@naylence/advanced-security 0.3.7-test.119 → 0.3.7-test.121
- package/dist/browser/index.cjs +325 -326
- package/dist/browser/index.mjs +325 -326
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/cjs/version.js +2 -2
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/esm/version.js +2 -2
- package/dist/node/index.cjs +325 -326
- package/dist/node/index.mjs +325 -326
- package/dist/node/node.cjs +326 -327
- package/dist/node/node.mjs +326 -327
- package/dist/types/naylence/fame/security/cert/trust-store/http-bundle-provider.d.ts.map +1 -1
- package/dist/types/version.d.ts +1 -1
- package/package.json +2 -2
package/dist/node/index.mjs
@@ -18,14 +18,14 @@ import { X509Certificate } from '@peculiar/x509';
|
|
|
18
18
|
import { getLogger, secureDigest as secureDigest$1, validateHostLogical, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, SigningConfigClass as SigningConfigClass$1 } from '@naylence/runtime/node';
|
|
19
19
|
|
|
20
20
|
// This file is auto-generated during build - do not edit manually
|
|
21
|
-
// Generated from package.json version: 0.3.7-test.
|
|
21
|
+
// Generated from package.json version: 0.3.7-test.121
|
|
22
22
|
/**
|
|
23
23
|
* The package version, injected at build time.
|
|
24
24
|
* @internal
|
|
25
25
|
*/
|
|
26
|
-
const VERSION = '0.3.7-test.
|
|
26
|
+
const VERSION = '0.3.7-test.121';
|
|
27
27
|
|
|
28
|
-
const logger$
|
|
28
|
+
const logger$h = getLogger("naylence.fame.security.cert.util");
|
|
29
29
|
const CACHE_LIMIT = 512;
|
|
30
30
|
const OID_ED25519 = "1.3.101.112";
|
|
31
31
|
const textEncoder = new TextEncoder();
|
|
@@ -39,7 +39,7 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
39
39
|
const trustStorePem = normalizeTrustStoreOption(options.trustStorePem ?? null);
|
|
40
40
|
const returnCertificate = options.returnCertificate ?? false;
|
|
41
41
|
const { parsed, chainBytes } = parseCertificateChain(x5c);
|
|
42
|
-
logger$
|
|
42
|
+
logger$h.debug("public_key_from_x5c_called", {
|
|
43
43
|
call_id: callId,
|
|
44
44
|
x5c_count: parsed.length,
|
|
45
45
|
enforce_name_constraints: enforceNameConstraints,
|
|
@@ -51,13 +51,13 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
51
51
|
cacheKey = buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints);
|
|
52
52
|
const cached = getCachedPublicKey(cacheKey);
|
|
53
53
|
if (cached) {
|
|
54
|
-
logger$
|
|
54
|
+
logger$h.debug("certificate_cache_hit", {
|
|
55
55
|
call_id: callId,
|
|
56
56
|
cache_key: cacheKey,
|
|
57
57
|
});
|
|
58
58
|
return cached;
|
|
59
59
|
}
|
|
60
|
-
logger$
|
|
60
|
+
logger$h.debug("certificate_cache_miss", {
|
|
61
61
|
call_id: callId,
|
|
62
62
|
cache_key: cacheKey,
|
|
63
63
|
});
|
|
@@ -228,13 +228,13 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
228
228
|
if (trustedCerts.length === 0) {
|
|
229
229
|
throw new Error("No valid certificates found in trust store");
|
|
230
230
|
}
|
|
231
|
-
logger$
|
|
231
|
+
logger$h.debug("trust_anchor_validation_start", {
|
|
232
232
|
chain_length: chain.length,
|
|
233
233
|
trust_store_cert_count: trustedCerts.length,
|
|
234
234
|
});
|
|
235
235
|
const chainInfo = chain.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
236
236
|
const trustedInfo = trustedCerts.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
237
|
-
logger$
|
|
237
|
+
logger$h.debug("certificate_chain_validation", {
|
|
238
238
|
chain_certificates: chainInfo,
|
|
239
239
|
trust_store_certificates: trustedInfo,
|
|
240
240
|
});
|
|
@@ -244,7 +244,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
244
244
|
const match = trustedCerts.find((trusted) => trusted.serialNumber === cert.serialNumber &&
|
|
245
245
|
namesEqual(trusted.certificate.tbsCertificate.subject, cert.certificate.tbsCertificate.subject));
|
|
246
246
|
if (match) {
|
|
247
|
-
logger$
|
|
247
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
248
248
|
matching_serial: match.serialNumber,
|
|
249
249
|
validation_strategy: `direct_trust_cert_${i}`,
|
|
250
250
|
});
|
|
@@ -257,7 +257,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
257
257
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, leaf.certificate.tbsCertificate.issuer) &&
|
|
258
258
|
trusted.serialNumber !== leaf.serialNumber) {
|
|
259
259
|
verifyCertificateSignature(leaf.certificate, trusted.certificate);
|
|
260
|
-
logger$
|
|
260
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
261
261
|
matching_serial: trusted.serialNumber,
|
|
262
262
|
validation_strategy: "leaf_issuer_trust",
|
|
263
263
|
});
|
|
@@ -271,7 +271,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
271
271
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, intermediate.certificate.tbsCertificate.issuer) &&
|
|
272
272
|
trusted.serialNumber !== intermediate.serialNumber) {
|
|
273
273
|
verifyCertificateSignature(intermediate.certificate, trusted.certificate);
|
|
274
|
-
logger$
|
|
274
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
275
275
|
matching_serial: trusted.serialNumber,
|
|
276
276
|
validation_strategy: `intermediate_issuer_trust_cert_${index}`,
|
|
277
277
|
});
|
|
@@ -279,7 +279,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
279
279
|
}
|
|
280
280
|
}
|
|
281
281
|
}
|
|
282
|
-
logger$
|
|
282
|
+
logger$h.warning("certificate_chain_trust_validation_failed", {
|
|
283
283
|
leaf_subject: leaf.subjectName,
|
|
284
284
|
leaf_issuer: leaf.issuerName,
|
|
285
285
|
leaf_serial: leaf.serialNumber,
|
|
@@ -301,7 +301,7 @@ function parseTrustStore(trustStorePem) {
|
|
|
301
301
|
}
|
|
302
302
|
catch (error) {
|
|
303
303
|
const reason = error instanceof Error ? error.message : String(error);
|
|
304
|
-
logger$
|
|
304
|
+
logger$h.debug("trust_store_certificate_parse_failed", { reason });
|
|
305
305
|
}
|
|
306
306
|
}
|
|
307
307
|
return parsed;
|
|
@@ -321,12 +321,12 @@ function validateChainContinuity(chain) {
|
|
|
321
321
|
if (chain.length <= 1) {
|
|
322
322
|
return;
|
|
323
323
|
}
|
|
324
|
-
logger$
|
|
324
|
+
logger$h.debug("validating_chain_continuity", { chain_length: chain.length });
|
|
325
325
|
for (let index = 0; index < chain.length - 1; index += 1) {
|
|
326
326
|
const cert = chain[index];
|
|
327
327
|
const issuer = chain[index + 1];
|
|
328
328
|
if (!namesEqual(cert.certificate.tbsCertificate.issuer, issuer.certificate.tbsCertificate.subject)) {
|
|
329
|
-
logger$
|
|
329
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
330
330
|
cert_index: index,
|
|
331
331
|
cert_subject: cert.subjectName,
|
|
332
332
|
cert_issuer: cert.issuerName,
|
|
@@ -337,7 +337,7 @@ function validateChainContinuity(chain) {
|
|
|
337
337
|
}
|
|
338
338
|
try {
|
|
339
339
|
verifyCertificateSignature(cert.certificate, issuer.certificate);
|
|
340
|
-
logger$
|
|
340
|
+
logger$h.debug("chain_continuity_verification_success", {
|
|
341
341
|
cert_index: index,
|
|
342
342
|
cert_serial: cert.serialNumber,
|
|
343
343
|
issuer_serial: issuer.serialNumber,
|
|
@@ -345,7 +345,7 @@ function validateChainContinuity(chain) {
|
|
|
345
345
|
}
|
|
346
346
|
catch (error) {
|
|
347
347
|
const reason = error instanceof Error ? error.message : String(error);
|
|
348
|
-
logger$
|
|
348
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
349
349
|
cert_index: index,
|
|
350
350
|
cert_subject: cert.subjectName,
|
|
351
351
|
issuer_subject: issuer.subjectName,
|
|
@@ -357,7 +357,7 @@ function validateChainContinuity(chain) {
|
|
|
357
357
|
throw new Error(`Certificate chain continuity broken: certificate at index ${index} was not signed by certificate at index ${index + 1}: ${reason}`);
|
|
358
358
|
}
|
|
359
359
|
}
|
|
360
|
-
logger$
|
|
360
|
+
logger$h.debug("chain_continuity_validation_passed", {
|
|
361
361
|
chain_length: chain.length,
|
|
362
362
|
});
|
|
363
363
|
}
|
|
@@ -491,7 +491,7 @@ function getCachedPublicKey(cacheKey) {
|
|
|
491
491
|
}
|
|
492
492
|
if (Date.now() > entry.expiresAt) {
|
|
493
493
|
trustCache.delete(cacheKey);
|
|
494
|
-
logger$
|
|
494
|
+
logger$h.debug("certificate_cache_expired", { cache_key: cacheKey });
|
|
495
495
|
return null;
|
|
496
496
|
}
|
|
497
497
|
return entry.value.slice();
|
|
@@ -503,13 +503,13 @@ function setCachedPublicKey(cacheKey, value, notAfter) {
|
|
|
503
503
|
break;
|
|
504
504
|
}
|
|
505
505
|
trustCache.delete(firstKey);
|
|
506
|
-
logger$
|
|
506
|
+
logger$h.debug("certificate_cache_evicted", { cache_key: firstKey });
|
|
507
507
|
}
|
|
508
508
|
trustCache.set(cacheKey, {
|
|
509
509
|
value: value.slice(),
|
|
510
510
|
expiresAt: notAfter.getTime(),
|
|
511
511
|
});
|
|
512
|
-
logger$
|
|
512
|
+
logger$h.debug("certificate_cache_stored", {
|
|
513
513
|
cache_key: cacheKey,
|
|
514
514
|
expires_at: notAfter.toISOString(),
|
|
515
515
|
cache_size: trustCache.size,
|
|
@@ -689,7 +689,7 @@ const NODE_ID_OID = "1.3.6.1.4.1.58530.4";
|
|
|
689
689
|
* Provides async HTTP client to request certificates from the CA signing service.
|
|
690
690
|
*/
|
|
691
691
|
// Simple logger for now - TODO: integrate with runtime logging
|
|
692
|
-
const logger$
|
|
692
|
+
const logger$g = {
|
|
693
693
|
debug: (_event, _meta) => {
|
|
694
694
|
// console.log(`[DEBUG] ${event}`, meta);
|
|
695
695
|
},
|
|
@@ -1161,13 +1161,13 @@ class CAServiceClient {
|
|
|
1161
1161
|
const result = await response.json();
|
|
1162
1162
|
const certificatePem = result.certificate_pem;
|
|
1163
1163
|
const certificateChainPem = result.certificate_chain_pem || certificatePem;
|
|
1164
|
-
logger$
|
|
1164
|
+
logger$g.debug("certificate_request_successful", {
|
|
1165
1165
|
requester_id: requesterId,
|
|
1166
1166
|
expires_at: result.expires_at,
|
|
1167
1167
|
});
|
|
1168
1168
|
// Extract and log certificate information with structured logging
|
|
1169
1169
|
const certInfo = extractCertificateInfo(certificatePem);
|
|
1170
|
-
logger$
|
|
1170
|
+
logger$g.debug("certificate_details", {
|
|
1171
1171
|
requester_id: requesterId,
|
|
1172
1172
|
certificate_type: "issued_certificate",
|
|
1173
1173
|
...certInfo,
|
|
@@ -1186,7 +1186,7 @@ class CAServiceClient {
|
|
|
1186
1186
|
// First cert in chain is usually the issued certificate
|
|
1187
1187
|
if (certPemBlock.trim() !== certificatePem.trim()) {
|
|
1188
1188
|
const chainCertInfo = extractCertificateInfo(certPemBlock);
|
|
1189
|
-
logger$
|
|
1189
|
+
logger$g.debug("certificate_chain_details", {
|
|
1190
1190
|
requester_id: requesterId,
|
|
1191
1191
|
certificate_type: "certificate_chain",
|
|
1192
1192
|
chain_index: i,
|
|
@@ -1197,7 +1197,7 @@ class CAServiceClient {
|
|
|
1197
1197
|
else {
|
|
1198
1198
|
// Subsequent certs are intermediate/root CAs
|
|
1199
1199
|
const caCertInfo = extractCertificateInfo(certPemBlock);
|
|
1200
|
-
logger$
|
|
1200
|
+
logger$g.debug("certificate_chain_details", {
|
|
1201
1201
|
requester_id: requesterId,
|
|
1202
1202
|
certificate_type: "ca_certificate",
|
|
1203
1203
|
chain_index: i,
|
|
@@ -1225,7 +1225,7 @@ class CAServiceClient {
|
|
|
1225
1225
|
// Body read failed entirely
|
|
1226
1226
|
errorDetail = `HTTP ${response.status}`;
|
|
1227
1227
|
}
|
|
1228
|
-
logger$
|
|
1228
|
+
logger$g.error("certificate_request_failed", {
|
|
1229
1229
|
requester_id: requesterId,
|
|
1230
1230
|
status_code: response.status,
|
|
1231
1231
|
error: errorDetail,
|
|
@@ -1242,13 +1242,13 @@ class CAServiceClient {
|
|
|
1242
1242
|
throw error;
|
|
1243
1243
|
}
|
|
1244
1244
|
if (error instanceof Error && error.name === "AbortError") {
|
|
1245
|
-
logger$
|
|
1245
|
+
logger$g.error("certificate_request_timeout", {
|
|
1246
1246
|
requester_id: requesterId,
|
|
1247
1247
|
timeout_seconds: this.timeoutSeconds,
|
|
1248
1248
|
});
|
|
1249
1249
|
throw new CertificateRequestError(`Certificate request timed out after ${this.timeoutSeconds} seconds`);
|
|
1250
1250
|
}
|
|
1251
|
-
logger$
|
|
1251
|
+
logger$g.error("certificate_request_network_error", {
|
|
1252
1252
|
requester_id: requesterId,
|
|
1253
1253
|
error: String(error),
|
|
1254
1254
|
});
|
|
@@ -1257,7 +1257,7 @@ class CAServiceClient {
|
|
|
1257
1257
|
}
|
|
1258
1258
|
}
|
|
1259
1259
|
|
|
1260
|
-
const logger$
|
|
1260
|
+
const logger$f = getLogger$1("naylence.fame.security.encryption.sealed.x25519_encryption_manager");
|
|
1261
1261
|
class X25519EncryptionManager {
|
|
1262
1262
|
constructor({ keyProvider, nodeLike = null, cryptoProvider = null, }) {
|
|
1263
1263
|
this.pendingEnvelopes = new Map();
|
|
@@ -1274,7 +1274,7 @@ class X25519EncryptionManager {
|
|
|
1274
1274
|
// KeyManagementHandler will queue the envelope and send KeyRequest.
|
|
1275
1275
|
// X25519 should NOT queue here to avoid dual queueing.
