npm - @joclaim/attestor-core - Versions diffs - 0.2.0 → 0.2.3 - Mend

@joclaim/attestor-core 0.2.0 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (420) hide show

package/README.md +21 -15
package/lib/avs/abis/avsDirectoryABI.d.ts +60 -0
package/lib/avs/abis/avsDirectoryABI.js +340 -0
package/lib/avs/abis/delegationABI.d.ts +126 -0
package/lib/avs/abis/delegationABI.js +1 -0
package/lib/avs/abis/registryABI.d.ts +136 -0
package/lib/avs/abis/registryABI.js +725 -0
package/lib/avs/client/create-claim-on-avs.d.ts +12 -0
package/lib/avs/client/create-claim-on-avs.js +138 -0
package/lib/avs/config.d.ts +7 -0
package/lib/avs/config.js +20 -0
package/lib/avs/contracts/ReclaimServiceManager.d.ts +697 -0
package/lib/avs/contracts/ReclaimServiceManager.js +1 -0
package/lib/avs/contracts/common.d.ts +21 -0
package/lib/avs/contracts/common.js +1 -0
package/lib/avs/contracts/factories/ReclaimServiceManager__factory.d.ts +888 -0
package/lib/avs/contracts/factories/ReclaimServiceManager__factory.js +1169 -0
package/lib/avs/contracts/factories/index.d.ts +1 -0
package/{src/avs/contracts/factories/index.ts → lib/avs/contracts/factories/index.js} +1 -1
package/{src/avs/contracts/index.ts → lib/avs/contracts/index.d.ts} +0 -3
package/lib/avs/contracts/index.js +2 -0
package/lib/avs/types/index.d.ts +55 -0
package/lib/avs/types/index.js +1 -0
package/lib/avs/utils/contracts.d.ts +21 -0
package/lib/avs/utils/contracts.js +33 -0
package/lib/avs/utils/register.d.ts +27 -0
package/lib/avs/utils/register.js +78 -0
package/lib/avs/utils/tasks.d.ts +22 -0
package/lib/avs/utils/tasks.js +40 -0
package/lib/client/create-claim.d.ts +5 -0
package/lib/client/create-claim.js +437 -0
package/lib/client/index.d.ts +3 -0
package/lib/client/index.js +3 -0
package/lib/client/tunnels/make-rpc-tcp-tunnel.d.ts +16 -0
package/lib/client/tunnels/make-rpc-tcp-tunnel.js +51 -0
package/lib/client/tunnels/make-rpc-tls-tunnel.d.ts +26 -0
package/lib/client/tunnels/make-rpc-tls-tunnel.js +131 -0
package/lib/client/utils/attestor-pool.d.ts +8 -0
package/lib/client/utils/attestor-pool.js +25 -0
package/lib/client/utils/client-socket.d.ts +11 -0
package/lib/client/utils/client-socket.js +98 -0
package/lib/client/utils/message-handler.d.ts +4 -0
package/lib/client/utils/message-handler.js +87 -0
package/lib/config/index.d.ts +30 -0
package/lib/config/index.js +43 -0
package/lib/external-rpc/benchmark.d.ts +1 -0
package/lib/external-rpc/benchmark.js +69 -0
package/lib/external-rpc/event-bus.d.ts +7 -0
package/lib/external-rpc/event-bus.js +14 -0
package/lib/external-rpc/handle-incoming-msg.d.ts +2 -0
package/lib/external-rpc/handle-incoming-msg.js +233 -0
package/lib/external-rpc/index.d.ts +3 -0
package/lib/external-rpc/index.js +3 -0
package/lib/external-rpc/jsc-polyfills/1.d.ts +14 -0
package/lib/external-rpc/jsc-polyfills/1.js +82 -0
package/lib/external-rpc/jsc-polyfills/2.d.ts +1 -0
package/lib/external-rpc/jsc-polyfills/2.js +20 -0
package/lib/external-rpc/jsc-polyfills/event.d.ts +10 -0
package/lib/external-rpc/jsc-polyfills/event.js +14 -0
package/lib/external-rpc/jsc-polyfills/index.d.ts +2 -0
package/lib/external-rpc/jsc-polyfills/index.js +2 -0
package/lib/external-rpc/jsc-polyfills/ws.d.ts +21 -0
package/lib/external-rpc/jsc-polyfills/ws.js +81 -0
package/lib/external-rpc/setup-browser.d.ts +6 -0
package/lib/external-rpc/setup-browser.js +33 -0
package/lib/external-rpc/setup-jsc.d.ts +24 -0
package/lib/external-rpc/setup-jsc.js +22 -0
package/lib/external-rpc/types.d.ts +213 -0
package/lib/external-rpc/types.js +1 -0
package/lib/external-rpc/utils.d.ts +20 -0
package/lib/external-rpc/utils.js +100 -0
package/lib/external-rpc/zk.d.ts +14 -0
package/lib/external-rpc/zk.js +63 -0
package/lib/index.d.ts +9 -0
package/lib/index.js +9 -0
package/lib/mechain/abis/governanceABI.d.ts +50 -0
package/lib/mechain/abis/governanceABI.js +458 -0
package/lib/mechain/abis/taskABI.d.ts +157 -0
package/lib/mechain/abis/taskABI.js +509 -0
package/lib/mechain/client/create-claim-on-mechain.d.ts +10 -0
package/lib/mechain/client/create-claim-on-mechain.js +28 -0
package/lib/mechain/client/index.d.ts +1 -0
package/lib/mechain/client/index.js +1 -0
package/lib/mechain/constants/index.d.ts +3 -0
package/{src/mechain/constants/index.ts → lib/mechain/constants/index.js} +3 -5
package/lib/mechain/index.d.ts +2 -0
package/lib/mechain/index.js +2 -0
package/lib/mechain/types/index.d.ts +23 -0
package/lib/mechain/types/index.js +1 -0
package/lib/proto/api.d.ts +633 -0
package/lib/proto/api.js +4258 -0
package/lib/proto/tee-bundle.d.ts +135 -0
package/lib/proto/tee-bundle.js +1161 -0
package/lib/providers/http/index.d.ts +18 -0
package/lib/providers/http/index.js +658 -0
package/lib/providers/http/patch-parse5-tree.d.ts +6 -0
package/lib/providers/http/patch-parse5-tree.js +33 -0
