npm - @webex/internal-plugin-encryption - Versions diffs - 3.8.1-web-workers-keepalive.1 → 3.9.0-multi-llms.1 - Mend

@webex/internal-plugin-encryption 3.8.1-web-workers-keepalive.1 → 3.9.0-multi-llms.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/constants.js +2 -1
package/dist/constants.js.map +1 -1
package/dist/encryption.js +17 -1
package/dist/encryption.js.map +1 -1
package/dist/kms.js +21 -3
package/dist/kms.js.map +1 -1
package/package.json +14 -14
package/src/constants.js +1 -0
package/src/encryption.js +17 -0
package/src/kms.js +27 -1
package/test/integration/spec/encryption.js +102 -0
package/test/unit/spec/encryption.js +72 -0
package/test/unit/spec/kms.js +144 -3

package/dist/constants.js CHANGED Viewed

@@ -4,8 +4,9 @@ var _Object$defineProperty = require("@babel/runtime-corejs2/core-js/object/defi
 _Object$defineProperty(exports, "__esModule", {
   value: true
 });
-exports.KMS_KEY_REVOKE_FAILURE = exports.KMS_KEY_REVOKE_ERROR_STATUS = exports.KMS_KEY_REVOKE_ERROR_CODES = void 0;
+exports.KMS_KEY_REVOKE_FAILURE = exports.KMS_KEY_REVOKE_ERROR_STATUS = exports.KMS_KEY_REVOKE_ERROR_CODES = exports.KMS_KEY_REDIRECT_ERROR_CODE = void 0;
 var KMS_KEY_REVOKE_FAILURE = exports.KMS_KEY_REVOKE_FAILURE = 'event:kms:key:revoke:encryption:failure';
 var KMS_KEY_REVOKE_ERROR_STATUS = exports.KMS_KEY_REVOKE_ERROR_STATUS = 405;
 var KMS_KEY_REVOKE_ERROR_CODES = exports.KMS_KEY_REVOKE_ERROR_CODES = [405005, 405006];
+var KMS_KEY_REDIRECT_ERROR_CODE = exports.KMS_KEY_REDIRECT_ERROR_CODE = 301002;
 //# sourceMappingURL=constants.js.map

package/dist/constants.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["KMS_KEY_REVOKE_FAILURE","exports","KMS_KEY_REVOKE_ERROR_STATUS","KMS_KEY_REVOKE_ERROR_CODES"],"sources":["constants.js"],"sourcesContent":["export const KMS_KEY_REVOKE_FAILURE = 'event:kms:key:revoke:encryption:failure';\nexport const KMS_KEY_REVOKE_ERROR_STATUS = 405;\nexport const KMS_KEY_REVOKE_ERROR_CODES = [405005, 405006];\n"],"mappings":";;;;;;;AAAO,IAAMA,sBAAsB,GAAAC,OAAA,CAAAD,sBAAA,GAAG,yCAAyC;AACxE,IAAME,2BAA2B,GAAAD,OAAA,CAAAC,2BAAA,GAAG,GAAG;AACvC,IAAMC,0BAA0B,GAAAF,OAAA,CAAAE,0BAAA,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC"}
1	+ {"version":3,"names":["KMS_KEY_REVOKE_FAILURE","exports","KMS_KEY_REVOKE_ERROR_STATUS","KMS_KEY_REVOKE_ERROR_CODES","KMS_KEY_REDIRECT_ERROR_CODE"],"sources":["constants.js"],"sourcesContent":["export const KMS_KEY_REVOKE_FAILURE = 'event:kms:key:revoke:encryption:failure';\nexport const KMS_KEY_REVOKE_ERROR_STATUS = 405;\nexport const KMS_KEY_REVOKE_ERROR_CODES = [405005, 405006];\nexport const KMS_KEY_REDIRECT_ERROR_CODE = 301002;\n"],"mappings":";;;;;;;AAAO,IAAMA,sBAAsB,GAAAC,OAAA,CAAAD,sBAAA,GAAG,yCAAyC;AACxE,IAAME,2BAA2B,GAAAD,OAAA,CAAAC,2BAAA,GAAG,GAAG;AACvC,IAAMC,0BAA0B,GAAAF,OAAA,CAAAE,0BAAA,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;AACnD,IAAMC,2BAA2B,GAAAH,OAAA,CAAAG,2BAAA,GAAG,MAAM"}

package/dist/encryption.js CHANGED Viewed

@@ -74,6 +74,22 @@ var Encryption = _webexCore.WebexPlugin.extend({
       });
     });
   },
+  /**
+   * Decrypt binary data using the supplied key uri.
+   *
+   * @param {string} kmsKeyUri - The uri of a key stored in KMS
+   * @param {string} JWE - Encrypted binary data as JWE
+   * @param {Object} options
+   * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role
+   * @returns {Buffer} Decrypted binary data as Buffer
+   */
+  decryptBinaryData: function decryptBinaryData(kmsKeyUri, JWE, options) {
+    return this.getKey(kmsKeyUri, options).then(function (k) {
+      return _nodeJose.default.JWE.createDecrypt(k.jwk).decrypt(JWE).then(function (result) {
+        return result.payload;
+      });
+    });
+  },
   /**
    * Validate and initiate a Download request for requested file
    * @param {Object} fileUrl - Plaintext
@@ -239,7 +255,7 @@ var Encryption = _webexCore.WebexPlugin.extend({
       }));
     });
   },
-  version: "3.8.1-web-workers-keepalive.1"
+  version: "3.9.0-multi-llms.1"
 });
 /**

