@naylence/advanced-security 0.3.7-test.120 → 0.3.7-test.122
- package/dist/browser/index.cjs +325 -326
- package/dist/browser/index.mjs +325 -326
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/cjs/version.js +2 -2
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/esm/version.js +2 -2
- package/dist/node/index.cjs +325 -326
- package/dist/node/index.mjs +325 -326
- package/dist/node/node.cjs +326 -327
- package/dist/node/node.mjs +326 -327
- package/dist/types/naylence/fame/security/cert/trust-store/http-bundle-provider.d.ts.map +1 -1
- package/dist/types/version.d.ts +1 -1
- package/package.json +8 -8
package/dist/node/node.cjs
|
@@ -20,14 +20,14 @@ var jose = require('jose');
|
|
|
20
20
|
var sha256_js = require('@noble/hashes/sha256.js');
|
|
21
21
|
|
|
22
22
|
// This file is auto-generated during build - do not edit manually
|
|
23
|
-
// Generated from package.json version: 0.3.7-test.
|
|
23
|
+
// Generated from package.json version: 0.3.7-test.122
|
|
24
24
|
/**
|
|
25
25
|
* The package version, injected at build time.
|
|
26
26
|
* @internal
|
|
27
27
|
*/
|
|
28
|
-
const VERSION = '0.3.7-test.
|
|
28
|
+
const VERSION = '0.3.7-test.122';
|
|
29
29
|
|
|
30
|
-
const logger$
|
|
30
|
+
const logger$h = node.getLogger("naylence.fame.security.cert.util");
|
|
31
31
|
const CACHE_LIMIT = 512;
|
|
32
32
|
const OID_ED25519 = "1.3.101.112";
|
|
33
33
|
const textEncoder = new TextEncoder();
|
|
@@ -41,7 +41,7 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
41
41
|
const trustStorePem = normalizeTrustStoreOption(options.trustStorePem ?? null);
|
|
42
42
|
const returnCertificate = options.returnCertificate ?? false;
|
|
43
43
|
const { parsed, chainBytes } = parseCertificateChain(x5c);
|
|
44
|
-
logger$
|
|
44
|
+
logger$h.debug("public_key_from_x5c_called", {
|
|
45
45
|
call_id: callId,
|
|
46
46
|
x5c_count: parsed.length,
|
|
47
47
|
enforce_name_constraints: enforceNameConstraints,
|
|
@@ -53,13 +53,13 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
53
53
|
cacheKey = buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints);
|
|
54
54
|
const cached = getCachedPublicKey(cacheKey);
|
|
55
55
|
if (cached) {
|
|
56
|
-
logger$
|
|
56
|
+
logger$h.debug("certificate_cache_hit", {
|
|
57
57
|
call_id: callId,
|
|
58
58
|
cache_key: cacheKey,
|
|
59
59
|
});
|
|
60
60
|
return cached;
|
|
61
61
|
}
|
|
62
|
-
logger$
|
|
62
|
+
logger$h.debug("certificate_cache_miss", {
|
|
63
63
|
call_id: callId,
|
|
64
64
|
cache_key: cacheKey,
|
|
65
65
|
});
|
|
@@ -230,13 +230,13 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
230
230
|
if (trustedCerts.length === 0) {
|
|
231
231
|
throw new Error("No valid certificates found in trust store");
|
|
232
232
|
}
|
|
233
|
-
logger$
|
|
233
|
+
logger$h.debug("trust_anchor_validation_start", {
|
|
234
234
|
chain_length: chain.length,
|
|
235
235
|
trust_store_cert_count: trustedCerts.length,
|
|
236
236
|
});
|
|
237
237
|
const chainInfo = chain.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
238
238
|
const trustedInfo = trustedCerts.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
239
|
-
logger$
|
|
239
|
+
logger$h.debug("certificate_chain_validation", {
|
|
240
240
|
chain_certificates: chainInfo,
|
|
241
241
|
trust_store_certificates: trustedInfo,
|
|
242
242
|
});
|
|
@@ -246,7 +246,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
246
246
|
const match = trustedCerts.find((trusted) => trusted.serialNumber === cert.serialNumber &&
|
|
247
247
|
namesEqual(trusted.certificate.tbsCertificate.subject, cert.certificate.tbsCertificate.subject));
|
|
248
248
|
if (match) {
|
|
249
|
-
logger$
|
|
249
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
250
250
|
matching_serial: match.serialNumber,
|
|
251
251
|
validation_strategy: `direct_trust_cert_${i}`,
|
|
252
252
|
});
|
|
@@ -259,7 +259,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
259
259
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, leaf.certificate.tbsCertificate.issuer) &&
|
|
260
260
|
trusted.serialNumber !== leaf.serialNumber) {
|
|
261
261
|
verifyCertificateSignature(leaf.certificate, trusted.certificate);
|
|
262
|
-
logger$
|
|
262
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
263
263
|
matching_serial: trusted.serialNumber,
|
|
264
264
|
validation_strategy: "leaf_issuer_trust",
|
|
265
265
|
});
|
|
@@ -273,7 +273,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
273
273
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, intermediate.certificate.tbsCertificate.issuer) &&
|
|
274
274
|
trusted.serialNumber !== intermediate.serialNumber) {
|
|
275
275
|
verifyCertificateSignature(intermediate.certificate, trusted.certificate);
|
|
276
|
-
logger$
|
|
276
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
277
277
|
matching_serial: trusted.serialNumber,
|
|
278
278
|
validation_strategy: `intermediate_issuer_trust_cert_${index}`,
|
|
279
279
|
});
|
|
@@ -281,7 +281,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
281
281
|
}
|
|
282
282
|
}
|
|
283
283
|
}
|
|
284
|
-
logger$
|
|
284
|
+
logger$h.warning("certificate_chain_trust_validation_failed", {
|
|
285
285
|
leaf_subject: leaf.subjectName,
|
|
286
286
|
leaf_issuer: leaf.issuerName,
|
|
287
287
|
leaf_serial: leaf.serialNumber,
|
|
@@ -303,7 +303,7 @@ function parseTrustStore(trustStorePem) {
|
|
|
303
303
|
}
|
|
304
304
|
catch (error) {
|
|
305
305
|
const reason = error instanceof Error ? error.message : String(error);
|
|
306
|
-
logger$
|
|
306
|
+
logger$h.debug("trust_store_certificate_parse_failed", { reason });
|
|
307
307
|
}
|
|
308
308
|
}
|
|
309
309
|
return parsed;
|
|
@@ -323,12 +323,12 @@ function validateChainContinuity(chain) {
|
|
|
323
323
|
if (chain.length <= 1) {
|
|
324
324
|
return;
|
|
325
325
|
}
|
|
326
|
-
logger$
|
|
326
|
+
logger$h.debug("validating_chain_continuity", { chain_length: chain.length });
|
|
327
327
|
for (let index = 0; index < chain.length - 1; index += 1) {
|
|
328
328
|
const cert = chain[index];
|
|
329
329
|
const issuer = chain[index + 1];
|
|
330
330
|
if (!namesEqual(cert.certificate.tbsCertificate.issuer, issuer.certificate.tbsCertificate.subject)) {
|
|
331
|
-
logger$
|
|
331
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
332
332
|
cert_index: index,
|
|
333
333
|
cert_subject: cert.subjectName,
|
|
334
334
|
cert_issuer: cert.issuerName,
|
|
@@ -339,7 +339,7 @@ function validateChainContinuity(chain) {
|
|
|
339
339
|
}
|
|
340
340
|
try {
|
|
341
341
|
verifyCertificateSignature(cert.certificate, issuer.certificate);
|
|
342
|
-
logger$
|
|
342
|
+
logger$h.debug("chain_continuity_verification_success", {
|
|
343
343
|
cert_index: index,
|
|
344
344
|
cert_serial: cert.serialNumber,
|
|
345
345
|
issuer_serial: issuer.serialNumber,
|
|
@@ -347,7 +347,7 @@ function validateChainContinuity(chain) {
|
|
|
347
347
|
}
|
|
348
348
|
catch (error) {
|
|
349
349
|
const reason = error instanceof Error ? error.message : String(error);
|
|
350
|
-
logger$
|
|
350
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
351
351
|
cert_index: index,
|
|
352
352
|
cert_subject: cert.subjectName,
|
|
353
353
|
issuer_subject: issuer.subjectName,
|
|
@@ -359,7 +359,7 @@ function validateChainContinuity(chain) {
|
|
|
359
359
|
throw new Error(`Certificate chain continuity broken: certificate at index ${index} was not signed by certificate at index ${index + 1}: ${reason}`);
|
|
360
360
|
}
|
|
361
361
|
}
|
|
362
|
-
logger$
|
|
362
|
+
logger$h.debug("chain_continuity_validation_passed", {
|
|
363
363
|
chain_length: chain.length,
|
|
364
364
|
});
|
|
365
365
|
}
|
|
@@ -493,7 +493,7 @@ function getCachedPublicKey(cacheKey) {
|
|
|
493
493
|
}
|
|
494
494
|
if (Date.now() > entry.expiresAt) {
|
|
495
495
|
trustCache.delete(cacheKey);
|
|
496
|
-
logger$
|
|
496
|
+
logger$h.debug("certificate_cache_expired", { cache_key: cacheKey });
|
|
497
497
|
return null;
|
|
498
498
|
}
|
|
499
499
|
return entry.value.slice();
|
|
@@ -505,13 +505,13 @@ function setCachedPublicKey(cacheKey, value, notAfter) {
|
|
|
505
505
|
break;
|
|
506
506
|
}
|
|
507
507
|
trustCache.delete(firstKey);
|
|
508
|
-
logger$
|
|
508
|
+
logger$h.debug("certificate_cache_evicted", { cache_key: firstKey });
|
|
509
509
|
}
|
|
510
510
|
trustCache.set(cacheKey, {
|
|
511
511
|
value: value.slice(),
|
|
512
512
|
expiresAt: notAfter.getTime(),
|
|
513
513
|
});
|
|
514
|
-
logger$
|
|
514
|
+
logger$h.debug("certificate_cache_stored", {
|
|
515
515
|
cache_key: cacheKey,
|
|
516
516
|
expires_at: notAfter.toISOString(),
|
|
517
517
|
cache_size: trustCache.size,
|
|
@@ -691,7 +691,7 @@ const NODE_ID_OID = "1.3.6.1.4.1.58530.4";
|
|
|
691
691
|
* Provides async HTTP client to request certificates from the CA signing service.
|
|
692
692
|
*/
|
|
693
693
|
// Simple logger for now - TODO: integrate with runtime logging
|
|
694
|
-
const logger$
|
|
694
|
+
const logger$g = {
|
|
695
695
|
debug: (_event, _meta) => {
|
|
696
696
|
// console.log(`[DEBUG] ${event}`, meta);
|
|
697
697
|
},
|
|
@@ -1140,7 +1140,7 @@ class CAServiceClient {
|
|
|
1140
1140
|
logicals: logicals || [],
|
|
1141
1141
|
};
|
|
1142
1142
|
const url = `${this.connectionGrant.url.replace(/\/$/, "")}/sign`;
|
|
1143
|
-
logger$
|
|
1143
|
+
logger$g.debug("requesting_certificate", {
|
|
1144
1144
|
requester_id: requesterId,
|
|
1145
1145
|
ca_service_url: url,
|
|
1146
1146
|
physical_path: physicalPath,
|
|
@@ -1169,13 +1169,13 @@ class CAServiceClient {
|
|
|
1169
1169
|
const result = await response.json();
|
|
1170
1170
|
const certificatePem = result.certificate_pem;
|
|
1171
1171
|
const certificateChainPem = result.certificate_chain_pem || certificatePem;
|
|
1172
|
-
logger$
|
|
1172
|
+
logger$g.debug("certificate_request_successful", {
|
|
1173
1173
|
requester_id: requesterId,
|
|
1174
1174
|
expires_at: result.expires_at,
|
|
1175
1175
|
});
|
|
1176
1176
|
// Extract and log certificate information with structured logging
|
|
1177
1177
|
const certInfo = extractCertificateInfo(certificatePem);
|
|
1178
|
-
logger$
|
|
1178
|
+
logger$g.debug("certificate_details", {
|
|
1179
1179
|
requester_id: requesterId,
|
|
1180
1180
|
certificate_type: "issued_certificate",
|
|
1181
1181
|
...certInfo,
|
|
@@ -1194,7 +1194,7 @@ class CAServiceClient {
|
|
|
1194
1194
|
// First cert in chain is usually the issued certificate
|
|
1195
1195
|
if (certPemBlock.trim() !== certificatePem.trim()) {
|
|
1196
1196
|
const chainCertInfo = extractCertificateInfo(certPemBlock);
|
|
1197
|
-
logger$
|
|
1197
|
+
logger$g.debug("certificate_chain_details", {
|
|
1198
1198
|
requester_id: requesterId,
|
|
1199
1199
|
certificate_type: "certificate_chain",
|
|
1200
1200
|
chain_index: i,
|
|
@@ -1205,7 +1205,7 @@ class CAServiceClient {
|
|
|
1205
1205
|
else {
|
|
1206
1206
|
// Subsequent certs are intermediate/root CAs
|
|
1207
1207
|
const caCertInfo = extractCertificateInfo(certPemBlock);
|
|
1208
|
-
logger$
|
|
1208
|
+
logger$g.debug("certificate_chain_details", {
|
|
1209
1209
|
requester_id: requesterId,
|
|
1210
1210
|
certificate_type: "ca_certificate",
|
|
1211
1211
|
chain_index: i,
|
|
@@ -1233,7 +1233,7 @@ class CAServiceClient {
|
|
|
1233
1233
|
// Body read failed entirely
|
|
1234
1234
|
errorDetail = `HTTP ${response.status}`;
|
|
1235
1235
|
}
|
|
1236
|
-
logger$
|
|
1236
|
+
logger$g.error("certificate_request_failed", {
|
|
1237
1237
|
requester_id: requesterId,
|
|
1238
1238
|
status_code: response.status,
|
|
1239
1239
|
error: errorDetail,
|
|
@@ -1250,13 +1250,13 @@ class CAServiceClient {
|
|
|
1250
1250
|
throw error;
|
|
1251
1251
|
}
|
|
1252
1252
|
if (error instanceof Error && error.name === "AbortError") {
|
|
1253
|
-
logger$
|
|
1253
|
+
logger$g.error("certificate_request_timeout", {
|
|
1254
1254
|
requester_id: requesterId,
|
|
1255
1255
|
timeout_seconds: this.timeoutSeconds,
|
|
1256
1256
|
});
|
|
1257
1257
|
throw new CertificateRequestError(`Certificate request timed out after ${this.timeoutSeconds} seconds`);
|
|
1258
1258
|
}
|
|
1259
|
-
logger$
|
|
1259
|
+
logger$g.error("certificate_request_network_error", {
|
|
1260
1260
|
requester_id: requesterId,
|
|
1261
1261
|
error: String(error),
|
|
1262
1262
|
});
|
|
@@ -1265,7 +1265,7 @@ class CAServiceClient {
|
|
|
1265
1265
|
}
|
|
1266
1266
|
}
|
|
1267
1267
|
|
|
1268
|
-
const logger$
|
|
1268
|
+
const logger$f = runtime.getLogger("naylence.fame.security.encryption.sealed.x25519_encryption_manager");
|
|
1269
1269
|
class X25519EncryptionManager {
|
|
1270
1270
|
constructor({ keyProvider, nodeLike = null, cryptoProvider = null, }) {
|
|
1271
1271
|
this.pendingEnvelopes = new Map();
|
|
@@ -1282,7 +1282,7 @@ class X25519EncryptionManager {
|
|
|
1282
1282
|
// KeyManagementHandler will queue the envelope and send KeyRequest.
|
|
1283
1283
|
// X25519 should NOT queue here to avoid dual queueing.
