harper 5.1.20 → 5.2.0-alpha.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/agent/operations.ts +13 -16
- package/components/Application.ts +188 -7
- package/components/ApplicationScope.ts +3 -0
- package/components/Scope.ts +12 -0
- package/components/anthropic/index.ts +9 -2
- package/components/bedrock/index.ts +25 -2
- package/components/componentLoader.ts +56 -7
- package/components/componentSecrets.ts +451 -0
- package/components/deploymentRecorder.ts +7 -1
- package/components/mcp/adapters/fastify.ts +3 -0
- package/components/mcp/adapters/harperHttp.ts +3 -0
- package/components/mcp/audit.ts +21 -6
- package/components/mcp/customResourceRegistry.ts +17 -38
- package/components/mcp/listChanged.ts +37 -20
- package/components/mcp/quota.ts +145 -0
- package/components/mcp/rateLimit.ts +152 -14
- package/components/mcp/resources.ts +2 -4
- package/components/mcp/toolRegistry.ts +73 -4
- package/components/mcp/tools/application.ts +77 -8
- package/components/mcp/tools/operations.ts +106 -36
- package/components/mcp/tools/schemas/operationDescriptions.ts +4 -4
- package/components/mcp/tools/schemas/operations.ts +5 -0
- package/components/mcp/transport.ts +55 -4
- package/components/ollama/index.ts +6 -2
- package/components/openai/index.ts +9 -2
- package/components/operations.js +204 -10
- package/components/operationsValidation.js +173 -0
- package/components/secretOperations.ts +498 -0
- package/config/configUtils.ts +25 -1
- package/config-app.schema.json +81 -0
- package/config-root.schema.json +8 -1
- package/dataLayer/harperBridge/lmdbBridge/lmdbUtility/initializePaths.js +4 -3
- package/dataLayer/readAuditLog.ts +14 -0
- package/dataLayer/schemaDescribe.ts +1 -0
- package/dist/agent/operations.d.ts +7 -4
- package/dist/agent/operations.js +13 -15
- package/dist/agent/operations.js.map +1 -1
- package/dist/components/Application.d.ts +25 -2
- package/dist/components/Application.js +166 -7
- package/dist/components/Application.js.map +1 -1
- package/dist/components/ApplicationScope.d.ts +2 -0
- package/dist/components/ApplicationScope.js +3 -0
- package/dist/components/ApplicationScope.js.map +1 -1
- package/dist/components/Scope.d.ts +8 -0
- package/dist/components/Scope.js +11 -0
- package/dist/components/Scope.js.map +1 -1
- package/dist/components/anthropic/index.d.ts +4 -1
- package/dist/components/anthropic/index.js +4 -2
- package/dist/components/anthropic/index.js.map +1 -1
- package/dist/components/bedrock/index.d.ts +4 -1
- package/dist/components/bedrock/index.js +22 -2
- package/dist/components/bedrock/index.js.map +1 -1
- package/dist/components/componentLoader.d.ts +2 -0
- package/dist/components/componentLoader.js +52 -10
- package/dist/components/componentLoader.js.map +1 -1
- package/dist/components/componentSecrets.d.ts +63 -0
- package/dist/components/componentSecrets.js +405 -0
- package/dist/components/componentSecrets.js.map +1 -0
- package/dist/components/deploymentRecorder.d.ts +3 -0
- package/dist/components/deploymentRecorder.js +4 -3
- package/dist/components/deploymentRecorder.js.map +1 -1
- package/dist/components/mcp/adapters/fastify.d.ts +2 -0
- package/dist/components/mcp/adapters/fastify.js +1 -0
- package/dist/components/mcp/adapters/fastify.js.map +1 -1
- package/dist/components/mcp/adapters/harperHttp.d.ts +2 -0
- package/dist/components/mcp/adapters/harperHttp.js +1 -0
- package/dist/components/mcp/adapters/harperHttp.js.map +1 -1
- package/dist/components/mcp/audit.d.ts +2 -2
- package/dist/components/mcp/audit.js +20 -5
- package/dist/components/mcp/audit.js.map +1 -1
- package/dist/components/mcp/customResourceRegistry.d.ts +5 -12
- package/dist/components/mcp/customResourceRegistry.js +15 -30
- package/dist/components/mcp/customResourceRegistry.js.map +1 -1
- package/dist/components/mcp/listChanged.d.ts +7 -2
- package/dist/components/mcp/listChanged.js +28 -0
- package/dist/components/mcp/listChanged.js.map +1 -1
- package/dist/components/mcp/quota.d.ts +31 -0
- package/dist/components/mcp/quota.js +155 -0
- package/dist/components/mcp/quota.js.map +1 -0
- package/dist/components/mcp/rateLimit.d.ts +19 -3
- package/dist/components/mcp/rateLimit.js +129 -13
- package/dist/components/mcp/rateLimit.js.map +1 -1
- package/dist/components/mcp/resources.js.map +1 -1
- package/dist/components/mcp/toolRegistry.d.ts +39 -1
- package/dist/components/mcp/toolRegistry.js +60 -5
- package/dist/components/mcp/toolRegistry.js.map +1 -1
- package/dist/components/mcp/tools/application.d.ts +8 -1
- package/dist/components/mcp/tools/application.js +65 -5
- package/dist/components/mcp/tools/application.js.map +1 -1
- package/dist/components/mcp/tools/operations.d.ts +15 -3
- package/dist/components/mcp/tools/operations.js +99 -38
- package/dist/components/mcp/tools/operations.js.map +1 -1
- package/dist/components/mcp/tools/schemas/operationDescriptions.js +4 -4
- package/dist/components/mcp/tools/schemas/operationDescriptions.js.map +1 -1
- package/dist/components/mcp/tools/schemas/operations.js +4 -0
- package/dist/components/mcp/tools/schemas/operations.js.map +1 -1
- package/dist/components/mcp/transport.d.ts +6 -0
- package/dist/components/mcp/transport.js +47 -3
- package/dist/components/mcp/transport.js.map +1 -1
- package/dist/components/ollama/index.d.ts +4 -1
- package/dist/components/ollama/index.js +4 -2
- package/dist/components/ollama/index.js.map +1 -1
- package/dist/components/openai/index.d.ts +4 -1
- package/dist/components/openai/index.js +4 -2
- package/dist/components/openai/index.js.map +1 -1
- package/dist/components/operations.d.ts +39 -0
- package/dist/components/operations.js +194 -2
- package/dist/components/operations.js.map +1 -1
- package/dist/components/operationsValidation.d.ts +38 -0
- package/dist/components/operationsValidation.js +155 -0
- package/dist/components/operationsValidation.js.map +1 -1
- package/dist/components/secretOperations.d.ts +113 -0
- package/dist/components/secretOperations.js +475 -0
- package/dist/components/secretOperations.js.map +1 -0
- package/dist/config/configUtils.d.ts +4 -1
- package/dist/config/configUtils.js +18 -1
