@webex/internal-plugin-encryption 3.0.0-beta.4 → 3.0.0-beta.400

package/src/index.js

@@ -8,126 +8,150 @@
 // by using Promise.race to resolve replays (as more requests get enqueue for a
 // specific action, accept whichever one completes first).
 
+import '@webex/internal-plugin-device';
+
+import '@webex/internal-plugin-mercury';
+
 import {registerInternalPlugin} from '@webex/webex-core';
 import {has, isObject, isString} from 'lodash';
 
 import Encryption from './encryption';
 import config from './config';
 import {DryError} from './kms-errors';
-import '@webex/internal-plugin-device';
-import '@webex/internal-plugin-mercury';
+
 import KmsDryErrorInterceptor from './kms-dry-error-interceptor';
 
 let interceptors;
 
 if (process.env.NODE_ENV === 'test') {
   interceptors = {
-    KmsDryErrorInterceptor: KmsDryErrorInterceptor.create
+    KmsDryErrorInterceptor: KmsDryErrorInterceptor.create,
   };
 }
 
 registerInternalPlugin('encryption', Encryption, {
   payloadTransformer: {
-    predicates: [{
-      name: 'encryptKmsMessage',
-      direction: 'outbound',
-      // I don't see any practical way to reduce complexity here.
-      // eslint-disable-next-line complexity
-      test(ctx, options) {
-        if (!has(options, 'body.kmsMessage')) {
-          return Promise.resolve(false);
-        }
-
-        if (!isObject(options.body.kmsMessage)) {
-          return Promise.resolve(false);
-        }
-
-        // If this is a template for a kms message, assume another transform
-        // will fill it in later. This is a bit of a leaky abstraction, but the
-        // alternative is building a complex rules engine for controlling
-        // ordering of transforms
-        if (options.body.kmsMessage.keyUris && options.body.kmsMessage.keyUris.length === 0) {
-          return Promise.resolve(false);
-        }
-        if (options.body.kmsMessage.resourceUri && (options.body.kmsMessage.resourceUri.includes('<KRO>') || options.body.kmsMessage.resourceUri.includes('<KEYURL>'))) {
-          return Promise.resolve(false);
-        }
-        if (options.body.kmsMessage.uri && (options.body.kmsMessage.uri.includes('<KRO>') || options.body.kmsMessage.uri.includes('<KEYURL>'))) {
-          return Promise.resolve(false);
-        }
-
-        return Promise.resolve(true);
+    predicates: [
+      {
+        name: 'encryptKmsMessage',
+        direction: 'outbound',
+        // I don't see any practical way to reduce complexity here.
+        // eslint-disable-next-line complexity
+        test(ctx, options) {
+          if (!has(options, 'body.kmsMessage')) {
+            return Promise.resolve(false);
+          }
+
+          if (!isObject(options.body.kmsMessage)) {
+            return Promise.resolve(false);
+          }
+
+          // If this is a template for a kms message, assume another transform
+          // will fill it in later. This is a bit of a leaky abstraction, but the
+          // alternative is building a complex rules engine for controlling
+          // ordering of transforms
+          if (options.body.kmsMessage.keyUris && options.body.kmsMessage.keyUris.length === 0) {
+            return Promise.resolve(false);
+          }
+          if (
+            options.body.kmsMessage.resourceUri &&
+            (options.body.kmsMessage.resourceUri.includes('<KRO>') ||
+              options.body.kmsMessage.resourceUri.includes('<KEYURL>'))
+          ) {
+            return Promise.resolve(false);
+          }
+          if (
+            options.body.kmsMessage.uri &&
+            (options.body.kmsMessage.uri.includes('<KRO>') ||
+              options.body.kmsMessage.uri.includes('<KEYURL>'))
+          ) {
+            return Promise.resolve(false);
+          }
+
+          return Promise.resolve(true);
+        },
+        extract(options) {
+          return Promise.resolve(options.body);
+        },
       },
-      extract(options) {
-        return Promise.resolve(options.body);
-      }
-    }, {
-      name: 'decryptKmsMessage',
-      direction: 'inbound',
-      test(ctx, response) {
-        return Promise.resolve(has(response, 'body.kmsMessage') && isString(response.body.kmsMessage));
+      {
+        name: 'decryptKmsMessage',
