@naylence/advanced-security 0.3.7-test.120 → 0.3.7-test.121
- package/dist/browser/index.cjs +325 -326
- package/dist/browser/index.mjs +325 -326
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/cjs/version.js +2 -2
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/esm/version.js +2 -2
- package/dist/node/index.cjs +325 -326
- package/dist/node/index.mjs +325 -326
- package/dist/node/node.cjs +326 -327
- package/dist/node/node.mjs +326 -327
- package/dist/types/naylence/fame/security/cert/trust-store/http-bundle-provider.d.ts.map +1 -1
- package/dist/types/version.d.ts +1 -1
- package/package.json +1 -1
package/dist/browser/index.cjs
CHANGED
|
@@ -20,14 +20,14 @@ var x509 = require('@peculiar/x509');
|
|
|
20
20
|
var node = require('@naylence/runtime/node');
|
|
21
21
|
|
|
22
22
|
// This file is auto-generated during build - do not edit manually
|
|
23
|
-
// Generated from package.json version: 0.3.7-test.
|
|
23
|
+
// Generated from package.json version: 0.3.7-test.121
|
|
24
24
|
/**
|
|
25
25
|
* The package version, injected at build time.
|
|
26
26
|
* @internal
|
|
27
27
|
*/
|
|
28
|
-
const VERSION = '0.3.7-test.
|
|
28
|
+
const VERSION = '0.3.7-test.121';
|
|
29
29
|
|
|
30
|
-
const logger$
|
|
30
|
+
const logger$h = node.getLogger("naylence.fame.security.cert.util");
|
|
31
31
|
const CACHE_LIMIT = 512;
|
|
32
32
|
const OID_ED25519 = "1.3.101.112";
|
|
33
33
|
const textEncoder = new TextEncoder();
|
|
@@ -41,7 +41,7 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
41
41
|
const trustStorePem = normalizeTrustStoreOption(options.trustStorePem ?? null);
|
|
42
42
|
const returnCertificate = options.returnCertificate ?? false;
|
|
43
43
|
const { parsed, chainBytes } = parseCertificateChain(x5c);
|
|
44
|
-
logger$
|
|
44
|
+
logger$h.debug("public_key_from_x5c_called", {
|
|
45
45
|
call_id: callId,
|
|
46
46
|
x5c_count: parsed.length,
|
|
47
47
|
enforce_name_constraints: enforceNameConstraints,
|
|
@@ -53,13 +53,13 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
53
53
|
cacheKey = buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints);
|
|
54
54
|
const cached = getCachedPublicKey(cacheKey);
|
|
55
55
|
if (cached) {
|
|
56
|
-
logger$
|
|
56
|
+
logger$h.debug("certificate_cache_hit", {
|
|
57
57
|
call_id: callId,
|
|
58
58
|
cache_key: cacheKey,
|
|
59
59
|
});
|
|
60
60
|
return cached;
|
|
61
61
|
}
|
|
62
|
-
logger$
|
|
62
|
+
logger$h.debug("certificate_cache_miss", {
|
|
63
63
|
call_id: callId,
|
|
64
64
|
cache_key: cacheKey,
|
|
65
65
|
});
|
|
@@ -230,13 +230,13 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
230
230
|
if (trustedCerts.length === 0) {
|
|
231
231
|
throw new Error("No valid certificates found in trust store");
|
|
232
232
|
}
|
|
233
|
-
logger$
|
|
233
|
+
logger$h.debug("trust_anchor_validation_start", {
|
|
234
234
|
chain_length: chain.length,
|
|
235
235
|
trust_store_cert_count: trustedCerts.length,
|
|
236
236
|
});
|
|
237
237
|
const chainInfo = chain.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
238
238
|
const trustedInfo = trustedCerts.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
239
|
-
logger$
|
|
239
|
+
logger$h.debug("certificate_chain_validation", {
|
|
240
240
|
chain_certificates: chainInfo,
|
|
241
241
|
trust_store_certificates: trustedInfo,
|
|
242
242
|
});
|
|
@@ -246,7 +246,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
246
246
|
const match = trustedCerts.find((trusted) => trusted.serialNumber === cert.serialNumber &&
|
|
247
247
|
namesEqual(trusted.certificate.tbsCertificate.subject, cert.certificate.tbsCertificate.subject));
|
|
248
248
|
if (match) {
|
|
249
|
-
logger$
|
|
249
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
250
250
|
matching_serial: match.serialNumber,
|
|
251
251
|
validation_strategy: `direct_trust_cert_${i}`,
|
|
252
252
|
});
|
|
@@ -259,7 +259,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
259
259
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, leaf.certificate.tbsCertificate.issuer) &&
|
|
260
260
|
trusted.serialNumber !== leaf.serialNumber) {
|
|
261
261
|
verifyCertificateSignature(leaf.certificate, trusted.certificate);
|
|
262
|
-
logger$
|
|
262
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
263
263
|
matching_serial: trusted.serialNumber,
|
|
264
264
|
validation_strategy: "leaf_issuer_trust",
|
|
265
265
|
});
|
|
@@ -273,7 +273,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
273
273
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, intermediate.certificate.tbsCertificate.issuer) &&
|
|
274
274
|
trusted.serialNumber !== intermediate.serialNumber) {
|
|
275
275
|
verifyCertificateSignature(intermediate.certificate, trusted.certificate);
|
|
276
|
-
logger$
|
|
276
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
277
277
|
matching_serial: trusted.serialNumber,
|
|
278
278
|
validation_strategy: `intermediate_issuer_trust_cert_${index}`,
|
|
279
279
|
});
|
|
@@ -281,7 +281,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
281
281
|
}
|
|
282
282
|
}
|
|
283
283
|
}
|
|
284
|
-
logger$
|
|
284
|
+
logger$h.warning("certificate_chain_trust_validation_failed", {
|
|
285
285
|
leaf_subject: leaf.subjectName,
|
|
286
286
|
leaf_issuer: leaf.issuerName,
|
|
287
287
|
leaf_serial: leaf.serialNumber,
|
|
@@ -303,7 +303,7 @@ function parseTrustStore(trustStorePem) {
|
|
|
303
303
|
}
|
|
304
304
|
catch (error) {
|
|
305
305
|
const reason = error instanceof Error ? error.message : String(error);
|
|
306
|
-
logger$
|
|
306
|
+
logger$h.debug("trust_store_certificate_parse_failed", { reason });
|
|
307
307
|
}
|
|
308
308
|
}
|
|
309
309
|
return parsed;
|
|
@@ -323,12 +323,12 @@ function validateChainContinuity(chain) {
|
|
|
323
323
|
if (chain.length <= 1) {
|
|
324
324
|
return;
|
|
325
325
|
}
|
|
326
|
-
logger$
|
|
326
|
+
logger$h.debug("validating_chain_continuity", { chain_length: chain.length });
|
|
327
327
|
for (let index = 0; index < chain.length - 1; index += 1) {
|
|
328
328
|
const cert = chain[index];
|
|
329
329
|
const issuer = chain[index + 1];
|
|
330
330
|
if (!namesEqual(cert.certificate.tbsCertificate.issuer, issuer.certificate.tbsCertificate.subject)) {
|
|
331
|
-
logger$
|
|
331
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
332
332
|
cert_index: index,
|
|
333
333
|
cert_subject: cert.subjectName,
|
|
334
334
|
cert_issuer: cert.issuerName,
|
|
@@ -339,7 +339,7 @@ function validateChainContinuity(chain) {
|
|
|
339
339
|
}
|
|
340
340
|
try {
|
|
341
341
|
verifyCertificateSignature(cert.certificate, issuer.certificate);
|
|
342
|
-
logger$
|
|
342
|
+
logger$h.debug("chain_continuity_verification_success", {
|
|
343
343
|
cert_index: index,
|
|
344
344
|
cert_serial: cert.serialNumber,
|
|
345
345
|
issuer_serial: issuer.serialNumber,
|
|
@@ -347,7 +347,7 @@ function validateChainContinuity(chain) {
|
|
|
347
347
|
}
|
|
348
348
|
catch (error) {
|
|
349
349
|
const reason = error instanceof Error ? error.message : String(error);
|
|
350
|
-
logger$
|
|
350
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
351
351
|
cert_index: index,
|
|
352
352
|
cert_subject: cert.subjectName,
|
|
353
353
|
issuer_subject: issuer.subjectName,
|
|
@@ -359,7 +359,7 @@ function validateChainContinuity(chain) {
|
|
|
359
359
|
throw new Error(`Certificate chain continuity broken: certificate at index ${index} was not signed by certificate at index ${index + 1}: ${reason}`);
|
|
360
360
|
}
|
|
361
361
|
}
|
|
362
|
-
logger$
|
|
362
|
+
logger$h.debug("chain_continuity_validation_passed", {
|
|
363
363
|
chain_length: chain.length,
|
|
364
364
|
});
|
|
365
365
|
}
|
|
@@ -493,7 +493,7 @@ function getCachedPublicKey(cacheKey) {
|
|
|
493
493
|
}
|
|
494
494
|
if (Date.now() > entry.expiresAt) {
|
|
495
495
|
trustCache.delete(cacheKey);
|
|
496
|
-
logger$
|
|
496
|
+
logger$h.debug("certificate_cache_expired", { cache_key: cacheKey });
|
|
497
497
|
return null;
|
|
498
498
|
}
|
|
499
499
|
return entry.value.slice();
|
|
@@ -505,13 +505,13 @@ function setCachedPublicKey(cacheKey, value, notAfter) {
|
|
|
505
505
|
break;
|
|
506
506
|
}
|
|
507
507
|
trustCache.delete(firstKey);
|
|
508
|
-
logger$
|
|
508
|
+
logger$h.debug("certificate_cache_evicted", { cache_key: firstKey });
|
|
509
509
|
}
|
|
510
510
|
trustCache.set(cacheKey, {
|
|
511
511
|
value: value.slice(),
|
|
512
512
|
expiresAt: notAfter.getTime(),
|
|
513
513
|
});
|
|
514
|
-
logger$
|
|
514
|
+
logger$h.debug("certificate_cache_stored", {
|
|
515
515
|
cache_key: cacheKey,
|
|
516
516
|
expires_at: notAfter.toISOString(),
|
|
517
517
|
cache_size: trustCache.size,
|
|
@@ -691,7 +691,7 @@ const NODE_ID_OID = "1.3.6.1.4.1.58530.4";
|
|
|
691
691
|
* Provides async HTTP client to request certificates from the CA signing service.
|
|
692
692
|
*/
|
|
693
693
|
// Simple logger for now - TODO: integrate with runtime logging
|
|
694
|
-
const logger$
|
|
694
|
+
const logger$g = {
|
|
695
695
|
debug: (_event, _meta) => {
|
|
696
696
|
// console.log(`[DEBUG] ${event}`, meta);
|
|
697
697
|
},
|
|
@@ -1163,13 +1163,13 @@ class CAServiceClient {
|
|
|
1163
1163
|
const result = await response.json();
|
|
1164
1164
|
const certificatePem = result.certificate_pem;
|
|
1165
1165
|
const certificateChainPem = result.certificate_chain_pem || certificatePem;
|
|
1166
|
-
logger$
|
|
1166
|
+
logger$g.debug("certificate_request_successful", {
|
|
1167
1167
|
requester_id: requesterId,
|
|
1168
1168
|
expires_at: result.expires_at,
|
|
1169
1169
|
});
|
|
1170
1170
|
// Extract and log certificate information with structured logging
|
|
1171
1171
|
const certInfo = extractCertificateInfo(certificatePem);
|
|
1172
|
-
logger$
|
|
1172
|
+
logger$g.debug("certificate_details", {
|
|
1173
1173
|
requester_id: requesterId,
|
|
1174
1174
|
certificate_type: "issued_certificate",
|
|
1175
1175
|
...certInfo,
|
|
@@ -1188,7 +1188,7 @@ class CAServiceClient {
|
|
|
1188
1188
|
// First cert in chain is usually the issued certificate
|
|
1189
1189
|
if (certPemBlock.trim() !== certificatePem.trim()) {
|
|
1190
1190
|
const chainCertInfo = extractCertificateInfo(certPemBlock);
|
|
1191
|
-
logger$
|
|
1191
|
+
logger$g.debug("certificate_chain_details", {
|
|
1192
1192
|
requester_id: requesterId,
|
|
1193
1193
|
certificate_type: "certificate_chain",
|
|
1194
1194
|
chain_index: i,
|
|
@@ -1199,7 +1199,7 @@ class CAServiceClient {
|
|
|
1199
1199
|
else {
|
|
1200
1200
|
// Subsequent certs are intermediate/root CAs
|
|
1201
1201
|
const caCertInfo = extractCertificateInfo(certPemBlock);
|
|
1202
|
-
logger$
|
|
1202
|
+
logger$g.debug("certificate_chain_details", {
|
|
1203
1203
|
requester_id: requesterId,
|
|
1204
1204
|
certificate_type: "ca_certificate",
|
|
1205
1205
|
chain_index: i,
|
|
@@ -1227,7 +1227,7 @@ class CAServiceClient {
|
|
|
1227
1227
|
// Body read failed entirely
|
|
1228
1228
|
errorDetail = `HTTP ${response.status}`;
|
|
1229
1229
|
}
|
|
1230
|
-
logger$
|
|
1230
|
+
logger$g.error("certificate_request_failed", {
|
|
1231
1231
|
requester_id: requesterId,
|
|
1232
1232
|
status_code: response.status,
|
|
1233
1233
|
error: errorDetail,
|
|
@@ -1244,13 +1244,13 @@ class CAServiceClient {
|
|
|
1244
1244
|
throw error;
|
|
1245
1245
|
}
|
|
1246
1246
|
if (error instanceof Error && error.name === "AbortError") {
|
|
1247
|
-
logger$
|
|
1247
|
+
logger$g.error("certificate_request_timeout", {
|
|
1248
1248
|
requester_id: requesterId,
|
|
1249
1249
|
timeout_seconds: this.timeoutSeconds,
|
|
1250
1250
|
});
|
|
1251
1251
|
throw new CertificateRequestError(`Certificate request timed out after ${this.timeoutSeconds} seconds`);
|
|
1252
1252
|
}
|
|
1253
|
-
logger$
|
|
1253
|
+
logger$g.error("certificate_request_network_error", {
|
|
1254
1254
|
requester_id: requesterId,
|
|
1255
1255
|
error: String(error),
|
|
1256
1256
|
});
|
|
@@ -1259,7 +1259,7 @@ class CAServiceClient {
|
|
|
1259
1259
|
}
|
|
1260
1260
|
}
|
|
1261
1261
|
|
|
1262
|
-
const logger$
|
|
1262
|
+
const logger$f = runtime.getLogger("naylence.fame.security.encryption.sealed.x25519_encryption_manager");
|
|
1263
1263
|
class X25519EncryptionManager {
|
|
1264
1264
|
constructor({ keyProvider, nodeLike = null, cryptoProvider = null, }) {
|
|
1265
1265
|
this.pendingEnvelopes = new Map();
|
|
@@ -1276,7 +1276,7 @@ class X25519EncryptionManager {
|
|
|
1276
1276
|
// KeyManagementHandler will queue the envelope and send KeyRequest.
|
|
1277
1277
|
// X25519 should NOT queue here to avoid dual queueing.