- package/dist/config/configUtils.js.map +1 -1
- package/dist/dataLayer/harperBridge/lmdbBridge/lmdbUtility/initializePaths.js +4 -3
- package/dist/dataLayer/harperBridge/lmdbBridge/lmdbUtility/initializePaths.js.map +1 -1
- package/dist/dataLayer/readAuditLog.js +11 -0
- package/dist/dataLayer/readAuditLog.js.map +1 -1
- package/dist/dataLayer/schemaDescribe.js +2 -0
- package/dist/dataLayer/schemaDescribe.js.map +1 -1
- package/dist/globals.d.ts +1 -1
- package/dist/globals.js +1 -0
- package/dist/globals.js.map +1 -1
- package/dist/index.d.ts +3 -0
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/json/systemSchema.json +38 -0
- package/dist/resources/DatabaseTransaction.d.ts +31 -3
- package/dist/resources/DatabaseTransaction.js +190 -29
- package/dist/resources/DatabaseTransaction.js.map +1 -1
- package/dist/resources/LMDBTransaction.d.ts +1 -1
- package/dist/resources/LMDBTransaction.js +43 -5
- package/dist/resources/LMDBTransaction.js.map +1 -1
- package/dist/resources/PrimaryRocksDatabase.d.ts +51 -0
- package/dist/resources/PrimaryRocksDatabase.js +194 -0
- package/dist/resources/PrimaryRocksDatabase.js.map +1 -0
- package/dist/resources/RecordEncoder.d.ts +1 -0
- package/dist/resources/RecordEncoder.js +81 -75
- package/dist/resources/RecordEncoder.js.map +1 -1
- package/dist/resources/RequestTarget.d.ts +19 -0
- package/dist/resources/RequestTarget.js.map +1 -1
- package/dist/resources/Resource.d.ts +0 -1
- package/dist/resources/Resource.js +103 -16
- package/dist/resources/Resource.js.map +1 -1
- package/dist/resources/ResourceInterface.d.ts +6 -2
- package/dist/resources/ResourceInterface.js.map +1 -1
- package/dist/resources/Resources.js.map +1 -1
- package/dist/resources/Table.d.ts +6 -4
- package/dist/resources/Table.js +247 -24
- package/dist/resources/Table.js.map +1 -1
- package/dist/resources/analytics/read.js +25 -28
- package/dist/resources/analytics/read.js.map +1 -1
- package/dist/resources/blob.js +165 -22
- package/dist/resources/blob.js.map +1 -1
- package/dist/resources/crdt.d.ts +2 -0
- package/dist/resources/crdt.js +45 -36
- package/dist/resources/crdt.js.map +1 -1
- package/dist/resources/databases.d.ts +1 -0
- package/dist/resources/databases.js +134 -7
- package/dist/resources/databases.js.map +1 -1
- package/dist/resources/graphql.js +8 -0
- package/dist/resources/graphql.js.map +1 -1
- package/dist/resources/indexes/HierarchicalNavigableSmallWorld.d.ts +35 -5
- package/dist/resources/indexes/HierarchicalNavigableSmallWorld.js +239 -14
- package/dist/resources/indexes/HierarchicalNavigableSmallWorld.js.map +1 -1
- package/dist/resources/jsResource.js +6 -0
- package/dist/resources/jsResource.js.map +1 -1
- package/dist/resources/loadEnv.js +30 -3
- package/dist/resources/loadEnv.js.map +1 -1
- package/dist/resources/login.js +2 -2
- package/dist/resources/login.js.map +1 -1
- package/dist/resources/models/Models.js +14 -3
- package/dist/resources/models/Models.js.map +1 -1
- package/dist/resources/models/embedHook.js +10 -2
- package/dist/resources/models/embedHook.js.map +1 -1
- package/dist/resources/models/openaiStream.d.ts +56 -0
- package/dist/resources/models/openaiStream.js +94 -0
- package/dist/resources/models/openaiStream.js.map +1 -0
- package/dist/resources/replayLogs.js +4 -3
- package/dist/resources/replayLogs.js.map +1 -1
- package/dist/resources/search.d.ts +1 -1
- package/dist/resources/search.js +104 -11
- package/dist/resources/search.js.map +1 -1
- package/dist/resources/secretDecryptor.d.ts +54 -0
- package/dist/resources/secretDecryptor.js +131 -0
- package/dist/resources/secretDecryptor.js.map +1 -0
- package/dist/resources/tracked.js +15 -5
- package/dist/resources/tracked.js.map +1 -1
- package/dist/security/auth.js +71 -8
- package/dist/security/auth.js.map +1 -1
- package/dist/security/jsLoader.js +11 -0
- package/dist/security/jsLoader.js.map +1 -1
- package/dist/security/tokenAuthentication.d.ts +9 -1
- package/dist/security/tokenAuthentication.js +31 -1
- package/dist/security/tokenAuthentication.js.map +1 -1
- package/dist/server/DurableSubscriptionsSession.d.ts +1 -1
- package/dist/server/DurableSubscriptionsSession.js +8 -4
- package/dist/server/DurableSubscriptionsSession.js.map +1 -1
- package/dist/server/REST.js +28 -9
- package/dist/server/REST.js.map +1 -1
- package/dist/server/fastifyRoutes.js +11 -1
- package/dist/server/fastifyRoutes.js.map +1 -1
- package/dist/server/graphqlQuerying.js +4 -3
- package/dist/server/graphqlQuerying.js.map +1 -1
- package/dist/server/http.d.ts +40 -2
- package/dist/server/http.js +560 -77
- package/dist/server/http.js.map +1 -1
- package/dist/server/itc/serverHandlers.js +64 -0
- package/dist/server/itc/serverHandlers.js.map +1 -1
- package/dist/server/liveSubscriptionAuth.d.ts +12 -0
- package/dist/server/liveSubscriptionAuth.js +140 -0
- package/dist/server/liveSubscriptionAuth.js.map +1 -0
- package/dist/server/loadRootComponents.js +2 -1
- package/dist/server/loadRootComponents.js.map +1 -1
- package/dist/server/middlewareChain.d.ts +44 -1
- package/dist/server/middlewareChain.js +86 -10
- package/dist/server/middlewareChain.js.map +1 -1
- package/dist/server/mqtt.js +2 -1
- package/dist/server/mqtt.js.map +1 -1
- package/dist/server/operationsServer.js +1 -1
- package/dist/server/operationsServer.js.map +1 -1
- package/dist/server/serverHelpers/Headers.d.ts +9 -0
- package/dist/server/serverHelpers/Headers.js +22 -0
- package/dist/server/serverHelpers/Headers.js.map +1 -1
- package/dist/server/serverHelpers/JSONStream.js +3 -3
- package/dist/server/serverHelpers/JSONStream.js.map +1 -1
- package/dist/server/serverHelpers/Request.d.ts +52 -1
- package/dist/server/serverHelpers/Request.js +122 -1
- package/dist/server/serverHelpers/Request.js.map +1 -1
- package/dist/server/serverHelpers/contentTypes.js +3 -8
- package/dist/server/serverHelpers/contentTypes.js.map +1 -1
- package/dist/server/serverHelpers/progressEmitter.d.ts +19 -0
- package/dist/server/serverHelpers/progressEmitter.js +52 -4
- package/dist/server/serverHelpers/progressEmitter.js.map +1 -1
