@naylence/advanced-security 0.3.7-test.120 → 0.3.7-test.122
- package/dist/browser/index.cjs +325 -326
- package/dist/browser/index.mjs +325 -326
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/cjs/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/cjs/version.js +2 -2
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js +16 -16
- package/dist/esm/naylence/fame/security/cert/trust-store/http-bundle-provider.js.map +1 -1
- package/dist/esm/version.js +2 -2
- package/dist/node/index.cjs +325 -326
- package/dist/node/index.mjs +325 -326
- package/dist/node/node.cjs +326 -327
- package/dist/node/node.mjs +326 -327
- package/dist/types/naylence/fame/security/cert/trust-store/http-bundle-provider.d.ts.map +1 -1
- package/dist/types/version.d.ts +1 -1
- package/package.json +8 -8
package/dist/node/node.mjs
CHANGED
|
@@ -18,14 +18,14 @@ import { SignJWT, importPKCS8, compactVerify, importJWK, importSPKI } from 'jose
|
|
|
18
18
|
import { sha256 as sha256$1 } from '@noble/hashes/sha256.js';
|
|
19
19
|
|
|
20
20
|
// This file is auto-generated during build - do not edit manually
|
|
21
|
-
// Generated from package.json version: 0.3.7-test.
|
|
21
|
+
// Generated from package.json version: 0.3.7-test.122
|
|
22
22
|
/**
|
|
23
23
|
* The package version, injected at build time.
|
|
24
24
|
* @internal
|
|
25
25
|
*/
|
|
26
|
-
const VERSION = '0.3.7-test.
|
|
26
|
+
const VERSION = '0.3.7-test.122';
|
|
27
27
|
|
|
28
|
-
const logger$
|
|
28
|
+
const logger$h = getLogger("naylence.fame.security.cert.util");
|
|
29
29
|
const CACHE_LIMIT = 512;
|
|
30
30
|
const OID_ED25519 = "1.3.101.112";
|
|
31
31
|
const textEncoder = new TextEncoder();
|
|
@@ -39,7 +39,7 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
39
39
|
const trustStorePem = normalizeTrustStoreOption(options.trustStorePem ?? null);
|
|
40
40
|
const returnCertificate = options.returnCertificate ?? false;
|
|
41
41
|
const { parsed, chainBytes } = parseCertificateChain(x5c);
|
|
42
|
-
logger$
|
|
42
|
+
logger$h.debug("public_key_from_x5c_called", {
|
|
43
43
|
call_id: callId,
|
|
44
44
|
x5c_count: parsed.length,
|
|
45
45
|
enforce_name_constraints: enforceNameConstraints,
|
|
@@ -51,13 +51,13 @@ function publicKeyFromX5c(x5c, options = {}) {
|
|
|
51
51
|
cacheKey = buildCacheKey(chainBytes, trustStorePem, enforceNameConstraints);
|
|
52
52
|
const cached = getCachedPublicKey(cacheKey);
|
|
53
53
|
if (cached) {
|
|
54
|
-
logger$
|
|
54
|
+
logger$h.debug("certificate_cache_hit", {
|
|
55
55
|
call_id: callId,
|
|
56
56
|
cache_key: cacheKey,
|
|
57
57
|
});
|
|
58
58
|
return cached;
|
|
59
59
|
}
|
|
60
|
-
logger$
|
|
60
|
+
logger$h.debug("certificate_cache_miss", {
|
|
61
61
|
call_id: callId,
|
|
62
62
|
cache_key: cacheKey,
|
|
63
63
|
});
|
|
@@ -228,13 +228,13 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
228
228
|
if (trustedCerts.length === 0) {
|
|
229
229
|
throw new Error("No valid certificates found in trust store");
|
|
230
230
|
}
|
|
231
|
-
logger$
|
|
231
|
+
logger$h.debug("trust_anchor_validation_start", {
|
|
232
232
|
chain_length: chain.length,
|
|
233
233
|
trust_store_cert_count: trustedCerts.length,
|
|
234
234
|
});
|
|
235
235
|
const chainInfo = chain.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
236
236
|
const trustedInfo = trustedCerts.map((cert, index) => `[${index}] ${cert.subjectName} (Serial: ${cert.serialNumber})`);
|
|
237
|
-
logger$
|
|
237
|
+
logger$h.debug("certificate_chain_validation", {
|
|
238
238
|
chain_certificates: chainInfo,
|
|
239
239
|
trust_store_certificates: trustedInfo,
|
|
240
240
|
});
|
|
@@ -244,7 +244,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
244
244
|
const match = trustedCerts.find((trusted) => trusted.serialNumber === cert.serialNumber &&
|
|
245
245
|
namesEqual(trusted.certificate.tbsCertificate.subject, cert.certificate.tbsCertificate.subject));
|
|
246
246
|
if (match) {
|
|
247
|
-
logger$
|
|
247
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
248
248
|
matching_serial: match.serialNumber,
|
|
249
249
|
validation_strategy: `direct_trust_cert_${i}`,
|
|
250
250
|
});
|
|
@@ -257,7 +257,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
257
257
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, leaf.certificate.tbsCertificate.issuer) &&
|
|
258
258
|
trusted.serialNumber !== leaf.serialNumber) {
|
|
259
259
|
verifyCertificateSignature(leaf.certificate, trusted.certificate);
|
|
260
|
-
logger$
|
|
260
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
261
261
|
matching_serial: trusted.serialNumber,
|
|
262
262
|
validation_strategy: "leaf_issuer_trust",
|
|
263
263
|
});
|
|
@@ -271,7 +271,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
271
271
|
if (namesEqual(trusted.certificate.tbsCertificate.subject, intermediate.certificate.tbsCertificate.issuer) &&
|
|
272
272
|
trusted.serialNumber !== intermediate.serialNumber) {
|
|
273
273
|
verifyCertificateSignature(intermediate.certificate, trusted.certificate);
|
|
274
|
-
logger$
|
|
274
|
+
logger$h.debug("certificate_chain_trust_validation_passed", {
|
|
275
275
|
matching_serial: trusted.serialNumber,
|
|
276
276
|
validation_strategy: `intermediate_issuer_trust_cert_${index}`,
|
|
277
277
|
});
|
|
@@ -279,7 +279,7 @@ function validateTrustAnchor(chain, trustStorePem) {
|
|
|
279
279
|
}
|
|
280
280
|
}
|
|
281
281
|
}
|
|
282
|
-
logger$
|
|
282
|
+
logger$h.warning("certificate_chain_trust_validation_failed", {
|
|
283
283
|
leaf_subject: leaf.subjectName,
|
|
284
284
|
leaf_issuer: leaf.issuerName,
|
|
285
285
|
leaf_serial: leaf.serialNumber,
|
|
@@ -301,7 +301,7 @@ function parseTrustStore(trustStorePem) {
|
|
|
301
301
|
}
|
|
302
302
|
catch (error) {
|
|
303
303
|
const reason = error instanceof Error ? error.message : String(error);
|
|
304
|
-
logger$
|
|
304
|
+
logger$h.debug("trust_store_certificate_parse_failed", { reason });
|
|
305
305
|
}
|
|
306
306
|
}
|
|
307
307
|
return parsed;
|
|
@@ -321,12 +321,12 @@ function validateChainContinuity(chain) {
|
|
|
321
321
|
if (chain.length <= 1) {
|
|
322
322
|
return;
|
|
323
323
|
}
|
|
324
|
-
logger$
|
|
324
|
+
logger$h.debug("validating_chain_continuity", { chain_length: chain.length });
|
|
325
325
|
for (let index = 0; index < chain.length - 1; index += 1) {
|
|
326
326
|
const cert = chain[index];
|
|
327
327
|
const issuer = chain[index + 1];
|
|
328
328
|
if (!namesEqual(cert.certificate.tbsCertificate.issuer, issuer.certificate.tbsCertificate.subject)) {
|
|
329
|
-
logger$
|
|
329
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
330
330
|
cert_index: index,
|
|
331
331
|
cert_subject: cert.subjectName,
|
|
332
332
|
cert_issuer: cert.issuerName,
|
|
@@ -337,7 +337,7 @@ function validateChainContinuity(chain) {
|
|
|
337
337
|
}
|
|
338
338
|
try {
|
|
339
339
|
verifyCertificateSignature(cert.certificate, issuer.certificate);
|
|
340
|
-
logger$
|
|
340
|
+
logger$h.debug("chain_continuity_verification_success", {
|
|
341
341
|
cert_index: index,
|
|
342
342
|
cert_serial: cert.serialNumber,
|
|
343
343
|
issuer_serial: issuer.serialNumber,
|
|
@@ -345,7 +345,7 @@ function validateChainContinuity(chain) {
|
|
|
345
345
|
}
|
|
346
346
|
catch (error) {
|
|
347
347
|
const reason = error instanceof Error ? error.message : String(error);
|
|
348
|
-
logger$
|
|
348
|
+
logger$h.warning("certificate_chain_continuity_failed", {
|
|
349
349
|
cert_index: index,
|
|
350
350
|
cert_subject: cert.subjectName,
|
|
351
351
|
issuer_subject: issuer.subjectName,
|
|
@@ -357,7 +357,7 @@ function validateChainContinuity(chain) {
|
|
|
357
357
|
throw new Error(`Certificate chain continuity broken: certificate at index ${index} was not signed by certificate at index ${index + 1}: ${reason}`);
|
|
358
358
|
}
|
|
359
359
|
}
|
|
360
|
-
logger$
|
|
360
|
+
logger$h.debug("chain_continuity_validation_passed", {
|
|
361
361
|
chain_length: chain.length,
|
|
362
362
|
});
|
|
363
363
|
}
|
|
@@ -491,7 +491,7 @@ function getCachedPublicKey(cacheKey) {
|
|
|
491
491
|
}
|
|
492
492
|
if (Date.now() > entry.expiresAt) {
|
|
493
493
|
trustCache.delete(cacheKey);
|
|
494
|
-
logger$
|
|
494
|
+
logger$h.debug("certificate_cache_expired", { cache_key: cacheKey });
|
|
495
495
|
return null;
|
|
496
496
|
}
|
|
497
497
|
return entry.value.slice();
|
|
@@ -503,13 +503,13 @@ function setCachedPublicKey(cacheKey, value, notAfter) {
|
|
|
503
503
|
break;
|
|
504
504
|
}
|
|
505
505
|
trustCache.delete(firstKey);
|
|
506
|
-
logger$
|
|
506
|
+
logger$h.debug("certificate_cache_evicted", { cache_key: firstKey });
|
|
507
507
|
}
|
|
508
508
|
trustCache.set(cacheKey, {
|
|
509
509
|
value: value.slice(),
|
|
510
510
|
expiresAt: notAfter.getTime(),
|
|
511
511
|
});
|
|
512
|
-
logger$
|
|
512
|
+
logger$h.debug("certificate_cache_stored", {
|
|
513
513
|
cache_key: cacheKey,
|
|
514
514
|
expires_at: notAfter.toISOString(),
|
|
515
515
|
cache_size: trustCache.size,
|
|
@@ -689,7 +689,7 @@ const NODE_ID_OID = "1.3.6.1.4.1.58530.4";
|
|
|
689
689
|
* Provides async HTTP client to request certificates from the CA signing service.
|
|
690
690
|
*/
|
|
691
691
|
// Simple logger for now - TODO: integrate with runtime logging
|
|
692
|
-
const logger$
|
|
692
|
+
const logger$g = {
|
|
693
693
|
debug: (_event, _meta) => {
|
|
694
694
|
// console.log(`[DEBUG] ${event}`, meta);
|
|
695
695
|
},
|
|
@@ -1138,7 +1138,7 @@ class CAServiceClient {
|
|
|
1138
1138
|
logicals: logicals || [],
|
|
1139
1139
|
};
|
|
1140
1140
|
const url = `${this.connectionGrant.url.replace(/\/$/, "")}/sign`;
|
|
1141
|
-
logger$
|
|
1141
|
+
logger$g.debug("requesting_certificate", {
|
|
1142
1142
|
requester_id: requesterId,
|
|
1143
1143
|
ca_service_url: url,
|
|
1144
1144
|
physical_path: physicalPath,
|
|
@@ -1167,13 +1167,13 @@ class CAServiceClient {
|
|
|
1167
1167
|
const result = await response.json();
|
|
1168
1168
|
const certificatePem = result.certificate_pem;
|
|
1169
1169
|
const certificateChainPem = result.certificate_chain_pem || certificatePem;
|
|
1170
|
-
logger$
|
|
1170
|
+
logger$g.debug("certificate_request_successful", {
|
|
1171
1171
|
requester_id: requesterId,
|
|
1172
1172
|
expires_at: result.expires_at,
|
|
1173
1173
|
});
|
|
1174
1174
|
// Extract and log certificate information with structured logging
|
|
1175
1175
|
const certInfo = extractCertificateInfo(certificatePem);
|
|
1176
|
-
logger$
|
|
1176
|
+
logger$g.debug("certificate_details", {
|
|
1177
1177
|
requester_id: requesterId,
|
|
1178
1178
|
certificate_type: "issued_certificate",
|
|
1179
1179
|
...certInfo,
|
|
@@ -1192,7 +1192,7 @@ class CAServiceClient {
|
|
|
1192
1192
|
// First cert in chain is usually the issued certificate
|
|
1193
1193
|
if (certPemBlock.trim() !== certificatePem.trim()) {
|
|
1194
1194
|
const chainCertInfo = extractCertificateInfo(certPemBlock);
|
|
1195
|
-
logger$
|
|
1195
|
+
logger$g.debug("certificate_chain_details", {
|
|
1196
1196
|
requester_id: requesterId,
|
|
1197
1197
|
certificate_type: "certificate_chain",
|
|
1198
1198
|
chain_index: i,
|
|
@@ -1203,7 +1203,7 @@ class CAServiceClient {
|
|
|
1203
1203
|
else {
|
|
1204
1204
|
// Subsequent certs are intermediate/root CAs
|
|
1205
1205
|
const caCertInfo = extractCertificateInfo(certPemBlock);
|
|
1206
|
-
logger$
|
|
1206
|
+
logger$g.debug("certificate_chain_details", {
|
|
1207
1207
|
requester_id: requesterId,
|
|
1208
1208
|
certificate_type: "ca_certificate",
|
|
1209
1209
|
chain_index: i,
|
|
@@ -1231,7 +1231,7 @@ class CAServiceClient {
|
|
|
1231
1231
|
// Body read failed entirely
|
|
1232
1232
|
errorDetail = `HTTP ${response.status}`;
|
|
1233
1233
|
}
|
|
1234
|
-
logger$
|
|
1234
|
+
logger$g.error("certificate_request_failed", {
|
|
1235
1235
|
requester_id: requesterId,
|
|
1236
1236
|
status_code: response.status,
|
|
1237
1237
|
error: errorDetail,
|
|
@@ -1248,13 +1248,13 @@ class CAServiceClient {
|
|
|
1248
1248
|
throw error;
|
|
1249
1249
|
}
|
|
1250
1250
|
if (error instanceof Error && error.name === "AbortError") {
|
|
1251
|
-
logger$
|
|
1251
|
+
logger$g.error("certificate_request_timeout", {
|
|
1252
1252
|
requester_id: requesterId,
|
|
1253
1253
|
timeout_seconds: this.timeoutSeconds,
|
|
1254
1254
|
});
|
|
1255
1255
|
throw new CertificateRequestError(`Certificate request timed out after ${this.timeoutSeconds} seconds`);
|
|
1256
1256
|
}
|
|
1257
|
-
logger$
|
|
1257
|
+
logger$g.error("certificate_request_network_error", {
|
|
1258
1258
|
requester_id: requesterId,
|
|
1259
1259
|
error: String(error),
|
|
1260
1260
|
});
|
|
@@ -1263,7 +1263,7 @@ class CAServiceClient {
|
|
|
1263
1263
|
}
|
|
1264
1264
|
}
|
|
1265
1265
|
|
|
1266
|
-
const logger$
|
|
1266
|
+
const logger$f = getLogger$1("naylence.fame.security.encryption.sealed.x25519_encryption_manager");
|
|
1267
1267
|
class X25519EncryptionManager {
|
|
1268
1268
|
constructor({ keyProvider, nodeLike = null, cryptoProvider = null, }) {
|
|
1269
1269
|
this.pendingEnvelopes = new Map();
|
|
@@ -1280,7 +1280,7 @@ class X25519EncryptionManager {
|
|
|
1280
1280
|
// KeyManagementHandler will queue the envelope and send KeyRequest.
|
|
1281
1281
|
// X25519 should NOT queue here to avoid dual queueing.
