@naylence/runtime 0.4.8 → 0.4.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/browser/index.cjs +23 -118
- package/dist/browser/index.mjs +24 -118
- package/dist/cjs/naylence/fame/node/factory-commons.js +2 -3
- package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-definition.js +1 -1
- package/dist/cjs/naylence/fame/security/auth/policy/basic-authorization-policy.js +18 -59
- package/dist/cjs/naylence/fame/security/index.js +1 -2
- package/dist/cjs/naylence/fame/security/node-security-profile-factory.js +1 -52
- package/dist/cjs/version.js +2 -2
- package/dist/esm/naylence/fame/node/factory-commons.js +2 -3
- package/dist/esm/naylence/fame/security/auth/policy/authorization-policy-definition.js +1 -1
- package/dist/esm/naylence/fame/security/auth/policy/basic-authorization-policy.js +18 -59
- package/dist/esm/naylence/fame/security/index.js +1 -1
- package/dist/esm/naylence/fame/security/node-security-profile-factory.js +0 -51
- package/dist/esm/version.js +2 -2
- package/dist/node/index.cjs +23 -118
- package/dist/node/index.mjs +24 -118
- package/dist/node/node.cjs +23 -118
- package/dist/node/node.mjs +24 -118
- package/dist/types/naylence/fame/security/auth/policy/authorization-policy-definition.d.ts +5 -1
- package/dist/types/naylence/fame/security/auth/policy/basic-authorization-policy.d.ts +0 -6
- package/dist/types/naylence/fame/security/index.d.ts +1 -1
- package/dist/types/naylence/fame/security/node-security-profile-factory.d.ts +0 -1
- package/dist/types/version.d.ts +1 -1
- package/package.json +1 -1
package/dist/node/index.mjs
CHANGED
|
@@ -13,12 +13,12 @@ import fastify from 'fastify';
|
|
|
13
13
|
import websocketPlugin from '@fastify/websocket';
|
|
14
14
|
|
|
15
15
|
// This file is auto-generated during build - do not edit manually
|
|
16
|
-
// Generated from package.json version: 0.4.
|
|
16
|
+
// Generated from package.json version: 0.4.10
|
|
17
17
|
/**
|
|
18
18
|
* The package version, injected at build time.
|
|
19
19
|
* @internal
|
|
20
20
|
*/
|
|
21
|
-
const VERSION = '0.4.
|
|
21
|
+
const VERSION = '0.4.10';
|
|
22
22
|
|
|
23
23
|
/**
|
|
24
24
|
* Fame protocol specific error classes with WebSocket close codes and proper inheritance.
|
|
@@ -13680,9 +13680,8 @@ function requiresCryptoProvider(config) {
|
|
|
13680
13680
|
const profile = record.profile;
|
|
13681
13681
|
if (typeof profile === 'string') {
|
|
13682
13682
|
const profileLower = profile.toLowerCase();
|
|
13683
|
-
// Overlay variants require crypto provider for envelope signing
|
|
13684
|
-
if (profileLower.includes('overlay')
|
|
13685
|
-
profileLower === 'strict-overlay') {
|
|
13683
|
+
// Overlay variants (including strict-overlay) require crypto provider for envelope signing
|
|
13684
|
+
if (profileLower.includes('overlay')) {
|
|
13686
13685
|
return true;
|
|
13687
13686
|
}
|
|
13688
13687
|
}
|
|
@@ -22123,7 +22122,7 @@ const KNOWN_RULE_FIELDS = new Set([
|
|
|
22123
22122
|
'effect',
|
|
22124
22123
|
'action',
|
|
22125
22124
|
'address',
|
|
22126
|
-
'frame_type',
|
|
22125
|
+
'frame_type', // Reserved for advanced-security
|
|
22127
22126
|
'origin_type',
|
|
22128
22127
|
'scope',
|
|
22129
22128
|
'when', // Reserved for advanced-security
|
|
@@ -22646,11 +22645,6 @@ class BasicAuthorizationPolicy {
|
|
|
22646
22645
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
22647
22646
|
const address = extractAddress(envelope);
|
|
22648
22647
|
const grantedScopes = extractGrantedScopes(context);
|
|
22649
|
-
const rawFrameType = envelope.frame
|
|
22650
|
-
?.type;
|
|
22651
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
22652
|
-
? rawFrameType.trim().toLowerCase()
|
|
22653
|
-
: '';
|
|
22654
22648
|
// Extract and normalize origin type for rule matching
|
|
22655
22649
|
const rawOriginType = context?.originType;
|
|
22656
22650
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -22668,22 +22662,16 @@ class BasicAuthorizationPolicy {
|
|
|
22668
22662
|
step.expression = 'when clause (skipped by basic policy)';
|
|
22669
22663
|
step.result = false;
|
|
22670
22664
|
evaluationTrace.push(step);
|
|
22665
|
+
logger$J.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
22671
22666
|
continue;
|
|
22672
22667
|
}
|
|
22673
|
-
//
|
|
22674
|
-
if (rule.