- package/dist/server/serverHelpers/registeredOperations.d.ts +40 -0
- package/dist/server/serverHelpers/registeredOperations.js +286 -0
- package/dist/server/serverHelpers/registeredOperations.js.map +1 -0
- package/dist/server/serverHelpers/serverHandlers.js +11 -5
- package/dist/server/serverHelpers/serverHandlers.js.map +1 -1
- package/dist/server/serverHelpers/serverUtilities.d.ts +1 -0
- package/dist/server/serverHelpers/serverUtilities.js +67 -5
- package/dist/server/serverHelpers/serverUtilities.js.map +1 -1
- package/dist/server/serverHelpers/uwsServer.d.ts +80 -0
- package/dist/server/serverHelpers/uwsServer.js +433 -0
- package/dist/server/serverHelpers/uwsServer.js.map +1 -0
- package/dist/server/static.d.ts +0 -15
- package/dist/server/static.js +161 -2
- package/dist/server/static.js.map +1 -1
- package/dist/server/status/index.d.ts +4 -1
- package/dist/server/status/index.js +64 -4
- package/dist/server/status/index.js.map +1 -1
- package/dist/server/threads/manageThreads.d.ts +10 -0
- package/dist/server/threads/manageThreads.js +107 -4
- package/dist/server/threads/manageThreads.js.map +1 -1
- package/dist/server/threads/socketRouter.js +5 -1
- package/dist/server/threads/socketRouter.js.map +1 -1
- package/dist/server/threads/threadServer.js +92 -14
- package/dist/server/threads/threadServer.js.map +1 -1
- package/dist/upgrade/directives/5-2-0.d.ts +7 -0
- package/dist/upgrade/directives/5-2-0.js +108 -0
- package/dist/upgrade/directives/5-2-0.js.map +1 -0
- package/dist/upgrade/directives/directivesController.js +2 -1
- package/dist/upgrade/directives/directivesController.js.map +1 -1
- package/dist/utility/common_utils.js +5 -0
- package/dist/utility/common_utils.js.map +1 -1
- package/dist/utility/envFile.d.ts +41 -0
- package/dist/utility/envFile.js +221 -0
- package/dist/utility/envFile.js.map +1 -0
- package/dist/utility/globalSchema.d.ts +9 -0
- package/dist/utility/hdbTerms.d.ts +25 -0
- package/dist/utility/hdbTerms.js +31 -0
- package/dist/utility/hdbTerms.js.map +1 -1
- package/dist/utility/logging/harper_logger.d.ts +21 -0
- package/dist/utility/logging/harper_logger.js +160 -8
- package/dist/utility/logging/harper_logger.js.map +1 -1
- package/dist/utility/logging/logRotator.js +29 -17
- package/dist/utility/logging/logRotator.js.map +1 -1
- package/dist/utility/logging/readLog.d.ts +1 -1
- package/dist/utility/logging/readLog.js +305 -2
- package/dist/utility/logging/readLog.js.map +1 -1
- package/dist/utility/operationPermissions.d.ts +18 -0
- package/dist/utility/operationPermissions.js +35 -1
- package/dist/utility/operationPermissions.js.map +1 -1
- package/dist/utility/operation_authorization.d.ts +17 -0
- package/dist/utility/operation_authorization.js +38 -0
- package/dist/utility/operation_authorization.js.map +1 -1
- package/dist/utility/secretEnvelope.d.ts +30 -0
- package/dist/utility/secretEnvelope.js +94 -0
- package/dist/utility/secretEnvelope.js.map +1 -0
- package/dist/utility/signalling.d.ts +7 -0
- package/dist/utility/signalling.js +16 -0
- package/dist/utility/signalling.js.map +1 -1
- package/dist/validation/configValidator.js +70 -24
- package/dist/validation/configValidator.js.map +1 -1
- package/index.ts +4 -0
- package/json/systemSchema.json +38 -0
- package/npm-shrinkwrap.json +15066 -9347
- package/package.json +13 -8
- package/resources/DESIGN.md +15 -12
- package/resources/DatabaseTransaction.ts +206 -37
- package/resources/LMDBTransaction.ts +43 -9
- package/resources/PrimaryRocksDatabase.ts +201 -0
- package/resources/RecordEncoder.ts +81 -69
- package/resources/RequestTarget.ts +21 -0
- package/resources/Resource.ts +109 -25
- package/resources/ResourceInterface.ts +6 -2
- package/resources/Resources.ts +1 -3
- package/resources/Table.ts +238 -29
- package/resources/analytics/read.ts +25 -30
- package/resources/blob.ts +159 -23
- package/resources/crdt.ts +37 -31
- package/resources/databases.ts +143 -6
- package/resources/graphql.ts +8 -0
- package/resources/indexes/HierarchicalNavigableSmallWorld.ts +251 -17
- package/resources/jsResource.ts +6 -0
- package/resources/loadEnv.ts +34 -3
- package/resources/login.ts +2 -2
- package/resources/models/Models.ts +19 -3
- package/resources/models/embedHook.ts +13 -2
- package/resources/models/openaiStream.ts +133 -0
- package/resources/replayLogs.ts +4 -3
- package/resources/search.ts +113 -11
- package/resources/secretDecryptor.ts +159 -0
- package/resources/tracked.ts +24 -17
- package/security/auth.ts +70 -10
- package/security/jsLoader.ts +12 -0
- package/security/tokenAuthentication.ts +42 -1
- package/server/DESIGN.md +10 -0
- package/server/DurableSubscriptionsSession.ts +8 -4
- package/server/REST.ts +26 -9
- package/server/fastifyRoutes.ts +10 -1
- package/server/graphqlQuerying.ts +4 -3
- package/server/http.ts +563 -77
- package/server/itc/serverHandlers.js +70 -0
- package/server/liveSubscriptionAuth.ts +152 -0
- package/server/loadRootComponents.js +2 -1
- package/server/middlewareChain.ts +107 -17
- package/server/mqtt.ts +2 -1
- package/server/operationsServer.ts +2 -2
- package/server/serverHelpers/Headers.ts +24 -0
- package/server/serverHelpers/JSONStream.ts +3 -3
- package/server/serverHelpers/Request.ts +127 -0
- package/server/serverHelpers/contentTypes.ts +3 -8
- package/server/serverHelpers/progressEmitter.ts +55 -5
- package/server/serverHelpers/registeredOperations.ts +259 -0
- package/server/serverHelpers/serverHandlers.js +11 -5
- package/server/serverHelpers/serverUtilities.ts +88 -5
- package/server/serverHelpers/uwsServer.ts +488 -0
- package/server/static.ts +180 -2
- package/server/status/index.ts +72 -4
- package/server/threads/manageThreads.js +102 -4
- package/server/threads/socketRouter.ts +5 -1
- package/server/threads/threadServer.js +93 -10
- package/studio/web/assets/{Chat-SdD1EZca.js → Chat-Cv_2paZE.js} +2 -2
- package/studio/web/assets/{Chat-SdD1EZca.js.map → Chat-Cv_2paZE.js.map} +1 -1
- package/studio/web/assets/{FloatingChat-GMq6tHK9.js → FloatingChat-CPyPIcVR.js} +4 -4
- package/studio/web/assets/{FloatingChat-GMq6tHK9.js.map → FloatingChat-CPyPIcVR.js.map} +1 -1