|
|
1282
1282
|
if (opts?.requestAddress) {
|
|
1283
|
-
logger$
|
|
1283
|
+
logger$f.debug("key_not_found_delegating_to_key_management", {
|
|
1284
1284
|
envelope_id: envelope.id,
|
|
1285
1285
|
request_address: String(opts.requestAddress),
|
|
1286
1286
|
});
|
|
@@ -1296,7 +1296,7 @@ class X25519EncryptionManager {
|
|
|
1296
1296
|
return await this.encryptWithKey(envelope, recipPub, recipKid);
|
|
1297
1297
|
}
|
|
1298
1298
|
catch (error) {
|
|
1299
|
-
logger$
|
|
1299
|
+
logger$f.error("x25519_encryption_failed", {
|
|
1300
1300
|
error: error instanceof Error ? error.message : String(error),
|
|
1301
1301
|
});
|
|
1302
1302
|
return EncryptionResult.skipped(envelope);
|
|
@@ -1334,20 +1334,20 @@ class X25519EncryptionManager {
|
|
|
1334
1334
|
return envelope;
|
|
1335
1335
|
}
|
|
1336
1336
|
catch (error) {
|
|
1337
|
-
logger$
|
|
1337
|
+
logger$f.error("x25519_decryption_failed", {
|
|
1338
1338
|
error: error instanceof Error ? error.message : String(error),
|
|
1339
1339
|
});
|
|
1340
1340
|
return envelope;
|
|
1341
1341
|
}
|
|
1342
1342
|
}
|
|
1343
1343
|
async notifyKeyAvailable(keyId) {
|
|
1344
|
-
logger$
|
|
1344
|
+
logger$f.debug("x25519_notify_key_available_called", {
|
|
1345
1345
|
key_id: keyId,
|
|
1346
1346
|
pending_keys: Array.from(this.pendingEnvelopes.keys()),
|
|
1347
1347
|
});
|
|
1348
1348
|
const queued = this.pendingEnvelopes.get(keyId);
|
|
1349
1349
|
if (!queued || queued.length === 0) {
|
|
1350
|
-
logger$
|
|
1350
|
+
logger$f.debug("no_queued_envelopes_for_key", {
|
|
1351
1351
|
key_id: keyId,
|
|
1352
1352
|
has_queue: this.pendingEnvelopes.has(keyId),
|
|
1353
1353
|
queue_length: queued?.length ?? 0,
|
|
@@ -1359,13 +1359,13 @@ class X25519EncryptionManager {
|
|
|
1359
1359
|
this.keyRequestsInProgress.delete(keyId);
|
|
1360
1360
|
const node = this.nodeLike;
|
|
1361
1361
|
if (!node) {
|
|
1362
|
-
logger$
|
|
1362
|
+
logger$f.debug("discarding_queued_envelopes_no_node", {
|
|
1363
1363
|
key_id: keyId,
|
|
1364
1364
|
count: queued.length,
|
|
1365
1365
|
});
|
|
1366
1366
|
return;
|
|
1367
1367
|
}
|
|
1368
|
-
logger$
|
|
1368
|
+
logger$f.debug("replaying_envelopes_for_key", {
|
|
1369
1369
|
key_id: keyId,
|
|
1370
1370
|
count: queued.length,
|
|
1371
1371
|
});
|
|
@@ -1374,7 +1374,7 @@ class X25519EncryptionManager {
|
|
|
1374
1374
|
await node.deliver(envelope);
|
|
1375
1375
|
}
|
|
1376
1376
|
catch (error) {
|
|
1377
|
-
logger$
|
|
1377
|
+
logger$f.error("failed_to_replay_envelope", {
|
|
1378
1378
|
key_id: keyId,
|
|
1379
1379
|
envelope_id: envelope.id,
|
|
1380
1380
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -1475,7 +1475,7 @@ class X25519EncryptionManager {
|
|
|
1475
1475
|
? this.extractPrivateKeyFromRecord(providerRecord)
|
|
1476
1476
|
: null;
|
|
1477
1477
|
if (providerRecordKey) {
|
|
1478
|
-
logger$
|
|
1478
|
+
logger$f.debug("using_provider_key_record_private_key", {
|
|
1479
1479
|
kid,
|
|
1480
1480
|
provider_key_id: providerKeyId,
|
|
1481
1481
|
mismatched_kid: kid && providerKeyId !== kid ? kid : null,
|
|
@@ -1485,7 +1485,7 @@ class X25519EncryptionManager {
|
|
|
1485
1485
|
}
|
|
1486
1486
|
if (!providerPem) {
|
|
1487
1487
|
if (kid && providerKeyId && providerKeyId !== kid) {
|
|
1488
|
-
logger$
|
|
1488
|
+
logger$f.debug("crypto_provider_key_id_mismatch_no_private_key", {
|
|
1489
1489
|
kid,
|
|
1490
1490
|
provider_key_id: providerKeyId,
|
|
1491
1491
|
});
|
|
@@ -1497,13 +1497,13 @@ class X25519EncryptionManager {
|
|
|
1497
1497
|
return null;
|
|
1498
1498
|
}
|
|
1499
1499
|
if (!kid || providerKeyId === kid) {
|
|
1500
|
-
logger$
|
|
1500
|
+
logger$f.debug("using_crypto_provider_private_key_fallback", {
|
|
1501
1501
|
kid: kid ?? null,
|
|
1502
1502
|
provider_key_id: providerKeyId,
|
|
1503
1503
|
});
|
|
1504
1504
|
}
|
|
1505
1505
|
else {
|
|
1506
|
-
logger$
|
|
1506
|
+
logger$f.warning("crypto_provider_key_id_mismatch_using_private_key", {
|
|
1507
1507
|
kid,
|
|
1508
1508
|
provider_key_id: providerKeyId,
|
|
1509
1509
|
key_record_present: Boolean(record),
|
|
@@ -1512,7 +1512,7 @@ class X25519EncryptionManager {
|
|
|
1512
1512
|
return fallbackKey;
|
|
1513
1513
|
}
|
|
1514
1514
|
async queueEnvelopeForKey(envelope, opts, recipientKeyId) {
|
|
1515
|
-
logger$
|
|
1515
|
+
logger$f.debug("queueing_envelope_for_sealed_encryption", {
|
|
1516
1516
|
envelope_id: envelope.id,
|
|
1517
1517
|
recipient_key_id: recipientKeyId,
|
|
1518
1518
|
request_address: opts?.requestAddress
|
|
@@ -1560,7 +1560,7 @@ class X25519EncryptionManager {
|
|
|
1560
1560
|
await node.deliver(keyRequestEnvelope, context);
|
|
1561
1561
|
}
|
|
1562
1562
|
catch (error) {
|
|
1563
|
-
logger$
|
|
1563
|
+
logger$f.error("failed_to_request_recipient_key", {
|
|
1564
1564
|
recipient_key_id: recipientKeyId,
|
|
1565
1565
|
error: error instanceof Error ? error.message : String(error),
|
|
1566
1566
|
});
|
|
@@ -1573,7 +1573,7 @@ class X25519EncryptionManager {
|
|
|
1573
1573
|
return this.extractPublicKeyFromRecord(record);
|
|
1574
1574
|
}
|
|
1575
1575
|
catch (error) {
|
|
1576
|
-
logger$
|
|
1576
|
+
logger$f.debug("recipient_key_lookup_failed", {
|
|
1577
1577
|
kid,
|
|
1578
1578
|
error: error instanceof Error ? error.message : String(error),
|
|
1579
1579
|
});
|
|
@@ -1588,7 +1588,7 @@ class X25519EncryptionManager {
|
|
|
1588
1588
|
return await this.keyProvider.getKey(kid);
|
|
1589
1589
|
}
|
|
1590
1590
|
catch (error) {
|
|
1591
|
-
logger$
|
|
1591
|
+
logger$f.debug("private_key_lookup_failed", {
|
|
1592
1592
|
kid,
|
|
1593
1593
|
error: error instanceof Error ? error.message : String(error),
|
|
1594
1594
|
});
|
|
@@ -1659,7 +1659,7 @@ class X25519EncryptionManager {
|
|
|
1659
1659
|
const base64 = base64Lines.join("");
|
|
1660
1660
|
const der = this.decodeBase64Flexible(base64);
|
|
1661
1661
|
if (!der) {
|
|
1662
|
-
logger$
|
|
1662
|
+
logger$f.debug("pem_decode_failed", {
|
|
1663
1663
|
key_type: keyType,
|
|
1664
1664
|
});
|
|
1665
1665
|
return null;
|
|
@@ -1892,7 +1892,7 @@ var index$1 = /*#__PURE__*/Object.freeze({
|
|
|
1892
1892
|
X25519EncryptionManagerFactory: X25519EncryptionManagerFactory
|
|
1893
1893
|
});
|
|
1894
1894
|
|
|
1895
|
-
const logger$
|
|
1895
|
+
const logger$e = getLogger$1("naylence.fame.security.encryption.channel.channel_encryption_manager");
|
|
1896
1896
|
const SUPPORTED_CHANNEL_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
1897
1897
|
const CHANNEL_ENCRYPTION_ALGORITHM = "chacha20-poly1305-channel";
|
|
1898
1898
|
const HANDSHAKE_ALGORITHM = "CHACHA20P1305";
|
|
@@ -2043,13 +2043,13 @@ class ChannelEncryptionManager {
|
|
|
2043
2043
|
const destination = opts?.destination ?? envelope.to ?? null;
|
|
2044
2044
|
const destinationStr = toDestinationString(destination);
|
|
2045
2045
|
if (!destinationStr) {
|
|
2046
|
-
logger$
|
|
2046
|
+
logger$e.warning("no_destination_for_channel_encryption", {
|
|
2047
2047
|
envelope_id: envelope.id,
|
|
2048
2048
|
});
|
|
2049
2049
|
return EncryptionResult.skipped(envelope);
|
|
2050
2050
|
}
|
|
2051
2051
|
if (!this.secureChannelManager) {
|
|
2052
|
-
logger$
|
|
2052
|
+
logger$e.warning("no_secure_channel_manager_available", {
|
|
2053
2053
|
envelope_id: envelope.id,
|
|
2054
2054
|
});
|
|
2055
2055
|
return EncryptionResult.skipped(envelope);
|
|
@@ -2060,7 +2060,7 @@ class ChannelEncryptionManager {
|
|
|
2060
2060
|
return this.encryptWithChannel(envelope, existingChannelId);
|
|
2061
2061
|
}
|
|
2062
2062
|
catch (error) {
|
|
2063
|
-
logger$
|
|
2063
|
+
logger$e.error("channel_encryption_failed", {
|
|
2064
2064
|
error: error instanceof Error ? error.message : String(error),
|
|
2065
2065
|
channel_id: existingChannelId,
|
|
2066
2066
|
});
|
|
@@ -2088,35 +2088,35 @@ class ChannelEncryptionManager {
|
|
|
2088
2088
|
}
|
|
2089
2089
|
const channelId = encHeader.kid;
|
|
2090
2090
|
if (!channelId) {
|
|
2091
|
-
logger$
|
|
2091
|
+
logger$e.error("missing_channel_id_in_encryption_header", {
|
|
2092
2092
|
envelope_id: envelope.id,
|
|
2093
2093
|
});
|
|
2094
2094
|
return envelope;
|
|
2095
2095
|
}
|
|
2096
2096
|
const nonce = this.decodeNonceValue(encHeader.val ?? "");
|
|
2097
2097
|
if (!nonce) {
|
|
2098
|
-
logger$
|
|
2098
|
+
logger$e.error("invalid_nonce_in_encryption_header", {
|
|
2099
2099
|
envelope_id: envelope.id,
|
|
2100
2100
|
value_present: Boolean(encHeader.val),
|
|
2101
2101
|
});
|
|
2102
2102
|
return envelope;
|
|
2103
2103
|
}
|
|
2104
2104
|
if (!this.secureChannelManager) {
|
|
2105
|
-
logger$
|
|
2105
|
+
logger$e.warning("no_secure_channel_manager_for_decryption", {
|
|
2106
2106
|
envelope_id: envelope.id,
|
|
2107
2107
|
});
|
|
2108
2108
|
return envelope;
|
|
2109
2109
|
}
|
|
2110
2110
|
const channelState = this.getChannelState(channelId);
|
|
2111
2111
|
if (!channelState) {
|
|
2112
|
-
logger$
|
|
2112
|
+
logger$e.error("channel_not_available_for_decryption", {
|
|
2113
2113
|
channel_id: channelId,
|
|
2114
2114
|
});
|
|
2115
2115
|
return envelope;
|
|
2116
2116
|
}
|
|
2117
2117
|
const ciphertext = this.extractCiphertext(frame.payload);
|
|
2118
2118
|
if (!ciphertext) {
|
|
2119
|
-
logger$
|
|
2119
|
+
logger$e.error("invalid_ciphertext_payload", { envelope_id: envelope.id });
|
|
2120
2120
|
return envelope;
|
|
2121
2121
|
}
|
|
2122
2122
|
try {
|
|
@@ -2141,7 +2141,7 @@ class ChannelEncryptionManager {
|
|
|
2141
2141
|
return envelope;
|
|
2142
2142
|
}
|
|
2143
2143
|
catch (error) {
|
|
2144
|
-
logger$
|
|
2144
|
+
logger$e.error("channel_decryption_failed", {
|
|
2145
2145
|
channel_id: channelId,
|
|
2146
2146
|
error: error instanceof Error ? error.message : String(error),
|
|
2147
2147
|
});
|
|
@@ -2149,24 +2149,24 @@ class ChannelEncryptionManager {
|
|
|
2149
2149
|
}
|
|
2150
2150
|
}
|
|
2151
2151
|
async notifyChannelEstablished(channelId) {
|
|
2152
|
-
logger$
|
|
2152
|
+
logger$e.debug("channel_encryption_manager_notified", {
|
|
2153
2153
|
channel_id: channelId,
|
|
2154
2154
|
manager_type: "channel",
|
|
2155
2155
|
});
|
|
2156
2156
|
if (!channelId.startsWith("auto-")) {
|
|
2157
|
-
logger$
|
|
2157
|
+
logger$e.warning("unexpected_channel_id_format", { channel_id: channelId });
|
|
2158
2158
|
return;
|
|
2159
2159
|
}
|
|
2160
2160
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2161
2161
|
if (!destinationStr) {
|
|
2162
|
-
logger$
|
|
2162
|
+
logger$e.warning("cannot_parse_destination_from_channel_id", {
|
|
2163
2163
|
channel_id: channelId,
|
|
2164
2164
|
});
|
|
2165
2165
|
return;
|
|
2166
2166
|
}
|
|
2167
2167
|
this.handshakeInProgress.delete(destinationStr);
|
|
2168
2168
|
if (!this.pendingEnvelopes.has(destinationStr)) {
|
|
2169
|
-
logger$
|
|
2169
|
+
logger$e.debug("no_pending_queue_for_destination", {
|
|
2170
2170
|
destination: destinationStr,
|
|
2171
2171
|
});
|
|
2172
2172
|
return;
|
|
@@ -2174,7 +2174,7 @@ class ChannelEncryptionManager {
|
|
|
2174
2174
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2175
2175
|
this.pendingEnvelopes.delete(destinationStr);
|
|
2176
2176
|
if (!this.secureChannelManager) {
|
|
2177
|
-
logger$
|
|
2177
|
+
logger$e.error("no_secure_channel_manager_for_queue_drain", {
|
|
2178
2178
|
channel_id: channelId,
|
|
2179
2179
|
});
|
|
2180
2180
|
return;
|
|
@@ -2183,7 +2183,7 @@ class ChannelEncryptionManager {
|
|
|
2183
2183
|
try {
|
|
2184
2184
|
const result = this.encryptWithChannel(envelope, channelId);
|
|
2185
2185
|
if (!result.envelope) {
|
|
2186
|
-
logger$
|
|
2186
|
+
logger$e.warning("failed_to_encrypt_queued_envelope", {
|
|
2187
2187
|
envelope_id: envelope.id,
|
|
2188
2188
|
channel_id: channelId,
|
|
2189
2189
|
});
|
|
@@ -2193,7 +2193,7 @@ class ChannelEncryptionManager {
|
|
|
2193
2193
|
this.runAsyncTask(() => this.deliverEnvelope(encryptedEnvelope), `deliver-queued-${envelope.id}`);
|
|
2194
2194
|
}
|
|
2195
2195
|
catch (error) {
|
|
2196
|
-
logger$
|
|
2196
|
+
logger$e.error("failed_to_encrypt_queued_envelope", {
|
|
2197
2197
|
envelope_id: envelope.id,
|
|
2198
2198
|
error: error instanceof Error ? error.message : String(error),
|
|
2199
2199
|
});
|
|
@@ -2201,19 +2201,19 @@ class ChannelEncryptionManager {
|
|
|
2201
2201
|
}
|
|
2202
2202
|
}
|
|
2203
2203
|
async notifyChannelFailed(channelId, reason = "handshake_failed") {
|
|
2204
|
-
logger$
|
|
2204
|
+
logger$e.debug("channel_encryption_manager_notified_failure", {
|
|
2205
2205
|
channel_id: channelId,
|
|
2206
2206
|
reason,
|
|
2207
2207
|
});
|
|
2208
2208
|
if (!channelId.startsWith("auto-")) {
|
|
2209
|
-
logger$
|
|
2209
|
+
logger$e.warning("unexpected_channel_id_format_on_failure", {
|
|
2210
2210
|
channel_id: channelId,
|
|
2211
2211
|
});
|
|
2212
2212
|
return;
|
|
2213
2213
|
}
|
|
2214
2214
|
const destinationStr = this.extractDestinationFromChannelId(channelId);
|
|
2215
2215
|
if (!destinationStr) {
|
|
2216
|
-
logger$
|
|
2216
|
+
logger$e.warning("cannot_parse_destination_from_channel_id_on_failure", {
|
|
2217
2217
|
channel_id: channelId,
|
|
2218
2218
|
});
|
|
2219
2219
|
return;
|
|
@@ -2223,14 +2223,14 @@ class ChannelEncryptionManager {
|
|
|
2223
2223
|
const cachedChannelId = this.addrChannelMap.get(destinationStr);
|
|
2224
2224
|
if (cachedChannelId === channelId) {
|
|
2225
2225
|
this.addrChannelMap.delete(destinationStr);
|
|
2226
|
-
logger$
|
|
2226
|
+
logger$e.debug("cleared_channel_cache_for_failed_channel", {
|
|
2227
2227
|
destination: destinationStr,
|
|
2228
2228
|
channel_id: channelId,
|
|
2229
2229
|
});
|
|
2230
2230
|
}
|
|
2231
2231
|
const queuedEnvelopes = this.pendingEnvelopes.get(destinationStr);
|
|
2232
2232
|
if (!queuedEnvelopes || queuedEnvelopes.length === 0) {
|
|
2233
|
-
logger$
|
|
2233
|
+
logger$e.debug("no_pending_queue_for_failed_destination", {
|
|
2234
2234
|
destination: destinationStr,
|
|
2235
2235
|
});
|
|
2236
2236
|
return;
|
|
@@ -2249,7 +2249,7 @@ class ChannelEncryptionManager {
|
|
|
2249
2249
|
const cached = this.addrChannelMap.get(destination);
|
|
2250
2250
|
if (cached) {
|
|
2251
2251
|
this.addrChannelMap.delete(destination);
|
|
2252
|
-
logger$
|
|
2252
|
+
logger$e.debug("cleared_channel_cache_for_destination", {
|
|
2253
2253
|
destination,
|
|
2254
2254
|
cached_channel_id: cached,
