@opentdf/sdk 0.1.0-beta.1718 → 0.2.0-beta.1941
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +45 -38
- package/dist/cjs/src/access.js +99 -62
- package/dist/cjs/src/auth/auth.js +5 -26
- package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +1 -1
- package/dist/cjs/src/auth/oidc-externaljwt-provider.js +1 -1
- package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +1 -1
- package/dist/cjs/src/auth/oidc.js +1 -1
- package/dist/cjs/src/auth/providers.js +1 -1
- package/dist/cjs/src/concurrency.js +3 -4
- package/dist/cjs/src/encodings/base64.js +4 -4
- package/dist/cjs/src/encodings/hex.js +5 -6
- package/dist/cjs/src/encodings/index.js +18 -8
- package/dist/cjs/src/errors.js +1 -1
- package/dist/cjs/src/index.js +28 -320
- package/dist/cjs/src/nanoclients.js +285 -0
- package/dist/cjs/src/nanoindex.js +47 -0
- package/dist/cjs/src/nanotdf/Client.js +35 -30
- package/dist/cjs/src/nanotdf/NanoTDF.js +1 -1
- package/dist/cjs/src/nanotdf/decrypt.js +2 -2
- package/dist/cjs/src/nanotdf/encrypt-dataset.js +2 -2
- package/dist/cjs/src/nanotdf/encrypt.js +2 -2
- package/dist/cjs/src/nanotdf/helpers/calculateByCurve.js +3 -4
- package/dist/cjs/src/nanotdf/helpers/getHkdfSalt.js +2 -2
- package/dist/cjs/src/nanotdf/models/Ciphers.js +3 -3
- package/dist/cjs/src/nanotdf/models/EcCurves.js +3 -3
- package/dist/cjs/src/nanotdf/models/Header.js +1 -1
- package/dist/cjs/src/nanotdf/models/Payload.js +1 -1
- package/dist/cjs/src/nanotdf/models/Policy/AbstractPolicy.js +1 -1
- package/dist/cjs/src/nanotdf/models/Policy/EmbeddedPolicy.js +1 -1
- package/dist/cjs/src/nanotdf/models/Policy/PolicyFactory.js +1 -1
- package/dist/cjs/src/nanotdf/models/ResourceLocator.js +1 -1
- package/dist/cjs/src/nanotdf/models/Signature.js +1 -1
- package/dist/cjs/src/nanotdf-crypto/ciphers.js +1 -1
- package/dist/cjs/src/nanotdf-crypto/decrypt.js +2 -2
- package/dist/cjs/src/nanotdf-crypto/digest.js +2 -2
- package/dist/cjs/src/nanotdf-crypto/ecdsaSignature.js +4 -5
- package/dist/cjs/src/nanotdf-crypto/encrypt.js +2 -2
- package/dist/cjs/src/nanotdf-crypto/exportCryptoKey.js +2 -2
- package/dist/cjs/src/nanotdf-crypto/generateKeyPair.js +2 -2
- package/dist/cjs/src/nanotdf-crypto/generateRandomNumber.js +2 -2
- package/dist/cjs/src/nanotdf-crypto/index.js +21 -13
- package/dist/cjs/src/nanotdf-crypto/keyAgreement.js +10 -8
- package/dist/cjs/src/nanotdf-crypto/pemPublicToCrypto.js +20 -11
- package/dist/cjs/src/opentdf.js +243 -0
- package/dist/cjs/src/policy/api.js +2 -3
- package/dist/cjs/src/policy/granter.js +3 -4
- package/dist/cjs/src/seekable.js +157 -0
- package/dist/cjs/src/tdf/AttributeObject.js +2 -4
- package/dist/cjs/src/tdf/Policy.js +3 -3
- package/dist/cjs/src/utils.js +13 -21
- package/dist/cjs/src/version.js +7 -3
- package/dist/cjs/tdf3/index.js +27 -16
- package/dist/cjs/tdf3/src/assertions.js +25 -11
- package/dist/cjs/tdf3/src/binary.js +1 -1
- package/dist/cjs/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
- package/dist/cjs/tdf3/src/ciphers/symmetric-cipher-base.js +1 -1
- package/dist/cjs/tdf3/src/client/DecoratedReadableStream.js +7 -74
- package/dist/cjs/tdf3/src/client/builders.js +26 -22
- package/dist/cjs/tdf3/src/client/index.js +91 -117
- package/dist/cjs/tdf3/src/client/validation.js +3 -3
- package/dist/cjs/tdf3/src/crypto/crypto-utils.js +1 -1
- package/dist/cjs/tdf3/src/crypto/index.js +18 -18
- package/dist/cjs/tdf3/src/index.js +22 -11
- package/dist/cjs/tdf3/src/models/attribute-set.js +1 -1
- package/dist/cjs/tdf3/src/models/encryption-information.js +3 -3
- package/dist/cjs/tdf3/src/models/index.js +1 -2
- package/dist/cjs/tdf3/src/models/key-access.js +67 -35
- package/dist/cjs/tdf3/src/models/policy.js +3 -3
- package/dist/cjs/tdf3/src/tdf.js +180 -395
- package/dist/cjs/tdf3/src/utils/buffer-crc32.js +2 -3
- package/dist/cjs/tdf3/src/utils/index.js +48 -38
- package/dist/cjs/tdf3/src/utils/keysplit.js +4 -5
- package/dist/cjs/tdf3/src/utils/unwrap.js +21 -0
- package/dist/cjs/tdf3/src/utils/zip-reader.js +4 -4
- package/dist/cjs/tdf3/src/utils/zip-writer.js +4 -4
- package/dist/types/src/access.d.ts +10 -4
- package/dist/types/src/access.d.ts.map +1 -1
- package/dist/types/src/auth/auth.d.ts +1 -28
- package/dist/types/src/auth/auth.d.ts.map +1 -1
- package/dist/types/src/auth/providers.d.ts.map +1 -1
- package/dist/types/src/index.d.ts +5 -136
- package/dist/types/src/index.d.ts.map +1 -1
- package/dist/types/src/nanoclients.d.ts +107 -0
- package/dist/types/src/nanoclients.d.ts.map +1 -0
- package/dist/types/src/nanoindex.d.ts +5 -0
- package/dist/types/src/nanoindex.d.ts.map +1 -0
- package/dist/types/src/nanotdf/Client.d.ts +1 -13
- package/dist/types/src/nanotdf/Client.d.ts.map +1 -1
- package/dist/types/src/nanotdf/NanoTDF.d.ts +1 -1
- package/dist/types/src/nanotdf/NanoTDF.d.ts.map +1 -1
- package/dist/types/src/nanotdf/encrypt-dataset.d.ts +1 -1
- package/dist/types/src/nanotdf/encrypt-dataset.d.ts.map +1 -1
- package/dist/types/src/nanotdf/encrypt.d.ts +1 -1
- package/dist/types/src/nanotdf/encrypt.d.ts.map +1 -1
- package/dist/types/src/nanotdf/enum/CipherEnum.d.ts +1 -1
- package/dist/types/src/nanotdf/enum/CipherEnum.d.ts.map +1 -1
- package/dist/types/src/nanotdf/enum/PolicyTypeEnum.d.ts +1 -1
- package/dist/types/src/nanotdf/enum/PolicyTypeEnum.d.ts.map +1 -1
- package/dist/types/src/nanotdf/helpers/getHkdfSalt.d.ts +1 -1
- package/dist/types/src/nanotdf/helpers/getHkdfSalt.d.ts.map +1 -1
- package/dist/types/src/nanotdf/models/DefaultParams.d.ts +1 -1
- package/dist/types/src/nanotdf/models/ResourceLocator.d.ts.map +1 -1
- package/dist/types/src/nanotdf-crypto/digest.d.ts +1 -1
- package/dist/types/src/nanotdf-crypto/digest.d.ts.map +1 -1
- package/dist/types/src/nanotdf-crypto/generateKeyPair.d.ts +1 -1
- package/dist/types/src/nanotdf-crypto/generateKeyPair.d.ts.map +1 -1
- package/dist/types/src/nanotdf-crypto/generateRandomNumber.d.ts +1 -1
- package/dist/types/src/nanotdf-crypto/generateRandomNumber.d.ts.map +1 -1
- package/dist/types/src/nanotdf-crypto/index.d.ts +2 -3
- package/dist/types/src/nanotdf-crypto/index.d.ts.map +1 -1
- package/dist/types/src/nanotdf-crypto/keyAgreement.d.ts.map +1 -1
- package/dist/types/src/opentdf.d.ts +106 -0
- package/dist/types/src/opentdf.d.ts.map +1 -0
- package/dist/types/src/seekable.d.ts +39 -0
- package/dist/types/src/seekable.d.ts.map +1 -0
- package/dist/types/src/tdf/AttributeObject.d.ts +0 -2
- package/dist/types/src/tdf/AttributeObject.d.ts.map +1 -1
- package/dist/types/src/tdf/NanoTDF/NanoTDF.d.ts +2 -2
- package/dist/types/src/tdf/NanoTDF/NanoTDF.d.ts.map +1 -1
- package/dist/types/src/tdf/Policy.d.ts +1 -1
- package/dist/types/src/tdf/Policy.d.ts.map +1 -1
- package/dist/types/src/tdf/PolicyObject.d.ts +1 -2
- package/dist/types/src/tdf/PolicyObject.d.ts.map +1 -1
- package/dist/types/src/tdf/TypedArray.d.ts +1 -2
- package/dist/types/src/tdf/TypedArray.d.ts.map +1 -1
- package/dist/types/src/utils.d.ts +1 -3
- package/dist/types/src/utils.d.ts.map +1 -1
- package/dist/types/src/version.d.ts +5 -1
- package/dist/types/src/version.d.ts.map +1 -1
- package/dist/types/tdf3/index.d.ts +5 -4
- package/dist/types/tdf3/index.d.ts.map +1 -1
- package/dist/types/tdf3/src/assertions.d.ts +3 -3
- package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
- package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts +2 -15
- package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts.map +1 -1
- package/dist/types/tdf3/src/client/builders.d.ts +43 -42
- package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
- package/dist/types/tdf3/src/client/index.d.ts +12 -17
- package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
- package/dist/types/tdf3/src/client/validation.d.ts +3 -3
- package/dist/types/tdf3/src/client/validation.d.ts.map +1 -1
- package/dist/types/tdf3/src/crypto/crypto-utils.d.ts.map +1 -1
- package/dist/types/tdf3/src/index.d.ts +1 -1
- package/dist/types/tdf3/src/index.d.ts.map +1 -1
- package/dist/types/tdf3/src/models/index.d.ts +0 -1
- package/dist/types/tdf3/src/models/index.d.ts.map +1 -1
- package/dist/types/tdf3/src/models/key-access.d.ts +63 -15
- package/dist/types/tdf3/src/models/key-access.d.ts.map +1 -1
- package/dist/types/tdf3/src/models/manifest.d.ts +2 -0
- package/dist/types/tdf3/src/models/manifest.d.ts.map +1 -1
- package/dist/types/tdf3/src/models/policy.d.ts +0 -1
- package/dist/types/tdf3/src/models/policy.d.ts.map +1 -1
- package/dist/types/tdf3/src/tdf.d.ts +24 -37
- package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
- package/dist/types/tdf3/src/utils/index.d.ts +0 -4
- package/dist/types/tdf3/src/utils/index.d.ts.map +1 -1
- package/dist/types/tdf3/src/utils/unwrap.d.ts +2 -0
- package/dist/types/tdf3/src/utils/unwrap.d.ts.map +1 -0
- package/dist/types/tdf3/src/utils/zip-reader.d.ts +1 -1
- package/dist/types/tdf3/src/utils/zip-reader.d.ts.map +1 -1
- package/dist/types/tdf3/src/utils/zip-writer.d.ts +2 -2
- package/dist/web/src/access.js +93 -58
- package/dist/web/src/auth/auth.js +1 -21
- package/dist/web/src/auth/oidc-clientcredentials-provider.js +1 -1
- package/dist/web/src/auth/oidc-externaljwt-provider.js +1 -1
- package/dist/web/src/auth/oidc-refreshtoken-provider.js +1 -1
- package/dist/web/src/auth/oidc.js +1 -1
- package/dist/web/src/auth/providers.js +1 -1
- package/dist/web/src/concurrency.js +1 -1
- package/dist/web/src/encodings/base64.js +1 -1
- package/dist/web/src/encodings/hex.js +1 -1
- package/dist/web/src/errors.js +1 -1
- package/dist/web/src/index.js +6 -312
- package/dist/web/src/nanoclients.js +280 -0
- package/dist/web/src/nanoindex.js +5 -0
- package/dist/web/src/nanotdf/Client.js +18 -23
- package/dist/web/src/nanotdf/NanoTDF.js +1 -1
- package/dist/web/src/nanotdf/encrypt-dataset.js +1 -1
- package/dist/web/src/nanotdf/encrypt.js +1 -1
- package/dist/web/src/nanotdf/models/Ciphers.js +1 -1
- package/dist/web/src/nanotdf/models/EcCurves.js +1 -1
- package/dist/web/src/nanotdf/models/Header.js +1 -1
- package/dist/web/src/nanotdf/models/Payload.js +1 -1
- package/dist/web/src/nanotdf/models/Policy/AbstractPolicy.js +1 -1
- package/dist/web/src/nanotdf/models/Policy/EmbeddedPolicy.js +1 -1
- package/dist/web/src/nanotdf/models/Policy/PolicyFactory.js +1 -1
- package/dist/web/src/nanotdf/models/ResourceLocator.js +1 -1
- package/dist/web/src/nanotdf/models/Signature.js +1 -1
- package/dist/web/src/nanotdf-crypto/ciphers.js +1 -1
- package/dist/web/src/nanotdf-crypto/ecdsaSignature.js +1 -1
- package/dist/web/src/nanotdf-crypto/generateKeyPair.js +2 -2
- package/dist/web/src/nanotdf-crypto/generateRandomNumber.js +2 -2
- package/dist/web/src/nanotdf-crypto/index.js +3 -4
- package/dist/web/src/nanotdf-crypto/keyAgreement.js +9 -6
- package/dist/web/src/nanotdf-crypto/pemPublicToCrypto.js +1 -1
- package/dist/web/src/opentdf.js +234 -0
- package/dist/web/src/policy/api.js +1 -1
- package/dist/web/src/policy/granter.js +1 -1
- package/dist/web/src/seekable.js +148 -0
- package/dist/web/src/tdf/AttributeObject.js +1 -2
- package/dist/web/src/tdf/Policy.js +2 -4
- package/dist/web/src/utils.js +3 -10
- package/dist/web/src/version.js +6 -2
- package/dist/web/tdf3/index.js +5 -4
- package/dist/web/tdf3/src/assertions.js +21 -6
- package/dist/web/tdf3/src/binary.js +1 -1
- package/dist/web/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
- package/dist/web/tdf3/src/ciphers/symmetric-cipher-base.js +1 -1
- package/dist/web/tdf3/src/client/DecoratedReadableStream.js +4 -68
- package/dist/web/tdf3/src/client/builders.js +26 -22
- package/dist/web/tdf3/src/client/index.js +74 -105
- package/dist/web/tdf3/src/client/validation.js +1 -1
- package/dist/web/tdf3/src/crypto/crypto-utils.js +1 -1
- package/dist/web/tdf3/src/crypto/index.js +1 -1
- package/dist/web/tdf3/src/index.js +2 -2
- package/dist/web/tdf3/src/models/attribute-set.js +1 -1
- package/dist/web/tdf3/src/models/encryption-information.js +3 -3
- package/dist/web/tdf3/src/models/index.js +1 -2
- package/dist/web/tdf3/src/models/key-access.js +47 -24
- package/dist/web/tdf3/src/models/policy.js +1 -1
- package/dist/web/tdf3/src/tdf.js +153 -371
- package/dist/web/tdf3/src/utils/buffer-crc32.js +1 -1
- package/dist/web/tdf3/src/utils/index.js +19 -14
- package/dist/web/tdf3/src/utils/keysplit.js +1 -1
- package/dist/web/tdf3/src/utils/unwrap.js +18 -0
- package/dist/web/tdf3/src/utils/zip-reader.js +1 -1
- package/dist/web/tdf3/src/utils/zip-writer.js +1 -1
- package/package.json +45 -45
- package/src/access.ts +111 -54
- package/src/auth/auth.ts +1 -31
- package/src/index.ts +5 -440
- package/src/nanoclients.ts +405 -0
- package/src/nanoindex.ts +4 -0
- package/src/nanotdf/Client.ts +18 -25
- package/src/nanotdf/NanoTDF.ts +1 -1
- package/src/nanotdf/encrypt-dataset.ts +1 -1
- package/src/nanotdf/encrypt.ts +1 -1
- package/src/nanotdf/helpers/getHkdfSalt.ts +1 -1
- package/src/nanotdf-crypto/digest.ts +1 -1
- package/src/nanotdf-crypto/generateKeyPair.ts +1 -1
- package/src/nanotdf-crypto/generateRandomNumber.ts +1 -1
- package/src/nanotdf-crypto/index.ts +2 -3
- package/src/nanotdf-crypto/keyAgreement.ts +14 -7
- package/src/opentdf.ts +441 -0
- package/src/seekable.ts +180 -0
- package/src/tdf/AttributeObject.ts +0 -3
- package/src/tdf/Policy.ts +1 -2
- package/src/tdf/PolicyObject.ts +1 -2
- package/src/tdf/TypedArray.ts +1 -3
- package/src/utils.ts +3 -11
- package/src/version.ts +6 -1
- package/tdf3/index.ts +15 -10
- package/tdf3/src/assertions.ts +33 -8
- package/tdf3/src/client/DecoratedReadableStream.ts +3 -80
- package/tdf3/src/client/builders.ts +44 -28
- package/tdf3/src/client/index.ts +109 -165
- package/tdf3/src/index.ts +1 -1
- package/tdf3/src/models/encryption-information.ts +2 -2
- package/tdf3/src/models/index.ts +0 -1
- package/tdf3/src/models/key-access.ts +120 -38
- package/tdf3/src/models/manifest.ts +3 -0
- package/tdf3/src/models/policy.ts +0 -1
- package/tdf3/src/tdf.ts +266 -522
- package/tdf3/src/utils/index.ts +19 -18
- package/tdf3/src/utils/unwrap.ts +17 -0
- package/tdf3/src/utils/zip-reader.ts +1 -1
- package/dist/cjs/src/auth/Eas.js +0 -60
- package/dist/cjs/src/nanotdf-crypto/importRawKey.js +0 -18
- package/dist/cjs/src/tdf/Crypto.js +0 -47
- package/dist/cjs/src/tdf/EntityObject.js +0 -3
- package/dist/cjs/src/tdf/index.js +0 -35
- package/dist/cjs/tdf3/src/models/upsert-response.js +0 -3
- package/dist/cjs/tdf3/src/templates/default.html.js +0 -98
- package/dist/cjs/tdf3/src/templates/escaper.js +0 -15
- package/dist/cjs/tdf3/src/templates/index.js +0 -12
- package/dist/cjs/tdf3/src/utils/chunkers.js +0 -106
- package/dist/cjs/tdf3/src/version.js +0 -6
- package/dist/types/src/auth/Eas.d.ts +0 -34
- package/dist/types/src/auth/Eas.d.ts.map +0 -1
- package/dist/types/src/nanotdf-crypto/importRawKey.d.ts +0 -13
- package/dist/types/src/nanotdf-crypto/importRawKey.d.ts.map +0 -1
- package/dist/types/src/tdf/Crypto.d.ts +0 -37
- package/dist/types/src/tdf/Crypto.d.ts.map +0 -1
- package/dist/types/src/tdf/EntityObject.d.ts +0 -18
- package/dist/types/src/tdf/EntityObject.d.ts.map +0 -1
- package/dist/types/src/tdf/index.d.ts +0 -7
- package/dist/types/src/tdf/index.d.ts.map +0 -1
- package/dist/types/tdf3/src/models/upsert-response.d.ts +0 -16
- package/dist/types/tdf3/src/models/upsert-response.d.ts.map +0 -1
- package/dist/types/tdf3/src/templates/default.html.d.ts +0 -8
- package/dist/types/tdf3/src/templates/default.html.d.ts.map +0 -1
- package/dist/types/tdf3/src/templates/escaper.d.ts +0 -6
- package/dist/types/tdf3/src/templates/escaper.d.ts.map +0 -1
- package/dist/types/tdf3/src/templates/index.d.ts +0 -3
- package/dist/types/tdf3/src/templates/index.d.ts.map +0 -1
- package/dist/types/tdf3/src/utils/chunkers.d.ts +0 -29
- package/dist/types/tdf3/src/utils/chunkers.d.ts.map +0 -1
- package/dist/types/tdf3/src/version.d.ts +0 -3
- package/dist/types/tdf3/src/version.d.ts.map +0 -1
- package/dist/web/src/auth/Eas.js +0 -55
- package/dist/web/src/nanotdf-crypto/importRawKey.js +0 -15
- package/dist/web/src/tdf/Crypto.js +0 -44
- package/dist/web/src/tdf/EntityObject.js +0 -2
- package/dist/web/src/tdf/index.js +0 -4
- package/dist/web/tdf3/src/models/upsert-response.js +0 -2
- package/dist/web/tdf3/src/templates/default.html.js +0 -96
- package/dist/web/tdf3/src/templates/escaper.js +0 -10
- package/dist/web/tdf3/src/templates/index.js +0 -3
- package/dist/web/tdf3/src/utils/chunkers.js +0 -96
- package/dist/web/tdf3/src/version.js +0 -3
- package/src/auth/Eas.ts +0 -79
- package/src/nanotdf-crypto/importRawKey.ts +0 -19
- package/src/tdf/Crypto.ts +0 -42
- package/src/tdf/EntityObject.ts +0 -18
- package/src/tdf/index.ts +0 -6
- package/tdf3/src/models/upsert-response.ts +0 -17
- package/tdf3/src/templates/default.html.ts +0 -105
- package/tdf3/src/templates/escaper.ts +0 -10
- package/tdf3/src/templates/index.ts +0 -2
- package/tdf3/src/utils/chunkers.ts +0 -118
- package/tdf3/src/version.ts +0 -2
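--- a/package/src/access.ts
+++ b/package/src/access.ts
@@ -1,5 +1,6 @@
 import { type AuthProvider } from './auth/auth.js';
 import {
+ConfigurationError,
 InvalidFileError,
 NetworkError,
 PermissionDeniedError,
@@ -8,14 +9,16 @@ import {
 } from './errors.js';
 import { pemToCryptoPublicKey, validateSecureUrl } from './utils.js';
 
-export
-signedRequestToken
-}
+export type RewrapRequest = {
+signedRequestToken: string;
+};
 
-export
-
-
-
+export type RewrapResponse = {
+metadata: Record<string, unknown>;
+entityWrappedKey: string;
+sessionPublicKey: string;
+schemaVersion: string;
+};
 
 /**
 * Get a rewrapped access key to the document, if possible
@@ -40,8 +43,10 @@ export async function fetchWrappedKey(
 body: JSON.stringify(requestBody),
 });
 
+let response: Response;
+
 try {
-
+response = await fetch(req.url, {
 method: req.method,
 mode: 'cors', // no-cors, *cors, same-origin
 cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
@@ -51,32 +56,73 @@ export async function fetchWrappedKey(
 referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
 body: req.body as BodyInit,
 });
+} catch (e) {
+throw new NetworkError(`unable to fetch wrapped key from [${url}]`, e);
+}
 
-
-
-
-
-
-
-
-
-
-
-
-
-
+if (!response.ok) {
+switch (response.status) {
+case 400:
+throw new InvalidFileError(
+`400 for [${req.url}]: rewrap bad request [${await response.text()}]`
+);
+case 401:
+throw new UnauthenticatedError(`401 for [${req.url}]; rewrap auth failure`);
+case 403:
+throw new PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied`);
+default:
+if (response.status >= 500) {
+throw new ServiceError(
+`${response.status} for [${req.url}]: rewrap failure due to service error [${await response.text()}]`
 );
-
+}
+throw new NetworkError(
+`${req.method} ${req.url} => ${response.status} ${response.statusText}`
+);
 }
-
-return response.json();
-} catch (e) {
-throw new NetworkError(`unable to fetch wrapped key from [${url}]: ${e}`);
 }
+
+return response.json();
 }
 
 export type KasPublicKeyAlgorithm = 'ec:secp256r1' | 'rsa:2048';
 
+export const isPublicKeyAlgorithm = (a: string): a is KasPublicKeyAlgorithm => {
+return a === 'ec:secp256r1' || a === 'rsa:2048';
+};
+
+export const keyAlgorithmToPublicKeyAlgorithm = (a: KeyAlgorithm): KasPublicKeyAlgorithm => {
+if (a.name === 'ECDSA' || a.name === 'ECDH') {
+const eca = a as EcKeyAlgorithm;
+if (eca.namedCurve === 'P-256') {
+return 'ec:secp256r1';
+}
+throw new Error(`unsupported EC curve: ${eca.namedCurve}`);
+}
+if (a.name === 'RSA-OAEP') {
+const rsaa = a as RsaHashedKeyAlgorithm;
+if (rsaa.modulusLength === 2048) {
+// if (rsaa.hash.name !== 'RSASSA-PKCS1-v1_5') {
+// throw new Error(`unsupported RSA hash: ${rsaa.hash.name}`);
+// }
+if (rsaa.publicExponent.toString() !== '1,0,1') {
+throw new Error(`unsupported RSA public exponent: ${rsaa.publicExponent}`);
+}
+return 'rsa:2048';
+}
+}
+throw new Error(`unsupported key algorithm: ${a.name}`);
+};
+
+export const publicKeyAlgorithmToJwa = (a: KasPublicKeyAlgorithm): string => {
+switch (a) {
+case 'ec:secp256r1':
+return 'ES256';
+case 'rsa:2048':
+return 'RS256';
+}
+};
+
 /**
 * Information about one of a KAS's published public keys.
 * A KAS may publish multiple keys with a given algorithm type.
@@ -100,7 +146,7 @@ export type KasPublicKeyInfo = {
 key: Promise<CryptoKey>;
 };
 
-async function noteInvalidPublicKey(url:
+async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<CryptoKey> {
 try {
 return await r;
 } catch (e) {
@@ -116,14 +162,47 @@ async function noteInvalidPublicKey(url: string, r: Promise<CryptoKey>): Promise
 * the value from `${kas}/kas_public_key`.
 */
 export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKeyInfo> {
+return fetchKasPubKey(kasEndpoint, 'ec:secp256r1');
+}
+
+export async function fetchKasPubKey(
+kasEndpoint: string,
+algorithm?: KasPublicKeyAlgorithm
+): Promise<KasPublicKeyInfo> {
+if (!kasEndpoint) {
+throw new ConfigurationError('KAS definition not found');
+}
+// Logs insecure KAS. Secure is enforced in constructor
 validateSecureUrl(kasEndpoint);
-
-
+
+// Parse kasEndpoint to URL, then append to its path and update its query parameters
+let pkUrlV2: URL;
+try {
+pkUrlV2 = new URL(kasEndpoint);
+} catch (e) {
+throw new ConfigurationError(`KAS definition invalid: [${kasEndpoint}]`, e);
+}
+if (!pkUrlV2.pathname.endsWith('kas_public_key')) {
+if (!pkUrlV2.pathname.endsWith('/')) {
+pkUrlV2.pathname += '/';
+}
+pkUrlV2.pathname += 'v2/kas_public_key';
+}
+pkUrlV2.searchParams.set('algorithm', algorithm || 'rsa:2048');
+if (!pkUrlV2.searchParams.get('v')) {
+pkUrlV2.searchParams.set('v', '2');
+}
+
+let kasPubKeyResponseV2: Response;
+try {
+kasPubKeyResponseV2 = await fetch(pkUrlV2);
+} catch (e) {
+throw new NetworkError(`unable to fetch public key from [${pkUrlV2}]`, e);
+}
 if (!kasPubKeyResponseV2.ok) {
 switch (kasPubKeyResponseV2.status) {
 case 404:
-
-break;
+throw new ConfigurationError(`404 for [${pkUrlV2}]`);
 case 401:
 throw new UnauthenticatedError(`401 for [${pkUrlV2}]`);
 case 403:
@@ -133,28 +212,6 @@ export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKe
 `${pkUrlV2} => ${kasPubKeyResponseV2.status} ${kasPubKeyResponseV2.statusText}`
 );
 }
-// most likely a server that does not implement v2 endpoint, so no key identifier
-const pkUrlV1 = `${kasEndpoint}/kas_public_key?algorithm=ec:secp256r1`;
-const r2 = await fetch(pkUrlV1);
-if (!r2.ok) {
-switch (r2.status) {
-case 401:
-throw new UnauthenticatedError(`401 for [${pkUrlV2}]`);
-case 403:
-throw new PermissionDeniedError(`403 for [${pkUrlV2}]`);
-default:
-throw new NetworkError(
-`unable to load KAS public key from [${pkUrlV1}]. Received [${r2.status}:${r2.statusText}]`
-);
-}
-}
-const pem = await r2.json();
-return {
-key: noteInvalidPublicKey(pkUrlV1, pemToCryptoPublicKey(pem)),
-publicKey: pem,
-url: kasEndpoint,
-algorithm: 'ec:secp256r1',
-};
 }
 const jsonContent = await kasPubKeyResponseV2.json();
 const { publicKey, kid }: KasPublicKeyInfo = jsonContent;
@@ -167,7 +224,7 @@ export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKe
 key: noteInvalidPublicKey(pkUrlV2, pemToCryptoPublicKey(publicKey)),
 publicKey,
 url: kasEndpoint,
-algorithm: '
+algorithm: algorithm || 'rsa:2048',
 ...(kid && { kid }),
 };
 }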
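Review bot: In `fetchKasPubKey` the KAS response is destructured as `const { publicKey, kid }: KasPublicKeyInfo = jsonContent;`, but `jsonContent` is the raw result of `kasPubKeyResponseV2.json()`, so that annotation is not enforced at runtime and a response without `publicKey`, or with a non-string `kid`, is passed through into the returned `KasPublicKeyInfo` unchanged. A bad `publicKey` is presumably surfaced later by `noteInvalidPublicKey` (its catch branch lies outside the hunk), but `kid` gets no check at all, and `return response.json();` at the end of `fetchWrappedKey` likewise hands back whatever the server sent as a `RewrapResponse`. A minimal guard right after the parse would be `if (typeof publicKey !== 'string' || (kid !== undefined && typeof kid !== 'string')) {` / `throw new ServiceError(`unexpected public key response from [${pkUrlV2}]`);` / `}`. Applying the same kind of check to `entityWrappedKey` and `sessionPublicKey` in `fetchWrappedKey` would make a malformed rewrap response fail with a clear error at the boundary rather than on a later use of the key material.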
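--- a/package/src/auth/auth.ts
+++ b/package/src/auth/auth.ts
@@ -23,7 +23,7 @@ export class HttpRequest {
 
 url: string;
 
-body?: BodyInit | null
+body?: BodyInit | null;
 
 constructor() {
 this.headers = {};
@@ -109,33 +109,3 @@ export function isAuthProvider(a?: unknown): a is AuthProvider {
 }
 return 'withCreds' in a;
 }
-
-/**
-* An AuthProvider encapsulates all logic necessary to authenticate to a backend service, in the
-* vein of <a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Credentials.html">AWS.Credentials</a>.
-* <br/><br/>
-* The client will call into its configured AuthProvider to decorate remote TDF service calls with necessary
-* authentication info. This approach allows the client to be agnostic to the auth scheme, allowing for
-* methods like identify federation and custom service credentials to be used and changed at the developer's will.
-* <br/><br/>
-* This class is not intended to be used on its own. See the documented subclasses for public-facing implementations.
-* <ul>
-* <li><a href="EmailCodeAuthProvider.html">EmailCodeAuthProvider</li>
-* <li><a href="GoogleAuthProvider.html">GoogleAuthProvider</li>
-* <li><a href="O365AuthProvider.html">O365AuthProvider</li>
-* <li><a href="OutlookAuthProvider.html">OutlookAuthProvider</li>
-* <li><a href="VirtruCredentialsAuthProvider.html">VirtruCredentialsAuthProvider</li>
-* </ul>
-*/
-export abstract class AppIdAuthProvider {
-/**
-* Augment the provided http request with custom auth info to be used by backend services.
-*
-* @param httpReq - Required. An http request pre-populated with the data public key.
-*/
-abstract withCreds(httpReq: HttpRequest): Promise<HttpRequest>;
-
-abstract _getName(): string;
-}
-
-export default AppIdAuthProvider;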