|
|
1278
1278
|
if (opts?.requestAddress) {
|
|
1279
|
-
logger$
|
|
1279
|
+
logger$f.debug("key_not_found_delegating_to_key_management", {
|
|
1280
1280
|
envelope_id: envelope.id,
|
|
1281
1281
|
request_address: String(opts.requestAddress),
|
|
1282
1282
|
});
|
|
@@ -1292,7 +1292,7 @@ class X25519EncryptionManager {
|
|
|
1292
1292
|
return await this.encryptWithKey(envelope, recipPub, recipKid);
|
|
1293
1293
|
}
|
|
1294
1294
|
catch (error) {
|
|
1295
|
-
logger$
|
|
1295
|
+
logger$f.error("x25519_encryption_failed", {
|
|
1296
1296
|
error: error instanceof Error ? error.message : String(error),
|
|
1297
1297
|
});
|
|
1298
1298
|
return runtime.EncryptionResult.skipped(envelope);
|
|
@@ -1330,20 +1330,20 @@ class X25519EncryptionManager {
|
|
|
1330
1330
|
return envelope;
|
|
1331
1331
|
}
|
|
1332
1332
|
catch (error) {
|
|
1333
|
-
logger$
|
|
1333
|
+
logger$f.error("x25519_decryption_failed", {
|
|
1334
1334
|
error: error instanceof Error ? error.message : String(error),
|
|
1335
1335
|
});
|
|
1336
1336
|
return envelope;
|
|
1337
1337
|
}
|
|
1338
1338
|
}
|
|
1339
1339
|
async notifyKeyAvailable(keyId) {
|
|
1340
|
-
logger$
|
|
1340
|
+
logger$f.debug("x25519_notify_key_available_called", {
|
|
1341
1341
|
key_id: keyId,
|
|
1342
1342
|
pending_keys: Array.from(this.pendingEnvelopes.keys()),
|
|
1343
1343
|
});
|
|
1344
1344
|
const queued = this.pendingEnvelopes.get(keyId);
|
|
1345
1345
|
if (!queued || queued.length === 0) {
|
|
1346
|
-
logger$
|
|
1346
|
+
logger$f.debug("no_queued_envelopes_for_key", {
|
|
1347
1347
|
key_id: keyId,
|
|
1348
1348
|
has_queue: this.pendingEnvelopes.has(keyId),
|
|
1349
1349
|
queue_length: queued?.length ?? 0,
|
|
@@ -1355,13 +1355,13 @@ class X25519EncryptionManager {
|
|
|
1355
1355
|
this.keyRequestsInProgress.delete(keyId);
|
|
1356
1356
|
const node = this.nodeLike;
|
|
1357
1357
|
if (!node) {
|
|
1358
|
-
logger$
|
|
1358
|
+
logger$f.debug("discarding_queued_envelopes_no_node", {
|
|
1359
1359
|
key_id: keyId,
|
|
1360
1360
|
count: queued.length,
|
|
1361
1361
|
});
|
|
1362
1362
|
return;
|
|
1363
1363
|
}
|
|
1364
|
-
logger$
|
|
1364
|
+
logger$f.debug("replaying_envelopes_for_key", {
|
|
1365
1365
|
key_id: keyId,
|
|
1366
1366
|
count: queued.length,
|
|
1367
1367
|
});
|
|
@@ -1370,7 +1370,7 @@ class X25519EncryptionManager {
|
|
|
1370
1370
|
await node.deliver(envelope);
|
|
1371
1371
|
}
|
|
1372
1372
|
catch (error) {
|
|
1373
|
-
logger$
|
|
1373
|
+
logger$f.error("failed_to_replay_envelope", {
|
|
1374
1374
|
key_id: keyId,
|
|
1375
1375
|
envelope_id: envelope.id,
|
|
1376
1376
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -1471,7 +1471,7 @@ class X25519EncryptionManager {
|
|
|
1471
1471
|
? this.extractPrivateKeyFromRecord(providerRecord)
|
|
1472
1472
|
: null;
|
|
1473
1473
|
if (providerRecordKey) {
|
|
1474
|
-
logger$
|
|
1474
|
+
logger$f.debug("using_provider_key_record_private_key", {
|
|
1475
1475
|
kid,
|
|
1476
1476
|
provider_key_id: providerKeyId,
|
|
1477
1477
|
mismatched_kid: kid && providerKeyId !== kid ? kid : null,
|
|
@@ -1481,7 +1481,7 @@ class X25519EncryptionManager {
|
|
|
1481
1481
|
}
|
|
1482
1482
|
if (!providerPem) {
|
|
1483
1483
|
if (kid && providerKeyId && providerKeyId !== kid) {
|
|
1484
|
-
logger$
|
|
1484
|
+
logger$f.debug("crypto_provider_key_id_mismatch_no_private_key", {
|
|
1485
1485
|
kid,
|
|
1486
1486
|
provider_key_id: providerKeyId,
|
|
1487
1487
|
});
|
|
@@ -1493,13 +1493,13 @@ class X25519EncryptionManager {
|
|
|
1493
1493
|
return null;
|
|
1494
1494
|
}
|
|
1495
1495
|
if (!kid || providerKeyId === kid) {
|
|
1496
|
-
logger$
|
|
1496
|
+
logger$f.debug("using_crypto_provider_private_key_fallback", {
|
|
1497
1497
|
kid: kid ?? null,
|
|
1498
1498
|
provider_key_id: providerKeyId,
|
|
1499
1499
|
});
|
|
1500
1500
|
}
|
|
1501
1501
|
else {
|
|
1502
|
-
logger$
|
|
1502
|
+
logger$f.warning("crypto_provider_key_id_mismatch_using_private_key", {
|
|
1503
1503
|
kid,
|
|
1504
1504
|
provider_key_id: providerKeyId,
|
|
1505
1505
|
key_record_present: Boolean(record),
|
|
@@ -1508,7 +1508,7 @@ class X25519EncryptionManager {
|
|
|
1508
1508
|
return fallbackKey;
|
|
1509
1509
|
}
|
|
1510
1510
|
async queueEnvelopeForKey(envelope, opts, recipientKeyId) {
|
|
1511
|
-
logger$
|
|
1511
|
+
logger$f.debug("queueing_envelope_for_sealed_encryption", {
|
|
1512
1512
|
envelope_id: envelope.id,
|
|
1513
1513
|
recipient_key_id: recipientKeyId,
|
|
1514
1514
|
request_address: opts?.requestAddress
|
|
@@ -1556,7 +1556,7 @@ class X25519EncryptionManager {
|
|
|
1556
1556
|
await node.deliver(keyRequestEnvelope, context);
|
|
1557
1557
|
}
|
|
1558
1558
|
catch (error) {
|
|
1559
|
-
logger$
|
|
1559
|
+
logger$f.error("failed_to_request_recipient_key", {
|
|
1560
1560
|
recipient_key_id: recipientKeyId,
|
|
1561
1561
|
error: error instanceof Error ? error.message : String(error),
|
|
1562
1562
|
});
|
|
@@ -1569,7 +1569,7 @@ class X25519EncryptionManager {
|
|
|
1569
1569
|
return this.extractPublicKeyFromRecord(record);
|
|
1570
1570
|
}
|
|
1571
1571
|
catch (error) {
|
|
1572
|
-
logger$
|
|
1572
|
+
logger$f.debug("recipient_key_lookup_failed", {
|
|
1573
1573
|
kid,
|
|
1574
1574
|
error: error instanceof Error ? error.message : String(error),
|
|
1575
1575
|
});
|
|
@@ -1584,7 +1584,7 @@ class X25519EncryptionManager {
|
|
|
1584
1584
|
return await this.keyProvider.getKey(kid);
|
|
1585
1585
|
}
|
|
1586
1586
|
catch (error) {
|
|
1587
|
-
logger$
|
|
1587
|
+
logger$f.debug("private_key_lookup_failed", {
|
|
1588
1588
|
kid,
|
|
1589
1589
|
error: error instanceof Error ? error.message : String(error),
|
|
1590
1590
|
});
|
|
@@ -1655,7 +1655,7 @@ class X25519EncryptionManager {
|
|
|
1655
1655
|
const base64 = base64Lines.join("");
|
|
1656
1656
|
const der = this.decodeBase64Flexible(base64);
|
|
1657
1657
|
if (!der) {
|
|
1658
|
-
logger$
|
|
1658
|
+
logger$f.debug("pem_decode_failed", {
|
|
1659
1659
|
key_type: keyType,
|
|
1660
1660
|
});
|
|
1661
1661
|
return null;
|
|
@@ -1888,7 +1888,7 @@ var index$1 = /*#__PURE__*/Object.freeze({
|
|
|
1888
1888
|
X25519EncryptionManagerFactory: X25519EncryptionManagerFactory
|
|
1889
1889
|
});
|
|
1890
1890
|
|
|
1891
|
-
const logger$
|
|
1891
|
+
const logger$e = runtime.getLogger("naylence.fame.security.encryption.channel.channel_encryption_manager");
|
|
1892
1892
|
const SUPPORTED_CHANNEL_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
1893
1893
|
const CHANNEL_ENCRYPTION_ALGORITHM = "chacha20-poly1305-channel";
|
|
1894
1894
|
const HANDSHAKE_ALGORITHM = "CHACHA20P1305";
|
|
@@ -2039,13 +2039,13 @@ class ChannelEncryptionManager {
|
|
|
2039
2039
|
const destination = opts?.destination ?? envelope.to ?? null;
|
|
2040
2040
|
const destinationStr = toDestinationString(destination);
|
|
2041
2041
|
if (!destinationStr) {
|
|
2042
|
-
logger$
|
|
2042
|
+
logger$e.warning("no_destination_for_channel_encryption", {
|
|
2043
2043
|
envelope_id: envelope.id,
|
|
2044
2044
|
});
|
|
2045
2045
|
return runtime.EncryptionResult.skipped(envelope);
|
|
2046
2046
|
}
|
|
2047
2047
|
if (!this.secureChannelManager) {
|
|
2048
|
-
logger$
|
|
2048
|
+
logger$e.warning("no_secure_channel_manager_available", {
|
|
2049
2049
|
envelope_id: envelope.id,
|
|
2050
2050
|
});
|
|
2051
2051
|
return runtime.EncryptionResult.skipped(envelope);
|
|
@@ -2056,7 +2056,7 @@ class ChannelEncryptionManager {
|
|
|
2056
2056
|
return this.encryptWithChannel(envelope, existingChannelId);
|
|
2057
2057
|
}
|
|
2058
2058
|
catch (error) {
|
|
2059
|
-
logger$
|
|
2059
|
+
logger$e.error("channel_encryption_failed", {
|
|
2060
2060
|
error: error instanceof Error ? error.message : String(error),
|
|
2061
2061
|
channel_id: existingChannelId,
|
|
2062
2062
|
});
|
|
@@ -2083,35 +2083,35 @@ class ChannelEncryptionManager {
|
|
|
2083
2083
|
}
|
|
2084
2084
|
const channelId = encHeader.kid;
|
|
2085
2085
|
if (!channelId) {
|
|
2086
|
-
logger$
|
|
2086
|
+
logger$e.error("missing_channel_id_in_encryption_header", {
|
|
2087
2087
|
envelope_id: envelope.id,
|
|
2088
2088
|
});
|
|
2089
2089
|
return envelope;
|
|
2090
2090
|
}
|
|
2091
2091
|
const nonce = this.decodeNonceValue(encHeader.val ?? "");
|
|
2092
2092
|
if (!nonce) {
|
|
2093
|
-
logger$
|
|
2093
|
+
logger$e.error("invalid_nonce_in_encryption_header", {
|
|
2094
2094
|
envelope_id: envelope.id,
|
|
2095
2095
|
value_present: Boolean(encHeader.val),
|
|
2096
2096
|
});
|
|
2097
2097
|
return envelope;
|
|
2098
2098
|
}
|
|
2099
2099
|
if (!this.secureChannelManager) {
|
|
2100
|
-
logger$
|
|
2100
|
+
logger$e.warning("no_secure_channel_manager_for_decryption", {
|
|
2101
2101
|
envelope_id: envelope.id,
|
|
2102
2102
|
});
|
|
2103
2103
|
return envelope;
|
|
2104
2104
|
}
|
|
2105
2105
|
const channelState = this.getChannelState(channelId);
|
|
2106
2106
|
if (!channelState) {
|
|
2107
|
-
logger$
|
|
2107
|
+
logger$e.error("channel_not_available_for_decryption", {
|
|
2108
2108
|
channel_id: channelId,
|
|
2109
2109
|
});
|
|
2110
2110
|
return envelope;
|
|
2111
2111
|
}
|
|
2112
2112
|
const ciphertext = this.extractCiphertext(frame.payload);
|
|
2113
2113
|
if (!ciphertext) {
|
|
2114
|
-
logger$
|
|
2114
|
+
logger$e.error("invalid_ciphertext_payload", { envelope_id: envelope.id });
|
|
2115
2115
|
return envelope;
|
|
2116
2116
|
}
|
|
2117
2117
|
try {
|
|
@@ -2136,7 +2136,7 @@ class ChannelEncryptionManager {
|
|
|
2136
2136
|
return envelope;
|
|
2137
2137
|
}
|
|
2138
2138
|
catch (error) {
|
|
2139
|
-
logger$
|
|
2139
|
+
logger$e.error("channel_decryption_failed", {
|
|
2140
2140
|
channel_id: channelId,
|
|
2141
2141
|
error: error instanceof Error ? error.message : String(error),
|
|
2142
2142
|
});
|
|
@@ -2144,24 +2144,24 @@ class ChannelEncryptionManager {
|
|
|
2144
2144
|
}
|
|
2145
2145
|
}
|
|
2146
2146
|
async notifyChannelEstablished(channelId) {
|
|
2147
|
-
logger$
|
|
2147
|
+
logger$e.debug("channel_encryption_manager_notified", {
|
|
2148
2148
|
channel_id: channelId,
|
|
2149
2149
|
manager_type: "channel",
|
|
2150
2150
|
});
|
|
2151
2151
|
if (!channelId.startsWith("auto-")) {
|
|
2152
|
-
logger$
|
|
2152
|
+
logger$e.warning("unexpected_channel_id_format", { channel_id: channelId });
|
|
2153
2153
|
return;
|
|
2154
2154
|
}
|
|
2155
2155
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2156
2156
|
if (!destinationStr) {
|
|
2157
|
-
logger$
|
|
2157
|
+
logger$e.warning("cannot_parse_destination_from_channel_id", {
|
|
2158
2158
|
channel_id: channelId,
|
|
2159
2159
|
});
|
|
2160
2160
|
return;
|
|
2161
2161
|
}
|
|
2162
2162
|
this.handshakeInProgress.delete(destinationStr);
|
|
2163
2163
|
if (!this.pendingEnvelopes.has(destinationStr)) {
|
|
2164
|
-
logger$
|
|
2164
|
+
logger$e.debug("no_pending_queue_for_destination", {
|
|
2165
2165
|
destination: destinationStr,
|
|
2166
2166
|
});
|
|
2167
2167
|
return;
|
|
@@ -2169,7 +2169,7 @@ class ChannelEncryptionManager {
|
|
|
2169
2169
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2170
2170
|
this.pendingEnvelopes.delete(destinationStr);
|
|
2171
2171
|
if (!this.secureChannelManager) {
|
|
2172
|
-
logger$
|
|
2172
|
+
logger$e.error("no_secure_channel_manager_for_queue_drain", {
|
|
2173
2173
|
channel_id: channelId,
|
|
2174
2174
|
});
|
|
2175
2175
|
return;
|
|
@@ -2178,7 +2178,7 @@ class ChannelEncryptionManager {
|
|
|
2178
2178
|
try {
|
|
2179
2179
|
const result = this.encryptWithChannel(envelope, channelId);
|
|
2180
2180
|
if (!result.envelope) {
|
|
2181
|
-
logger$
|
|
2181
|
+
logger$e.warning("failed_to_encrypt_queued_envelope", {
|
|
2182
2182
|
envelope_id: envelope.id,
|
|
2183
2183
|
channel_id: channelId,
|
|
2184
2184
|
});
|
|
@@ -2188,7 +2188,7 @@ class ChannelEncryptionManager {
|
|
|
2188
2188
|
this.runAsyncTask(() => this.deliverEnvelope(encryptedEnvelope), `deliver-queued-${envelope.id}`);
|
|
2189
2189
|
}
|
|
2190
2190
|
catch (error) {
|
|
2191
|
-
logger$
|
|
2191
|
+
logger$e.error("failed_to_encrypt_queued_envelope", {
|
|
2192
2192
|
envelope_id: envelope.id,
|
|
2193
2193
|
error: error instanceof Error ? error.message : String(error),
|
|
2194
2194
|
});
|
|
@@ -2196,19 +2196,19 @@ class ChannelEncryptionManager {
|
|
|
2196
2196
|
}
|
|
2197
2197
|
}
|
|
2198
2198
|
async notifyChannelFailed(channelId, reason = "handshake_failed") {
|
|
2199
|
-
logger$
|
|
2199
|
+
logger$e.debug("channel_encryption_manager_notified_failure", {
|
|
2200
2200
|
channel_id: channelId,
|
|
2201
2201
|
reason,
|
|
2202
2202
|
});
|
|
2203
2203
|
if (!channelId.startsWith("auto-")) {
|
|
2204
|
-
logger$
|
|
2204
|
+
logger$e.warning("unexpected_channel_id_format_on_failure", {
|
|
2205
2205
|
channel_id: channelId,
|
|
2206
2206
|
});
|
|
2207
2207
|
return;
|
|
2208
2208
|
}
|
|
2209
2209
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2210
2210
|
if (!destinationStr) {
|
|
2211
|
-
logger$
|
|
2211
|
+
logger$e.warning("cannot_parse_destination_from_channel_id_on_failure", {
|
|
2212
2212
|
channel_id: channelId,
|
|
2213
2213
|
});
|
|
2214
2214
|
return;
|
|
@@ -2218,14 +2218,14 @@ class ChannelEncryptionManager {
|
|
|
2218
2218
|
const cachedChannelId = this.addrChannelMap.get(destinationStr);
|
|
2219
2219
|
if (cachedChannelId === channelId) {
|
|
2220
2220
|
this.addrChannelMap.delete(destinationStr);
|
|
2221
|
-
logger$
|
|
2221
|
+
logger$e.debug("cleared_channel_cache_for_failed_channel", {
|
|
2222
2222
|
destination: destinationStr,
|
|
2223
2223
|
channel_id: channelId,
|
|
2224
2224
|
});
|
|
2225
2225
|
}
|
|
2226
2226
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr);
|
|
2227
2227
|
if (!queuedEnvelopes || queuedEnvelopes.length === 0) {
|
|
2228
|
-
logger$
|
|
2228
|
+
logger$e.debug("no_pending_queue_for_failed_destination", {
|
|
2229
2229
|
destination: destinationStr,
|
|
2230
2230
|
});
|
|
2231
2231
|
return;
|
|
@@ -2244,7 +2244,7 @@ class ChannelEncryptionManager {
|
|
|
2244
2244
|
const cached = this.addrChannelMap.get(destination);
|
|
2245
2245
|
if (cached) {
|
|
2246
2246
|
this.addrChannelMap.delete(destination);
|
|
2247
|
-
logger$
|
|
2247
|
+
logger$e.debug("cleared_channel_cache_for_destination", {
|
|
2248
2248
|
destination,
|
|
2249
2249
|
cached_channel_id: cached,
|
|
2250
2250
|
});
|
|