|
|
2255
2255
|
});
|
|
@@ -2267,14 +2267,14 @@ class ChannelEncryptionManager {
|
|
|
2267
2267
|
}
|
|
2268
2268
|
const cached = this.addrChannelMap.get(destination);
|
|
2269
2269
|
if (cached && this.getChannelState(cached)) {
|
|
2270
|
-
logger$
|
|
2270
|
+
logger$e.debug("using_cached_channel", { destination, channel_id: cached });
|
|
2271
2271
|
return cached;
|
|
2272
2272
|
}
|
|
2273
2273
|
const channels = this.secureChannelManager.channels;
|
|
2274
2274
|
for (const channelId of Object.keys(channels)) {
|
|
2275
2275
|
if (channelId.startsWith(`auto-${destination}-`)) {
|
|
2276
2276
|
this.addrChannelMap.set(destination, channelId);
|
|
2277
|
-
logger$
|
|
2277
|
+
logger$e.debug("using_existing_channel", {
|
|
2278
2278
|
destination,
|
|
2279
2279
|
channel_id: channelId,
|
|
2280
2280
|
});
|
|
@@ -2287,12 +2287,12 @@ class ChannelEncryptionManager {
|
|
|
2287
2287
|
const queue = this.pendingEnvelopes.get(destinationStr) ?? [];
|
|
2288
2288
|
queue.push(envelope);
|
|
2289
2289
|
this.pendingEnvelopes.set(destinationStr, queue);
|
|
2290
|
-
logger$
|
|
2290
|
+
logger$e.debug("queued_envelope_for_channel_handshake", {
|
|
2291
2291
|
envelope_id: envelope.id,
|
|
2292
2292
|
destination: destinationStr,
|
|
2293
2293
|
});
|
|
2294
2294
|
if (this.handshakeInProgress.has(destinationStr)) {
|
|
2295
|
-
logger$
|
|
2295
|
+
logger$e.debug("handshake_already_in_progress", {
|
|
2296
2296
|
destination: destinationStr,
|
|
2297
2297
|
});
|
|
2298
2298
|
return;
|
|
@@ -2311,7 +2311,7 @@ class ChannelEncryptionManager {
|
|
|
2311
2311
|
async initiateChannelHandshakeAsync(destination, destinationStr, opts) {
|
|
2312
2312
|
void opts;
|
|
2313
2313
|
if (!this.secureChannelManager) {
|
|
2314
|
-
logger$
|
|
2314
|
+
logger$e.error("no_secure_channel_manager_for_async_handshake_initiation");
|
|
2315
2315
|
return;
|
|
2316
2316
|
}
|
|
2317
2317
|
const channelId = this.generateChannelId(destinationStr);
|
|
@@ -2319,19 +2319,19 @@ class ChannelEncryptionManager {
|
|
|
2319
2319
|
const openFrame = this.secureChannelManager.generateOpenFrame(channelId, HANDSHAKE_ALGORITHM);
|
|
2320
2320
|
const success = await this.sendSecureOpenFrameAsync(openFrame, destination);
|
|
2321
2321
|
if (success) {
|
|
2322
|
-
logger$
|
|
2322
|
+
logger$e.debug("sent_secure_open_frame_async", {
|
|
2323
2323
|
channel_id: channelId,
|
|
2324
2324
|
destination: destinationStr,
|
|
2325
2325
|
});
|
|
2326
2326
|
}
|
|
2327
2327
|
else {
|
|
2328
|
-
logger$
|
|
2328
|
+
logger$e.warning("failed_to_send_secure_open_frame_async", {
|
|
2329
2329
|
channel_id: channelId,
|
|
2330
2330
|
});
|
|
2331
2331
|
}
|
|
2332
2332
|
}
|
|
2333
2333
|
catch (error) {
|
|
2334
|
-
logger$
|
|
2334
|
+
logger$e.error("async_channel_handshake_initiation_failed", {
|
|
2335
2335
|
destination: destinationStr,
|
|
2336
2336
|
error: error instanceof Error ? error.message : String(error),
|
|
2337
2337
|
});
|
|
@@ -2340,22 +2340,22 @@ class ChannelEncryptionManager {
|
|
|
2340
2340
|
async sendSecureOpenFrameAsync(openFrame, destination) {
|
|
2341
2341
|
const node = this.nodeLike;
|
|
2342
2342
|
if (!node) {
|
|
2343
|
-
logger$
|
|
2343
|
+
logger$e.error("no_node_available_for_sending_secure_open_async");
|
|
2344
2344
|
return false;
|
|
2345
2345
|
}
|
|
2346
2346
|
const envelopeFactory = node.envelopeFactory;
|
|
2347
2347
|
if (!envelopeFactory) {
|
|
2348
|
-
logger$
|
|
2348
|
+
logger$e.error("no_envelope_factory_available_for_secure_open_async");
|
|
2349
2349
|
return false;
|
|
2350
2350
|
}
|
|
2351
2351
|
const replyTo = this.buildSystemReplyTo();
|
|
2352
2352
|
if (!replyTo) {
|
|
2353
|
-
logger$
|
|
2353
|
+
logger$e.error("no_physical_path_available_for_reply_to_async");
|
|
2354
2354
|
return false;
|
|
2355
2355
|
}
|
|
2356
2356
|
const toAddress = toFameAddress(destination);
|
|
2357
2357
|
if (!toAddress) {
|
|
2358
|
-
logger$
|
|
2358
|
+
logger$e.error("invalid_destination_for_secure_open", {
|
|
2359
2359
|
destination: String(destination),
|
|
2360
2360
|
});
|
|
2361
2361
|
return false;
|
|
@@ -2367,7 +2367,7 @@ class ChannelEncryptionManager {
|
|
|
2367
2367
|
corrId: generateId(),
|
|
2368
2368
|
});
|
|
2369
2369
|
await this.deliverEnvelope(envelope);
|
|
2370
|
-
logger$
|
|
2370
|
+
logger$e.debug("delivered_secure_open_frame_async", {
|
|
2371
2371
|
channel_id: openFrame.cid,
|
|
2372
2372
|
});
|
|
2373
2373
|
return true;
|
|
@@ -2375,7 +2375,7 @@ class ChannelEncryptionManager {
|
|
|
2375
2375
|
async deliverEnvelope(envelope) {
|
|
2376
2376
|
const node = this.nodeLike;
|
|
2377
2377
|
if (!node) {
|
|
2378
|
-
logger$
|
|
2378
|
+
logger$e.error("no_node_available_for_delivery", {
|
|
2379
2379
|
envelope_id: envelope.id,
|
|
2380
2380
|
});
|
|
2381
2381
|
return;
|
|
@@ -2385,19 +2385,19 @@ class ChannelEncryptionManager {
|
|
|
2385
2385
|
}
|
|
2386
2386
|
encryptWithChannel(envelope, channelId) {
|
|
2387
2387
|
if (!this.secureChannelManager) {
|
|
2388
|
-
logger$
|
|
2388
|
+
logger$e.error("no_secure_channel_manager_for_encryption");
|
|
2389
2389
|
return EncryptionResult.skipped(envelope);
|
|
2390
2390
|
}
|
|
2391
2391
|
const frame = envelope.frame;
|
|
2392
2392
|
if (!this.isDataFrame(frame)) {
|
|
2393
|
-
logger$
|
|
2393
|
+
logger$e.error("attempted_to_encrypt_non_dataframe", {
|
|
2394
2394
|
frame_type: frame.type ?? typeof frame,
|
|
2395
2395
|
});
|
|
2396
2396
|
return EncryptionResult.skipped(envelope);
|
|
2397
2397
|
}
|
|
2398
2398
|
const channelState = this.getChannelState(channelId);
|
|
2399
2399
|
if (!channelState) {
|
|
2400
|
-
logger$
|
|
2400
|
+
logger$e.error("channel_not_in_channels", { channel_id: channelId });
|
|
2401
2401
|
return EncryptionResult.skipped(envelope);
|
|
2402
2402
|
}
|
|
2403
2403
|
const payloadBytes = this.serializePayload(frame.payload);
|
|
@@ -2456,7 +2456,7 @@ class ChannelEncryptionManager {
|
|
|
2456
2456
|
return decodeBase64$1(payload);
|
|
2457
2457
|
}
|
|
2458
2458
|
catch (error) {
|
|
2459
|
-
logger$
|
|
2459
|
+
logger$e.error("failed_to_decode_base64_ciphertext", {
|
|
2460
2460
|
error: error instanceof Error ? error.message : String(error),
|
|
2461
2461
|
});
|
|
2462
2462
|
return null;
|
|
@@ -2486,7 +2486,7 @@ class ChannelEncryptionManager {
|
|
|
2486
2486
|
return parts.slice(1, -1).join("-");
|
|
2487
2487
|
}
|
|
2488
2488
|
async handleFailedEnvelope(envelope, destinationStr, channelId, reason) {
|
|
2489
|
-
logger$
|
|
2489
|
+
logger$e.warning("envelope_failed_due_to_channel_handshake_failure", {
|
|
2490
2490
|
envelope_id: envelope.id,
|
|
2491
2491
|
destination: destinationStr,
|
|
2492
2492
|
channel_id: channelId,
|
|
@@ -2494,14 +2494,14 @@ class ChannelEncryptionManager {
|
|
|
2494
2494
|
});
|
|
2495
2495
|
const frame = envelope.frame;
|
|
2496
2496
|
if (!this.isDataFrame(frame)) {
|
|
2497
|
-
logger$
|
|
2497
|
+
logger$e.debug("skipping_nack_for_non_dataframe", {
|
|
2498
2498
|
envelope_id: envelope.id,
|
|
2499
2499
|
frame_type: frame.type ?? typeof frame,
|
|
2500
2500
|
});
|
|
2501
2501
|
return;
|
|
2502
2502
|
}
|
|
2503
2503
|
if (!envelope.replyTo) {
|
|
2504
|
-
logger$
|
|
2504
|
+
logger$e.debug("skipping_nack_no_reply_to", { envelope_id: envelope.id });
|
|
2505
2505
|
return;
|
|
2506
2506
|
}
|
|
2507
2507
|
await this.sendDeliveryNack(envelope, `channel_handshake_failed: ${reason}`);
|
|
@@ -2509,17 +2509,17 @@ class ChannelEncryptionManager {
|
|
|
2509
2509
|
async sendDeliveryNack(envelope, failureReason) {
|
|
2510
2510
|
const node = this.nodeLike;
|
|
2511
2511
|
if (!node) {
|
|
2512
|
-
logger$
|
|
2512
|
+
logger$e.error("no_node_available_for_sending_delivery_nack");
|
|
2513
2513
|
return;
|
|
2514
2514
|
}
|
|
2515
2515
|
const envelopeFactory = node.envelopeFactory;
|
|
2516
2516
|
if (!envelopeFactory) {
|
|
2517
|
-
logger$
|
|
2517
|
+
logger$e.error("no_envelope_factory_available_for_delivery_nack");
|
|
2518
2518
|
return;
|
|
2519
2519
|
}
|
|
2520
2520
|
const replyTo = toFameAddress(envelope.replyTo ?? null);
|
|
2521
2521
|
if (!replyTo) {
|
|
2522
|
-
logger$
|
|
2522
|
+
logger$e.error("invalid_reply_to_for_delivery_nack", {
|
|
2523
2523
|
reply_to: envelope.replyTo,
|
|
2524
2524
|
});
|
|
2525
2525
|
return;
|
|
@@ -2536,7 +2536,7 @@ class ChannelEncryptionManager {
|
|
|
2536
2536
|
corrId: envelope.corrId ?? generateId(),
|
|
2537
2537
|
});
|
|
2538
2538
|
await this.deliverEnvelope(nackEnvelope);
|
|
2539
|
-
logger$
|
|
2539
|
+
logger$e.debug("delivered_delivery_nack", {
|
|
2540
2540
|
original_envelope_id: envelope.id,
|
|
2541
2541
|
nack_envelope_id: nackEnvelope.id,
|
|
2542
2542
|
});
|
|
@@ -2574,7 +2574,7 @@ class ChannelEncryptionManager {
|
|
|
2574
2574
|
await task();
|
|
2575
2575
|
}
|
|
2576
2576
|
catch (error) {
|
|
2577
|
-
logger$
|
|
2577
|
+
logger$e.error("async_task_failed", {
|
|
2578
2578
|
task_name: name,
|
|
2579
2579
|
error: error instanceof Error ? error.message : String(error),
|
|
2580
2580
|
});
|
|
@@ -2628,7 +2628,7 @@ class ChannelEncryptionManager {
|
|
|
2628
2628
|
}
|
|
2629
2629
|
}
|
|
2630
2630
|
|
|
2631
|
-
const logger$
|
|
2631
|
+
const logger$d = getLogger$1("naylence.fame.security.encryption.channel.channel_encryption_manager_factory");
|
|
2632
2632
|
const DEFAULT_SUPPORTED_ALGORITHMS = ["chacha20-poly1305-channel"];
|
|
2633
2633
|
const FACTORY_META$d = {
|
|
2634
2634
|
base: ENCRYPTION_MANAGER_FACTORY_BASE_TYPE,
|
|
@@ -2660,7 +2660,7 @@ class ChannelEncryptionManagerFactory extends EncryptionManagerFactory {
|
|
|
2660
2660
|
async create(_config, ...factoryArgs) {
|
|
2661
2661
|
const [dependencies] = factoryArgs;
|
|
2662
2662
|
const resolvedDependencies = this.resolveDependencies(dependencies);
|
|
2663
|
-
logger$
|
|
2663
|
+
logger$d.debug("creating_channel_encryption_manager", {
|
|
2664
2664
|
has_secure_channel_manager: Boolean(resolvedDependencies.secureChannelManager),
|
|
2665
2665
|
has_node_like: Boolean(resolvedDependencies.nodeLike),
|
|
2666
2666
|
has_task_spawner: Boolean(resolvedDependencies.taskSpawner),
|
|
@@ -2722,7 +2722,7 @@ var index = /*#__PURE__*/Object.freeze({
|
|
|
2722
2722
|
ChannelEncryptionManagerFactory: ChannelEncryptionManagerFactory
|
|
2723
2723
|
});
|
|
2724
2724
|
|
|
2725
|
-
const logger$
|
|
2725
|
+
const logger$c = getLogger$1("naylence.fame.security.encryption.default_secure_channel_manager");
|
|
2726
2726
|
const DEFAULT_ALGORITHM = "CHACHA20P1305";
|
|
2727
2727
|
const CHANNEL_KEY_LENGTH = 32;
|
|
2728
2728
|
const NONCE_PREFIX_LENGTH = 4;
|
|
@@ -2769,7 +2769,7 @@ class DefaultSecureChannelManager {
|
|
|
2769
2769
|
const privateKey = x25519.utils.randomSecretKey();
|
|
2770
2770
|
const publicKey = x25519.scalarMultBase(privateKey);
|
|
2771
2771
|
this.ephemeralKeys.set(channelId, privateKey);
|
|
2772
|
-
logger$
|
|
2772
|
+
logger$c.debug("generated_channel_open", { cid: channelId, algorithm });
|
|
2773
2773
|
return {
|
|
2774
2774
|
type: "SecureOpen",
|
|
2775
2775
|
cid: channelId,
|
|
@@ -2782,7 +2782,7 @@ class DefaultSecureChannelManager {
|
|
|
2782
2782
|
requireCryptoSupport();
|
|
2783
2783
|
const algorithm = frame.alg || DEFAULT_ALGORITHM;
|
|
2784
2784
|
if (!this.isSupportedAlgorithm(algorithm)) {
|
|
2785
|
-
logger$
|
|
2785
|
+
logger$c.warning("unsupported_channel_algorithm", {
|
|
2786
2786
|
cid: frame.cid,
|
|
2787
2787
|
alg: algorithm,
|
|
2788
2788
|
});
|
|
@@ -2800,7 +2800,7 @@ class DefaultSecureChannelManager {
|
|
|
2800
2800
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2801
2801
|
}
|
|
2802
2802
|
catch (error) {
|
|
2803
|
-
logger$
|
|
2803
|
+
logger$c.warning("invalid_peer_public_key", {
|
|
2804
2804
|
cid: frame.cid,
|
|
2805
2805
|
error: error instanceof Error ? error.message : String(error),
|
|
2806
2806
|
});
|
|
@@ -2822,7 +2822,7 @@ class DefaultSecureChannelManager {
|
|
|
2822
2822
|
algorithm,
|
|
2823
2823
|
});
|
|
2824
2824
|
this.channelsMap.set(frame.cid, channelState);
|
|
2825
|
-
logger$
|
|
2825
|
+
logger$c.debug("channel_established", { cid: frame.cid, algorithm });
|
|
2826
2826
|
myPrivateKey.fill(0);
|
|
2827
2827
|
sharedSecret.fill(0);
|
|
2828
2828
|
return {
|
|
@@ -2836,7 +2836,7 @@ class DefaultSecureChannelManager {
|
|
|
2836
2836
|
async handleAcceptFrame(frame) {
|
|
2837
2837
|
requireCryptoSupport();
|
|
2838
2838
|
if (frame.ok === false) {
|
|
2839
|
-
logger$
|
|
2839
|
+
logger$c.warning("channel_rejected", {
|
|
2840
2840
|
cid: frame.cid,
|
|
2841
2841
|
error: frame.reason,
|
|
2842
2842
|
});
|
|
@@ -2845,7 +2845,7 @@ class DefaultSecureChannelManager {
|
|
|
2845
2845
|
}
|
|
2846
2846
|
const privateKey = this.ephemeralKeys.get(frame.cid);
|
|
2847
2847
|
if (!privateKey) {
|
|
2848
|
-
logger$
|
|
2848
|
+
logger$c.error("no_ephemeral_key", { cid: frame.cid });
|
|
2849
2849
|
return false;
|
|
2850
2850
|
}
|
|
2851
2851
|
let peerPublicKey;
|
|
@@ -2853,7 +2853,7 @@ class DefaultSecureChannelManager {
|
|
|
2853
2853
|
peerPublicKey = decodeBase64(frame.ephPub);
|
|
2854
2854
|
}
|
|
2855
2855
|
catch (error) {
|
|
2856
|
-
logger$
|
|
2856
|
+
logger$c.warning("invalid_accept_public_key", {
|
|
2857
2857
|
cid: frame.cid,
|
|
2858
2858
|
error: error instanceof Error ? error.message : String(error),
|
|
2859
2859
|
});
|
|
@@ -2868,17 +2868,17 @@ class DefaultSecureChannelManager {
|
|
|
2868
2868
|
algorithm,
|
|
2869
2869
|
});
|
|
2870
2870
|
this.channelsMap.set(frame.cid, channelState);
|
|
2871
|
-
logger$
|
|
2871
|
+
logger$c.debug("channel_completed", { cid: frame.cid, algorithm });
|
|
2872
2872
|
sharedSecret.fill(0);
|
|
2873
2873
|
this.cleanupEphemeralKey(frame.cid);
|
|
2874
2874
|
return true;
|
|
2875
2875
|
}
|
|
2876
2876
|
handleCloseFrame(frame) {
|
|
2877
2877
|
if (this.channelsMap.delete(frame.cid)) {
|
|
2878
|
-
logger$
|
|
2878
|
+
logger$c.debug("channel_closed", { cid: frame.cid, reason: frame.reason });
|
|
2879
2879
|
}
|
|
2880
2880
|
else {
|
|
2881
|
-
logger$
|
|
2881
|
+
logger$c.warning("close_unknown_channel", { cid: frame.cid });
|
|
2882
2882
|
}
|
|
2883
2883
|
this.cleanupEphemeralKey(frame.cid);
|
|
2884
2884
|
}
|
|
@@ -2905,7 +2905,7 @@ class DefaultSecureChannelManager {
|
|
|
2905
2905
|
}
|
|