+        direction: 'inbound',
+        test(ctx, response) {
+          return Promise.resolve(
+            has(response, 'body.kmsMessage') && isString(response.body.kmsMessage)
+          );
+        },
+        extract(response) {
+          return Promise.resolve(response.body);
+        },
       },
-      extract(response) {
-        return Promise.resolve(response.body);
-      }
-    }, {
-      name: 'decryptErrorResponse',
-      direction: 'inbound',
-      test(ctx, reason) {
-        return Promise.resolve(Boolean(reason.body && reason.body.errorCode === 1900000));
+      {
+        name: 'decryptErrorResponse',
+        direction: 'inbound',
+        test(ctx, reason) {
+          return Promise.resolve(Boolean(reason.body && reason.body.errorCode === 1900000));
+        },
+        extract(reason) {
+          return Promise.resolve(reason);
+        },
       },
-      extract(reason) {
-        return Promise.resolve(reason);
-      }
-    }],
-    transforms: [{
-      name: 'encryptKmsMessage',
-      fn(ctx, object) {
-        if (!object) {
-          return Promise.resolve();
-        }
-
-        if (!object.kmsMessage) {
-          return Promise.resolve();
-        }
-
-        if (isString(object.kmsMessage)) {
-          return Promise.resolve();
-        }
-
-        return ctx.webex.internal.encryption.kms.prepareRequest(object.kmsMessage)
-          .then((req) => {
+    ],
+    transforms: [
+      {
+        name: 'encryptKmsMessage',
+        fn(ctx, object) {
+          if (!object) {
+            return Promise.resolve();
+          }
+
+          if (!object.kmsMessage) {
+            return Promise.resolve();
+          }
+
+          if (isString(object.kmsMessage)) {
+            return Promise.resolve();
+          }
+
+          return ctx.webex.internal.encryption.kms.prepareRequest(object.kmsMessage).then((req) => {
             object.kmsMessage = req.wrapped;
           });
-      }
-    }, {
-      name: 'decryptKmsMessage',
-      fn(ctx, object) {
-        return ctx.webex.internal.encryption.kms.decryptKmsMessage(object.kmsMessage)
-          .then((kmsMessage) => {
-            object.kmsMessage = kmsMessage;
-          });
-      }
-    }, {
-      name: 'decryptErrorResponse',
-      fn(ctx, reason) {
-        const promises = reason.body.errors.map((error) => ctx.webex.internal.encryption.kms.decryptKmsMessage(error.description)
-          .then((desc) => {
-            error.description = desc;
-          }));
-
-        promises.push(ctx.webex.internal.encryption.kms.decryptKmsMessage(reason.body.message)
-          .then((kmsMessage) => {
-            reason.body.message = kmsMessage;
-          }));
-
-        return Promise.all(promises)
-          .then(() => Promise.reject(new DryError(reason)));
-      }
-    }]
+        },
+      },
+      {
+        name: 'decryptKmsMessage',
+        fn(ctx, object) {
+          return ctx.webex.internal.encryption.kms
+            .decryptKmsMessage(object.kmsMessage)
+            .then((kmsMessage) => {
+              object.kmsMessage = kmsMessage;
+            });
+        },
+      },
+      {
+        name: 'decryptErrorResponse',
+        fn(ctx, reason) {
+          const promises = reason.body.errors.map((error) =>
+            ctx.webex.internal.encryption.kms.decryptKmsMessage(error.description).then((desc) => {
+              error.description = desc;
+            })
+          );
+
+          promises.push(
+            ctx.webex.internal.encryption.kms
+              .decryptKmsMessage(reason.body.message)
+              .then((kmsMessage) => {
+                reason.body.message = kmsMessage;
+              })
+          );
+
+          return Promise.all(promises).then(() => Promise.reject(new DryError(reason)));
+        },
+      },
+    ],
   },
   interceptors,
-  config
+  config,
 });
 
 export {default} from './encryption';

package/src/kms-batcher.js

@@ -5,7 +5,7 @@
 import {safeSetTimeout} from '@webex/common-timers';
 import {Batcher} from '@webex/webex-core';
 
-import {KmsError, KmsTimeoutError} from './kms-errors';
+import {KmsError, KmsTimeoutError, handleKmsKeyRevokedEncryptionFailure} from './kms-errors';
 
 export const TIMEOUT_SYMBOL = Symbol('TIMEOUT_SYMBOL');
 