@@ -2262,14 +2262,14 @@ class ChannelEncryptionManager {
|
|
|
2262
2262
|
}
|
|
2263
2263
|
const cached = this.addrChannelMap.get(destination);
|
|
2264
2264
|
if (cached && this.getChannelState(cached)) {
|
|
2265
|
-
logger$
|
|
2265
|
+
logger$e.debug("using_cached_channel", { destination, channel_id: cached });
|
|
2266
2266
|
return cached;
|
|
2267
2267
|
}
|
|
2268
2268
|
const channels = this.secureChannelManager.channels;
|
|
2269
2269
|
for (const channelId of Object.keys(channels)) {
|
|
2270
2270
|
if (channelId.startsWith(`auto-${destination}-`)) {
|
|
2271
2271
|
this.addrChannelMap.set(destination, channelId);
|
|
2272
|
-
logger$
|
|
2272
|
+
logger$e.debug("using_existing_channel", {
|
|
2273
2273
|
destination,
|
|
2274
2274
|
channel_id: channelId,
|
|
2275
2275
|
});
|
|
@@ -2282,12 +2282,12 @@ class ChannelEncryptionManager {
|
|
|
2282
2282
|
const queue = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2283
2283
|
queue.push(envelope);
|
|
2284
2284
|
this.pendingEnvelopes.set(destinationStr, queue);
|
|
2285
|
-
logger$
|
|
2285
|
+
logger$e.debug("queued_envelope_for_channel_handshake", {
|
|
2286
2286
|
envelope_id: envelope.id,
|
|
2287
2287
|
destination: destinationStr,
|
|
2288
2288
|
});
|
|
2289
2289
|
if (this.handshakeInProgress.has(destinationStr)) {
|
|
2290
|
-
logger$
|
|
2290
|
+
logger$e.debug("handshake_already_in_progress", {
|
|
2291
2291
|
destination: destinationStr,
|
|
2292
2292
|
});
|
|
2293
2293
|
return;
|
|
@@ -2305,7 +2305,7 @@ class ChannelEncryptionManager {
|
|
|
2305
2305
|
}
|
|
2306
2306
|
async initiateChannelHandshakeAsync(destination, destinationStr, opts) {
|
|
2307
2307
|
if (!this.secureChannelManager) {
|
|
2308
|
-
logger$
|
|
2308
|
+
logger$e.error("no_secure_channel_manager_for_async_handshake_initiation");
|
|
2309
2309
|
return;
|
|
2310
2310
|
}
|
|
2311
2311
|
const channelId = this.generateChannelId(destinationStr);
|
|
@@ -2313,19 +2313,19 @@ class ChannelEncryptionManager {
|
|
|
2313
2313
|
const openFrame = this.secureChannelManager.generateOpenFrame(channelId, HANDSHAKE_ALGORITHM);
|
|
2314
2314
|
const success = await this.sendSecureOpenFrameAsync(openFrame, destination);
|
|
2315
2315
|
if (success) {
|
|
2316
|
-
logger$
|
|
2316
|
+
logger$e.debug("sent_secure_open_frame_async", {
|
|
2317
2317
|
channel_id: channelId,
|
|
2318
2318
|
destination: destinationStr,
|
|
2319
2319
|
});
|
|
2320
2320
|
}
|
|
2321
2321
|
else {
|
|
2322
|
-
logger$
|
|
2322
|
+
logger$e.warning("failed_to_send_secure_open_frame_async", {
|
|
2323
2323
|
channel_id: channelId,
|
|
2324
2324
|
});
|
|
2325
2325
|
}
|
|
2326
2326
|
}
|
|
2327
2327
|
catch (error) {
|
|
2328
|
-
logger$
|
|
2328
|
+
logger$e.error("async_channel_handshake_initiation_failed", {
|
|
2329
2329
|
destination: destinationStr,
|
|
2330
2330
|
error: error instanceof Error ? error.message : String(error),
|
|
2331
2331
|
});
|
|
@@ -2334,22 +2334,22 @@ class ChannelEncryptionManager {
|
|
|
2334
2334
|
async sendSecureOpenFrameAsync(openFrame, destination) {
|
|
2335
2335
|
const node = this.nodeLike;
|
|
2336
2336
|
if (!node) {
|
|
2337
|
-
logger$
|
|
2337
|
+
logger$e.error("no_node_available_for_sending_secure_open_async");
|
|
2338
2338
|
return false;
|
|
2339
2339
|
}
|
|
2340
2340
|
const envelopeFactory = node.envelopeFactory;
|
|
2341
2341
|
if (!envelopeFactory) {
|
|
2342
|
-
logger$
|
|
2342
|
+
logger$e.error("no_envelope_factory_available_for_secure_open_async");
|
|
2343
2343
|
return false;
|
|
2344
2344
|
}
|
|
2345
2345
|
const replyTo = this.buildSystemReplyTo();
|
|
2346
2346
|
if (!replyTo) {
|
|
2347
|
-
logger$
|
|
2347
|
+
logger$e.error("no_physical_path_available_for_reply_to_async");
|
|
2348
2348
|
return false;
|
|
2349
2349
|
}
|
|
2350
2350
|
const toAddress = toFameAddress(destination);
|
|
2351
2351
|
if (!toAddress) {
|
|
2352
|
-
logger$
|
|
2352
|
+
logger$e.error("invalid_destination_for_secure_open", {
|
|
2353
2353
|
destination: String(destination),
|
|
2354
2354
|
});
|
|
2355
2355
|
return false;
|
|
@@ -2361,7 +2361,7 @@ class ChannelEncryptionManager {
|
|
|
2361
2361
|
corrId: core.generateId(),
|
|
2362
2362
|
});
|
|
2363
2363
|
await this.deliverEnvelope(envelope);
|
|
2364
|
-
logger$
|
|
2364
|
+
logger$e.debug("delivered_secure_open_frame_async", {
|
|
2365
2365
|
channel_id: openFrame.cid,
|
|
2366
2366
|
});
|
|
2367
2367
|
return true;
|
|
@@ -2369,7 +2369,7 @@ class ChannelEncryptionManager {
|
|
|
2369
2369
|
async deliverEnvelope(envelope) {
|
|
2370
2370
|
const node = this.nodeLike;
|
|
2371
2371
|
if (!node) {
|
|
2372
|
-
logger$
|
|
2372
|
+
logger$e.error("no_node_available_for_delivery", {
|
|
2373
2373
|
envelope_id: envelope.id,
|
|
2374
2374
|
});
|
|
2375
2375
|
return;
|
|
@@ -2379,19 +2379,19 @@ class ChannelEncryptionManager {
|
|
|
2379
2379
|
}
|
|
2380
2380
|
encryptWithChannel(envelope, channelId) {
|
|
2381
2381
|
if (!this.secureChannelManager) {
|
|
2382
|
-
logger$
|
|
2382
|
+
logger$e.error("no_secure_channel_manager_for_encryption");
|
|
2383
2383
|
return runtime.EncryptionResult.skipped(envelope);
|
|
2384
2384
|
}
|
|
2385
2385
|
const frame = envelope.frame;
|
|
2386
2386
|
if (!this.isDataFrame(frame)) {
|
|
2387
|
-
logger$
|
|
2387
|
+
logger$e.error("attempted_to_encrypt_non_dataframe", {
|
|
2388
2388
|
frame_type: frame.type ?? typeof frame,
|
|
2389
2389
|
});
|
|
2390
2390
|
return runtime.EncryptionResult.skipped(envelope);
|
|
2391
2391
|
}
|
|
2392
2392
|
const channelState = this.getChannelState(channelId);
|
|
2393
2393
|
if (!channelState) {
|
|
2394
|
-
logger$
|
|
2394
|
+
logger$e.error("channel_not_in_channels", { channel_id: channelId });
|
|
2395
2395
|
return runtime.EncryptionResult.skipped(envelope);
|
|
2396
2396
|
}
|
|
2397
2397
|
const payloadBytes = this.serializePayload(frame.payload);
|
|
@@ -2450,7 +2450,7 @@ class ChannelEncryptionManager {
|
|
|
2450
2450
|
return decodeBase64$1(payload);
|
|
2451
2451
|
}
|
|
2452
2452
|
catch (error) {
|
|
2453
|
-
logger$
|
|
2453
|
+
logger$e.error("failed_to_decode_base64_ciphertext", {
|
|
2454
2454
|
error: error instanceof Error ? error.message : String(error),
|
|
2455
2455
|
});
|
|
2456
2456
|
return null;
|
|
@@ -2480,7 +2480,7 @@ class ChannelEncryptionManager {
|
|
|
2480
2480
|
return parts.slice(1, -1).join("-");
|
|
2481
2481
|
}
|
|
2482
2482
|
async handleFailedEnvelope(envelope, destinationStr, channelId, reason) {
|
|
2483
|
-
logger$
|
|
2483
|
+
logger$e.warning("envelope_failed_due_to_channel_handshake_failure", {
|
|
2484
2484
|
envelope_id: envelope.id,
|
|
2485
2485
|
destination: destinationStr,
|
|
2486
2486
|
channel_id: channelId,
|
|
@@ -2488,14 +2488,14 @@ class ChannelEncryptionManager {
|
|
|
2488
2488
|
});
|
|
2489
2489
|
const frame = envelope.frame;
|
|
2490
2490
|
if (!this.isDataFrame(frame)) {
|
|
2491
|
-
logger$
|
|
2491
|
+
logger$e.debug("skipping_nack_for_non_dataframe", {
|
|
2492
2492
|
envelope_id: envelope.id,
|
|
2493
2493
|
frame_type: frame.type ?? typeof frame,
|
|
2494
2494
|
});
|
|
2495
2495
|
return;
|
|
2496
2496
|
}
|
|
2497
2497
|
if (!envelope.replyTo) {
|
|
2498
|
-
logger$
|
|
2498
|
+
logger$e.debug("skipping_nack_no_reply_to", { envelope_id: envelope.id });
|
|
2499
2499
|
return;
|
|
2500
2500
|
}
|
|
2501
2501
|
await this.sendDeliveryNack(envelope, `channel_handshake_failed: ${reason}`);
|
|
@@ -2503,17 +2503,17 @@ class ChannelEncryptionManager {
|
|
|
2503
2503
|
async sendDeliveryNack(envelope, failureReason) {
|
|
2504
2504
|
const node = this.nodeLike;
|
|
2505
2505
|
if (!node) {
|
|
2506
|
-
logger$
|
|
2506
|
+
logger$e.error("no_node_available_for_sending_delivery_nack");
|
|
2507
2507
|
return;
|
|
2508
2508
|
}
|
|
2509
2509
|
const envelopeFactory = node.envelopeFactory;
|
|
2510
2510
|
if (!envelopeFactory) {
|
|
2511
|
-
logger$
|
|
2511
|
+
logger$e.error("no_envelope_factory_available_for_delivery_nack");
|
|
2512
2512
|
return;
|
|
2513
2513
|
}
|
|
2514
2514
|
const replyTo = toFameAddress(envelope.replyTo ?? null);
|
|
2515
2515
|
if (!replyTo) {
|
|
2516
|
-
logger$
|
|
2516
|
+
logger$e.error("invalid_reply_to_for_delivery_nack", {
|
|
2517
2517
|
reply_to: envelope.replyTo,
|
|
2518
2518
|
});
|
|
2519
2519
|
return;
|
|
@@ -2530,7 +2530,7 @@ class ChannelEncryptionManager {
|
|
|
2530
2530
|
corrId: envelope.corrId ?? core.generateId(),
|
|
2531
2531
|
});
|
|
2532
2532
|
await this.deliverEnvelope(nackEnvelope);
|
|
2533
|
-
logger$
|
|
2533
|
+
logger$e.debug("delivered_delivery_nack", {
|
|
2534
2534
|
original_envelope_id: envelope.id,
|
|
2535
2535
|
nack_envelope_id: nackEnvelope.id,
|
|
2536
2536
|
});
|
|
@@ -2568,7 +2568,7 @@ class ChannelEncryptionManager {
|
|
|
2568
2568
|
await task();
|
|
2569
2569
|
}
|
|
2570
2570
|
catch (error) {
|
|
2571
|
-
logger$
|
|
2571
|
+
logger$e.error("async_task_failed", {
|
|
2572
2572
|
task_name: name,
|
|
2573
2573
|
error: error instanceof Error ? error.message : String(error),
|
|
2574
2574
|
});
|
|
@@ -2622,7 +2622,7 @@ class ChannelEncryptionManager {
|
|
|
2622
2622
|
}
|
|
2623
2623
|
}
|
|
2624
2624
|
|
|
2625
|
-
const logger$
|
|
2625
|
+
const logger$d = runtime.getLogger("naylence.fame.security.encryption.channel.channel_encryption_manager_factory");
|
|
2626
2626
|
const DEFAULT_SUPPORTED_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
2627
2627
|
const FACTORY_META$c = {
|
|
2628
2628
|
base: runtime.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE,
|
|
@@ -2654,7 +2654,7 @@ class ChannelEncryptionManagerFactory extends runtime.EncryptionManagerFactory {
|
|
|
2654
2654
|
async create(_config, ...factoryArgs) {
|
|
2655
2655
|
const [dependencies] = factoryArgs;
|
|
2656
2656
|
const resolvedDependencies = this.resolveDependencies(dependencies);
|
|
2657
|
-
logger$
|
|
2657
|
+
logger$d.debug("creating_channel_encryption_manager", {
|
|
2658
2658
|
has_secure_channel_manager: Boolean(resolvedDependencies.secureChannelManager),
|
|
2659
2659
|
has_node_like: Boolean(resolvedDependencies.nodeLike),
|
|
2660
2660
|
has_task_spawner: Boolean(resolvedDependencies.taskSpawner),
|
|
@@ -2716,7 +2716,7 @@ var index = /*#__PURE__*/Object.freeze({
|
|
|
2716
2716
|
ChannelEncryptionManagerFactory: ChannelEncryptionManagerFactory
|
|
2717
2717
|
});
|
|
2718
2718
|
|
|
2719
|
-
const logger$
|
|
2719
|
+
const logger$c = runtime.getLogger("naylence.fame.security.encryption.default_secure_channel_manager");
|
|
2720
2720
|
const DEFAULT_ALGORITHM = "CHACHA20P1305";
|
|
2721
2721
|
const CHANNEL_KEY_LENGTH = 32;
|
|
2722
2722
|
const NONCE_PREFIX_LENGTH = 4;
|
|
@@ -2763,7 +2763,7 @@ class DefaultSecureChannelManager {
|
|
|
2763
2763
|
const privateKey = ed25519_js.x25519.utils.randomSecretKey();
|
|
2764
2764
|
const publicKey = ed25519_js.x25519.scalarMultBase(privateKey);
|
|
2765
2765
|
this.ephemeralKeys.set(channelId, privateKey);
|
|
2766
|
-
logger$
|
|
2766
|
+
logger$c.debug("generated_channel_open", { cid: channelId, algorithm });
|
|
2767
2767
|
return {
|
|
2768
2768
|
type: "SecureOpen",
|
|
2769
2769
|
cid: channelId,
|
|
@@ -2776,7 +2776,7 @@ class DefaultSecureChannelManager {
|
|
|
2776
2776
|
runtime.requireCryptoSupport();
|
|
2777
2777
|
const algorithm = frame.alg || DEFAULT_ALGORITHM;
|
|
2778
2778
|
if (!this.isSupportedAlgorithm(algorithm)) {
|
|
2779
|
-
logger$
|
|
2779
|
+
logger$c.warning("unsupported_channel_algorithm", {
|
|
2780
2780
|
cid: frame.cid,
|
|
2781
2781
|
alg: algorithm,
|
|
2782
2782
|
});
|
|
@@ -2794,7 +2794,7 @@ class DefaultSecureChannelManager {
|
|
|
2794
2794
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2795
2795
|
}
|
|
2796
2796
|
catch (error) {
|
|
2797
|
-
logger$
|
|
2797
|
+
logger$c.warning("invalid_peer_public_key", {
|
|
2798
2798
|
cid: frame.cid,
|
|
2799
2799
|
error: error instanceof Error ? error.message : String(error),
|
|
2800
2800
|
});
|
|
@@ -2816,7 +2816,7 @@ class DefaultSecureChannelManager {
|
|
|
2816
2816
|
algorithm,
|
|
2817
2817
|
});
|
|
2818
2818
|
this.channelsMap.set(frame.cid, channelState);
|
|
2819
|
-
logger$
|
|
2819
|
+
logger$c.debug("channel_established", { cid: frame.cid, algorithm });
|
|
2820
2820
|
myPrivateKey.fill(0);
|
|
2821
2821
|
sharedSecret.fill(0);
|
|
2822
2822
|
return {
|
|
@@ -2830,7 +2830,7 @@ class DefaultSecureChannelManager {
|
|
|
2830
2830
|
async handleAcceptFrame(frame) {
|
|
2831
2831
|
runtime.requireCryptoSupport();
|
|
2832
2832
|
if (frame.ok === false) {
|
|
2833
|
-
logger$
|
|
2833
|
+
logger$c.warning("channel_rejected", {
|
|
2834
2834
|
cid: frame.cid,
|
|
2835
2835
|
error: frame.reason,
|
|
2836
2836
|
});
|
|
@@ -2839,7 +2839,7 @@ class DefaultSecureChannelManager {
|
|
|
2839
2839
|
}
|
|
2840
2840
|
const privateKey = this.ephemeralKeys.get(frame.cid);
|
|
2841
2841
|
if (!privateKey) {
|
|
2842
|
-
logger$
|
|
2842
|
+
logger$c.error("no_ephemeral_key", { cid: frame.cid });
|
|
2843
2843
|
return false;
|
|
2844
2844
|
}
|
|
2845
2845
|
let peerPublicKey;
|
|
@@ -2847,7 +2847,7 @@ class DefaultSecureChannelManager {
|
|
|
2847
2847
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2848
2848
|
}
|
|
2849
2849
|
catch (error) {
|
|
2850
|
-
logger$
|
|
2850
|
+
logger$c.warning("invalid_accept_public_key", {
|
|
2851
2851
|
cid: frame.cid,
|
|
2852
2852
|
error: error instanceof Error ? error.message : String(error),
|
|
2853
2853
|
});
|
|
@@ -2862,17 +2862,17 @@ class DefaultSecureChannelManager {
|
|
|
2862
2862
|
algorithm,
|
|
2863
2863
|
});
|
|
2864
2864
|
this.channelsMap.set(frame.cid, channelState);
|
|
2865
|
-
logger$
|
|
2865
|
+
logger$c.debug("channel_completed", { cid: frame.cid, algorithm });
|
|
2866
2866
|
sharedSecret.fill(0);
|
|
2867
2867
|
this.cleanupEphemeralKey(frame.cid);
|
|
2868
2868
|
return true;
|
|
2869
2869
|
}
|
|
2870
2870
|
handleCloseFrame(frame) {
|
|
2871
2871
|
if (this.channelsMap.delete(frame.cid)) {
|
|
2872
|
-
logger$
|
|
2872
|
+
logger$c.debug("channel_closed", { cid: frame.cid, reason: frame.reason });
|
|
2873
2873
|
}
|
|
2874
2874
|
else {
|
|
2875
|
-
logger$
|
|
2875
|
+
logger$c.warning("close_unknown_channel", { cid: frame.cid });
|
|
2876
2876
|
}
|
|
2877
2877
|
this.cleanupEphemeralKey(frame.cid);
|
|
2878
2878
|
}
|
|
@@ -2899,7 +2899,7 @@ class DefaultSecureChannelManager {