|
|
1284
1284
|
if (opts?.requestAddress) {
|
|
1285
|
-
logger$
|
|
1285
|
+
logger$f.debug("key_not_found_delegating_to_key_management", {
|
|
1286
1286
|
envelope_id: envelope.id,
|
|
1287
1287
|
request_address: String(opts.requestAddress),
|
|
1288
1288
|
});
|
|
@@ -1298,7 +1298,7 @@ class X25519EncryptionManager {
|
|
|
1298
1298
|
return await this.encryptWithKey(envelope, recipPub, recipKid);
|
|
1299
1299
|
}
|
|
1300
1300
|
catch (error) {
|
|
1301
|
-
logger$
|
|
1301
|
+
logger$f.error("x25519_encryption_failed", {
|
|
1302
1302
|
error: error instanceof Error ? error.message : String(error),
|
|
1303
1303
|
});
|
|
1304
1304
|
return runtime.EncryptionResult.skipped(envelope);
|
|
@@ -1336,20 +1336,20 @@ class X25519EncryptionManager {
|
|
|
1336
1336
|
return envelope;
|
|
1337
1337
|
}
|
|
1338
1338
|
catch (error) {
|
|
1339
|
-
logger$
|
|
1339
|
+
logger$f.error("x25519_decryption_failed", {
|
|
1340
1340
|
error: error instanceof Error ? error.message : String(error),
|
|
1341
1341
|
});
|
|
1342
1342
|
return envelope;
|
|
1343
1343
|
}
|
|
1344
1344
|
}
|
|
1345
1345
|
async notifyKeyAvailable(keyId) {
|
|
1346
|
-
logger$
|
|
1346
|
+
logger$f.debug("x25519_notify_key_available_called", {
|
|
1347
1347
|
key_id: keyId,
|
|
1348
1348
|
pending_keys: Array.from(this.pendingEnvelopes.keys()),
|
|
1349
1349
|
});
|
|
1350
1350
|
const queued = this.pendingEnvelopes.get(keyId);
|
|
1351
1351
|
if (!queued || queued.length === 0) {
|
|
1352
|
-
logger$
|
|
1352
|
+
logger$f.debug("no_queued_envelopes_for_key", {
|
|
1353
1353
|
key_id: keyId,
|
|
1354
1354
|
has_queue: this.pendingEnvelopes.has(keyId),
|
|
1355
1355
|
queue_length: queued?.length ?? 0,
|
|
@@ -1361,13 +1361,13 @@ class X25519EncryptionManager {
|
|
|
1361
1361
|
this.keyRequestsInProgress.delete(keyId);
|
|
1362
1362
|
const node = this.nodeLike;
|
|
1363
1363
|
if (!node) {
|
|
1364
|
-
logger$
|
|
1364
|
+
logger$f.debug("discarding_queued_envelopes_no_node", {
|
|
1365
1365
|
key_id: keyId,
|
|
1366
1366
|
count: queued.length,
|
|
1367
1367
|
});
|
|
1368
1368
|
return;
|
|
1369
1369
|
}
|
|
1370
|
-
logger$
|
|
1370
|
+
logger$f.debug("replaying_envelopes_for_key", {
|
|
1371
1371
|
key_id: keyId,
|
|
1372
1372
|
count: queued.length,
|
|
1373
1373
|
});
|
|
@@ -1376,7 +1376,7 @@ class X25519EncryptionManager {
|
|
|
1376
1376
|
await node.deliver(envelope);
|
|
1377
1377
|
}
|
|
1378
1378
|
catch (error) {
|
|
1379
|
-
logger$
|
|
1379
|
+
logger$f.error("failed_to_replay_envelope", {
|
|
1380
1380
|
key_id: keyId,
|
|
1381
1381
|
envelope_id: envelope.id,
|
|
1382
1382
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -1477,7 +1477,7 @@ class X25519EncryptionManager {
|
|
|
1477
1477
|
? this.extractPrivateKeyFromRecord(providerRecord)
|
|
1478
1478
|
: null;
|
|
1479
1479
|
if (providerRecordKey) {
|
|
1480
|
-
logger$
|
|
1480
|
+
logger$f.debug("using_provider_key_record_private_key", {
|
|
1481
1481
|
kid,
|
|
1482
1482
|
provider_key_id: providerKeyId,
|
|
1483
1483
|
mismatched_kid: kid && providerKeyId !== kid ? kid : null,
|
|
@@ -1487,7 +1487,7 @@ class X25519EncryptionManager {
|
|
|
1487
1487
|
}
|
|
1488
1488
|
if (!providerPem) {
|
|
1489
1489
|
if (kid && providerKeyId && providerKeyId !== kid) {
|
|
1490
|
-
logger$
|
|
1490
|
+
logger$f.debug("crypto_provider_key_id_mismatch_no_private_key", {
|
|
1491
1491
|
kid,
|
|
1492
1492
|
provider_key_id: providerKeyId,
|
|
1493
1493
|
});
|
|
@@ -1499,13 +1499,13 @@ class X25519EncryptionManager {
|
|
|
1499
1499
|
return null;
|
|
1500
1500
|
}
|
|
1501
1501
|
if (!kid || providerKeyId === kid) {
|
|
1502
|
-
logger$
|
|
1502
|
+
logger$f.debug("using_crypto_provider_private_key_fallback", {
|
|
1503
1503
|
kid: kid ?? null,
|
|
1504
1504
|
provider_key_id: providerKeyId,
|
|
1505
1505
|
});
|
|
1506
1506
|
}
|
|
1507
1507
|
else {
|
|
1508
|
-
logger$
|
|
1508
|
+
logger$f.warning("crypto_provider_key_id_mismatch_using_private_key", {
|
|
1509
1509
|
kid,
|
|
1510
1510
|
provider_key_id: providerKeyId,
|
|
1511
1511
|
key_record_present: Boolean(record),
|
|
@@ -1514,7 +1514,7 @@ class X25519EncryptionManager {
|
|
|
1514
1514
|
return fallbackKey;
|
|
1515
1515
|
}
|
|
1516
1516
|
async queueEnvelopeForKey(envelope, opts, recipientKeyId) {
|
|
1517
|
-
logger$
|
|
1517
|
+
logger$f.debug("queueing_envelope_for_sealed_encryption", {
|
|
1518
1518
|
envelope_id: envelope.id,
|
|
1519
1519
|
recipient_key_id: recipientKeyId,
|
|
1520
1520
|
request_address: opts?.requestAddress
|
|
@@ -1562,7 +1562,7 @@ class X25519EncryptionManager {
|
|
|
1562
1562
|
await node.deliver(keyRequestEnvelope, context);
|
|
1563
1563
|
}
|
|
1564
1564
|
catch (error) {
|
|
1565
|
-
logger$
|
|
1565
|
+
logger$f.error("failed_to_request_recipient_key", {
|
|
1566
1566
|
recipient_key_id: recipientKeyId,
|
|
1567
1567
|
error: error instanceof Error ? error.message : String(error),
|
|
1568
1568
|
});
|
|
@@ -1575,7 +1575,7 @@ class X25519EncryptionManager {
|
|
|
1575
1575
|
return this.extractPublicKeyFromRecord(record);
|
|
1576
1576
|
}
|
|
1577
1577
|
catch (error) {
|
|
1578
|
-
logger$
|
|
1578
|
+
logger$f.debug("recipient_key_lookup_failed", {
|
|
1579
1579
|
kid,
|
|
1580
1580
|
error: error instanceof Error ? error.message : String(error),
|
|
1581
1581
|
});
|
|
@@ -1590,7 +1590,7 @@ class X25519EncryptionManager {
|
|
|
1590
1590
|
return await this.keyProvider.getKey(kid);
|
|
1591
1591
|
}
|
|
1592
1592
|
catch (error) {
|
|
1593
|
-
logger$
|
|
1593
|
+
logger$f.debug("private_key_lookup_failed", {
|
|
1594
1594
|
kid,
|
|
1595
1595
|
error: error instanceof Error ? error.message : String(error),
|
|
1596
1596
|
});
|
|
@@ -1661,7 +1661,7 @@ class X25519EncryptionManager {
|
|
|
1661
1661
|
const base64 = base64Lines.join("");
|
|
1662
1662
|
const der = this.decodeBase64Flexible(base64);
|
|
1663
1663
|
if (!der) {
|
|
1664
|
-
logger$
|
|
1664
|
+
logger$f.debug("pem_decode_failed", {
|
|
1665
1665
|
key_type: keyType,
|
|
1666
1666
|
});
|
|
1667
1667
|
return null;
|
|
@@ -1894,7 +1894,7 @@ var index$1 = /*#__PURE__*/Object.freeze({
|
|
|
1894
1894
|
X25519EncryptionManagerFactory: X25519EncryptionManagerFactory
|
|
1895
1895
|
});
|
|
1896
1896
|
|
|
1897
|
-
const logger$
|
|
1897
|
+
const logger$e = runtime.getLogger("naylence.fame.security.encryption.channel.channel_encryption_manager");
|
|
1898
1898
|
const SUPPORTED_CHANNEL_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
1899
1899
|
const CHANNEL_ENCRYPTION_ALGORITHM = "chacha20-poly1305-channel";
|
|
1900
1900
|
const HANDSHAKE_ALGORITHM = "CHACHA20P1305";
|
|
@@ -2045,13 +2045,13 @@ class ChannelEncryptionManager {
|
|
|
2045
2045
|
const destination = opts?.destination ?? envelope.to ?? null;
|
|
2046
2046
|
const destinationStr = toDestinationString(destination);
|
|
2047
2047
|
if (!destinationStr) {
|
|
2048
|
-
logger$
|
|
2048
|
+
logger$e.warning("no_destination_for_channel_encryption", {
|
|
2049
2049
|
envelope_id: envelope.id,
|
|
2050
2050
|
});
|
|
2051
2051
|
return runtime.EncryptionResult.skipped(envelope);
|
|
2052
2052
|
}
|
|
2053
2053
|
if (!this.secureChannelManager) {
|
|
2054
|
-
logger$
|
|
2054
|
+
logger$e.warning("no_secure_channel_manager_available", {
|
|
2055
2055
|
envelope_id: envelope.id,
|
|
2056
2056
|
});
|
|
2057
2057
|
return runtime.EncryptionResult.skipped(envelope);
|
|
@@ -2062,7 +2062,7 @@ class ChannelEncryptionManager {
|
|
|
2062
2062
|
return this.encryptWithChannel(envelope, existingChannelId);
|
|
2063
2063
|
}
|
|
2064
2064
|
catch (error) {
|
|
2065
|
-
logger$
|
|
2065
|
+
logger$e.error("channel_encryption_failed", {
|
|
2066
2066
|
error: error instanceof Error ? error.message : String(error),
|
|
2067
2067
|
channel_id: existingChannelId,
|
|
2068
2068
|
});
|
|
@@ -2090,35 +2090,35 @@ class ChannelEncryptionManager {
|
|
|
2090
2090
|
}
|
|
2091
2091
|
const channelId = encHeader.kid;
|
|
2092
2092
|
if (!channelId) {
|
|
2093
|
-
logger$
|
|
2093
|
+
logger$e.error("missing_channel_id_in_encryption_header", {
|
|
2094
2094
|
envelope_id: envelope.id,
|
|
2095
2095
|
});
|
|
2096
2096
|
return envelope;
|
|
2097
2097
|
}
|
|
2098
2098
|
const nonce = this.decodeNonceValue(encHeader.val ?? "");
|
|
2099
2099
|
if (!nonce) {
|
|
2100
|
-
logger$
|
|
2100
|
+
logger$e.error("invalid_nonce_in_encryption_header", {
|
|
2101
2101
|
envelope_id: envelope.id,
|
|
2102
2102
|
value_present: Boolean(encHeader.val),
|
|
2103
2103
|
});
|
|
2104
2104
|
return envelope;
|
|
2105
2105
|
}
|
|
2106
2106
|
if (!this.secureChannelManager) {
|
|
2107
|
-
logger$
|
|
2107
|
+
logger$e.warning("no_secure_channel_manager_for_decryption", {
|
|
2108
2108
|
envelope_id: envelope.id,
|
|
2109
2109
|
});
|
|
2110
2110
|
return envelope;
|
|
2111
2111
|
}
|
|
2112
2112
|
const channelState = this.getChannelState(channelId);
|
|
2113
2113
|
if (!channelState) {
|
|
2114
|
-
logger$
|
|
2114
|
+
logger$e.error("channel_not_available_for_decryption", {
|
|
2115
2115
|
channel_id: channelId,
|
|
2116
2116
|
});
|
|
2117
2117
|
return envelope;
|
|
2118
2118
|
}
|
|
2119
2119
|
const ciphertext = this.extractCiphertext(frame.payload);
|
|
2120
2120
|
if (!ciphertext) {
|
|
2121
|
-
logger$
|
|
2121
|
+
logger$e.error("invalid_ciphertext_payload", { envelope_id: envelope.id });
|
|
2122
2122
|
return envelope;
|
|
2123
2123
|
}
|
|
2124
2124
|
try {
|
|
@@ -2143,7 +2143,7 @@ class ChannelEncryptionManager {
|
|
|
2143
2143
|
return envelope;
|
|
2144
2144
|
}
|
|
2145
2145
|
catch (error) {
|
|
2146
|
-
logger$
|
|
2146
|
+
logger$e.error("channel_decryption_failed", {
|
|
2147
2147
|
channel_id: channelId,
|
|
2148
2148
|
error: error instanceof Error ? error.message : String(error),
|
|
2149
2149
|
});
|
|
@@ -2151,24 +2151,24 @@ class ChannelEncryptionManager {
|
|
|
2151
2151
|
}
|
|
2152
2152
|
}
|
|
2153
2153
|
async notifyChannelEstablished(channelId) {
|
|
2154
|
-
logger$
|
|
2154
|
+
logger$e.debug("channel_encryption_manager_notified", {
|
|
2155
2155
|
channel_id: channelId,
|
|
2156
2156
|
manager_type: "channel",
|
|
2157
2157
|
});
|
|
2158
2158
|
if (!channelId.startsWith("auto-")) {
|
|
2159
|
-
logger$
|
|
2159
|
+
logger$e.warning("unexpected_channel_id_format", { channel_id: channelId });
|
|
2160
2160
|
return;
|
|
2161
2161
|
}
|
|
2162
2162
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2163
2163
|
if (!destinationStr) {
|
|
2164
|
-
logger$
|
|
2164
|
+
logger$e.warning("cannot_parse_destination_from_channel_id", {
|
|
2165
2165
|
channel_id: channelId,
|
|
2166
2166
|
});
|
|
2167
2167
|
return;
|
|
2168
2168
|
}
|
|
2169
2169
|
this.handshakeInProgress.delete(destinationStr);
|
|
2170
2170
|
if (!this.pendingEnvelopes.has(destinationStr)) {
|
|
2171
|
-
logger$
|
|
2171
|
+
logger$e.debug("no_pending_queue_for_destination", {
|
|
2172
2172
|
destination: destinationStr,
|
|
2173
2173
|
});
|
|
2174
2174
|
return;
|
|
@@ -2176,7 +2176,7 @@ class ChannelEncryptionManager {
|
|
|
2176
2176
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2177
2177
|
this.pendingEnvelopes.delete(destinationStr);
|
|
2178
2178
|
if (!this.secureChannelManager) {
|
|
2179
|
-
logger$
|
|
2179
|
+
logger$e.error("no_secure_channel_manager_for_queue_drain", {
|
|
2180
2180
|
channel_id: channelId,
|
|
2181
2181
|
});
|
|
2182
2182
|
return;
|
|
@@ -2185,7 +2185,7 @@ class ChannelEncryptionManager {
|
|
|
2185
2185
|
try {
|
|
2186
2186
|
const result = this.encryptWithChannel(envelope, channelId);
|
|
2187
2187
|
if (!result.envelope) {
|
|
2188
|
-
logger$
|
|
2188
|
+
logger$e.warning("failed_to_encrypt_queued_envelope", {
|
|
2189
2189
|
envelope_id: envelope.id,
|
|
2190
2190
|
channel_id: channelId,
|
|
2191
2191
|
});
|
|
@@ -2195,7 +2195,7 @@ class ChannelEncryptionManager {
|
|
|
2195
2195
|
this.runAsyncTask(() => this.deliverEnvelope(encryptedEnvelope), `deliver-queued-${envelope.id}`);
|
|
2196
2196
|
}
|
|
2197
2197
|
catch (error) {
|
|
2198
|
-
logger$
|
|
2198
|
+
logger$e.error("failed_to_encrypt_queued_envelope", {
|
|
2199
2199
|
envelope_id: envelope.id,
|
|
2200
2200
|
error: error instanceof Error ? error.message : String(error),
|
|
2201
2201
|
});
|
|
@@ -2203,19 +2203,19 @@ class ChannelEncryptionManager {
|
|
|
2203
2203
|
}
|
|
2204
2204
|
}
|
|
2205
2205
|
async notifyChannelFailed(channelId, reason = "handshake_failed") {
|
|
2206
|
-
logger$
|
|
2206
|
+
logger$e.debug("channel_encryption_manager_notified_failure", {
|
|
2207
2207
|
channel_id: channelId,
|
|
2208
2208
|
reason,
|
|
2209
2209
|
});
|
|
2210
2210
|
if (!channelId.startsWith("auto-")) {
|
|
2211
|
-
logger$
|
|
2211
|
+
logger$e.warning("unexpected_channel_id_format_on_failure", {
|
|
2212
2212
|
channel_id: channelId,
|
|
2213
2213
|
});
|
|
2214
2214
|
return;
|
|
2215
2215
|
}
|
|
2216
2216
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2217
2217
|
if (!destinationStr) {
|
|
2218
|
-
logger$
|
|
2218
|
+
logger$e.warning("cannot_parse_destination_from_channel_id_on_failure", {
|
|
2219
2219
|
channel_id: channelId,
|
|
2220
2220
|
});
|
|
2221
2221
|
return;
|
|
@@ -2225,14 +2225,14 @@ class ChannelEncryptionManager {
|
|
|
2225
2225
|
const cachedChannelId = this.addrChannelMap.get(destinationStr);
|
|
2226
2226
|
if (cachedChannelId === channelId) {
|
|
2227
2227
|
this.addrChannelMap.delete(destinationStr);
|
|
2228
|
-
logger$
|
|
2228
|
+
logger$e.debug("cleared_channel_cache_for_failed_channel", {
|
|
2229
2229
|
destination: destinationStr,
|
|
2230
2230
|
channel_id: channelId,
|
|
2231
2231
|
});
|
|
2232
2232
|
}
|
|
2233
2233
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr);
|
|
2234
2234
|
if (!queuedEnvelopes || queuedEnvelopes.length === 0) {
|
|
2235
|
-
logger$
|
|
2235
|
+
logger$e.debug("no_pending_queue_for_failed_destination", {
|
|
2236
2236
|
destination: destinationStr,
|
|
2237
2237
|
});
|
|
2238
2238
|
return;
|
|
@@ -2251,7 +2251,7 @@ class ChannelEncryptionManager {
|
|
|
2251
2251
|
const cached = this.addrChannelMap.get(destination);
|
|
2252
2252
|
if (cached) {
|
|
2253
2253
|
this.addrChannelMap.delete(destination);
|
|
2254
|
-
logger$
|
|
2254
|
+
logger$e.debug("cleared_channel_cache_for_destination", {
|
|
2255
2255
|
destination,
|
|
2256
2256
|
cached_channel_id: cached,
|
|
2257
2257
|
});
|
|