@@ -23,14 +23,19 @@ const KmsBatcher = Batcher.extend({
   processKmsMessageEvent(event) {
     this.logger.info('kms-batcher: received kms message');
 
-    return Promise.all(event.encryption.kmsMessages.map((kmsMessage) => new Promise((resolve) => {
-      /* istanbul ignore else */
-      if (process.env.NODE_ENV !== 'production') {
-        this.logger.info('kms-batcher:', kmsMessage.body);
-      }
-
-      resolve(this.acceptItem(kmsMessage));
-    })));
+    return Promise.all(
+      event.encryption.kmsMessages.map(
+        (kmsMessage) =>
+          new Promise((resolve) => {
+            /* istanbul ignore else */
+            if (process.env.NODE_ENV !== 'production') {
+              this.logger.info('kms-batcher:', kmsMessage.body);
+            }
+
+            resolve(this.acceptItem(kmsMessage));
+          })
+      )
+    );
   },
 
   /**
@@ -39,30 +44,34 @@ const KmsBatcher = Batcher.extend({
    * @returns {Promise<Object>}
    */
   prepareItem(item) {
-    return this.getDeferredForRequest(item)
-      .then((defer) => {
-        const timeout = item[TIMEOUT_SYMBOL];
-
-        /* istanbul ignore if */
-        if (!timeout) {
-          throw new Error('timeout is required');
-        }
-
-        const timer = safeSetTimeout(() => {
-          this.logger.warn(`kms: request timed out; request id: ${item.requestId}; timeout: ${timeout}`);
-          this.handleItemFailure(item, new KmsTimeoutError({
+    return this.getDeferredForRequest(item).then((defer) => {
+      const timeout = item[TIMEOUT_SYMBOL];
+
+      /* istanbul ignore if */
+      if (!timeout) {
+        throw new Error('timeout is required');
+      }
+
+      const timer = safeSetTimeout(() => {
+        this.logger.warn(
+          `kms: request timed out; request id: ${item.requestId}; timeout: ${timeout}`
+        );
+        this.handleItemFailure(
+          item,
+          new KmsTimeoutError({
             timeout,
-            request: item
-          }));
-        }, timeout);
+            request: item,
+          })
+        );
+      }, timeout);
 
-        // Reminder: reassign `promise` is not a viable means of inserting into
-        // the Promise chain
-        defer.promise.then(() => clearTimeout(timer));
-        defer.promise.catch(() => clearTimeout(timer));
+      // Reminder: reassign `promise` is not a viable means of inserting into
+      // the Promise chain
+      defer.promise.then(() => clearTimeout(timer));
+      defer.promise.catch(() => clearTimeout(timer));
 
-        return item;
-      });
+      return item;
+    });
   },
 
   /**
@@ -71,11 +80,10 @@ const KmsBatcher = Batcher.extend({
    * @returns {Promise<Array>}
    */
   prepareRequest(queue) {
-    return this.webex.internal.encryption.kms._getKMSCluster()
-      .then((cluster) => ({
-        destination: cluster,
-        kmsMessages: queue.map((req) => req.wrapped)
-      }));
+    return this.webex.internal.encryption.kms._getKMSCluster().then((cluster) => ({
+      destination: cluster,
+      kmsMessages: queue.map((req) => req.wrapped),
+    }));
   },
 
   /**
@@ -89,7 +97,7 @@ const KmsBatcher = Batcher.extend({
       method: 'POST',
       service: 'encryption',
       resource: '/kms/messages',
-      body: payload
+      body: payload,
     });
   },
 
@@ -114,10 +122,9 @@ const KmsBatcher = Batcher.extend({
    * @returns {Promise}
    */
   handleItemSuccess(item) {
-    return this.getDeferredForResponse(item)
-      .then((defer) => {
-        defer.resolve(item.body);
-      });
+    return this.getDeferredForResponse(item).then((defer) => {
+      defer.resolve(item.body);
+    });
   },
 