|
|
|
2899
2899
|
}
|
|
2900
2900
|
closeChannel(channelId, reason = "User requested") {
|
|
2901
2901
|
if (this.channelsMap.delete(channelId)) {
|
|
2902
|
-
logger$
|
|
2902
|
+
logger$c.debug("channel_closed_by_user", { cid: channelId, reason });
|
|
2903
2903
|
}
|
|
2904
2904
|
this.cleanupEphemeralKey(channelId);
|
|
2905
2905
|
return {
|
|
@@ -2916,7 +2916,7 @@ class DefaultSecureChannelManager {
|
|
|
2916
2916
|
this.channelsMap.delete(channelId);
|
|
2917
2917
|
this.cleanupEphemeralKey(channelId);
|
|
2918
2918
|
removed += 1;
|
|
2919
|
-
logger$
|
|
2919
|
+
logger$c.debug("channel_expired_cleanup", { cid: channelId });
|
|
2920
2920
|
}
|
|
2921
2921
|
}
|
|
2922
2922
|
return removed;
|
|
@@ -2945,7 +2945,7 @@ class DefaultSecureChannelManager {
|
|
|
2945
2945
|
if (channelId.startsWith(prefix)) {
|
|
2946
2946
|
if (this.removeChannel(channelId)) {
|
|
2947
2947
|
removed += 1;
|
|
2948
|
-
logger$
|
|
2948
|
+
logger$c.debug("removed_channel_for_destination", {
|
|
2949
2949
|
channel_id: channelId,
|
|
2950
2950
|
destination,
|
|
2951
2951
|
});
|
|
@@ -2953,7 +2953,7 @@ class DefaultSecureChannelManager {
|
|
|
2953
2953
|
}
|
|
2954
2954
|
}
|
|
2955
2955
|
if (removed > 0) {
|
|
2956
|
-
logger$
|
|
2956
|
+
logger$c.info("cleanup_channels_for_destination", {
|
|
2957
2957
|
destination,
|
|
2958
2958
|
channels_removed: removed,
|
|
2959
2959
|
});
|
|
@@ -3046,7 +3046,7 @@ var defaultSecureChannelManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
3046
3046
|
default: DefaultSecureChannelManagerFactory
|
|
3047
3047
|
});
|
|
3048
3048
|
|
|
3049
|
-
const logger$
|
|
3049
|
+
const logger$b = runtime.getLogger("naylence.fame.security.encryption.encryption_manager_registry");
|
|
3050
3050
|
class EncryptionManagerFactoryRegistry {
|
|
3051
3051
|
constructor(autoDiscover = true) {
|
|
3052
3052
|
this.factories = [];
|
|
@@ -3068,7 +3068,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3068
3068
|
let registeredCount = 0;
|
|
3069
3069
|
for (const [factoryName, info] of extensionInfos) {
|
|
3070
3070
|
if (factoryName === "CompositeEncryptionManager") {
|
|
3071
|
-
logger$
|
|
3071
|
+
logger$b.debug("skipping_composite_factory_to_avoid_circular_dependency", {
|
|
3072
3072
|
factory_name: factoryName,
|
|
3073
3073
|
});
|
|
3074
3074
|
continue;
|
|
@@ -3078,7 +3078,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3078
3078
|
factory.ExtensionManager.getGlobalFactory(runtime.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, factoryName));
|
|
3079
3079
|
this.registerFactory(factoryInstance, { autoDiscovered: true });
|
|
3080
3080
|
registeredCount += 1;
|
|
3081
|
-
logger$
|
|
3081
|
+
logger$b.debug("auto_discovered_factory", {
|
|
3082
3082
|
factory_name: factoryName,
|
|
3083
3083
|
factory_class: factoryInstance.constructor.name,
|
|
3084
3084
|
algorithms: factoryInstance.getSupportedAlgorithms(),
|
|
@@ -3087,21 +3087,21 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3087
3087
|
});
|
|
3088
3088
|
}
|
|
3089
3089
|
catch (error) {
|
|
3090
|
-
logger$
|
|
3090
|
+
logger$b.warning("failed_to_auto_register_factory", {
|
|
3091
3091
|
factory_name: factoryName,
|
|
3092
3092
|
error: error instanceof Error ? error.message : String(error),
|
|
3093
3093
|
});
|
|
3094
3094
|
}
|
|
3095
3095
|
}
|
|
3096
3096
|
this.autoDiscovered = true;
|
|
3097
|
-
logger$
|
|
3097
|
+
logger$b.debug("completed_auto_discovery", {
|
|
3098
3098
|
registered_factories: registeredCount,
|
|
3099
3099
|
total_discovered: extensionInfos.size,
|
|
3100
3100
|
skipped_composite: true,
|
|
3101
3101
|
});
|
|
3102
3102
|
}
|
|
3103
3103
|
catch (error) {
|
|
3104
|
-
logger$
|
|
3104
|
+
logger$b.warning("failed_auto_discovery_of_factories", {
|
|
3105
3105
|
error: error instanceof Error ? error.message : String(error),
|
|
3106
3106
|
});
|
|
3107
3107
|
}
|
|
@@ -3119,7 +3119,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3119
3119
|
const existing = this.algorithmToFactory.get(algorithm);
|
|
3120
3120
|
if (!existing || factory.getPriority() > existing.getPriority()) {
|
|
3121
3121
|
this.algorithmToFactory.set(algorithm, factory);
|
|
3122
|
-
logger$
|
|
3122
|
+
logger$b.debug("registered_algorithm_mapping", {
|
|
3123
3123
|
algorithm,
|
|
3124
3124
|
factory: factory.constructor.name,
|
|
3125
3125
|
priority: factory.getPriority(),
|
|
@@ -3131,7 +3131,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3131
3131
|
typeFactories.push(factory);
|
|
3132
3132
|
typeFactories.sort((a, b) => b.getPriority() - a.getPriority());
|
|
3133
3133
|
this.typeToFactories.set(encryptionType, typeFactories);
|
|
3134
|
-
logger$
|
|
3134
|
+
logger$b.debug("registered_encryption_manager_factory", {
|
|
3135
3135
|
factory: factory.constructor.name,
|
|
3136
3136
|
encryption_type: encryptionType,
|
|
3137
3137
|
algorithms: factory.getSupportedAlgorithms(),
|
|
@@ -3147,14 +3147,14 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3147
3147
|
this.ensureAutoDiscovery();
|
|
3148
3148
|
for (const factory of this.factories) {
|
|
3149
3149
|
if (factory.supportsOptions(opts ?? undefined)) {
|
|
3150
|
-
logger$
|
|
3150
|
+
logger$b.debug("found_factory_for_options", {
|
|
3151
3151
|
factory: factory.constructor.name,
|
|
3152
3152
|
encryption_type: factory.getEncryptionType(),
|
|
3153
3153
|
});
|
|
3154
3154
|
return factory;
|
|
3155
3155
|
}
|
|
3156
3156
|
}
|
|
3157
|
-
logger$
|
|
3157
|
+
logger$b.debug("no_factory_found_for_options", { opts });
|
|
3158
3158
|
return undefined;
|
|
3159
3159
|
}
|
|
3160
3160
|
getFactoriesByType(encryptionType) {
|
|
@@ -3207,7 +3207,7 @@ function getEncryptionManagerFactoryRegistry() {
|
|
|
3207
3207
|
return globalRegistry;
|
|
3208
3208
|
}
|
|
3209
3209
|
|
|
3210
|
-
const logger$
|
|
3210
|
+
const logger$a = runtime.getLogger("naylence.fame.security.encryption.composite_encryption_manager");
|
|
3211
3211
|
const DEFAULT_SEALED_ALGORITHMS = [
|
|
3212
3212
|
"X25519",
|
|
3213
3213
|
"ECDH-ES+A256GCM",
|
|
@@ -3246,7 +3246,7 @@ class CompositeEncryptionManager {
|
|
|
3246
3246
|
return await manager.encryptEnvelope(envelope, opts);
|
|
3247
3247
|
}
|
|
3248
3248
|
catch (error) {
|
|
3249
|
-
logger$
|
|
3249
|
+
logger$a.error("composite_encrypt_failed", {
|
|
3250
3250
|
error: error instanceof Error ? error.message : String(error),
|
|
3251
3251
|
});
|
|
3252
3252
|
return runtime.EncryptionResult.skipped(envelope);
|
|
@@ -3265,7 +3265,7 @@ class CompositeEncryptionManager {
|
|
|
3265
3265
|
return await manager.decryptEnvelope(envelope, opts);
|
|
3266
3266
|
}
|
|
3267
3267
|
catch (error) {
|
|
3268
|
-
logger$
|
|
3268
|
+
logger$a.error("composite_decrypt_failed", {
|
|
3269
3269
|
algorithm,
|
|
3270
3270
|
error: error instanceof Error ? error.message : String(error),
|
|
3271
3271
|
});
|
|
@@ -3277,14 +3277,14 @@ class CompositeEncryptionManager {
|
|
|
3277
3277
|
if (factories.length === 0) {
|
|
3278
3278
|
return;
|
|
3279
3279
|
}
|
|
3280
|
-
logger$
|
|
3280
|
+
logger$a.debug("composite_notify_channel_established", {
|
|
3281
3281
|
channel_id: channelId,
|
|
3282
3282
|
});
|
|
3283
3283
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3284
3284
|
const channelAware = manager;
|
|
3285
3285
|
if (typeof channelAware.notifyChannelEstablished === "function") {
|
|
3286
3286
|
await channelAware.notifyChannelEstablished(channelId);
|
|
3287
|
-
logger$
|
|
3287
|
+
logger$a.debug("composite_channel_established_notified", {
|
|
3288
3288
|
factory: factoryKey,
|
|
3289
3289
|
channel_id: channelId,
|
|
3290
3290
|
});
|
|
@@ -3296,7 +3296,7 @@ class CompositeEncryptionManager {
|
|
|
3296
3296
|
if (factories.length === 0) {
|
|
3297
3297
|
return;
|
|
3298
3298
|
}
|
|
3299
|
-
logger$
|
|
3299
|
+
logger$a.debug("composite_notify_channel_failed", {
|
|
3300
3300
|
channel_id: channelId,
|
|
3301
3301
|
reason,
|
|
3302
3302
|
});
|
|
@@ -3304,7 +3304,7 @@ class CompositeEncryptionManager {
|
|
|
3304
3304
|
const channelAware = manager;
|
|
3305
3305
|
if (typeof channelAware.notifyChannelFailed === "function") {
|
|
3306
3306
|
await channelAware.notifyChannelFailed(channelId, reason);
|
|
3307
|
-
logger$
|
|
3307
|
+
logger$a.debug("composite_channel_failed_notified", {
|
|
3308
3308
|
factory: factoryKey,
|
|
3309
3309
|
channel_id: channelId,
|
|
3310
3310
|
reason,
|
|
@@ -3317,12 +3317,12 @@ class CompositeEncryptionManager {
|
|
|
3317
3317
|
if (factories.length === 0) {
|
|
3318
3318
|
return;
|
|
3319
3319
|
}
|
|
3320
|
-
logger$
|
|
3320
|
+
logger$a.debug("composite_notify_key_available", { key_id: keyId });
|
|
3321
3321
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3322
3322
|
const sealedAware = manager;
|
|
3323
3323
|
if (typeof sealedAware.notifyKeyAvailable === "function") {
|
|
3324
3324
|
await sealedAware.notifyKeyAvailable(keyId);
|
|
3325
|
-
logger$
|
|
3325
|
+
logger$a.debug("composite_key_available_notified", {
|
|
3326
3326
|
factory: factoryKey,
|
|
3327
3327
|
key_id: keyId,
|
|
3328
3328
|
});
|
|
@@ -3363,7 +3363,7 @@ class CompositeEncryptionManager {
|
|
|
3363
3363
|
async getManagerForOptions(opts) {
|
|
3364
3364
|
const factory = this.factoryRegistry.getFactoryForOptions(opts ?? undefined);
|
|
3365
3365
|
if (!factory) {
|
|
3366
|
-
logger$
|
|
3366
|
+
logger$a.debug("composite_no_factory_for_options", { opts });
|
|
3367
3367
|
return null;
|
|
3368
3368
|
}
|
|
3369
3369
|
return await this.getOrCreateManager(factory, "options");
|
|
@@ -3371,7 +3371,7 @@ class CompositeEncryptionManager {
|
|
|
3371
3371
|
async getManagerForAlgorithm(algorithm) {
|
|
3372
3372
|
const factory = this.factoryRegistry.getFactoryForAlgorithm(algorithm);
|
|
3373
3373
|
if (!factory) {
|
|
3374
|
-
logger$
|
|
3374
|
+
logger$a.debug("composite_no_factory_for_algorithm", { algorithm });
|
|
3375
3375
|
return null;
|
|
3376
3376
|
}
|
|
3377
3377
|
return await this.getOrCreateManager(factory, algorithm);
|
|
@@ -3396,7 +3396,7 @@ class CompositeEncryptionManager {
|
|
|
3396
3396
|
const manager = await factory.create(null, dependencies);
|
|
3397
3397
|
this.managerInstances.set(key, manager);
|
|
3398
3398
|
await this.applyNodeContext(manager, key);
|
|
3399
|
-
logger$
|
|
3399
|
+
logger$a.debug("composite_created_manager", {
|
|
3400
3400
|
factory: key,
|
|
3401
3401
|
context,
|
|
3402
3402
|
manager_type: manager.constructor.name,
|
|
@@ -3404,7 +3404,7 @@ class CompositeEncryptionManager {
|
|
|
3404
3404
|
return manager;
|
|
3405
3405
|
}
|
|
3406
3406
|
catch (error) {
|
|
3407
|
-
logger$
|
|
3407
|
+
logger$a.error("composite_create_manager_failed", {
|
|
3408
3408
|
factory: key,
|
|
3409
3409
|
context,
|
|
3410
3410
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3417,7 +3417,7 @@ class CompositeEncryptionManager {
|
|
|
3417
3417
|
const factoryKey = this.resolveFactoryKey(factory);
|
|
3418
3418
|
const manager = this.managerInstances.get(factoryKey);
|
|
3419
3419
|
if (!manager) {
|
|
3420
|
-
logger$
|
|
3420
|
+
logger$a.debug("composite_skip_notification_no_manager", {
|
|
3421
3421
|
factory: factoryKey,
|
|
3422
3422
|
});
|
|
3423
3423
|
continue;
|
|
@@ -3426,7 +3426,7 @@ class CompositeEncryptionManager {
|
|
|
3426
3426
|
await callback(manager, factoryKey);
|
|
3427
3427
|
}
|
|
3428
3428
|
catch (error) {
|
|
3429
|
-
logger$
|
|
3429
|
+
logger$a.error("composite_notify_manager_failed", {
|
|
3430
3430
|
factory: factoryKey,
|
|
3431
3431
|
error: error instanceof Error ? error.message : String(error),
|
|
3432
3432
|
});
|
|
@@ -3442,7 +3442,7 @@ class CompositeEncryptionManager {
|
|
|
3442
3442
|
await callback(manager);
|
|
3443
3443
|
}
|
|
3444
3444
|
catch (error) {
|
|
3445
|
-
logger$
|
|
3445
|
+
logger$a.error("composite_node_event_failed", {
|
|
3446
3446
|
manager: manager.constructor.name,
|
|
3447
3447
|
error: error instanceof Error ? error.message : String(error),
|
|
3448
3448
|
});
|
|
@@ -3459,7 +3459,7 @@ class CompositeEncryptionManager {
|
|
|
3459
3459
|
await manager.onNodeStarted?.(this.nodeLike);
|
|
3460
3460
|
}
|
|
3461
3461
|
catch (error) {
|
|
3462
|
-
logger$
|
|
3462
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3463
3463
|
stage: "onNodeStarted",
|
|
3464
3464
|
factory: factoryKey,
|
|
3465
3465
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3472,7 +3472,7 @@ class CompositeEncryptionManager {
|
|
|
3472
3472
|
await manager.onNodeAttachToUpstream?.(this.nodeLike, this.lastAttachInfo);
|
|
3473
3473
|
}
|
|
3474
3474
|
catch (error) {
|
|
3475
|
-
logger$
|
|
3475
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3476
3476
|
stage: "onNodeAttachToUpstream",
|
|
3477
3477
|
factory: factoryKey,
|
|
3478
3478
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3495,7 +3495,7 @@ class CompositeEncryptionManager {
|
|
|
3495
3495
|
const channelAware = manager;
|
|
3496
3496
|
if (typeof channelAware.clearChannelCacheForDestination === "function") {
|
|
3497
3497
|
channelAware.clearChannelCacheForDestination(destination);
|
|
3498
|
-
logger$
|
|
3498
|
+
logger$a.debug("composite_cleared_channel_cache", {
|
|
3499
3499
|
destination,
|
|
3500
3500
|
factory: factoryKey,
|
|
3501
3501
|
});
|
|
@@ -3515,7 +3515,7 @@ class CompositeEncryptionManager {
|
|
|
3515
3515
|
"function") {
|
|
3516
3516
|
const removed = this.secureChannelManager.removeChannelsForDestination(destination);
|
|
3517
3517
|
if (removed > 0) {
|
|
3518
|
-
logger$
|
|
3518
|
+
logger$a.debug("composite_removed_channels", {
|
|
3519
3519
|
destination,
|
|
3520
3520
|
count: removed,
|
|
3521
3521
|
});
|
|
@@ -3526,7 +3526,7 @@ class CompositeEncryptionManager {
|
|
|
3526
3526
|
}
|
|
3527
3527
|
}
|
|
3528
3528
|
|
|
3529
|
-
const logger$
|
|
3529
|
+
const logger$9 = runtime.getLogger("naylence.fame.security.encryption.composite_encryption_manager_factory");
|
|
3530
3530
|
const DEFAULT_PRIORITY = 1000;
|
|
3531
3531
|
const DEFAULT_ENCRYPTION_TYPE = "composite";
|
|
3532
3532
|
const FACTORY_META$a = {
|
|
@@ -3564,7 +3564,7 @@ class CompositeEncryptionManagerFactory extends runtime.EncryptionManagerFactory
|
|
|
3564
3564
|
const supportedChannelAlgorithms = runtimeConfig?.supportedChannelAlgorithms ??
|
|
3565
3565
|
this.supportedChannelAlgorithms ??