package/dist/encryption.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["_events","require","_url","_interopRequireDefault","_webexCore","_common","_nodeJose","_nodeScr","_ensureBuffer","_kms","ownKeys","e","r","t","_Object$keys2","_Object$getOwnPropertySymbols","o","filter","_Object$getOwnPropertyDescriptor","enumerable","push","apply","_objectSpread","arguments","length","Object","forEach","_defineProperty2","default","_Object$getOwnPropertyDescriptors","_Object$defineProperties","_Object$defineProperty","Encryption","WebexPlugin","extend","children","kms","KMS","namespace","processKmsMessageEvent","event","decryptBinary","scr","buffer","ensureBuffer","then","b","byteLength","_promise","reject","Error","decrypt","decryptScr","key","cipherScr","options","getKey","k","SCR","fromJWE","jwk","decryptText","ciphertext","jose","JWE","createDecrypt","result","plaintext","toString","download","fileUrl","_this","shunt","EventEmitter","promise","_fetchDownloadUrl","useFileService","uri","method","responseType","ret","request","transferEvents","res","body","proxyEvents","_this2","logger","info","process","env","NODE_ENV","includes","resolve","startsWith","error","inputBody","endpoints","endpointUrl","url","parse","protocol","pathname","format","params","_keys","indexOf","allow","warn","catch","err","concat","encryptBinary","file","create","encrypt","cdata","encryptScr","loc","toJWE","encryptText","_this3","createEncrypt","config","joseOptions","header","alg","reference","final","_this4","_ref","undefined","onBehalfOf","asKey","storageKey","unboundedStorage","get","keyString","JSON","keyObject","fetchKey","tap","put","_stringify","replacer","version","v","json","toJSON","_default","exports"],"sources":["encryption.js"],"sourcesContent":["/!\n Copyright (c) 2015-2020 Cisco Systems, Inc. See LICENSE file.\n /\n\nimport {EventEmitter} from 'events';\nimport url from 'url';\n\nimport {WebexPlugin} from '@webex/webex-core';\nimport {proxyEvents, tap, transferEvents} from '@webex/common';\nimport jose from 'node-jose';\nimport SCR from 'node-scr';\n\nimport ensureBuffer from './ensure-buffer';\nimport KMS from './kms';\n\nconst Encryption = WebexPlugin.extend({\n children: {\n kms: KMS,\n },\n\n namespace: 'Encryption',\n\n processKmsMessageEvent(event) {\n return this.kms.processKmsMessageEvent(event);\n },\n\n decryptBinary(scr, buffer) {\n return ensureBuffer(buffer).then((b) => {\n / istanbul ignore if /\n if (buffer.length === 0 \|\| buffer.byteLength === 0) {\n return Promise.reject(new Error('Attempted to decrypt zero-length buffer'));\n }\n\n return scr.decrypt(b);\n });\n },\n\n /\n Decrypt a SCR (Secure Content Resource) using the supplied key uri.\n \n @param {string} key - The uri of a key stored in KMS\n * @param {Object} cipherScr - An encrypted SCR\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {Object} Decrypted SCR\n /\n decryptScr(key, cipherScr, options) {\n return this.getKey(key, options).then((k) => SCR.fromJWE(k.jwk, cipherScr));\n },\n\n /\n Decrypt text using the supplied key uri.\n \n @param {string} key - The uri of a key stored in KMS\n * @param {string} ciphertext - Encrypted text\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {string} Decrypted plaintext\n /\n decryptText(key, ciphertext, options) {\n return this.getKey(key, options).then((k) =>\n jose.JWE.createDecrypt(k.jwk)\n .decrypt(ciphertext)\n .then((result) => result.plaintext.toString())\n );\n },\n\n /\n Validate and initiate a Download request for requested file\n * @param {Object} fileUrl - Plaintext\n * @param {Object} scr - Plaintext\n * @param {Object} options - optional parameters to download a file\n * @returns {promise}\n /\n download(fileUrl, scr, options) {\n / istanbul ignore if /\n if (!fileUrl \|\| !scr) {\n return Promise.reject(new Error('`scr` and `fileUrl` are required'));\n }\n\n const shunt = new EventEmitter();\n const promise = this._fetchDownloadUrl(fileUrl, {useFileService: true, ...options})\n .then((uri) => {\n // eslint-disable-next-line no-shadow\n const options = {\n method: 'GET',\n uri,\n responseType: 'buffer',\n };\n\n const ret = this.request(options);\n\n transferEvents('progress', options.download, shunt);\n\n return ret;\n })\n .then((res) => this.decryptBinary(scr, res.body));\n\n proxyEvents(shunt, promise);\n\n return promise;\n },\n\n /\n Fetch Download URL for the requested file\n * @param {Object} fileUrl - Plaintext\n * @param {Object} options - optional parameters to download a file\n * @returns {promise} url of the downloadable file\n /\n _fetchDownloadUrl(fileUrl, options) {\n this.logger.info('encryption: retrieving download url for encrypted file');\n\n if (process.env.NODE_ENV !== 'production' && fileUrl.includes('localhost')) {\n this.logger.info(\n 'encryption: bypassing webex files because this looks to be a test file on localhost'\n );\n\n return Promise.resolve(fileUrl);\n }\n\n if (options?.useFileService === false) {\n if (!fileUrl.startsWith('https://')) {\n this.logger.error('encryption: direct file URLs must use HTTPS');\n\n return Promise.reject(new Error('Direct file URLs must use HTTPS'));\n }\n\n return Promise.resolve(fileUrl);\n }\n\n const inputBody = {\n endpoints: [fileUrl],\n };\n const endpointUrl = url.parse(fileUrl);\n\n // hardcode the url to use 'https' and the file service '/v1/download/endpoints' api\n endpointUrl.protocol = 'https';\n endpointUrl.pathname = '/v1/download/endpoints';\n\n return this.request({\n method: 'POST',\n uri: url.format(endpointUrl),\n body:\n options?.params && Object.keys(options.params).indexOf('allow') > -1\n ? {\n ...inputBody,\n allow: options.params.allow,\n }\n : inputBody,\n })\n .then((res) => {\n // eslint-disable-next-line no-shadow\n const url = res.body.endpoints[fileUrl];\n\n if (!url) {\n this.logger.warn(\n 'encryption: could not determine download url for `fileUrl`; attempting to download `fileUrl` directly'\n );\n\n return fileUrl;\n }\n this.logger.info('encryption: retrieved download url for encrypted file');\n\n return url;\n })\n .catch((err) => {\n this.logger.warn(\n `encryption: ${err} could not determine download url for ${fileUrl}; attempting to download ${fileUrl} directly`\n );\n\n return fileUrl;\n });\n },\n\n encryptBinary(file) {\n return ensureBuffer(file).then((buffer) =>\n SCR.create().then((scr) =>\n scr\n .encrypt(buffer)\n .then(ensureBuffer)\n // eslint-disable-next-line max-nested-callbacks\n .then((cdata) => ({scr, cdata}))\n )\n );\n },\n\n /\n Encrypt a SCR (Secure Content Resource) using the supplied key uri.\n \n @param {string} key - The uri of a key stored in KMS\n * @param {Object} scr - SCRObject\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {string} Encrypted SCR\n /\n encryptScr(key, scr, options) {\n / istanbul ignore if /\n if (!scr.loc) {\n return Promise.reject(new Error('Cannot encrypt `scr` without first setting `loc`'));\n }\n\n return this.getKey(key, options).then((k) => scr.toJWE(k.jwk));\n },\n\n /\n Encrypt plaintext using the supplied key uri.\n \n @param {string} key - The uri of a key stored in KMS\n * @param {string} plaintext\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {string} Encrypted text\n /\n encryptText(key, plaintext, options) {\n return this.getKey(key, options).then((k) =>\n jose.JWE.createEncrypt(this.config.joseOptions, {\n key: k.jwk,\n header: {\n alg: 'dir',\n },\n reference: null,\n }).final(plaintext, 'utf8')\n );\n },\n\n /\n Fetch the key associated with the supplied KMS uri.\n \n @param {string} uri - The uri of a key stored in KMS\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {string} Key\n /\n getKey(uri, {onBehalfOf} = {}) {\n if (uri.jwk) {\n return this.kms.asKey(uri);\n }\n\n let storageKey = uri;\n\n if (onBehalfOf) {\n storageKey += `/onBehalfOf/${onBehalfOf}`;\n }\n\n return this.unboundedStorage\n .get(storageKey)\n .then((keyString) => JSON.parse(keyString))\n .then((keyObject) => this.kms.asKey(keyObject))\n .catch(() =>\n this.kms\n .fetchKey({uri, onBehalfOf})\n .then(tap((key) => this.unboundedStorage.put(storageKey, JSON.stringify(key, replacer))))\n );\n },\n});\n\n/\n JSON.stringify replacer that ensures private key data is serialized.\n * @param {string} k\n * @param {mixed} v\n * @returns {mixed}\n */\nfunction replacer(k, v) {\n if (k === 'jwk') {\n // note: this[k] and v may be different representations of the same value\n // eslint-disable-next-line no-invalid-this\n const json = this[k].toJSON(true);\n\n return json;\n }\n\n return v;\n}\n\nexport default Encryption;\n"],"mappings":";;;;;;;;;;;;;;;;;AAIA,IAAAA,OAAA,GAAAC,OAAA;AACA,IAAAC,IAAA,GAAAC,sBAAA,CAAAF,OAAA;AAEA,IAAAG,UAAA,GAAAH,OAAA;AACA,IAAAI,OAAA,GAAAJ,OAAA;AACA,IAAAK,SAAA,GAAAH,sBAAA,CAAAF,OAAA;AACA,IAAAM,QAAA,GAAAJ,sBAAA,CAAAF,OAAA;AAEA,IAAAO,aAAA,GAAAL,sBAAA,CAAAF,OAAA;AACA,IAAAQ,IAAA,GAAAN,sBAAA,CAAAF,OAAA;AAAwB,SAAAS,QAAAC,CAAA,EAAAC,CAAA,QAAAC,CAAA,GAAAC,aAAA,CAAAH,CAAA,OAAAI,6BAAA,QAAAC,CAAA,GAAAD,6BAAA,CAAAJ,CAAA,GAAAC,CAAA,KAAAI,CAAA,GAAAA,CAAA,CAAAC,MAAA,WAAAL,CAAA,WAAAM,gCAAA,CAAAP,CAAA,EAAAC,CAAA,EAAAO,UAAA,OAAAN,CAAA,CAAAO,IAAA,CAAAC,KAAA,CAAAR,CAAA,EAAAG,CAAA,YAAAH,CAAA;AAAA,SAAAS,cAAAX,CAAA,aAAAC,CAAA,MAAAA,CAAA,GAAAW,SAAA,CAAAC,MAAA,EAAAZ,CAAA,UAAAC,CAAA,WAAAU,SAAA,CAAAX,CAAA,IAAAW,SAAA,CAAAX,CAAA,QAAAA,CAAA,OAAAF,OAAA,CAAAe,MAAA,CAAAZ,CAAA,OAAAa,OAAA,WAAAd,CAAA,QAAAe,gBAAA,CAAAC,OAAA,EAAAjB,CAAA,EAAAC,CAAA,EAAAC,CAAA,CAAAD,CAAA,SAAAiB,iCAAA,GAAAC,wBAAA,CAAAnB,CAAA,EAAAkB,iCAAA,CAAAhB,CAAA,KAAAH,OAAA,CAAAe,MAAA,CAAAZ,CAAA,GAAAa,OAAA,WAAAd,CAAA,IAAAmB,sBAAA,CAAApB,CAAA,EAAAC,CAAA,EAAAM,gCAAA,CAAAL,CAAA,EAAAD,CAAA,iBAAAD,CAAA,IAbxB;AACA;AACA;AAaA,IAAMqB,UAAU,GAAGC,sBAAW,CAACC,MAAM,CAAC;EACpCC,QAAQ,EAAE;IACRC,GAAG,EAAEC;EACP,CAAC;EAEDC,SAAS,EAAE,YAAY;EAEvBC,sBAAsB,WAAAA,uBAACC,KAAK,EAAE;IAC5B,OAAO,IAAI,CAACJ,GAAG,CAACG,sBAAsB,CAACC,KAAK,CAAC;EAC/C,CAAC;EAEDC,aAAa,WAAAA,cAACC,GAAG,EAAEC,MAAM,EAAE;IACzB,OAAO,IAAAC,qBAAY,EAACD,MAAM,CAAC,CAACE,IAAI,CAAC,UAACC,CAAC,EAAK;MACtC;MACA,IAAIH,MAAM,CAACnB,MAAM,KAAK,CAAC,IAAImB,MAAM,CAACI,UAAU,KAAK,CAAC,EAAE;QAClD,OAAOC,QAAA,CAAApB,OAAA,CAAQqB,MAAM,CAAC,IAAIC,KAAK,CAAC,yCAAyC,CAAC,CAAC;MAC7E;MAEA,OAAOR,GAAG,CAACS,OAAO,CAACL,CAAC,CAAC;IACvB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEM,UAAU,WAAAA,WAACC,GAAG,EAAEC,SAAS,EAAEC,OAAO,EAAE;IAClC,OAAO,IAAI,CAACC,MAAM,CAACH,GAAG,EAAEE,OAAO,CAAC,CAACV,IAAI,CAAC,UAACY,CAAC;MAAA,OAAKC,gBAAG,CAACC,OAAO,CAACF,CAAC,CAACG,GAAG,EAAEN,SAAS,CAAC;IAAA,EAAC;EAC7E,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEO,WAAW,WAAAA,YAACR,GAAG,EAAES,UAAU,EAAEP,OAAO,EAAE;IACpC,OAAO,IAAI,CAACC,MAAM,CAACH,GAAG,EAAEE,OAAO,CAAC,CAACV,IAAI,CAAC,UAACY,CAAC;MAAA,OACtCM,iBAAI,CAACC,GAAG,CAACC,aAAa,CAACR,CAAC,CAACG,GAAG,CAAC,CAC1BT,OAAO,CAACW,UAAU,CAAC,CACnBjB,IAAI,CAAC,UAACqB,MAAM;QAAA,OAAKA,MAAM,CAACC,SAAS,CAACC,QAAQ,CAAC,CAAC;MAAA,EAAC;IAAA,CAClD,CAAC;EACH,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,QAAQ,WAAAA,SAACC,OAAO,EAAE5B,GAAG,EAAEa,OAAO,EAAE;IAAA,IAAAgB,KAAA;IAC9B;IACA,IAAI,CAACD,OAAO,IAAI,CAAC5B,GAAG,EAAE;MACpB,OAAOM,QAAA,CAAApB,OAAA,CAAQqB,MAAM,CAAC,IAAIC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtE;IAEA,IAAMsB,KAAK,GAAG,IAAIC,oBAAY,CAAC,CAAC;IAChC,IAAMC,OAAO,GAAG,IAAI,CAACC,iBAAiB,CAACL,OAAO,EAAAhD,aAAA;MAAGsD,cAAc,EAAE;IAAI,GAAKrB,OAAO,CAAC,CAAC,CAChFV,IAAI,CAAC,UAACgC,GAAG,EAAK;MACb;MACA,IAAMtB,OAAO,GAAG;QACduB,MAAM,EAAE,KAAK;QACbD,GAAG,EAAHA,GAAG;QACHE,YAAY,EAAE;MAChB,CAAC;MAED,IAAMC,GAAG,GAAGT,KAAI,CAACU,OAAO,CAAC1B,OAAO,CAAC;MAEjC,IAAA2B,sBAAc,EAAC,UAAU,EAAE3B,OAAO,CAACc,QAAQ,EAAEG,KAAK,CAAC;MAEnD,OAAOQ,GAAG;IACZ,CAAC,CAAC,CACDnC,IAAI,CAAC,UAACsC,GAAG;MAAA,OAAKZ,KAAI,CAAC9B,aAAa,CAACC,GAAG,EAAEyC,GAAG,CAACC,IAAI,CAAC;IAAA,EAAC;IAEnD,IAAAC,mBAAW,EAACb,KAAK,EAAEE,OAAO,CAAC;IAE3B,OAAOA,OAAO;EAChB,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACEC,iBAAiB,WAAAA,kBAACL,OAAO,EAAEf,OAAO,EAAE;IAAA,IAAA+B,MAAA;IAClC,IAAI,CAACC,MAAM,CAACC,IAAI,CAAC,wDAAwD,CAAC;IAE1E,IAAIC,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,IAAIrB,OAAO,CAACsB,QAAQ,CAAC,WAAW,CAAC,EAAE;MAC1E,IAAI,CAACL,MAAM,CAACC,IAAI,CACd,qFACF,CAAC;MAED,OAAOxC,QAAA,CAAApB,OAAA,CAAQiE,OAAO,CAACvB,OAAO,CAAC;IACjC;IAEA,IAAI,CAAAf,OAAO,aAAPA,OAAO,uBAAPA,OAAO,CAAEqB,cAAc,MAAK,KAAK,EAAE;MACrC,IAAI,CAACN,OAAO,CAACwB,UAAU,CAAC,UAAU,CAAC,EAAE;QACnC,IAAI,CAACP,MAAM,CAACQ,KAAK,CAAC,6CAA6C,CAAC;QAEhE,OAAO/C,QAAA,CAAApB,OAAA,CAAQqB,MAAM,CAAC,IAAIC,KAAK,CAAC,iCAAiC,CAAC,CAAC;MACrE;MAEA,OAAOF,QAAA,CAAApB,OAAA,CAAQiE,OAAO,CAACvB,OAAO,CAAC;IACjC;IAEA,IAAM0B,SAAS,GAAG;MAChBC,SAAS,EAAE,CAAC3B,OAAO;IACrB,CAAC;IACD,IAAM4B,WAAW,GAAGC,YAAG,CAACC,KAAK,CAAC9B,OAAO,CAAC;;IAEtC;IACA4B,WAAW,CAACG,QAAQ,GAAG,OAAO;IAC9BH,WAAW,CAACI,QAAQ,GAAG,wBAAwB;IAE/C,OAAO,IAAI,CAACrB,OAAO,CAAC;MAClBH,MAAM,EAAE,MAAM;MACdD,GAAG,EAAEsB,YAAG,CAACI,MAAM,CAACL,WAAW,CAAC;MAC5Bd,IAAI,EACF7B,OAAO,aAAPA,OAAO,eAAPA,OAAO,CAAEiD,MAAM,IAAI,IAAAC,KAAA,CAAA7E,OAAA,EAAY2B,OAAO,CAACiD,MAAM,CAAC,CAACE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAApF,aAAA,CAAAA,aAAA,KAE3D0E,SAAS;QACZW,KAAK,EAAEpD,OAAO,CAACiD,MAAM,CAACG;MAAK,KAE7BX;IACR,CAAC,CAAC,CACCnD,IAAI,CAAC,UAACsC,GAAG,EAAK;MACb;MACA,IAAMgB,GAAG,GAAGhB,GAAG,CAACC,IAAI,CAACa,SAAS,CAAC3B,OAAO,CAAC;MAEvC,IAAI,CAAC6B,GAAG,EAAE;QACRb,MAAI,CAACC,MAAM,CAACqB,IAAI,CACd,uGACF,CAAC;QAED,OAAOtC,OAAO;MAChB;MACAgB,MAAI,CAACC,MAAM,CAACC,IAAI,CAAC,uDAAuD,CAAC;MAEzE,OAAOW,GAAG;IACZ,CAAC,CAAC,CACDU,KAAK,CAAC,UAACC,GAAG,EAAK;MACdxB,MAAI,CAACC,MAAM,CAACqB,IAAI,gBAAAG,MAAA,CACCD,GAAG,4CAAAC,MAAA,CAAyCzC,OAAO,+BAAAyC,MAAA,CAA4BzC,OAAO,cACvG,CAAC;MAED,OAAOA,OAAO;IAChB,CAAC,CAAC;EACN,CAAC;EAED0C,aAAa,WAAAA,cAACC,IAAI,EAAE;IAClB,OAAO,IAAArE,qBAAY,EAACqE,IAAI,CAAC,CAACpE,IAAI,CAAC,UAACF,MAAM;MAAA,OACpCe,gBAAG,CAACwD,MAAM,CAAC,CAAC,CAACrE,IAAI,CAAC,UAACH,GAAG;QAAA,OACpBA,GAAG,CACAyE,OAAO,CAACxE,MAAM,CAAC,CACfE,IAAI,CAACD,qBAAY;QAClB;QAAA,CACCC,IAAI,CAAC,UAACuE,KAAK;UAAA,OAAM;YAAC1E,GAAG,EAAHA,GAAG;YAAE0E,KAAK,EAALA;UAAK,CAAC;QAAA,CAAC,CAAC;MAAA,CACpC,CAAC;IAAA,CACH,CAAC;EACH,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,UAAU,WAAAA,WAAChE,GAAG,EAAEX,GAAG,EAAEa,OAAO,EAAE;IAC5B;IACA,IAAI,CAACb,GAAG,CAAC4E,GAAG,EAAE;MACZ,OAAOtE,QAAA,CAAApB,OAAA,CAAQqB,MAAM,CAAC,IAAIC,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtF;IAEA,OAAO,IAAI,CAACM,MAAM,CAACH,GAAG,EAAEE,OAAO,CAAC,CAACV,IAAI,CAAC,UAACY,CAAC;MAAA,OAAKf,GAAG,CAAC6E,KAAK,CAAC9D,CAAC,CAACG,GAAG,CAAC;IAAA,EAAC;EAChE,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE4D,WAAW,WAAAA,YAACnE,GAAG,EAAEc,SAAS,EAAEZ,OAAO,EAAE;IAAA,IAAAkE,MAAA;IACnC,OAAO,IAAI,CAACjE,MAAM,CAACH,GAAG,EAAEE,OAAO,CAAC,CAACV,IAAI,CAAC,UAACY,CAAC;MAAA,OACtCM,iBAAI,CAACC,GAAG,CAAC0D,aAAa,CAACD,MAAI,CAACE,MAAM,CAACC,WAAW,EAAE;QAC9CvE,GAAG,EAAEI,CAAC,CAACG,GAAG;QACViE,MAAM,EAAE;UACNC,GAAG,EAAE;QACP,CAAC;QACDC,SAAS,EAAE;MACb,CAAC,CAAC,CAACC,KAAK,CAAC7D,SAAS,EAAE,MAAM,CAAC;IAAA,CAC7B,CAAC;EACH,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;EACEX,MAAM,WAAAA,OAACqB,GAAG,EAAqB;IAAA,IAAAoD,MAAA;IAAA,IAAAC,IAAA,GAAA3G,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA4G,SAAA,GAAA5G,SAAA,MAAJ,CAAC,CAAC;MAAhB6G,UAAU,GAAAF,IAAA,CAAVE,UAAU;IACrB,IAAIvD,GAAG,CAACjB,GAAG,EAAE;MACX,OAAO,IAAI,CAACxB,GAAG,CAACiG,KAAK,CAACxD,GAAG,CAAC;IAC5B;IAEA,IAAIyD,UAAU,GAAGzD,GAAG;IAEpB,IAAIuD,UAAU,EAAE;MACdE,UAAU,mBAAAvB,MAAA,CAAmBqB,UAAU,CAAE;IAC3C;IAEA,OAAO,IAAI,CAACG,gBAAgB,CACzBC,GAAG,CAACF,UAAU,CAAC,CACfzF,IAAI,CAAC,UAAC4F,SAAS;MAAA,OAAKC,IAAI,CAACtC,KAAK,CAACqC,SAAS,CAAC;IAAA,EAAC,CAC1C5F,IAAI,CAAC,UAAC8F,SAAS;MAAA,OAAKV,MAAI,CAAC7F,GAAG,CAACiG,KAAK,CAACM,SAAS,CAAC;IAAA,EAAC,CAC9C9B,KAAK,CAAC;MAAA,OACLoB,MAAI,CAAC7F,GAAG,CACLwG,QAAQ,CAAC;QAAC/D,GAAG,EAAHA,GAAG;QAAEuD,UAAU,EAAVA;MAAU,CAAC,CAAC,CAC3BvF,IAAI,CAAC,IAAAgG,WAAG,EAAC,UAACxF,GAAG;QAAA,OAAK4E,MAAI,CAACM,gBAAgB,CAACO,GAAG,CAACR,UAAU,EAAE,IAAAS,UAAA,CAAAnH,OAAA,EAAeyB,GAAG,EAAE2F,QAAQ,CAAC,CAAC;MAAA,EAAC,CAAC;IAAA,CAC7F,CAAC;EACL,CAAC;EAAAC,OAAA;AACH,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA,SAASD,QAAQA,CAACvF,CAAC,EAAEyF,CAAC,EAAE;EACtB,IAAIzF,CAAC,KAAK,KAAK,EAAE;IACf;IACA;IACA,IAAM0F,IAAI,GAAG,IAAI,CAAC1F,CAAC,CAAC,CAAC2F,MAAM,CAAC,IAAI,CAAC;IAEjC,OAAOD,IAAI;EACb;EAEA,OAAOD,CAAC;AACV;AAAC,IAAAG,QAAA,GAAAC,OAAA,CAAA1H,OAAA,GAEcI,UAAU"}
1	+ {"version":3,"names":["_events","require","_url","_interopRequireDefault","_webexCore","_common","_nodeJose","_nodeScr","_ensureBuffer","_kms","ownKeys","e","r","t","_Object$keys2","_Object$getOwnPropertySymbols","o","filter","_Object$getOwnPropertyDescriptor","enumerable","push","apply","_objectSpread","arguments","length","Object","forEach","_defineProperty2","default","_Object$getOwnPropertyDescriptors","_Object$defineProperties","_Object$defineProperty","Encryption","WebexPlugin","extend","children","kms","KMS","namespace","processKmsMessageEvent","event","decryptBinary","scr","buffer","ensureBuffer","then","b","byteLength","_promise","reject","Error","decrypt","decryptScr","key","cipherScr","options","getKey","k","SCR","fromJWE","jwk","decryptText","ciphertext","jose","JWE","createDecrypt","result","plaintext","toString","decryptBinaryData","kmsKeyUri","payload","download","fileUrl","_this","shunt","EventEmitter","promise","_fetchDownloadUrl","useFileService","uri","method","responseType","ret","request","transferEvents","res","body","proxyEvents","_this2","logger","info","process","env","NODE_ENV","includes","resolve","startsWith","error","inputBody","endpoints","endpointUrl","url","parse","protocol","pathname","format","params","_keys","indexOf","allow","warn","catch","err","concat","encryptBinary","file","create","encrypt","cdata","encryptScr","loc","toJWE","encryptText","_this3","createEncrypt","config","joseOptions","header","alg","reference","final","_this4","_ref","undefined","onBehalfOf","asKey","storageKey","unboundedStorage","get","keyString","JSON","keyObject","fetchKey","tap","put","_stringify","replacer","version","v","json","toJSON","_default","exports"],"sources":["encryption.js"],"sourcesContent":["/!\n Copyright (c) 2015-2020 Cisco Systems, Inc. See LICENSE file.\n /\n\nimport {EventEmitter} from 'events';\nimport url from 'url';\n\nimport {WebexPlugin} from '@webex/webex-core';\nimport {proxyEvents, tap, transferEvents} from '@webex/common';\nimport jose from 'node-jose';\nimport SCR from 'node-scr';\n\nimport ensureBuffer from './ensure-buffer';\nimport KMS from './kms';\n\nconst Encryption = WebexPlugin.extend({\n children: {\n kms: KMS,\n },\n\n namespace: 'Encryption',\n\n processKmsMessageEvent(event) {\n return this.kms.processKmsMessageEvent(event);\n },\n\n decryptBinary(scr, buffer) {\n return ensureBuffer(buffer).then((b) => {\n / istanbul ignore if /\n if (buffer.length === 0 \|\| buffer.byteLength === 0) {\n return Promise.reject(new Error('Attempted to decrypt zero-length buffer'));\n }\n\n return scr.decrypt(b);\n });\n },\n\n /\n Decrypt a SCR (Secure Content Resource) using the supplied key uri.\n \n @param {string} key - The uri of a key stored in KMS\n * @param {Object} cipherScr - An encrypted SCR\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {Object} Decrypted SCR\n /\n decryptScr(key, cipherScr, options) {\n return this.getKey(key, options).then((k) => SCR.fromJWE(k.jwk, cipherScr));\n },\n\n /\n Decrypt text using the supplied key uri.\n \n @param {string} key - The uri of a key stored in KMS\n * @param {string} ciphertext - Encrypted text\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {string} Decrypted plaintext\n /\n decryptText(key, ciphertext, options) {\n return this.getKey(key, options).then((k) =>\n jose.JWE.createDecrypt(k.jwk)\n .decrypt(ciphertext)\n .then((result) => result.plaintext.toString())\n );\n },\n\n /\n Decrypt binary data using the supplied key uri.\n \n @param {string} kmsKeyUri - The uri of a key stored in KMS\n * @param {string} JWE - Encrypted binary data as JWE\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {Buffer} Decrypted binary data as Buffer\n /\n decryptBinaryData(kmsKeyUri, JWE, options) {\n return this.getKey(kmsKeyUri, options).then((k) =>\n jose.JWE.createDecrypt(k.jwk)\n .decrypt(JWE)\n .then((result) => result.payload)\n );\n },\n\n /\n Validate and initiate a Download request for requested file\n * @param {Object} fileUrl - Plaintext\n * @param {Object} scr - Plaintext\n * @param {Object} options - optional parameters to download a file\n * @returns {promise}\n /\n download(fileUrl, scr, options) {\n / istanbul ignore if /\n if (!fileUrl \|\| !scr) {\n return Promise.reject(new Error('`scr` and `fileUrl` are required'));\n }\n\n const shunt = new EventEmitter();\n const promise = this._fetchDownloadUrl(fileUrl, {useFileService: true, ...options})\n .then((uri) => {\n // eslint-disable-next-line no-shadow\n const options = {\n method: 'GET',\n uri,\n responseType: 'buffer',\n };\n\n const ret = this.request(options);\n\n transferEvents('progress', options.download, shunt);\n\n return ret;\n })\n .then((res) => this.decryptBinary(scr, res.body));\n\n proxyEvents(shunt, promise);\n\n return promise;\n },\n\n /\n Fetch Download URL for the requested file\n * @param {Object} fileUrl - Plaintext\n * @param {Object} options - optional parameters to download a file\n * @returns {promise} url of the downloadable file\n /\n _fetchDownloadUrl(fileUrl, options) {\n this.logger.info('encryption: retrieving download url for encrypted file');\n\n if (process.env.NODE_ENV !== 'production' && fileUrl.includes('localhost')) {\n this.logger.info(\n 'encryption: bypassing webex files because this looks to be a test file on localhost'\n );\n\n return Promise.resolve(fileUrl);\n }\n\n if (options?.useFileService === false) {\n if (!fileUrl.startsWith('https://')) {\n this.logger.error('encryption: direct file URLs must use HTTPS');\n\n return Promise.reject(new Error('Direct file URLs must use HTTPS'));\n }\n\n return Promise.resolve(fileUrl);\n }\n\n const inputBody = {\n endpoints: [fileUrl],\n };\n const endpointUrl = url.parse(fileUrl);\n\n // hardcode the url to use 'https' and the file service '/v1/download/endpoints' api\n endpointUrl.protocol = 'https';\n endpointUrl.pathname = '/v1/download/endpoints';\n\n return this.request({\n method: 'POST',\n uri: url.format(endpointUrl),\n body:\n options?.params && Object.keys(options.params).indexOf('allow') > -1\n ? {\n ...inputBody,\n allow: options.params.allow,\n }\n : inputBody,\n })\n .then((res) => {\n // eslint-disable-next-line no-shadow\n const url = res.body.endpoints[fileUrl];\n\n if (!url) {\n this.logger.warn(\n 'encryption: could not determine download url for `fileUrl`; attempting to download `fileUrl` directly'\n );\n\n return fileUrl;\n }\n this.logger.info('encryption: retrieved download url for encrypted file');\n\n return url;\n })\n .catch((err) => {\n this.logger.warn(\n `encryption: ${err} could not determine download url for ${fileUrl}; attempting to download ${fileUrl} directly`\n );\n\n return fileUrl;\n });\n },\n\n encryptBinary(file) {\n return ensureBuffer(file).then((buffer) =>\n SCR.create().then((scr) =>\n scr\n .encrypt(buffer)\n .then(ensureBuffer)\n // eslint-disable-next-line max-nested-callbacks\n .then((cdata) => ({scr, cdata}))\n )\n );\n },\n\n /\n Encrypt a SCR (Secure Content Resource) using the supplied key uri.\n \n @param {string} key - The uri of a key stored in KMS\n * @param {Object} scr - SCRObject\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {string} Encrypted SCR\n /\n encryptScr(key, scr, options) {\n / istanbul ignore if /\n if (!scr.loc) {\n return Promise.reject(new Error('Cannot encrypt `scr` without first setting `loc`'));\n }\n\n return this.getKey(key, options).then((k) => scr.toJWE(k.jwk));\n },\n\n /\n Encrypt plaintext using the supplied key uri.\n \n @param {string} key - The uri of a key stored in KMS\n * @param {string} plaintext\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {string} Encrypted text\n /\n encryptText(key, plaintext, options) {\n return this.getKey(key, options).then((k) =>\n jose.JWE.createEncrypt(this.config.joseOptions, {\n key: k.jwk,\n header: {\n alg: 'dir',\n },\n reference: null,\n }).final(plaintext, 'utf8')\n );\n },\n\n /\n Fetch the key associated with the supplied KMS uri.\n \n @param {string} uri - The uri of a key stored in KMS\n * @param {Object} options\n * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role\n * @returns {string} Key\n /\n getKey(uri, {onBehalfOf} = {}) {\n if (uri.jwk) {\n return this.kms.asKey(uri);\n }\n\n let storageKey = uri;\n\n if (onBehalfOf) {\n storageKey += `/onBehalfOf/${onBehalfOf}`;\n }\n\n return this.unboundedStorage\n .get(storageKey)\n .then((keyString) => JSON.parse(keyString))\n .then((keyObject) => this.kms.asKey(keyObject))\n .catch(() =>\n this.kms\n .fetchKey({uri, onBehalfOf})\n .then(tap((key) => this.unboundedStorage.put(storageKey, JSON.stringify(key, replacer))))\n );\n },\n});\n\n/\n JSON.stringify replacer that ensures private key data is serialized.\n * @param {string} k\n * @param {mixed} v\n * @returns {mixed}\n */\nfunction replacer(k, v) {\n if (k === 'jwk') {\n // note: this[k] and v may be different representations of the same value\n // eslint-disable-next-line no-invalid-this\n const json = this[k].toJSON(true);\n\n return json;\n }\n\n return v;\n}\n\nexport default Encryption;\n"],"mappings":";;;;;;;;;;;;;;;;;AAIA,IAAAA,OAAA,GAAAC,OAAA;AACA,IAAAC,IAAA,GAAAC,sBAAA,CAAAF,OAAA;AAEA,IAAAG,UAAA,GAAAH,OAAA;AACA,IAAAI,OAAA,GAAAJ,OAAA;AACA,IAAAK,SAAA,GAAAH,sBAAA,CAAAF,OAAA;AACA,IAAAM,QAAA,GAAAJ,sBAAA,CAAAF,OAAA;AAEA,IAAAO,aAAA,GAAAL,sBAAA,CAAAF,OAAA;AACA,IAAAQ,IAAA,GAAAN,sBAAA,CAAAF,OAAA;AAAwB,SAAAS,QAAAC,CAAA,EAAAC,CAAA,QAAAC,CAAA,GAAAC,aAAA,CAAAH,CAAA,OAAAI,6BAAA,QAAAC,CAAA,GAAAD,6BAAA,CAAAJ,CAAA,GAAAC,CAAA,KAAAI,CAAA,GAAAA,CAAA,CAAAC,MAAA,WAAAL,CAAA,WAAAM,gCAAA,CAAAP,CAAA,EAAAC,CAAA,EAAAO,UAAA,OAAAN,CAAA,CAAAO,IAAA,CAAAC,KAAA,CAAAR,CAAA,EAAAG,CAAA,YAAAH,CAAA;AAAA,SAAAS,cAAAX,CAAA,aAAAC,CAAA,MAAAA,CAAA,GAAAW,SAAA,CAAAC,MAAA,EAAAZ,CAAA,UAAAC,CAAA,WAAAU,SAAA,CAAAX,CAAA,IAAAW,SAAA,CAAAX,CAAA,QAAAA,CAAA,OAAAF,OAAA,CAAAe,MAAA,CAAAZ,CAAA,OAAAa,OAAA,WAAAd,CAAA,QAAAe,gBAAA,CAAAC,OAAA,EAAAjB,CAAA,EAAAC,CAAA,EAAAC,CAAA,CAAAD,CAAA,SAAAiB,iCAAA,GAAAC,wBAAA,CAAAnB,CAAA,EAAAkB,iCAAA,CAAAhB,CAAA,KAAAH,OAAA,CAAAe,MAAA,CAAAZ,CAAA,GAAAa,OAAA,WAAAd,CAAA,IAAAmB,sBAAA,CAAApB,CAAA,EAAAC,CAAA,EAAAM,gCAAA,CAAAL,CAAA,EAAAD,CAAA,iBAAAD,CAAA,IAbxB;AACA;AACA;AAaA,IAAMqB,UAAU,GAAGC,sBAAW,CAACC,MAAM,CAAC;EACpCC,QAAQ,EAAE;IACRC,GAAG,EAAEC;EACP,CAAC;EAEDC,SAAS,EAAE,YAAY;EAEvBC,sBAAsB,WAAAA,uBAACC,KAAK,EAAE;IAC5B,OAAO,IAAI,CAACJ,GAAG,CAACG,sBAAsB,CAACC,KAAK,CAAC;EAC/C,CAAC;EAEDC,aAAa,WAAAA,cAACC,GAAG,EAAEC,MAAM,EAAE;IACzB,OAAO,IAAAC,qBAAY,EAACD,MAAM,CAAC,CAACE,IAAI,CAAC,UAACC,CAAC,EAAK;MACtC;MACA,IAAIH,MAAM,CAACnB,MAAM,KAAK,CAAC,IAAImB,MAAM,CAACI,UAAU,KAAK,CAAC,EAAE;QAClD,OAAOC,QAAA,CAAApB,OAAA,CAAQqB,MAAM,CAAC,IAAIC,KAAK,CAAC,yCAAyC,CAAC,CAAC;MAC7E;MAEA,OAAOR,GAAG,CAACS,OAAO,CAACL,CAAC,CAAC;IACvB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEM,UAAU,WAAAA,WAACC,GAAG,EAAEC,SAAS,EAAEC,OAAO,EAAE;IAClC,OAAO,IAAI,CAACC,MAAM,CAACH,GAAG,EAAEE,OAAO,CAAC,CAACV,IAAI,CAAC,UAACY,CAAC;MAAA,OAAKC,gBAAG,CAACC,OAAO,CAACF,CAAC,CAACG,GAAG,EAAEN,SAAS,CAAC;IAAA,EAAC;EAC7E,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEO,WAAW,WAAAA,YAACR,GAAG,EAAES,UAAU,EAAEP,OAAO,EAAE;IACpC,OAAO,IAAI,CAACC,MAAM,CAACH,GAAG,EAAEE,OAAO,CAAC,CAACV,IAAI,CAAC,UAACY,CAAC;MAAA,OACtCM,iBAAI,CAACC,GAAG,CAACC,aAAa,CAACR,CAAC,CAACG,GAAG,CAAC,CAC1BT,OAAO,CAACW,UAAU,CAAC,CACnBjB,IAAI,CAAC,UAACqB,MAAM;QAAA,OAAKA,MAAM,CAACC,SAAS,CAACC,QAAQ,CAAC,CAAC;MAAA,EAAC;IAAA,CAClD,CAAC;EACH,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,iBAAiB,WAAAA,kBAACC,SAAS,EAAEN,GAAG,EAAET,OAAO,EAAE;IACzC,OAAO,IAAI,CAACC,MAAM,CAACc,SAAS,EAAEf,OAAO,CAAC,CAACV,IAAI,CAAC,UAACY,CAAC;MAAA,OAC5CM,iBAAI,CAACC,GAAG,CAACC,aAAa,CAACR,CAAC,CAACG,GAAG,CAAC,CAC1BT,OAAO,CAACa,GAAG,CAAC,CACZnB,IAAI,CAAC,UAACqB,MAAM;QAAA,OAAKA,MAAM,CAACK,OAAO;MAAA,EAAC;IAAA,CACrC,CAAC;EACH,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,QAAQ,WAAAA,SAACC,OAAO,EAAE/B,GAAG,EAAEa,OAAO,EAAE;IAAA,IAAAmB,KAAA;IAC9B;IACA,IAAI,CAACD,OAAO,IAAI,CAAC/B,GAAG,EAAE;MACpB,OAAOM,QAAA,CAAApB,OAAA,CAAQqB,MAAM,CAAC,IAAIC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtE;IAEA,IAAMyB,KAAK,GAAG,IAAIC,oBAAY,CAAC,CAAC;IAChC,IAAMC,OAAO,GAAG,IAAI,CAACC,iBAAiB,CAACL,OAAO,EAAAnD,aAAA;MAAGyD,cAAc,EAAE;IAAI,GAAKxB,OAAO,CAAC,CAAC,CAChFV,IAAI,CAAC,UAACmC,GAAG,EAAK;MACb;MACA,IAAMzB,OAAO,GAAG;QACd0B,MAAM,EAAE,KAAK;QACbD,GAAG,EAAHA,GAAG;QACHE,YAAY,EAAE;MAChB,CAAC;MAED,IAAMC,GAAG,GAAGT,KAAI,CAACU,OAAO,CAAC7B,OAAO,CAAC;MAEjC,IAAA8B,sBAAc,EAAC,UAAU,EAAE9B,OAAO,CAACiB,QAAQ,EAAEG,KAAK,CAAC;MAEnD,OAAOQ,GAAG;IACZ,CAAC,CAAC,CACDtC,IAAI,CAAC,UAACyC,GAAG;MAAA,OAAKZ,KAAI,CAACjC,aAAa,CAACC,GAAG,EAAE4C,GAAG,CAACC,IAAI,CAAC;IAAA,EAAC;IAEnD,IAAAC,mBAAW,EAACb,KAAK,EAAEE,OAAO,CAAC;IAE3B,OAAOA,OAAO;EAChB,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACEC,iBAAiB,WAAAA,kBAACL,OAAO,EAAElB,OAAO,EAAE;IAAA,IAAAkC,MAAA;IAClC,IAAI,CAACC,MAAM,CAACC,IAAI,CAAC,wDAAwD,CAAC;IAE1E,IAAIC,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,IAAIrB,OAAO,CAACsB,QAAQ,CAAC,WAAW,CAAC,EAAE;MAC1E,IAAI,CAACL,MAAM,CAACC,IAAI,CACd,qFACF,CAAC;MAED,OAAO3C,QAAA,CAAApB,OAAA,CAAQoE,OAAO,CAACvB,OAAO,CAAC;IACjC;IAEA,IAAI,CAAAlB,OAAO,aAAPA,OAAO,uBAAPA,OAAO,CAAEwB,cAAc,MAAK,KAAK,EAAE;MACrC,IAAI,CAACN,OAAO,CAACwB,UAAU,CAAC,UAAU,CAAC,EAAE;QACnC,IAAI,CAACP,MAAM,CAACQ,KAAK,CAAC,6CAA6C,CAAC;QAEhE,OAAOlD,QAAA,CAAApB,OAAA,CAAQqB,MAAM,CAAC,IAAIC,KAAK,CAAC,iCAAiC,CAAC,CAAC;MACrE;MAEA,OAAOF,QAAA,CAAApB,OAAA,CAAQoE,OAAO,CAACvB,OAAO,CAAC;IACjC;IAEA,IAAM0B,SAAS,GAAG;MAChBC,SAAS,EAAE,CAAC3B,OAAO;IACrB,CAAC;IACD,IAAM4B,WAAW,GAAGC,YAAG,CAACC,KAAK,CAAC9B,OAAO,CAAC;;IAEtC;IACA4B,WAAW,CAACG,QAAQ,GAAG,OAAO;IAC9BH,WAAW,CAACI,QAAQ,GAAG,wBAAwB;IAE/C,OAAO,IAAI,CAACrB,OAAO,CAAC;MAClBH,MAAM,EAAE,MAAM;MACdD,GAAG,EAAEsB,YAAG,CAACI,MAAM,CAACL,WAAW,CAAC;MAC5Bd,IAAI,EACFhC,OAAO,aAAPA,OAAO,eAAPA,OAAO,CAAEoD,MAAM,IAAI,IAAAC,KAAA,CAAAhF,OAAA,EAAY2B,OAAO,CAACoD,MAAM,CAAC,CAACE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAAvF,aAAA,CAAAA,aAAA,KAE3D6E,SAAS;QACZW,KAAK,EAAEvD,OAAO,CAACoD,MAAM,CAACG;MAAK,KAE7BX;IACR,CAAC,CAAC,CACCtD,IAAI,CAAC,UAACyC,GAAG,EAAK;MACb;MACA,IAAMgB,GAAG,GAAGhB,GAAG,CAACC,IAAI,CAACa,SAAS,CAAC3B,OAAO,CAAC;MAEvC,IAAI,CAAC6B,GAAG,EAAE;QACRb,MAAI,CAACC,MAAM,CAACqB,IAAI,CACd,uGACF,CAAC;QAED,OAAOtC,OAAO;MAChB;MACAgB,MAAI,CAACC,MAAM,CAACC,IAAI,CAAC,uDAAuD,CAAC;MAEzE,OAAOW,GAAG;IACZ,CAAC,CAAC,CACDU,KAAK,CAAC,UAACC,GAAG,EAAK;MACdxB,MAAI,CAACC,MAAM,CAACqB,IAAI,gBAAAG,MAAA,CACCD,GAAG,4CAAAC,MAAA,CAAyCzC,OAAO,+BAAAyC,MAAA,CAA4BzC,OAAO,cACvG,CAAC;MAED,OAAOA,OAAO;IAChB,CAAC,CAAC;EACN,CAAC;EAED0C,aAAa,WAAAA,cAACC,IAAI,EAAE;IAClB,OAAO,IAAAxE,qBAAY,EAACwE,IAAI,CAAC,CAACvE,IAAI,CAAC,UAACF,MAAM;MAAA,OACpCe,gBAAG,CAAC2D,MAAM,CAAC,CAAC,CAACxE,IAAI,CAAC,UAACH,GAAG;QAAA,OACpBA,GAAG,CACA4E,OAAO,CAAC3E,MAAM,CAAC,CACfE,IAAI,CAACD,qBAAY;QAClB;QAAA,CACCC,IAAI,CAAC,UAAC0E,KAAK;UAAA,OAAM;YAAC7E,GAAG,EAAHA,GAAG;YAAE6E,KAAK,EAALA;UAAK,CAAC;QAAA,CAAC,CAAC;MAAA,CACpC,CAAC;IAAA,CACH,CAAC;EACH,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,UAAU,WAAAA,WAACnE,GAAG,EAAEX,GAAG,EAAEa,OAAO,EAAE;IAC5B;IACA,IAAI,CAACb,GAAG,CAAC+E,GAAG,EAAE;MACZ,OAAOzE,QAAA,CAAApB,OAAA,CAAQqB,MAAM,CAAC,IAAIC,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtF;IAEA,OAAO,IAAI,CAACM,MAAM,CAACH,GAAG,EAAEE,OAAO,CAAC,CAACV,IAAI,CAAC,UAACY,CAAC;MAAA,OAAKf,GAAG,CAACgF,KAAK,CAACjE,CAAC,CAACG,GAAG,CAAC;IAAA,EAAC;EAChE,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE+D,WAAW,WAAAA,YAACtE,GAAG,EAAEc,SAAS,EAAEZ,OAAO,EAAE;IAAA,IAAAqE,MAAA;IACnC,OAAO,IAAI,CAACpE,MAAM,CAACH,GAAG,EAAEE,OAAO,CAAC,CAACV,IAAI,CAAC,UAACY,CAAC;MAAA,OACtCM,iBAAI,CAACC,GAAG,CAAC6D,aAAa,CAACD,MAAI,CAACE,MAAM,CAACC,WAAW,EAAE;QAC9C1E,GAAG,EAAEI,CAAC,CAACG,GAAG;QACVoE,MAAM,EAAE;UACNC,GAAG,EAAE;QACP,CAAC;QACDC,SAAS,EAAE;MACb,CAAC,CAAC,CAACC,KAAK,CAAChE,SAAS,EAAE,MAAM,CAAC;IAAA,CAC7B,CAAC;EACH,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;EACEX,MAAM,WAAAA,OAACwB,GAAG,EAAqB;IAAA,IAAAoD,MAAA;IAAA,IAAAC,IAAA,GAAA9G,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAA+G,SAAA,GAAA/G,SAAA,MAAJ,CAAC,CAAC;MAAhBgH,UAAU,GAAAF,IAAA,CAAVE,UAAU;IACrB,IAAIvD,GAAG,CAACpB,GAAG,EAAE;MACX,OAAO,IAAI,CAACxB,GAAG,CAACoG,KAAK,CAACxD,GAAG,CAAC;IAC5B;IAEA,IAAIyD,UAAU,GAAGzD,GAAG;IAEpB,IAAIuD,UAAU,EAAE;MACdE,UAAU,mBAAAvB,MAAA,CAAmBqB,UAAU,CAAE;IAC3C;IAEA,OAAO,IAAI,CAACG,gBAAgB,CACzBC,GAAG,CAACF,UAAU,CAAC,CACf5F,IAAI,CAAC,UAAC+F,SAAS;MAAA,OAAKC,IAAI,CAACtC,KAAK,CAACqC,SAAS,CAAC;IAAA,EAAC,CAC1C/F,IAAI,CAAC,UAACiG,SAAS;MAAA,OAAKV,MAAI,CAAChG,GAAG,CAACoG,KAAK,CAACM,SAAS,CAAC;IAAA,EAAC,CAC9C9B,KAAK,CAAC;MAAA,OACLoB,MAAI,CAAChG,GAAG,CACL2G,QAAQ,CAAC;QAAC/D,GAAG,EAAHA,GAAG;QAAEuD,UAAU,EAAVA;MAAU,CAAC,CAAC,CAC3B1F,IAAI,CAAC,IAAAmG,WAAG,EAAC,UAAC3F,GAAG;QAAA,OAAK+E,MAAI,CAACM,gBAAgB,CAACO,GAAG,CAACR,UAAU,EAAE,IAAAS,UAAA,CAAAtH,OAAA,EAAeyB,GAAG,EAAE8F,QAAQ,CAAC,CAAC;MAAA,EAAC,CAAC;IAAA,CAC7F,CAAC;EACL,CAAC;EAAAC,OAAA;AACH,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA,SAASD,QAAQA,CAAC1F,CAAC,EAAE4F,CAAC,EAAE;EACtB,IAAI5F,CAAC,KAAK,KAAK,EAAE;IACf;IACA;IACA,IAAM6F,IAAI,GAAG,IAAI,CAAC7F,CAAC,CAAC,CAAC8F,MAAM,CAAC,IAAI,CAAC;IAEjC,OAAOD,IAAI;EACb;EAEA,OAAOD,CAAC;AACV;AAAC,IAAAG,QAAA,GAAAC,OAAA,CAAA7H,OAAA,GAEcI,UAAU"}