package/lib/providers/http/utils.d.ts +77 -0
package/lib/providers/http/utils.js +324 -0
package/lib/providers/index.d.ts +4 -0
package/lib/providers/index.js +4 -0
package/lib/scripts/build-browser.d.ts +1 -0
package/lib/scripts/build-browser.js +37 -0
package/lib/scripts/build-jsc.d.ts +1 -0
package/lib/scripts/build-jsc.js +49 -0
package/lib/scripts/check-avs-registration.d.ts +1 -0
package/lib/scripts/check-avs-registration.js +26 -0
package/lib/scripts/fallbacks/crypto.d.ts +1 -0
package/lib/scripts/fallbacks/crypto.js +1 -0
package/lib/scripts/fallbacks/empty.d.ts +3 -0
package/lib/scripts/fallbacks/empty.js +1 -0
package/lib/scripts/fallbacks/re2.d.ts +1 -0
package/lib/scripts/fallbacks/re2.js +4 -0
package/lib/scripts/fallbacks/snarkjs.d.ts +1 -0
package/lib/scripts/fallbacks/snarkjs.js +1 -0
package/lib/scripts/generate-provider-types.d.ts +5 -0
package/lib/scripts/generate-provider-types.js +78 -0
package/lib/scripts/generate-receipt.d.ts +9 -0
package/lib/scripts/generate-receipt.js +90 -0
package/lib/scripts/generate-toprf-keys.d.ts +1 -0
package/lib/scripts/generate-toprf-keys.js +20 -0
package/lib/scripts/jsc-cli-rpc.d.ts +1 -0
package/lib/scripts/jsc-cli-rpc.js +37 -0
package/lib/scripts/register-avs-operator.d.ts +1 -0
package/lib/scripts/register-avs-operator.js +4 -0
package/lib/scripts/start-server.d.ts +1 -0
package/lib/scripts/start-server.js +13 -0
package/lib/scripts/update-avs-metadata.d.ts +1 -0
package/lib/scripts/update-avs-metadata.js +19 -0
package/lib/scripts/utils.d.ts +1 -0
package/lib/scripts/utils.js +7 -0
package/lib/scripts/whitelist-operator.d.ts +1 -0
package/lib/scripts/whitelist-operator.js +15 -0
package/lib/server/create-server.d.ts +7 -0
package/lib/server/create-server.js +122 -0
package/lib/server/handlers/claimTeeBundle.d.ts +6 -0
package/lib/server/handlers/claimTeeBundle.js +206 -0
package/lib/server/handlers/claimTunnel.d.ts +2 -0
package/lib/server/handlers/claimTunnel.js +73 -0
package/lib/server/handlers/completeClaimOnChain.d.ts +2 -0
package/lib/server/handlers/completeClaimOnChain.js +22 -0
package/lib/server/handlers/createClaimOnChain.d.ts +2 -0
package/lib/server/handlers/createClaimOnChain.js +26 -0
package/lib/server/handlers/createTaskOnMechain.d.ts +2 -0
package/lib/server/handlers/createTaskOnMechain.js +47 -0
package/lib/server/handlers/createTunnel.d.ts +2 -0
package/lib/server/handlers/createTunnel.js +93 -0
package/lib/server/handlers/disconnectTunnel.d.ts +2 -0
package/lib/server/handlers/disconnectTunnel.js +5 -0
package/lib/server/handlers/fetchCertificateBytes.d.ts +2 -0
package/lib/server/handlers/fetchCertificateBytes.js +41 -0
package/lib/server/handlers/index.d.ts +4 -0
package/lib/server/handlers/index.js +22 -0
package/lib/server/handlers/init.d.ts +2 -0
package/lib/server/handlers/init.js +30 -0
package/lib/server/handlers/toprf.d.ts +2 -0
package/lib/server/handlers/toprf.js +16 -0
package/lib/server/index.d.ts +4 -0
package/lib/server/index.js +4 -0
package/lib/server/provider-api.d.ts +9 -0
package/lib/server/provider-api.js +98 -0
package/lib/server/provider-store.d.ts +53 -0
package/lib/server/provider-store.js +80 -0
package/lib/server/session-api.d.ts +9 -0
package/lib/server/session-api.js +95 -0
package/lib/server/session-store.d.ts +14 -0
package/lib/server/session-store.js +36 -0
package/lib/server/socket.d.ts +13 -0
package/lib/server/socket.js +109 -0
package/lib/server/tunnels/make-tcp-tunnel.d.ts +22 -0
package/lib/server/tunnels/make-tcp-tunnel.js +177 -0
package/lib/server/utils/apm.d.ts +11 -0
package/lib/server/utils/apm.js +36 -0
package/lib/server/utils/assert-valid-claim-request.d.ts +31 -0
package/lib/server/utils/assert-valid-claim-request.js +229 -0
package/lib/server/utils/config-env.d.ts +1 -0
package/lib/server/utils/config-env.js +4 -0
package/lib/server/utils/dns.d.ts +1 -0
package/lib/server/utils/dns.js +18 -0
package/lib/server/utils/gcp-attestation.d.ts +17 -0
package/lib/server/utils/gcp-attestation.js +289 -0
package/lib/server/utils/generics.d.ts +22 -0
package/lib/server/utils/generics.js +51 -0
package/lib/server/utils/iso.d.ts +1 -0
package/lib/server/utils/iso.js +256 -0
package/lib/server/utils/keep-alive.d.ts +7 -0
package/lib/server/utils/keep-alive.js +38 -0
package/lib/server/utils/nitro-attestation.d.ts +33 -0
package/lib/server/utils/nitro-attestation.js +325 -0
package/lib/server/utils/process-handshake.d.ts +13 -0
package/lib/server/utils/process-handshake.js +214 -0
package/lib/server/utils/proxy-session.d.ts +1 -0
package/lib/server/utils/proxy-session.js +6 -0
package/lib/server/utils/tee-oprf-verification.d.ts +22 -0
package/lib/server/utils/tee-oprf-verification.js +160 -0
package/lib/server/utils/tee-transcript-reconstruction.d.ts +24 -0
