@naylence/advanced-security 0.3.7-test.120 → 0.3.7-test.121
- package/dist/browser/index.cjs +325 -326
- package/dist/browser/index.mjs +325 -326
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/cjs/version.js +2 -2
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/esm/version.js +2 -2
- package/dist/node/index.cjs +325 -326
- package/dist/node/index.mjs +325 -326
- package/dist/node/node.cjs +326 -327
- package/dist/node/node.mjs +326 -327
- package/dist/types/naylence/fame/security/cert/trust-store/http-bundle-provider.d.ts.map +1 -1
- package/dist/types/version.d.ts +1 -1
- package/package.json +1 -1
package/dist/browser/index.mjs
CHANGED
|
@@ -18,14 +18,14 @@ import { X509Certificate } from '@peculiar/x509';
|
|
|
18
18
|
import { getLogger, secureDigest as secureDigest$1, validateHostLogical, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CertificateManagerFactory, SigningConfigClass as SigningConfigClass$1 } from '@naylence/runtime/node';
|
|
19
19
|
|
|
20
20
|
// This file is auto-generated during build - do not edit manually
|
|
21
|
-
// Generated from package.json version: 0.3.7-test.
|
|
21
|
+
// Generated from package.json version: 0.3.7-test.121
|
|
22
22
|
/**
|
|
23
23
|
* The package version, injected at build time.
|
|
24
24
|
* @internal
|
|
25
25
|
*/
|
|
26
|
-
const VERSION = '0.3.7-test.
|
|
26
|
+
const VERSION = '0.3.7-test.121';
|
|
27
27
|
|
|
28
|
-
const logger$
|
|
28
|
+
const logger$h = getLogger("naylence.fame.security.cert.util");
|
|
29
29
|
const CACHE_LIMIT = 512;
|
|
30
30
|
const OID_ED25519 = "1.3.101.112";
|
|
31
31
|
const textEncoder = new TextEncoder();
|
|
@@ -39,7 +39,7 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
39
39
|
const trustStorePem = normalizeTrustStoreOption(options.trustStorePem ?? null);
|
|
40
40
|
const returnCertificate = options.returnCertificate ?? false;
|
|
41
41
|
const { parsed, chainBytes } = parseCertificateChain(x5c);
|
|
42
|
-
logger$
|
|
42
|
+
logger$h.debug("public_key_from_x5c_called", {
|
|
43
43
|
call_id: callId,
|
|
44
44
|
x5c_count: parsed.length,
|
|
45
45
|
enforce_name_constraints: enforceNameConstraints,
|
|
@@ -51,13 +51,13 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
51
51
|
cacheKey = buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints);
|
|
52
52
|
const cached = getCachedPublicKey(cacheKey);
|
|
53
53
|
if (cached) {
|
|
54
|
-
logger$
|
|
54
|
+
logger$h.debug("certificate_cache_hit", {
|
|
55
55
|
call_id: callId,
|
|
56
56
|
cache_key: cacheKey,
|
|
57
57
|
});
|
|
58
58
|
return cached;
|
|
59
59
|
}
|
|
60
|
-
logger$
|
|
60
|
+
logger$h.debug("certificate_cache_miss", {
|
|
61
61
|
call_id: callId,
|
|
62
62
|
cache_key: cacheKey,
|
|
63
63
|
});
|
|
@@ -228,13 +228,13 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
228
228
|
if (trustedCerts.length === 0) {
|
|
229
229
|
throw new Error("No valid certificates found in trust store");
|
|
230
230
|
}
|
|
231
|
-
logger$
|
|
231
|
+
logger$h.debug("trust_anchor_validation_start", {
|
|
232
232
|
chain_length: chain.length,
|
|
233
233
|
trust_store_cert_count: trustedCerts.length,
|
|
234
234
|
});
|
|
235
235
|
const chainInfo = chain.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
236
236
|
const trustedInfo = trustedCerts.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
237
|
-
logger$
|
|
237
|
+
logger$h.debug("certificate_chain_validation", {
|
|
238
238
|
chain_certificates: chainInfo,
|
|
239
239
|
trust_store_certificates: trustedInfo,
|
|
240
240
|
});
|
|
@@ -244,7 +244,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
244
244
|
const match = trustedCerts.find((trusted) => trusted.serialNumber === cert.serialNumber &&
|
|
245
245
|
namesEqual(trusted.certificate.tbsCertificate.subject, cert.certificate.tbsCertificate.subject));
|
|
246
246
|
if (match) {
|
|
247
|
-
logger$
|
|
247
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
248
248
|
matching_serial: match.serialNumber,
|
|
249
249
|
validation_strategy: `direct_trust_cert_${i}`,
|
|
250
250
|
});
|
|
@@ -257,7 +257,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
257
257
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, leaf.certificate.tbsCertificate.issuer) &&
|
|
258
258
|
trusted.serialNumber !== leaf.serialNumber) {
|
|
259
259
|
verifyCertificateSignature(leaf.certificate, trusted.certificate);
|
|
260
|
-
logger$
|
|
260
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
261
261
|
matching_serial: trusted.serialNumber,
|
|
262
262
|
validation_strategy: "leaf_issuer_trust",
|
|
263
263
|
});
|
|
@@ -271,7 +271,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
271
271
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, intermediate.certificate.tbsCertificate.issuer) &&
|
|
272
272
|
trusted.serialNumber !== intermediate.serialNumber) {
|
|
273
273
|
verifyCertificateSignature(intermediate.certificate, trusted.certificate);
|
|
274
|
-
logger$
|
|
274
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
275
275
|
matching_serial: trusted.serialNumber,
|
|
276
276
|
validation_strategy: `intermediate_issuer_trust_cert_${index}`,
|
|
277
277
|
});
|
|
@@ -279,7 +279,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
279
279
|
}
|
|
280
280
|
}
|
|
281
281
|
}
|
|
282
|
-
logger$
|
|
282
|
+
logger$h.warning("certificate_chain_trust_validation_failed", {
|
|
283
283
|
leaf_subject: leaf.subjectName,
|
|
284
284
|
leaf_issuer: leaf.issuerName,
|
|
285
285
|
leaf_serial: leaf.serialNumber,
|
|
@@ -301,7 +301,7 @@ function parseTrustStore(trustStorePem) {
|
|
|
301
301
|
}
|
|
302
302
|
catch (error) {
|
|
303
303
|
const reason = error instanceof Error ? error.message : String(error);
|
|
304
|
-
logger$
|
|
304
|
+
logger$h.debug("trust_store_certificate_parse_failed", { reason });
|
|
305
305
|
}
|
|
306
306
|
}
|
|
307
307
|
return parsed;
|
|
@@ -321,12 +321,12 @@ function validateChainContinuity(chain) {
|
|
|
321
321
|
if (chain.length <= 1) {
|
|
322
322
|
return;
|
|
323
323
|
}
|
|
324
|
-
logger$
|
|
324
|
+
logger$h.debug("validating_chain_continuity", { chain_length: chain.length });
|
|
325
325
|
for (let index = 0; index < chain.length - 1; index += 1) {
|
|
326
326
|
const cert = chain[index];
|
|
327
327
|
const issuer = chain[index + 1];
|
|
328
328
|
if (!namesEqual(cert.certificate.tbsCertificate.issuer, issuer.certificate.tbsCertificate.subject)) {
|
|
329
|
-
logger$
|
|
329
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
330
330
|
cert_index: index,
|
|
331
331
|
cert_subject: cert.subjectName,
|
|
332
332
|
cert_issuer: cert.issuerName,
|
|
@@ -337,7 +337,7 @@ function validateChainContinuity(chain) {
|
|
|
337
337
|
}
|
|
338
338
|
try {
|
|
339
339
|
verifyCertificateSignature(cert.certificate, issuer.certificate);
|
|
340
|
-
logger$
|
|
340
|
+
logger$h.debug("chain_continuity_verification_success", {
|
|
341
341
|
cert_index: index,
|
|
342
342
|
cert_serial: cert.serialNumber,
|
|
343
343
|
issuer_serial: issuer.serialNumber,
|
|
@@ -345,7 +345,7 @@ function validateChainContinuity(chain) {
|
|
|
345
345
|
}
|
|
346
346
|
catch (error) {
|
|
347
347
|
const reason = error instanceof Error ? error.message : String(error);
|
|
348
|
-
logger$
|
|
348
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
349
349
|
cert_index: index,
|
|
350
350
|
cert_subject: cert.subjectName,
|
|
351
351
|
issuer_subject: issuer.subjectName,
|
|
@@ -357,7 +357,7 @@ function validateChainContinuity(chain) {
|
|
|
357
357
|
throw new Error(`Certificate chain continuity broken: certificate at index ${index} was not signed by certificate at index ${index + 1}: ${reason}`);
|
|
358
358
|
}
|
|
359
359
|
}
|
|
360
|
-
logger$
|
|
360
|
+
logger$h.debug("chain_continuity_validation_passed", {
|
|
361
361
|
chain_length: chain.length,
|
|
362
362
|
});
|
|
363
363
|
}
|
|
@@ -491,7 +491,7 @@ function getCachedPublicKey(cacheKey) {
|
|
|
491
491
|
}
|
|
492
492
|
if (Date.now() > entry.expiresAt) {
|
|
493
493
|
trustCache.delete(cacheKey);
|
|
494
|
-
logger$
|
|
494
|
+
logger$h.debug("certificate_cache_expired", { cache_key: cacheKey });
|
|
495
495
|
return null;
|
|
496
496
|
}
|
|
497
497
|
return entry.value.slice();
|
|
@@ -503,13 +503,13 @@ function setCachedPublicKey(cacheKey, value, notAfter) {
|
|
|
503
503
|
break;
|
|
504
504
|
}
|
|
505
505
|
trustCache.delete(firstKey);
|
|
506
|
-
logger$
|
|
506
|
+
logger$h.debug("certificate_cache_evicted", { cache_key: firstKey });
|
|
507
507
|
}
|
|
508
508
|
trustCache.set(cacheKey, {
|
|
509
509
|
value: value.slice(),
|
|
510
510
|
expiresAt: notAfter.getTime(),
|
|
511
511
|
});
|
|
512
|
-
logger$
|
|
512
|
+
logger$h.debug("certificate_cache_stored", {
|
|
513
513
|
cache_key: cacheKey,
|
|
514
514
|
expires_at: notAfter.toISOString(),
|
|
515
515
|
cache_size: trustCache.size,
|
|
@@ -689,7 +689,7 @@ const NODE_ID_OID = "1.3.6.1.4.1.58530.4";
|
|
|
689
689
|
* Provides async HTTP client to request certificates from the CA signing service.
|
|
690
690
|
*/
|
|
691
691
|
// Simple logger for now - TODO: integrate with runtime logging
|
|
692
|
-
const logger$
|
|
692
|
+
const logger$g = {
|
|
693
693
|
debug: (_event, _meta) => {
|
|
694
694
|
// console.log(`[DEBUG] ${event}`, meta);
|
|
695
695
|
},
|
|
@@ -1161,13 +1161,13 @@ class CAServiceClient {
|
|
|
1161
1161
|
const result = await response.json();
|
|
1162
1162
|
const certificatePem = result.certificate_pem;
|
|
1163
1163
|
const certificateChainPem = result.certificate_chain_pem || certificatePem;
|
|
1164
|
-
logger$
|
|
1164
|
+
logger$g.debug("certificate_request_successful", {
|
|
1165
1165
|
requester_id: requesterId,
|
|
1166
1166
|
expires_at: result.expires_at,
|
|
1167
1167
|
});
|
|
1168
1168
|
// Extract and log certificate information with structured logging
|
|
1169
1169
|
const certInfo = extractCertificateInfo(certificatePem);
|
|
1170
|
-
logger$
|
|
1170
|
+
logger$g.debug("certificate_details", {
|
|
1171
1171
|
requester_id: requesterId,
|
|
1172
1172
|
certificate_type: "issued_certificate",
|
|
1173
1173
|
...certInfo,
|
|
@@ -1186,7 +1186,7 @@ class CAServiceClient {
|
|
|
1186
1186
|
// First cert in chain is usually the issued certificate
|
|
1187
1187
|
if (certPemBlock.trim() !== certificatePem.trim()) {
|
|
1188
1188
|
const chainCertInfo = extractCertificateInfo(certPemBlock);
|
|
1189
|
-
logger$
|
|
1189
|
+
logger$g.debug("certificate_chain_details", {
|
|
1190
1190
|
requester_id: requesterId,
|
|
1191
1191
|
certificate_type: "certificate_chain",
|
|
1192
1192
|
chain_index: i,
|
|
@@ -1197,7 +1197,7 @@ class CAServiceClient {
|
|
|
1197
1197
|
else {
|
|
1198
1198
|
// Subsequent certs are intermediate/root CAs
|
|
1199
1199
|
const caCertInfo = extractCertificateInfo(certPemBlock);
|
|
1200
|
-
logger$
|
|
1200
|
+
logger$g.debug("certificate_chain_details", {
|
|
1201
1201
|
requester_id: requesterId,
|
|
1202
1202
|
certificate_type: "ca_certificate",
|
|
1203
1203
|
chain_index: i,
|
|
@@ -1225,7 +1225,7 @@ class CAServiceClient {
|
|
|
1225
1225
|
// Body read failed entirely
|
|
1226
1226
|
errorDetail = `HTTP ${response.status}`;
|
|
1227
1227
|
}
|
|
1228
|
-
logger$
|
|
1228
|
+
logger$g.error("certificate_request_failed", {
|
|
1229
1229
|
requester_id: requesterId,
|
|
1230
1230
|
status_code: response.status,
|
|
1231
1231
|
error: errorDetail,
|
|
@@ -1242,13 +1242,13 @@ class CAServiceClient {
|
|
|
1242
1242
|
throw error;
|
|
1243
1243
|
}
|
|
1244
1244
|
if (error instanceof Error && error.name === "AbortError") {
|
|
1245
|
-
logger$
|
|
1245
|
+
logger$g.error("certificate_request_timeout", {
|
|
1246
1246
|
requester_id: requesterId,
|
|
1247
1247
|
timeout_seconds: this.timeoutSeconds,
|
|
1248
1248
|
});
|
|
1249
1249
|
throw new CertificateRequestError(`Certificate request timed out after ${this.timeoutSeconds} seconds`);
|
|
1250
1250
|
}
|
|
1251
|
-
logger$
|
|
1251
|
+
logger$g.error("certificate_request_network_error", {
|
|
1252
1252
|
requester_id: requesterId,
|
|
1253
1253
|
error: String(error),
|
|
1254
1254
|
});
|
|
@@ -1257,7 +1257,7 @@ class CAServiceClient {
|
|
|
1257
1257
|
}
|
|
1258
1258
|
}
|
|
1259
1259
|
|
|
1260
|
-
const logger$
|
|
1260
|
+
const logger$f = getLogger$1("naylence.fame.security.encryption.sealed.x25519_encryption_manager");
|
|
1261
1261
|
class X25519EncryptionManager {
|
|
1262
1262
|
constructor({ keyProvider, nodeLike = null, cryptoProvider = null, }) {
|
|
1263
1263
|
this.pendingEnvelopes = new Map();
|
|
@@ -1274,7 +1274,7 @@ class X25519EncryptionManager {
|
|
|
1274
1274
|
// KeyManagementHandler will queue the envelope and send KeyRequest.
|
|
1275
1275
|
// X25519 should NOT queue here to avoid dual queueing.