|
|
3566
3566
|
undefined;
|
|
3567
|
-
logger$
|
|
3567
|
+
logger$9.debug("creating_composite_encryption_manager", {
|
|
3568
3568
|
has_secure_channel_manager: Boolean(resolved.secureChannelManager),
|
|
3569
3569
|
has_key_provider: Boolean(resolved.keyProvider),
|
|
3570
3570
|
has_crypto_provider: Boolean(resolved.cryptoProvider),
|
|
@@ -3937,7 +3937,7 @@ var eddsaEnvelopeVerifierFactory = /*#__PURE__*/Object.freeze({
|
|
|
3937
3937
|
default: AdvancedEdDSAEnvelopeVerifierFactory
|
|
3938
3938
|
});
|
|
3939
3939
|
|
|
3940
|
-
const logger$
|
|
3940
|
+
const logger$8 = runtime.getLogger("naylence.fame.security.keys.x5c_key_manager");
|
|
3941
3941
|
let x509ModulePromise$1 = null;
|
|
3942
3942
|
async function loadX509Module$1() {
|
|
3943
3943
|
if (!x509ModulePromise$1) {
|
|
@@ -3949,7 +3949,7 @@ async function loadX509Module$1() {
|
|
|
3949
3949
|
return null;
|
|
3950
3950
|
})
|
|
3951
3951
|
.catch((error) => {
|
|
3952
|
-
logger$
|
|
3952
|
+
logger$8.warning("certificate_module_unavailable", {
|
|
3953
3953
|
error: error instanceof Error ? error.message : String(error),
|
|
3954
3954
|
});
|
|
3955
3955
|
return null;
|
|
@@ -3980,16 +3980,16 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
3980
3980
|
async onNodeStarted(node) {
|
|
3981
3981
|
await this.inner.onNodeStarted(node);
|
|
3982
3982
|
this.startPurgeLoop();
|
|
3983
|
-
logger$
|
|
3983
|
+
logger$8.debug("x5c_key_manager_started", {
|
|
3984
3984
|
cert_purge_interval: this.certPurgeInterval,
|
|
3985
3985
|
});
|
|
3986
3986
|
}
|
|
3987
3987
|
async onNodeStopped(node) {
|
|
3988
|
-
logger$
|
|
3988
|
+
logger$8.debug("x5c_key_manager_stopping");
|
|
3989
3989
|
await this.shutdownTasks({ gracePeriod: 50, joinTimeout: 100 });
|
|
3990
3990
|
this.purgeTask = null;
|
|
3991
3991
|
await this.inner.onNodeStopped(node);
|
|
3992
|
-
logger$
|
|
3992
|
+
logger$8.debug("x5c_key_manager_stopped");
|
|
3993
3993
|
}
|
|
3994
3994
|
async getKey(kid) {
|
|
3995
3995
|
return this.inner.getKey(kid);
|
|
@@ -4026,7 +4026,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4026
4026
|
}
|
|
4027
4027
|
catch (error) {
|
|
4028
4028
|
if (error instanceof runtime.JWKValidationError) {
|
|
4029
|
-
logger$
|
|
4029
|
+
logger$8.warning("rejected_invalid_jwk_in_announce", {
|
|
4030
4030
|
kid: typeof key?.kid === "string" ? key.kid : "unknown",
|
|
4031
4031
|
from_system_id: systemId,
|
|
4032
4032
|
from_physical_path: physicalPath,
|
|
@@ -4039,7 +4039,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4039
4039
|
}
|
|
4040
4040
|
}
|
|
4041
4041
|
if (validKeys.length === 0) {
|
|
4042
|
-
logger$
|
|
4042
|
+
logger$8.warning("no_valid_keys_in_announce", {
|
|
4043
4043
|
from_system_id: systemId,
|
|
4044
4044
|
from_physical_path: physicalPath,
|
|
4045
4045
|
total_keys: keys.length,
|
|
@@ -4047,7 +4047,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4047
4047
|
});
|
|
4048
4048
|
return;
|
|
4049
4049
|
}
|
|
4050
|
-
logger$
|
|
4050
|
+
logger$8.debug("adding_keys", {
|
|
4051
4051
|
key_ids: validKeys.map((key) => typeof key?.kid === "string" ? key.kid : "unknown"),
|
|
4052
4052
|
source_system_id: systemId,
|
|
4053
4053
|
from_physical_path: physicalPath,
|
|
@@ -4058,7 +4058,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4058
4058
|
});
|
|
4059
4059
|
const hasEncryptionKeys = validKeys.some((key) => typeof key?.use === "string" && key.use === "enc");
|
|
4060
4060
|
if (hasEncryptionKeys) {
|
|
4061
|
-
logger$
|
|
4061
|
+
logger$8.debug("checking_for_old_encryption_keys_to_remove", {
|
|
4062
4062
|
physical_path: physicalPath,
|
|
4063
4063
|
origin,
|
|
4064
4064
|
new_enc_keys: validKeys
|
|
@@ -4086,7 +4086,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4086
4086
|
}
|
|
4087
4087
|
}
|
|
4088
4088
|
if (existingEncKeyIds.size > 0) {
|
|
4089
|
-
logger$
|
|
4089
|
+
logger$8.debug("found_existing_encryption_keys_across_paths", {
|
|
4090
4090
|
physical_path: physicalPath,
|
|
4091
4091
|
paths_checked: pathsWithOldKeys,
|
|
4092
4092
|
existing_enc_key_ids: Array.from(existingEncKeyIds),
|
|
@@ -4097,7 +4097,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4097
4097
|
.filter((kid) => kid.length > 0));
|
|
4098
4098
|
const keysToRemove = Array.from(existingEncKeyIds).filter((kid) => !newEncKeyIds.has(kid));
|
|
4099
4099
|
if (keysToRemove.length > 0) {
|
|
4100
|
-
logger$
|
|
4100
|
+
logger$8.info("removing_old_encryption_keys_for_key_rotation", {
|
|
4101
4101
|
physical_path: physicalPath,
|
|
4102
4102
|
paths_with_old_keys: pathsWithOldKeys,
|
|
4103
4103
|
old_key_ids: keysToRemove,
|
|
@@ -4106,7 +4106,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4106
4106
|
});
|
|
4107
4107
|
for (const kid of keysToRemove) {
|
|
4108
4108
|
await this.keyStore.removeKey(kid);
|
|
4109
|
-
logger$
|
|
4109
|
+
logger$8.debug("removed_old_encryption_key_from_all_paths", {
|
|
4110
4110
|
kid,
|
|
4111
4111
|
});
|
|
4112
4112
|
}
|
|
@@ -4114,7 +4114,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4114
4114
|
}
|
|
4115
4115
|
}
|
|
4116
4116
|
catch (error) {
|
|
4117
|
-
logger$
|
|
4117
|
+
logger$8.warning("failed_to_remove_old_encryption_keys", {
|
|
4118
4118
|
physical_path: physicalPath,
|
|
4119
4119
|
error: error instanceof Error ? error.message : String(error),
|
|
4120
4120
|
origin,
|
|
@@ -4148,10 +4148,10 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4148
4148
|
return this.inner.getKeysForPath(physicalPath);
|
|
4149
4149
|
}
|
|
4150
4150
|
async purgeExpiredCertificates() {
|
|
4151
|
-
logger$
|
|
4151
|
+
logger$8.debug("certificate_purge_starting");
|
|
4152
4152
|
const module = await loadX509Module$1();
|
|
4153
4153
|
if (!module) {
|
|
4154
|
-
logger$
|
|
4154
|
+
logger$8.warning("certificate_purge_skipped", {
|
|
4155
4155
|
reason: "x509_module_unavailable",
|
|
4156
4156
|
});
|
|
4157
4157
|
return 0;
|
|
@@ -4174,7 +4174,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4174
4174
|
const cert = new module.X509Certificate(raw);
|
|
4175
4175
|
const expiration = cert.notAfter;
|
|
4176
4176
|
if (expiration && expiration.getTime() < now.getTime()) {
|
|
4177
|
-
logger$
|
|
4177
|
+
logger$8.debug("expired_certificate_found", {
|
|
4178
4178
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4179
4179
|
physical_path: typeof key.physical_path === "string"
|
|
4180
4180
|
? key.physical_path
|
|
@@ -4193,7 +4193,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4193
4193
|
}
|
|
4194
4194
|
}
|
|
4195
4195
|
catch (error) {
|
|
4196
|
-
logger$
|
|
4196
|
+
logger$8.warning("certificate_parsing_failed_during_purge", {
|
|
4197
4197
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4198
4198
|
error: error instanceof Error ? error.message : String(error),
|
|
4199
4199
|
message: "Could not parse certificate for expiry check",
|
|
@@ -4207,20 +4207,20 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4207
4207
|
const removed = await this.keyStore.removeKey(keyInfo.kid);
|
|
4208
4208
|
if (removed) {
|
|
4209
4209
|
purgedCount += 1;
|
|
4210
|
-
logger$
|
|
4210
|
+
logger$8.debug("expired_certificate_purged", {
|
|
4211
4211
|
kid: keyInfo.kid,
|
|
4212
4212
|
physical_path: keyInfo.physicalPath ?? "unknown",
|
|
4213
4213
|
});
|
|
4214
4214
|
}
|
|
4215
4215
|
}
|
|
4216
4216
|
catch (error) {
|
|
4217
|
-
logger$
|
|
4217
|
+
logger$8.error("certificate_purge_failed", {
|
|
4218
4218
|
kid: keyInfo.kid,
|
|
4219
4219
|
error: error instanceof Error ? error.message : String(error),
|
|
4220
4220
|
});
|
|
4221
4221
|
}
|
|
4222
4222
|
}
|
|
4223
|
-
logger$
|
|
4223
|
+
logger$8.debug("certificate_purge_completed", {
|
|
4224
4224
|
purged_count: purgedCount,
|
|
4225
4225
|
});
|
|
4226
4226
|
return purgedCount;
|
|
@@ -4230,7 +4230,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4230
4230
|
return;
|
|
4231
4231
|
}
|
|
4232
4232
|
this.purgeTask = this.spawn(async (signal) => {
|
|
4233
|
-
logger$
|
|
4233
|
+
logger$8.debug("certificate_purge_loop_started", {
|
|
4234
4234
|
interval_seconds: this.certPurgeInterval,
|
|
4235
4235
|
});
|
|
4236
4236
|
try {
|
|
@@ -4251,13 +4251,13 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4251
4251
|
try {
|
|
4252
4252
|
const purged = await this.purgeExpiredCertificates();
|
|
4253
4253
|
if (purged > 0) {
|
|
4254
|
-
logger$
|
|
4254
|
+
logger$8.debug("certificate_purge_cycle_completed", {
|
|
4255
4255
|
purged_count: purged,
|
|
4256
4256
|
});
|
|
4257
4257
|
}
|
|
4258
4258
|
}
|
|
4259
4259
|
catch (error) {
|
|
4260
|
-
logger$
|
|
4260
|
+
logger$8.error("certificate_purge_cycle_failed", {
|
|
4261
4261
|
error: error instanceof Error ? error.message : String(error),
|
|
4262
4262
|
});
|
|
4263
4263
|
}
|
|
@@ -4265,16 +4265,16 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4265
4265
|
}
|
|
4266
4266
|
catch (error) {
|
|
4267
4267
|
if (signal?.aborted) {
|
|
4268
|
-
logger$
|
|
4268
|
+
logger$8.debug("certificate_purge_loop_cancelled");
|
|
4269
4269
|
}
|
|
4270
4270
|
else {
|
|
4271
|
-
logger$
|
|
4271
|
+
logger$8.error("certificate_purge_loop_failed", {
|
|
4272
4272
|
error: error instanceof Error ? error.message : String(error),
|
|
4273
4273
|
});
|
|
4274
4274
|
}
|
|
4275
4275
|
}
|
|
4276
4276
|
finally {
|
|
4277
|
-
logger$
|
|
4277
|
+
logger$8.debug("certificate_purge_loop_stopped");
|
|
4278
4278
|
}
|
|
4279
4279
|
}, { name: "cert-purge" });
|
|
4280
4280
|
}
|
|
@@ -4291,7 +4291,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4291
4291
|
});
|
|
4292
4292
|
}
|
|
4293
4293
|
catch (error) {
|
|
4294
|
-
logger$
|
|
4294
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4295
4295
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4296
4296
|
from_system_id: systemId,
|
|
4297
4297
|
from_physical_path: physicalPath,
|
|
@@ -4308,7 +4308,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4308
4308
|
if (result.isValid) {
|
|
4309
4309
|
return { accepted: true, skip: false };
|
|
4310
4310
|
}
|
|
4311
|
-
logger$
|
|
4311
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4312
4312
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4313
4313
|
from_system_id: systemId,
|
|
4314
4314
|
from_physical_path: physicalPath,
|
|
@@ -4333,7 +4333,7 @@ function resolveTrustStorePath() {
|
|
|
4333
4333
|
return process.env.FAME_CA_CERT_FILE ?? null;
|
|
4334
4334
|
}
|
|
4335
4335
|
catch (error) {
|
|
4336
|
-
logger$
|
|
4336
|
+
logger$8.debug("trust_store_resolution_failed", {
|
|
4337
4337
|
error: error instanceof Error ? error.message : String(error),
|
|
4338
4338
|
});
|
|
4339
4339
|
return null;
|
|
@@ -4541,7 +4541,7 @@ function utf8Decode(data) {
|
|
|
4541
4541
|
return decodeURIComponent(escape(str));
|
|
4542
4542
|
}
|
|
4543
4543
|
|
|
4544
|
-
const logger$
|
|
4544
|
+
const logger$7 = runtime.getLogger("naylence.fame.stickiness.aft_signer");
|
|
4545
4545
|
class AbstractAFTSigner {
|
|
4546
4546
|
constructor(kid, maxTtlSec = 7200) {
|
|
4547
4547
|
this.kid = kid;
|
|
@@ -4633,7 +4633,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4633
4633
|
return token;
|
|
4634
4634
|
}
|
|
4635
4635
|
catch (error) {
|
|
4636
|
-
logger$
|
|
4636
|
+
logger$7.error("aft_signing_failed", {
|
|
4637
4637
|
kid: this.kid,
|
|
4638
4638
|
algorithm: this.algorithm,
|
|
4639
4639
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4645,7 +4645,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4645
4645
|
if (!this.cryptoKeyPromise) {
|
|
4646
4646
|
this.cryptoKeyPromise = jose.importPKCS8(this.privateKeyPem, this.algorithm).catch((error) => {
|
|
4647
4647
|
this.cryptoKeyPromise = null;
|
|
4648
|
-
logger$
|
|
4648
|
+
logger$7.error("aft_private_key_import_failed", {
|
|
4649
4649
|
kid: this.kid,
|
|
4650
4650
|
algorithm: this.algorithm,
|
|
4651
4651
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4683,7 +4683,7 @@ function createAftSigner(options) {
|
|
|
4683
4683
|
}
|
|
4684
4684
|
}
|
|
4685
4685
|
|
|
4686
|
-
const logger$
|
|
4686
|
+
const logger$6 = runtime.getLogger("naylence.fame.stickiness.aft_helper");
|
|
4687
4687
|
class AFTHelper {
|
|
4688
4688
|
constructor(options) {
|
|
4689
4689
|
this.signer = options.signer;
|
|
@@ -4697,7 +4697,7 @@ class AFTHelper {
|
|
|
4697
4697
|
let clientSid;
|
|
4698
4698
|
if (context?.stickySid) {
|
|
4699
4699
|
clientSid = context.stickySid;
|
|
4700
|
-
logger$
|
|
4700
|
+
logger$6.debug("client_sticky_sid_extracted", { client_sid: clientSid });
|
|
4701
4701
|
}
|
|
4702
4702
|
const signOptions = {
|
|
4703
4703
|
sid: this.nodeSid,
|
|
@@ -4719,7 +4719,7 @@ class AFTHelper {
|
|
|
4719
4719
|
envelope.meta.set = setMeta;
|
|
4720
4720
|
}
|
|
4721
4721
|
setMeta.aft = aftToken;
|
|
4722
|
-
logger$
|
|
4722
|
+
logger$6.debug("aft_instruction_added", {
|
|
4723
4723
|
envelope_id: envelope.id,
|
|
4724
4724
|
ttl_sec: ttlSec,
|
|
4725
4725
|
scope,
|
|
@@ -4728,7 +4728,7 @@ class AFTHelper {
|
|
|
4728
4728
|
return true;
|
|
4729
4729
|
}
|
|
4730
4730
|
catch (error) {
|
|
4731
|
-
logger$
|
|
4731
|
+
logger$6.error("aft_generation_failed", {
|
|
4732
4732
|
envelope_id: envelope.id,
|
|
4733
4733
|
error: error instanceof Error ? error.message : String(error),
|
|
4734
4734
|
});
|
|
@@ -4752,7 +4752,7 @@ function createAftHelper(options) {
|
|
|
4752
4752
|
}
|
|
4753
4753
|
const DEFAULT_STICKINESS_SECURITY_LEVEL = exports.StickinessMode.SIGNED_OPTIONAL;
|
|
4754
4754
|
|
|
4755
|
-
const logger$
|
|
4755
|
+
const logger$5 = runtime.getLogger("naylence.fame.stickiness.aft_verifier");
|
|
4756
4756
|
function decodeToken(token) {
|
|
4757
4757
|
const parts = token.split(".");
|
|
4758
4758
|
if (parts.length !== 3) {
|
|
@@ -4785,7 +4785,7 @@ function decodeToken(token) {
|
|
|
4785
4785
|
return { header, claims };
|
|
4786
4786
|
}
|
|
4787
4787
|
catch (error) {
|
|
4788
|
-
logger$
|
|
4788
|
+
logger$5.debug("aft_decoding_failed", {
|
|
4789
4789
|
error: error instanceof Error ? error.message : String(error),
|
|
4790
4790
|
});
|
|
4791
4791
|
return null;
|
|
@@ -4847,7 +4847,7 @@ class BaseAFTVerifier {
|
|
|
4847
4847
|
signatureValid = await this.verifySignature(token, header, claims);
|
|
4848
4848
|
}
|
|
4849
4849
|
catch (error) {
|
|
4850
|
-
logger$
|
|
4850
|
+
logger$5.debug("aft_signature_verification_failed", {
|
|
4851
4851
|
kid: header.kid,
|
|
4852
4852
|
algorithm: header.alg,
|
|
4853
4853
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4893,7 +4893,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4893
4893
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4894
4894
|
}
|
|
4895
4895
|
catch (error) {
|
|
4896
|
-
logger$
|
|
4896
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4897
4897
|
kid: header.kid,
|
|
4898
4898
|
error: error instanceof Error ? error.message : String(error),
|
|
4899
4899
|
});
|
|
@@ -4908,7 +4908,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4908
4908
|
return protectedHeader.alg === header.alg;
|
|
4909
4909
|
}
|
|
4910
4910
|
catch (error) {
|
|
4911
|
-
logger$
|
|
4911
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4912
4912
|
kid: header.kid,
|
|
4913
4913
|
algorithm: header.alg,
|
|
4914
4914
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4937,7 +4937,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4937
4937
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4938
4938
|
}
|
|
4939
4939
|
catch (error) {
|
|
4940
|
-
logger$
|
|
4940
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4941
4941
|
kid: header.kid,
|
|
4942
4942
|
error: error instanceof Error ? error.message : String(error),
|
|
4943
4943
|
});
|
|
@@ -4952,7 +4952,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4952
4952
|
return protectedHeader.alg === header.alg;
|
|
4953
4953
|
}
|
|
4954
4954
|
catch (error) {
|
|
4955
|
-
logger$
|
|
4955
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4956
4956
|
kid: header.kid,
|
|
4957
4957
|
algorithm: header.alg,
|
|
4958
4958
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4987,7 +4987,7 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
4987
4987
|
return key;
|
|
4988
4988
|
}
|
|
4989
4989
|
catch (error) {
|
|
4990
|
-
logger$
|
|
4990
|
+
logger$5.debug("aft_jwk_import_failed", {
|
|
4991
4991
|
kid: keyRecord.kid,
|
|
4992
4992
|
algorithm,
|
|
4993
4993
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -5008,14 +5008,14 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
5008
5008
|
return key;
|
|
5009
5009
|
}
|
|
5010
5010
|
catch (error) {
|
|
5011
|
-
logger$
|
|
5011
|
+
logger$5.debug("aft_spki_import_failed", {
|
|
5012
5012
|
kid: keyRecord.kid,
|
|
5013
5013
|
algorithm,
|
|
5014
5014
|
error: error instanceof Error ? error.message : String(error),
|
|
5015
5015
|
});
|
|
5016
5016
|
}
|
|
5017
5017
|
}
|
|
5018
|
-
logger$
|
|
5018
|
+
logger$5.debug("aft_verification_key_unavailable", {
|
|
5019
5019
|
kid: keyRecord.kid,
|
|
5020
5020
|
algorithm,
|
|
5021
5021
|
});
|
|
@@ -5038,7 +5038,7 @@ function createAftVerifier(options) {
|
|
|
5038
5038
|
}
|
|
5039
5039
|
}
|
|
5040
5040
|
|
|
5041
|
-
const logger$
|
|
5041
|
+
const logger$4 = runtime.getLogger("naylence.fame.stickiness.aft_load_balancer_stickiness_manager");
|
|
5042
5042
|
class AFTAssociation {
|
|
5043
5043
|
constructor(params) {
|
|
5044
5044
|
this.replicaId = params.replicaId;
|
|
@@ -5077,7 +5077,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5077
5077
|
};
|
|
5078
5078
|
this.config = config;
|
|
5079
5079
|
this.verifier = verifier;
|
|
5080
|
-
logger$
|
|
5080
|
+
logger$4.debug("stickiness_manager_initialized", {
|
|
5081
5081
|
enabled: this.config.enabled,
|
|
5082
5082
|
security_level: this.config.securityLevel,
|
|
5083
5083
|
verifier_type: verifier.constructor.name,
|
|
@@ -5095,14 +5095,14 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5095
5095
|
negotiate(stickiness) {
|
|
5096
5096
|
if (!stickiness) {
|
|
5097
5097
|
if (this.config.enabled) {
|
|
5098
|
-
logger$
|
|
5098
|
+
logger$4.debug("stickiness_negotiated_no_offer_attr_fallback");
|
|
5099
5099
|
return { enabled: true, mode: "attr", version: 1 };
|
|
5100
5100
|
}
|
|
5101
5101
|
return null;
|
|
5102
5102
|
}
|
|
5103
5103
|
const version = stickiness.version ?? 1;
|
|
5104
5104
|
if (!this.config.enabled) {
|
|
5105
|
-
logger$
|
|
5105
|
+
logger$4.debug("stickiness_negotiation_disabled_by_config");
|
|
5106
5106
|
return { enabled: false, version };
|
|
5107
5107
|
}
|
|
5108
5108
|
const childModes = new Set();
|
|
@@ -5123,32 +5123,32 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5123
5123
|
ttlSec: ttl,
|
|
5124
5124
|
version,
|
|
5125
5125
|
};
|
|
5126
|
-
logger$
|
|
5126
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode, ttl });
|
|
5127
5127
|
return policy;
|
|
5128
5128
|
}
|
|
5129
5129
|
if (childModes.has("attr")) {
|
|
5130
5130
|
const policy = { enabled: true, mode: "attr", version };
|
|
5131
|
-
logger$
|
|
5131
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode });
|
|
5132
5132
|
return policy;
|
|
5133
5133
|
}
|
|
5134
|
-
logger$
|
|
5134
|
+
logger$4.debug("stickiness_negotiation_no_common_mode");
|
|
5135
5135
|
return { enabled: false, version };
|
|
5136
5136
|
}
|
|
5137
5137
|
async handleOutboundEnvelope(envelope, replicaId) {
|
|
5138
5138
|
if (!this.config.enabled) {
|
|
5139
|
-
logger$
|
|
5139
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5140
5140
|
return null;
|
|
5141
5141
|
}
|
|
5142
5142
|
const aftToken = extractAftInstruction(envelope);
|
|
5143
5143
|
if (!aftToken) {
|
|
5144
|
-
logger$