2906
2906
|
closeChannel(channelId, reason = "User requested") {
|
|
2907
2907
|
if (this.channelsMap.delete(channelId)) {
|
|
2908
|
-
logger$
|
|
2908
|
+
logger$c.debug("channel_closed_by_user", { cid: channelId, reason });
|
|
2909
2909
|
}
|
|
2910
2910
|
this.cleanupEphemeralKey(channelId);
|
|
2911
2911
|
return {
|
|
@@ -2922,7 +2922,7 @@ class DefaultSecureChannelManager {
|
|
|
2922
2922
|
this.channelsMap.delete(channelId);
|
|
2923
2923
|
this.cleanupEphemeralKey(channelId);
|
|
2924
2924
|
removed += 1;
|
|
2925
|
-
logger$
|
|
2925
|
+
logger$c.debug("channel_expired_cleanup", { cid: channelId });
|
|
2926
2926
|
}
|
|
2927
2927
|
}
|
|
2928
2928
|
return removed;
|
|
@@ -2951,7 +2951,7 @@ class DefaultSecureChannelManager {
|
|
|
2951
2951
|
if (channelId.startsWith(prefix)) {
|
|
2952
2952
|
if (this.removeChannel(channelId)) {
|
|
2953
2953
|
removed += 1;
|
|
2954
|
-
logger$
|
|
2954
|
+
logger$c.debug("removed_channel_for_destination", {
|
|
2955
2955
|
channel_id: channelId,
|
|
2956
2956
|
destination,
|
|
2957
2957
|
});
|
|
@@ -2959,7 +2959,7 @@ class DefaultSecureChannelManager {
|
|
|
2959
2959
|
}
|
|
2960
2960
|
}
|
|
2961
2961
|
if (removed > 0) {
|
|
2962
|
-
logger$
|
|
2962
|
+
logger$c.info("cleanup_channels_for_destination", {
|
|
2963
2963
|
destination,
|
|
2964
2964
|
channels_removed: removed,
|
|
2965
2965
|
});
|
|
@@ -3052,7 +3052,7 @@ var defaultSecureChannelManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
3052
3052
|
default: DefaultSecureChannelManagerFactory
|
|
3053
3053
|
});
|
|
3054
3054
|
|
|
3055
|
-
const logger$
|
|
3055
|
+
const logger$b = getLogger$1("naylence.fame.security.encryption.encryption_manager_registry");
|
|
3056
3056
|
class EncryptionManagerFactoryRegistry {
|
|
3057
3057
|
constructor(autoDiscover = true) {
|
|
3058
3058
|
this.factories = [];
|
|
@@ -3074,7 +3074,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3074
3074
|
let registeredCount = 0;
|
|
3075
3075
|
for (const [factoryName, info] of extensionInfos) {
|
|
3076
3076
|
if (factoryName === "CompositeEncryptionManager") {
|
|
3077
|
-
logger$
|
|
3077
|
+
logger$b.debug("skipping_composite_factory_to_avoid_circular_dependency", {
|
|
3078
3078
|
factory_name: factoryName,
|
|
3079
3079
|
});
|
|
3080
3080
|
continue;
|
|
@@ -3084,7 +3084,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3084
3084
|
ExtensionManager.getGlobalFactory(ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, factoryName));
|
|
3085
3085
|
this.registerFactory(factoryInstance, { autoDiscovered: true });
|
|
3086
3086
|
registeredCount += 1;
|
|
3087
|
-
logger$
|
|
3087
|
+
logger$b.debug("auto_discovered_factory", {
|
|
3088
3088
|
factory_name: factoryName,
|
|
3089
3089
|
factory_class: factoryInstance.constructor.name,
|
|
3090
3090
|
algorithms: factoryInstance.getSupportedAlgorithms(),
|
|
@@ -3093,21 +3093,21 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3093
3093
|
});
|
|
3094
3094
|
}
|
|
3095
3095
|
catch (error) {
|
|
3096
|
-
logger$
|
|
3096
|
+
logger$b.warning("failed_to_auto_register_factory", {
|
|
3097
3097
|
factory_name: factoryName,
|
|
3098
3098
|
error: error instanceof Error ? error.message : String(error),
|
|
3099
3099
|
});
|
|
3100
3100
|
}
|
|
3101
3101
|
}
|
|
3102
3102
|
this.autoDiscovered = true;
|
|
3103
|
-
logger$
|
|
3103
|
+
logger$b.debug("completed_auto_discovery", {
|
|
3104
3104
|
registered_factories: registeredCount,
|
|
3105
3105
|
total_discovered: extensionInfos.size,
|
|
3106
3106
|
skipped_composite: true,
|
|
3107
3107
|
});
|
|
3108
3108
|
}
|
|
3109
3109
|
catch (error) {
|
|
3110
|
-
logger$
|
|
3110
|
+
logger$b.warning("failed_auto_discovery_of_factories", {
|
|
3111
3111
|
error: error instanceof Error ? error.message : String(error),
|
|
3112
3112
|
});
|
|
3113
3113
|
}
|
|
@@ -3125,7 +3125,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3125
3125
|
const existing = this.algorithmToFactory.get(algorithm);
|
|
3126
3126
|
if (!existing || factory.getPriority() > existing.getPriority()) {
|
|
3127
3127
|
this.algorithmToFactory.set(algorithm, factory);
|
|
3128
|
-
logger$
|
|
3128
|
+
logger$b.debug("registered_algorithm_mapping", {
|
|
3129
3129
|
algorithm,
|
|
3130
3130
|
factory: factory.constructor.name,
|
|
3131
3131
|
priority: factory.getPriority(),
|
|
@@ -3137,7 +3137,7 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3137
3137
|
typeFactories.push(factory);
|
|
3138
3138
|
typeFactories.sort((a, b) => b.getPriority() - a.getPriority());
|
|
3139
3139
|
this.typeToFactories.set(encryptionType, typeFactories);
|
|
3140
|
-
logger$
|
|
3140
|
+
logger$b.debug("registered_encryption_manager_factory", {
|
|
3141
3141
|
factory: factory.constructor.name,
|
|
3142
3142
|
encryption_type: encryptionType,
|
|
3143
3143
|
algorithms: factory.getSupportedAlgorithms(),
|
|
@@ -3153,14 +3153,14 @@ class EncryptionManagerFactoryRegistry {
|
|
|
3153
3153
|
this.ensureAutoDiscovery();
|
|
3154
3154
|
for (const factory of this.factories) {
|
|
3155
3155
|
if (factory.supportsOptions(opts ?? undefined)) {
|
|
3156
|
-
logger$
|
|
3156
|
+
logger$b.debug("found_factory_for_options", {
|
|
3157
3157
|
factory: factory.constructor.name,
|
|
3158
3158
|
encryption_type: factory.getEncryptionType(),
|
|
3159
3159
|
});
|
|
3160
3160
|
return factory;
|
|
3161
3161
|
}
|
|
3162
3162
|
}
|
|
3163
|
-
logger$
|
|
3163
|
+
logger$b.debug("no_factory_found_for_options", { opts });
|
|
3164
3164
|
return undefined;
|
|
3165
3165
|
}
|
|
3166
3166
|
getFactoriesByType(encryptionType) {
|
|
@@ -3216,7 +3216,7 @@ function registerEncryptionManagerFactory(factory) {
|
|
|
3216
3216
|
globalRegistry.registerFactory(factory);
|
|
3217
3217
|
}
|
|
3218
3218
|
|
|
3219
|
-
const logger$
|
|
3219
|
+
const logger$a = getLogger$1("naylence.fame.security.encryption.composite_encryption_manager");
|
|
3220
3220
|
const DEFAULT_SEALED_ALGORITHMS = [
|
|
3221
3221
|
"X25519",
|
|
3222
3222
|
"ECDH-ES+A256GCM",
|
|
@@ -3255,7 +3255,7 @@ class CompositeEncryptionManager {
|
|
|
3255
3255
|
return await manager.encryptEnvelope(envelope, opts);
|
|
3256
3256
|
}
|
|
3257
3257
|
catch (error) {
|
|
3258
|
-
logger$
|
|
3258
|
+
logger$a.error("composite_encrypt_failed", {
|
|
3259
3259
|
error: error instanceof Error ? error.message : String(error),
|
|
3260
3260
|
});
|
|
3261
3261
|
return EncryptionResult.skipped(envelope);
|
|
@@ -3274,7 +3274,7 @@ class CompositeEncryptionManager {
|
|
|
3274
3274
|
return await manager.decryptEnvelope(envelope, opts);
|
|
3275
3275
|
}
|
|
3276
3276
|
catch (error) {
|
|
3277
|
-
logger$
|
|
3277
|
+
logger$a.error("composite_decrypt_failed", {
|
|
3278
3278
|
algorithm,
|
|
3279
3279
|
error: error instanceof Error ? error.message : String(error),
|
|
3280
3280
|
});
|
|
@@ -3286,14 +3286,14 @@ class CompositeEncryptionManager {
|
|
|
3286
3286
|
if (factories.length === 0) {
|
|
3287
3287
|
return;
|
|
3288
3288
|
}
|
|
3289
|
-
logger$
|
|
3289
|
+
logger$a.debug("composite_notify_channel_established", {
|
|
3290
3290
|
channel_id: channelId,
|
|
3291
3291
|
});
|
|
3292
3292
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3293
3293
|
const channelAware = manager;
|
|
3294
3294
|
if (typeof channelAware.notifyChannelEstablished === "function") {
|
|
3295
3295
|
await channelAware.notifyChannelEstablished(channelId);
|
|
3296
|
-
logger$
|
|
3296
|
+
logger$a.debug("composite_channel_established_notified", {
|
|
3297
3297
|
factory: factoryKey,
|
|
3298
3298
|
channel_id: channelId,
|
|
3299
3299
|
});
|
|
@@ -3305,7 +3305,7 @@ class CompositeEncryptionManager {
|
|
|
3305
3305
|
if (factories.length === 0) {
|
|
3306
3306
|
return;
|
|
3307
3307
|
}
|
|
3308
|
-
logger$
|
|
3308
|
+
logger$a.debug("composite_notify_channel_failed", {
|
|
3309
3309
|
channel_id: channelId,
|
|
3310
3310
|
reason,
|
|
3311
3311
|
});
|
|
@@ -3313,7 +3313,7 @@ class CompositeEncryptionManager {
|
|
|
3313
3313
|
const channelAware = manager;
|
|
3314
3314
|
if (typeof channelAware.notifyChannelFailed === "function") {
|
|
3315
3315
|
await channelAware.notifyChannelFailed(channelId, reason);
|
|
3316
|
-
logger$
|
|
3316
|
+
logger$a.debug("composite_channel_failed_notified", {
|
|
3317
3317
|
factory: factoryKey,
|
|
3318
3318
|
channel_id: channelId,
|
|
3319
3319
|
reason,
|
|
@@ -3326,12 +3326,12 @@ class CompositeEncryptionManager {
|
|
|
3326
3326
|
if (factories.length === 0) {
|
|
3327
3327
|
return;
|
|
3328
3328
|
}
|
|
3329
|
-
logger$
|
|
3329
|
+
logger$a.debug("composite_notify_key_available", { key_id: keyId });
|
|
3330
3330
|
await this.notifyManagers(factories, async (manager, factoryKey) => {
|
|
3331
3331
|
const sealedAware = manager;
|
|
3332
3332
|
if (typeof sealedAware.notifyKeyAvailable === "function") {
|
|
3333
3333
|
await sealedAware.notifyKeyAvailable(keyId);
|
|
3334
|
-
logger$
|
|
3334
|
+
logger$a.debug("composite_key_available_notified", {
|
|
3335
3335
|
factory: factoryKey,
|
|
3336
3336
|
key_id: keyId,
|
|
3337
3337
|
});
|
|
@@ -3372,7 +3372,7 @@ class CompositeEncryptionManager {
|
|
|
3372
3372
|
async getManagerForOptions(opts) {
|
|
3373
3373
|
const factory = this.factoryRegistry.getFactoryForOptions(opts ?? undefined);
|
|
3374
3374
|
if (!factory) {
|
|
3375
|
-
logger$
|
|
3375
|
+
logger$a.debug("composite_no_factory_for_options", { opts });
|
|
3376
3376
|
return null;
|
|
3377
3377
|
}
|
|
3378
3378
|
return await this.getOrCreateManager(factory, "options");
|
|
@@ -3380,7 +3380,7 @@ class CompositeEncryptionManager {
|
|
|
3380
3380
|
async getManagerForAlgorithm(algorithm) {
|
|
3381
3381
|
const factory = this.factoryRegistry.getFactoryForAlgorithm(algorithm);
|
|
3382
3382
|
if (!factory) {
|
|
3383
|
-
logger$
|
|
3383
|
+
logger$a.debug("composite_no_factory_for_algorithm", { algorithm });
|
|
3384
3384
|
return null;
|
|
3385
3385
|
}
|
|
3386
3386
|
return await this.getOrCreateManager(factory, algorithm);
|
|
@@ -3405,7 +3405,7 @@ class CompositeEncryptionManager {
|
|
|
3405
3405
|
const manager = await factory.create(null, dependencies);
|
|
3406
3406
|
this.managerInstances.set(key, manager);
|
|
3407
3407
|
await this.applyNodeContext(manager, key);
|
|
3408
|
-
logger$
|
|
3408
|
+
logger$a.debug("composite_created_manager", {
|
|
3409
3409
|
factory: key,
|
|
3410
3410
|
context,
|
|
3411
3411
|
manager_type: manager.constructor.name,
|
|
@@ -3413,7 +3413,7 @@ class CompositeEncryptionManager {
|
|
|
3413
3413
|
return manager;
|
|
3414
3414
|
}
|
|
3415
3415
|
catch (error) {
|
|
3416
|
-
logger$
|
|
3416
|
+
logger$a.error("composite_create_manager_failed", {
|
|
3417
3417
|
factory: key,
|
|
3418
3418
|
context,
|
|
3419
3419
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3426,7 +3426,7 @@ class CompositeEncryptionManager {
|
|
|
3426
3426
|
const factoryKey = this.resolveFactoryKey(factory);
|
|
3427
3427
|
const manager = this.managerInstances.get(factoryKey);
|
|
3428
3428
|
if (!manager) {
|
|
3429
|
-
logger$
|
|
3429
|
+
logger$a.debug("composite_skip_notification_no_manager", {
|
|
3430
3430
|
factory: factoryKey,
|
|
3431
3431
|
});
|
|
3432
3432
|
continue;
|
|
@@ -3435,7 +3435,7 @@ class CompositeEncryptionManager {
|
|
|
3435
3435
|
await callback(manager, factoryKey);
|
|
3436
3436
|
}
|
|
3437
3437
|
catch (error) {
|
|
3438
|
-
logger$
|
|
3438
|
+
logger$a.error("composite_notify_manager_failed", {
|
|
3439
3439
|
factory: factoryKey,
|
|
3440
3440
|
error: error instanceof Error ? error.message : String(error),
|
|
3441
3441
|
});
|
|
@@ -3451,7 +3451,7 @@ class CompositeEncryptionManager {
|
|
|
3451
3451
|
await callback(manager);
|
|
3452
3452
|
}
|
|
3453
3453
|
catch (error) {
|
|
3454
|
-
logger$
|
|
3454
|
+
logger$a.error("composite_node_event_failed", {
|
|
3455
3455
|
manager: manager.constructor.name,
|
|
3456
3456
|
error: error instanceof Error ? error.message : String(error),
|
|
3457
3457
|
});
|
|
@@ -3468,7 +3468,7 @@ class CompositeEncryptionManager {
|
|
|
3468
3468
|
await manager.onNodeStarted?.(this.nodeLike);
|
|
3469
3469
|
}
|
|
3470
3470
|
catch (error) {
|
|
3471
|
-
logger$
|
|
3471
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3472
3472
|
stage: "onNodeStarted",
|
|
3473
3473
|
factory: factoryKey,
|
|
3474
3474
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3481,7 +3481,7 @@ class CompositeEncryptionManager {
|
|
|
3481
3481
|
await manager.onNodeAttachToUpstream?.(this.nodeLike, this.lastAttachInfo);
|
|
3482
3482
|
}
|
|
3483
3483
|
catch (error) {
|
|
3484
|
-
logger$
|
|
3484
|
+
logger$a.error("composite_apply_node_context_failed", {
|
|
3485
3485
|
stage: "onNodeAttachToUpstream",
|
|
3486
3486
|
factory: factoryKey,
|
|
3487
3487
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -3504,7 +3504,7 @@ class CompositeEncryptionManager {
|
|
|
3504
3504
|
const channelAware = manager;
|
|
3505
3505
|
if (typeof channelAware.clearChannelCacheForDestination === "function") {
|
|
3506
3506
|
channelAware.clearChannelCacheForDestination(destination);
|
|
3507
|
-
logger$
|
|
3507
|
+
logger$a.debug("composite_cleared_channel_cache", {
|
|
3508
3508
|
destination,
|
|
3509
3509
|
factory: factoryKey,
|
|
3510
3510
|
});
|
|
@@ -3524,7 +3524,7 @@ class CompositeEncryptionManager {
|
|
|
3524
3524
|
"function") {
|
|
3525
3525
|
const removed = this.secureChannelManager.removeChannelsForDestination(destination);
|
|
3526
3526
|
if (removed > 0) {
|
|
3527
|
-
logger$
|
|
3527
|
+
logger$a.debug("composite_removed_channels", {
|
|
3528
3528
|
destination,
|
|
3529
3529
|
count: removed,
|
|
3530
3530
|
});
|
|
@@ -3535,7 +3535,7 @@ class CompositeEncryptionManager {
|
|
|
3535
3535
|
}
|
|
3536
3536
|
}
|
|
3537
3537
|
|
|
3538
|
-
const logger$
|
|
3538
|
+
const logger$9 = getLogger$1("naylence.fame.security.encryption.composite_encryption_manager_factory");
|
|
3539
3539
|
const DEFAULT_PRIORITY = 1000;
|
|
3540
3540
|
const DEFAULT_ENCRYPTION_TYPE = "composite";
|
|
3541
3541
|
const FACTORY_META$b = {
|
|
@@ -3573,7 +3573,7 @@ class CompositeEncryptionManagerFactory extends EncryptionManagerFactory {
|
|
|
3573
3573
|
const supportedChannelAlgorithms = runtimeConfig?.supportedChannelAlgorithms ??
|
|
3574
3574
|
this.supportedChannelAlgorithms ??