package/dist/kms.js CHANGED Viewed

@@ -27,6 +27,7 @@ var _lodash = require("lodash");
 var _uuid = _interopRequireDefault(require("uuid"));
 var _kmsBatcher = _interopRequireWildcard(require("./kms-batcher"));
 var _kmsCertificateValidation = _interopRequireWildcard(require("./kms-certificate-validation"));
+var _constants = require("./constants");
 var _dec, _obj;
 /*!
  * Copyright (c) 2015-2024 Cisco Systems, Inc. See LICENSE file.
@@ -298,6 +299,7 @@ var KMS = _webexCore.WebexPlugin.extend((_dec = (0, _common.oneFlight)({
    * @param {UUID} options.assignedOrgId the orgId
    * @param {string} options.customerMasterKey the master key
    * @param {string} options.customerMasterKeyBackup the master key backup
+   * @param {string} options.customerMasterKeyRole the optional role associated with customerMasterKey
    * @param {boolean} options.awsKms enable amazon aws keys
    * @returns {Promise.<UploadCmkResponse>} response of upload CMK api
    */
@@ -308,7 +310,9 @@ var KMS = _webexCore.WebexPlugin.extend((_dec = (0, _common.oneFlight)({
       _ref9$awsKms = _ref9.awsKms,
       awsKms = _ref9$awsKms === void 0 ? false : _ref9$awsKms,
       _ref9$customerMasterK = _ref9.customerMasterKeyBackup,
-      customerMasterKeyBackup = _ref9$customerMasterK === void 0 ? undefined : _ref9$customerMasterK;
+      customerMasterKeyBackup = _ref9$customerMasterK === void 0 ? undefined : _ref9$customerMasterK,
+      _ref9$customerMasterK2 = _ref9.customerMasterKeyRole,
+      customerMasterKeyRole = _ref9$customerMasterK2 === void 0 ? undefined : _ref9$customerMasterK2;
     this.logger.info('kms: upload customer master key for byok');
     return this.request({
       method: 'create',
@@ -316,7 +320,8 @@ var KMS = _webexCore.WebexPlugin.extend((_dec = (0, _common.oneFlight)({
       assignedOrgId: assignedOrgId,
       customerMasterKey: customerMasterKey,
       requestId: _uuid.default.v4(),
-      customerMasterKeyBackup: awsKms ? customerMasterKeyBackup : undefined
+      customerMasterKeyBackup: awsKms ? customerMasterKeyBackup : undefined,
+      customerMasterKeyRole: awsKms ? customerMasterKeyRole : undefined
     }).then(function (res) {
       _this8.logger.info('kms: finish to upload customer master key');
       return res;
@@ -448,6 +453,19 @@ var KMS = _webexCore.WebexPlugin.extend((_dec = (0, _common.oneFlight)({
     }, {
       onBehalfOf: onBehalfOf
     }).then(function (res) {
+      // Handle redirect for migrated KRO, Key or Auth
+      if (res.errorCode === _constants.KMS_KEY_REDIRECT_ERROR_CODE && res.redirectUri) {
+        _this13.logger.info('kms: handling redirect for migrated resource', res.redirectUri);
+        return _this13.request({
+          method: 'retrieve',
+          uri: res.redirectUri
+        }, {
+          onBehalfOf: onBehalfOf
+        }).then(function (redirectRes) {
+          _this13.logger.info('kms: fetched key from redirect');
+          return _this13.asKey(redirectRes.key);
+        });
+      }
       _this13.logger.info('kms: fetched key');
       return _this13.asKey(res.key);
     });
@@ -809,7 +827,7 @@ var KMS = _webexCore.WebexPlugin.extend((_dec = (0, _common.oneFlight)({
     context.ephemeralKey = originalContext.ephemeralKey;
     return context;
   },
-  version: "3.8.1-web-workers-keepalive.1"
+  version: "3.9.0-multi-llms.1"
 }, ((0, _applyDecoratedDescriptor2.default)(_obj, "fetchKey", [_dec], (0, _getOwnPropertyDescriptor.default)(_obj, "fetchKey"), _obj), (0, _applyDecoratedDescriptor2.default)(_obj, "_getContext", [_common.oneFlight], (0, _getOwnPropertyDescriptor.default)(_obj, "_getContext"), _obj)), _obj)));
 var _default = exports.default = KMS;
 //# sourceMappingURL=kms.js.map