|
|
1276
1276
|
if (opts?.requestAddress) {
|
|
1277
|
-
logger$
|
|
1277
|
+
logger$f.debug("key_not_found_delegating_to_key_management", {
|
|
1278
1278
|
envelope_id: envelope.id,
|
|
1279
1279
|
request_address: String(opts.requestAddress),
|
|
1280
1280
|
});
|
|
@@ -1290,7 +1290,7 @@ class X25519EncryptionManager {
|
|
|
1290
1290
|
return await this.encryptWithKey(envelope, recipPub, recipKid);
|
|
1291
1291
|
}
|
|
1292
1292
|
catch (error) {
|
|
1293
|
-
logger$
|
|
1293
|
+
logger$f.error("x25519_encryption_failed", {
|
|
1294
1294
|
error: error instanceof Error ? error.message : String(error),
|
|
1295
1295
|
});
|
|
1296
1296
|
return EncryptionResult.skipped(envelope);
|
|
@@ -1328,20 +1328,20 @@ class X25519EncryptionManager {
|
|
|
1328
1328
|
return envelope;
|
|
1329
1329
|
}
|
|
1330
1330
|
catch (error) {
|
|
1331
|
-
logger$
|
|
1331
|
+
logger$f.error("x25519_decryption_failed", {
|
|
1332
1332
|
error: error instanceof Error ? error.message : String(error),
|
|
1333
1333
|
});
|
|
1334
1334
|
return envelope;
|
|
1335
1335
|
}
|
|
1336
1336
|
}
|
|
1337
1337
|
async notifyKeyAvailable(keyId) {
|
|
1338
|
-
logger$
|
|
1338
|
+
logger$f.debug("x25519_notify_key_available_called", {
|
|
1339
1339
|
key_id: keyId,
|
|
1340
1340
|
pending_keys: Array.from(this.pendingEnvelopes.keys()),
|
|
1341
1341
|
});
|
|
1342
1342
|
const queued = this.pendingEnvelopes.get(keyId);
|
|
1343
1343
|
if (!queued || queued.length === 0) {
|
|
1344
|
-
logger$
|
|
1344
|
+
logger$f.debug("no_queued_envelopes_for_key", {
|
|
1345
1345
|
key_id: keyId,
|
|
1346
1346
|
has_queue: this.pendingEnvelopes.has(keyId),
|
|
1347
1347
|
queue_length: queued?.length ?? 0,
|
|
@@ -1353,13 +1353,13 @@ class X25519EncryptionManager {
|
|
|
1353
1353
|
this.keyRequestsInProgress.delete(keyId);
|
|
1354
1354
|
const node = this.nodeLike;
|
|
1355
1355
|
if (!node) {
|
|
1356
|
-
logger$
|
|
1356
|
+
logger$f.debug("discarding_queued_envelopes_no_node", {
|
|
1357
1357
|
key_id: keyId,
|
|
1358
1358
|
count: queued.length,
|
|
1359
1359
|
});
|
|
1360
1360
|
return;
|
|
1361
1361
|
}
|
|
1362
|
-
logger$
|
|
1362
|
+
logger$f.debug("replaying_envelopes_for_key", {
|
|
1363
1363
|
key_id: keyId,
|
|
1364
1364
|
count: queued.length,
|
|
1365
1365
|
});
|
|
@@ -1368,7 +1368,7 @@ class X25519EncryptionManager {
|
|
|
1368
1368
|
await node.deliver(envelope);
|
|
1369
1369
|
}
|
|
1370
1370
|
catch (error) {
|
|
1371
|
-
logger$
|
|
1371
|
+
logger$f.error("failed_to_replay_envelope", {
|
|
1372
1372
|
key_id: keyId,
|
|
1373
1373
|
envelope_id: envelope.id,
|
|
1374
1374
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -1469,7 +1469,7 @@ class X25519EncryptionManager {
|
|
|
1469
1469
|
? this.extractPrivateKeyFromRecord(providerRecord)
|
|
1470
1470
|
: null;
|
|
1471
1471
|
if (providerRecordKey) {
|
|
1472
|
-
logger$
|
|
1472
|
+
logger$f.debug("using_provider_key_record_private_key", {
|
|
1473
1473
|
kid,
|
|
1474
1474
|
provider_key_id: providerKeyId,
|
|
1475
1475
|
mismatched_kid: kid && providerKeyId !== kid ? kid : null,
|
|
@@ -1479,7 +1479,7 @@ class X25519EncryptionManager {
|
|
|
1479
1479
|
}
|
|
1480
1480
|
if (!providerPem) {
|
|
1481
1481
|
if (kid && providerKeyId && providerKeyId !== kid) {
|
|
1482
|
-
logger$
|
|
1482
|
+
logger$f.debug("crypto_provider_key_id_mismatch_no_private_key", {
|
|
1483
1483
|
kid,
|
|
1484
1484
|
provider_key_id: providerKeyId,
|
|
1485
1485
|
});
|
|
@@ -1491,13 +1491,13 @@ class X25519EncryptionManager {
|
|
|
1491
1491
|
return null;
|
|
1492
1492
|
}
|
|
1493
1493
|
if (!kid || providerKeyId === kid) {
|
|
1494
|
-
logger$
|
|
1494
|
+
logger$f.debug("using_crypto_provider_private_key_fallback", {
|
|
1495
1495
|
kid: kid ?? null,
|
|
1496
1496
|
provider_key_id: providerKeyId,
|
|
1497
1497
|
});
|
|
1498
1498
|
}
|
|
1499
1499
|
else {
|
|
1500
|
-
logger$
|
|
1500
|
+
logger$f.warning("crypto_provider_key_id_mismatch_using_private_key", {
|
|
1501
1501
|
kid,
|
|
1502
1502
|
provider_key_id: providerKeyId,
|
|
1503
1503
|
key_record_present: Boolean(record),
|
|
@@ -1506,7 +1506,7 @@ class X25519EncryptionManager {
|
|
|
1506
1506
|
return fallbackKey;
|
|
1507
1507
|
}
|
|
1508
1508
|
async queueEnvelopeForKey(envelope, opts, recipientKeyId) {
|
|
1509
|
-
logger$
|
|
1509
|
+
logger$f.debug("queueing_envelope_for_sealed_encryption", {
|
|
1510
1510
|
envelope_id: envelope.id,
|
|
1511
1511
|
recipient_key_id: recipientKeyId,
|
|
1512
1512
|
request_address: opts?.requestAddress
|
|
@@ -1554,7 +1554,7 @@ class X25519EncryptionManager {
|
|
|
1554
1554
|
await node.deliver(keyRequestEnvelope, context);
|
|
1555
1555
|
}
|
|
1556
1556
|
catch (error) {
|
|
1557
|
-
logger$
|
|
1557
|
+
logger$f.error("failed_to_request_recipient_key", {
|
|
1558
1558
|
recipient_key_id: recipientKeyId,
|
|
1559
1559
|
error: error instanceof Error ? error.message : String(error),
|
|
1560
1560
|
});
|
|
@@ -1567,7 +1567,7 @@ class X25519EncryptionManager {
|
|
|
1567
1567
|
return this.extractPublicKeyFromRecord(record);
|
|
1568
1568
|
}
|
|
1569
1569
|
catch (error) {
|
|
1570
|
-
logger$
|
|
1570
|
+
logger$f.debug("recipient_key_lookup_failed", {
|
|
1571
1571
|
kid,
|
|
1572
1572
|
error: error instanceof Error ? error.message : String(error),
|
|
1573
1573
|
});
|
|
@@ -1582,7 +1582,7 @@ class X25519EncryptionManager {
|
|
|
1582
1582
|
return await this.keyProvider.getKey(kid);
|
|
1583
1583
|
}
|
|
1584
1584
|
catch (error) {
|
|
1585
|
-
logger$
|
|
1585
|
+
logger$f.debug("private_key_lookup_failed", {
|
|
1586
1586
|
kid,
|
|
1587
1587
|
error: error instanceof Error ? error.message : String(error),
|
|
1588
1588
|
});
|
|
@@ -1653,7 +1653,7 @@ class X25519EncryptionManager {
|
|
|
1653
1653
|
const base64 = base64Lines.join("");
|
|
1654
1654
|
const der = this.decodeBase64Flexible(base64);
|
|
1655
1655
|
if (!der) {
|
|
1656
|
-
logger$
|
|
1656
|
+
logger$f.debug("pem_decode_failed", {
|
|
1657
1657
|
key_type: keyType,
|
|
1658
1658
|
});
|
|
1659
1659
|
return null;
|
|
@@ -1886,7 +1886,7 @@ var index$1 = /*#__PURE__*/Object.freeze({
|
|
|
1886
1886
|
X25519EncryptionManagerFactory: X25519EncryptionManagerFactory
|
|
1887
1887
|
});
|
|
1888
1888
|
|
|
1889
|
-
const logger$
|
|
1889
|
+
const logger$e = getLogger$1("naylence.fame.security.encryption.channel.channel_encryption_manager");
|
|
1890
1890
|
const SUPPORTED_CHANNEL_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
1891
1891
|
const CHANNEL_ENCRYPTION_ALGORITHM = "chacha20-poly1305-channel";
|
|
1892
1892
|
const HANDSHAKE_ALGORITHM = "CHACHA20P1305";
|
|
@@ -2037,13 +2037,13 @@ class ChannelEncryptionManager {
|
|
|
2037
2037
|
const destination = opts?.destination ?? envelope.to ?? null;
|
|
2038
2038
|
const destinationStr = toDestinationString(destination);
|
|
2039
2039
|
if (!destinationStr) {
|
|
2040
|
-
logger$
|
|
2040
|
+
logger$e.warning("no_destination_for_channel_encryption", {
|
|
2041
2041
|
envelope_id: envelope.id,
|
|
2042
2042
|
});
|
|
2043
2043
|
return EncryptionResult.skipped(envelope);
|
|
2044
2044
|
}
|
|
2045
2045
|
if (!this.secureChannelManager) {
|
|
2046
|
-
logger$
|
|
2046
|
+
logger$e.warning("no_secure_channel_manager_available", {
|
|
2047
2047
|
envelope_id: envelope.id,
|
|
2048
2048
|
});
|
|
2049
2049
|
return EncryptionResult.skipped(envelope);
|
|
@@ -2054,7 +2054,7 @@ class ChannelEncryptionManager {
|
|
|
2054
2054
|
return this.encryptWithChannel(envelope, existingChannelId);
|
|
2055
2055
|
}
|
|
2056
2056
|
catch (error) {
|
|
2057
|
-
logger$
|
|
2057
|
+
logger$e.error("channel_encryption_failed", {
|
|
2058
2058
|
error: error instanceof Error ? error.message : String(error),
|
|
2059
2059
|
channel_id: existingChannelId,
|
|
2060
2060
|
});
|
|
@@ -2081,35 +2081,35 @@ class ChannelEncryptionManager {
|
|
|
2081
2081
|
}
|
|
2082
2082
|
const channelId = encHeader.kid;
|
|
2083
2083
|
if (!channelId) {
|
|
2084
|
-
logger$
|
|
2084
|
+
logger$e.error("missing_channel_id_in_encryption_header", {
|
|
2085
2085
|
envelope_id: envelope.id,
|
|
2086
2086
|
});
|
|
2087
2087
|
return envelope;
|
|
2088
2088
|
}
|
|
2089
2089
|
const nonce = this.decodeNonceValue(encHeader.val ?? "");
|
|
2090
2090
|
if (!nonce) {
|
|
2091
|
-
logger$
|
|
2091
|
+
logger$e.error("invalid_nonce_in_encryption_header", {
|
|
2092
2092
|
envelope_id: envelope.id,
|
|
2093
2093
|
value_present: Boolean(encHeader.val),
|
|
2094
2094
|
});
|
|
2095
2095
|
return envelope;
|
|
2096
2096
|
}
|
|
2097
2097
|
if (!this.secureChannelManager) {
|
|
2098
|
-
logger$
|
|
2098
|
+
logger$e.warning("no_secure_channel_manager_for_decryption", {
|
|
2099
2099
|
envelope_id: envelope.id,
|
|
2100
2100
|
});
|
|
2101
2101
|
return envelope;
|
|
2102
2102
|
}
|
|
2103
2103
|
const channelState = this.getChannelState(channelId);
|
|
2104
2104
|
if (!channelState) {
|
|
2105
|
-
logger$
|
|
2105
|
+
logger$e.error("channel_not_available_for_decryption", {
|
|
2106
2106
|
channel_id: channelId,
|
|
2107
2107
|
});
|
|
2108
2108
|
return envelope;
|
|
2109
2109
|
}
|
|
2110
2110
|
const ciphertext = this.extractCiphertext(frame.payload);
|
|
2111
2111
|
if (!ciphertext) {
|
|
2112
|
-
logger$
|
|
2112
|
+
logger$e.error("invalid_ciphertext_payload", { envelope_id: envelope.id });
|
|
2113
2113
|
return envelope;
|
|
2114
2114
|
}
|
|
2115
2115
|
try {
|
|
@@ -2134,7 +2134,7 @@ class ChannelEncryptionManager {
|
|
|
2134
2134
|
return envelope;
|
|
2135
2135
|
}
|
|
2136
2136
|
catch (error) {
|
|
2137
|
-
logger$
|
|
2137
|
+
logger$e.error("channel_decryption_failed", {
|
|
2138
2138
|
channel_id: channelId,
|
|
2139
2139
|
error: error instanceof Error ? error.message : String(error),
|
|
2140
2140
|
});
|
|
@@ -2142,24 +2142,24 @@ class ChannelEncryptionManager {
|
|
|
2142
2142
|
}
|
|
2143
2143
|
}
|
|
2144
2144
|
async notifyChannelEstablished(channelId) {
|
|
2145
|
-
logger$
|
|
2145
|
+
logger$e.debug("channel_encryption_manager_notified", {
|
|
2146
2146
|
channel_id: channelId,
|
|
2147
2147
|
manager_type: "channel",
|
|
2148
2148
|
});
|
|
2149
2149
|
if (!channelId.startsWith("auto-")) {
|
|
2150
|
-
logger$
|
|
2150
|
+
logger$e.warning("unexpected_channel_id_format", { channel_id: channelId });
|
|
2151
2151
|
return;
|
|
2152
2152
|
}
|
|
2153
2153
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2154
2154
|
if (!destinationStr) {
|
|
2155
|
-
logger$
|
|
2155
|
+
logger$e.warning("cannot_parse_destination_from_channel_id", {
|
|
2156
2156
|
channel_id: channelId,
|
|
2157
2157
|
});
|
|
2158
2158
|
return;
|
|
2159
2159
|
}
|
|
2160
2160
|
this.handshakeInProgress.delete(destinationStr);
|
|
2161
2161
|
if (!this.pendingEnvelopes.has(destinationStr)) {
|
|
2162
|
-
logger$
|
|
2162
|
+
logger$e.debug("no_pending_queue_for_destination", {
|
|
2163
2163
|
destination: destinationStr,
|
|
2164
2164
|
});
|
|
2165
2165
|
return;
|
|
@@ -2167,7 +2167,7 @@ class ChannelEncryptionManager {
|
|
|
2167
2167
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2168
2168
|
this.pendingEnvelopes.delete(destinationStr);
|
|
2169
2169
|
if (!this.secureChannelManager) {
|
|
2170
|
-
logger$
|
|
2170
|
+
logger$e.error("no_secure_channel_manager_for_queue_drain", {
|
|
2171
2171
|
channel_id: channelId,
|
|
2172
2172
|
});
|
|
2173
2173
|
return;
|
|
@@ -2176,7 +2176,7 @@ class ChannelEncryptionManager {
|
|
|
2176
2176
|
try {
|
|
2177
2177
|
const result = this.encryptWithChannel(envelope, channelId);
|
|
2178
2178
|
if (!result.envelope) {
|
|
2179
|
-
logger$
|
|
2179
|
+
logger$e.warning("failed_to_encrypt_queued_envelope", {
|
|
2180
2180
|
envelope_id: envelope.id,
|
|
2181
2181
|
channel_id: channelId,
|
|
2182
2182
|
});
|
|
@@ -2186,7 +2186,7 @@ class ChannelEncryptionManager {
|
|
|
2186
2186
|
this.runAsyncTask(() => this.deliverEnvelope(encryptedEnvelope), `deliver-queued-${envelope.id}`);
|
|
2187
2187
|
}
|
|
2188
2188
|
catch (error) {
|
|
2189
|
-
logger$
|
|
2189
|
+
logger$e.error("failed_to_encrypt_queued_envelope", {
|
|
2190
2190
|
envelope_id: envelope.id,
|
|
2191
2191
|
error: error instanceof Error ? error.message : String(error),
|
|
2192
2192
|
});
|
|
@@ -2194,19 +2194,19 @@ class ChannelEncryptionManager {
|
|
|
2194
2194
|
}
|
|
2195
2195
|
}
|
|
2196
2196
|
async notifyChannelFailed(channelId, reason = "handshake_failed") {
|
|
2197
|
-
logger$
|
|
2197
|
+
logger$e.debug("channel_encryption_manager_notified_failure", {
|
|
2198
2198
|
channel_id: channelId,
|
|
2199
2199
|
reason,
|
|
2200
2200
|
});
|
|
2201
2201
|
if (!channelId.startsWith("auto-")) {
|
|
2202
|
-
logger$
|
|
2202
|
+
logger$e.warning("unexpected_channel_id_format_on_failure", {
|
|
2203
2203
|
channel_id: channelId,
|
|
2204
2204
|
});
|
|
2205
2205
|
return;
|
|
2206
2206
|
}
|
|
2207
2207
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2208
2208
|
if (!destinationStr) {
|
|
2209
|
-
logger$
|
|
2209
|
+
logger$e.warning("cannot_parse_destination_from_channel_id_on_failure", {
|
|
2210
2210
|
channel_id: channelId,
|
|
2211
2211
|
});
|
|
2212
2212
|
return;
|
|
@@ -2216,14 +2216,14 @@ class ChannelEncryptionManager {
|
|
|
2216
2216
|
const cachedChannelId = this.addrChannelMap.get(destinationStr);
|
|
2217
2217
|
if (cachedChannelId === channelId) {
|
|
2218
2218
|
this.addrChannelMap.delete(destinationStr);
|
|
2219
|
-
logger$
|
|
2219
|
+
logger$e.debug("cleared_channel_cache_for_failed_channel", {
|
|
2220
2220
|
destination: destinationStr,
|
|
2221
2221
|
channel_id: channelId,
|
|
2222
2222
|
});
|
|
2223
2223
|
}
|
|
2224
2224
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr);
|
|
2225
2225
|
if (!queuedEnvelopes || queuedEnvelopes.length === 0) {
|
|
2226
|
-
logger$
|
|
2226
|
+
logger$e.debug("no_pending_queue_for_failed_destination", {
|
|
2227
2227
|
destination: destinationStr,
|
|
2228
2228
|
});
|
|
2229
2229
|
return;
|
|
@@ -2242,7 +2242,7 @@ class ChannelEncryptionManager {
|
|
|
2242
2242
|
const cached = this.addrChannelMap.get(destination);
|
|
2243
2243
|
if (cached) {
|
|
2244
2244
|
this.addrChannelMap.delete(destination);
|
|
2245
|
-
logger$
|
|
2245
|
+
logger$e.debug("cleared_channel_cache_for_destination", {
|
|
2246
2246
|
destination,
|
|
2247
2247
|
cached_channel_id: cached,