|
|
22675
|
-
|
|
22676
|
-
|
|
22677
|
-
|
|
22678
|
-
|
|
22679
|
-
|
|
22680
|
-
}
|
|
22681
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
22682
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
22683
|
-
step.result = false;
|
|
22684
|
-
evaluationTrace.push(step);
|
|
22685
|
-
continue;
|
|
22686
|
-
}
|
|
22668
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
22669
|
+
if (rule.hasFrameTypeClause) {
|
|
22670
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
22671
|
+
step.result = false;
|
|
22672
|
+
evaluationTrace.push(step);
|
|
22673
|
+
logger$J.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
22674
|
+
continue;
|
|
22687
22675
|
}
|
|
22688
22676
|
// Check origin type match (early gate for efficiency)
|
|
22689
22677
|
if (rule.originTypes) {
|
|
@@ -22798,8 +22786,14 @@ class BasicAuthorizationPolicy {
|
|
|
22798
22786
|
const actions = this.compileActions(rule.action, id);
|
|
22799
22787
|
// Compile address patterns (glob-only, no regex)
|
|
22800
22788
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
22801
|
-
//
|
|
22802
|
-
const
|
|
22789
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
22790
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
22791
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
22792
|
+
logger$J.warning('reserved_field_frame_type_will_be_skipped', {
|
|
22793
|
+
ruleId: id,
|
|
22794
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
22795
|
+
});
|
|
22796
|
+
}
|
|
22803
22797
|
// Compile origin type gating
|
|
22804
22798
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
22805
22799
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -22826,11 +22820,12 @@ class BasicAuthorizationPolicy {
|
|
|
22826
22820
|
description: rule.description,
|
|
22827
22821
|
effect: rule.effect,
|
|
22828
22822
|
actions,
|
|
22829
|
-
frameTypes,
|
|
22823
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
22830
22824
|
originTypes,
|
|
22831
22825
|
addressPatterns,
|
|
22832
22826
|
scopeMatcher,
|
|
22833
22827
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
22828
|
+
hasFrameTypeClause,
|
|
22834
22829
|
};
|
|
22835
22830
|
}
|
|
22836
22831
|
/**
|
|
@@ -22920,43 +22915,6 @@ class BasicAuthorizationPolicy {
|
|
|
22920
22915
|
}
|
|
22921
22916
|
return patterns;
|
|
22922
22917
|
}
|
|
22923
|
-
/**
|
|
22924
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
22925
|
-
* Supports single string or array of strings (implicit any-of).
|
|
22926
|
-
* Returns undefined if not specified (no frame type gating).
|
|
22927
|
-
*/
|
|
22928
|
-
compileFrameTypes(frameType, ruleId) {
|
|
22929
|
-
if (frameType === undefined) {
|
|
22930
|
-
return undefined;
|
|
22931
|
-
}
|
|
22932
|
-
// Handle single frame type
|
|
22933
|
-
if (typeof frameType === 'string') {
|
|
22934
|
-
const normalized = frameType.trim().toLowerCase();
|
|
22935
|
-
if (!normalized) {
|
|
22936
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
22937
|
-
}
|
|
22938
|
-
return new Set([normalized]);
|
|
22939
|
-
}
|
|
22940
|
-
// Handle array of frame types
|
|
22941
|
-
if (!Array.isArray(frameType)) {
|
|
22942
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
22943
|
-
}
|
|
22944
|
-
if (frameType.length === 0) {
|
|
22945
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
22946
|
-
}
|
|
22947
|
-
const frameTypes = new Set();
|
|
22948
|
-
for (const ft of frameType) {
|
|
22949
|
-
if (typeof ft !== 'string') {
|
|
22950
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
22951
|
-
}
|
|
22952
|
-
const normalized = ft.trim().toLowerCase();
|
|
22953
|
-
if (!normalized) {
|
|
22954
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
22955
|
-
}
|
|
22956
|
-
frameTypes.add(normalized);
|
|
22957
|
-
}
|
|
22958
|
-
return frameTypes;
|
|
22959
|
-
}
|
|
22960
22918
|
/**
|
|
22961
22919
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
22962
22920
|
* Supports single string or array of strings (implicit any-of).
|
|
@@ -29610,61 +29568,11 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
|
|
|
29610
29568
|
const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
|
|
29611
29569
|
const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
|
|
29612
29570
|
const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
|
|
29613
|
-
const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
|
|
29614
29571
|
const PROFILE_NAME_OVERLAY = 'overlay';
|
|
29615
29572
|
const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
|
|
29616
29573
|
const PROFILE_NAME_GATED = 'gated';
|
|
29617
29574
|
const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
|
|
29618
29575
|
const PROFILE_NAME_OPEN$1 = 'open';
|
|
29619
|
-
const STRICT_OVERLAY_PROFILE = {
|
|
29620
|
-
type: 'DefaultSecurityManager',
|
|
29621
|
-
security_policy: {
|
|
29622
|
-
type: 'DefaultSecurityPolicy',
|
|
29623
|
-
signing: {
|
|
29624
|
-
signing_material: 'x509-chain',