|
|
3575
3575
|
undefined;
|
|
3576
|
-
logger$
|
|
3576
|
+
logger$9.debug("creating_composite_encryption_manager", {
|
|
3577
3577
|
has_secure_channel_manager: Boolean(resolved.secureChannelManager),
|
|
3578
3578
|
has_key_provider: Boolean(resolved.keyProvider),
|
|
3579
3579
|
has_crypto_provider: Boolean(resolved.cryptoProvider),
|
|
@@ -3946,7 +3946,7 @@ var eddsaEnvelopeVerifierFactory = /*#__PURE__*/Object.freeze({
|
|
|
3946
3946
|
default: AdvancedEdDSAEnvelopeVerifierFactory
|
|
3947
3947
|
});
|
|
3948
3948
|
|
|
3949
|
-
const logger$
|
|
3949
|
+
const logger$8 = getLogger$1("naylence.fame.security.keys.x5c_key_manager");
|
|
3950
3950
|
let x509ModulePromise$1 = null;
|
|
3951
3951
|
async function loadX509Module$1() {
|
|
3952
3952
|
if (!x509ModulePromise$1) {
|
|
@@ -3958,7 +3958,7 @@ async function loadX509Module$1() {
|
|
|
3958
3958
|
return null;
|
|
3959
3959
|
})
|
|
3960
3960
|
.catch((error) => {
|
|
3961
|
-
logger$
|
|
3961
|
+
logger$8.warning("certificate_module_unavailable", {
|
|
3962
3962
|
error: error instanceof Error ? error.message : String(error),
|
|
3963
3963
|
});
|
|
3964
3964
|
return null;
|
|
@@ -3989,16 +3989,16 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
3989
3989
|
async onNodeStarted(node) {
|
|
3990
3990
|
await this.inner.onNodeStarted(node);
|
|
3991
3991
|
this.startPurgeLoop();
|
|
3992
|
-
logger$
|
|
3992
|
+
logger$8.debug("x5c_key_manager_started", {
|
|
3993
3993
|
cert_purge_interval: this.certPurgeInterval,
|
|
3994
3994
|
});
|
|
3995
3995
|
}
|
|
3996
3996
|
async onNodeStopped(node) {
|
|
3997
|
-
logger$
|
|
3997
|
+
logger$8.debug("x5c_key_manager_stopping");
|
|
3998
3998
|
await this.shutdownTasks({ gracePeriod: 50, joinTimeout: 100 });
|
|
3999
3999
|
this.purgeTask = null;
|
|
4000
4000
|
await this.inner.onNodeStopped(node);
|
|
4001
|
-
logger$
|
|
4001
|
+
logger$8.debug("x5c_key_manager_stopped");
|
|
4002
4002
|
}
|
|
4003
4003
|
async getKey(kid) {
|
|
4004
4004
|
return this.inner.getKey(kid);
|
|
@@ -4035,7 +4035,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4035
4035
|
}
|
|
4036
4036
|
catch (error) {
|
|
4037
4037
|
if (error instanceof JWKValidationError) {
|
|
4038
|
-
logger$
|
|
4038
|
+
logger$8.warning("rejected_invalid_jwk_in_announce", {
|
|
4039
4039
|
kid: typeof key?.kid === "string" ? key.kid : "unknown",
|
|
4040
4040
|
from_system_id: systemId,
|
|
4041
4041
|
from_physical_path: physicalPath,
|
|
@@ -4048,7 +4048,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4048
4048
|
}
|
|
4049
4049
|
}
|
|
4050
4050
|
if (validKeys.length === 0) {
|
|
4051
|
-
logger$
|
|
4051
|
+
logger$8.warning("no_valid_keys_in_announce", {
|
|
4052
4052
|
from_system_id: systemId,
|
|
4053
4053
|
from_physical_path: physicalPath,
|
|
4054
4054
|
total_keys: keys.length,
|
|
@@ -4056,7 +4056,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4056
4056
|
});
|
|
4057
4057
|
return;
|
|
4058
4058
|
}
|
|
4059
|
-
logger$
|
|
4059
|
+
logger$8.debug("adding_keys", {
|
|
4060
4060
|
key_ids: validKeys.map((key) => typeof key?.kid === "string" ? key.kid : "unknown"),
|
|
4061
4061
|
source_system_id: systemId,
|
|
4062
4062
|
from_physical_path: physicalPath,
|
|
@@ -4067,7 +4067,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4067
4067
|
});
|
|
4068
4068
|
const hasEncryptionKeys = validKeys.some((key) => typeof key?.use === "string" && key.use === "enc");
|
|
4069
4069
|
if (hasEncryptionKeys) {
|
|
4070
|
-
logger$
|
|
4070
|
+
logger$8.debug("checking_for_old_encryption_keys_to_remove", {
|
|
4071
4071
|
physical_path: physicalPath,
|
|
4072
4072
|
origin,
|
|
4073
4073
|
new_enc_keys: validKeys
|
|
@@ -4095,7 +4095,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4095
4095
|
}
|
|
4096
4096
|
}
|
|
4097
4097
|
if (existingEncKeyIds.size > 0) {
|
|
4098
|
-
logger$
|
|
4098
|
+
logger$8.debug("found_existing_encryption_keys_across_paths", {
|
|
4099
4099
|
physical_path: physicalPath,
|
|
4100
4100
|
paths_checked: pathsWithOldKeys,
|
|
4101
4101
|
existing_enc_key_ids: Array.from(existingEncKeyIds),
|
|
@@ -4106,7 +4106,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4106
4106
|
.filter((kid) => kid.length > 0));
|
|
4107
4107
|
const keysToRemove = Array.from(existingEncKeyIds).filter((kid) => !newEncKeyIds.has(kid));
|
|
4108
4108
|
if (keysToRemove.length > 0) {
|
|
4109
|
-
logger$
|
|
4109
|
+
logger$8.info("removing_old_encryption_keys_for_key_rotation", {
|
|
4110
4110
|
physical_path: physicalPath,
|
|
4111
4111
|
paths_with_old_keys: pathsWithOldKeys,
|
|
4112
4112
|
old_key_ids: keysToRemove,
|
|
@@ -4115,7 +4115,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4115
4115
|
});
|
|
4116
4116
|
for (const kid of keysToRemove) {
|
|
4117
4117
|
await this.keyStore.removeKey(kid);
|
|
4118
|
-
logger$
|
|
4118
|
+
logger$8.debug("removed_old_encryption_key_from_all_paths", {
|
|
4119
4119
|
kid,
|
|
4120
4120
|
});
|
|
4121
4121
|
}
|
|
@@ -4123,7 +4123,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4123
4123
|
}
|
|
4124
4124
|
}
|
|
4125
4125
|
catch (error) {
|
|
4126
|
-
logger$
|
|
4126
|
+
logger$8.warning("failed_to_remove_old_encryption_keys", {
|
|
4127
4127
|
physical_path: physicalPath,
|
|
4128
4128
|
error: error instanceof Error ? error.message : String(error),
|
|
4129
4129
|
origin,
|
|
@@ -4157,10 +4157,10 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4157
4157
|
return this.inner.getKeysForPath(physicalPath);
|
|
4158
4158
|
}
|
|
4159
4159
|
async purgeExpiredCertificates() {
|
|
4160
|
-
logger$
|
|
4160
|
+
logger$8.debug("certificate_purge_starting");
|
|
4161
4161
|
const module = await loadX509Module$1();
|
|
4162
4162
|
if (!module) {
|
|
4163
|
-
logger$
|
|
4163
|
+
logger$8.warning("certificate_purge_skipped", {
|
|
4164
4164
|
reason: "x509_module_unavailable",
|
|
4165
4165
|
});
|
|
4166
4166
|
return 0;
|
|
@@ -4183,7 +4183,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4183
4183
|
const cert = new module.X509Certificate(raw);
|
|
4184
4184
|
const expiration = cert.notAfter;
|
|
4185
4185
|
if (expiration && expiration.getTime() < now.getTime()) {
|
|
4186
|
-
logger$
|
|
4186
|
+
logger$8.debug("expired_certificate_found", {
|
|
4187
4187
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4188
4188
|
physical_path: typeof key.physical_path === "string"
|
|
4189
4189
|
? key.physical_path
|
|
@@ -4202,7 +4202,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4202
4202
|
}
|
|
4203
4203
|
}
|
|
4204
4204
|
catch (error) {
|
|
4205
|
-
logger$
|
|
4205
|
+
logger$8.warning("certificate_parsing_failed_during_purge", {
|
|
4206
4206
|
kid: typeof key.kid === "string" ? key.kid : "unknown",
|
|
4207
4207
|
error: error instanceof Error ? error.message : String(error),
|
|
4208
4208
|
message: "Could not parse certificate for expiry check",
|
|
@@ -4216,20 +4216,20 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4216
4216
|
const removed = await this.keyStore.removeKey(keyInfo.kid);
|
|
4217
4217
|
if (removed) {
|
|
4218
4218
|
purgedCount += 1;
|
|
4219
|
-
logger$
|
|
4219
|
+
logger$8.debug("expired_certificate_purged", {
|
|
4220
4220
|
kid: keyInfo.kid,
|
|
4221
4221
|
physical_path: keyInfo.physicalPath ?? "unknown",
|
|
4222
4222
|
});
|
|
4223
4223
|
}
|
|
4224
4224
|
}
|
|
4225
4225
|
catch (error) {
|
|
4226
|
-
logger$
|
|
4226
|
+
logger$8.error("certificate_purge_failed", {
|
|
4227
4227
|
kid: keyInfo.kid,
|
|
4228
4228
|
error: error instanceof Error ? error.message : String(error),
|
|
4229
4229
|
});
|
|
4230
4230
|
}
|
|
4231
4231
|
}
|
|
4232
|
-
logger$
|
|
4232
|
+
logger$8.debug("certificate_purge_completed", {
|
|
4233
4233
|
purged_count: purgedCount,
|
|
4234
4234
|
});
|
|
4235
4235
|
return purgedCount;
|
|
@@ -4239,7 +4239,7 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4239
4239
|
return;
|
|
4240
4240
|
}
|
|
4241
4241
|
this.purgeTask = this.spawn(async (signal) => {
|
|
4242
|
-
logger$
|
|
4242
|
+
logger$8.debug("certificate_purge_loop_started", {
|
|
4243
4243
|
interval_seconds: this.certPurgeInterval,
|
|
4244
4244
|
});
|
|
4245
4245
|
try {
|
|
@@ -4260,13 +4260,13 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4260
4260
|
try {
|
|
4261
4261
|
const purged = await this.purgeExpiredCertificates();
|
|
4262
4262
|
if (purged > 0) {
|
|
4263
|
-
logger$
|
|
4263
|
+
logger$8.debug("certificate_purge_cycle_completed", {
|
|
4264
4264
|
purged_count: purged,
|
|
4265
4265
|
});
|
|
4266
4266
|
}
|
|
4267
4267
|
}
|
|
4268
4268
|
catch (error) {
|
|
4269
|
-
logger$
|
|
4269
|
+
logger$8.error("certificate_purge_cycle_failed", {
|
|
4270
4270
|
error: error instanceof Error ? error.message : String(error),
|
|
4271
4271
|
});
|
|
4272
4272
|
}
|
|
@@ -4274,16 +4274,16 @@ class X5CKeyManager extends TaskSpawner {
|
|
|
4274
4274
|
}
|
|
4275
4275
|
catch (error) {
|
|
4276
4276
|
if (signal?.aborted) {
|
|
4277
|
-
logger$
|
|
4277
|
+
logger$8.debug("certificate_purge_loop_cancelled");
|
|
4278
4278
|
}
|
|
4279
4279
|
else {
|
|
4280
|
-
logger$
|
|
4280
|
+
logger$8.error("certificate_purge_loop_failed", {
|
|
4281
4281
|
error: error instanceof Error ? error.message : String(error),
|
|
4282
4282
|
});
|
|
4283
4283
|
}
|
|
4284
4284
|
}
|
|
4285
4285
|
finally {
|
|
4286
|
-
logger$
|
|
4286
|
+
logger$8.debug("certificate_purge_loop_stopped");
|
|
4287
4287
|
}
|
|
4288
4288
|
}, { name: "cert-purge" });
|
|
4289
4289
|
}
|
|
@@ -4300,7 +4300,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4300
4300
|
});
|
|
4301
4301
|
}
|
|
4302
4302
|
catch (error) {
|
|
4303
|
-
logger$
|
|
4303
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4304
4304
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4305
4305
|
from_system_id: systemId,
|
|
4306
4306
|
from_physical_path: physicalPath,
|
|
@@ -4317,7 +4317,7 @@ function validateJwkX5cCertificateWrapper(options) {
|
|
|
4317
4317
|
if (result.isValid) {
|
|
4318
4318
|
return { accepted: true, skip: false };
|
|
4319
4319
|
}
|
|
4320
|
-
logger$
|
|
4320
|
+
logger$8.warning("rejected_key_due_to_certificate_validation_failure", {
|
|
4321
4321
|
kid: typeof jwk.kid === "string" ? jwk.kid : "unknown",
|
|
4322
4322
|
from_system_id: systemId,
|
|
4323
4323
|
from_physical_path: physicalPath,
|
|
@@ -4342,7 +4342,7 @@ function resolveTrustStorePath() {
|
|
|
4342
4342
|
return process.env.FAME_CA_CERT_FILE ?? null;
|
|
4343
4343
|
}
|
|
4344
4344
|
catch (error) {
|
|
4345
|
-
logger$
|
|
4345
|
+
logger$8.debug("trust_store_resolution_failed", {
|
|
4346
4346
|
error: error instanceof Error ? error.message : String(error),
|
|
4347
4347
|
});
|
|
4348
4348
|
return null;
|
|
@@ -4557,7 +4557,7 @@ function utf8Decode(data) {
|
|
|
4557
4557
|
return decodeURIComponent(escape(str));
|
|
4558
4558
|
}
|
|
4559
4559
|
|
|
4560
|
-
const logger$
|
|
4560
|
+
const logger$7 = getLogger$1("naylence.fame.stickiness.aft_signer");
|
|
4561
4561
|
class AbstractAFTSigner {
|
|
4562
4562
|
constructor(kid, maxTtlSec = 7200) {
|
|
4563
4563
|
this.kid = kid;
|
|
@@ -4649,7 +4649,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4649
4649
|
return token;
|
|
4650
4650
|
}
|
|
4651
4651
|
catch (error) {
|
|
4652
|
-
logger$
|
|
4652
|
+
logger$7.error("aft_signing_failed", {
|
|
4653
4653
|
kid: this.kid,
|
|
4654
4654
|
algorithm: this.algorithm,
|
|
4655
4655
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4661,7 +4661,7 @@ class SignedAFTSigner extends AbstractAFTSigner {
|
|
|
4661
4661
|
if (!this.cryptoKeyPromise) {
|
|
4662
4662
|
this.cryptoKeyPromise = importPKCS8(this.privateKeyPem, this.algorithm).catch((error) => {
|
|
4663
4663
|
this.cryptoKeyPromise = null;
|
|
4664
|
-
logger$
|
|
4664
|
+
logger$7.error("aft_private_key_import_failed", {
|
|
4665
4665
|
kid: this.kid,
|
|
4666
4666
|
algorithm: this.algorithm,
|
|
4667
4667
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4699,7 +4699,7 @@ function createAftSigner(options) {
|
|
|
4699
4699
|
}
|
|
4700
4700
|
}
|
|
4701
4701
|
|
|
4702
|
-
const logger$
|
|
4702
|
+
const logger$6 = getLogger$1("naylence.fame.stickiness.aft_helper");
|
|
4703
4703
|
class AFTHelper {
|
|
4704
4704
|
constructor(options) {
|
|
4705
4705
|
this.signer = options.signer;
|
|
@@ -4713,7 +4713,7 @@ class AFTHelper {
|
|
|
4713
4713
|
let clientSid;
|
|
4714
4714
|
if (context?.stickySid) {
|
|
4715
4715
|
clientSid = context.stickySid;
|
|
4716
|
-
logger$
|
|
4716
|
+
logger$6.debug("client_sticky_sid_extracted", { client_sid: clientSid });
|
|
4717
4717
|
}
|
|
4718
4718
|
const signOptions = {
|
|
4719
4719
|
sid: this.nodeSid,
|
|
@@ -4735,7 +4735,7 @@ class AFTHelper {
|
|
|
4735
4735
|
envelope.meta.set = setMeta;
|
|
4736
4736
|
}
|
|
4737
4737
|
setMeta.aft = aftToken;
|
|
4738
|
-
logger$
|
|
4738
|
+
logger$6.debug("aft_instruction_added", {
|
|
4739
4739
|
envelope_id: envelope.id,
|
|
4740
4740
|
ttl_sec: ttlSec,
|
|
4741
4741
|
scope,
|
|
@@ -4744,7 +4744,7 @@ class AFTHelper {
|
|
|
4744
4744
|
return true;
|
|
4745
4745
|
}
|
|
4746
4746
|
catch (error) {
|
|
4747
|
-
logger$
|
|
4747
|
+
logger$6.error("aft_generation_failed", {
|
|
4748
4748
|
envelope_id: envelope.id,
|
|
4749
4749
|
error: error instanceof Error ? error.message : String(error),
|
|
4750
4750
|
});
|
|
@@ -4768,7 +4768,7 @@ function createAftHelper(options) {
|
|
|
4768
4768
|
}
|
|
4769
4769
|
const DEFAULT_STICKINESS_SECURITY_LEVEL = StickinessMode.SIGNED_OPTIONAL;
|
|
4770
4770
|
|
|
4771
|
-
const logger$
|
|
4771
|
+
const logger$5 = getLogger$1("naylence.fame.stickiness.aft_verifier");
|
|
4772
4772
|
function decodeToken(token) {
|
|
4773
4773
|
const parts = token.split(".");
|
|
4774
4774
|
if (parts.length !== 3) {
|
|
@@ -4801,7 +4801,7 @@ function decodeToken(token) {
|
|
|
4801
4801
|
return { header, claims };
|
|
4802
4802
|
}
|
|
4803
4803
|
catch (error) {
|
|
4804
|
-
logger$
|
|
4804
|
+
logger$5.debug("aft_decoding_failed", {
|
|
4805
4805
|
error: error instanceof Error ? error.message : String(error),
|
|
4806
4806
|
});
|
|
4807
4807
|
return null;
|
|
@@ -4863,7 +4863,7 @@ class BaseAFTVerifier {
|
|
|
4863
4863
|
signatureValid = await this.verifySignature(token, header, claims);
|
|
4864
4864
|
}
|
|
4865
4865
|
catch (error) {
|
|
4866
|
-
logger$
|
|
4866
|
+
logger$5.debug("aft_signature_verification_failed", {
|
|
4867
4867
|
kid: header.kid,
|
|
4868
4868
|
algorithm: header.alg,
|
|
4869
4869
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4909,7 +4909,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4909
4909
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4910
4910
|
}
|
|
4911
4911
|
catch (error) {
|
|
4912
|
-
logger$
|
|
4912
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4913
4913
|
kid: header.kid,
|
|
4914
4914
|
error: error instanceof Error ? error.message : String(error),
|
|
4915
4915
|
});
|
|
@@ -4924,7 +4924,7 @@ class StrictAFTVerifier extends BaseAFTVerifier {
|
|
|
4924
4924
|
return protectedHeader.alg === header.alg;
|
|
4925
4925
|
}
|
|
4926
4926
|
catch (error) {
|
|
4927
|
-
logger$
|
|
4927
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4928
4928
|
kid: header.kid,
|
|
4929
4929
|
algorithm: header.alg,
|
|
4930
4930
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -4953,7 +4953,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4953
4953
|
keyRecord = await this.keyProvider.getKey(header.kid);
|
|
4954
4954
|
}
|
|
4955
4955
|
catch (error) {
|
|
4956
|
-
logger$
|
|
4956
|
+
logger$5.debug("aft_public_key_missing", {
|
|
4957
4957
|
kid: header.kid,
|
|
4958
4958
|
error: error instanceof Error ? error.message : String(error),
|
|
4959
4959
|
});
|
|
@@ -4968,7 +4968,7 @@ class SignedOptionalAFTVerifier extends BaseAFTVerifier {
|
|
|
4968
4968
|
return protectedHeader.alg === header.alg;
|
|
4969
4969
|
}
|
|
4970
4970
|
catch (error) {
|
|
4971
|
-
logger$
|
|
4971
|
+
logger$5.debug("aft_jws_verification_failed", {
|
|
4972
4972
|
kid: header.kid,
|
|
4973
4973
|
algorithm: header.alg,
|
|
4974
4974
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -5003,7 +5003,7 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
5003
5003
|
return key;
|
|
5004
5004
|
}
|
|
5005
5005
|
catch (error) {
|
|
5006
|
-
logger$
|
|
5006
|
+
logger$5.debug("aft_jwk_import_failed", {
|
|
5007
5007
|
kid: keyRecord.kid,
|
|
5008
5008
|
algorithm,
|
|
5009
5009
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -5024,14 +5024,14 @@ async function resolveVerificationKey(keyRecord, algorithm) {
|
|
|
5024
5024
|
return key;
|
|
5025
5025
|
}
|
|
5026
5026
|
catch (error) {
|
|
5027
|
-
logger$
|
|
5027
|
+
logger$5.debug("aft_spki_import_failed", {
|
|
5028
5028
|
kid: keyRecord.kid,
|
|
5029
5029
|
algorithm,
|
|
5030
5030
|
error: error instanceof Error ? error.message : String(error),
|
|
5031
5031
|
});
|
|
5032
5032
|
}
|
|
5033
5033
|
}
|
|
5034
|
-
logger$
|
|
5034
|
+
logger$5.debug("aft_verification_key_unavailable", {
|
|
5035
5035
|
kid: keyRecord.kid,
|
|
5036
5036
|
algorithm,
|
|
5037
5037
|
});
|
|
@@ -5054,7 +5054,7 @@ function createAftVerifier(options) {
|
|
|
5054
5054
|
}
|
|
5055
5055
|
}
|
|
5056
5056
|
|
|
5057
|
-
const logger$
|
|
5057
|
+
const logger$4 = getLogger$1("naylence.fame.stickiness.aft_load_balancer_stickiness_manager");
|
|
5058
5058
|
class AFTAssociation {
|
|
5059
5059
|
constructor(params) {
|
|
5060
5060
|
this.replicaId = params.replicaId;
|
|
@@ -5093,7 +5093,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5093
5093
|
};
|
|
5094
5094
|
this.config = config;
|
|
5095
5095
|
this.verifier = verifier;
|
|
5096
|
-
logger$
|
|
5096
|
+
logger$4.debug("stickiness_manager_initialized", {
|
|
5097
5097
|
enabled: this.config.enabled,
|
|
5098
5098
|
security_level: this.config.securityLevel,
|
|
5099
5099
|
verifier_type: verifier.constructor.name,
|
|
@@ -5111,14 +5111,14 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5111
5111
|
negotiate(stickiness) {
|
|
5112
5112
|
if (!stickiness) {
|
|
5113
5113
|
if (this.config.enabled) {
|
|
5114
|
-
logger$
|
|
5114
|
+
logger$4.debug("stickiness_negotiated_no_offer_attr_fallback");
|
|
5115
5115
|
return { enabled: true, mode: "attr", version: 1 };
|
|
5116
5116
|
}
|
|
5117
5117
|
return null;
|
|
5118
5118
|
}
|
|
5119
5119
|
const version = stickiness.version ?? 1;
|
|
5120
5120
|
if (!this.config.enabled) {
|
|
5121
|
-
logger$
|
|
5121
|
+
logger$4.debug("stickiness_negotiation_disabled_by_config");
|
|
5122
5122
|
return { enabled: false, version };
|
|
5123
5123
|
}
|
|
5124
5124
|
const childModes = new Set();
|
|
@@ -5139,32 +5139,32 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5139
5139
|
ttlSec: ttl,
|
|
5140
5140
|
version,
|
|
5141
5141
|
};
|
|
5142
|
-
logger$
|
|
5142
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode, ttl });
|
|
5143
5143
|
return policy;
|
|
5144
5144
|
}
|
|
5145
5145
|
if (childModes.has("attr")) {
|
|
5146
5146
|
const policy = { enabled: true, mode: "attr", version };
|
|
5147
|
-
logger$
|
|
5147
|
+
logger$4.debug("stickiness_negotiated", { mode: policy.mode });
|
|
5148
5148
|
return policy;
|
|
5149
5149
|
}
|
|
5150
|
-
logger$
|
|
5150
|
+
logger$4.debug("stickiness_negotiation_no_common_mode");
|
|
5151
5151
|
return { enabled: false, version };
|
|
5152
5152
|
}
|
|
5153
5153
|
async handleOutboundEnvelope(envelope, replicaId) {
|
|
5154
5154
|
if (!this.config.enabled) {
|
|
5155
|
-
logger$
|
|
5155
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5156
5156
|
return null;
|
|
5157
5157
|
}
|
|
5158
5158
|
const aftToken = extractAftInstruction(envelope);
|
|
5159
5159
|
if (!aftToken) {
|
|
5160
|
-
logger$
|
|
5160
|
+