|
|
2248
2248
|
});
|
|
@@ -2260,14 +2260,14 @@ class ChannelEncryptionManager {
|
|
|
2260
2260
|
}
|
|
2261
2261
|
const cached = this.addrChannelMap.get(destination);
|
|
2262
2262
|
if (cached && this.getChannelState(cached)) {
|
|
2263
|
-
logger$
|
|
2263
|
+
logger$e.debug("using_cached_channel", { destination, channel_id: cached });
|
|
2264
2264
|
return cached;
|
|
2265
2265
|
}
|
|
2266
2266
|
const channels = this.secureChannelManager.channels;
|
|
2267
2267
|
for (const channelId of Object.keys(channels)) {
|
|
2268
2268
|
if (channelId.startsWith(`auto-${destination}-`)) {
|
|
2269
2269
|
this.addrChannelMap.set(destination, channelId);
|
|
2270
|
-
logger$
|
|
2270
|
+
logger$e.debug("using_existing_channel", {
|
|
2271
2271
|
destination,
|
|
2272
2272
|
channel_id: channelId,
|
|
2273
2273
|
});
|
|
@@ -2280,12 +2280,12 @@ class ChannelEncryptionManager {
|
|
|
2280
2280
|
const queue = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2281
2281
|
queue.push(envelope);
|
|
2282
2282
|
this.pendingEnvelopes.set(destinationStr, queue);
|
|
2283
|
-
logger$
|
|
2283
|
+
logger$e.debug("queued_envelope_for_channel_handshake", {
|
|
2284
2284
|
envelope_id: envelope.id,
|
|
2285
2285
|
destination: destinationStr,
|
|
2286
2286
|
});
|
|
2287
2287
|
if (this.handshakeInProgress.has(destinationStr)) {
|
|
2288
|
-
logger$
|
|
2288
|
+
logger$e.debug("handshake_already_in_progress", {
|
|
2289
2289
|
destination: destinationStr,
|
|
2290
2290
|
});
|
|
2291
2291
|
return;
|
|
@@ -2303,7 +2303,7 @@ class ChannelEncryptionManager {
|
|
|
2303
2303
|
}
|
|
2304
2304
|
async initiateChannelHandshakeAsync(destination, destinationStr, opts) {
|
|
2305
2305
|
if (!this.secureChannelManager) {
|
|
2306
|
-
logger$
|
|
2306
|
+
logger$e.error("no_secure_channel_manager_for_async_handshake_initiation");
|
|
2307
2307
|
return;
|
|
2308
2308
|
}
|
|
2309
2309
|
const channelId = this.generateChannelId(destinationStr);
|
|
@@ -2311,19 +2311,19 @@ class ChannelEncryptionManager {
|
|
|
2311
2311
|
const openFrame = this.secureChannelManager.generateOpenFrame(channelId, HANDSHAKE_ALGORITHM);
|
|
2312
2312
|
const success = await this.sendSecureOpenFrameAsync(openFrame, destination);
|
|
2313
2313
|
if (success) {
|
|
2314
|
-
logger$
|
|
2314
|
+
logger$e.debug("sent_secure_open_frame_async", {
|
|
2315
2315
|
channel_id: channelId,
|
|
2316
2316
|
destination: destinationStr,
|
|
2317
2317
|
});
|
|
2318
2318
|
}
|
|
2319
2319
|
else {
|
|
2320
|
-
logger$
|
|
2320
|
+
logger$e.warning("failed_to_send_secure_open_frame_async", {
|
|
2321
2321
|
channel_id: channelId,
|
|
2322
2322
|
});
|
|
2323
2323
|
}
|
|
2324
2324
|
}
|
|
2325
2325
|
catch (error) {
|
|
2326
|
-
logger$
|
|
2326
|
+
logger$e.error("async_channel_handshake_initiation_failed", {
|
|
2327
2327
|
destination: destinationStr,
|
|
2328
2328
|
error: error instanceof Error ? error.message : String(error),
|
|
2329
2329
|
});
|
|
@@ -2332,22 +2332,22 @@ class ChannelEncryptionManager {
|
|
|
2332
2332
|
async sendSecureOpenFrameAsync(openFrame, destination) {
|
|
2333
2333
|
const node = this.nodeLike;
|
|
2334
2334
|
if (!node) {
|
|
2335
|
-
logger$
|
|
2335
|
+
logger$e.error("no_node_available_for_sending_secure_open_async");
|
|
2336
2336
|
return false;
|
|
2337
2337
|
}
|
|
2338
2338
|
const envelopeFactory = node.envelopeFactory;
|
|
2339
2339
|
if (!envelopeFactory) {
|
|
2340
|
-
logger$
|
|
2340
|
+
logger$e.error("no_envelope_factory_available_for_secure_open_async");
|
|
2341
2341
|
return false;
|
|
2342
2342
|
}
|
|
2343
2343
|
const replyTo = this.buildSystemReplyTo();
|
|
2344
2344
|
if (!replyTo) {
|
|
2345
|
-
logger$
|
|
2345
|
+
logger$e.error("no_physical_path_available_for_reply_to_async");
|
|
2346
2346
|
return false;
|
|
2347
2347
|
}
|
|
2348
2348
|
const toAddress = toFameAddress(destination);
|
|
2349
2349
|
if (!toAddress) {
|
|
2350
|
-
logger$
|
|
2350
|
+
logger$e.error("invalid_destination_for_secure_open", {
|
|
2351
2351
|
destination: String(destination),
|
|
2352
2352
|
});
|
|
2353
2353
|
return false;
|
|
@@ -2359,7 +2359,7 @@ class ChannelEncryptionManager {
|
|
|
2359
2359
|
corrId: generateId(),
|
|
2360
2360
|
});
|
|
2361
2361
|
await this.deliverEnvelope(envelope);
|
|
2362
|
-
logger$
|
|
2362
|
+
logger$e.debug("delivered_secure_open_frame_async", {
|
|
2363
2363
|
channel_id: openFrame.cid,
|
|
2364
2364
|
});
|
|
2365
2365
|
return true;
|
|
@@ -2367,7 +2367,7 @@ class ChannelEncryptionManager {
|
|
|
2367
2367
|
async deliverEnvelope(envelope) {
|
|
2368
2368
|
const node = this.nodeLike;
|
|
2369
2369
|
if (!node) {
|
|
2370
|
-
logger$
|
|
2370
|
+
logger$e.error("no_node_available_for_delivery", {
|
|
2371
2371
|
envelope_id: envelope.id,
|
|
2372
2372
|
});
|
|
2373
2373
|
return;
|
|
@@ -2377,19 +2377,19 @@ class ChannelEncryptionManager {
|
|
|
2377
2377
|
}
|
|
2378
2378
|
encryptWithChannel(envelope, channelId) {
|
|
2379
2379
|
if (!this.secureChannelManager) {
|
|
2380
|
-
logger$
|
|
2380
|
+
logger$e.error("no_secure_channel_manager_for_encryption");
|
|
2381
2381
|
return EncryptionResult.skipped(envelope);
|
|
2382
2382
|
}
|
|
2383
2383
|
const frame = envelope.frame;
|
|
2384
2384
|
if (!this.isDataFrame(frame)) {
|
|
2385
|
-
logger$
|
|
2385
|
+
logger$e.error("attempted_to_encrypt_non_dataframe", {
|
|
2386
2386
|
frame_type: frame.type ?? typeof frame,
|
|
2387
2387
|
});
|
|
2388
2388
|
return EncryptionResult.skipped(envelope);
|
|
2389
2389
|
}
|
|
2390
2390
|
const channelState = this.getChannelState(channelId);
|
|
2391
2391
|
if (!channelState) {
|
|
2392
|
-
logger$
|
|
2392
|
+
logger$e.error("channel_not_in_channels", { channel_id: channelId });
|
|
2393
2393
|
return EncryptionResult.skipped(envelope);
|
|
2394
2394
|
}
|
|
2395
2395
|
const payloadBytes = this.serializePayload(frame.payload);
|
|
@@ -2448,7 +2448,7 @@ class ChannelEncryptionManager {
|
|
|
2448
2448
|
return decodeBase64$1(payload);
|
|
2449
2449
|
}
|
|
2450
2450
|
catch (error) {
|
|
2451
|
-
logger$
|
|
2451
|
+
logger$e.error("failed_to_decode_base64_ciphertext", {
|
|
2452
2452
|
error: error instanceof Error ? error.message : String(error),
|
|
2453
2453
|
});
|
|
2454
2454
|
return null;
|
|
@@ -2478,7 +2478,7 @@ class ChannelEncryptionManager {
|
|
|
2478
2478
|
return parts.slice(1, -1).join("-");
|
|
2479
2479
|
}
|
|
2480
2480
|
async handleFailedEnvelope(envelope, destinationStr, channelId, reason) {
|
|
2481
|
-
logger$
|
|
2481
|
+
logger$e.warning("envelope_failed_due_to_channel_handshake_failure", {
|
|
2482
2482
|
envelope_id: envelope.id,
|
|
2483
2483
|
destination: destinationStr,
|
|
2484
2484
|
channel_id: channelId,
|
|
@@ -2486,14 +2486,14 @@ class ChannelEncryptionManager {
|
|
|
2486
2486
|
});
|
|
2487
2487
|
const frame = envelope.frame;
|
|
2488
2488
|
if (!this.isDataFrame(frame)) {
|
|
2489
|
-
logger$
|
|
2489
|
+
logger$e.debug("skipping_nack_for_non_dataframe", {
|
|
2490
2490
|
envelope_id: envelope.id,
|
|
2491
2491
|
frame_type: frame.type ?? typeof frame,
|
|
2492
2492
|
});
|
|
2493
2493
|
return;
|
|
2494
2494
|
}
|
|
2495
2495
|
if (!envelope.replyTo) {
|
|
2496
|
-
logger$
|
|
2496
|
+
logger$e.debug("skipping_nack_no_reply_to", { envelope_id: envelope.id });
|
|
2497
2497
|
return;
|
|
2498
2498
|
}
|
|
2499
2499
|
await this.sendDeliveryNack(envelope, `channel_handshake_failed: ${reason}`);
|
|
@@ -2501,17 +2501,17 @@ class ChannelEncryptionManager {
|
|
|
2501
2501
|
async sendDeliveryNack(envelope, failureReason) {
|
|
2502
2502
|
const node = this.nodeLike;
|
|
2503
2503
|
if (!node) {
|
|
2504
|
-
logger$
|
|
2504
|
+
logger$e.error("no_node_available_for_sending_delivery_nack");
|
|
2505
2505
|
return;
|
|
2506
2506
|
}
|
|
2507
2507
|
const envelopeFactory = node.envelopeFactory;
|
|
2508
2508
|
if (!envelopeFactory) {
|
|
2509
|
-
logger$
|
|
2509
|
+
logger$e.error("no_envelope_factory_available_for_delivery_nack");
|
|
2510
2510
|
return;
|
|
2511
2511
|
}
|
|
2512
2512
|
const replyTo = toFameAddress(envelope.replyTo ?? null);
|
|
2513
2513
|
if (!replyTo) {
|
|
2514
|
-
logger$
|
|
2514
|
+
logger$e.error("invalid_reply_to_for_delivery_nack", {
|
|
2515
2515
|
reply_to: envelope.replyTo,
|
|
2516
2516
|
});
|
|
2517
2517
|
return;
|
|
@@ -2528,7 +2528,7 @@ class ChannelEncryptionManager {
|
|
|
2528
2528
|
corrId: envelope.corrId ?? generateId(),
|
|
2529
2529
|
});
|
|
2530
2530
|
await this.deliverEnvelope(nackEnvelope);
|
|
2531
|
-
logger$
|
|
2531
|
+
logger$e.debug("delivered_delivery_nack", {
|
|
2532
2532
|
original_envelope_id: envelope.id,
|
|
2533
2533
|
nack_envelope_id: nackEnvelope.id,
|
|
2534
2534
|
});
|
|
@@ -2566,7 +2566,7 @@ class ChannelEncryptionManager {
|
|
|
2566
2566
|
await task();
|
|
2567
2567
|
}
|
|
2568
2568
|
catch (error) {
|
|
2569
|
-
logger$
|
|
2569
|
+
logger$e.error("async_task_failed", {
|
|
2570
2570
|
task_name: name,
|
|
2571
2571
|
error: error instanceof Error ? error.message : String(error),
|
|
2572
2572
|
});
|
|
@@ -2620,7 +2620,7 @@ class ChannelEncryptionManager {
|
|
|
2620
2620
|
}
|
|
2621
2621
|
}
|
|
2622
2622
|
|
|
2623
|
-
const logger$
|
|
2623
|
+
const logger$d = getLogger$1("naylence.fame.security.encryption.channel.channel_encryption_manager_factory");
|
|
2624
2624
|
const DEFAULT_SUPPORTED_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
2625
2625
|
const FACTORY_META$c = {
|
|
2626
2626
|
base: ENCRYPTION_MANAGER_FACTORY_BASE_TYPE,
|
|
@@ -2652,7 +2652,7 @@ class ChannelEncryptionManagerFactory extends EncryptionManagerFactory {
|
|
|
2652
2652
|
async create(_config, ...factoryArgs) {
|
|
2653
2653
|
const [dependencies] = factoryArgs;
|
|
2654
2654
|
const resolvedDependencies = this.resolveDependencies(dependencies);
|
|
2655
|
-
logger$
|
|
2655
|
+
logger$d.debug("creating_channel_encryption_manager", {
|
|
2656
2656
|
has_secure_channel_manager: Boolean(resolvedDependencies.secureChannelManager),
|
|
2657
2657
|
has_node_like: Boolean(resolvedDependencies.nodeLike),
|
|
2658
2658
|
has_task_spawner: Boolean(resolvedDependencies.taskSpawner),
|
|
@@ -2714,7 +2714,7 @@ var index = /*#__PURE__*/Object.freeze({
|
|
|
2714
2714
|
ChannelEncryptionManagerFactory: ChannelEncryptionManagerFactory
|
|
2715
2715
|
});
|
|
2716
2716
|
|
|
2717
|
-
const logger$
|
|
2717
|
+
const logger$c = getLogger$1("naylence.fame.security.encryption.default_secure_channel_manager");
|
|
2718
2718
|
const DEFAULT_ALGORITHM = "CHACHA20P1305";
|
|
2719
2719
|
const CHANNEL_KEY_LENGTH = 32;
|
|
2720
2720
|
const NONCE_PREFIX_LENGTH = 4;
|
|
@@ -2761,7 +2761,7 @@ class DefaultSecureChannelManager {
|
|
|
2761
2761
|
const privateKey = x25519.utils.randomSecretKey();
|
|
2762
2762
|
const publicKey = x25519.scalarMultBase(privateKey);
|
|
2763
2763
|
this.ephemeralKeys.set(channelId, privateKey);
|
|
2764
|
-
logger$
|
|
2764
|
+
logger$c.debug("generated_channel_open", { cid: channelId, algorithm });
|
|
2765
2765
|
return {
|
|
2766
2766
|
type: "SecureOpen",
|
|
2767
2767
|
cid: channelId,
|
|
@@ -2774,7 +2774,7 @@ class DefaultSecureChannelManager {
|
|
|
2774
2774
|
requireCryptoSupport();
|
|
2775
2775
|
const algorithm = frame.alg || DEFAULT_ALGORITHM;
|
|
2776
2776
|
if (!this.isSupportedAlgorithm(algorithm)) {
|
|
2777
|
-
logger$
|
|
2777
|
+
logger$c.warning("unsupported_channel_algorithm", {
|
|
2778
2778
|
cid: frame.cid,
|
|
2779
2779
|
alg: algorithm,
|
|
2780
2780
|
});
|
|
@@ -2792,7 +2792,7 @@ class DefaultSecureChannelManager {
|
|
|
2792
2792
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2793
2793
|
}
|
|
2794
2794
|
catch (error) {
|
|
2795
|
-
logger$
|
|
2795
|
+
logger$c.warning("invalid_peer_public_key", {
|
|
2796
2796
|
cid: frame.cid,
|
|
2797
2797
|
error: error instanceof Error ? error.message : String(error),
|
|
2798
2798
|
});
|
|
@@ -2814,7 +2814,7 @@ class DefaultSecureChannelManager {
|
|
|
2814
2814
|
algorithm,
|
|
2815
2815
|
});
|
|
2816
2816
|
this.channelsMap.set(frame.cid, channelState);
|
|
2817
|
-
logger$
|
|
2817
|
+
logger$c.debug("channel_established", { cid: frame.cid, algorithm });
|
|
2818
2818
|
myPrivateKey.fill(0);
|
|
2819
2819
|
sharedSecret.fill(0);
|
|
2820
2820
|
return {
|
|
@@ -2828,7 +2828,7 @@ class DefaultSecureChannelManager {
|
|
|
2828
2828
|
async handleAcceptFrame(frame) {
|
|
2829
2829
|
requireCryptoSupport();
|
|
2830
2830
|
if (frame.ok === false) {
|
|
2831
|
-
logger$
|
|
2831
|
+
logger$c.warning("channel_rejected", {
|
|
2832
2832
|
cid: frame.cid,
|
|
2833
2833
|
error: frame.reason,
|
|
2834
2834
|
});
|
|
@@ -2837,7 +2837,7 @@ class DefaultSecureChannelManager {
|
|
|
2837
2837
|
}
|
|
2838
2838
|
const privateKey = this.ephemeralKeys.get(frame.cid);
|
|
2839
2839
|
if (!privateKey) {
|
|
2840
|
-
logger$
|
|
2840
|
+
logger$c.error("no_ephemeral_key", { cid: frame.cid });
|
|
2841
2841
|
return false;
|
|
2842
2842
|
}
|
|
2843
2843
|
let peerPublicKey;
|
|
@@ -2845,7 +2845,7 @@ class DefaultSecureChannelManager {
|
|
|
2845
2845
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2846
2846
|
}
|
|
2847
2847
|
catch (error) {
|
|
2848
|
-
logger$
|
|
2848
|
+
logger$c.warning("invalid_accept_public_key", {
|
|
2849
2849
|
cid: frame.cid,
|
|
2850
2850
|
error: error instanceof Error ? error.message : String(error),
|
|
2851
2851
|
});
|
|
@@ -2860,17 +2860,17 @@ class DefaultSecureChannelManager {
|
|
|
2860
2860
|
algorithm,
|
|
2861
2861
|
});
|
|
2862
2862
|
this.channelsMap.set(frame.cid, channelState);
|
|
2863
|
-
logger$
|
|
2863
|
+
logger$c.debug("channel_completed", { cid: frame.cid, algorithm });
|
|
2864
2864
|
sharedSecret.fill(0);
|
|
2865
2865
|
this.cleanupEphemeralKey(frame.cid);
|
|
2866
2866
|
return true;
|
|
2867
2867
|
}
|
|
2868
2868
|
handleCloseFrame(frame) {
|
|
2869
2869
|
if (this.channelsMap.delete(frame.cid)) {
|
|
2870
|
-
logger$
|
|
2870
|
+
logger$c.debug("channel_closed", { cid: frame.cid, reason: frame.reason });
|
|
2871
2871
|
}
|
|
2872
2872
|
else {
|
|
2873
|
-
logger$
|
|
2873
|
+
logger$c.warning("close_unknown_channel", { cid: frame.cid });
|
|
2874
2874
|
}
|
|
2875
2875
|
this.cleanupEphemeralKey(frame.cid);
|
|
2876
2876
|
}
|
|
@@ -2897,7 +2897,7 @@ class DefaultSecureChannelManager {