- package/studio/web/assets/{applications-B5hhv7uA.js → applications-C0jT2vdZ.js} +2 -2
- package/studio/web/assets/{applications-B5hhv7uA.js.map → applications-C0jT2vdZ.js.map} +1 -1
- package/studio/web/assets/{index-VFcpNWgq.js → index-D_GKOkhn.js} +6 -6
- package/studio/web/assets/index-D_GKOkhn.js.map +1 -0
- package/studio/web/assets/{index.lazy-DgcJojIA.js → index.lazy-CAmCIA65.js} +4 -4
- package/studio/web/assets/{index.lazy-DgcJojIA.js.map → index.lazy-CAmCIA65.js.map} +1 -1
- package/studio/web/assets/{profile-BqN-8vzm.js → profile-CaF-4aZe.js} +2 -2
- package/studio/web/assets/{profile-BqN-8vzm.js.map → profile-CaF-4aZe.js.map} +1 -1
- package/studio/web/assets/{setComponentFile-CHFvFq9u.js → setComponentFile-DLW1DHCt.js} +2 -2
- package/studio/web/assets/{setComponentFile-CHFvFq9u.js.map → setComponentFile-DLW1DHCt.js.map} +1 -1
- package/studio/web/assets/{setup-CQ3vWJSr.js → setup-TGCErIhq.js} +2 -2
- package/studio/web/assets/{setup-CQ3vWJSr.js.map → setup-TGCErIhq.js.map} +1 -1
- package/studio/web/assets/{status-BsW5fjuh.js → status-DG0Maoao.js} +2 -2
- package/studio/web/assets/{status-BsW5fjuh.js.map → status-DG0Maoao.js.map} +1 -1
- package/studio/web/assets/{swagger-ui-react-DITdeB9-.js → swagger-ui-react-8T4SgQ1m.js} +2 -2
- package/studio/web/assets/{swagger-ui-react-DITdeB9-.js.map → swagger-ui-react-8T4SgQ1m.js.map} +1 -1
- package/studio/web/assets/{tsMode-Dyph-OUs.js → tsMode-DJ6Sl24Q.js} +2 -2
- package/studio/web/assets/{tsMode-Dyph-OUs.js.map → tsMode-DJ6Sl24Q.js.map} +1 -1
- package/studio/web/assets/{useEntityRestURL-D0QTUqex.js → useEntityRestURL-JO2mfWTQ.js} +2 -2
- package/studio/web/assets/{useEntityRestURL-D0QTUqex.js.map → useEntityRestURL-JO2mfWTQ.js.map} +1 -1
- package/studio/web/index.html +1 -1
- package/upgrade/directives/5-2-0.ts +82 -0
- package/upgrade/directives/directivesController.ts +2 -1
- package/utility/common_utils.ts +5 -0
- package/utility/envFile.ts +218 -0
- package/utility/hdbTerms.ts +31 -0
- package/utility/logging/harper_logger.ts +156 -8
- package/utility/logging/logRotator.ts +24 -14
- package/utility/logging/readLog.ts +323 -2
- package/utility/operationPermissions.ts +35 -1
- package/utility/operation_authorization.ts +74 -1
- package/utility/secretEnvelope.ts +113 -0
- package/utility/signalling.ts +15 -0
- package/validation/configValidator.ts +78 -25
- package/studio/web/assets/index-VFcpNWgq.js.map +0 -1
|
@@ -0,0 +1,475 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
36
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
37
|
+
};
|
|
38
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
39
|
+
exports.setSecret = setSecret;
|
|
40
|
+
exports.grantSecret = grantSecret;
|
|
41
|
+
exports.revokeSecret = revokeSecret;
|
|
42
|
+
exports.listSecrets = listSecrets;
|
|
43
|
+
exports.deleteSecret = deleteSecret;
|
|
44
|
+
exports.getSecretsPublicKey = getSecretsPublicKey;
|
|
45
|
+
exports.deriveRegistrySecretName = deriveRegistrySecretName;
|
|
46
|
+
exports.ingestRegistryAuth = ingestRegistryAuth;
|
|
47
|
+
exports.resolveRegistryAuth = resolveRegistryAuth;
|
|
48
|
+
// Operations against system.hdb_secret — the envelope-encrypted secrets store (#715).
|
|
49
|
+
//
|
|
50
|
+
// Only ciphertext is ever stored: a plaintext `value` submitted to set_secret is encrypted
|
|
51
|
+
// immediately with the cluster public key (custody must be registered) and the plaintext is
|
|
52
|
+
// discarded; processLocalTransaction strips `value`/`envelope` from the operations log before
|
|
53
|
+
// dispatch. Rows reach peers via normal system-table replication — these operations deliberately
|
|
54
|
+
// do NOT call replicateOperation (op replication on top of table replication would double-apply).
|
|
55
|
+
//
|
|
56
|
+
// All operations are super_user only, enforced in-handler in addition to the requiredPermissions
|
|
57
|
+
// registration: an `operations` allowlist on a role can otherwise delegate SU-only ops (see the
|
|
58
|
+
// gate-2 bypass in utility/operation_authorization.ts), and secret custody must not be delegable.
|
|
59
|
+
const node_fs_1 = require("node:fs");
|
|
60
|
+
const node_path_1 = require("node:path");
|
|
61
|
+
const databases_ts_1 = require("../resources/databases.js");
|
|
62
|
+
const configUtils = __importStar(require("../config/configUtils.js"));
|
|
63
|
+
const terms = __importStar(require("../utility/hdbTerms.js"));
|
|
64
|
+
const hdbError_ts_1 = require("../utility/errors/hdbError.js");
|
|
65
|
+
const harper_logger_ts_1 = __importDefault(require("../utility/logging/harper_logger.js"));
|
|
66
|
+
const validator = __importStar(require("./operationsValidation.js"));
|
|
67
|
+
const secretDecryptor_ts_1 = require("../resources/secretDecryptor.js");
|
|
68
|
+
const secretEnvelope_ts_1 = require("../utility/secretEnvelope.js");
|
|
69
|
+
const envFile_ts_1 = require("../utility/envFile.js");
|
|
70
|
+
const { HTTP_STATUS_CODES } = hdbError_ts_1.hdbErrors;
|
|
71
|
+
const SECRET_TABLE = terms.SYSTEM_TABLE_NAMES.SECRET_TABLE_NAME;
|
|
72
|
+
function requireSuperUser(req) {
|
|
73
|
+
if (!req?.hdb_user?.role?.permission?.super_user) {
|
|
74
|
+
throw new hdbError_ts_1.ClientError(`Operation '${req?.operation}' is restricted to super_user roles`, HTTP_STATUS_CODES.FORBIDDEN);
|
|
75
|
+
}
|
|
76
|
+
}
|
|
77
|
+
function validate(validation) {
|
|
78
|
+
if (validation) {
|
|
79
|
+
throw (0, hdbError_ts_1.handleHDBError)(validation, validation.message, HTTP_STATUS_CODES.BAD_REQUEST);
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
function secretTable() {
|
|
83
|
+
const table = databases_ts_1.databases.system?.[SECRET_TABLE];
|
|
84
|
+
if (!table) {
|
|
85
|
+
throw new hdbError_ts_1.ClientError(`The secrets store is not initialized on this node (system.${SECRET_TABLE} missing). ` +
|
|
86
|
+
`Run upgrade or restart the server to provision the table.`);
|
|
87
|
+
}
|
|
88
|
+
return table;
|
|
89
|
+
}
|
|
90
|
+
// Grants are a set: duplicates would let one revoke leave a residual grant behind, so every write
|
|
91
|
+
// path normalizes through this (including rows that arrived dirty via replication).