|
|
5144
|
+
logger$4.debug("no_aft_instruction", {
|
|
5145
5145
|
envelope_id: envelope.id,
|
|
5146
5146
|
has_meta: Boolean(envelope.meta),
|
|
5147
5147
|
});
|
|
5148
5148
|
return null;
|
|
5149
5149
|
}
|
|
5150
5150
|
if (typeof aftToken !== "string") {
|
|
5151
|
-
logger$
|
|
5151
|
+
logger$4.warning("invalid_aft_instruction", {
|
|
5152
5152
|
envelope_id: envelope.id,
|
|
5153
5153
|
replica_id: replicaId,
|
|
5154
5154
|
reason: "set.aft value is not a string",
|
|
@@ -5158,7 +5158,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5158
5158
|
const verification = await this.verifier.verify(aftToken, envelope.sid ?? undefined);
|
|
5159
5159
|
if (!verification.valid) {
|
|
5160
5160
|
this.metrics.verifyFailures += 1;
|
|
5161
|
-
logger$
|
|
5161
|
+
logger$4.warning("aft_verification_failed", {
|
|
5162
5162
|
envelope_id: envelope.id,
|
|
5163
5163
|
replica_id: replicaId,
|
|
5164
5164
|
error: verification.error,
|
|
@@ -5176,14 +5176,14 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5176
5176
|
});
|
|
5177
5177
|
if (verification.clientSid) {
|
|
5178
5178
|
this.sidCache.set(verification.clientSid, replicaId);
|
|
5179
|
-
logger$
|
|
5179
|
+
logger$4.debug("sid_cache_updated", {
|
|
5180
5180
|
envelope_id: envelope.id,
|
|
5181
5181
|
client_sid: verification.clientSid,
|
|
5182
5182
|
replica_id: replicaId,
|
|
5183
5183
|
});
|
|
5184
5184
|
}
|
|
5185
5185
|
this.metrics.associationsCreated += 1;
|
|
5186
|
-
logger$
|
|
5186
|
+
logger$4.debug("aft_association_created", {
|
|
5187
5187
|
envelope_id: envelope.id,
|
|
5188
5188
|
replica_id: replicaId,
|
|
5189
5189
|
sid: verification.sid,
|
|
@@ -5195,14 +5195,14 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5195
5195
|
}
|
|
5196
5196
|
getStickyReplicaSegment(envelope, segments) {
|
|
5197
5197
|
if (!this.config.enabled) {
|
|
5198
|
-
logger$
|
|
5198
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5199
5199
|
return null;
|
|
5200
5200
|
}
|
|
5201
5201
|
if (envelope.aft) {
|
|
5202
5202
|
const replicaId = this.routeByAft(envelope.aft, envelope);
|
|
5203
5203
|
if (replicaId) {
|
|
5204
5204
|
this.metrics.cacheHits += 1;
|
|
5205
|
-
logger$
|
|
5205
|
+
logger$4.debug("aft_routed_envelope", {
|
|
5206
5206
|
envelope_id: envelope.id,
|
|
5207
5207
|
replica_id: replicaId,
|
|
5208
5208
|
routing_type: "aft_direct",
|
|
@@ -5215,7 +5215,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5215
5215
|
if (cachedReplica) {
|
|
5216
5216
|
if (this.config.securityLevel === exports.StickinessMode.SID_ONLY) {
|
|
5217
5217
|
this.metrics.cacheHits += 1;
|
|
5218
|
-
logger$
|
|
5218
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5219
5219
|
envelope_id: envelope.id,
|
|
5220
5220
|
replica_id: cachedReplica,
|
|
5221
5221
|
sid: envelope.sid,
|
|
@@ -5228,7 +5228,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5228
5228
|
!association.isExpired()) {
|
|
5229
5229
|
envelope.aft = token;
|
|
5230
5230
|
this.metrics.cacheHits += 1;
|
|
5231
|
-
logger$
|
|
5231
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5232
5232
|
envelope_id: envelope.id,
|
|
5233
5233
|
replica_id: cachedReplica,
|
|
5234
5234
|
sid: envelope.sid,
|
|
@@ -5238,7 +5238,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5238
5238
|
}
|
|
5239
5239
|
}
|
|
5240
5240
|
this.metrics.cacheHits += 1;
|
|
5241
|
-
logger$
|
|
5241
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5242
5242
|
envelope_id: envelope.id,
|
|
5243
5243
|
replica_id: cachedReplica,
|
|
5244
5244
|
sid: envelope.sid,
|
|
@@ -5246,7 +5246,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5246
5246
|
});
|
|
5247
5247
|
return cachedReplica;
|
|
5248
5248
|
}
|
|
5249
|
-
logger$
|
|
5249
|
+
logger$4.debug("no_cached_replica_for_sid", {
|
|
5250
5250
|
envelope_id: envelope.id,
|
|
5251
5251
|
sid: envelope.sid,
|
|
5252
5252
|
});
|
|
@@ -5255,7 +5255,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5255
5255
|
const index = computeDeterministicIndex(envelope.sid, segments.length);
|
|
5256
5256
|
const chosen = segments[index];
|
|
5257
5257
|
this.metrics.cacheHits += 1;
|
|
5258
|
-
logger$
|
|
5258
|
+
logger$4.debug("sid_based_deterministic_choice", {
|
|
5259
5259
|
envelope_id: envelope.id,
|
|
5260
5260
|
sid: envelope.sid,
|
|
5261
5261
|
chosen,
|
|
@@ -5264,7 +5264,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5264
5264
|
return chosen;
|
|
5265
5265
|
}
|
|
5266
5266
|
this.metrics.cacheMisses += 1;
|
|
5267
|
-
logger$
|
|
5267
|
+
logger$4.debug("no_stickiness_routing", {
|
|
5268
5268
|
envelope_id: envelope.id,
|
|
5269
5269
|
has_aft: Boolean(envelope.aft),
|
|
5270
5270
|
has_sid: Boolean(envelope.sid),
|
|
@@ -5284,7 +5284,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5284
5284
|
}
|
|
5285
5285
|
if (expiredTokens.length > 0) {
|
|
5286
5286
|
this.metrics.associationsExpired += expiredTokens.length;
|
|
5287
|
-
logger$
|
|
5287
|
+
logger$4.debug("cleaned_expired_associations", {
|
|
5288
5288
|
count: expiredTokens.length,
|
|
5289
5289
|
});
|
|
5290
5290
|
}
|
|
@@ -5300,7 +5300,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5300
5300
|
this.removeAssociation(token);
|
|
5301
5301
|
}
|
|
5302
5302
|
if (tokensToRemove.length > 0) {
|
|
5303
|
-
logger$
|
|
5303
|
+
logger$4.debug("removed_associations_for_departed_replica", {
|
|
5304
5304
|
replica_id: replicaId,
|
|
5305
5305
|
count: tokensToRemove.length,
|
|
5306
5306
|
});
|
|
@@ -5308,7 +5308,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5308
5308
|
}
|
|
5309
5309
|
handleReplicaLeft(replicaId) {
|
|
5310
5310
|
this.replicaLeft(replicaId);
|
|
5311
|
-
logger$
|
|
5311
|
+
logger$4.debug("stickiness_replica_cleanup", { replica_id: replicaId });
|
|
5312
5312
|
}
|
|
5313
5313
|
getMetrics() {
|
|
5314
5314
|
return {
|
|
@@ -5341,7 +5341,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5341
5341
|
const misses = this.metrics.cacheMisses;
|
|
5342
5342
|
const total = hits + misses;
|
|
5343
5343
|
const hitRate = total > 0 ? Math.round((hits / total) * 10000) / 100 : 0;
|
|
5344
|
-
logger$
|
|
5344
|
+
logger$4.info("stickiness_metrics_report", {
|
|
5345
5345
|
enabled: this.config.enabled,
|
|
5346
5346
|
security_level: this.config.securityLevel,
|
|
5347
5347
|
cache_hits: hits,
|
|
@@ -5355,7 +5355,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5355
5355
|
});
|
|
5356
5356
|
}
|
|
5357
5357
|
async onDeliver(_node, envelope, context) {
|
|
5358
|
-
logger$
|
|
5358
|
+
logger$4.debug("stickiness_manager_on_deliver", {
|
|
5359
5359
|
envelope_id: envelope.id,
|
|
5360
5360
|
origin_type: context?.originType ?? "unknown",
|
|
5361
5361
|
from_system_id: context?.fromSystemId ?? null,
|
|
@@ -5363,7 +5363,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5363
5363
|
if (context?.originType === core.DeliveryOriginType.DOWNSTREAM) {
|
|
5364
5364
|
const sourceRoute = context.fromSystemId;
|
|
5365
5365
|
if (sourceRoute) {
|
|
5366
|
-
logger$
|
|
5366
|
+
logger$4.debug("processing_downstream_envelope", {
|
|
5367
5367
|
envelope_id: envelope.id,
|
|
5368
5368
|
source_route: sourceRoute,
|
|
5369
5369
|
});
|
|
@@ -5371,7 +5371,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5371
5371
|
envelope.sid &&
|
|
5372
5372
|
!this.sidCache.has(envelope.sid)) {
|
|
5373
5373
|
this.sidCache.set(envelope.sid, sourceRoute);
|
|
5374
|
-
logger$
|
|
5374
|
+
logger$4.debug("sid_only_association_recorded", {
|
|
5375
5375
|
envelope_id: envelope.id,
|
|
5376
5376
|
sid: envelope.sid,
|
|
5377
5377
|
replica_id: sourceRoute,
|
|
@@ -5380,27 +5380,27 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5380
5380
|
const hadInstruction = Boolean(extractAftInstruction(envelope));
|
|
5381
5381
|
const token = await this.handleOutboundEnvelope(envelope, sourceRoute);
|
|
5382
5382
|
if (hadInstruction) {
|
|
5383
|
-
logger$
|
|
5383
|
+
logger$4.debug("processed_aft_setter_instruction", {
|
|
5384
5384
|
envelope_id: envelope.id,
|
|
5385
5385
|
source_route: sourceRoute,
|
|
5386
5386
|
client_echo: Boolean(token),
|
|
5387
5387
|
});
|
|
5388
5388
|
}
|
|
5389
5389
|
else {
|
|
5390
|
-
logger$
|
|
5390
|
+
logger$4.debug("no_aft_setter_instruction", {
|
|
5391
5391
|
envelope_id: envelope.id,
|
|
5392
5392
|
source_route: sourceRoute,
|
|
5393
5393
|
});
|
|
5394
5394
|
}
|
|
5395
5395
|
}
|
|
5396
5396
|
else {
|
|
5397
|
-
logger$
|
|
5397
|
+
logger$4.debug("downstream_envelope_without_source_route", {
|
|
5398
5398
|
envelope_id: envelope.id,
|
|
5399
5399
|
});
|
|
5400
5400
|
}
|
|
5401
5401
|
}
|
|
5402
5402
|
else {
|
|
5403
|
-
logger$
|
|
5403
|
+
logger$4.debug("envelope_not_from_downstream", {
|
|
5404
5404
|
envelope_id: envelope.id,
|
|
5405
5405
|
});
|
|
5406
5406
|
}
|
|
@@ -5441,7 +5441,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5441
5441
|
}
|
|
5442
5442
|
if (this.verifier.securityLevel === exports.StickinessMode.STRICT &&
|
|
5443
5443
|
association.isLowTrust()) {
|
|
5444
|
-
logger$
|
|
5444
|
+
logger$4.warning("rejecting_low_trust_association", {
|
|
5445
5445
|
envelope_id: envelope.id,
|
|
5446
5446
|
replica_id: association.replicaId,
|
|
5447
5447
|
reason: "strict mode rejects low-trust associations",
|
|
@@ -5548,7 +5548,7 @@ var aftLoadBalancerStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5548
5548
|
default: AFTLoadBalancerStickinessManagerFactory
|
|
5549
5549
|
});
|
|
5550
5550
|
|
|
5551
|
-
const logger$
|
|
5551
|
+
const logger$3 = runtime.getLogger("naylence.fame.stickiness.aft_replica_stickiness_manager");
|
|
5552
5552
|
function isStickinessRequired(context) {
|
|
5553
5553
|
if (typeof context.stickinessRequired === "boolean") {
|
|
5554
5554
|
return context.stickinessRequired;
|
|
@@ -5568,14 +5568,14 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5568
5568
|
this.isInitialized = this.aftHelper !== null;
|
|
5569
5569
|
this.negotiatedStickiness = null;
|
|
5570
5570
|
if (this.aftHelper) {
|
|
5571
|
-
logger$
|
|
5571
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5572
5572
|
helper_type: this.aftHelper.signer.constructor.name,
|
|
5573
5573
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5574
5574
|
max_ttl_sec: this.aftHelper.maxTtlSec,
|
|
5575
5575
|
});
|
|
5576
5576
|
}
|
|
5577
5577
|
else {
|
|
5578
|
-
logger$
|
|
5578
|
+
logger$3.debug("aft_replica_stickiness_manager_created", {
|
|
5579
5579
|
security_level: this.securityLevel,
|
|
5580
5580
|
max_ttl_sec: this.maxTtlSec,
|
|
5581
5581
|
});
|
|
@@ -5586,7 +5586,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5586
5586
|
}
|
|
5587
5587
|
accept(stickiness) {
|
|
5588
5588
|
this.negotiatedStickiness = stickiness ?? null;
|
|
5589
|
-
logger$
|
|
5589
|
+
logger$3.debug("replica_stickiness_policy_set", {
|
|
5590
5590
|
enabled: stickiness?.enabled ?? null,
|
|
5591
5591
|
mode: stickiness?.mode ?? null,
|
|
5592
5592
|
ttl: stickiness?.ttlSec ?? null,
|
|
@@ -5598,7 +5598,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5598
5598
|
}
|
|
5599
5599
|
const helper = this.aftHelper;
|
|
5600
5600
|
if (!helper) {
|
|
5601
|
-
logger$
|
|
5601
|
+
logger$3.debug("aft_helper_not_ready_skip_injection", {
|
|
5602
5602
|
envelope_id: envelope.id,
|
|
5603
5603
|
delivery_origin: context.originType ?? null,
|
|
5604
5604
|
reason: "not_initialized",
|
|
@@ -5614,7 +5614,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5614
5614
|
(negotiated.mode !== null &&
|
|
5615
5615
|
negotiated.mode !== undefined &&
|
|
5616
5616
|
negotiated.mode !== "aft")) {
|
|
5617
|
-
logger$
|
|
5617
|
+
logger$3.debug("aft_injection_skipped_due_to_policy", {
|
|
5618
5618
|
envelope_id: envelope.id,
|
|
5619
5619
|
policy_mode: negotiated.mode ?? null,
|
|
5620
5620
|
policy_enabled: negotiated.enabled ?? null,
|
|
@@ -5622,7 +5622,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5622
5622
|
return envelope;
|
|
5623
5623
|
}
|
|
5624
5624
|
}
|
|
5625
|
-
logger$
|
|
5625
|
+
logger$3.debug("applying_aft_for_upstream_stickiness_required", {
|
|
5626
5626
|
envelope_id: envelope.id,
|
|
5627
5627
|
from_system_id: context.fromSystemId ?? null,
|
|
5628
5628
|
delivery_origin: context.originType ?? null,
|
|
@@ -5633,14 +5633,14 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5633
5633
|
context: stickinessContext,
|
|
5634
5634
|
});
|
|
5635
5635
|
if (success) {
|
|
5636
|
-
logger$
|
|
5636
|
+
logger$3.debug("aft_token_applied_via_context_flag_upstream", {
|
|
5637
5637
|
envelope_id: envelope.id,
|
|
5638
5638
|
from_system_id: context.fromSystemId ?? null,
|
|
5639
5639
|
delivery_origin: context.originType ?? null,
|
|
5640
5640
|
});
|
|
5641
5641
|
}
|
|
5642
5642
|
else {
|
|
5643
|
-
logger$
|
|
5643
|
+
logger$3.debug("aft_token_not_applied_upstream", {
|
|
5644
5644
|
envelope_id: envelope.id,
|
|
5645
5645
|
delivery_origin: context.originType ?? null,
|
|
5646
5646
|
reason: "helper_returned_false",
|
|
@@ -5656,19 +5656,19 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5656
5656
|
}
|
|
5657
5657
|
if (this.aftHelper && node.sid) {
|
|
5658
5658
|
this.updateNodeSid(node.sid);
|
|
5659
|
-
logger$
|
|
5659
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5660
5660
|
node_id: node.id ?? "unknown",
|
|
5661
5661
|
node_sid: node.sid,
|
|
5662
5662
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5663
5663
|
});
|
|
5664
5664
|
}
|
|
5665
5665
|
else if (!node.sid) {
|
|
5666
|
-
logger$
|
|
5666
|
+
logger$3.warning("aft_replica_stickiness_manager_no_sid_available", {
|
|
5667
5667
|
node_id: node.id ?? "unknown",
|
|
5668
5668
|
});
|
|
5669
5669
|
}
|
|
5670
5670
|
else {
|
|
5671
|
-
logger$
|
|
5671
|
+
logger$3.error("aft_replica_stickiness_manager_node_missing_sid", {
|
|
5672
5672
|
node_type: node.constructor?.name ?? typeof node,
|
|
5673
5673
|
});
|
|
5674
5674
|
}
|
|
@@ -5676,7 +5676,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5676
5676
|
updateNodeSid(nodeSid) {
|
|
5677
5677
|
if (this.aftHelper) {
|
|
5678
5678
|
this.aftHelper.nodeSid = nodeSid;
|
|
5679
|
-
logger$
|
|
5679
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5680
5680
|
new_sid: nodeSid,
|
|
5681
5681
|
});
|
|
5682
5682
|
}
|
|
@@ -5684,14 +5684,14 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5684
5684
|
async initializeAftHelper(node) {
|
|
5685
5685
|
const nodeSid = node.sid;
|
|
5686
5686
|
if (!nodeSid) {
|
|
5687
|
-
logger$
|
|
5687
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_sid", {
|
|
5688
5688
|
node_id: node.id ?? "unknown",
|
|
5689
5689
|
});
|
|
5690
5690
|
return;
|
|
5691
5691
|
}
|
|
5692
5692
|
const cryptoProvider = node.cryptoProvider ?? null;
|
|
5693
5693
|
if (!cryptoProvider) {
|
|
5694
|
-
logger$
|
|
5694
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_crypto_provider", {
|
|
5695
5695
|
node_id: node.id ?? "unknown",
|
|
5696
5696
|
});
|
|
5697
5697
|
return;
|
|
@@ -5704,7 +5704,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5704
5704
|
? cryptoProvider.signingPrivatePem
|
|
5705
5705
|
: null;
|
|
5706
5706
|
if (this.securityLevel === exports.StickinessMode.STRICT && !privateKeyPem) {
|
|
5707
|
-
logger$
|
|
5707
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5708
5708
|
node_id: node.id ?? "unknown",
|
|
5709
5709
|
error: "Missing signing private key for strict security level",
|
|
5710
5710
|
});
|
|
@@ -5720,7 +5720,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5720
5720
|
});
|
|
5721
5721
|
this.aftHelper = helper;
|
|
5722
5722
|
this.isInitialized = true;
|
|
5723
|
-
logger$
|
|
5723
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5724
5724
|
node_id: node.id ?? "unknown",
|
|
5725
5725
|
node_sid: nodeSid,
|
|
5726
5726
|
key_id: keyId,
|
|
@@ -5728,7 +5728,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5728
5728
|
});
|
|
5729
5729
|
}
|
|
5730
5730
|
catch (error) {
|
|
5731
|
-
logger$
|
|
5731
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5732
5732
|
node_id: node.id ?? "unknown",
|
|
5733
5733
|
error: error instanceof Error ? error.message : String(error),
|
|
5734
5734
|
});
|
|
@@ -5798,7 +5798,7 @@ var aftReplicaStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5798
5798
|
default: AFTReplicaStickinessManagerFactory
|
|
5799
5799
|
});
|
|
5800
5800
|
|
|
5801
|
-
const logger$
|
|
5801
|
+
const logger$2 = runtime.getLogger("naylence.fame.welcome.advanced_welcome_service");
|
|
5802
5802
|
const ENV_VAR_SHOW_ENVELOPES = "FAME_SHOW_ENVELOPES";
|
|
5803
5803
|
const DEFAULT_TTL_SEC = 3600;
|
|
5804
5804
|
const showEnvelopes = typeof process !== "undefined" &&
|
|
@@ -5841,7 +5841,7 @@ class AdvancedWelcomeService {
|
|
|
5841
5841
|
typeof options.ttlSec === "number" && Number.isFinite(options.ttlSec)
|
|
5842
5842
|
? Math.max(0, options.ttlSec)
|
|
5843
5843
|
: DEFAULT_TTL_SEC;
|
|
5844
|
-
logger$
|
|
5844
|
+
logger$2.debug("initialized_advanced_welcome_service", {
|
|
5845
5845
|
ca_service_url: this.caServiceUrl,
|
|
5846
5846
|
ttl_sec: this.ttlSec,
|
|
5847
5847
|
});
|
|
@@ -5861,7 +5861,7 @@ class AdvancedWelcomeService {
|
|
|
5861
5861
|
// eslint-disable-next-line no-console
|
|
5862
5862
|
console.log(`\n${formatTimestampForConsole()} - ${runtime.color("Received envelope 📨", runtime.AnsiColor.BLUE)}\n${prettyModel(normalizedHello)}`);
|
|
5863
5863
|
}
|
|
5864
|
-
logger$
|
|
5864
|
+
logger$2.debug("starting_hello_frame_processing", {
|
|
5865
5865
|
instanceId: normalizedHello.instanceId,
|
|
5866
5866
|
systemId,
|
|
5867
5867
|
logicals: normalizedHello.logicals,
|
|
@@ -5878,35 +5878,35 @@ class AdvancedWelcomeService {
|
|
|
5878
5878
|
fullMetadata.instance_id = normalizedHello.instanceId;
|
|
5879
5879
|
}
|
|
5880
5880
|
}
|
|
5881
|
-
logger$
|
|
5881
|
+
logger$2.debug("system_id_assignment_completed", {
|
|
5882
5882
|
systemId,
|
|
5883
5883
|
wasAssigned,
|
|
5884
5884
|
});
|
|
5885
5885
|
if (normalizedHello.logicals?.length) {
|
|
5886
|
-
logger$
|
|
5886
|
+
logger$2.debug("validating_logicals_for_dns_compatibility", {
|
|
5887
5887
|
logicals: normalizedHello.logicals,
|
|
5888
5888
|
});
|
|
5889
5889
|
const [pathsValid, pathError] = runtime.validateHostLogicals(normalizedHello.logicals);
|
|
5890
5890
|
if (!pathsValid) {
|
|
5891
|
-
logger$
|
|
5891
|
+
logger$2.error("logical_validation_failed", {
|
|
5892
5892
|
error: pathError,
|
|
5893
5893
|
logicals: normalizedHello.logicals,
|
|
5894
5894
|
});
|
|
5895
5895
|
throw new Error(`Invalid logical format: ${pathError}`);
|
|
5896
5896
|
}
|
|
5897
|
-
logger$
|
|
5897
|
+
logger$2.debug("logicals_validation_successful");
|
|
5898
5898
|
}
|
|
5899
|
-
logger$
|
|
5899
|
+
logger$2.debug("requesting_node_placement", { systemId });
|
|
5900
5900
|
const placementResult = await this.placementStrategy.place(normalizedHello);
|
|
5901
5901
|
if (!placementResult.accept) {
|
|
5902
|
-
logger$
|
|
5902
|
+
logger$2.error("node_placement_rejected", {
|
|
5903
5903
|
systemId,
|
|
5904
5904
|
reason: placementResult.reason,
|
|
5905
5905
|
});
|
|
5906
5906
|
throw new Error(placementResult.reason || "Node not accepted");
|
|
5907
5907
|
}
|
|
5908
5908
|
const assignedPath = placementResult.assignedPath;
|
|
5909
|
-
logger$
|
|
5909
|
+
logger$2.debug("node_placement_accepted", {
|
|
5910
5910
|
systemId,
|
|
5911
5911
|
assignedPath,
|
|
5912
5912
|
targetPhysicalPath: placementResult.targetPhysicalPath ?? null,
|
|
@@ -5918,7 +5918,7 @@ class AdvancedWelcomeService {
|
|
|
5918
5918
|
const acceptedLogicals = coercePlacementMetadataValue(placementResult.metadata, "acceptedLogicals", "accepted_logicals") ??