logger$4.debug("no_aft_instruction", {
|
|
5161
5161
|
envelope_id: envelope.id,
|
|
5162
5162
|
has_meta: Boolean(envelope.meta),
|
|
5163
5163
|
});
|
|
5164
5164
|
return null;
|
|
5165
5165
|
}
|
|
5166
5166
|
if (typeof aftToken !== "string") {
|
|
5167
|
-
logger$
|
|
5167
|
+
logger$4.warning("invalid_aft_instruction", {
|
|
5168
5168
|
envelope_id: envelope.id,
|
|
5169
5169
|
replica_id: replicaId,
|
|
5170
5170
|
reason: "set.aft value is not a string",
|
|
@@ -5174,7 +5174,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5174
5174
|
const verification = await this.verifier.verify(aftToken, envelope.sid ?? undefined);
|
|
5175
5175
|
if (!verification.valid) {
|
|
5176
5176
|
this.metrics.verifyFailures += 1;
|
|
5177
|
-
logger$
|
|
5177
|
+
logger$4.warning("aft_verification_failed", {
|
|
5178
5178
|
envelope_id: envelope.id,
|
|
5179
5179
|
replica_id: replicaId,
|
|
5180
5180
|
error: verification.error,
|
|
@@ -5192,14 +5192,14 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5192
5192
|
});
|
|
5193
5193
|
if (verification.clientSid) {
|
|
5194
5194
|
this.sidCache.set(verification.clientSid, replicaId);
|
|
5195
|
-
logger$
|
|
5195
|
+
logger$4.debug("sid_cache_updated", {
|
|
5196
5196
|
envelope_id: envelope.id,
|
|
5197
5197
|
client_sid: verification.clientSid,
|
|
5198
5198
|
replica_id: replicaId,
|
|
5199
5199
|
});
|
|
5200
5200
|
}
|
|
5201
5201
|
this.metrics.associationsCreated += 1;
|
|
5202
|
-
logger$
|
|
5202
|
+
logger$4.debug("aft_association_created", {
|
|
5203
5203
|
envelope_id: envelope.id,
|
|
5204
5204
|
replica_id: replicaId,
|
|
5205
5205
|
sid: verification.sid,
|
|
@@ -5211,14 +5211,14 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5211
5211
|
}
|
|
5212
5212
|
getStickyReplicaSegment(envelope, segments) {
|
|
5213
5213
|
if (!this.config.enabled) {
|
|
5214
|
-
logger$
|
|
5214
|
+
logger$4.debug("stickiness_disabled", { envelope_id: envelope.id });
|
|
5215
5215
|
return null;
|
|
5216
5216
|
}
|
|
5217
5217
|
if (envelope.aft) {
|
|
5218
5218
|
const replicaId = this.routeByAft(envelope.aft, envelope);
|
|
5219
5219
|
if (replicaId) {
|
|
5220
5220
|
this.metrics.cacheHits += 1;
|
|
5221
|
-
logger$
|
|
5221
|
+
logger$4.debug("aft_routed_envelope", {
|
|
5222
5222
|
envelope_id: envelope.id,
|
|
5223
5223
|
replica_id: replicaId,
|
|
5224
5224
|
routing_type: "aft_direct",
|
|
@@ -5231,7 +5231,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5231
5231
|
if (cachedReplica) {
|
|
5232
5232
|
if (this.config.securityLevel === StickinessMode.SID_ONLY) {
|
|
5233
5233
|
this.metrics.cacheHits += 1;
|
|
5234
|
-
logger$
|
|
5234
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5235
5235
|
envelope_id: envelope.id,
|
|
5236
5236
|
replica_id: cachedReplica,
|
|
5237
5237
|
sid: envelope.sid,
|
|
@@ -5244,7 +5244,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5244
5244
|
!association.isExpired()) {
|
|
5245
5245
|
envelope.aft = token;
|
|
5246
5246
|
this.metrics.cacheHits += 1;
|
|
5247
|
-
logger$
|
|
5247
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5248
5248
|
envelope_id: envelope.id,
|
|
5249
5249
|
replica_id: cachedReplica,
|
|
5250
5250
|
sid: envelope.sid,
|
|
@@ -5254,7 +5254,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5254
5254
|
}
|
|
5255
5255
|
}
|
|
5256
5256
|
this.metrics.cacheHits += 1;
|
|
5257
|
-
logger$
|
|
5257
|
+
logger$4.debug("sid_cache_routed_envelope", {
|
|
5258
5258
|
envelope_id: envelope.id,
|
|
5259
5259
|
replica_id: cachedReplica,
|
|
5260
5260
|
sid: envelope.sid,
|
|
@@ -5262,7 +5262,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5262
5262
|
});
|
|
5263
5263
|
return cachedReplica;
|
|
5264
5264
|
}
|
|
5265
|
-
logger$
|
|
5265
|
+
logger$4.debug("no_cached_replica_for_sid", {
|
|
5266
5266
|
envelope_id: envelope.id,
|
|
5267
5267
|
sid: envelope.sid,
|
|
5268
5268
|
});
|
|
@@ -5271,7 +5271,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5271
5271
|
const index = computeDeterministicIndex(envelope.sid, segments.length);
|
|
5272
5272
|
const chosen = segments[index];
|
|
5273
5273
|
this.metrics.cacheHits += 1;
|
|
5274
|
-
logger$
|
|
5274
|
+
logger$4.debug("sid_based_deterministic_choice", {
|
|
5275
5275
|
envelope_id: envelope.id,
|
|
5276
5276
|
sid: envelope.sid,
|
|
5277
5277
|
chosen,
|
|
@@ -5280,7 +5280,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5280
5280
|
return chosen;
|
|
5281
5281
|
}
|
|
5282
5282
|
this.metrics.cacheMisses += 1;
|
|
5283
|
-
logger$
|
|
5283
|
+
logger$4.debug("no_stickiness_routing", {
|
|
5284
5284
|
envelope_id: envelope.id,
|
|
5285
5285
|
has_aft: Boolean(envelope.aft),
|
|
5286
5286
|
has_sid: Boolean(envelope.sid),
|
|
@@ -5300,7 +5300,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5300
5300
|
}
|
|
5301
5301
|
if (expiredTokens.length > 0) {
|
|
5302
5302
|
this.metrics.associationsExpired += expiredTokens.length;
|
|
5303
|
-
logger$
|
|
5303
|
+
logger$4.debug("cleaned_expired_associations", {
|
|
5304
5304
|
count: expiredTokens.length,
|
|
5305
5305
|
});
|
|
5306
5306
|
}
|
|
@@ -5316,7 +5316,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5316
5316
|
this.removeAssociation(token);
|
|
5317
5317
|
}
|
|
5318
5318
|
if (tokensToRemove.length > 0) {
|
|
5319
|
-
logger$
|
|
5319
|
+
logger$4.debug("removed_associations_for_departed_replica", {
|
|
5320
5320
|
replica_id: replicaId,
|
|
5321
5321
|
count: tokensToRemove.length,
|
|
5322
5322
|
});
|
|
@@ -5324,7 +5324,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5324
5324
|
}
|
|
5325
5325
|
handleReplicaLeft(replicaId) {
|
|
5326
5326
|
this.replicaLeft(replicaId);
|
|
5327
|
-
logger$
|
|
5327
|
+
logger$4.debug("stickiness_replica_cleanup", { replica_id: replicaId });
|
|
5328
5328
|
}
|
|
5329
5329
|
getMetrics() {
|
|
5330
5330
|
return {
|
|
@@ -5357,7 +5357,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5357
5357
|
const misses = this.metrics.cacheMisses;
|
|
5358
5358
|
const total = hits + misses;
|
|
5359
5359
|
const hitRate = total > 0 ? Math.round((hits / total) * 10000) / 100 : 0;
|
|
5360
|
-
logger$
|
|
5360
|
+
logger$4.info("stickiness_metrics_report", {
|
|
5361
5361
|
enabled: this.config.enabled,
|
|
5362
5362
|
security_level: this.config.securityLevel,
|
|
5363
5363
|
cache_hits: hits,
|
|
@@ -5371,7 +5371,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5371
5371
|
});
|
|
5372
5372
|
}
|
|
5373
5373
|
async onDeliver(_node, envelope, context) {
|
|
5374
|
-
logger$
|
|
5374
|
+
logger$4.debug("stickiness_manager_on_deliver", {
|
|
5375
5375
|
envelope_id: envelope.id,
|
|
5376
5376
|
origin_type: context?.originType ?? "unknown",
|
|
5377
5377
|
from_system_id: context?.fromSystemId ?? null,
|
|
@@ -5379,7 +5379,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5379
5379
|
if (context?.originType === DeliveryOriginType$1.DOWNSTREAM) {
|
|
5380
5380
|
const sourceRoute = context.fromSystemId;
|
|
5381
5381
|
if (sourceRoute) {
|
|
5382
|
-
logger$
|
|
5382
|
+
logger$4.debug("processing_downstream_envelope", {
|
|
5383
5383
|
envelope_id: envelope.id,
|
|
5384
5384
|
source_route: sourceRoute,
|
|
5385
5385
|
});
|
|
@@ -5387,7 +5387,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5387
5387
|
envelope.sid &&
|
|
5388
5388
|
!this.sidCache.has(envelope.sid)) {
|
|
5389
5389
|
this.sidCache.set(envelope.sid, sourceRoute);
|
|
5390
|
-
logger$
|
|
5390
|
+
logger$4.debug("sid_only_association_recorded", {
|
|
5391
5391
|
envelope_id: envelope.id,
|
|
5392
5392
|
sid: envelope.sid,
|
|
5393
5393
|
replica_id: sourceRoute,
|
|
@@ -5396,27 +5396,27 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5396
5396
|
const hadInstruction = Boolean(extractAftInstruction(envelope));
|
|
5397
5397
|
const token = await this.handleOutboundEnvelope(envelope, sourceRoute);
|
|
5398
5398
|
if (hadInstruction) {
|
|
5399
|
-
logger$
|
|
5399
|
+
logger$4.debug("processed_aft_setter_instruction", {
|
|
5400
5400
|
envelope_id: envelope.id,
|
|
5401
5401
|
source_route: sourceRoute,
|
|
5402
5402
|
client_echo: Boolean(token),
|
|
5403
5403
|
});
|
|
5404
5404
|
}
|
|
5405
5405
|
else {
|
|
5406
|
-
logger$
|
|
5406
|
+
logger$4.debug("no_aft_setter_instruction", {
|
|
5407
5407
|
envelope_id: envelope.id,
|
|
5408
5408
|
source_route: sourceRoute,
|
|
5409
5409
|
});
|
|
5410
5410
|
}
|
|
5411
5411
|
}
|
|
5412
5412
|
else {
|
|
5413
|
-
logger$
|
|
5413
|
+
logger$4.debug("downstream_envelope_without_source_route", {
|
|
5414
5414
|
envelope_id: envelope.id,
|
|
5415
5415
|
});
|
|
5416
5416
|
}
|
|
5417
5417
|
}
|
|
5418
5418
|
else {
|
|
5419
|
-
logger$
|
|
5419
|
+
logger$4.debug("envelope_not_from_downstream", {
|
|
5420
5420
|
envelope_id: envelope.id,
|
|
5421
5421
|
});
|
|
5422
5422
|
}
|
|
@@ -5457,7 +5457,7 @@ class AFTLoadBalancerStickinessManager extends BaseNodeEventListener {
|
|
|
5457
5457
|
}
|
|
5458
5458
|
if (this.verifier.securityLevel === StickinessMode.STRICT &&
|
|
5459
5459
|
association.isLowTrust()) {
|
|
5460
|
-
logger$
|
|
5460
|
+
logger$4.warning("rejecting_low_trust_association", {
|
|
5461
5461
|
envelope_id: envelope.id,
|
|
5462
5462
|
replica_id: association.replicaId,
|
|
5463
5463
|
reason: "strict mode rejects low-trust associations",
|
|
@@ -5564,7 +5564,7 @@ var aftLoadBalancerStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5564
5564
|
default: AFTLoadBalancerStickinessManagerFactory
|
|
5565
5565
|
});
|
|
5566
5566
|
|
|
5567
|
-
const logger$
|
|
5567
|
+
const logger$3 = getLogger$1("naylence.fame.stickiness.aft_replica_stickiness_manager");
|
|
5568
5568
|
function isStickinessRequired(context) {
|
|
5569
5569
|
if (typeof context.stickinessRequired === "boolean") {
|
|
5570
5570
|
return context.stickinessRequired;
|
|
@@ -5584,14 +5584,14 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5584
5584
|
this.isInitialized = this.aftHelper !== null;
|
|
5585
5585
|
this.negotiatedStickiness = null;
|
|
5586
5586
|
if (this.aftHelper) {
|
|
5587
|
-
logger$
|
|
5587
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5588
5588
|
helper_type: this.aftHelper.signer.constructor.name,
|
|
5589
5589
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5590
5590
|
max_ttl_sec: this.aftHelper.maxTtlSec,
|
|
5591
5591
|
});
|
|
5592
5592
|
}
|
|
5593
5593
|
else {
|
|
5594
|
-
logger$
|
|
5594
|
+
logger$3.debug("aft_replica_stickiness_manager_created", {
|
|
5595
5595
|
security_level: this.securityLevel,
|
|
5596
5596
|
max_ttl_sec: this.maxTtlSec,
|
|
5597
5597
|
});
|
|
@@ -5602,7 +5602,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5602
5602
|
}
|
|
5603
5603
|
accept(stickiness) {
|
|
5604
5604
|
this.negotiatedStickiness = stickiness ?? null;
|
|
5605
|
-
logger$
|
|
5605
|
+
logger$3.debug("replica_stickiness_policy_set", {
|
|
5606
5606
|
enabled: stickiness?.enabled ?? null,
|
|
5607
5607
|
mode: stickiness?.mode ?? null,
|
|
5608
5608
|
ttl: stickiness?.ttlSec ?? null,
|
|
@@ -5614,7 +5614,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5614
5614
|
}
|
|
5615
5615
|
const helper = this.aftHelper;
|
|
5616
5616
|
if (!helper) {
|
|
5617
|
-
logger$
|
|
5617
|
+
logger$3.debug("aft_helper_not_ready_skip_injection", {
|
|
5618
5618
|
envelope_id: envelope.id,
|
|
5619
5619
|
delivery_origin: context.originType ?? null,
|
|
5620
5620
|
reason: "not_initialized",
|
|
@@ -5630,7 +5630,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5630
5630
|
(negotiated.mode !== null &&
|
|
5631
5631
|
negotiated.mode !== undefined &&
|
|
5632
5632
|
negotiated.mode !== "aft")) {
|
|
5633
|
-
logger$
|
|
5633
|
+
logger$3.debug("aft_injection_skipped_due_to_policy", {
|
|
5634
5634
|
envelope_id: envelope.id,
|
|
5635
5635
|
policy_mode: negotiated.mode ?? null,
|
|
5636
5636
|
policy_enabled: negotiated.enabled ?? null,
|
|
@@ -5638,7 +5638,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5638
5638
|
return envelope;
|
|
5639
5639
|
}
|
|
5640
5640
|
}
|
|
5641
|
-
logger$
|
|
5641
|
+
logger$3.debug("applying_aft_for_upstream_stickiness_required", {
|
|
5642
5642
|
envelope_id: envelope.id,
|
|
5643
5643
|
from_system_id: context.fromSystemId ?? null,
|
|
5644
5644
|
delivery_origin: context.originType ?? null,
|
|
@@ -5649,14 +5649,14 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5649
5649
|
context: stickinessContext,
|
|
5650
5650
|
});
|
|
5651
5651
|
if (success) {
|
|
5652
|
-
logger$
|
|
5652
|
+
logger$3.debug("aft_token_applied_via_context_flag_upstream", {
|
|
5653
5653
|
envelope_id: envelope.id,
|
|
5654
5654
|
from_system_id: context.fromSystemId ?? null,
|
|
5655
5655
|
delivery_origin: context.originType ?? null,
|
|
5656
5656
|
});
|
|
5657
5657
|
}
|
|
5658
5658
|
else {
|
|
5659
|
-
logger$
|
|
5659
|
+
logger$3.debug("aft_token_not_applied_upstream", {
|
|
5660
5660
|
envelope_id: envelope.id,
|
|
5661
5661
|
delivery_origin: context.originType ?? null,
|
|
5662
5662
|
reason: "helper_returned_false",
|
|
@@ -5672,19 +5672,19 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5672
5672
|
}
|
|
5673
5673
|
if (this.aftHelper && node.sid) {
|
|
5674
5674
|
this.updateNodeSid(node.sid);
|
|
5675
|
-
logger$
|
|
5675
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5676
5676
|
node_id: node.id ?? "unknown",
|
|
5677
5677
|
node_sid: node.sid,
|
|
5678
5678
|
security_level: this.aftHelper.signer.securityLevel,
|
|
5679
5679
|
});
|
|
5680
5680
|
}
|
|
5681
5681
|
else if (!node.sid) {
|
|
5682
|
-
logger$
|
|
5682
|
+
logger$3.warning("aft_replica_stickiness_manager_no_sid_available", {
|
|
5683
5683
|
node_id: node.id ?? "unknown",
|
|
5684
5684
|
});
|
|
5685
5685
|
}
|
|
5686
5686
|
else {
|
|
5687
|
-
logger$
|
|
5687
|
+
logger$3.error("aft_replica_stickiness_manager_node_missing_sid", {
|
|
5688
5688
|
node_type: node.constructor?.name ?? typeof node,
|
|
5689
5689
|
});
|
|
5690
5690
|
}
|
|
@@ -5692,7 +5692,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5692
5692
|
updateNodeSid(nodeSid) {
|
|
5693
5693
|
if (this.aftHelper) {
|
|
5694
5694
|
this.aftHelper.nodeSid = nodeSid;
|
|
5695
|
-
logger$
|
|
5695
|
+
logger$3.debug("aft_replica_stickiness_manager_sid_updated", {
|
|
5696
5696
|
new_sid: nodeSid,
|
|
5697
5697
|
});
|
|
5698
5698
|
}
|
|
@@ -5700,14 +5700,14 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5700
5700
|
async initializeAftHelper(node) {
|
|
5701
5701
|
const nodeSid = node.sid;
|
|
5702
5702
|
if (!nodeSid) {
|
|
5703
|
-
logger$
|
|
5703
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_sid", {
|
|
5704
5704
|
node_id: node.id ?? "unknown",
|
|
5705
5705
|
});
|
|
5706
5706
|
return;
|
|
5707
5707
|
}
|
|
5708
5708
|
const cryptoProvider = node.cryptoProvider ?? null;
|
|
5709
5709
|
if (!cryptoProvider) {
|
|
5710
|
-
logger$
|
|
5710
|
+
logger$3.error("aft_replica_stickiness_manager_cannot_initialize_no_crypto_provider", {
|
|
5711
5711
|
node_id: node.id ?? "unknown",
|
|
5712
5712
|
});
|
|
5713
5713
|
return;
|
|
@@ -5720,7 +5720,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5720
5720
|
? cryptoProvider.signingPrivatePem
|
|
5721
5721
|
: null;
|
|
5722
5722
|
if (this.securityLevel === StickinessMode.STRICT && !privateKeyPem) {
|
|
5723
|
-
logger$
|
|
5723
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5724
5724
|
node_id: node.id ?? "unknown",
|
|
5725
5725
|
error: "Missing signing private key for strict security level",
|
|
5726
5726
|
});
|
|
@@ -5736,7 +5736,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5736
5736
|
});
|
|
5737
5737
|
this.aftHelper = helper;
|
|
5738
5738
|
this.isInitialized = true;
|
|
5739
|
-
logger$
|
|
5739
|
+
logger$3.debug("aft_replica_stickiness_manager_initialized", {
|
|
5740
5740
|
node_id: node.id ?? "unknown",
|
|
5741
5741
|
node_sid: nodeSid,
|
|
5742
5742
|
key_id: keyId,
|
|
@@ -5744,7 +5744,7 @@ class AFTReplicaStickinessManager extends BaseNodeEventListener {
|
|
|
5744
5744
|
});
|
|
5745
5745
|
}
|
|
5746
5746
|
catch (error) {
|
|
5747
|
-
logger$
|
|
5747
|
+
logger$3.error("aft_replica_stickiness_manager_initialization_failed", {
|
|
5748
5748
|
node_id: node.id ?? "unknown",
|
|
5749
5749
|
error: error instanceof Error ? error.message : String(error),
|
|
5750
5750
|
});
|
|
@@ -5814,7 +5814,7 @@ var aftReplicaStickinessManagerFactory = /*#__PURE__*/Object.freeze({
|
|
|
5814
5814
|
default: AFTReplicaStickinessManagerFactory
|
|
5815
5815
|
});
|
|
5816
5816
|
|
|
5817
|
-
const logger$
|
|
5817
|
+
const logger$2 = getLogger$1("naylence.fame.welcome.advanced_welcome_service");
|
|
5818
5818
|
const ENV_VAR_SHOW_ENVELOPES = "FAME_SHOW_ENVELOPES";
|
|
5819
5819
|
const DEFAULT_TTL_SEC = 3600;
|
|
5820
5820
|
const showEnvelopes = typeof process !== "undefined" &&
|
|
@@ -5857,7 +5857,7 @@ class AdvancedWelcomeService {
|
|
|
5857
5857
|
typeof options.ttlSec === "number" && Number.isFinite(options.ttlSec)
|
|
5858
5858
|
? Math.max(0, options.ttlSec)
|
|
5859
5859
|
: DEFAULT_TTL_SEC;
|
|
5860
|
-
logger$
|
|
5860
|
+
logger$2.debug("initialized_advanced_welcome_service", {
|
|
5861
5861
|
ca_service_url: this.caServiceUrl,
|
|
5862
5862
|
ttl_sec: this.ttlSec,
|
|
5863
5863
|
});
|
|
@@ -5877,7 +5877,7 @@ class AdvancedWelcomeService {
|
|
|
5877
5877
|
// eslint-disable-next-line no-console
|
|
5878
5878
|
console.log(`\n${formatTimestampForConsole()} - ${color("Received envelope 📨", AnsiColor.BLUE)}\n${prettyModel(normalizedHello)}`);
|
|
5879
5879
|
}
|
|
5880
|
-
logger$
|
|
5880
|
+
logger$2.debug("starting_hello_frame_processing", {
|
|
5881
5881
|
instanceId: normalizedHello.instanceId,
|
|
5882
5882
|
systemId,
|
|
5883
5883
|
logicals: normalizedHello.logicals,
|
|
@@ -5894,35 +5894,35 @@ class AdvancedWelcomeService {
|
|
|
5894
5894
|
fullMetadata.instance_id = normalizedHello.instanceId;
|
|
5895
5895
|
}
|
|
5896
5896
|
}
|
|
5897
|
-
logger$
|
|
5897
|
+
logger$2.debug("system_id_assignment_completed", {
|
|
5898
5898
|
systemId,
|
|
5899
5899
|
wasAssigned,
|
|
5900
5900
|
});
|
|
5901
5901
|
if (normalizedHello.logicals?.length) {
|
|
5902
|
-
logger$
|
|
5902
|
+
logger$2.debug("validating_logicals_for_dns_compatibility", {
|
|
5903
5903
|
logicals: normalizedHello.logicals,
|
|
5904
5904
|
});
|
|
5905
5905
|
const [pathsValid, pathError] = validateHostLogicals(normalizedHello.logicals);
|
|
5906
5906
|
if (!pathsValid) {
|
|
5907
|
-
logger$
|
|
5907
|
+
logger$2.error("logical_validation_failed", {
|
|
5908
5908
|
error: pathError,
|
|
5909
5909
|
logicals: normalizedHello.logicals,
|
|
5910
5910
|
});
|
|
5911
5911
|
throw new Error(`Invalid logical format: ${pathError}`);
|
|
5912
5912
|
}
|
|
5913
|
-
logger$
|
|
5913
|
+
logger$2.debug("logicals_validation_successful");
|
|
5914
5914
|
}
|
|
5915
|
-
logger$
|
|
5915
|
+
logger$2.debug("requesting_node_placement", { systemId });
|
|
5916
5916
|
const placementResult = await this.placementStrategy.place(normalizedHello);
|
|
5917
5917
|
if (!placementResult.accept) {
|
|
5918
|
-
logger$
|
|
5918
|
+
logger$2.error("node_placement_rejected", {
|
|
5919
5919
|
systemId,
|
|
5920
5920
|
reason: placementResult.reason,
|
|
5921
5921
|
});
|
|
5922
5922
|
throw new Error(placementResult.reason || "Node not accepted");
|
|
5923
5923
|
}
|
|
5924
5924
|
const assignedPath = placementResult.assignedPath;
|
|
5925
|
-
logger$
|
|
5925
|
+
logger$2.debug("node_placement_accepted", {
|
|
5926
5926
|
systemId,
|
|
5927
5927
|
assignedPath,
|
|
5928
5928
|
targetPhysicalPath: placementResult.targetPhysicalPath ?? null,
|
|
@@ -5934,7 +5934,7 @@ class AdvancedWelcomeService {
|
|
|
5934
5934
|
const acceptedLogicals = coercePlacementMetadataValue(placementResult.metadata, "acceptedLogicals", "accepted_logicals") ??