package/dist/kms.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["_querystring","_interopRequireDefault","require","_util","_commonTimers","_common","_webexCore","_nodeKms","_nodeJose","_lodash","_uuid","_kmsBatcher","_interopRequireWildcard","_kmsCertificateValidation","_dec","_obj","_getRequireWildcardCache","e","_WeakMap2","r","t","__esModule","_typeof","default","has","get","n","__proto__","a","_Object$defineProperty","_Object$getOwnPropertyDescriptor2","u","Object","prototype","hasOwnProperty","call","i","set","contexts","_weakMap","kmsDetails","partialContexts","consoleDebug","KMS","WebexPlugin","extend","oneFlight","keyFactory","_ref","uri","onBehalfOf","concat","namespace","children","batcher","KMSBatcher","bindKey","_ref2","_this","kro","kroUri","key","keyUri","logger","info","_promise","reject","Error","request","method","resourceUri","then","res","createResource","_ref3","_this2","userIds","keyUris","keys","reduce","uris","k","push","length","resource","addAuthorization","_ref4","_this3","authIds","authorizations","listAuthorizations","_ref5","_this4","removeAuthorization","_ref6","_this5","authId","userId","querystring","stringify","createUnboundKeys","_ref7","_this6","count","all","map","asKey","fetchPublicKey","_ref8","_this7","assignedOrgId","publicKey","uploadCustomerMasterKey","_ref9","_this8","customerMasterKey","_ref9$awsKms","awsKms","_ref9$customerMasterK","customerMasterKeyBackup","undefined","requestId","uuid","v4","listAllCustomerMasterKey","_ref10","_this9","_ref10$awsKms","changeCustomerMasterKeyState","_ref11","_this10","keyId","keyState","deleteAllCustomerMasterKeys","_ref12","_this11","_ref12$awsKms","useGlobalMasterKey","_ref13","_this12","fetchKey","_ref14","_this13","ping","jose","JWK","jwk","prepareRequest","payload","_this14","isECDHRequest","includes","resolve","_getContext","context","req","Request","requestContext","_contextOnBehalfOf","wrap","serverKey","process","env","NODE_ENV","util","inspect","omit","JSON","parse","_stringify","depth","processKmsMessageEvent","event","_this15","encryption","kmsMessages","kmsMessage","index","_isECDHEMessage","isECDHMessage","Response","unwrap","catch","reason","error","stack","decryptKmsMessage","body","_getKMSStaticPubKey","kmsStaticPubKey","fields","split","header","base64url","decode","kid","_this16","_ref15","arguments","timeout","config","kmsInitialTimeout","webex","internal","mercury","connect","TIMEOUT_SYMBOL","status","statusCode","message","match","warn","KMSError","trigger","ecdhMaxTimeout","nextTimeout","kmsMaxTimeout","delete","_getAuthorization","credentials","getUserToken","token","access_token","_this17","promise","_prepareContext","expiresIn","ephemeralKey","expirationDate","_now","safeSetTimeout","_ref16","_ref17","_slicedToArray2","authorization","clientInfo","credential","bearer","_getKMSCluster","_getKMSDetails","_ref18","kmsCluster","_this18","details","service","device","rsaPublicKey","_ref19","_this19","Context","validateKMS","caroots","_ref20","_ref21","clientId","url","serverInfo","createECDHKey","localECDHKey","_ref22","_ref23","cluster","toJSON","deriveEphemeralKey","originalContext","version","_applyDecoratedDescriptor2","_getOwnPropertyDescriptor","_default","exports"],"sources":["kms.js"],"sourcesContent":["/!\n Copyright (c) 2015-2024 Cisco Systems, Inc. See LICENSE file.\n /\n\nimport querystring from 'querystring';\nimport util from 'util';\n\nimport {safeSetTimeout} from '@webex/common-timers';\nimport {oneFlight} from '@webex/common';\nimport {WebexPlugin} from '@webex/webex-core';\nimport {Context, Request, Response} from 'node-kms';\nimport jose from 'node-jose';\nimport {omit} from 'lodash';\nimport uuid from 'uuid';\n\nimport KMSBatcher, {TIMEOUT_SYMBOL} from './kms-batcher';\nimport validateKMS, {KMSError} from './kms-certificate-validation';\n\nconst contexts = new WeakMap();\nconst kmsDetails = new WeakMap();\nconst partialContexts = new WeakMap();\n\nconst consoleDebug = require('debug')('kms');\n\n/\n @class\n /\nconst KMS = WebexPlugin.extend({\n namespace: 'Encryption',\n\n children: {\n batcher: KMSBatcher,\n },\n\n /\n Binds a key to a resource\n * @param {Object} options\n * @param {KMSResourceObject} options.kro\n * @param {string} options.kroUri\n * @param {Key} options.key\n * @param {string} options.keyUri\n * @returns {Promise<Key>}\n /\n bindKey({kro, kroUri, key, keyUri}) {\n kroUri = kroUri \|\| kro.uri;\n keyUri = keyUri \|\| key.uri;\n\n this.logger.info('kms: binding key to resource');\n\n / istanbul ignore if /\n if (!kroUri) {\n return Promise.reject(new Error('`kro` or `kroUri` is required'));\n }\n\n / istanbul ignore if /\n if (!keyUri) {\n return Promise.reject(new Error('`key` or `keyUri` is required'));\n }\n\n return this.request({\n method: 'update',\n resourceUri: kroUri,\n uri: keyUri,\n }).then((res) => {\n this.logger.info('kms: bound key to resource');\n\n return res.key;\n });\n },\n\n /\n Creates a new KMS Resource\n * @param {Object} options\n * @param {Array<string>} options.userIds\n * @param {Array<string>} options.keyUris\n * @param {Key} options.key\n * @param {Array<Keys>} options.keys\n * @returns {Promise<KMSResourceObject>}\n /\n createResource({userIds, keyUris, key, keys}) {\n keyUris = keyUris \|\| [];\n / istanbul ignore if /\n if (keys) {\n keyUris = keys.reduce((uris, k) => {\n uris.push(k.uri);\n\n return uris;\n }, keyUris);\n }\n\n / istanbul ignore else /\n if (key) {\n keyUris.push(key.uri);\n }\n\n / istanbul ignore if /\n if (keyUris.length === 0) {\n return Promise.reject(new Error('Cannot create KMS Resource without at least one keyUri'));\n }\n\n this.logger.info('kms: creating resource');\n\n return this.request({\n method: 'create',\n uri: '/resources',\n userIds,\n keyUris,\n }).then((res) => {\n this.logger.info('kms: created resource');\n\n return res.resource;\n });\n },\n\n /\n Authorizes a user or KRO to a KRO\n * @param {Object} options\n * @param {Array<string>} options.userIds\n * @param {Array<string>} options.authIds interchangable with userIds\n * @param {KMSResourceObject} options.kro the target kro\n * @param {string} options.kroUri\n * @returns {Promise<KMSAuthorizationObject>}\n /\n addAuthorization({userIds, authIds, kro, kroUri}) {\n userIds = userIds \|\| [];\n kroUri = kroUri \|\| kro.uri;\n\n if (authIds) {\n userIds = userIds.concat(authIds);\n }\n\n / istanbul ignore if /\n if (userIds.length === 0) {\n return Promise.reject(new Error('Cannot add authorization without userIds or authIds'));\n }\n\n / istanbul ignore if /\n if (!kroUri) {\n return Promise.reject(new Error('`kro` or `kroUri` is required'));\n }\n\n this.logger.info('kms: adding authorization to kms resource');\n\n return this.request({\n method: 'create',\n uri: '/authorizations',\n resourceUri: kroUri,\n userIds,\n }).then((res) => {\n this.logger.info('kms: added authorization');\n\n return res.authorizations;\n });\n },\n\n /\n Retrieve a list of users that have been authorized to the KRO\n * @param {Object} options\n * @param {KMSResourceObject} options.kro the target kro\n * @param {string} options.kroUri\n * @returns {Array<authId>}\n /\n listAuthorizations({kro, kroUri}) {\n kroUri = kroUri \|\| kro.uri;\n / istanbul ignore if /\n if (!kroUri) {\n return Promise.reject(new Error('`kro` or `kroUri` is required'));\n }\n\n return this.request({\n method: 'retrieve',\n uri: `${kroUri}/authorizations`,\n }).then((res) => {\n this.logger.info('kms: retrieved authorization list');\n\n return res.authorizations;\n });\n },\n\n /\n Deauthorizes a user or KRO from a KRO\n * @param {Object} options\n * @param {string} options.userId\n * @param {string} options.authId interchangable with userIds\n * @param {KMSResourceObject} options.kro the target kro\n * @param {string} options.kroUri\n * @returns {Promise<KMSAuthorizationObject>}\n /\n removeAuthorization({authId, userId, kro, kroUri}) {\n authId = authId \|\| userId;\n kroUri = kroUri \|\| kro.uri;\n\n / istanbul ignore if /\n if (!authId) {\n return Promise.reject(new Error('Cannot remove authorization without authId'));\n }\n\n / istanbul ignore if /\n if (!kroUri) {\n return Promise.reject(new Error('`kro` or `kroUri` is required'));\n }\n\n this.logger.info('kms: removing authorization from kms resource');\n\n return this.request({\n method: 'delete',\n uri: `${kroUri}/authorizations?${querystring.stringify({authId})}`,\n }).then((res) => {\n this.logger.info('kms: removed authorization');\n\n return res.authorizations;\n });\n },\n\n /\n Requests `count` unbound keys from the kms\n * @param {Object} options\n * @param {Number} options.count\n * @returns {Array<Key>}\n /\n createUnboundKeys({count}) {\n this.logger.info(`kms: request ${count} unbound keys`);\n\n / istanbul ignore if /\n if (!count) {\n return Promise.reject(new Error('`options.count` is required'));\n }\n\n return this.request({\n method: 'create',\n uri: '/keys',\n count,\n }).then((res) => {\n this.logger.info('kms: received unbound keys');\n\n return Promise.all(res.keys.map(this.asKey));\n });\n },\n\n /\n @typedef {Object} FetchPublicKeyResponse\n * @property {number} status 200,400(Bad Request: Request payload missing info),404(Not Found: HSM Public Key not found),501(Not Implemented: This KMS does not support BYOK),502(Bad Gateway: KMS could not communicate with HSM)\n * @property {UUID} requestId this is should be unique, used for debug.\n * @property {string} publicKey\n /\n /\n get public key from kms\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @returns {Promise.<FetchPublicKeyResponse>} response of get public key api\n /\n fetchPublicKey({assignedOrgId}) {\n this.logger.info('kms: fetch public key for byok');\n\n return this.request({\n method: 'retrieve',\n uri: '/publicKey',\n assignedOrgId,\n }).then((res) => {\n this.logger.info('kms: received public key');\n\n return res.publicKey;\n });\n },\n\n /\n @typedef {Object} UploadCmkResponse\n * @property {number} status\n * @property {UUID} requestId\n * @property {string} uri\n * @property {string} keysState\n /\n /\n upload master key for one org.\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @param {string} options.customerMasterKey the master key\n * @param {string} options.customerMasterKeyBackup the master key backup\n * @param {boolean} options.awsKms enable amazon aws keys\n * @returns {Promise.<UploadCmkResponse>} response of upload CMK api\n /\n uploadCustomerMasterKey({assignedOrgId, customerMasterKey, awsKms = false, customerMasterKeyBackup = undefined}) {\n this.logger.info('kms: upload customer master key for byok');\n\n return this.request({\n method: 'create',\n uri: awsKms ? '/awsKmsCmk' : '/cmk',\n assignedOrgId,\n customerMasterKey,\n requestId: uuid.v4(),\n customerMasterKeyBackup: awsKms ? customerMasterKeyBackup : undefined,\n }).then((res) => {\n this.logger.info('kms: finish to upload customer master key');\n\n return res;\n });\n },\n\n /\n get all customer master keys for one org.\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @param {boolean} options.awsKms enable amazon aws keys\n * @returns {Promise.<ActivateCmkResponse>} response of list CMKs api\n /\n listAllCustomerMasterKey({assignedOrgId, awsKms = false}) {\n this.logger.info('kms: get all customer master keys for byok');\n\n return this.request({\n method: 'retrieve',\n uri: awsKms ? '/awsKmsCmk' : '/cmk',\n assignedOrgId,\n requestId: uuid.v4(),\n }).then((res) => {\n this.logger.info('kms: finish to get all customer master keys');\n\n return res;\n });\n },\n\n /\n @typedef {Object} ActivateCmkResponse\n * @property {number} status\n * @property {UUID} requestId\n * @property {Array<CMK>} customerMasterKeys\n /\n /\n \n * @typedef {Object} CMK\n * @property {string} usageState\n * @property {UUID} assignedOrgId\n * @property {string} uri\n * @property {string} source\n * @property {Date \| undefined} stateUpdatedOn\n * @property {Date \| undefined} rotation\n /\n /\n change one customer master key state for one org.\n * delete pending key, then the keyState should be 'removedclean';\n * active pending key, then the keyState should be 'active';\n \n @param {Object} options\n * @param {string} options.keyId the id of one customer master key, it should be a url\n * @param {string} options.keyState one of the following: PENDING, RECOVERING,ACTIVE,REVOKED,DEACTIVATED,REENCRYPTING,RETIRED,DELETED,DISABLED,REMOVEDCLEAN,REMOVEDDIRTY;\n * @param {UUID} options.assignedOrgId the orgId\n * @returns {Promise.<ActivateCmkResponse>} response of list CMKs api\n /\n changeCustomerMasterKeyState({keyId, keyState, assignedOrgId}) {\n this.logger.info('kms: change one customer master key state for byok');\n\n return this.request({\n method: 'update',\n uri: keyId,\n keyState,\n assignedOrgId,\n requestId: uuid.v4(),\n }).then((res) => {\n this.logger.info('kms: finish to change the customer master key state to {}', keyState);\n\n return res;\n });\n },\n\n /\n this is for test case. it will delete all CMKs, no matter what their status is. This is mainly for test purpose\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @param {boolean} options.awsKms enable amazon aws keys\n * @returns {Promise.<{status, requestId}>}\n /\n deleteAllCustomerMasterKeys({assignedOrgId, awsKms = false}) {\n this.logger.info('kms: delete all customer master keys at the same time');\n\n return this.request({\n method: 'delete',\n uri: awsKms ? '/awsKmsCmk' : '/cmk',\n assignedOrgId,\n requestId: uuid.v4(),\n }).then((res) => {\n this.logger.info('kms: finish to delete all customer master keys');\n\n return res;\n });\n },\n\n /\n return to use global master key for one org.\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @returns {Promise.<ActivateCmkResponse>} response of activate CMK api\n /\n useGlobalMasterKey({assignedOrgId}) {\n this.logger.info('kms: return to use global master key');\n\n return this.request({\n method: 'update',\n uri: 'default',\n keyState: 'ACTIVE',\n assignedOrgId,\n requestId: uuid.v4(),\n }).then((res) => {\n this.logger.info('kms: finish to return to global master key');\n\n return res;\n });\n },\n\n /\n Fetches the specified key from the kms\n * @param {Object} options\n * @param {string} options.uri\n * @param {string} options.onBehalfOf The id of a user, upon whose behalf, the key is to be retrieved or undefined if retrieval is for the active user\n * @returns {Promise<Key>}\n /\n // Ideally, this would be done via the kms batcher, but other than request id,\n // there isn't any other userful key in a kms response to match it to a\n // request. as such, we need the batcher to group requests, but one flight to\n // make sure we don't make the same request multiple times.\n @oneFlight({\n keyFactory: ({uri, onBehalfOf}) => `${uri}/${onBehalfOf}`,\n })\n fetchKey({uri, onBehalfOf}) {\n / istanbul ignore if /\n if (!uri) {\n return Promise.reject(new Error('`options.uri` is required'));\n }\n\n this.logger.info('kms: fetching key');\n\n return this.request(\n {\n method: 'retrieve',\n uri,\n },\n {onBehalfOf}\n ).then((res) => {\n this.logger.info('kms: fetched key');\n\n return this.asKey(res.key);\n });\n },\n\n /\n Pings the kms. Mostly for testing\n * @returns {Promise}\n /\n ping() {\n return this.request({\n method: 'update',\n uri: '/ping',\n });\n },\n\n /\n Ensures a key obect is Key instance\n * @param {Object} key\n * @returns {Promise<Key>}\n /\n asKey(key) {\n return jose.JWK.asKey(key.jwk).then((jwk) => {\n key.jwk = jwk;\n\n return key;\n });\n },\n\n /\n Adds appropriate metadata to the KMS request\n * @param {Object} payload\n * @param {Object} onBehalfOf Optional parameter to prepare the request on behalf of another user\n * @returns {Promise<KMS.Request>}\n /\n prepareRequest(payload, onBehalfOf) {\n const isECDHRequest = payload.method === 'create' && payload.uri.includes('/ecdhe');\n\n return Promise.resolve(isECDHRequest ? partialContexts.get(this) : this._getContext()).then(\n (context) => {\n this.logger.info(`kms: wrapping ${isECDHRequest ? 'ephemeral key' : 'kms'} request`);\n const req = new Request(payload);\n let requestContext = context;\n\n if (onBehalfOf) {\n requestContext = this._contextOnBehalfOf(context, onBehalfOf);\n }\n\n return req.wrap(requestContext, {serverKey: isECDHRequest}).then(() => {\n / istanbul ignore else /\n if (process.env.NODE_ENV !== 'production') {\n this.logger.info(\n 'kms: request payload',\n util.inspect(omit(JSON.parse(JSON.stringify(req)), 'wrapped'), {depth: null})\n );\n }\n\n return req;\n });\n }\n );\n },\n\n /\n Accepts a kms message event, decrypts it, and passes it to the batcher\n * @param {Object} event\n * @returns {Promise<Object>}\n /\n processKmsMessageEvent(event) {\n this.logger.info('kms: received kms message');\n\n return Promise.all(\n event.encryption.kmsMessages.map((kmsMessage, index) =>\n this._isECDHEMessage(kmsMessage).then((isECDHMessage) => {\n this.logger.info(`kms: received ${isECDHMessage ? 'ecdhe' : 'normal'} message`);\n const res = new Response(kmsMessage);\n\n return (\n Promise.resolve(isECDHMessage ? partialContexts.get(this) : contexts.get(this))\n // eslint-disable-next-line max-nested-callbacks\n .then((context) => res.unwrap(context))\n // eslint-disable-next-line max-nested-callbacks\n .then(() => {\n if (process.env.NODE_ENV !== 'production') {\n this.logger.info(\n 'kms: response payload',\n util.inspect(omit(JSON.parse(JSON.stringify(res)), 'wrapped'), {depth: null})\n );\n }\n })\n // eslint-disable-next-line max-nested-callbacks\n .then(() => {\n event.encryption.kmsMessages[index] = res;\n })\n // eslint-disable-next-line max-nested-callbacks\n .then(() => res)\n );\n })\n )\n )\n .then(() => this.batcher.processKmsMessageEvent(event))\n .catch((reason) => {\n this.logger.error('kms: decrypt failed', reason.stack);\n\n return Promise.reject(reason);\n })\n .then(() => event);\n },\n\n /\n Decrypts a kms message\n * @param {Object} kmsMessage\n * @returns {Promise<Object>}\n /\n decryptKmsMessage(kmsMessage) {\n const res = new Response(kmsMessage);\n\n return contexts\n .get(this)\n .then((context) => res.unwrap(context))\n .then(() => res.body);\n },\n\n /\n Determines if the kms message is an ecdhe message or a normal message\n * @param {Object} kmsMessage\n * @returns {Promise<boolean>}\n /\n _isECDHEMessage(kmsMessage) {\n return this._getKMSStaticPubKey().then((kmsStaticPubKey) => {\n const fields = kmsMessage.split('.');\n\n if (fields.length !== 3) {\n return false;\n }\n\n const header = JSON.parse(jose.util.base64url.decode(fields[0]));\n\n return header.kid === kmsStaticPubKey.kid;\n });\n },\n\n /\n Sends a request to the kms\n * @param {Object} payload\n * @param {Object} options\n * @param {Number} options.timeout (internal)\n * @param {string} options.onBehalfOf Run the request on behalf of another user (UUID), used in compliance scenarios\n * @returns {Promise<Object>}\n /\n request(payload, {timeout, onBehalfOf} = {}) {\n timeout = timeout \|\| this.config.kmsInitialTimeout;\n\n // Note: this should only happen when we're using the async kms batcher;\n // once we implement the sync batcher, this'll need to be smarter.\n return (\n this.webex.internal.mercury\n .connect()\n .then(() => this.prepareRequest(payload, onBehalfOf))\n .then((req) => {\n req[TIMEOUT_SYMBOL] = timeout;\n\n return this.batcher.request(req);\n })\n // High complexity is due to attempt at test mode resiliency\n // eslint-disable-next-line complexity\n .catch((reason) => {\n if (\n process.env.NODE_ENV === 'test' &&\n (reason.status === 403 \|\| reason.statusCode === 403) &&\n reason.message.match(\n /Failed to resolve authorization token in KmsMessage request for user/\n )\n ) {\n this.logger.warn('kms: rerequested key due to test-mode kms auth failure');\n\n return this.request(payload, {onBehalfOf});\n }\n\n // KMS Error. Notify the user\n if (reason instanceof KMSError) {\n this.webex.trigger('client:InvalidRequestError');\n\n return Promise.reject(reason);\n }\n\n // Ideally, most or all of the code below would go in kms-batcher, but\n // but batching needs at least one more round of refactoring for that to\n // work.\n if (!reason.statusCode && !reason.status) {\n / istanbul ignore else /\n if (process.env.NODE_ENV !== 'production') {\n / istanbul ignore next: reason.stack vs stack difficult to control in test /\n this.logger.info('kms: request error', reason.stack \|\| reason);\n }\n\n consoleDebug(`timeout ${timeout}`);\n timeout = 2;\n\n if (timeout >= this.config.ecdhMaxTimeout) {\n this.logger.info('kms: exceeded maximum KMS request retries');\n\n return Promise.reject(reason);\n }\n\n // Peek ahead to make sure we don't reset the timeout if the next timeout\n // will exceed the maximum timeout for renegotiating ECDH keys.\n const nextTimeout = timeout * 2;\n\n if (timeout >= this.config.kmsMaxTimeout && nextTimeout < this.config.ecdhMaxTimeout) {\n this.logger.info(\n 'kms: exceeded maximum KMS request retries; negotiating new ecdh key'\n );\n\n /* istanbul ignore else /\n if (process.env.NODE_ENV !== 'production') {\n this.logger.info('kms: timeout/maxtimeout', timeout, this.config.kmsMaxTimeout);\n }\n\n contexts.delete(this);\n timeout = 0;\n }\n\n return this.request(payload, {timeout, onBehalfOf});\n }\n\n return Promise.reject(reason);\n })\n );\n },\n\n /\n @private\n * @returns {Promise<string>}\n /\n _getAuthorization() {\n return this.webex.credentials.getUserToken('spark:kms').then((token) => token.access_token);\n },\n\n @oneFlight\n /\n @private\n * @param {String} onBehalfOf create context on behalf of another user, undefined when this is not necessary\n * @returns {Promise<Object>}\n /\n _getContext() {\n let promise = contexts.get(this);\n\n if (!promise) {\n promise = this._prepareContext();\n contexts.set(this, promise);\n promise.then((context) => {\n const expiresIn = context.ephemeralKey.expirationDate - Date.now() - 30000;\n\n safeSetTimeout(() => contexts.delete(this), expiresIn);\n });\n }\n\n return Promise.all([promise, this._getAuthorization()]).then(([context, authorization]) => {\n context.clientInfo.credential.bearer = authorization;\n\n return context;\n });\n },\n\n /\n @private\n * @returns {Promise<Object>}\n /\n _getKMSCluster() {\n this.logger.info('kms: retrieving KMS cluster');\n\n return this._getKMSDetails().then(({kmsCluster}) => kmsCluster);\n },\n\n /\n @private\n * @returns {Promise<Object>}\n /\n _getKMSDetails() {\n let details = kmsDetails.get(this);\n\n if (!details) {\n this.logger.info('kms: fetching KMS details');\n details = this.webex\n .request({\n service: 'encryption',\n resource: `/kms/${this.webex.internal.device.userId}`,\n })\n .then((res) => {\n this.logger.info('kms: fetched KMS details');\n const {body} = res;\n\n body.rsaPublicKey = JSON.parse(body.rsaPublicKey);\n\n return body;\n })\n .catch((reason) => {\n this.logger.error('kms: failed to fetch KMS details', reason);\n\n return Promise.reject(reason);\n });\n\n kmsDetails.set(this, details);\n }\n\n return details;\n },\n\n /\n @private\n * @returns {Promise<Object>}\n /\n _getKMSStaticPubKey() {\n this.logger.info('kms: retrieving KMS static public key');\n\n return this._getKMSDetails().then(({rsaPublicKey}) => rsaPublicKey);\n },\n\n /\n @private\n * @returns {Promise<Object>}\n /\n _prepareContext() {\n this.logger.info('kms: creating context');\n const context = new Context();\n\n return Promise.all([\n this._getKMSStaticPubKey().then(validateKMS(this.config.caroots)),\n this._getAuthorization(),\n ])\n .then(([kmsStaticPubKey, authorization]) => {\n context.clientInfo = {\n clientId: this.webex.internal.device.url,\n credential: {\n userId: this.webex.internal.device.userId,\n bearer: authorization,\n },\n };\n\n context.serverInfo = {\n key: kmsStaticPubKey,\n };\n\n this.logger.info('kms: creating local ephemeral key');\n\n return context.createECDHKey();\n })\n .then((localECDHKey) => {\n context.ephemeralKey = localECDHKey;\n partialContexts.set(this, context);\n\n return Promise.all([localECDHKey.asKey(), this._getKMSCluster()]);\n })\n .then(([localECDHKey, cluster]) => {\n this.logger.info('kms: submitting ephemeral key request');\n\n return this.request({\n uri: `${cluster}/ecdhe`,\n method: 'create',\n jwk: localECDHKey.toJSON(),\n });\n })\n .then((res) => {\n this.logger.info('kms: deriving final ephemeral key');\n\n return context.deriveEphemeralKey(res.key);\n })\n .then((key) => {\n context.ephemeralKey = key;\n partialContexts.delete(this);\n this.logger.info('kms: derived final ephemeral key');\n\n return context;\n })\n .catch((reason) => {\n this.logger.error('kms: failed to negotiate ephemeral key', reason);\n\n return Promise.reject(reason);\n });\n },\n\n /\n KMS 'retrieve' requests can be made on behalf of another user. This is useful\n * for scenarios such as eDiscovery. i.e. Where an authorized compliance officer is\n * entitled to retrieve content generated by any organisational user.