|
|
5919
5919
|
normalizedHello.logicals ??
|
|
5920
5920
|
null;
|
|
5921
|
-
logger$
|
|
5921
|
+
logger$2.debug("processing_placement_result_metadata", {
|
|
5922
5922
|
acceptedCapabilities,
|
|
5923
5923
|
acceptedLogicals,
|
|
5924
5924
|
hasPlacementMetadata: placementResult.metadata !== undefined &&
|
|
@@ -5932,7 +5932,7 @@ class AdvancedWelcomeService {
|
|
|
5932
5932
|
normalizedHello.instanceId ||
|
|
5933
5933
|
core.generateId();
|
|
5934
5934
|
if (placementResult.targetSystemId) {
|
|
5935
|
-
logger$
|
|
5935
|
+
logger$2.debug("issuing_node_attach_token", {
|
|
5936
5936
|
systemId,
|
|
5937
5937
|
assignedPath,
|
|
5938
5938
|
});
|
|
@@ -5944,10 +5944,10 @@ class AdvancedWelcomeService {
|
|
|
5944
5944
|
accepted_logicals: acceptedLogicals,
|
|
5945
5945
|
instance_id: metadataInstanceId,
|
|
5946
5946
|
});
|
|
5947
|
-
logger$
|
|
5948
|
-
logger$
|
|
5947
|
+
logger$2.debug("token_issued_successfully");
|
|
5948
|
+
logger$2.debug("provisioning_transport", { systemId });
|
|
5949
5949
|
const transportInfo = await this.transportProvisioner.provision(placementResult, normalizedHello, fullMetadata, nodeAttachToken);
|
|
5950
|
-
logger$
|
|
5950
|
+
logger$2.debug("transport_provisioned_successfully", {
|
|
5951
5951
|
systemId,
|
|
5952
5952
|
directiveType: transportInfo.connectionGrant &&
|
|
5953
5953
|
typeof transportInfo.connectionGrant === "object"
|
|
@@ -5991,7 +5991,7 @@ class AdvancedWelcomeService {
|
|
|
5991
5991
|
metadata: Object.keys(fullMetadata).length > 0 ? fullMetadata : undefined,
|
|
5992
5992
|
expiresAt: expiry.toISOString(),
|
|
5993
5993
|
};
|
|
5994
|
-
logger$
|
|
5994
|
+
logger$2.debug("hello_frame_processing_completed_successfully", {
|
|
5995
5995
|
systemId,
|
|
5996
5996
|
assignedPath,
|
|
5997
5997
|
acceptedLogicals,
|
|
@@ -7678,7 +7678,7 @@ function encodeBitString(signature) {
|
|
|
7678
7678
|
return result.buffer;
|
|
7679
7679
|
}
|
|
7680
7680
|
|
|
7681
|
-
const logger = runtime.getLogger("naylence.fame.security.cert.default_certificate_manager");
|
|
7681
|
+
const logger$1 = runtime.getLogger("naylence.fame.security.cert.default_certificate_manager");
|
|
7682
7682
|
const CONNECTION_GRANTS_CAMEL = "connectionGrants";
|
|
7683
7683
|
const CONNECTION_GRANTS_SNAKE = "connection_grants";
|
|
7684
7684
|
class DefaultCertificateManager {
|
|
@@ -7707,7 +7707,7 @@ class DefaultCertificateManager {
|
|
|
7707
7707
|
this.prepareProviderContext(node);
|
|
7708
7708
|
const requiresCertificate = this.requiresCertificates();
|
|
7709
7709
|
if (requiresCertificate) {
|
|
7710
|
-
logger.debug("node_certificate_required_on_start", {
|
|
7710
|
+
logger$1.debug("node_certificate_required_on_start", {
|
|
7711
7711
|
node_id: node.id,
|
|
7712
7712
|
physical_path: node.physicalPath,
|
|
7713
7713
|
has_parent: node.hasParent,
|
|
@@ -7721,7 +7721,7 @@ class DefaultCertificateManager {
|
|
|
7721
7721
|
const welcomeFrame = this.pendingWelcomeFrame ?? fallbackWelcome;
|
|
7722
7722
|
const success = await this.ensureCertificate(welcomeFrame, this.caServiceUrl ? { caServiceUrl: this.caServiceUrl } : undefined);
|
|
7723
7723
|
if (!success) {
|
|
7724
|
-
logger.warning("node_certificate_unavailable_on_start", {
|
|
7724
|
+
logger$1.warning("node_certificate_unavailable_on_start", {
|
|
7725
7725
|
node_id: node.id,
|
|
7726
7726
|
physical_path: node.physicalPath,
|
|
7727
7727
|
message: "Certificate provisioning was requested but did not complete",
|
|
@@ -7735,7 +7735,7 @@ class DefaultCertificateManager {
|
|
|
7735
7735
|
async onWelcome(welcomeFrame) {
|
|
7736
7736
|
const requiresCertificate = this.requiresCertificates(welcomeFrame);
|
|
7737
7737
|
if (!requiresCertificate) {
|
|
7738
|
-
logger.debug("welcome_does_not_require_certificate", {
|
|
7738
|
+
logger$1.debug("welcome_does_not_require_certificate", {
|
|
7739
7739
|
system_id: welcomeFrame.systemId ?? null,
|
|
7740
7740
|
});
|
|
7741
7741
|
this.pendingWelcomeFrame = null;
|
|
@@ -7746,14 +7746,14 @@ class DefaultCertificateManager {
|
|
|
7746
7746
|
return;
|
|
7747
7747
|
}
|
|
7748
7748
|
if (!this.node) {
|
|
7749
|
-
logger.debug("certificate_provisioning_deferred_until_node_start", {
|
|
7749
|
+
logger$1.debug("certificate_provisioning_deferred_until_node_start", {
|
|
7750
7750
|
system_id: welcomeFrame.systemId ?? null,
|
|
7751
7751
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7752
7752
|
});
|
|
7753
7753
|
return;
|
|
7754
7754
|
}
|
|
7755
7755
|
const nodeId = welcomeFrame.systemId ?? "unknown";
|
|
7756
|
-
logger.warning("certificate_provisioning_not_completed", {
|
|
7756
|
+
logger$1.warning("certificate_provisioning_not_completed", {
|
|
7757
7757
|
node_id: nodeId,
|
|
7758
7758
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7759
7759
|
message: "Continuing without a provisioned certificate (development mode)",
|
|
@@ -7769,13 +7769,13 @@ class DefaultCertificateManager {
|
|
|
7769
7769
|
const cryptoProvider = this.resolveCryptoProvider();
|
|
7770
7770
|
if (!cryptoProvider) {
|
|
7771
7771
|
if (!this.node) {
|
|
7772
|
-
logger.debug("crypto_provider_pending_node_start", {
|
|
7772
|
+
logger$1.debug("crypto_provider_pending_node_start", {
|
|
7773
7773
|
system_id: welcomeFrame.systemId ?? null,
|
|
7774
7774
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7775
7775
|
});
|
|
7776
7776
|
}
|
|
7777
7777
|
else {
|
|
7778
|
-
logger.error("crypto_provider_unavailable_for_certificate", {
|
|
7778
|
+
logger$1.error("crypto_provider_unavailable_for_certificate", {
|
|
7779
7779
|
system_id: welcomeFrame.systemId ?? null,
|
|
7780
7780
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7781
7781
|
});
|
|
@@ -7794,7 +7794,7 @@ class DefaultCertificateManager {
|
|
|
7794
7794
|
const connectionGrants = readFrameValue(welcomeFrame, CONNECTION_GRANTS_CAMEL, CONNECTION_GRANTS_SNAKE);
|
|
7795
7795
|
const caSignGrant = this.getCaSignGrant(connectionGrants);
|
|
7796
7796
|
if (!caSignGrant) {
|
|
7797
|
-
logger.warning("welcome_frame_missing_ca_sign_grant", {
|
|
7797
|
+
logger$1.warning("welcome_frame_missing_ca_sign_grant", {
|
|
7798
7798
|
system_id: nodeId,
|
|
7799
7799
|
grant_count: Array.isArray(connectionGrants)
|
|
7800
7800
|
? connectionGrants.length
|
|
@@ -7805,7 +7805,7 @@ class DefaultCertificateManager {
|
|
|
7805
7805
|
if (caSignGrant) {
|
|
7806
7806
|
material = await this.requestCertificateFromCa(cryptoProvider, welcomeFrame, caSignGrant, options);
|
|
7807
7807
|
if (!material) {
|
|
7808
|
-
logger.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
7808
|
+
logger$1.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
7809
7809
|
system_id: nodeId,
|
|
7810
7810
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl ?? caSignGrant.url,
|
|
7811
7811
|
});
|
|
@@ -7815,13 +7815,13 @@ class DefaultCertificateManager {
|
|
|
7815
7815
|
material = await this.resolveCertificateMaterialFromInjectedSources(cryptoProvider, nodeId);
|
|
7816
7816
|
}
|
|
7817
7817
|
if (!material) {
|
|
7818
|
-
logger.debug("attempting_certificate_resolution_from_environment", {
|
|
7818
|
+
logger$1.debug("attempting_certificate_resolution_from_environment", {
|
|
7819
7819
|
system_id: nodeId,
|
|
7820
7820
|
});
|
|
7821
7821
|
material = await resolveCertificateMaterialFromEnvironment();
|
|
7822
7822
|
}
|
|
7823
7823
|
if (!material) {
|
|
7824
|
-
logger.warning("certificate_material_not_found", {
|
|
7824
|
+
logger$1.warning("certificate_material_not_found", {
|
|
7825
7825
|
system_id: nodeId,
|
|
7826
7826
|
assigned_path: readFrameString(welcomeFrame, "assignedPath", "assigned_path"),
|
|
7827
7827
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl,
|
|
@@ -7830,7 +7830,7 @@ class DefaultCertificateManager {
|
|
|
7830
7830
|
}
|
|
7831
7831
|
const stored = await this.storeCertificateMaterial(cryptoProvider, material, nodeId);
|
|
7832
7832
|
if (!stored) {
|
|
7833
|
-
logger.warning("certificate_storage_not_supported", {
|
|
7833
|
+
logger$1.warning("certificate_storage_not_supported", {
|
|
7834
7834
|
system_id: nodeId,
|
|
7835
7835
|
});
|
|
7836
7836
|
return false;
|
|
@@ -7839,7 +7839,7 @@ class DefaultCertificateManager {
|
|
|
7839
7839
|
if (!validated) {
|
|
7840
7840
|
return false;
|
|
7841
7841
|
}
|
|
7842
|
-
logger.debug("certificate_material_applied", {
|
|
7842
|
+
logger$1.debug("certificate_material_applied", {
|
|
7843
7843
|
system_id: nodeId,
|
|
7844
7844
|
has_chain: Boolean(material.certificateChainPem),
|
|
7845
7845
|
});
|
|
@@ -7902,12 +7902,12 @@ class DefaultCertificateManager {
|
|
|
7902
7902
|
}
|
|
7903
7903
|
const validated = await this.validateProviderCertificate(provider, nodeId);
|
|
7904
7904
|
if (!validated) {
|
|
7905
|
-
logger.error("existing_certificate_validation_failed", {
|
|
7905
|
+
logger$1.error("existing_certificate_validation_failed", {
|
|
7906
7906
|
node_id: nodeId,
|
|
7907
7907
|
});
|
|
7908
7908
|
return false;
|
|
7909
7909
|
}
|
|
7910
|
-
logger.debug("existing_certificate_validated", {
|
|
7910
|
+
logger$1.debug("existing_certificate_validated", {
|
|
7911
7911
|
node_id: nodeId,
|
|
7912
7912
|
});
|
|
7913
7913
|
return true;
|
|
@@ -7915,7 +7915,7 @@ class DefaultCertificateManager {
|
|
|
7915
7915
|
async resolveCertificateMaterialFromInjectedSources(provider, nodeId) {
|
|
7916
7916
|
const providerMaterial = await this.resolveCertificateMaterialFromProvider(provider, nodeId);
|
|
7917
7917
|
if (providerMaterial) {
|
|
7918
|
-
logger.debug("certificate_material_resolved_from_provider", {
|
|
7918
|
+
logger$1.debug("certificate_material_resolved_from_provider", {
|
|
7919
7919
|
system_id: nodeId,
|
|
7920
7920
|
});
|
|
7921
7921
|
return providerMaterial;
|
|
@@ -7924,14 +7924,14 @@ class DefaultCertificateManager {
|
|
|
7924
7924
|
try {
|
|
7925
7925
|
const material = await this.certificateMaterialResolver();
|
|
7926
7926
|
if (material) {
|
|
7927
|
-
logger.debug("certificate_material_resolved_from_options", {
|
|
7927
|
+
logger$1.debug("certificate_material_resolved_from_options", {
|
|
7928
7928
|
system_id: nodeId,
|
|
7929
7929
|
});
|
|
7930
7930
|
return material;
|
|
7931
7931
|
}
|
|
7932
7932
|
}
|
|
7933
7933
|
catch (error) {
|
|
7934
|
-
logger.debug("certificate_material_option_resolution_failed", {
|
|
7934
|
+
logger$1.debug("certificate_material_option_resolution_failed", {
|
|
7935
7935
|
system_id: nodeId,
|
|
7936
7936
|
error: error instanceof Error ? error.message : String(error),
|
|
7937
7937
|
});
|
|
@@ -7948,7 +7948,7 @@ class DefaultCertificateManager {
|
|
|
7948
7948
|
return normalizeCertificateMaterial(material ?? null);
|
|
7949
7949
|
}
|
|
7950
7950
|
catch (error) {
|
|
7951
|
-
logger.debug("provider_certificate_material_resolution_failed", {
|
|
7951
|
+
logger$1.debug("provider_certificate_material_resolution_failed", {
|
|
7952
7952
|
system_id: nodeId,
|
|
7953
7953
|
error: error instanceof Error ? error.message : String(error),
|
|
7954
7954
|
});
|
|
@@ -7970,7 +7970,7 @@ class DefaultCertificateManager {
|
|
|
7970
7970
|
}
|
|
7971
7971
|
const url = readRecordString(grantRecord, "url", "baseUrl", "base_url");
|
|
7972
7972
|
if (!url) {
|
|
7973
|
-
logger.warning("ca_sign_grant_missing_url", {
|
|
7973
|
+
logger$1.warning("ca_sign_grant_missing_url", {
|
|
7974
7974
|
grant_keys: Object.keys(grantRecord),
|
|
7975
7975
|
});
|
|
7976
7976
|
continue;
|
|
@@ -7989,12 +7989,12 @@ class DefaultCertificateManager {
|
|
|
7989
7989
|
? provider.signatureKeyId
|
|
7990
7990
|
: null);
|
|
7991
7991
|
if (!nodeId) {
|
|
7992
|
-
logger.warning("certificate_request_missing_node_id");
|
|
7992
|
+
logger$1.warning("certificate_request_missing_node_id");
|
|
7993
7993
|
return null;
|
|
7994
7994
|
}
|
|
7995
7995
|
const physicalPath = readFrameString(welcomeFrame, "assignedPath", "assigned_path");
|
|
7996
7996
|
if (!physicalPath) {
|
|
7997
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
7997
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
7998
7998
|
node_id: nodeId,
|
|
7999
7999
|
});
|
|
8000
8000
|
return null;
|
|
@@ -8008,7 +8008,7 @@ class DefaultCertificateManager {
|
|
|
8008
8008
|
}
|
|
8009
8009
|
const caServiceUrl = options?.caServiceUrl ?? this.caServiceUrl ?? grant.url;
|
|
8010
8010
|
if (!caServiceUrl) {
|
|
8011
|
-
logger.error("ca_service_url_unavailable", {
|
|
8011
|
+
logger$1.error("ca_service_url_unavailable", {
|
|
8012
8012
|
node_id: nodeId,
|
|
8013
8013
|
});
|
|
8014
8014
|
return null;
|
|
@@ -8021,7 +8021,7 @@ class DefaultCertificateManager {
|
|
|
8021
8021
|
authStrategy = await this.createAuthStrategyForGrant(grant);
|
|
8022
8022
|
}
|
|
8023
8023
|
catch (error) {
|
|
8024
|
-
logger.error("ca_sign_auth_strategy_creation_failed", {
|
|
8024
|
+
logger$1.error("ca_sign_auth_strategy_creation_failed", {
|
|
8025
8025
|
node_id: nodeId,
|
|
8026
8026
|
error: error instanceof Error ? error.message : String(error),
|
|
8027
8027
|
});
|
|
@@ -8033,7 +8033,7 @@ class DefaultCertificateManager {
|
|
|
8033
8033
|
await authStrategy.apply(client);
|
|
8034
8034
|
}
|
|
8035
8035
|
const [certificatePem, certificateChainPem] = await client.requestCertificate(csrPem, nodeId, physicalPath, logicals);
|
|
8036
|
-
logger.debug("certificate_received_from_ca_service", {
|
|
8036
|
+
logger$1.debug("certificate_received_from_ca_service", {
|
|
8037
8037
|
node_id: nodeId,
|
|
8038
8038
|
has_chain: Boolean(certificateChainPem),
|
|
8039
8039
|
ca_service_url: caServiceUrl,
|
|
@@ -8045,13 +8045,13 @@ class DefaultCertificateManager {
|
|
|
8045
8045
|
}
|
|
8046
8046
|