|
|
1276
1276
|
if (opts?.requestAddress) {
|
|
1277
|
-
logger$
|
|
1277
|
+
logger$f.debug("key_not_found_delegating_to_key_management", {
|
|
1278
1278
|
envelope_id: envelope.id,
|
|
1279
1279
|
request_address: String(opts.requestAddress),
|
|
1280
1280
|
});
|
|
@@ -1290,7 +1290,7 @@ class X25519EncryptionManager {
|
|
|
1290
1290
|
return await this.encryptWithKey(envelope, recipPub, recipKid);
|
|
1291
1291
|
}
|
|
1292
1292
|
catch (error) {
|
|
1293
|
-
logger$
|
|
1293
|
+
logger$f.error("x25519_encryption_failed", {
|
|
1294
1294
|
error: error instanceof Error ? error.message : String(error),
|
|
1295
1295
|
});
|
|
1296
1296
|
return EncryptionResult.skipped(envelope);
|
|
@@ -1328,20 +1328,20 @@ class X25519EncryptionManager {
|
|
|
1328
1328
|
return envelope;
|
|
1329
1329
|
}
|
|
1330
1330
|
catch (error) {
|
|
1331
|
-
logger$
|
|
1331
|
+
logger$f.error("x25519_decryption_failed", {
|
|
1332
1332
|
error: error instanceof Error ? error.message : String(error),
|
|
1333
1333
|
});
|
|
1334
1334
|
return envelope;
|
|
1335
1335
|
}
|
|
1336
1336
|
}
|
|
1337
1337
|
async notifyKeyAvailable(keyId) {
|
|
1338
|
-
logger$
|
|
1338
|
+
logger$f.debug("x25519_notify_key_available_called", {
|
|
1339
1339
|
key_id: keyId,
|
|
1340
1340
|
pending_keys: Array.from(this.pendingEnvelopes.keys()),
|
|
1341
1341
|
});
|
|
1342
1342
|
const queued = this.pendingEnvelopes.get(keyId);
|
|
1343
1343
|
if (!queued || queued.length === 0) {
|
|
1344
|
-
logger$
|
|
1344
|
+
logger$f.debug("no_queued_envelopes_for_key", {
|
|
1345
1345
|
key_id: keyId,
|
|
1346
1346
|
has_queue: this.pendingEnvelopes.has(keyId),
|
|
1347
1347
|
queue_length: queued?.length ?? 0,
|
|
@@ -1353,13 +1353,13 @@ class X25519EncryptionManager {
|
|
|
1353
1353
|
this.keyRequestsInProgress.delete(keyId);
|
|
1354
1354
|
const node = this.nodeLike;
|
|
1355
1355
|
if (!node) {
|
|
1356
|
-
logger$
|
|
1356
|
+
logger$f.debug("discarding_queued_envelopes_no_node", {
|
|
1357
1357
|
key_id: keyId,
|
|
1358
1358
|
count: queued.length,
|
|
1359
1359
|
});
|
|
1360
1360
|
return;
|
|
1361
1361
|
}
|
|
1362
|
-
logger$
|
|
1362
|
+
logger$f.debug("replaying_envelopes_for_key", {
|
|
1363
1363
|
key_id: keyId,
|
|
1364
1364
|
count: queued.length,
|
|
1365
1365
|
});
|
|
@@ -1368,7 +1368,7 @@ class X25519EncryptionManager {
|
|
|
1368
1368
|
await node.deliver(envelope);
|
|
1369
1369
|
}
|
|
1370
1370
|
catch (error) {
|
|
1371
|
-
logger$
|
|
1371
|
+
logger$f.error("failed_to_replay_envelope", {
|
|
1372
1372
|
key_id: keyId,
|
|
1373
1373
|
envelope_id: envelope.id,
|
|
1374
1374
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -1469,7 +1469,7 @@ class X25519EncryptionManager {
|
|
|
1469
1469
|
? this.extractPrivateKeyFromRecord(providerRecord)
|
|
1470
1470
|
: null;
|
|
1471
1471
|
if (providerRecordKey) {
|
|
1472
|
-
logger$
|
|
1472
|
+
logger$f.debug("using_provider_key_record_private_key", {
|
|
1473
1473
|
kid,
|
|
1474
1474
|
provider_key_id: providerKeyId,
|
|
1475
1475
|
mismatched_kid: kid && providerKeyId !== kid ? kid : null,
|
|
@@ -1479,7 +1479,7 @@ class X25519EncryptionManager {
|
|
|
1479
1479
|
}
|
|
1480
1480
|
if (!providerPem) {
|
|
1481
1481
|
if (kid && providerKeyId && providerKeyId !== kid) {
|
|
1482
|
-
logger$
|
|
1482
|
+
logger$f.debug("crypto_provider_key_id_mismatch_no_private_key", {
|
|
1483
1483
|
kid,
|
|
1484
1484
|
provider_key_id: providerKeyId,
|
|
1485
1485
|
});
|
|
@@ -1491,13 +1491,13 @@ class X25519EncryptionManager {
|
|
|
1491
1491
|
return null;
|
|
1492
1492
|
}
|
|
1493
1493
|
if (!kid || providerKeyId === kid) {
|
|
1494
|
-
logger$
|
|
1494
|
+
logger$f.debug("using_crypto_provider_private_key_fallback", {
|
|
1495
1495
|
kid: kid ?? null,
|
|
1496
1496
|
provider_key_id: providerKeyId,
|
|
1497
1497
|
});
|
|
1498
1498
|
}
|
|
1499
1499
|
else {
|
|
1500
|
-
logger$
|
|
1500
|
+
logger$f.warning("crypto_provider_key_id_mismatch_using_private_key", {
|
|
1501
1501
|
kid,
|
|
1502
1502
|
provider_key_id: providerKeyId,
|
|
1503
1503
|
key_record_present: Boolean(record),
|
|
@@ -1506,7 +1506,7 @@ class X25519EncryptionManager {
|
|
|
1506
1506
|
return fallbackKey;
|
|
1507
1507
|
}
|
|
1508
1508
|
async queueEnvelopeForKey(envelope, opts, recipientKeyId) {
|
|
1509
|
-
logger$
|
|
1509
|
+
logger$f.debug("queueing_envelope_for_sealed_encryption", {
|
|
1510
1510
|
envelope_id: envelope.id,
|
|
1511
1511
|
recipient_key_id: recipientKeyId,
|
|
1512
1512
|
request_address: opts?.requestAddress
|
|
@@ -1554,7 +1554,7 @@ class X25519EncryptionManager {
|
|
|
1554
1554
|
await node.deliver(keyRequestEnvelope, context);
|
|
1555
1555
|
}
|
|
1556
1556
|
catch (error) {
|
|
1557
|
-
logger$
|
|
1557
|
+
logger$f.error("failed_to_request_recipient_key", {
|
|
1558
1558
|
recipient_key_id: recipientKeyId,
|
|
1559
1559
|
error: error instanceof Error ? error.message : String(error),
|
|
1560
1560
|
});
|
|
@@ -1567,7 +1567,7 @@ class X25519EncryptionManager {
|
|
|
1567
1567
|
return this.extractPublicKeyFromRecord(record);
|
|
1568
1568
|
}
|
|
1569
1569
|
catch (error) {
|
|
1570
|
-
logger$
|
|
1570
|
+
logger$f.debug("recipient_key_lookup_failed", {
|
|
1571
1571
|
kid,
|
|
1572
1572
|
error: error instanceof Error ? error.message : String(error),
|
|
1573
1573
|
});
|
|
@@ -1582,7 +1582,7 @@ class X25519EncryptionManager {
|
|
|
1582
1582
|
return await this.keyProvider.getKey(kid);
|
|
1583
1583
|
}
|
|
1584
1584
|
catch (error) {
|
|
1585
|
-
logger$
|
|
1585
|
+
logger$f.debug("private_key_lookup_failed", {
|
|
1586
1586
|
kid,
|
|
1587
1587
|
error: error instanceof Error ? error.message : String(error),
|
|
1588
1588
|
});
|
|
@@ -1653,7 +1653,7 @@ class X25519EncryptionManager {
|
|
|
1653
1653
|
const base64 = base64Lines.join("");
|
|
1654
1654
|
const der = this.decodeBase64Flexible(base64);
|
|
1655
1655
|
if (!der) {
|
|
1656
|
-
logger$
|
|
1656
|
+
logger$f.debug("pem_decode_failed", {
|
|
1657
1657
|
key_type: keyType,
|
|
1658
1658
|
});
|
|
1659
1659
|
return null;
|
|
@@ -1886,7 +1886,7 @@ var index$1 = /*#__PURE__*/Object.freeze({
|
|
|
1886
1886
|
X25519EncryptionManagerFactory: X25519EncryptionManagerFactory
|
|
1887
1887
|
});
|
|
1888
1888
|
|
|
1889
|
-
const logger$
|
|
1889
|
+
const logger$e = getLogger$1("naylence.fame.security.encryption.channel.channel_encryption_manager");
|
|
1890
1890
|
const SUPPORTED_CHANNEL_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
1891
1891
|
const CHANNEL_ENCRYPTION_ALGORITHM = "chacha20-poly1305-channel";
|
|
1892
1892
|
const HANDSHAKE_ALGORITHM = "CHACHA20P1305";
|
|
@@ -2037,13 +2037,13 @@ class ChannelEncryptionManager {
|
|
|
2037
2037
|
const destination = opts?.destination ?? envelope.to ?? null;
|
|
2038
2038
|
const destinationStr = toDestinationString(destination);
|
|
2039
2039
|
if (!destinationStr) {
|
|
2040
|
-
logger$
|
|
2040
|
+
logger$e.warning("no_destination_for_channel_encryption", {
|
|
2041
2041
|
envelope_id: envelope.id,
|
|
2042
2042
|
});
|
|
2043
2043
|
return EncryptionResult.skipped(envelope);
|
|
2044
2044
|
}
|
|
2045
2045
|
if (!this.secureChannelManager) {
|
|
2046
|
-
logger$
|
|
2046
|
+
logger$e.warning("no_secure_channel_manager_available", {
|
|
2047
2047
|
envelope_id: envelope.id,
|
|
2048
2048
|
});
|
|
2049
2049
|
return EncryptionResult.skipped(envelope);
|
|
@@ -2054,7 +2054,7 @@ class ChannelEncryptionManager {
|
|
|
2054
2054
|
return this.encryptWithChannel(envelope, existingChannelId);
|
|
2055
2055
|
}
|
|
2056
2056
|
catch (error) {
|
|
2057
|
-
logger$
|
|
2057
|
+
logger$e.error("channel_encryption_failed", {
|
|
2058
2058
|
error: error instanceof Error ? error.message : String(error),
|
|
2059
2059
|
channel_id: existingChannelId,
|
|
2060
2060
|
});
|
|
@@ -2081,35 +2081,35 @@ class ChannelEncryptionManager {
|
|
|
2081
2081
|
}
|
|
2082
2082
|
const channelId = encHeader.kid;
|
|
2083
2083
|
if (!channelId) {
|
|
2084
|
-
logger$
|
|
2084
|
+
logger$e.error("missing_channel_id_in_encryption_header", {
|
|
2085
2085
|
envelope_id: envelope.id,
|
|
2086
2086
|
});
|
|
2087
2087
|
return envelope;
|
|
2088
2088
|
}
|
|
2089
2089
|
const nonce = this.decodeNonceValue(encHeader.val ?? "");
|
|
2090
2090
|
if (!nonce) {
|
|
2091
|
-
logger$
|
|
2091
|
+
logger$e.error("invalid_nonce_in_encryption_header", {
|
|
2092
2092
|
envelope_id: envelope.id,
|
|
2093
2093
|
value_present: Boolean(encHeader.val),
|
|
2094
2094
|
});
|
|
2095
2095
|
return envelope;
|
|
2096
2096
|
}
|
|
2097
2097
|
if (!this.secureChannelManager) {
|
|
2098
|
-
logger$
|
|
2098
|
+
logger$e.warning("no_secure_channel_manager_for_decryption", {
|
|
2099
2099
|
envelope_id: envelope.id,
|
|
2100
2100
|
});
|
|
2101
2101
|
return envelope;
|
|
2102
2102
|
}
|
|
2103
2103
|
const channelState = this.getChannelState(channelId);
|
|
2104
2104
|
if (!channelState) {
|
|
2105
|
-
logger$
|
|
2105
|
+
logger$e.error("channel_not_available_for_decryption", {
|
|
2106
2106
|
channel_id: channelId,
|
|
2107
2107
|
});
|
|
2108
2108
|
return envelope;
|
|
2109
2109
|
}
|
|
2110
2110
|
const ciphertext = this.extractCiphertext(frame.payload);
|
|
2111
2111
|
if (!ciphertext) {
|
|
2112
|
-
logger$
|
|
2112
|
+
logger$e.error("invalid_ciphertext_payload", { envelope_id: envelope.id });
|
|
2113
2113
|
return envelope;
|
|
2114
2114
|
}
|
|
2115
2115
|
try {
|
|
@@ -2134,7 +2134,7 @@ class ChannelEncryptionManager {
|
|
|
2134
2134
|
return envelope;
|
|
2135
2135
|
}
|
|
2136
2136
|
catch (error) {
|
|
2137
|
-
logger$
|
|
2137
|
+
logger$e.error("channel_decryption_failed", {
|
|
2138
2138
|
channel_id: channelId,
|
|
2139
2139
|
error: error instanceof Error ? error.message : String(error),
|
|
2140
2140
|
});
|
|
@@ -2142,24 +2142,24 @@ class ChannelEncryptionManager {
|
|
|
2142
2142
|
}
|
|
2143
2143
|
}
|
|
2144
2144
|
async notifyChannelEstablished(channelId) {
|
|
2145
|
-
logger$
|
|
2145
|
+
logger$e.debug("channel_encryption_manager_notified", {
|
|
2146
2146
|
channel_id: channelId,
|
|
2147
2147
|
manager_type: "channel",
|
|
2148
2148
|
});
|
|
2149
2149
|
if (!channelId.startsWith("auto-")) {
|
|
2150
|
-
logger$
|
|
2150
|
+
logger$e.warning("unexpected_channel_id_format", { channel_id: channelId });
|
|
2151
2151
|
return;
|
|
2152
2152
|
}
|
|
2153
2153
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2154
2154
|
if (!destinationStr) {
|
|
2155
|
-
logger$
|
|
2155
|
+
logger$e.warning("cannot_parse_destination_from_channel_id", {
|
|
2156
2156
|
channel_id: channelId,
|
|
2157
2157
|
});
|
|
2158
2158
|
return;
|
|
2159
2159
|
}
|
|
2160
2160
|
this.handshakeInProgress.delete(destinationStr);
|
|
2161
2161
|
if (!this.pendingEnvelopes.has(destinationStr)) {
|
|
2162
|
-
logger$
|
|
2162
|
+
logger$e.debug("no_pending_queue_for_destination", {
|
|
2163
2163
|
destination: destinationStr,
|
|
2164
2164
|
});
|
|
2165
2165
|
return;
|
|
@@ -2167,7 +2167,7 @@ class ChannelEncryptionManager {
|
|
|
2167
2167
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2168
2168
|
this.pendingEnvelopes.delete(destinationStr);
|
|
2169
2169
|
if (!this.secureChannelManager) {
|
|
2170
|
-
logger$
|
|
2170
|
+
logger$e.error("no_secure_channel_manager_for_queue_drain", {
|
|
2171
2171
|
channel_id: channelId,
|
|
2172
2172
|
});
|
|
2173
2173
|
return;
|
|
@@ -2176,7 +2176,7 @@ class ChannelEncryptionManager {
|
|
|
2176
2176
|
try {
|
|
2177
2177
|
const result = this.encryptWithChannel(envelope, channelId);
|
|
2178
2178
|
if (!result.envelope) {
|
|
2179
|
-
logger$
|
|
2179
|
+
logger$e.warning("failed_to_encrypt_queued_envelope", {
|
|
2180
2180
|
envelope_id: envelope.id,
|
|
2181
2181
|
channel_id: channelId,
|
|
2182
2182
|
});
|
|
@@ -2186,7 +2186,7 @@ class ChannelEncryptionManager {
|
|
|
2186
2186
|
this.runAsyncTask(() => this.deliverEnvelope(encryptedEnvelope), `deliver-queued-${envelope.id}`);
|
|
2187
2187
|
}
|
|
2188
2188
|
catch (error) {
|
|
2189
|
-
logger$
|
|
2189
|
+
logger$e.error("failed_to_encrypt_queued_envelope", {
|
|
2190
2190
|
envelope_id: envelope.id,
|
|
2191
2191
|
error: error instanceof Error ? error.message : String(error),
|
|
2192
2192
|
});
|
|
@@ -2194,19 +2194,19 @@ class ChannelEncryptionManager {
|
|
|
2194
2194
|
}
|
|
2195
2195
|
}
|
|
2196
2196
|
async notifyChannelFailed(channelId, reason = "handshake_failed") {
|
|
2197
|
-
logger$
|
|
2197
|
+
logger$e.debug("channel_encryption_manager_notified_failure", {
|
|
2198
2198
|
channel_id: channelId,
|
|
2199
2199
|
reason,
|
|
2200
2200
|
});
|
|
2201
2201
|
if (!channelId.startsWith("auto-")) {
|
|
2202
|
-
logger$
|
|
2202
|
+
logger$e.warning("unexpected_channel_id_format_on_failure", {
|
|
2203
2203
|
channel_id: channelId,
|
|
2204
2204
|
});
|
|
2205
2205
|
return;
|
|
2206
2206
|
}
|
|
2207
2207
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2208
2208
|
if (!destinationStr) {
|
|
2209
|
-
logger$
|
|
2209
|
+
logger$e.warning("cannot_parse_destination_from_channel_id_on_failure", {
|
|
2210
2210
|
channel_id: channelId,
|
|
2211
2211
|
});
|
|
2212
2212
|
return;
|
|
@@ -2216,14 +2216,14 @@ class ChannelEncryptionManager {
|
|
|
2216
2216
|
const cachedChannelId = this.addrChannelMap.get(destinationStr);
|
|
2217
2217
|
if (cachedChannelId === channelId) {
|
|
2218
2218
|
this.addrChannelMap.delete(destinationStr);
|
|
2219
|
-
logger$
|
|
2219
|
+
logger$e.debug("cleared_channel_cache_for_failed_channel", {
|
|
2220
2220
|
destination: destinationStr,
|
|
2221
2221
|
channel_id: channelId,
|
|
2222
2222
|
});
|
|
2223
2223
|
}
|
|
2224
2224
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr);
|
|
2225
2225
|
if (!queuedEnvelopes || queuedEnvelopes.length === 0) {
|
|
2226
|
-
logger$
|
|
2226
|
+
logger$e.debug("no_pending_queue_for_failed_destination", {
|
|
2227
2227
|
destination: destinationStr,
|
|
2228
2228
|
});
|
|
2229
2229
|
return;
|
|
@@ -2242,7 +2242,7 @@ class ChannelEncryptionManager {
|
|
|
2242
2242
|
const cached = this.addrChannelMap.get(destination);
|
|
2243
2243
|
if (cached) {
|
|
2244
2244
|
this.addrChannelMap.delete(destination);
|
|
2245
|
-
logger$
|
|
2245
|
+
logger$e.debug("cleared_channel_cache_for_destination", {
|
|
2246
2246
|
destination,
|
|
2247
2247
|
cached_channel_id: cached,