|
|
92
|
+
function dedupeGrants(grants) {
|
|
93
|
+
return Array.isArray(grants) ? [...new Set(grants)] : [];
|
|
94
|
+
}
|
|
95
|
+
// Rebuild a plain record from a stored row's known attributes (never spread rows — RecordObject
|
|
96
|
+
// prototype fields don't survive a spread reliably; see DESIGN.md).
|
|
97
|
+
function toRecord(row) {
|
|
98
|
+
return {
|
|
99
|
+
name: row.name,
|
|
100
|
+
envelope: row.envelope,
|
|
101
|
+
kid: row.kid ?? null,
|
|
102
|
+
grants: dedupeGrants(row.grants),
|
|
103
|
+
processEnv: !!row.processEnv,
|
|
104
|
+
metadata: row.metadata ?? {},
|
|
105
|
+
unverified: !!row.unverified,
|
|
106
|
+
updated_by: row.updated_by ?? null,
|
|
107
|
+
};
|
|
108
|
+
}
|
|
109
|
+
// True when a directory with the component's name exists under the components root. Advisory
|
|
110
|
+
// only (audit breadcrumb) — must never block or throw.
|
|
111
|
+
function componentIsKnown(component) {
|
|
112
|
+
try {
|
|
113
|
+
return (0, node_fs_1.existsSync)((0, node_path_1.join)(configUtils.getConfigPath(terms.CONFIG_PARAMS.COMPONENTSROOT), component));
|
|
114
|
+
}
|
|
115
|
+
catch {
|
|
116
|
+
return false;
|
|
117
|
+
}
|
|
118
|
+
}
|
|
119
|
+
// Serialize read-modify-write mutations per secret name. The operations API dispatches these
|
|
120
|
+
// handlers on the MAIN thread only, so an in-process promise chain is sufficient to make the
|
|
121
|
+
// get→mutate→put of set_secret/grant_secret/revoke_secret/delete_secret atomic against local
|
|
122
|
+
// concurrency (without it, overlapping grant/revoke calls can silently drop each other's
|
|
123
|
+
// mutation). Cross-node concurrency remains last-write-wins on the whole row — the known
|
|
124
|
+
// system-table replication semantic.
|
|
125
|
+
const nameLocks = new Map();
|
|
126
|
+
async function withSecretLock(name, fn) {
|
|
127
|
+
const prior = nameLocks.get(name) ?? Promise.resolve();
|
|
128
|
+
const run = prior.then(fn);
|
|
129
|
+
// The stored tail never rejects, so a failed mutation doesn't poison the chain.
|
|
130
|
+
const tail = run.then(() => undefined, () => undefined);
|
|
131
|
+
nameLocks.set(name, tail);
|
|
132
|
+
try {
|
|
133
|
+
return await run;
|
|
134
|
+
}
|
|
135
|
+
finally {
|
|
136
|
+
if (nameLocks.get(name) === tail)
|
|
137
|
+
nameLocks.delete(name);
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
// Structured audit event for every mutation — operation, secret name, and user, never values.
|
|
141
|
+
function notifyMutation(operation, name, req, detail) {
|
|
142
|
+
harper_logger_ts_1.default.notify(`secret mutation: op=${operation} name=${name} user=${req?.hdb_user?.username ?? 'unknown'}${detail ? ` ${detail}` : ''}`);
|
|
143
|
+
}
|
|
144
|
+
/**
|
|
145
|
+
* Upsert a secret. Exactly one of `value` (plaintext, encrypted immediately — requires custody)
|
|
146
|
+
* or `envelope` (`enc:v1:...` ciphertext, encrypted client-side against get_secrets_public_key).
|
|
147
|
+
* `kid` is derived from the envelope server-side; a client-supplied kid field is never trusted.
|
|
148
|
+
* Never returns or logs plaintext.
|
|
149
|
+
*
|
|
150
|
+
* The delivery tier is explicit and mutually exclusive (a process-env secret is already global, so
|
|
151
|
+
* scoping it is meaningless):
|
|
152
|
+
* - `processEnv: true` — materialized into the real `process.env` at component load, inherited by
|
|
153
|
+
* child processes (`.env` semantics). No isolation promise.
|
|
154
|
+
* - `grants: [...]` — scoped: never in `process.env`, exposed only to the listed components via the
|
|
155
|
+
* `secrets` accessor.
|
|
156
|
+
* Both default to the stored row so a value rotation preserves the tier without re-specifying it.
|
|
157
|
+
*/
|
|
158
|
+
async function setSecret(req) {
|
|
159
|
+
requireSuperUser(req);
|
|
160
|
+
validate(validator.setSecretValidator(req));
|
|
161
|
+
const table = secretTable();
|
|
162
|
+
const { name } = req;
|
|
163
|
+
const custody = (0, secretDecryptor_ts_1.getSecretCustody)();
|
|
164
|
+
let envelope;
|
|
165
|
+
let kid;
|
|
166
|
+
let unverified = false;
|
|
167
|
+
if (req.value !== undefined) {
|
|
168
|
+
if (!custody) {
|
|
169
|
+
throw new hdbError_ts_1.ClientError('secrets custody is not initialized on this node');
|
|
170
|
+
}
|
|
171
|
+
const { publicKey, fingerprint } = custody.getPublicKey();
|
|
172
|
+
envelope = envFile_ts_1.ENV_ENCRYPTED_PREFIX + (0, secretEnvelope_ts_1.encryptEnvelope)(req.value, publicKey, fingerprint);
|
|
173
|
+
kid = fingerprint;
|
|
174
|
+
delete req.value; // plaintext is now sealed; drop the reference
|
|
175
|
+
}
|
|
176
|
+
else {
|
|
177
|
+
// Deliberately NEVER decrypted server-side: a decrypt-verify would put the plaintext in
|
|
178
|
+
// this thread's heap, defeating client-side encryption. Ingest checks are structural
|
|
179
|
+
// (marker, base64url JSON, k/iv/ct/tag base64 fields) plus a kid-vs-custody fingerprint
|
|
180
|
+
// match; a tampered-but-well-formed envelope is only caught at consumption time.
|
|
181
|
+
envelope = req.envelope;
|
|
182
|
+
if (!envelope.startsWith(envFile_ts_1.ENV_ENCRYPTED_PREFIX)) {
|
|
183
|
+
throw new hdbError_ts_1.ClientError(`'envelope' must start with '${envFile_ts_1.ENV_ENCRYPTED_PREFIX}'`);
|
|
184
|
+
}
|
|
185
|
+
let fields;
|
|
186
|
+
try {
|
|
187
|
+
fields = (0, secretEnvelope_ts_1.parseEnvelopeFields)(envelope.slice(envFile_ts_1.ENV_ENCRYPTED_PREFIX.length));
|
|
188
|
+
}
|
|
189
|
+
catch (error) {
|
|
190
|
+
throw new hdbError_ts_1.ClientError(`Invalid secret envelope: ${error.message}`);
|
|
191
|
+
}
|
|
192
|
+
kid = fields.kid ?? null;
|
|
193
|
+
if (custody) {
|
|
194
|
+
const { fingerprint } = custody.getPublicKey();
|
|
195
|
+
if (kid !== null && kid !== fingerprint) {
|
|
196
|
+
throw new hdbError_ts_1.ClientError(`Secret envelope kid '${kid}' does not match this cluster's secrets key ` +
|
|
197
|
+
`(expected '${fingerprint}'; fetch it via get_secrets_public_key)`);
|
|
198
|
+
}
|
|
199
|
+
if (kid === null) {
|
|
200
|
+
// No sealed kid to check against custody — accept, but surface it in list_secrets.