\n * As the KMSContext is cached, updating it will affect separate requests. Hence when\n * making a request onBehalfOf another user create a new context for just this request.\n * However this context will be 'light' as it only needs to change one field.\n * @param {Object} originalContext - The base context to 'copy'\n * @param {String} onBehalfOf - The user specified in the new context\n * @returns {Context} A 'copy' of the existing context with a new user specified\n * @private\n */\n _contextOnBehalfOf(originalContext, onBehalfOf) {\n const context = new Context();\n\n context.clientInfo = context.clientInfo = {\n clientId: originalContext.clientInfo.clientId,\n credential: {\n userId: onBehalfOf,\n onBehalfOf, // Supports running onBehalfOf self. i.e. A CO which calls onBehalfOf with CO.id.\n bearer: originalContext.clientInfo.credential.bearer,\n },\n };\n context.serverInfo = originalContext.serverInfo;\n context.ephemeralKey = originalContext.ephemeralKey;\n\n return context;\n },\n});\n\nexport default KMS;\n"],"mappings":";;;;;;;;;;;;;;;;;;AAIA,IAAAA,YAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,KAAA,GAAAF,sBAAA,CAAAC,OAAA;AAEA,IAAAE,aAAA,GAAAF,OAAA;AACA,IAAAG,OAAA,GAAAH,OAAA;AACA,IAAAI,UAAA,GAAAJ,OAAA;AACA,IAAAK,QAAA,GAAAL,OAAA;AACA,IAAAM,SAAA,GAAAP,sBAAA,CAAAC,OAAA;AACA,IAAAO,OAAA,GAAAP,OAAA;AACA,IAAAQ,KAAA,GAAAT,sBAAA,CAAAC,OAAA;AAEA,IAAAS,WAAA,GAAAC,uBAAA,CAAAV,OAAA;AACA,IAAAW,yBAAA,GAAAD,uBAAA,CAAAV,OAAA;AAAmE,IAAAY,IAAA,EAAAC,IAAA;AAhBnE;AACA;AACA;AAFA,SAAAC,yBAAAC,CAAA,6BAAAC,SAAA,mBAAAC,CAAA,OAAAD,SAAA,IAAAE,CAAA,OAAAF,SAAA,YAAAF,wBAAA,YAAAA,yBAAAC,CAAA,WAAAA,CAAA,GAAAG,CAAA,GAAAD,CAAA,KAAAF,CAAA;AAAA,SAAAL,wBAAAK,CAAA,EAAAE,CAAA,SAAAA,CAAA,IAAAF,CAAA,IAAAA,CAAA,CAAAI,UAAA,SAAAJ,CAAA,eAAAA,CAAA,gBAAAK,OAAA,CAAAL,CAAA,0BAAAA,CAAA,WAAAM,OAAA,EAAAN,CAAA,QAAAG,CAAA,GAAAJ,wBAAA,CAAAG,CAAA,OAAAC,CAAA,IAAAA,CAAA,CAAAI,GAAA,CAAAP,CAAA,UAAAG,CAAA,CAAAK,GAAA,CAAAR,CAAA,OAAAS,CAAA,KAAAC,SAAA,UAAAC,CAAA,GAAAC,sBAAA,IAAAC,iCAAA,WAAAC,CAAA,IAAAd,CAAA,oBAAAc,CAAA,IAAAC,MAAA,CAAAC,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAlB,CAAA,EAAAc,CAAA,SAAAK,CAAA,GAAAR,CAAA,GAAAE,iCAAA,CAAAb,CAAA,EAAAc,CAAA,UAAAK,CAAA,KAAAA,CAAA,CAAAX,GAAA,IAAAW,CAAA,CAAAC,GAAA,IAAAR,sBAAA,CAAAH,CAAA,EAAAK,CAAA,EAAAK,CAAA,IAAAV,CAAA,CAAAK,CAAA,IAAAd,CAAA,CAAAc,CAAA,YAAAL,CAAA,CAAAH,OAAA,GAAAN,CAAA,EAAAG,CAAA,IAAAA,CAAA,CAAAiB,GAAA,CAAApB,CAAA,EAAAS,CAAA,GAAAA,CAAA;AAkBA,IAAMY,QAAQ,GAAG,IAAAC,QAAA,CAAAhB,OAAA,CAAY,CAAC;AAC9B,IAAMiB,UAAU,GAAG,IAAAD,QAAA,CAAAhB,OAAA,CAAY,CAAC;AAChC,IAAMkB,eAAe,GAAG,IAAAF,QAAA,CAAAhB,OAAA,CAAY,CAAC;AAErC,IAAMmB,YAAY,GAAGxC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC;;AAE5C;AACA;AACA;AACA,IAAMyC,GAAG,GAAGC,sBAAW,CAACC,MAAM,EAAA/B,IAAA,GAuY3B,IAAAgC,iBAAS,EAAC;EACTC,UAAU,EAAE,SAAAA,WAAAC,IAAA;IAAA,IAAEC,GAAG,GAAAD,IAAA,CAAHC,GAAG;MAAEC,UAAU,GAAAF,IAAA,CAAVE,UAAU;IAAA,UAAAC,MAAA,CAASF,GAAG,OAAAE,MAAA,CAAID,UAAU;EAAA;AACzD,CAAC,CAAC,GAAAnC,IAAA,GAzY2B;EAC7BqC,SAAS,EAAE,YAAY;EAEvBC,QAAQ,EAAE;IACRC,OAAO,EAAEC;EACX,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,OAAO,WAAAA,QAAAC,KAAA,EAA6B;IAAA,IAAAC,KAAA;IAAA,IAA3BC,GAAG,GAAAF,KAAA,CAAHE,GAAG;MAAEC,MAAM,GAAAH,KAAA,CAANG,MAAM;MAAEC,GAAG,GAAAJ,KAAA,CAAHI,GAAG;MAAEC,MAAM,GAAAL,KAAA,CAANK,MAAM;IAC/BF,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACV,GAAG;IAC1Ba,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACZ,GAAG;IAE1B,IAAI,CAACc,MAAM,CAACC,IAAI,CAAC,8BAA8B,CAAC;;IAEhD;IACA,IAAI,CAACJ,MAAM,EAAE;MACX,OAAOK,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;;IAEA;IACA,IAAI,CAACL,MAAM,EAAE;MACX,OAAOG,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;IAEA,OAAO,IAAI,CAACC,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBC,WAAW,EAAEV,MAAM;MACnBX,GAAG,EAAEa;IACP,CAAC,CAAC,CAACS,IAAI,CAAC,UAACC,GAAG,EAAK;MACfd,KAAI,CAACK,MAAM,CAACC,IAAI,CAAC,4BAA4B,CAAC;MAE9C,OAAOQ,GAAG,CAACX,GAAG;IAChB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEY,cAAc,WAAAA,eAAAC,KAAA,EAAgC;IAAA,IAAAC,MAAA;IAAA,IAA9BC,OAAO,GAAAF,KAAA,CAAPE,OAAO;MAAEC,OAAO,GAAAH,KAAA,CAAPG,OAAO;MAAEhB,GAAG,GAAAa,KAAA,CAAHb,GAAG;MAAEiB,IAAI,GAAAJ,KAAA,CAAJI,IAAI;IACzCD,OAAO,GAAGA,OAAO,IAAI,EAAE;IACvB;IACA,IAAIC,IAAI,EAAE;MACRD,OAAO,GAAGC,IAAI,CAACC,MAAM,CAAC,UAACC,IAAI,EAAEC,CAAC,EAAK;QACjCD,IAAI,CAACE,IAAI,CAACD,CAAC,CAAChC,GAAG,CAAC;QAEhB,OAAO+B,IAAI;MACb,CAAC,EAAEH,OAAO,CAAC;IACb;;IAEA;IACA,IAAIhB,GAAG,EAAE;MACPgB,OAAO,CAACK,IAAI,CAACrB,GAAG,CAACZ,GAAG,CAAC;IACvB;;IAEA;IACA,IAAI4B,OAAO,CAACM,MAAM,KAAK,CAAC,EAAE;MACxB,OAAOlB,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5F;IAEA,IAAI,CAACJ,MAAM,CAACC,IAAI,CAAC,wBAAwB,CAAC;IAE1C,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE,YAAY;MACjB2B,OAAO,EAAPA,OAAO;MACPC,OAAO,EAAPA;IACF,CAAC,CAAC,CAACN,IAAI,CAAC,UAACC,GAAG,EAAK;MACfG,MAAI,CAACZ,MAAM,CAACC,IAAI,CAAC,uBAAuB,CAAC;MAEzC,OAAOQ,GAAG,CAACY,QAAQ;IACrB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,gBAAgB,WAAAA,iBAAAC,KAAA,EAAkC;IAAA,IAAAC,MAAA;IAAA,IAAhCX,OAAO,GAAAU,KAAA,CAAPV,OAAO;MAAEY,OAAO,GAAAF,KAAA,CAAPE,OAAO;MAAE7B,GAAG,GAAA2B,KAAA,CAAH3B,GAAG;MAAEC,MAAM,GAAA0B,KAAA,CAAN1B,MAAM;IAC7CgB,OAAO,GAAGA,OAAO,IAAI,EAAE;IACvBhB,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACV,GAAG;IAE1B,IAAIuC,OAAO,EAAE;MACXZ,OAAO,GAAGA,OAAO,CAACzB,MAAM,CAACqC,OAAO,CAAC;IACnC;;IAEA;IACA,IAAIZ,OAAO,CAACO,MAAM,KAAK,CAAC,EAAE;MACxB,OAAOlB,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzF;;IAEA;IACA,IAAI,CAACP,MAAM,EAAE;MACX,OAAOK,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;IAEA,IAAI,CAACJ,MAAM,CAACC,IAAI,CAAC,2CAA2C,CAAC;IAE7D,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE,iBAAiB;MACtBqB,WAAW,EAAEV,MAAM;MACnBgB,OAAO,EAAPA;IACF,CAAC,CAAC,CAACL,IAAI,CAAC,UAACC,GAAG,EAAK;MACfe,MAAI,CAACxB,MAAM,CAACC,IAAI,CAAC,0BAA0B,CAAC;MAE5C,OAAOQ,GAAG,CAACiB,cAAc;IAC3B,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,kBAAkB,WAAAA,mBAAAC,KAAA,EAAgB;IAAA,IAAAC,MAAA;IAAA,IAAdjC,GAAG,GAAAgC,KAAA,CAAHhC,GAAG;MAAEC,MAAM,GAAA+B,KAAA,CAAN/B,MAAM;IAC7BA,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACV,GAAG;IAC1B;IACA,IAAI,CAACW,MAAM,EAAE;MACX,OAAOK,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;IAEA,OAAO,IAAI,CAACC,OAAO,CAAC;MAClBC,MAAM,EAAE,UAAU;MAClBpB,GAAG,KAAAE,MAAA,CAAKS,MAAM;IAChB,CAAC,CAAC,CAACW,IAAI,CAAC,UAACC,GAAG,EAAK;MACfoB,MAAI,CAAC7B,MAAM,CAACC,IAAI,CAAC,mCAAmC,CAAC;MAErD,OAAOQ,GAAG,CAACiB,cAAc;IAC3B,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEI,mBAAmB,WAAAA,oBAAAC,KAAA,EAAgC;IAAA,IAAAC,MAAA;IAAA,IAA9BC,MAAM,GAAAF,KAAA,CAANE,MAAM;MAAEC,MAAM,GAAAH,KAAA,CAANG,MAAM;MAAEtC,GAAG,GAAAmC,KAAA,CAAHnC,GAAG;MAAEC,MAAM,GAAAkC,KAAA,CAANlC,MAAM;IAC9CoC,MAAM,GAAGA,MAAM,IAAIC,MAAM;IACzBrC,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACV,GAAG;;IAE1B;IACA,IAAI,CAAC+C,MAAM,EAAE;MACX,OAAO/B,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChF;;IAEA;IACA,IAAI,CAACP,MAAM,EAAE;MACX,OAAOK,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;IAEA,IAAI,CAACJ,MAAM,CAACC,IAAI,CAAC,+CAA+C,CAAC;IAEjE,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,KAAAE,MAAA,CAAKS,MAAM,sBAAAT,MAAA,CAAmB+C,oBAAW,CAACC,SAAS,CAAC;QAACH,MAAM,EAANA;MAAM,CAAC,CAAC;IAClE,CAAC,CAAC,CAACzB,IAAI,CAAC,UAACC,GAAG,EAAK;MACfuB,MAAI,CAAChC,MAAM,CAACC,IAAI,CAAC,4BAA4B,CAAC;MAE9C,OAAOQ,GAAG,CAACiB,cAAc;IAC3B,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACEW,iBAAiB,WAAAA,kBAAAC,KAAA,EAAU;IAAA,IAAAC,MAAA;IAAA,IAARC,KAAK,GAAAF,KAAA,CAALE,KAAK;IACtB,IAAI,CAACxC,MAAM,CAACC,IAAI,iBAAAb,MAAA,CAAiBoD,KAAK,kBAAe,CAAC;;IAEtD;IACA,IAAI,CAACA,KAAK,EAAE;MACV,OAAOtC,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjE;IAEA,OAAO,IAAI,CAACC,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE,OAAO;MACZsD,KAAK,EAALA;IACF,CAAC,CAAC,CAAChC,IAAI,CAAC,UAACC,GAAG,EAAK;MACf8B,MAAI,CAACvC,MAAM,CAACC,IAAI,CAAC,4BAA4B,CAAC;MAE9C,OAAOC,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAAChC,GAAG,CAACM,IAAI,CAAC2B,GAAG,CAACH,MAAI,CAACI,KAAK,CAAC,CAAC;IAC9C,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACE;AACF;AACA;AACA;AACA;AACA;EACEC,cAAc,WAAAA,eAAAC,KAAA,EAAkB;IAAA,IAAAC,MAAA;IAAA,IAAhBC,aAAa,GAAAF,KAAA,CAAbE,aAAa;IAC3B,IAAI,CAAC/C,MAAM,CAACC,IAAI,CAAC,gCAAgC,CAAC;IAElD,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,UAAU;MAClBpB,GAAG,EAAE,YAAY;MACjB6D,aAAa,EAAbA;IACF,CAAC,CAAC,CAACvC,IAAI,CAAC,UAACC,GAAG,EAAK;MACfqC,MAAI,CAAC9C,MAAM,CAACC,IAAI,CAAC,0BAA0B,CAAC;MAE5C,OAAOQ,GAAG,CAACuC,SAAS;IACtB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,uBAAuB,WAAAA,wBAAAC,KAAA,EAA0F;IAAA,IAAAC,MAAA;IAAA,IAAxFJ,aAAa,GAAAG,KAAA,CAAbH,aAAa;MAAEK,iBAAiB,GAAAF,KAAA,CAAjBE,iBAAiB;MAAAC,YAAA,GAAAH,KAAA,CAAEI,MAAM;MAANA,MAAM,GAAAD,YAAA,cAAG,KAAK,GAAAA,YAAA;MAAAE,qBAAA,GAAAL,KAAA,CAAEM,uBAAuB;MAAvBA,uBAAuB,GAAAD,qBAAA,cAAGE,SAAS,GAAAF,qBAAA;IAC5G,IAAI,CAACvD,MAAM,CAACC,IAAI,CAAC,0CAA0C,CAAC;IAE5D,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAEoE,MAAM,GAAG,YAAY,GAAG,MAAM;MACnCP,aAAa,EAAbA,aAAa;MACbK,iBAAiB,EAAjBA,iBAAiB;MACjBM,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC,CAAC;MACpBJ,uBAAuB,EAAEF,MAAM,GAAGE,uBAAuB,GAAGC;IAC9D,CAAC,CAAC,CAACjD,IAAI,CAAC,UAACC,GAAG,EAAK;MACf0C,MAAI,CAACnD,MAAM,CAACC,IAAI,CAAC,2CAA2C,CAAC;MAE7D,OAAOQ,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACEoD,wBAAwB,WAAAA,yBAAAC,MAAA,EAAkC;IAAA,IAAAC,MAAA;IAAA,IAAhChB,aAAa,GAAAe,MAAA,CAAbf,aAAa;MAAAiB,aAAA,GAAAF,MAAA,CAAER,MAAM;MAANA,MAAM,GAAAU,aAAA,cAAG,KAAK,GAAAA,aAAA;IACrD,IAAI,CAAChE,MAAM,CAACC,IAAI,CAAC,4CAA4C,CAAC;IAE9D,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,UAAU;MAClBpB,GAAG,EAAEoE,MAAM,GAAG,YAAY,GAAG,MAAM;MACnCP,aAAa,EAAbA,aAAa;MACbW,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC;IACrB,CAAC,CAAC,CAACpD,IAAI,CAAC,UAACC,GAAG,EAAK;MACfsD,MAAI,CAAC/D,MAAM,CAACC,IAAI,CAAC,6CAA6C,CAAC;MAE/D,OAAOQ,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEwD,4BAA4B,WAAAA,6BAAAC,MAAA,EAAmC;IAAA,IAAAC,OAAA;IAAA,IAAjCC,KAAK,GAAAF,MAAA,CAALE,KAAK;MAAEC,QAAQ,GAAAH,MAAA,CAARG,QAAQ;MAAEtB,aAAa,GAAAmB,MAAA,CAAbnB,aAAa;IAC1D,IAAI,CAAC/C,MAAM,CAACC,IAAI,CAAC,oDAAoD,CAAC;IAEtE,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAEkF,KAAK;MACVC,QAAQ,EAARA,QAAQ;MACRtB,aAAa,EAAbA,aAAa;MACbW,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC;IACrB,CAAC,CAAC,CAACpD,IAAI,CAAC,UAACC,GAAG,EAAK;MACf0D,OAAI,CAACnE,MAAM,CAACC,IAAI,CAAC,2DAA2D,EAAEoE,QAAQ,CAAC;MAEvF,OAAO5D,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACE6D,2BAA2B,WAAAA,4BAAAC,MAAA,EAAkC;IAAA,IAAAC,OAAA;IAAA,IAAhCzB,aAAa,GAAAwB,MAAA,CAAbxB,aAAa;MAAA0B,aAAA,GAAAF,MAAA,CAAEjB,MAAM;MAANA,MAAM,GAAAmB,aAAA,cAAG,KAAK,GAAAA,aAAA;IACxD,IAAI,CAACzE,MAAM,CAACC,IAAI,CAAC,uDAAuD,CAAC;IAEzE,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAEoE,MAAM,GAAG,YAAY,GAAG,MAAM;MACnCP,aAAa,EAAbA,aAAa;MACbW,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC;IACrB,CAAC,CAAC,CAACpD,IAAI,CAAC,UAACC,GAAG,EAAK;MACf+D,OAAI,CAACxE,MAAM,CAACC,IAAI,CAAC,gDAAgD,CAAC;MAElE,OAAOQ,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACEiE,kBAAkB,WAAAA,mBAAAC,MAAA,EAAkB;IAAA,IAAAC,OAAA;IAAA,IAAhB7B,aAAa,GAAA4B,MAAA,CAAb5B,aAAa;IAC/B,IAAI,CAAC/C,MAAM,CAACC,IAAI,CAAC,sCAAsC,CAAC;IAExD,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE,SAAS;MACdmF,QAAQ,EAAE,QAAQ;MAClBtB,aAAa,EAAbA,aAAa;MACbW,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC;IACrB,CAAC,CAAC,CAACpD,IAAI,CAAC,UAACC,GAAG,EAAK;MACfmE,OAAI,CAAC5E,MAAM,CAACC,IAAI,CAAC,4CAA4C,CAAC;MAE9D,OAAOQ,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAgBDoE,QAAQ,WAAAA,SAAAC,MAAA,EAAoB;IAAA,IAAAC,OAAA;IAAA,IAAlB7F,GAAG,GAAA4F,MAAA,CAAH5F,GAAG;MAAEC,UAAU,GAAA2F,MAAA,CAAV3F,UAAU;IACvB;IACA,IAAI,CAACD,GAAG,EAAE;MACR,OAAOgB,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/D;IAEA,IAAI,CAACJ,MAAM,CAACC,IAAI,CAAC,mBAAmB,CAAC;IAErC,OAAO,IAAI,CAACI,OAAO,CACjB;MACEC,MAAM,EAAE,UAAU;MAClBpB,GAAG,EAAHA;IACF,CAAC,EACD;MAACC,UAAU,EAAVA;IAAU,CACb,CAAC,CAACqB,IAAI,CAAC,UAACC,GAAG,EAAK;MACdsE,OAAI,CAAC/E,MAAM,CAACC,IAAI,CAAC,kBAAkB,CAAC;MAEpC,OAAO8E,OAAI,CAACpC,KAAK,CAAClC,GAAG,CAACX,GAAG,CAAC;IAC5B,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;EACEkF,IAAI,WAAAA,KAAA,EAAG;IACL,OAAO,IAAI,CAAC3E,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE;IACP,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;EACEyD,KAAK,WAAAA,MAAC7C,GAAG,EAAE;IACT,OAAOmF,iBAAI,CAACC,GAAG,CAACvC,KAAK,CAAC7C,GAAG,CAACqF,GAAG,CAAC,CAAC3E,IAAI,CAAC,UAAC2E,GAAG,EAAK;MAC3CrF,GAAG,CAACqF,GAAG,GAAGA,GAAG;MAEb,OAAOrF,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACEsF,cAAc,WAAAA,eAACC,OAAO,EAAElG,UAAU,EAAE;IAAA,IAAAmG,OAAA;IAClC,IAAMC,aAAa,GAAGF,OAAO,CAAC/E,MAAM,KAAK,QAAQ,IAAI+E,OAAO,CAACnG,GAAG,CAACsG,QAAQ,CAAC,QAAQ,CAAC;IAEnF,OAAOtF,QAAA,CAAA1C,OAAA,CAAQiI,OAAO,CAACF,aAAa,GAAG7G,eAAe,CAAChB,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAACgI,WAAW,CAAC,CAAC,CAAC,CAAClF,IAAI,CACzF,UAACmF,OAAO,EAAK;MACXL,OAAI,CAACtF,MAAM,CAACC,IAAI,kBAAAb,MAAA,CAAkBmG,aAAa,GAAG,eAAe,GAAG,KAAK,aAAU,CAAC;MACpF,IAAMK,GAAG,GAAG,IAAIC,gBAAO,CAACR,OAAO,CAAC;MAChC,IAAIS,cAAc,GAAGH,OAAO;MAE5B,IAAIxG,UAAU,EAAE;QACd2G,cAAc,GAAGR,OAAI,CAACS,kBAAkB,CAACJ,OAAO,EAAExG,UAAU,CAAC;MAC/D;MAEA,OAAOyG,GAAG,CAACI,IAAI,CAACF,cAAc,EAAE;QAACG,SAAS,EAAEV;MAAa,CAAC,CAAC,CAAC/E,IAAI,CAAC,YAAM;QACrE;QACA,IAAI0F,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;UACzCd,OAAI,CAACtF,MAAM,CAACC,IAAI,CACd,sBAAsB,EACtBoG,aAAI,CAACC,OAAO,CAAC,IAAAC,YAAI,EAACC,IAAI,CAACC,KAAK,CAAC,IAAAC,UAAA,CAAAlJ,OAAA,EAAeoI,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE;YAACe,KAAK,EAAE;UAAI,CAAC,CAC9E,CAAC;QACH;QAEA,OAAOf,GAAG;MACZ,CAAC,CAAC;IACJ,CACF,CAAC;EACH,CAAC;EAED;AACF;AACA;AACA;AACA;EACEgB,sBAAsB,WAAAA,uBAACC,KAAK,EAAE;IAAA,IAAAC,OAAA;IAC5B,IAAI,CAAC9G,MAAM,CAACC,IAAI,CAAC,2BAA2B,CAAC;IAE7C,OAAOC,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAChBoE,KAAK,CAACE,UAAU,CAACC,WAAW,CAACtE,GAAG,CAAC,UAACuE,UAAU,EAAEC,KAAK;MAAA,OACjDJ,OAAI,CAACK,eAAe,CAACF,UAAU,CAAC,CAACzG,IAAI,CAAC,UAAC4G,aAAa,EAAK;QACvDN,OAAI,CAAC9G,MAAM,CAACC,IAAI,kBAAAb,MAAA,CAAkBgI,aAAa,GAAG,OAAO,GAAG,QAAQ,aAAU,CAAC;QAC/E,IAAM3G,GAAG,GAAG,IAAI4G,iBAAQ,CAACJ,UAAU,CAAC;QAEpC,OACE/G,QAAA,CAAA1C,OAAA,CAAQiI,OAAO,CAAC2B,aAAa,GAAG1I,eAAe,CAAChB,GAAG,CAACoJ,OAAI,CAAC,GAAGvI,QAAQ,CAACb,GAAG,CAACoJ,OAAI,CAAC;QAC5E;QAAA,CACCtG,IAAI,CAAC,UAACmF,OAAO;UAAA,OAAKlF,GAAG,CAAC6G,MAAM,CAAC3B,OAAO,CAAC;QAAA;QACtC;QAAA,CACCnF,IAAI,CAAC,YAAM;UACV,IAAI0F,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;YACzCU,OAAI,CAAC9G,MAAM,CAACC,IAAI,CACd,uBAAuB,EACvBoG,aAAI,CAACC,OAAO,CAAC,IAAAC,YAAI,EAACC,IAAI,CAACC,KAAK,CAAC,IAAAC,UAAA,CAAAlJ,OAAA,EAAeiD,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE;cAACkG,KAAK,EAAE;YAAI,CAAC,CAC9E,CAAC;UACH;QACF,CAAC;QACD;QAAA,CACCnG,IAAI,CAAC,YAAM;UACVqG,KAAK,CAACE,UAAU,CAACC,WAAW,CAACE,KAAK,CAAC,GAAGzG,GAAG;QAC3C,CAAC;QACD;QAAA,CACCD,IAAI,CAAC;UAAA,OAAMC,GAAG;QAAA,EAAC;MAEtB,CAAC,CAAC;IAAA,CACJ,CACF,CAAC,CACED,IAAI,CAAC;MAAA,OAAMsG,OAAI,CAACvH,OAAO,CAACqH,sBAAsB,CAACC,KAAK,CAAC;IAAA,EAAC,CACtDU,KAAK,CAAC,UAACC,MAAM,EAAK;MACjBV,OAAI,CAAC9G,MAAM,CAACyH,KAAK,CAAC,qBAAqB,EAAED,MAAM,CAACE,KAAK,CAAC;MAEtD,OAAOxH,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAACqH,MAAM,CAAC;IAC/B,CAAC,CAAC,CACDhH,IAAI,CAAC;MAAA,OAAMqG,KAAK;IAAA,EAAC;EACtB,CAAC;EAED;AACF;AACA;AACA;AACA;EACEc,iBAAiB,WAAAA,kBAACV,UAAU,EAAE;IAC5B,IAAMxG,GAAG,GAAG,IAAI4G,iBAAQ,CAACJ,UAAU,CAAC;IAEpC,OAAO1I,QAAQ,CACZb,GAAG,CAAC,IAAI,CAAC,CACT8C,IAAI,CAAC,UAACmF,OAAO;MAAA,OAAKlF,GAAG,CAAC6G,MAAM,CAAC3B,OAAO,CAAC;IAAA,EAAC,CACtCnF,IAAI,CAAC;MAAA,OAAMC,GAAG,CAACmH,IAAI;IAAA,EAAC;EACzB,CAAC;EAED;AACF;AACA;AACA;AACA;EACET,eAAe,WAAAA,gBAACF,UAAU,EAAE;IAC1B,OAAO,IAAI,CAACY,mBAAmB,CAAC,CAAC,CAACrH,IAAI,CAAC,UAACsH,eAAe,EAAK;MAC1D,IAAMC,MAAM,GAAGd,UAAU,CAACe,KAAK,CAAC,GAAG,CAAC;MAEpC,IAAID,MAAM,CAAC3G,MAAM,KAAK,CAAC,EAAE;QACvB,OAAO,KAAK;MACd;MAEA,IAAM6G,MAAM,GAAGzB,IAAI,CAACC,KAAK,CAACxB,iBAAI,CAACoB,IAAI,CAAC6B,SAAS,CAACC,MAAM,CAACJ,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;MAEhE,OAAOE,MAAM,CAACG,GAAG,KAAKN,eAAe,CAACM,GAAG;IAC3C,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;EACE/H,OAAO,WAAAA,QAACgF,OAAO,EAA8B;IAAA,IAAAgD,OAAA;IAAA,IAAAC,MAAA,GAAAC,SAAA,CAAAnH,MAAA,QAAAmH,SAAA,QAAA9E,SAAA,GAAA8E,SAAA,MAAJ,CAAC,CAAC;MAAzBC,OAAO,GAAAF,MAAA,CAAPE,OAAO;MAAErJ,UAAU,GAAAmJ,MAAA,CAAVnJ,UAAU;IACnCqJ,OAAO,GAAGA,OAAO,IAAI,IAAI,CAACC,MAAM,CAACC,iBAAiB;;IAElD;IACA;IACA,OACE,IAAI,CAACC,KAAK,CAACC,QAAQ,CAACC,OAAO,CACxBC,OAAO,CAAC,CAAC,CACTtI,IAAI,CAAC;MAAA,OAAM6H,OAAI,CAACjD,cAAc,CAACC,OAAO,EAAElG,UAAU,CAAC;IAAA,EAAC,CACpDqB,IAAI,CAAC,UAACoF,GAAG,EAAK;MACbA,GAAG,CAACmD,0BAAc,CAAC,GAAGP,OAAO;MAE7B,OAAOH,OAAI,CAAC9I,OAAO,CAACc,OAAO,CAACuF,GAAG,CAAC;IAClC,CAAC;IACD;IACA;IAAA,CACC2B,KAAK,CAAC,UAACC,MAAM,EAAK;MACjB,IACEtB,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,MAAM,KAC9BoB,MAAM,CAACwB,MAAM,KAAK,GAAG,IAAIxB,MAAM,CAACyB,UAAU,KAAK,GAAG,CAAC,IACpDzB,MAAM,CAAC0B,OAAO,CAACC,KAAK,CAClB,sEACF,CAAC,EACD;QACAd,OAAI,CAACrI,MAAM,CAACoJ,IAAI,CAAC,wDAAwD,CAAC;QAE1E,OAAOf,OAAI,CAAChI,OAAO,CAACgF,OAAO,EAAE;UAAClG,UAAU,EAAVA;QAAU,CAAC,CAAC;MAC5C;;MAEA;MACA,IAAIqI,MAAM,YAAY6B,kCAAQ,EAAE;QAC9BhB,OAAI,CAACM,KAAK,CAACW,OAAO,CAAC,4BAA4B,CAAC;QAEhD,OAAOpJ,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAACqH,MAAM,CAAC;MAC/B;;MAEA;MACA;MACA;MACA,IAAI,CAACA,MAAM,CAACyB,UAAU,IAAI,CAACzB,MAAM,CAACwB,MAAM,EAAE;QACxC;QACA,IAAI9C,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;UACzC;UACAiC,OAAI,CAACrI,MAAM,CAACC,IAAI,CAAC,oBAAoB,EAAEuH,MAAM,CAACE,KAAK,IAAIF,MAAM,CAAC;QAChE;QAEA7I,YAAY,YAAAS,MAAA,CAAYoJ,OAAO,CAAE,CAAC;QAClCA,OAAO,IAAI,CAAC;QAEZ,IAAIA,OAAO,IAAIH,OAAI,CAACI,MAAM,CAACc,cAAc,EAAE;UACzClB,OAAI,CAACrI,MAAM,CAACC,IAAI,CAAC,2CAA2C,CAAC;UAE7D,OAAOC,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAACqH,MAAM,CAAC;QAC/B;;QAEA;QACA;QACA,IAAMgC,WAAW,GAAGhB,OAAO,GAAG,CAAC;QAE/B,IAAIA,OAAO,IAAIH,OAAI,CAACI,MAAM,CAACgB,aAAa,IAAID,WAAW,GAAGnB,OAAI,CAACI,MAAM,CAACc,cAAc,EAAE;UACpFlB,OAAI,CAACrI,MAAM,CAACC,IAAI,CACd,qEACF,CAAC;;UAED;UACA,IAAIiG,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;YACzCiC,OAAI,CAACrI,MAAM,CAACC,IAAI,CAAC,yBAAyB,EAAEuI,OAAO,EAAEH,OAAI,CAACI,MAAM,CAACgB,aAAa,CAAC;UACjF;UAEAlL,QAAQ,CAACmL,MAAM,CAACrB,OAAI,CAAC;UACrBG,OAAO,GAAG,CAAC;QACb;QAEA,OAAOH,OAAI,CAAChI,OAAO,CAACgF,OAAO,EAAE;UAACmD,OAAO,EAAPA,OAAO;UAAErJ,UAAU,EAAVA;QAAU,CAAC,CAAC;MACrD;MAEA,OAAOe,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAACqH,MAAM,CAAC;IAC/B,CAAC,CAAC;EAER,CAAC;EAED;AACF;AACA;AACA;EACEmC,iBAAiB,WAAAA,kBAAA,EAAG;IAClB,OAAO,IAAI,CAAChB,KAAK,CAACiB,WAAW,CAACC,YAAY,CAAC,WAAW,CAAC,CAACrJ,IAAI,CAAC,UAACsJ,KAAK;MAAA,OAAKA,KAAK,CAACC,YAAY;IAAA,EAAC;EAC7F,CAAC;EAGD;AACF;AACA;AACA;AACA;EACErE,WAAW,WAAAA,YAAA,EAAG;IAAA,IAAAsE,OAAA;IACZ,IAAIC,OAAO,GAAG1L,QAAQ,CAACb,GAAG,CAAC,IAAI,CAAC;IAEhC,IAAI,CAACuM,OAAO,EAAE;MACZA,OAAO,GAAG,IAAI,CAACC,eAAe,CAAC,CAAC;MAChC3L,QAAQ,CAACD,GAAG,CAAC,IAAI,EAAE2L,OAAO,CAAC;MAC3BA,OAAO,CAACzJ,IAAI,CAAC,UAACmF,OAAO,EAAK;QACxB,IAAMwE,SAAS,GAAGxE,OAAO,CAACyE,YAAY,CAACC,cAAc,GAAG,IAAAC,IAAA,CAAA9M,OAAA,EAAS,CAAC,GAAG,KAAK;QAE1E,IAAA+M,4BAAc,EAAC;UAAA,OAAMhM,QAAQ,CAACmL,MAAM,CAACM,OAAI,CAAC;QAAA,GAAEG,SAAS,CAAC;MACxD,CAAC,CAAC;IACJ;IAEA,OAAOjK,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAAC,CAACwH,OAAO,EAAE,IAAI,CAACN,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAACnJ,IAAI,CAAC,UAAAgK,MAAA,EAA8B;MAAA,IAAAC,MAAA,OAAAC,eAAA,CAAAlN,OAAA,EAAAgN,MAAA;QAA5B7E,OAAO,GAAA8E,MAAA;QAAEE,aAAa,GAAAF,MAAA;MACnF9E,OAAO,CAACiF,UAAU,CAACC,UAAU,CAACC,MAAM,GAAGH,aAAa;MAEpD,OAAOhF,OAAO;IAChB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;EACEoF,cAAc,WAAAA,eAAA,EAAG;IACf,IAAI,CAAC/K,MAAM,CAACC,IAAI,CAAC,6BAA6B,CAAC;IAE/C,OAAO,IAAI,CAAC+K,cAAc,CAAC,CAAC,CAACxK,IAAI,CAAC,UAAAyK,MAAA;MAAA,IAAEC,UAAU,GAAAD,MAAA,CAAVC,UAAU;MAAA,OAAMA,UAAU;IAAA,EAAC;EACjE,CAAC;EAED;AACF;AACA;AACA;EACEF,cAAc,WAAAA,eAAA,EAAG;IAAA,IAAAG,OAAA;IACf,IAAIC,OAAO,GAAG3M,UAAU,CAACf,GAAG,CAAC,IAAI,CAAC;IAElC,IAAI,CAAC0N,OAAO,EAAE;MACZ,IAAI,CAACpL,MAAM,CAACC,IAAI,CAAC,2BAA2B,CAAC;MAC7CmL,OAAO,GAAG,IAAI,CAACzC,KAAK,CACjBtI,OAAO,CAAC;QACPgL,OAAO,EAAE,YAAY;QACrBhK,QAAQ,UAAAjC,MAAA,CAAU,IAAI,CAACuJ,KAAK,CAACC,QAAQ,CAAC0C,MAAM,CAACpJ,MAAM;MACrD,CAAC,CAAC,CACD1B,IAAI,CAAC,UAACC,GAAG,EAAK;QACb0K,OAAI,CAACnL,MAAM,CAACC,IAAI,CAAC,0BAA0B,CAAC;QAC5C,IAAO2H,IAAI,GAAInH,GAAG,CAAXmH,IAAI;QAEXA,IAAI,CAAC2D,YAAY,GAAG/E,IAAI,CAACC,KAAK,CAACmB,IAAI,CAAC2D,YAAY,CAAC;QAEjD,OAAO3D,IAAI;MACb,CAAC,CAAC,CACDL,KAAK,CAAC,UAACC,MAAM,EAAK;QACjB2D,OAAI,CAACnL,MAAM,CAACyH,KAAK,CAAC,kCAAkC,EAAED,MAAM,CAAC;QAE7D,OAAOtH,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAACqH,MAAM,CAAC;MAC/B,CAAC,CAAC;MAEJ/I,UAAU,CAACH,GAAG,CAAC,IAAI,EAAE8M,OAAO,CAAC;IAC/B;IAEA,OAAOA,OAAO;EAChB,CAAC;EAED;AACF;AACA;AACA;EACEvD,mBAAmB,WAAAA,oBAAA,EAAG;IACpB,IAAI,CAAC7H,MAAM,CAACC,IAAI,CAAC,uCAAuC,CAAC;IAEzD,OAAO,IAAI,CAAC+K,cAAc,CAAC,CAAC,CAACxK,IAAI,CAAC,UAAAgL,MAAA;MAAA,IAAED,YAAY,GAAAC,MAAA,CAAZD,YAAY;MAAA,OAAMA,YAAY;IAAA,EAAC;EACrE,CAAC;EAED;AACF;AACA;AACA;EACErB,eAAe,WAAAA,gBAAA,EAAG;IAAA,IAAAuB,OAAA;IAChB,IAAI,CAACzL,MAAM,CAACC,IAAI,CAAC,uBAAuB,CAAC;IACzC,IAAM0F,OAAO,GAAG,IAAI+F,gBAAO,CAAC,CAAC;IAE7B,OAAOxL,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAAC,CACjB,IAAI,CAACoF,mBAAmB,CAAC,CAAC,CAACrH,IAAI,CAAC,IAAAmL,iCAAW,EAAC,IAAI,CAAClD,MAAM,CAACmD,OAAO,CAAC,CAAC,EACjE,IAAI,CAACjC,iBAAiB,CAAC,CAAC,CACzB,CAAC,CACCnJ,IAAI,CAAC,UAAAqL,MAAA,EAAsC;MAAA,IAAAC,MAAA,OAAApB,eAAA,CAAAlN,OAAA,EAAAqO,MAAA;QAApC/D,eAAe,GAAAgE,MAAA;QAAEnB,aAAa,GAAAmB,MAAA;MACpCnG,OAAO,CAACiF,UAAU,GAAG;QACnBmB,QAAQ,EAAEN,OAAI,CAAC9C,KAAK,CAACC,QAAQ,CAAC0C,MAAM,CAACU,GAAG;QACxCnB,UAAU,EAAE;UACV3I,MAAM,EAAEuJ,OAAI,CAAC9C,KAAK,CAACC,QAAQ,CAAC0C,MAAM,CAACpJ,MAAM;UACzC4I,MAAM,EAAEH;QACV;MACF,CAAC;MAEDhF,OAAO,CAACsG,UAAU,GAAG;QACnBnM,GAAG,EAAEgI;MACP,CAAC;MAED2D,OAAI,CAACzL,MAAM,CAACC,IAAI,CAAC,mCAAmC,CAAC;MAErD,OAAO0F,OAAO,CAACuG,aAAa,CAAC,CAAC;IAChC,CAAC,CAAC,CACD1L,IAAI,CAAC,UAAC2L,YAAY,EAAK;MACtBxG,OAAO,CAACyE,YAAY,GAAG+B,YAAY;MACnCzN,eAAe,CAACJ,GAAG,CAACmN,OAAI,EAAE9F,OAAO,CAAC;MAElC,OAAOzF,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAAC,CAAC0J,YAAY,CAACxJ,KAAK,CAAC,CAAC,EAAE8I,OAAI,CAACV,cAAc,CAAC,CAAC,CAAC,CAAC;IACnE,CAAC,CAAC,CACDvK,IAAI,CAAC,UAAA4L,MAAA,EAA6B;MAAA,IAAAC,MAAA,OAAA3B,eAAA,CAAAlN,OAAA,EAAA4O,MAAA;QAA3BD,YAAY,GAAAE,MAAA;QAAEC,OAAO,GAAAD,MAAA;MAC3BZ,OAAI,CAACzL,MAAM,CAACC,IAAI,CAAC,uCAAuC,CAAC;MAEzD,OAAOwL,OAAI,CAACpL,OAAO,CAAC;QAClBnB,GAAG,KAAAE,MAAA,CAAKkN,OAAO,WAAQ;QACvBhM,MAAM,EAAE,QAAQ;QAChB6E,GAAG,EAAEgH,YAAY,CAACI,MAAM,CAAC;MAC3B,CAAC,CAAC;IACJ,CAAC,CAAC,CACD/L,IAAI,CAAC,UAACC,GAAG,EAAK;MACbgL,OAAI,CAACzL,MAAM,CAACC,IAAI,CAAC,mCAAmC,CAAC;MAErD,OAAO0F,OAAO,CAAC6G,kBAAkB,CAAC/L,GAAG,CAACX,GAAG,CAAC;IAC5C,CAAC,CAAC,CACDU,IAAI,CAAC,UAACV,GAAG,EAAK;MACb6F,OAAO,CAACyE,YAAY,GAAGtK,GAAG;MAC1BpB,eAAe,CAACgL,MAAM,CAAC+B,OAAI,CAAC;MAC5BA,OAAI,CAACzL,MAAM,CAACC,IAAI,CAAC,kCAAkC,CAAC;MAEpD,OAAO0F,OAAO;IAChB,CAAC,CAAC,CACD4B,KAAK,CAAC,UAACC,MAAM,EAAK;MACjBiE,OAAI,CAACzL,MAAM,CAACyH,KAAK,CAAC,wCAAwC,EAAED,MAAM,CAAC;MAEnE,OAAOtH,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAACqH,MAAM,CAAC;IAC/B,CAAC,CAAC;EACN,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEzB,kBAAkB,WAAAA,mBAAC0G,eAAe,EAAEtN,UAAU,EAAE;IAC9C,IAAMwG,OAAO,GAAG,IAAI+F,gBAAO,CAAC,CAAC;IAE7B/F,OAAO,CAACiF,UAAU,GAAGjF,OAAO,CAACiF,UAAU,GAAG;MACxCmB,QAAQ,EAAEU,eAAe,CAAC7B,UAAU,CAACmB,QAAQ;MAC7ClB,UAAU,EAAE;QACV3I,MAAM,EAAE/C,UAAU;QAClBA,UAAU,EAAVA,UAAU;QAAE;QACZ2L,MAAM,EAAE2B,eAAe,CAAC7B,UAAU,CAACC,UAAU,CAACC;MAChD;IACF,CAAC;IACDnF,OAAO,CAACsG,UAAU,GAAGQ,eAAe,CAACR,UAAU;IAC/CtG,OAAO,CAACyE,YAAY,GAAGqC,eAAe,CAACrC,YAAY;IAEnD,OAAOzE,OAAO;EAChB,CAAC;EAAA+G,OAAA;AACH,CAAC,OAAAC,0BAAA,CAAAnP,OAAA,EAAAR,IAAA,eAAAD,IAAA,OAAA6P,yBAAA,CAAApP,OAAA,EAAAR,IAAA,eAAAA,IAAA,OAAA2P,0BAAA,CAAAnP,OAAA,EAAAR,IAAA,kBA3KE+B,iBAAS,OAAA6N,yBAAA,CAAApP,OAAA,EAAAR,IAAA,kBAAAA,IAAA,IAAAA,IAAA,EA2KX,CAAC;AAAC,IAAA6P,QAAA,GAAAC,OAAA,CAAAtP,OAAA,GAEYoB,GAAG"}