|
|
29625
|
-
require_cert_sid_match: true,
|
|
29626
|
-
inbound: {
|
|
29627
|
-
signature_policy: 'required',
|
|
29628
|
-
unsigned_violation_action: 'nack',
|
|
29629
|
-
invalid_signature_action: 'nack',
|
|
29630
|
-
},
|
|
29631
|
-
response: {
|
|
29632
|
-
mirror_request_signing: true,
|
|
29633
|
-
always_sign_responses: false,
|
|
29634
|
-
sign_error_responses: true,
|
|
29635
|
-
},
|
|
29636
|
-
outbound: {
|
|
29637
|
-
default_signing: true,
|
|
29638
|
-
sign_sensitive_operations: true,
|
|
29639
|
-
sign_if_recipient_expects: true,
|
|
29640
|
-
},
|
|
29641
|
-
},
|
|
29642
|
-
encryption: {
|
|
29643
|
-
inbound: {
|
|
29644
|
-
allow_plaintext: true,
|
|
29645
|
-
allow_channel: true,
|
|
29646
|
-
allow_sealed: true,
|
|
29647
|
-
plaintext_violation_action: 'nack',
|
|
29648
|
-
channel_violation_action: 'nack',
|
|
29649
|
-
sealed_violation_action: 'nack',
|
|
29650
|
-
},
|
|
29651
|
-
response: {
|
|
29652
|
-
mirror_request_level: true,
|
|
29653
|
-
minimum_response_level: 'plaintext',
|
|
29654
|
-
escalate_sealed_responses: false,
|
|
29655
|
-
},
|
|
29656
|
-
outbound: {
|
|
29657
|
-
default_level: Expressions.env(ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, 'channel'),
|
|
29658
|
-
escalate_if_peer_supports: false,
|
|
29659
|
-
prefer_sealed_for_sensitive: false,
|
|
29660
|
-
},
|
|
29661
|
-
},
|
|
29662
|
-
},
|
|
29663
|
-
authorizer: {
|
|
29664
|
-
type: 'AuthorizationProfile',
|
|
29665
|
-
profile: Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
|
|
29666
|
-
},
|
|
29667
|
-
};
|
|
29668
29576
|
const OVERLAY_PROFILE = {
|
|
29669
29577
|
type: 'DefaultSecurityManager',
|
|
29670
29578
|
security_policy: {
|
|
@@ -29867,7 +29775,6 @@ const OPEN_PROFILE$1 = {
|
|
|
29867
29775
|
};
|
|
29868
29776
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY, OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
|
|
29869
29777
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY_CALLBACK, OVERLAY_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
|
|
29870
|
-
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_STRICT_OVERLAY, STRICT_OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
|
|
29871
29778
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED, GATED_PROFILE, { source: 'node-security-profile-factory' });
|
|
29872
29779
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED_CALLBACK, GATED_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
|
|
29873
29780
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OPEN$1, OPEN_PROFILE$1, { source: 'node-security-profile-factory' });
|
|
@@ -30004,7 +29911,6 @@ var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
|
|
|
30004
29911
|
PROFILE_NAME_OPEN: PROFILE_NAME_OPEN$1,
|
|
30005
29912
|
PROFILE_NAME_OVERLAY: PROFILE_NAME_OVERLAY,
|
|
30006
29913
|
PROFILE_NAME_OVERLAY_CALLBACK: PROFILE_NAME_OVERLAY_CALLBACK,
|
|
30007
|
-
PROFILE_NAME_STRICT_OVERLAY: PROFILE_NAME_STRICT_OVERLAY,
|
|
30008
29914
|
default: NodeSecurityProfileFactory
|
|
30009
29915
|
});
|
|
30010
29916
|
|
|
@@ -43739,4 +43645,4 @@ var websocketTransportProvisioner = /*#__PURE__*/Object.freeze({
|
|
|
43739
43645
|
WebSocketTransportProvisionerFactory: WebSocketTransportProvisionerFactory
|
|
43740
43646
|
});
|
|
43741
43647
|
|
|
43742
|
-
export { ADMISSION_CLIENT_FACTORY_BASE_TYPE, ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AUTHORIZER_FACTORY_BASE_TYPE, AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 as AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, ENV_VAR_HMAC_SECRET$1 as AUTH_PROFILE_ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL$1 as AUTH_PROFILE_ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM$1 as AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$2 as AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_TRUSTED_CLIENT_SCOPE$1 as AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE, PROFILE_NAME_DEFAULT as AUTH_PROFILE_NAME_DEFAULT, PROFILE_NAME_NOOP$2 as AUTH_PROFILE_NAME_NOOP, PROFILE_NAME_OAUTH2 as AUTH_PROFILE_NAME_OAUTH2, PROFILE_NAME_OAUTH2_CALLBACK as AUTH_PROFILE_NAME_OAUTH2_CALLBACK, PROFILE_NAME_OAUTH2_GATED as AUTH_PROFILE_NAME_OAUTH2_GATED, AnsiColor, AsyncLock, AttachmentKeyValidator, AuthInjectionStrategyFactory, AuthorizationPolicyFactory, AuthorizationPolicySourceFactory, AuthorizationProfileFactory, AuthorizerFactory, BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE, BackPressureFull, BaseAsyncConnector, BaseNodeEventListener, BasicAuthorizationPolicy, BasicAuthorizationPolicyFactory, BindingManager, BindingStoreEntryRecord, BrowserAutoKeyCredentialProvider, BrowserWrappedKeyCredentialProvider, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE, CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE, CRYPTO_LEVEL_SECURITY_ORDER, CertificateManagerFactory, ConnectionRetryPolicyFactory, ConnectorConfigDefaults, ConnectorFactory, ConsoleMetricsEmitter, CryptoLevel, FACTORY_META$11 