package/lib/server/utils/tee-transcript-reconstruction.js +187 -0
package/lib/server/utils/tee-verification.d.ts +27 -0
package/lib/server/utils/tee-verification.js +365 -0
package/lib/server/utils/validation.d.ts +2 -0
package/lib/server/utils/validation.js +38 -0
package/lib/types/bgp.d.ts +11 -0
package/lib/types/bgp.js +1 -0
package/lib/types/claims.d.ts +73 -0
package/lib/types/claims.js +1 -0
package/lib/types/client.d.ts +163 -0
package/lib/types/client.js +1 -0
package/lib/types/general.d.ts +54 -0
package/lib/types/general.js +1 -0
package/lib/types/handlers.d.ts +10 -0
package/lib/types/handlers.js +1 -0
package/lib/types/index.d.ts +10 -0
package/lib/types/index.js +10 -0
package/lib/types/providers.d.ts +161 -0
package/lib/types/providers.gen.d.ts +443 -0
package/lib/types/providers.gen.js +10 -0
package/lib/types/providers.js +1 -0
package/lib/types/rpc.d.ts +35 -0
package/lib/types/rpc.js +1 -0
package/lib/types/signatures.d.ts +28 -0
package/lib/types/signatures.js +1 -0
package/lib/types/tunnel.d.ts +18 -0
package/lib/types/tunnel.js +1 -0
package/lib/types/zk.d.ts +28 -0
package/lib/types/zk.js +1 -0
package/lib/utils/auth.d.ts +8 -0
package/lib/utils/auth.js +59 -0
package/lib/utils/b64-json.d.ts +2 -0
package/lib/utils/b64-json.js +17 -0
package/lib/utils/bgp-listener.d.ts +7 -0
package/lib/utils/bgp-listener.js +119 -0
package/lib/utils/claims.d.ts +33 -0
package/lib/utils/claims.js +101 -0
package/lib/utils/env.d.ts +3 -0
package/lib/utils/env.js +15 -0
package/lib/utils/error.d.ts +26 -0
package/lib/utils/error.js +50 -0
package/lib/utils/generics.d.ts +114 -0
package/lib/utils/generics.js +317 -0
package/lib/utils/http-parser.d.ts +59 -0
package/lib/utils/http-parser.js +246 -0
package/lib/utils/index.d.ts +13 -0
package/lib/utils/index.js +13 -0
package/lib/utils/logger.d.ts +13 -0
package/lib/utils/logger.js +91 -0
package/lib/utils/prepare-packets.d.ts +16 -0
package/lib/utils/prepare-packets.js +62 -0
package/lib/utils/redactions.d.ts +62 -0
package/lib/utils/redactions.js +148 -0
package/lib/utils/retries.d.ts +12 -0
package/lib/utils/retries.js +24 -0
package/lib/utils/signatures/eth.d.ts +2 -0
package/lib/utils/signatures/eth.js +29 -0
package/lib/utils/signatures/index.d.ts +5 -0
package/lib/utils/signatures/index.js +7 -0
package/lib/utils/socket-base.d.ts +23 -0
package/lib/utils/socket-base.js +90 -0
package/lib/utils/tls.d.ts +2 -0
package/{src/utils/tls.ts → lib/utils/tls.js} +28 -35
package/lib/utils/ws.d.ts +7 -0
package/lib/utils/ws.js +22 -0
package/lib/utils/zk.d.ts +70 -0
package/lib/utils/zk.js +572 -0
package/package.json +19 -12
package/src/avs/abis/avsDirectoryABI.ts +0 -340
package/src/avs/abis/delegationABI.ts +0 -1
package/src/avs/abis/registryABI.ts +0 -725
package/src/avs/client/create-claim-on-avs.ts +0 -206
package/src/avs/config.ts +0 -25
package/src/avs/contracts/ReclaimServiceManager.ts +0 -1457
package/src/avs/contracts/common.ts +0 -44
package/src/avs/contracts/factories/ReclaimServiceManager__factory.ts +0 -1213
package/src/avs/tests/test.operator.ts +0 -413
package/src/avs/tests/utils.ts +0 -51
package/src/avs/types/index.ts +0 -60
package/src/avs/utils/contracts.ts +0 -66
package/src/avs/utils/register.ts +0 -125
package/src/avs/utils/tasks.ts +0 -76
package/src/client/create-claim.ts +0 -626
package/src/client/index.ts +0 -3
package/src/client/tunnels/make-rpc-tcp-tunnel.ts +0 -78
package/src/client/tunnels/make-rpc-tls-tunnel.ts +0 -172
package/src/client/utils/attestor-pool.ts +0 -35
package/src/client/utils/client-socket.ts +0 -160
package/src/client/utils/message-handler.ts +0 -116
package/src/config/index.ts +0 -65
package/src/external-rpc/benchmark.ts +0 -102
package/src/external-rpc/event-bus.ts +0 -19
package/src/external-rpc/global.d.ts +0 -20
package/src/external-rpc/handle-incoming-msg.ts +0 -308
package/src/external-rpc/index.ts +0 -3
package/src/external-rpc/jsc-polyfills/1.ts +0 -117
package/src/external-rpc/jsc-polyfills/2.ts +0 -24
package/src/external-rpc/jsc-polyfills/event.ts +0 -16
package/src/external-rpc/jsc-polyfills/index.ts +0 -2
package/src/external-rpc/jsc-polyfills/ws.ts +0 -105
package/src/external-rpc/setup-browser.ts +0 -42
package/src/external-rpc/setup-jsc.ts +0 -48
package/src/external-rpc/types.ts +0 -289
package/src/external-rpc/utils.ts +0 -126
package/src/external-rpc/zk.ts +0 -79
package/src/index.ts +0 -9
package/src/mechain/abis/governanceABI.ts +0 -458
package/src/mechain/abis/taskABI.ts +0 -509
package/src/mechain/client/create-claim-on-mechain.ts +0 -52
package/src/mechain/client/index.ts +0 -1
package/src/mechain/index.ts +0 -2
package/src/mechain/types/index.ts +0 -29
package/src/proto/api.ts +0 -5285
package/src/proto/tee-bundle.ts +0 -1413
package/src/providers/http/index.ts +0 -873
package/src/providers/http/patch-parse5-tree.ts +0 -49