1	+ {"version":3,"names":["_querystring","_interopRequireDefault","require","_util","_commonTimers","_common","_webexCore","_nodeKms","_nodeJose","_lodash","_uuid","_kmsBatcher","_interopRequireWildcard","_kmsCertificateValidation","_constants","_dec","_obj","_getRequireWildcardCache","e","_WeakMap2","r","t","__esModule","_typeof","default","has","get","n","__proto__","a","_Object$defineProperty","_Object$getOwnPropertyDescriptor2","u","Object","prototype","hasOwnProperty","call","i","set","contexts","_weakMap","kmsDetails","partialContexts","consoleDebug","KMS","WebexPlugin","extend","oneFlight","keyFactory","_ref","uri","onBehalfOf","concat","namespace","children","batcher","KMSBatcher","bindKey","_ref2","_this","kro","kroUri","key","keyUri","logger","info","_promise","reject","Error","request","method","resourceUri","then","res","createResource","_ref3","_this2","userIds","keyUris","keys","reduce","uris","k","push","length","resource","addAuthorization","_ref4","_this3","authIds","authorizations","listAuthorizations","_ref5","_this4","removeAuthorization","_ref6","_this5","authId","userId","querystring","stringify","createUnboundKeys","_ref7","_this6","count","all","map","asKey","fetchPublicKey","_ref8","_this7","assignedOrgId","publicKey","uploadCustomerMasterKey","_ref9","_this8","customerMasterKey","_ref9$awsKms","awsKms","_ref9$customerMasterK","customerMasterKeyBackup","undefined","_ref9$customerMasterK2","customerMasterKeyRole","requestId","uuid","v4","listAllCustomerMasterKey","_ref10","_this9","_ref10$awsKms","changeCustomerMasterKeyState","_ref11","_this10","keyId","keyState","deleteAllCustomerMasterKeys","_ref12","_this11","_ref12$awsKms","useGlobalMasterKey","_ref13","_this12","fetchKey","_ref14","_this13","errorCode","KMS_KEY_REDIRECT_ERROR_CODE","redirectUri","redirectRes","ping","jose","JWK","jwk","prepareRequest","payload","_this14","isECDHRequest","includes","resolve","_getContext","context","req","Request","requestContext","_contextOnBehalfOf","wrap","serverKey","process","env","NODE_ENV","util","inspect","omit","JSON","parse","_stringify","depth","processKmsMessageEvent","event","_this15","encryption","kmsMessages","kmsMessage","index","_isECDHEMessage","isECDHMessage","Response","unwrap","catch","reason","error","stack","decryptKmsMessage","body","_getKMSStaticPubKey","kmsStaticPubKey","fields","split","header","base64url","decode","kid","_this16","_ref15","arguments","timeout","config","kmsInitialTimeout","webex","internal","mercury","connect","TIMEOUT_SYMBOL","status","statusCode","message","match","warn","KMSError","trigger","ecdhMaxTimeout","nextTimeout","kmsMaxTimeout","delete","_getAuthorization","credentials","getUserToken","token","access_token","_this17","promise","_prepareContext","expiresIn","ephemeralKey","expirationDate","_now","safeSetTimeout","_ref16","_ref17","_slicedToArray2","authorization","clientInfo","credential","bearer","_getKMSCluster","_getKMSDetails","_ref18","kmsCluster","_this18","details","service","device","rsaPublicKey","_ref19","_this19","Context","validateKMS","caroots","_ref20","_ref21","clientId","url","serverInfo","createECDHKey","localECDHKey","_ref22","_ref23","cluster","toJSON","deriveEphemeralKey","originalContext","version","_applyDecoratedDescriptor2","_getOwnPropertyDescriptor","_default","exports"],"sources":["kms.js"],"sourcesContent":["/!\n Copyright (c) 2015-2024 Cisco Systems, Inc. See LICENSE file.\n /\n\nimport querystring from 'querystring';\nimport util from 'util';\n\nimport {safeSetTimeout} from '@webex/common-timers';\nimport {oneFlight} from '@webex/common';\nimport {WebexPlugin} from '@webex/webex-core';\nimport {Context, Request, Response} from 'node-kms';\nimport jose from 'node-jose';\nimport {omit} from 'lodash';\nimport uuid from 'uuid';\n\nimport KMSBatcher, {TIMEOUT_SYMBOL} from './kms-batcher';\nimport validateKMS, {KMSError} from './kms-certificate-validation';\nimport {KMS_KEY_REDIRECT_ERROR_CODE} from './constants';\n\nconst contexts = new WeakMap();\nconst kmsDetails = new WeakMap();\nconst partialContexts = new WeakMap();\n\nconst consoleDebug = require('debug')('kms');\n\n/\n @class\n /\nconst KMS = WebexPlugin.extend({\n namespace: 'Encryption',\n\n children: {\n batcher: KMSBatcher,\n },\n\n /\n Binds a key to a resource\n * @param {Object} options\n * @param {KMSResourceObject} options.kro\n * @param {string} options.kroUri\n * @param {Key} options.key\n * @param {string} options.keyUri\n * @returns {Promise<Key>}\n /\n bindKey({kro, kroUri, key, keyUri}) {\n kroUri = kroUri \|\| kro.uri;\n keyUri = keyUri \|\| key.uri;\n\n this.logger.info('kms: binding key to resource');\n\n / istanbul ignore if /\n if (!kroUri) {\n return Promise.reject(new Error('`kro` or `kroUri` is required'));\n }\n\n / istanbul ignore if /\n if (!keyUri) {\n return Promise.reject(new Error('`key` or `keyUri` is required'));\n }\n\n return this.request({\n method: 'update',\n resourceUri: kroUri,\n uri: keyUri,\n }).then((res) => {\n this.logger.info('kms: bound key to resource');\n\n return res.key;\n });\n },\n\n /\n Creates a new KMS Resource\n * @param {Object} options\n * @param {Array<string>} options.userIds\n * @param {Array<string>} options.keyUris\n * @param {Key} options.key\n * @param {Array<Keys>} options.keys\n * @returns {Promise<KMSResourceObject>}\n /\n createResource({userIds, keyUris, key, keys}) {\n keyUris = keyUris \|\| [];\n / istanbul ignore if /\n if (keys) {\n keyUris = keys.reduce((uris, k) => {\n uris.push(k.uri);\n\n return uris;\n }, keyUris);\n }\n\n / istanbul ignore else /\n if (key) {\n keyUris.push(key.uri);\n }\n\n / istanbul ignore if /\n if (keyUris.length === 0) {\n return Promise.reject(new Error('Cannot create KMS Resource without at least one keyUri'));\n }\n\n this.logger.info('kms: creating resource');\n\n return this.request({\n method: 'create',\n uri: '/resources',\n userIds,\n keyUris,\n }).then((res) => {\n this.logger.info('kms: created resource');\n\n return res.resource;\n });\n },\n\n /\n Authorizes a user or KRO to a KRO\n * @param {Object} options\n * @param {Array<string>} options.userIds\n * @param {Array<string>} options.authIds interchangable with userIds\n * @param {KMSResourceObject} options.kro the target kro\n * @param {string} options.kroUri\n * @returns {Promise<KMSAuthorizationObject>}\n /\n addAuthorization({userIds, authIds, kro, kroUri}) {\n userIds = userIds \|\| [];\n kroUri = kroUri \|\| kro.uri;\n\n if (authIds) {\n userIds = userIds.concat(authIds);\n }\n\n / istanbul ignore if /\n if (userIds.length === 0) {\n return Promise.reject(new Error('Cannot add authorization without userIds or authIds'));\n }\n\n / istanbul ignore if /\n if (!kroUri) {\n return Promise.reject(new Error('`kro` or `kroUri` is required'));\n }\n\n this.logger.info('kms: adding authorization to kms resource');\n\n return this.request({\n method: 'create',\n uri: '/authorizations',\n resourceUri: kroUri,\n userIds,\n }).then((res) => {\n this.logger.info('kms: added authorization');\n\n return res.authorizations;\n });\n },\n\n /\n Retrieve a list of users that have been authorized to the KRO\n * @param {Object} options\n * @param {KMSResourceObject} options.kro the target kro\n * @param {string} options.kroUri\n * @returns {Array<authId>}\n /\n listAuthorizations({kro, kroUri}) {\n kroUri = kroUri \|\| kro.uri;\n / istanbul ignore if /\n if (!kroUri) {\n return Promise.reject(new Error('`kro` or `kroUri` is required'));\n }\n\n return this.request({\n method: 'retrieve',\n uri: `${kroUri}/authorizations`,\n }).then((res) => {\n this.logger.info('kms: retrieved authorization list');\n\n return res.authorizations;\n });\n },\n\n /\n Deauthorizes a user or KRO from a KRO\n * @param {Object} options\n * @param {string} options.userId\n * @param {string} options.authId interchangable with userIds\n * @param {KMSResourceObject} options.kro the target kro\n * @param {string} options.kroUri\n * @returns {Promise<KMSAuthorizationObject>}\n /\n removeAuthorization({authId, userId, kro, kroUri}) {\n authId = authId \|\| userId;\n kroUri = kroUri \|\| kro.uri;\n\n / istanbul ignore if /\n if (!authId) {\n return Promise.reject(new Error('Cannot remove authorization without authId'));\n }\n\n / istanbul ignore if /\n if (!kroUri) {\n return Promise.reject(new Error('`kro` or `kroUri` is required'));\n }\n\n this.logger.info('kms: removing authorization from kms resource');\n\n return this.request({\n method: 'delete',\n uri: `${kroUri}/authorizations?${querystring.stringify({authId})}`,\n }).then((res) => {\n this.logger.info('kms: removed authorization');\n\n return res.authorizations;\n });\n },\n\n /\n Requests `count` unbound keys from the kms\n * @param {Object} options\n * @param {Number} options.count\n * @returns {Array<Key>}\n /\n createUnboundKeys({count}) {\n this.logger.info(`kms: request ${count} unbound keys`);\n\n / istanbul ignore if /\n if (!count) {\n return Promise.reject(new Error('`options.count` is required'));\n }\n\n return this.request({\n method: 'create',\n uri: '/keys',\n count,\n }).then((res) => {\n this.logger.info('kms: received unbound keys');\n\n return Promise.all(res.keys.map(this.asKey));\n });\n },\n\n /\n @typedef {Object} FetchPublicKeyResponse\n * @property {number} status 200,400(Bad Request: Request payload missing info),404(Not Found: HSM Public Key not found),501(Not Implemented: This KMS does not support BYOK),502(Bad Gateway: KMS could not communicate with HSM)\n * @property {UUID} requestId this is should be unique, used for debug.\n * @property {string} publicKey\n /\n /\n get public key from kms\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @returns {Promise.<FetchPublicKeyResponse>} response of get public key api\n /\n fetchPublicKey({assignedOrgId}) {\n this.logger.info('kms: fetch public key for byok');\n\n return this.request({\n method: 'retrieve',\n uri: '/publicKey',\n assignedOrgId,\n }).then((res) => {\n this.logger.info('kms: received public key');\n\n return res.publicKey;\n });\n },\n\n /\n @typedef {Object} UploadCmkResponse\n * @property {number} status\n * @property {UUID} requestId\n * @property {string} uri\n * @property {string} keysState\n /\n /\n upload master key for one org.\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @param {string} options.customerMasterKey the master key\n * @param {string} options.customerMasterKeyBackup the master key backup\n * @param {string} options.customerMasterKeyRole the optional role associated with customerMasterKey\n * @param {boolean} options.awsKms enable amazon aws keys\n * @returns {Promise.<UploadCmkResponse>} response of upload CMK api\n /\n uploadCustomerMasterKey({\n assignedOrgId,\n customerMasterKey,\n awsKms = false,\n customerMasterKeyBackup = undefined,\n customerMasterKeyRole = undefined,\n }) {\n this.logger.info('kms: upload customer master key for byok');\n\n return this.request({\n method: 'create',\n uri: awsKms ? '/awsKmsCmk' : '/cmk',\n assignedOrgId,\n customerMasterKey,\n requestId: uuid.v4(),\n customerMasterKeyBackup: awsKms ? customerMasterKeyBackup : undefined,\n customerMasterKeyRole: awsKms ? customerMasterKeyRole : undefined,\n }).then((res) => {\n this.logger.info('kms: finish to upload customer master key');\n\n return res;\n });\n },\n\n /\n get all customer master keys for one org.\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @param {boolean} options.awsKms enable amazon aws keys\n * @returns {Promise.<ActivateCmkResponse>} response of list CMKs api\n /\n listAllCustomerMasterKey({assignedOrgId, awsKms = false}) {\n this.logger.info('kms: get all customer master keys for byok');\n\n return this.request({\n method: 'retrieve',\n uri: awsKms ? '/awsKmsCmk' : '/cmk',\n assignedOrgId,\n requestId: uuid.v4(),\n }).then((res) => {\n this.logger.info('kms: finish to get all customer master keys');\n\n return res;\n });\n },\n\n /\n @typedef {Object} ActivateCmkResponse\n * @property {number} status\n * @property {UUID} requestId\n * @property {Array<CMK>} customerMasterKeys\n /\n /\n \n * @typedef {Object} CMK\n * @property {string} usageState\n * @property {UUID} assignedOrgId\n * @property {string} uri\n * @property {string} source\n * @property {Date \| undefined} stateUpdatedOn\n * @property {Date \| undefined} rotation\n /\n /\n change one customer master key state for one org.\n * delete pending key, then the keyState should be 'removedclean';\n * active pending key, then the keyState should be 'active';\n \n @param {Object} options\n * @param {string} options.keyId the id of one customer master key, it should be a url\n * @param {string} options.keyState one of the following: PENDING, RECOVERING,ACTIVE,REVOKED,DEACTIVATED,REENCRYPTING,RETIRED,DELETED,DISABLED,REMOVEDCLEAN,REMOVEDDIRTY;\n * @param {UUID} options.assignedOrgId the orgId\n * @returns {Promise.<ActivateCmkResponse>} response of list CMKs api\n /\n changeCustomerMasterKeyState({keyId, keyState, assignedOrgId}) {\n this.logger.info('kms: change one customer master key state for byok');\n\n return this.request({\n method: 'update',\n uri: keyId,\n keyState,\n assignedOrgId,\n requestId: uuid.v4(),\n }).then((res) => {\n this.logger.info('kms: finish to change the customer master key state to {}', keyState);\n\n return res;\n });\n },\n\n /\n this is for test case. it will delete all CMKs, no matter what their status is. This is mainly for test purpose\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @param {boolean} options.awsKms enable amazon aws keys\n * @returns {Promise.<{status, requestId}>}\n /\n deleteAllCustomerMasterKeys({assignedOrgId, awsKms = false}) {\n this.logger.info('kms: delete all customer master keys at the same time');\n\n return this.request({\n method: 'delete',\n uri: awsKms ? '/awsKmsCmk' : '/cmk',\n assignedOrgId,\n requestId: uuid.v4(),\n }).then((res) => {\n this.logger.info('kms: finish to delete all customer master keys');\n\n return res;\n });\n },\n\n /\n return to use global master key for one org.\n * @param {Object} options\n * @param {UUID} options.assignedOrgId the orgId\n * @returns {Promise.<ActivateCmkResponse>} response of activate CMK api\n /\n useGlobalMasterKey({assignedOrgId}) {\n this.logger.info('kms: return to use global master key');\n\n return this.request({\n method: 'update',\n uri: 'default',\n keyState: 'ACTIVE',\n assignedOrgId,\n requestId: uuid.v4(),\n }).then((res) => {\n this.logger.info('kms: finish to return to global master key');\n\n return res;\n });\n },\n\n /\n Fetches the specified key from the kms\n * @param {Object} options\n * @param {string} options.uri\n * @param {string} options.onBehalfOf The id of a user, upon whose behalf, the key is to be retrieved or undefined if retrieval is for the active user\n * @returns {Promise<Key>}\n /\n // Ideally, this would be done via the kms batcher, but other than request id,\n // there isn't any other userful key in a kms response to match it to a\n // request. as such, we need the batcher to group requests, but one flight to\n // make sure we don't make the same request multiple times.\n @oneFlight({\n keyFactory: ({uri, onBehalfOf}) => `${uri}/${onBehalfOf}`,\n })\n fetchKey({uri, onBehalfOf}) {\n / istanbul ignore if /\n if (!uri) {\n return Promise.reject(new Error('`options.uri` is required'));\n }\n\n this.logger.info('kms: fetching key');\n\n return this.request(\n {\n method: 'retrieve',\n uri,\n },\n {onBehalfOf}\n ).then((res) => {\n // Handle redirect for migrated KRO, Key or Auth\n if (res.errorCode === KMS_KEY_REDIRECT_ERROR_CODE && res.redirectUri) {\n this.logger.info('kms: handling redirect for migrated resource', res.redirectUri);\n\n return this.request(\n {\n method: 'retrieve',\n uri: res.redirectUri,\n },\n {onBehalfOf}\n ).then((redirectRes) => {\n this.logger.info('kms: fetched key from redirect');\n\n return this.asKey(redirectRes.key);\n });\n }\n\n this.logger.info('kms: fetched key');\n\n return this.asKey(res.key);\n });\n },\n\n /\n Pings the kms. Mostly for testing\n * @returns {Promise}\n /\n ping() {\n return this.request({\n method: 'update',\n uri: '/ping',\n });\n },\n\n /\n Ensures a key obect is Key instance\n * @param {Object} key\n * @returns {Promise<Key>}\n /\n asKey(key) {\n return jose.JWK.asKey(key.jwk).then((jwk) => {\n key.jwk = jwk;\n\n return key;\n });\n },\n\n /\n Adds appropriate metadata to the KMS request\n * @param {Object} payload\n * @param {Object} onBehalfOf Optional parameter to prepare the request on behalf of another user\n * @returns {Promise<KMS.Request>}\n /\n prepareRequest(payload, onBehalfOf) {\n const isECDHRequest = payload.method === 'create' && payload.uri.includes('/ecdhe');\n\n return Promise.resolve(isECDHRequest ? partialContexts.get(this) : this._getContext()).then(\n (context) => {\n this.logger.info(`kms: wrapping ${isECDHRequest ? 'ephemeral key' : 'kms'} request`);\n const req = new Request(payload);\n let requestContext = context;\n\n if (onBehalfOf) {\n requestContext = this._contextOnBehalfOf(context, onBehalfOf);\n }\n\n return req.wrap(requestContext, {serverKey: isECDHRequest}).then(() => {\n / istanbul ignore else /\n if (process.env.NODE_ENV !== 'production') {\n this.logger.info(\n 'kms: request payload',\n util.inspect(omit(JSON.parse(JSON.stringify(req)), 'wrapped'), {depth: null})\n );\n }\n\n return req;\n });\n }\n );\n },\n\n /\n Accepts a kms message event, decrypts it, and passes it to the batcher\n * @param {Object} event\n * @returns {Promise<Object>}\n /\n processKmsMessageEvent(event) {\n this.logger.info('kms: received kms message');\n\n return Promise.all(\n event.encryption.kmsMessages.map((kmsMessage, index) =>\n this._isECDHEMessage(kmsMessage).then((isECDHMessage) => {\n this.logger.info(`kms: received ${isECDHMessage ? 'ecdhe' : 'normal'} message`);\n const res = new Response(kmsMessage);\n\n return (\n Promise.resolve(isECDHMessage ? partialContexts.get(this) : contexts.get(this))\n // eslint-disable-next-line max-nested-callbacks\n .then((context) => res.unwrap(context))\n // eslint-disable-next-line max-nested-callbacks\n .then(() => {\n if (process.env.NODE_ENV !== 'production') {\n this.logger.info(\n 'kms: response payload',\n util.inspect(omit(JSON.parse(JSON.stringify(res)), 'wrapped'), {depth: null})\n );\n }\n })\n // eslint-disable-next-line max-nested-callbacks\n .then(() => {\n event.encryption.kmsMessages[index] = res;\n })\n // eslint-disable-next-line max-nested-callbacks\n .then(() => res)\n );\n })\n )\n )\n .then(() => this.batcher.processKmsMessageEvent(event))\n .catch((reason) => {\n this.logger.error('kms: decrypt failed', reason.stack);\n\n return Promise.reject(reason);\n })\n .then(() => event);\n },\n\n /\n Decrypts a kms message\n * @param {Object} kmsMessage\n * @returns {Promise<Object>}\n /\n decryptKmsMessage(kmsMessage) {\n const res = new Response(kmsMessage);\n\n return contexts\n .get(this)\n .then((context) => res.unwrap(context))\n .then(() => res.body);\n },\n\n /\n Determines if the kms message is an ecdhe message or a normal message\n * @param {Object} kmsMessage\n * @returns {Promise<boolean>}\n /\n _isECDHEMessage(kmsMessage) {\n return this._getKMSStaticPubKey().then((kmsStaticPubKey) => {\n const fields = kmsMessage.split('.');\n\n if (fields.length !== 3) {\n return false;\n }\n\n const header = JSON.parse(jose.util.base64url.decode(fields[0]));\n\n return header.kid === kmsStaticPubKey.kid;\n });\n },\n\n /\n Sends a request to the kms\n * @param {Object} payload\n * @param {Object} options\n * @param {Number} options.timeout (internal)\n * @param {string} options.onBehalfOf Run the request on behalf of another user (UUID), used in compliance scenarios\n * @returns {Promise<Object>}\n /\n request(payload, {timeout, onBehalfOf} = {}) {\n timeout = timeout \|\| this.config.kmsInitialTimeout;\n\n // Note: this should only happen when we're using the async kms batcher;\n // once we implement the sync batcher, this'll need to be smarter.\n return (\n this.webex.internal.mercury\n .connect()\n .then(() => this.prepareRequest(payload, onBehalfOf))\n .then((req) => {\n req[TIMEOUT_SYMBOL] = timeout;\n\n return this.batcher.request(req);\n })\n // High complexity is due to attempt at test mode resiliency\n // eslint-disable-next-line complexity\n .catch((reason) => {\n if (\n process.env.NODE_ENV === 'test' &&\n (reason.status === 403 \|\| reason.statusCode === 403) &&\n reason.message.match(\n /Failed to resolve authorization token in KmsMessage request for user/\n )\n ) {\n this.logger.warn('kms: rerequested key due to test-mode kms auth failure');\n\n return this.request(payload, {onBehalfOf});\n }\n\n // KMS Error. Notify the user\n if (reason instanceof KMSError) {\n this.webex.trigger('client:InvalidRequestError');\n\n return Promise.reject(reason);\n }\n\n // Ideally, most or all of the code below would go in kms-batcher, but\n // but batching needs at least one more round of refactoring for that to\n // work.\n if (!reason.statusCode && !reason.status) {\n / istanbul ignore else /\n if (process.env.NODE_ENV !== 'production') {\n / istanbul ignore next: reason.stack vs stack difficult to control in test /\n this.logger.info('kms: request error', reason.stack \|\| reason);\n }\n\n consoleDebug(`timeout ${timeout}`);\n timeout = 2;\n\n if (timeout >= this.config.ecdhMaxTimeout) {\n this.logger.info('kms: exceeded maximum KMS request retries');\n\n return Promise.reject(reason);\n }\n\n // Peek ahead to make sure we don't reset the timeout if the next timeout\n // will exceed the maximum timeout for renegotiating ECDH keys.\n const nextTimeout = timeout * 2;\n\n if (timeout >= this.config.kmsMaxTimeout && nextTimeout < this.config.ecdhMaxTimeout) {\n this.logger.info(\n 'kms: exceeded maximum KMS request retries; negotiating new ecdh key'\n );\n\n /* istanbul ignore else /\n if (process.env.NODE_ENV !== 'production') {\n this.logger.info('kms: timeout/maxtimeout', timeout, this.config.kmsMaxTimeout);\n }\n\n contexts.delete(this);\n timeout = 0;\n }\n\n return this.request(payload, {timeout, onBehalfOf});\n }\n\n return Promise.reject(reason);\n })\n );\n },\n\n /\n @private\n * @returns {Promise<string>}\n /\n _getAuthorization() {\n return this.webex.credentials.getUserToken('spark:kms').then((token) => token.access_token);\n },\n\n @oneFlight\n /\n @private\n * @param {String} onBehalfOf create context on behalf of another user, undefined when this is not necessary\n * @returns {Promise<Object>}\n /\n _getContext() {\n let promise = contexts.get(this);\n\n if (!promise) {\n promise = this._prepareContext();\n contexts.set(this, promise);\n promise.then((context) => {\n const expiresIn = context.ephemeralKey.expirationDate - Date.now() - 30000;\n\n safeSetTimeout(() => contexts.delete(this), expiresIn);\n });\n }\n\n return Promise.all([promise, this._getAuthorization()]).then(([context, authorization]) => {\n context.clientInfo.credential.bearer = authorization;\n\n return context;\n });\n },\n\n /\n @private\n * @returns {Promise<Object>}\n /\n _getKMSCluster() {\n this.logger.info('kms: retrieving KMS cluster');\n\n return this._getKMSDetails().then(({kmsCluster}) => kmsCluster);\n },\n\n /\n @private\n * @returns {Promise<Object>}\n /\n _getKMSDetails() {\n let details = kmsDetails.get(this);\n\n if (!details) {\n this.logger.info('kms: fetching KMS details');\n details = this.webex\n .request({\n service: 'encryption',\n resource: `/kms/${this.webex.internal.device.userId}`,\n })\n .then((res) => {\n this.logger.info('kms: fetched KMS details');\n const {body} = res;\n\n body.rsaPublicKey = JSON.parse(body.rsaPublicKey);\n\n return body;\n })\n .catch((reason) => {\n this.logger.error('kms: failed to fetch KMS details', reason);\n\n return Promise.reject(reason);\n });\n\n kmsDetails.set(this, details);\n }\n\n return details;\n },\n\n /\n @private\n * @returns {Promise<Object>}\n /\n _getKMSStaticPubKey() {\n this.logger.info('kms: retrieving KMS static public key');\n\n return this._getKMSDetails().then(({rsaPublicKey}) => rsaPublicKey);\n },\n\n /\n @private\n * @returns {Promise<Object>}\n /\n _prepareContext() {\n this.logger.info('kms: creating context');\n const context = new Context();\n\n return Promise.all([\n this._getKMSStaticPubKey().then(validateKMS(this.config.caroots)),\n this._getAuthorization(),\n ])\n .then(([kmsStaticPubKey, authorization]) => {\n context.clientInfo = {\n clientId: this.webex.internal.device.url,\n credential: {\n userId: this.webex.internal.device.userId,\n bearer: authorization,\n },\n };\n\n context.serverInfo = {\n key: kmsStaticPubKey,\n };\n\n this.logger.info('kms: creating local ephemeral key');\n\n return context.createECDHKey();\n })\n .then((localECDHKey) => {\n context.ephemeralKey = localECDHKey;\n partialContexts.set(this, context);\n\n return Promise.all([localECDHKey.asKey(), this._getKMSCluster()]);\n })\n .then(([localECDHKey, cluster]) => {\n this.logger.info('kms: submitting ephemeral key request');\n\n return this.request({\n uri: `${cluster}/ecdhe`,\n method: 'create',\n jwk: localECDHKey.toJSON(),\n });\n })\n .then((res) => {\n this.logger.info('kms: deriving final ephemeral key');\n\n return context.deriveEphemeralKey(res.key);\n })\n .then((key) => {\n context.ephemeralKey = key;\n partialContexts.delete(this);\n this.logger.info('kms: derived final ephemeral key');\n\n return context;\n })\n .catch((reason) => {\n this.logger.error('kms: failed to negotiate ephemeral key', reason);\n\n return Promise.reject(reason);\n });\n },\n\n /\n KMS 'retrieve' requests can be made on behalf of another user. This is useful\n * for scenarios such as eDiscovery. i.e. Where an authorized compliance officer is\n * entitled to retrieve content generated by any organisational user.