@@ -2269,14 +2269,14 @@ class ChannelEncryptionManager {
|
|
|
2269
2269
|
}
|
|
2270
2270
|
const cached = this.addrChannelMap.get(destination);
|
|
2271
2271
|
if (cached && this.getChannelState(cached)) {
|
|
2272
|
-
logger$
|
|
2272
|
+
logger$e.debug("using_cached_channel", { destination, channel_id: cached });
|
|
2273
2273
|
return cached;
|
|
2274
2274
|
}
|
|
2275
2275
|
const channels = this.secureChannelManager.channels;
|
|
2276
2276
|
for (const channelId of Object.keys(channels)) {
|
|
2277
2277
|
if (channelId.startsWith(`auto-${destination}-`)) {
|
|
2278
2278
|
this.addrChannelMap.set(destination, channelId);
|
|
2279
|
-
logger$
|
|
2279
|
+
logger$e.debug("using_existing_channel", {
|
|
2280
2280
|
destination,
|
|
2281
2281
|
channel_id: channelId,
|
|
2282
2282
|
});
|
|
@@ -2289,12 +2289,12 @@ class ChannelEncryptionManager {
|
|
|
2289
2289
|
const queue = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2290
2290
|
queue.push(envelope);
|
|
2291
2291
|
this.pendingEnvelopes.set(destinationStr, queue);
|
|
2292
|
-
logger$
|
|
2292
|
+
logger$e.debug("queued_envelope_for_channel_handshake", {
|
|
2293
2293
|
envelope_id: envelope.id,
|
|
2294
2294
|
destination: destinationStr,
|
|
2295
2295
|
});
|
|
2296
2296
|
if (this.handshakeInProgress.has(destinationStr)) {
|
|
2297
|
-
logger$
|
|
2297
|
+
logger$e.debug("handshake_already_in_progress", {
|
|
2298
2298
|
destination: destinationStr,
|
|
2299
2299
|
});
|
|
2300
2300
|
return;
|
|
@@ -2313,7 +2313,7 @@ class ChannelEncryptionManager {
|
|
|
2313
2313
|
async initiateChannelHandshakeAsync(destination, destinationStr, opts) {
|
|
2314
2314
|
void opts;
|
|
2315
2315
|
if (!this.secureChannelManager) {
|
|
2316
|
-
logger$
|
|
2316
|
+
logger$e.error("no_secure_channel_manager_for_async_handshake_initiation");
|
|
2317
2317
|
return;
|
|
2318
2318
|
}
|
|
2319
2319
|
const channelId = this.generateChannelId(destinationStr);
|
|
@@ -2321,19 +2321,19 @@ class ChannelEncryptionManager {
|
|
|
2321
2321
|
const openFrame = this.secureChannelManager.generateOpenFrame(channelId, HANDSHAKE_ALGORITHM);
|
|
2322
2322
|
const success = await this.sendSecureOpenFrameAsync(openFrame, destination);
|
|
2323
2323
|
if (success) {
|
|
2324
|
-
logger$
|
|
2324
|
+
logger$e.debug("sent_secure_open_frame_async", {
|
|
2325
2325
|
channel_id: channelId,
|
|
2326
2326
|
destination: destinationStr,
|
|
2327
2327
|
});
|
|
2328
2328
|
}
|
|
2329
2329
|
else {
|
|
2330
|
-
logger$
|
|
2330
|
+
logger$e.warning("failed_to_send_secure_open_frame_async", {
|
|
2331
2331
|
channel_id: channelId,
|
|
2332
2332
|
});
|
|
2333
2333
|
}
|
|
2334
2334
|
}
|
|
2335
2335
|
catch (error) {
|
|
2336
|
-
logger$
|
|
2336
|
+
logger$e.error("async_channel_handshake_initiation_failed", {
|
|
2337
2337
|
destination: destinationStr,
|
|
2338
2338
|
error: error instanceof Error ? error.message : String(error),
|
|
2339
2339
|
});
|
|
@@ -2342,22 +2342,22 @@ class ChannelEncryptionManager {
|
|
|
2342
2342
|
async sendSecureOpenFrameAsync(openFrame, destination) {
|
|
2343
2343
|
const node = this.nodeLike;
|
|
2344
2344
|
if (!node) {
|
|
2345
|
-
logger$
|
|
2345
|
+
logger$e.error("no_node_available_for_sending_secure_open_async");
|
|
2346
2346
|
return false;
|
|
2347
2347
|
}
|
|
2348
2348
|
const envelopeFactory = node.envelopeFactory;
|
|
2349
2349
|
if (!envelopeFactory) {
|
|
2350
|
-
logger$
|
|
2350
|
+
logger$e.error("no_envelope_factory_available_for_secure_open_async");
|
|
2351
2351
|
return false;
|
|
2352
2352
|
}
|
|
2353
2353
|
const replyTo = this.buildSystemReplyTo();
|
|
2354
2354
|
if (!replyTo) {
|
|
2355
|
-
logger$
|
|
2355
|
+
logger$e.error("no_physical_path_available_for_reply_to_async");
|
|
2356
2356
|
return false;
|
|
2357
2357
|
}
|
|
2358
2358
|
const toAddress = toFameAddress(destination);
|
|
2359
2359
|
if (!toAddress) {
|
|
2360
|
-
logger$
|
|
2360
|
+
logger$e.error("invalid_destination_for_secure_open", {
|
|
2361
2361
|
destination: String(destination),
|
|
2362
2362
|
});
|
|
2363
2363
|
return false;
|
|
@@ -2369,7 +2369,7 @@ class ChannelEncryptionManager {
|
|
|
2369
2369
|
corrId: core.generateId(),
|
|
2370
2370
|
});
|
|
2371
2371
|
await this.deliverEnvelope(envelope);
|
|
2372
|
-
logger$
|
|
2372
|
+
logger$e.debug("delivered_secure_open_frame_async", {
|
|
2373
2373
|
channel_id: openFrame.cid,
|
|
2374
2374
|
});
|
|
2375
2375
|
return true;
|
|
@@ -2377,7 +2377,7 @@ class ChannelEncryptionManager {
|
|
|
2377
2377
|
async deliverEnvelope(envelope) {
|
|
2378
2378
|
const node = this.nodeLike;
|
|
2379
2379
|
if (!node) {
|
|
2380
|
-
logger$
|
|
2380
|
+
logger$e.error("no_node_available_for_delivery", {
|
|
2381
2381
|
envelope_id: envelope.id,
|
|
2382
2382
|
});
|
|
2383
2383
|
return;
|
|
@@ -2387,19 +2387,19 @@ class ChannelEncryptionManager {
|
|
|
2387
2387
|
}
|
|
2388
2388
|
encryptWithChannel(envelope, channelId) {
|
|
2389
2389
|
if (!this.secureChannelManager) {
|
|
2390
|
-
logger$
|
|
2390
|
+
logger$e.error("no_secure_channel_manager_for_encryption");
|
|
2391
2391
|
return runtime.EncryptionResult.skipped(envelope);
|
|
2392
2392
|
}
|
|
2393
2393
|
const frame = envelope.frame;
|
|
2394
2394
|
if (!this.isDataFrame(frame)) {
|
|
2395
|
-
logger$
|
|
2395
|
+
logger$e.error("attempted_to_encrypt_non_dataframe", {
|
|
2396
2396
|
frame_type: frame.type ?? typeof frame,
|
|
2397
2397
|
});
|
|
2398
2398
|
return runtime.EncryptionResult.skipped(envelope);
|
|
2399
2399
|
}
|
|
2400
2400
|
const channelState = this.getChannelState(channelId);
|
|
2401
2401
|
if (!channelState) {
|
|
2402
|
-
logger$
|
|
2402
|
+
logger$e.error("channel_not_in_channels", { channel_id: channelId });
|
|
2403
2403
|
return runtime.EncryptionResult.skipped(envelope);
|
|
2404
2404
|
}
|
|
2405
2405
|
const payloadBytes = this.serializePayload(frame.payload);
|
|
@@ -2458,7 +2458,7 @@ class ChannelEncryptionManager {
|
|
|
2458
2458
|
return decodeBase64$1(payload);
|
|
2459
2459
|
}
|
|
2460
2460
|
catch (error) {
|
|
2461
|
-
logger$
|
|
2461
|
+
logger$e.error("failed_to_decode_base64_ciphertext", {
|
|
2462
2462
|
error: error instanceof Error ? error.message : String(error),
|
|
2463
2463
|
});
|
|
2464
2464
|
return null;
|
|
@@ -2488,7 +2488,7 @@ class ChannelEncryptionManager {
|
|
|
2488
2488
|
return parts.slice(1, -1).join("-");
|
|
2489
2489
|
}
|
|
2490
2490
|
async handleFailedEnvelope(envelope, destinationStr, channelId, reason) {
|
|
2491
|
-
logger$
|
|
2491
|
+
logger$e.warning("envelope_failed_due_to_channel_handshake_failure", {
|
|
2492
2492
|
envelope_id: envelope.id,
|
|
2493
2493
|
destination: destinationStr,
|
|
2494
2494
|
channel_id: channelId,
|
|
@@ -2496,14 +2496,14 @@ class ChannelEncryptionManager {
|
|
|
2496
2496
|
});
|
|
2497
2497
|
const frame = envelope.frame;
|
|
2498
2498
|
if (!this.isDataFrame(frame)) {
|
|
2499
|
-
logger$
|
|
2499
|
+
logger$e.debug("skipping_nack_for_non_dataframe", {
|
|
2500
2500
|
envelope_id: envelope.id,
|
|
2501
2501
|
frame_type: frame.type ?? typeof frame,
|
|
2502
2502
|
});
|
|
2503
2503
|
return;
|
|
2504
2504
|
}
|
|
2505
2505
|
if (!envelope.replyTo) {
|
|
2506
|
-
logger$
|
|
2506
|
+
logger$e.debug("skipping_nack_no_reply_to", { envelope_id: envelope.id });
|
|
2507
2507
|
return;
|
|
2508
2508
|
}
|
|
2509
2509
|
await this.sendDeliveryNack(envelope, `channel_handshake_failed: ${reason}`);
|
|
@@ -2511,17 +2511,17 @@ class ChannelEncryptionManager {
|
|
|
2511
2511
|
async sendDeliveryNack(envelope, failureReason) {
|
|
2512
2512
|
const node = this.nodeLike;
|
|
2513
2513
|
if (!node) {
|
|
2514
|
-
logger$
|
|
2514
|
+
logger$e.error("no_node_available_for_sending_delivery_nack");
|
|
2515
2515
|
return;
|
|
2516
2516
|
}
|
|
2517
2517
|
const envelopeFactory = node.envelopeFactory;
|
|
2518
2518
|
if (!envelopeFactory) {
|
|
2519
|
-
logger$
|
|
2519
|
+
logger$e.error("no_envelope_factory_available_for_delivery_nack");
|
|
2520
2520
|
return;
|
|
2521
2521
|
}
|
|
2522
2522
|
const replyTo = toFameAddress(envelope.replyTo ?? null);
|
|
2523
2523
|
if (!replyTo) {
|
|
2524
|
-
logger$
|
|
2524
|
+
logger$e.error("invalid_reply_to_for_delivery_nack", {
|
|
2525
2525
|
reply_to: envelope.replyTo,
|
|
2526
2526
|
});
|
|
2527
2527
|
return;
|
|
@@ -2538,7 +2538,7 @@ class ChannelEncryptionManager {
|
|
|
2538
2538
|
corrId: envelope.corrId ?? core.generateId(),
|
|
2539
2539
|
});
|
|
2540
2540
|
await this.deliverEnvelope(nackEnvelope);
|
|
2541
|
-
logger$
|
|
2541
|
+
logger$e.debug("delivered_delivery_nack", {
|
|
2542
2542
|
original_envelope_id: envelope.id,
|
|
2543
2543
|
nack_envelope_id: nackEnvelope.id,
|
|
2544
2544
|
});
|
|
@@ -2576,7 +2576,7 @@ class ChannelEncryptionManager {
|
|
|
2576
2576
|
await task();
|
|
2577
2577
|
}
|
|
2578
2578
|
catch (error) {
|
|
2579
|
-
logger$
|
|
2579
|
+
logger$e.error("async_task_failed", {
|
|
2580
2580
|
task_name: name,
|
|
2581
2581
|
error: error instanceof Error ? error.message : String(error),
|
|
2582
2582
|
});
|
|
@@ -2630,7 +2630,7 @@ class ChannelEncryptionManager {
|
|
|
2630
2630
|
}
|
|
2631
2631
|
}
|
|
2632
2632
|
|
|
2633
|
-
const logger$
|
|
2633
|
+
const logger$d = runtime.getLogger("naylence.fame.security.encryption.channel.channel_encryption_manager_factory");
|
|
2634
2634
|
const DEFAULT_SUPPORTED_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
2635
2635
|
const FACTORY_META$d = {
|
|
2636
2636
|
base: runtime.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE,
|
|
@@ -2662,7 +2662,7 @@ class ChannelEncryptionManagerFactory extends runtime.EncryptionManagerFactory {
|
|
|
2662
2662
|
async create(_config, ...factoryArgs) {
|
|
2663
2663
|
const [dependencies] = factoryArgs;
|
|
2664
2664
|
const resolvedDependencies = this.resolveDependencies(dependencies);
|
|
2665
|
-
logger$
|
|
2665
|
+
logger$d.debug("creating_channel_encryption_manager", {
|
|
2666
2666
|
has_secure_channel_manager: Boolean(resolvedDependencies.secureChannelManager),
|
|
2667
2667
|
has_node_like: Boolean(resolvedDependencies.nodeLike),
|
|
2668
2668
|
has_task_spawner: Boolean(resolvedDependencies.taskSpawner),
|
|
@@ -2724,7 +2724,7 @@ var index = /*#__PURE__*/Object.freeze({
|
|
|
2724
2724
|
ChannelEncryptionManagerFactory: ChannelEncryptionManagerFactory
|
|
2725
2725
|
});
|
|
2726
2726
|
|
|
2727
|
-
const logger$
|
|
2727
|
+
const logger$c = runtime.getLogger("naylence.fame.security.encryption.default_secure_channel_manager");
|
|
2728
2728
|
const DEFAULT_ALGORITHM = "CHACHA20P1305";
|
|
2729
2729
|
const CHANNEL_KEY_LENGTH = 32;
|
|
2730
2730
|
const NONCE_PREFIX_LENGTH = 4;
|
|
@@ -2771,7 +2771,7 @@ class DefaultSecureChannelManager {
|
|
|
2771
2771
|
const privateKey = ed25519_js.x25519.utils.randomSecretKey();
|
|
2772
2772
|
const publicKey = ed25519_js.x25519.scalarMultBase(privateKey);
|
|
2773
2773
|
this.ephemeralKeys.set(channelId, privateKey);
|
|
2774
|
-
logger$
|
|
2774
|
+
logger$c.debug("generated_channel_open", { cid: channelId, algorithm });
|
|
2775
2775
|
return {
|
|
2776
2776
|
type: "SecureOpen",
|
|
2777
2777
|
cid: channelId,
|
|
@@ -2784,7 +2784,7 @@ class DefaultSecureChannelManager {
|
|
|
2784
2784
|
runtime.requireCryptoSupport();
|
|
2785
2785
|
const algorithm = frame.alg || DEFAULT_ALGORITHM;
|
|
2786
2786
|
if (!this.isSupportedAlgorithm(algorithm)) {
|
|
2787
|
-
logger$
|
|
2787
|
+
logger$c.warning("unsupported_channel_algorithm", {
|
|
2788
2788
|
cid: frame.cid,
|
|
2789
2789
|
alg: algorithm,
|
|
2790
2790
|
});
|
|
@@ -2802,7 +2802,7 @@ class DefaultSecureChannelManager {
|
|
|
2802
2802
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2803
2803
|
}
|
|
2804
2804
|
catch (error) {
|
|
2805
|
-
logger$
|
|
2805
|
+
logger$c.warning("invalid_peer_public_key", {
|
|
2806
2806
|
cid: frame.cid,
|
|
2807
2807
|
error: error instanceof Error ? error.message : String(error),
|
|
2808
2808
|
});
|
|
@@ -2824,7 +2824,7 @@ class DefaultSecureChannelManager {
|
|
|
2824
2824
|
algorithm,
|
|
2825
2825
|
});
|
|
2826
2826
|
this.channelsMap.set(frame.cid, channelState);
|
|
2827
|
-
logger$
|
|
2827
|
+
logger$c.debug("channel_established", { cid: frame.cid, algorithm });
|
|
2828
2828
|
myPrivateKey.fill(0);
|
|
2829
2829
|
sharedSecret.fill(0);
|
|
2830
2830
|
return {
|
|
@@ -2838,7 +2838,7 @@ class DefaultSecureChannelManager {
|
|
|
2838
2838
|
async handleAcceptFrame(frame) {
|
|
2839
2839
|
runtime.requireCryptoSupport();
|
|
2840
2840
|
if (frame.ok === false) {
|
|
2841
|
-
logger$
|
|
2841
|
+
logger$c.warning("channel_rejected", {
|
|
2842
2842
|
cid: frame.cid,
|
|
2843
2843
|
error: frame.reason,
|
|
2844
2844
|
});
|
|
@@ -2847,7 +2847,7 @@ class DefaultSecureChannelManager {
|
|
|
2847
2847
|
}
|
|
2848
2848
|
const privateKey = this.ephemeralKeys.get(frame.cid);
|
|
2849
2849
|
if (!privateKey) {
|
|
2850
|
-
logger$
|
|
2850
|
+
logger$c.error("no_ephemeral_key", { cid: frame.cid });
|
|
2851
2851
|
return false;
|
|
2852
2852
|
}
|
|
2853
2853
|
let peerPublicKey;
|
|
@@ -2855,7 +2855,7 @@ class DefaultSecureChannelManager {
|
|
|
2855
2855
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2856
2856
|
}
|
|
2857
2857
|
catch (error) {
|
|
2858
|
-
logger$
|
|
2858
|
+
logger$c.warning("invalid_accept_public_key", {
|
|
2859
2859
|
cid: frame.cid,
|
|
2860
2860
|
error: error instanceof Error ? error.message : String(error),
|
|
2861
2861
|
});
|
|
@@ -2870,17 +2870,17 @@ class DefaultSecureChannelManager {
|
|
|
2870
2870
|
algorithm,
|
|
2871
2871
|
});
|
|
2872
2872
|
this.channelsMap.set(frame.cid, channelState);
|
|
2873
|
-
logger$
|
|
2873
|
+
logger$c.debug("channel_completed", { cid: frame.cid, algorithm });
|
|
2874
2874
|
sharedSecret.fill(0);
|
|
2875
2875
|
this.cleanupEphemeralKey(frame.cid);
|
|
2876
2876
|
return true;
|
|
2877
2877
|
}
|
|
2878
2878
|
handleCloseFrame(frame) {
|
|
2879
2879
|
if (this.channelsMap.delete(frame.cid)) {
|
|
2880
|
-
logger$
|
|
2880
|
+
logger$c.debug("channel_closed", { cid: frame.cid, reason: frame.reason });
|
|
2881
2881
|
}
|
|
2882
2882
|
else {
|
|
2883
|
-
logger$
|
|
2883
|
+
logger$c.warning("close_unknown_channel", { cid: frame.cid });
|
|
2884
2884
|
}
|
|
2885
2885
|
this.cleanupEphemeralKey(frame.cid);
|
|
2886
2886
|
}
|
|
@@ -2907,7 +2907,7 @@ class DefaultSecureChannelManager {