package/src/providers/http/utils.ts +0 -439
package/src/providers/index.ts +0 -8
package/src/scripts/build-browser.sh +0 -9
package/src/scripts/build-browser.ts +0 -40
package/src/scripts/build-jsc.ts +0 -55
package/src/scripts/check-avs-registration.ts +0 -38
package/src/scripts/contract-data-gen.sh +0 -8
package/src/scripts/fallbacks/crypto.ts +0 -1
package/src/scripts/fallbacks/empty.ts +0 -2
package/src/scripts/fallbacks/re2.ts +0 -5
package/src/scripts/fallbacks/snarkjs.ts +0 -5
package/src/scripts/generate-certs.sh +0 -11
package/src/scripts/generate-proto.sh +0 -5
package/src/scripts/generate-provider-types.ts +0 -121
package/src/scripts/generate-receipt.ts +0 -138
package/src/scripts/generate-toprf-keys.ts +0 -30
package/src/scripts/jsc-cli-rpc.ts +0 -48
package/src/scripts/register-avs-operator.ts +0 -5
package/src/scripts/start-server.ts +0 -17
package/src/scripts/update-avs-metadata.ts +0 -26
package/src/scripts/utils.ts +0 -8
package/src/scripts/whitelist-operator.ts +0 -22
package/src/server/create-server.ts +0 -169
package/src/server/handlers/claimTeeBundle.ts +0 -308
package/src/server/handlers/claimTunnel.ts +0 -106
package/src/server/handlers/completeClaimOnChain.ts +0 -36
package/src/server/handlers/createClaimOnChain.ts +0 -39
package/src/server/handlers/createTaskOnMechain.ts +0 -80
package/src/server/handlers/createTunnel.ts +0 -128
package/src/server/handlers/disconnectTunnel.ts +0 -11
package/src/server/handlers/fetchCertificateBytes.ts +0 -66
package/src/server/handlers/index.ts +0 -24
package/src/server/handlers/init.ts +0 -46
package/src/server/handlers/toprf.ts +0 -25
package/src/server/index.ts +0 -4
package/src/server/provider-api.ts +0 -118
package/src/server/provider-store.ts +0 -117
package/src/server/session-api.ts +0 -115
package/src/server/session-store.ts +0 -60
package/src/server/socket.ts +0 -156
package/src/server/tunnels/make-tcp-tunnel.ts +0 -275
package/src/server/utils/apm.ts +0 -49
package/src/server/utils/assert-valid-claim-request.ts +0 -375
package/src/server/utils/config-env.ts +0 -6
package/src/server/utils/dns.ts +0 -25
package/src/server/utils/gcp-attestation.ts +0 -415
package/src/server/utils/generics.ts +0 -68
package/src/server/utils/iso.ts +0 -258
package/src/server/utils/keep-alive.ts +0 -50
package/src/server/utils/nitro-attestation.ts +0 -396
package/src/server/utils/process-handshake.ts +0 -311
package/src/server/utils/proxy-session.ts +0 -6
package/src/server/utils/tee-oprf-verification.ts +0 -231
package/src/server/utils/tee-transcript-reconstruction.ts +0 -254
package/src/server/utils/tee-verification.ts +0 -513
package/src/server/utils/validation.ts +0 -57
package/src/tests/auth.test.ts +0 -105
package/src/tests/bgp-listener.test.ts +0 -193
package/src/tests/claim-creation.test.ts +0 -415
package/src/tests/describe-with-server.ts +0 -94
package/src/tests/gcp-attestation.test.ts +0 -206
package/src/tests/http-parser.test.ts +0 -135
package/src/tests/http-provider-utils.test.ts +0 -3306
package/src/tests/http-provider.test.ts +0 -125
package/src/tests/jsc.test_mac.ts +0 -296
package/src/tests/mock-provider-server.ts +0 -106
package/src/tests/mocks.ts +0 -25
package/src/tests/proof_bundle.bin +0 -0
package/src/tests/rpc-communication.test.ts +0 -115
package/src/tests/rpc-tunnel.test.ts +0 -239
package/src/tests/signatures.test.ts +0 -37
package/src/tests/tcp-tunnel.test.ts +0 -154
package/src/tests/tee-bundle.test.ts +0 -321
package/src/tests/tee-signatures.test.ts +0 -81
package/src/tests/utils.ts +0 -108
package/src/tests/verification_bundle.pb +0 -0
package/src/tests/verification_bundle_tee.pb +0 -0
package/src/tests/zk.test.ts +0 -453
package/src/types/bgp.ts +0 -17
package/src/types/claims.ts +0 -79
package/src/types/client.ts +0 -205
package/src/types/general.ts +0 -61
package/src/types/handlers.ts +0 -16
package/src/types/index.ts +0 -10
package/src/types/providers.gen.ts +0 -135
package/src/types/providers.ts +0 -203
package/src/types/rpc.ts +0 -46
package/src/types/signatures.ts +0 -29
package/src/types/tunnel.ts +0 -25
package/src/types/zk.ts +0 -31
package/src/utils/auth.ts +0 -92
package/src/utils/b64-json.ts +0 -25
package/src/utils/bgp-listener.ts +0 -159
package/src/utils/claims.ts +0 -132
package/src/utils/env.ts +0 -21
package/src/utils/error.ts +0 -76
package/src/utils/generics.ts +0 -429
package/src/utils/http-parser.ts +0 -312
package/src/utils/index.ts +0 -13
package/src/utils/logger.ts +0 -114
package/src/utils/prepare-packets.ts +0 -98
package/src/utils/redactions.ts +0 -203
package/src/utils/retries.ts +0 -41
package/src/utils/signatures/eth.ts +0 -35
package/src/utils/signatures/index.ts +0 -11
package/src/utils/socket-base.ts +0 -132
package/src/utils/ws.ts +0 -30
package/src/utils/zk.ts +0 -908