|
|
|
2897
2897
|
}
|
|
2898
2898
|
closeChannel(channelId, reason = "User requested") {
|
|
2899
2899
|
if (this.channelsMap.delete(channelId)) {
|
|
2900
|
-
logger$
|
|
2900
|
+
logger$c.debug("channel_closed_by_user", { cid: channelId, reason });
|
|
2901
2901
|
}
|
|
2902
2902
|
this.cleanupEphemeralKey(channelId);
|
|
2903
2903
|
return {
|
|
@@ -2914,7 +2914,7 @@ class DefaultSecureChannelManager {
|
|
|
2914
2914
|
this.channelsMap.delete(channelId);
|
|
2915
2915
|
this.cleanupEphemeralKey(channelId);
|
|
2916
2916
|
removed += 1;
|
|
2917
|
-
logger$
|
|
2917
|
+
logger$c.debug("channel_expired_cleanup", { cid: channelId });
|
|
2918
2918
|
}
|
|
2919
2919
|
}
|
|
2920
2920
|
return removed;
|
|
@@ -2943,7 +2943,7 @@ class DefaultSecureChannelManager {
|
|
|
2943
2943
|
if (channelId.startsWith(prefix)) {
|
|
2944
2944
|
if (this.removeChannel(channelId)) {
|
|
2945
2945
|
removed += 1;
|
|
2946
|
-
logger$
|
|
2946
|
+
logger$c.debug("removed_channel_for_destination", {
|
|
2947
2947
|
channel_id: channelId,
|
|
2948
2948
|
destination,
|
|
2949
2949
|
});
|
|
@@ -2951,7 +2951,7 @@ class DefaultSecureChannelManager {
|
|
|
2951
2951
|
}
|
|
2952
2952
|
}
|
|
2953
2953
|
if (removed > 0) {
|
|
2954
|
-
logger$
|
|
2954
|
+
logger$c.info("cleanup_channels_for_destination", {
|
|
2955
2955
|
destination,
|
|
2956
2956
|
channels_removed: removed,
|
|
2957
2957
|
});
|
|
@@ -3044,7 +3044,7 @@ var defaultSecureChannelManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
3044
3044
|
default: DefaultSecureChannelManagerFactory
|
|
3045
3045
|
});
|
|
3046
3046
|
|
|
3047
|
-
const logger$
|
|
3047
|
+
const logger$b = getLogger$1("naylence.fame.security.encryption.encryption_manager_registry");
|
|
3048
3048
|
class EncryptionManagerFactoryRegistry {
|
|
3049
3049
|
constructor(autoDiscover = true) {
|
|
3050
3050
|
this.factories = [];
|
|
@@ -3066,7 +3066,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3066
3066
|
let registeredCount = 0;
|
|
3067
3067
|
for (const [factoryName, info] of extensionInfos) {
|
|
3068
3068
|
if (factoryName === "CompositeEncryptionManager") {
|
|
3069
|
-
logger$
|
|
3069
|
+
logger$b.debug("skipping_composite_factory_to_avoid_circular_dependency", {
|
|
3070
3070
|
factory_name: factoryName,
|
|
3071
3071
|
});
|
|
3072
3072
|
continue;
|
|
@@ -3076,7 +3076,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3076
3076
|
ExtensionManager.getGlobalFactory(ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, factoryName));
|
|
3077
3077
|
this.registerFactory(factoryInstance, { autoDiscovered: true });
|
|
3078
3078
|
registeredCount += 1;
|
|
3079
|
-
logger$
|
|
3079
|
+
logger$b.debug("auto_discovered_factory", {
|
|
3080
3080
|
factory_name: factoryName,
|
|
3081
3081
|
factory_class: factoryInstance.constructor.name,
|
|
3082
3082
|
algorithms: factoryInstance.getSupportedAlgorithms(),
|
|
@@ -3085,21 +3085,21 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3085
3085
|
});
|
|
3086
3086
|
}
|
|
3087
3087
|
catch (error) {
|
|
3088
|
-
logger$
|
|
3088
|
+
logger$b.warning("failed_to_auto_register_factory", {
|
|
3089
3089
|
factory_name: factoryName,
|
|
3090
3090
|
error: error instanceof Error ? error.message : String(error),
|
|
3091
3091
|
});
|
|
3092
3092
|
}
|
|
3093
3093
|
}
|
|
3094
3094
|
this.autoDiscovered = true;
|
|
3095
|
-
logger$
|
|
3095
|
+
logger$b.debug("completed_auto_discovery", {
|
|
3096
3096
|
registered_factories: registeredCount,
|
|
3097
3097
|
total_discovered: extensionInfos.size,
|
|
3098
3098
|
skipped_composite: true,
|
|
3099
3099
|
});
|
|
3100
3100
|
}
|
|
3101
3101
|
catch (error) {
|
|
3102
|
-
logger$
|
|
3102
|
+
logger$b.warning("failed_auto_discovery_of_factories", {
|
|
3103
3103
|
error: error instanceof Error ? error.message : String(error),
|
|
3104
3104
|
});
|
|
3105
3105
|
}
|
|
@@ -3117,7 +3117,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3117
3117
|
const existing = this.algorithmToFactory.get(algorithm);
|
|
3118
3118
|
if (!existing || factory.getPriority() > existing.getPriority()) {
|
|
3119
3119
|
this.algorithmToFactory.set(algorithm, factory);
|
|
3120
|
-
logger$
|
|
3120
|
+
logger$b.debug("registered_algorithm_mapping", {
|
|
3121
3121
|
algorithm,
|
|
3122
3122
|
factory: factory.constructor.name,
|
|
3123
3123
|
priority: factory.getPriority(),
|
|
@@ -3129,7 +3129,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3129
3129
|
typeFactories.push(factory);
|
|
3130
3130
|
typeFactories.sort((a, b) => b.getPriority() - a.getPriority());
|
|
3131
3131
|
this.typeToFactories.set(encryptionType, typeFactories);
|
|
3132
|
-
logger$
|
|
3132
|
+
logger$b.debug("registered_encryption_manager_factory", {
|
|
3133
3133
|
factory: factory.constructor.name,
|
|
3134
3134
|
encryption_type: encryptionType,
|
|
3135
3135
|
algorithms: factory.getSupportedAlgorithms(),
|
|
@@ -3145,14 +3145,14 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3145
3145
|
this.ensureAutoDiscovery();
|
|
3146
3146
|
for (const factory of this.factories) {
|
|
3147
3147
|
if (factory.supportsOptions(opts ?? undefined)) {
|
|
3148
|
-
logger$
|
|
3148
|
+
logger$b.debug("found_factory_for_options", {
|
|
3149
3149
|
factory: factory.constructor.name,
|
|
3150
3150
|
encryption_type: factory.getEncryptionType(),
|
|
3151
3151
|
});
|
|
3152
3152
|
return factory;
|
|
3153
3153
|
}
|
|
3154
3154
|
}
|
|
3155
|
-
logger$
|
|
3155
|
+
logger$b.debug("no_factory_found_for_options", { opts });
|
|
3156
3156
|
return undefined;
|
|
3157
3157
|
}
|
|
3158
3158
|
getFactoriesByType(encryptionType) {
|
|
@@ -3205,7 +3205,7 @@ function getEncryptionManagerFactoryRegistry() {
|
|
|
3205
3205
|
return globalRegistry;
|
|
3206
3206
|
}
|
|
3207
3207
|
|
|
3208
|
-
const logger$
|
|
3208
|
+
const logger$a = getLogger$1("naylence.fame.security.encryption.composite_encryption_manager");
|
|
3209
3209
|
const DEFAULT_SEALED_ALGORITHMS = [
|
|
3210
3210
|
"X25519",
|
|
3211
3211
|
"ECDH-ES+A256GCM",
|
|
@@ -3244,7 +3244,7 @@ class CompositeEncryptionManager {
|
|
|
3244
3244
|
return await manager.encryptEnvelope(envelope, opts);
|
|
3245
3245
|
}
|
|
3246
3246
|
catch (error) {
|
|
3247
|
-
logger$
|
|
3247
|
+
logger$a.error("composite_encrypt_failed", {
|
|
3248
3248
|
error: error instanceof Error ? error.message : String(error),
|
|
3249
3249
|
});
|
|
3250
3250
|
return EncryptionResult.skipped(envelope);
|
|
@@ -3263,7 +3263,7 @@ class CompositeEncryptionManager {
|
|
|
3263
3263
|
return await manager.decryptEnvelope(envelope, opts);
|
|
3264
3264
|
}
|
|
3265
3265
|
catch (error) {
|
|
3266
|
-
logger$
|
|
3266
|
+
logger$a.error("composite_decrypt_failed", {
|
|
3267
3267
|
algorithm,
|
|
3268
3268
|
error: error instanceof Error ? error.message : String(error),
|
|
3269
3269
|
});
|
|
@@ -3275,14 +3275,14 @@ class CompositeEncryptionManager {
|
|
|
3275
3275
|
if (factories.length === 0) {
|
|
3276
3276
|
return;
|
|
3277
3277
|
}
|
|
3278
|
-
logger$
|
|
3278
|
+
logger$a.debug("composite_notify_channel_established", {
|
|
3279
3279
|
channel_id: channelId,
|
|
3280
3280
|
});
|
|
3281
3281
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3282
3282
|
const channelAware = manager;
|
|
3283
3283
|
if (typeof channelAware.notifyChannelEstablished === "function") {
|
|
3284
3284
|
await channelAware.notifyChannelEstablished(channelId);
|
|
3285
|
-
logger$
|
|
3285
|
+
logger$a.debug("composite_channel_established_notified", {
|
|
3286
3286
|
factory: factoryKey,
|
|
3287
3287
|
channel_id: channelId,
|
|
3288
3288
|
});
|
|
@@ -3294,7 +3294,7 @@ class CompositeEncryptionManager {
|
|
|
3294
3294
|
if (factories.length === 0) {
|
|
3295
3295
|
return;
|
|
3296
3296
|
}
|
|
3297
|
-
logger$
|
|
3297
|
+
logger$a.debug("composite_notify_channel_failed", {
|
|
3298
3298
|
channel_id: channelId,
|
|
3299
3299
|
reason,
|
|
3300
3300
|
});
|
|
@@ -3302,7 +3302,7 @@ class CompositeEncryptionManager {
|
|
|
3302
3302
|
const channelAware = manager;
|
|
3303
3303
|
if (typeof channelAware.notifyChannelFailed === "function") {
|
|
3304
3304
|
await channelAware.notifyChannelFailed(channelId, reason);
|
|
3305
|
-
logger$
|
|
3305
|
+
logger$a.debug("composite_channel_failed_notified", {
|
|
3306
3306
|
factory: factoryKey,
|
|
3307
3307
|
channel_id: channelId,
|
|
3308
3308
|
reason,
|
|
@@ -3315,12 +3315,12 @@ class CompositeEncryptionManager {
|
|
|
3315
3315
|
if (factories.length === 0) {
|
|
3316
3316
|
return;
|
|
3317
3317
|
}
|
|
3318
|
-
logger$
|
|
3318
|
+
logger$a.debug("composite_notify_key_available", { key_id: keyId });
|
|
3319
3319
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3320
3320
|
const sealedAware = manager;
|
|
3321
3321
|
if (typeof sealedAware.notifyKeyAvailable === "function") {
|
|
3322
3322
|
await sealedAware.notifyKeyAvailable(keyId);
|
|
3323
|
-
logger$
|
|
3323
|
+
logger$a.debug("composite_key_available_notified", {
|
|
3324
3324
|
factory: factoryKey,
|
|
3325
3325
|
key_id: keyId,
|
|
3326
3326
|
});
|
|
@@ -3361,7 +3361,7 @@ class CompositeEncryptionManager {
|
|
|
3361
3361
|
async getManagerForOptions(opts) {
|
|
3362
3362
|
const factory = this.factoryRegistry.getFactoryForOptions(opts ?? undefined);
|
|
3363
3363
|
if (!factory) {
|
|
3364
|
-
logger$
|
|
3364
|
+
logger$a.debug("composite_no_factory_for_options", { opts });
|
|
3365
3365
|
return null;
|
|
3366
3366
|
}
|
|
3367
3367
|
return await this.getOrCreateManager(factory, "options");
|
|
@@ -3369,7 +3369,7 @@ class CompositeEncryptionManager {
|
|
|
3369
3369
|
async getManagerForAlgorithm(algorithm) {
|
|
3370
3370
|
const factory = this.factoryRegistry.getFactoryForAlgorithm(algorithm);
|
|
3371
3371
|
if (!factory) {
|
|
3372
|
-
logger$
|
|
3372
|
+
logger$a.debug("composite_no_factory_for_algorithm", { algorithm });
|
|
3373
3373
|
return null;
|
|
3374
3374
|
}
|
|
3375
3375
|
return await this.getOrCreateManager(factory, algorithm);
|
|
@@ -3394,7 +3394,7 @@ class CompositeEncryptionManager {
|
|
|
3394
3394
|
const manager = await factory.create(null, dependencies);
|
|
3395
3395
|
this.managerInstances.set(key, manager);
|
|
3396
3396
|
await this.applyNodeContext(manager, key);
|
|
3397
|
-
logger$
|
|
3397
|
+
logger$a.debug("composite_created_manager", {
|
|
3398
3398
|
factory: key,
|
|
3399
3399
|
context,
|
|
3400
3400
|
manager_type: manager.constructor.name,
|
|
@@ -3402,7 +3402,7 @@ class CompositeEncryptionManager {
|
|
|
3402
3402
|
return manager;
|
|
3403
3403
|
}
|
|
3404
3404
|
catch (error) {
|
|
3405
|
-
logger$
|
|
3405
|
+
logger$a.error("composite_create_manager_failed", {
|
|
3406
3406
|
factory: key,
|
|
3407
3407
|
context,
|
|
3408
3408
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3415,7 +3415,7 @@ class CompositeEncryptionManager {
|
|
|
3415
3415
|
const factoryKey = this.resolveFactoryKey(factory);
|
|
3416
3416
|
const manager = this.managerInstances.get(factoryKey);
|
|
3417
3417
|
if (!manager) {
|
|
3418
|
-
logger$
|
|
3418
|
+
logger$a.debug("composite_skip_notification_no_manager", {
|
|
3419
3419
|
factory: factoryKey,
|
|
3420
3420
|
});
|
|
3421
3421
|
continue;
|
|
@@ -3424,7 +3424,7 @@ class CompositeEncryptionManager {
|
|
|
3424
3424
|
await callback(manager, factoryKey);
|
|
3425
3425
|
}
|
|
3426
3426
|
catch (error) {
|
|
3427
|
-
logger$
|
|
3427
|
+
logger$a.error("composite_notify_manager_failed", {
|
|
3428
3428
|
factory: factoryKey,
|
|
3429
3429
|
error: error instanceof Error ? error.message : String(error),
|
|
3430
3430
|
});
|
|
@@ -3440,7 +3440,7 @@ class CompositeEncryptionManager {
|
|
|
3440
3440
|
await callback(manager);
|
|
3441
3441
|
}
|
|
3442
3442
|
catch (error) {
|
|
3443
|
-
logger$
|
|
3443
|
+
logger$a.error("composite_node_event_failed", {
|
|
3444
3444
|
manager: manager.constructor.name,
|
|
3445
3445
|
error: error instanceof Error ? error.message : String(error),
|
|
3446
3446
|
});
|
|
@@ -3457,7 +3457,7 @@ class CompositeEncryptionManager {
|
|
|
3457
3457
|
await manager.onNodeStarted?.(this.nodeLike);
|
|
3458
3458
|
}
|
|
3459
3459
|
catch (error) {
|
|
3460
|
-
logger$
|
|
3460
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3461
3461
|
stage: "onNodeStarted",
|
|
3462
3462
|
factory: factoryKey,
|
|
3463
3463
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3470,7 +3470,7 @@ class CompositeEncryptionManager {
|
|
|
3470
3470
|
await manager.onNodeAttachToUpstream?.(this.nodeLike, this.lastAttachInfo);
|
|
3471
3471
|
}
|
|
3472
3472
|
catch (error) {
|
|
3473
|
-
logger$
|
|
3473
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3474
3474
|
stage: "onNodeAttachToUpstream",
|
|
3475
3475
|
factory: factoryKey,
|
|
3476
3476
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3493,7 +3493,7 @@ class CompositeEncryptionManager {
|
|
|
3493
3493
|
const channelAware = manager;
|
|
3494
3494
|
if (typeof channelAware.clearChannelCacheForDestination === "function") {
|
|
3495
3495
|
channelAware.clearChannelCacheForDestination(destination);
|
|
3496
|
-
logger$
|
|
3496
|
+
logger$a.debug("composite_cleared_channel_cache", {
|
|
3497
3497
|
destination,
|
|
3498
3498
|
factory: factoryKey,
|
|
3499
3499
|
});
|
|
@@ -3513,7 +3513,7 @@ class CompositeEncryptionManager {
|
|
|
3513
3513
|
"function") {
|
|
3514
3514
|
const removed = this.secureChannelManager.removeChannelsForDestination(destination);
|
|
3515
3515
|
if (removed > 0) {
|
|
3516
|
-
logger$
|
|
3516
|
+
logger$a.debug("composite_removed_channels", {
|
|
3517
3517
|
destination,
|
|
3518
3518
|
count: removed,
|
|
3519
3519
|
});
|
|
@@ -3524,7 +3524,7 @@ class CompositeEncryptionManager {
|
|
|
3524
3524
|
}
|
|
3525
3525
|
}
|
|
3526
3526
|
|
|
3527
|
-
const logger$
|
|
3527
|
+
const logger$9 = getLogger$1("naylence.fame.security.encryption.composite_encryption_manager_factory");
|
|
3528
3528
|
const DEFAULT_PRIORITY = 1000;
|
|
3529
3529
|
const DEFAULT_ENCRYPTION_TYPE = "composite";
|
|
3530
3530
|
const FACTORY_META$a = {
|
|
@@ -3562,7 +3562,7 @@ class CompositeEncryptionManagerFactory extends EncryptionManagerFactory {
|
|
|
3562
3562
|
const supportedChannelAlgorithms = runtimeConfig?.supportedChannelAlgorithms ??
|
|
3563
3563
|
this.supportedChannelAlgorithms ??