   /**
@@ -126,10 +133,11 @@ const KmsBatcher = Batcher.extend({
    * @returns {Promise}
    */
   handleItemFailure(item, reason) {
-    return this.getDeferredForResponse(item)
-      .then((defer) => {
-        defer.reject(reason || new KmsError(item.body));
-      });
+    handleKmsKeyRevokedEncryptionFailure(item, this.webex);
+
+    return this.getDeferredForResponse(item).then((defer) => {
+      defer.reject(reason || new KmsError(item.body));
+    });
   },
 
   /**
@@ -146,7 +154,7 @@ const KmsBatcher = Batcher.extend({
    */
   fingerprintResponse(item) {
     return Promise.resolve(item.requestId);
-  }
+  },
 });
 
 export default KmsBatcher;

package/src/kms-certificate-validation.js

@@ -7,7 +7,7 @@ import {
   RSAPublicKey,
   CertificateChainValidationEngine,
   CryptoEngine,
-  setEngine
+  setEngine,
 } from 'pkijs';
 import {isArray} from 'lodash';
 import jose from 'node-jose';
@@ -20,7 +20,7 @@ setEngine(
   new CryptoEngine({
     name: '',
     crypto,
-    subtle: crypto.subtle
+    subtle: crypto.subtle,
   })
 );
 
@@ -29,7 +29,7 @@ const VALID_KID_PROTOCOL = 'kms:';
 
 const X509_COMMON_NAME_KEY = '2.5.4.3';
 
-const X509_SUBJECT_ALT_NAME_KEY = '2.5.29.17';
+export const X509_SUBJECT_ALT_NAME_KEY = '2.5.29.17';
 
 /**
  * Customize Error so the SDK knows to quit retrying and notify
@@ -83,7 +83,7 @@ const validateKtyHeader = ({kty}) => {
 
 const validateKidHeader = ({kid}) => {
   if (!isUri(kid)) {
-    throwError('\'kid\' is not a valid URI');
+    throwError("'kid' is not a valid URI");
   }
 
   if (parseUrl(kid).protocol !== VALID_KID_PROTOCOL) {
@@ -101,7 +101,7 @@ const validateKidHeader = ({kid}) => {
  * @throws {KMSError} if unable to validate certificate against KMS credentials
  * @returns {void}
  */
-const validateCommonName = ([certificate], {kid}) => {
+export const validateCommonName = ([certificate], {kid}) => {
   const kidHostname = parseUrl(kid).hostname;
   let validationSuccessful = false;
 
@@ -112,7 +112,7 @@ const validateCommonName = ([certificate], {kid}) => {
         const {altNames} = extension.parsedValue;
 
         for (const entry of altNames) {
-          const san = entry.value;
+          const san = entry.value.toLowerCase();
 
           validationSuccessful = san === kidHostname;
           if (validationSuccessful) {
@@ -144,7 +144,7 @@ const validateCommonName = ([certificate], {kid}) => {
   }
 
   if (!validationSuccessful) {
-    throwError('hostname of the 1st certificate does not match \'kid\'');
+    throwError("hostname of the 1st certificate does not match 'kid'");
   }
 };
 
@@ -158,23 +158,22 @@ const validateCommonName = ([certificate], {kid}) => {
  * @throws {KMSError} if e or n doesn't match the first certificate
  * @returns {void}
  */
-const validatePublicCertificate =
-  ([certificate], {e: publicExponent, n: modulus}) => {
-    const {encode} = jose.util.base64url;
-
-    const publicKey = certificate.subjectPublicKeyInfo.subjectPublicKey;
-    const asn1PublicCert = fromBER(publicKey.valueBlock.valueHex);
-    const publicCert = new RSAPublicKey({schema: asn1PublicCert.result});
-    const publicExponentHex = publicCert.publicExponent.valueBlock.valueHex;
-    const modulusHex = publicCert.modulus.valueBlock.valueHex;
-
-    if (publicExponent !== encode(publicExponentHex)) {
-      throwError('Public exponent is invalid');
-    }
-    if (modulus !== encode(modulusHex)) {
-      throwError('Modulus is invalid');
-    }
-  };
+const validatePublicCertificate = ([certificate], {e: publicExponent, n: modulus}) => {
+  const {encode} = jose.util.base64url;
+
+  const publicKey = certificate.subjectPublicKeyInfo.subjectPublicKey;
+  const asn1PublicCert = fromBER(publicKey.valueBlock.valueHex);
+  const publicCert = new RSAPublicKey({schema: asn1PublicCert.result});
+  const publicExponentHex = publicCert.publicExponent.valueBlock.valueHex;
+  const modulusHex = publicCert.modulus.valueBlock.valueHex;
+
+  if (publicExponent !== encode(publicExponentHex)) {
+    throwError('Public exponent is invalid');
+  }
+  if (modulus !== encode(modulusHex)) {
+    throwError('Modulus is invalid');
+  }
+};
 
