npm - blockintel-gate-sdk - Versions diffs - 0.4.5 → 0.4.7 - Mend

blockintel-gate-sdk 0.4.5 → 0.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.cjs CHANGED Viewed

@@ -1217,6 +1217,12 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
     if (options.mode === "dry-run") {
       return await originalClient.send(new clientKms.SignCommand(command));
     }
+    const GATEWAY_STAGES = ["HARD_KMS_GATEWAY", "HARD_GCP_GATEWAY"];
+    const currentStage = gateClient.heartbeatManager?.getAdoptionStage?.();
+    if (currentStage && GATEWAY_STAGES.includes(currentStage)) {
+      emitMetric(options.metricsSink, "sign_success_total", labels);
+      return await signViaProxy(gateClient, decision, command, signerId);
+    }
     return await originalClient.send(new clientKms.SignCommand(command));
   } catch (error) {
     if (error instanceof BlockIntelBlockedError) {
@@ -1230,6 +1236,72 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
     throw error;
   }
 }
+async function signViaProxy(gateClient, decision, command, signerId) {
+  const config = gateClient.config;
+  const baseUrl = config?.baseUrl || config?.controlPlaneUrl;
+  const tenantId = config?.tenantId;
+  if (!baseUrl || !tenantId) {
+    throw new Error("[Gate SDK] Cannot use signing proxy: baseUrl or tenantId not configured on GateClient");
+  }
+  const message = command.input?.Message ?? command.Message;
+  if (!message) {
+    throw new Error("[Gate SDK] SignCommand missing Message for proxy signing");
+  }
+  const messageBuffer = message instanceof Buffer ? message : Buffer.from(message);
+  const messageBase64 = messageBuffer.toString("base64");
+  const keyId = command.input?.KeyId ?? command.KeyId;
+  if (!keyId) {
+    throw new Error("[Gate SDK] SignCommand missing KeyId for proxy signing");
+  }
+  const signingAlgorithm = command.input?.SigningAlgorithm ?? command.SigningAlgorithm ?? "ECDSA_SHA_256";
+  const messageType = command.input?.MessageType ?? command.MessageType ?? "RAW";
+  const proxyUrl = `${baseUrl.replace("/defense", "")}/tenants/${tenantId}/defense/sign`;
+  const headers = {
+    "Content-Type": "application/json"
+  };
+  const authHeaders = gateClient.getAuthHeaders?.();
+  if (authHeaders) {
+    Object.assign(headers, authHeaders);
+  } else {
+    const auth = config?.auth;
+    if (auth?.mode === "api_key" && auth?.apiKey) {
+      headers["x-api-key"] = auth.apiKey;
+    }
+  }
+  const jwt = gateClient.jwt || gateClient.config?.jwt;
+  if (jwt) {
+    headers["Authorization"] = `Bearer ${jwt}`;
+  }
+  const response = await fetch(proxyUrl, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({
+      requestId: decision.decisionId || decision.requestId,
+      decisionToken: decision.decisionToken,
+      keyId,
+      message: messageBase64,
+      signingAlgorithm,
+      messageType
+    })
+  });
+  if (!response.ok) {
+    const errorBody = await response.json().catch(() => ({}));
+    const code = errorBody?.error?.code || "SIGN_PROXY_FAILED";
+    const msg = errorBody?.error?.message || `Signing proxy returned ${response.status}`;
+    throw new Error(`[Gate SDK] ${code}: ${msg}`);
+  }
+  const result = await response.json();
+  const data = result?.data;
+  if (!data?.signature) {
+    throw new Error("[Gate SDK] Signing proxy returned no signature");
+  }
+  return {
+    Signature: Buffer.from(data.signature, "base64"),
+    KeyId: data.keyId || keyId,
+    SigningAlgorithm: data.signingAlgorithm || signingAlgorithm,
+    $metadata: { httpStatusCode: 200 }
+  };
+}
 // src/provenance/ProvenanceProvider.ts
 var ProvenanceProvider = class {
@@ -2938,7 +3010,38 @@ var GcpKmsSigner = class {
       if (!this.config.credentials) {
         throw new Error("GCP credentials not configured");
       }
-      throw new Error("Service account authentication requires @google-cloud/kms SDK. Install it with: npm install @google-cloud/kms. Alternatively, use workload identity (recommended for GCP environments).");
+      const creds = typeof this.config.credentials === "string" ? JSON.parse(this.config.credentials) : this.config.credentials;
+      if (!creds.client_email || !creds.private_key) {
+        throw new Error("GCP credentials must contain client_email and private_key");
+      }
+      const crypto = await import('crypto');
+      const now = Math.floor(Date.now() / 1e3);
+      const header = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url");
+      const payload = Buffer.from(JSON.stringify({
+        iss: creds.client_email,
+        scope: "https://www.googleapis.com/auth/cloudkms",
+        aud: "https://oauth2.googleapis.com/token",
+        iat: now,
+        exp: now + 3600
+      })).toString("base64url");
+      const sigInput = `${header}.${payload}`;
+      const sign = crypto.createSign("RSA-SHA256");
+      sign.update(sigInput);
+      const sig = sign.sign(creds.private_key, "base64url");
+      const jwt = `${sigInput}.${sig}`;
+      const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: `grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=${jwt}`
+      });
+      if (!tokenResponse.ok) {
+        const errText = await tokenResponse.text();
+        throw new Error(`GCP SA token exchange failed: ${tokenResponse.status} ${errText}`);
+      }
+      const data = await tokenResponse.json();
+      this.accessToken = data.access_token;
+      this.tokenExpiry = Date.now() + data.expires_in * 1e3;
+      return data.access_token;
     }
   }
   /**