|
|
3564
3564
|
undefined;
|
|
3565
|
-
logger$
|
|
3565
|
+
logger$9.debug("creating_composite_encryption_manager", {
|
|
3566
3566
|
has_secure_channel_manager: Boolean(resolved.secureChannelManager),
|
|
3567
3567
|
has_key_provider: Boolean(resolved.keyProvider),
|
|
3568
3568
|
has_crypto_provider: Boolean(resolved.cryptoProvider),
|
|
@@ -3935,7 +3935,7 @@ var eddsaEnvelopeVerifierFactory = /*#__PURE__*/Object.freeze({
|
|
|
3935
3935
|
default: AdvancedEdDSAEnvelopeVerifierFactory
|
|
3936
3936
|
});
|
|
3937
3937
|
|
|
3938
|
-
const logger$
|
|
3938
|
+
const logger$8 = getLogger$1("naylence.fame.security.keys.x5c_key_manager");
|
|
3939
3939
|
let x509ModulePromise$1 = null;
|
|
3940
3940
|
async function loadX509Module$1() {
|
|
3941
3941
|
if (!x509ModulePromise$1) {
|
|
@@ -3947,7 +3947,7 @@ async function loadX509Module$1() {
|
|
|
3947
3947
|
return null;
|
|
3948
3948
|
})
|
|
3949
3949
|
.catch((error) => {
|
|
3950
|
-
logger$
|
|
3950
|
+
logger$8.warning("certificate_module_unavailable", {
|
|
3951
3951
|
error: error instanceof Error ? error.message : String(error),
|
|
3952
3952
|
});
|
|
3953
3953
|
return null;
|
|
@@ -3978,16 +3978,16 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
3978
3978
|
async onNodeStarted(node) {
|
|
3979
3979
|
await this.inner.onNodeStarted(node);
|
|
3980
3980
|
this.startPurgeLoop();
|
|
3981
|
-
logger$
|
|
3981
|
+
logger$8.debug("x5c_key_manager_started", {
|
|
3982
3982
|
cert_purge_interval: this.certPurgeInterval,
|
|
3983
3983
|
});
|
|
3984
3984
|
}
|
|
3985
3985
|
async onNodeStopped(node) {
|
|
3986
|
-
logger$
|
|
3986
|
+
logger$8.debug("x5c_key_manager_stopping");
|
|
3987
3987
|
await this.shutdownTasks({ gracePeriod: 50, joinTimeout: 100 });
|
|
3988
3988
|
this.purgeTask = null;
|
|
3989
3989
|
await this.inner.onNodeStopped(node);
|
|
3990
|
-
logger$
|
|
3990
|
+
logger$8.debug("x5c_key_manager_stopped");
|
|
3991
3991
|
}
|
|
3992
3992
|
async getKey(kid) {
|
|
3993
3993
|
return this.inner.getKey(kid);
|
|
@@ -4024,7 +4024,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4024
4024
|
}
|
|
4025
4025
|
catch (error) {
|
|
4026
4026
|
if (error instanceof JWKValidationError) {
|
|
4027
|
-
logger$
|
|
4027
|
+
logger$8.warning("rejected_invalid_jwk_in_announce", {
|
|
4028
4028
|
kid: typeof key?.kid === "string" ? key.kid : "unknown",
|
|
4029
4029
|
from_system_id: systemId,
|
|
4030
4030
|
from_physical_path: physicalPath,
|
|
@@ -4037,7 +4037,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4037
4037
|
}
|
|
4038
4038
|
}
|
|
4039
4039
|
if (validKeys.length === 0) {
|
|
4040
|
-
logger$
|
|
4040
|
+
logger$8.warning("no_valid_keys_in_announce", {
|
|
4041
4041
|
from_system_id: systemId,
|
|
4042
4042
|
from_physical_path: physicalPath,
|
|
4043
4043
|
total_keys: keys.length,
|
|
@@ -4045,7 +4045,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4045
4045
|
});
|
|
4046
4046
|
return;
|
|
4047
4047
|
}
|
|
4048
|
-
logger$
|
|
4048
|
+
logger$8.debug("adding_keys", {
|
|
4049
4049
|
key_ids: validKeys.map((key) => typeof key?.kid === "string" ? key.kid : "unknown"),
|
|
4050
4050
|
source_system_id: systemId,
|
|
4051
4051
|
from_physical_path: physicalPath,
|
|
@@ -4056,7 +4056,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4056
4056
|
});
|
|
4057
4057
|
const hasEncryptionKeys = validKeys.some((key) => typeof key?.use === "string" && key.use === "enc");
|
|
4058
4058
|
if (hasEncryptionKeys) {
|
|
4059
|
-
logger$
|
|
4059
|
+
logger$8.debug("checking_for_old_encryption_keys_to_remove", {
|
|
4060
4060
|
physical_path: physicalPath,
|
|
4061
4061
|
origin,
|
|
4062
4062
|
new_enc_keys: validKeys
|
|
@@ -4084,7 +4084,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4084
4084
|
}
|
|
4085
4085
|
}
|
|
4086
4086
|
if (existingEncKeyIds.size > 0) {
|
|
4087
|
-
logger$
|
|
4087
|
+
logger$8.debug("found_existing_encryption_keys_across_paths", {
|
|
4088
4088
|
physical_path: physicalPath,
|
|
4089
4089
|
paths_checked: pathsWithOldKeys,
|
|
4090
4090
|
existing_enc_key_ids: Array.from(existingEncKeyIds),
|
|
@@ -4095,7 +4095,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4095
4095
|
.filter((kid) => kid.length > 0));
|
|
4096
4096
|
const keysToRemove = Array.from(existingEncKeyIds).filter((kid) => !newEncKeyIds.has(kid));
|
|
4097
4097
|
if (keysToRemove.length > 0) {
|
|
4098
|
-
logger$
|
|
4098
|
+
logger$8.info("removing_old_encryption_keys_for_key_rotation", {
|
|
4099
4099
|
physical_path: physicalPath,
|
|
4100
4100
|
paths_with_old_keys: pathsWithOldKeys,
|
|
4101
4101
|
old_key_ids: keysToRemove,
|
|
@@ -4104,7 +4104,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4104
4104
|
});
|
|
4105
4105
|
for (const kid of keysToRemove) {
|
|
4106
4106
|
await this.keyStore.removeKey(kid);
|
|
4107
|
-
logger$
|
|
4107
|
+
logger$8.debug("removed_old_encryption_key_from_all_paths", {
|
|
4108
4108
|
kid,
|
|
4109
4109
|
});
|
|
4110
4110
|
}
|
|
@@ -4112,7 +4112,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4112
4112
|
}
|
|
4113
4113
|
}
|
|
4114
4114
|
catch (error) {
|
|
4115
|
-
logger$
|
|
4115
|
+
logger$8.warning("failed_to_remove_old_encryption_keys", {
|
|
4116
4116
|
physical_path: physicalPath,
|
|
4117
4117
|
error: error instanceof Error ? error.message : String(error),
|
|
4118
4118
|
origin,
|
|
@@ -4146,10 +4146,10 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4146
4146
|
return this.inner.getKeysForPath(physicalPath);
|
|
4147
4147
|
}
|
|
4148
4148
|
async purgeExpiredCertificates() {
|
|
4149
|
-
logger$
|
|
4149
|
+
logger$8.debug("certificate_purge_starting");
|
|
4150
4150
|
const module = await loadX509Module$1();
|
|
4151
4151
|
if (!module) {
|
|
4152
|
-
logger$
|
|
4152
|
+
logger$8.warning("certificate_purge_skipped", {
|
|
4153
4153
|
reason: "x509_module_unavailable",
|
|
4154
4154
|
});
|
|
4155
4155
|
return 0;
|
|
@@ -4172,7 +4172,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4172
4172
|
const cert = new module.X509Certificate(raw);
|
|
4173
4173
|
const expiration = cert.notAfter;
|
|
4174
4174
|
if (expiration && expiration.getTime() < now.getTime()) {
|
|
4175
|
-
logger$
|
|
4175
|
+
logger$8.debug("expired_certificate_found", {
|
|
4176
4176
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4177
4177
|
physical_path: typeof key.physical_path === "string"
|
|
4178
4178
|
? key.physical_path
|
|
@@ -4191,7 +4191,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4191
4191
|
}
|
|
4192
4192
|
}
|
|
4193
4193
|
catch (error) {
|
|
4194
|
-
logger$
|
|
4194
|
+
logger$8.warning("certificate_parsing_failed_during_purge", {
|
|
4195
4195
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4196
4196
|
error: error instanceof Error ? error.message : String(error),
|
|
4197
4197
|
message: "Could not parse certificate for expiry check",
|
|
@@ -4205,20 +4205,20 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4205
4205
|
const removed = await this.keyStore.removeKey(keyInfo.kid);
|
|
4206
4206
|
if (removed) {
|
|
4207
4207
|
purgedCount += 1;
|
|
4208
|
-
logger$
|
|
4208
|
+
logger$8.debug("expired_certificate_purged", {
|
|
4209
4209
|
kid: keyInfo.kid,
|
|
4210
4210
|
physical_path: keyInfo.physicalPath ?? "unknown",
|
|
4211
4211
|
});
|
|
4212
4212
|
}
|
|
4213
4213
|
}
|
|
4214
4214
|
catch (error) {
|
|
4215
|
-
logger$
|
|
4215
|
+
logger$8.error("certificate_purge_failed", {
|
|
4216
4216
|
kid: keyInfo.kid,
|
|
4217
4217
|
error: error instanceof Error ? error.message : String(error),
|
|
4218
4218
|
});
|
|
4219
4219
|
}
|
|
4220
4220
|
}
|
|
4221
|
-
logger$
|
|
4221
|
+
logger$8.debug("certificate_purge_completed", {
|
|
4222
4222
|
purged_count: purgedCount,
|
|
4223
4223
|
});
|
|
4224
4224
|
return purgedCount;
|
|
@@ -4228,7 +4228,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4228
4228
|
return;
|
|
4229
4229
|
}
|
|
4230
4230
|
this.purgeTask = this.spawn(async (signal) => {
|
|
4231
|
-
logger$
|
|
4231
|
+
logger$8.debug("certificate_purge_loop_started", {
|
|
4232
4232
|
interval_seconds: this.certPurgeInterval,
|
|
4233
4233
|
});
|
|
4234
4234
|
try {
|
|
@@ -4249,13 +4249,13 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4249
4249
|
try {
|
|
4250
4250
|
const purged = await this.purgeExpiredCertificates();
|
|
4251
4251
|
if (purged > 0) {
|
|
4252
|
-
logger$
|
|
4252
|
+
logger$8.debug("certificate_purge_cycle_completed", {
|
|
4253
4253
|
purged_count: purged,
|
|
4254
4254
|
});
|
|
4255
4255
|
}
|
|
4256
4256
|
}
|
|
4257
4257
|
catch (error) {
|
|
4258
|
-
logger$
|
|
4258
|
+
logger$8.error("certificate_purge_cycle_failed", {
|
|
4259
4259
|
error: error instanceof Error ? error.message : String(error),
|
|
4260
4260
|
});
|
|
4261
4261
|
}
|
|
@@ -4263,16 +4263,16 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4263
4263
|
}
|
|
4264
4264
|
catch (error) {
|
|
4265
4265
|
if (signal?.aborted) {
|
|
4266
|
-
logger$
|
|
4266
|
+
logger$8.debug("certificate_purge_loop_cancelled");
|
|
4267
4267
|
}
|
|
4268
4268
|
else {
|
|
4269
|
-
logger$
|
|
4269
|
+
logger$8.error("certificate_purge_loop_failed", {
|
|
4270
4270
|
error: error instanceof Error ? error.message : String(error),
|
|
4271
4271
|
});
|
|
4272
4272
|
}
|
|
4273
4273
|
}
|
|
4274
4274
|
finally {
|
|
4275
|
-
logger$
|
|
4275
|
+
logger$8.debug("certificate_purge_loop_stopped");
|
|
4276
4276
|
}
|
|
4277
4277
|
}, { name: "cert-purge" });
|
|
4278
4278
|
}
|
|
@@ -4289,7 +4289,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4289
4289
|
});
|
|
4290
4290
|
}
|
|
4291
4291
|
catch (error) {
|
|
4292
|
-
logger$
|
|
4292
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4293
4293
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4294
4294
|
from_system_id: systemId,
|
|
4295
4295
|
from_physical_path: physicalPath,
|
|
@@ -4306,7 +4306,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4306
4306
|
if (result.isValid) {
|
|
4307
4307
|
return { accepted: true, skip: false };
|
|
4308
4308
|
}
|
|
4309
|
-
logger$
|
|
4309
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4310
4310
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4311
4311
|
from_system_id: systemId,
|
|
4312
4312
|
from_physical_path: physicalPath,
|
|
@@ -4331,7 +4331,7 @@ function resolveTrustStorePath() {
|
|
|
4331
4331
|
return process.env.FAME_CA_CERT_FILE ?? null;
|
|
4332
4332
|
}
|
|
4333
4333
|
catch (error) {
|
|
4334
|
-
logger$
|
|
4334
|
+
logger$8.debug("trust_store_resolution_failed", {
|
|
4335
4335
|
error: error instanceof Error ? error.message : String(error),
|
|
4336
4336
|
});
|
|
4337
4337
|
return null;
|
|
@@ -4539,7 +4539,7 @@ function utf8Decode(data) {
|
|
|
4539
4539
|
return decodeURIComponent(escape(str));
|
|
4540
4540
|
}
|
|
4541
4541
|
|
|
4542
|
-
const logger$
|
|
4542
|
+
const logger$7 = getLogger$1("naylence.fame.stickiness.aft_signer");
|
|
4543
4543
|
class AbstractAFTSigner {
|
|
4544
4544
|
constructor(kid, maxTtlSec = 7200) {
|
|
4545
4545
|
this.kid = kid;
|
|
@@ -4631,7 +4631,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4631
4631
|
return token;
|
|
4632
4632
|
}
|
|
4633
4633
|
catch (error) {
|
|
4634
|
-
logger$
|
|
4634
|
+
logger$7.error("aft_signing_failed", {
|
|
4635
4635
|
kid: this.kid,
|
|
4636
4636
|
algorithm: this.algorithm,
|
|
4637
4637
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4643,7 +4643,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4643
4643
|
if (!this.cryptoKeyPromise) {
|
|
4644
4644
|
this.cryptoKeyPromise = importPKCS8(this.privateKeyPem, this.algorithm).catch((error) => {
|
|
4645
4645
|
this.cryptoKeyPromise = null;
|
|
4646
|
-
logger$
|
|
4646
|
+
logger$7.error("aft_private_key_import_failed", {
|
|
4647
4647
|
kid: this.kid,
|
|
4648
4648
|
algorithm: this.algorithm,
|
|
4649
4649
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4681,7 +4681,7 @@ function createAftSigner(options) {
|
|
|
4681
4681
|
}
|
|
4682
4682
|
}
|
|
4683
4683
|
|
|
4684
|
-
const logger$
|
|
4684
|
+
const logger$6 = getLogger$1("naylence.fame.stickiness.aft_helper");
|
|
4685
4685
|
class AFTHelper {
|
|
4686
4686
|
constructor(options) {
|
|
4687
4687
|
this.signer = options.signer;
|
|
@@ -4695,7 +4695,7 @@ class AFTHelper {
|
|
|
4695
4695
|
let clientSid;
|
|
4696
4696
|
if (context?.stickySid) {
|
|
4697
4697
|
clientSid = context.stickySid;
|
|
4698
|
-
logger$
|
|
4698
|
+
logger$6.debug("client_sticky_sid_extracted", { client_sid: clientSid });
|
|
4699
4699
|
}
|
|
4700
4700
|
const signOptions = {
|
|
4701
4701
|
sid: this.nodeSid,
|
|
@@ -4717,7 +4717,7 @@ class AFTHelper {
|
|
|
4717
4717
|
envelope.meta.set = setMeta;
|
|
4718
4718
|
}
|
|
4719
4719
|
setMeta.aft = aftToken;
|
|
4720
|
-
logger$
|
|
4720
|
+
logger$6.debug("aft_instruction_added", {
|
|
4721
4721
|
envelope_id: envelope.id,
|
|
4722
4722
|
ttl_sec: ttlSec,
|
|
4723
4723
|
scope,
|
|
@@ -4726,7 +4726,7 @@ class AFTHelper {
|
|
|
4726
4726
|
return true;
|
|
4727
4727
|
}
|
|
4728
4728
|
catch (error) {
|
|
4729
|
-
logger$
|
|
4729
|
+
logger$6.error("aft_generation_failed", {
|
|
4730
4730
|
envelope_id: envelope.id,
|
|
4731
4731
|
error: error instanceof Error ? error.message : String(error),
|
|
4732
4732
|
});
|
|
@@ -4750,7 +4750,7 @@ function createAftHelper(options) {
|
|
|
4750
4750
|
}
|
|
4751
4751
|
const DEFAULT_STICKINESS_SECURITY_LEVEL = StickinessMode.SIGNED_OPTIONAL;
|
|
4752
4752
|
|
|
4753
|
-
const logger$
|
|
4753
|
+
const logger$5 = getLogger$1("naylence.fame.stickiness.aft_verifier");
|
|
4754
4754
|
function decodeToken(token) {
|
|
4755
4755
|
const parts = token.split(".");
|
|
4756
4756
|
if (parts.length !== 3) {
|
|
@@ -4783,7 +4783,7 @@ function decodeToken(token) {
|
|
|
4783
4783
|
return { header, claims };
|
|
4784
4784
|
}
|
|
4785
4785
|
catch (error) {
|
|
4786
|
-
logger$
|
|
4786
|
+
logger$5.debug("aft_decoding_failed", {
|
|
4787
4787
|
error: error instanceof Error ? error.message : String(error),
|
|
4788
4788
|
});
|
|
4789
4789
|
return null;
|
|
@@ -4845,7 +4845,7 @@ class BaseAFTVerifier {
|
|
|
4845
4845
|
signatureValid = await this.verifySignature(token, header, claims);
|
|
4846
4846
|
}
|
|
4847
4847
|
catch (error) {
|
|
4848
|
-
logger$
|
|
4848
|
+
logger$5.debug("aft_signature_verification_failed", {
|
|
4849
4849
|
kid: header.kid,
|
|
4850
4850
|
algorithm: header.alg,
|
|
4851
4851
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4891,7 +4891,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4891
4891
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4892
4892
|
}
|
|
4893
4893
|
catch (error) {
|
|
4894
|
-
logger$
|
|
4894
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4895
4895
|
kid: header.kid,
|
|
4896
4896
|
error: error instanceof Error ? error.message : String(error),
|
|
4897
4897
|
});
|
|
@@ -4906,7 +4906,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4906
4906
|
return protectedHeader.alg === header.alg;
|
|
4907
4907
|
}
|
|
4908
4908
|
catch (error) {
|
|
4909
|
-
logger$
|
|
4909
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4910
4910
|
kid: header.kid,
|
|
4911
4911
|
algorithm: header.alg,
|
|
4912
4912
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4935,7 +4935,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4935
4935
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4936
4936
|
}
|
|
4937
4937
|
catch (error) {
|
|
4938
|
-
logger$
|
|
4938
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4939
4939
|
kid: header.kid,
|
|
4940
4940
|
error: error instanceof Error ? error.message : String(error),
|
|
4941
4941
|
});
|
|
@@ -4950,7 +4950,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4950
4950
|
return protectedHeader.alg === header.alg;
|
|
4951
4951
|
}
|
|
4952
4952
|
catch (error) {
|
|
4953
|
-
logger$
|
|
4953
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4954
4954
|
kid: header.kid,
|
|
4955
4955
|
algorithm: header.alg,
|
|
4956
4956
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4985,7 +4985,7 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
4985
4985
|
return key;
|
|
4986
4986
|
}
|
|
4987
4987
|
catch (error) {
|
|
4988
|
-
logger$
|
|
4988
|
+
logger$5.debug("aft_jwk_import_failed", {
|
|
4989
4989
|
kid: keyRecord.kid,
|
|
4990
4990
|
algorithm,
|
|
4991
4991
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -5006,14 +5006,14 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
5006
5006
|
return key;
|
|
5007
5007
|
}
|
|
5008
5008
|
catch (error) {
|
|
5009
|
-
logger$
|
|
5009
|
+
logger$5.debug("aft_spki_import_failed", {
|
|
5010
5010
|
kid: keyRecord.kid,
|
|
5011
5011
|
algorithm,
|
|
5012
5012
|
error: error instanceof Error ? error.message : String(error),
|
|
5013
5013
|
});
|
|
5014
5014
|
}
|
|
5015
5015
|
}
|
|
5016
|
-
logger$
|
|
5016
|
+
logger$5.debug("aft_verification_key_unavailable", {
|
|
5017
5017
|
kid: keyRecord.kid,
|
|
5018
5018
|
algorithm,
|
|
5019
5019
|
});
|
|
@@ -5036,7 +5036,7 @@ function createAftVerifier(options) {
|
|
|
5036
5036
|
}
|
|
5037
5037
|
}
|
|
5038
5038
|
|
|
5039
|
-
const logger$
|
|
5039
|
+
const logger$4 = getLogger$1("naylence.fame.stickiness.aft_load_balancer_stickiness_manager");
|
|
5040
5040
|
class AFTAssociation {
|
|
5041
5041
|
constructor(params) {
|
|
5042
5042
|
this.replicaId = params.replicaId;
|
|
@@ -5075,7 +5075,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5075
5075
|
};
|
|
5076
5076
|
this.config = config;
|
|
5077
5077
|
this.verifier = verifier;
|
|
5078
|
-
logger$
|
|
5078
|
+
logger$4.debug("stickiness_manager_initialized", {
|
|
5079
5079
|
enabled: this.config.enabled,
|
|
5080
5080
|
security_level: this.config.securityLevel,
|
|
5081
5081
|
verifier_type: verifier.constructor.name,
|
|
@@ -5093,14 +5093,14 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5093
5093
|
negotiate(stickiness) {
|
|
5094
5094
|
if (!stickiness) {
|
|
5095
5095
|
if (this.config.enabled) {
|
|
5096
|
-
logger$
|
|
5096
|
+
logger$4.debug("stickiness_negotiated_no_offer_attr_fallback");
|
|
5097
5097
|
return { enabled: true, mode: "attr", version: 1 };
|
|
5098
5098
|
}
|
|
5099
5099
|
return null;
|
|
5100
5100
|
}
|
|
5101
5101
|
const version = stickiness.version ?? 1;
|
|
5102
5102
|
if (!this.config.enabled) {
|
|
5103
|
-
logger$
|
|
5103
|
+
logger$4.debug("stickiness_negotiation_disabled_by_config");
|
|
5104
5104
|
return { enabled: false, version };
|
|
5105
5105
|
}
|
|
5106
5106
|
const childModes = new Set();
|
|
@@ -5121,32 +5121,32 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5121
5121
|
ttlSec: ttl,
|
|
5122
5122
|
version,
|
|
5123
5123
|
};
|
|
5124
|
-
logger$
|
|
5124
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode, ttl });
|
|
5125
5125
|
return policy;
|
|
5126
5126
|
}
|
|
5127
5127
|
if (childModes.has("attr")) {
|
|
5128
5128
|
const policy = { enabled: true, mode: "attr", version };
|
|
5129
|
-
logger$
|
|
5129
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode });
|
|
5130
5130
|
return policy;
|
|
5131
5131
|
}
|
|
5132
|
-
logger$
|
|
5132
|
+
logger$4.debug("stickiness_negotiation_no_common_mode");
|
|
5133
5133
|
return { enabled: false, version };
|
|
5134
5134
|
}
|
|
5135
5135
|
async handleOutboundEnvelope(envelope, replicaId) {
|
|
5136
5136
|
if (!this.config.enabled) {
|
|
5137
|
-
logger$
|
|
5137
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5138
5138
|
return null;
|
|
5139
5139
|
}
|
|
5140
5140
|
const aftToken = extractAftInstruction(envelope);
|
|
5141
5141
|
if (!aftToken) {
|
|
5142
|
-
