@naylence/advanced-security 0.3.0

package/dist/cjs/naylence/fame/security/cert/default-certificate-manager.js

@@ -0,0 +1,675 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultCertificateManager = void 0;
+const core_1 = require("@naylence/core");
+const runtime_1 = require("@naylence/runtime");
+const ca_service_client_js_1 = require("./ca-service-client.js");
+const ca_types_js_1 = require("./ca-types.js");
+const grants_js_1 = require("./grants.js");
+const util_js_1 = require("./util.js");
+const logger = (0, runtime_1.getLogger)("naylence.fame.security.cert.default_certificate_manager");
+const ENV_VAR_FAME_CA_CERTS = "FAME_CA_CERTS";
+const CONNECTION_GRANTS_CAMEL = "connectionGrants";
+const CONNECTION_GRANTS_SNAKE = "connection_grants";
+class DefaultCertificateManager {
+    constructor(options = {}) {
+        this.priority = 1500;
+        this.node = null;
+        this.pendingWelcomeFrame = null;
+        this.signing = normalizeSigningConfig(options.signing ?? null);
+        this.securitySettings = options.securitySettings ?? null;
+        this.caServiceUrl = options.caServiceUrl ?? null;
+        this.cryptoProviderOverride =
+            options.cryptoProvider ?? options.crypto_provider ?? null;
+    }
+    setSigning(signing) {
+        this.signing = normalizeSigningConfig(signing);
+    }
+    setSecuritySettings(securitySettings) {
+        this.securitySettings = securitySettings ?? null;
+    }
+    async onNodeStarted(node) {
+        this.node = node;
+        this.prepareProviderContext(node);
+        const requiresCertificate = this.requiresCertificates();
+        if (requiresCertificate) {
+            logger.debug("node_certificate_required_on_start", {
+                node_id: node.id,
+                physical_path: node.physicalPath,
+                has_parent: node.hasParent,
+            });
+            const fallbackWelcome = {
+                security_settings: this.securitySettings ?? undefined,
+                system_id: node.id,
+                assigned_path: node.physicalPath,
+                accepted_logicals: Array.from(node.acceptedLogicals),
+            };
+            const welcomeFrame = this.pendingWelcomeFrame ?? fallbackWelcome;
+            const success = await this.ensureCertificate(welcomeFrame, this.caServiceUrl ? { caServiceUrl: this.caServiceUrl } : undefined);
+            if (!success) {
+                logger.warning("node_certificate_unavailable_on_start", {
+                    node_id: node.id,
+                    physical_path: node.physicalPath,
+                    message: "Certificate provisioning was requested but did not complete",
+                });
+            }
+        }
+        else {
+            this.pendingWelcomeFrame = null;
+        }
+    }
+    async onWelcome(welcomeFrame) {
+        const requiresCertificate = this.requiresCertificates(welcomeFrame);
+        if (!requiresCertificate) {
+            logger.debug("welcome_does_not_require_certificate", {
+                system_id: welcomeFrame.systemId ?? null,
+            });
+            this.pendingWelcomeFrame = null;
+            return;
+        }
+        const success = await this.ensureCertificate(welcomeFrame, this.caServiceUrl ? { caServiceUrl: this.caServiceUrl } : undefined);
+        if (success) {
+            return;
+        }
+        if (!this.node) {
+            logger.debug("certificate_provisioning_deferred_until_node_start", {
+                system_id: welcomeFrame.systemId ?? null,
+                assigned_path: welcomeFrame.assignedPath ?? null,
+            });
+            return;
+        }
+        const nodeId = welcomeFrame.systemId ?? "unknown";
+        logger.warning("certificate_provisioning_not_completed", {
+            node_id: nodeId,
+            assigned_path: welcomeFrame.assignedPath ?? null,
+            message: "Continuing without a provisioned certificate (development mode)",
+        });
+    }
+    async ensureCertificate(welcomeFrame, options) {
+        const requiresCertificate = this.requiresCertificates(welcomeFrame);
+        if (!requiresCertificate) {
+            this.pendingWelcomeFrame = null;
+            return true;
+        }
+        this.pendingWelcomeFrame = welcomeFrame;
+        const cryptoProvider = this.resolveCryptoProvider();
+        if (!cryptoProvider) {
+            if (!this.node) {
+                logger.debug("crypto_provider_pending_node_start", {
+                    system_id: welcomeFrame.systemId ?? null,
+                    assigned_path: welcomeFrame.assignedPath ?? null,
+                });
+            }
+            else {
+                logger.error("crypto_provider_unavailable_for_certificate", {
+                    system_id: welcomeFrame.systemId ?? null,
+                    assigned_path: welcomeFrame.assignedPath ?? null,
+                });
+            }
+            return false;
+        }
+        const nodeId = readFrameString(welcomeFrame, "systemId", "system_id") ??