as DEFAULT_WELCOME_FACTORY_META, DefaultConnectionRetryPolicy, DefaultConnectionRetryPolicyFactory, DefaultCryptoProvider, DefaultKeyManager, DefaultNodeIdentityPolicy, DefaultNodeIdentityPolicyFactory, DefaultSecurityManager, DefaultSecurityPolicy, DefaultWelcomeService, DefaultWelcomeServiceFactory, DevFixedKeyCredentialProvider, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, ENV_VAR_AUTHORIZATION_PROFILE, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$1 as ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_SESSION_MAX_INITIAL_ATTEMPTS, ENV_VAR_SHOW_ENVELOPES$1 as ENV_VAR_SHOW_ENVELOPES, EdDSAEnvelopeSigner, EncryptedKeyValueStore, EncryptedStorageProviderBase, EncryptedValue, EncryptionConfiguration, EncryptionManagerFactory, EncryptionResult, EncryptionStatus, EnvCredentialProvider, EnvelopeContext, EnvelopeListenerManager, EnvelopeSecurityHandler, EnvelopeSignerFactory, EnvelopeVerifierFactory, FACTORY_META$12 as FACTORY_META, FIXED_PREFIX_LEN, FameAuthorizedDeliveryContextSchema, FameConnectError, FameEnvironmentContext, FameError, FameMessageTooLarge, FameNode, FameNodeAuthorizationContextSchema, FameProtocolError, FameTransportClose, FlowController, GRANT_PURPOSE_NODE_ATTACH, HTTP_CONNECTION_GRANT_TYPE, HTTP_STATELESS_CONNECTOR_TYPE, INPAGE_CONNECTION_GRANT_TYPE, INPAGE_CONNECTOR_TYPE, InMemoryBinding, InMemoryFanoutBroker, InMemoryKeyValueStore, InMemoryReadWriteChannel, InMemoryStorageProvider, InPageConnector, IndexedDBKeyValueStore, IndexedDBStorageProvider, InvalidPassphraseError, JWKValidationError, KEY_MANAGER_FACTORY_BASE_TYPE, KEY_STORE_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, KeyInfo, KeyManagementHandler, KeyManagerFactory, KeyStore, KeyStoreFactory, KeyValidationError, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, LogLevel, LogLevelNames, MAX_SCOPE_NESTING_DEPTH, MemoryMetricsEmitter, NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NODE_LIKE_FACTORY_BASE_TYPE, NODE_PLACEMENT_STRATEGY_FACTORY_BASE_TYPE, NoOpMetricsEmitter, NoSecurityPolicy, NodeFactory, NodeIdentityPolicyFactory, NodeIdentityPolicyProfileFactory, NodePlacementStrategyFactory, NoneCredentialProvider, NoopEncryptionManager, NoopKeyValidator, NoopTrustStoreProvider, NotAuthorized, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN$1 as PROFILE_NAME_OPEN, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK,
|
|
43648
|
+
export { ADMISSION_CLIENT_FACTORY_BASE_TYPE, ATTACHMENT_KEY_VALIDATOR_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, AUTHORIZER_FACTORY_BASE_TYPE, AUTH_INJECTION_STRATEGY_FACTORY_BASE_TYPE, ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY$1 as AUTH_PROFILE_ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY, ENV_VAR_HMAC_SECRET$1 as AUTH_PROFILE_ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL$1 as AUTH_PROFILE_ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM$1 as AUTH_PROFILE_ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$2 as AUTH_PROFILE_ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER$1 as AUTH_PROFILE_ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_TRUSTED_CLIENT_SCOPE$1 as AUTH_PROFILE_ENV_VAR_TRUSTED_CLIENT_SCOPE, PROFILE_NAME_DEFAULT as AUTH_PROFILE_NAME_DEFAULT, PROFILE_NAME_NOOP$2 as AUTH_PROFILE_NAME_NOOP, PROFILE_NAME_OAUTH2 as AUTH_PROFILE_NAME_OAUTH2, PROFILE_NAME_OAUTH2_CALLBACK as AUTH_PROFILE_NAME_OAUTH2_CALLBACK, PROFILE_NAME_OAUTH2_GATED as AUTH_PROFILE_NAME_OAUTH2_GATED, AnsiColor, AsyncLock, AttachmentKeyValidator, AuthInjectionStrategyFactory, AuthorizationPolicyFactory, AuthorizationPolicySourceFactory, AuthorizationProfileFactory, AuthorizerFactory, BROADCAST_CHANNEL_CONNECTION_GRANT_TYPE, BackPressureFull, BaseAsyncConnector, BaseNodeEventListener, BasicAuthorizationPolicy, BasicAuthorizationPolicyFactory, BindingManager, BindingStoreEntryRecord, BrowserAutoKeyCredentialProvider, BrowserWrappedKeyCredentialProvider, CERTIFICATE_MANAGER_FACTORY_BASE_TYPE, CONNECTION_RETRY_POLICY_FACTORY_BASE_TYPE, CREDENTIAL_PROVIDER_FACTORY_BASE_TYPE, CRYPTO_LEVEL_SECURITY_ORDER, CertificateManagerFactory, ConnectionRetryPolicyFactory, ConnectorConfigDefaults, ConnectorFactory, ConsoleMetricsEmitter, CryptoLevel, FACTORY_META$11 as DEFAULT_WELCOME_FACTORY_META, DefaultConnectionRetryPolicy, DefaultConnectionRetryPolicyFactory, DefaultCryptoProvider, DefaultKeyManager, DefaultNodeIdentityPolicy, DefaultNodeIdentityPolicyFactory, DefaultSecurityManager, DefaultSecurityPolicy, DefaultWelcomeService, DefaultWelcomeServiceFactory, DevFixedKeyCredentialProvider, ENCRYPTION_MANAGER_FACTORY_BASE_TYPE, ENVELOPE_SIGNER_FACTORY_BASE_TYPE, ENVELOPE_VERIFIER_FACTORY_BASE_TYPE, ENV_VAR_AUTHORIZATION_PROFILE, ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, ENV_VAR_HMAC_SECRET, ENV_VAR_JWKS_URL, ENV_VAR_JWT_ALGORITHM, ENV_VAR_JWT_AUDIENCE$1 as