catch (error) {
|
|
8047
8047
|
if (error instanceof CertificateRequestError) {
|
|
8048
|
-
logger.error("certificate_request_failed", {
|
|
8048
|
+
logger$1.error("certificate_request_failed", {
|
|
8049
8049
|
node_id: nodeId,
|
|
8050
8050
|
error: error.message,
|
|
8051
8051
|
});
|
|
8052
8052
|
}
|
|
8053
8053
|
else {
|
|
8054
|
-
logger.error("certificate_request_unhandled_error", {
|
|
8054
|
+
logger$1.error("certificate_request_unhandled_error", {
|
|
8055
8055
|
node_id: nodeId,
|
|
8056
8056
|
error: error instanceof Error ? error.message : String(error),
|
|
8057
8057
|
});
|
|
@@ -8064,7 +8064,7 @@ class DefaultCertificateManager {
|
|
|
8064
8064
|
await authStrategy.cleanup();
|
|
8065
8065
|
}
|
|
8066
8066
|
catch (cleanupError) {
|
|
8067
|
-
logger.debug("auth_strategy_cleanup_failed", {
|
|
8067
|
+
logger$1.debug("auth_strategy_cleanup_failed", {
|
|
8068
8068
|
error: cleanupError instanceof Error
|
|
8069
8069
|
? cleanupError.message
|
|
8070
8070
|
: String(cleanupError),
|
|
@@ -8087,14 +8087,14 @@ class DefaultCertificateManager {
|
|
|
8087
8087
|
async validateProviderCertificate(provider, nodeId) {
|
|
8088
8088
|
const { pem: trustStorePem, reason } = await this.resolveTrustStorePemValue(provider, nodeId);
|
|
8089
8089
|
if (!trustStorePem) {
|
|
8090
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8090
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8091
8091
|
node_id: nodeId,
|
|
8092
8092
|
reason: reason ?? "trust_store_unavailable",
|
|
8093
8093
|
});
|
|
8094
8094
|
return false;
|
|
8095
8095
|
}
|
|
8096
8096
|
if (typeof provider.nodeJwk !== "function") {
|
|
8097
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8097
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8098
8098
|
node_id: nodeId,
|
|
8099
8099
|
reason: "crypto_provider_lacks_node_jwk",
|
|
8100
8100
|
});
|
|
@@ -8105,7 +8105,7 @@ class DefaultCertificateManager {
|
|
|
8105
8105
|
jwk = provider.nodeJwk() ?? null;
|
|
8106
8106
|
}
|
|
8107
8107
|
catch (error) {
|
|
8108
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8108
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8109
8109
|
node_id: nodeId,
|
|
8110
8110
|
reason: "node_jwk_retrieval_failed",
|
|
8111
8111
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -8113,7 +8113,7 @@ class DefaultCertificateManager {
|
|
|
8113
8113
|
return false;
|
|
8114
8114
|
}
|
|
8115
8115
|
if (!jwk) {
|
|
8116
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8116
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8117
8117
|
node_id: nodeId,
|
|
8118
8118
|
reason: "node_jwk_missing",
|
|
8119
8119
|
});
|
|
@@ -8123,7 +8123,7 @@ class DefaultCertificateManager {
|
|
|
8123
8123
|
if (!Array.isArray(x5c) ||
|
|
8124
8124
|
x5c.length === 0 ||
|
|
8125
8125
|
x5c.some((entry) => typeof entry !== "string")) {
|
|
8126
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8126
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8127
8127
|
node_id: nodeId,
|
|
8128
8128
|
reason: "invalid_certificate_chain",
|
|
8129
8129
|
});
|
|
@@ -8137,19 +8137,19 @@ class DefaultCertificateManager {
|
|
|
8137
8137
|
strict: false,
|
|
8138
8138
|
});
|
|
8139
8139
|
if (!result.isValid) {
|
|
8140
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8140
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8141
8141
|
node_id: nodeId,
|
|
8142
8142
|
reason: result.error ?? "validation_failed",
|
|
8143
8143
|
});
|
|
8144
8144
|
return false;
|
|
8145
8145
|
}
|
|
8146
|
-
logger.debug("certificate_chain_validation_successful", {
|
|
8146
|
+
logger$1.debug("certificate_chain_validation_successful", {
|
|
8147
8147
|
node_id: nodeId,
|
|
8148
8148
|
});
|
|
8149
8149
|
return true;
|
|
8150
8150
|
}
|
|
8151
8151
|
catch (error) {
|
|
8152
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8152
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8153
8153
|
node_id: nodeId,
|
|
8154
8154
|
reason: "validation_error",
|
|
8155
8155
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -8160,7 +8160,7 @@ class DefaultCertificateManager {
|
|
|
8160
8160
|
async resolveTrustStorePemValue(provider, nodeId) {
|
|
8161
8161
|
const providerPem = await this.resolveTrustStorePemFromProvider(provider, nodeId);
|
|
8162
8162
|
if (providerPem) {
|
|
8163
|
-
logger.debug("trust_store_resolved_from_provider", {
|
|
8163
|
+
logger$1.debug("trust_store_resolved_from_provider", {
|
|
8164
8164
|
node_id: nodeId,
|
|
8165
8165
|
});
|
|
8166
8166
|
return { pem: providerPem };
|
|
@@ -8170,14 +8170,14 @@ class DefaultCertificateManager {
|
|
|
8170
8170
|
const pem = await this.trustStorePemResolver();
|
|
8171
8171
|
const normalized = normalizePemOrNull(pem);
|
|
8172
8172
|
if (normalized) {
|
|
8173
|
-
logger.debug("trust_store_resolved_from_options", {
|
|
8173
|
+
logger$1.debug("trust_store_resolved_from_options", {
|
|
8174
8174
|
node_id: nodeId,
|
|
8175
8175
|
});
|
|
8176
8176
|
return { pem: normalized };
|
|
8177
8177
|
}
|
|
8178
8178
|
}
|
|
8179
8179
|
catch (error) {
|
|
8180
|
-
logger.debug("trust_store_option_resolution_failed", {
|
|
8180
|
+
logger$1.debug("trust_store_option_resolution_failed", {
|
|
8181
8181
|
node_id: nodeId,
|
|
8182
8182
|
error: error instanceof Error ? error.message : String(error),
|
|
8183
8183
|
});
|
|
@@ -8198,7 +8198,7 @@ class DefaultCertificateManager {
|
|
|
8198
8198
|
return normalizePemOrNull(pem);
|
|
8199
8199
|
}
|
|
8200
8200
|
catch (error) {
|
|
8201
|
-
logger.debug("provider_trust_store_resolution_failed", {
|
|
8201
|
+
logger$1.debug("provider_trust_store_resolution_failed", {
|
|
8202
8202
|
node_id: nodeId,
|
|
8203
8203
|
error: error instanceof Error ? error.message : String(error),
|
|
8204
8204
|
});
|
|
@@ -8213,7 +8213,7 @@ class DefaultCertificateManager {
|
|
|
8213
8213
|
stored = true;
|
|
8214
8214
|
}
|
|
8215
8215
|
catch (error) {
|
|
8216
|
-
logger.warning("failed_to_store_certificate", {
|
|
8216
|
+
logger$1.warning("failed_to_store_certificate", {
|
|
8217
8217
|
error: error instanceof Error ? error.message : String(error),
|
|
8218
8218
|
});
|
|
8219
8219
|
}
|
|
@@ -8231,7 +8231,7 @@ class DefaultCertificateManager {
|
|
|
8231
8231
|
stored = true;
|
|
8232
8232
|
}
|
|
8233
8233
|
catch (error) {
|
|
8234
|
-
logger.debug("certificate_persistence_hook_failed", {
|
|
8234
|
+
logger$1.debug("certificate_persistence_hook_failed", {
|
|
8235
8235
|
node_id: nodeId,
|
|
8236
8236
|
error: error instanceof Error ? error.message : String(error),
|
|
8237
8237
|
});
|
|
@@ -8242,7 +8242,7 @@ class DefaultCertificateManager {
|
|
|
8242
8242
|
async buildCertificateSigningRequest(provider, nodeId, physicalPath, logicals) {
|
|
8243
8243
|
const trimmedPath = physicalPath.trim();
|
|
8244
8244
|
if (!trimmedPath) {
|
|
8245
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
8245
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
8246
8246
|
node_id: nodeId,
|
|
8247
8247
|
});
|
|
8248
8248
|
return null;
|
|
@@ -8251,7 +8251,7 @@ class DefaultCertificateManager {
|
|
|
8251
8251
|
const privateKeyPem = pemSource.signingPrivatePem?.trim() ?? "";
|
|
8252
8252
|
const publicKeyPem = pemSource.signingPublicPem?.trim() ?? "";
|
|
8253
8253
|
if (!privateKeyPem || !publicKeyPem) {
|
|
8254
|
-
logger.error("crypto_provider_missing_signing_material", {
|
|
8254
|
+
logger$1.error("crypto_provider_missing_signing_material", {
|
|
8255
8255
|
node_id: nodeId,
|
|
8256
8256
|
has_private: Boolean(privateKeyPem),
|
|
8257
8257
|
has_public: Boolean(publicKeyPem),
|
|
@@ -8269,7 +8269,7 @@ class DefaultCertificateManager {
|
|
|
8269
8269
|
return csrPem;
|
|
8270
8270
|
}
|
|
8271
8271
|
catch (error) {
|
|
8272
|
-
logger.error("csr_generation_failed", {
|
|
8272
|
+
logger$1.error("csr_generation_failed", {
|
|
8273
8273
|
node_id: nodeId,
|
|
8274
8274
|
error: error instanceof Error ? error.message : String(error),
|
|
8275
8275
|
});
|
|
@@ -8353,7 +8353,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
8353
8353
|
return null;
|
|
8354
8354
|
}
|
|
8355
8355
|
if (!isNodeProcess()) {
|
|
8356
|
-
logger.debug("pem_file_unavailable_in_browser", {
|
|
8356
|
+
logger$1.debug("pem_file_unavailable_in_browser", {
|
|
8357
8357
|
env_var: fileVar,
|
|
8358
8358
|
});
|
|
8359
8359
|
return null;
|
|
@@ -8364,7 +8364,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
8364
8364
|
return normalizePemOrNull(content);
|
|
8365
8365
|
}
|
|
8366
8366
|
catch (error) {
|
|
8367
|
-
logger.warning("failed_to_read_certificate_file", {
|
|
8367
|
+
logger$1.warning("failed_to_read_certificate_file", {
|
|
8368
8368
|
file: filePath,
|
|
8369
8369
|
error: error instanceof Error ? error.message : String(error),
|
|
8370
8370
|
});
|
|
@@ -8395,7 +8395,7 @@ function providerHasCertificate(provider) {
|
|
|
8395
8395
|
return Boolean(provider.hasCertificate());
|
|
8396
8396
|
}
|
|
8397
8397
|
catch (error) {
|
|
8398
|
-
logger.debug("has_certificate_check_failed", {
|
|
8398
|
+
logger$1.debug("has_certificate_check_failed", {
|
|
8399
8399
|
error: error instanceof Error ? error.message : String(error),
|
|
8400
8400
|
});
|
|
8401
8401
|
}
|
|
@@ -8405,7 +8405,7 @@ function providerHasCertificate(provider) {
|
|
|
8405
8405
|
return Boolean(provider.nodeCertificatePem());
|
|
8406
8406
|
}
|
|
8407
8407
|
catch (error) {
|
|
8408
|
-
logger.debug("node_certificate_check_failed", {
|
|
8408
|
+
logger$1.debug("node_certificate_check_failed", {
|
|
8409
8409
|
error: error instanceof Error ? error.message : String(error),
|
|
8410
8410
|
});
|
|
8411
8411
|
}
|
|
@@ -8459,7 +8459,7 @@ function normalizeAuthConfig(candidate) {
|
|
|
8459
8459
|
}
|
|
8460
8460
|
const normalized = candidate;
|
|
8461
8461
|
if (!normalized.type || typeof normalized.type !== "string") {
|
|
8462
|
-
logger.warning("auth_strategy_missing_type", {
|
|
8462
|
+
logger$1.warning("auth_strategy_missing_type", {
|
|
8463
8463
|
provided_keys: Object.keys(candidate),
|
|
8464
8464
|
});
|
|
8465
8465
|
return null;
|
|
@@ -8477,7 +8477,7 @@ async function resolveTrustStorePemFromEnvironment() {
|
|
|
8477
8477
|
}
|
|
8478
8478
|
catch (error) {
|
|
8479
8479
|
const message = error instanceof Error ? error.message : String(error);
|
|
8480
|
-
logger.debug("trust_store_provider_resolution_failed", {
|
|
8480
|
+
logger$1.debug("trust_store_provider_resolution_failed", {
|
|
8481
8481
|
error: message,
|
|
8482
8482
|
});
|
|
8483
8483
|
return null;
|
|
@@ -8672,16 +8672,7 @@ function bytesToUtf8$1(data) {
|
|
|
8672
8672
|
|
|
8673
8673
|
const DEFAULT_REFRESH_INTERVAL_MS = 86400000; // 24 hours
|
|
8674
8674
|
const MIN_REFRESH_INTERVAL_MS = 60000; // 1 minute
|
|
8675
|
-
const
|
|
8676
|
-
debug: (...args) => {
|
|
8677
|
-
if (!isProductionEnvironment()) {
|
|
8678
|
-
console.debug("[trust-bundle]", ...args);
|
|
8679
|
-
}
|
|
8680
|
-
},
|
|
8681
|
-
warn: (...args) => {
|
|
8682
|
-
console.warn("[trust-bundle]", ...args);
|
|
8683
|
-
},
|
|
8684
|
-
};
|
|
8675
|
+
const logger = runtime.getLogger("naylence.fame.security.cert.trust_store.http_bundle_provider");
|
|
8685
8676
|
function isTruthyFlag(value) {
|
|
8686
8677
|
if (typeof value === "boolean") {
|
|
8687
8678
|
return value;
|
|
@@ -8734,7 +8725,7 @@ class HttpBundleProvider {
|
|
|
8734
8725
|
if (!(this.allowInsecureHttp && devMode && isLoopbackHost)) {
|
|
8735
8726
|
throw new Error("Trust bundle URL must use HTTPS (set allowInsecureHttp or FAME_TRUST_BUNDLE_ALLOW_HTTP for dev-only http)");
|
|
8736
8727
|
}
|
|
8737
|
-
|
|
8728
|
+
logger.warning("allowing_insecure_trust_bundle_url", {
|
|
8738
8729
|
url: parsed.toString(),
|
|
8739
8730
|
devMode,
|
|
8740
8731
|
isLoopbackHost,
|
|
@@ -8766,7 +8757,9 @@ class HttpBundleProvider {
|
|
|
8766
8757
|
if (stale || !this.anchors) {
|
|
8767
8758
|
this.inflight = this.fetchLatest()
|
|
8768
8759
|
.catch((error) => {
|
|
8769
|
-
|
|
8760
|
+
logger.warning("trust_bundle_refresh_failed", {
|
|
8761
|
+
error: error instanceof Error ? error.message : String(error),
|
|
8762
|
+
});
|
|
8770
8763
|
if (this.anchors) {
|
|
8771
8764
|
return this.anchors;
|
|
8772
8765
|
}
|
|
@@ -8806,14 +8799,16 @@ class HttpBundleProvider {
|
|
|
8806
8799
|
const cached = await loadCache(this.cacheKey);
|
|
8807
8800
|
if (cached) {
|
|
8808
8801
|
this.applyCachedEntry(cached);
|
|
8809
|
-
|
|
8802
|
+
logger.debug("loaded_trust_bundle_from_cache", {
|
|
8810
8803
|
url: this.url.href,
|
|
8811
8804
|
anchorCount: cached.anchors.length,
|
|
8812
8805
|
});
|
|
8813
8806
|
}
|
|
8814
8807
|
}
|
|
8815
8808
|
catch (error) {
|
|
8816
|
-
|
|
8809
|
+
logger.warning("failed_to_load_cached_trust_bundle", {
|
|
8810
|
+
error: error instanceof Error ? error.message : String(error),
|
|
8811
|
+
});
|
|
8817
8812
|
}
|
|
8818
8813
|
this.initialized = true;
|
|
8819
8814
|
}
|
|
@@ -8899,7 +8894,9 @@ class HttpBundleProvider {
|
|
|
8899
8894
|
callback();
|
|
8900
8895
|
}
|
|
8901
8896
|
catch (error) {
|
|
8902
|
-
|
|
8897
|
+
logger.warning("trust_bundle_listener_failed", {
|
|
8898
|
+
error: error instanceof Error ? error.message : String(error),
|
|
8899
|
+
});
|
|
8903
8900
|
}
|
|
8904
8901
|
}
|
|
8905
8902
|
}
|
|
@@ -9146,7 +9143,9 @@ async function openIndexedDbStore() {
|
|
|
9146
9143
|
});
|
|
9147
9144
|
};
|
|
9148
9145
|
request.onerror = () => {
|
|
9149
|
-
|
|
9146
|
+
logger.warning("indexeddb_unavailable_for_trust_bundle_caching", {
|
|
9147
|
+
error: request.error ? String(request.error) : "unknown",
|
|
9148
|
+
});
|
|
9150
9149
|
resolve(null);
|
|
9151
9150
|
};
|
|
9152
9151
|
});
|