|
|
201
|
+
unverified = true;
|
|
202
|
+
harper_logger_ts_1.default.warn(`set_secret '${name}': envelope carries no kid; accepted without key-identity verification`);
|
|
203
|
+
}
|
|
204
|
+
}
|
|
205
|
+
else {
|
|
206
|
+
// No custody on this node: accept, but mark the row so a bad envelope is visible in
|
|
207
|
+
// list_secrets instead of silently failing later.
|
|
208
|
+
unverified = true;
|
|
209
|
+
harper_logger_ts_1.default.warn(`set_secret '${name}': envelope accepted without verification (no secrets custody registered on this node)`);
|
|
210
|
+
}
|
|
211
|
+
}
|
|
212
|
+
return withSecretLock(name, async () => {
|
|
213
|
+
const existing = await table.get(name);
|
|
214
|
+
const processEnv = req.processEnv ?? existing?.processEnv ?? false;
|
|
215
|
+
const grants = dedupeGrants(req.grants ?? existing?.grants);
|
|
216
|
+
if (processEnv && grants.length > 0) {
|
|
217
|
+
throw new hdbError_ts_1.ClientError(`Secret '${name}' cannot be both processEnv and grant-scoped — a processEnv secret is global. ` +
|
|
218
|
+
`Set processEnv:false to scope it with grants, or omit grants.`);
|
|
219
|
+
}
|
|
220
|
+
await table.put({
|
|
221
|
+
name,
|
|
222
|
+
envelope,
|
|
223
|
+
kid,
|
|
224
|
+
grants: processEnv ? [] : grants,
|
|
225
|
+
processEnv,
|
|
226
|
+
metadata: req.metadata ?? existing?.metadata ?? {},
|
|
227
|
+
unverified,
|
|
228
|
+
updated_by: req.hdb_user?.username ?? null,
|
|
229
|
+
});
|
|
230
|
+
notifyMutation(terms.OPERATIONS_ENUM.SET_SECRET, name, req, unverified ? 'unverified=true' : undefined);
|
|
231
|
+
return { name, kid, created: existing == null };
|
|
232
|
+
});
|
|
233
|
+
}
|
|
234
|
+
async function mutateGrants(req, grant) {
|
|
235
|
+
requireSuperUser(req);
|
|
236
|
+
validate(validator.grantSecretValidator(req));
|
|
237
|
+
const table = secretTable();
|
|
238
|
+
return withSecretLock(req.name, async () => {
|
|
239
|
+
const row = await table.get(req.name);
|
|
240
|
+
if (!row) {
|
|
241
|
+
throw new hdbError_ts_1.ClientError(`No secret found with name '${req.name}'`, HTTP_STATUS_CODES.NOT_FOUND);
|
|
242
|
+
}
|
|
243
|
+
const record = toRecord(row); // record.grants comes back deduped
|
|
244
|
+
// A processEnv secret is global; granting/revoking a component scope is contradictory. Revoke
|
|
245
|
+
// is a no-op on an already-empty grants list, so only the grant path needs to reject loudly.
|
|
246
|
+
if (grant && record.processEnv) {
|
|
247
|
+
throw new hdbError_ts_1.ClientError(`Secret '${req.name}' is a processEnv (global) secret and cannot be scoped to a component. ` +
|
|
248
|
+
`Re-run set_secret with processEnv:false to convert it to a scoped secret first.`);
|
|
249
|
+
}
|
|
250
|
+
const present = record.grants.includes(req.component);
|
|
251
|
+
const storedLength = Array.isArray(row.grants) ? row.grants.length : 0;
|
|
252
|
+
// No-op short-circuit: nothing to write, nothing to audit, no updated_by/__updatedtime__
|
|
253
|
+
// bump. A stored row with duplicate grants (dirty state) is NOT a no-op — falling through
|
|
254
|
+
// persists the normalized set.
|
|
255
|
+
if ((grant ? present : !present) && record.grants.length === storedLength) {
|
|
256
|
+
return { name: req.name, grants: record.grants, changed: false };
|
|
257
|
+
}
|
|
258
|
+
if (grant && !present)
|
|
259
|
+
record.grants.push(req.component);
|
|
260
|
+
// Remove every occurrence — with the dedupe this is belt-and-braces against dirty rows.
|
|
261
|
+
if (!grant)
|
|
262
|
+
record.grants = record.grants.filter((component) => component !== req.component);
|
|
263
|
+
record.updated_by = req.hdb_user?.username ?? null;
|
|
264
|
+
await table.put(record);
|
|
265
|
+
// Granting to a not-yet-deployed component is legal (grants may precede the deploy), but an
|
|
266
|
+
// unknown name is worth a breadcrumb in the audit event — it is usually a typo.
|
|
267
|
+
let detail = `component=${req.component}`;
|
|
268
|
+
if (grant && !componentIsKnown(req.component))
|
|
269
|
+
detail += ' component_known=false';
|
|
270
|
+
notifyMutation(grant ? terms.OPERATIONS_ENUM.GRANT_SECRET : terms.OPERATIONS_ENUM.REVOKE_SECRET, req.name, req, detail);
|
|
271
|
+
return { name: req.name, grants: record.grants, changed: true };
|
|
272
|
+
});
|
|
273
|
+
}
|
|
274
|
+
/** Add a component to a secret's grants list (idempotent). */
|
|
275
|
+
function grantSecret(req) {
|
|
276
|
+
return mutateGrants(req, true);
|
|
277
|
+
}
|
|
278
|
+
/** Remove a component from a secret's grants list (idempotent). */
|
|
279
|
+
function revokeSecret(req) {
|
|
280
|
+
return mutateGrants(req, false);
|
|
281
|
+
}
|
|
282
|
+
/**
|
|
283
|
+
* List secret metadata: never envelopes, never values. Includes the node's current custody
|
|
284
|
+
* fingerprint (null when custody is absent) and a per-row kid_matches_custody flag so stale rows
|
|
285
|
+
* on a cloned/rekeyed node are immediately visible.