ENV_VAR_JWT_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE, ENV_VAR_JWT_REVERSE_AUTH_TRUSTED_ISSUER, ENV_VAR_JWT_TRUSTED_ISSUER, ENV_VAR_SESSION_MAX_INITIAL_ATTEMPTS, ENV_VAR_SHOW_ENVELOPES$1 as ENV_VAR_SHOW_ENVELOPES, EdDSAEnvelopeSigner, EncryptedKeyValueStore, EncryptedStorageProviderBase, EncryptedValue, EncryptionConfiguration, EncryptionManagerFactory, EncryptionResult, EncryptionStatus, EnvCredentialProvider, EnvelopeContext, EnvelopeListenerManager, EnvelopeSecurityHandler, EnvelopeSignerFactory, EnvelopeVerifierFactory, FACTORY_META$12 as FACTORY_META, FIXED_PREFIX_LEN, FameAuthorizedDeliveryContextSchema, FameConnectError, FameEnvironmentContext, FameError, FameMessageTooLarge, FameNode, FameNodeAuthorizationContextSchema, FameProtocolError, FameTransportClose, FlowController, GRANT_PURPOSE_NODE_ATTACH, HTTP_CONNECTION_GRANT_TYPE, HTTP_STATELESS_CONNECTOR_TYPE, INPAGE_CONNECTION_GRANT_TYPE, INPAGE_CONNECTOR_TYPE, InMemoryBinding, InMemoryFanoutBroker, InMemoryKeyValueStore, InMemoryReadWriteChannel, InMemoryStorageProvider, InPageConnector, IndexedDBKeyValueStore, IndexedDBStorageProvider, InvalidPassphraseError, JWKValidationError, KEY_MANAGER_FACTORY_BASE_TYPE, KEY_STORE_FACTORY_BASE_TYPE, KNOWN_POLICY_FIELDS, KNOWN_RULE_FIELDS, KeyInfo, KeyManagementHandler, KeyManagerFactory, KeyStore, KeyStoreFactory, KeyValidationError, LOAD_BALANCER_STICKINESS_MANAGER_FACTORY_BASE_TYPE, LoadBalancerStickinessManagerFactory, LogLevel, LogLevelNames, MAX_SCOPE_NESTING_DEPTH, MemoryMetricsEmitter, NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NODE_LIKE_FACTORY_BASE_TYPE, NODE_PLACEMENT_STRATEGY_FACTORY_BASE_TYPE, NoOpMetricsEmitter, NoSecurityPolicy, NodeFactory, NodeIdentityPolicyFactory, NodeIdentityPolicyProfileFactory, NodePlacementStrategyFactory, NoneCredentialProvider, NoopEncryptionManager, NoopKeyValidator, NoopTrustStoreProvider, NotAuthorized, PROFILE_NAME_GATED, PROFILE_NAME_GATED_CALLBACK, PROFILE_NAME_OPEN$1 as PROFILE_NAME_OPEN, PROFILE_NAME_OVERLAY, PROFILE_NAME_OVERLAY_CALLBACK, PromptCredentialProvider, REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE, REQUIRED_FIELDS_BY_KTY, ReplicaStickinessManagerFactory, RootSessionManager, RouteManager, RpcMixin, RpcProxy, SEALED_ENVELOPE_NONCE_LENGTH, SEALED_ENVELOPE_OVERHEAD, SEALED_ENVELOPE_PRIVATE_KEY_LENGTH, SEALED_ENVELOPE_PUBLIC_KEY_LENGTH, SEALED_ENVELOPE_TAG_LENGTH, SECURE_CHANNEL_MANAGER_FACTORY_BASE_TYPE, SECURITY_MANAGER_FACTORY_BASE_TYPE, SECURITY_POLICY_FACTORY_BASE_TYPE, STORAGE_PROVIDER_FACTORY_BASE_TYPE, SecretSource, SecretStoreCredentialProvider, SecureChannelFrameHandler, SecureChannelManagerFactory, SecurityAction, SecurityRequirements, Sentinel, SentinelFactory, SessionKeyCredentialProvider, SignaturePolicy, SigningConfig as SigningConfigClass, SigningConfiguration, SimpleLoadBalancerStickinessManager, SimpleLoadBalancerStickinessManagerFactory, StaticCredentialProvider, StorageAESEncryptionManager, TOKEN_ISSUER_FACTORY_BASE_TYPE, TOKEN_PROVIDER_FACTORY_BASE_TYPE, TOKEN_VERIFIER_FACTORY_BASE_TYPE, TRANSPORT_PROVISIONER_FACTORY_BASE_TYPE, TRUST_STORE_PROVIDER_FACTORY_BASE_TYPE, TaskSpawner, TokenIssuerFactory, TokenProviderFactory, TokenSubjectNodeIdentityPolicy, TokenSubjectNodeIdentityPolicyFactory, TokenVerifierFactory, TransportProvisionerFactory, TrustStoreProviderFactory, TtlValidationError, UpstreamSessionManager, VALID_ACTIONS, VALID_CURVES_BY_KTY, VALID_EFFECTS, VALID_KEY_USES, VALID_ORIGIN_TYPES, VERSION, WEBSOCKET_CONNECTION_GRANT_TYPE, WELCOME_SERVICE_FACTORY_BASE_TYPE, WebSocketCloseCode, WebSocketConnector, WebSocketState, WelcomeServiceFactory, _NoopFlowController, __runtimePluginLoader, addEnvelopeFields, addLogLevel, addTimestamp, assertConnectionGrant, assertGrant, assertNotRegexPattern, basicConfig, broadcastChannelGrantToConnectorConfig, camelToSnakeCase, canonicalJson, capitalizeFirstLetter, clearProfiles, color, compareCryptoLevels, compileGlobOnlyScopeRequirement, compileGlobPattern, compilePattern, compileScopeRequirement, compiledPathPattern, consoleTransport, convertWildcardLogicalToDnsConstraint, createConnectorConfig, createEd25519Keypair, createHostLogicalUri, createLogicalUri, createNodeDeliveryContext, createResource, createRpcProxy, createRsaKeypair, createTransportCloseError, createX25519Keypair, credentialToString, currentTraceId$1 as currentTraceId, debounce, decodeBase64Url, decodeFameDataPayload, deepMerge, defaultJsonEncoder, delay, dropEmpty, enableLogging, encodeUtf8, ensureRuntimeFactoriesRegistered, evaluateScopeRequirement, extractId, extractPoolAddressBase, extractPoolBase, filterKeysByUse, formatTimestamp, formatTimestampForConsole$1 as formatTimestampForConsole, frameDigest, getCompiledGlobPattern, getCurrentEnvelope, getFabricForNode, getFameRoot, getKeyProvider, getKeyStore, getLogger, getProfile, hasCryptoSupport, hostnameToLogical, hostnamesToLogicals, httpGrantToConnectorConfig, immutableHeaders, inPageGrantToConnectorConfig, isAuthInjectionStrategy, isBroadcastChannelConnectionGrant, isConnectionGrant, isConnectorConfig, isEnvelopeLoggingEnabled, isFameError, isFameErrorType, isGrant, isHttpConnectionGrant, isIdentityExposingTokenProvider, isInPageConnectionGrant, isNodeLike, isPlainObject$4 