package/lib/server/tunnels/make-tcp-tunnel.js ADDED Viewed

@@ -0,0 +1,177 @@
+import { HttpsProxyAgent } from 'https-proxy-agent';
+import { Socket } from 'net';
+import { CONNECTION_TIMEOUT_MS } from '../../config/index.js';
+import { resolveHostnames } from '../../server/utils/dns.js';
+import { isValidCountryCode } from '../../server/utils/iso.js';
+import { isValidProxySessionId } from '../../server/utils/proxy-session.js';
+import { getEnvVariable } from '../../utils/env.js';
+import { AttestorError } from '../../utils/index.js';
+const HTTPS_PROXY_URL = getEnvVariable('HTTPS_PROXY_URL');
+/**
+ * Builds a TCP tunnel to the given host and port.
+ * If a geolocation is provided -- an HTTPS proxy is used
+ * to connect to the host.
+ * If a proxySessionId is provided -- a static ip is used with HTTPS proxy
+ * across multiple requests with this same proxySessionId.
+ *
+ * HTTPS proxy essentially creates an opaque tunnel to the
+ * host using the CONNECT method. Any data can be sent through
+ * this tunnel to the end host.
+ * https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT
+ *
+ * The tunnel also retains a transcript of all messages sent and received.
+ */
+export const makeTcpTunnel = async ({ onClose, onMessage, logger, ...opts }) => {
+    const transcript = [];
+    const socket = await connectTcp({ ...opts, logger });
+    let closed = false;
+    socket.on('data', message => {
+        if (closed) {
+            logger.warn('socket is closed, dropping message');
+            return;
+        }
+        onMessage?.(message);
+        transcript.push({ sender: 'server', message });
+    });
+    // socket.once('error', onSocketClose)
+    socket.once('close', () => onSocketClose(undefined));
+    return {
+        socket,
+        transcript,
+        createRequest: opts,
+        async write(data) {
+            transcript.push({ sender: 'client', message: data });
+            await new Promise((resolve, reject) => {
+                socket.write(data, err => {
+                    if (err) {
+                        reject(err);
+                    }
+                    else {
+                        resolve();
+                    }
+                });
+            });
+        },
+        close(err) {
+            if (closed) {
+                return;
+            }
+            socket.destroy(err);
+        }
+    };
+    function onSocketClose(err) {
+        if (closed) {
+            return;
+        }
+        logger.debug({ err }, 'closing socket');
+        closed = true;
+        onClose?.(err);
+        onClose = undefined;
+    }
+};
+async function connectTcp({ host, port, geoLocation, proxySessionId, logger }) {
+    let connectTimeout;
+    let socket;
+    try {
+        await new Promise(async (resolve, reject) => {
+            try {
+                // add a timeout to ensure the connection doesn't hang
+                // and cause our gateway to send out a 504
+                connectTimeout = setTimeout(() => reject(new AttestorError('ERROR_NETWORK_ERROR', 'Server connection timed out')), CONNECTION_TIMEOUT_MS);
+                socket = await getSocket({
+                    host,
+                    port,
+                    geoLocation,
+                    proxySessionId,
+                    logger
+                });
+                socket.once('connect', resolve);
+                socket.once('error', reject);
+                socket.once('end', () => (reject(new AttestorError('ERROR_NETWORK_ERROR', 'connection closed'))));
+            }
+            catch (err) {
+                reject(err);
+            }
+        });
+        logger.debug({ addr: `${host}:${port}` }, 'connected');
+        return socket;
+    }
+    catch (err) {
+        socket?.end();
+        throw err;
+    }
+    finally {
+        clearTimeout(connectTimeout);
+    }
+}
+async function getSocket(opts) {
+    const { logger } = opts;
+    try {
+        return await _getSocket(opts);
+    }
+    catch (err) {
+        // see if the proxy is blocking the connection
+        // due to their own arbitrary rules,
+        // if so -- we resolve hostname first &
+        // connect directly via address to
+        // avoid proxy knowing which host we're connecting to
+        if (!(err instanceof AttestorError)
+            || err.data?.code !== 403) {
+            throw err;
+        }
+        const addrs = await resolveHostnames(opts.host);
+        logger.info({ addrs, host: opts.host }, 'failed to connect due to restricted IP, trying via raw addr');
+        for (const addr of addrs) {
+            try {
+                return await _getSocket({ ...opts, host: addr });
+            }
+            catch (err) {
+                logger.error({ addr, err }, 'failed to connect to host');
+            }
+        }
+        throw err;
+    }
+}
+async function _getSocket({ host, port, geoLocation, proxySessionId, logger }) {
+    const socket = new Socket();
+    if ((proxySessionId || geoLocation) && !HTTPS_PROXY_URL) {
+        logger.warn({ geoLocation, proxySessionId }, 'geoLocation or proxySessionId provided but no proxy URL found');
+        geoLocation = '';
+        proxySessionId = '';
+    }
+    if (!geoLocation && !proxySessionId) {
+        socket.connect({ host, port, });
+        return socket;
+    }
+    if (!isValidCountryCode(geoLocation)) {
+        throw AttestorError.badRequest(`Geolocation "${geoLocation}" is invalid. Must be 2 letter ISO country code`, { geoLocation });
+    }
+    if (proxySessionId && !isValidProxySessionId(proxySessionId)) {
+        throw AttestorError.badRequest(`proxySessionId "${proxySessionId}" is invalid. Must be a lowercase alphanumeric string of length 8-14 characters. eg. "mystring12345", "something1234".`, { proxySessionId });
+    }
+    const agentUrl = HTTPS_PROXY_URL.replace('{{geoLocation}}', geoLocation?.toLowerCase() || '').replace('{{proxySessionId}}', proxySessionId ? `-session-${proxySessionId}` : '');
+    const agent = new HttpsProxyAgent(agentUrl);
+    const waitForProxyRes = new Promise(resolve => {
+        // @ts-ignore
+        socket.once('proxyConnect', resolve);
+    });
+    const proxySocket = await agent.connect(
+    // ignore, because https-proxy-agent
+    // expects an http request object
+    // @ts-ignore
+    socket, { host, port, timeout: CONNECTION_TIMEOUT_MS });
+    const res = await waitForProxyRes;
+    if (res.statusCode !== 200) {
+        logger.error({ geoLocation, proxySessionId, res }, 'Proxy geo location or session id failed');
+        throw new AttestorError('ERROR_PROXY_ERROR', `Proxy via ${geoLocation ? `geo location "${geoLocation}"` : ''}${geoLocation && proxySessionId ? ', or ' : ''}${proxySessionId ? `session id "${proxySessionId}"` : ''} failed with status code: ${res.statusCode}, message: ${res.statusText}`, {
+            code: res.statusCode,
+            message: res.statusText,
+        });
+    }
+    process.nextTick(() => {
+        // ensure connect event is emitted
+        // so it can be captured by the caller
+        proxySocket.emit('connect');
+    });
+    return proxySocket;
+}