|
|
|
2907
2907
|
}
|
|
2908
2908
|
closeChannel(channelId, reason = "User requested") {
|
|
2909
2909
|
if (this.channelsMap.delete(channelId)) {
|
|
2910
|
-
logger$
|
|
2910
|
+
logger$c.debug("channel_closed_by_user", { cid: channelId, reason });
|
|
2911
2911
|
}
|
|
2912
2912
|
this.cleanupEphemeralKey(channelId);
|
|
2913
2913
|
return {
|
|
@@ -2924,7 +2924,7 @@ class DefaultSecureChannelManager {
|
|
|
2924
2924
|
this.channelsMap.delete(channelId);
|
|
2925
2925
|
this.cleanupEphemeralKey(channelId);
|
|
2926
2926
|
removed += 1;
|
|
2927
|
-
logger$
|
|
2927
|
+
logger$c.debug("channel_expired_cleanup", { cid: channelId });
|
|
2928
2928
|
}
|
|
2929
2929
|
}
|
|
2930
2930
|
return removed;
|
|
@@ -2953,7 +2953,7 @@ class DefaultSecureChannelManager {
|
|
|
2953
2953
|
if (channelId.startsWith(prefix)) {
|
|
2954
2954
|
if (this.removeChannel(channelId)) {
|
|
2955
2955
|
removed += 1;
|
|
2956
|
-
logger$
|
|
2956
|
+
logger$c.debug("removed_channel_for_destination", {
|
|
2957
2957
|
channel_id: channelId,
|
|
2958
2958
|
destination,
|
|
2959
2959
|
});
|
|
@@ -2961,7 +2961,7 @@ class DefaultSecureChannelManager {
|
|
|
2961
2961
|
}
|
|
2962
2962
|
}
|
|
2963
2963
|
if (removed > 0) {
|
|
2964
|
-
logger$
|
|
2964
|
+
logger$c.info("cleanup_channels_for_destination", {
|
|
2965
2965
|
destination,
|
|
2966
2966
|
channels_removed: removed,
|
|
2967
2967
|
});
|
|
@@ -3054,7 +3054,7 @@ var defaultSecureChannelManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
3054
3054
|
default: DefaultSecureChannelManagerFactory
|
|
3055
3055
|
});
|
|
3056
3056
|
|
|
3057
|
-
const logger$
|
|
3057
|
+
const logger$b = runtime.getLogger("naylence.fame.security.encryption.encryption_manager_registry");
|
|
3058
3058
|
class EncryptionManagerFactoryRegistry {
|
|
3059
3059
|
constructor(autoDiscover = true) {
|
|
3060
3060
|
this.factories = [];
|
|
@@ -3076,7 +3076,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3076
3076
|
let registeredCount = 0;
|
|
3077
3077
|
for (const [factoryName, info] of extensionInfos) {
|
|
3078
3078
|
if (factoryName === "CompositeEncryptionManager") {
|
|
3079
|
-
logger$
|
|
3079
|
+
logger$b.debug("skipping_composite_factory_to_avoid_circular_dependency", {
|
|
3080
3080
|
factory_name: factoryName,
|
|
3081
3081
|
});
|
|
3082
3082
|
continue;
|
|
@@ -3086,7 +3086,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3086
3086
|
factory.ExtensionManager.getGlobalFactory(runtime.ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, factoryName));
|
|
3087
3087
|
this.registerFactory(factoryInstance, { autoDiscovered: true });
|
|
3088
3088
|
registeredCount += 1;
|
|
3089
|
-
logger$
|
|
3089
|
+
logger$b.debug("auto_discovered_factory", {
|
|
3090
3090
|
factory_name: factoryName,
|
|
3091
3091
|
factory_class: factoryInstance.constructor.name,
|
|
3092
3092
|
algorithms: factoryInstance.getSupportedAlgorithms(),
|
|
@@ -3095,21 +3095,21 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3095
3095
|
});
|
|
3096
3096
|
}
|
|
3097
3097
|
catch (error) {
|
|
3098
|
-
logger$
|
|
3098
|
+
logger$b.warning("failed_to_auto_register_factory", {
|
|
3099
3099
|
factory_name: factoryName,
|
|
3100
3100
|
error: error instanceof Error ? error.message : String(error),
|
|
3101
3101
|
});
|
|
3102
3102
|
}
|
|
3103
3103
|
}
|
|
3104
3104
|
this.autoDiscovered = true;
|
|
3105
|
-
logger$
|
|
3105
|
+
logger$b.debug("completed_auto_discovery", {
|
|
3106
3106
|
registered_factories: registeredCount,
|
|
3107
3107
|
total_discovered: extensionInfos.size,
|
|
3108
3108
|
skipped_composite: true,
|
|
3109
3109
|
});
|
|
3110
3110
|
}
|
|
3111
3111
|
catch (error) {
|
|
3112
|
-
logger$
|
|
3112
|
+
logger$b.warning("failed_auto_discovery_of_factories", {
|
|
3113
3113
|
error: error instanceof Error ? error.message : String(error),
|
|
3114
3114
|
});
|
|
3115
3115
|
}
|
|
@@ -3127,7 +3127,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3127
3127
|
const existing = this.algorithmToFactory.get(algorithm);
|
|
3128
3128
|
if (!existing || factory.getPriority() > existing.getPriority()) {
|
|
3129
3129
|
this.algorithmToFactory.set(algorithm, factory);
|
|
3130
|
-
logger$
|
|
3130
|
+
logger$b.debug("registered_algorithm_mapping", {
|
|
3131
3131
|
algorithm,
|
|
3132
3132
|
factory: factory.constructor.name,
|
|
3133
3133
|
priority: factory.getPriority(),
|
|
@@ -3139,7 +3139,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3139
3139
|
typeFactories.push(factory);
|
|
3140
3140
|
typeFactories.sort((a, b) => b.getPriority() - a.getPriority());
|
|
3141
3141
|
this.typeToFactories.set(encryptionType, typeFactories);
|
|
3142
|
-
logger$
|
|
3142
|
+
logger$b.debug("registered_encryption_manager_factory", {
|
|
3143
3143
|
factory: factory.constructor.name,
|
|
3144
3144
|
encryption_type: encryptionType,
|
|
3145
3145
|
algorithms: factory.getSupportedAlgorithms(),
|
|
@@ -3155,14 +3155,14 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3155
3155
|
this.ensureAutoDiscovery();
|
|
3156
3156
|
for (const factory of this.factories) {
|
|
3157
3157
|
if (factory.supportsOptions(opts ?? undefined)) {
|
|
3158
|
-
logger$
|
|
3158
|
+
logger$b.debug("found_factory_for_options", {
|
|
3159
3159
|
factory: factory.constructor.name,
|
|
3160
3160
|
encryption_type: factory.getEncryptionType(),
|
|
3161
3161
|
});
|
|
3162
3162
|
return factory;
|
|
3163
3163
|
}
|
|
3164
3164
|
}
|
|
3165
|
-
logger$
|
|
3165
|
+
logger$b.debug("no_factory_found_for_options", { opts });
|
|
3166
3166
|
return undefined;
|
|
3167
3167
|
}
|
|
3168
3168
|
getFactoriesByType(encryptionType) {
|
|
@@ -3218,7 +3218,7 @@ function registerEncryptionManagerFactory(factory) {
|
|
|
3218
3218
|
globalRegistry.registerFactory(factory);
|
|
3219
3219
|
}
|
|
3220
3220
|
|
|
3221
|
-
const logger$
|
|
3221
|
+
const logger$a = runtime.getLogger("naylence.fame.security.encryption.composite_encryption_manager");
|
|
3222
3222
|
const DEFAULT_SEALED_ALGORITHMS = [
|
|
3223
3223
|
"X25519",
|
|
3224
3224
|
"ECDH-ES+A256GCM",
|
|
@@ -3257,7 +3257,7 @@ class CompositeEncryptionManager {
|
|
|
3257
3257
|
return await manager.encryptEnvelope(envelope, opts);
|
|
3258
3258
|
}
|
|
3259
3259
|
catch (error) {
|
|
3260
|
-
logger$
|
|
3260
|
+
logger$a.error("composite_encrypt_failed", {
|
|
3261
3261
|
error: error instanceof Error ? error.message : String(error),
|
|
3262
3262
|
});
|
|
3263
3263
|
return runtime.EncryptionResult.skipped(envelope);
|
|
@@ -3276,7 +3276,7 @@ class CompositeEncryptionManager {
|
|
|
3276
3276
|
return await manager.decryptEnvelope(envelope, opts);
|
|
3277
3277
|
}
|
|
3278
3278
|
catch (error) {
|
|
3279
|
-
logger$
|
|
3279
|
+
logger$a.error("composite_decrypt_failed", {
|
|
3280
3280
|
algorithm,
|
|
3281
3281
|
error: error instanceof Error ? error.message : String(error),
|
|
3282
3282
|
});
|
|
@@ -3288,14 +3288,14 @@ class CompositeEncryptionManager {
|
|
|
3288
3288
|
if (factories.length === 0) {
|
|
3289
3289
|
return;
|
|
3290
3290
|
}
|
|
3291
|
-
logger$
|
|
3291
|
+
logger$a.debug("composite_notify_channel_established", {
|
|
3292
3292
|
channel_id: channelId,
|
|
3293
3293
|
});
|
|
3294
3294
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3295
3295
|
const channelAware = manager;
|
|
3296
3296
|
if (typeof channelAware.notifyChannelEstablished === "function") {
|
|
3297
3297
|
await channelAware.notifyChannelEstablished(channelId);
|
|
3298
|
-
logger$
|
|
3298
|
+
logger$a.debug("composite_channel_established_notified", {
|
|
3299
3299
|
factory: factoryKey,
|
|
3300
3300
|
channel_id: channelId,
|
|
3301
3301
|
});
|
|
@@ -3307,7 +3307,7 @@ class CompositeEncryptionManager {
|
|
|
3307
3307
|
if (factories.length === 0) {
|
|
3308
3308
|
return;
|
|
3309
3309
|
}
|
|
3310
|
-
logger$
|
|
3310
|
+
logger$a.debug("composite_notify_channel_failed", {
|
|
3311
3311
|
channel_id: channelId,
|
|
3312
3312
|
reason,
|
|
3313
3313
|
});
|
|
@@ -3315,7 +3315,7 @@ class CompositeEncryptionManager {
|
|
|
3315
3315
|
const channelAware = manager;
|
|
3316
3316
|
if (typeof channelAware.notifyChannelFailed === "function") {
|
|
3317
3317
|
await channelAware.notifyChannelFailed(channelId, reason);
|
|
3318
|
-
logger$
|
|
3318
|
+
logger$a.debug("composite_channel_failed_notified", {
|
|
3319
3319
|
factory: factoryKey,
|
|
3320
3320
|
channel_id: channelId,
|
|
3321
3321
|
reason,
|
|
@@ -3328,12 +3328,12 @@ class CompositeEncryptionManager {
|
|
|
3328
3328
|
if (factories.length === 0) {
|
|
3329
3329
|
return;
|
|
3330
3330
|
}
|
|
3331
|
-
logger$
|
|
3331
|
+
logger$a.debug("composite_notify_key_available", { key_id: keyId });
|
|
3332
3332
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3333
3333
|
const sealedAware = manager;
|
|
3334
3334
|
if (typeof sealedAware.notifyKeyAvailable === "function") {
|
|
3335
3335
|
await sealedAware.notifyKeyAvailable(keyId);
|
|
3336
|
-
logger$
|
|
3336
|
+
logger$a.debug("composite_key_available_notified", {
|
|
3337
3337
|
factory: factoryKey,
|
|
3338
3338
|
key_id: keyId,
|
|
3339
3339
|
});
|
|
@@ -3374,7 +3374,7 @@ class CompositeEncryptionManager {
|
|
|
3374
3374
|
async getManagerForOptions(opts) {
|
|
3375
3375
|
const factory = this.factoryRegistry.getFactoryForOptions(opts ?? undefined);
|
|
3376
3376
|
if (!factory) {
|
|
3377
|
-
logger$
|
|
3377
|
+
logger$a.debug("composite_no_factory_for_options", { opts });
|
|
3378
3378
|
return null;
|
|
3379
3379
|
}
|
|
3380
3380
|
return await this.getOrCreateManager(factory, "options");
|
|
@@ -3382,7 +3382,7 @@ class CompositeEncryptionManager {
|
|
|
3382
3382
|
async getManagerForAlgorithm(algorithm) {
|
|
3383
3383
|
const factory = this.factoryRegistry.getFactoryForAlgorithm(algorithm);
|
|
3384
3384
|
if (!factory) {
|
|
3385
|
-
logger$
|
|
3385
|
+
logger$a.debug("composite_no_factory_for_algorithm", { algorithm });
|
|
3386
3386
|
return null;
|
|
3387
3387
|
}
|
|
3388
3388
|
return await this.getOrCreateManager(factory, algorithm);
|
|
@@ -3407,7 +3407,7 @@ class CompositeEncryptionManager {
|
|
|
3407
3407
|
const manager = await factory.create(null, dependencies);
|
|
3408
3408
|
this.managerInstances.set(key, manager);
|
|
3409
3409
|
await this.applyNodeContext(manager, key);
|
|
3410
|
-
logger$
|
|
3410
|
+
logger$a.debug("composite_created_manager", {
|
|
3411
3411
|
factory: key,
|
|
3412
3412
|
context,
|
|
3413
3413
|
manager_type: manager.constructor.name,
|
|
@@ -3415,7 +3415,7 @@ class CompositeEncryptionManager {
|
|
|
3415
3415
|
return manager;
|
|
3416
3416
|
}
|
|
3417
3417
|
catch (error) {
|
|
3418
|
-
logger$
|
|
3418
|
+
logger$a.error("composite_create_manager_failed", {
|
|
3419
3419
|
factory: key,
|
|
3420
3420
|
context,
|
|
3421
3421
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3428,7 +3428,7 @@ class CompositeEncryptionManager {
|
|
|
3428
3428
|
const factoryKey = this.resolveFactoryKey(factory);
|
|
3429
3429
|
const manager = this.managerInstances.get(factoryKey);
|
|
3430
3430
|
if (!manager) {
|
|
3431
|
-
logger$
|
|
3431
|
+
logger$a.debug("composite_skip_notification_no_manager", {
|
|
3432
3432
|
factory: factoryKey,
|
|
3433
3433
|
});
|
|
3434
3434
|
continue;
|
|
@@ -3437,7 +3437,7 @@ class CompositeEncryptionManager {
|
|
|
3437
3437
|
await callback(manager, factoryKey);
|
|
3438
3438
|
}
|
|
3439
3439
|
catch (error) {
|
|
3440
|
-
logger$
|
|
3440
|
+
logger$a.error("composite_notify_manager_failed", {
|
|
3441
3441
|
factory: factoryKey,
|
|
3442
3442
|
error: error instanceof Error ? error.message : String(error),
|
|
3443
3443
|
});
|
|
@@ -3453,7 +3453,7 @@ class CompositeEncryptionManager {
|
|
|
3453
3453
|
await callback(manager);
|
|
3454
3454
|
}
|
|
3455
3455
|
catch (error) {
|
|
3456
|
-
logger$
|
|
3456
|
+
logger$a.error("composite_node_event_failed", {
|
|
3457
3457
|
manager: manager.constructor.name,
|
|
3458
3458
|
error: error instanceof Error ? error.message : String(error),
|
|
3459
3459
|
});
|
|
@@ -3470,7 +3470,7 @@ class CompositeEncryptionManager {
|
|
|
3470
3470
|
await manager.onNodeStarted?.(this.nodeLike);
|
|
3471
3471
|
}
|
|
3472
3472
|
catch (error) {
|
|
3473
|
-
logger$
|
|
3473
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3474
3474
|
stage: "onNodeStarted",
|
|
3475
3475
|
factory: factoryKey,
|
|
3476
3476
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3483,7 +3483,7 @@ class CompositeEncryptionManager {
|
|
|
3483
3483
|
await manager.onNodeAttachToUpstream?.(this.nodeLike, this.lastAttachInfo);
|
|
3484
3484
|
}
|
|
3485
3485
|
catch (error) {
|
|
3486
|
-
logger$
|
|
3486
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3487
3487
|
stage: "onNodeAttachToUpstream",
|
|
3488
3488
|
factory: factoryKey,
|
|
3489
3489
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3506,7 +3506,7 @@ class CompositeEncryptionManager {
|
|
|
3506
3506
|
const channelAware = manager;
|
|
3507
3507
|
if (typeof channelAware.clearChannelCacheForDestination === "function") {
|
|
3508
3508
|
channelAware.clearChannelCacheForDestination(destination);
|
|
3509
|
-
logger$
|
|
3509
|
+
logger$a.debug("composite_cleared_channel_cache", {
|
|
3510
3510
|
destination,
|
|
3511
3511
|
factory: factoryKey,
|
|
3512
3512
|
});
|
|
@@ -3526,7 +3526,7 @@ class CompositeEncryptionManager {
|
|
|
3526
3526
|
"function") {
|
|
3527
3527
|
const removed = this.secureChannelManager.removeChannelsForDestination(destination);
|
|
3528
3528
|
if (removed > 0) {
|
|
3529
|
-
logger$
|
|
3529
|
+
logger$a.debug("composite_removed_channels", {
|
|
3530
3530
|
destination,
|
|
3531
3531
|
count: removed,
|
|
3532
3532
|
});
|
|
@@ -3537,7 +3537,7 @@ class CompositeEncryptionManager {
|
|
|
3537
3537
|
}
|
|
3538
3538
|
}
|
|
3539
3539
|
|
|
3540
|
-
const logger$
|
|
3540
|
+
const logger$9 = runtime.getLogger("naylence.fame.security.encryption.composite_encryption_manager_factory");
|
|
3541
3541
|
const DEFAULT_PRIORITY = 1000;
|
|
3542
3542
|
const DEFAULT_ENCRYPTION_TYPE = "composite";
|
|
3543
3543
|
const FACTORY_META$b = {
|
|
@@ -3575,7 +3575,7 @@ class CompositeEncryptionManagerFactory extends runtime.EncryptionManagerFactory
|
|
|
3575
3575
|
const supportedChannelAlgorithms = runtimeConfig?.supportedChannelAlgorithms ??
|
|
3576
3576
|
this.supportedChannelAlgorithms ??