|
|
2248
2248
|
});
|
|
@@ -2260,14 +2260,14 @@ class ChannelEncryptionManager {
|
|
|
2260
2260
|
}
|
|
2261
2261
|
const cached = this.addrChannelMap.get(destination);
|
|
2262
2262
|
if (cached && this.getChannelState(cached)) {
|
|
2263
|
-
logger$
|
|
2263
|
+
logger$e.debug("using_cached_channel", { destination, channel_id: cached });
|
|
2264
2264
|
return cached;
|
|
2265
2265
|
}
|
|
2266
2266
|
const channels = this.secureChannelManager.channels;
|
|
2267
2267
|
for (const channelId of Object.keys(channels)) {
|
|
2268
2268
|
if (channelId.startsWith(`auto-${destination}-`)) {
|
|
2269
2269
|
this.addrChannelMap.set(destination, channelId);
|
|
2270
|
-
logger$
|
|
2270
|
+
logger$e.debug("using_existing_channel", {
|
|
2271
2271
|
destination,
|
|
2272
2272
|
channel_id: channelId,
|
|
2273
2273
|
});
|
|
@@ -2280,12 +2280,12 @@ class ChannelEncryptionManager {
|
|
|
2280
2280
|
const queue = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2281
2281
|
queue.push(envelope);
|
|
2282
2282
|
this.pendingEnvelopes.set(destinationStr, queue);
|
|
2283
|
-
logger$
|
|
2283
|
+
logger$e.debug("queued_envelope_for_channel_handshake", {
|
|
2284
2284
|
envelope_id: envelope.id,
|
|
2285
2285
|
destination: destinationStr,
|
|
2286
2286
|
});
|
|
2287
2287
|
if (this.handshakeInProgress.has(destinationStr)) {
|
|
2288
|
-
logger$
|
|
2288
|
+
logger$e.debug("handshake_already_in_progress", {
|
|
2289
2289
|
destination: destinationStr,
|
|
2290
2290
|
});
|
|
2291
2291
|
return;
|
|
@@ -2303,7 +2303,7 @@ class ChannelEncryptionManager {
|
|
|
2303
2303
|
}
|
|
2304
2304
|
async initiateChannelHandshakeAsync(destination, destinationStr, opts) {
|
|
2305
2305
|
if (!this.secureChannelManager) {
|
|
2306
|
-
logger$
|
|
2306
|
+
logger$e.error("no_secure_channel_manager_for_async_handshake_initiation");
|
|
2307
2307
|
return;
|
|
2308
2308
|
}
|
|
2309
2309
|
const channelId = this.generateChannelId(destinationStr);
|
|
@@ -2311,19 +2311,19 @@ class ChannelEncryptionManager {
|
|
|
2311
2311
|
const openFrame = this.secureChannelManager.generateOpenFrame(channelId, HANDSHAKE_ALGORITHM);
|
|
2312
2312
|
const success = await this.sendSecureOpenFrameAsync(openFrame, destination);
|
|
2313
2313
|
if (success) {
|
|
2314
|
-
logger$
|
|
2314
|
+
logger$e.debug("sent_secure_open_frame_async", {
|
|
2315
2315
|
channel_id: channelId,
|
|
2316
2316
|
destination: destinationStr,
|
|
2317
2317
|
});
|
|
2318
2318
|
}
|
|
2319
2319
|
else {
|
|
2320
|
-
logger$
|
|
2320
|
+
logger$e.warning("failed_to_send_secure_open_frame_async", {
|
|
2321
2321
|
channel_id: channelId,
|
|
2322
2322
|
});
|
|
2323
2323
|
}
|
|
2324
2324
|
}
|
|
2325
2325
|
catch (error) {
|
|
2326
|
-
logger$
|
|
2326
|
+
logger$e.error("async_channel_handshake_initiation_failed", {
|
|
2327
2327
|
destination: destinationStr,
|
|
2328
2328
|
error: error instanceof Error ? error.message : String(error),
|
|
2329
2329
|
});
|
|
@@ -2332,22 +2332,22 @@ class ChannelEncryptionManager {
|
|
|
2332
2332
|
async sendSecureOpenFrameAsync(openFrame, destination) {
|
|
2333
2333
|
const node = this.nodeLike;
|
|
2334
2334
|
if (!node) {
|
|
2335
|
-
logger$
|
|
2335
|
+
logger$e.error("no_node_available_for_sending_secure_open_async");
|
|
2336
2336
|
return false;
|
|
2337
2337
|
}
|
|
2338
2338
|
const envelopeFactory = node.envelopeFactory;
|
|
2339
2339
|
if (!envelopeFactory) {
|
|
2340
|
-
logger$
|
|
2340
|
+
logger$e.error("no_envelope_factory_available_for_secure_open_async");
|
|
2341
2341
|
return false;
|
|
2342
2342
|
}
|
|
2343
2343
|
const replyTo = this.buildSystemReplyTo();
|
|
2344
2344
|
if (!replyTo) {
|
|
2345
|
-
logger$
|
|
2345
|
+
logger$e.error("no_physical_path_available_for_reply_to_async");
|
|
2346
2346
|
return false;
|
|
2347
2347
|
}
|
|
2348
2348
|
const toAddress = toFameAddress(destination);
|
|
2349
2349
|
if (!toAddress) {
|
|
2350
|
-
logger$
|
|
2350
|
+
logger$e.error("invalid_destination_for_secure_open", {
|
|
2351
2351
|
destination: String(destination),
|
|
2352
2352
|
});
|
|
2353
2353
|
return false;
|
|
@@ -2359,7 +2359,7 @@ class ChannelEncryptionManager {
|
|
|
2359
2359
|
corrId: generateId(),
|
|
2360
2360
|
});
|
|
2361
2361
|
await this.deliverEnvelope(envelope);
|
|
2362
|
-
logger$
|
|
2362
|
+
logger$e.debug("delivered_secure_open_frame_async", {
|
|
2363
2363
|
channel_id: openFrame.cid,
|
|
2364
2364
|
});
|
|
2365
2365
|
return true;
|
|
@@ -2367,7 +2367,7 @@ class ChannelEncryptionManager {
|
|
|
2367
2367
|
async deliverEnvelope(envelope) {
|
|
2368
2368
|
const node = this.nodeLike;
|
|
2369
2369
|
if (!node) {
|
|
2370
|
-
logger$
|
|
2370
|
+
logger$e.error("no_node_available_for_delivery", {
|
|
2371
2371
|
envelope_id: envelope.id,
|
|
2372
2372
|
});
|
|
2373
2373
|
return;
|
|
@@ -2377,19 +2377,19 @@ class ChannelEncryptionManager {
|
|
|
2377
2377
|
}
|
|
2378
2378
|
encryptWithChannel(envelope, channelId) {
|
|
2379
2379
|
if (!this.secureChannelManager) {
|
|
2380
|
-
logger$
|
|
2380
|
+
logger$e.error("no_secure_channel_manager_for_encryption");
|
|
2381
2381
|
return EncryptionResult.skipped(envelope);
|
|
2382
2382
|
}
|
|
2383
2383
|
const frame = envelope.frame;
|
|
2384
2384
|
if (!this.isDataFrame(frame)) {
|
|
2385
|
-
logger$
|
|
2385
|
+
logger$e.error("attempted_to_encrypt_non_dataframe", {
|
|
2386
2386
|
frame_type: frame.type ?? typeof frame,
|
|
2387
2387
|
});
|
|
2388
2388
|
return EncryptionResult.skipped(envelope);
|
|
2389
2389
|
}
|
|
2390
2390
|
const channelState = this.getChannelState(channelId);
|
|
2391
2391
|
if (!channelState) {
|
|
2392
|
-
logger$
|
|
2392
|
+
logger$e.error("channel_not_in_channels", { channel_id: channelId });
|
|
2393
2393
|
return EncryptionResult.skipped(envelope);
|
|
2394
2394
|
}
|
|
2395
2395
|
const payloadBytes = this.serializePayload(frame.payload);
|
|
@@ -2448,7 +2448,7 @@ class ChannelEncryptionManager {
|
|
|
2448
2448
|
return decodeBase64$1(payload);
|
|
2449
2449
|
}
|
|
2450
2450
|
catch (error) {
|
|
2451
|
-
logger$
|
|
2451
|
+
logger$e.error("failed_to_decode_base64_ciphertext", {
|
|
2452
2452
|
error: error instanceof Error ? error.message : String(error),
|
|
2453
2453
|
});
|
|
2454
2454
|
return null;
|
|
@@ -2478,7 +2478,7 @@ class ChannelEncryptionManager {
|
|
|
2478
2478
|
return parts.slice(1, -1).join("-");
|
|
2479
2479
|
}
|
|
2480
2480
|
async handleFailedEnvelope(envelope, destinationStr, channelId, reason) {
|
|
2481
|
-
logger$
|
|
2481
|
+
logger$e.warning("envelope_failed_due_to_channel_handshake_failure", {
|
|
2482
2482
|
envelope_id: envelope.id,
|
|
2483
2483
|
destination: destinationStr,
|
|
2484
2484
|
channel_id: channelId,
|
|
@@ -2486,14 +2486,14 @@ class ChannelEncryptionManager {
|
|
|
2486
2486
|
});
|
|
2487
2487
|
const frame = envelope.frame;
|
|
2488
2488
|
if (!this.isDataFrame(frame)) {
|
|
2489
|
-
logger$
|
|
2489
|
+
logger$e.debug("skipping_nack_for_non_dataframe", {
|
|
2490
2490
|
envelope_id: envelope.id,
|
|
2491
2491
|
frame_type: frame.type ?? typeof frame,
|
|
2492
2492
|
});
|
|
2493
2493
|
return;
|
|
2494
2494
|
}
|
|
2495
2495
|
if (!envelope.replyTo) {
|
|
2496
|
-
logger$
|
|
2496
|
+
logger$e.debug("skipping_nack_no_reply_to", { envelope_id: envelope.id });
|
|
2497
2497
|
return;
|
|
2498
2498
|
}
|
|
2499
2499
|
await this.sendDeliveryNack(envelope, `channel_handshake_failed: ${reason}`);
|
|
@@ -2501,17 +2501,17 @@ class ChannelEncryptionManager {
|
|
|
2501
2501
|
async sendDeliveryNack(envelope, failureReason) {
|
|
2502
2502
|
const node = this.nodeLike;
|
|
2503
2503
|
if (!node) {
|
|
2504
|
-
logger$
|
|
2504
|
+
logger$e.error("no_node_available_for_sending_delivery_nack");
|
|
2505
2505
|
return;
|
|
2506
2506
|
}
|
|
2507
2507
|
const envelopeFactory = node.envelopeFactory;
|
|
2508
2508
|
if (!envelopeFactory) {
|
|
2509
|
-
logger$
|
|
2509
|
+
logger$e.error("no_envelope_factory_available_for_delivery_nack");
|
|
2510
2510
|
return;
|
|
2511
2511
|
}
|
|
2512
2512
|
const replyTo = toFameAddress(envelope.replyTo ?? null);
|
|
2513
2513
|
if (!replyTo) {
|
|
2514
|
-
logger$
|
|
2514
|
+
logger$e.error("invalid_reply_to_for_delivery_nack", {
|
|
2515
2515
|
reply_to: envelope.replyTo,
|
|
2516
2516
|
});
|
|
2517
2517
|
return;
|
|
@@ -2528,7 +2528,7 @@ class ChannelEncryptionManager {
|
|
|
2528
2528
|
corrId: envelope.corrId ?? generateId(),
|
|
2529
2529
|
});
|
|
2530
2530
|
await this.deliverEnvelope(nackEnvelope);
|
|
2531
|
-
logger$
|
|
2531
|
+
logger$e.debug("delivered_delivery_nack", {
|
|
2532
2532
|
original_envelope_id: envelope.id,
|
|
2533
2533
|
nack_envelope_id: nackEnvelope.id,
|
|
2534
2534
|
});
|
|
@@ -2566,7 +2566,7 @@ class ChannelEncryptionManager {
|
|
|
2566
2566
|
await task();
|
|
2567
2567
|
}
|
|
2568
2568
|
catch (error) {
|
|
2569
|
-
logger$
|
|
2569
|
+
logger$e.error("async_task_failed", {
|
|
2570
2570
|
task_name: name,
|
|
2571
2571
|
error: error instanceof Error ? error.message : String(error),
|
|
2572
2572
|
});
|
|
@@ -2620,7 +2620,7 @@ class ChannelEncryptionManager {
|
|
|
2620
2620
|
}
|
|
2621
2621
|
}
|
|
2622
2622
|
|
|
2623
|
-
const logger$
|
|
2623
|
+
const logger$d = getLogger$1("naylence.fame.security.encryption.channel.channel_encryption_manager_factory");
|
|
2624
2624
|
const DEFAULT_SUPPORTED_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
2625
2625
|
const FACTORY_META$c = {
|
|
2626
2626
|
base: ENCRYPTION_MANAGER_FACTORY_BASE_TYPE,
|
|
@@ -2652,7 +2652,7 @@ class ChannelEncryptionManagerFactory extends EncryptionManagerFactory {
|
|
|
2652
2652
|
async create(_config, ...factoryArgs) {
|
|
2653
2653
|
const [dependencies] = factoryArgs;
|
|
2654
2654
|
const resolvedDependencies = this.resolveDependencies(dependencies);
|
|
2655
|
-
logger$
|
|
2655
|
+
logger$d.debug("creating_channel_encryption_manager", {
|
|
2656
2656
|
has_secure_channel_manager: Boolean(resolvedDependencies.secureChannelManager),
|
|
2657
2657
|
has_node_like: Boolean(resolvedDependencies.nodeLike),
|
|
2658
2658
|
has_task_spawner: Boolean(resolvedDependencies.taskSpawner),
|
|
@@ -2714,7 +2714,7 @@ var index = /*#__PURE__*/Object.freeze({
|
|
|
2714
2714
|
ChannelEncryptionManagerFactory: ChannelEncryptionManagerFactory
|
|
2715
2715
|
});
|
|
2716
2716
|
|
|
2717
|
-
const logger$
|
|
2717
|
+
const logger$c = getLogger$1("naylence.fame.security.encryption.default_secure_channel_manager");
|
|
2718
2718
|
const DEFAULT_ALGORITHM = "CHACHA20P1305";
|
|
2719
2719
|
const CHANNEL_KEY_LENGTH = 32;
|
|
2720
2720
|
const NONCE_PREFIX_LENGTH = 4;
|
|
@@ -2761,7 +2761,7 @@ class DefaultSecureChannelManager {
|
|
|
2761
2761
|
const privateKey = x25519.utils.randomSecretKey();
|
|
2762
2762
|
const publicKey = x25519.scalarMultBase(privateKey);
|
|
2763
2763
|
this.ephemeralKeys.set(channelId, privateKey);
|
|
2764
|
-
logger$
|
|
2764
|
+
logger$c.debug("generated_channel_open", { cid: channelId, algorithm });
|
|
2765
2765
|
return {
|
|
2766
2766
|
type: "SecureOpen",
|
|
2767
2767
|
cid: channelId,
|
|
@@ -2774,7 +2774,7 @@ class DefaultSecureChannelManager {
|
|
|
2774
2774
|
requireCryptoSupport();
|
|
2775
2775
|
const algorithm = frame.alg || DEFAULT_ALGORITHM;
|
|
2776
2776
|
if (!this.isSupportedAlgorithm(algorithm)) {
|
|
2777
|
-
logger$
|
|
2777
|
+
logger$c.warning("unsupported_channel_algorithm", {
|
|
2778
2778
|
cid: frame.cid,
|
|
2779
2779
|
alg: algorithm,
|
|
2780
2780
|
});
|
|
@@ -2792,7 +2792,7 @@ class DefaultSecureChannelManager {
|
|
|
2792
2792
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2793
2793
|
}
|
|
2794
2794
|
catch (error) {
|
|
2795
|
-
logger$
|
|
2795
|
+
logger$c.warning("invalid_peer_public_key", {
|
|
2796
2796
|
cid: frame.cid,
|
|
2797
2797
|
error: error instanceof Error ? error.message : String(error),
|
|
2798
2798
|
});
|
|
@@ -2814,7 +2814,7 @@ class DefaultSecureChannelManager {
|
|
|
2814
2814
|
algorithm,
|
|
2815
2815
|
});
|
|
2816
2816
|
this.channelsMap.set(frame.cid, channelState);
|
|
2817
|
-
logger$
|
|
2817
|
+
logger$c.debug("channel_established", { cid: frame.cid, algorithm });
|
|
2818
2818
|
myPrivateKey.fill(0);
|
|
2819
2819
|
sharedSecret.fill(0);
|
|
2820
2820
|
return {
|
|
@@ -2828,7 +2828,7 @@ class DefaultSecureChannelManager {
|
|
|
2828
2828
|
async handleAcceptFrame(frame) {
|
|
2829
2829
|
requireCryptoSupport();
|
|
2830
2830
|
if (frame.ok === false) {
|
|
2831
|
-
logger$
|
|
2831
|
+
logger$c.warning("channel_rejected", {
|
|
2832
2832
|
cid: frame.cid,
|
|
2833
2833
|
error: frame.reason,
|
|
2834
2834
|
});
|
|
@@ -2837,7 +2837,7 @@ class DefaultSecureChannelManager {
|
|
|
2837
2837
|
}
|
|
2838
2838
|
const privateKey = this.ephemeralKeys.get(frame.cid);
|
|
2839
2839
|
if (!privateKey) {
|
|
2840
|
-
logger$
|
|
2840
|
+
logger$c.error("no_ephemeral_key", { cid: frame.cid });
|
|
2841
2841
|
return false;
|
|
2842
2842
|
}
|
|
2843
2843
|
let peerPublicKey;
|
|
@@ -2845,7 +2845,7 @@ class DefaultSecureChannelManager {
|
|
|
2845
2845
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2846
2846
|
}
|
|
2847
2847
|
catch (error) {
|
|
2848
|
-
logger$
|
|
2848
|
+
logger$c.warning("invalid_accept_public_key", {
|
|
2849
2849
|
cid: frame.cid,
|
|
2850
2850
|
error: error instanceof Error ? error.message : String(error),
|
|
2851
2851
|
});
|
|
@@ -2860,17 +2860,17 @@ class DefaultSecureChannelManager {
|
|
|
2860
2860
|
algorithm,
|
|
2861
2861
|
});
|
|
2862
2862
|
this.channelsMap.set(frame.cid, channelState);
|
|
2863
|
-
logger$
|
|
2863
|
+
logger$c.debug("channel_completed", { cid: frame.cid, algorithm });
|
|
2864
2864
|
sharedSecret.fill(0);
|
|
2865
2865
|
this.cleanupEphemeralKey(frame.cid);
|
|
2866
2866
|
return true;
|
|
2867
2867
|
}
|
|
2868
2868
|
handleCloseFrame(frame) {
|
|
2869
2869
|
if (this.channelsMap.delete(frame.cid)) {
|
|
2870
|
-
logger$
|
|
2870
|
+
logger$c.debug("channel_closed", { cid: frame.cid, reason: frame.reason });
|
|
2871
2871
|
}
|
|
2872
2872
|
else {
|
|
2873
|
-
logger$
|
|
2873
|
+
logger$c.warning("close_unknown_channel", { cid: frame.cid });
|
|
2874
2874
|
}
|
|
2875
2875
|
this.cleanupEphemeralKey(frame.cid);
|
|
2876
2876
|
}
|
|
@@ -2897,7 +2897,7 @@ class DefaultSecureChannelManager {