package/lib/server/utils/apm.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import type { Agent } from 'elastic-apm-node';
+/**
+ * Initialises the APM agent if required,
+ * and returns it.
+ * If ELASTIC_APM_SERVER_URL & ELASTIC_APM_SECRET_TOKEN
+ * are not set will return undefined
+ *
+ * Utilises the standard env variables mentioned
+ * here: https://www.elastic.co/guide/en/apm/agent/nodejs/current/custom-stack.html#custom-stack-advanced-configuration
+ */
+export declare function getApm(): Agent | undefined;

package/lib/server/utils/apm.js ADDED Viewed

@@ -0,0 +1,36 @@
+import ElasticAPM from 'elastic-apm-node';
+import { getEnvVariable } from '../../utils/env.js';
+import { logger } from '../../utils/logger.js';
+let apm;
+/**
+ * Initialises the APM agent if required,
+ * and returns it.
+ * If ELASTIC_APM_SERVER_URL & ELASTIC_APM_SECRET_TOKEN
+ * are not set will return undefined
+ *
+ * Utilises the standard env variables mentioned
+ * here: https://www.elastic.co/guide/en/apm/agent/nodejs/current/custom-stack.html#custom-stack-advanced-configuration
+ */
+export function getApm() {
+    if (!getEnvVariable('ELASTIC_APM_SERVER_URL')
+        || !getEnvVariable('ELASTIC_APM_SECRET_TOKEN')) {
+        logger.info('ELASTIC_APM_SERVER_URL or ELASTIC_APM_SECRET_TOKEN not found'
+            + ' in env, APM agent not initialised');
+        return undefined;
+    }
+    if (!apm) {
+        const sampleRate = +(getEnvVariable('ELASTIC_APM_SAMPLE_RATE')
+            || '0.1');
+        apm = ElasticAPM.start({
+            serviceName: 'reclaim_attestor',
+            serviceVersion: '4.0.0',
+            transactionSampleRate: sampleRate,
+            instrumentIncomingHTTPRequests: true,
+            usePathAsTransactionName: true,
+            instrument: true,
+            captureHeaders: true,
+        });
+        logger.info('initialised APM agent');
+    }
+    return apm;
+}

package/lib/server/utils/assert-valid-claim-request.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import type { ZKEngine } from '@joclaim/zk-symmetric-crypto';
+import type { InitRequest, ProviderClaimInfo } from '../../proto/api.js';
+import { ClaimTunnelRequest } from '../../proto/api.js';
+import type { IDecryptedTranscript, Logger, ProviderCtx, TCPSocketProperties, Transcript } from '../../types/index.js';
+/**
+ * Asserts that the claim request is valid.
+ *
+ * 1. We begin by verifying the signature of the claim request.
+ * 2. Next, we produce the transcript of the TLS exchange
+ * from the proofs provided by the client.
+ * 3. We then pull the provider the client is trying to claim
+ * from
+ * 4. We then use the provider's verification function to verify
+ *  whether the claim is valid.
+ *
+ * If any of these steps fail, we throw an error.
+ */
+export declare function assertValidClaimRequest(request: ClaimTunnelRequest, metadata: InitRequest, logger: Logger): Promise<import("../../proto/api.js").ClaimRequestData>;
+/**
+ * Verify that the transcript contains a valid claim
+ * for the provider.
+ */
+export declare function assertValidProviderTranscript<T extends ProviderClaimInfo>(applData: Transcript<Uint8Array>, info: T, logger: Logger, providerCtx: ProviderCtx): Promise<T>;
+/**
+ * Verify that the transcript provided by the client
+ * matches the transcript of the tunnel, the server
+ * has created.
+ */
+export declare function assertTranscriptsMatch(clientTranscript: ClaimTunnelRequest['transcript'], tunnelTranscript: TCPSocketProperties['transcript']): void;
+export declare function decryptTranscript(transcript: ClaimTunnelRequest['transcript'], logger: Logger, zkEngine: ZKEngine, serverIV: Uint8Array, clientIV: Uint8Array): Promise<IDecryptedTranscript>;
+export declare function getWithoutHeader(message: Uint8Array): Uint8Array<ArrayBuffer>;