|
|
5935
5935
|
normalizedHello.logicals ??
|
|
5936
5936
|
null;
|
|
5937
|
-
logger$
|
|
5937
|
+
logger$2.debug("processing_placement_result_metadata", {
|
|
5938
5938
|
acceptedCapabilities,
|
|
5939
5939
|
acceptedLogicals,
|
|
5940
5940
|
hasPlacementMetadata: placementResult.metadata !== undefined &&
|
|
@@ -5948,7 +5948,7 @@ class AdvancedWelcomeService {
|
|
|
5948
5948
|
normalizedHello.instanceId ||
|
|
5949
5949
|
generateId();
|
|
5950
5950
|
if (placementResult.targetSystemId) {
|
|
5951
|
-
logger$
|
|
5951
|
+
logger$2.debug("issuing_node_attach_token", {
|
|
5952
5952
|
systemId,
|
|
5953
5953
|
assignedPath,
|
|
5954
5954
|
});
|
|
@@ -5960,10 +5960,10 @@ class AdvancedWelcomeService {
|
|
|
5960
5960
|
accepted_logicals: acceptedLogicals,
|
|
5961
5961
|
instance_id: metadataInstanceId,
|
|
5962
5962
|
});
|
|
5963
|
-
logger$
|
|
5964
|
-
logger$
|
|
5963
|
+
logger$2.debug("token_issued_successfully");
|
|
5964
|
+
logger$2.debug("provisioning_transport", { systemId });
|
|
5965
5965
|
const transportInfo = await this.transportProvisioner.provision(placementResult, normalizedHello, fullMetadata, nodeAttachToken);
|
|
5966
|
-
logger$
|
|
5966
|
+
logger$2.debug("transport_provisioned_successfully", {
|
|
5967
5967
|
systemId,
|
|
5968
5968
|
directiveType: transportInfo.connectionGrant &&
|
|
5969
5969
|
typeof transportInfo.connectionGrant === "object"
|
|
@@ -6007,7 +6007,7 @@ class AdvancedWelcomeService {
|
|
|
6007
6007
|
metadata: Object.keys(fullMetadata).length > 0 ? fullMetadata : undefined,
|
|
6008
6008
|
expiresAt: expiry.toISOString(),
|
|
6009
6009
|
};
|
|
6010
|
-
logger$
|
|
6010
|
+
logger$2.debug("hello_frame_processing_completed_successfully", {
|
|
6011
6011
|
systemId,
|
|
6012
6012
|
assignedPath,
|
|
6013
6013
|
acceptedLogicals,
|
|
@@ -6664,7 +6664,7 @@ function encodeBitString(signature) {
|
|
|
6664
6664
|
return result.buffer;
|
|
6665
6665
|
}
|
|
6666
6666
|
|
|
6667
|
-
const logger = getLogger$1("naylence.fame.security.cert.default_certificate_manager");
|
|
6667
|
+
const logger$1 = getLogger$1("naylence.fame.security.cert.default_certificate_manager");
|
|
6668
6668
|
const CONNECTION_GRANTS_CAMEL = "connectionGrants";
|
|
6669
6669
|
const CONNECTION_GRANTS_SNAKE = "connection_grants";
|
|
6670
6670
|
class DefaultCertificateManager {
|
|
@@ -6693,7 +6693,7 @@ class DefaultCertificateManager {
|
|
|
6693
6693
|
this.prepareProviderContext(node);
|
|
6694
6694
|
const requiresCertificate = this.requiresCertificates();
|
|
6695
6695
|
if (requiresCertificate) {
|
|
6696
|
-
logger.debug("node_certificate_required_on_start", {
|
|
6696
|
+
logger$1.debug("node_certificate_required_on_start", {
|
|
6697
6697
|
node_id: node.id,
|
|
6698
6698
|
physical_path: node.physicalPath,
|
|
6699
6699
|
has_parent: node.hasParent,
|
|
@@ -6707,7 +6707,7 @@ class DefaultCertificateManager {
|
|
|
6707
6707
|
const welcomeFrame = this.pendingWelcomeFrame ?? fallbackWelcome;
|
|
6708
6708
|
const success = await this.ensureCertificate(welcomeFrame, this.caServiceUrl ? { caServiceUrl: this.caServiceUrl } : undefined);
|
|
6709
6709
|
if (!success) {
|
|
6710
|
-
logger.warning("node_certificate_unavailable_on_start", {
|
|
6710
|
+
logger$1.warning("node_certificate_unavailable_on_start", {
|
|
6711
6711
|
node_id: node.id,
|
|
6712
6712
|
physical_path: node.physicalPath,
|
|
6713
6713
|
message: "Certificate provisioning was requested but did not complete",
|
|
@@ -6721,7 +6721,7 @@ class DefaultCertificateManager {
|
|
|
6721
6721
|
async onWelcome(welcomeFrame) {
|
|
6722
6722
|
const requiresCertificate = this.requiresCertificates(welcomeFrame);
|
|
6723
6723
|
if (!requiresCertificate) {
|
|
6724
|
-
logger.debug("welcome_does_not_require_certificate", {
|
|
6724
|
+
logger$1.debug("welcome_does_not_require_certificate", {
|
|
6725
6725
|
system_id: welcomeFrame.systemId ?? null,
|
|
6726
6726
|
});
|
|
6727
6727
|
this.pendingWelcomeFrame = null;
|
|
@@ -6732,14 +6732,14 @@ class DefaultCertificateManager {
|
|
|
6732
6732
|
return;
|
|
6733
6733
|
}
|
|
6734
6734
|
if (!this.node) {
|
|
6735
|
-
logger.debug("certificate_provisioning_deferred_until_node_start", {
|
|
6735
|
+
logger$1.debug("certificate_provisioning_deferred_until_node_start", {
|
|
6736
6736
|
system_id: welcomeFrame.systemId ?? null,
|
|
6737
6737
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
6738
6738
|
});
|
|
6739
6739
|
return;
|
|
6740
6740
|
}
|
|
6741
6741
|
const nodeId = welcomeFrame.systemId ?? "unknown";
|
|
6742
|
-
logger.warning("certificate_provisioning_not_completed", {
|
|
6742
|
+
logger$1.warning("certificate_provisioning_not_completed", {
|
|
6743
6743
|
node_id: nodeId,
|
|
6744
6744
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
6745
6745
|
message: "Continuing without a provisioned certificate (development mode)",
|
|
@@ -6755,13 +6755,13 @@ class DefaultCertificateManager {
|
|
|
6755
6755
|
const cryptoProvider = this.resolveCryptoProvider();
|
|
6756
6756
|
if (!cryptoProvider) {
|
|
6757
6757
|
if (!this.node) {
|
|
6758
|
-
logger.debug("crypto_provider_pending_node_start", {
|
|
6758
|
+
logger$1.debug("crypto_provider_pending_node_start", {
|
|
6759
6759
|
system_id: welcomeFrame.systemId ?? null,
|
|
6760
6760
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
6761
6761
|
});
|
|
6762
6762
|
}
|
|
6763
6763
|
else {
|
|
6764
|
-
logger.error("crypto_provider_unavailable_for_certificate", {
|
|
6764
|
+
logger$1.error("crypto_provider_unavailable_for_certificate", {
|
|
6765
6765
|
system_id: welcomeFrame.systemId ?? null,
|
|
6766
6766
|
assigned_path: welcomeFrame.assignedPath ?? null,
|
|
6767
6767
|
});
|
|
@@ -6780,7 +6780,7 @@ class DefaultCertificateManager {
|
|
|
6780
6780
|
const connectionGrants = readFrameValue(welcomeFrame, CONNECTION_GRANTS_CAMEL, CONNECTION_GRANTS_SNAKE);
|
|
6781
6781
|
const caSignGrant = this.getCaSignGrant(connectionGrants);
|
|
6782
6782
|
if (!caSignGrant) {
|
|
6783
|
-
logger.warning("welcome_frame_missing_ca_sign_grant", {
|
|
6783
|
+
logger$1.warning("welcome_frame_missing_ca_sign_grant", {
|
|
6784
6784
|
system_id: nodeId,
|
|
6785
6785
|
grant_count: Array.isArray(connectionGrants)
|
|
6786
6786
|
? connectionGrants.length
|
|
@@ -6791,7 +6791,7 @@ class DefaultCertificateManager {
|
|
|
6791
6791
|
if (caSignGrant) {
|
|
6792
6792
|
material = await this.requestCertificateFromCa(cryptoProvider, welcomeFrame, caSignGrant, options);
|
|
6793
6793
|
if (!material) {
|
|
6794
|
-
logger.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
6794
|
+
logger$1.warning("ca_certificate_request_failed_falling_back_to_env", {
|
|
6795
6795
|
system_id: nodeId,
|
|
6796
6796
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl ?? caSignGrant.url,
|
|
6797
6797
|
});
|
|
@@ -6801,13 +6801,13 @@ class DefaultCertificateManager {
|
|
|
6801
6801
|
material = await this.resolveCertificateMaterialFromInjectedSources(cryptoProvider, nodeId);
|
|
6802
6802
|
}
|
|
6803
6803
|
if (!material) {
|
|
6804
|
-
logger.debug("attempting_certificate_resolution_from_environment", {
|
|
6804
|
+
logger$1.debug("attempting_certificate_resolution_from_environment", {
|
|
6805
6805
|
system_id: nodeId,
|
|
6806
6806
|
});
|
|
6807
6807
|
material = await resolveCertificateMaterialFromEnvironment();
|
|
6808
6808
|
}
|
|
6809
6809
|
if (!material) {
|
|
6810
|
-
logger.warning("certificate_material_not_found", {
|
|
6810
|
+
logger$1.warning("certificate_material_not_found", {
|
|
6811
6811
|
system_id: nodeId,
|
|
6812
6812
|
assigned_path: readFrameString(welcomeFrame, "assignedPath", "assigned_path"),
|
|
6813
6813
|
ca_service_url: options?.caServiceUrl ?? this.caServiceUrl,
|
|
@@ -6816,7 +6816,7 @@ class DefaultCertificateManager {
|
|
|
6816
6816
|
}
|
|
6817
6817
|
const stored = await this.storeCertificateMaterial(cryptoProvider, material, nodeId);
|
|
6818
6818
|
if (!stored) {
|
|
6819
|
-
logger.warning("certificate_storage_not_supported", {
|
|
6819
|
+
logger$1.warning("certificate_storage_not_supported", {
|
|
6820
6820
|
system_id: nodeId,
|
|
6821
6821
|
});
|
|
6822
6822
|
return false;
|
|
@@ -6825,7 +6825,7 @@ class DefaultCertificateManager {
|
|
|
6825
6825
|
if (!validated) {
|
|
6826
6826
|
return false;
|
|
6827
6827
|
}
|
|
6828
|
-
logger.debug("certificate_material_applied", {
|
|
6828
|
+
logger$1.debug("certificate_material_applied", {
|
|
6829
6829
|
system_id: nodeId,
|
|
6830
6830
|
has_chain: Boolean(material.certificateChainPem),
|
|
6831
6831
|
});
|
|
@@ -6888,12 +6888,12 @@ class DefaultCertificateManager {
|
|
|
6888
6888
|
}
|
|
6889
6889
|
const validated = await this.validateProviderCertificate(provider, nodeId);
|
|
6890
6890
|
if (!validated) {
|
|
6891
|
-
logger.error("existing_certificate_validation_failed", {
|
|
6891
|
+
logger$1.error("existing_certificate_validation_failed", {
|
|
6892
6892
|
node_id: nodeId,
|
|
6893
6893
|
});
|
|
6894
6894
|
return false;
|
|
6895
6895
|
}
|
|
6896
|
-
logger.debug("existing_certificate_validated", {
|
|
6896
|
+
logger$1.debug("existing_certificate_validated", {
|
|
6897
6897
|
node_id: nodeId,
|
|
6898
6898
|
});
|
|
6899
6899
|
return true;
|
|
@@ -6901,7 +6901,7 @@ class DefaultCertificateManager {
|
|
|
6901
6901
|
async resolveCertificateMaterialFromInjectedSources(provider, nodeId) {
|
|
6902
6902
|
const providerMaterial = await this.resolveCertificateMaterialFromProvider(provider, nodeId);
|
|
6903
6903
|
if (providerMaterial) {
|
|
6904
|
-
logger.debug("certificate_material_resolved_from_provider", {
|
|
6904
|
+
logger$1.debug("certificate_material_resolved_from_provider", {
|
|
6905
6905
|
system_id: nodeId,
|
|
6906
6906
|
});
|
|
6907
6907
|
return providerMaterial;
|
|
@@ -6910,14 +6910,14 @@ class DefaultCertificateManager {
|
|
|
6910
6910
|
try {
|
|
6911
6911
|
const material = await this.certificateMaterialResolver();
|
|
6912
6912
|
if (material) {
|
|
6913
|
-
logger.debug("certificate_material_resolved_from_options", {
|
|
6913
|
+
logger$1.debug("certificate_material_resolved_from_options", {
|
|
6914
6914
|
system_id: nodeId,
|
|
6915
6915
|
});
|
|
6916
6916
|
return material;
|
|
6917
6917
|
}
|
|
6918
6918
|
}
|
|
6919
6919
|
catch (error) {
|
|
6920
|
-
logger.debug("certificate_material_option_resolution_failed", {
|
|
6920
|
+
logger$1.debug("certificate_material_option_resolution_failed", {
|
|
6921
6921
|
system_id: nodeId,
|
|
6922
6922
|
error: error instanceof Error ? error.message : String(error),
|
|
6923
6923
|
});
|
|
@@ -6934,7 +6934,7 @@ class DefaultCertificateManager {
|
|
|
6934
6934
|
return normalizeCertificateMaterial(material ?? null);
|
|
6935
6935
|
}
|
|
6936
6936
|
catch (error) {
|
|
6937
|
-
logger.debug("provider_certificate_material_resolution_failed", {
|
|
6937
|
+
logger$1.debug("provider_certificate_material_resolution_failed", {
|
|
6938
6938
|
system_id: nodeId,
|
|
6939
6939
|
error: error instanceof Error ? error.message : String(error),
|
|
6940
6940
|
});
|
|
@@ -6956,7 +6956,7 @@ class DefaultCertificateManager {
|
|
|
6956
6956
|
}
|
|
6957
6957
|
const url = readRecordString(grantRecord, "url", "baseUrl", "base_url");
|
|
6958
6958
|
if (!url) {
|
|
6959
|
-
logger.warning("ca_sign_grant_missing_url", {
|
|
6959
|
+
logger$1.warning("ca_sign_grant_missing_url", {
|
|
6960
6960
|
grant_keys: Object.keys(grantRecord),
|
|
6961
6961
|
});
|
|
6962
6962
|
continue;
|
|
@@ -6975,12 +6975,12 @@ class DefaultCertificateManager {
|
|
|
6975
6975
|
? provider.signatureKeyId
|
|
6976
6976
|
: null);
|
|
6977
6977
|
if (!nodeId) {
|
|
6978
|
-
logger.warning("certificate_request_missing_node_id");
|
|
6978
|
+
logger$1.warning("certificate_request_missing_node_id");
|
|
6979
6979
|
return null;
|
|
6980
6980
|
}
|
|
6981
6981
|
const physicalPath = readFrameString(welcomeFrame, "assignedPath", "assigned_path");
|
|
6982
6982
|
if (!physicalPath) {
|
|
6983
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
6983
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
6984
6984
|
node_id: nodeId,
|
|
6985
6985
|
});
|
|
6986
6986
|
return null;
|
|
@@ -6994,7 +6994,7 @@ class DefaultCertificateManager {
|
|
|
6994
6994
|
}
|
|
6995
6995
|
const caServiceUrl = options?.caServiceUrl ?? this.caServiceUrl ?? grant.url;
|
|
6996
6996
|
if (!caServiceUrl) {
|
|
6997
|
-
logger.error("ca_service_url_unavailable", {
|
|
6997
|
+
logger$1.error("ca_service_url_unavailable", {
|
|
6998
6998
|
node_id: nodeId,
|
|
6999
6999
|
});
|
|
7000
7000
|
return null;
|
|
@@ -7007,7 +7007,7 @@ class DefaultCertificateManager {
|
|
|
7007
7007
|
authStrategy = await this.createAuthStrategyForGrant(grant);
|
|
7008
7008
|
}
|
|
7009
7009
|
catch (error) {
|
|
7010
|
-
logger.error("ca_sign_auth_strategy_creation_failed", {
|
|
7010
|
+
logger$1.error("ca_sign_auth_strategy_creation_failed", {
|
|
7011
7011
|
node_id: nodeId,
|
|
7012
7012
|
error: error instanceof Error ? error.message : String(error),
|
|
7013
7013
|
});
|
|
@@ -7019,7 +7019,7 @@ class DefaultCertificateManager {
|
|
|
7019
7019
|
await authStrategy.apply(client);
|
|
7020
7020
|
}
|
|
7021
7021
|
const [certificatePem, certificateChainPem] = await client.requestCertificate(csrPem, nodeId, physicalPath, logicals);
|
|
7022
|
-
logger.debug("certificate_received_from_ca_service", {
|
|
7022
|
+
logger$1.debug("certificate_received_from_ca_service", {
|
|
7023
7023
|
node_id: nodeId,
|
|
7024
7024
|
has_chain: Boolean(certificateChainPem),
|
|
7025
7025
|
ca_service_url: caServiceUrl,
|
|
@@ -7031,13 +7031,13 @@ class DefaultCertificateManager {
|
|
|
7031
7031
|
}
|
|
7032
7032
|
catch (error) {
|
|
7033
7033
|