|
|
3577
3577
|
undefined;
|
|
3578
|
-
logger$
|
|
3578
|
+
logger$9.debug("creating_composite_encryption_manager", {
|
|
3579
3579
|
has_secure_channel_manager: Boolean(resolved.secureChannelManager),
|
|
3580
3580
|
has_key_provider: Boolean(resolved.keyProvider),
|
|
3581
3581
|
has_crypto_provider: Boolean(resolved.cryptoProvider),
|
|
@@ -3948,7 +3948,7 @@ var eddsaEnvelopeVerifierFactory = /*#__PURE__*/Object.freeze({
|
|
|
3948
3948
|
default: AdvancedEdDSAEnvelopeVerifierFactory
|
|
3949
3949
|
});
|
|
3950
3950
|
|
|
3951
|
-
const logger$
|
|
3951
|
+
const logger$8 = runtime.getLogger("naylence.fame.security.keys.x5c_key_manager");
|
|
3952
3952
|
let x509ModulePromise$1 = null;
|
|
3953
3953
|
async function loadX509Module$1() {
|
|
3954
3954
|
if (!x509ModulePromise$1) {
|
|
@@ -3960,7 +3960,7 @@ async function loadX509Module$1() {
|
|
|
3960
3960
|
return null;
|
|
3961
3961
|
})
|
|
3962
3962
|
.catch((error) => {
|
|
3963
|
-
logger$
|
|
3963
|
+
logger$8.warning("certificate_module_unavailable", {
|
|
3964
3964
|
error: error instanceof Error ? error.message : String(error),
|
|
3965
3965
|
});
|
|
3966
3966
|
return null;
|
|
@@ -3991,16 +3991,16 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
3991
3991
|
async onNodeStarted(node) {
|
|
3992
3992
|
await this.inner.onNodeStarted(node);
|
|
3993
3993
|
this.startPurgeLoop();
|
|
3994
|
-
logger$
|
|
3994
|
+
logger$8.debug("x5c_key_manager_started", {
|
|
3995
3995
|
cert_purge_interval: this.certPurgeInterval,
|
|
3996
3996
|
});
|
|
3997
3997
|
}
|
|
3998
3998
|
async onNodeStopped(node) {
|
|
3999
|
-
logger$
|
|
3999
|
+
logger$8.debug("x5c_key_manager_stopping");
|
|
4000
4000
|
await this.shutdownTasks({ gracePeriod: 50, joinTimeout: 100 });
|
|
4001
4001
|
this.purgeTask = null;
|
|
4002
4002
|
await this.inner.onNodeStopped(node);
|
|
4003
|
-
logger$
|
|
4003
|
+
logger$8.debug("x5c_key_manager_stopped");
|
|
4004
4004
|
}
|
|
4005
4005
|
async getKey(kid) {
|
|
4006
4006
|
return this.inner.getKey(kid);
|
|
@@ -4037,7 +4037,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4037
4037
|
}
|
|
4038
4038
|
catch (error) {
|
|
4039
4039
|
if (error instanceof runtime.JWKValidationError) {
|
|
4040
|
-
logger$
|
|
4040
|
+
logger$8.warning("rejected_invalid_jwk_in_announce", {
|
|
4041
4041
|
kid: typeof key?.kid === "string" ? key.kid : "unknown",
|
|
4042
4042
|
from_system_id: systemId,
|
|
4043
4043
|
from_physical_path: physicalPath,
|
|
@@ -4050,7 +4050,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4050
4050
|
}
|
|
4051
4051
|
}
|
|
4052
4052
|
if (validKeys.length === 0) {
|
|
4053
|
-
logger$
|
|
4053
|
+
logger$8.warning("no_valid_keys_in_announce", {
|
|
4054
4054
|
from_system_id: systemId,
|
|
4055
4055
|
from_physical_path: physicalPath,
|
|
4056
4056
|
total_keys: keys.length,
|
|
@@ -4058,7 +4058,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4058
4058
|
});
|
|
4059
4059
|
return;
|
|
4060
4060
|
}
|
|
4061
|
-
logger$
|
|
4061
|
+
logger$8.debug("adding_keys", {
|
|
4062
4062
|
key_ids: validKeys.map((key) => typeof key?.kid === "string" ? key.kid : "unknown"),
|
|
4063
4063
|
source_system_id: systemId,
|
|
4064
4064
|
from_physical_path: physicalPath,
|
|
@@ -4069,7 +4069,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4069
4069
|
});
|
|
4070
4070
|
const hasEncryptionKeys = validKeys.some((key) => typeof key?.use === "string" && key.use === "enc");
|
|
4071
4071
|
if (hasEncryptionKeys) {
|
|
4072
|
-
logger$
|
|
4072
|
+
logger$8.debug("checking_for_old_encryption_keys_to_remove", {
|
|
4073
4073
|
physical_path: physicalPath,
|
|
4074
4074
|
origin,
|
|
4075
4075
|
new_enc_keys: validKeys
|
|
@@ -4097,7 +4097,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4097
4097
|
}
|
|
4098
4098
|
}
|
|
4099
4099
|
if (existingEncKeyIds.size > 0) {
|
|
4100
|
-
logger$
|
|
4100
|
+
logger$8.debug("found_existing_encryption_keys_across_paths", {
|
|
4101
4101
|
physical_path: physicalPath,
|
|
4102
4102
|
paths_checked: pathsWithOldKeys,
|
|
4103
4103
|
existing_enc_key_ids: Array.from(existingEncKeyIds),
|
|
@@ -4108,7 +4108,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4108
4108
|
.filter((kid) => kid.length > 0));
|
|
4109
4109
|
const keysToRemove = Array.from(existingEncKeyIds).filter((kid) => !newEncKeyIds.has(kid));
|
|
4110
4110
|
if (keysToRemove.length > 0) {
|
|
4111
|
-
logger$
|
|
4111
|
+
logger$8.info("removing_old_encryption_keys_for_key_rotation", {
|
|
4112
4112
|
physical_path: physicalPath,
|
|
4113
4113
|
paths_with_old_keys: pathsWithOldKeys,
|
|
4114
4114
|
old_key_ids: keysToRemove,
|
|
@@ -4117,7 +4117,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4117
4117
|
});
|
|
4118
4118
|
for (const kid of keysToRemove) {
|
|
4119
4119
|
await this.keyStore.removeKey(kid);
|
|
4120
|
-
logger$
|
|
4120
|
+
logger$8.debug("removed_old_encryption_key_from_all_paths", {
|
|
4121
4121
|
kid,
|
|
4122
4122
|
});
|
|
4123
4123
|
}
|
|
@@ -4125,7 +4125,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4125
4125
|
}
|
|
4126
4126
|
}
|
|
4127
4127
|
catch (error) {
|
|
4128
|
-
logger$
|
|
4128
|
+
logger$8.warning("failed_to_remove_old_encryption_keys", {
|
|
4129
4129
|
physical_path: physicalPath,
|
|
4130
4130
|
error: error instanceof Error ? error.message : String(error),
|
|
4131
4131
|
origin,
|
|
@@ -4159,10 +4159,10 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4159
4159
|
return this.inner.getKeysForPath(physicalPath);
|
|
4160
4160
|
}
|
|
4161
4161
|
async purgeExpiredCertificates() {
|
|
4162
|
-
logger$
|
|
4162
|
+
logger$8.debug("certificate_purge_starting");
|
|
4163
4163
|
const module = await loadX509Module$1();
|
|
4164
4164
|
if (!module) {
|
|
4165
|
-
logger$
|
|
4165
|
+
logger$8.warning("certificate_purge_skipped", {
|
|
4166
4166
|
reason: "x509_module_unavailable",
|
|
4167
4167
|
});
|
|
4168
4168
|
return 0;
|
|
@@ -4185,7 +4185,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4185
4185
|
const cert = new module.X509Certificate(raw);
|
|
4186
4186
|
const expiration = cert.notAfter;
|
|
4187
4187
|
if (expiration && expiration.getTime() < now.getTime()) {
|
|
4188
|
-
logger$
|
|
4188
|
+
logger$8.debug("expired_certificate_found", {
|
|
4189
4189
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4190
4190
|
physical_path: typeof key.physical_path === "string"
|
|
4191
4191
|
? key.physical_path
|
|
@@ -4204,7 +4204,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4204
4204
|
}
|
|
4205
4205
|
}
|
|
4206
4206
|
catch (error) {
|
|
4207
|
-
logger$
|
|
4207
|
+
logger$8.warning("certificate_parsing_failed_during_purge", {
|
|
4208
4208
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4209
4209
|
error: error instanceof Error ? error.message : String(error),
|
|
4210
4210
|
message: "Could not parse certificate for expiry check",
|
|
@@ -4218,20 +4218,20 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4218
4218
|
const removed = await this.keyStore.removeKey(keyInfo.kid);
|
|
4219
4219
|
if (removed) {
|
|
4220
4220
|
purgedCount += 1;
|
|
4221
|
-
logger$
|
|
4221
|
+
logger$8.debug("expired_certificate_purged", {
|
|
4222
4222
|
kid: keyInfo.kid,
|
|
4223
4223
|
physical_path: keyInfo.physicalPath ?? "unknown",
|
|
4224
4224
|
});
|
|
4225
4225
|
}
|
|
4226
4226
|
}
|
|
4227
4227
|
catch (error) {
|
|
4228
|
-
logger$
|
|
4228
|
+
logger$8.error("certificate_purge_failed", {
|
|
4229
4229
|
kid: keyInfo.kid,
|
|
4230
4230
|
error: error instanceof Error ? error.message : String(error),
|
|
4231
4231
|
});
|
|
4232
4232
|
}
|
|
4233
4233
|
}
|
|
4234
|
-
logger$
|
|
4234
|
+
logger$8.debug("certificate_purge_completed", {
|
|
4235
4235
|
purged_count: purgedCount,
|
|
4236
4236
|
});
|
|
4237
4237
|
return purgedCount;
|
|
@@ -4241,7 +4241,7 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4241
4241
|
return;
|
|
4242
4242
|
}
|
|
4243
4243
|
this.purgeTask = this.spawn(async (signal) => {
|
|
4244
|
-
logger$
|
|
4244
|
+
logger$8.debug("certificate_purge_loop_started", {
|
|
4245
4245
|
interval_seconds: this.certPurgeInterval,
|
|
4246
4246
|
});
|
|
4247
4247
|
try {
|
|
@@ -4262,13 +4262,13 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4262
4262
|
try {
|
|
4263
4263
|
const purged = await this.purgeExpiredCertificates();
|
|
4264
4264
|
if (purged > 0) {
|
|
4265
|
-
logger$
|
|
4265
|
+
logger$8.debug("certificate_purge_cycle_completed", {
|
|
4266
4266
|
purged_count: purged,
|
|
4267
4267
|
});
|
|
4268
4268
|
}
|
|
4269
4269
|
}
|
|
4270
4270
|
catch (error) {
|
|
4271
|
-
logger$
|
|
4271
|
+
logger$8.error("certificate_purge_cycle_failed", {
|
|
4272
4272
|
error: error instanceof Error ? error.message : String(error),
|
|
4273
4273
|
});
|
|
4274
4274
|
}
|
|
@@ -4276,16 +4276,16 @@ class X5CKeyManager extends runtime.TaskSpawner {
|
|
|
4276
4276
|
}
|
|
4277
4277
|
catch (error) {
|
|
4278
4278
|
if (signal?.aborted) {
|
|
4279
|
-
logger$
|
|
4279
|
+
logger$8.debug("certificate_purge_loop_cancelled");
|
|
4280
4280
|
}
|
|
4281
4281
|
else {
|
|
4282
|
-
logger$
|
|
4282
|
+
logger$8.error("certificate_purge_loop_failed", {
|
|
4283
4283
|
error: error instanceof Error ? error.message : String(error),
|
|
4284
4284
|
});
|
|
4285
4285
|
}
|
|
4286
4286
|
}
|
|
4287
4287
|
finally {
|
|
4288
|
-
logger$
|
|
4288
|
+
logger$8.debug("certificate_purge_loop_stopped");
|
|
4289
4289
|
}
|
|
4290
4290
|
}, { name: "cert-purge" });
|
|
4291
4291
|
}
|
|
@@ -4302,7 +4302,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4302
4302
|
});
|
|
4303
4303
|
}
|
|
4304
4304
|
catch (error) {
|
|
4305
|
-
logger$
|
|
4305
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4306
4306
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4307
4307
|
from_system_id: systemId,
|
|
4308
4308
|
from_physical_path: physicalPath,
|
|
@@ -4319,7 +4319,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4319
4319
|
if (result.isValid) {
|
|
4320
4320
|
return { accepted: true, skip: false };
|
|
4321
4321
|
}
|
|
4322
|
-
logger$
|
|
4322
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4323
4323
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4324
4324
|
from_system_id: systemId,
|
|
4325
4325
|
from_physical_path: physicalPath,
|
|
@@ -4344,7 +4344,7 @@ function resolveTrustStorePath() {
|
|
|
4344
4344
|
return process.env.FAME_CA_CERT_FILE ?? null;
|
|
4345
4345
|
}
|
|
4346
4346
|
catch (error) {
|
|
4347
|
-
logger$
|
|
4347
|
+
logger$8.debug("trust_store_resolution_failed", {
|
|
4348
4348
|
error: error instanceof Error ? error.message : String(error),
|
|
4349
4349
|
});
|
|
4350
4350
|
return null;
|
|
@@ -4559,7 +4559,7 @@ function utf8Decode(data) {
|
|
|
4559
4559
|
return decodeURIComponent(escape(str));
|
|
4560
4560
|
}
|
|
4561
4561
|
|
|
4562
|
-
const logger$
|
|
4562
|
+
const logger$7 = runtime.getLogger("naylence.fame.stickiness.aft_signer");
|
|
4563
4563
|
class AbstractAFTSigner {
|
|
4564
4564
|
constructor(kid, maxTtlSec = 7200) {
|
|
4565
4565
|
this.kid = kid;
|
|
@@ -4651,7 +4651,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4651
4651
|
return token;
|
|
4652
4652
|
}
|
|
4653
4653
|
catch (error) {
|
|
4654
|
-
logger$
|
|
4654
|
+
logger$7.error("aft_signing_failed", {
|
|
4655
4655
|
kid: this.kid,
|
|
4656
4656
|
algorithm: this.algorithm,
|
|
4657
4657
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4663,7 +4663,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4663
4663
|
if (!this.cryptoKeyPromise) {
|
|
4664
4664
|
this.cryptoKeyPromise = jose.importPKCS8(this.privateKeyPem, this.algorithm).catch((error) => {
|
|
4665
4665
|
this.cryptoKeyPromise = null;
|
|
4666
|
-
logger$
|
|
4666
|
+
logger$7.error("aft_private_key_import_failed", {
|
|
4667
4667
|
kid: this.kid,
|
|
4668
4668
|
algorithm: this.algorithm,
|
|
4669
4669
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4701,7 +4701,7 @@ function createAftSigner(options) {
|
|
|
4701
4701
|
}
|
|
4702
4702
|
}
|
|
4703
4703
|
|
|
4704
|
-
const logger$
|
|
4704
|
+
const logger$6 = runtime.getLogger("naylence.fame.stickiness.aft_helper");
|
|
4705
4705
|
class AFTHelper {
|
|
4706
4706
|
constructor(options) {
|
|
4707
4707
|
this.signer = options.signer;
|
|
@@ -4715,7 +4715,7 @@ class AFTHelper {
|
|
|
4715
4715
|
let clientSid;
|
|
4716
4716
|
if (context?.stickySid) {
|
|
4717
4717
|
clientSid = context.stickySid;
|
|
4718
|
-
logger$
|
|
4718
|
+
logger$6.debug("client_sticky_sid_extracted", { client_sid: clientSid });
|
|
4719
4719
|
}
|
|
4720
4720
|
const signOptions = {
|
|
4721
4721
|
sid: this.nodeSid,
|
|
@@ -4737,7 +4737,7 @@ class AFTHelper {
|
|
|
4737
4737
|
envelope.meta.set = setMeta;
|
|
4738
4738
|
}
|
|
4739
4739
|
setMeta.aft = aftToken;
|
|
4740
|
-
logger$
|
|
4740
|
+
logger$6.debug("aft_instruction_added", {
|
|
4741
4741
|
envelope_id: envelope.id,
|
|
4742
4742
|
ttl_sec: ttlSec,
|
|
4743
4743
|
scope,
|
|
@@ -4746,7 +4746,7 @@ class AFTHelper {
|
|
|
4746
4746
|
return true;
|
|
4747
4747
|
}
|
|
4748
4748
|
catch (error) {
|
|
4749
|
-
logger$
|
|
4749
|
+
logger$6.error("aft_generation_failed", {
|
|
4750
4750
|
envelope_id: envelope.id,
|
|
4751
4751
|
error: error instanceof Error ? error.message : String(error),
|
|
4752
4752
|
});
|
|
@@ -4770,7 +4770,7 @@ function createAftHelper(options) {
|
|
|
4770
4770
|
}
|
|
4771
4771
|
const DEFAULT_STICKINESS_SECURITY_LEVEL = exports.StickinessMode.SIGNED_OPTIONAL;
|
|
4772
4772
|
|
|
4773
|
-
const logger$
|
|
4773
|
+
const logger$5 = runtime.getLogger("naylence.fame.stickiness.aft_verifier");
|
|
4774
4774
|
function decodeToken(token) {
|
|
4775
4775
|
const parts = token.split(".");
|
|
4776
4776
|
if (parts.length !== 3) {
|
|
@@ -4803,7 +4803,7 @@ function decodeToken(token) {
|
|
|
4803
4803
|
return { header, claims };
|
|
4804
4804
|
}
|
|
4805
4805
|
catch (error) {
|
|
4806
|
-
logger$
|
|
4806
|
+
logger$5.debug("aft_decoding_failed", {
|
|
4807
4807
|
error: error instanceof Error ? error.message : String(error),
|
|
4808
4808
|
});
|
|
4809
4809
|
return null;
|
|
@@ -4865,7 +4865,7 @@ class BaseAFTVerifier {
|
|
|
4865
4865
|
signatureValid = await this.verifySignature(token, header, claims);
|
|
4866
4866
|
}
|
|
4867
4867
|
catch (error) {
|
|
4868
|
-
logger$
|
|
4868
|
+
logger$5.debug("aft_signature_verification_failed", {
|
|
4869
4869
|
kid: header.kid,
|
|
4870
4870
|
algorithm: header.alg,
|
|
4871
4871
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4911,7 +4911,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4911
4911
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4912
4912
|
}
|
|
4913
4913
|
catch (error) {
|
|
4914
|
-
logger$
|
|
4914
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4915
4915
|
kid: header.kid,
|
|
4916
4916
|
error: error instanceof Error ? error.message : String(error),
|
|
4917
4917
|
});
|
|
@@ -4926,7 +4926,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4926
4926
|
return protectedHeader.alg === header.alg;
|
|
4927
4927
|
}
|
|
4928
4928
|
catch (error) {
|
|
4929
|
-
logger$
|
|
4929
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4930
4930
|
kid: header.kid,
|
|
4931
4931
|
algorithm: header.alg,
|
|
4932
4932
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4955,7 +4955,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4955
4955
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4956
4956
|
}
|
|
4957
4957
|
catch (error) {
|
|
4958
|
-
logger$
|
|
4958
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4959
4959
|
kid: header.kid,
|
|
4960
4960
|
error: error instanceof Error ? error.message : String(error),
|
|
4961
4961
|
});
|
|
@@ -4970,7 +4970,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4970
4970
|
return protectedHeader.alg === header.alg;
|
|
4971
4971
|
}
|
|
4972
4972
|
catch (error) {
|
|
4973
|
-
logger$
|
|
4973
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4974
4974
|
kid: header.kid,
|
|
4975
4975
|
algorithm: header.alg,
|
|
4976
4976
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -5005,7 +5005,7 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
5005
5005
|
return key;
|
|
5006
5006
|
}
|
|
5007
5007
|
catch (error) {
|
|
5008
|
-
logger$
|
|
5008
|
+
logger$5.debug("aft_jwk_import_failed", {
|
|
5009
5009
|
kid: keyRecord.kid,
|
|
5010
5010
|
algorithm,
|
|
5011
5011
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -5026,14 +5026,14 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
5026
5026
|
return key;
|
|
5027
5027
|
}
|
|
5028
5028
|
catch (error) {
|
|
5029
|
-
logger$
|
|
5029
|
+
logger$5.debug("aft_spki_import_failed", {
|
|
5030
5030
|
kid: keyRecord.kid,
|
|
5031
5031
|
algorithm,
|
|
5032
5032
|
error: error instanceof Error ? error.message : String(error),
|
|
5033
5033
|
});
|
|
5034
5034
|
}
|
|
5035
5035
|
}
|
|
5036
|
-
logger$
|
|
5036
|
+
logger$5.debug("aft_verification_key_unavailable", {
|
|
5037
5037
|
kid: keyRecord.kid,
|
|
5038
5038
|
algorithm,
|
|
5039
5039
|
});
|
|
@@ -5056,7 +5056,7 @@ function createAftVerifier(options) {
|
|
|
5056
5056
|
}
|
|
5057
5057
|
}
|
|
5058
5058
|
|
|
5059
|
-
const logger$
|
|
5059
|
+
const logger$4 = runtime.getLogger("naylence.fame.stickiness.aft_load_balancer_stickiness_manager");
|
|
5060
5060
|
class AFTAssociation {
|
|
5061
5061
|
constructor(params) {
|
|
5062
5062
|
this.replicaId = params.replicaId;
|
|
@@ -5095,7 +5095,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5095
5095
|
};
|
|
5096
5096
|
this.config = config;
|
|
5097
5097
|
this.verifier = verifier;
|
|
5098
|
-
logger$
|
|
5098
|
+
logger$4.debug("stickiness_manager_initialized", {
|
|
5099
5099
|
enabled: this.config.enabled,
|
|
5100
5100
|
security_level: this.config.securityLevel,
|
|
5101
5101
|
verifier_type: verifier.constructor.name,
|
|
@@ -5113,14 +5113,14 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5113
5113
|
negotiate(stickiness) {
|
|
5114
5114
|
if (!stickiness) {
|
|
5115
5115
|
if (this.config.enabled) {
|
|
5116
|
-
logger$
|
|
5116
|
+
logger$4.debug("stickiness_negotiated_no_offer_attr_fallback");
|
|
5117
5117
|
return { enabled: true, mode: "attr", version: 1 };
|
|
5118
5118
|
}
|
|
5119
5119
|
return null;
|
|
5120
5120
|
}
|
|
5121
5121
|
const version = stickiness.version ?? 1;
|
|
5122
5122
|
if (!this.config.enabled) {
|
|
5123
|
-
logger$
|
|
5123
|
+
logger$4.debug("stickiness_negotiation_disabled_by_config");
|
|
5124
5124
|
return { enabled: false, version };
|
|
5125
5125
|
}
|
|
5126
5126
|
const childModes = new Set();
|
|
@@ -5141,32 +5141,32 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5141
5141
|
ttlSec: ttl,
|
|
5142
5142
|
version,
|
|
5143
5143
|
};
|
|
5144
|
-
logger$
|
|
5144
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode, ttl });
|
|
5145
5145
|
return policy;
|
|
5146
5146
|
}
|
|
5147
5147
|
if (childModes.has("attr")) {
|
|
5148
5148
|
const policy = { enabled: true, mode: "attr", version };
|
|
5149
|
-
logger$
|
|
5149
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode });
|
|
5150
5150
|
return policy;
|
|
5151
5151
|
}
|
|
5152
|
-
logger$
|
|
5152
|
+
logger$4.debug("stickiness_negotiation_no_common_mode");
|
|
5153
5153
|
return { enabled: false, version };
|
|
5154
5154
|
}
|
|
5155
5155
|
async handleOutboundEnvelope(envelope, replicaId) {
|
|
5156
5156
|
if (!this.config.enabled) {
|
|
5157
|
-
logger$
|
|
5157
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5158
5158
|
return null;
|
|
5159
5159
|
}
|
|
5160
5160
|
const aftToken = extractAftInstruction(envelope);
|
|
5161
5161
|
if (!aftToken) {
|
|
5162
|
-
logger$
|
|
5162
|
+