package/lib/server/utils/assert-valid-claim-request.js ADDED Viewed

@@ -0,0 +1,229 @@
+import { areUint8ArraysEqual, concatenateUint8Arrays } from '@joclaim/tls';
+import { ClaimTunnelRequest, TranscriptMessageSenderType, ZKProofEngine } from '../../proto/api.js';
+import { providers } from '../../providers/index.js';
+import { niceParseJsonObject } from '../../server/utils/generics.js';
+import { processHandshake } from '../../server/utils/process-handshake.js';
+import { assertValidateProviderParams } from '../../server/utils/validation.js';
+import { AttestorError, canonicalStringify, decryptDirect, extractApplicationDataFromTranscript, hashProviderParams, SIGNATURES, verifyZkPacket } from '../../utils/index.js';
+/**
+ * Asserts that the claim request is valid.
+ *
+ * 1. We begin by verifying the signature of the claim request.
+ * 2. Next, we produce the transcript of the TLS exchange
+ * from the proofs provided by the client.
+ * 3. We then pull the provider the client is trying to claim
+ * from
+ * 4. We then use the provider's verification function to verify
+ *  whether the claim is valid.
+ *
+ * If any of these steps fail, we throw an error.
+ */
+export async function assertValidClaimRequest(request, metadata, logger) {
+    const { data, signatures: { requestSignature } = {}, zkEngine, fixedServerIV, fixedClientIV } = request;
+    if (!data) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', 'No info provided on claim request');
+    }
+    if (!requestSignature?.length) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', 'No signature provided on claim request');
+    }
+    // verify request signature
+    const serialisedReq = ClaimTunnelRequest
+        .encode({ ...request, signatures: undefined })
+        .finish();
+    const { verify: verifySig } = SIGNATURES[metadata.signatureType];
+    const verified = await verifySig(serialisedReq, requestSignature, data.owner);
+    if (!verified) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', 'Invalid signature on claim request');
+    }
+    const receipt = await decryptTranscript(request.transcript, logger, zkEngine === ZKProofEngine.ZK_ENGINE_GNARK ? 'gnark' : 'snarkjs', fixedServerIV, fixedClientIV);
+    const reqHost = request.request?.host;
+    if (receipt.hostname !== reqHost) {
+        throw new Error(`Expected server name ${reqHost}, got ${receipt.hostname}`);
+    }
+    // get all application data messages
+    const applData = extractApplicationDataFromTranscript(receipt);
+    const newData = await assertValidProviderTranscript(applData, data, logger, { version: metadata.clientVersion });
+    if (newData !== data) {
+        logger.info({ newData }, 'updated claim info');
+    }
+    return newData;
+}
+/**
+ * Verify that the transcript contains a valid claim
+ * for the provider.
+ */
+export async function assertValidProviderTranscript(applData, info, logger, providerCtx) {
+    const providerName = info.provider;
+    const provider = providers[providerName];
+    if (!provider) {
+        throw new AttestorError('ERROR_INVALID_CLAIM', `Unsupported provider: ${providerName}`);
+    }
+    const params = niceParseJsonObject(info.parameters, 'params');
+    const ctx = niceParseJsonObject(info.context, 'context');
+    assertValidateProviderParams(providerName, params);
+    const rslt = await provider.assertValidProviderReceipt({
+        receipt: applData,
+        params,
+        logger,
+        ctx: providerCtx
+    });
+    ctx.providerHash = hashProviderParams(params);
+    const extractedParameters = rslt?.extractedParameters || {};
+    if (Object.keys(extractedParameters).length) {
+        ctx.extractedParameters = extractedParameters;
+    }
+    info.context = canonicalStringify(ctx) ?? '';
+    return info;
+}
+/**
+ * Verify that the transcript provided by the client
+ * matches the transcript of the tunnel, the server
+ * has created.
+ */
+export function assertTranscriptsMatch(clientTranscript, tunnelTranscript) {
+    const clientSends = concatenateUint8Arrays(clientTranscript
+        .filter(m => m.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT)
+        .map(m => m.message));
+    const tunnelSends = concatenateUint8Arrays(tunnelTranscript
+        .filter(m => m.sender === 'client')
+        .map(m => m.message));
+    if (!areUint8ArraysEqual(clientSends, tunnelSends)) {
+        throw AttestorError.badRequest('Outgoing messages from client do not match the tunnel transcript');
+    }
+    const clientRecvs = concatenateUint8Arrays(clientTranscript
+        .filter(m => m.sender === TranscriptMessageSenderType.TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER)
+        .map(m => m.message));
+    const tunnelRecvs = concatenateUint8Arrays(tunnelTranscript
+        .filter(m => m.sender === 'server')
+        .map(m => m.message))
+        // We only need to compare the first N messages
+        // that the client claims to have received
+        // the rest are not relevant -- so even if they're
+        // not present in the tunnel transcript, it's fine
+        .slice(0, clientRecvs.length);
+    if (!areUint8ArraysEqual(clientRecvs, tunnelRecvs)) {
+        throw AttestorError.badRequest('Incoming messages from server do not match the tunnel transcript');
+    }
+}
+export async function decryptTranscript(transcript, logger, zkEngine, serverIV, clientIV) {
+    const { tlsVersion, cipherSuite, hostname, nextMsgIndex } = await processHandshake(transcript, logger);
+    // TLS 1.3 has already one record encrypted at this point
+    let clientRecordNumber = tlsVersion === 'TLS1_3' ? -1 : 0;
+    let serverRecordNumber = clientRecordNumber;
+    transcript = transcript.slice(nextMsgIndex);
+    const overshotMap = {};
+    const decryptedTranscript = [];
+    for (const [i, { sender, message, reveal: { zkReveal, directReveal } = {} }] of transcript.entries()) {
+        try {
+            //start with first message after last handshake message
+            await decryptMessage(sender, message, directReveal, zkReveal, i);
+        }
+        catch (error) {
+            const err = new AttestorError('ERROR_INVALID_CLAIM', `error in handling packet at idx ${i}: ${error}`, { packetIdx: i, error });
+            if (error.stack) {
+                err.stack = error.stack;
+            }
+            throw err;
+        }
+    }
+    return {
+        transcript: decryptedTranscript,
+        hostname: hostname,
+        tlsVersion: tlsVersion,
+    };
+    async function decryptMessage(sender, message, directReveal, zkReveal, i) {
+        const isServer = sender === TranscriptMessageSenderType
+            .TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER;
+        const recordHeader = message.slice(0, 5);
+        const content = getWithoutHeader(message);
+        if (isServer) {
+            serverRecordNumber++;
+        }
+        else {
+            clientRecordNumber++;
+        }
+        let redacted = true;
+        let plaintext = undefined;
+        let plaintextLength;
+        if (directReveal?.key?.length) {
+            const result = await decryptDirect(directReveal, cipherSuite, recordHeader, tlsVersion, content);
+            plaintext = result.plaintext;
+            redacted = false;
+            plaintextLength = plaintext.length;
+            const decoder = new TextDecoder('utf-8', { fatal: false });
+            const keyHex = Buffer.from(directReveal.key).toString('hex');
+            const ciphertextPreview = Buffer.from(content.slice(0, 64)).toString('hex');
+            const plaintextStr = decoder.decode(plaintext);
+            logger.info(`\n=======================================================================\n` +
+                `[directReveal] packet #${i} | sender: ${isServer ? 'server' : 'client'}\n` +
+                `session key: ${keyHex}\n` +
+                `ciphertext size: ${content.length} bytes | preview: ${ciphertextPreview}...\n` +
+                `plaintext (${plaintextLength} bytes):\n${plaintextStr}\n` +
+                `=======================================================================`);
+        }
+        else if (zkReveal?.proofs?.length) {
+            const iv = sender === TranscriptMessageSenderType
+                .TRANSCRIPT_MESSAGE_SENDER_TYPE_SERVER
+                ? serverIV
+                : clientIV;
+            const recordNumber = isServer
+                ? serverRecordNumber
+                : clientRecordNumber;
+            const result = await verifyZkPacket({
+                ciphertext: content,
+                zkReveal,
+                iv,
+                recordNumber,
+                toprfOvershotNullifier: overshotMap[i]?.data,
+                getNextPacket(overshot) {
+                    const nextIdx = transcript
+                        .findIndex((t, j) => t.sender === sender && j > i);
+                    if (nextIdx < 0) {
+                        return;
+                    }
+                    overshotMap[nextIdx] = { data: overshot };
+                    return getWithoutHeader(transcript[nextIdx].message);
+                },
+                logger,
+                cipherSuite,
+                zkEngine: zkEngine,
+            });
+            plaintext = result.redactedPlaintext;
+            redacted = false;
+            plaintextLength = plaintext.length;
+            const decoder2 = new TextDecoder('utf-8', { fatal: false });
+            const ciphertextPreview2 = Buffer.from(content.slice(0, 64)).toString('hex');
+            const plaintextStr2 = decoder2.decode(plaintext);
+            logger.info(`\n=======================================================================\n` +
+                `[zkReveal] packet #${i} | sender: ${isServer ? 'server' : 'client'}\n` +
+                `zk proofs count: ${zkReveal.proofs.length}\n` +
+                `ciphertext size: ${content.length} bytes | preview: ${ciphertextPreview2}...\n` +
+                `redacted plaintext (${plaintextLength} bytes):\n${plaintextStr2}\n` +
+                `=======================================================================`);
+        }
+        else {
+            plaintext = content;
+            plaintextLength = plaintext.length;
+            const decoder3 = new TextDecoder('utf-8', { fatal: false });
+            logger.info(`\n=======================================================================\n` +
+                `[noReveal] packet #${i} | sender: ${isServer ? 'server' : 'client'}\n` +
+                `raw content size: ${content.length} bytes\n` +
+                `content:\n${decoder3.decode(plaintext)}\n` +
+                `=======================================================================`);
+        }
+        decryptedTranscript.push({
+            sender: sender === TranscriptMessageSenderType
+                .TRANSCRIPT_MESSAGE_SENDER_TYPE_CLIENT
+                ? 'client'
+                : 'server',
+            redacted,
+            message: plaintext,
+            recordHeader,
+            plaintextLength,
+        });
+    }
+}
+export function getWithoutHeader(message) {
+    // strip the record header (xx 03 03 xx xx)
+    return message.slice(5);
+}

