@opentdf/sdk 0.13.0 → 0.14.0-rc.133
- package/README.md +60 -10
- package/dist/cjs/src/access/access-rpc.js +6 -5
- package/dist/cjs/src/access.js +18 -5
- package/dist/cjs/src/auth/interceptors.js +186 -0
- package/dist/cjs/src/auth/oidc.js +5 -3
- package/dist/cjs/src/auth/token-providers.js +247 -0
- package/dist/cjs/src/index.js +16 -2
- package/dist/cjs/src/opentdf.js +40 -32
- package/dist/cjs/src/platform/authorization/entity-identifiers.js +88 -0
- package/dist/cjs/src/platform.js +3 -46
- package/dist/cjs/src/policy/api.js +9 -5
- package/dist/cjs/src/policy/discovery.js +10 -9
- package/dist/cjs/src/version.js +1 -1
- package/dist/cjs/tdf3/src/client/index.js +35 -17
- package/dist/cjs/tdf3/src/tdf.js +8 -7
- package/dist/types/src/access/access-rpc.d.ts +3 -3
- package/dist/types/src/access/access-rpc.d.ts.map +1 -1
- package/dist/types/src/access.d.ts +3 -3
- package/dist/types/src/access.d.ts.map +1 -1
- package/dist/types/src/auth/interceptors.d.ts +99 -0
- package/dist/types/src/auth/interceptors.d.ts.map +1 -0
- package/dist/types/src/auth/oidc.d.ts +1 -1
- package/dist/types/src/auth/oidc.d.ts.map +1 -1
- package/dist/types/src/auth/token-providers.d.ts +100 -0
- package/dist/types/src/auth/token-providers.d.ts.map +1 -0
- package/dist/types/src/index.d.ts +3 -0
- package/dist/types/src/index.d.ts.map +1 -1
- package/dist/types/src/opentdf.d.ts +18 -15
- package/dist/types/src/opentdf.d.ts.map +1 -1
- package/dist/types/src/platform/authorization/entity-identifiers.d.ts +41 -0
- package/dist/types/src/platform/authorization/entity-identifiers.d.ts.map +1 -0
- package/dist/types/src/platform.d.ts +6 -3
- package/dist/types/src/platform.d.ts.map +1 -1
- package/dist/types/src/policy/api.d.ts +3 -3
- package/dist/types/src/policy/api.d.ts.map +1 -1
- package/dist/types/src/policy/discovery.d.ts +5 -5
- package/dist/types/src/policy/discovery.d.ts.map +1 -1
- package/dist/types/src/version.d.ts +1 -1
- package/dist/types/tdf3/src/client/index.d.ts +10 -1
- package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
- package/dist/types/tdf3/src/tdf.d.ts +5 -2
- package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
- package/dist/web/src/access/access-rpc.js +6 -5
- package/dist/web/src/access.js +18 -5
- package/dist/web/src/auth/interceptors.js +142 -0
- package/dist/web/src/auth/oidc.js +5 -3
- package/dist/web/src/auth/token-providers.js +242 -0
- package/dist/web/src/index.js +4 -1
- package/dist/web/src/opentdf.js +40 -32
- package/dist/web/src/platform/authorization/entity-identifiers.js +81 -0
- package/dist/web/src/platform.js +3 -46
- package/dist/web/src/policy/api.js +9 -5
- package/dist/web/src/policy/discovery.js +10 -9
- package/dist/web/src/version.js +1 -1
- package/dist/web/tdf3/src/client/index.js +35 -17
- package/dist/web/tdf3/src/tdf.js +8 -7
- package/package.json +1 -1
- package/src/access/access-rpc.ts +5 -5
- package/src/access.ts +29 -13
- package/src/auth/interceptors.ts +197 -0
- package/src/auth/oidc.ts +5 -3
- package/src/auth/token-providers.ts +303 -0
- package/src/index.ts +25 -0
- package/src/opentdf.ts +54 -34
- package/src/platform/authorization/entity-identifiers.ts +102 -0
- package/src/platform.ts +8 -52
- package/src/policy/api.ts +8 -5
- package/src/policy/discovery.ts +9 -9
- package/src/version.ts +1 -1
- package/tdf3/src/client/index.ts +46 -17
- package/tdf3/src/tdf.ts +14 -11
package/README.md
CHANGED
|
@@ -4,19 +4,15 @@ This project presents client code to write and read OpenTDF data formats.
|
|
|
4
4
|
|
|
5
5
|
## Usage
|
|
6
6
|
|
|
7
|
-
|
|
8
|
-
import { AuthProviders, OpenTDF } from '@opentdf/sdk';
|
|
7
|
+
### With Interceptors (Recommended)
|
|
9
8
|
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
refreshToken: refreshToken,
|
|
15
|
-
oidcOrigin: 'https://keycloak.example.com/auth/realms/my-realm',
|
|
16
|
-
});
|
|
9
|
+
Use interceptors to provide authentication. The SDK does not manage tokens — you bring your own auth.
|
|
10
|
+
|
|
11
|
+
```typescript
|
|
12
|
+
import { authTokenInterceptor, OpenTDF } from '@opentdf/sdk';
|
|
17
13
|
|
|
18
14
|
const client = new OpenTDF({
|
|
19
|
-
|
|
15
|
+
interceptors: [authTokenInterceptor(() => myAuth.getAccessToken())],
|
|
20
16
|
platformUrl: 'https://platform.example.com',
|
|
21
17
|
});
|
|
22
18
|
|
|
@@ -33,3 +29,57 @@ const plainText = await client.read({
|
|
|
33
29
|
});
|
|
34
30
|
console.log(await new Response(plainText).text()); // "hello, world"
|
|
35
31
|
```
|
|
32
|
+
|
|
33
|
+
The `authTokenInterceptor` takes a function that returns an access token. Your auth library handles token refresh, caching, etc.
|
|
34
|
+
|
|
35
|
+
For DPoP-bound tokens, use `authTokenDPoPInterceptor`:
|
|
36
|
+
|
|
37
|
+
```typescript
|
|
38
|
+
import { authTokenDPoPInterceptor, OpenTDF } from '@opentdf/sdk';
|
|
39
|
+
|
|
40
|
+
const dpopInterceptor = authTokenDPoPInterceptor({
|
|
41
|
+
tokenProvider: () => myAuth.getAccessToken(),
|
|
42
|
+
});
|
|
43
|
+
|
|
44
|
+
const client = new OpenTDF({
|
|
45
|
+
interceptors: [dpopInterceptor],
|
|
46
|
+
dpopKeys: dpopInterceptor.dpopKeys,
|
|
47
|
+
platformUrl: 'https://platform.example.com',
|
|
48
|
+
});
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
You can also write your own interceptor for full control over request headers:
|
|
52
|
+
|
|
53
|
+
```typescript
|
|
54
|
+
import { type Interceptor } from '@connectrpc/connect';
|
|
55
|
+
|
|
56
|
+
const myInterceptor: Interceptor = (next) => async (req) => {
|
|
57
|
+
req.header.set('Authorization', `Bearer ${await getToken()}`);
|
|
58
|
+
req.header.set('X-Custom-Header', 'value');
|
|
59
|
+
return next(req);
|
|
60
|
+
};
|
|
61
|
+
|
|
62
|
+
const client = new OpenTDF({
|
|
63
|
+
interceptors: [myInterceptor],
|
|
64
|
+
platformUrl: 'https://platform.example.com',
|
|
65
|
+
});
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
### With AuthProvider (Legacy)
|
|
69
|
+
|
|
70
|
+
The `AuthProvider` pattern is still supported for backwards compatibility.
|
|
71
|
+
|
|
72
|
+
```typescript
|
|
73
|
+
import { AuthProviders, OpenTDF } from '@opentdf/sdk';
|
|
74
|
+
|
|
75
|
+
const authProvider = await AuthProviders.refreshAuthProvider({
|
|
76
|
+
clientId: 'my-client-id',
|
|
77
|
+
refreshToken: refreshToken,
|
|
78
|
+
oidcOrigin: 'https://keycloak.example.com/auth/realms/my-realm',
|
|
79
|
+
});
|
|
80
|
+
|
|
81
|
+
const client = new OpenTDF({
|
|
82
|
+
authProvider,
|
|
83
|
+
platformUrl: 'https://platform.example.com',
|
|
84
|
+
});
|
|
85
|
+
```
|
|
@@ -7,6 +7,7 @@ exports.fetchKeyAccessServers = fetchKeyAccessServers;
|
|
|
7
7
|
exports.fetchKasPubKey = fetchKasPubKey;
|
|
8
8
|
exports.fetchKasBasePubKey = fetchKasBasePubKey;
|
|
9
9
|
const access_js_1 = require("../access.js");
|
|
10
|
+
const interceptors_js_1 = require("../auth/interceptors.js");
|
|
10
11
|
const errors_js_1 = require("../errors.js");
|
|
11
12
|
const platform_js_1 = require("../platform.js");
|
|
12
13
|
const utils_js_1 = require("../utils.js");
|
|
@@ -20,9 +21,9 @@ const connect_1 = require("@connectrpc/connect");
|
|
|
20
21
|
* @param rewrapAdditionalContextHeader optional value for 'X-Rewrap-Additional-Context'
|
|
21
22
|
* @param clientVersion
|
|
22
23
|
*/
|
|
23
|
-
async function fetchWrappedKey(url, signedRequestToken,
|
|
24
|
+
async function fetchWrappedKey(url, signedRequestToken, auth, rewrapAdditionalContextHeader) {
|
|
24
25
|
const platformUrl = (0, utils_js_1.getPlatformUrlFromKasEndpoint)(url);
|
|
25
|
-
const platform = new platform_js_1.PlatformClient({
|
|
26
|
+
const platform = new platform_js_1.PlatformClient({ interceptors: (0, interceptors_js_1.resolveInterceptors)(auth), platformUrl });
|
|
26
27
|
const options = {};
|
|
27
28
|
if (rewrapAdditionalContextHeader) {
|
|
28
29
|
options.headers = {
|
|
@@ -87,10 +88,10 @@ function handleRpcRewrapErrorString(e, platformUrl, requiredObligations) {
|
|
|
87
88
|
}
|
|
88
89
|
throw new errors_js_1.NetworkError(`[${platformUrl}] [Rewrap] ${e}`);
|
|
89
90
|
}
|
|
90
|
-
async function fetchKeyAccessServers(platformUrl,
|
|
91
|
+
async function fetchKeyAccessServers(platformUrl, auth) {
|
|
91
92
|
let nextOffset = 0;
|
|
92
93
|
const allServers = [];
|
|
93
|
-
const platform = new platform_js_1.PlatformClient({
|
|
94
|
+
const platform = new platform_js_1.PlatformClient({ interceptors: (0, interceptors_js_1.resolveInterceptors)(auth), platformUrl });
|
|
94
95
|
do {
|
|
95
96
|
let response;
|
|
96
97
|
try {
|
|
@@ -186,4 +187,4 @@ async function fetchKasBasePubKey(kasEndpoint) {
|
|
|
186
187
|
throw new errors_js_1.NetworkError(`[${platformUrl}] [PublicKey] ${(0, utils_js_1.extractRpcErrorMessage)(e)}`);
|
|
187
188
|
}
|
|
188
189
|
}
|
|
189
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
190
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjZXNzLXJwYy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hY2Nlc3MvYWNjZXNzLXJwYy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQW9DQSwwQ0FxQkM7QUFFRCxvREF3QkM7QUFFRCxnRUFrQ0M7QUFFRCxzREFpQ0M7QUEyQkQsd0NBNkJDO0FBU0QsZ0RBNkJDO0FBdlBELDRDQUtzQjtBQUV0Qiw2REFBK0U7QUFDL0UsNENBT3NCO0FBQ3RCLGdEQUFnRDtBQUdoRCwwQ0FJcUI7QUFDckIsaURBQTZEO0FBQzdELGlEQUF5RDtBQUV6RDs7Ozs7OztHQU9HO0FBQ0ksS0FBSyxVQUFVLGVBQWUsQ0FDbkMsR0FBVyxFQUNYLGtCQUEwQixFQUMxQixJQUFnQixFQUNoQiw2QkFBc0M7SUFFdEMsTUFBTSxXQUFXLEdBQUcsSUFBQSx3Q0FBNkIsRUFBQyxHQUFHLENBQUMsQ0FBQztJQUN2RCxNQUFNLFFBQVEsR0FBRyxJQUFJLDRCQUFjLENBQUMsRUFBRSxZQUFZLEVBQUUsSUFBQSxxQ0FBbUIsRUFBQyxJQUFJLENBQUMsRUFBRSxXQUFXLEVBQUUsQ0FBQyxDQUFDO0lBQzlGLE1BQU0sT0FBTyxHQUFnQixFQUFFLENBQUM7SUFDaEMsSUFBSSw2QkFBNkIsRUFBRSxDQUFDO1FBQ2xDLE9BQU8sQ0FBQyxPQUFPLEdBQUc7WUFDaEIsQ0FBQywwQ0FBMkIsQ0FBQyxFQUFFLDZCQUE2QjtTQUM3RCxDQUFDO0lBQ0osQ0FBQztJQUNELElBQUksUUFBd0IsQ0FBQztJQUM3QixJQUFJLENBQUM7UUFDSCxRQUFRLEdBQUcsTUFBTSxRQUFRLENBQUMsRUFBRSxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsRUFBRSxrQkFBa0IsRUFBRSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQzlFLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsb0JBQW9CLENBQUMsQ0FBQyxFQUFFLFdBQVcsQ0FBQyxDQUFDO0lBQ3ZDLENBQUM7SUFDRCxPQUFPLFFBQVEsQ0FBQztBQUNsQixDQUFDO0FBRUQsU0FBZ0Isb0JBQW9CLENBQUMsQ0FBVSxFQUFFLFdBQW1CO0lBQ2xFLElBQUksQ0FBQyxZQUFZLHNCQUFZLEVBQUUsQ0FBQztRQUM5QixPQUFPLENBQUMsR0FBRyxDQUFDLG9DQUFvQyxFQUFFLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUMxRCxRQUFRLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBQztZQUNmLEtBQUssY0FBSSxDQUFDLGVBQWUsRUFBRSxrQkFBa0I7Z0JBQzNDLE1BQU0sSUFBSSw0QkFBZ0IsQ0FBQyxZQUFZLFdBQVcsMEJBQTBCLENBQUMsQ0FBQyxPQUFPLEdBQUcsQ0FBQyxDQUFDO1lBQzVGLEtBQUssY0FBSSxDQUFDLGdCQUFnQixFQUFFLGdCQUFnQjtnQkFDMUMsTUFBTSxJQUFJLGlDQUFxQixDQUFDLFlBQVksV0FBVyw2QkFBNkIsQ0FBQyxDQUFDO1lBQ3hGLEtBQUssY0FBSSxDQUFDLGVBQWUsRUFBRSxtQkFBbUI7Z0JBQzVDLE1BQU0sSUFBSSxnQ0FBb0IsQ0FBQyxZQUFZLFdBQVcsd0JBQXdCLENBQUMsQ0FBQztZQUNsRixLQUFLLGNBQUksQ0FBQyxRQUFRLENBQUM7WUFDbkIsS0FBSyxjQUFJLENBQUMsYU
FBYSxDQUFDO1lBQ3hCLEtBQUssY0FBSSxDQUFDLFFBQVEsQ0FBQztZQUNuQixLQUFLLGNBQUksQ0FBQyxPQUFPLENBQUM7WUFDbEIsS0FBSyxjQUFJLENBQUMsZ0JBQWdCLENBQUM7WUFDM0IsS0FBSyxjQUFJLENBQUMsV0FBVyxFQUFFLHFCQUFxQjtnQkFDMUMsTUFBTSxJQUFJLHdCQUFZLENBQ3BCLEdBQUcsQ0FBQyxDQUFDLElBQUksU0FBUyxXQUFXLDJDQUEyQyxDQUFDLENBQUMsT0FBTyxHQUFHLENBQ3JGLENBQUM7WUFDSjtnQkFDRSxNQUFNLElBQUksd0JBQVksQ0FBQyxJQUFJLFdBQVcsY0FBYyxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztRQUNyRSxDQUFDO0lBQ0gsQ0FBQztJQUNELE1BQU0sSUFBSSx3QkFBWSxDQUFDLElBQUksV0FBVyxjQUFjLElBQUEsaUNBQXNCLEVBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQyxDQUFDO0FBQ25GLENBQUM7QUFFRCxTQUFnQiwwQkFBMEIsQ0FDeEMsQ0FBUyxFQUNULFdBQW1CLEVBQ25CLG1CQUE4QjtJQUU5QixJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsY0FBSSxDQUFDLGNBQUksQ0FBQyxlQUFlLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDM0Msa0JBQWtCO1FBQ2xCLE1BQU0sSUFBSSw0QkFBZ0IsQ0FBQyxZQUFZLFdBQVcsMEJBQTBCLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDcEYsQ0FBQztJQUNELElBQUksQ0FBQyxDQUFDLFFBQVEsQ0FBQyxjQUFJLENBQUMsY0FBSSxDQUFDLGdCQUFnQixDQUFDLENBQUMsRUFBRSxDQUFDO1FBQzVDLElBQUksbUJBQW1CLElBQUksbUJBQW1CLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQzFELE1BQU0sSUFBSSxpQ0FBcUIsQ0FDN0IsWUFBWSxXQUFXLDZCQUE2QixFQUNwRCxtQkFBbUIsQ0FDcEIsQ0FBQztRQUNKLENBQUM7UUFDRCxNQUFNLElBQUksaUNBQXFCLENBQUMsWUFBWSxXQUFXLDZCQUE2QixDQUFDLENBQUM7SUFDeEYsQ0FBQztJQUNELElBQUksQ0FBQyxDQUFDLFFBQVEsQ0FBQyxjQUFJLENBQUMsY0FBSSxDQUFDLGVBQWUsQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUMzQyxtQkFBbUI7UUFDbkIsTUFBTSxJQUFJLGdDQUFvQixDQUFDLFlBQVksV0FBVyx3QkFBd0IsQ0FBQyxDQUFDO0lBQ2xGLENBQUM7SUFDRCxJQUNFLENBQUMsQ0FBQyxRQUFRLENBQUMsY0FBSSxDQUFDLGNBQUksQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUMvQixDQUFDLENBQUMsUUFBUSxDQUFDLGNBQUksQ0FBQyxjQUFJLENBQUMsYUFBYSxDQUFDLENBQUM7UUFDcEMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxjQUFJLENBQUMsY0FBSSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQy9CLENBQUMsQ0FBQyxRQUFRLENBQUMsY0FBSSxDQUFDLGNBQUksQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUM5QixDQUFDLENBQUMsUUFBUSxDQUFDLGNBQUksQ0FBQyxjQUFJLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztRQUN2QyxDQUFDLENBQUMsUUFBUSxDQUFDLGNBQUksQ0FBQyxjQUFJLENBQUMsV0FBVyxDQUFDLENBQUMsRUFDbEMsQ0FBQztRQUNELFFBQVE7UUFDUixNQUFNLElBQUksd0JBQVksQ0
FBQyxTQUFTLFdBQVcsMkNBQTJDLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDOUYsQ0FBQztJQUNELE1BQU0sSUFBSSx3QkFBWSxDQUFDLElBQUksV0FBVyxjQUFjLENBQUMsRUFBRSxDQUFDLENBQUM7QUFDM0QsQ0FBQztBQUVNLEtBQUssVUFBVSxxQkFBcUIsQ0FDekMsV0FBbUIsRUFDbkIsSUFBZ0I7SUFFaEIsSUFBSSxVQUFVLEdBQUcsQ0FBQyxDQUFDO0lBQ25CLE1BQU0sVUFBVSxHQUFHLEVBQUUsQ0FBQztJQUN0QixNQUFNLFFBQVEsR0FBRyxJQUFJLDRCQUFjLENBQUMsRUFBRSxZQUFZLEVBQUUsSUFBQSxxQ0FBbUIsRUFBQyxJQUFJLENBQUMsRUFBRSxXQUFXLEVBQUUsQ0FBQyxDQUFDO0lBRTlGLEdBQUcsQ0FBQztRQUNGLElBQUksUUFBc0MsQ0FBQztRQUMzQyxJQUFJLENBQUM7WUFDSCxRQUFRLEdBQUcsTUFBTSxRQUFRLENBQUMsRUFBRSxDQUFDLHVCQUF1QixDQUFDLG9CQUFvQixDQUFDO2dCQUN4RSxVQUFVLEVBQUU7b0JBQ1YsTUFBTSxFQUFFLFVBQVU7aUJBQ25CO2FBQ0YsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDWCxNQUFNLElBQUksd0JBQVksQ0FDcEIsSUFBSSxXQUFXLDRCQUE0QixJQUFBLGlDQUFzQixFQUFDLENBQUMsQ0FBQyxFQUFFLENBQ3ZFLENBQUM7UUFDSixDQUFDO1FBRUQsVUFBVSxDQUFDLElBQUksQ0FBQyxHQUFHLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO1FBQzlDLFVBQVUsR0FBRyxRQUFRLEVBQUUsVUFBVSxFQUFFLFVBQVUsSUFBSSxDQUFDLENBQUM7SUFDckQsQ0FBQyxRQUFRLFVBQVUsR0FBRyxDQUFDLEVBQUU7SUFFekIsTUFBTSxVQUFVLEdBQUcsVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQzFELHdCQUF3QjtJQUN4QixJQUFJLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQyxHQUFHLFdBQVcsTUFBTSxDQUFDLEVBQUUsQ0FBQztRQUMvQyxVQUFVLENBQUMsSUFBSSxDQUFDLEdBQUcsV0FBVyxNQUFNLENBQUMsQ0FBQztJQUN4QyxDQUFDO0lBRUQsT0FBTyxJQUFJLDJCQUFlLENBQUMsVUFBVSxFQUFFLEtBQUssQ0FBQyxDQUFDO0FBQ2hELENBQUM7QUFZRCxTQUFTLFNBQVMsQ0FBQyxPQUFpQjtJQUNsQyxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7UUFDYixPQUFPLEtBQUssQ0FBQztJQUNmLENBQUM7SUFDRCxNQUFNLEVBQUUsR0FBRyxPQUEwQixDQUFDO0lBQ3RDLE9BQU8sQ0FDTCxDQUFDLENBQUMsRUFBRSxDQUFDLE9BQU87UUFDWixDQUFDLENBQUMsRUFBRSxDQUFDLFVBQVU7UUFDZixPQUFPLEVBQUUsQ0FBQyxVQUFVLEtBQUssUUFBUTtRQUNqQyxDQUFDLENBQUMsRUFBRSxDQUFDLFVBQVUsQ0FBQyxHQUFHO1FBQ25CLENBQUMsQ0FBQyxFQUFFLENBQUMsVUFBVSxDQUFDLFNBQVM7UUFDekIsSUFBQSxnQ0FBb0IsRUFBQyxFQUFFLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUM5QyxDQUFDO0FBQ0osQ0FBQztBQUVNLEtBQUssVUFBVSxjQUFjLENBQ2xDLFdBQW1CLE
VBQ25CLFNBQWlDO0lBRWpDLElBQUksQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUNqQixNQUFNLElBQUksOEJBQWtCLENBQUMsMEJBQTBCLENBQUMsQ0FBQztJQUMzRCxDQUFDO0lBQ0QsdURBQXVEO0lBQ3ZELElBQUEsNEJBQWlCLEVBQUMsV0FBVyxDQUFDLENBQUM7SUFFL0IsTUFBTSxXQUFXLEdBQUcsSUFBQSx3Q0FBNkIsRUFBQyxXQUFXLENBQUMsQ0FBQztJQUMvRCxNQUFNLFFBQVEsR0FBRyxJQUFJLDRCQUFjLENBQUM7UUFDbEMsV0FBVztLQUNaLENBQUMsQ0FBQztJQUNILElBQUksQ0FBQztRQUNILE1BQU0sRUFBRSxHQUFHLEVBQUUsU0FBUyxFQUFFLEdBQUcsTUFBTSxRQUFRLENBQUMsRUFBRSxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUM7WUFDNUQsU0FBUyxFQUFFLFNBQVMsSUFBSSxVQUFVO1lBQ2xDLENBQUMsRUFBRSxHQUFHO1NBQ1AsQ0FBQyxDQUFDO1FBQ0gsTUFBTSxNQUFNLEdBQXFCO1lBQy9CLFNBQVM7WUFDVCxHQUFHLEVBQUUsV0FBVztZQUNoQixTQUFTLEVBQUUsU0FBUyxJQUFJLFVBQVU7WUFDbEMsR0FBRyxDQUFDLEdBQUcsSUFBSSxFQUFFLEdBQUcsRUFBRSxDQUFDO1NBQ3BCLENBQUM7UUFDRixPQUFPLE1BQU0sQ0FBQztJQUNoQixDQUFDO0lBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztRQUNYLE1BQU0sSUFBSSx3QkFBWSxDQUFDLElBQUksV0FBVyxpQkFBaUIsSUFBQSxpQ0FBc0IsRUFBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUM7SUFDdEYsQ0FBQztBQUNILENBQUM7QUFFRDs7Ozs7O0dBTUc7QUFDSSxLQUFLLFVBQVUsa0JBQWtCLENBQUMsV0FBbUI7SUFDMUQsSUFBSSxDQUFDLFdBQVcsRUFBRSxDQUFDO1FBQ2pCLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO0lBQzNELENBQUM7SUFDRCxJQUFBLDRCQUFpQixFQUFDLFdBQVcsQ0FBQyxDQUFDO0lBRS9CLE1BQU0sV0FBVyxHQUFHLElBQUEsd0NBQTZCLEVBQUMsV0FBVyxDQUFDLENBQUM7SUFDL0QsTUFBTSxRQUFRLEdBQUcsSUFBSSw0QkFBYyxDQUFDO1FBQ2xDLFdBQVc7S0FDWixDQUFDLENBQUM7SUFDSCxJQUFJLENBQUM7UUFDSCxNQUFNLEVBQUUsYUFBYSxFQUFFLEdBQUcsTUFBTSxRQUFRLENBQUMsRUFBRSxDQUFDLFNBQVMsQ0FBQyx5QkFBeUIsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUNwRixNQUFNLE9BQU8sR0FBRyxhQUFhLEVBQUUsUUFBc0MsQ0FBQztRQUN0RSxJQUFJLENBQUMsU0FBUyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDeEIsTUFBTSxJQUFJLHdCQUFZLENBQ3BCLG9DQUFvQyxXQUFXLGdEQUFnRCxDQUNoRyxDQUFDO1FBQ0osQ0FBQztRQUVELE1BQU0sTUFBTSxHQUFxQjtZQUMvQixTQUFTLEVBQUUsT0FBTyxDQUFDLFVBQVUsQ0FBQyxHQUFHO1lBQ2pDLEdBQUcsRUFBRSxPQUFPLENBQUMsT0FBTztZQUNwQixTQUFTLEVBQUUsT0FBTyxDQUFDLFVBQVUsQ0FBQyxTQUFTO1lBQ3ZDLEdBQUcsRUFBRSxPQUFPLENBQUMsVUFBVSxDQUFDLEdBQUc7U0FDNUIsQ0FBQztRQUNGLE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQU
M7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsTUFBTSxJQUFJLHdCQUFZLENBQUMsSUFBSSxXQUFXLGlCQUFpQixJQUFBLGlDQUFzQixFQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQztJQUN0RixDQUFDO0FBQ0gsQ0FBQyJ9
|
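Review bot: `fetchWrappedKey` now attaches the caller's interceptors, and so the access token and any DPoP proof, to a client pointed at whatever origin `getPlatformUrlFromKasEndpoint(url)` yields, and nothing in this hunk checks `url` against an allow-list. Presumably a caller validates the KAS endpoint before it reaches this function, so that precondition belongs in the doc comment, for example `@param url KAS endpoint; must already be validated against the origin allow-list, because auth headers are sent to it`. The same comment has no entry for the new `auth` parameter and still lists `@param clientVersion`, which the signature does not have. The function body continues outside the hunk, and since this file is compiled output the edit belongs in `package/src/access/access-rpc.ts`.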
package/dist/cjs/src/access.js
CHANGED
|
@@ -5,6 +5,7 @@ exports.fetchWrappedKey = fetchWrappedKey;
|
|
|
5
5
|
exports.fetchKeyAccessServers = fetchKeyAccessServers;
|
|
6
6
|
exports.fetchECKasPubKey = fetchECKasPubKey;
|
|
7
7
|
exports.fetchKasPubKey = fetchKasPubKey;
|
|
8
|
+
const interceptors_js_1 = require("./auth/interceptors.js");
|
|
8
9
|
const utils_js_1 = require("./utils.js");
|
|
9
10
|
const index_js_1 = require("./encodings/index.js");
|
|
10
11
|
const access_rpc_js_1 = require("./access/access-rpc.js");
|
|
@@ -21,9 +22,16 @@ const access_fetch_js_3 = require("./access/access-fetch.js");
|
|
|
21
22
|
* @param fulfillableObligationFQNs client-configured list of obligation value FQNs that can be fulfilled in this PEP
|
|
22
23
|
* @param clientVersion
|
|
23
24
|
*/
|
|
24
|
-
async function fetchWrappedKey(url, signedRequestToken,
|
|
25
|
+
async function fetchWrappedKey(url, signedRequestToken, auth, fulfillableObligationFQNs) {
|
|
25
26
|
const platformUrl = (0, utils_js_1.getPlatformUrlFromKasEndpoint)(url);
|
|
26
|
-
|
|
27
|
+
const { interceptors, authProvider } = (0, interceptors_js_1.resolveAuthConfig)(auth);
|
|
28
|
+
const rpcCall = () => (0, access_rpc_js_2.fetchWrappedKey)(platformUrl, signedRequestToken, { interceptors }, (0, exports.rewrapAdditionalContextHeader)(fulfillableObligationFQNs));
|
|
29
|
+
// When no AuthProvider is available, skip the legacy fallback so the real
|
|
30
|
+
// RPC error propagates instead of being masked by tryPromisesUntilFirstSuccess.
|
|
31
|
+
if (!authProvider) {
|
|
32
|
+
return await rpcCall();
|
|
33
|
+
}
|
|
34
|
+
return await tryPromisesUntilFirstSuccess(rpcCall,
|
|
27
35
|
// We intentionally do not provide the rewrap additional context to legacy requests destined for older platforms.
|
|
28
36
|
// Platforms new enough to have knowledge of obligations will be handling RPC requests successfully.
|
|
29
37
|
() => (0, access_fetch_js_2.fetchWrappedKey)(url, { signedRequestToken }, authProvider));
|
|
@@ -102,8 +110,13 @@ exports.publicKeyAlgorithmToJwa = publicKeyAlgorithmToJwa;
|
|
|
102
110
|
* @param authProvider The authentication provider to use for the request.
|
|
103
111
|
* @returns A promise that resolves to an OriginAllowList.
|
|
104
112
|
*/
|
|
105
|
-
async function fetchKeyAccessServers(platformUrl,
|
|
106
|
-
|
|
113
|
+
async function fetchKeyAccessServers(platformUrl, auth) {
|
|
114
|
+
const { interceptors, authProvider } = (0, interceptors_js_1.resolveAuthConfig)(auth);
|
|
115
|
+
const rpcCall = () => (0, access_rpc_js_1.fetchKeyAccessServers)(platformUrl, { interceptors });
|
|
116
|
+
if (!authProvider) {
|
|
117
|
+
return await rpcCall();
|
|
118
|
+
}
|
|
119
|
+
return await tryPromisesUntilFirstSuccess(rpcCall, () => (0, access_fetch_js_1.fetchKeyAccessServers)(platformUrl, authProvider));
|
|
107
120
|
}
|
|
108
121
|
/**
|
|
109
122
|
* Fetch the EC (secp256r1) public key for a KAS endpoint.
|
|
@@ -184,4 +197,4 @@ async function tryPromisesUntilFirstSuccess(first, second) {
|
|
|
184
197
|
}
|
|
185
198
|
}
|
|
186
199
|
}
|
|
187
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
200
|
+
//# sourceMappingURL=data:application/json;base64,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
|
|
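Review bot: The doc comment above `fetchKeyAccessServers` still reads `@param authProvider The authentication provider to use for the request.`, but the parameter is now `auth` and is passed through `resolveAuthConfig`, so it may carry interceptors with no `AuthProvider` at all. Suggested wording: `@param auth Interceptor config or legacy AuthProvider; the legacy fetch fallback is attempted only when an AuthProvider is supplied.` The comment above `fetchWrappedKey` needs the same entry and still lists `@param clientVersion`, which is not in the signature. This file is compiled output, so the comments should be corrected in `package/src/access.ts`.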
@@ -0,0 +1,186 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
36
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
37
|
+
};
|
|
38
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
39
|
+
exports.authTokenInterceptor = authTokenInterceptor;
|
|
40
|
+
exports.authTokenDPoPInterceptor = authTokenDPoPInterceptor;
|
|
41
|
+
exports.authProviderInterceptor = authProviderInterceptor;
|
|
42
|
+
exports.isInterceptorConfig = isInterceptorConfig;
|
|
43
|
+
exports.resolveInterceptors = resolveInterceptors;
|
|
44
|
+
exports.resolveAuthConfig = resolveAuthConfig;
|
|
45
|
+
const DefaultCryptoService = __importStar(require("../../tdf3/src/crypto/index.js"));
|
|
46
|
+
const dpop_js_1 = __importDefault(require("./dpop.js"));
|
|
47
|
+
const index_js_1 = require("../encodings/index.js");
|
|
48
|
+
/**
|
|
49
|
+
* Creates a simple bearer-token interceptor.
|
|
50
|
+
* Calls `tokenProvider()` per-request and sets the `Authorization` header.
|
|
51
|
+
*
|
|
52
|
+
* @param tokenProvider Function returning a valid access token.
|
|
53
|
+
* @returns A Connect RPC Interceptor.
|
|
54
|
+
*
|
|
55
|
+
* @example
|
|
56
|
+
* ```ts
|
|
57
|
+
* const opentdf = new OpenTDF({
|
|
58
|
+
* interceptors: [authTokenInterceptor(() => myAuth.getAccessToken())],
|
|
59
|
+
* platformUrl: '/api',
|
|
60
|
+
* });
|
|
61
|
+
* ```
|
|
62
|
+
*/
|
|
63
|
+
function authTokenInterceptor(tokenProvider) {
|
|
64
|
+
return (next) => async (req) => {
|
|
65
|
+
const token = await tokenProvider();
|
|
66
|
+
req.header.set('Authorization', `Bearer ${token}`);
|
|
67
|
+
return next(req);
|
|
68
|
+
};
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* Creates a DPoP-aware auth interceptor.
|
|
72
|
+
* Per-request: gets token, generates DPoP proof JWT, sets Authorization + DPoP + X-VirtruPubKey headers.
|
|
73
|
+
* Exposes `dpopKeys` for TDF request body signing.
|
|
74
|
+
*
|
|
75
|
+
* @param options DPoP interceptor configuration.
|
|
76
|
+
* @returns A DPoP interceptor with an exposed `dpopKeys` promise.
|
|
77
|
+
*
|
|
78
|
+
* @example
|
|
79
|
+
* ```ts
|
|
80
|
+
* const dpopInterceptor = authTokenDPoPInterceptor({
|
|
81
|
+
* tokenProvider: () => myAuth.getAccessToken(),
|
|
82
|
+
* });
|
|
83
|
+
* const opentdf = new OpenTDF({
|
|
84
|
+
* interceptors: [dpopInterceptor],
|
|
85
|
+
* dpopKeys: dpopInterceptor.dpopKeys,
|
|
86
|
+
* platformUrl: '/api',
|
|
87
|
+
* });
|
|
88
|
+
* ```
|
|
89
|
+
*/
|
|
90
|
+
function authTokenDPoPInterceptor(options) {
|
|
91
|
+
const cryptoService = options.cryptoService ?? DefaultCryptoService;
|
|
92
|
+
const dpopKeysPromise = options.dpopKeys
|
|
93
|
+
? Promise.resolve(options.dpopKeys)
|
|
94
|
+
: cryptoService.generateSigningKeyPair();
|
|
95
|
+
const interceptor = (next) => async (req) => {
|
|
96
|
+
const [token, keys] = await Promise.all([options.tokenProvider(), dpopKeysPromise]);
|
|
97
|
+
const url = new URL(req.url);
|
|
98
|
+
const httpUri = `${url.origin}${url.pathname}`;
|
|
99
|
+
// Generate DPoP proof JWT for this request
|
|
100
|
+
const dpopProof = await (0, dpop_js_1.default)(keys, cryptoService, httpUri, 'POST');
|
|
101
|
+
// Export public key PEM for X-VirtruPubKey header
|
|
102
|
+
const publicKeyPem = await cryptoService.exportPublicKeyPem(keys.publicKey);
|
|
103
|
+
req.header.set('Authorization', `Bearer ${token}`);
|
|
104
|
+
req.header.set('DPoP', dpopProof);
|
|
105
|
+
req.header.set('X-VirtruPubKey', index_js_1.base64.encode(publicKeyPem));
|
|
106
|
+
return next(req);
|
|
107
|
+
};
|
|
108
|
+
// Attach dpopKeys to the interceptor function
|
|
109
|
+
const dpopInterceptor = interceptor;
|
|
110
|
+
Object.defineProperty(dpopInterceptor, 'dpopKeys', {
|
|
111
|
+
value: dpopKeysPromise,
|
|
112
|
+
writable: false,
|
|
113
|
+
enumerable: true,
|
|
114
|
+
});
|
|
115
|
+
return dpopInterceptor;
|
|
116
|
+
}
|
|
117
|
+
/**
|
|
118
|
+
* Creates an interceptor that bridges an existing AuthProvider to the Interceptor pattern.
|
|
119
|
+
* Use this for backwards compatibility when migrating from AuthProvider to interceptors.
|
|
120
|
+
*
|
|
121
|
+
* @param authProvider The legacy AuthProvider to bridge.
|
|
122
|
+
* @returns A Connect RPC Interceptor.
|
|
123
|
+
*/
|
|
124
|
+
function authProviderInterceptor(authProvider) {
|
|
125
|
+
return (next) => async (req) => {
|
|
126
|
+
const url = new URL(req.url);
|
|
127
|
+
const pathOnly = url.pathname;
|
|
128
|
+
// Signs only the path of the url in the request
|
|
129
|
+
let token;
|
|
130
|
+
try {
|
|
131
|
+
token = await authProvider.withCreds({
|
|
132
|
+
url: pathOnly,
|
|
133
|
+
method: 'POST',
|
|
134
|
+
// Start with any headers Connect already has
|
|
135
|
+
headers: {
|
|
136
|
+
...Object.fromEntries(req.header.entries()),
|
|
137
|
+
'Content-Type': 'application/json',
|
|
138
|
+
},
|
|
139
|
+
});
|
|
140
|
+
}
|
|
141
|
+
catch (err) {
|
|
142
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
143
|
+
if (msg.includes('public key') || msg.includes('updateClientPublicKey')) {
|
|
144
|
+
throw new Error('PlatformClient: DPoP key binding is not complete. ' +
|
|
145
|
+
'If you are using OpenTDF with PlatformClient, create OpenTDF first and ' +
|
|
146
|
+
'`await client.ready` before constructing PlatformClient. ' +
|
|
147
|
+
`Original error: ${msg}`);
|
|
148
|
+
}
|
|
149
|
+
throw err;
|
|
150
|
+
}
|
|
151
|
+
Object.entries(token.headers).forEach(([key, value]) => {
|
|
152
|
+
req.header.set(key, value);
|
|
153
|
+
});
|
|
154
|
+
return await next(req);
|
|
155
|
+
};
|
|
156
|
+
}
|
|
157
|
+
/**
|
|
158
|
+
* Type guard for AuthConfig with interceptors.
|
|
159
|
+
*/
|
|
160
|
+
function isInterceptorConfig(auth) {
|
|
161
|
+
return 'interceptors' in auth && Array.isArray(auth.interceptors);
|
|
162
|
+
}
|
|
163
|
+
/**
|
|
164
|
+
* Resolves an AuthConfig into interceptors for use with PlatformClient.
|
|
165
|
+
* If the config is an AuthProvider, it is bridged via authProviderInterceptor.
|
|
166
|
+
*/
|
|
167
|
+
function resolveInterceptors(auth) {
|
|
168
|
+
if (isInterceptorConfig(auth)) {
|
|
169
|
+
return auth.interceptors;
|
|
170
|
+
}
|
|
171
|
+
return [authProviderInterceptor(auth)];
|
|
172
|
+
}
|
|
173
|
+
/**
|
|
174
|
+
* Resolves an AuthConfig into both interceptors and an optional AuthProvider.
|
|
175
|
+
* The AuthProvider is available for legacy code paths that need withCreds().
|
|
176
|
+
*/
|
|
177
|
+
function resolveAuthConfig(auth) {
|
|
178
|
+
if (isInterceptorConfig(auth)) {
|
|
179
|
+
return { interceptors: auth.interceptors };
|
|
180
|
+
}
|
|
181
|
+
return {
|
|
182
|
+
interceptors: [authProviderInterceptor(auth)],
|
|
183
|
+
authProvider: auth,
|
|
184
|
+
};
|
|
185
|
+
}
|
|
186
|
+
//# sourceMappingURL=data:application/json;base64,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
|
|
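Review bot: `authTokenInterceptor` and `authTokenDPoPInterceptor` interpolate whatever `tokenProvider()` resolves to straight into the header, so a provider that resolves to `undefined` or an empty string sends `Authorization: Bearer undefined` instead of failing locally. The README now makes the caller's own auth library the source of tokens, so a guard right after the await, e.g. `if (typeof token !== 'string' || token.length === 0) throw new Error('tokenProvider returned no access token');`, would surface that misconfiguration before the request leaves the client. Separately, the DPoP proof is always generated with the literal `'POST'`, which is only correct while every call routed through this interceptor is a POST; a comment stating that assumption would help. This file is compiled output, so the change belongs in `package/src/auth/interceptors.ts`.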
@@ -93,6 +93,8 @@ class AccessToken {
|
|
|
93
93
|
}
|
|
94
94
|
// Export opaque public key to PEM format for header
|
|
95
95
|
const publicKeyPem = await this.cryptoService.exportPublicKeyPem(this.signingKey.publicKey);
|
|
96
|
+
// TODO: Rename to X-OpenTDF-PubKey; requires coordinated change with
|
|
97
|
+
// platform Keycloak mapper (lib/fixtures/keycloak.go `client.publickey`).
|
|
96
98
|
headers['X-VirtruPubKey'] = index_js_1.base64.encode(publicKeyPem);
|
|
97
99
|
headers.DPoP = await (0, dpop_js_1.default)(this.signingKey, this.cryptoService, url, 'POST');
|
|
98
100
|
}
|
|
@@ -208,8 +210,8 @@ class AccessToken {
|
|
|
208
210
|
return tokenResponse.access_token;
|
|
209
211
|
}
|
|
210
212
|
async withCreds(httpReq) {
|
|
211
|
-
if (!this.signingKey) {
|
|
212
|
-
throw new errors_js_1.ConfigurationError('Client public key was not set via `updateClientPublicKey` or passed in via constructor
|
|
213
|
+
if (this.config.dpopEnabled && !this.signingKey) {
|
|
214
|
+
throw new errors_js_1.ConfigurationError('Client public key was not set via `updateClientPublicKey` or passed in via constructor; required when DPoP is enabled');
|
|
213
215
|
}
|
|
214
216
|
const accessToken = (this.currentAccessToken ??= await this.get());
|
|
215
217
|
if (this.config.dpopEnabled && this.signingKey) {
|
|
@@ -222,4 +224,4 @@ class AccessToken {
|
|
|
222
224
|
}
|
|
223
225
|
}
|
|
224
226
|
exports.AccessToken = AccessToken;
|
|
225
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
227
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2lkYy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hdXRoL29pZGMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBQUEsd0RBQThDO0FBQzlDLHVDQUFxRDtBQUNyRCxvREFBK0M7QUFDL0MsNENBQTREO0FBQzVELDBDQUFxQztBQXFEckMsTUFBTSxVQUFVLEdBQUcsQ0FBQyxHQUEyQixFQUFFLEVBQUUsQ0FBQyxJQUFJLGVBQWUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxRQUFRLEVBQUUsQ0FBQztBQU94Rjs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBcUJHO0FBQ0gsTUFBYSxXQUFXO0lBbUJ0QixZQUFZLEdBQW9CLEVBQUUsYUFBNEIsRUFBRSxPQUFzQjtRQU50RixpQkFBWSxHQUEyQixFQUFFLENBQUM7UUFPeEMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUNsQixNQUFNLElBQUksOEJBQWtCLENBQzFCLDRFQUE0RSxDQUM3RSxDQUFDO1FBQ0osQ0FBQztRQUNELElBQUksR0FBRyxDQUFDLFFBQVEsS0FBSyxRQUFRLElBQUksQ0FBQyxHQUFHLENBQUMsWUFBWSxFQUFFLENBQUM7WUFDbkQsTUFBTSxJQUFJLDhCQUFrQixDQUMxQiw0RUFBNEUsQ0FDN0UsQ0FBQztRQUNKLENBQUM7UUFDRCxJQUFJLEdBQUcsQ0FBQyxRQUFRLEtBQUssU0FBUyxJQUFJLENBQUMsR0FBRyxDQUFDLFlBQVksRUFBRSxDQUFDO1lBQ3BELE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw0REFBNEQsQ0FBQyxDQUFDO1FBQzdGLENBQUM7UUFDRCxJQUFJLEdBQUcsQ0FBQyxRQUFRLEtBQUssVUFBVSxJQUFJLENBQUMsR0FBRyxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQ3BELE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyxtREFBbUQsQ0FBQyxDQUFDO1FBQ3BGLENBQUM7UUFDRCxJQUFJLENBQUMsR0FBRyxDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQ2xCLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyw0QkFBNEIsQ0FBQyxDQUFDO1FBQzdELENBQUM7UUFDRCxJQUFJLENBQUMsTUFBTSxHQUFHLEdBQUcsQ0FBQztRQUNsQixJQUFJLENBQUMsYUFBYSxHQUFHLGFBQWEsQ0FBQztRQUNuQyxJQUFJLENBQUMsT0FBTyxHQUFHLE9BQU8sQ0FBQztRQUN2QixJQUFJLENBQUMsT0FBTyxHQUFHLElBQUEsaUJBQU0sRUFBQyxHQUFHLENBQUMsVUFBVSxFQUFFLEdBQUcsQ0FBQyxDQUFDO1FBQzNDLElBQUksQ0FBQyxhQUFhLEdBQUcsR0FBRyxDQUFDLGlCQUFpQixJQUFJLEdBQUcsSUFBSSxDQUFDLE9BQU8sZ0NBQWdDLENBQUM7UUFDOUYsSUFBSSxDQUFDLGdCQUFnQjtZQUNuQixHQUFHLENBQUMsb0JBQW9CLElBQUksR0FBRyxJQUFJLENBQUMsT0FBTyxtQ0FBbUMsQ0FBQztRQUNqRixJQUFJLENBQUMsVUFBVSxHQUFHLEdBQUcsQ0FBQyxVQUFVLENBQUM7SUFDbkMsQ0FBQztJQUVEOzs7O09BSUc7SUFDSCxLQUFLLENBQUMsSUFBSSxDQUFDLFdBQW1CO1FBQzVCLE1BQU0sT0FBTyxHQUFHO1lBQ2QsR0FBRyxJQUFJLENBQUMsWUFBWTtZQUNwQi
xhQUFhLEVBQUUsVUFBVSxXQUFXLEVBQUU7U0FDYixDQUFDO1FBQzVCLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxXQUFXLElBQUksSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQy9DLE9BQU8sQ0FBQyxJQUFJLEdBQUcsTUFBTSxJQUFBLGlCQUFNLEVBQ3pCLElBQUksQ0FBQyxVQUFVLEVBQ2YsSUFBSSxDQUFDLGFBQWEsRUFDbEIsSUFBSSxDQUFDLGdCQUFnQixFQUNyQixNQUFNLENBQ1AsQ0FBQztRQUNKLENBQUM7UUFDRCxNQUFNLFFBQVEsR0FBRyxNQUFNLENBQUMsSUFBSSxDQUFDLE9BQU8sSUFBSSxLQUFLLENBQUMsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLEVBQUU7WUFDcEUsT0FBTztTQUNSLENBQUMsQ0FBQztRQUNILElBQUksQ0FBQyxRQUFRLENBQUMsRUFBRSxFQUFFLENBQUM7WUFDakIsT0FBTyxDQUFDLEtBQUssQ0FBQyxNQUFNLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxDQUFDO1lBQ3JDLE1BQU0sSUFBSSxvQkFBUSxDQUNoQix3QkFBd0IsSUFBSSxDQUFDLGdCQUFnQixRQUFRLFFBQVEsQ0FBQyxNQUFNLElBQUksUUFBUSxDQUFDLFVBQVUsRUFBRSxDQUM5RixDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sQ0FBQyxNQUFNLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBWSxDQUFDO0lBQzVDLENBQUM7SUFFRCxLQUFLLENBQUMsTUFBTSxDQUFDLEdBQVcsRUFBRSxDQUF5QjtRQUNqRCxNQUFNLE9BQU8sR0FBMkI7WUFDdEMsY0FBYyxFQUFFLG1DQUFtQztZQUNuRCxNQUFNLEVBQUUsa0JBQWtCO1NBQzNCLENBQUM7UUFDRixpQ0FBaUM7UUFDakMsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQzVCLElBQUksQ0FBQyxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7Z0JBQ3JCLE1BQU0sSUFBSSw4QkFBa0IsQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO1lBQzFELENBQUM7WUFDRCxvREFBb0Q7WUFDcEQsTUFBTSxZQUFZLEdBQUcsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLGtCQUFrQixDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDNUYscUVBQXFFO1lBQ3JFLDBFQUEwRTtZQUMxRSxPQUFPLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxpQkFBTSxDQUFDLE1BQU0sQ0FBQyxZQUFZLENBQUMsQ0FBQztZQUN4RCxPQUFPLENBQUMsSUFBSSxHQUFHLE1BQU0sSUFBQSxpQkFBTSxFQUFDLElBQUksQ0FBQyxVQUFVLEVBQUUsSUFBSSxDQUFDLGFBQWEsRUFBRSxHQUFHLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFDaEYsQ0FBQztRQUNELE9BQU8sQ0FBQyxJQUFJLENBQUMsT0FBTyxJQUFJLEtBQUssQ0FBQyxDQUFDLEdBQUcsRUFBRTtZQUNsQyxNQUFNLEVBQUUsTUFBTTtZQUNkLE9BQU87WUFDUCxJQUFJLEVBQUUsVUFBVSxDQUFDLENBQUMsQ0FBQztTQUNwQixDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsS0FBSyxDQUFDLGlCQUFpQixDQUFDLEdBQW9CO1FBQzFDLElBQUksSUFBSSxDQUFDO1FBQ1QsUUFBUSxHQUFHLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDckIsS0FBSyxRQUFRO2dCQUNYLElBQUksR0
FBRztvQkFDTCxVQUFVLEVBQUUsb0JBQW9CO29CQUNoQyxTQUFTLEVBQUUsR0FBRyxDQUFDLFFBQVE7b0JBQ3ZCLGFBQWEsRUFBRSxHQUFHLENBQUMsWUFBWTtpQkFDaEMsQ0FBQztnQkFDRixNQUFNO1lBQ1IsS0FBSyxVQUFVO2dCQUNiLElBQUksR0FBRztvQkFDTCxVQUFVLEVBQUUsaURBQWlEO29CQUM3RCxhQUFhLEVBQUUsR0FBRyxDQUFDLFdBQVc7b0JBQzlCLGtCQUFrQixFQUFFLHNDQUFzQztvQkFDMUQsUUFBUSxFQUFFLEdBQUcsQ0FBQyxRQUFRO29CQUN0QixTQUFTLEVBQUUsR0FBRyxDQUFDLFFBQVE7aUJBQ3hCLENBQUM7Z0JBQ0YsTUFBTTtZQUNSLEtBQUssU0FBUztnQkFDWixJQUFJLEdBQUc7b0JBQ0wsVUFBVSxFQUFFLGVBQWU7b0JBQzNCLGFBQWEsRUFBRSxHQUFHLENBQUMsWUFBWTtvQkFDL0IsU0FBUyxFQUFFLEdBQUcsQ0FBQyxRQUFRO2lCQUN4QixDQUFDO2dCQUNGLE1BQU07UUFDVixDQUFDO1FBQ0QsTUFBTSxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxhQUFhLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFDN0QsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLEVBQUUsQ0FBQztZQUNqQixPQUFPLENBQUMsS0FBSyxDQUFDLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDLENBQUM7WUFDckMsTUFBTSxJQUFJLG9CQUFRLENBQ2hCLG1DQUFtQyxJQUFJLENBQUMsYUFBYSxRQUFRLFFBQVEsQ0FBQyxNQUFNLElBQUksUUFBUSxDQUFDLFVBQVUsRUFBRSxDQUN0RyxDQUFDO1FBQ0osQ0FBQztRQUNELE9BQU8sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO0lBQ3pCLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsS0FBSyxDQUFDLEdBQUcsQ0FBQyxRQUFRLEdBQUcsSUFBSTtRQUN2QixJQUFJLElBQUksQ0FBQyxJQUFJLEVBQUUsWUFBWSxFQUFFLENBQUM7WUFDNUIsSUFBSSxDQUFDO2dCQUNILElBQUksUUFBUSxFQUFFLENBQUM7b0JBQ2IsTUFBTSxJQUFJLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQUM7Z0JBQzFDLENBQUM7Z0JBQ0QsT0FBTyxJQUFJLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQztZQUNoQyxDQUFDO1lBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztnQkFDWCxPQUFPLENBQUMsR0FBRyxDQUFDLCtEQUErRCxFQUFFLENBQUMsQ0FBQyxDQUFDO2dCQUNoRixJQUFJLElBQUksQ0FBQyxJQUFJLEVBQUUsYUFBYSxFQUFFLENBQUM7b0JBQzdCLGtFQUFrRTtvQkFDbEUsaUJBQWlCO29CQUNqQixJQUFJLENBQUMsTUFBTSxHQUFHO3dCQUNaLEdBQUcsSUFBSSxDQUFDLE1BQU07d0JBQ2QsUUFBUSxFQUFFLFNBQVM7d0JBQ25CLFlBQVksRUFBRSxJQUFJLENBQUMsSUFBSSxDQUFDLGFBQWE7cUJBQ3RDLENBQUM7Z0JBQ0osQ0FBQztnQkFDRCxPQUFPLElBQUksQ0FBQyxJQUFJLENBQUM7WUFDbkIsQ0FBQztRQUNILENBQUM7UUFFRCxNQUFNLGFBQWEsR0FBRyxDQUFDLElBQUksQ0FBQyxJQUFJLEdBQUcsTUFBTSxJQUFJLENBQUMsaUJBQWlCLENBQUMsSUFBSSxDQU
FDLE1BQU0sQ0FBQyxDQUFDLENBQUM7UUFDOUUsT0FBTyxhQUFhLENBQUMsWUFBWSxDQUFDO0lBQ3BDLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSCxLQUFLLENBQUMsMENBQTBDLENBQUMsVUFBbUI7UUFDbEUsc0RBQXNEO1FBQ3RELDZDQUE2QztRQUM3QywyREFBMkQ7UUFDM0QsSUFBSSxJQUFJLENBQUMsa0JBQWtCLElBQUksVUFBVSxLQUFLLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUM5RCxPQUFPO1FBQ1QsQ0FBQztRQUNELE9BQU8sSUFBSSxDQUFDLGtCQUFrQixDQUFDO1FBQy9CLElBQUksQ0FBQyxVQUFVLEdBQUcsVUFBVSxDQUFDO0lBQy9CLENBQUM7SUFFRDs7T0FFRztJQUNILEtBQUssQ0FBQyx1QkFBdUI7UUFDM0IsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQztRQUN4QixJQUFJLEdBQUcsQ0FBQyxRQUFRLElBQUksVUFBVSxJQUFJLEdBQUcsQ0FBQyxRQUFRLElBQUksU0FBUyxFQUFFLENBQUM7WUFDNUQsTUFBTSxJQUFJLDhCQUFrQixDQUFDLDRCQUE0QixDQUFDLENBQUM7UUFDN0QsQ0FBQztRQUNELE1BQU0sYUFBYSxHQUFHLENBQUMsSUFBSSxDQUFDLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztRQUM5RSxJQUFJLENBQUMsYUFBYSxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQ2pDLE9BQU8sQ0FBQyxHQUFHLENBQUMsMkJBQTJCLENBQUMsQ0FBQztZQUN6QyxPQUFPLENBQ0wsQ0FBQyxHQUFHLENBQUMsUUFBUSxJQUFJLFNBQVMsSUFBSSxHQUFHLENBQUMsWUFBWSxDQUFDO2dCQUMvQyxDQUFDLEdBQUcsQ0FBQyxRQUFRLElBQUksVUFBVSxJQUFJLEdBQUcsQ0FBQyxXQUFXLENBQUM7Z0JBQy9DLEVBQUUsQ0FDSCxDQUFDO1FBQ0osQ0FBQztRQUNELGtFQUFrRTtRQUNsRSxpQkFBaUI7UUFDakIsSUFBSSxDQUFDLE1BQU0sR0FBRztZQUNaLEdBQUcsSUFBSSxDQUFDLE1BQU07WUFDZCxRQUFRLEVBQUUsU0FBUztZQUNuQixZQUFZLEVBQUUsYUFBYSxDQUFDLGFBQWE7U0FDMUMsQ0FBQztRQUNGLE9BQU8sYUFBYSxDQUFDLFlBQVksQ0FBQztJQUNwQyxDQUFDO0lBRUQsS0FBSyxDQUFDLFNBQVMsQ0FBQyxPQUFvQjtRQUNsQyxJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsV0FBVyxJQUFJLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQ2hELE1BQU0sSUFBSSw4QkFBa0IsQ0FDMUIsdUhBQXVILENBQ3hILENBQUM7UUFDSixDQUFDO1FBQ0QsTUFBTSxXQUFXLEdBQUcsQ0FBQyxJQUFJLENBQUMsa0JBQWtCLEtBQUssTUFBTSxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUMsQ0FBQztRQUNuRSxJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsV0FBVyxJQUFJLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUMvQyxNQUFNLFNBQVMsR0FBRyxNQUFNLElBQUEsaUJBQU0sRUFDNUIsSUFBSSxDQUFDLFVBQVUsRUFDZixJQUFJLENBQUMsYUFBYSxFQUNsQixPQUFPLENBQUMsR0FBRyxFQUNYLE9BQU8sQ0FBQyxNQUFNO1lBQ2QsV0FBVyxDQUFDLFNBQV
MsRUFDckIsV0FBVyxDQUNaLENBQUM7WUFDRix1RUFBdUU7WUFDdkUsT0FBTyxJQUFBLHFCQUFXLEVBQUMsT0FBTyxFQUFFLEVBQUUsYUFBYSxFQUFFLFVBQVUsV0FBVyxFQUFFLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxDQUFDLENBQUM7UUFDM0YsQ0FBQztRQUNELE9BQU8sSUFBQSxxQkFBVyxFQUFDLE9BQU8sRUFBRSxFQUFFLGFBQWEsRUFBRSxVQUFVLFdBQVcsRUFBRSxFQUFFLENBQUMsQ0FBQztJQUMxRSxDQUFDO0NBQ0Y7QUE5T0Qsa0NBOE9DIn0=
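Review bot: In `withCreds`, the relaxed guard `if (this.config.dpopEnabled && !this.signingKey)` lets a client with no signing key through whenever `dpopEnabled` is false or unset, where the old code always threw, and nothing in the hunk documents that downgrade. The body continues past the hunk, but the DPoP branch is gated on the same flag, so the fall-through presumably attaches only the `Authorization` bearer header, leaving the token with no proof-of-possession binding. A deployment that forgot to set the flag now gets the weaker mode silently instead of a `ConfigurationError`. I would add a comment above the guard such as `// DPoP off: requests carry a plain bearer token with no sender binding; a missing signing key is only an error when dpopEnabled is set`, and state the same on the `dpopEnabled` option's documentation. Since this file is compiled output, the comment belongs in the TypeScript source it is built from.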
|