\n * As the KMSContext is cached, updating it will affect separate requests. Hence when\n * making a request onBehalfOf another user create a new context for just this request.\n * However this context will be 'light' as it only needs to change one field.\n * @param {Object} originalContext - The base context to 'copy'\n * @param {String} onBehalfOf - The user specified in the new context\n * @returns {Context} A 'copy' of the existing context with a new user specified\n * @private\n */\n _contextOnBehalfOf(originalContext, onBehalfOf) {\n const context = new Context();\n\n context.clientInfo = context.clientInfo = {\n clientId: originalContext.clientInfo.clientId,\n credential: {\n userId: onBehalfOf,\n onBehalfOf, // Supports running onBehalfOf self. i.e. A CO which calls onBehalfOf with CO.id.\n bearer: originalContext.clientInfo.credential.bearer,\n },\n };\n context.serverInfo = originalContext.serverInfo;\n context.ephemeralKey = originalContext.ephemeralKey;\n\n return context;\n },\n});\n\nexport default KMS;\n"],"mappings":";;;;;;;;;;;;;;;;;;AAIA,IAAAA,YAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,KAAA,GAAAF,sBAAA,CAAAC,OAAA;AAEA,IAAAE,aAAA,GAAAF,OAAA;AACA,IAAAG,OAAA,GAAAH,OAAA;AACA,IAAAI,UAAA,GAAAJ,OAAA;AACA,IAAAK,QAAA,GAAAL,OAAA;AACA,IAAAM,SAAA,GAAAP,sBAAA,CAAAC,OAAA;AACA,IAAAO,OAAA,GAAAP,OAAA;AACA,IAAAQ,KAAA,GAAAT,sBAAA,CAAAC,OAAA;AAEA,IAAAS,WAAA,GAAAC,uBAAA,CAAAV,OAAA;AACA,IAAAW,yBAAA,GAAAD,uBAAA,CAAAV,OAAA;AACA,IAAAY,UAAA,GAAAZ,OAAA;AAAwD,IAAAa,IAAA,EAAAC,IAAA;AAjBxD;AACA;AACA;AAFA,SAAAC,yBAAAC,CAAA,6BAAAC,SAAA,mBAAAC,CAAA,OAAAD,SAAA,IAAAE,CAAA,OAAAF,SAAA,YAAAF,wBAAA,YAAAA,yBAAAC,CAAA,WAAAA,CAAA,GAAAG,CAAA,GAAAD,CAAA,KAAAF,CAAA;AAAA,SAAAN,wBAAAM,CAAA,EAAAE,CAAA,SAAAA,CAAA,IAAAF,CAAA,IAAAA,CAAA,CAAAI,UAAA,SAAAJ,CAAA,eAAAA,CAAA,gBAAAK,OAAA,CAAAL,CAAA,0BAAAA,CAAA,WAAAM,OAAA,EAAAN,CAAA,QAAAG,CAAA,GAAAJ,wBAAA,CAAAG,CAAA,OAAAC,CAAA,IAAAA,CAAA,CAAAI,GAAA,CAAAP,CAAA,UAAAG,CAAA,CAAAK,GAAA,CAAAR,CAAA,OAAAS,CAAA,KAAAC,SAAA,UAAAC,CAAA,GAAAC,sBAAA,IAAAC,iCAAA,WAAAC,CAAA,IAAAd,CAAA,oBAAAc,CAAA,IAAAC,MAAA,CAAAC,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAlB,CAAA,EAAAc,CAAA,SAAAK,CAAA,GAAAR,CAAA,GAAAE,iCAAA,CAAAb,CAAA,EAAAc,CAAA,UAAAK,CAAA,KAAAA,CAAA,CAAAX,GAAA,IAAAW,CAAA,CAAAC,GAAA,IAAAR,sBAAA,CAAAH,CAAA,EAAAK,CAAA,EAAAK,CAAA,IAAAV,CAAA,CAAAK,CAAA,IAAAd,CAAA,CAAAc,CAAA,YAAAL,CAAA,CAAAH,OAAA,GAAAN,CAAA,EAAAG,CAAA,IAAAA,CAAA,CAAAiB,GAAA,CAAApB,CAAA,EAAAS,CAAA,GAAAA,CAAA;AAmBA,IAAMY,QAAQ,GAAG,IAAAC,QAAA,CAAAhB,OAAA,CAAY,CAAC;AAC9B,IAAMiB,UAAU,GAAG,IAAAD,QAAA,CAAAhB,OAAA,CAAY,CAAC;AAChC,IAAMkB,eAAe,GAAG,IAAAF,QAAA,CAAAhB,OAAA,CAAY,CAAC;AAErC,IAAMmB,YAAY,GAAGzC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC;;AAE5C;AACA;AACA;AACA,IAAM0C,GAAG,GAAGC,sBAAW,CAACC,MAAM,EAAA/B,IAAA,GA+Y3B,IAAAgC,iBAAS,EAAC;EACTC,UAAU,EAAE,SAAAA,WAAAC,IAAA;IAAA,IAAEC,GAAG,GAAAD,IAAA,CAAHC,GAAG;MAAEC,UAAU,GAAAF,IAAA,CAAVE,UAAU;IAAA,UAAAC,MAAA,CAASF,GAAG,OAAAE,MAAA,CAAID,UAAU;EAAA;AACzD,CAAC,CAAC,GAAAnC,IAAA,GAjZ2B;EAC7BqC,SAAS,EAAE,YAAY;EAEvBC,QAAQ,EAAE;IACRC,OAAO,EAAEC;EACX,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,OAAO,WAAAA,QAAAC,KAAA,EAA6B;IAAA,IAAAC,KAAA;IAAA,IAA3BC,GAAG,GAAAF,KAAA,CAAHE,GAAG;MAAEC,MAAM,GAAAH,KAAA,CAANG,MAAM;MAAEC,GAAG,GAAAJ,KAAA,CAAHI,GAAG;MAAEC,MAAM,GAAAL,KAAA,CAANK,MAAM;IAC/BF,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACV,GAAG;IAC1Ba,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACZ,GAAG;IAE1B,IAAI,CAACc,MAAM,CAACC,IAAI,CAAC,8BAA8B,CAAC;;IAEhD;IACA,IAAI,CAACJ,MAAM,EAAE;MACX,OAAOK,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;;IAEA;IACA,IAAI,CAACL,MAAM,EAAE;MACX,OAAOG,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;IAEA,OAAO,IAAI,CAACC,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBC,WAAW,EAAEV,MAAM;MACnBX,GAAG,EAAEa;IACP,CAAC,CAAC,CAACS,IAAI,CAAC,UAACC,GAAG,EAAK;MACfd,KAAI,CAACK,MAAM,CAACC,IAAI,CAAC,4BAA4B,CAAC;MAE9C,OAAOQ,GAAG,CAACX,GAAG;IAChB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEY,cAAc,WAAAA,eAAAC,KAAA,EAAgC;IAAA,IAAAC,MAAA;IAAA,IAA9BC,OAAO,GAAAF,KAAA,CAAPE,OAAO;MAAEC,OAAO,GAAAH,KAAA,CAAPG,OAAO;MAAEhB,GAAG,GAAAa,KAAA,CAAHb,GAAG;MAAEiB,IAAI,GAAAJ,KAAA,CAAJI,IAAI;IACzCD,OAAO,GAAGA,OAAO,IAAI,EAAE;IACvB;IACA,IAAIC,IAAI,EAAE;MACRD,OAAO,GAAGC,IAAI,CAACC,MAAM,CAAC,UAACC,IAAI,EAAEC,CAAC,EAAK;QACjCD,IAAI,CAACE,IAAI,CAACD,CAAC,CAAChC,GAAG,CAAC;QAEhB,OAAO+B,IAAI;MACb,CAAC,EAAEH,OAAO,CAAC;IACb;;IAEA;IACA,IAAIhB,GAAG,EAAE;MACPgB,OAAO,CAACK,IAAI,CAACrB,GAAG,CAACZ,GAAG,CAAC;IACvB;;IAEA;IACA,IAAI4B,OAAO,CAACM,MAAM,KAAK,CAAC,EAAE;MACxB,OAAOlB,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5F;IAEA,IAAI,CAACJ,MAAM,CAACC,IAAI,CAAC,wBAAwB,CAAC;IAE1C,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE,YAAY;MACjB2B,OAAO,EAAPA,OAAO;MACPC,OAAO,EAAPA;IACF,CAAC,CAAC,CAACN,IAAI,CAAC,UAACC,GAAG,EAAK;MACfG,MAAI,CAACZ,MAAM,CAACC,IAAI,CAAC,uBAAuB,CAAC;MAEzC,OAAOQ,GAAG,CAACY,QAAQ;IACrB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,gBAAgB,WAAAA,iBAAAC,KAAA,EAAkC;IAAA,IAAAC,MAAA;IAAA,IAAhCX,OAAO,GAAAU,KAAA,CAAPV,OAAO;MAAEY,OAAO,GAAAF,KAAA,CAAPE,OAAO;MAAE7B,GAAG,GAAA2B,KAAA,CAAH3B,GAAG;MAAEC,MAAM,GAAA0B,KAAA,CAAN1B,MAAM;IAC7CgB,OAAO,GAAGA,OAAO,IAAI,EAAE;IACvBhB,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACV,GAAG;IAE1B,IAAIuC,OAAO,EAAE;MACXZ,OAAO,GAAGA,OAAO,CAACzB,MAAM,CAACqC,OAAO,CAAC;IACnC;;IAEA;IACA,IAAIZ,OAAO,CAACO,MAAM,KAAK,CAAC,EAAE;MACxB,OAAOlB,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzF;;IAEA;IACA,IAAI,CAACP,MAAM,EAAE;MACX,OAAOK,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;IAEA,IAAI,CAACJ,MAAM,CAACC,IAAI,CAAC,2CAA2C,CAAC;IAE7D,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE,iBAAiB;MACtBqB,WAAW,EAAEV,MAAM;MACnBgB,OAAO,EAAPA;IACF,CAAC,CAAC,CAACL,IAAI,CAAC,UAACC,GAAG,EAAK;MACfe,MAAI,CAACxB,MAAM,CAACC,IAAI,CAAC,0BAA0B,CAAC;MAE5C,OAAOQ,GAAG,CAACiB,cAAc;IAC3B,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACEC,kBAAkB,WAAAA,mBAAAC,KAAA,EAAgB;IAAA,IAAAC,MAAA;IAAA,IAAdjC,GAAG,GAAAgC,KAAA,CAAHhC,GAAG;MAAEC,MAAM,GAAA+B,KAAA,CAAN/B,MAAM;IAC7BA,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACV,GAAG;IAC1B;IACA,IAAI,CAACW,MAAM,EAAE;MACX,OAAOK,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;IAEA,OAAO,IAAI,CAACC,OAAO,CAAC;MAClBC,MAAM,EAAE,UAAU;MAClBpB,GAAG,KAAAE,MAAA,CAAKS,MAAM;IAChB,CAAC,CAAC,CAACW,IAAI,CAAC,UAACC,GAAG,EAAK;MACfoB,MAAI,CAAC7B,MAAM,CAACC,IAAI,CAAC,mCAAmC,CAAC;MAErD,OAAOQ,GAAG,CAACiB,cAAc;IAC3B,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEI,mBAAmB,WAAAA,oBAAAC,KAAA,EAAgC;IAAA,IAAAC,MAAA;IAAA,IAA9BC,MAAM,GAAAF,KAAA,CAANE,MAAM;MAAEC,MAAM,GAAAH,KAAA,CAANG,MAAM;MAAEtC,GAAG,GAAAmC,KAAA,CAAHnC,GAAG;MAAEC,MAAM,GAAAkC,KAAA,CAANlC,MAAM;IAC9CoC,MAAM,GAAGA,MAAM,IAAIC,MAAM;IACzBrC,MAAM,GAAGA,MAAM,IAAID,GAAG,CAACV,GAAG;;IAE1B;IACA,IAAI,CAAC+C,MAAM,EAAE;MACX,OAAO/B,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChF;;IAEA;IACA,IAAI,CAACP,MAAM,EAAE;MACX,OAAOK,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnE;IAEA,IAAI,CAACJ,MAAM,CAACC,IAAI,CAAC,+CAA+C,CAAC;IAEjE,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,KAAAE,MAAA,CAAKS,MAAM,sBAAAT,MAAA,CAAmB+C,oBAAW,CAACC,SAAS,CAAC;QAACH,MAAM,EAANA;MAAM,CAAC,CAAC;IAClE,CAAC,CAAC,CAACzB,IAAI,CAAC,UAACC,GAAG,EAAK;MACfuB,MAAI,CAAChC,MAAM,CAACC,IAAI,CAAC,4BAA4B,CAAC;MAE9C,OAAOQ,GAAG,CAACiB,cAAc;IAC3B,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACEW,iBAAiB,WAAAA,kBAAAC,KAAA,EAAU;IAAA,IAAAC,MAAA;IAAA,IAARC,KAAK,GAAAF,KAAA,CAALE,KAAK;IACtB,IAAI,CAACxC,MAAM,CAACC,IAAI,iBAAAb,MAAA,CAAiBoD,KAAK,kBAAe,CAAC;;IAEtD;IACA,IAAI,CAACA,KAAK,EAAE;MACV,OAAOtC,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjE;IAEA,OAAO,IAAI,CAACC,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE,OAAO;MACZsD,KAAK,EAALA;IACF,CAAC,CAAC,CAAChC,IAAI,CAAC,UAACC,GAAG,EAAK;MACf8B,MAAI,CAACvC,MAAM,CAACC,IAAI,CAAC,4BAA4B,CAAC;MAE9C,OAAOC,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAAChC,GAAG,CAACM,IAAI,CAAC2B,GAAG,CAACH,MAAI,CAACI,KAAK,CAAC,CAAC;IAC9C,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACE;AACF;AACA;AACA;AACA;AACA;EACEC,cAAc,WAAAA,eAAAC,KAAA,EAAkB;IAAA,IAAAC,MAAA;IAAA,IAAhBC,aAAa,GAAAF,KAAA,CAAbE,aAAa;IAC3B,IAAI,CAAC/C,MAAM,CAACC,IAAI,CAAC,gCAAgC,CAAC;IAElD,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,UAAU;MAClBpB,GAAG,EAAE,YAAY;MACjB6D,aAAa,EAAbA;IACF,CAAC,CAAC,CAACvC,IAAI,CAAC,UAACC,GAAG,EAAK;MACfqC,MAAI,CAAC9C,MAAM,CAACC,IAAI,CAAC,0BAA0B,CAAC;MAE5C,OAAOQ,GAAG,CAACuC,SAAS;IACtB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEC,uBAAuB,WAAAA,wBAAAC,KAAA,EAMpB;IAAA,IAAAC,MAAA;IAAA,IALDJ,aAAa,GAAAG,KAAA,CAAbH,aAAa;MACbK,iBAAiB,GAAAF,KAAA,CAAjBE,iBAAiB;MAAAC,YAAA,GAAAH,KAAA,CACjBI,MAAM;MAANA,MAAM,GAAAD,YAAA,cAAG,KAAK,GAAAA,YAAA;MAAAE,qBAAA,GAAAL,KAAA,CACdM,uBAAuB;MAAvBA,uBAAuB,GAAAD,qBAAA,cAAGE,SAAS,GAAAF,qBAAA;MAAAG,sBAAA,GAAAR,KAAA,CACnCS,qBAAqB;MAArBA,qBAAqB,GAAAD,sBAAA,cAAGD,SAAS,GAAAC,sBAAA;IAEjC,IAAI,CAAC1D,MAAM,CAACC,IAAI,CAAC,0CAA0C,CAAC;IAE5D,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAEoE,MAAM,GAAG,YAAY,GAAG,MAAM;MACnCP,aAAa,EAAbA,aAAa;MACbK,iBAAiB,EAAjBA,iBAAiB;MACjBQ,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC,CAAC;MACpBN,uBAAuB,EAAEF,MAAM,GAAGE,uBAAuB,GAAGC,SAAS;MACrEE,qBAAqB,EAAEL,MAAM,GAAGK,qBAAqB,GAAGF;IAC1D,CAAC,CAAC,CAACjD,IAAI,CAAC,UAACC,GAAG,EAAK;MACf0C,MAAI,CAACnD,MAAM,CAACC,IAAI,CAAC,2CAA2C,CAAC;MAE7D,OAAOQ,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACEsD,wBAAwB,WAAAA,yBAAAC,MAAA,EAAkC;IAAA,IAAAC,MAAA;IAAA,IAAhClB,aAAa,GAAAiB,MAAA,CAAbjB,aAAa;MAAAmB,aAAA,GAAAF,MAAA,CAAEV,MAAM;MAANA,MAAM,GAAAY,aAAA,cAAG,KAAK,GAAAA,aAAA;IACrD,IAAI,CAAClE,MAAM,CAACC,IAAI,CAAC,4CAA4C,CAAC;IAE9D,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,UAAU;MAClBpB,GAAG,EAAEoE,MAAM,GAAG,YAAY,GAAG,MAAM;MACnCP,aAAa,EAAbA,aAAa;MACba,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC;IACrB,CAAC,CAAC,CAACtD,IAAI,CAAC,UAACC,GAAG,EAAK;MACfwD,MAAI,CAACjE,MAAM,CAACC,IAAI,CAAC,6CAA6C,CAAC;MAE/D,OAAOQ,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE0D,4BAA4B,WAAAA,6BAAAC,MAAA,EAAmC;IAAA,IAAAC,OAAA;IAAA,IAAjCC,KAAK,GAAAF,MAAA,CAALE,KAAK;MAAEC,QAAQ,GAAAH,MAAA,CAARG,QAAQ;MAAExB,aAAa,GAAAqB,MAAA,CAAbrB,aAAa;IAC1D,IAAI,CAAC/C,MAAM,CAACC,IAAI,CAAC,oDAAoD,CAAC;IAEtE,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAEoF,KAAK;MACVC,QAAQ,EAARA,QAAQ;MACRxB,aAAa,EAAbA,aAAa;MACba,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC;IACrB,CAAC,CAAC,CAACtD,IAAI,CAAC,UAACC,GAAG,EAAK;MACf4D,OAAI,CAACrE,MAAM,CAACC,IAAI,CAAC,2DAA2D,EAAEsE,QAAQ,CAAC;MAEvF,OAAO9D,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;EACE+D,2BAA2B,WAAAA,4BAAAC,MAAA,EAAkC;IAAA,IAAAC,OAAA;IAAA,IAAhC3B,aAAa,GAAA0B,MAAA,CAAb1B,aAAa;MAAA4B,aAAA,GAAAF,MAAA,CAAEnB,MAAM;MAANA,MAAM,GAAAqB,aAAA,cAAG,KAAK,GAAAA,aAAA;IACxD,IAAI,CAAC3E,MAAM,CAACC,IAAI,CAAC,uDAAuD,CAAC;IAEzE,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAEoE,MAAM,GAAG,YAAY,GAAG,MAAM;MACnCP,aAAa,EAAbA,aAAa;MACba,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC;IACrB,CAAC,CAAC,CAACtD,IAAI,CAAC,UAACC,GAAG,EAAK;MACfiE,OAAI,CAAC1E,MAAM,CAACC,IAAI,CAAC,gDAAgD,CAAC;MAElE,OAAOQ,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACEmE,kBAAkB,WAAAA,mBAAAC,MAAA,EAAkB;IAAA,IAAAC,OAAA;IAAA,IAAhB/B,aAAa,GAAA8B,MAAA,CAAb9B,aAAa;IAC/B,IAAI,CAAC/C,MAAM,CAACC,IAAI,CAAC,sCAAsC,CAAC;IAExD,OAAO,IAAI,CAACI,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE,SAAS;MACdqF,QAAQ,EAAE,QAAQ;MAClBxB,aAAa,EAAbA,aAAa;MACba,SAAS,EAAEC,aAAI,CAACC,EAAE,CAAC;IACrB,CAAC,CAAC,CAACtD,IAAI,CAAC,UAACC,GAAG,EAAK;MACfqE,OAAI,CAAC9E,MAAM,CAACC,IAAI,CAAC,4CAA4C,CAAC;MAE9D,OAAOQ,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAgBDsE,QAAQ,WAAAA,SAAAC,MAAA,EAAoB;IAAA,IAAAC,OAAA;IAAA,IAAlB/F,GAAG,GAAA8F,MAAA,CAAH9F,GAAG;MAAEC,UAAU,GAAA6F,MAAA,CAAV7F,UAAU;IACvB;IACA,IAAI,CAACD,GAAG,EAAE;MACR,OAAOgB,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC,IAAIC,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/D;IAEA,IAAI,CAACJ,MAAM,CAACC,IAAI,CAAC,mBAAmB,CAAC;IAErC,OAAO,IAAI,CAACI,OAAO,CACjB;MACEC,MAAM,EAAE,UAAU;MAClBpB,GAAG,EAAHA;IACF,CAAC,EACD;MAACC,UAAU,EAAVA;IAAU,CACb,CAAC,CAACqB,IAAI,CAAC,UAACC,GAAG,EAAK;MACd;MACA,IAAIA,GAAG,CAACyE,SAAS,KAAKC,sCAA2B,IAAI1E,GAAG,CAAC2E,WAAW,EAAE;QACpEH,OAAI,CAACjF,MAAM,CAACC,IAAI,CAAC,8CAA8C,EAAEQ,GAAG,CAAC2E,WAAW,CAAC;QAEjF,OAAOH,OAAI,CAAC5E,OAAO,CACjB;UACEC,MAAM,EAAE,UAAU;UAClBpB,GAAG,EAAEuB,GAAG,CAAC2E;QACX,CAAC,EACD;UAACjG,UAAU,EAAVA;QAAU,CACb,CAAC,CAACqB,IAAI,CAAC,UAAC6E,WAAW,EAAK;UACtBJ,OAAI,CAACjF,MAAM,CAACC,IAAI,CAAC,gCAAgC,CAAC;UAElD,OAAOgF,OAAI,CAACtC,KAAK,CAAC0C,WAAW,CAACvF,GAAG,CAAC;QACpC,CAAC,CAAC;MACJ;MAEAmF,OAAI,CAACjF,MAAM,CAACC,IAAI,CAAC,kBAAkB,CAAC;MAEpC,OAAOgF,OAAI,CAACtC,KAAK,CAAClC,GAAG,CAACX,GAAG,CAAC;IAC5B,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;EACEwF,IAAI,WAAAA,KAAA,EAAG;IACL,OAAO,IAAI,CAACjF,OAAO,CAAC;MAClBC,MAAM,EAAE,QAAQ;MAChBpB,GAAG,EAAE;IACP,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;EACEyD,KAAK,WAAAA,MAAC7C,GAAG,EAAE;IACT,OAAOyF,iBAAI,CAACC,GAAG,CAAC7C,KAAK,CAAC7C,GAAG,CAAC2F,GAAG,CAAC,CAACjF,IAAI,CAAC,UAACiF,GAAG,EAAK;MAC3C3F,GAAG,CAAC2F,GAAG,GAAGA,GAAG;MAEb,OAAO3F,GAAG;IACZ,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;EACE4F,cAAc,WAAAA,eAACC,OAAO,EAAExG,UAAU,EAAE;IAAA,IAAAyG,OAAA;IAClC,IAAMC,aAAa,GAAGF,OAAO,CAACrF,MAAM,KAAK,QAAQ,IAAIqF,OAAO,CAACzG,GAAG,CAAC4G,QAAQ,CAAC,QAAQ,CAAC;IAEnF,OAAO5F,QAAA,CAAA1C,OAAA,CAAQuI,OAAO,CAACF,aAAa,GAAGnH,eAAe,CAAChB,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,CAACsI,WAAW,CAAC,CAAC,CAAC,CAACxF,IAAI,CACzF,UAACyF,OAAO,EAAK;MACXL,OAAI,CAAC5F,MAAM,CAACC,IAAI,kBAAAb,MAAA,CAAkByG,aAAa,GAAG,eAAe,GAAG,KAAK,aAAU,CAAC;MACpF,IAAMK,GAAG,GAAG,IAAIC,gBAAO,CAACR,OAAO,CAAC;MAChC,IAAIS,cAAc,GAAGH,OAAO;MAE5B,IAAI9G,UAAU,EAAE;QACdiH,cAAc,GAAGR,OAAI,CAACS,kBAAkB,CAACJ,OAAO,EAAE9G,UAAU,CAAC;MAC/D;MAEA,OAAO+G,GAAG,CAACI,IAAI,CAACF,cAAc,EAAE;QAACG,SAAS,EAAEV;MAAa,CAAC,CAAC,CAACrF,IAAI,CAAC,YAAM;QACrE;QACA,IAAIgG,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;UACzCd,OAAI,CAAC5F,MAAM,CAACC,IAAI,CACd,sBAAsB,EACtB0G,aAAI,CAACC,OAAO,CAAC,IAAAC,YAAI,EAACC,IAAI,CAACC,KAAK,CAAC,IAAAC,UAAA,CAAAxJ,OAAA,EAAe0I,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE;YAACe,KAAK,EAAE;UAAI,CAAC,CAC9E,CAAC;QACH;QAEA,OAAOf,GAAG;MACZ,CAAC,CAAC;IACJ,CACF,CAAC;EACH,CAAC;EAED;AACF;AACA;AACA;AACA;EACEgB,sBAAsB,WAAAA,uBAACC,KAAK,EAAE;IAAA,IAAAC,OAAA;IAC5B,IAAI,CAACpH,MAAM,CAACC,IAAI,CAAC,2BAA2B,CAAC;IAE7C,OAAOC,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAChB0E,KAAK,CAACE,UAAU,CAACC,WAAW,CAAC5E,GAAG,CAAC,UAAC6E,UAAU,EAAEC,KAAK;MAAA,OACjDJ,OAAI,CAACK,eAAe,CAACF,UAAU,CAAC,CAAC/G,IAAI,CAAC,UAACkH,aAAa,EAAK;QACvDN,OAAI,CAACpH,MAAM,CAACC,IAAI,kBAAAb,MAAA,CAAkBsI,aAAa,GAAG,OAAO,GAAG,QAAQ,aAAU,CAAC;QAC/E,IAAMjH,GAAG,GAAG,IAAIkH,iBAAQ,CAACJ,UAAU,CAAC;QAEpC,OACErH,QAAA,CAAA1C,OAAA,CAAQuI,OAAO,CAAC2B,aAAa,GAAGhJ,eAAe,CAAChB,GAAG,CAAC0J,OAAI,CAAC,GAAG7I,QAAQ,CAACb,GAAG,CAAC0J,OAAI,CAAC;QAC5E;QAAA,CACC5G,IAAI,CAAC,UAACyF,OAAO;UAAA,OAAKxF,GAAG,CAACmH,MAAM,CAAC3B,OAAO,CAAC;QAAA;QACtC;QAAA,CACCzF,IAAI,CAAC,YAAM;UACV,IAAIgG,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;YACzCU,OAAI,CAACpH,MAAM,CAACC,IAAI,CACd,uBAAuB,EACvB0G,aAAI,CAACC,OAAO,CAAC,IAAAC,YAAI,EAACC,IAAI,CAACC,KAAK,CAAC,IAAAC,UAAA,CAAAxJ,OAAA,EAAeiD,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE;cAACwG,KAAK,EAAE;YAAI,CAAC,CAC9E,CAAC;UACH;QACF,CAAC;QACD;QAAA,CACCzG,IAAI,CAAC,YAAM;UACV2G,KAAK,CAACE,UAAU,CAACC,WAAW,CAACE,KAAK,CAAC,GAAG/G,GAAG;QAC3C,CAAC;QACD;QAAA,CACCD,IAAI,CAAC;UAAA,OAAMC,GAAG;QAAA,EAAC;MAEtB,CAAC,CAAC;IAAA,CACJ,CACF,CAAC,CACED,IAAI,CAAC;MAAA,OAAM4G,OAAI,CAAC7H,OAAO,CAAC2H,sBAAsB,CAACC,KAAK,CAAC;IAAA,EAAC,CACtDU,KAAK,CAAC,UAACC,MAAM,EAAK;MACjBV,OAAI,CAACpH,MAAM,CAAC+H,KAAK,CAAC,qBAAqB,EAAED,MAAM,CAACE,KAAK,CAAC;MAEtD,OAAO9H,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC2H,MAAM,CAAC;IAC/B,CAAC,CAAC,CACDtH,IAAI,CAAC;MAAA,OAAM2G,KAAK;IAAA,EAAC;EACtB,CAAC;EAED;AACF;AACA;AACA;AACA;EACEc,iBAAiB,WAAAA,kBAACV,UAAU,EAAE;IAC5B,IAAM9G,GAAG,GAAG,IAAIkH,iBAAQ,CAACJ,UAAU,CAAC;IAEpC,OAAOhJ,QAAQ,CACZb,GAAG,CAAC,IAAI,CAAC,CACT8C,IAAI,CAAC,UAACyF,OAAO;MAAA,OAAKxF,GAAG,CAACmH,MAAM,CAAC3B,OAAO,CAAC;IAAA,EAAC,CACtCzF,IAAI,CAAC;MAAA,OAAMC,GAAG,CAACyH,IAAI;IAAA,EAAC;EACzB,CAAC;EAED;AACF;AACA;AACA;AACA;EACET,eAAe,WAAAA,gBAACF,UAAU,EAAE;IAC1B,OAAO,IAAI,CAACY,mBAAmB,CAAC,CAAC,CAAC3H,IAAI,CAAC,UAAC4H,eAAe,EAAK;MAC1D,IAAMC,MAAM,GAAGd,UAAU,CAACe,KAAK,CAAC,GAAG,CAAC;MAEpC,IAAID,MAAM,CAACjH,MAAM,KAAK,CAAC,EAAE;QACvB,OAAO,KAAK;MACd;MAEA,IAAMmH,MAAM,GAAGzB,IAAI,CAACC,KAAK,CAACxB,iBAAI,CAACoB,IAAI,CAAC6B,SAAS,CAACC,MAAM,CAACJ,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;MAEhE,OAAOE,MAAM,CAACG,GAAG,KAAKN,eAAe,CAACM,GAAG;IAC3C,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;EACErI,OAAO,WAAAA,QAACsF,OAAO,EAA8B;IAAA,IAAAgD,OAAA;IAAA,IAAAC,MAAA,GAAAC,SAAA,CAAAzH,MAAA,QAAAyH,SAAA,QAAApF,SAAA,GAAAoF,SAAA,MAAJ,CAAC,CAAC;MAAzBC,OAAO,GAAAF,MAAA,CAAPE,OAAO;MAAE3J,UAAU,GAAAyJ,MAAA,CAAVzJ,UAAU;IACnC2J,OAAO,GAAGA,OAAO,IAAI,IAAI,CAACC,MAAM,CAACC,iBAAiB;;IAElD;IACA;IACA,OACE,IAAI,CAACC,KAAK,CAACC,QAAQ,CAACC,OAAO,CACxBC,OAAO,CAAC,CAAC,CACT5I,IAAI,CAAC;MAAA,OAAMmI,OAAI,CAACjD,cAAc,CAACC,OAAO,EAAExG,UAAU,CAAC;IAAA,EAAC,CACpDqB,IAAI,CAAC,UAAC0F,GAAG,EAAK;MACbA,GAAG,CAACmD,0BAAc,CAAC,GAAGP,OAAO;MAE7B,OAAOH,OAAI,CAACpJ,OAAO,CAACc,OAAO,CAAC6F,GAAG,CAAC;IAClC,CAAC;IACD;IACA;IAAA,CACC2B,KAAK,CAAC,UAACC,MAAM,EAAK;MACjB,IACEtB,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,MAAM,KAC9BoB,MAAM,CAACwB,MAAM,KAAK,GAAG,IAAIxB,MAAM,CAACyB,UAAU,KAAK,GAAG,CAAC,IACpDzB,MAAM,CAAC0B,OAAO,CAACC,KAAK,CAClB,sEACF,CAAC,EACD;QACAd,OAAI,CAAC3I,MAAM,CAAC0J,IAAI,CAAC,wDAAwD,CAAC;QAE1E,OAAOf,OAAI,CAACtI,OAAO,CAACsF,OAAO,EAAE;UAACxG,UAAU,EAAVA;QAAU,CAAC,CAAC;MAC5C;;MAEA;MACA,IAAI2I,MAAM,YAAY6B,kCAAQ,EAAE;QAC9BhB,OAAI,CAACM,KAAK,CAACW,OAAO,CAAC,4BAA4B,CAAC;QAEhD,OAAO1J,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC2H,MAAM,CAAC;MAC/B;;MAEA;MACA;MACA;MACA,IAAI,CAACA,MAAM,CAACyB,UAAU,IAAI,CAACzB,MAAM,CAACwB,MAAM,EAAE;QACxC;QACA,IAAI9C,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;UACzC;UACAiC,OAAI,CAAC3I,MAAM,CAACC,IAAI,CAAC,oBAAoB,EAAE6H,MAAM,CAACE,KAAK,IAAIF,MAAM,CAAC;QAChE;QAEAnJ,YAAY,YAAAS,MAAA,CAAY0J,OAAO,CAAE,CAAC;QAClCA,OAAO,IAAI,CAAC;QAEZ,IAAIA,OAAO,IAAIH,OAAI,CAACI,MAAM,CAACc,cAAc,EAAE;UACzClB,OAAI,CAAC3I,MAAM,CAACC,IAAI,CAAC,2CAA2C,CAAC;UAE7D,OAAOC,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC2H,MAAM,CAAC;QAC/B;;QAEA;QACA;QACA,IAAMgC,WAAW,GAAGhB,OAAO,GAAG,CAAC;QAE/B,IAAIA,OAAO,IAAIH,OAAI,CAACI,MAAM,CAACgB,aAAa,IAAID,WAAW,GAAGnB,OAAI,CAACI,MAAM,CAACc,cAAc,EAAE;UACpFlB,OAAI,CAAC3I,MAAM,CAACC,IAAI,CACd,qEACF,CAAC;;UAED;UACA,IAAIuG,OAAO,CAACC,GAAG,CAACC,QAAQ,KAAK,YAAY,EAAE;YACzCiC,OAAI,CAAC3I,MAAM,CAACC,IAAI,CAAC,yBAAyB,EAAE6I,OAAO,EAAEH,OAAI,CAACI,MAAM,CAACgB,aAAa,CAAC;UACjF;UAEAxL,QAAQ,CAACyL,MAAM,CAACrB,OAAI,CAAC;UACrBG,OAAO,GAAG,CAAC;QACb;QAEA,OAAOH,OAAI,CAACtI,OAAO,CAACsF,OAAO,EAAE;UAACmD,OAAO,EAAPA,OAAO;UAAE3J,UAAU,EAAVA;QAAU,CAAC,CAAC;MACrD;MAEA,OAAOe,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC2H,MAAM,CAAC;IAC/B,CAAC,CAAC;EAER,CAAC;EAED;AACF;AACA;AACA;EACEmC,iBAAiB,WAAAA,kBAAA,EAAG;IAClB,OAAO,IAAI,CAAChB,KAAK,CAACiB,WAAW,CAACC,YAAY,CAAC,WAAW,CAAC,CAAC3J,IAAI,CAAC,UAAC4J,KAAK;MAAA,OAAKA,KAAK,CAACC,YAAY;IAAA,EAAC;EAC7F,CAAC;EAGD;AACF;AACA;AACA;AACA;EACErE,WAAW,WAAAA,YAAA,EAAG;IAAA,IAAAsE,OAAA;IACZ,IAAIC,OAAO,GAAGhM,QAAQ,CAACb,GAAG,CAAC,IAAI,CAAC;IAEhC,IAAI,CAAC6M,OAAO,EAAE;MACZA,OAAO,GAAG,IAAI,CAACC,eAAe,CAAC,CAAC;MAChCjM,QAAQ,CAACD,GAAG,CAAC,IAAI,EAAEiM,OAAO,CAAC;MAC3BA,OAAO,CAAC/J,IAAI,CAAC,UAACyF,OAAO,EAAK;QACxB,IAAMwE,SAAS,GAAGxE,OAAO,CAACyE,YAAY,CAACC,cAAc,GAAG,IAAAC,IAAA,CAAApN,OAAA,EAAS,CAAC,GAAG,KAAK;QAE1E,IAAAqN,4BAAc,EAAC;UAAA,OAAMtM,QAAQ,CAACyL,MAAM,CAACM,OAAI,CAAC;QAAA,GAAEG,SAAS,CAAC;MACxD,CAAC,CAAC;IACJ;IAEA,OAAOvK,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAAC,CAAC8H,OAAO,EAAE,IAAI,CAACN,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAACzJ,IAAI,CAAC,UAAAsK,MAAA,EAA8B;MAAA,IAAAC,MAAA,OAAAC,eAAA,CAAAxN,OAAA,EAAAsN,MAAA;QAA5B7E,OAAO,GAAA8E,MAAA;QAAEE,aAAa,GAAAF,MAAA;MACnF9E,OAAO,CAACiF,UAAU,CAACC,UAAU,CAACC,MAAM,GAAGH,aAAa;MAEpD,OAAOhF,OAAO;IAChB,CAAC,CAAC;EACJ,CAAC;EAED;AACF;AACA;AACA;EACEoF,cAAc,WAAAA,eAAA,EAAG;IACf,IAAI,CAACrL,MAAM,CAACC,IAAI,CAAC,6BAA6B,CAAC;IAE/C,OAAO,IAAI,CAACqL,cAAc,CAAC,CAAC,CAAC9K,IAAI,CAAC,UAAA+K,MAAA;MAAA,IAAEC,UAAU,GAAAD,MAAA,CAAVC,UAAU;MAAA,OAAMA,UAAU;IAAA,EAAC;EACjE,CAAC;EAED;AACF;AACA;AACA;EACEF,cAAc,WAAAA,eAAA,EAAG;IAAA,IAAAG,OAAA;IACf,IAAIC,OAAO,GAAGjN,UAAU,CAACf,GAAG,CAAC,IAAI,CAAC;IAElC,IAAI,CAACgO,OAAO,EAAE;MACZ,IAAI,CAAC1L,MAAM,CAACC,IAAI,CAAC,2BAA2B,CAAC;MAC7CyL,OAAO,GAAG,IAAI,CAACzC,KAAK,CACjB5I,OAAO,CAAC;QACPsL,OAAO,EAAE,YAAY;QACrBtK,QAAQ,UAAAjC,MAAA,CAAU,IAAI,CAAC6J,KAAK,CAACC,QAAQ,CAAC0C,MAAM,CAAC1J,MAAM;MACrD,CAAC,CAAC,CACD1B,IAAI,CAAC,UAACC,GAAG,EAAK;QACbgL,OAAI,CAACzL,MAAM,CAACC,IAAI,CAAC,0BAA0B,CAAC;QAC5C,IAAOiI,IAAI,GAAIzH,GAAG,CAAXyH,IAAI;QAEXA,IAAI,CAAC2D,YAAY,GAAG/E,IAAI,CAACC,KAAK,CAACmB,IAAI,CAAC2D,YAAY,CAAC;QAEjD,OAAO3D,IAAI;MACb,CAAC,CAAC,CACDL,KAAK,CAAC,UAACC,MAAM,EAAK;QACjB2D,OAAI,CAACzL,MAAM,CAAC+H,KAAK,CAAC,kCAAkC,EAAED,MAAM,CAAC;QAE7D,OAAO5H,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC2H,MAAM,CAAC;MAC/B,CAAC,CAAC;MAEJrJ,UAAU,CAACH,GAAG,CAAC,IAAI,EAAEoN,OAAO,CAAC;IAC/B;IAEA,OAAOA,OAAO;EAChB,CAAC;EAED;AACF;AACA;AACA;EACEvD,mBAAmB,WAAAA,oBAAA,EAAG;IACpB,IAAI,CAACnI,MAAM,CAACC,IAAI,CAAC,uCAAuC,CAAC;IAEzD,OAAO,IAAI,CAACqL,cAAc,CAAC,CAAC,CAAC9K,IAAI,CAAC,UAAAsL,MAAA;MAAA,IAAED,YAAY,GAAAC,MAAA,CAAZD,YAAY;MAAA,OAAMA,YAAY;IAAA,EAAC;EACrE,CAAC;EAED;AACF;AACA;AACA;EACErB,eAAe,WAAAA,gBAAA,EAAG;IAAA,IAAAuB,OAAA;IAChB,IAAI,CAAC/L,MAAM,CAACC,IAAI,CAAC,uBAAuB,CAAC;IACzC,IAAMgG,OAAO,GAAG,IAAI+F,gBAAO,CAAC,CAAC;IAE7B,OAAO9L,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAAC,CACjB,IAAI,CAAC0F,mBAAmB,CAAC,CAAC,CAAC3H,IAAI,CAAC,IAAAyL,iCAAW,EAAC,IAAI,CAAClD,MAAM,CAACmD,OAAO,CAAC,CAAC,EACjE,IAAI,CAACjC,iBAAiB,CAAC,CAAC,CACzB,CAAC,CACCzJ,IAAI,CAAC,UAAA2L,MAAA,EAAsC;MAAA,IAAAC,MAAA,OAAApB,eAAA,CAAAxN,OAAA,EAAA2O,MAAA;QAApC/D,eAAe,GAAAgE,MAAA;QAAEnB,aAAa,GAAAmB,MAAA;MACpCnG,OAAO,CAACiF,UAAU,GAAG;QACnBmB,QAAQ,EAAEN,OAAI,CAAC9C,KAAK,CAACC,QAAQ,CAAC0C,MAAM,CAACU,GAAG;QACxCnB,UAAU,EAAE;UACVjJ,MAAM,EAAE6J,OAAI,CAAC9C,KAAK,CAACC,QAAQ,CAAC0C,MAAM,CAAC1J,MAAM;UACzCkJ,MAAM,EAAEH;QACV;MACF,CAAC;MAEDhF,OAAO,CAACsG,UAAU,GAAG;QACnBzM,GAAG,EAAEsI;MACP,CAAC;MAED2D,OAAI,CAAC/L,MAAM,CAACC,IAAI,CAAC,mCAAmC,CAAC;MAErD,OAAOgG,OAAO,CAACuG,aAAa,CAAC,CAAC;IAChC,CAAC,CAAC,CACDhM,IAAI,CAAC,UAACiM,YAAY,EAAK;MACtBxG,OAAO,CAACyE,YAAY,GAAG+B,YAAY;MACnC/N,eAAe,CAACJ,GAAG,CAACyN,OAAI,EAAE9F,OAAO,CAAC;MAElC,OAAO/F,QAAA,CAAA1C,OAAA,CAAQiF,GAAG,CAAC,CAACgK,YAAY,CAAC9J,KAAK,CAAC,CAAC,EAAEoJ,OAAI,CAACV,cAAc,CAAC,CAAC,CAAC,CAAC;IACnE,CAAC,CAAC,CACD7K,IAAI,CAAC,UAAAkM,MAAA,EAA6B;MAAA,IAAAC,MAAA,OAAA3B,eAAA,CAAAxN,OAAA,EAAAkP,MAAA;QAA3BD,YAAY,GAAAE,MAAA;QAAEC,OAAO,GAAAD,MAAA;MAC3BZ,OAAI,CAAC/L,MAAM,CAACC,IAAI,CAAC,uCAAuC,CAAC;MAEzD,OAAO8L,OAAI,CAAC1L,OAAO,CAAC;QAClBnB,GAAG,KAAAE,MAAA,CAAKwN,OAAO,WAAQ;QACvBtM,MAAM,EAAE,QAAQ;QAChBmF,GAAG,EAAEgH,YAAY,CAACI,MAAM,CAAC;MAC3B,CAAC,CAAC;IACJ,CAAC,CAAC,CACDrM,IAAI,CAAC,UAACC,GAAG,EAAK;MACbsL,OAAI,CAAC/L,MAAM,CAACC,IAAI,CAAC,mCAAmC,CAAC;MAErD,OAAOgG,OAAO,CAAC6G,kBAAkB,CAACrM,GAAG,CAACX,GAAG,CAAC;IAC5C,CAAC,CAAC,CACDU,IAAI,CAAC,UAACV,GAAG,EAAK;MACbmG,OAAO,CAACyE,YAAY,GAAG5K,GAAG;MAC1BpB,eAAe,CAACsL,MAAM,CAAC+B,OAAI,CAAC;MAC5BA,OAAI,CAAC/L,MAAM,CAACC,IAAI,CAAC,kCAAkC,CAAC;MAEpD,OAAOgG,OAAO;IAChB,CAAC,CAAC,CACD4B,KAAK,CAAC,UAACC,MAAM,EAAK;MACjBiE,OAAI,CAAC/L,MAAM,CAAC+H,KAAK,CAAC,wCAAwC,EAAED,MAAM,CAAC;MAEnE,OAAO5H,QAAA,CAAA1C,OAAA,CAAQ2C,MAAM,CAAC2H,MAAM,CAAC;IAC/B,CAAC,CAAC;EACN,CAAC;EAED;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACEzB,kBAAkB,WAAAA,mBAAC0G,eAAe,EAAE5N,UAAU,EAAE;IAC9C,IAAM8G,OAAO,GAAG,IAAI+F,gBAAO,CAAC,CAAC;IAE7B/F,OAAO,CAACiF,UAAU,GAAGjF,OAAO,CAACiF,UAAU,GAAG;MACxCmB,QAAQ,EAAEU,eAAe,CAAC7B,UAAU,CAACmB,QAAQ;MAC7ClB,UAAU,EAAE;QACVjJ,MAAM,EAAE/C,UAAU;QAClBA,UAAU,EAAVA,UAAU;QAAE;QACZiM,MAAM,EAAE2B,eAAe,CAAC7B,UAAU,CAACC,UAAU,CAACC;MAChD;IACF,CAAC;IACDnF,OAAO,CAACsG,UAAU,GAAGQ,eAAe,CAACR,UAAU;IAC/CtG,OAAO,CAACyE,YAAY,GAAGqC,eAAe,CAACrC,YAAY;IAEnD,OAAOzE,OAAO;EAChB,CAAC;EAAA+G,OAAA;AACH,CAAC,OAAAC,0BAAA,CAAAzP,OAAA,EAAAR,IAAA,eAAAD,IAAA,OAAAmQ,yBAAA,CAAA1P,OAAA,EAAAR,IAAA,eAAAA,IAAA,OAAAiQ,0BAAA,CAAAzP,OAAA,EAAAR,IAAA,kBA3KE+B,iBAAS,OAAAmO,yBAAA,CAAA1P,OAAA,EAAAR,IAAA,kBAAAA,IAAA,IAAAA,IAAA,EA2KX,CAAC;AAAC,IAAAmQ,QAAA,GAAAC,OAAA,CAAA5P,OAAA,GAEYoB,GAAG"}