logger$
|
|
5142
|
+
logger$4.debug("no_aft_instruction", {
|
|
5143
5143
|
envelope_id: envelope.id,
|
|
5144
5144
|
has_meta: Boolean(envelope.meta),
|
|
5145
5145
|
});
|
|
5146
5146
|
return null;
|
|
5147
5147
|
}
|
|
5148
5148
|
if (typeof aftToken !== "string") {
|
|
5149
|
-
logger$
|
|
5149
|
+
logger$4.warning("invalid_aft_instruction", {
|
|
5150
5150
|
envelope_id: envelope.id,
|
|
5151
5151
|
replica_id: replicaId,
|
|
5152
5152
|
reason: "set.aft value is not a string",
|
|
@@ -5156,7 +5156,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5156
5156
|
const verification = await this.verifier.verify(aftToken, envelope.sid ?? undefined);
|
|
5157
5157
|
if (!verification.valid) {
|
|
5158
5158
|
this.metrics.verifyFailures += 1;
|
|
5159
|
-
logger$
|
|
5159
|
+
logger$4.warning("aft_verification_failed", {
|
|
5160
5160
|
envelope_id: envelope.id,
|
|
5161
5161
|
replica_id: replicaId,
|
|
5162
5162
|
error: verification.error,
|
|
@@ -5174,14 +5174,14 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5174
5174
|
});
|
|
5175
5175
|
if (verification.clientSid) {
|
|
5176
5176
|
this.sidCache.set(verification.clientSid, replicaId);
|
|
5177
|
-
logger$
|
|
5177
|
+
logger$4.debug("sid_cache_updated", {
|
|
5178
5178
|
envelope_id: envelope.id,
|
|
5179
5179
|
client_sid: verification.clientSid,
|
|
5180
5180
|
replica_id: replicaId,
|
|
5181
5181
|
});
|
|
5182
5182
|
}
|
|
5183
5183
|
this.metrics.associationsCreated += 1;
|
|
5184
|
-
logger$
|
|
5184
|
+
logger$4.debug("aft_association_created", {
|
|
5185
5185
|
envelope_id: envelope.id,
|
|
5186
5186
|
replica_id: replicaId,
|
|
5187
5187
|
sid: verification.sid,
|
|
@@ -5193,14 +5193,14 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5193
5193
|
}
|
|
5194
5194
|
getStickyReplicaSegment(envelope, segments) {
|
|
5195
5195
|
if (!this.config.enabled) {
|
|
5196
|
-
logger$
|
|
5196
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5197
5197
|
return null;
|
|
5198
5198
|
}
|
|
5199
5199
|
if (envelope.aft) {
|
|
5200
5200
|
const replicaId = this.routeByAft(envelope.aft, envelope);
|
|
5201
5201
|
if (replicaId) {
|
|
5202
5202
|
this.metrics.cacheHits += 1;
|
|
5203
|
-
logger$
|
|
5203
|
+
logger$4.debug("aft_routed_envelope", {
|
|
5204
5204
|
envelope_id: envelope.id,
|
|
5205
5205
|
replica_id: replicaId,
|
|
5206
5206
|
routing_type: "aft_direct",
|
|
@@ -5213,7 +5213,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5213
5213
|
if (cachedReplica) {
|
|
5214
5214
|
if (this.config.securityLevel === StickinessMode.SID_ONLY) {
|
|
5215
5215
|
this.metrics.cacheHits += 1;
|
|
5216
|
-
logger$
|
|
5216
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5217
5217
|
envelope_id: envelope.id,
|
|
5218
5218
|
replica_id: cachedReplica,
|
|
5219
5219
|
sid: envelope.sid,
|
|
@@ -5226,7 +5226,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5226
5226
|
!association.isExpired()) {
|
|
5227
5227
|
envelope.aft = token;
|
|
5228
5228
|
this.metrics.cacheHits += 1;
|
|
5229
|
-
logger$
|
|
5229
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5230
5230
|
envelope_id: envelope.id,
|
|
5231
5231
|
replica_id: cachedReplica,
|
|
5232
5232
|
sid: envelope.sid,
|
|
@@ -5236,7 +5236,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5236
5236
|
}
|
|
5237
5237
|
}
|
|
5238
5238
|
this.metrics.cacheHits += 1;
|
|
5239
|
-
logger$
|
|
5239
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5240
5240
|
envelope_id: envelope.id,
|
|
5241
5241
|
replica_id: cachedReplica,
|
|
5242
5242
|
sid: envelope.sid,
|
|
@@ -5244,7 +5244,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5244
5244
|
});
|
|
5245
5245
|
return cachedReplica;
|
|
5246
5246
|
}
|
|
5247
|
-
logger$
|
|
5247
|
+
logger$4.debug("no_cached_replica_for_sid", {
|
|
5248
5248
|
envelope_id: envelope.id,
|
|
5249
5249
|
sid: envelope.sid,
|
|
5250
5250
|
});
|
|
@@ -5253,7 +5253,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5253
5253
|
const index = computeDeterministicIndex(envelope.sid, segments.length);
|
|
5254
5254
|
const chosen = segments[index];
|
|
5255
5255
|
this.metrics.cacheHits += 1;
|
|
5256
|
-
logger$
|
|
5256
|
+
logger$4.debug("sid_based_deterministic_choice", {
|
|
5257
5257
|
envelope_id: envelope.id,
|
|
5258
5258
|
sid: envelope.sid,
|
|
5259
5259
|
chosen,
|
|
@@ -5262,7 +5262,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5262
5262
|
return chosen;
|
|
5263
5263
|
}
|
|
5264
5264
|
this.metrics.cacheMisses += 1;
|
|
5265
|
-
logger$
|
|
5265
|
+
logger$4.debug("no_stickiness_routing", {
|
|
5266
5266
|
envelope_id: envelope.id,
|
|
5267
5267
|
has_aft: Boolean(envelope.aft),
|
|
5268
5268
|
has_sid: Boolean(envelope.sid),
|
|
@@ -5282,7 +5282,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5282
5282
|
}
|
|
5283
5283
|
if (expiredTokens.length > 0) {
|
|
5284
5284
|
this.metrics.associationsExpired += expiredTokens.length;
|
|
5285
|
-
logger$
|
|
5285
|
+
logger$4.debug("cleaned_expired_associations", {
|
|
5286
5286
|
count: expiredTokens.length,
|
|
5287
5287
|
});
|
|
5288
5288
|
}
|
|
@@ -5298,7 +5298,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5298
5298
|
this.removeAssociation(token);
|
|
5299
5299
|
}
|
|
5300
5300
|
if (tokensToRemove.length > 0) {
|
|
5301
|
-
logger$
|
|
5301
|
+
logger$4.debug("removed_associations_for_departed_replica", {
|
|
5302
5302
|
replica_id: replicaId,
|
|
5303
5303
|
count: tokensToRemove.length,
|
|
5304
5304
|
});
|
|
@@ -5306,7 +5306,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5306
5306
|
}
|
|
5307
5307
|
handleReplicaLeft(replicaId) {
|
|
5308
5308
|
this.replicaLeft(replicaId);
|
|
5309
|
-
logger$
|
|
5309
|
+
logger$4.debug("stickiness_replica_cleanup", { replica_id: replicaId });
|
|
5310
5310
|
}
|
|
5311
5311
|
getMetrics() {
|
|
5312
5312
|
return {
|
|
@@ -5339,7 +5339,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5339
5339
|
const misses = this.metrics.cacheMisses;
|
|
5340
5340
|
const total = hits + misses;
|
|
5341
5341
|
const hitRate = total > 0 ? Math.round((hits / total) * 10000) / 100 : 0;
|
|
5342
|
-
logger$
|
|
5342
|
+
logger$4.info("stickiness_metrics_report", {
|
|
5343
5343
|
enabled: this.config.enabled,
|
|
5344
5344
|
security_level: this.config.securityLevel,
|
|
5345
5345
|
cache_hits: hits,
|
|
@@ -5353,7 +5353,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5353
5353
|
});
|
|
5354
5354
|
}
|
|
5355
5355
|
async onDeliver(_node, envelope, context) {
|
|
5356
|
-
logger$
|
|
5356
|
+
logger$4.debug("stickiness_manager_on_deliver", {
|
|
5357
5357
|
envelope_id: envelope.id,
|
|
5358
5358
|
origin_type: context?.originType ?? "unknown",
|
|
5359
5359
|
from_system_id: context?.fromSystemId ?? null,
|
|
@@ -5361,7 +5361,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5361
5361
|
if (context?.originType === DeliveryOriginType$1.DOWNSTREAM) {
|
|
5362
5362
|
const sourceRoute = context.fromSystemId;
|
|
5363
5363
|
if (sourceRoute) {
|
|
5364
|
-
logger$
|
|
5364
|
+
logger$4.debug("processing_downstream_envelope", {
|
|
5365
5365
|
envelope_id: envelope.id,
|
|
5366
5366
|
source_route: sourceRoute,
|
|
5367
5367
|
});
|
|
@@ -5369,7 +5369,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5369
5369
|
envelope.sid &&
|
|
5370
5370
|
!this.sidCache.has(envelope.sid)) {
|
|
5371
5371
|
this.sidCache.set(envelope.sid, sourceRoute);
|
|
5372
|
-
logger$
|
|
5372
|
+
logger$4.debug("sid_only_association_recorded", {
|
|
5373
5373
|
envelope_id: envelope.id,
|
|
5374
5374
|
sid: envelope.sid,
|
|
5375
5375
|
replica_id: sourceRoute,
|
|
@@ -5378,27 +5378,27 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5378
5378
|
const hadInstruction = Boolean(extractAftInstruction(envelope));
|
|
5379
5379
|
const token = await this.handleOutboundEnvelope(envelope, sourceRoute);
|
|
5380
5380
|
if (hadInstruction) {
|
|
5381
|
-
logger$
|
|
5381
|
+
logger$4.debug("processed_aft_setter_instruction", {
|
|
5382
5382
|
envelope_id: envelope.id,
|
|
5383
5383
|
source_route: sourceRoute,
|
|
5384
5384
|
client_echo: Boolean(token),
|
|
5385
5385
|
});
|
|
5386
5386
|
}
|
|
5387
5387
|
else {
|
|
5388
|
-
logger$
|
|
5388
|
+
logger$4.debug("no_aft_setter_instruction", {
|
|
5389
5389
|
envelope_id: envelope.id,
|
|
5390
5390
|
source_route: sourceRoute,
|
|
5391
5391
|
});
|
|
5392
5392
|
}
|
|
5393
5393
|
}
|
|
5394
5394
|
else {
|
|
5395
|
-
logger$
|
|
5395
|
+
logger$4.debug("downstream_envelope_without_source_route", {
|
|
5396
5396
|
envelope_id: envelope.id,
|
|
5397
5397
|
});
|
|
5398
5398
|
}
|
|
5399
5399
|
}
|
|
5400
5400
|
else {
|
|
5401
|
-
logger$
|
|
5401
|
+
logger$4.debug("envelope_not_from_downstream", {
|
|
5402
5402
|
envelope_id: envelope.id,
|
|
5403
5403
|
});
|
|
5404
5404
|
}
|
|
@@ -5439,7 +5439,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5439
5439
|
}
|
|
5440
5440
|
if (this.verifier.securityLevel === StickinessMode.STRICT &&
|
|
5441
5441
|
association.isLowTrust()) {
|
|
5442
|
-
logger$
|
|
5442
|
+
logger$4.warning("rejecting_low_trust_association", {
|
|
5443
5443
|
envelope_id: envelope.id,
|
|
5444
5444
|
replica_id: association.replicaId,
|
|
5445
5445
|
reason: "strict mode rejects low-trust associations",
|
|
@@ -5546,7 +5546,7 @@ var aftLoadBalancerStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5546
5546
|
default: AFTLoadBalancerStickinessManagerFactory
|
|
5547
5547
|
});
|
|
5548
5548
|
|
|
5549
|
-
const logger$
|
|
5549
|
+
const logger$3 = getLogger$1("naylence.fame.stickiness.aft_replica_stickiness_manager");
|
|
5550
5550
|
function isStickinessRequired(context) {
|
|
5551
5551
|
if (typeof context.stickinessRequired === "boolean") {
|
|
5552
5552
|
return context.stickinessRequired;
|
|
@@ -5566,14 +5566,14 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5566
5566
|
this.isInitialized = this.aftHelper !== null;
|
|
5567
5567
|
this.negotiatedStickiness = null;
|
|
5568
5568
|
if (this.aftHelper) {
|
|
5569
|
-
logger$
|
|
5569
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5570
5570
|
helper_type: this.aftHelper.signer.constructor.name,
|
|
5571
5571
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5572
5572
|
max_ttl_sec: this.aftHelper.maxTtlSec,
|
|
5573
5573
|
});
|
|
5574
5574
|
}
|
|
5575
5575
|
else {
|
|
5576
|
-
logger$
|
|
5576
|
+
logger$3.debug("aft_replica_stickiness_manager_created", {
|
|
5577
5577
|
security_level: this.securityLevel,
|
|
5578
5578
|
max_ttl_sec: this.maxTtlSec,
|
|
5579
5579
|
});
|
|
@@ -5584,7 +5584,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5584
5584
|
}
|
|
5585
5585
|
accept(stickiness) {
|
|
5586
5586
|
this.negotiatedStickiness = stickiness ?? null;
|
|
5587
|
-
logger$
|
|
5587
|
+
logger$3.debug("replica_stickiness_policy_set", {
|
|
5588
5588
|
enabled: stickiness?.enabled ?? null,
|
|
5589
5589
|
mode: stickiness?.mode ?? null,
|
|
5590
5590
|
ttl: stickiness?.ttlSec ?? null,
|
|
@@ -5596,7 +5596,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5596
5596
|
}
|
|
5597
5597
|
const helper = this.aftHelper;
|
|
5598
5598
|
if (!helper) {
|
|
5599
|
-
logger$
|
|
5599
|
+
logger$3.debug("aft_helper_not_ready_skip_injection", {
|
|
5600
5600
|
envelope_id: envelope.id,
|
|
5601
5601
|
delivery_origin: context.originType ?? null,
|
|
5602
5602
|
reason: "not_initialized",
|
|
@@ -5612,7 +5612,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5612
5612
|
(negotiated.mode !== null &&
|
|
5613
5613
|
negotiated.mode !== undefined &&
|
|
5614
5614
|
negotiated.mode !== "aft")) {
|
|
5615
|
-
logger$
|
|
5615
|
+
logger$3.debug("aft_injection_skipped_due_to_policy", {
|
|
5616
5616
|
envelope_id: envelope.id,
|
|
5617
5617
|
policy_mode: negotiated.mode ?? null,
|
|
5618
5618
|
policy_enabled: negotiated.enabled ?? null,
|
|
@@ -5620,7 +5620,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5620
5620
|
return envelope;
|
|
5621
5621
|
}
|
|
5622
5622
|
}
|
|
5623
|
-
logger$
|
|
5623
|
+
logger$3.debug("applying_aft_for_upstream_stickiness_required", {
|
|
5624
5624
|
envelope_id: envelope.id,
|
|
5625
5625
|
from_system_id: context.fromSystemId ?? null,
|
|
5626
5626
|
delivery_origin: context.originType ?? null,
|
|
@@ -5631,14 +5631,14 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5631
5631
|
context: stickinessContext,
|
|
5632
5632
|
});
|
|
5633
5633
|
if (success) {
|
|
5634
|
-
logger$
|
|
5634
|
+
logger$3.debug("aft_token_applied_via_context_flag_upstream", {
|
|
5635
5635
|
envelope_id: envelope.id,
|
|
5636
5636
|
from_system_id: context.fromSystemId ?? null,
|
|
5637
5637
|
delivery_origin: context.originType ?? null,
|
|
5638
5638
|
});
|
|
5639
5639
|
}
|
|
5640
5640
|
else {
|
|
5641
|
-
logger$
|
|
5641
|
+
logger$3.debug("aft_token_not_applied_upstream", {
|
|
5642
5642
|
envelope_id: envelope.id,
|
|
5643
5643
|
delivery_origin: context.originType ?? null,
|
|
5644
5644
|
reason: "helper_returned_false",
|
|
@@ -5654,19 +5654,19 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5654
5654
|
}
|
|
5655
5655
|
if (this.aftHelper && node.sid) {
|
|
5656
5656
|
this.updateNodeSid(node.sid);
|
|
5657
|
-
logger$
|
|
5657
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5658
5658
|
node_id: node.id ?? "unknown",
|
|
5659
5659
|
node_sid: node.sid,
|
|
5660
5660
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5661
5661
|
});
|
|
5662
5662
|
}
|
|
5663
5663
|
else if (!node.sid) {
|
|
5664
|
-
logger$
|
|
5664
|
+
logger$3.warning("aft_replica_stickiness_manager_no_sid_available", {
|
|
5665
5665
|
node_id: node.id ?? "unknown",
|
|
5666
5666
|
});
|
|
5667
5667
|
}
|
|
5668
5668
|
else {
|
|
5669
|
-
logger$
|
|
5669
|
+
logger$3.error("aft_replica_stickiness_manager_node_missing_sid", {
|
|
5670
5670
|
node_type: node.constructor?.name ?? typeof node,
|
|
5671
5671
|
});
|
|
5672
5672
|
}
|
|
@@ -5674,7 +5674,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5674
5674
|
updateNodeSid(nodeSid) {
|
|
5675
5675
|
if (this.aftHelper) {
|
|
5676
5676
|
this.aftHelper.nodeSid = nodeSid;
|
|
5677
|
-
logger$
|
|
5677
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5678
5678
|
new_sid: nodeSid,
|
|
5679
5679
|
});
|
|
5680
5680
|
}
|
|
@@ -5682,14 +5682,14 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5682
5682
|
async initializeAftHelper(node) {
|
|
5683
5683
|
const nodeSid = node.sid;
|
|
5684
5684
|
if (!nodeSid) {
|
|
5685
|
-
logger$
|
|
5685
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_sid", {
|
|
5686
5686
|
node_id: node.id ?? "unknown",
|
|
5687
5687
|
});
|
|
5688
5688
|
return;
|
|
5689
5689
|
}
|
|
5690
5690
|
const cryptoProvider = node.cryptoProvider ?? null;
|
|
5691
5691
|
if (!cryptoProvider) {
|
|
5692
|
-
logger$
|
|
5692
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_crypto_provider", {
|
|
5693
5693
|
node_id: node.id ?? "unknown",
|
|
5694
5694
|
});
|
|
5695
5695
|
return;
|
|
@@ -5702,7 +5702,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5702
5702
|
? cryptoProvider.signingPrivatePem
|
|
5703
5703
|
: null;
|
|
5704
5704
|
if (this.securityLevel === StickinessMode.STRICT && !privateKeyPem) {
|
|
5705
|
-
logger$
|
|
5705
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5706
5706
|
node_id: node.id ?? "unknown",
|
|
5707
5707
|
error: "Missing signing private key for strict security level",
|
|
5708
5708
|
});
|
|
@@ -5718,7 +5718,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5718
5718
|
});
|
|
5719
5719
|
this.aftHelper = helper;
|
|
5720
5720
|
this.isInitialized = true;
|
|
5721
|
-
logger$
|
|
5721
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5722
5722
|
node_id: node.id ?? "unknown",
|
|
5723
5723
|
node_sid: nodeSid,
|
|
5724
5724
|
key_id: keyId,
|
|
@@ -5726,7 +5726,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5726
5726
|
});
|
|
5727
5727
|
}
|
|
5728
5728
|
catch (error) {
|
|
5729
|
-
logger$
|
|
5729
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5730
5730
|
node_id: node.id ?? "unknown",
|
|
5731
5731
|
error: error instanceof Error ? error.message : String(error),
|
|
5732
5732
|
});
|
|
@@ -5796,7 +5796,7 @@ var aftReplicaStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5796
5796
|
default: AFTReplicaStickinessManagerFactory
|
|
5797
5797
|
});
|
|
5798
5798
|
|
|
5799
|
-
const logger$
|
|
5799
|
+
const logger$2 = getLogger$1("naylence.fame.welcome.advanced_welcome_service");
|
|
5800
5800
|
const ENV_VAR_SHOW_ENVELOPES = "FAME_SHOW_ENVELOPES";
|
|
5801
5801
|
const DEFAULT_TTL_SEC = 3600;
|
|
5802
5802
|
const showEnvelopes = typeof process !== "undefined" &&
|
|
@@ -5839,7 +5839,7 @@ class AdvancedWelcomeService {
|
|
|
5839
5839
|
typeof options.ttlSec === "number" && Number.isFinite(options.ttlSec)
|
|
5840
5840
|
? Math.max(0, options.ttlSec)
|
|
5841
5841
|
: DEFAULT_TTL_SEC;
|
|
5842
|
-
logger$
|
|
5842
|
+
logger$2.debug("initialized_advanced_welcome_service", {
|
|
5843
5843
|
ca_service_url: this.caServiceUrl,
|
|
5844
5844
|
ttl_sec: this.ttlSec,
|
|
5845
5845
|
});
|
|
@@ -5859,7 +5859,7 @@ class AdvancedWelcomeService {
|
|
|
5859
5859
|
// eslint-disable-next-line no-console
|
|
5860
5860
|
console.log(`\n${formatTimestampForConsole()} - ${color("Received envelope 📨", AnsiColor.BLUE)}\n${prettyModel(normalizedHello)}`);
|
|
5861
5861
|
}
|
|
5862
|
-
logger$
|
|
5862
|
+
logger$2.debug("starting_hello_frame_processing", {
|
|
5863
5863
|
instanceId: normalizedHello.instanceId,
|
|
5864
5864
|
systemId,
|
|
5865
5865
|
logicals: normalizedHello.logicals,
|
|
@@ -5876,35 +5876,35 @@ class AdvancedWelcomeService {
|
|
|
5876
5876
|
fullMetadata.instance_id = normalizedHello.instanceId;
|
|
5877
5877
|
}
|
|
5878
5878
|
}
|
|
5879
|
-
logger$
|
|
5879
|
+
logger$2.debug("system_id_assignment_completed", {
|
|
5880
5880
|
systemId,
|
|
5881
5881
|
wasAssigned,
|
|
5882
5882
|
});
|
|
5883
5883
|
if (normalizedHello.logicals?.length) {
|
|
5884
|
-
logger$
|
|
5884
|
+
logger$2.debug("validating_logicals_for_dns_compatibility", {
|
|
5885
5885
|
logicals: normalizedHello.logicals,
|
|
5886
5886
|
});
|
|
5887
5887
|
const [pathsValid, pathError] = validateHostLogicals(normalizedHello.logicals);
|
|
5888
5888
|
if (!pathsValid) {
|
|
5889
|
-
logger$
|
|
5889
|
+
logger$2.error("logical_validation_failed", {
|
|
5890
5890
|
error: pathError,
|
|
5891
5891
|
logicals: normalizedHello.logicals,
|
|
5892
5892
|
});
|
|
5893
5893
|
throw new Error(`Invalid logical format: ${pathError}`);
|
|
5894
5894
|
}
|
|
5895
|
-
logger$
|
|
5895
|
+
logger$2.debug("logicals_validation_successful");
|
|
5896
5896
|
}
|
|
5897
|
-
logger$
|
|
5897
|
+
logger$2.debug("requesting_node_placement", { systemId });
|
|
5898
5898
|
const placementResult = await this.placementStrategy.place(normalizedHello);
|
|
5899
5899
|
if (!placementResult.accept) {
|
|
5900
|
-
logger$
|
|
5900
|
+
logger$2.error("node_placement_rejected", {
|
|
5901
5901
|
systemId,
|
|
5902
5902
|
reason: placementResult.reason,
|
|
5903
5903
|
});
|
|
5904
5904
|
throw new Error(placementResult.reason || "Node not accepted");
|
|
5905
5905
|
}
|
|
5906
5906
|
const assignedPath = placementResult.assignedPath;
|
|
5907
|
-
logger$
|
|
5907
|
+
logger$2.debug("node_placement_accepted", {
|
|
5908
5908
|
systemId,
|
|
5909
5909
|
assignedPath,
|
|
5910
5910
|
targetPhysicalPath: placementResult.targetPhysicalPath ?? null,
|
|
@@ -5916,7 +5916,7 @@ class AdvancedWelcomeService {
|
|
|
5916
5916
|
const acceptedLogicals = coercePlacementMetadataValue(placementResult.metadata, "acceptedLogicals", "accepted_logicals") ??