as isPlainObject, isPoolAddress, isPoolLogical, isRegexPattern, isRegisterable, isTokenExpired, isTokenProvider, isTokenValid, isWebSocketConnectionGrant, jsonDumps, listProfiles, logicalPatternsToDnsConstraints, logicalToHostname, logicalsToHostnames, matchPattern, matchesPoolAddress, matchesPoolLogical, maybeAwait, nodeWelcomeRouter, nodeWelcomeRouterPlugin, normalizeBroadcastChannelConnectionGrant, normalizeEncryptionConfig, normalizeEnvelopeSnapshot, normalizeHttpConnectionGrant, normalizeInPageConnectionGrant, normalizeInboundCryptoRules, normalizeInboundSigningRules, normalizeOutboundCryptoRules, normalizeOutboundSigningRules, normalizePath, normalizeResponseCryptoRules, normalizeResponseSigningRules, normalizeScopeRequirement, normalizeSecretSource, normalizeSecurityRequirements, normalizeSigningConfig, normalizeWebSocketConnectionGrant, objectToBytes, operation, parseSealedEnvelope, pinoTransport, prettyModel$1 as prettyModel, registerDefaultFactories, registerDefaultKeyStoreFactory, registerNodePlacementStrategyFactory, registerProfile, registerRuntimeFactories, requireCryptoSupport, retryWithBackoff, safeColor, safeImport, sealedDecrypt, sealedEncrypt, secureDigest, setKeyStore, showEnvelopes$1 as showEnvelopes, sleep, snakeToCamelCase, stringifyNonPrimitives, supportsColor, throttle, urlsafeBase64Decode, urlsafeBase64Encode, validateCacheTtlSec, validateEncryptionKey, validateHostLogical, validateHostLogicals, validateJwkComplete, validateJwkStructure, validateJwkUseField, validateJwtTokenTtlSec, validateKeyCorrelationTtlSec, validateLogical, validateLogicalSegment, validateOAuth2TtlSec, validateSigningKey, validateTtlSec, waitForAll, waitForAllSettled, waitForAny, websocketGrantToConnectorConfig, withEnvelopeContext, withEnvelopeContextAsync, withLegacySnakeCaseKeys, withLock, withTimeout };
|
package/dist/node/node.cjs
CHANGED
|
@@ -4436,12 +4436,12 @@ async function ensureRuntimeFactoriesRegistered(registry = factory.Registry) {
|
|
|
4436
4436
|
}
|
|
4437
4437
|
|
|
4438
4438
|
// This file is auto-generated during build - do not edit manually
|
|
4439
|
-
// Generated from package.json version: 0.4.
|
|
4439
|
+
// Generated from package.json version: 0.4.10
|
|
4440
4440
|
/**
|
|
4441
4441
|
* The package version, injected at build time.
|
|
4442
4442
|
* @internal
|
|
4443
4443
|
*/
|
|
4444
|
-
const VERSION = '0.4.
|
|
4444
|
+
const VERSION = '0.4.10';
|
|
4445
4445
|
|
|
4446
4446
|
let initialized = false;
|
|
4447
4447
|
const runtimePlugin = {
|
|
@@ -15828,9 +15828,8 @@ function requiresCryptoProvider(config) {
|
|
|
15828
15828
|
const profile = record.profile;
|
|
15829
15829
|
if (typeof profile === 'string') {
|
|
15830
15830
|
const profileLower = profile.toLowerCase();
|
|
15831
|
-
// Overlay variants require crypto provider for envelope signing
|
|
15832
|
-
if (profileLower.includes('overlay')
|
|
15833
|
-
profileLower === 'strict-overlay') {
|
|
15831
|
+
// Overlay variants (including strict-overlay) require crypto provider for envelope signing
|
|
15832
|
+
if (profileLower.includes('overlay')) {
|
|
15834
15833
|
return true;
|
|
15835
15834
|
}
|
|
15836
15835
|
}
|
|
@@ -23331,7 +23330,7 @@ const KNOWN_RULE_FIELDS = new Set([
|
|
|
23331
23330
|
'effect',
|
|
23332
23331
|
'action',
|
|
23333
23332
|
'address',
|
|
23334
|
-
'frame_type',
|
|
23333
|
+
'frame_type', // Reserved for advanced-security
|
|
23335
23334
|
'origin_type',
|
|
23336
23335
|
'scope',
|
|
23337
23336
|
'when', // Reserved for advanced-security
|
|
@@ -23861,11 +23860,6 @@ class BasicAuthorizationPolicy {
|
|
|
23861
23860
|
const resolvedActionNormalized = this.normalizeActionToken(resolvedAction) ?? resolvedAction;
|
|
23862
23861
|
const address = extractAddress(envelope);
|
|
23863
23862
|
const grantedScopes = extractGrantedScopes(context);
|
|
23864
|
-
const rawFrameType = envelope.frame
|
|
23865
|
-
?.type;
|
|
23866
|
-
const frameTypeNormalized = typeof rawFrameType === 'string' && rawFrameType.trim().length > 0
|
|
23867
|
-
? rawFrameType.trim().toLowerCase()
|
|
23868
|
-
: '';
|
|
23869
23863
|
// Extract and normalize origin type for rule matching
|
|
23870
23864
|
const rawOriginType = context?.originType;
|
|
23871
23865
|
const originTypeNormalized = typeof rawOriginType === 'string'
|
|
@@ -23883,22 +23877,16 @@ class BasicAuthorizationPolicy {
|
|
|
23883
23877
|
step.expression = 'when clause (skipped by basic policy)';
|
|
23884
23878
|
step.result = false;
|
|
23885
23879
|
evaluationTrace.push(step);
|
|
23880
|
+
logger$M.debug('rule_skipped_when_clause', { ruleId: rule.id });
|
|
23886
23881
|
continue;
|
|
23887
23882
|
}
|
|
23888
|
-
//
|
|
23889
|
-
if (rule.