|
|
|
2897
2897
|
}
|
|
2898
2898
|
closeChannel(channelId, reason = "User requested") {
|
|
2899
2899
|
if (this.channelsMap.delete(channelId)) {
|
|
2900
|
-
logger$
|
|
2900
|
+
logger$c.debug("channel_closed_by_user", { cid: channelId, reason });
|
|
2901
2901
|
}
|
|
2902
2902
|
this.cleanupEphemeralKey(channelId);
|
|
2903
2903
|
return {
|
|
@@ -2914,7 +2914,7 @@ class DefaultSecureChannelManager {
|
|
|
2914
2914
|
this.channelsMap.delete(channelId);
|
|
2915
2915
|
this.cleanupEphemeralKey(channelId);
|
|
2916
2916
|
removed += 1;
|
|
2917
|
-
logger$
|
|
2917
|
+
logger$c.debug("channel_expired_cleanup", { cid: channelId });
|
|
2918
2918
|
}
|
|
2919
2919
|
}
|
|
2920
2920
|
return removed;
|
|
@@ -2943,7 +2943,7 @@ class DefaultSecureChannelManager {
|
|
|
2943
2943
|
if (channelId.startsWith(prefix)) {
|
|
2944
2944
|
if (this.removeChannel(channelId)) {
|
|
2945
2945
|
removed += 1;
|
|
2946
|
-
logger$
|
|
2946
|
+
logger$c.debug("removed_channel_for_destination", {
|
|
2947
2947
|
channel_id: channelId,
|
|
2948
2948
|
destination,
|
|
2949
2949
|
});
|
|
@@ -2951,7 +2951,7 @@ class DefaultSecureChannelManager {
|
|
|
2951
2951
|
}
|
|
2952
2952
|
}
|
|
2953
2953
|
if (removed > 0) {
|
|
2954
|
-
logger$
|
|
2954
|
+
logger$c.info("cleanup_channels_for_destination", {
|
|
2955
2955
|
destination,
|
|
2956
2956
|
channels_removed: removed,
|
|
2957
2957
|
});
|
|
@@ -3044,7 +3044,7 @@ var defaultSecureChannelManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
3044
3044
|
default: DefaultSecureChannelManagerFactory
|
|
3045
3045
|
});
|
|
3046
3046
|
|
|
3047
|
-
const logger$
|
|
3047
|
+
const logger$b = getLogger$1("naylence.fame.security.encryption.encryption_manager_registry");
|
|
3048
3048
|
class EncryptionManagerFactoryRegistry {
|
|
3049
3049
|
constructor(autoDiscover = true) {
|
|
3050
3050
|
this.factories = [];
|
|
@@ -3066,7 +3066,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3066
3066
|
let registeredCount = 0;
|
|
3067
3067
|
for (const [factoryName, info] of extensionInfos) {
|
|
3068
3068
|
if (factoryName === "CompositeEncryptionManager") {
|
|
3069
|
-
logger$
|
|
3069
|
+
logger$b.debug("skipping_composite_factory_to_avoid_circular_dependency", {
|
|
3070
3070
|
factory_name: factoryName,
|
|
3071
3071
|
});
|
|
3072
3072
|
continue;
|
|
@@ -3076,7 +3076,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3076
3076
|
ExtensionManager.getGlobalFactory(ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, factoryName));
|
|
3077
3077
|
this.registerFactory(factoryInstance, { autoDiscovered: true });
|
|
3078
3078
|
registeredCount += 1;
|
|
3079
|
-
logger$
|
|
3079
|
+
logger$b.debug("auto_discovered_factory", {
|
|
3080
3080
|
factory_name: factoryName,
|
|
3081
3081
|
factory_class: factoryInstance.constructor.name,
|
|
3082
3082
|
algorithms: factoryInstance.getSupportedAlgorithms(),
|
|
@@ -3085,21 +3085,21 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3085
3085
|
});
|
|
3086
3086
|
}
|
|
3087
3087
|
catch (error) {
|
|
3088
|
-
logger$
|
|
3088
|
+
logger$b.warning("failed_to_auto_register_factory", {
|
|
3089
3089
|
factory_name: factoryName,
|
|
3090
3090
|
error: error instanceof Error ? error.message : String(error),
|
|
3091
3091
|
});
|
|
3092
3092
|
}
|
|
3093
3093
|
}
|
|
3094
3094
|
this.autoDiscovered = true;
|
|
3095
|
-
logger$
|
|
3095
|
+
logger$b.debug("completed_auto_discovery", {
|
|
3096
3096
|
registered_factories: registeredCount,
|
|
3097
3097
|
total_discovered: extensionInfos.size,
|
|
3098
3098
|
skipped_composite: true,
|
|
3099
3099
|
});
|
|
3100
3100
|
}
|
|
3101
3101
|
catch (error) {
|
|
3102
|
-
logger$
|
|
3102
|
+
logger$b.warning("failed_auto_discovery_of_factories", {
|
|
3103
3103
|
error: error instanceof Error ? error.message : String(error),
|
|
3104
3104
|
});
|
|
3105
3105
|
}
|
|
@@ -3117,7 +3117,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3117
3117
|
const existing = this.algorithmToFactory.get(algorithm);
|
|
3118
3118
|
if (!existing || factory.getPriority() > existing.getPriority()) {
|
|
3119
3119
|
this.algorithmToFactory.set(algorithm, factory);
|
|
3120
|
-
logger$
|
|
3120
|
+
logger$b.debug("registered_algorithm_mapping", {
|
|
3121
3121
|
algorithm,
|
|
3122
3122
|
factory: factory.constructor.name,
|
|
3123
3123
|
priority: factory.getPriority(),
|
|
@@ -3129,7 +3129,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3129
3129
|
typeFactories.push(factory);
|
|
3130
3130
|
typeFactories.sort((a, b) => b.getPriority() - a.getPriority());
|
|
3131
3131
|
this.typeToFactories.set(encryptionType, typeFactories);
|
|
3132
|
-
logger$
|
|
3132
|
+
logger$b.debug("registered_encryption_manager_factory", {
|
|
3133
3133
|
factory: factory.constructor.name,
|
|
3134
3134
|
encryption_type: encryptionType,
|
|
3135
3135
|
algorithms: factory.getSupportedAlgorithms(),
|
|
@@ -3145,14 +3145,14 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3145
3145
|
this.ensureAutoDiscovery();
|
|
3146
3146
|
for (const factory of this.factories) {
|
|
3147
3147
|
if (factory.supportsOptions(opts ?? undefined)) {
|
|
3148
|
-
logger$
|
|
3148
|
+
logger$b.debug("found_factory_for_options", {
|
|
3149
3149
|
factory: factory.constructor.name,
|
|
3150
3150
|
encryption_type: factory.getEncryptionType(),
|
|
3151
3151
|
});
|
|
3152
3152
|
return factory;
|
|
3153
3153
|
}
|
|
3154
3154
|
}
|
|
3155
|
-
logger$
|
|
3155
|
+
logger$b.debug("no_factory_found_for_options", { opts });
|
|
3156
3156
|
return undefined;
|
|
3157
3157
|
}
|
|
3158
3158
|
getFactoriesByType(encryptionType) {
|
|
@@ -3205,7 +3205,7 @@ function getEncryptionManagerFactoryRegistry() {
|
|
|
3205
3205
|
return globalRegistry;
|
|
3206
3206
|
}
|
|
3207
3207
|
|
|
3208
|
-
const logger$
|
|
3208
|
+
const logger$a = getLogger$1("naylence.fame.security.encryption.composite_encryption_manager");
|
|
3209
3209
|
const DEFAULT_SEALED_ALGORITHMS = [
|
|
3210
3210
|
"X25519",
|
|
3211
3211
|
"ECDH-ES+A256GCM",
|
|
@@ -3244,7 +3244,7 @@ class CompositeEncryptionManager {
|
|
|
3244
3244
|
return await manager.encryptEnvelope(envelope, opts);
|
|
3245
3245
|
}
|
|
3246
3246
|
catch (error) {
|
|
3247
|
-
logger$
|
|
3247
|
+
logger$a.error("composite_encrypt_failed", {
|
|
3248
3248
|
error: error instanceof Error ? error.message : String(error),
|
|
3249
3249
|
});
|
|
3250
3250
|
return EncryptionResult.skipped(envelope);
|
|
@@ -3263,7 +3263,7 @@ class CompositeEncryptionManager {
|
|
|
3263
3263
|
return await manager.decryptEnvelope(envelope, opts);
|
|
3264
3264
|
}
|
|
3265
3265
|
catch (error) {
|
|
3266
|
-
logger$
|
|
3266
|
+
logger$a.error("composite_decrypt_failed", {
|
|
3267
3267
|
algorithm,
|
|
3268
3268
|
error: error instanceof Error ? error.message : String(error),
|
|
3269
3269
|
});
|
|
@@ -3275,14 +3275,14 @@ class CompositeEncryptionManager {
|
|
|
3275
3275
|
if (factories.length === 0) {
|
|
3276
3276
|
return;
|
|
3277
3277
|
}
|
|
3278
|
-
logger$
|
|
3278
|
+
logger$a.debug("composite_notify_channel_established", {
|
|
3279
3279
|
channel_id: channelId,
|
|
3280
3280
|
});
|
|
3281
3281
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3282
3282
|
const channelAware = manager;
|
|
3283
3283
|
if (typeof channelAware.notifyChannelEstablished === "function") {
|
|
3284
3284
|
await channelAware.notifyChannelEstablished(channelId);
|
|
3285
|
-
logger$
|
|
3285
|
+
logger$a.debug("composite_channel_established_notified", {
|
|
3286
3286
|
factory: factoryKey,
|
|
3287
3287
|
channel_id: channelId,
|
|
3288
3288
|
});
|
|
@@ -3294,7 +3294,7 @@ class CompositeEncryptionManager {
|
|
|
3294
3294
|
if (factories.length === 0) {
|
|
3295
3295
|
return;
|
|
3296
3296
|
}
|
|
3297
|
-
logger$
|
|
3297
|
+
logger$a.debug("composite_notify_channel_failed", {
|
|
3298
3298
|
channel_id: channelId,
|
|
3299
3299
|
reason,
|
|
3300
3300
|
});
|
|
@@ -3302,7 +3302,7 @@ class CompositeEncryptionManager {
|
|
|
3302
3302
|
const channelAware = manager;
|
|
3303
3303
|
if (typeof channelAware.notifyChannelFailed === "function") {
|
|
3304
3304
|
await channelAware.notifyChannelFailed(channelId, reason);
|
|
3305
|
-
logger$
|
|
3305
|
+
logger$a.debug("composite_channel_failed_notified", {
|
|
3306
3306
|
factory: factoryKey,
|
|
3307
3307
|
channel_id: channelId,
|
|
3308
3308
|
reason,
|
|
@@ -3315,12 +3315,12 @@ class CompositeEncryptionManager {
|
|
|
3315
3315
|
if (factories.length === 0) {
|
|
3316
3316
|
return;
|
|
3317
3317
|
}
|
|
3318
|
-
logger$
|
|
3318
|
+
logger$a.debug("composite_notify_key_available", { key_id: keyId });
|
|
3319
3319
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3320
3320
|
const sealedAware = manager;
|
|
3321
3321
|
if (typeof sealedAware.notifyKeyAvailable === "function") {
|
|
3322
3322
|
await sealedAware.notifyKeyAvailable(keyId);
|
|
3323
|
-
logger$
|
|
3323
|
+
logger$a.debug("composite_key_available_notified", {
|
|
3324
3324
|
factory: factoryKey,
|
|
3325
3325
|
key_id: keyId,
|
|
3326
3326
|
});
|
|
@@ -3361,7 +3361,7 @@ class CompositeEncryptionManager {
|
|
|
3361
3361
|
async getManagerForOptions(opts) {
|
|
3362
3362
|
const factory = this.factoryRegistry.getFactoryForOptions(opts ?? undefined);
|
|
3363
3363
|
if (!factory) {
|
|
3364
|
-
logger$
|
|
3364
|
+
logger$a.debug("composite_no_factory_for_options", { opts });
|
|
3365
3365
|
return null;
|
|
3366
3366
|
}
|
|
3367
3367
|
return await this.getOrCreateManager(factory, "options");
|
|
@@ -3369,7 +3369,7 @@ class CompositeEncryptionManager {
|
|
|
3369
3369
|
async getManagerForAlgorithm(algorithm) {
|
|
3370
3370
|
const factory = this.factoryRegistry.getFactoryForAlgorithm(algorithm);
|
|
3371
3371
|
if (!factory) {
|
|
3372
|
-
logger$
|
|
3372
|
+
logger$a.debug("composite_no_factory_for_algorithm", { algorithm });
|
|
3373
3373
|
return null;
|
|
3374
3374
|
}
|
|
3375
3375
|
return await this.getOrCreateManager(factory, algorithm);
|
|
@@ -3394,7 +3394,7 @@ class CompositeEncryptionManager {
|
|
|
3394
3394
|
const manager = await factory.create(null, dependencies);
|
|
3395
3395
|
this.managerInstances.set(key, manager);
|
|
3396
3396
|
await this.applyNodeContext(manager, key);
|
|
3397
|
-
logger$
|
|
3397
|
+
logger$a.debug("composite_created_manager", {
|
|
3398
3398
|
factory: key,
|
|
3399
3399
|
context,
|
|
3400
3400
|
manager_type: manager.constructor.name,
|
|
@@ -3402,7 +3402,7 @@ class CompositeEncryptionManager {
|
|
|
3402
3402
|
return manager;
|
|
3403
3403
|
}
|
|
3404
3404
|
catch (error) {
|
|
3405
|
-
logger$
|
|
3405
|
+
logger$a.error("composite_create_manager_failed", {
|
|
3406
3406
|
factory: key,
|
|
3407
3407
|
context,
|
|
3408
3408
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3415,7 +3415,7 @@ class CompositeEncryptionManager {
|
|
|
3415
3415
|
const factoryKey = this.resolveFactoryKey(factory);
|
|
3416
3416
|
const manager = this.managerInstances.get(factoryKey);
|
|
3417
3417
|
if (!manager) {
|
|
3418
|
-
logger$
|
|
3418
|
+
logger$a.debug("composite_skip_notification_no_manager", {
|
|
3419
3419
|
factory: factoryKey,
|
|
3420
3420
|
});
|
|
3421
3421
|
continue;
|
|
@@ -3424,7 +3424,7 @@ class CompositeEncryptionManager {
|
|
|
3424
3424
|
await callback(manager, factoryKey);
|
|
3425
3425
|
}
|
|
3426
3426
|
catch (error) {
|
|
3427
|
-
logger$
|
|
3427
|
+
logger$a.error("composite_notify_manager_failed", {
|
|
3428
3428
|
factory: factoryKey,
|
|
3429
3429
|
error: error instanceof Error ? error.message : String(error),
|
|
3430
3430
|
});
|
|
@@ -3440,7 +3440,7 @@ class CompositeEncryptionManager {
|
|
|
3440
3440
|
await callback(manager);
|
|
3441
3441
|
}
|
|
3442
3442
|
catch (error) {
|
|
3443
|
-
logger$
|
|
3443
|
+
logger$a.error("composite_node_event_failed", {
|
|
3444
3444
|
manager: manager.constructor.name,
|
|
3445
3445
|
error: error instanceof Error ? error.message : String(error),
|
|
3446
3446
|
});
|
|
@@ -3457,7 +3457,7 @@ class CompositeEncryptionManager {
|
|
|
3457
3457
|
await manager.onNodeStarted?.(this.nodeLike);
|
|
3458
3458
|
}
|
|
3459
3459
|
catch (error) {
|
|
3460
|
-
logger$
|
|
3460
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3461
3461
|
stage: "onNodeStarted",
|
|
3462
3462
|
factory: factoryKey,
|
|
3463
3463
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3470,7 +3470,7 @@ class CompositeEncryptionManager {
|
|
|
3470
3470
|
await manager.onNodeAttachToUpstream?.(this.nodeLike, this.lastAttachInfo);
|
|
3471
3471
|
}
|
|
3472
3472
|
catch (error) {
|
|
3473
|
-
logger$
|
|
3473
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3474
3474
|
stage: "onNodeAttachToUpstream",
|
|
3475
3475
|
factory: factoryKey,
|
|
3476
3476
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3493,7 +3493,7 @@ class CompositeEncryptionManager {
|
|
|
3493
3493
|
const channelAware = manager;
|
|
3494
3494
|
if (typeof channelAware.clearChannelCacheForDestination === "function") {
|
|
3495
3495
|
channelAware.clearChannelCacheForDestination(destination);
|
|
3496
|
-
logger$
|
|
3496
|
+
logger$a.debug("composite_cleared_channel_cache", {
|
|
3497
3497
|
destination,
|
|
3498
3498
|
factory: factoryKey,
|
|
3499
3499
|
});
|
|
@@ -3513,7 +3513,7 @@ class CompositeEncryptionManager {
|
|
|
3513
3513
|
"function") {
|
|
3514
3514
|
const removed = this.secureChannelManager.removeChannelsForDestination(destination);
|
|
3515
3515
|
if (removed > 0) {
|
|
3516
|
-
logger$
|
|
3516
|
+
logger$a.debug("composite_removed_channels", {
|
|
3517
3517
|
destination,
|
|
3518
3518
|
count: removed,
|
|
3519
3519
|
});
|
|
@@ -3524,7 +3524,7 @@ class CompositeEncryptionManager {
|
|
|
3524
3524
|
}
|
|
3525
3525
|
}
|
|
3526
3526
|
|
|
3527
|
-
const logger$
|
|
3527
|
+
const logger$9 = getLogger$1("naylence.fame.security.encryption.composite_encryption_manager_factory");
|
|
3528
3528
|
const DEFAULT_PRIORITY = 1000;
|
|
3529
3529
|
const DEFAULT_ENCRYPTION_TYPE = "composite";
|
|
3530
3530
|
const FACTORY_META$a = {
|
|
@@ -3562,7 +3562,7 @@ class CompositeEncryptionManagerFactory extends EncryptionManagerFactory {
|
|
|
3562
3562
|
const supportedChannelAlgorithms = runtimeConfig?.supportedChannelAlgorithms ??
|
|
3563
3563
|
this.supportedChannelAlgorithms ??