package/package.json CHANGED Viewed

@@ -10,7 +10,7 @@
     "directory": "packages/@webex/internal-plugin-encryption"
   },
   "engines": {
-    "node": ">=16"
+    "node": ">=18"
   },
   "browser": {
     "./dist/ensure-buffer.js": "./dist/ensure-buffer.browser.js",
@@ -28,23 +28,23 @@
     "@webex/eslint-config-legacy": "0.0.0",
     "@webex/jest-config-legacy": "0.0.0",
     "@webex/legacy-tools": "0.0.0",
-    "@webex/test-helper-chai": "3.8.1-web-workers-keepalive.1",
-    "@webex/test-helper-make-local-url": "3.8.1-web-workers-keepalive.1",
-    "@webex/test-helper-mocha": "3.8.1-web-workers-keepalive.1",
-    "@webex/test-helper-mock-webex": "3.8.1-web-workers-keepalive.1",
-    "@webex/test-helper-test-users": "3.8.1-web-workers-keepalive.1",
+    "@webex/test-helper-chai": "3.9.0-multi-llms.0",
+    "@webex/test-helper-make-local-url": "3.9.0-multi-llms.0",
+    "@webex/test-helper-mocha": "3.9.0-multi-llms.0",
+    "@webex/test-helper-mock-webex": "3.9.0-multi-llms.0",
+    "@webex/test-helper-test-users": "3.9.0-multi-llms.0",
     "eslint": "^8.24.0",
     "prettier": "^2.7.1",
     "sinon": "^9.2.4"
   },
   "dependencies": {
-    "@webex/common": "3.8.1-web-workers-keepalive.1",
-    "@webex/common-timers": "3.8.1-web-workers-keepalive.1",
-    "@webex/http-core": "3.8.1-web-workers-keepalive.1",
-    "@webex/internal-plugin-device": "3.8.1-web-workers-keepalive.1",
-    "@webex/internal-plugin-mercury": "3.8.1-web-workers-keepalive.1",
-    "@webex/test-helper-file": "3.8.1-web-workers-keepalive.1",
-    "@webex/webex-core": "3.8.1-web-workers-keepalive.1",
+    "@webex/common": "3.9.0-multi-llms.0",
+    "@webex/common-timers": "3.9.0-multi-llms.0",
+    "@webex/http-core": "3.9.0-multi-llms.0",
+    "@webex/internal-plugin-device": "3.9.0-multi-llms.1",
+    "@webex/internal-plugin-mercury": "3.9.0-multi-llms.1",
+    "@webex/test-helper-file": "3.9.0-multi-llms.0",
+    "@webex/webex-core": "3.9.0-multi-llms.1",
     "asn1js": "^2.0.26",
     "debug": "^4.3.4",
     "isomorphic-webcrypto": "^2.3.8",
@@ -67,5 +67,5 @@
     "test:style": "eslint ./src/**/*.*",
     "test:unit": "webex-legacy-tools test --unit --runner jest"
   },
-  "version": "3.8.1-web-workers-keepalive.1"
+  "version": "3.9.0-multi-llms.1"
 }

package/src/constants.js CHANGED Viewed

@@ -1,3 +1,4 @@
 export const KMS_KEY_REVOKE_FAILURE = 'event:kms:key:revoke:encryption:failure';
 export const KMS_KEY_REVOKE_ERROR_STATUS = 405;
 export const KMS_KEY_REVOKE_ERROR_CODES = [405005, 405006];
+export const KMS_KEY_REDIRECT_ERROR_CODE = 301002;

package/src/encryption.js CHANGED Viewed

@@ -65,6 +65,23 @@ const Encryption = WebexPlugin.extend({
     );
   },
+  /**
+   * Decrypt binary data using the supplied key uri.
+   *
+   * @param {string} kmsKeyUri - The uri of a key stored in KMS
+   * @param {string} JWE - Encrypted binary data as JWE
+   * @param {Object} options
+   * @param {string} options.onBehalfOf - Fetch the KMS key on behalf of another user (using the user's UUID), active user requires the 'spark.kms_orgagent' role
+   * @returns {Buffer} Decrypted binary data as Buffer
+   */
+  decryptBinaryData(kmsKeyUri, JWE, options) {
+    return this.getKey(kmsKeyUri, options).then((k) =>
+      jose.JWE.createDecrypt(k.jwk)
+        .decrypt(JWE)
+        .then((result) => result.payload)
+    );
+  },
   /**
    * Validate and initiate a Download request for requested file
    * @param {Object} fileUrl - Plaintext

package/src/kms.js CHANGED Viewed

@@ -15,6 +15,7 @@ import uuid from 'uuid';
 import KMSBatcher, {TIMEOUT_SYMBOL} from './kms-batcher';
 import validateKMS, {KMSError} from './kms-certificate-validation';
+import {KMS_KEY_REDIRECT_ERROR_CODE} from './constants';
 const contexts = new WeakMap();
 const kmsDetails = new WeakMap();
@@ -276,10 +277,17 @@ const KMS = WebexPlugin.extend({
    * @param {UUID} options.assignedOrgId the orgId
    * @param {string} options.customerMasterKey the master key
    * @param {string} options.customerMasterKeyBackup the master key backup
+   * @param {string} options.customerMasterKeyRole the optional role associated with customerMasterKey
    * @param {boolean} options.awsKms enable amazon aws keys
    * @returns {Promise.<UploadCmkResponse>} response of upload CMK api
    */
-  uploadCustomerMasterKey({assignedOrgId, customerMasterKey, awsKms = false, customerMasterKeyBackup = undefined}) {
+  uploadCustomerMasterKey({
+    assignedOrgId,
+    customerMasterKey,
+    awsKms = false,
+    customerMasterKeyBackup = undefined,
+    customerMasterKeyRole = undefined,
+  }) {
     this.logger.info('kms: upload customer master key for byok');
     return this.request({
@@ -289,6 +297,7 @@ const KMS = WebexPlugin.extend({
       customerMasterKey,
       requestId: uuid.v4(),
       customerMasterKeyBackup: awsKms ? customerMasterKeyBackup : undefined,
+      customerMasterKeyRole: awsKms ? customerMasterKeyRole : undefined,
     }).then((res) => {
       this.logger.info('kms: finish to upload customer master key');
@@ -434,6 +443,23 @@ const KMS = WebexPlugin.extend({
       },
       {onBehalfOf}
     ).then((res) => {
+      // Handle redirect for migrated KRO, Key or Auth
+      if (res.errorCode === KMS_KEY_REDIRECT_ERROR_CODE && res.redirectUri) {
+        this.logger.info('kms: handling redirect for migrated resource', res.redirectUri);
+        return this.request(
+          {
+            method: 'retrieve',
+            uri: res.redirectUri,
+          },
+          {onBehalfOf}
+        ).then((redirectRes) => {
+          this.logger.info('kms: fetched key from redirect');
+          return this.asKey(redirectRes.key);
+        });
+      }
       this.logger.info('kms: fetched key');
       return this.asKey(res.key);

package/test/integration/spec/encryption.js CHANGED Viewed

@@ -2,6 +2,7 @@
  * Copyright (c) 2015-2020 Cisco Systems, Inc. See LICENSE file.
  */
+import '@webex/internal-plugin-metrics';
 import '@webex/internal-plugin-encryption';
 import {isBuffer} from '@webex/common';
@@ -93,6 +94,89 @@ describe('Encryption', function () {
         .then((plaintext) => assert.equal(plaintext, PLAINTEXT)));
   });
+  describe('#decryptBinaryData()', () => {
+    it('decrypts binary data', () =>
+      webex.internal.encryption
+        .encryptText(key, FILE.toString('base64'))
+        .then((ciphertext) => {
+          assert.notEqual(ciphertext, FILE.toString('base64'));
+          return webex.internal.encryption.decryptBinaryData(key, ciphertext);
+        })
+        .then((decryptedData) => {
+          assert.isTrue(isBuffer(decryptedData));
+          assert.equal(decryptedData.toString('base64'), FILE.toString('base64'));
+        }));
+    it('decrypts binary data with Buffer input', () => {
+      const binaryData = Buffer.from('test binary data', 'utf8');
+      return webex.internal.encryption
+        .encryptText(key, binaryData.toString('base64'))
+        .then((ciphertext) => {
+          assert.notEqual(ciphertext, binaryData.toString('base64'));
+          return webex.internal.encryption.decryptBinaryData(key, ciphertext);
+        })
+        .then((decryptedData) => {
+          assert.isTrue(isBuffer(decryptedData));
+          assert.equal(decryptedData.toString('utf8'), 'test binary data');
+        });
+    });
+    it('decrypts binary data with options parameter', () => {
+      const binaryData = Buffer.from('test binary data with options', 'utf8');
+      return webex.internal.encryption
+        .encryptText(key, binaryData.toString('base64'))
+        .then((ciphertext) => {
+          assert.notEqual(ciphertext, binaryData.toString('base64'));
+          return webex.internal.encryption.decryptBinaryData(key, ciphertext, {});
+        })
+        .then((decryptedData) => {
+          assert.isTrue(isBuffer(decryptedData));
+          assert.equal(decryptedData.toString('utf8'), 'test binary data with options');
+        });
+    });
+    it('decrypts binary data with dynamically generated 3000 character string', () => {
+      // Generate a 3000-character string dynamically using different character sets
+      const generateLargeString = (length) => {
+        const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+-=[]{}|;:,.<>?';
+        let result = '';
+        const charsLength = chars.length;
+        for (let i = 0; i < length; i++) {
+          // Use modulo to cycle through different patterns for variety
+          const index = (i * 7 + Math.floor(i / 100) * 3) % charsLength;
+          result += chars.charAt(index);
+        }
+        return result;
+      };
+      const largeString = generateLargeString(3000);
+      const binaryData = Buffer.from(largeString, 'utf8');
+      // Verify the string is exactly 3000 characters
+      assert.equal(largeString.length, 3000);
+      return webex.internal.encryption
+        .encryptText(key, binaryData.toString('base64'))
+        .then((ciphertext) => {
+          assert.notEqual(ciphertext, binaryData.toString('base64'));
+          return webex.internal.encryption.decryptBinaryData(key, ciphertext);
+        })
+        .then((decryptedData) => {
+          assert.isTrue(isBuffer(decryptedData));
+          assert.equal(decryptedData.toString('utf8'), largeString);
+          assert.equal(decryptedData.toString('utf8').length, 3000);
+        });
+    });
+  });
   describe('#getKey()', () => {
     let fetchKeySpy, otherWebex, otherUser, storageGetSpy;
@@ -361,6 +445,24 @@ describe('Encryption', function () {
         })
         .then((plaintext) => assert.equal(plaintext, PLAINTEXT)));
+    it('decrypt binary data', () => {
+      const binaryData = Buffer.from('compliance test binary data', 'utf8');
+      return webex.internal.encryption
+        .encryptText(key, binaryData.toString('base64'))
+        .then((ciphertext) => {
+          assert.notEqual(ciphertext, binaryData.toString('base64'));
+          return complianceUser.webex.internal.encryption.decryptBinaryData(key, ciphertext, {
+            onBehalfOf: user.id,
+          });
+        })
+        .then((decryptedData) => {
+          assert.isTrue(isBuffer(decryptedData));
+          assert.equal(decryptedData.toString('utf8'), 'compliance test binary data');
+        });
+    });
     it('encrypt and decrypt text', () =>
       complianceUser.webex.internal.encryption
         .encryptText(key, PLAINTEXT, {onBehalfOf: user.id})

package/test/unit/spec/encryption.js CHANGED Viewed

@@ -82,4 +82,76 @@ describe('internal-plugin-encryption', () => {
       });
     });
   });
+  describe('decryptBinaryData', () => {
+    let webex;
+    beforeEach(() => {
+      webex = new MockWebex({
+        children: {
+          encryption: Encryption,
+        },
+      });
+    });
+    describe('check decryptBinaryData()', () => {
+      const testKey = 'https://kms.example.com/keys/test-key-id';
+      const testJWE = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..test.encrypted.data';
+      const testOptions = {onBehalfOf: 'test-user-uuid'};
+      const mockJwk = {kty: 'oct', k: 'test-key-material'};
+      const mockKey = {jwk: mockJwk};
+      const mockDecryptedResult = {payload: Buffer.from('decrypted binary data')};
+      let getKeyStub;
+      let joseDecryptStub;
+      beforeEach(() => {
+        getKeyStub = sinon.stub(webex.internal.encryption, 'getKey').resolves(mockKey);
+        // Mock the jose.JWE.createDecrypt chain
+        const mockDecryptor = {
+          decrypt: sinon.stub().resolves(mockDecryptedResult)
+        };
+        joseDecryptStub = sinon.stub(require('node-jose').JWE, 'createDecrypt').returns(mockDecryptor);
+      });
+      it('should call getKey and jose.JWE.createDecrypt with correct parameters', async () => {
+        await webex.internal.encryption.decryptBinaryData(testKey, testJWE, testOptions);
+        assert.equal(getKeyStub.calledOnce, true);
+        assert.equal(getKeyStub.args[0][0], testKey);
+        assert.deepEqual(getKeyStub.args[0][1], testOptions);
+        assert.equal(joseDecryptStub.calledOnce, true);
+        assert.equal(joseDecryptStub.args[0][0], mockJwk);
+      });
+      it('should call decrypt with ciphertext', async () => {
+        await webex.internal.encryption.decryptBinaryData(testKey, testJWE, testOptions);
+        const mockDecryptor = joseDecryptStub.returnValues[0];
+        assert.equal(mockDecryptor.decrypt.calledOnce, true);
+        assert.equal(mockDecryptor.decrypt.args[0][0], testJWE);
+      });
+      it('should return the payload buffer', async () => {
+        const result = await webex.internal.encryption.decryptBinaryData(testKey, testJWE, testOptions);
+        assert.equal(result, mockDecryptedResult.payload);
+        assert.equal(Buffer.isBuffer(result), true);
+      });
+      it('should work without options parameter', async () => {
+        await webex.internal.encryption.decryptBinaryData(testKey, testJWE);
+        assert.equal(getKeyStub.calledOnce, true);
+        assert.equal(getKeyStub.args[0][0], testKey);
+        assert.equal(getKeyStub.args[0][1], undefined);
+      });
+      afterEach(() => {
+        getKeyStub.restore();
+        joseDecryptStub.restore();
+      });
+    });
+  });
 });

package/test/unit/spec/kms.js CHANGED Viewed

@@ -60,6 +60,14 @@ describe('internal-plugin-encryption', () => {
           awsKms: true,
         });
+         // Upload aws cmk and role
+        await webex.internal.encryption.kms.uploadCustomerMasterKey({
+          assignedOrgId: 'xx-sds-assdf',
+          customerMasterKey: 'masterKey',
+          awsKms: true,
+          customerMasterKeyRole: 'role',
+        });
         // Upload backup cmk for aws
         await webex.internal.encryption.kms.uploadCustomerMasterKey({
           assignedOrgId: 'xx-sds-assdf',
@@ -79,9 +87,11 @@ describe('internal-plugin-encryption', () => {
         assert.equal(spyStub.args[1][0].uri, '/awsKmsCmk');
         assert.equal(spyStub.args[1][0].customerMasterKeyBackup, undefined);
         assert.equal(spyStub.args[2][0].uri, '/awsKmsCmk');
-        assert.equal(spyStub.args[2][0].customerMasterKeyBackup, 'masterKeyBackup');
-        assert.equal(spyStub.args[3][0].uri, '/cmk');
-        assert.equal(spyStub.args[3][0].customerMasterKeyBackup, undefined);
+        assert.equal(spyStub.args[2][0].customerMasterKeyRole, 'role');
+        assert.equal(spyStub.args[3][0].uri, '/awsKmsCmk');
+        assert.equal(spyStub.args[3][0].customerMasterKeyBackup, 'masterKeyBackup');
+        assert.equal(spyStub.args[4][0].uri, '/cmk');
+        assert.equal(spyStub.args[4][0].customerMasterKeyBackup, undefined);
       });
       it('deleteAllCustomerMasterKeys', async () => {
@@ -98,6 +108,137 @@ describe('internal-plugin-encryption', () => {
         assert.equal(spyStub.args[0][0].uri, '/cmk');
         assert.equal(spyStub.args[1][0].uri, '/awsKmsCmk');
       });
+      describe('fetchKey', () => {
+        let asKeyStub;
+        beforeEach(() => {
+          asKeyStub = sinon.stub(webex.internal.encryption.kms, 'asKey').resolves({
+            jwk: {mockKey: 'data'},
+            uri: 'test-key-uri',
+          });
+        });
+        afterEach(() => {
+          asKeyStub.restore();
+        });
+        it('should fetch key normally when no redirect is needed', async () => {
+          const mockResponse = {
+            key: {jwk: {mockKey: 'data'}},
+            uri: 'test-key-uri',
+          };
+          spyStub.resolves(mockResponse);
+          const result = await webex.internal.encryption.kms.fetchKey({
+            uri: 'kms://test-kms.com/keys/test-key',
+          });
+          assert.calledOnce(spyStub);
+          assert.calledWith(spyStub, {
+            method: 'retrieve',
+            uri: 'kms://test-kms.com/keys/test-key',
+          });
+          assert.calledOnce(asKeyStub);
+          assert.equal(result.jwk.mockKey, 'data');
+        });
+        it('should handle redirect when errorCode is 301002', async () => {
+          const redirectResponse = {
+            errorCode: 301002,
+            status: 301,
+            requestId: '7ffba0b0-a5e8-497a-b856-e2b70e2eb92c',
+            reason: 'KRO, Key or Auth has been migrated. Use redirectUri for future requests',
+            redirectUri: 'kms://kms-afra.wbx2.com/keys/ce1ff0b8-fa2e-40bb-9a7f-bb36044ce1f4',
+          };
+          const finalResponse = {
+            key: {jwk: {redirectedKey: 'data'}},
+            uri: 'kms://kms-afra.wbx2.com/keys/ce1ff0b8-fa2e-40bb-9a7f-bb36044ce1f4',
+          };
+          spyStub.onFirstCall().resolves(redirectResponse);
+          spyStub.onSecondCall().resolves(finalResponse);
+          const result = await webex.internal.encryption.kms.fetchKey({
+            uri: 'kms://test-kms.com/keys/old-key',
+            onBehalfOf: 'user123',
+          });
+          assert.calledTwice(spyStub);
+          // First call - original request
+          assert.calledWith(
+            spyStub.firstCall,
+            {
+              method: 'retrieve',
+              uri: 'kms://test-kms.com/keys/old-key',
+            },
+            {onBehalfOf: 'user123'}
+          );
+          // Second call - redirect request
+          assert.calledWith(
+            spyStub.secondCall,
+            {
+              method: 'retrieve',
+              uri: 'kms://kms-afra.wbx2.com/keys/ce1ff0b8-fa2e-40bb-9a7f-bb36044ce1f4',
+            },
+            {onBehalfOf: 'user123'}
+          );
+          assert.calledOnce(asKeyStub);
+          assert.equal(result.jwk.mockKey, 'data');
+        });
+        it('should not redirect when errorCode is not 301002', async () => {
+          const mockResponse = {
+            errorCode: 400001,
+            status: 400,
+            key: {jwk: {mockKey: 'data'}},
+            uri: 'test-key-uri',
+          };
+          spyStub.resolves(mockResponse);
+          const result = await webex.internal.encryption.kms.fetchKey({
+            uri: 'kms://test-kms.com/keys/test-key',
+          });
+          assert.calledOnce(spyStub);
+          assert.calledOnce(asKeyStub);
+          assert.equal(result.jwk.mockKey, 'data');
+        });
+        it('should not redirect when redirectUri is missing', async () => {
+          const mockResponse = {
+            errorCode: 301002,
+            status: 301,
+            key: {jwk: {mockKey: 'data'}},
+            uri: 'test-key-uri',
+          };
+          spyStub.resolves(mockResponse);
+          const result = await webex.internal.encryption.kms.fetchKey({
+            uri: 'kms://test-kms.com/keys/test-key',
+          });
+          assert.calledOnce(spyStub);
+          assert.calledOnce(asKeyStub);
+          assert.equal(result.jwk.mockKey, 'data');
+        });
+        it('should reject when uri is not provided', async () => {
+          try {
+            await webex.internal.encryption.kms.fetchKey({});
+            assert.fail('Should have thrown an error');
+          } catch (error) {
+            assert.equal(error.message, '`options.uri` is required');
+          }
+        });
+      });
     });
     describe('KMS error', () => {