOperationResponse> {\n // The challenge based authentication will contain both:\n // - An authorization URI with a token,\n // - The resource to which that token is valid against (also called the scope).\n const parsedWWWAuth = this.parseWWWAuthenticate(wwwAuthenticate);\n const authorization = parsedWWWAuth.authorization!;\n const resource = parsedWWWAuth.resource! 
|| parsedWWWAuth.scope!;\n const tenantId = parsedWWWAuth.tenantId;\n\n if (!(authorization && resource)) {\n return this._nextPolicy.sendRequest(webResource);\n }\n\n const challenge = new AuthenticationChallenge(authorization, resource + \"/.default\", tenantId);\n\n // Either if there's no cached challenge at this point (could have happen in parallel),\n // or if the cached challenge has a different scope,\n // we store the just received challenge and reset the cached token, to force a re-authentication.\n if (!this.challengeCache.challenge?.equalTo(challenge)) {\n this.challengeCache.setCachedChallenge(challenge);\n this.tokenCache.setCachedToken(undefined);\n }\n\n await this.loadToken(webResource);\n return this._nextPolicy.sendRequest(webResource);\n }\n\n /**\n * Applies the Bearer token to the request through the Authorization header.\n * @param webResource - Ongoing HTTP request.\n */\n public async sendRequest(webResource: WebResource): Promise<HttpOperationResponse> {\n // Ensure that we're about to use a secure connection.\n if (!webResource.url.startsWith(\"https:\")) {\n throw new Error(\"The resource address for authorization must use the 'https' protocol.\");\n }\n\n // The next request will happen differently whether we have a challenge or not.\n let response: HttpOperationResponse;\n\n if (\n this.challengeCache.challenge === undefined ||\n this.challengeCache.challenge === undefined\n ) {\n // If there's no challenge in cache, a blank body will start the challenge.\n const originalBody = webResource.body;\n webResource.body = \"\";\n try {\n response = await this._nextPolicy.sendRequest(webResource);\n } finally {\n webResource.body = originalBody;\n }\n } else {\n // If we did have a challenge in memory,\n // we attempt to load the token from the cache into the request before we try to send the request.\n await this.loadToken(webResource);\n response = await this._nextPolicy.sendRequest(webResource);\n }\n\n // If we don't receive a response 
with a 401 status code,\n // then we can assume this response has nothing to do with the challenge authentication process.\n if (response.status !== 401) {\n return response;\n }\n\n // If the response status is 401, we only re-authenticate if the WWW-Authenticate header is present.\n const wwwAuthenticate = response.headers.get(\"WWW-Authenticate\");\n if (!wwwAuthenticate) {\n return response;\n }\n\n // We re-generate the challenge and see if we have to re-authenticate.\n return this.regenerateChallenge(wwwAuthenticate, webResource);\n }\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../keyvault-common/src/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,cAAc,sCAAsC,CAAC;AACrD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,kBAAkB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nexport * from \"./challengeBasedAuthenticationPolicy\";\nexport * from \"./parseKeyvaultIdentifier\";\nexport * from \"./tracingHelpers\";\n"]}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../keyvault-common/src/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,cAAc,sCAAsC,CAAC;AACrD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,kBAAkB,CAAC;AACjC,cAAc,wBAAwB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nexport * from \"./challengeBasedAuthenticationPolicy\";\nexport * from \"./parseKeyvaultIdentifier\";\nexport * from \"./tracingHelpers\";\nexport * from \"./parseWWWAuthenticate\";\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"parseKeyvaultIdentifier.js","sourceRoot":"","sources":["../../../../keyvault-common/src/parseKeyvaultIdentifier.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,KAAK,GAAG,MAAM,KAAK,CAAC;AAgB3B,MAAM,UAAU,uBAAuB,CACrC,UAAkB,EAClB,UAA8B;IAE9B,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE;QACvE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;KAChD;IAED,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE;QACvE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;KAChD;IAED,IAAI,OAAO,CAAC;IACZ,IAAI;QACF,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;KAC7C;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,IAAI,KAAK,CAAC,WAAW,UAAU,gBAAgB,UAAU,mBAAmB,CAAC,CAAC;KACrF;IAED,mDAAmD;IACnD,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACrD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE;QAClD,MAAM,IAAI,KAAK,CACb,WAAW,UAAU,gBAAgB,UAAU,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAC9F,CAAC;KACH;IAED,IAAI,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE;QAC9B,MAAM,IAAI,KAAK,CACb,WAAW,UAAU,gBAAgB,UAAU,4BAA4B,UAAU,aAAa,QAAQ,CAAC,CAAC,CAAC,GAAG,CACjH,CAAC;KACH;IAED,MAAM,QAAQ,GAAG,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,IAAI,EAAE,CAAC;IACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAChE,OAAO;QACL,QAAQ;QACR,IAAI;QACJ,OAAO;KACR,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport * as url from \"url\";\n\nexport interface ParsedKeyVaultEntityIdentifier {\n /**\n * The vault URI.\n */\n vaultUrl: string;\n /**\n * The version of key/secret/certificate. 
May be undefined.\n */\n version?: string;\n /**\n * The name of key/secret/certificate.\n */\n name: string;\n}\nexport function parseKeyvaultIdentifier(\n collection: string,\n identifier: string | undefined\n): ParsedKeyVaultEntityIdentifier {\n if (typeof collection !== \"string\" || !(collection = collection.trim())) {\n throw new Error(\"Invalid collection argument\");\n }\n\n if (typeof identifier !== \"string\" || !(identifier = identifier.trim())) {\n throw new Error(\"Invalid identifier argument\");\n }\n\n let baseUri;\n try {\n baseUri = url.parse(identifier, true, true);\n } catch (e) {\n throw new Error(`Invalid ${collection} identifier: ${identifier}. Not a valid URI`);\n }\n\n // Path is of the form '/collection/name[/version]'\n const segments = (baseUri.pathname || \"\").split(\"/\");\n if (segments.length !== 3 && segments.length !== 4) {\n throw new Error(\n `Invalid ${collection} identifier: ${identifier}. Bad number of segments: ${segments.length}`\n );\n }\n\n if (collection !== segments[1]) {\n throw new Error(\n `Invalid ${collection} identifier: ${identifier}. segment [1] should be \"${collection}\", found \"${segments[1]}\"`\n );\n }\n\n const vaultUrl = `${baseUri.protocol}//${baseUri.host}`;\n const name = segments[2];\n const version = segments.length === 4 ? segments[3] : undefined;\n return {\n vaultUrl,\n name,\n version
|
|
1
|
+
{"version":3,"file":"parseKeyvaultIdentifier.js","sourceRoot":"","sources":["../../../../keyvault-common/src/parseKeyvaultIdentifier.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,KAAK,GAAG,MAAM,KAAK,CAAC;AAgB3B,MAAM,UAAU,uBAAuB,CACrC,UAAkB,EAClB,UAA8B;IAE9B,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE;QACvE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;KAChD;IAED,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE;QACvE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;KAChD;IAED,IAAI,OAAO,CAAC;IACZ,IAAI;QACF,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;KAC7C;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,IAAI,KAAK,CAAC,WAAW,UAAU,gBAAgB,UAAU,mBAAmB,CAAC,CAAC;KACrF;IAED,mDAAmD;IACnD,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACrD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE;QAClD,MAAM,IAAI,KAAK,CACb,WAAW,UAAU,gBAAgB,UAAU,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAC9F,CAAC;KACH;IAED,IAAI,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE;QAC9B,MAAM,IAAI,KAAK,CACb,WAAW,UAAU,gBAAgB,UAAU,4BAA4B,UAAU,aAAa,QAAQ,CAAC,CAAC,CAAC,GAAG,CACjH,CAAC;KACH;IAED,MAAM,QAAQ,GAAG,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,IAAI,EAAE,CAAC;IACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAChE,OAAO;QACL,QAAQ;QACR,IAAI;QACJ,OAAO;KACR,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport * as url from \"url\";\n\nexport interface ParsedKeyVaultEntityIdentifier {\n /**\n * The vault URI.\n */\n vaultUrl: string;\n /**\n * The version of key/secret/certificate. 
May be undefined.\n */\n version?: string;\n /**\n * The name of key/secret/certificate.\n */\n name: string;\n}\nexport function parseKeyvaultIdentifier(\n collection: string,\n identifier: string | undefined\n): ParsedKeyVaultEntityIdentifier {\n if (typeof collection !== \"string\" || !(collection = collection.trim())) {\n throw new Error(\"Invalid collection argument\");\n }\n\n if (typeof identifier !== \"string\" || !(identifier = identifier.trim())) {\n throw new Error(\"Invalid identifier argument\");\n }\n\n let baseUri;\n try {\n baseUri = url.parse(identifier, true, true);\n } catch (e) {\n throw new Error(`Invalid ${collection} identifier: ${identifier}. Not a valid URI`);\n }\n\n // Path is of the form '/collection/name[/version]'\n const segments = (baseUri.pathname || \"\").split(\"/\");\n if (segments.length !== 3 && segments.length !== 4) {\n throw new Error(\n `Invalid ${collection} identifier: ${identifier}. Bad number of segments: ${segments.length}`\n );\n }\n\n if (collection !== segments[1]) {\n throw new Error(\n `Invalid ${collection} identifier: ${identifier}. segment [1] should be \"${collection}\", found \"${segments[1]}\"`\n );\n }\n\n const vaultUrl = `${baseUri.protocol}//${baseUri.host}`;\n const name = segments[2];\n const version = segments.length === 4 ? segments[3] : undefined;\n return {\n vaultUrl,\n name,\n version,\n };\n}\n"]}
|
|
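--- a/package/dist-esm/keyvault-common/src/parseWWWAuthenticate.js
+++ b/package/dist-esm/keyvault-common/src/parseWWWAuthenticate.js
@@ -0,0 +1,52 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+* @internal
+*
+* Valid key names in WWW-Authenticate header.
+*/
+const validParsedWWWAuthenticateProperties = [
+"authorization",
+"authorization_url",
+"resource",
+"scope",
+"tenantId",
+];
+/**
+* Parses an WWW-Authenticate response.
+* This transforms a string value like:
+* `Bearer authorization="https://some.url/tenantId", resource="https://some.url"`
+* into an object like:
+* `{ authorization: "https://some.url/tenantId", resource: "https://some.url" }`
+* @param wwwAuthenticate - String value in the WWW-Authenticate header
+*/
+export function parseWWWAuthenticate(wwwAuthenticate) {
+const pairDelimiter = /,? +/;
+const parsed = wwwAuthenticate
+.split(pairDelimiter)
+.reduce((kvPairs, p) => {
+if (p.match(/\w="/)) {
+// 'sampleKey="sample_value"' -> [sampleKey, "sample_value"] -> { sampleKey: sample_value }
+const [key, value] = p.split("=");
+if (validParsedWWWAuthenticateProperties.includes(key)) {
+// The values will be wrapped in quotes, which need to be stripped out.
+return Object.assign(Object.assign({}, kvPairs), { [key]: value.slice(1, -1) });
+}
+}
+return kvPairs;
+}, {});
+// Finally, we pull the tenantId from the authorization header to support multi-tenant authentication.
+if (parsed.authorization) {
+try {
+const tenantId = new URL(parsed.authorization).pathname.substring(1);
+if (tenantId) {
+parsed.tenantId = tenantId;
+}
+}
+catch (_) {
+throw new Error(`The challenge authorization URI '${parsed.authorization}' is invalid.`);
+}
+}
+return parsed;
+}
+//# sourceMappingURL=parseWWWAuthenticate.js.map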
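Review bot: `const [key, value] = p.split("=")` on line 30 keeps only the text before the second `=`, so a quoted value that itself contains `=` (a query string in an `authorization_url`, for instance) is silently truncated and then mangled by the quote-stripping `slice(1, -1)` on line 33; split on the first `=` only, `const idx = p.indexOf("="); const key = p.slice(0, idx); const value = p.slice(idx + 1);`. The pair delimiter `/,? +/` on line 24 has the same weakness for a quoted value containing a space. `value.slice(1, -1)` also removes one character at each end without confirming they are quotes, so an unquoted value loses real characters instead of being rejected; a `value.startsWith('"') && value.endsWith('"')` guard before the slice would make that failure explicit. Note as well that `authorization`, `resource`, `scope` and the derived `tenantId` all come straight from the server's response header and are accepted as soon as `authorization` parses as a URL; whatever consumes this result to request a token should check those values against the vault host it is actually talking to, since this function does not.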
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"parseWWWAuthenticate.js","sourceRoot":"","sources":["../../../../keyvault-common/src/parseWWWAuthenticate.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC;;;;GAIG;AACH,MAAM,oCAAoC,GAAG;IAC3C,eAAe;IACf,mBAAmB;IACnB,UAAU;IACV,OAAO;IACP,UAAU;CACF,CAAC;AAmBX;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,eAAuB;IAC1D,MAAM,aAAa,GAAG,MAAM,CAAC;IAC7B,MAAM,MAAM,GAAG,eAAe;SAC3B,KAAK,CAAC,aAAa,CAAC;SACpB,MAAM,CAAwB,CAAC,OAAO,EAAE,CAAC,EAAE,EAAE;QAC5C,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE;YACnB,2FAA2F;YAC3F,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAClC,IACE,oCAAoC,CAAC,QAAQ,CAAC,GAA2C,CAAC,EAC1F;gBACA,uEAAuE;gBACvE,uCAAY,OAAO,KAAE,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAG;aAClD;SACF;QACD,OAAO,OAAO,CAAC;IACjB,CAAC,EAAE,EAAE,CAAC,CAAC;IAET,sGAAsG;IACtG,IAAI,MAAM,CAAC,aAAa,EAAE;QACxB,IAAI;YACF,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YACrE,IAAI,QAAQ,EAAE;gBACZ,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC;aAC5B;SACF;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,IAAI,KAAK,CAAC,oCAAoC,MAAM,CAAC,aAAa,eAAe,CAAC,CAAC;SAC1F;KACF;IAED,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\n/**\n * @internal\n *\n * Valid key names in WWW-Authenticate header.\n */\nconst validParsedWWWAuthenticateProperties = [\n \"authorization\",\n \"authorization_url\",\n \"resource\",\n \"scope\",\n \"tenantId\",\n] as const;\n\n/**\n * @internal\n *\n * A union type representing all valid key names in WWW-Authenticate header.\n */\ntype ValidParsedWWWAuthenticateProperties = typeof validParsedWWWAuthenticateProperties[number];\n\n/**\n * @internal\n *\n * Holds the known WWWAuthenticate keys and their values as a result of\n * parsing a WWW-Authenticate header.\n */\nexport type ParsedWWWAuthenticate = {\n [Key in ValidParsedWWWAuthenticateProperties]?: string;\n};\n\n/**\n * Parses an WWW-Authenticate response.\n * This transforms a 
string value like:\n * `Bearer authorization=\"https://some.url/tenantId\", resource=\"https://some.url\"`\n * into an object like:\n * `{ authorization: \"https://some.url/tenantId\", resource: \"https://some.url\" }`\n * @param wwwAuthenticate - String value in the WWW-Authenticate header\n */\nexport function parseWWWAuthenticate(wwwAuthenticate: string): ParsedWWWAuthenticate {\n const pairDelimiter = /,? +/;\n const parsed = wwwAuthenticate\n .split(pairDelimiter)\n .reduce<ParsedWWWAuthenticate>((kvPairs, p) => {\n if (p.match(/\\w=\"/)) {\n // 'sampleKey=\"sample_value\"' -> [sampleKey, \"sample_value\"] -> { sampleKey: sample_value }\n const [key, value] = p.split(\"=\");\n if (\n validParsedWWWAuthenticateProperties.includes(key as ValidParsedWWWAuthenticateProperties)\n ) {\n // The values will be wrapped in quotes, which need to be stripped out.\n return { ...kvPairs, [key]: value.slice(1, -1) };\n }\n }\n return kvPairs;\n }, {});\n\n // Finally, we pull the tenantId from the authorization header to support multi-tenant authentication.\n if (parsed.authorization) {\n try {\n const tenantId = new URL(parsed.authorization).pathname.substring(1);\n if (tenantId) {\n parsed.tenantId = tenantId;\n }\n } catch (_) {\n throw new Error(`The challenge authorization URI '${parsed.authorization}' is invalid.`);\n }\n }\n\n return parsed;\n}\n"]}
|
|
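--- a/package/dist-esm/keyvault-common/src/tracingHelpers.js
+++ b/package/dist-esm/keyvault-common/src/tracingHelpers.js
@@ -1,6 +1,6 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import {
+import { SpanStatusCode, createSpanFunction } from "@azure/core-tracing";
 /**
 * Returns a function that can be used for tracing options.
 *
@@ -13,7 +13,7 @@ import { createSpanFunction, SpanStatusCode } from "@azure/core-tracing";
 export function createTraceFunction(prefix) {
 const createSpan = createSpanFunction({
 namespace: "Microsoft.KeyVault",
-packagePrefix: prefix
+packagePrefix: prefix,
 });
 return async function (operationName, options, cb) {
 const { updatedOptions, span } = createSpan(operationName, options);
@@ -23,14 +23,14 @@ export function createTraceFunction(prefix) {
 const result = await cb(updatedOptions, span);
 // otel 0.16+ needs this or else the code ends up being set as UNSET
 span.setStatus({
-code: SpanStatusCode.OK
+code: SpanStatusCode.OK,
 });
 return result;
 }
 catch (err) {
 span.setStatus({
 code: SpanStatusCode.ERROR,
-message: err.message
+message: err.message,
 });
 throw err;
 }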
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tracingHelpers.js","sourceRoot":"","sources":["../../../../keyvault-common/src/tracingHelpers.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;
|
|
1
|
+
{"version":3,"file":"tracingHelpers.js","sourceRoot":"","sources":["../../../../keyvault-common/src/tracingHelpers.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAQ,cAAc,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAsB/E;;;;;;;;GAQG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc;IAChD,MAAM,UAAU,GAAG,kBAAkB,CAAC;QACpC,SAAS,EAAE,oBAAoB;QAC/B,aAAa,EAAE,MAAM;KACtB,CAAC,CAAC;IAEH,OAAO,KAAK,WAAW,aAAa,EAAE,OAAO,EAAE,EAAE;QAC/C,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QAEpE,IAAI;YACF,6GAA6G;YAC7G,kBAAkB;YAClB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;YAE9C,oEAAoE;YACpE,IAAI,CAAC,SAAS,CAAC;gBACb,IAAI,EAAE,cAAc,CAAC,EAAE;aACxB,CAAC,CAAC;YACH,OAAO,MAAM,CAAC;SACf;QAAC,OAAO,GAAG,EAAE;YACZ,IAAI,CAAC,SAAS,CAAC;gBACb,IAAI,EAAE,cAAc,CAAC,KAAK;gBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;SACX;gBAAS;YACR,IAAI,CAAC,GAAG,EAAE,CAAC;SACZ;IACH,CAAC,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { Span, SpanStatusCode, createSpanFunction } from \"@azure/core-tracing\";\nimport { OperationOptions } from \"@azure/core-http\";\n\n/**\n * An interface representing a function that is traced.\n *\n * A traced function will automatically create and close tracing '\n * spans as needed and will handle setting the status / errors as a\n * result of calling the underlying callback.\n *\n * use {@link createTraceFunction} to add tracing to a block of code.\n *\n * @internal\n */\nexport interface TracedFunction {\n <TOptions extends OperationOptions, TReturn>(\n operationName: string,\n options: TOptions,\n cb: (options: TOptions, span: Span) => Promise<TReturn>\n ): Promise<TReturn>;\n}\n\n/**\n * Returns a function that can be used for tracing options.\n *\n * @param prefix - The prefix to use, likely the name of the class / client.\n *\n * @example const withTrace = createTraceFunction(\"Azure.KeyVault.Certificates.CertificateClient\")\n *\n * @internal\n */\nexport 
function createTraceFunction(prefix: string): TracedFunction {\n const createSpan = createSpanFunction({\n namespace: \"Microsoft.KeyVault\",\n packagePrefix: prefix,\n });\n\n return async function (operationName, options, cb) {\n const { updatedOptions, span } = createSpan(operationName, options);\n\n try {\n // NOTE: we really do need to await on this function here so we can handle any exceptions thrown and properly\n // close the span.\n const result = await cb(updatedOptions, span);\n\n // otel 0.16+ needs this or else the code ends up being set as UNSET\n span.setStatus({\n code: SpanStatusCode.OK,\n });\n return result;\n } catch (err) {\n span.setStatus({\n code: SpanStatusCode.ERROR,\n message: err.message,\n });\n throw err;\n } finally {\n span.end();\n }\n };\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../src/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,MAAM,CAAC,MAAM,WAAW,GAAW,
|
|
1
|
+
{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../src/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,MAAM,CAAC,MAAM,WAAW,GAAW,OAAO,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nexport const SDK_VERSION: string = \"4.4.0\";\n"]}
|
|
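--- a/package/dist-esm/keyvault-keys/src/cryptography/aesCryptographyProvider.js
+++ b/package/dist-esm/keyvault-keys/src/cryptography/aesCryptographyProvider.js
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 import * as crypto from "crypto";
-import { LocalCryptographyUnsupportedError } from "./models";
+import { LocalCryptographyUnsupportedError, } from "./models";
 /**
 * An AES cryptography provider supporting AES algorithms.
 * @internal
@@ -18,16 +18,16 @@ export class AesCryptographyProvider {
 this.supportedAlgorithms = {
 A128CBCPAD: {
 algorithm: "aes-128-cbc",
-keySizeInBytes: 128 >> 3
+keySizeInBytes: 128 >> 3,
 },
 A192CBCPAD: {
 algorithm: "aes-192-cbc",
-keySizeInBytes: 192 >> 3
+keySizeInBytes: 192 >> 3,
 },
 A256CBCPAD: {
 algorithm: "aes-256-cbc",
-keySizeInBytes: 256 >> 3
-}
+keySizeInBytes: 256 >> 3,
+},
 };
 this.supportedOperations = ["encrypt", "decrypt"];
 this.key = key;
@@ -42,7 +42,7 @@ export class AesCryptographyProvider {
 return Promise.resolve({
 algorithm: encryptParameters.algorithm,
 result: encrypted,
-iv: iv
+iv: iv,
 });
 }
 decrypt(decryptParameters, _options) {
@@ -53,7 +53,7 @@ export class AesCryptographyProvider {
 dec = Buffer.concat([dec, decipher.final()]);
 return Promise.resolve({
 algorithm: decryptParameters.algorithm,
-result: dec
+result: dec,
 });
 }
 isSupported(algorithm, operation) {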
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aesCryptographyProvider.js","sourceRoot":"","sources":["../../../../src/cryptography/aesCryptographyProvider.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAmBjC,OAAO,EAGL,iCAAiC,
|
|
1
|
+
{"version":3,"file":"aesCryptographyProvider.js","sourceRoot":"","sources":["../../../../src/cryptography/aesCryptographyProvider.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAmBjC,OAAO,EAGL,iCAAiC,GAClC,MAAM,UAAU,CAAC;AAElB;;;GAGG;AACH,MAAM,OAAO,uBAAuB;IAElC,YAAY,GAAe;QA6D3B;;;;;;WAMG;QACK,wBAAmB,GAAmE;YAC5F,UAAU,EAAE;gBACV,SAAS,EAAE,aAAa;gBACxB,cAAc,EAAE,GAAG,IAAI,CAAC;aACzB;YACD,UAAU,EAAE;gBACV,SAAS,EAAE,aAAa;gBACxB,cAAc,EAAE,GAAG,IAAI,CAAC;aACzB;YACD,UAAU,EAAE;gBACV,SAAS,EAAE,aAAa;gBACxB,cAAc,EAAE,GAAG,IAAI,CAAC;aACzB;SACF,CAAC;QAEM,wBAAmB,GAAoC,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAlFpF,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IACD,OAAO,CACL,iBAA0C,EAC1C,QAAyB;QAEzB,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC5F,MAAM,EAAE,GAAG,iBAAiB,CAAC,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAE1D,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC;QAEjC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,cAAc,CAAC,EAAE,EAAE,CAAC,CAAC;QAC7F,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC;QACxE,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAEvD,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,iBAAiB,CAAC,SAAS;YACtC,MAAM,EAAE,SAAS;YACjB,EAAE,EAAE,EAAE;SACP,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CACL,iBAA0C,EAC1C,QAAyB;QAEzB,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAE5F,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC;QAEjC,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CACtC,SAAS,EACT,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,cAAc,CAAC,EACvC,iBAAiB,CAAC,EAAE,CACrB,CAAC;QACF,IAAI,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,CAAC;QACrE,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAE7C,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,iBAAiB,CAAC,SAAS;YACtC,MAAM,EAAE,GAAG;SACZ,CAAC,CAAC;IACL,CAAC;IAED,WAAW,CAAC,SAAiB,EAAE,SAAwC;QACr
E,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE;YACf,OAAO,KAAK,CAAC;SACd;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE;YAC9D,OAAO,KAAK,CAAC;SACd;QAED,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE;YACjD,OAAO,KAAK,CAAC;SACd;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IA0BD,OAAO,CACL,UAA4B,EAC5B,UAAsB,EACtB,QAAyB;QAEzB,MAAM,IAAI,iCAAiC,CACzC,mEAAmE,CACpE,CAAC;IACJ,CAAC;IAED,SAAS,CACP,UAA4B,EAC5B,aAAyB,EACzB,QAA2B;QAE3B,MAAM,IAAI,iCAAiC,CACzC,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,UAAkB,EAAE,OAAmB,EAAE,QAAsB;QAClE,MAAM,IAAI,iCAAiC,CACzC,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IAED,QAAQ,CAAC,UAAkB,EAAE,KAAiB,EAAE,QAAsB;QACpE,MAAM,IAAI,iCAAiC,CACzC,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IAED,MAAM,CACJ,UAAkB,EAClB,OAAmB,EACnB,UAAsB,EACtB,QAAwB;QAExB,MAAM,IAAI,iCAAiC,CACzC,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IACD,UAAU,CACR,UAAkB,EAClB,KAAiB,EACjB,UAAsB,EACtB,eAAiC;QAEjC,MAAM,IAAI,iCAAiC,CACzC,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IAEO,WAAW,CAAC,cAAsB;;QACxC,IACE,IAAI,CAAC,GAAG;YACR,CAAA,MAAA,IAAI,CAAC,GAAG,CAAC,GAAG,0CAAE,WAAW,EAAE,MAAK,KAAK;YACrC,CAAA,MAAA,IAAI,CAAC,GAAG,CAAC,GAAG,0CAAE,WAAW,EAAE,MAAK,SAAS,EACzC;YACA,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;SACxE;QAED,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE;YACf,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;SAC9C;QAED,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,cAAc,EAAE;YACtC,MAAM,IAAI,KAAK,CAAC,wBAAwB,cAAc,IAAI,CAAC,OAAO,CAAC,CAAC;SACrE;IACH,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { OperationOptions } from \"@azure/core-http\";\nimport * as crypto from \"crypto\";\nimport {\n EncryptOptions,\n EncryptResult,\n DecryptOptions,\n DecryptResult,\n KeyWrapAlgorithm,\n WrapKeyOptions,\n WrapResult,\n UnwrapKeyOptions,\n UnwrapResult,\n SignOptions,\n SignResult,\n VerifyOptions,\n VerifyResult,\n AesCbcEncryptParameters,\n JsonWebKey,\n} from \"..\";\nimport { AesCbcDecryptParameters } from \"../cryptographyClientModels\";\nimport {\n CryptographyProvider,\n 
CryptographyProviderOperation,\n LocalCryptographyUnsupportedError,\n} from \"./models\";\n\n/**\n * An AES cryptography provider supporting AES algorithms.\n * @internal\n */\nexport class AesCryptographyProvider implements CryptographyProvider {\n private key: JsonWebKey;\n constructor(key: JsonWebKey) {\n this.key = key;\n }\n encrypt(\n encryptParameters: AesCbcEncryptParameters,\n _options?: EncryptOptions\n ): Promise<EncryptResult> {\n const { algorithm, keySizeInBytes } = this.supportedAlgorithms[encryptParameters.algorithm];\n const iv = encryptParameters.iv || crypto.randomBytes(16);\n\n this.ensureValid(keySizeInBytes);\n\n const cipher = crypto.createCipheriv(algorithm, this.key.k!.subarray(0, keySizeInBytes), iv);\n let encrypted = cipher.update(Buffer.from(encryptParameters.plaintext));\n encrypted = Buffer.concat([encrypted, cipher.final()]);\n\n return Promise.resolve({\n algorithm: encryptParameters.algorithm,\n result: encrypted,\n iv: iv,\n });\n }\n\n decrypt(\n decryptParameters: AesCbcDecryptParameters,\n _options?: DecryptOptions\n ): Promise<DecryptResult> {\n const { algorithm, keySizeInBytes } = this.supportedAlgorithms[decryptParameters.algorithm];\n\n this.ensureValid(keySizeInBytes);\n\n const decipher = crypto.createDecipheriv(\n algorithm,\n this.key.k!.subarray(0, keySizeInBytes),\n decryptParameters.iv\n );\n let dec = decipher.update(Buffer.from(decryptParameters.ciphertext));\n dec = Buffer.concat([dec, decipher.final()]);\n\n return Promise.resolve({\n algorithm: decryptParameters.algorithm,\n result: dec,\n });\n }\n\n isSupported(algorithm: string, operation: CryptographyProviderOperation): boolean {\n if (!this.key.k) {\n return false;\n }\n\n if (!Object.keys(this.supportedAlgorithms).includes(algorithm)) {\n return false;\n }\n\n if (!this.supportedOperations.includes(operation)) {\n return false;\n }\n\n return true;\n }\n\n /**\n * The set of algorithms this provider supports.\n * For AES encryption, the values include the 
underlying algorithm used in crypto\n * as well as the key size in bytes.\n *\n * We start with support for A[SIZE]CBCPAD which uses the PKCS padding (the default padding scheme in node crypto)\n */\n private supportedAlgorithms: { [s: string]: { algorithm: string; keySizeInBytes: number } } = {\n A128CBCPAD: {\n algorithm: \"aes-128-cbc\",\n keySizeInBytes: 128 >> 3,\n },\n A192CBCPAD: {\n algorithm: \"aes-192-cbc\",\n keySizeInBytes: 192 >> 3,\n },\n A256CBCPAD: {\n algorithm: \"aes-256-cbc\",\n keySizeInBytes: 256 >> 3,\n },\n };\n\n private supportedOperations: CryptographyProviderOperation[] = [\"encrypt\", \"decrypt\"];\n\n wrapKey(\n _algorithm: KeyWrapAlgorithm,\n _keyToWrap: Uint8Array,\n _options?: WrapKeyOptions\n ): Promise<WrapResult> {\n throw new LocalCryptographyUnsupportedError(\n \"Wrapping a key using a local JsonWebKey is not supported for AES.\"\n );\n }\n\n unwrapKey(\n _algorithm: KeyWrapAlgorithm,\n _encryptedKey: Uint8Array,\n _options?: UnwrapKeyOptions\n ): Promise<UnwrapResult> {\n throw new LocalCryptographyUnsupportedError(\n \"Unwrapping a key using a local JsonWebKey is not supported for AES.\"\n );\n }\n\n sign(_algorithm: string, _digest: Uint8Array, _options?: SignOptions): Promise<SignResult> {\n throw new LocalCryptographyUnsupportedError(\n \"Signing using a local JsonWebKey is not supported for AES.\"\n );\n }\n\n signData(_algorithm: string, _data: Uint8Array, _options?: SignOptions): Promise<SignResult> {\n throw new LocalCryptographyUnsupportedError(\n \"Signing using a local JsonWebKey is not supported for AES.\"\n );\n }\n\n verify(\n _algorithm: string,\n _digest: Uint8Array,\n _signature: Uint8Array,\n _options?: VerifyOptions\n ): Promise<VerifyResult> {\n throw new LocalCryptographyUnsupportedError(\n \"Verifying using a local JsonWebKey is not supported for AES.\"\n );\n }\n verifyData(\n _algorithm: string,\n _data: Uint8Array,\n _signature: Uint8Array,\n _updatedOptions: OperationOptions\n ): Promise<VerifyResult> 
{\n throw new LocalCryptographyUnsupportedError(\n \"Verifying using a local JsonWebKey is not supported for AES.\"\n );\n }\n\n private ensureValid(keySizeInBytes: number): void {\n if (\n this.key &&\n this.key.kty?.toUpperCase() !== \"OCT\" &&\n this.key.kty?.toUpperCase() !== \"OCT-HSM\"\n ) {\n throw new Error(\"Key type does not match the key type oct or oct-hsm\");\n }\n\n if (!this.key.k) {\n throw new Error(\"Symmetric key is required\");\n }\n\n if (this.key.k.length < keySizeInBytes) {\n throw new Error(`Key must be at least ${keySizeInBytes << 3} bits`);\n }\n }\n}\n"]}
|
|
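--- a/package/dist-esm/keyvault-keys/src/cryptography/crypto.js
+++ b/package/dist-esm/keyvault-keys/src/cryptography/crypto.js
@@ -1,6 +1,6 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { createHash as cryptoCreateHash, createVerify as cryptoCreateVerify, randomBytes as cryptoRandomBytes } from "crypto";
+import { createHash as cryptoCreateHash, createVerify as cryptoCreateVerify, randomBytes as cryptoRandomBytes, } from "crypto";
 /**
 * @internal
 * Mapping between signature algorithms and their corresponding hash algorithms. Externally used for testing.
@@ -15,7 +15,7 @@ const algorithmToHashAlgorithm = {
 RS384: "SHA384",
 ES512: "SHA512",
 PS512: "SHA512",
-RS512: "SHA512"
+RS512: "SHA512",
 };
 /**
 * @internal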
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../../src/cryptography/crypto.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EACL,UAAU,IAAI,gBAAgB,EAC9B,YAAY,IAAI,kBAAkB,EAElC,WAAW,IAAI,iBAAiB,
|
|
1
|
+
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../../src/cryptography/crypto.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EACL,UAAU,IAAI,gBAAgB,EAC9B,YAAY,IAAI,kBAAkB,EAElC,WAAW,IAAI,iBAAiB,GACjC,MAAM,QAAQ,CAAC;AAEhB;;;IAGI;AACJ,MAAM,wBAAwB,GAA4B;IACxD,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;CAChB,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,SAAiB,EAAE,IAAgB;IAClE,MAAM,aAAa,GAAG,wBAAwB,CAAC,SAAS,CAAC,CAAC;IAC1D,IAAI,CAAC,aAAa,EAAE;QAClB,MAAM,IAAI,KAAK,CACb,qBAAqB,SAAS,gDAAgD,MAAM,CAAC,IAAI,CACvF,wBAAwB,CACzB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACf,CAAC;KACH;IACD,MAAM,IAAI,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;IAC7B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,SAAiB,EAAE,IAAgB;IAC9D,MAAM,eAAe,GAAG,wBAAwB,CAAC,SAAS,CAAC,CAAC;IAC5D,IAAI,CAAC,eAAe,EAAE;QACpB,MAAM,IAAI,KAAK,CACb,qBAAqB,SAAS,gDAAgD,MAAM,CAAC,IAAI,CACvF,wBAAwB,CACzB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACf,CAAC;KACH;IACD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,eAAe,CAAC,CAAC;IACrD,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACnC,QAAQ,CAAC,GAAG,EAAE,CAAC;IACf,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,MAAc;IACxC,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AACnC,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport {\n createHash as cryptoCreateHash,\n createVerify as cryptoCreateVerify,\n Verify,\n randomBytes as cryptoRandomBytes,\n} from \"crypto\";\n\n/**\n * @internal\n * Mapping between signature algorithms and their corresponding hash algorithms. 
Externally used for testing.\n **/\nconst algorithmToHashAlgorithm: { [s: string]: string } = {\n ES256: \"SHA256\",\n ES256K: \"SHA256\",\n PS256: \"SHA256\",\n RS256: \"SHA256\",\n ES384: \"SHA384\",\n PS384: \"SHA384\",\n RS384: \"SHA384\",\n ES512: \"SHA512\",\n PS512: \"SHA512\",\n RS512: \"SHA512\",\n};\n\n/**\n * @internal\n * Use the platform-local hashing functionality\n */\nexport async function createHash(algorithm: string, data: Uint8Array): Promise<Buffer> {\n const hashAlgorithm = algorithmToHashAlgorithm[algorithm];\n if (!hashAlgorithm) {\n throw new Error(\n `Invalid algorithm ${algorithm} passed to createHash. Supported algorithms: ${Object.keys(\n algorithmToHashAlgorithm\n ).join(\", \")}`\n );\n }\n const hash = cryptoCreateHash(hashAlgorithm);\n hash.update(Buffer.from(data));\n const digest = hash.digest();\n return digest;\n}\n\n/**\n * @internal\n * Use the platform-local verify functionality\n */\nexport function createVerify(algorithm: string, data: Uint8Array): Verify {\n const verifyAlgorithm = algorithmToHashAlgorithm[algorithm];\n if (!verifyAlgorithm) {\n throw new Error(\n `Invalid algorithm ${algorithm} passed to createHash. Supported algorithms: ${Object.keys(\n algorithmToHashAlgorithm\n ).join(\", \")}`\n );\n }\n const verifier = cryptoCreateVerify(verifyAlgorithm);\n verifier.update(Buffer.from(data));\n verifier.end();\n return verifier;\n}\n\n/**\n * @internal\n * Use the platform-local randomBytes functionality\n */\nexport function randomBytes(length: number): Uint8Array {\n return cryptoRandomBytes(length);\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"models.js","sourceRoot":"","sources":["../../../../src/cryptography/models.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAsBlC,MAAM,OAAO,iCAAkC,SAAQ,KAAK;CAAG","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { OperationOptions } from \"@azure/core-http\";\nimport {\n DecryptOptions,\n DecryptParameters,\n DecryptResult,\n EncryptOptions,\n EncryptParameters,\n EncryptResult,\n KeyWrapAlgorithm,\n SignatureAlgorithm,\n SignOptions,\n SignResult,\n UnwrapKeyOptions,\n UnwrapResult,\n VerifyOptions,\n VerifyResult,\n WrapKeyOptions,\n WrapResult
|
|
1
|
+
{"version":3,"file":"models.js","sourceRoot":"","sources":["../../../../src/cryptography/models.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAsBlC,MAAM,OAAO,iCAAkC,SAAQ,KAAK;CAAG","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { OperationOptions } from \"@azure/core-http\";\nimport {\n DecryptOptions,\n DecryptParameters,\n DecryptResult,\n EncryptOptions,\n EncryptParameters,\n EncryptResult,\n KeyWrapAlgorithm,\n SignatureAlgorithm,\n SignOptions,\n SignResult,\n UnwrapKeyOptions,\n UnwrapResult,\n VerifyOptions,\n VerifyResult,\n WrapKeyOptions,\n WrapResult,\n} from \"..\";\n\nexport class LocalCryptographyUnsupportedError extends Error {}\n\n/**\n * The set of operations a {@link CryptographyProvider} supports.\n *\n * This corresponds to every single method on the interface so that providers\n * can declare whether they support this method or not.\n *\n * Purposely more granular than {@link KnownKeyOperations} because some providers\n * support verifyData but not verify.\n * @internal\n */\nexport type CryptographyProviderOperation =\n | \"encrypt\"\n | \"decrypt\"\n | \"wrapKey\"\n | \"unwrapKey\"\n | \"sign\"\n | \"signData\"\n | \"verify\"\n | \"verifyData\";\n\n/**\n *\n * Represents an object that can perform cryptography operations.\n * @internal\n */\nexport interface CryptographyProvider {\n /**\n * Encrypts the given plaintext with the specified encryption parameters.\n * @internal\n *\n * @param encryptParameters - The encryption parameters, keyed on the encryption algorithm chosen.\n * @param options - Additional options.\n */\n encrypt(encryptParameters: EncryptParameters, options?: EncryptOptions): Promise<EncryptResult>;\n\n /**\n * Decrypts the given ciphertext with the specified decryption parameters.\n * @internal\n *\n * @param decryptParameters - The decryption parameters.\n * @param options - Additional options.\n */\n decrypt(decryptParameters: DecryptParameters, options?: 
DecryptOptions): Promise<DecryptResult>;\n\n /**\n *\n * @param algorithm - The algorithm to check support for.\n * @param operation - The {@link CryptographyProviderOperation} to check support for.\n */\n isSupported(algorithm: string, operation: CryptographyProviderOperation): boolean;\n\n /**\n * Wraps the given key using the specified cryptography algorithm\n * @internal\n *\n * @param algorithm - The encryption algorithm to use to wrap the given key.\n * @param keyToWrap - The key to wrap.\n * @param options - Additional options.\n */\n wrapKey(\n algorithm: KeyWrapAlgorithm,\n keyToWrap: Uint8Array,\n options?: WrapKeyOptions\n ): Promise<WrapResult>;\n\n /**\n * Unwraps the given wrapped key using the specified cryptography algorithm\n * @internal\n *\n * @param algorithm - The decryption algorithm to use to unwrap the key.\n * @param encryptedKey - The encrypted key to unwrap.\n * @param options - Additional options.\n */\n unwrapKey(\n algorithm: KeyWrapAlgorithm,\n encryptedKey: Uint8Array,\n options?: UnwrapKeyOptions\n ): Promise<UnwrapResult>;\n\n /**\n * Cryptographically sign the digest of a message\n * @internal\n *\n * @param algorithm - The signing algorithm to use.\n * @param digest - The digest of the data to sign.\n * @param options - Additional options.\n */\n sign(\n algorithm: SignatureAlgorithm,\n digest: Uint8Array,\n options?: SignOptions\n ): Promise<SignResult>;\n\n /**\n * Cryptographically sign a block of data\n * @internal\n *\n * @param algorithm - The signing algorithm to use.\n * @param data - The data to sign.\n * @param options - Additional options.\n */\n signData(\n algorithm: SignatureAlgorithm,\n data: Uint8Array,\n options?: SignOptions\n ): Promise<SignResult>;\n\n /**\n * Verify the signed message digest\n * @internal\n *\n * @param algorithm - The signing algorithm to use to verify with.\n * @param digest - The digest to verify.\n * @param signature - The signature to verify the digest against.\n * @param options - 
Additional options.\n */\n verify(\n algorithm: SignatureAlgorithm,\n digest: Uint8Array,\n signature: Uint8Array,\n options?: VerifyOptions\n ): Promise<VerifyResult>;\n\n /**\n * Verify the signed block of data\n * @internal\n *\n * @param algorithm - The algorithm to use to verify with.\n * @param data - The signed block of data to verify.\n * @param signature - The signature to verify the block against.\n * @param updatedOptions - Additional options.\n */\n verifyData(\n algorithm: string,\n data: Uint8Array,\n signature: Uint8Array,\n updatedOptions: OperationOptions\n ): Promise<VerifyResult>;\n}\n"]}
|
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
// Copyright (c) Microsoft Corporation.
|
|
2
2
|
// Licensed under the MIT license.
|
|
3
3
|
import { __rest } from "tslib";
|
|
4
|
-
import { createPipelineFromOptions, isTokenCredential, signingPolicy } from "@azure/core-http";
|
|
4
|
+
import { createPipelineFromOptions, isTokenCredential, signingPolicy, } from "@azure/core-http";
|
|
5
5
|
import { SDK_VERSION } from "../constants";
|
|
6
6
|
import { KeyVaultClient } from "../generated";
|
|
7
7
|
import { parseKeyVaultKeyIdentifier } from "../identifier";
|
|
8
|
-
import { LATEST_API_VERSION } from "../keysModels";
|
|
8
|
+
import { LATEST_API_VERSION, } from "../keysModels";
|
|
9
9
|
import { getKeyFromKeyBundle } from "../transformations";
|
|
10
10
|
import { createHash } from "./crypto";
|
|
11
11
|
import { logger } from "../log";
|
|
12
|
-
import { createTraceFunction, challengeBasedAuthenticationPolicy } from "../../../keyvault-common/src";
|
|
12
|
+
import { createTraceFunction, challengeBasedAuthenticationPolicy, } from "../../../keyvault-common/src";
|
|
13
13
|
const withTrace = createTraceFunction("Azure.KeyVault.Keys.RemoteCryptographyProvider");
|
|
14
14
|
/**
|
|
15
15
|
* The remote cryptography provider is used to run crypto operations against KeyVault.
|
|
@@ -59,7 +59,7 @@ export class RemoteCryptographyProvider {
|
|
|
59
59
|
keyID: this.getKeyID(),
|
|
60
60
|
additionalAuthenticatedData: result.additionalAuthenticatedData,
|
|
61
61
|
authenticationTag: result.authenticationTag,
|
|
62
|
-
iv: result.iv
|
|
62
|
+
iv: result.iv,
|
|
63
63
|
};
|
|
64
64
|
});
|
|
65
65
|
}
|
|
@@ -71,7 +71,7 @@ export class RemoteCryptographyProvider {
|
|
|
71
71
|
return {
|
|
72
72
|
result: result.result,
|
|
73
73
|
keyID: this.getKeyID(),
|
|
74
|
-
algorithm
|
|
74
|
+
algorithm,
|
|
75
75
|
};
|
|
76
76
|
});
|
|
77
77
|
}
|
|
@@ -81,7 +81,7 @@ export class RemoteCryptographyProvider {
|
|
|
81
81
|
return {
|
|
82
82
|
result: result.result,
|
|
83
83
|
algorithm,
|
|
84
|
-
keyID: this.getKeyID()
|
|
84
|
+
keyID: this.getKeyID(),
|
|
85
85
|
};
|
|
86
86
|
});
|
|
87
87
|
}
|
|
@@ -91,7 +91,7 @@ export class RemoteCryptographyProvider {
|
|
|
91
91
|
return {
|
|
92
92
|
result: result.result,
|
|
93
93
|
algorithm,
|
|
94
|
-
keyID: this.getKeyID()
|
|
94
|
+
keyID: this.getKeyID(),
|
|
95
95
|
};
|
|
96
96
|
});
|
|
97
97
|
}
|
|
@@ -112,7 +112,7 @@ export class RemoteCryptographyProvider {
|
|
|
112
112
|
const response = await this.client.verify(this.vaultUrl, this.name, this.version, algorithm, digest, signature, updatedOptions);
|
|
113
113
|
return {
|
|
114
114
|
result: response.value ? response.value : false,
|
|
115
|
-
keyID: this.getKeyID()
|
|
115
|
+
keyID: this.getKeyID(),
|
|
116
116
|
};
|
|
117
117
|
});
|
|
118
118
|
}
|
|
@@ -148,7 +148,6 @@ export class RemoteCryptographyProvider {
|
|
|
148
148
|
}
|
|
149
149
|
/**
|
|
150
150
|
* Attempts to retrieve the ID of the key.
|
|
151
|
-
* @internal
|
|
152
151
|
*/
|
|
153
152
|
getKeyID() {
|
|
154
153
|
let kid;
|
|
@@ -179,7 +178,7 @@ function getOrInitializeClient(credential, options) {
|
|
|
179
178
|
options.userAgentOptions = {
|
|
180
179
|
userAgentPrefix: userAgentOptions && userAgentOptions.userAgentPrefix
|
|
181
180
|
? `${userAgentOptions.userAgentPrefix} ${libInfo}`
|
|
182
|
-
: libInfo
|
|
181
|
+
: libInfo,
|
|
183
182
|
};
|
|
184
183
|
const authPolicy = isTokenCredential(credential)
|
|
185
184
|
? challengeBasedAuthenticationPolicy(credential)
|
|
@@ -189,8 +188,8 @@ function getOrInitializeClient(credential, options) {
|
|
|
189
188
|
allowedHeaderNames: [
|
|
190
189
|
"x-ms-keyvault-region",
|
|
191
190
|
"x-ms-keyvault-network-info",
|
|
192
|
-
"x-ms-keyvault-service-version"
|
|
193
|
-
]
|
|
191
|
+
"x-ms-keyvault-service-version",
|
|
192
|
+
],
|
|
194
193
|
} });
|
|
195
194
|
return new KeyVaultClient(options.serviceVersion || LATEST_API_VERSION, createPipelineFromOptions(internalPipelineOptions, authPolicy));
|
|
196
195
|
}
|