|
|
3564
3564
|
undefined;
|
|
3565
|
-
logger$
|
|
3565
|
+
logger$9.debug("creating_composite_encryption_manager", {
|
|
3566
3566
|
has_secure_channel_manager: Boolean(resolved.secureChannelManager),
|
|
3567
3567
|
has_key_provider: Boolean(resolved.keyProvider),
|
|
3568
3568
|
has_crypto_provider: Boolean(resolved.cryptoProvider),
|
|
@@ -3935,7 +3935,7 @@ var eddsaEnvelopeVerifierFactory = /*#__PURE__*/Object.freeze({
|
|
|
3935
3935
|
default: AdvancedEdDSAEnvelopeVerifierFactory
|
|
3936
3936
|
});
|
|
3937
3937
|
|
|
3938
|
-
const logger$
|
|
3938
|
+
const logger$8 = getLogger$1("naylence.fame.security.keys.x5c_key_manager");
|
|
3939
3939
|
let x509ModulePromise$1 = null;
|
|
3940
3940
|
async function loadX509Module$1() {
|
|
3941
3941
|
if (!x509ModulePromise$1) {
|
|
@@ -3947,7 +3947,7 @@ async function loadX509Module$1() {
|
|
|
3947
3947
|
return null;
|
|
3948
3948
|
})
|
|
3949
3949
|
.catch((error) => {
|
|
3950
|
-
logger$
|
|
3950
|
+
logger$8.warning("certificate_module_unavailable", {
|
|
3951
3951
|
error: error instanceof Error ? error.message : String(error),
|
|
3952
3952
|
});
|
|
3953
3953
|
return null;
|
|
@@ -3978,16 +3978,16 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
3978
3978
|
async onNodeStarted(node) {
|
|
3979
3979
|
await this.inner.onNodeStarted(node);
|
|
3980
3980
|
this.startPurgeLoop();
|
|
3981
|
-
logger$
|
|
3981
|
+
logger$8.debug("x5c_key_manager_started", {
|
|
3982
3982
|
cert_purge_interval: this.certPurgeInterval,
|
|
3983
3983
|
});
|
|
3984
3984
|
}
|
|
3985
3985
|
async onNodeStopped(node) {
|
|
3986
|
-
logger$
|
|
3986
|
+
logger$8.debug("x5c_key_manager_stopping");
|
|
3987
3987
|
await this.shutdownTasks({ gracePeriod: 50, joinTimeout: 100 });
|
|
3988
3988
|
this.purgeTask = null;
|
|
3989
3989
|
await this.inner.onNodeStopped(node);
|
|
3990
|
-
logger$
|
|
3990
|
+
logger$8.debug("x5c_key_manager_stopped");
|
|
3991
3991
|
}
|
|
3992
3992
|
async getKey(kid) {
|
|
3993
3993
|
return this.inner.getKey(kid);
|
|
@@ -4024,7 +4024,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4024
4024
|
}
|
|
4025
4025
|
catch (error) {
|
|
4026
4026
|
if (error instanceof JWKValidationError) {
|
|
4027
|
-
logger$
|
|
4027
|
+
logger$8.warning("rejected_invalid_jwk_in_announce", {
|
|
4028
4028
|
kid: typeof key?.kid === "string" ? key.kid : "unknown",
|
|
4029
4029
|
from_system_id: systemId,
|
|
4030
4030
|
from_physical_path: physicalPath,
|
|
@@ -4037,7 +4037,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4037
4037
|
}
|
|
4038
4038
|
}
|
|
4039
4039
|
if (validKeys.length === 0) {
|
|
4040
|
-
logger$
|
|
4040
|
+
logger$8.warning("no_valid_keys_in_announce", {
|
|
4041
4041
|
from_system_id: systemId,
|
|
4042
4042
|
from_physical_path: physicalPath,
|
|
4043
4043
|
total_keys: keys.length,
|
|
@@ -4045,7 +4045,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4045
4045
|
});
|
|
4046
4046
|
return;
|
|
4047
4047
|
}
|
|
4048
|
-
logger$
|
|
4048
|
+
logger$8.debug("adding_keys", {
|
|
4049
4049
|
key_ids: validKeys.map((key) => typeof key?.kid === "string" ? key.kid : "unknown"),
|
|
4050
4050
|
source_system_id: systemId,
|
|
4051
4051
|
from_physical_path: physicalPath,
|
|
@@ -4056,7 +4056,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4056
4056
|
});
|
|
4057
4057
|
const hasEncryptionKeys = validKeys.some((key) => typeof key?.use === "string" && key.use === "enc");
|
|
4058
4058
|
if (hasEncryptionKeys) {
|
|
4059
|
-
logger$
|
|
4059
|
+
logger$8.debug("checking_for_old_encryption_keys_to_remove", {
|
|
4060
4060
|
physical_path: physicalPath,
|
|
4061
4061
|
origin,
|
|
4062
4062
|
new_enc_keys: validKeys
|
|
@@ -4084,7 +4084,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4084
4084
|
}
|
|
4085
4085
|
}
|
|
4086
4086
|
if (existingEncKeyIds.size > 0) {
|
|
4087
|
-
logger$
|
|
4087
|
+
logger$8.debug("found_existing_encryption_keys_across_paths", {
|
|
4088
4088
|
physical_path: physicalPath,
|
|
4089
4089
|
paths_checked: pathsWithOldKeys,
|
|
4090
4090
|
existing_enc_key_ids: Array.from(existingEncKeyIds),
|
|
@@ -4095,7 +4095,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4095
4095
|
.filter((kid) => kid.length > 0));
|
|
4096
4096
|
const keysToRemove = Array.from(existingEncKeyIds).filter((kid) => !newEncKeyIds.has(kid));
|
|
4097
4097
|
if (keysToRemove.length > 0) {
|
|
4098
|
-
logger$
|
|
4098
|
+
logger$8.info("removing_old_encryption_keys_for_key_rotation", {
|
|
4099
4099
|
physical_path: physicalPath,
|
|
4100
4100
|
paths_with_old_keys: pathsWithOldKeys,
|
|
4101
4101
|
old_key_ids: keysToRemove,
|
|
@@ -4104,7 +4104,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4104
4104
|
});
|
|
4105
4105
|
for (const kid of keysToRemove) {
|
|
4106
4106
|
await this.keyStore.removeKey(kid);
|
|
4107
|
-
logger$
|
|
4107
|
+
logger$8.debug("removed_old_encryption_key_from_all_paths", {
|
|
4108
4108
|
kid,
|
|
4109
4109
|
});
|
|
4110
4110
|
}
|
|
@@ -4112,7 +4112,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4112
4112
|
}
|
|
4113
4113
|
}
|
|
4114
4114
|
catch (error) {
|
|
4115
|
-
logger$
|
|
4115
|
+
logger$8.warning("failed_to_remove_old_encryption_keys", {
|
|
4116
4116
|
physical_path: physicalPath,
|
|
4117
4117
|
error: error instanceof Error ? error.message : String(error),
|
|
4118
4118
|
origin,
|
|
@@ -4146,10 +4146,10 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4146
4146
|
return this.inner.getKeysForPath(physicalPath);
|
|
4147
4147
|
}
|
|
4148
4148
|
async purgeExpiredCertificates() {
|
|
4149
|
-
logger$
|
|
4149
|
+
logger$8.debug("certificate_purge_starting");
|
|
4150
4150
|
const module = await loadX509Module$1();
|
|
4151
4151
|
if (!module) {
|
|
4152
|
-
logger$
|
|
4152
|
+
logger$8.warning("certificate_purge_skipped", {
|
|
4153
4153
|
reason: "x509_module_unavailable",
|
|
4154
4154
|
});
|
|
4155
4155
|
return 0;
|
|
@@ -4172,7 +4172,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4172
4172
|
const cert = new module.X509Certificate(raw);
|
|
4173
4173
|
const expiration = cert.notAfter;
|
|
4174
4174
|
if (expiration && expiration.getTime() < now.getTime()) {
|
|
4175
|
-
logger$
|
|
4175
|
+
logger$8.debug("expired_certificate_found", {
|
|
4176
4176
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4177
4177
|
physical_path: typeof key.physical_path === "string"
|
|
4178
4178
|
? key.physical_path
|
|
@@ -4191,7 +4191,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4191
4191
|
}
|
|
4192
4192
|
}
|
|
4193
4193
|
catch (error) {
|
|
4194
|
-
logger$
|
|
4194
|
+
logger$8.warning("certificate_parsing_failed_during_purge", {
|
|
4195
4195
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4196
4196
|
error: error instanceof Error ? error.message : String(error),
|
|
4197
4197
|
message: "Could not parse certificate for expiry check",
|
|
@@ -4205,20 +4205,20 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4205
4205
|
const removed = await this.keyStore.removeKey(keyInfo.kid);
|
|
4206
4206
|
if (removed) {
|
|
4207
4207
|
purgedCount += 1;
|
|
4208
|
-
logger$
|
|
4208
|
+
logger$8.debug("expired_certificate_purged", {
|
|
4209
4209
|
kid: keyInfo.kid,
|
|
4210
4210
|
physical_path: keyInfo.physicalPath ?? "unknown",
|
|
4211
4211
|
});
|
|
4212
4212
|
}
|
|
4213
4213
|
}
|
|
4214
4214
|
catch (error) {
|
|
4215
|
-
logger$
|
|
4215
|
+
logger$8.error("certificate_purge_failed", {
|
|
4216
4216
|
kid: keyInfo.kid,
|
|
4217
4217
|
error: error instanceof Error ? error.message : String(error),
|
|
4218
4218
|
});
|
|
4219
4219
|
}
|
|
4220
4220
|
}
|
|
4221
|
-
logger$
|
|
4221
|
+
logger$8.debug("certificate_purge_completed", {
|
|
4222
4222
|
purged_count: purgedCount,
|
|
4223
4223
|
});
|
|
4224
4224
|
return purgedCount;
|
|
@@ -4228,7 +4228,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4228
4228
|
return;
|
|
4229
4229
|
}
|
|
4230
4230
|
this.purgeTask = this.spawn(async (signal) => {
|
|
4231
|
-
logger$
|
|
4231
|
+
logger$8.debug("certificate_purge_loop_started", {
|
|
4232
4232
|
interval_seconds: this.certPurgeInterval,
|
|
4233
4233
|
});
|
|
4234
4234
|
try {
|
|
@@ -4249,13 +4249,13 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4249
4249
|
try {
|
|
4250
4250
|
const purged = await this.purgeExpiredCertificates();
|
|
4251
4251
|
if (purged > 0) {
|
|
4252
|
-
logger$
|
|
4252
|
+
logger$8.debug("certificate_purge_cycle_completed", {
|
|
4253
4253
|
purged_count: purged,
|
|
4254
4254
|
});
|
|
4255
4255
|
}
|
|
4256
4256
|
}
|
|
4257
4257
|
catch (error) {
|
|
4258
|
-
logger$
|
|
4258
|
+
logger$8.error("certificate_purge_cycle_failed", {
|
|
4259
4259
|
error: error instanceof Error ? error.message : String(error),
|
|
4260
4260
|
});
|
|
4261
4261
|
}
|
|
@@ -4263,16 +4263,16 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4263
4263
|
}
|
|
4264
4264
|
catch (error) {
|
|
4265
4265
|
if (signal?.aborted) {
|
|
4266
|
-
logger$
|
|
4266
|
+
logger$8.debug("certificate_purge_loop_cancelled");
|
|
4267
4267
|
}
|
|
4268
4268
|
else {
|
|
4269
|
-
logger$
|
|
4269
|
+
logger$8.error("certificate_purge_loop_failed", {
|
|
4270
4270
|
error: error instanceof Error ? error.message : String(error),
|
|
4271
4271
|
});
|
|
4272
4272
|
}
|
|
4273
4273
|
}
|
|
4274
4274
|
finally {
|
|
4275
|
-
logger$
|
|
4275
|
+
logger$8.debug("certificate_purge_loop_stopped");
|
|
4276
4276
|
}
|
|
4277
4277
|
}, { name: "cert-purge" });
|
|
4278
4278
|
}
|
|
@@ -4289,7 +4289,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4289
4289
|
});
|
|
4290
4290
|
}
|
|
4291
4291
|
catch (error) {
|
|
4292
|
-
logger$
|
|
4292
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4293
4293
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4294
4294
|
from_system_id: systemId,
|
|
4295
4295
|
from_physical_path: physicalPath,
|
|
@@ -4306,7 +4306,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4306
4306
|
if (result.isValid) {
|
|
4307
4307
|
return { accepted: true, skip: false };
|
|
4308
4308
|
}
|
|
4309
|
-
logger$
|
|
4309
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4310
4310
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4311
4311
|
from_system_id: systemId,
|
|
4312
4312
|
from_physical_path: physicalPath,
|
|
@@ -4331,7 +4331,7 @@ function resolveTrustStorePath() {
|
|
|
4331
4331
|
return process.env.FAME_CA_CERT_FILE ?? null;
|
|
4332
4332
|
}
|
|
4333
4333
|
catch (error) {
|
|
4334
|
-
logger$
|
|
4334
|
+
logger$8.debug("trust_store_resolution_failed", {
|
|
4335
4335
|
error: error instanceof Error ? error.message : String(error),
|
|
4336
4336
|
});
|
|
4337
4337
|
return null;
|
|
@@ -4539,7 +4539,7 @@ function utf8Decode(data) {
|
|
|
4539
4539
|
return decodeURIComponent(escape(str));
|
|
4540
4540
|
}
|
|
4541
4541
|
|
|
4542
|
-
const logger$
|
|
4542
|
+
const logger$7 = getLogger$1("naylence.fame.stickiness.aft_signer");
|
|
4543
4543
|
class AbstractAFTSigner {
|
|
4544
4544
|
constructor(kid, maxTtlSec = 7200) {
|
|
4545
4545
|
this.kid = kid;
|
|
@@ -4631,7 +4631,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4631
4631
|
return token;
|
|
4632
4632
|
}
|
|
4633
4633
|
catch (error) {
|
|
4634
|
-
logger$
|
|
4634
|
+
logger$7.error("aft_signing_failed", {
|
|
4635
4635
|
kid: this.kid,
|
|
4636
4636
|
algorithm: this.algorithm,
|
|
4637
4637
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4643,7 +4643,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4643
4643
|
if (!this.cryptoKeyPromise) {
|
|
4644
4644
|
this.cryptoKeyPromise = importPKCS8(this.privateKeyPem, this.algorithm).catch((error) => {
|
|
4645
4645
|
this.cryptoKeyPromise = null;
|
|
4646
|
-
logger$
|
|
4646
|
+
logger$7.error("aft_private_key_import_failed", {
|
|
4647
4647
|
kid: this.kid,
|
|
4648
4648
|
algorithm: this.algorithm,
|
|
4649
4649
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4681,7 +4681,7 @@ function createAftSigner(options) {
|
|
|
4681
4681
|
}
|
|
4682
4682
|
}
|
|
4683
4683
|
|
|
4684
|
-
const logger$
|
|
4684
|
+
const logger$6 = getLogger$1("naylence.fame.stickiness.aft_helper");
|
|
4685
4685
|
class AFTHelper {
|
|
4686
4686
|
constructor(options) {
|
|
4687
4687
|
this.signer = options.signer;
|
|
@@ -4695,7 +4695,7 @@ class AFTHelper {
|
|
|
4695
4695
|
let clientSid;
|
|
4696
4696
|
if (context?.stickySid) {
|
|
4697
4697
|
clientSid = context.stickySid;
|
|
4698
|
-
logger$
|
|
4698
|
+
logger$6.debug("client_sticky_sid_extracted", { client_sid: clientSid });
|
|
4699
4699
|
}
|
|
4700
4700
|
const signOptions = {
|
|
4701
4701
|
sid: this.nodeSid,
|
|
@@ -4717,7 +4717,7 @@ class AFTHelper {
|
|
|
4717
4717
|
envelope.meta.set = setMeta;
|
|
4718
4718
|
}
|
|
4719
4719
|
setMeta.aft = aftToken;
|
|
4720
|
-
logger$
|
|
4720
|
+
logger$6.debug("aft_instruction_added", {
|
|
4721
4721
|
envelope_id: envelope.id,
|
|
4722
4722
|
ttl_sec: ttlSec,
|
|
4723
4723
|
scope,
|
|
@@ -4726,7 +4726,7 @@ class AFTHelper {
|
|
|
4726
4726
|
return true;
|
|
4727
4727
|
}
|
|
4728
4728
|
catch (error) {
|
|
4729
|
-
logger$
|
|
4729
|
+
logger$6.error("aft_generation_failed", {
|
|
4730
4730
|
envelope_id: envelope.id,
|
|
4731
4731
|
error: error instanceof Error ? error.message : String(error),
|
|
4732
4732
|
});
|
|
@@ -4750,7 +4750,7 @@ function createAftHelper(options) {
|
|
|
4750
4750
|
}
|
|
4751
4751
|
const DEFAULT_STICKINESS_SECURITY_LEVEL = StickinessMode.SIGNED_OPTIONAL;
|
|
4752
4752
|
|
|
4753
|
-
const logger$
|
|
4753
|
+
const logger$5 = getLogger$1("naylence.fame.stickiness.aft_verifier");
|
|
4754
4754
|
function decodeToken(token) {
|
|
4755
4755
|
const parts = token.split(".");
|
|
4756
4756
|
if (parts.length !== 3) {
|
|
@@ -4783,7 +4783,7 @@ function decodeToken(token) {
|
|
|
4783
4783
|
return { header, claims };
|
|
4784
4784
|
}
|
|
4785
4785
|
catch (error) {
|
|
4786
|
-
logger$
|
|
4786
|
+
logger$5.debug("aft_decoding_failed", {
|
|
4787
4787
|
error: error instanceof Error ? error.message : String(error),
|
|
4788
4788
|
});
|
|
4789
4789
|
return null;
|
|
@@ -4845,7 +4845,7 @@ class BaseAFTVerifier {
|
|
|
4845
4845
|
signatureValid = await this.verifySignature(token, header, claims);
|
|
4846
4846
|
}
|
|
4847
4847
|
catch (error) {
|
|
4848
|
-
logger$
|
|
4848
|
+
logger$5.debug("aft_signature_verification_failed", {
|
|
4849
4849
|
kid: header.kid,
|
|
4850
4850
|
algorithm: header.alg,
|
|
4851
4851
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4891,7 +4891,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4891
4891
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4892
4892
|
}
|
|
4893
4893
|
catch (error) {
|
|
4894
|
-
logger$
|
|
4894
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4895
4895
|
kid: header.kid,
|
|
4896
4896
|
error: error instanceof Error ? error.message : String(error),
|
|
4897
4897
|
});
|
|
@@ -4906,7 +4906,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4906
4906
|
return protectedHeader.alg === header.alg;
|
|
4907
4907
|
}
|
|
4908
4908
|
catch (error) {
|
|
4909
|
-
logger$
|
|
4909
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4910
4910
|
kid: header.kid,
|
|
4911
4911
|
algorithm: header.alg,
|
|
4912
4912
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4935,7 +4935,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4935
4935
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4936
4936
|
}
|
|
4937
4937
|
catch (error) {
|
|
4938
|
-
logger$
|
|
4938
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4939
4939
|
kid: header.kid,
|
|
4940
4940
|
error: error instanceof Error ? error.message : String(error),
|
|
4941
4941
|
});
|
|
@@ -4950,7 +4950,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4950
4950
|
return protectedHeader.alg === header.alg;
|
|
4951
4951
|
}
|
|
4952
4952
|
catch (error) {
|
|
4953
|
-
logger$
|
|
4953
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4954
4954
|
kid: header.kid,
|
|
4955
4955
|
algorithm: header.alg,
|
|
4956
4956
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4985,7 +4985,7 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
4985
4985
|
return key;
|
|
4986
4986
|
}
|
|
4987
4987
|
catch (error) {
|
|
4988
|
-
logger$
|
|
4988
|
+
logger$5.debug("aft_jwk_import_failed", {
|
|
4989
4989
|
kid: keyRecord.kid,
|
|
4990
4990
|
algorithm,
|
|
4991
4991
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -5006,14 +5006,14 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
5006
5006
|
return key;
|
|
5007
5007
|
}
|
|
5008
5008
|
catch (error) {
|
|
5009
|
-
logger$
|
|
5009
|
+
logger$5.debug("aft_spki_import_failed", {
|
|
5010
5010
|
kid: keyRecord.kid,
|
|
5011
5011
|
algorithm,
|
|
5012
5012
|
error: error instanceof Error ? error.message : String(error),
|
|
5013
5013
|
});
|
|
5014
5014
|
}
|
|
5015
5015
|
}
|
|
5016
|
-
logger$
|
|
5016
|
+
logger$5.debug("aft_verification_key_unavailable", {
|
|
5017
5017
|
kid: keyRecord.kid,
|
|
5018
5018
|
algorithm,
|
|
5019
5019
|
});
|
|
@@ -5036,7 +5036,7 @@ function createAftVerifier(options) {
|
|
|
5036
5036
|
}
|
|
5037
5037
|
}
|
|
5038
5038
|
|
|
5039
|
-
const logger$
|
|
5039
|
+
const logger$4 = getLogger$1("naylence.fame.stickiness.aft_load_balancer_stickiness_manager");
|
|
5040
5040
|
class AFTAssociation {
|
|
5041
5041
|
constructor(params) {
|
|
5042
5042
|
this.replicaId = params.replicaId;
|
|
@@ -5075,7 +5075,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5075
5075
|
};
|
|
5076
5076
|
this.config = config;
|
|
5077
5077
|
this.verifier = verifier;
|
|
5078
|
-
logger$
|
|
5078
|
+
logger$4.debug("stickiness_manager_initialized", {
|
|
5079
5079
|
enabled: this.config.enabled,
|
|
5080
5080
|
security_level: this.config.securityLevel,
|
|
5081
5081
|
verifier_type: verifier.constructor.name,
|
|
@@ -5093,14 +5093,14 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5093
5093
|
negotiate(stickiness) {
|
|
5094
5094
|
if (!stickiness) {
|
|
5095
5095
|
if (this.config.enabled) {
|
|
5096
|
-
logger$
|
|
5096
|
+
logger$4.debug("stickiness_negotiated_no_offer_attr_fallback");
|
|
5097
5097
|
return { enabled: true, mode: "attr", version: 1 };
|
|
5098
5098
|
}
|
|
5099
5099
|
return null;
|
|
5100
5100
|
}
|
|
5101
5101
|
const version = stickiness.version ?? 1;
|
|
5102
5102
|
if (!this.config.enabled) {
|
|
5103
|
-
logger$
|
|
5103
|
+
logger$4.debug("stickiness_negotiation_disabled_by_config");
|
|
5104
5104
|
return { enabled: false, version };
|
|
5105
5105
|
}
|
|
5106
5106
|
const childModes = new Set();
|
|
@@ -5121,32 +5121,32 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5121
5121
|
ttlSec: ttl,
|
|
5122
5122
|
version,
|
|
5123
5123
|
};
|
|
5124
|
-
logger$
|
|
5124
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode, ttl });
|
|
5125
5125
|
return policy;
|
|
5126
5126
|
}
|
|
5127
5127
|
if (childModes.has("attr")) {
|
|
5128
5128
|
const policy = { enabled: true, mode: "attr", version };
|
|
5129
|
-
logger$
|
|
5129
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode });
|
|
5130
5130
|
return policy;
|
|
5131
5131
|
}
|
|
5132
|
-
logger$
|
|
5132
|
+
logger$4.debug("stickiness_negotiation_no_common_mode");
|
|
5133
5133
|
return { enabled: false, version };
|
|
5134
5134
|
}
|
|
5135
5135
|
async handleOutboundEnvelope(envelope, replicaId) {
|
|
5136
5136
|
if (!this.config.enabled) {
|
|
5137
|
-
logger$
|
|
5137
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5138
5138
|
return null;
|
|
5139
5139
|
}
|
|
5140
5140
|
const aftToken = extractAftInstruction(envelope);
|
|
5141
5141
|
if (!aftToken) {
|
|
5142
|
-