 /**
  * Validates the list of certificates against the CAs provided
@@ -187,17 +186,14 @@ const validatePublicCertificate =
 const validateCertificatesSignature = (certificates, caroots = []) => {
   const certificateEngine = new CertificateChainValidationEngine({
     trustedCerts: caroots.map(decodeCert),
-    certs: certificates
+    certs: certificates,
   });
 
-  return certificateEngine.verify()
-    .then(({result, resultCode, resultMessage}) => {
-      if (!result) {
-        throwError(
-          `Certificate Validation failed [${resultCode}]: ${resultMessage}`
-        );
-      }
-    });
+  return certificateEngine.verify().then(({result, resultCode, resultMessage}) => {
+    if (!result) {
+      throwError(`Certificate Validation failed [${resultCode}]: ${resultMessage}`);
+    }
+  });
 };
 
 /**
@@ -210,25 +206,27 @@ const validateCertificatesSignature = (certificates, caroots = []) => {
  *   validate the KMS
  * @returns {Promise} when resolved will return the jwt
  */
-const validateKMS = (caroots) => (jwt = {}) => Promise.resolve()
-  .then(() => {
-    validateKtyHeader(jwt);
-    validateKidHeader(jwt);
-
-    if (!(isArray(jwt.x5c) && jwt.x5c.length > 0)) {
-      throwError('JWK does not contain a list of certificates');
-    }
-    const certificates = jwt.x5c.map(decodeCert);
+const validateKMS =
+  (caroots) =>
+  (jwt = {}) =>
+    Promise.resolve().then(() => {
+      validateKtyHeader(jwt);
+      validateKidHeader(jwt);
+
+      if (!(isArray(jwt.x5c) && jwt.x5c.length > 0)) {
+        throwError('JWK does not contain a list of certificates');
+      }
+      const certificates = jwt.x5c.map(decodeCert);
 
-    validateCommonName(certificates, jwt);
-    validatePublicCertificate(certificates, jwt);
+      validateCommonName(certificates, jwt);
+      validatePublicCertificate(certificates, jwt);
 
-    // Skip validating signatures if no CA roots were provided
-    const promise = caroots ?
-      validateCertificatesSignature(certificates, caroots) : Promise.resolve();
+      // Skip validating signatures if no CA roots were provided
+      const promise = caroots
+        ? validateCertificatesSignature(certificates, caroots)
+        : Promise.resolve();
 
-    return promise
-      .then(() => jwt);
-  });
+      return promise.then(() => jwt);
+    });
 
 export default validateKMS;

package/src/kms-dry-error-interceptor.js

@@ -24,7 +24,10 @@ export default class KmsDryErrorInterceptor extends Interceptor {
    * @returns {Promise}
    */
   onResponseError(options, reason) {
-    if (reason instanceof DryError && reason.message.match(/Failed to resolve authorization token in KmsMessage request for user/)) {
+    if (
+      reason instanceof DryError &&
+      reason.message.match(/Failed to resolve authorization token in KmsMessage request for user/)
+    ) {
       this.webex.logger.error('DRY Request Failed due to kms/test-user flakiness');
       this.webex.logger.error(reason);
 
@@ -43,13 +46,14 @@ export default class KmsDryErrorInterceptor extends Interceptor {
   replay(options, reason) {
     if (options.replayCount) {
       options.replayCount += 1;
-    }
-    else {
+    } else {
       options.replayCount = 1;
     }
 
     if (options.replayCount > this.webex.config.maxAuthenticationReplays) {
-      this.webex.logger.error(`kms: failed after ${this.webex.config.maxAuthenticationReplays} replay attempts`);
+      this.webex.logger.error(
+        `kms: failed after ${this.webex.config.maxAuthenticationReplays} replay attempts`
+      );
 
       return Promise.reject(reason);
     }