@superhero/eventflow-certificates 4.8.2 → 4.8.3

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+---
+#### v4.8.3
+---
+
+...
+
 ---
 #### v4.8.2
 ---\n\nVersion alignment...

package/index.js

@@ -10,9 +10,11 @@ import config     from '@superhero/eventflow-certificates/config'
 export default class Certificates
 {
   #db
-  #map    = new Map()
-  openSSL = new OpenSSL()
-  config  = structuredClone(config.eventflow.certificates)
+  #map      = new Map()
+  openSSL   = new OpenSSL()
+  config    = structuredClone(config.eventflow.certificates)
+  #lockRef  = 'eventflow:certificates'
+  rootUID   = 'EVENTFLOW-ROOT-CA'
 
   constructor(intermediateUID, leafUID, config, db)
   {
@@ -48,7 +50,7 @@ export default class Certificates
    * 
    * @returns {Promise<boolean>} true if the certificate was persisted, false if it already exists
    */
-  perist(id, validity, cert, key, pass)
+  #perist(id, validity, cert, key, pass)
   {
     const
       encryptionKey = this.config.CERT_PASS_ENCRYPTION_KEY,
@@ -74,29 +76,85 @@ export default class Certificates
   }
 
   /**
-   * Revoke a specific certificate by ID in the database.
-   * @param {string} id the certificate identifier
-   * @returns {Promise<boolean>} true if the certificate was revoked, false if it does not exist
+   * Revokes the certificate, and any certificate that depends on it.
+   * @param {string} id the certificate identifier (UID), must be one of: `this.rootUID`, `this.intermediateUID` or `this.leafUID`
+   * @returns {Promise<boolean>} true if any certificate was revoked, false if none was revoked.
    */
-  revoke(id)
+  async revoke(id)
   {
-    return this.#db.revokeCertificate(id)
+    return await this.#db.lock(this.#lockRef, this.#revoke.bind(this, id))
+  }
+
+  async #revoke(id)
+  {
+    let revoked = false
+
+    switch(id)
+    {
+      case this.rootUID: 
+      {
+        this.#map.delete(this.rootUID)
+        revoked = await this.#db.revokeCertificate(this.rootUID)
+
+        // fall through to also revoke the intermediate and leaf certificates, since they depends on the root certificate
+      }
+      case this.intermediateUID: 
+      {
+        this.#map.delete(this.intermediateUID)
+        revoked = await this.#db.revokeCertificate(this.intermediateUID) || revoked
+
+        // fall through to also revoke the leaf certificate, since it depends on the intermediate certificate
+      }
+      case this.leafUID:
+      {
+        this.#map.delete(this.leafUID)
+        revoked = await this.#db.revokeCertificate(this.leafUID) || revoked
+
+        // returns if any of the certificates was revoked...
+        return revoked
+      }
+      default:
+      {
+        const error = new Error(`can not revoke the provided invalid certificate (${id})`)
+        error.code  = 'E_EVENTFLOW_CERTIFICATES_INVALID_ID'
+        throw error
+      }
+    }
+  }
+
+  /**
+   * Get the certificate chain, which includes the root, intermediate and leaf certificates.
+   * @returns {Promise
+   * <{
+   *  root          : {cert:string, key:string, pass:string}, 
+   *  intermediate  : {cert:string, key:string, pass:string}, 
+   *  leaf          : {cert:string, key:string, pass:string}
+   * }>}
+   */
+  async getChain()
+  {
+    return await this.#db.lock(this.#lockRef, async () => 
+    ({
+      root         : await this.#getRoot(),
+      intermediate : await this.#getIntermediate(),
+      leaf         : await this.#getLeaf()
+    }))
   }
 
   /**
    * The root certificate authority (CA).
    * @returns {Promise<{cert:string, key:string, pass:string}>}
    */
-  get root()
+  async #getRoot()
   {
-    return this.#lazyload('EVENTFLOW-ROOT-CA', this.#createRoot.bind(this))
+    return this.#lazyload(this.rootUID, this.#createRoot.bind(this))
   }
 
   /**
    * The intermediate certificate authority (ICA).
    * @returns {Promise<{cert:string, key:string, pass:string}>}
    */
-  get intermediate()
+  async #getIntermediate()
   {
     return this.#lazyload(this.intermediateUID, this.#createIntermediate.bind(this))
   }
@@ -105,7 +163,7 @@ export default class Certificates
    * The leaf end-entity certificate.
    * @returns {Promise<{cert:string, key:string, pass:string}>}
    */
-  get leaf()
+  async #getLeaf()
   {
     return this.#lazyload(this.leafUID, this.#createLeaf.bind(this))
   }
@@ -142,8 +200,7 @@ export default class Certificates
     if(Date.now() + 6e5 > crt.validity)
     {
       this.log.warn`certificate expired ${id}`
-      this.#map.delete(id)
-      await this.#db.revokeCertificate(id)
+      await this.#revoke(id)
       return this.#lazyload(id, factory)
     }
     else
@@ -176,7 +233,7 @@ export default class Certificates
     const
       x509          = new crypto.X509Certificate(certificate.cert),
       validity      = x509.validToDate,
-      isPersisted   = await this.perist(id, validity, cert, key, keyPass)
+      isPersisted   = await this.#perist(id, validity, cert, key, keyPass)
 