|
|
286
|
+
*/
|
|
287
|
+
async function listSecrets(req) {
|
|
288
|
+
requireSuperUser(req);
|
|
289
|
+
const table = secretTable();
|
|
290
|
+
const custody = (0, secretDecryptor_ts_1.getSecretCustody)();
|
|
291
|
+
const custodyFingerprint = custody ? custody.getPublicKey().fingerprint : null;
|
|
292
|
+
const secrets = [];
|
|
293
|
+
for await (const row of table.search([])) {
|
|
294
|
+
secrets.push({
|
|
295
|
+
name: row.name,
|
|
296
|
+
kid: row.kid ?? null,
|
|
297
|
+
grants: Array.isArray(row.grants) ? [...row.grants] : [],
|
|
298
|
+
processEnv: !!row.processEnv,
|
|
299
|
+
metadata: row.metadata ?? {},
|
|
300
|
+
unverified: !!row.unverified,
|
|
301
|
+
updated_by: row.updated_by ?? null,
|
|
302
|
+
__createdtime__: row.__createdtime__,
|
|
303
|
+
__updatedtime__: row.__updatedtime__,
|
|
304
|
+
kid_matches_custody: custodyFingerprint !== null && row.kid === custodyFingerprint,
|
|
305
|
+
});
|
|
306
|
+
}
|
|
307
|
+
secrets.sort((a, b) => String(a.name).localeCompare(String(b.name)));
|
|
308
|
+
return { secrets, custody_fingerprint: custodyFingerprint };
|
|
309
|
+
}
|
|
310
|
+
/** Delete a secret row. Not cryptographic erasure — audit/txn logs and backups retain envelopes. */
|
|
311
|
+
async function deleteSecret(req) {
|
|
312
|
+
requireSuperUser(req);
|
|
313
|
+
validate(validator.deleteSecretValidator(req));
|
|
314
|
+
const table = secretTable();
|
|
315
|
+
return withSecretLock(req.name, async () => {
|
|
316
|
+
const row = await table.get(req.name);
|
|
317
|
+
if (!row) {
|
|
318
|
+
throw new hdbError_ts_1.ClientError(`No secret found with name '${req.name}'`, HTTP_STATUS_CODES.NOT_FOUND);
|
|
319
|
+
}
|
|
320
|
+
await table.delete(req.name);
|
|
321
|
+
notifyMutation(terms.OPERATIONS_ENUM.DELETE_SECRET, req.name, req);
|
|
322
|
+
return { message: `Successfully deleted secret '${req.name}'` };
|
|
323
|
+
});
|
|
324
|
+
}
|
|
325
|
+
/** The cluster secrets public key, for client-side envelope encryption. */
|
|
326
|
+
function getSecretsPublicKey(req) {
|
|
327
|
+
requireSuperUser(req);
|
|
328
|
+
const custody = (0, secretDecryptor_ts_1.getSecretCustody)();
|
|
329
|
+
if (!custody) {
|
|
330
|
+
throw new hdbError_ts_1.ClientError('secrets custody is not initialized on this node');
|
|
331
|
+
}
|
|
332
|
+
const { publicKey, fingerprint } = custody.getPublicKey();
|
|
333
|
+
return { public_key: publicKey, fingerprint };
|
|
334
|
+
}
|
|
335
|
+
/**
|
|
336
|
+
* Deterministic name for the auto-minted secret backing a literal registry token: keyed by the
|
|
337
|
+
* deploying component and the registry, so re-supplying (or rotating) the token on a later deploy
|
|
338
|
+
* overwrites the same row rather than accumulating one per deploy. Sanitized to the set_secret name
|
|
339
|
+
* grammar (`\w.-`), since a registry can carry a scheme, port, or path.
|
|
340
|
+
*/
|
|
341
|
+
function deriveRegistrySecretName(component, registry) {
|
|
342
|
+
const registryKey = registry
|
|
343
|
+
.trim()
|
|
344
|
+
.replace(/^https?:\/\//i, '')
|
|
345
|
+
.replace(/^\/\//, '')
|
|
346
|
+
.replace(/\/+$/, '')
|
|
347
|
+
.toLowerCase()
|
|
348
|
+
.replace(/[^\w.-]+/g, '_');
|
|
349
|
+
const componentKey = String(component).replace(/[^\w.-]+/g, '_');
|
|
350
|
+
return `deploy.${componentKey}.${registryKey}`;
|
|
351
|
+
}
|
|
352
|
+
/**
|
|
353
|
+
* Ingest deploy_component `registryAuth` into the secrets store so a provided registry token lives
|
|
354
|
+
* as ciphertext in the replicated, audited `hdb_secret` store (reference, not embed) rather than
|
|
355
|
+
* travelling in the operation body. Returns the entries in reference form (`{ registry, secret }`).
|
|
356
|
+
*
|
|
357
|
+
* - A literal `{ registry, token }` entry is encrypted (via `set_secret`, custody required) under a
|
|
358
|
+
* derived name granted to `component`, and returned as a reference. Overwrites an existing
|
|
359
|
+
* derived row so token rotation is idempotent.
|
|
360
|
+
* - An already-reference `{ registry, secret }` entry passes through unchanged (peers re-running a
|
|
361
|
+
* replicated deploy already carry references — they never re-ingest).
|
|
362
|
+
* - With no custody on this node (OSS core, or key not held here), literal tokens CANNOT be sealed;
|
|
363
|
+
* they pass through untouched so the caller can fall back to the transient, this-node-only path.
|
|
364
|
+
* The reference-form result therefore contains only entries the caller may persist and replicate.
|
|
365
|
+
*
|
|
366
|
+
* Runs on the deploying main thread where custody is registered.
|
|
367
|
+
*/
|
|
368
|
+
async function ingestRegistryAuth(req, registryAuth, component) {
|
|
369
|
+
if (!Array.isArray(registryAuth) || registryAuth.length === 0)
|
|
370
|
+
return registryAuth ?? [];
|
|
371
|
+
const custody = (0, secretDecryptor_ts_1.getSecretCustody)();
|
|
372
|
+
const out = [];
|
|
373
|
+
for (const entry of registryAuth) {
|
|
374
|
+
// Already a reference (or nothing to seal without custody): leave as-is.
|
|
375
|
+
if (entry.secret !== undefined || !custody) {
|
|
376
|
+
out.push(entry);
|
|
377
|
+
continue;
|
|
378
|
+
}
|
|
379
|
+
const name = deriveRegistrySecretName(component, entry.registry);
|
|
380
|
+
// Reuse set_secret's seal-and-store path (encrypt with custody, grant to the component, audit
|
|
381
|
+
// the mutation). The deploy request is already super_user, which set_secret requires.
|
|
382
|
+
await setSecret({
|
|
383
|
+
operation: terms.OPERATIONS_ENUM.SET_SECRET,
|
|
384
|
+
hdb_user: req?.hdb_user,
|
|
385
|
+
name,
|
|
386
|
+
value: entry.token,
|
|
387
|
+
grants: [component],
|
|
388
|
+
processEnv: false,
|
|
389
|
+
});
|
|
390
|
+
out.push(entry.scope === undefined
|
|
391
|
+
? { registry: entry.registry, secret: name }
|
|
392
|
+
: { registry: entry.registry, secret: name, scope: entry.scope });
|
|
393
|
+
}
|
|
394
|
+
return out;
|
|
395
|
+
}
|
|
396
|
+
/** Wait (bounded) for a secret row to appear — covers the replicated-deploy race where a peer runs
|
|
397
|
+
* the deploy before the origin's hdb_secret row has replicated in. */
|
|
398
|
+
async function waitForSecretRow(table, name, waitMs) {
|
|
399
|
+
const deadline = Date.now() + waitMs;
|
|
400
|
+
let row = await table.get(name);
|
|
401
|
+
while (!row && Date.now() < deadline) {
|
|
402
|
+
await new Promise((resolve) => setTimeout(resolve, Math.min(200, Math.max(1, waitMs))));
|
|
403
|
+
row = await table.get(name);
|
|
404
|
+
}
|
|
405
|
+
return row;
|
|
406
|
+
}
|
|
407
|
+
/**
|
|
408
|
+
* Resolve deploy_component `registryAuth` entries that reference a stored secret
|
|
409
|
+
* (`{ registry, secret }`) into concrete token entries (`{ registry, token }`) by decrypting the
|
|
410
|
+
* named hdb_secret row on this thread. Entries that already carry a literal `token` pass through
|
|
411
|
+
* unchanged, so this is a no-op for the token-only fallback form.