package/lib/server/utils/config-env.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/lib/server/utils/config-env.js ADDED Viewed

@@ -0,0 +1,4 @@
+import { config } from 'dotenv';
+import { getEnvVariable } from '../../utils/env.js';
+const nodeEnv = getEnvVariable('NODE_ENV') || 'development';
+config({ path: `.env.${nodeEnv}` });

package/lib/server/utils/dns.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function resolveHostnames(hostname: string): Promise<string[]>;

package/lib/server/utils/dns.js ADDED Viewed

@@ -0,0 +1,18 @@
+import { resolve, setServers } from 'dns';
+import { DNS_SERVERS } from '../../config/index.js';
+setDnsServers();
+export async function resolveHostnames(hostname) {
+    return new Promise((_resolve, reject) => {
+        resolve(hostname, (err, addresses) => {
+            if (err) {
+                reject(new Error(`Could not resolve hostname: ${hostname}, ${err.message}`));
+            }
+            else {
+                _resolve(addresses);
+            }
+        });
+    });
+}
+function setDnsServers() {
+    setServers(DNS_SERVERS);
+}

package/lib/server/utils/gcp-attestation.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * GCP attestation validation utilities
+ * Validates JWT tokens from Google Confidential Computing
+ */
+import type { Logger } from '../../types/general.js';
+export interface GcpValidationResult {
+    isValid: boolean;
+    errors: string[];
+    ethAddress?: Uint8Array;
+    userDataType?: string;
+    pcr0?: string;
+    envVars?: Record<string, string>;
+}
+/**
+ * Validates GCP JWT attestation and extracts ETH address
+ */
+export declare function validateGcpAttestationAndExtractKey(attestationBytes: Uint8Array, logger?: Logger): Promise<GcpValidationResult>;