+            (typeof cryptoProvider.signatureKeyId === "string"
+                ? cryptoProvider.signatureKeyId
+                : null);
+        if (await this.ensureExistingCertificateIsTrusted(cryptoProvider, nodeId)) {
+            this.pendingWelcomeFrame = null;
+            return true;
+        }
+        this.prepareProviderForWelcome(cryptoProvider, welcomeFrame);
+        const connectionGrants = readFrameValue(welcomeFrame, CONNECTION_GRANTS_CAMEL, CONNECTION_GRANTS_SNAKE);
+        const caSignGrant = this.getCaSignGrant(connectionGrants);
+        if (!caSignGrant) {
+            logger.warning("welcome_frame_missing_ca_sign_grant", {
+                system_id: nodeId,
+                grant_count: Array.isArray(connectionGrants)
+                    ? connectionGrants.length
+                    : 0,
+            });
+        }
+        let material = null;
+        if (caSignGrant) {
+            material = await this.requestCertificateFromCa(cryptoProvider, welcomeFrame, caSignGrant, options);
+            if (!material) {
+                logger.warning("ca_certificate_request_failed_falling_back_to_env", {
+                    system_id: nodeId,
+                    ca_service_url: options?.caServiceUrl ?? this.caServiceUrl ?? caSignGrant.url,
+                });
+            }
+        }
+        if (!material) {
+            logger.debug("attempting_certificate_resolution_from_environment", {
+                system_id: nodeId,
+            });
+            material = await resolveCertificateMaterial();
+        }
+        if (!material) {
+            logger.warning("certificate_material_not_found", {
+                system_id: nodeId,
+                assigned_path: readFrameString(welcomeFrame, "assignedPath", "assigned_path"),
+                ca_service_url: options?.caServiceUrl ?? this.caServiceUrl,
+            });
+            return false;
+        }
+        const stored = storeCertificateMaterial(cryptoProvider, material);
+        if (!stored) {
+            logger.warning("certificate_storage_not_supported", {
+                system_id: nodeId,
+            });
+            return false;
+        }
+        const validated = await this.validateProviderCertificate(cryptoProvider, nodeId);
+        if (!validated) {
+            return false;
+        }
+        logger.debug("certificate_material_applied", {
+            system_id: nodeId,
+            has_chain: Boolean(material.certificateChainPem),
+        });
+        this.pendingWelcomeFrame = null;
+        return true;
+    }
+    requiresCertificates(welcomeFrame) {
+        const frameMaterial = welcomeFrame?.securitySettings?.signing_material ?? null;
+        if (frameMaterial === core_1.SigningMaterial.X509_CHAIN) {
+            return true;
+        }
+        if (this.securitySettings?.signing_material === core_1.SigningMaterial.X509_CHAIN) {
+            return true;
+        }
+        if (this.signing.signingMaterial === core_1.SigningMaterial.X509_CHAIN) {
+            return true;
+        }
+        return false;
+    }
+    prepareProviderContext(node) {
+        const provider = this.resolveCryptoProvider();
+        if (!provider) {
+            return;
+        }
+        const awareProvider = provider;
+        if (typeof awareProvider.setNodeContextFromNodeLike === "function") {
+            awareProvider.setNodeContextFromNodeLike(node);
+            return;
+        }
+        if (typeof awareProvider.setNodeContext === "function") {
+            awareProvider.setNodeContext(node.id, node.physicalPath, Array.from(node.acceptedLogicals), null);
+        }
+    }
+    prepareProviderForWelcome(provider, welcomeFrame) {
+        const logicals = Array.isArray(welcomeFrame.acceptedLogicals)
+            ? welcomeFrame.acceptedLogicals.filter((value) => typeof value === "string")
+            : [];
+        if (typeof provider.prepareForAttach === "function" &&
+            typeof welcomeFrame.systemId === "string") {
+            provider.prepareForAttach(welcomeFrame.systemId, typeof welcomeFrame.assignedPath === "string"
+                ? welcomeFrame.assignedPath
+                : undefined, logicals);
+        }
+    }
+    resolveCryptoProvider() {
+        // First check if we have a crypto provider override
+        if (this.cryptoProviderOverride) {
+            return this.cryptoProviderOverride;
+        }
+        // Otherwise, try to get from the node
+        const candidate = this.node?.cryptoProvider ?? null;
+        if (!candidate) {
+            return null;
+        }
+        return candidate;
+    }
+    async ensureExistingCertificateIsTrusted(provider, nodeId) {
+        if (!providerHasCertificate(provider)) {