logger$4.debug("no_aft_instruction", {
|
|
5163
5163
|
envelope_id: envelope.id,
|
|
5164
5164
|
has_meta: Boolean(envelope.meta),
|
|
5165
5165
|
});
|
|
5166
5166
|
return null;
|
|
5167
5167
|
}
|
|
5168
5168
|
if (typeof aftToken !== "string") {
|
|
5169
|
-
logger$
|
|
5169
|
+
logger$4.warning("invalid_aft_instruction", {
|
|
5170
5170
|
envelope_id: envelope.id,
|
|
5171
5171
|
replica_id: replicaId,
|
|
5172
5172
|
reason: "set.aft value is not a string",
|
|
@@ -5176,7 +5176,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5176
5176
|
const verification = await this.verifier.verify(aftToken, envelope.sid ?? undefined);
|
|
5177
5177
|
if (!verification.valid) {
|
|
5178
5178
|
this.metrics.verifyFailures += 1;
|
|
5179
|
-
logger$
|
|
5179
|
+
logger$4.warning("aft_verification_failed", {
|
|
5180
5180
|
envelope_id: envelope.id,
|
|
5181
5181
|
replica_id: replicaId,
|
|
5182
5182
|
error: verification.error,
|
|
@@ -5194,14 +5194,14 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5194
5194
|
});
|
|
5195
5195
|
if (verification.clientSid) {
|
|
5196
5196
|
this.sidCache.set(verification.clientSid, replicaId);
|
|
5197
|
-
logger$
|
|
5197
|
+
logger$4.debug("sid_cache_updated", {
|
|
5198
5198
|
envelope_id: envelope.id,
|
|
5199
5199
|
client_sid: verification.clientSid,
|
|
5200
5200
|
replica_id: replicaId,
|
|
5201
5201
|
});
|
|
5202
5202
|
}
|
|
5203
5203
|
this.metrics.associationsCreated += 1;
|
|
5204
|
-
logger$
|
|
5204
|
+
logger$4.debug("aft_association_created", {
|
|
5205
5205
|
envelope_id: envelope.id,
|
|
5206
5206
|
replica_id: replicaId,
|
|
5207
5207
|
sid: verification.sid,
|
|
@@ -5213,14 +5213,14 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5213
5213
|
}
|
|
5214
5214
|
getStickyReplicaSegment(envelope, segments) {
|
|
5215
5215
|
if (!this.config.enabled) {
|
|
5216
|
-
logger$
|
|
5216
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5217
5217
|
return null;
|
|
5218
5218
|
}
|
|
5219
5219
|
if (envelope.aft) {
|
|
5220
5220
|
const replicaId = this.routeByAft(envelope.aft, envelope);
|
|
5221
5221
|
if (replicaId) {
|
|
5222
5222
|
this.metrics.cacheHits += 1;
|
|
5223
|
-
logger$
|
|
5223
|
+
logger$4.debug("aft_routed_envelope", {
|
|
5224
5224
|
envelope_id: envelope.id,
|
|
5225
5225
|
replica_id: replicaId,
|
|
5226
5226
|
routing_type: "aft_direct",
|
|
@@ -5233,7 +5233,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5233
5233
|
if (cachedReplica) {
|
|
5234
5234
|
if (this.config.securityLevel === exports.StickinessMode.SID_ONLY) {
|
|
5235
5235
|
this.metrics.cacheHits += 1;
|
|
5236
|
-
logger$
|
|
5236
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5237
5237
|
envelope_id: envelope.id,
|
|
5238
5238
|
replica_id: cachedReplica,
|
|
5239
5239
|
sid: envelope.sid,
|
|
@@ -5246,7 +5246,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5246
5246
|
!association.isExpired()) {
|
|
5247
5247
|
envelope.aft = token;
|
|
5248
5248
|
this.metrics.cacheHits += 1;
|
|
5249
|
-
logger$
|
|
5249
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5250
5250
|
envelope_id: envelope.id,
|
|
5251
5251
|
replica_id: cachedReplica,
|
|
5252
5252
|
sid: envelope.sid,
|
|
@@ -5256,7 +5256,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5256
5256
|
}
|
|
5257
5257
|
}
|
|
5258
5258
|
this.metrics.cacheHits += 1;
|
|
5259
|
-
logger$
|
|
5259
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5260
5260
|
envelope_id: envelope.id,
|
|
5261
5261
|
replica_id: cachedReplica,
|
|
5262
5262
|
sid: envelope.sid,
|
|
@@ -5264,7 +5264,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5264
5264
|
});
|
|
5265
5265
|
return cachedReplica;
|
|
5266
5266
|
}
|
|
5267
|
-
logger$
|
|
5267
|
+
logger$4.debug("no_cached_replica_for_sid", {
|
|
5268
5268
|
envelope_id: envelope.id,
|
|
5269
5269
|
sid: envelope.sid,
|
|
5270
5270
|
});
|
|
@@ -5273,7 +5273,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5273
5273
|
const index = computeDeterministicIndex(envelope.sid, segments.length);
|
|
5274
5274
|
const chosen = segments[index];
|
|
5275
5275
|
this.metrics.cacheHits += 1;
|
|
5276
|
-
logger$
|
|
5276
|
+
logger$4.debug("sid_based_deterministic_choice", {
|
|
5277
5277
|
envelope_id: envelope.id,
|
|
5278
5278
|
sid: envelope.sid,
|
|
5279
5279
|
chosen,
|
|
@@ -5282,7 +5282,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5282
5282
|
return chosen;
|
|
5283
5283
|
}
|
|
5284
5284
|
this.metrics.cacheMisses += 1;
|
|
5285
|
-
logger$
|
|
5285
|
+
logger$4.debug("no_stickiness_routing", {
|
|
5286
5286
|
envelope_id: envelope.id,
|
|
5287
5287
|
has_aft: Boolean(envelope.aft),
|
|
5288
5288
|
has_sid: Boolean(envelope.sid),
|
|
@@ -5302,7 +5302,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5302
5302
|
}
|
|
5303
5303
|
if (expiredTokens.length > 0) {
|
|
5304
5304
|
this.metrics.associationsExpired += expiredTokens.length;
|
|
5305
|
-
logger$
|
|
5305
|
+
logger$4.debug("cleaned_expired_associations", {
|
|
5306
5306
|
count: expiredTokens.length,
|
|
5307
5307
|
});
|
|
5308
5308
|
}
|
|
@@ -5318,7 +5318,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5318
5318
|
this.removeAssociation(token);
|
|
5319
5319
|
}
|
|
5320
5320
|
if (tokensToRemove.length > 0) {
|
|
5321
|
-
logger$
|
|
5321
|
+
logger$4.debug("removed_associations_for_departed_replica", {
|
|
5322
5322
|
replica_id: replicaId,
|
|
5323
5323
|
count: tokensToRemove.length,
|
|
5324
5324
|
});
|
|
@@ -5326,7 +5326,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5326
5326
|
}
|
|
5327
5327
|
handleReplicaLeft(replicaId) {
|
|
5328
5328
|
this.replicaLeft(replicaId);
|
|
5329
|
-
logger$
|
|
5329
|
+
logger$4.debug("stickiness_replica_cleanup", { replica_id: replicaId });
|
|
5330
5330
|
}
|
|
5331
5331
|
getMetrics() {
|
|
5332
5332
|
return {
|
|
@@ -5359,7 +5359,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5359
5359
|
const misses = this.metrics.cacheMisses;
|
|
5360
5360
|
const total = hits + misses;
|
|
5361
5361
|
const hitRate = total > 0 ? Math.round((hits / total) * 10000) / 100 : 0;
|
|
5362
|
-
logger$
|
|
5362
|
+
logger$4.info("stickiness_metrics_report", {
|
|
5363
5363
|
enabled: this.config.enabled,
|
|
5364
5364
|
security_level: this.config.securityLevel,
|
|
5365
5365
|
cache_hits: hits,
|
|
@@ -5373,7 +5373,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5373
5373
|
});
|
|
5374
5374
|
}
|
|
5375
5375
|
async onDeliver(_node, envelope, context) {
|
|
5376
|
-
logger$
|
|
5376
|
+
logger$4.debug("stickiness_manager_on_deliver", {
|
|
5377
5377
|
envelope_id: envelope.id,
|
|
5378
5378
|
origin_type: context?.originType ?? "unknown",
|
|
5379
5379
|
from_system_id: context?.fromSystemId ?? null,
|
|
@@ -5381,7 +5381,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5381
5381
|
if (context?.originType === core.DeliveryOriginType.DOWNSTREAM) {
|
|
5382
5382
|
const sourceRoute = context.fromSystemId;
|
|
5383
5383
|
if (sourceRoute) {
|
|
5384
|
-
logger$
|
|
5384
|
+
logger$4.debug("processing_downstream_envelope", {
|
|
5385
5385
|
envelope_id: envelope.id,
|
|
5386
5386
|
source_route: sourceRoute,
|
|
5387
5387
|
});
|
|
@@ -5389,7 +5389,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5389
5389
|
envelope.sid &&
|
|
5390
5390
|
!this.sidCache.has(envelope.sid)) {
|
|
5391
5391
|
this.sidCache.set(envelope.sid, sourceRoute);
|
|
5392
|
-
logger$
|
|
5392
|
+
logger$4.debug("sid_only_association_recorded", {
|
|
5393
5393
|
envelope_id: envelope.id,
|
|
5394
5394
|
sid: envelope.sid,
|
|
5395
5395
|
replica_id: sourceRoute,
|
|
@@ -5398,27 +5398,27 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5398
5398
|
const hadInstruction = Boolean(extractAftInstruction(envelope));
|
|
5399
5399
|
const token = await this.handleOutboundEnvelope(envelope, sourceRoute);
|
|
5400
5400
|
if (hadInstruction) {
|
|
5401
|
-
logger$
|
|
5401
|
+
logger$4.debug("processed_aft_setter_instruction", {
|
|
5402
5402
|
envelope_id: envelope.id,
|
|
5403
5403
|
source_route: sourceRoute,
|
|
5404
5404
|
client_echo: Boolean(token),
|
|
5405
5405
|
});
|
|
5406
5406
|
}
|
|
5407
5407
|
else {
|
|
5408
|
-
logger$
|
|
5408
|
+
logger$4.debug("no_aft_setter_instruction", {
|
|
5409
5409
|
envelope_id: envelope.id,
|
|
5410
5410
|
source_route: sourceRoute,
|
|
5411
5411
|
});
|
|
5412
5412
|
}
|
|
5413
5413
|
}
|
|
5414
5414
|
else {
|
|
5415
|
-
logger$
|
|
5415
|
+
logger$4.debug("downstream_envelope_without_source_route", {
|
|
5416
5416
|
envelope_id: envelope.id,
|
|
5417
5417
|
});
|
|
5418
5418
|
}
|
|
5419
5419
|
}
|
|
5420
5420
|
else {
|
|
5421
|
-
logger$
|
|
5421
|
+
logger$4.debug("envelope_not_from_downstream", {
|
|
5422
5422
|
envelope_id: envelope.id,
|
|
5423
5423
|
});
|
|
5424
5424
|
}
|
|
@@ -5459,7 +5459,7 @@ class AFTLoadBalancerStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5459
5459
|
}
|
|
5460
5460
|
if (this.verifier.securityLevel === exports.StickinessMode.STRICT &&
|
|
5461
5461
|
association.isLowTrust()) {
|
|
5462
|
-
logger$
|
|
5462
|
+
logger$4.warning("rejecting_low_trust_association", {
|
|
5463
5463
|
envelope_id: envelope.id,
|
|
5464
5464
|
replica_id: association.replicaId,
|
|
5465
5465
|
reason: "strict mode rejects low-trust associations",
|
|
@@ -5566,7 +5566,7 @@ var aftLoadBalancerStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5566
5566
|
default: AFTLoadBalancerStickinessManagerFactory
|
|
5567
5567
|
});
|
|
5568
5568
|
|
|
5569
|
-
const logger$
|
|
5569
|
+
const logger$3 = runtime.getLogger("naylence.fame.stickiness.aft_replica_stickiness_manager");
|
|
5570
5570
|
function isStickinessRequired(context) {
|
|
5571
5571
|
if (typeof context.stickinessRequired === "boolean") {
|
|
5572
5572
|
return context.stickinessRequired;
|
|
@@ -5586,14 +5586,14 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5586
5586
|
this.isInitialized = this.aftHelper !== null;
|
|
5587
5587
|
this.negotiatedStickiness = null;
|
|
5588
5588
|
if (this.aftHelper) {
|
|
5589
|
-
logger$
|
|
5589
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5590
5590
|
helper_type: this.aftHelper.signer.constructor.name,
|
|
5591
5591
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5592
5592
|
max_ttl_sec: this.aftHelper.maxTtlSec,
|
|
5593
5593
|
});
|
|
5594
5594
|
}
|
|
5595
5595
|
else {
|
|
5596
|
-
logger$
|
|
5596
|
+
logger$3.debug("aft_replica_stickiness_manager_created", {
|
|
5597
5597
|
security_level: this.securityLevel,
|
|
5598
5598
|
max_ttl_sec: this.maxTtlSec,
|
|
5599
5599
|
});
|
|
@@ -5604,7 +5604,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5604
5604
|
}
|
|
5605
5605
|
accept(stickiness) {
|
|
5606
5606
|
this.negotiatedStickiness = stickiness ?? null;
|
|
5607
|
-
logger$
|
|
5607
|
+
logger$3.debug("replica_stickiness_policy_set", {
|
|
5608
5608
|
enabled: stickiness?.enabled ?? null,
|
|
5609
5609
|
mode: stickiness?.mode ?? null,
|
|
5610
5610
|
ttl: stickiness?.ttlSec ?? null,
|
|
@@ -5616,7 +5616,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5616
5616
|
}
|
|
5617
5617
|
const helper = this.aftHelper;
|
|
5618
5618
|
if (!helper) {
|
|
5619
|
-
logger$
|
|
5619
|
+
logger$3.debug("aft_helper_not_ready_skip_injection", {
|
|
5620
5620
|
envelope_id: envelope.id,
|
|
5621
5621
|
delivery_origin: context.originType ?? null,
|
|
5622
5622
|
reason: "not_initialized",
|
|
@@ -5632,7 +5632,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5632
5632
|
(negotiated.mode !== null &&
|
|
5633
5633
|
negotiated.mode !== undefined &&
|
|
5634
5634
|
negotiated.mode !== "aft")) {
|
|
5635
|
-
logger$
|
|
5635
|
+
logger$3.debug("aft_injection_skipped_due_to_policy", {
|
|
5636
5636
|
envelope_id: envelope.id,
|
|
5637
5637
|
policy_mode: negotiated.mode ?? null,
|
|
5638
5638
|
policy_enabled: negotiated.enabled ?? null,
|
|
@@ -5640,7 +5640,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5640
5640
|
return envelope;
|
|
5641
5641
|
}
|
|
5642
5642
|
}
|
|
5643
|
-
logger$
|
|
5643
|
+
logger$3.debug("applying_aft_for_upstream_stickiness_required", {
|
|
5644
5644
|
envelope_id: envelope.id,
|
|
5645
5645
|
from_system_id: context.fromSystemId ?? null,
|
|
5646
5646
|
delivery_origin: context.originType ?? null,
|
|
@@ -5651,14 +5651,14 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5651
5651
|
context: stickinessContext,
|
|
5652
5652
|
});
|
|
5653
5653
|
if (success) {
|
|
5654
|
-
logger$
|
|
5654
|
+
logger$3.debug("aft_token_applied_via_context_flag_upstream", {
|
|
5655
5655
|
envelope_id: envelope.id,
|
|
5656
5656
|
from_system_id: context.fromSystemId ?? null,
|
|
5657
5657
|
delivery_origin: context.originType ?? null,
|
|
5658
5658
|
});
|
|
5659
5659
|
}
|
|
5660
5660
|
else {
|
|
5661
|
-
logger$
|
|
5661
|
+
logger$3.debug("aft_token_not_applied_upstream", {
|
|
5662
5662
|
envelope_id: envelope.id,
|
|
5663
5663
|
delivery_origin: context.originType ?? null,
|
|
5664
5664
|
reason: "helper_returned_false",
|
|
@@ -5674,19 +5674,19 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5674
5674
|
}
|
|
5675
5675
|
if (this.aftHelper && node.sid) {
|
|
5676
5676
|
this.updateNodeSid(node.sid);
|
|
5677
|
-
logger$
|
|
5677
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5678
5678
|
node_id: node.id ?? "unknown",
|
|
5679
5679
|
node_sid: node.sid,
|
|
5680
5680
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5681
5681
|
});
|
|
5682
5682
|
}
|
|
5683
5683
|
else if (!node.sid) {
|
|
5684
|
-
logger$
|
|
5684
|
+
logger$3.warning("aft_replica_stickiness_manager_no_sid_available", {
|
|
5685
5685
|
node_id: node.id ?? "unknown",
|
|
5686
5686
|
});
|
|
5687
5687
|
}
|
|
5688
5688
|
else {
|
|
5689
|
-
logger$
|
|
5689
|
+
logger$3.error("aft_replica_stickiness_manager_node_missing_sid", {
|
|
5690
5690
|
node_type: node.constructor?.name ?? typeof node,
|
|
5691
5691
|
});
|
|
5692
5692
|
}
|
|
@@ -5694,7 +5694,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5694
5694
|
updateNodeSid(nodeSid) {
|
|
5695
5695
|
if (this.aftHelper) {
|
|
5696
5696
|
this.aftHelper.nodeSid = nodeSid;
|
|
5697
|
-
logger$
|
|
5697
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5698
5698
|
new_sid: nodeSid,
|
|
5699
5699
|
});
|
|
5700
5700
|
}
|
|
@@ -5702,14 +5702,14 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5702
5702
|
async initializeAftHelper(node) {
|
|
5703
5703
|
const nodeSid = node.sid;
|
|
5704
5704
|
if (!nodeSid) {
|
|
5705
|
-
logger$
|
|
5705
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_sid", {
|
|
5706
5706
|
node_id: node.id ?? "unknown",
|
|
5707
5707
|
});
|
|
5708
5708
|
return;
|
|
5709
5709
|
}
|
|
5710
5710
|
const cryptoProvider = node.cryptoProvider ?? null;
|
|
5711
5711
|
if (!cryptoProvider) {
|
|
5712
|
-
logger$
|
|
5712
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_crypto_provider", {
|
|
5713
5713
|
node_id: node.id ?? "unknown",
|
|
5714
5714
|
});
|
|
5715
5715
|
return;
|
|
@@ -5722,7 +5722,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5722
5722
|
? cryptoProvider.signingPrivatePem
|
|
5723
5723
|
: null;
|
|
5724
5724
|
if (this.securityLevel === exports.StickinessMode.STRICT && !privateKeyPem) {
|
|
5725
|
-
logger$
|
|
5725
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5726
5726
|
node_id: node.id ?? "unknown",
|
|
5727
5727
|
error: "Missing signing private key for strict security level",
|
|
5728
5728
|
});
|
|
@@ -5738,7 +5738,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5738
5738
|
});
|
|
5739
5739
|
this.aftHelper = helper;
|
|
5740
5740
|
this.isInitialized = true;
|
|
5741
|
-
logger$
|
|
5741
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5742
5742
|
node_id: node.id ?? "unknown",
|
|
5743
5743
|
node_sid: nodeSid,
|
|
5744
5744
|
key_id: keyId,
|
|
@@ -5746,7 +5746,7 @@ class AFTReplicaStickinessManager extends runtime.BaseNodeEventListener {
|
|
|
5746
5746
|
});
|
|
5747
5747
|
}
|
|
5748
5748
|
catch (error) {
|
|
5749
|
-
logger$
|
|
5749
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5750
5750
|
node_id: node.id ?? "unknown",
|
|
5751
5751
|
error: error instanceof Error ? error.message : String(error),
|
|
5752
5752
|
});
|
|
@@ -5816,7 +5816,7 @@ var aftReplicaStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5816
5816
|
default: AFTReplicaStickinessManagerFactory
|
|
5817
5817
|
});
|
|
5818
5818
|
|
|
5819
|
-
const logger$
|
|
5819
|
+
const logger$2 = runtime.getLogger("naylence.fame.welcome.advanced_welcome_service");
|
|
5820
5820
|
const ENV_VAR_SHOW_ENVELOPES = "FAME_SHOW_ENVELOPES";
|
|
5821
5821
|
const DEFAULT_TTL_SEC = 3600;
|
|
5822
5822
|
const showEnvelopes = typeof process !== "undefined" &&
|
|
@@ -5859,7 +5859,7 @@ class AdvancedWelcomeService {
|
|
|
5859
5859
|
typeof options.ttlSec === "number" && Number.isFinite(options.ttlSec)
|
|
5860
5860
|
? Math.max(0, options.ttlSec)
|
|
5861
5861
|
: DEFAULT_TTL_SEC;
|
|
5862
|
-
logger$
|
|
5862
|
+
logger$2.debug("initialized_advanced_welcome_service", {
|
|
5863
5863
|
ca_service_url: this.caServiceUrl,
|
|
5864
5864
|
ttl_sec: this.ttlSec,
|
|
5865
5865
|
});
|
|
@@ -5879,7 +5879,7 @@ class AdvancedWelcomeService {
|
|
|
5879
5879
|
// eslint-disable-next-line no-console
|
|
5880
5880
|
console.log(`\n${formatTimestampForConsole()} - ${runtime.color("Received envelope 📨", runtime.AnsiColor.BLUE)}\n${prettyModel(normalizedHello)}`);
|
|
5881
5881
|
}
|
|
5882
|
-
logger$
|
|
5882
|
+
logger$2.debug("starting_hello_frame_processing", {
|
|
5883
5883
|
instanceId: normalizedHello.instanceId,
|
|
5884
5884
|
systemId,
|
|
5885
5885
|
logicals: normalizedHello.logicals,
|
|
@@ -5896,35 +5896,35 @@ class AdvancedWelcomeService {
|
|
|
5896
5896
|
fullMetadata.instance_id = normalizedHello.instanceId;
|
|
5897
5897
|
}
|
|
5898
5898
|
}
|
|
5899
|
-
logger$
|
|
5899
|
+
logger$2.debug("system_id_assignment_completed", {
|
|
5900
5900
|
systemId,
|
|
5901
5901
|
wasAssigned,
|
|
5902
5902
|
});
|
|
5903
5903
|
if (normalizedHello.logicals?.length) {
|
|
5904
|
-
logger$
|
|
5904
|
+
logger$2.debug("validating_logicals_for_dns_compatibility", {
|
|
5905
5905
|
logicals: normalizedHello.logicals,
|
|
5906
5906
|
});
|
|
5907
5907
|
const [pathsValid, pathError] = runtime.validateHostLogicals(normalizedHello.logicals);
|
|
5908
5908
|
if (!pathsValid) {
|
|
5909
|
-
logger$
|
|
5909
|
+
logger$2.error("logical_validation_failed", {
|
|
5910
5910
|
error: pathError,
|
|
5911
5911
|
logicals: normalizedHello.logicals,
|
|
5912
5912
|
});
|
|
5913
5913
|
throw new Error(`Invalid logical format: ${pathError}`);
|
|
5914
5914
|
}
|
|
5915
|
-
logger$
|
|
5915
|
+
logger$2.debug("logicals_validation_successful");
|
|
5916
5916
|
}
|
|
5917
|
-
logger$
|
|
5917
|
+
logger$2.debug("requesting_node_placement", { systemId });
|
|
5918
5918
|
const placementResult = await this.placementStrategy.place(normalizedHello);
|
|
5919
5919
|
if (!placementResult.accept) {
|
|
5920
|
-
logger$
|
|
5920
|
+
logger$2.error("node_placement_rejected", {
|
|
5921
5921
|
systemId,
|
|
5922
5922
|
reason: placementResult.reason,
|
|
5923
5923
|
});
|
|
5924
5924
|
throw new Error(placementResult.reason || "Node not accepted");
|
|
5925
5925
|
}
|
|
5926
5926
|
const assignedPath = placementResult.assignedPath;
|
|
5927
|
-
logger$
|
|
5927
|
+
logger$2.debug("node_placement_accepted", {
|
|
5928
5928
|
systemId,
|
|
5929
5929
|
assignedPath,
|
|
5930
5930
|
targetPhysicalPath: placementResult.targetPhysicalPath ?? null,
|
|
@@ -5936,7 +5936,7 @@ class AdvancedWelcomeService {
|
|
|
5936
5936
|
const acceptedLogicals = coercePlacementMetadataValue(placementResult.metadata, "acceptedLogicals", "accepted_logicals") ??