logger$
|
|
5142
|
+
logger$4.debug("no_aft_instruction", {
|
|
5143
5143
|
envelope_id: envelope.id,
|
|
5144
5144
|
has_meta: Boolean(envelope.meta),
|
|
5145
5145
|
});
|
|
5146
5146
|
return null;
|
|
5147
5147
|
}
|
|
5148
5148
|
if (typeof aftToken !== "string") {
|
|
5149
|
-
logger$
|
|
5149
|
+
logger$4.warning("invalid_aft_instruction", {
|
|
5150
5150
|
envelope_id: envelope.id,
|
|
5151
5151
|
replica_id: replicaId,
|
|
5152
5152
|
reason: "set.aft value is not a string",
|
|
@@ -5156,7 +5156,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5156
5156
|
const verification = await this.verifier.verify(aftToken, envelope.sid ?? undefined);
|
|
5157
5157
|
if (!verification.valid) {
|
|
5158
5158
|
this.metrics.verifyFailures += 1;
|
|
5159
|
-
logger$
|
|
5159
|
+
logger$4.warning("aft_verification_failed", {
|
|
5160
5160
|
envelope_id: envelope.id,
|
|
5161
5161
|
replica_id: replicaId,
|
|
5162
5162
|
error: verification.error,
|
|
@@ -5174,14 +5174,14 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5174
5174
|
});
|
|
5175
5175
|
if (verification.clientSid) {
|
|
5176
5176
|
this.sidCache.set(verification.clientSid, replicaId);
|
|
5177
|
-
logger$
|
|
5177
|
+
logger$4.debug("sid_cache_updated", {
|
|
5178
5178
|
envelope_id: envelope.id,
|
|
5179
5179
|
client_sid: verification.clientSid,
|
|
5180
5180
|
replica_id: replicaId,
|
|
5181
5181
|
});
|
|
5182
5182
|
}
|
|
5183
5183
|
this.metrics.associationsCreated += 1;
|
|
5184
|
-
logger$
|
|
5184
|
+
logger$4.debug("aft_association_created", {
|
|
5185
5185
|
envelope_id: envelope.id,
|
|
5186
5186
|
replica_id: replicaId,
|
|
5187
5187
|
sid: verification.sid,
|
|
@@ -5193,14 +5193,14 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5193
5193
|
}
|
|
5194
5194
|
getStickyReplicaSegment(envelope, segments) {
|
|
5195
5195
|
if (!this.config.enabled) {
|
|
5196
|
-
logger$
|
|
5196
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5197
5197
|
return null;
|
|
5198
5198
|
}
|
|
5199
5199
|
if (envelope.aft) {
|
|
5200
5200
|
const replicaId = this.routeByAft(envelope.aft, envelope);
|
|
5201
5201
|
if (replicaId) {
|
|
5202
5202
|
this.metrics.cacheHits += 1;
|
|
5203
|
-
logger$
|
|
5203
|
+
logger$4.debug("aft_routed_envelope", {
|
|
5204
5204
|
envelope_id: envelope.id,
|
|
5205
5205
|
replica_id: replicaId,
|
|
5206
5206
|
routing_type: "aft_direct",
|
|
@@ -5213,7 +5213,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5213
5213
|
if (cachedReplica) {
|
|
5214
5214
|
if (this.config.securityLevel === StickinessMode.SID_ONLY) {
|
|
5215
5215
|
this.metrics.cacheHits += 1;
|
|
5216
|
-
logger$
|
|
5216
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5217
5217
|
envelope_id: envelope.id,
|
|
5218
5218
|
replica_id: cachedReplica,
|
|
5219
5219
|
sid: envelope.sid,
|
|
@@ -5226,7 +5226,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5226
5226
|
!association.isExpired()) {
|
|
5227
5227
|
envelope.aft = token;
|
|
5228
5228
|
this.metrics.cacheHits += 1;
|
|
5229
|
-
logger$
|
|
5229
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5230
5230
|
envelope_id: envelope.id,
|
|
5231
5231
|
replica_id: cachedReplica,
|
|
5232
5232
|
sid: envelope.sid,
|
|
@@ -5236,7 +5236,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5236
5236
|
}
|
|
5237
5237
|
}
|
|
5238
5238
|
this.metrics.cacheHits += 1;
|
|
5239
|
-
logger$
|
|
5239
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5240
5240
|
envelope_id: envelope.id,
|
|
5241
5241
|
replica_id: cachedReplica,
|
|
5242
5242
|
sid: envelope.sid,
|
|
@@ -5244,7 +5244,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5244
5244
|
});
|
|
5245
5245
|
return cachedReplica;
|
|
5246
5246
|
}
|
|
5247
|
-
logger$
|
|
5247
|
+
logger$4.debug("no_cached_replica_for_sid", {
|
|
5248
5248
|
envelope_id: envelope.id,
|
|
5249
5249
|
sid: envelope.sid,
|
|
5250
5250
|
});
|
|
@@ -5253,7 +5253,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5253
5253
|
const index = computeDeterministicIndex(envelope.sid, segments.length);
|
|
5254
5254
|
const chosen = segments[index];
|
|
5255
5255
|
this.metrics.cacheHits += 1;
|
|
5256
|
-
logger$
|
|
5256
|
+
logger$4.debug("sid_based_deterministic_choice", {
|
|
5257
5257
|
envelope_id: envelope.id,
|
|
5258
5258
|
sid: envelope.sid,
|
|
5259
5259
|
chosen,
|
|
@@ -5262,7 +5262,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5262
5262
|
return chosen;
|
|
5263
5263
|
}
|
|
5264
5264
|
this.metrics.cacheMisses += 1;
|
|
5265
|
-
logger$
|
|
5265
|
+
logger$4.debug("no_stickiness_routing", {
|
|
5266
5266
|
envelope_id: envelope.id,
|
|
5267
5267
|
has_aft: Boolean(envelope.aft),
|
|
5268
5268
|
has_sid: Boolean(envelope.sid),
|
|
@@ -5282,7 +5282,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5282
5282
|
}
|
|
5283
5283
|
if (expiredTokens.length > 0) {
|
|
5284
5284
|
this.metrics.associationsExpired += expiredTokens.length;
|
|
5285
|
-
logger$
|
|
5285
|
+
logger$4.debug("cleaned_expired_associations", {
|
|
5286
5286
|
count: expiredTokens.length,
|
|
5287
5287
|
});
|
|
5288
5288
|
}
|
|
@@ -5298,7 +5298,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5298
5298
|
this.removeAssociation(token);
|
|
5299
5299
|
}
|
|
5300
5300
|
if (tokensToRemove.length > 0) {
|
|
5301
|
-
logger$
|
|
5301
|
+
logger$4.debug("removed_associations_for_departed_replica", {
|
|
5302
5302
|
replica_id: replicaId,
|
|
5303
5303
|
count: tokensToRemove.length,
|
|
5304
5304
|
});
|
|
@@ -5306,7 +5306,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5306
5306
|
}
|
|
5307
5307
|
handleReplicaLeft(replicaId) {
|
|
5308
5308
|
this.replicaLeft(replicaId);
|
|
5309
|
-
logger$
|
|
5309
|
+
logger$4.debug("stickiness_replica_cleanup", { replica_id: replicaId });
|
|
5310
5310
|
}
|
|
5311
5311
|
getMetrics() {
|
|
5312
5312
|
return {
|
|
@@ -5339,7 +5339,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5339
5339
|
const misses = this.metrics.cacheMisses;
|
|
5340
5340
|
const total = hits + misses;
|
|
5341
5341
|
const hitRate = total > 0 ? Math.round((hits / total) * 10000) / 100 : 0;
|
|
5342
|
-
logger$
|
|
5342
|
+
logger$4.info("stickiness_metrics_report", {
|
|
5343
5343
|
enabled: this.config.enabled,
|
|
5344
5344
|
security_level: this.config.securityLevel,
|
|
5345
5345
|
cache_hits: hits,
|
|
@@ -5353,7 +5353,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5353
5353
|
});
|
|
5354
5354
|
}
|
|
5355
5355
|
async onDeliver(_node, envelope, context) {
|
|
5356
|
-
logger$
|
|
5356
|
+
logger$4.debug("stickiness_manager_on_deliver", {
|
|
5357
5357
|
envelope_id: envelope.id,
|
|
5358
5358
|
origin_type: context?.originType ?? "unknown",
|
|
5359
5359
|
from_system_id: context?.fromSystemId ?? null,
|
|
@@ -5361,7 +5361,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5361
5361
|
if (context?.originType === DeliveryOriginType$1.DOWNSTREAM) {
|
|
5362
5362
|
const sourceRoute = context.fromSystemId;
|
|
5363
5363
|
if (sourceRoute) {
|
|
5364
|
-
logger$
|
|
5364
|
+
logger$4.debug("processing_downstream_envelope", {
|
|
5365
5365
|
envelope_id: envelope.id,
|
|
5366
5366
|
source_route: sourceRoute,
|
|
5367
5367
|
});
|
|
@@ -5369,7 +5369,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5369
5369
|
envelope.sid &&
|
|
5370
5370
|
!this.sidCache.has(envelope.sid)) {
|
|
5371
5371
|
this.sidCache.set(envelope.sid, sourceRoute);
|
|
5372
|
-
logger$
|
|
5372
|
+
logger$4.debug("sid_only_association_recorded", {
|
|
5373
5373
|
envelope_id: envelope.id,
|
|
5374
5374
|
sid: envelope.sid,
|
|
5375
5375
|
replica_id: sourceRoute,
|
|
@@ -5378,27 +5378,27 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5378
5378
|
const hadInstruction = Boolean(extractAftInstruction(envelope));
|
|
5379
5379
|
const token = await this.handleOutboundEnvelope(envelope, sourceRoute);
|
|
5380
5380
|
if (hadInstruction) {
|
|
5381
|
-
logger$
|
|
5381
|
+
logger$4.debug("processed_aft_setter_instruction", {
|
|
5382
5382
|
envelope_id: envelope.id,
|
|
5383
5383
|
source_route: sourceRoute,
|
|
5384
5384
|
client_echo: Boolean(token),
|
|
5385
5385
|
});
|
|
5386
5386
|
}
|
|
5387
5387
|
else {
|
|
5388
|
-
logger$
|
|
5388
|
+
logger$4.debug("no_aft_setter_instruction", {
|
|
5389
5389
|
envelope_id: envelope.id,
|
|
5390
5390
|
source_route: sourceRoute,
|
|
5391
5391
|
});
|
|
5392
5392
|
}
|
|
5393
5393
|
}
|
|
5394
5394
|
else {
|
|
5395
|
-
logger$
|
|
5395
|
+
logger$4.debug("downstream_envelope_without_source_route", {
|
|
5396
5396
|
envelope_id: envelope.id,
|
|
5397
5397
|
});
|
|
5398
5398
|
}
|
|
5399
5399
|
}
|
|
5400
5400
|
else {
|
|
5401
|
-
logger$
|
|
5401
|
+
logger$4.debug("envelope_not_from_downstream", {
|
|
5402
5402
|
envelope_id: envelope.id,
|
|
5403
5403
|
});
|
|
5404
5404
|
}
|
|
@@ -5439,7 +5439,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5439
5439
|
}
|
|
5440
5440
|
if (this.verifier.securityLevel === StickinessMode.STRICT &&
|
|
5441
5441
|
association.isLowTrust()) {
|
|
5442
|
-
logger$
|
|
5442
|
+
logger$4.warning("rejecting_low_trust_association", {
|
|
5443
5443
|
envelope_id: envelope.id,
|
|
5444
5444
|
replica_id: association.replicaId,
|
|
5445
5445
|
reason: "strict mode rejects low-trust associations",
|
|
@@ -5546,7 +5546,7 @@ var aftLoadBalancerStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5546
5546
|
default: AFTLoadBalancerStickinessManagerFactory
|
|
5547
5547
|
});
|
|
5548
5548
|
|
|
5549
|
-
const logger$
|
|
5549
|
+
const logger$3 = getLogger$1("naylence.fame.stickiness.aft_replica_stickiness_manager");
|
|
5550
5550
|
function isStickinessRequired(context) {
|
|
5551
5551
|
if (typeof context.stickinessRequired === "boolean") {
|
|
5552
5552
|
return context.stickinessRequired;
|
|
@@ -5566,14 +5566,14 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5566
5566
|
this.isInitialized = this.aftHelper !== null;
|
|
5567
5567
|
this.negotiatedStickiness = null;
|
|
5568
5568
|
if (this.aftHelper) {
|
|
5569
|
-
logger$
|
|
5569
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5570
5570
|
helper_type: this.aftHelper.signer.constructor.name,
|
|
5571
5571
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5572
5572
|
max_ttl_sec: this.aftHelper.maxTtlSec,
|
|
5573
5573
|
});
|
|
5574
5574
|
}
|
|
5575
5575
|
else {
|
|
5576
|
-
logger$
|
|
5576
|
+
logger$3.debug("aft_replica_stickiness_manager_created", {
|
|
5577
5577
|
security_level: this.securityLevel,
|
|
5578
5578
|
max_ttl_sec: this.maxTtlSec,
|
|
5579
5579
|
});
|
|
@@ -5584,7 +5584,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5584
5584
|
}
|
|
5585
5585
|
accept(stickiness) {
|
|
5586
5586
|
this.negotiatedStickiness = stickiness ?? null;
|
|
5587
|
-
logger$
|
|
5587
|
+
logger$3.debug("replica_stickiness_policy_set", {
|
|
5588
5588
|
enabled: stickiness?.enabled ?? null,
|
|
5589
5589
|
mode: stickiness?.mode ?? null,
|
|
5590
5590
|
ttl: stickiness?.ttlSec ?? null,
|
|
@@ -5596,7 +5596,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5596
5596
|
}
|
|
5597
5597
|
const helper = this.aftHelper;
|
|
5598
5598
|
if (!helper) {
|
|
5599
|
-
logger$
|
|
5599
|
+
logger$3.debug("aft_helper_not_ready_skip_injection", {
|
|
5600
5600
|
envelope_id: envelope.id,
|
|
5601
5601
|
delivery_origin: context.originType ?? null,
|
|
5602
5602
|
reason: "not_initialized",
|
|
@@ -5612,7 +5612,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5612
5612
|
(negotiated.mode !== null &&
|
|
5613
5613
|
negotiated.mode !== undefined &&
|
|
5614
5614
|
negotiated.mode !== "aft")) {
|
|
5615
|
-
logger$
|
|
5615
|
+
logger$3.debug("aft_injection_skipped_due_to_policy", {
|
|
5616
5616
|
envelope_id: envelope.id,
|
|
5617
5617
|
policy_mode: negotiated.mode ?? null,
|
|
5618
5618
|
policy_enabled: negotiated.enabled ?? null,
|
|
@@ -5620,7 +5620,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5620
5620
|
return envelope;
|
|
5621
5621
|
}
|
|
5622
5622
|
}
|
|
5623
|
-
logger$
|
|
5623
|
+
logger$3.debug("applying_aft_for_upstream_stickiness_required", {
|
|
5624
5624
|
envelope_id: envelope.id,
|
|
5625
5625
|
from_system_id: context.fromSystemId ?? null,
|
|
5626
5626
|
delivery_origin: context.originType ?? null,
|
|
@@ -5631,14 +5631,14 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5631
5631
|
context: stickinessContext,
|
|
5632
5632
|
});
|
|
5633
5633
|
if (success) {
|
|
5634
|
-
logger$
|
|
5634
|
+
logger$3.debug("aft_token_applied_via_context_flag_upstream", {
|
|
5635
5635
|
envelope_id: envelope.id,
|
|
5636
5636
|
from_system_id: context.fromSystemId ?? null,
|
|
5637
5637
|
delivery_origin: context.originType ?? null,
|
|
5638
5638
|
});
|
|
5639
5639
|
}
|
|
5640
5640
|
else {
|
|
5641
|
-
logger$
|
|
5641
|
+
logger$3.debug("aft_token_not_applied_upstream", {
|
|
5642
5642
|
envelope_id: envelope.id,
|
|
5643
5643
|
delivery_origin: context.originType ?? null,
|
|
5644
5644
|
reason: "helper_returned_false",
|
|
@@ -5654,19 +5654,19 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5654
5654
|
}
|
|
5655
5655
|
if (this.aftHelper && node.sid) {
|
|
5656
5656
|
this.updateNodeSid(node.sid);
|
|
5657
|
-
logger$
|
|
5657
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5658
5658
|
node_id: node.id ?? "unknown",
|
|
5659
5659
|
node_sid: node.sid,
|
|
5660
5660
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5661
5661
|
});
|
|
5662
5662
|
}
|
|
5663
5663
|
else if (!node.sid) {
|
|
5664
|
-
logger$
|
|
5664
|
+
logger$3.warning("aft_replica_stickiness_manager_no_sid_available", {
|
|
5665
5665
|
node_id: node.id ?? "unknown",
|
|
5666
5666
|
});
|
|
5667
5667
|
}
|
|
5668
5668
|
else {
|
|
5669
|
-
logger$
|
|
5669
|
+
logger$3.error("aft_replica_stickiness_manager_node_missing_sid", {
|
|
5670
5670
|
node_type: node.constructor?.name ?? typeof node,
|
|
5671
5671
|
});
|
|
5672
5672
|
}
|
|
@@ -5674,7 +5674,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5674
5674
|
updateNodeSid(nodeSid) {
|
|
5675
5675
|
if (this.aftHelper) {
|
|
5676
5676
|
this.aftHelper.nodeSid = nodeSid;
|
|
5677
|
-
logger$
|
|
5677
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5678
5678
|
new_sid: nodeSid,
|
|
5679
5679
|
});
|
|
5680
5680
|
}
|
|
@@ -5682,14 +5682,14 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5682
5682
|
async initializeAftHelper(node) {
|
|
5683
5683
|
const nodeSid = node.sid;
|
|
5684
5684
|
if (!nodeSid) {
|
|
5685
|
-
logger$
|
|
5685
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_sid", {
|
|
5686
5686
|
node_id: node.id ?? "unknown",
|
|
5687
5687
|
});
|
|
5688
5688
|
return;
|
|
5689
5689
|
}
|
|
5690
5690
|
const cryptoProvider = node.cryptoProvider ?? null;
|
|
5691
5691
|
if (!cryptoProvider) {
|
|
5692
|
-
logger$
|
|
5692
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_crypto_provider", {
|
|
5693
5693
|
node_id: node.id ?? "unknown",
|
|
5694
5694
|
});
|
|
5695
5695
|
return;
|
|
@@ -5702,7 +5702,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5702
5702
|
? cryptoProvider.signingPrivatePem
|
|
5703
5703
|
: null;
|
|
5704
5704
|
if (this.securityLevel === StickinessMode.STRICT && !privateKeyPem) {
|
|
5705
|
-
logger$
|
|
5705
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5706
5706
|
node_id: node.id ?? "unknown",
|
|
5707
5707
|
error: "Missing signing private key for strict security level",
|
|
5708
5708
|
});
|
|
@@ -5718,7 +5718,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5718
5718
|
});
|
|
5719
5719
|
this.aftHelper = helper;
|
|
5720
5720
|
this.isInitialized = true;
|
|
5721
|
-
logger$
|
|
5721
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5722
5722
|
node_id: node.id ?? "unknown",
|
|
5723
5723
|
node_sid: nodeSid,
|
|
5724
5724
|
key_id: keyId,
|
|
@@ -5726,7 +5726,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5726
5726
|
});
|
|
5727
5727
|
}
|
|
5728
5728
|
catch (error) {
|
|
5729
|
-
logger$
|
|
5729
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5730
5730
|
node_id: node.id ?? "unknown",
|
|
5731
5731
|
error: error instanceof Error ? error.message : String(error),
|
|
5732
5732
|
});
|
|
@@ -5796,7 +5796,7 @@ var aftReplicaStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5796
5796
|
default: AFTReplicaStickinessManagerFactory
|
|
5797
5797
|
});
|
|
5798
5798
|
|
|
5799
|
-
const logger$
|
|
5799
|
+
const logger$2 = getLogger$1("naylence.fame.welcome.advanced_welcome_service");
|
|
5800
5800
|
const ENV_VAR_SHOW_ENVELOPES = "FAME_SHOW_ENVELOPES";
|
|
5801
5801
|
const DEFAULT_TTL_SEC = 3600;
|
|
5802
5802
|
const showEnvelopes = typeof process !== "undefined" &&
|
|
@@ -5839,7 +5839,7 @@ class AdvancedWelcomeService {
|
|
|
5839
5839
|
typeof options.ttlSec === "number" && Number.isFinite(options.ttlSec)
|
|
5840
5840
|
? Math.max(0, options.ttlSec)
|
|
5841
5841
|
: DEFAULT_TTL_SEC;
|
|
5842
|
-
logger$
|
|
5842
|
+
logger$2.debug("initialized_advanced_welcome_service", {
|
|
5843
5843
|
ca_service_url: this.caServiceUrl,
|
|
5844
5844
|
ttl_sec: this.ttlSec,
|
|
5845
5845
|
});
|
|
@@ -5859,7 +5859,7 @@ class AdvancedWelcomeService {
|
|
|
5859
5859
|
// eslint-disable-next-line no-console
|
|
5860
5860
|
console.log(`\n${formatTimestampForConsole()} - ${color("Received envelope 📨", AnsiColor.BLUE)}\n${prettyModel(normalizedHello)}`);
|
|
5861
5861
|
}
|
|
5862
|
-
logger$
|
|
5862
|
+
logger$2.debug("starting_hello_frame_processing", {
|
|
5863
5863
|
instanceId: normalizedHello.instanceId,
|
|
5864
5864
|
systemId,
|
|
5865
5865
|
logicals: normalizedHello.logicals,
|
|
@@ -5876,35 +5876,35 @@ class AdvancedWelcomeService {
|
|
|
5876
5876
|
fullMetadata.instance_id = normalizedHello.instanceId;
|
|
5877
5877
|
}
|
|
5878
5878
|
}
|
|
5879
|
-
logger$
|
|
5879
|
+
logger$2.debug("system_id_assignment_completed", {
|
|
5880
5880
|
systemId,
|
|
5881
5881
|
wasAssigned,
|
|
5882
5882
|
});
|
|
5883
5883
|
if (normalizedHello.logicals?.length) {
|
|
5884
|
-
logger$
|
|
5884
|
+
logger$2.debug("validating_logicals_for_dns_compatibility", {
|
|
5885
5885
|
logicals: normalizedHello.logicals,
|
|
5886
5886
|
});
|
|
5887
5887
|
const [pathsValid, pathError] = validateHostLogicals(normalizedHello.logicals);
|
|
5888
5888
|
if (!pathsValid) {
|
|
5889
|
-
logger$
|
|
5889
|
+
logger$2.error("logical_validation_failed", {
|
|
5890
5890
|
error: pathError,
|
|
5891
5891
|
logicals: normalizedHello.logicals,
|
|
5892
5892
|
});
|
|
5893
5893
|
throw new Error(`Invalid logical format: ${pathError}`);
|
|
5894
5894
|
}
|
|
5895
|
-
logger$
|
|
5895
|
+
logger$2.debug("logicals_validation_successful");
|
|
5896
5896
|
}
|
|
5897
|
-
logger$
|
|
5897
|
+
logger$2.debug("requesting_node_placement", { systemId });
|
|
5898
5898
|
const placementResult = await this.placementStrategy.place(normalizedHello);
|
|
5899
5899
|
if (!placementResult.accept) {
|
|
5900
|
-
logger$
|
|
5900
|
+
logger$2.error("node_placement_rejected", {
|
|
5901
5901
|
systemId,
|
|
5902
5902
|
reason: placementResult.reason,
|
|
5903
5903
|
});
|
|
5904
5904
|
throw new Error(placementResult.reason || "Node not accepted");
|
|
5905
5905
|
}
|
|
5906
5906
|
const assignedPath = placementResult.assignedPath;
|
|
5907
|
-
logger$
|
|
5907
|
+
logger$2.debug("node_placement_accepted", {
|
|
5908
5908
|
systemId,
|
|
5909
5909
|
assignedPath,
|
|
5910
5910
|
targetPhysicalPath: placementResult.targetPhysicalPath ?? null,
|
|
@@ -5916,7 +5916,7 @@ class AdvancedWelcomeService {
|
|
|
5916
5916
|
const acceptedLogicals = coercePlacementMetadataValue(placementResult.metadata, "acceptedLogicals", "accepted_logicals") ??