+            return false;
+        }
+        const validated = await this.validateProviderCertificate(provider, nodeId);
+        if (!validated) {
+            logger.error("existing_certificate_validation_failed", {
+                node_id: nodeId,
+            });
+            return false;
+        }
+        logger.debug("existing_certificate_validated", {
+            node_id: nodeId,
+        });
+        return true;
+    }
+    getCaSignGrant(connectionGrants) {
+        if (!Array.isArray(connectionGrants)) {
+            return null;
+        }
+        for (const candidate of connectionGrants) {
+            if (!candidate || typeof candidate !== "object") {
+                continue;
+            }
+            const grantRecord = candidate;
+            const purpose = readRecordString(grantRecord, "purpose");
+            if (purpose !== grants_js_1.GRANT_PURPOSE_CA_SIGN) {
+                continue;
+            }
+            const url = readRecordString(grantRecord, "url", "baseUrl", "base_url");
+            if (!url) {
+                logger.warning("ca_sign_grant_missing_url", {
+                    grant_keys: Object.keys(grantRecord),
+                });
+                continue;
+            }
+            const authConfig = readGrantAuthConfig(grantRecord);
+            return {
+                url,
+                ...(authConfig ? { auth: authConfig } : {}),
+            };
+        }
+        return null;
+    }
+    async requestCertificateFromCa(provider, welcomeFrame, grant, options) {
+        const nodeId = readFrameString(welcomeFrame, "systemId", "system_id") ??
+            (typeof provider.signatureKeyId === "string"
+                ? provider.signatureKeyId
+                : null);
+        if (!nodeId) {
+            logger.warning("certificate_request_missing_node_id");
+            return null;
+        }
+        const physicalPath = readFrameString(welcomeFrame, "assignedPath", "assigned_path");
+        if (!physicalPath) {
+            logger.warning("certificate_request_missing_physical_path", {
+                node_id: nodeId,
+            });
+            return null;
+        }
+        const logicals = Array.isArray(welcomeFrame.acceptedLogicals)
+            ? welcomeFrame.acceptedLogicals.filter((value) => typeof value === "string")
+            : [];
+        if (typeof provider.createCsr !== "function") {
+            logger.warning("crypto_provider_missing_create_csr", {
+                node_id: nodeId,
+            });
+            return null;
+        }
+        let csrPem;
+        try {
+            const result = provider.createCsr(nodeId, physicalPath, logicals);
+            csrPem = typeof result === "string" ? result : await result;
+        }
+        catch (error) {
+            logger.error("csr_generation_failed", {
+                node_id: nodeId,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return null;
+        }
+        const caServiceUrl = options?.caServiceUrl ?? this.caServiceUrl ?? grant.url;
+        if (!caServiceUrl) {
+            logger.error("ca_service_url_unavailable", {
+                node_id: nodeId,
+            });
+            return null;
+        }
+        const connectionGrant = {
+            url: caServiceUrl,
+        };
+        let authStrategy = null;
+        try {
+            authStrategy = await this.createAuthStrategyForGrant(grant);
+        }
+        catch (error) {
+            logger.error("ca_sign_auth_strategy_creation_failed", {
+                node_id: nodeId,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return null;
+        }
+        const client = new ca_service_client_js_1.CAServiceClient(connectionGrant);
+        try {
+            if (authStrategy) {
+                await authStrategy.apply(client);
+            }
+            const [certificatePem, certificateChainPem] = await client.requestCertificate(csrPem, nodeId, physicalPath, logicals);
+            logger.debug("certificate_received_from_ca_service", {
+                node_id: nodeId,
+                has_chain: Boolean(certificateChainPem),
+                ca_service_url: caServiceUrl,
+            });
+            return {
+                certificatePem,
+                certificateChainPem: certificateChainPem ?? null,
+            };
+        }
+        catch (error) {
+            if (error instanceof ca_types_js_1.CertificateRequestError) {
+                logger.error("certificate_request_failed", {
+                    node_id: nodeId,
+                    error: error.message,
+                });
+            }
+            else {
+                logger.error("certificate_request_unhandled_error", {