|
|
23890
|
-
|
|
23891
|
-
|
|
23892
|
-
|
|
23893
|
-
|
|
23894
|
-
|
|
23895
|
-
}
|
|
23896
|
-
if (!rule.frameTypes.has(frameTypeNormalized)) {
|
|
23897
|
-
step.expression = `frame_type: ${rawFrameType ?? 'unknown'} not in rule set`;
|
|
23898
|
-
step.result = false;
|
|
23899
|
-
evaluationTrace.push(step);
|
|
23900
|
-
continue;
|
|
23901
|
-
}
|
|
23883
|
+
// Skip rules with 'frame_type' clause (reserved for advanced-security package)
|
|
23884
|
+
if (rule.hasFrameTypeClause) {
|
|
23885
|
+
step.expression = 'frame_type clause (skipped by basic policy)';
|
|
23886
|
+
step.result = false;
|
|
23887
|
+
evaluationTrace.push(step);
|
|
23888
|
+
logger$M.debug('rule_skipped_frame_type_clause', { ruleId: rule.id });
|
|
23889
|
+
continue;
|
|
23902
23890
|
}
|
|
23903
23891
|
// Check origin type match (early gate for efficiency)
|
|
23904
23892
|
if (rule.originTypes) {
|
|
@@ -24013,8 +24001,14 @@ class BasicAuthorizationPolicy {
|
|
|
24013
24001
|
const actions = this.compileActions(rule.action, id);
|
|
24014
24002
|
// Compile address patterns (glob-only, no regex)
|
|
24015
24003
|
const addressPatterns = this.compileAddress(rule.address, id);
|
|
24016
|
-
//
|
|
24017
|
-
const
|
|
24004
|
+
// Check for frame_type clause (reserved for advanced-security)
|
|
24005
|
+
const hasFrameTypeClause = rule.frame_type !== undefined;
|
|
24006
|
+
if (hasFrameTypeClause && warnOnUnknown) {
|
|
24007
|
+
logger$M.warning('reserved_field_frame_type_will_be_skipped', {
|
|
24008
|
+
ruleId: id,
|
|
24009
|
+
message: `Rule "${id}" uses reserved field "frame_type" which is only supported in advanced-security package. This rule will be skipped during evaluation.`,
|
|
24010
|
+
});
|
|
24011
|
+
}
|
|
24018
24012
|
// Compile origin type gating
|
|
24019
24013
|
const originTypes = this.compileOriginTypes(rule.origin_type, id);
|
|
24020
24014
|
// Compile scope matcher (glob-only, no regex)
|
|
@@ -24041,11 +24035,12 @@ class BasicAuthorizationPolicy {
|
|
|
24041
24035
|
description: rule.description,
|
|
24042
24036
|
effect: rule.effect,
|
|
24043
24037
|
actions,
|
|
24044
|
-
frameTypes,
|
|
24038
|
+
frameTypes: undefined, // No longer used; reserved for advanced-security
|
|
24045
24039
|
originTypes,
|
|
24046
24040
|
addressPatterns,
|
|
24047
24041
|
scopeMatcher,
|
|
24048
24042
|
hasWhenClause: typeof rule.when === 'string' && rule.when.length > 0,
|
|
24043
|
+
hasFrameTypeClause,
|
|
24049
24044
|
};
|
|
24050
24045
|
}
|
|
24051
24046
|
/**
|
|
@@ -24135,43 +24130,6 @@ class BasicAuthorizationPolicy {
|
|
|
24135
24130
|
}
|
|
24136
24131
|
return patterns;
|
|
24137
24132
|
}
|
|
24138
|
-
/**
|
|
24139
|
-
* Compiles frame_type field into a Set of normalized frame types.
|
|
24140
|
-
* Supports single string or array of strings (implicit any-of).
|
|
24141
|
-
* Returns undefined if not specified (no frame type gating).
|
|
24142
|
-
*/
|
|
24143
|
-
compileFrameTypes(frameType, ruleId) {
|
|
24144
|
-
if (frameType === undefined) {
|
|
24145
|
-
return undefined;
|
|
24146
|
-
}
|
|
24147
|
-
// Handle single frame type
|
|
24148
|
-
if (typeof frameType === 'string') {
|
|
24149
|
-
const normalized = frameType.trim().toLowerCase();
|
|
24150
|
-
if (!normalized) {
|
|
24151
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": value must not be empty`);
|
|
24152
|
-
}
|
|
24153
|
-
return new Set([normalized]);
|
|
24154
|
-
}
|
|
24155
|
-
// Handle array of frame types
|
|
24156
|
-
if (!Array.isArray(frameType)) {
|
|
24157
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": must be a string or array of strings`);
|
|
24158
|
-
}
|
|
24159
|
-
if (frameType.length === 0) {
|
|
24160
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": array must not be empty`);
|
|
24161
|
-
}
|
|
24162
|
-
const frameTypes = new Set();
|
|
24163
|
-
for (const ft of frameType) {
|
|
24164
|
-
if (typeof ft !== 'string') {
|
|
24165
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": all values must be strings`);
|
|
24166
|
-
}
|
|
24167
|
-
const normalized = ft.trim().toLowerCase();
|
|
24168
|
-
if (!normalized) {
|
|
24169
|
-
throw new Error(`Invalid frame_type in rule "${ruleId}": values must not be empty`);
|
|
24170
|
-
}
|
|
24171
|
-
frameTypes.add(normalized);
|
|
24172
|
-
}
|
|
24173
|
-
return frameTypes;
|
|
24174
|
-
}
|
|
24175
24133
|
/**
|
|
24176
24134
|
* Compiles origin_type field into a Set of normalized origin types.
|
|
24177
24135
|
* Supports single string or array of strings (implicit any-of).