|
|
5917
5917
|
normalizedHello.logicals ??
|
|
5918
5918
|
null;
|
|
5919
|
-
logger$
|
|
5919
|
+
logger$2.debug("processing_placement_result_metadata", {
|
|
5920
5920
|
acceptedCapabilities,
|
|
5921
5921
|
acceptedLogicals,
|
|
5922
5922
|
hasPlacementMetadata: placementResult.metadata !== undefined &&
|
|
@@ -5930,7 +5930,7 @@ class AdvancedWelcomeService {
|
|
|
5930
5930
|
normalizedHello.instanceId ||
|
|
5931
5931
|
generateId();
|
|
5932
5932
|
if (placementResult.targetSystemId) {
|
|
5933
|
-
logger$
|
|
5933
|
+
logger$2.debug("issuing_node_attach_token", {
|
|
5934
5934
|
systemId,
|
|
5935
5935
|
assignedPath,
|
|
5936
5936
|
});
|
|
@@ -5942,10 +5942,10 @@ class AdvancedWelcomeService {
|
|
|
5942
5942
|
accepted_logicals: acceptedLogicals,
|
|
5943
5943
|
instance_id: metadataInstanceId,
|
|
5944
5944
|
});
|
|
5945
|
-
logger$
|
|
5946
|
-
logger$
|
|
5945
|
+
logger$2.debug("token_issued_successfully");
|
|
5946
|
+
logger$2.debug("provisioning_transport", { systemId });
|
|
5947
5947
|
const transportInfo = await this.transportProvisioner.provision(placementResult, normalizedHello, fullMetadata, nodeAttachToken);
|
|
5948
|
-
logger$
|
|
5948
|
+
logger$2.debug("transport_provisioned_successfully", {
|
|
5949
5949
|
systemId,
|
|
5950
5950
|
directiveType: transportInfo.connectionGrant &&
|
|
5951
5951
|
typeof transportInfo.connectionGrant === "object"
|
|
@@ -5989,7 +5989,7 @@ class AdvancedWelcomeService {
|
|
|
5989
5989
|
metadata: Object.keys(fullMetadata).length > 0 ? fullMetadata : undefined,
|
|
5990
5990
|
expiresAt: expiry.toISOString(),
|
|
5991
5991
|
};
|
|
5992
|
-
logger$
|
|
5992
|
+
logger$2.debug("hello_frame_processing_completed_successfully", {
|
|
5993
5993
|
systemId,
|
|
5994
5994
|
assignedPath,
|
|
5995
5995
|
acceptedLogicals,
|
|
@@ -7676,7 +7676,7 @@ function encodeBitString(signature) {
|
|
|
7676
7676
|
return result.buffer;
|
|
7677
7677
|
}
|
|
7678
7678
|
|
|
7679
|
-
const logger = getLogger$1("naylence.fame.security.cert.default_certificate_manager");
|
|
7679
|
+
const logger$1 = getLogger$1("naylence.fame.security.cert.default_certificate_manager");
|
|
7680
7680
|
const CONNECTION_GRANTS_CAMEL = "connectionGrants";
|
|
7681
7681
|
const CONNECTION_GRANTS_SNAKE = "connection_grants";
|
|
7682
7682
|
class DefaultCertificateManager {
|
|
@@ -7705,7 +7705,7 @@ class DefaultCertificateManager {
|
|
|
7705
7705
|
this.prepareProviderContext(node);
|
|
7706
7706
|
const requiresCertificate = this.requiresCertificates();
|
|
7707
7707
|
if (requiresCertificate) {
|
|
7708
|
-
logger.debug("node_certificate_required_on_start", {
|
|
7708
|
+
logger$1.debug("node_certificate_required_on_start", {
|
|
7709
7709
|
node_id: node.id,
|
|
7710
7710
|
physical_path: node.physicalPath,
|
|
7711
7711
|
has_parent: node.hasParent,
|
|
@@ -7719,7 +7719,7 @@ class DefaultCertificateManager {
|
|
|
7719
7719
|
const welcomeFrame = this.pendingWelcomeFrame ?? fallbackWelcome;
|
|
7720
7720
|
const success = await this.ensureCertificate(welcomeFrame, this.caServiceUrl ? { caServiceUrl: this.caServiceUrl } : undefined);
|
|
7721
7721
|
if (!success) {
|
|
7722
|
-
logger.warning("node_certificate_unavailable_on_start", {
|
|
7722
|
+
logger$1.warning("node_certificate_unavailable_on_start", {
|
|
7723
7723
|
node_id: node.id,
|
|
7724
7724
|
physical_path: node.physicalPath,
|
|
7725
7725
|
message: "Certificate provisioning was requested but did not complete",
|
|
@@ -7733,7 +7733,7 @@ class DefaultCertificateManager {
|
|
|
7733
7733
|
async onWelcome(welcomeFrame) {
|
|
7734
7734
|
const requiresCertificate = this.requiresCertificates(welcomeFrame);
|
|
7735
7735
|
if (!requiresCertificate) {
|
|
7736
|
-
logger.debug("welcome_does_not_require_certificate", {
|
|
7736
|
+
logger$1.debug("welcome_does_not_require_certificate", {
|
|
7737
7737
|
system_id: welcomeFrame.systemId ?? null,
|
|
7738
7738
|
});
|
|
7739
7739
|
this.pendingWelcomeFrame = null;
|
|
@@ -7744,14 +7744,14 @@ class DefaultCertificateManager {
|
|
|
7744
7744
|
return;
|
|
7745
7745
|
}
|
|
7746
7746
|
if (!this.node) {
|
|
7747
|
-
logger.debug("certificate_provisioning_deferred_until_node_start", {
|
|
7747
|
+
logger$1.debug("certificate_provisioning_deferred_until_node_start", {
|
|
7748
7748
|
system_id: welcomeFrame.systemId ?? null,
|
|
7749
7749
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7750
7750
|
});
|
|
7751
7751
|
return;
|
|
7752
7752
|
}
|
|
7753
7753
|
const nodeId = welcomeFrame.systemId ?? "unknown";
|
|
7754
|
-
logger.warning("certificate_provisioning_not_completed", {
|
|
7754
|
+
logger$1.warning("certificate_provisioning_not_completed", {
|
|
7755
7755
|
node_id: nodeId,
|
|
7756
7756
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7757
7757
|
message: "Continuing without a provisioned certificate (development mode)",
|
|
@@ -7767,13 +7767,13 @@ class DefaultCertificateManager {
|
|
|
7767
7767
|
const cryptoProvider = this.resolveCryptoProvider();
|
|
7768
7768
|
if (!cryptoProvider) {
|
|
7769
7769
|
if (!this.node) {
|
|
7770
|
-
logger.debug("crypto_provider_pending_node_start", {
|
|
7770
|
+
logger$1.debug("crypto_provider_pending_node_start", {
|
|
7771
7771
|
system_id: welcomeFrame.systemId ?? null,
|
|
7772
7772
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7773
7773
|
});
|
|
7774
7774
|
}
|
|
7775
7775
|
else {
|
|
7776
|
-
logger.error("crypto_provider_unavailable_for_certificate", {
|
|
7776
|
+
logger$1.error("crypto_provider_unavailable_for_certificate", {
|
|
7777
7777
|
system_id: welcomeFrame.systemId ?? null,
|
|
7778
7778
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
7779
7779
|
});
|
|
@@ -7792,7 +7792,7 @@ class DefaultCertificateManager {
|
|
|
7792
7792
|
const connectionGrants = readFrameValue(welcomeFrame, CONNECTION_GRANTS_CAMEL, CONNECTION_GRANTS_SNAKE);
|
|
7793
7793
|
const caSignGrant = this.getCaSignGrant(connectionGrants);
|
|
7794
7794
|
if (!caSignGrant) {
|
|
7795
|
-
logger.warning("welcome_frame_missing_ca_sign_grant", {
|
|
7795
|
+
logger$1.warning("welcome_frame_missing_ca_sign_grant", {
|
|
7796
7796
|
system_id: nodeId,
|
|
7797
7797
|
grant_count: Array.isArray(connectionGrants)
|
|
7798
7798
|
? connectionGrants.length
|
|
@@ -7803,7 +7803,7 @@ class DefaultCertificateManager {
|
|
|
7803
7803
|
if (caSignGrant) {
|
|
7804
7804
|
material = await this.requestCertificateFromCa(cryptoProvider, welcomeFrame, caSignGrant, options);
|
|
7805
7805
|
if (!material) {
|
|
7806
|
-
logger.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
7806
|
+
logger$1.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
7807
7807
|
system_id: nodeId,
|
|
7808
7808
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl ?? caSignGrant.url,
|
|
7809
7809
|
});
|
|
@@ -7813,13 +7813,13 @@ class DefaultCertificateManager {
|
|
|
7813
7813
|
material = await this.resolveCertificateMaterialFromInjectedSources(cryptoProvider, nodeId);
|
|
7814
7814
|
}
|
|
7815
7815
|
if (!material) {
|
|
7816
|
-
logger.debug("attempting_certificate_resolution_from_environment", {
|
|
7816
|
+
logger$1.debug("attempting_certificate_resolution_from_environment", {
|
|
7817
7817
|
system_id: nodeId,
|
|
7818
7818
|
});
|
|
7819
7819
|
material = await resolveCertificateMaterialFromEnvironment();
|
|
7820
7820
|
}
|
|
7821
7821
|
if (!material) {
|
|
7822
|
-
logger.warning("certificate_material_not_found", {
|
|
7822
|
+
logger$1.warning("certificate_material_not_found", {
|
|
7823
7823
|
system_id: nodeId,
|
|
7824
7824
|
assigned_path: readFrameString(welcomeFrame, "assignedPath", "assigned_path"),
|
|
7825
7825
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl,
|
|
@@ -7828,7 +7828,7 @@ class DefaultCertificateManager {
|
|
|
7828
7828
|
}
|
|
7829
7829
|
const stored = await this.storeCertificateMaterial(cryptoProvider, material, nodeId);
|
|
7830
7830
|
if (!stored) {
|
|
7831
|
-
logger.warning("certificate_storage_not_supported", {
|
|
7831
|
+
logger$1.warning("certificate_storage_not_supported", {
|
|
7832
7832
|
system_id: nodeId,
|
|
7833
7833
|
});
|
|
7834
7834
|
return false;
|
|
@@ -7837,7 +7837,7 @@ class DefaultCertificateManager {
|
|
|
7837
7837
|
if (!validated) {
|
|
7838
7838
|
return false;
|
|
7839
7839
|
}
|
|
7840
|
-
logger.debug("certificate_material_applied", {
|
|
7840
|
+
logger$1.debug("certificate_material_applied", {
|
|
7841
7841
|
system_id: nodeId,
|
|
7842
7842
|
has_chain: Boolean(material.certificateChainPem),
|
|
7843
7843
|
});
|
|
@@ -7900,12 +7900,12 @@ class DefaultCertificateManager {
|
|
|
7900
7900
|
}
|
|
7901
7901
|
const validated = await this.validateProviderCertificate(provider, nodeId);
|
|
7902
7902
|
if (!validated) {
|
|
7903
|
-
logger.error("existing_certificate_validation_failed", {
|
|
7903
|
+
logger$1.error("existing_certificate_validation_failed", {
|
|
7904
7904
|
node_id: nodeId,
|
|
7905
7905
|
});
|
|
7906
7906
|
return false;
|
|
7907
7907
|
}
|
|
7908
|
-
logger.debug("existing_certificate_validated", {
|
|
7908
|
+
logger$1.debug("existing_certificate_validated", {
|
|
7909
7909
|
node_id: nodeId,
|
|
7910
7910
|
});
|
|
7911
7911
|
return true;
|
|
@@ -7913,7 +7913,7 @@ class DefaultCertificateManager {
|
|
|
7913
7913
|
async resolveCertificateMaterialFromInjectedSources(provider, nodeId) {
|
|
7914
7914
|
const providerMaterial = await this.resolveCertificateMaterialFromProvider(provider, nodeId);
|
|
7915
7915
|
if (providerMaterial) {
|
|
7916
|
-
logger.debug("certificate_material_resolved_from_provider", {
|
|
7916
|
+
logger$1.debug("certificate_material_resolved_from_provider", {
|
|
7917
7917
|
system_id: nodeId,
|
|
7918
7918
|
});
|
|
7919
7919
|
return providerMaterial;
|
|
@@ -7922,14 +7922,14 @@ class DefaultCertificateManager {
|
|
|
7922
7922
|
try {
|
|
7923
7923
|
const material = await this.certificateMaterialResolver();
|
|
7924
7924
|
if (material) {
|
|
7925
|
-
logger.debug("certificate_material_resolved_from_options", {
|
|
7925
|
+
logger$1.debug("certificate_material_resolved_from_options", {
|
|
7926
7926
|
system_id: nodeId,
|
|
7927
7927
|
});
|
|
7928
7928
|
return material;
|
|
7929
7929
|
}
|
|
7930
7930
|
}
|
|
7931
7931
|
catch (error) {
|
|
7932
|
-
logger.debug("certificate_material_option_resolution_failed", {
|
|
7932
|
+
logger$1.debug("certificate_material_option_resolution_failed", {
|
|
7933
7933
|
system_id: nodeId,
|
|
7934
7934
|
error: error instanceof Error ? error.message : String(error),
|
|
7935
7935
|
});
|
|
@@ -7946,7 +7946,7 @@ class DefaultCertificateManager {
|
|
|
7946
7946
|
return normalizeCertificateMaterial(material ?? null);
|
|
7947
7947
|
}
|
|
7948
7948
|
catch (error) {
|
|
7949
|
-
logger.debug("provider_certificate_material_resolution_failed", {
|
|
7949
|
+
logger$1.debug("provider_certificate_material_resolution_failed", {
|
|
7950
7950
|
system_id: nodeId,
|
|
7951
7951
|
error: error instanceof Error ? error.message : String(error),
|
|
7952
7952
|
});
|
|
@@ -7968,7 +7968,7 @@ class DefaultCertificateManager {
|
|
|
7968
7968
|
}
|
|
7969
7969
|
const url = readRecordString(grantRecord, "url", "baseUrl", "base_url");
|
|
7970
7970
|
if (!url) {
|
|
7971
|
-
logger.warning("ca_sign_grant_missing_url", {
|
|
7971
|
+
logger$1.warning("ca_sign_grant_missing_url", {
|
|
7972
7972
|
grant_keys: Object.keys(grantRecord),
|
|
7973
7973
|
});
|
|
7974
7974
|
continue;
|
|
@@ -7987,12 +7987,12 @@ class DefaultCertificateManager {
|
|
|
7987
7987
|
? provider.signatureKeyId
|
|
7988
7988
|
: null);
|
|
7989
7989
|
if (!nodeId) {
|
|
7990
|
-
logger.warning("certificate_request_missing_node_id");
|
|
7990
|
+
logger$1.warning("certificate_request_missing_node_id");
|
|
7991
7991
|
return null;
|
|
7992
7992
|
}
|
|
7993
7993
|
const physicalPath = readFrameString(welcomeFrame, "assignedPath", "assigned_path");
|
|
7994
7994
|
if (!physicalPath) {
|
|
7995
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
7995
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
7996
7996
|
node_id: nodeId,
|
|
7997
7997
|
});
|
|
7998
7998
|
return null;
|
|
@@ -8006,7 +8006,7 @@ class DefaultCertificateManager {
|
|
|
8006
8006
|
}
|
|
8007
8007
|
const caServiceUrl = options?.caServiceUrl ?? this.caServiceUrl ?? grant.url;
|
|
8008
8008
|
if (!caServiceUrl) {
|
|
8009
|
-
logger.error("ca_service_url_unavailable", {
|
|
8009
|
+
logger$1.error("ca_service_url_unavailable", {
|
|
8010
8010
|
node_id: nodeId,
|
|
8011
8011
|
});
|
|
8012
8012
|
return null;
|
|
@@ -8019,7 +8019,7 @@ class DefaultCertificateManager {
|
|
|
8019
8019
|
authStrategy = await this.createAuthStrategyForGrant(grant);
|
|
8020
8020
|
}
|
|
8021
8021
|
catch (error) {
|
|
8022
|
-
logger.error("ca_sign_auth_strategy_creation_failed", {
|
|
8022
|
+
logger$1.error("ca_sign_auth_strategy_creation_failed", {
|
|
8023
8023
|
node_id: nodeId,
|
|
8024
8024
|
error: error instanceof Error ? error.message : String(error),
|
|
8025
8025
|
});
|
|
@@ -8031,7 +8031,7 @@ class DefaultCertificateManager {
|
|
|
8031
8031
|
await authStrategy.apply(client);
|
|
8032
8032
|
}
|
|
8033
8033
|
const [certificatePem, certificateChainPem] = await client.requestCertificate(csrPem, nodeId, physicalPath, logicals);
|
|
8034
|
-
logger.debug("certificate_received_from_ca_service", {
|
|
8034
|
+
logger$1.debug("certificate_received_from_ca_service", {
|
|
8035
8035
|
node_id: nodeId,
|
|
8036
8036
|
has_chain: Boolean(certificateChainPem),
|
|
8037
8037
|
ca_service_url: caServiceUrl,
|
|
@@ -8043,13 +8043,13 @@ class DefaultCertificateManager {
|
|
|
8043
8043
|
}
|
|
8044
8044
|
catch (error) {