+                    node_id: nodeId,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+            return null;
+        }
+        finally {
+            if (authStrategy) {
+                try {
+                    await authStrategy.cleanup();
+                }
+                catch (cleanupError) {
+                    logger.debug("auth_strategy_cleanup_failed", {
+                        error: cleanupError instanceof Error
+                            ? cleanupError.message
+                            : String(cleanupError),
+                    });
+                }
+            }
+        }
+    }
+    async createAuthStrategyForGrant(grant) {
+        const authConfig = grant.auth ?? null;
+        if (!authConfig) {
+            return null;
+        }
+        const normalizedConfig = normalizeAuthConfig(authConfig);
+        if (!normalizedConfig) {
+            return null;
+        }
+        return runtime_1.AuthInjectionStrategyFactory.createAuthInjectionStrategy(normalizedConfig);
+    }
+    async validateProviderCertificate(provider, nodeId) {
+        const trustStorePem = await resolveTrustStorePem();
+        if (!trustStorePem) {
+            logger.error("trust_anchor_validation_failed", {
+                node_id: nodeId,
+                reason: `${ENV_VAR_FAME_CA_CERTS}_not_set`,
+            });
+            return false;
+        }
+        if (typeof provider.nodeJwk !== "function") {
+            logger.error("trust_anchor_validation_failed", {
+                node_id: nodeId,
+                reason: "crypto_provider_lacks_node_jwk",
+            });
+            return false;
+        }
+        let jwk;
+        try {
+            jwk = provider.nodeJwk() ?? null;
+        }
+        catch (error) {
+            logger.error("trust_anchor_validation_failed", {
+                node_id: nodeId,
+                reason: "node_jwk_retrieval_failed",
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return false;
+        }
+        if (!jwk) {
+            logger.error("trust_anchor_validation_failed", {
+                node_id: nodeId,
+                reason: "node_jwk_missing",
+            });
+            return false;
+        }
+        const x5c = jwk.x5c;
+        if (!Array.isArray(x5c) ||
+            x5c.length === 0 ||
+            x5c.some((entry) => typeof entry !== "string")) {
+            logger.error("trust_anchor_validation_failed", {
+                node_id: nodeId,
+                reason: "invalid_certificate_chain",
+            });
+            return false;
+        }
+        try {
+            const result = (0, util_js_1.validateJwkX5cCertificate)({
+                jwk,
+                trustStorePem,
+                enforceNameConstraints: true,
+                strict: false,
+            });
+            if (!result.isValid) {
+                logger.error("trust_anchor_validation_failed", {
+                    node_id: nodeId,
+                    reason: result.error ?? "validation_failed",
+                });
+                return false;
+            }
+            logger.debug("certificate_chain_validation_successful", {
+                node_id: nodeId,
+            });
+            return true;
+        }
+        catch (error) {
+            logger.error("trust_anchor_validation_failed", {
+                node_id: nodeId,
+                reason: "validation_error",
+                error: error instanceof Error ? error.message : String(error),
+            });
+            return false;
+        }
+    }
+}
+exports.DefaultCertificateManager = DefaultCertificateManager;
+function normalizeSigningConfig(value) {
+    if (value instanceof runtime_1.SigningConfigClass) {
+        return value;
+    }
+    if (value && typeof value === "object") {
+        return new runtime_1.SigningConfigClass(value);
+    }
+    return new runtime_1.SigningConfigClass();
+}
+async function resolveCertificateMaterial() {
+    const certificatePem = await resolvePemFromEnvironment("FAME_NODE_CERT_PEM", "FAME_NODE_CERT_FILE");
+    if (!certificatePem) {
+        return null;
+    }
+    const certificateChainPem = await resolvePemFromEnvironment("FAME_NODE_CERT_CHAIN_PEM", "FAME_NODE_CERT_CHAIN_FILE");
+    return {
+        certificatePem,
+        certificateChainPem,
+    };
+}
+async function resolvePemFromEnvironment(envVar, fileVar) {
+    if (!hasProcessEnv()) {
+        return null;
+    }
+    const inlineValue = process.env?.[envVar];
+    if (inlineValue && inlineValue.trim().length > 0) {
+        return normalizePem(inlineValue);
+    }
+    const filePath = process.env?.[fileVar];
+    if (!filePath || filePath.trim().length === 0) {