|
|
5917
5917
|
normalizedHello.logicals ??
|
|
5918
5918
|
null;
|
|
5919
|
-
logger$
|
|
5919
|
+
logger$2.debug("processing_placement_result_metadata", {
|
|
5920
5920
|
acceptedCapabilities,
|
|
5921
5921
|
acceptedLogicals,
|
|
5922
5922
|
hasPlacementMetadata: placementResult.metadata !== undefined &&
|
|
@@ -5930,7 +5930,7 @@ class AdvancedWelcomeService {
|
|
|
5930
5930
|
normalizedHello.instanceId ||
|
|
5931
5931
|
generateId();
|
|
5932
5932
|
if (placementResult.targetSystemId) {
|
|
5933
|
-
logger$
|
|
5933
|
+
logger$2.debug("issuing_node_attach_token", {
|
|
5934
5934
|
systemId,
|
|
5935
5935
|
assignedPath,
|
|
5936
5936
|
});
|
|
@@ -5942,10 +5942,10 @@ class AdvancedWelcomeService {
|
|
|
5942
5942
|
accepted_logicals: acceptedLogicals,
|
|
5943
5943
|
instance_id: metadataInstanceId,
|
|
5944
5944
|
});
|
|
5945
|
-
logger$
|
|
5946
|
-
logger$
|
|
5945
|
+
logger$2.debug("token_issued_successfully");
|
|
5946
|
+
logger$2.debug("provisioning_transport", { systemId });
|
|
5947
5947
|
const transportInfo = await this.transportProvisioner.provision(placementResult, normalizedHello, fullMetadata, nodeAttachToken);
|
|
5948
|
-
logger$
|
|
5948
|
+
logger$2.debug("transport_provisioned_successfully", {
|
|
5949
5949
|
systemId,
|
|
5950
5950
|
directiveType: transportInfo.connectionGrant &&
|
|
5951
5951
|
typeof transportInfo.connectionGrant === "object"
|
|
@@ -5989,7 +5989,7 @@ class AdvancedWelcomeService {
|
|
|
5989
5989
|
metadata: Object.keys(fullMetadata).length > 0 ? fullMetadata : undefined,
|
|
5990
5990
|
expiresAt: expiry.toISOString(),
|
|
5991
5991
|
};
|
|
5992
|
-
logger$
|
|
5992
|
+
logger$2.debug("hello_frame_processing_completed_successfully", {
|
|
5993
5993
|
systemId,
|
|
5994
5994
|
assignedPath,
|
|
5995
5995
|
acceptedLogicals,
|
|
@@ -7665,7 +7665,7 @@ function encodeBitString(signature) {
|
|
|
7665
7665
|
return result.buffer;
|
|
7666
7666
|
}
|
|
7667
7667
|
|
|
7668
|
-
const logger = getLogger$1("naylence.fame.security.cert.default_certificate_manager");
|
|
7668
|
+
const logger$1 = getLogger$1("naylence.fame.security.cert.default_certificate_manager");
|
|
7669
7669
|
const CONNECTION_GRANTS_CAMEL = "connectionGrants";
|
|
7670
7670
|
const CONNECTION_GRANTS_SNAKE = "connection_grants";
|
|
7671
7671
|
class DefaultCertificateManager {
|
|
@@ -7694,7 +7694,7 @@ class DefaultCertificateManager {
|
|
|
7694
7694
|
this.prepareProviderContext(node);
|
|
7695
7695
|
const requiresCertificate = this.requiresCertificates();
|
|
7696
7696
|
if (requiresCertificate) {
|
|
7697
|
-
logger.debug("node_certificate_required_on_start", {
|
|
7697
|
+
logger$1.debug("node_certificate_required_on_start", {
|
|
7698
7698
|
node_id: node.id,
|
|
7699
7699
|
physical_path: node.physicalPath,
|
|
7700
7700
|
has_parent: node.hasParent,
|
|
@@ -7708,7 +7708,7 @@ class DefaultCertificateManager {
|
|
|
7708
7708
|
const welcomeFrame = this.pendingWelcomeFrame ?? fallbackWelcome;
|
|
7709
7709
|
const success = await this.ensureCertificate(welcomeFrame, this.caServiceUrl ? { caServiceUrl: this.caServiceUrl } : undefined);
|
|
7710
7710
|
if (!success) {
|
|
7711
|
-
logger.warning("node_certificate_unavailable_on_start", {
|
|
7711
|
+
logger$1.warning("node_certificate_unavailable_on_start", {
|
|
7712
7712
|
node_id: node.id,
|
|
7713
7713
|
physical_path: node.physicalPath,
|
|
7714
7714
|
message: "Certificate provisioning was requested but did not complete",
|
|
@@ -7722,7 +7722,7 @@ class DefaultCertificateManager {
|
|
|
7722
7722
|
async onWelcome(welcomeFrame) {
|
|
7723
7723
|
const requiresCertificate = this.requiresCertificates(welcomeFrame);
|
|
7724
7724
|
if (!requiresCertificate) {
|
|
7725
|
-
logger.debug("welcome_does_not_require_certificate", {
|
|
7725
|
+
logger$1.debug("welcome_does_not_require_certificate", {
|
|
7726
7726
|
system_id: welcomeFrame.systemId ?? null,
|
|
7727
7727
|
});
|
|
7728
7728
|
this.pendingWelcomeFrame = null;
|
|
@@ -7733,14 +7733,14 @@ class DefaultCertificateManager {
|
|
|
7733
7733
|
return;
|
|
7734
7734
|
}
|
|
7735
7735
|
if (!this.node) {
|
|
7736
|
-
logger.debug("certificate_provisioning_deferred_until_node_start", {
|
|
7736
|
+
logger$1.debug("certificate_provisioning_deferred_until_node_start", {
|
|
7737
7737
|
system_id: welcomeFrame.systemId ?? null,
|
|
7738
7738
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7739
7739
|
});
|
|
7740
7740
|
return;
|
|
7741
7741
|
}
|
|
7742
7742
|
const nodeId = welcomeFrame.systemId ?? "unknown";
|
|
7743
|
-
logger.warning("certificate_provisioning_not_completed", {
|
|
7743
|
+
logger$1.warning("certificate_provisioning_not_completed", {
|
|
7744
7744
|
node_id: nodeId,
|
|
7745
7745
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7746
7746
|
message: "Continuing without a provisioned certificate (development mode)",
|
|
@@ -7756,13 +7756,13 @@ class DefaultCertificateManager {
|
|
|
7756
7756
|
const cryptoProvider = this.resolveCryptoProvider();
|
|
7757
7757
|
if (!cryptoProvider) {
|
|
7758
7758
|
if (!this.node) {
|
|
7759
|
-
logger.debug("crypto_provider_pending_node_start", {
|
|
7759
|
+
logger$1.debug("crypto_provider_pending_node_start", {
|
|
7760
7760
|
system_id: welcomeFrame.systemId ?? null,
|
|
7761
7761
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7762
7762
|
});
|
|
7763
7763
|
}
|
|
7764
7764
|
else {
|
|
7765
|
-
logger.error("crypto_provider_unavailable_for_certificate", {
|
|
7765
|
+
logger$1.error("crypto_provider_unavailable_for_certificate", {
|
|
7766
7766
|
system_id: welcomeFrame.systemId ?? null,
|
|
7767
7767
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7768
7768
|
});
|
|
@@ -7781,7 +7781,7 @@ class DefaultCertificateManager {
|
|
|
7781
7781
|
const connectionGrants = readFrameValue(welcomeFrame, CONNECTION_GRANTS_CAMEL, CONNECTION_GRANTS_SNAKE);
|
|
7782
7782
|
const caSignGrant = this.getCaSignGrant(connectionGrants);
|
|
7783
7783
|
if (!caSignGrant) {
|
|
7784
|
-
logger.warning("welcome_frame_missing_ca_sign_grant", {
|
|
7784
|
+
logger$1.warning("welcome_frame_missing_ca_sign_grant", {
|
|
7785
7785
|
system_id: nodeId,
|
|
7786
7786
|
grant_count: Array.isArray(connectionGrants)
|
|
7787
7787
|
? connectionGrants.length
|
|
@@ -7792,7 +7792,7 @@ class DefaultCertificateManager {
|
|
|
7792
7792
|
if (caSignGrant) {
|
|
7793
7793
|
material = await this.requestCertificateFromCa(cryptoProvider, welcomeFrame, caSignGrant, options);
|
|
7794
7794
|
if (!material) {
|
|
7795
|
-
logger.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
7795
|
+
logger$1.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
7796
7796
|
system_id: nodeId,
|
|
7797
7797
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl ?? caSignGrant.url,
|
|
7798
7798
|
});
|
|
@@ -7802,13 +7802,13 @@ class DefaultCertificateManager {
|
|
|
7802
7802
|
material = await this.resolveCertificateMaterialFromInjectedSources(cryptoProvider, nodeId);
|
|
7803
7803
|
}
|
|
7804
7804
|
if (!material) {
|
|
7805
|
-
logger.debug("attempting_certificate_resolution_from_environment", {
|
|
7805
|
+
logger$1.debug("attempting_certificate_resolution_from_environment", {
|
|
7806
7806
|
system_id: nodeId,
|
|
7807
7807
|
});
|
|
7808
7808
|
material = await resolveCertificateMaterialFromEnvironment();
|
|
7809
7809
|
}
|
|
7810
7810
|
if (!material) {
|
|
7811
|
-
logger.warning("certificate_material_not_found", {
|
|
7811
|
+
logger$1.warning("certificate_material_not_found", {
|
|
7812
7812
|
system_id: nodeId,
|
|
7813
7813
|
assigned_path: readFrameString(welcomeFrame, "assignedPath", "assigned_path"),
|
|
7814
7814
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl,
|
|
@@ -7817,7 +7817,7 @@ class DefaultCertificateManager {
|
|
|
7817
7817
|
}
|
|
7818
7818
|
const stored = await this.storeCertificateMaterial(cryptoProvider, material, nodeId);
|
|
7819
7819
|
if (!stored) {
|
|
7820
|
-
logger.warning("certificate_storage_not_supported", {
|
|
7820
|
+
logger$1.warning("certificate_storage_not_supported", {
|
|
7821
7821
|
system_id: nodeId,
|
|
7822
7822
|
});
|
|
7823
7823
|
return false;
|
|
@@ -7826,7 +7826,7 @@ class DefaultCertificateManager {
|
|
|
7826
7826
|
if (!validated) {
|
|
7827
7827
|
return false;
|
|
7828
7828
|
}
|
|
7829
|
-
logger.debug("certificate_material_applied", {
|
|
7829
|
+
logger$1.debug("certificate_material_applied", {
|
|
7830
7830
|
system_id: nodeId,
|
|
7831
7831
|
has_chain: Boolean(material.certificateChainPem),
|
|
7832
7832
|
});
|
|
@@ -7889,12 +7889,12 @@ class DefaultCertificateManager {
|
|
|
7889
7889
|
}
|
|
7890
7890
|
const validated = await this.validateProviderCertificate(provider, nodeId);
|
|
7891
7891
|
if (!validated) {
|
|
7892
|
-
logger.error("existing_certificate_validation_failed", {
|
|
7892
|
+
logger$1.error("existing_certificate_validation_failed", {
|
|
7893
7893
|
node_id: nodeId,
|
|
7894
7894
|
});
|
|
7895
7895
|
return false;
|
|
7896
7896
|
}
|
|
7897
|
-
logger.debug("existing_certificate_validated", {
|
|
7897
|
+
logger$1.debug("existing_certificate_validated", {
|
|
7898
7898
|
node_id: nodeId,
|
|
7899
7899
|
});
|
|
7900
7900
|
return true;
|
|
@@ -7902,7 +7902,7 @@ class DefaultCertificateManager {
|
|
|
7902
7902
|
async resolveCertificateMaterialFromInjectedSources(provider, nodeId) {
|
|
7903
7903
|
const providerMaterial = await this.resolveCertificateMaterialFromProvider(provider, nodeId);
|
|
7904
7904
|
if (providerMaterial) {
|
|
7905
|
-
logger.debug("certificate_material_resolved_from_provider", {
|
|
7905
|
+
logger$1.debug("certificate_material_resolved_from_provider", {
|
|
7906
7906
|
system_id: nodeId,
|
|
7907
7907
|
});
|
|
7908
7908
|
return providerMaterial;
|
|
@@ -7911,14 +7911,14 @@ class DefaultCertificateManager {
|
|
|
7911
7911
|
try {
|
|
7912
7912
|
const material = await this.certificateMaterialResolver();
|
|
7913
7913
|
if (material) {
|
|
7914
|
-
logger.debug("certificate_material_resolved_from_options", {
|
|
7914
|
+
logger$1.debug("certificate_material_resolved_from_options", {
|
|
7915
7915
|
system_id: nodeId,
|
|
7916
7916
|
});
|
|
7917
7917
|
return material;
|
|
7918
7918
|
}
|
|
7919
7919
|
}
|
|
7920
7920
|
catch (error) {
|
|
7921
|
-
logger.debug("certificate_material_option_resolution_failed", {
|
|
7921
|
+
logger$1.debug("certificate_material_option_resolution_failed", {
|
|
7922
7922
|
system_id: nodeId,
|
|
7923
7923
|
error: error instanceof Error ? error.message : String(error),
|
|
7924
7924
|
});
|
|
@@ -7935,7 +7935,7 @@ class DefaultCertificateManager {
|
|
|
7935
7935
|
return normalizeCertificateMaterial(material ?? null);
|
|
7936
7936
|
}
|
|
7937
7937
|
catch (error) {
|
|
7938
|
-
logger.debug("provider_certificate_material_resolution_failed", {
|
|
7938
|
+
logger$1.debug("provider_certificate_material_resolution_failed", {
|
|
7939
7939
|
system_id: nodeId,
|
|
7940
7940
|
error: error instanceof Error ? error.message : String(error),
|
|
7941
7941
|
});
|
|
@@ -7957,7 +7957,7 @@ class DefaultCertificateManager {
|
|
|
7957
7957
|
}
|
|
7958
7958
|
const url = readRecordString(grantRecord, "url", "baseUrl", "base_url");
|
|
7959
7959
|
if (!url) {
|
|
7960
|
-
logger.warning("ca_sign_grant_missing_url", {
|
|
7960
|
+
logger$1.warning("ca_sign_grant_missing_url", {
|
|
7961
7961
|
grant_keys: Object.keys(grantRecord),
|
|
7962
7962
|
});
|
|
7963
7963
|
continue;
|
|
@@ -7976,12 +7976,12 @@ class DefaultCertificateManager {
|
|
|
7976
7976
|
? provider.signatureKeyId
|
|
7977
7977
|
: null);
|
|
7978
7978
|
if (!nodeId) {
|
|
7979
|
-
logger.warning("certificate_request_missing_node_id");
|
|
7979
|
+
logger$1.warning("certificate_request_missing_node_id");
|
|
7980
7980
|
return null;
|
|
7981
7981
|
}
|
|
7982
7982
|
const physicalPath = readFrameString(welcomeFrame, "assignedPath", "assigned_path");
|
|
7983
7983
|
if (!physicalPath) {
|
|
7984
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
7984
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
7985
7985
|
node_id: nodeId,
|
|
7986
7986
|
});
|
|
7987
7987
|
return null;
|
|
@@ -7995,7 +7995,7 @@ class DefaultCertificateManager {
|
|
|
7995
7995
|
}
|
|
7996
7996
|
const caServiceUrl = options?.caServiceUrl ?? this.caServiceUrl ?? grant.url;
|
|
7997
7997
|
if (!caServiceUrl) {
|
|
7998
|
-
logger.error("ca_service_url_unavailable", {
|
|
7998
|
+
logger$1.error("ca_service_url_unavailable", {
|
|
7999
7999
|
node_id: nodeId,
|
|
8000
8000
|
});
|
|
8001
8001
|
return null;
|
|
@@ -8008,7 +8008,7 @@ class DefaultCertificateManager {
|
|
|
8008
8008
|
authStrategy = await this.createAuthStrategyForGrant(grant);
|
|
8009
8009
|
}
|
|
8010
8010
|
catch (error) {
|
|
8011
|
-
logger.error("ca_sign_auth_strategy_creation_failed", {
|
|
8011
|
+
logger$1.error("ca_sign_auth_strategy_creation_failed", {
|
|
8012
8012
|
node_id: nodeId,
|
|
8013
8013
|
error: error instanceof Error ? error.message : String(error),
|
|
8014
8014
|
});
|
|
@@ -8020,7 +8020,7 @@ class DefaultCertificateManager {
|
|
|
8020
8020
|
await authStrategy.apply(client);
|
|
8021
8021
|
}
|
|
8022
8022
|
const [certificatePem, certificateChainPem] = await client.requestCertificate(csrPem, nodeId, physicalPath, logicals);
|
|
8023
|
-
logger.debug("certificate_received_from_ca_service", {
|
|
8023
|
+
logger$1.debug("certificate_received_from_ca_service", {
|
|
8024
8024
|
node_id: nodeId,
|
|
8025
8025
|
has_chain: Boolean(certificateChainPem),
|
|
8026
8026
|
ca_service_url: caServiceUrl,
|
|
@@ -8032,13 +8032,13 @@ class DefaultCertificateManager {
|
|
|
8032
8032
|
}
|
|
8033
8033
|
catch (error) {