|
|
5937
5937
|
normalizedHello.logicals ??
|
|
5938
5938
|
null;
|
|
5939
|
-
logger$
|
|
5939
|
+
logger$2.debug("processing_placement_result_metadata", {
|
|
5940
5940
|
acceptedCapabilities,
|
|
5941
5941
|
acceptedLogicals,
|
|
5942
5942
|
hasPlacementMetadata: placementResult.metadata !== undefined &&
|
|
@@ -5950,7 +5950,7 @@ class AdvancedWelcomeService {
|
|
|
5950
5950
|
normalizedHello.instanceId ||
|
|
5951
5951
|
core.generateId();
|
|
5952
5952
|
if (placementResult.targetSystemId) {
|
|
5953
|
-
logger$
|
|
5953
|
+
logger$2.debug("issuing_node_attach_token", {
|
|
5954
5954
|
systemId,
|
|
5955
5955
|
assignedPath,
|
|
5956
5956
|
});
|
|
@@ -5962,10 +5962,10 @@ class AdvancedWelcomeService {
|
|
|
5962
5962
|
accepted_logicals: acceptedLogicals,
|
|
5963
5963
|
instance_id: metadataInstanceId,
|
|
5964
5964
|
});
|
|
5965
|
-
logger$
|
|
5966
|
-
logger$
|
|
5965
|
+
logger$2.debug("token_issued_successfully");
|
|
5966
|
+
logger$2.debug("provisioning_transport", { systemId });
|
|
5967
5967
|
const transportInfo = await this.transportProvisioner.provision(placementResult, normalizedHello, fullMetadata, nodeAttachToken);
|
|
5968
|
-
logger$
|
|
5968
|
+
logger$2.debug("transport_provisioned_successfully", {
|
|
5969
5969
|
systemId,
|
|
5970
5970
|
directiveType: transportInfo.connectionGrant &&
|
|
5971
5971
|
typeof transportInfo.connectionGrant === "object"
|
|
@@ -6009,7 +6009,7 @@ class AdvancedWelcomeService {
|
|
|
6009
6009
|
metadata: Object.keys(fullMetadata).length > 0 ? fullMetadata : undefined,
|
|
6010
6010
|
expiresAt: expiry.toISOString(),
|
|
6011
6011
|
};
|
|
6012
|
-
logger$
|
|
6012
|
+
logger$2.debug("hello_frame_processing_completed_successfully", {
|
|
6013
6013
|
systemId,
|
|
6014
6014
|
assignedPath,
|
|
6015
6015
|
acceptedLogicals,
|
|
@@ -6666,7 +6666,7 @@ function encodeBitString(signature) {
|
|
|
6666
6666
|
return result.buffer;
|
|
6667
6667
|
}
|
|
6668
6668
|
|
|
6669
|
-
const logger = runtime.getLogger("naylence.fame.security.cert.default_certificate_manager");
|
|
6669
|
+
const logger$1 = runtime.getLogger("naylence.fame.security.cert.default_certificate_manager");
|
|
6670
6670
|
const CONNECTION_GRANTS_CAMEL = "connectionGrants";
|
|
6671
6671
|
const CONNECTION_GRANTS_SNAKE = "connection_grants";
|
|
6672
6672
|
class DefaultCertificateManager {
|
|
@@ -6695,7 +6695,7 @@ class DefaultCertificateManager {
|
|
|
6695
6695
|
this.prepareProviderContext(node);
|
|
6696
6696
|
const requiresCertificate = this.requiresCertificates();
|
|
6697
6697
|
if (requiresCertificate) {
|
|
6698
|
-
logger.debug("node_certificate_required_on_start", {
|
|
6698
|
+
logger$1.debug("node_certificate_required_on_start", {
|
|
6699
6699
|
node_id: node.id,
|
|
6700
6700
|
physical_path: node.physicalPath,
|
|
6701
6701
|
has_parent: node.hasParent,
|
|
@@ -6709,7 +6709,7 @@ class DefaultCertificateManager {
|
|
|
6709
6709
|
const welcomeFrame = this.pendingWelcomeFrame ?? fallbackWelcome;
|
|
6710
6710
|
const success = await this.ensureCertificate(welcomeFrame, this.caServiceUrl ? { caServiceUrl: this.caServiceUrl } : undefined);
|
|
6711
6711
|
if (!success) {
|
|
6712
|
-
logger.warning("node_certificate_unavailable_on_start", {
|
|
6712
|
+
logger$1.warning("node_certificate_unavailable_on_start", {
|
|
6713
6713
|
node_id: node.id,
|
|
6714
6714
|
physical_path: node.physicalPath,
|
|
6715
6715
|
message: "Certificate provisioning was requested but did not complete",
|
|
@@ -6723,7 +6723,7 @@ class DefaultCertificateManager {
|
|
|
6723
6723
|
async onWelcome(welcomeFrame) {
|
|
6724
6724
|
const requiresCertificate = this.requiresCertificates(welcomeFrame);
|
|
6725
6725
|
if (!requiresCertificate) {
|
|
6726
|
-
logger.debug("welcome_does_not_require_certificate", {
|
|
6726
|
+
logger$1.debug("welcome_does_not_require_certificate", {
|
|
6727
6727
|
system_id: welcomeFrame.systemId ?? null,
|
|
6728
6728
|
});
|
|
6729
6729
|
this.pendingWelcomeFrame = null;
|
|
@@ -6734,14 +6734,14 @@ class DefaultCertificateManager {
|
|
|
6734
6734
|
return;
|
|
6735
6735
|
}
|
|
6736
6736
|
if (!this.node) {
|
|
6737
|
-
logger.debug("certificate_provisioning_deferred_until_node_start", {
|
|
6737
|
+
logger$1.debug("certificate_provisioning_deferred_until_node_start", {
|
|
6738
6738
|
system_id: welcomeFrame.systemId ?? null,
|
|
6739
6739
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
6740
6740
|
});
|
|
6741
6741
|
return;
|
|
6742
6742
|
}
|
|
6743
6743
|
const nodeId = welcomeFrame.systemId ?? "unknown";
|
|
6744
|
-
logger.warning("certificate_provisioning_not_completed", {
|
|
6744
|
+
logger$1.warning("certificate_provisioning_not_completed", {
|
|
6745
6745
|
node_id: nodeId,
|
|
6746
6746
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
6747
6747
|
message: "Continuing without a provisioned certificate (development mode)",
|
|
@@ -6757,13 +6757,13 @@ class DefaultCertificateManager {
|
|
|
6757
6757
|
const cryptoProvider = this.resolveCryptoProvider();
|
|
6758
6758
|
if (!cryptoProvider) {
|
|
6759
6759
|
if (!this.node) {
|
|
6760
|
-
logger.debug("crypto_provider_pending_node_start", {
|
|
6760
|
+
logger$1.debug("crypto_provider_pending_node_start", {
|
|
6761
6761
|
system_id: welcomeFrame.systemId ?? null,
|
|
6762
6762
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
6763
6763
|
});
|
|
6764
6764
|
}
|
|
6765
6765
|
else {
|
|
6766
|
-
logger.error("crypto_provider_unavailable_for_certificate", {
|
|
6766
|
+
logger$1.error("crypto_provider_unavailable_for_certificate", {
|
|
6767
6767
|
system_id: welcomeFrame.systemId ?? null,
|
|
6768
6768
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
6769
6769
|
});
|
|
@@ -6782,7 +6782,7 @@ class DefaultCertificateManager {
|
|
|
6782
6782
|
const connectionGrants = readFrameValue(welcomeFrame, CONNECTION_GRANTS_CAMEL, CONNECTION_GRANTS_SNAKE);
|
|
6783
6783
|
const caSignGrant = this.getCaSignGrant(connectionGrants);
|
|
6784
6784
|
if (!caSignGrant) {
|
|
6785
|
-
logger.warning("welcome_frame_missing_ca_sign_grant", {
|
|
6785
|
+
logger$1.warning("welcome_frame_missing_ca_sign_grant", {
|
|
6786
6786
|
system_id: nodeId,
|
|
6787
6787
|
grant_count: Array.isArray(connectionGrants)
|
|
6788
6788
|
? connectionGrants.length
|
|
@@ -6793,7 +6793,7 @@ class DefaultCertificateManager {
|
|
|
6793
6793
|
if (caSignGrant) {
|
|
6794
6794
|
material = await this.requestCertificateFromCa(cryptoProvider, welcomeFrame, caSignGrant, options);
|
|
6795
6795
|
if (!material) {
|
|
6796
|
-
logger.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
6796
|
+
logger$1.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
6797
6797
|
system_id: nodeId,
|
|
6798
6798
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl ?? caSignGrant.url,
|
|
6799
6799
|
});
|
|
@@ -6803,13 +6803,13 @@ class DefaultCertificateManager {
|
|
|
6803
6803
|
material = await this.resolveCertificateMaterialFromInjectedSources(cryptoProvider, nodeId);
|
|
6804
6804
|
}
|
|
6805
6805
|
if (!material) {
|
|
6806
|
-
logger.debug("attempting_certificate_resolution_from_environment", {
|
|
6806
|
+
logger$1.debug("attempting_certificate_resolution_from_environment", {
|
|
6807
6807
|
system_id: nodeId,
|
|
6808
6808
|
});
|
|
6809
6809
|
material = await resolveCertificateMaterialFromEnvironment();
|
|
6810
6810
|
}
|
|
6811
6811
|
if (!material) {
|
|
6812
|
-
logger.warning("certificate_material_not_found", {
|
|
6812
|
+
logger$1.warning("certificate_material_not_found", {
|
|
6813
6813
|
system_id: nodeId,
|
|
6814
6814
|
assigned_path: readFrameString(welcomeFrame, "assignedPath", "assigned_path"),
|
|
6815
6815
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl,
|
|
@@ -6818,7 +6818,7 @@ class DefaultCertificateManager {
|
|
|
6818
6818
|
}
|
|
6819
6819
|
const stored = await this.storeCertificateMaterial(cryptoProvider, material, nodeId);
|
|
6820
6820
|
if (!stored) {
|
|
6821
|
-
logger.warning("certificate_storage_not_supported", {
|
|
6821
|
+
logger$1.warning("certificate_storage_not_supported", {
|
|
6822
6822
|
system_id: nodeId,
|
|
6823
6823
|
});
|
|
6824
6824
|
return false;
|
|
@@ -6827,7 +6827,7 @@ class DefaultCertificateManager {
|
|
|
6827
6827
|
if (!validated) {
|
|
6828
6828
|
return false;
|
|
6829
6829
|
}
|
|
6830
|
-
logger.debug("certificate_material_applied", {
|
|
6830
|
+
logger$1.debug("certificate_material_applied", {
|
|
6831
6831
|
system_id: nodeId,
|
|
6832
6832
|
has_chain: Boolean(material.certificateChainPem),
|
|
6833
6833
|
});
|
|
@@ -6890,12 +6890,12 @@ class DefaultCertificateManager {
|
|
|
6890
6890
|
}
|
|
6891
6891
|
const validated = await this.validateProviderCertificate(provider, nodeId);
|
|
6892
6892
|
if (!validated) {
|
|
6893
|
-
logger.error("existing_certificate_validation_failed", {
|
|
6893
|
+
logger$1.error("existing_certificate_validation_failed", {
|
|
6894
6894
|
node_id: nodeId,
|
|
6895
6895
|
});
|
|
6896
6896
|
return false;
|
|
6897
6897
|
}
|
|
6898
|
-
logger.debug("existing_certificate_validated", {
|
|
6898
|
+
logger$1.debug("existing_certificate_validated", {
|
|
6899
6899
|
node_id: nodeId,
|
|
6900
6900
|
});
|
|
6901
6901
|
return true;
|
|
@@ -6903,7 +6903,7 @@ class DefaultCertificateManager {
|
|
|
6903
6903
|
async resolveCertificateMaterialFromInjectedSources(provider, nodeId) {
|
|
6904
6904
|
const providerMaterial = await this.resolveCertificateMaterialFromProvider(provider, nodeId);
|
|
6905
6905
|
if (providerMaterial) {
|
|
6906
|
-
logger.debug("certificate_material_resolved_from_provider", {
|
|
6906
|
+
logger$1.debug("certificate_material_resolved_from_provider", {
|
|
6907
6907
|
system_id: nodeId,
|
|
6908
6908
|
});
|
|
6909
6909
|
return providerMaterial;
|
|
@@ -6912,14 +6912,14 @@ class DefaultCertificateManager {
|
|
|
6912
6912
|
try {
|
|
6913
6913
|
const material = await this.certificateMaterialResolver();
|
|
6914
6914
|
if (material) {
|
|
6915
|
-
logger.debug("certificate_material_resolved_from_options", {
|
|
6915
|
+
logger$1.debug("certificate_material_resolved_from_options", {
|
|
6916
6916
|
system_id: nodeId,
|
|
6917
6917
|
});
|
|
6918
6918
|
return material;
|
|
6919
6919
|
}
|
|
6920
6920
|
}
|
|
6921
6921
|
catch (error) {
|
|
6922
|
-
logger.debug("certificate_material_option_resolution_failed", {
|
|
6922
|
+
logger$1.debug("certificate_material_option_resolution_failed", {
|
|
6923
6923
|
system_id: nodeId,
|
|
6924
6924
|
error: error instanceof Error ? error.message : String(error),
|
|
6925
6925
|
});
|
|
@@ -6936,7 +6936,7 @@ class DefaultCertificateManager {
|
|
|
6936
6936
|
return normalizeCertificateMaterial(material ?? null);
|
|
6937
6937
|
}
|
|
6938
6938
|
catch (error) {
|
|
6939
|
-
logger.debug("provider_certificate_material_resolution_failed", {
|
|
6939
|
+
logger$1.debug("provider_certificate_material_resolution_failed", {
|
|
6940
6940
|
system_id: nodeId,
|
|
6941
6941
|
error: error instanceof Error ? error.message : String(error),
|
|
6942
6942
|
});
|
|
@@ -6958,7 +6958,7 @@ class DefaultCertificateManager {
|
|
|
6958
6958
|
}
|
|
6959
6959
|
const url = readRecordString(grantRecord, "url", "baseUrl", "base_url");
|
|
6960
6960
|
if (!url) {
|
|
6961
|
-
logger.warning("ca_sign_grant_missing_url", {
|
|
6961
|
+
logger$1.warning("ca_sign_grant_missing_url", {
|
|
6962
6962
|
grant_keys: Object.keys(grantRecord),
|
|
6963
6963
|
});
|
|
6964
6964
|
continue;
|
|
@@ -6977,12 +6977,12 @@ class DefaultCertificateManager {
|
|
|
6977
6977
|
? provider.signatureKeyId
|
|
6978
6978
|
: null);
|
|
6979
6979
|
if (!nodeId) {
|
|
6980
|
-
logger.warning("certificate_request_missing_node_id");
|
|
6980
|
+
logger$1.warning("certificate_request_missing_node_id");
|
|
6981
6981
|
return null;
|
|
6982
6982
|
}
|
|
6983
6983
|
const physicalPath = readFrameString(welcomeFrame, "assignedPath", "assigned_path");
|
|
6984
6984
|
if (!physicalPath) {
|
|
6985
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
6985
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
6986
6986
|
node_id: nodeId,
|
|
6987
6987
|
});
|
|
6988
6988
|
return null;
|
|
@@ -6996,7 +6996,7 @@ class DefaultCertificateManager {
|
|
|
6996
6996
|
}
|
|
6997
6997
|
const caServiceUrl = options?.caServiceUrl ?? this.caServiceUrl ?? grant.url;
|
|
6998
6998
|
if (!caServiceUrl) {
|
|
6999
|
-
logger.error("ca_service_url_unavailable", {
|
|
6999
|
+
logger$1.error("ca_service_url_unavailable", {
|
|
7000
7000
|
node_id: nodeId,
|
|
7001
7001
|
});
|
|
7002
7002
|
return null;
|
|
@@ -7009,7 +7009,7 @@ class DefaultCertificateManager {
|
|
|
7009
7009
|
authStrategy = await this.createAuthStrategyForGrant(grant);
|
|
7010
7010
|
}
|
|
7011
7011
|
catch (error) {
|
|
7012
|
-
logger.error("ca_sign_auth_strategy_creation_failed", {
|
|
7012
|
+
logger$1.error("ca_sign_auth_strategy_creation_failed", {
|
|
7013
7013
|
node_id: nodeId,
|
|
7014
7014
|
error: error instanceof Error ? error.message : String(error),
|
|
7015
7015
|
});
|
|
@@ -7021,7 +7021,7 @@ class DefaultCertificateManager {
|
|
|
7021
7021
|
await authStrategy.apply(client);
|
|
7022
7022
|
}
|
|
7023
7023
|
const [certificatePem, certificateChainPem] = await client.requestCertificate(csrPem, nodeId, physicalPath, logicals);
|
|
7024
|
-
logger.debug("certificate_received_from_ca_service", {
|
|
7024
|
+
logger$1.debug("certificate_received_from_ca_service", {
|
|
7025
7025
|
node_id: nodeId,
|
|
7026
7026
|
has_chain: Boolean(certificateChainPem),
|
|
7027
7027
|
ca_service_url: caServiceUrl,
|
|
@@ -7033,13 +7033,13 @@ class DefaultCertificateManager {
|
|
|
7033
7033
|
}
|
|
7034
7034
|