|
|
@@ -30833,61 +30791,11 @@ const ENV_VAR_JWT_REVERSE_AUTH_AUDIENCE = 'FAME_JWT_REVERSE_AUTH_AUDIENCE';
|
|
|
30833
30791
|
const ENV_VAR_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY = 'FAME_ENFORCE_TOKEN_SUBJECT_NODE_IDENTITY';
|
|
30834
30792
|
const ENV_VAR_TRUSTED_CLIENT_SCOPE = 'FAME_TRUSTED_CLIENT_SCOPE';
|
|
30835
30793
|
const ENV_VAR_AUTHORIZATION_PROFILE = 'FAME_AUTHORIZATION_PROFILE';
|
|
30836
|
-
const PROFILE_NAME_STRICT_OVERLAY = 'strict-overlay';
|
|
30837
30794
|
const PROFILE_NAME_OVERLAY = 'overlay';
|
|
30838
30795
|
const PROFILE_NAME_OVERLAY_CALLBACK = 'overlay-callback';
|
|
30839
30796
|
const PROFILE_NAME_GATED = 'gated';
|
|
30840
30797
|
const PROFILE_NAME_GATED_CALLBACK = 'gated-callback';
|
|
30841
30798
|
const PROFILE_NAME_OPEN$1 = 'open';
|
|
30842
|
-
const STRICT_OVERLAY_PROFILE = {
|
|
30843
|
-
type: 'DefaultSecurityManager',
|
|
30844
|
-
security_policy: {
|
|
30845
|
-
type: 'DefaultSecurityPolicy',
|
|
30846
|
-
signing: {
|
|
30847
|
-
signing_material: 'x509-chain',
|
|
30848
|
-
require_cert_sid_match: true,
|
|
30849
|
-
inbound: {
|
|
30850
|
-
signature_policy: 'required',
|
|
30851
|
-
unsigned_violation_action: 'nack',
|
|
30852
|
-
invalid_signature_action: 'nack',
|
|
30853
|
-
},
|
|
30854
|
-
response: {
|
|
30855
|
-
mirror_request_signing: true,
|
|
30856
|
-
always_sign_responses: false,
|
|
30857
|
-
sign_error_responses: true,
|
|
30858
|
-
},
|
|
30859
|
-
outbound: {
|
|
30860
|
-
default_signing: true,
|
|
30861
|
-
sign_sensitive_operations: true,
|
|
30862
|
-
sign_if_recipient_expects: true,
|
|
30863
|
-
},
|
|
30864
|
-
},
|
|
30865
|
-
encryption: {
|
|
30866
|
-
inbound: {
|
|
30867
|
-
allow_plaintext: true,
|
|
30868
|
-
allow_channel: true,
|
|
30869
|
-
allow_sealed: true,
|
|
30870
|
-
plaintext_violation_action: 'nack',
|
|
30871
|
-
channel_violation_action: 'nack',
|
|
30872
|
-
sealed_violation_action: 'nack',
|
|
30873
|
-
},
|
|
30874
|
-
response: {
|
|
30875
|
-
mirror_request_level: true,
|
|
30876
|
-
minimum_response_level: 'plaintext',
|
|
30877
|
-
escalate_sealed_responses: false,
|
|
30878
|
-
},
|
|
30879
|
-
outbound: {
|
|
30880
|
-
default_level: factory.Expressions.env(ENV_VAR_DEFAULT_ENCRYPTION_LEVEL, 'channel'),
|
|
30881
|
-
escalate_if_peer_supports: false,
|
|
30882
|
-
prefer_sealed_for_sensitive: false,
|
|
30883
|
-
},
|
|
30884
|
-
},
|
|
30885
|
-
},
|
|
30886
|
-
authorizer: {
|
|
30887
|
-
type: 'AuthorizationProfile',
|
|
30888
|
-
profile: factory.Expressions.env(ENV_VAR_AUTHORIZATION_PROFILE, 'jwt'),
|
|
30889
|
-
},
|
|
30890
|
-
};
|
|
30891
30799
|
const OVERLAY_PROFILE = {
|
|
30892
30800
|
type: 'DefaultSecurityManager',
|
|
30893
30801
|
security_policy: {
|
|
@@ -31090,7 +30998,6 @@ const OPEN_PROFILE$1 = {
|
|
|
31090
30998
|
};
|
|
31091
30999
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY, OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
|
|
31092
31000
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OVERLAY_CALLBACK, OVERLAY_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
|
|
31093
|
-
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_STRICT_OVERLAY, STRICT_OVERLAY_PROFILE, { source: 'node-security-profile-factory' });
|
|
31094
31001
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED, GATED_PROFILE, { source: 'node-security-profile-factory' });
|
|
31095
31002
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_GATED_CALLBACK, GATED_CALLBACK_PROFILE, { source: 'node-security-profile-factory' });
|
|
31096
31003
|
registerProfile(SECURITY_MANAGER_FACTORY_BASE_TYPE, PROFILE_NAME_OPEN$1, OPEN_PROFILE$1, { source: 'node-security-profile-factory' });
|
|
@@ -31227,7 +31134,6 @@ var nodeSecurityProfileFactory = /*#__PURE__*/Object.freeze({
|
|
|
31227
31134
|
PROFILE_NAME_OPEN: PROFILE_NAME_OPEN$1,
|
|
31228
31135
|
PROFILE_NAME_OVERLAY: PROFILE_NAME_OVERLAY,
|
|
31229
31136
|
PROFILE_NAME_OVERLAY_CALLBACK: PROFILE_NAME_OVERLAY_CALLBACK,
|
|
31230
|
-
PROFILE_NAME_STRICT_OVERLAY: PROFILE_NAME_STRICT_OVERLAY,
|
|
31231
31137
|
default: NodeSecurityProfileFactory
|
|
31232
31138
|
});
|
|
31233
31139
|
|
|
@@ -46151,7 +46057,6 @@ exports.PROFILE_NAME_GATED_CALLBACK = PROFILE_NAME_GATED_CALLBACK;
|
|
|
46151
46057
|
exports.PROFILE_NAME_OPEN = PROFILE_NAME_OPEN$1;
|
|
46152
46058
|
exports.PROFILE_NAME_OVERLAY = PROFILE_NAME_OVERLAY;
|
|
46153
46059
|
exports.PROFILE_NAME_OVERLAY_CALLBACK = PROFILE_NAME_OVERLAY_CALLBACK;
|
|
46154
|
-
exports.PROFILE_NAME_STRICT_OVERLAY = PROFILE_NAME_STRICT_OVERLAY;
|
|
46155
46060
|
exports.PromptCredentialProvider = PromptCredentialProvider;
|
|
46156
46061
|
exports.QueueFullError = QueueFullError;
|
|
46157
46062
|
exports.REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE = REPLICA_STICKINESS_MANAGER_FACTORY_BASE_TYPE;
|