if (error instanceof CertificateRequestError) {
|
|
7034
|
-
logger.error("certificate_request_failed", {
|
|
7034
|
+
logger$1.error("certificate_request_failed", {
|
|
7035
7035
|
node_id: nodeId,
|
|
7036
7036
|
error: error.message,
|
|
7037
7037
|
});
|
|
7038
7038
|
}
|
|
7039
7039
|
else {
|
|
7040
|
-
logger.error("certificate_request_unhandled_error", {
|
|
7040
|
+
logger$1.error("certificate_request_unhandled_error", {
|
|
7041
7041
|
node_id: nodeId,
|
|
7042
7042
|
error: error instanceof Error ? error.message : String(error),
|
|
7043
7043
|
});
|
|
@@ -7050,7 +7050,7 @@ class DefaultCertificateManager {
|
|
|
7050
7050
|
await authStrategy.cleanup();
|
|
7051
7051
|
}
|
|
7052
7052
|
catch (cleanupError) {
|
|
7053
|
-
logger.debug("auth_strategy_cleanup_failed", {
|
|
7053
|
+
logger$1.debug("auth_strategy_cleanup_failed", {
|
|
7054
7054
|
error: cleanupError instanceof Error
|
|
7055
7055
|
? cleanupError.message
|
|
7056
7056
|
: String(cleanupError),
|
|
@@ -7073,14 +7073,14 @@ class DefaultCertificateManager {
|
|
|
7073
7073
|
async validateProviderCertificate(provider, nodeId) {
|
|
7074
7074
|
const { pem: trustStorePem, reason } = await this.resolveTrustStorePemValue(provider, nodeId);
|
|
7075
7075
|
if (!trustStorePem) {
|
|
7076
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7076
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7077
7077
|
node_id: nodeId,
|
|
7078
7078
|
reason: reason ?? "trust_store_unavailable",
|
|
7079
7079
|
});
|
|
7080
7080
|
return false;
|
|
7081
7081
|
}
|
|
7082
7082
|
if (typeof provider.nodeJwk !== "function") {
|
|
7083
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7083
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7084
7084
|
node_id: nodeId,
|
|
7085
7085
|
reason: "crypto_provider_lacks_node_jwk",
|
|
7086
7086
|
});
|
|
@@ -7091,7 +7091,7 @@ class DefaultCertificateManager {
|
|
|
7091
7091
|
jwk = provider.nodeJwk() ?? null;
|
|
7092
7092
|
}
|
|
7093
7093
|
catch (error) {
|
|
7094
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7094
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7095
7095
|
node_id: nodeId,
|
|
7096
7096
|
reason: "node_jwk_retrieval_failed",
|
|
7097
7097
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -7099,7 +7099,7 @@ class DefaultCertificateManager {
|
|
|
7099
7099
|
return false;
|
|
7100
7100
|
}
|
|
7101
7101
|
if (!jwk) {
|
|
7102
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7102
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7103
7103
|
node_id: nodeId,
|
|
7104
7104
|
reason: "node_jwk_missing",
|
|
7105
7105
|
});
|
|
@@ -7109,7 +7109,7 @@ class DefaultCertificateManager {
|
|
|
7109
7109
|
if (!Array.isArray(x5c) ||
|
|
7110
7110
|
x5c.length === 0 ||
|
|
7111
7111
|
x5c.some((entry) => typeof entry !== "string")) {
|
|
7112
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7112
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7113
7113
|
node_id: nodeId,
|
|
7114
7114
|
reason: "invalid_certificate_chain",
|
|
7115
7115
|
});
|
|
@@ -7123,19 +7123,19 @@ class DefaultCertificateManager {
|
|
|
7123
7123
|
strict: false,
|
|
7124
7124
|
});
|
|
7125
7125
|
if (!result.isValid) {
|
|
7126
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7126
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7127
7127
|
node_id: nodeId,
|
|
7128
7128
|
reason: result.error ?? "validation_failed",
|
|
7129
7129
|
});
|
|
7130
7130
|
return false;
|
|
7131
7131
|
}
|
|
7132
|
-
logger.debug("certificate_chain_validation_successful", {
|
|
7132
|
+
logger$1.debug("certificate_chain_validation_successful", {
|
|
7133
7133
|
node_id: nodeId,
|
|
7134
7134
|
});
|
|
7135
7135
|
return true;
|
|
7136
7136
|
}
|
|
7137
7137
|
catch (error) {
|
|
7138
|
-
logger.error("trust_anchor_validation_failed", {
|
|
7138
|
+
logger$1.error("trust_anchor_validation_failed", {
|
|
7139
7139
|
node_id: nodeId,
|
|
7140
7140
|
reason: "validation_error",
|
|
7141
7141
|
error: error instanceof Error ? error.message : String(error),
|
|
@@ -7146,7 +7146,7 @@ class DefaultCertificateManager {
|
|
|
7146
7146
|
async resolveTrustStorePemValue(provider, nodeId) {
|
|
7147
7147
|
const providerPem = await this.resolveTrustStorePemFromProvider(provider, nodeId);
|
|
7148
7148
|
if (providerPem) {
|
|
7149
|
-
logger.debug("trust_store_resolved_from_provider", {
|
|
7149
|
+
logger$1.debug("trust_store_resolved_from_provider", {
|
|
7150
7150
|
node_id: nodeId,
|
|
7151
7151
|
});
|
|
7152
7152
|
return { pem: providerPem };
|
|
@@ -7156,14 +7156,14 @@ class DefaultCertificateManager {
|
|
|
7156
7156
|
const pem = await this.trustStorePemResolver();
|
|
7157
7157
|
const normalized = normalizePemOrNull(pem);
|
|
7158
7158
|
if (normalized) {
|
|
7159
|
-
logger.debug("trust_store_resolved_from_options", {
|
|
7159
|
+
logger$1.debug("trust_store_resolved_from_options", {
|
|
7160
7160
|
node_id: nodeId,
|
|
7161
7161
|
});
|
|
7162
7162
|
return { pem: normalized };
|
|
7163
7163
|
}
|
|
7164
7164
|
}
|
|
7165
7165
|
catch (error) {
|
|
7166
|
-
logger.debug("trust_store_option_resolution_failed", {
|
|
7166
|
+
logger$1.debug("trust_store_option_resolution_failed", {
|
|
7167
7167
|
node_id: nodeId,
|
|
7168
7168
|
error: error instanceof Error ? error.message : String(error),
|
|
7169
7169
|
});
|
|
@@ -7184,7 +7184,7 @@ class DefaultCertificateManager {
|
|
|
7184
7184
|
return normalizePemOrNull(pem);
|
|
7185
7185
|
}
|
|
7186
7186
|
catch (error) {
|
|
7187
|
-
logger.debug("provider_trust_store_resolution_failed", {
|
|
7187
|
+
logger$1.debug("provider_trust_store_resolution_failed", {
|
|
7188
7188
|
node_id: nodeId,
|
|
7189
7189
|
error: error instanceof Error ? error.message : String(error),
|
|
7190
7190
|
});
|
|
@@ -7199,7 +7199,7 @@ class DefaultCertificateManager {
|
|
|
7199
7199
|
stored = true;
|
|
7200
7200
|
}
|
|
7201
7201
|
catch (error) {
|
|
7202
|
-
logger.warning("failed_to_store_certificate", {
|
|
7202
|
+
logger$1.warning("failed_to_store_certificate", {
|
|
7203
7203
|
error: error instanceof Error ? error.message : String(error),
|
|
7204
7204
|
});
|
|
7205
7205
|
}
|
|
@@ -7217,7 +7217,7 @@ class DefaultCertificateManager {
|
|
|
7217
7217
|
stored = true;
|
|
7218
7218
|
}
|
|
7219
7219
|
catch (error) {
|
|
7220
|
-
logger.debug("certificate_persistence_hook_failed", {
|
|
7220
|
+
logger$1.debug("certificate_persistence_hook_failed", {
|
|
7221
7221
|
node_id: nodeId,
|
|
7222
7222
|
error: error instanceof Error ? error.message : String(error),
|
|
7223
7223
|
});
|
|
@@ -7228,7 +7228,7 @@ class DefaultCertificateManager {
|
|
|
7228
7228
|
async buildCertificateSigningRequest(provider, nodeId, physicalPath, logicals) {
|
|
7229
7229
|
const trimmedPath = physicalPath.trim();
|
|
7230
7230
|
if (!trimmedPath) {
|
|
7231
|
-
logger.warning("certificate_request_missing_physical_path", {
|
|
7231
|
+
logger$1.warning("certificate_request_missing_physical_path", {
|
|
7232
7232
|
node_id: nodeId,
|
|
7233
7233
|
});
|
|
7234
7234
|
return null;
|
|
@@ -7237,7 +7237,7 @@ class DefaultCertificateManager {
|
|
|
7237
7237
|
const privateKeyPem = pemSource.signingPrivatePem?.trim() ?? "";
|
|
7238
7238
|
const publicKeyPem = pemSource.signingPublicPem?.trim() ?? "";
|
|
7239
7239
|
if (!privateKeyPem || !publicKeyPem) {
|
|
7240
|
-
logger.error("crypto_provider_missing_signing_material", {
|
|
7240
|
+
logger$1.error("crypto_provider_missing_signing_material", {
|
|
7241
7241
|
node_id: nodeId,
|
|
7242
7242
|
has_private: Boolean(privateKeyPem),
|
|
7243
7243
|
has_public: Boolean(publicKeyPem),
|
|
@@ -7255,7 +7255,7 @@ class DefaultCertificateManager {
|
|
|
7255
7255
|
return csrPem;
|
|
7256
7256
|
}
|
|
7257
7257
|
catch (error) {
|
|
7258
|
-
logger.error("csr_generation_failed", {
|
|
7258
|
+
logger$1.error("csr_generation_failed", {
|
|
7259
7259
|
node_id: nodeId,
|
|
7260
7260
|
error: error instanceof Error ? error.message : String(error),
|
|
7261
7261
|
});
|
|
@@ -7339,7 +7339,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
7339
7339
|
return null;
|
|
7340
7340
|
}
|
|
7341
7341
|
if (!isNodeProcess()) {
|
|
7342
|
-
logger.debug("pem_file_unavailable_in_browser", {
|
|
7342
|
+
logger$1.debug("pem_file_unavailable_in_browser", {
|
|
7343
7343
|
env_var: fileVar,
|
|
7344
7344
|
});
|
|
7345
7345
|
return null;
|
|
@@ -7350,7 +7350,7 @@ async function resolvePemFromEnvironment(envVar, fileVar) {
|
|
|
7350
7350
|
return normalizePemOrNull(content);
|
|
7351
7351
|
}
|
|
7352
7352
|
catch (error) {
|
|
7353
|
-
logger.warning("failed_to_read_certificate_file", {
|
|
7353
|
+
logger$1.warning("failed_to_read_certificate_file", {
|
|
7354
7354
|
file: filePath,
|
|
7355
7355
|
error: error instanceof Error ? error.message : String(error),
|
|
7356
7356
|
});
|
|
@@ -7381,7 +7381,7 @@ function providerHasCertificate(provider) {
|
|
|
7381
7381
|
return Boolean(provider.hasCertificate());
|
|
7382
7382
|
}
|
|
7383
7383
|
catch (error) {
|
|
7384
|
-
logger.debug("has_certificate_check_failed", {
|
|
7384
|
+
logger$1.debug("has_certificate_check_failed", {
|
|
7385
7385
|
error: error instanceof Error ? error.message : String(error),
|
|
7386
7386
|
});
|
|
7387
7387
|
}
|
|
@@ -7391,7 +7391,7 @@ function providerHasCertificate(provider) {
|
|
|
7391
7391
|
return Boolean(provider.nodeCertificatePem());
|
|
7392
7392
|
}
|
|
7393
7393
|
catch (error) {
|
|
7394
|
-
logger.debug("node_certificate_check_failed", {
|
|
7394
|
+
logger$1.debug("node_certificate_check_failed", {
|
|
7395
7395
|
error: error instanceof Error ? error.message : String(error),
|
|
7396
7396
|
});
|
|
7397
7397
|
}
|
|
@@ -7445,7 +7445,7 @@ function normalizeAuthConfig(candidate) {
|
|
|
7445
7445
|
}
|
|
7446
7446
|
const normalized = candidate;
|
|
7447
7447
|
if (!normalized.type || typeof normalized.type !== "string") {
|
|
7448
|
-
logger.warning("auth_strategy_missing_type", {
|
|
7448
|
+
logger$1.warning("auth_strategy_missing_type", {
|
|
7449
7449
|
provided_keys: Object.keys(candidate),
|
|
7450
7450
|
});
|
|
7451
7451
|
return null;
|
|
@@ -7463,7 +7463,7 @@ async function resolveTrustStorePemFromEnvironment() {
|
|
|
7463
7463
|
}
|
|
7464
7464
|
catch (error) {
|
|
7465
7465
|
const message = error instanceof Error ? error.message : String(error);
|
|
7466
|
-
logger.debug("trust_store_provider_resolution_failed", {
|
|
7466
|
+
logger$1.debug("trust_store_provider_resolution_failed", {
|
|
7467
7467
|
error: message,
|
|
7468
7468
|
});
|
|
7469
7469
|
return null;
|
|
@@ -7665,16 +7665,7 @@ function bytesToUtf8$1(data) {
|
|
|
7665
7665
|
|
|
7666
7666
|
const DEFAULT_REFRESH_INTERVAL_MS = 86400000; // 24 hours
|
|
7667
7667
|
const MIN_REFRESH_INTERVAL_MS = 60000; // 1 minute
|
|
7668
|
-
const
|
|
7669
|
-
debug: (...args) => {
|
|
7670
|
-
if (!isProductionEnvironment()) {
|
|
7671
|
-
console.debug("[trust-bundle]", ...args);
|
|
7672
|
-
}
|
|
7673
|
-
},
|
|
7674
|
-
warn: (...args) => {
|
|
7675
|
-
console.warn("[trust-bundle]", ...args);
|
|
7676
|
-
},
|
|
7677
|
-
};
|
|
7668
|
+
const logger = getLogger$1("naylence.fame.security.cert.trust_store.http_bundle_provider");
|
|
7678
7669
|
function isTruthyFlag(value) {
|
|
7679
7670
|
if (typeof value === "boolean") {
|
|
7680
7671
|
return value;
|
|
@@ -7727,7 +7718,7 @@ class HttpBundleProvider {
|
|
|
7727
7718
|
if (!(this.allowInsecureHttp && devMode && isLoopbackHost)) {
|
|
7728
7719
|
throw new Error("Trust bundle URL must use HTTPS (set allowInsecureHttp or FAME_TRUST_BUNDLE_ALLOW_HTTP for dev-only http)");
|
|
7729
7720
|
}
|
|
7730
|
-
|
|
7721
|
+
logger.warning("allowing_insecure_trust_bundle_url", {
|
|
7731
7722
|
url: parsed.toString(),
|
|
7732
7723
|
devMode,
|
|
7733
7724
|
isLoopbackHost,
|
|
@@ -7759,7 +7750,9 @@ class HttpBundleProvider {
|
|
|
7759
7750
|
if (stale || !this.anchors) {
|
|
7760
7751
|
this.inflight = this.fetchLatest()
|
|
7761
7752
|
.catch((error) => {
|
|
7762
|
-
|
|
7753
|
+
logger.warning("trust_bundle_refresh_failed", {
|
|
7754
|
+
error: error instanceof Error ? error.message : String(error),
|
|
7755
|
+
});
|
|
7763
7756
|
if (this.anchors) {
|
|
7764
7757
|
return this.anchors;
|
|
7765
7758
|
}
|
|
@@ -7799,14 +7792,16 @@ class HttpBundleProvider {
|
|
|
7799
7792
|
const cached = await loadCache(this.cacheKey);
|
|
7800
7793
|
if (cached) {
|
|
7801
7794
|
this.applyCachedEntry(cached);
|
|
7802
|
-
|
|
7795
|
+
logger.debug("loaded_trust_bundle_from_cache", {
|
|
7803
7796
|
url: this.url.href,
|
|
7804
7797
|
anchorCount: cached.anchors.length,
|
|
7805
7798
|
});
|
|
7806
7799
|
}
|
|
7807
7800
|
}
|
|
7808
7801
|
catch (error) {
|
|
7809
|
-
|
|
7802
|
+
logger.warning("failed_to_load_cached_trust_bundle", {
|
|
7803
|
+
error: error instanceof Error ? error.message : String(error),
|
|
7804
|
+
});
|
|
7810
7805
|
}
|
|
7811
7806
|
this.initialized = true;
|
|
7812
7807
|
}
|
|
@@ -7892,7 +7887,9 @@ class HttpBundleProvider {
|
|
|
7892
7887
|
callback();
|
|
7893
7888
|
}
|
|
7894
7889
|
catch (error) {
|
|
7895
|
-
|
|
7890
|
+
logger.warning("trust_bundle_listener_failed", {
|
|
7891
|
+
error: error instanceof Error ? error.message : String(error),
|
|
7892
|
+
});
|
|
7896
7893
|
}
|
|
7897
7894
|
}
|
|
7898
7895
|
}
|
|
@@ -8139,7 +8136,9 @@ async function openIndexedDbStore() {
|
|
|
8139
8136
|
});
|
|
8140
8137
|
};
|
|
8141
8138
|
request.onerror = () => {
|
|
8142
|
-
|
|
8139
|
+
logger.warning("indexeddb_unavailable_for_trust_bundle_caching", {
|
|
8140
|
+
error: request.error ? String(request.error) : "unknown",
|
|
8141
|
+
});
|
|
8143
8142
|
resolve(null);
|
|
8144
8143
|
};
|
|
8145
8144
|
});
|