|
|
8045
8045
|
if (error instanceof CertificateRequestError) {
|
|
8046
|
-
logger.error("certificate_request_failed", {
|
|
8046
|
+
logger$1.error("certificate_request_failed", {
|
|
8047
8047
|
node_id: nodeId,
|
|
8048
8048
|
error: error.message,
|
|
8049
8049
|
});
|
|
8050
8050
|
}
|
|
8051
8051
|
else {
|
|
8052
|
-
logger.error("certificate_request_unhandled_error", {
|
|
8052
|
+
logger$1.error("certificate_request_unhandled_error", {
|
|
8053
8053
|
node_id: nodeId,
|
|
8054
8054
|
error: error instanceof Error ? error.message : String(error),
|
|
8055
8055
|
});
|
|
@@ -8062,7 +8062,7 @@ class DefaultCertificateManager {
|
|
|
8062
8062
|
await authStrategy.cleanup();
|
|
8063
8063
|
}
|
|
8064
8064
|
catch (cleanupError) {
|
|
8065
|
-
logger.debug("auth_strategy_cleanup_failed", {
|
|
8065
|
+
logger$1.debug("auth_strategy_cleanup_failed", {
|
|
8066
8066
|
error: cleanupError instanceof Error
|
|
8067
8067
|
? cleanupError.message
|
|
8068
8068
|
: String(cleanupError),
|
|
@@ -8085,14 +8085,14 @@ class DefaultCertificateManager {
|
|
|
8085
8085
|
async validateProviderCertificate(provider, nodeId) {
|
|
8086
8086
|
const { pem: trustStorePem, reason } = await this.resolveTrustStorePemValue(provider, nodeId);
|
|
8087
8087
|
if (!trustStorePem) {
|
|
8088
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8088
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8089
8089
|
node_id: nodeId,
|
|
8090
8090
|
reason: reason ?? "trust_store_unavailable",
|
|
8091
8091
|
});
|
|
8092
8092
|
return false;
|
|
8093
8093
|
}
|
|
8094
8094
|
if (typeof provider.nodeJwk !== "function") {
|
|
8095
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8095
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8096
8096
|
node_id: nodeId,
|
|
8097
8097
|
reason: "crypto_provider_lacks_node_jwk",
|
|
8098
8098
|
});
|
|
@@ -8103,7 +8103,7 @@ class DefaultCertificateManager {
|
|
|
8103
8103
|
jwk = provider.nodeJwk() ?? null;
|
|
8104
8104
|
}
|
|
8105
8105
|
catch (error) {
|
|
8106
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8106
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8107
8107
|
node_id: nodeId,
|
|
8108
8108
|
reason: "node_jwk_retrieval_failed",
|
|
8109
8109
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -8111,7 +8111,7 @@ class DefaultCertificateManager {
|
|
|
8111
8111
|
return false;
|
|
8112
8112
|
}
|
|
8113
8113
|
if (!jwk) {
|
|
8114
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8114
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8115
8115
|
node_id: nodeId,
|
|
8116
8116
|
reason: "node_jwk_missing",
|
|
8117
8117
|
});
|
|
@@ -8121,7 +8121,7 @@ class DefaultCertificateManager {
|
|
|
8121
8121
|
if (!Array.isArray(x5c) ||
|
|
8122
8122
|
x5c.length === 0 ||
|
|
8123
8123
|
x5c.some((entry) => typeof entry !== "string")) {
|
|
8124
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8124
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8125
8125
|
node_id: nodeId,
|
|
8126
8126
|
reason: "invalid_certificate_chain",
|
|
8127
8127
|
});
|
|
@@ -8135,19 +8135,19 @@ class DefaultCertificateManager {
|
|
|
8135
8135
|
strict: false,
|
|
8136
8136
|
});
|
|
8137
8137
|
if (!result.isValid) {
|
|
8138
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8138
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8139
8139
|
node_id: nodeId,
|
|
8140
8140
|
reason: result.error ?? "validation_failed",
|
|
8141
8141
|
});
|
|
8142
8142
|
return false;
|
|
8143
8143
|
}
|
|
8144
|
-
logger.debug("certificate_chain_validation_successful", {
|
|
8144
|
+
logger$1.debug("certificate_chain_validation_successful", {
|
|
8145
8145
|
node_id: nodeId,
|
|
8146
8146
|
});
|
|
8147
8147
|
return true;
|
|
8148
8148
|
}
|
|
8149
8149
|
catch (error) {
|
|
8150
|
-
logger.error("trust_anchor_validation_failed", {
|
|
8150
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
8151
8151
|
node_id: nodeId,
|
|
8152
8152
|
reason: "validation_error",
|
|
8153
8153
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -8158,7 +8158,7 @@ class DefaultCertificateManager {
|
|
|
8158
8158
|
async resolveTrustStorePemValue(provider, nodeId) {
|
|
8159
8159
|
const providerPem = await this.resolveTrustStorePemFromProvider(provider, nodeId);
|
|
8160
8160
|
if (providerPem) {
|
|
8161
|
-
logger.debug("trust_store_resolved_from_provider", {
|
|
8161
|
+
logger$1.debug("trust_store_resolved_from_provider", {
|
|
8162
8162
|
node_id: nodeId,
|
|
8163
8163
|
});
|
|
8164
8164
|
return { pem: providerPem };
|
|
@@ -8168,14 +8168,14 @@ class DefaultCertificateManager {
|
|
|
8168
8168
|
const pem = await this.trustStorePemResolver();
|
|
8169
8169
|
const normalized = normalizePemOrNull(pem);
|
|
8170
8170
|
if (normalized) {
|
|
8171
|
-
logger.debug("trust_store_resolved_from_options", {
|
|
8171
|
+
logger$1.debug("trust_store_resolved_from_options", {
|
|
8172
8172
|
node_id: nodeId,
|
|
8173
8173
|
});
|
|
8174
8174
|
return { pem: normalized };
|
|
8175
8175
|
}
|
|
8176
8176
|
}
|
|
8177
8177
|
catch (error) {
|
|
8178
|
-
logger.debug("trust_store_option_resolution_failed", {
|
|
8178
|
+
logger$1.debug("trust_store_option_resolution_failed", {
|
|
8179
8179
|
node_id: nodeId,
|
|
8180
8180
|
error: error instanceof Error ? error.message : String(error),
|
|
8181
8181
|
});
|
|
@@ -8196,7 +8196,7 @@ class DefaultCertificateManager {
|
|
|
8196
8196
|
return normalizePemOrNull(pem);
|
|
8197
8197
|
}
|
|
8198
8198
|
catch (error) {
|
|
8199
|
-
logger.debug("provider_trust_store_resolution_failed", {
|
|
8199
|
+
logger$1.debug("provider_trust_store_resolution_failed", {
|
|
8200
8200
|
node_id: nodeId,
|
|
8201
8201
|
error: error instanceof Error ? error.message : String(error),
|
|
8202
8202
|
});
|
|
@@ -8211,7 +8211,7 @@ class DefaultCertificateManager {
|
|
|
8211
8211
|
stored = true;
|
|
8212
8212
|
}
|
|
8213
8213
|
catch (error) {
|
|
8214
|
-
logger.warning("failed_to_store_certificate", {
|
|
8214
|
+
logger$1.warning("failed_to_store_certificate", {
|
|
8215
8215
|
error: error instanceof Error ? error.message : String(error),
|
|
8216
8216
|
});
|
|
8217
8217
|
}
|
|
@@ -8229,7 +8229,7 @@ class DefaultCertificateManager {
|
|
|
8229
8229
|
stored = true;
|
|
8230
8230
|
}
|
|
8231
8231
|
catch (error) {
|
|
8232
|
-
logger.debug("certificate_persistence_hook_failed", {
|
|
8232
|
+
logger$1.debug("certificate_persistence_hook_failed", {
|
|
8233
8233
|
node_id: nodeId,
|
|
8234
8234
|
error: error instanceof Error ? error.message : String(error),
|
|
8235
8235
|
});
|
|
@@ -8240,7 +8240,7 @@ class DefaultCertificateManager {
|
|
|
8240
8240
|
async buildCertificateSigningRequest(provider, nodeId, physicalPath, logicals) {
|
|
8241
8241
|
const trimmedPath = physicalPath.trim();
|
|
8242
8242
|
if (!trimmedPath) {
|
|
8243
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
8243
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
8244
8244
|
node_id: nodeId,
|
|
8245
8245
|
});
|
|
8246
8246
|
return null;
|
|
@@ -8249,7 +8249,7 @@ class DefaultCertificateManager {
|
|
|
8249
8249
|
const privateKeyPem = pemSource.signingPrivatePem?.trim() ?? "";
|
|
8250
8250
|
const publicKeyPem = pemSource.signingPublicPem?.trim() ?? "";
|
|
8251
8251
|
if (!privateKeyPem || !publicKeyPem) {
|
|
8252
|
-
logger.error("crypto_provider_missing_signing_material", {
|
|
8252
|
+
logger$1.error("crypto_provider_missing_signing_material", {
|
|
8253
8253
|
node_id: nodeId,
|
|
8254
8254
|
has_private: Boolean(privateKeyPem),
|
|
8255
8255
|
has_public: Boolean(publicKeyPem),
|
|
@@ -8267,7 +8267,7 @@ class DefaultCertificateManager {
|
|
|
8267
8267
|
return csrPem;
|
|
8268
8268
|
}
|
|
8269
8269
|
catch (error) {
|
|
8270
|
-
logger.error("csr_generation_failed", {
|
|
8270
|
+
logger$1.error("csr_generation_failed", {
|
|
8271
8271
|
node_id: nodeId,
|
|
8272
8272
|
error: error instanceof Error ? error.message : String(error),
|
|
8273
8273
|
});
|
|
@@ -8351,7 +8351,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
8351
8351
|
return null;
|
|
8352
8352
|
}
|
|
8353
8353
|
if (!isNodeProcess()) {
|
|
8354
|
-
logger.debug("pem_file_unavailable_in_browser", {
|
|
8354
|
+
logger$1.debug("pem_file_unavailable_in_browser", {
|
|
8355
8355
|
env_var: fileVar,
|
|
8356
8356
|
});
|
|
8357
8357
|
return null;
|
|
@@ -8362,7 +8362,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
8362
8362
|
return normalizePemOrNull(content);
|
|
8363
8363
|
}
|
|
8364
8364
|
catch (error) {
|
|
8365
|
-
logger.warning("failed_to_read_certificate_file", {
|
|
8365
|
+
logger$1.warning("failed_to_read_certificate_file", {
|
|
8366
8366
|
file: filePath,
|
|
8367
8367
|
error: error instanceof Error ? error.message : String(error),
|
|
8368
8368
|
});
|
|
@@ -8393,7 +8393,7 @@ function providerHasCertificate(provider) {
|
|
|
8393
8393
|
return Boolean(provider.hasCertificate());
|
|
8394
8394
|
}
|
|
8395
8395
|
catch (error) {
|
|
8396
|
-
logger.debug("has_certificate_check_failed", {
|
|
8396
|
+
logger$1.debug("has_certificate_check_failed", {
|
|
8397
8397
|
error: error instanceof Error ? error.message : String(error),
|
|
8398
8398
|
});
|
|
8399
8399
|
}
|
|
@@ -8403,7 +8403,7 @@ function providerHasCertificate(provider) {
|
|
|
8403
8403
|
return Boolean(provider.nodeCertificatePem());
|
|
8404
8404
|
}
|
|
8405
8405
|
catch (error) {
|
|
8406
|
-
logger.debug("node_certificate_check_failed", {
|
|
8406
|
+
logger$1.debug("node_certificate_check_failed", {
|
|
8407
8407
|
error: error instanceof Error ? error.message : String(error),
|
|
8408
8408
|
});
|
|
8409
8409
|
}
|
|
@@ -8457,7 +8457,7 @@ function normalizeAuthConfig(candidate) {
|
|
|
8457
8457
|
}
|
|
8458
8458
|
const normalized = candidate;
|
|
8459
8459
|
if (!normalized.type || typeof normalized.type !== "string") {
|
|
8460
|
-
logger.warning("auth_strategy_missing_type", {
|
|
8460
|
+
logger$1.warning("auth_strategy_missing_type", {
|
|
8461
8461
|
provided_keys: Object.keys(candidate),
|
|
8462
8462
|
});
|
|
8463
8463
|
return null;
|
|
@@ -8475,7 +8475,7 @@ async function resolveTrustStorePemFromEnvironment() {
|
|
|
8475
8475
|
}
|
|
8476
8476
|
catch (error) {
|
|
8477
8477
|
const message = error instanceof Error ? error.message : String(error);
|
|
8478
|
-
logger.debug("trust_store_provider_resolution_failed", {
|
|
8478
|
+
logger$1.debug("trust_store_provider_resolution_failed", {
|
|
8479
8479
|
error: message,
|
|
8480
8480
|
});
|
|
8481
8481
|
return null;
|
|
@@ -8670,16 +8670,7 @@ function bytesToUtf8$1(data) {
|
|
|
8670
8670
|
|
|
8671
8671
|
const DEFAULT_REFRESH_INTERVAL_MS = 86400000; // 24 hours
|
|
8672
8672
|
const MIN_REFRESH_INTERVAL_MS = 60000; // 1 minute
|
|
8673
|
-
const
|
|
8674
|
-
debug: (...args) => {
|
|
8675
|
-
if (!isProductionEnvironment()) {
|
|
8676
|
-
console.debug("[trust-bundle]", ...args);
|
|
8677
|
-
}
|
|
8678
|
-
},
|
|
8679
|
-
warn: (...args) => {
|
|
8680
|
-
console.warn("[trust-bundle]", ...args);
|
|
8681
|
-
},
|
|
8682
|
-
};
|
|
8673
|
+
const logger = getLogger$1("naylence.fame.security.cert.trust_store.http_bundle_provider");
|
|
8683
8674
|
function isTruthyFlag(value) {
|
|
8684
8675
|
if (typeof value === "boolean") {
|
|
8685
8676
|
return value;
|
|
@@ -8732,7 +8723,7 @@ class HttpBundleProvider {
|
|
|
8732
8723
|
if (!(this.allowInsecureHttp && devMode && isLoopbackHost)) {
|
|
8733
8724
|
throw new Error("Trust bundle URL must use HTTPS (set allowInsecureHttp or FAME_TRUST_BUNDLE_ALLOW_HTTP for dev-only http)");
|
|
8734
8725
|
}
|
|
8735
|
-
|
|
8726
|
+
logger.warning("allowing_insecure_trust_bundle_url", {
|
|
8736
8727
|
url: parsed.toString(),
|
|
8737
8728
|
devMode,
|
|
8738
8729
|
isLoopbackHost,
|
|
@@ -8764,7 +8755,9 @@ class HttpBundleProvider {
|
|
|
8764
8755
|
if (stale || !this.anchors) {
|
|
8765
8756
|
this.inflight = this.fetchLatest()
|
|
8766
8757
|
.catch((error) => {
|
|
8767
|
-
|
|
8758
|
+
logger.warning("trust_bundle_refresh_failed", {
|
|
8759
|
+
error: error instanceof Error ? error.message : String(error),
|
|
8760
|
+
});
|
|
8768
8761
|
if (this.anchors) {
|
|
8769
8762
|
return this.anchors;
|
|
8770
8763
|
}
|
|
@@ -8804,14 +8797,16 @@ class HttpBundleProvider {
|
|
|
8804
8797
|
const cached = await loadCache(this.cacheKey);
|
|
8805
8798
|
if (cached) {
|
|
8806
8799
|
this.applyCachedEntry(cached);
|
|
8807
|
-
|
|
8800
|
+
logger.debug("loaded_trust_bundle_from_cache", {
|
|
8808
8801
|
url: this.url.href,
|
|
8809
8802
|
anchorCount: cached.anchors.length,
|
|
8810
8803
|
});
|
|
8811
8804
|
}
|
|
8812
8805
|
}
|
|
8813
8806
|
catch (error) {
|
|
8814
|
-
|
|
8807
|
+
logger.warning("failed_to_load_cached_trust_bundle", {
|
|
8808
|
+
error: error instanceof Error ? error.message : String(error),
|
|
8809
|
+
});
|
|
8815
8810
|
}
|
|
8816
8811
|
this.initialized = true;
|
|
8817
8812
|
}
|
|
@@ -8897,7 +8892,9 @@ class HttpBundleProvider {
|
|
|
8897
8892
|
callback();
|
|
8898
8893
|
}
|
|
8899
8894
|
catch (error) {
|
|
8900
|
-
|
|
8895
|
+
logger.warning("trust_bundle_listener_failed", {
|
|
8896
|
+
error: error instanceof Error ? error.message : String(error),
|
|
8897
|
+
});
|
|
8901
8898
|
}
|
|
8902
8899
|
}
|
|
8903
8900
|
}
|
|
@@ -9144,7 +9141,9 @@ async function openIndexedDbStore() {
|
|
|
9144
9141
|
});
|
|
9145
9142
|
};
|
|
9146
9143
|
request.onerror = () => {
|
|
9147
|
-
|
|
9144
|
+
logger.warning("indexeddb_unavailable_for_trust_bundle_caching", {
|
|
9145
|
+
error: request.error ? String(request.error) : "unknown",
|
|
9146
|
+
});
|
|
9148
9147
|
resolve(null);
|
|
9149
9148
|
};
|
|
9150
9149
|
});
|