blockintel-gate-sdk 0.4.6 → 0.4.7
- package/dist/index.cjs +33 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +33 -2
- package/dist/index.js.map +1 -1
- package/dist/pilot/index.cjs +1 -1
- package/dist/pilot/index.cjs.map +1 -1
- package/dist/pilot/index.js +1 -1
- package/dist/pilot/index.js.map +1 -1
- package/package.json +1 -1
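--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -1217,7 +1217,7 @@ async function handleSignCommand(command, originalClient, gateClient, options) {
 if (options.mode === "dry-run") {
 return await originalClient.send(new clientKms.SignCommand(command));
 }
-const GATEWAY_STAGES = ["HARD_KMS_GATEWAY", "HARD_GCP_GATEWAY"
+const GATEWAY_STAGES = ["HARD_KMS_GATEWAY", "HARD_GCP_GATEWAY"];
 const currentStage = gateClient.heartbeatManager?.getAdoptionStage?.();
 if (currentStage && GATEWAY_STAGES.includes(currentStage)) {
 emitMetric(options.metricsSink, "sign_success_total", labels);
@@ -3010,7 +3010,38 @@ var GcpKmsSigner = class {
 if (!this.config.credentials) {
 throw new Error("GCP credentials not configured");
 }
-
+const creds = typeof this.config.credentials === "string" ? JSON.parse(this.config.credentials) : this.config.credentials;
+if (!creds.client_email || !creds.private_key) {
+throw new Error("GCP credentials must contain client_email and private_key");
+}
+const crypto = await import('crypto');
+const now = Math.floor(Date.now() / 1e3);
+const header = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url");
+const payload = Buffer.from(JSON.stringify({
+iss: creds.client_email,
+scope: "https://www.googleapis.com/auth/cloudkms",
+aud: "https://oauth2.googleapis.com/token",
+iat: now,
+exp: now + 3600
+})).toString("base64url");
+const sigInput = `${header}.${payload}`;
+const sign = crypto.createSign("RSA-SHA256");
+sign.update(sigInput);
+const sig = sign.sign(creds.private_key, "base64url");
+const jwt = `${sigInput}.${sig}`;
+const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
+method: "POST",
+headers: { "Content-Type": "application/x-www-form-urlencoded" },
+body: `grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=${jwt}`
+});
+if (!tokenResponse.ok) {
+const errText = await tokenResponse.text();
+throw new Error(`GCP SA token exchange failed: ${tokenResponse.status} ${errText}`);
+}
+const data = await tokenResponse.json();
+this.accessToken = data.access_token;
+this.tokenExpiry = Date.now() + data.expires_in * 1e3;
+return data.access_token;
 }
 }
 /**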
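Review bot: The token response is cached without validation in the second hunk: `this.accessToken = data.access_token` and `this.tokenExpiry = Date.now() + data.expires_in * 1e3` run on any 2xx body, so a response missing either field stores `undefined` and a `NaN` expiry, and how the expiry check (outside this hunk) treats `NaN` is not visible here. A guard such as `if (typeof data.access_token !== "string" || !Number.isFinite(data.expires_in)) throw new Error("GCP SA token exchange returned an unexpected response");` before the two assignments would make the signer fail closed. Separately, `JSON.parse(this.config.credentials)` is unguarded, and on recent Node versions the SyntaxError message can quote part of the input, which here is service-account key material; catching it and throwing a fixed message would keep that text out of logs and error reporters. The `fetch` call also has no timeout, so a stalled token endpoint can block the signing path; passing a `signal` from `AbortSignal.timeout(...)` would bound it. The enclosing method of `GcpKmsSigner` starts outside the hunk, so any earlier cache check or retry handling could not be reviewed.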