|
|
8034
8034
|
if (error instanceof CertificateRequestError) {
|
|
8035
|
-
logger.error("certificate_request_failed", {
|
|
8035
|
+
logger$1.error("certificate_request_failed", {
|
|
8036
8036
|
node_id: nodeId,
|
|
8037
8037
|
error: error.message,
|
|
8038
8038
|
});
|
|
8039
8039
|
}
|
|
8040
8040
|
else {
|
|
8041
|
-
logger.error("certificate_request_unhandled_error", {
|
|
8041
|
+
logger$1.error("certificate_request_unhandled_error", {
|
|
8042
8042
|
node_id: nodeId,
|
|
8043
8043
|
error: error instanceof Error ? error.message : String(error),
|
|
8044
8044
|
});
|
|
@@ -8051,7 +8051,7 @@ class DefaultCertificateManager {
|
|
|
8051
8051
|
await authStrategy.cleanup();
|
|
8052
8052
|
}
|
|
8053
8053
|
catch (cleanupError) {
|
|
8054
|
-
logger.debug("auth_strategy_cleanup_failed", {
|
|
8054
|
+
logger$1.debug("auth_strategy_cleanup_failed", {
|
|
8055
8055
|
error: cleanupError instanceof Error
|
|
8056
8056
|
? cleanupError.message
|
|
8057
8057
|
: String(cleanupError),
|
|
@@ -8074,14 +8074,14 @@ class DefaultCertificateManager {
|
|
|
8074
8074
|
async validateProviderCertificate(provider, nodeId) {
|
|
8075
8075
|
const { pem: trustStorePem, reason } = await this.resolveTrustStorePemValue(provider, nodeId);
|
|
8076
8076
|
if (!trustStorePem) {
|
|
8077
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8077
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8078
8078
|
node_id: nodeId,
|
|
8079
8079
|
reason: reason ?? "trust_store_unavailable",
|
|
8080
8080
|
});
|
|
8081
8081
|
return false;
|
|
8082
8082
|
}
|
|
8083
8083
|
if (typeof provider.nodeJwk !== "function") {
|
|
8084
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8084
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8085
8085
|
node_id: nodeId,
|
|
8086
8086
|
reason: "crypto_provider_lacks_node_jwk",
|
|
8087
8087
|
});
|
|
@@ -8092,7 +8092,7 @@ class DefaultCertificateManager {
|
|
|
8092
8092
|
jwk = provider.nodeJwk() ?? null;
|
|
8093
8093
|
}
|
|
8094
8094
|
catch (error) {
|
|
8095
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8095
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8096
8096
|
node_id: nodeId,
|
|
8097
8097
|
reason: "node_jwk_retrieval_failed",
|
|
8098
8098
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -8100,7 +8100,7 @@ class DefaultCertificateManager {
|
|
|
8100
8100
|
return false;
|
|
8101
8101
|
}
|
|
8102
8102
|
if (!jwk) {
|
|
8103
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8103
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8104
8104
|
node_id: nodeId,
|
|
8105
8105
|
reason: "node_jwk_missing",
|
|
8106
8106
|
});
|
|
@@ -8110,7 +8110,7 @@ class DefaultCertificateManager {
|
|
|
8110
8110
|
if (!Array.isArray(x5c) ||
|
|
8111
8111
|
x5c.length === 0 ||
|
|
8112
8112
|
x5c.some((entry) => typeof entry !== "string")) {
|
|
8113
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8113
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8114
8114
|
node_id: nodeId,
|
|
8115
8115
|
reason: "invalid_certificate_chain",
|
|
8116
8116
|
});
|
|
@@ -8124,19 +8124,19 @@ class DefaultCertificateManager {
|
|
|
8124
8124
|
strict: false,
|
|
8125
8125
|
});
|
|
8126
8126
|
if (!result.isValid) {
|
|
8127
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8127
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8128
8128
|
node_id: nodeId,
|
|
8129
8129
|
reason: result.error ?? "validation_failed",
|
|
8130
8130
|
});
|
|
8131
8131
|
return false;
|
|
8132
8132
|
}
|
|
8133
|
-
logger.debug("certificate_chain_validation_successful", {
|
|
8133
|
+
logger$1.debug("certificate_chain_validation_successful", {
|
|
8134
8134
|
node_id: nodeId,
|
|
8135
8135
|
});
|
|
8136
8136
|
return true;
|
|
8137
8137
|
}
|
|
8138
8138
|
catch (error) {
|
|
8139
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8139
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8140
8140
|
node_id: nodeId,
|
|
8141
8141
|
reason: "validation_error",
|
|
8142
8142
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -8147,7 +8147,7 @@ class DefaultCertificateManager {
|
|
|
8147
8147
|
async resolveTrustStorePemValue(provider, nodeId) {
|
|
8148
8148
|
const providerPem = await this.resolveTrustStorePemFromProvider(provider, nodeId);
|
|
8149
8149
|
if (providerPem) {
|
|
8150
|
-
logger.debug("trust_store_resolved_from_provider", {
|
|
8150
|
+
logger$1.debug("trust_store_resolved_from_provider", {
|
|
8151
8151
|
node_id: nodeId,
|
|
8152
8152
|
});
|
|
8153
8153
|
return { pem: providerPem };
|
|
@@ -8157,14 +8157,14 @@ class DefaultCertificateManager {
|
|
|
8157
8157
|
const pem = await this.trustStorePemResolver();
|
|
8158
8158
|
const normalized = normalizePemOrNull(pem);
|
|
8159
8159
|
if (normalized) {
|
|
8160
|
-
logger.debug("trust_store_resolved_from_options", {
|
|
8160
|
+
logger$1.debug("trust_store_resolved_from_options", {
|
|
8161
8161
|
node_id: nodeId,
|
|
8162
8162
|
});
|
|
8163
8163
|
return { pem: normalized };
|
|
8164
8164
|
}
|
|
8165
8165
|
}
|
|
8166
8166
|
catch (error) {
|
|
8167
|
-
logger.debug("trust_store_option_resolution_failed", {
|
|
8167
|
+
logger$1.debug("trust_store_option_resolution_failed", {
|
|
8168
8168
|
node_id: nodeId,
|
|
8169
8169
|
error: error instanceof Error ? error.message : String(error),
|
|
8170
8170
|
});
|
|
@@ -8185,7 +8185,7 @@ class DefaultCertificateManager {
|
|
|
8185
8185
|
return normalizePemOrNull(pem);
|
|
8186
8186
|
}
|
|
8187
8187
|
catch (error) {
|
|
8188
|
-
logger.debug("provider_trust_store_resolution_failed", {
|
|
8188
|
+
logger$1.debug("provider_trust_store_resolution_failed", {
|
|
8189
8189
|
node_id: nodeId,
|
|
8190
8190
|
error: error instanceof Error ? error.message : String(error),
|
|
8191
8191
|
});
|
|
@@ -8200,7 +8200,7 @@ class DefaultCertificateManager {
|
|
|
8200
8200
|
stored = true;
|
|
8201
8201
|
}
|
|
8202
8202
|
catch (error) {
|
|
8203
|
-
logger.warning("failed_to_store_certificate", {
|
|
8203
|
+
logger$1.warning("failed_to_store_certificate", {
|
|
8204
8204
|
error: error instanceof Error ? error.message : String(error),
|
|
8205
8205
|
});
|
|
8206
8206
|
}
|
|
@@ -8218,7 +8218,7 @@ class DefaultCertificateManager {
|
|
|
8218
8218
|
stored = true;
|
|
8219
8219
|
}
|
|
8220
8220
|
catch (error) {
|
|
8221
|
-
logger.debug("certificate_persistence_hook_failed", {
|
|
8221
|
+
logger$1.debug("certificate_persistence_hook_failed", {
|
|
8222
8222
|
node_id: nodeId,
|
|
8223
8223
|
error: error instanceof Error ? error.message : String(error),
|
|
8224
8224
|
});
|
|
@@ -8229,7 +8229,7 @@ class DefaultCertificateManager {
|
|
|
8229
8229
|
async buildCertificateSigningRequest(provider, nodeId, physicalPath, logicals) {
|
|
8230
8230
|
const trimmedPath = physicalPath.trim();
|
|
8231
8231
|
if (!trimmedPath) {
|
|
8232
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
8232
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
8233
8233
|
node_id: nodeId,
|
|
8234
8234
|
});
|
|
8235
8235
|
return null;
|
|
@@ -8238,7 +8238,7 @@ class DefaultCertificateManager {
|
|
|
8238
8238
|
const privateKeyPem = pemSource.signingPrivatePem?.trim() ?? "";
|
|
8239
8239
|
const publicKeyPem = pemSource.signingPublicPem?.trim() ?? "";
|
|
8240
8240
|
if (!privateKeyPem || !publicKeyPem) {
|
|
8241
|
-
logger.error("crypto_provider_missing_signing_material", {
|
|
8241
|
+
logger$1.error("crypto_provider_missing_signing_material", {
|
|
8242
8242
|
node_id: nodeId,
|
|
8243
8243
|
has_private: Boolean(privateKeyPem),
|
|
8244
8244
|
has_public: Boolean(publicKeyPem),
|
|
@@ -8256,7 +8256,7 @@ class DefaultCertificateManager {
|
|
|
8256
8256
|
return csrPem;
|
|
8257
8257
|
}
|
|
8258
8258
|
catch (error) {
|
|
8259
|
-
logger.error("csr_generation_failed", {
|
|
8259
|
+
logger$1.error("csr_generation_failed", {
|
|
8260
8260
|
node_id: nodeId,
|
|
8261
8261
|
error: error instanceof Error ? error.message : String(error),
|
|
8262
8262
|
});
|
|
@@ -8340,7 +8340,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
8340
8340
|
return null;
|
|
8341
8341
|
}
|
|
8342
8342
|
if (!isNodeProcess()) {
|
|
8343
|
-
logger.debug("pem_file_unavailable_in_browser", {
|
|
8343
|
+
logger$1.debug("pem_file_unavailable_in_browser", {
|
|
8344
8344
|
env_var: fileVar,
|
|
8345
8345
|
});
|
|
8346
8346
|
return null;
|
|
@@ -8351,7 +8351,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
8351
8351
|
return normalizePemOrNull(content);
|
|
8352
8352
|
}
|
|
8353
8353
|
catch (error) {
|
|
8354
|
-
logger.warning("failed_to_read_certificate_file", {
|
|
8354
|
+
logger$1.warning("failed_to_read_certificate_file", {
|
|
8355
8355
|
file: filePath,
|
|
8356
8356
|
error: error instanceof Error ? error.message : String(error),
|
|
8357
8357
|
});
|
|
@@ -8382,7 +8382,7 @@ function providerHasCertificate(provider) {
|
|
|
8382
8382
|
return Boolean(provider.hasCertificate());
|
|
8383
8383
|
}
|
|
8384
8384
|
catch (error) {
|
|
8385
|
-
logger.debug("has_certificate_check_failed", {
|
|
8385
|
+
logger$1.debug("has_certificate_check_failed", {
|
|
8386
8386
|
error: error instanceof Error ? error.message : String(error),
|
|
8387
8387
|
});
|
|
8388
8388
|
}
|
|
@@ -8392,7 +8392,7 @@ function providerHasCertificate(provider) {
|
|
|
8392
8392
|
return Boolean(provider.nodeCertificatePem());
|
|
8393
8393
|
}
|
|
8394
8394
|
catch (error) {
|
|
8395
|
-
logger.debug("node_certificate_check_failed", {
|
|
8395
|
+
logger$1.debug("node_certificate_check_failed", {
|
|
8396
8396
|
error: error instanceof Error ? error.message : String(error),
|
|
8397
8397
|
});
|
|
8398
8398
|
}
|
|
@@ -8446,7 +8446,7 @@ function normalizeAuthConfig(candidate) {
|
|
|
8446
8446
|
}
|
|
8447
8447
|
const normalized = candidate;
|
|
8448
8448
|
if (!normalized.type || typeof normalized.type !== "string") {
|
|
8449
|
-
logger.warning("auth_strategy_missing_type", {
|
|
8449
|
+
logger$1.warning("auth_strategy_missing_type", {
|
|
8450
8450
|
provided_keys: Object.keys(candidate),
|
|
8451
8451
|
});
|
|
8452
8452
|
return null;
|
|
@@ -8464,7 +8464,7 @@ async function resolveTrustStorePemFromEnvironment() {
|
|
|
8464
8464
|
}
|
|
8465
8465
|
catch (error) {
|
|
8466
8466
|
const message = error instanceof Error ? error.message : String(error);
|
|
8467
|
-
logger.debug("trust_store_provider_resolution_failed", {
|
|
8467
|
+
logger$1.debug("trust_store_provider_resolution_failed", {
|
|
8468
8468
|
error: message,
|
|
8469
8469
|
});
|
|
8470
8470
|
return null;
|
|
@@ -8659,16 +8659,7 @@ function bytesToUtf8$1(data) {
|
|
|
8659
8659
|
|
|
8660
8660
|
const DEFAULT_REFRESH_INTERVAL_MS = 86400000; // 24 hours
|
|
8661
8661
|
const MIN_REFRESH_INTERVAL_MS = 60000; // 1 minute
|
|
8662
|
-
const
|
|
8663
|
-
debug: (...args) => {
|
|
8664
|
-
if (!isProductionEnvironment()) {
|
|
8665
|
-
console.debug("[trust-bundle]", ...args);
|
|
8666
|
-
}
|
|
8667
|
-
},
|
|
8668
|
-
warn: (...args) => {
|
|
8669
|
-
console.warn("[trust-bundle]", ...args);
|
|
8670
|
-
},
|
|
8671
|
-
};
|
|
8662
|
+
const logger = getLogger$1("naylence.fame.security.cert.trust_store.http_bundle_provider");
|
|
8672
8663
|
function isTruthyFlag(value) {
|
|
8673
8664
|
if (typeof value === "boolean") {
|
|
8674
8665
|
return value;
|
|
@@ -8721,7 +8712,7 @@ class HttpBundleProvider {
|
|
|
8721
8712
|
if (!(this.allowInsecureHttp && devMode && isLoopbackHost)) {
|
|
8722
8713
|
throw new Error("Trust bundle URL must use HTTPS (set allowInsecureHttp or FAME_TRUST_BUNDLE_ALLOW_HTTP for dev-only http)");
|
|
8723
8714
|
}
|
|
8724
|
-
|
|
8715
|
+
logger.warning("allowing_insecure_trust_bundle_url", {
|
|
8725
8716
|
url: parsed.toString(),
|
|
8726
8717
|
devMode,
|
|
8727
8718
|
isLoopbackHost,
|
|
@@ -8753,7 +8744,9 @@ class HttpBundleProvider {
|
|
|
8753
8744
|
if (stale || !this.anchors) {
|
|
8754
8745
|
this.inflight = this.fetchLatest()
|
|
8755
8746
|
.catch((error) => {
|
|
8756
|
-
|
|
8747
|
+
logger.warning("trust_bundle_refresh_failed", {
|
|
8748
|
+
error: error instanceof Error ? error.message : String(error),
|
|
8749
|
+
});
|
|
8757
8750
|
if (this.anchors) {
|
|
8758
8751
|
return this.anchors;
|
|
8759
8752
|
}
|
|
@@ -8793,14 +8786,16 @@ class HttpBundleProvider {
|
|
|
8793
8786
|
const cached = await loadCache(this.cacheKey);
|
|
8794
8787
|
if (cached) {
|
|
8795
8788
|
this.applyCachedEntry(cached);
|
|
8796
|
-
|
|
8789
|
+
logger.debug("loaded_trust_bundle_from_cache", {
|
|
8797
8790
|
url: this.url.href,
|
|
8798
8791
|
anchorCount: cached.anchors.length,
|
|
8799
8792
|
});
|
|
8800
8793
|
}
|
|
8801
8794
|
}
|
|
8802
8795
|
catch (error) {
|
|
8803
|
-
|
|
8796
|
+
logger.warning("failed_to_load_cached_trust_bundle", {
|
|
8797
|
+
error: error instanceof Error ? error.message : String(error),
|
|
8798
|
+
});
|
|
8804
8799
|
}
|
|
8805
8800
|
this.initialized = true;
|
|
8806
8801
|
}
|
|
@@ -8886,7 +8881,9 @@ class HttpBundleProvider {
|
|
|
8886
8881
|
callback();
|
|
8887
8882
|
}
|
|
8888
8883
|
catch (error) {
|
|
8889
|
-
|
|
8884
|
+
logger.warning("trust_bundle_listener_failed", {
|
|
8885
|
+
error: error instanceof Error ? error.message : String(error),
|
|
8886
|
+
});
|
|
8890
8887
|
}
|
|
8891
8888
|
}
|
|
8892
8889
|
}
|
|
@@ -9133,7 +9130,9 @@ async function openIndexedDbStore() {
|
|
|
9133
9130
|
});
|
|
9134
9131
|
};
|
|
9135
9132
|
request.onerror = () => {
|
|
9136
|
-
|
|
9133
|
+
logger.warning("indexeddb_unavailable_for_trust_bundle_caching", {
|
|
9134
|
+
error: request.error ? String(request.error) : "unknown",
|
|
9135
|
+
});
|
|
9137
9136
|
resolve(null);
|
|
9138
9137
|
};
|
|
9139
9138
|
});
|