+        return null;
+    }
+    if (!isNodeProcess()) {
+        logger.debug("pem_file_unavailable_in_browser", {
+            env_var: fileVar,
+        });
+        return null;
+    }
+    try {
+        const fs = await Promise.resolve().then(() => __importStar(require("node:fs/promises")));
+        const content = await fs.readFile(filePath, "utf8");
+        return normalizePem(content);
+    }
+    catch (error) {
+        logger.warning("failed_to_read_certificate_file", {
+            file: filePath,
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return null;
+    }
+}
+function normalizePem(value) {
+    return value.replace(/\r/g, "").trim();
+}
+function hasProcessEnv() {
+    return typeof process !== "undefined" && !!process?.env;
+}
+function isNodeProcess() {
+    return (typeof process !== "undefined" &&
+        typeof process.versions === "object" &&
+        typeof process.versions?.node === "string");
+}
+function providerHasCertificate(provider) {
+    if (typeof provider.hasCertificate === "function") {
+        try {
+            return Boolean(provider.hasCertificate());
+        }
+        catch (error) {
+            logger.debug("has_certificate_check_failed", {
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    if (typeof provider.nodeCertificatePem === "function") {
+        try {
+            return Boolean(provider.nodeCertificatePem());
+        }
+        catch (error) {
+            logger.debug("node_certificate_check_failed", {
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    return false;
+}
+function storeCertificateMaterial(provider, material) {
+    if (typeof provider.storeSignedCertificate !== "function") {
+        return false;
+    }
+    try {
+        provider.storeSignedCertificate(material.certificatePem, material.certificateChainPem);
+        return true;
+    }
+    catch (error) {
+        logger.warning("failed_to_store_certificate", {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return false;
+    }
+}
+function readFrameValue(frame, ...keys) {
+    const record = frame;
+    for (const key of keys) {
+        if (Object.prototype.hasOwnProperty.call(record, key)) {
+            const value = record[key];
+            if (value !== undefined && value !== null) {
+                return value;
+            }
+        }
+    }
+    return null;
+}
+function readFrameString(frame, ...keys) {
+    const value = readFrameValue(frame, ...keys);
+    if (typeof value === "string" && value.length > 0) {
+        return value;
+    }
+    return null;
+}
+function readRecordString(source, ...keys) {
+    for (const key of keys) {
+        const value = source[key];
+        if (typeof value === "string" && value.length > 0) {
+            return value;
+        }
+    }
+    return null;
+}
+function readGrantAuthConfig(source) {
+    const candidate = source.auth ??
+        source.authConfig ??
+        source.auth_config ??
+        source.authentication ??
+        source.authenticationConfig ??
+        source.authentication_config ??
+        null;
+    if (!candidate || typeof candidate !== "object") {
+        return null;
+    }
+    return candidate;
+}
+function normalizeAuthConfig(candidate) {
+    if (!candidate || typeof candidate !== "object") {
+        return null;
+    }
+    const normalized = candidate;
+    if (!normalized.type || typeof normalized.type !== "string") {
+        logger.warning("auth_strategy_missing_type", {
+            provided_keys: Object.keys(candidate),
+        });
+        return null;
+    }
+    return normalized;
+}
+async function resolveTrustStorePem() {
+    if (!hasProcessEnv()) {
+        return null;
+    }
+    const rawValue = process.env?.[ENV_VAR_FAME_CA_CERTS];
+    if (!rawValue || rawValue.trim().length === 0) {
+        return null;
+    }
+    if (rawValue.trim().startsWith("-----BEGIN")) {
+        return rawValue.replace(/\r/g, "").trim();
+    }
+    if (!isNodeProcess()) {
+        logger.debug("trust_store_file_unavailable_in_browser", {
+            env_var: ENV_VAR_FAME_CA_CERTS,
+        });
+        return null;
+    }
+    const filePath = rawValue.trim();
+    try {
+        const fs = await Promise.resolve().then(() => __importStar(require("node:fs/promises")));
+        const content = await fs.readFile(filePath, "utf8");
+        return content.replace(/\r/g, "").trim();
+    }
+    catch (error) {
+        logger.error("failed_to_read_trust_store", {
+            file: filePath,
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return null;
+    }
+}
+exports.default = DefaultCertificateManager;
+//# sourceMappingURL=default-certificate-manager.js.map