catch (error) {
|
|
7035
7035
|
if (error instanceof CertificateRequestError) {
|
|
7036
|
-
logger.error("certificate_request_failed", {
|
|
7036
|
+
logger$1.error("certificate_request_failed", {
|
|
7037
7037
|
node_id: nodeId,
|
|
7038
7038
|
error: error.message,
|
|
7039
7039
|
});
|
|
7040
7040
|
}
|
|
7041
7041
|
else {
|
|
7042
|
-
logger.error("certificate_request_unhandled_error", {
|
|
7042
|
+
logger$1.error("certificate_request_unhandled_error", {
|
|
7043
7043
|
node_id: nodeId,
|
|
7044
7044
|
error: error instanceof Error ? error.message : String(error),
|
|
7045
7045
|
});
|
|
@@ -7052,7 +7052,7 @@ class DefaultCertificateManager {
|
|
|
7052
7052
|
await authStrategy.cleanup();
|
|
7053
7053
|
}
|
|
7054
7054
|
catch (cleanupError) {
|
|
7055
|
-
logger.debug("auth_strategy_cleanup_failed", {
|
|
7055
|
+
logger$1.debug("auth_strategy_cleanup_failed", {
|
|
7056
7056
|
error: cleanupError instanceof Error
|
|
7057
7057
|
? cleanupError.message
|
|
7058
7058
|
: String(cleanupError),
|
|
@@ -7075,14 +7075,14 @@ class DefaultCertificateManager {
|
|
|
7075
7075
|
async validateProviderCertificate(provider, nodeId) {
|
|
7076
7076
|
const { pem: trustStorePem, reason } = await this.resolveTrustStorePemValue(provider, nodeId);
|
|
7077
7077
|
if (!trustStorePem) {
|
|
7078
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7078
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7079
7079
|
node_id: nodeId,
|
|
7080
7080
|
reason: reason ?? "trust_store_unavailable",
|
|
7081
7081
|
});
|
|
7082
7082
|
return false;
|
|
7083
7083
|
}
|
|
7084
7084
|
if (typeof provider.nodeJwk !== "function") {
|
|
7085
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7085
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7086
7086
|
node_id: nodeId,
|
|
7087
7087
|
reason: "crypto_provider_lacks_node_jwk",
|
|
7088
7088
|
});
|
|
@@ -7093,7 +7093,7 @@ class DefaultCertificateManager {
|
|
|
7093
7093
|
jwk = provider.nodeJwk() ?? null;
|
|
7094
7094
|
}
|
|
7095
7095
|
catch (error) {
|
|
7096
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7096
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7097
7097
|
node_id: nodeId,
|
|
7098
7098
|
reason: "node_jwk_retrieval_failed",
|
|
7099
7099
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -7101,7 +7101,7 @@ class DefaultCertificateManager {
|
|
|
7101
7101
|
return false;
|
|
7102
7102
|
}
|
|
7103
7103
|
if (!jwk) {
|
|
7104
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7104
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7105
7105
|
node_id: nodeId,
|
|
7106
7106
|
reason: "node_jwk_missing",
|
|
7107
7107
|
});
|
|
@@ -7111,7 +7111,7 @@ class DefaultCertificateManager {
|
|
|
7111
7111
|
if (!Array.isArray(x5c) ||
|
|
7112
7112
|
x5c.length === 0 ||
|
|
7113
7113
|
x5c.some((entry) => typeof entry !== "string")) {
|
|
7114
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7114
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7115
7115
|
node_id: nodeId,
|
|
7116
7116
|
reason: "invalid_certificate_chain",
|
|
7117
7117
|
});
|
|
@@ -7125,19 +7125,19 @@ class DefaultCertificateManager {
|
|
|
7125
7125
|
strict: false,
|
|
7126
7126
|
});
|
|
7127
7127
|
if (!result.isValid) {
|
|
7128
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7128
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7129
7129
|
node_id: nodeId,
|
|
7130
7130
|
reason: result.error ?? "validation_failed",
|
|
7131
7131
|
});
|
|
7132
7132
|
return false;
|
|
7133
7133
|
}
|
|
7134
|
-
logger.debug("certificate_chain_validation_successful", {
|
|
7134
|
+
logger$1.debug("certificate_chain_validation_successful", {
|
|
7135
7135
|
node_id: nodeId,
|
|
7136
7136
|
});
|
|
7137
7137
|
return true;
|
|
7138
7138
|
}
|
|
7139
7139
|
catch (error) {
|
|
7140
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7140
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7141
7141
|
node_id: nodeId,
|
|
7142
7142
|
reason: "validation_error",
|
|
7143
7143
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -7148,7 +7148,7 @@ class DefaultCertificateManager {
|
|
|
7148
7148
|
async resolveTrustStorePemValue(provider, nodeId) {
|
|
7149
7149
|
const providerPem = await this.resolveTrustStorePemFromProvider(provider, nodeId);
|
|
7150
7150
|
if (providerPem) {
|
|
7151
|
-
logger.debug("trust_store_resolved_from_provider", {
|
|
7151
|
+
logger$1.debug("trust_store_resolved_from_provider", {
|
|
7152
7152
|
node_id: nodeId,
|
|
7153
7153
|
});
|
|
7154
7154
|
return { pem: providerPem };
|
|
@@ -7158,14 +7158,14 @@ class DefaultCertificateManager {
|
|
|
7158
7158
|
const pem = await this.trustStorePemResolver();
|
|
7159
7159
|
const normalized = normalizePemOrNull(pem);
|
|
7160
7160
|
if (normalized) {
|
|
7161
|
-
logger.debug("trust_store_resolved_from_options", {
|
|
7161
|
+
logger$1.debug("trust_store_resolved_from_options", {
|
|
7162
7162
|
node_id: nodeId,
|
|
7163
7163
|
});
|
|
7164
7164
|
return { pem: normalized };
|
|
7165
7165
|
}
|
|
7166
7166
|
}
|
|
7167
7167
|
catch (error) {
|
|
7168
|
-
logger.debug("trust_store_option_resolution_failed", {
|
|
7168
|
+
logger$1.debug("trust_store_option_resolution_failed", {
|
|
7169
7169
|
node_id: nodeId,
|
|
7170
7170
|
error: error instanceof Error ? error.message : String(error),
|
|
7171
7171
|
});
|
|
@@ -7186,7 +7186,7 @@ class DefaultCertificateManager {
|
|
|
7186
7186
|
return normalizePemOrNull(pem);
|
|
7187
7187
|
}
|
|
7188
7188
|
catch (error) {
|
|
7189
|
-
logger.debug("provider_trust_store_resolution_failed", {
|
|
7189
|
+
logger$1.debug("provider_trust_store_resolution_failed", {
|
|
7190
7190
|
node_id: nodeId,
|
|
7191
7191
|
error: error instanceof Error ? error.message : String(error),
|
|
7192
7192
|
});
|
|
@@ -7201,7 +7201,7 @@ class DefaultCertificateManager {
|
|
|
7201
7201
|
stored = true;
|
|
7202
7202
|
}
|
|
7203
7203
|
catch (error) {
|
|
7204
|
-
logger.warning("failed_to_store_certificate", {
|
|
7204
|
+
logger$1.warning("failed_to_store_certificate", {
|
|
7205
7205
|
error: error instanceof Error ? error.message : String(error),
|
|
7206
7206
|
});
|
|
7207
7207
|
}
|
|
@@ -7219,7 +7219,7 @@ class DefaultCertificateManager {
|
|
|
7219
7219
|
stored = true;
|
|
7220
7220
|
}
|
|
7221
7221
|
catch (error) {
|
|
7222
|
-
logger.debug("certificate_persistence_hook_failed", {
|
|
7222
|
+
logger$1.debug("certificate_persistence_hook_failed", {
|
|
7223
7223
|
node_id: nodeId,
|
|
7224
7224
|
error: error instanceof Error ? error.message : String(error),
|
|
7225
7225
|
});
|
|
@@ -7230,7 +7230,7 @@ class DefaultCertificateManager {
|
|
|
7230
7230
|
async buildCertificateSigningRequest(provider, nodeId, physicalPath, logicals) {
|
|
7231
7231
|
const trimmedPath = physicalPath.trim();
|
|
7232
7232
|
if (!trimmedPath) {
|
|
7233
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
7233
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
7234
7234
|
node_id: nodeId,
|
|
7235
7235
|
});
|
|
7236
7236
|
return null;
|
|
@@ -7239,7 +7239,7 @@ class DefaultCertificateManager {
|
|
|
7239
7239
|
const privateKeyPem = pemSource.signingPrivatePem?.trim() ?? "";
|
|
7240
7240
|
const publicKeyPem = pemSource.signingPublicPem?.trim() ?? "";
|
|
7241
7241
|
if (!privateKeyPem || !publicKeyPem) {
|
|
7242
|
-
logger.error("crypto_provider_missing_signing_material", {
|
|
7242
|
+
logger$1.error("crypto_provider_missing_signing_material", {
|
|
7243
7243
|
node_id: nodeId,
|
|
7244
7244
|
has_private: Boolean(privateKeyPem),
|
|
7245
7245
|
has_public: Boolean(publicKeyPem),
|
|
@@ -7257,7 +7257,7 @@ class DefaultCertificateManager {
|
|
|
7257
7257
|
return csrPem;
|
|
7258
7258
|
}
|
|
7259
7259
|
catch (error) {
|
|
7260
|
-
logger.error("csr_generation_failed", {
|
|
7260
|
+
logger$1.error("csr_generation_failed", {
|
|
7261
7261
|
node_id: nodeId,
|
|
7262
7262
|
error: error instanceof Error ? error.message : String(error),
|
|
7263
7263
|
});
|
|
@@ -7341,7 +7341,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
7341
7341
|
return null;
|
|
7342
7342
|
}
|
|
7343
7343
|
if (!isNodeProcess()) {
|
|
7344
|
-
logger.debug("pem_file_unavailable_in_browser", {
|
|
7344
|
+
logger$1.debug("pem_file_unavailable_in_browser", {
|
|
7345
7345
|
env_var: fileVar,
|
|
7346
7346
|
});
|
|
7347
7347
|
return null;
|
|
@@ -7352,7 +7352,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
7352
7352
|
return normalizePemOrNull(content);
|
|
7353
7353
|
}
|
|
7354
7354
|
catch (error) {
|
|
7355
|
-
logger.warning("failed_to_read_certificate_file", {
|
|
7355
|
+
logger$1.warning("failed_to_read_certificate_file", {
|
|
7356
7356
|
file: filePath,
|
|
7357
7357
|
error: error instanceof Error ? error.message : String(error),
|
|
7358
7358
|
});
|
|
@@ -7383,7 +7383,7 @@ function providerHasCertificate(provider) {
|
|
|
7383
7383
|
return Boolean(provider.hasCertificate());
|
|
7384
7384
|
}
|
|
7385
7385
|
catch (error) {
|
|
7386
|
-
logger.debug("has_certificate_check_failed", {
|
|
7386
|
+
logger$1.debug("has_certificate_check_failed", {
|
|
7387
7387
|
error: error instanceof Error ? error.message : String(error),
|
|
7388
7388
|
});
|
|
7389
7389
|
}
|
|
@@ -7393,7 +7393,7 @@ function providerHasCertificate(provider) {
|
|
|
7393
7393
|
return Boolean(provider.nodeCertificatePem());
|
|
7394
7394
|
}
|
|
7395
7395
|
catch (error) {
|
|
7396
|
-
logger.debug("node_certificate_check_failed", {
|
|
7396
|
+
logger$1.debug("node_certificate_check_failed", {
|
|
7397
7397
|
error: error instanceof Error ? error.message : String(error),
|
|
7398
7398
|
});
|
|
7399
7399
|
}
|
|
@@ -7447,7 +7447,7 @@ function normalizeAuthConfig(candidate) {
|
|
|
7447
7447
|
}
|
|
7448
7448
|
const normalized = candidate;
|
|
7449
7449
|
if (!normalized.type || typeof normalized.type !== "string") {
|
|
7450
|
-
logger.warning("auth_strategy_missing_type", {
|
|
7450
|
+
logger$1.warning("auth_strategy_missing_type", {
|
|
7451
7451
|
provided_keys: Object.keys(candidate),
|
|
7452
7452
|
});
|
|
7453
7453
|
return null;
|
|
@@ -7465,7 +7465,7 @@ async function resolveTrustStorePemFromEnvironment() {
|
|
|
7465
7465
|
}
|
|
7466
7466
|
catch (error) {
|
|
7467
7467
|
const message = error instanceof Error ? error.message : String(error);
|
|
7468
|
-
logger.debug("trust_store_provider_resolution_failed", {
|
|
7468
|
+
logger$1.debug("trust_store_provider_resolution_failed", {
|
|
7469
7469
|
error: message,
|
|
7470
7470
|
});
|
|
7471
7471
|
return null;
|
|
@@ -7667,16 +7667,7 @@ function bytesToUtf8$1(data) {
|
|
|
7667
7667
|
|
|
7668
7668
|
const DEFAULT_REFRESH_INTERVAL_MS = 86400000; // 24 hours
|
|
7669
7669
|
const MIN_REFRESH_INTERVAL_MS = 60000; // 1 minute
|
|
7670
|
-
const
|
|
7671
|
-
debug: (...args) => {
|
|
7672
|
-
if (!isProductionEnvironment()) {
|
|
7673
|
-
console.debug("[trust-bundle]", ...args);
|
|
7674
|
-
}
|
|
7675
|
-
},
|
|
7676
|
-
warn: (...args) => {
|
|
7677
|
-
console.warn("[trust-bundle]", ...args);
|
|
7678
|
-
},
|
|
7679
|
-
};
|
|
7670
|
+
const logger = runtime.getLogger("naylence.fame.security.cert.trust_store.http_bundle_provider");
|
|
7680
7671
|
function isTruthyFlag(value) {
|
|
7681
7672
|
if (typeof value === "boolean") {
|
|
7682
7673
|
return value;
|
|
@@ -7729,7 +7720,7 @@ class HttpBundleProvider {
|
|
|
7729
7720
|
if (!(this.allowInsecureHttp && devMode && isLoopbackHost)) {
|
|
7730
7721
|
throw new Error("Trust bundle URL must use HTTPS (set allowInsecureHttp or FAME_TRUST_BUNDLE_ALLOW_HTTP for dev-only http)");
|
|
7731
7722
|
}
|
|
7732
|
-
|
|
7723
|
+
logger.warning("allowing_insecure_trust_bundle_url", {
|
|
7733
7724
|
url: parsed.toString(),
|
|
7734
7725
|
devMode,
|
|
7735
7726
|
isLoopbackHost,
|
|
@@ -7761,7 +7752,9 @@ class HttpBundleProvider {
|
|
|
7761
7752
|
if (stale || !this.anchors) {
|
|
7762
7753
|
this.inflight = this.fetchLatest()
|
|
7763
7754
|
.catch((error) => {
|
|
7764
|
-
|
|
7755
|
+
logger.warning("trust_bundle_refresh_failed", {
|
|
7756
|
+
error: error instanceof Error ? error.message : String(error),
|
|
7757
|
+
});
|
|
7765
7758
|
if (this.anchors) {
|
|
7766
7759
|
return this.anchors;
|
|
7767
7760
|
}
|
|
@@ -7801,14 +7794,16 @@ class HttpBundleProvider {
|
|
|
7801
7794
|
const cached = await loadCache(this.cacheKey);
|
|
7802
7795
|
if (cached) {
|
|
7803
7796
|
this.applyCachedEntry(cached);
|
|
7804
|
-
|
|
7797
|
+
logger.debug("loaded_trust_bundle_from_cache", {
|
|
7805
7798
|
url: this.url.href,
|
|
7806
7799
|
anchorCount: cached.anchors.length,
|
|
7807
7800
|
});
|
|
7808
7801
|
}
|
|
7809
7802
|
}
|
|
7810
7803
|
catch (error) {
|
|
7811
|
-
|
|
7804
|
+
logger.warning("failed_to_load_cached_trust_bundle", {
|
|
7805
|
+
error: error instanceof Error ? error.message : String(error),
|
|
7806
|
+
});
|
|
7812
7807
|
}
|
|
7813
7808
|
this.initialized = true;
|
|
7814
7809
|
}
|
|
@@ -7894,7 +7889,9 @@ class HttpBundleProvider {
|
|
|
7894
7889
|
callback();
|
|
7895
7890
|
}
|
|
7896
7891
|
catch (error) {
|
|
7897
|
-
|
|
7892
|
+
logger.warning("trust_bundle_listener_failed", {
|
|
7893
|
+
error: error instanceof Error ? error.message : String(error),
|
|
7894
|
+
});
|
|
7898
7895
|
}
|
|
7899
7896
|
}
|
|
7900
7897
|
}
|
|
@@ -8141,7 +8138,9 @@ async function openIndexedDbStore() {
|
|
|
8141
8138
|
});
|
|
8142
8139
|
};
|
|
8143
8140
|
request.onerror = () => {
|
|
8144
|
-
|
|
8141
|
+
logger.warning("indexeddb_unavailable_for_trust_bundle_caching", {
|
|
8142
|
+
error: request.error ? String(request.error) : "unknown",
|
|
8143
|
+
});
|
|
8145
8144
|
resolve(null);
|
|
8146
8145
|
};
|
|
8147
8146
|
});
|