     // If multiple replicas tries at the same time to creater the certificate, 
     // then only the first one to persist is valid, the rest should throw away 
@@ -208,7 +265,7 @@ export default class Certificates
 
   async #createIntermediate(UID, password)
   {
-    const root = await this.root
+    const root = await this.#getRoot()
     return await this.openSSL.intermediate(root, 
     {
       days      : Number(this.config.CERT_INTERMEDIATE_DAYS),
@@ -226,7 +283,7 @@ export default class Certificates
 
   async #createLeaf(UID, password)
   {
-    const ica = await this.intermediate
+    const ica = await this.#getIntermediate()
     return await this.openSSL.leaf(ica,
     {
       days      : Number(this.config.CERT_LEAF_DAYS),

package/index.test.js

@@ -1,4 +1,5 @@
 import Locator              from '@superhero/locator'
+import config               from '@superhero/eventflow-db/config'
 import Certificates         from '@superhero/eventflow-certificates'
 import assert               from 'node:assert/strict'
 import { X509Certificate }  from 'node:crypto'
@@ -6,13 +7,14 @@ import { suite, test, before, after } from 'node:test'
 
 suite('@superhero/eventflow-certificates', async () =>
 {
-  const 
-    locator = new Locator(),
-    config  = locator.config
+  const locator = new Locator()
+
+  await locator.config.assign(config, '@superhero/eventflow-db')
 
-  await config.add('@superhero/eventflow-db')
   const db = await locator.lazyload('@superhero/eventflow-db')
 
+  await db.createTableCertificate()
+
   let conf, manager, icaUID = 'INTERMEDIATE-CERT-ID', leafUID = 'LEAF-CERT-ID'
 
   before(() =>
@@ -43,7 +45,7 @@ suite('@superhero/eventflow-certificates', async () =>
 
   test('Get root certificate', async (sub) =>
   {
-    const root = await manager.root
+    const { root } = await manager.getChain()
 
     assert.ok(root.validity > Date.now())
     assert.ok(root.cert)
@@ -55,13 +57,13 @@ suite('@superhero/eventflow-certificates', async () =>
 
     await sub.test('Get same root certificate each time lazyloading it', async () =>
     {
-      const root2 = await manager.root
+      const { root: root2 } = await manager.getChain()
       assert.deepEqual(root, root2)
     })
 
     await sub.test('Get intermediate certificate', async (sub) =>
     {
-      const ica = await manager.intermediate
+      const { intermediate: ica } = await manager.getChain()
   
       assert.ok(ica.validity > Date.now())
       assert.ok(ica.cert)
@@ -73,7 +75,7 @@ suite('@superhero/eventflow-certificates', async () =>
 
       await sub.test('Get leaf certificate', async (sub) =>
       {
-        const leaf = await manager.leaf
+        const { leaf } = await manager.getChain()
     
         assert.ok(leaf.validity > Date.now())
         assert.ok(leaf.cert)
@@ -87,10 +89,7 @@ suite('@superhero/eventflow-certificates', async () =>
         {
           manager.clearCache()
 
-          const
-            root2 = await manager.root,
-            ica2  = await manager.intermediate,
-            leaf2 = await manager.leaf
+          const{ root: root2, intermediate: ica2, leaf: leaf2 } = await manager.getChain()
 
           assert.deepEqual(root, root2)
           assert.deepEqual(ica, ica2)
@@ -102,7 +101,7 @@ suite('@superhero/eventflow-certificates', async () =>
           await assert.doesNotReject(manager.revoke(leafUID))
 
           const
-            leaf      = await manager.leaf,
+            { leaf }  = await manager.getChain(),
             leafX509  = new X509Certificate(leaf.cert)
 
           assert.ok(leafX509.checkIssued(icaX509))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@superhero/eventflow-certificates",
-  "version": "4.8.2",
+  "version": "4.8.3",
   "description": "Eventflow certificates is common tls certificates logic used in the eventflow ecosystem.",
   "keywords": [
     "eventflow"
@@ -18,15 +18,15 @@
     "test": "syntax-check; node --test --test-reporter=@superhero/audit/reporter --experimental-test-coverage"
   },
   "dependencies": {
-    "@superhero/log": "4.8.2",
-    "@superhero/openssl": "4.8.2",
-    "@superhero/deep": "4.8.2"
+    "@superhero/log": "4.8.3",
+    "@superhero/openssl": "4.8.3",
+    "@superhero/deep": "4.8.3"
   },
   "devDependencies": {
-    "@superhero/audit": "4.8.2",
+    "@superhero/audit": "4.8.3",
     "@superhero/syntax-check": "0.0.2",
-    "@superhero/eventflow-db": "4.8.2",
-    "@superhero/locator": "4.8.2"
+    "@superhero/eventflow-db": "4.8.3",
+    "@superhero/locator": "4.8.3"
   },
   "author": {
     "name": "Erik Landvall",