|
|
412
|
+
*
|
|
413
|
+
* This is intentionally NOT a `get_secret` operation — the store never returns plaintext across the
|
|
414
|
+
* API boundary. The resolved token is handed back to the install path in-memory, fed to the
|
|
415
|
+
* transient .npmrc, and never written back to the request body, replicated, or logged.
|
|
416
|
+
*
|
|
417
|
+
* Authority mirrors the accessor model (#1550): the referenced secret must be usable by the
|
|
418
|
+
* component being deployed — either a `processEnv` (global) secret or a scoped secret granted to
|
|
419
|
+
* `component`. Without that, the deploy path would let a super_user pull an arbitrary scoped secret
|
|
420
|
+
* into an .npmrc, sidestepping the grant that is the store's authority. A missing row, missing
|
|
421
|
+
* grant, absent custody, or decrypt failure throws a ClientError naming the precise reason.
|
|
422
|
+
*
|
|
423
|
+
* `options.waitMs` gives a bounded grace period for a referenced row to replicate in (used on the
|
|
424
|
+
* peer side of a replicated deploy, where the deploy op can arrive just ahead of the hdb_secret
|
|
425
|
+
* row); it defaults to 0 (the origin wrote the row before it resolves, so no wait is needed).
|
|
426
|
+
*
|
|
427
|
+
* Runs on the main thread, where the operations API dispatches deploys and the Pro secrets
|
|
428
|
+
* component registers custody — the same place set_secret decrypts. On a node without custody
|
|
429
|
+
* (OSS core, or a custody key not held here) a referenced secret cannot be resolved and the deploy
|
|
430
|
+
* fails loudly rather than silently installing without auth.
|
|
431
|
+
*/
|
|
432
|
+
async function resolveRegistryAuth(registryAuth, component, options = {}) {
|
|
433
|
+
if (!Array.isArray(registryAuth) || registryAuth.length === 0)
|
|
434
|
+
return registryAuth;
|
|
435
|
+
// Token-only requests must not require custody or a provisioned store — keep the fast path pure.
|
|
436
|
+
if (!registryAuth.some((entry) => entry && entry.secret !== undefined))
|
|
437
|
+
return registryAuth;
|
|
438
|
+
const waitMs = options.waitMs ?? 0;
|
|
439
|
+
const table = secretTable();
|
|
440
|
+
const resolved = [];
|
|
441
|
+
for (const entry of registryAuth) {
|
|
442
|
+
if (!entry)
|
|
443
|
+
continue; // parity with the fast-path guard above; validated entries are never null
|
|
444
|
+
if (entry.secret === undefined) {
|
|
445
|
+
resolved.push({ registry: entry.registry, token: entry.token, scope: entry.scope });
|
|
446
|
+
continue;
|
|
447
|
+
}
|
|
448
|
+
const name = entry.secret;
|
|
449
|
+
const row = waitMs > 0 ? await waitForSecretRow(table, name, waitMs) : await table.get(name);
|
|
450
|
+
if (!row) {
|
|
451
|
+
throw new hdbError_ts_1.ClientError(`registryAuth references secret '${name}', which does not exist`, HTTP_STATUS_CODES.NOT_FOUND);
|
|
452
|
+
}
|
|
453
|
+
const grants = Array.isArray(row.grants) ? row.grants : [];
|
|
454
|
+
if (!row.processEnv && !grants.includes(component)) {
|
|
455
|
+
throw new hdbError_ts_1.ClientError(`registryAuth secret '${name}' is not granted to component '${component}' ` +
|
|
456
|
+
`(grant it with grant_secret, or set it processEnv:true)`, HTTP_STATUS_CODES.FORBIDDEN);
|
|
457
|
+
}
|
|
458
|
+
const custody = (0, secretDecryptor_ts_1.getSecretCustody)();
|
|
459
|
+
if (!custody) {
|
|
460
|
+
// Server-state condition, not a client-fixable request: the same body would resolve once
|
|
461
|
+
// custody comes up, so report it retryable (503) rather than the ClientError default 400.
|
|
462
|
+
throw new hdbError_ts_1.ClientError(`secrets custody is not initialized on this node; cannot resolve registryAuth secret '${name}'`, HTTP_STATUS_CODES.SERVICE_UNAVAILABLE);
|
|
463
|
+
}
|
|
464
|
+
let token;
|
|
465
|
+
try {
|
|
466
|
+
token = custody.decrypt(row.envelope);
|
|
467
|
+
}
|
|
468
|
+
catch (error) {
|
|
469
|
+
throw new hdbError_ts_1.ClientError(`Failed to decrypt registryAuth secret '${name}': ${error.message}`, HTTP_STATUS_CODES.INTERNAL_SERVER_ERROR);
|
|
470
|
+
}
|
|
471
|
+
resolved.push({ registry: entry.registry, token, scope: entry.scope });
|
|
472
|
+
}
|
|
473
|
+
return resolved;
|
|
474
|
+
}
|
|
475
|
+
//# sourceMappingURL=secretOperations.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"secretOperations.js","sourceRoot":"","sources":["../../components/secretOperations.ts"],"names":[],"mappings":"AAAA,YAAY,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkIb,8BAiFC;AAiDD,kCAEC;AAGD,oCAEC;AAOD,kCAuBC;AAGD,oCAcC;AAGD,kDAQC;AAsBD,4DAUC;AAkBD,gDA4BC;AAuCD,kDAuDC;AA/eD,sFAAsF;AACtF,EAAE;AACF,2FAA2F;AAC3F,4FAA4F;AAC5F,8FAA8F;AAC9F,iGAAiG;AACjG,kGAAkG;AAClG,EAAE;AACF,iGAAiG;AACjG,gGAAgG;AAChG,kGAAkG;AAElG,qCAAqC;AACrC,yCAAiC;AACjC,4DAAsD;AACtD,sEAAwD;AACxD,8DAAgD;AAChD,+DAAuF;AACvF,2FAAyD;AACzD,qEAAuD;AACvD,wEAAmE;AACnE,oEAAoF;AACpF,sDAA6D;AAE7D,MAAM,EAAE,iBAAiB,EAAE,GAAG,uBAAS,CAAC;AACxC,MAAM,YAAY,GAAG,KAAK,CAAC,kBAAkB,CAAC,iBAAiB,CAAC;AAEhE,SAAS,gBAAgB,CAAC,GAAQ;IACjC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;QAClD,MAAM,IAAI,yBAAW,CACpB,cAAc,GAAG,EAAE,SAAS,qCAAqC,EACjE,iBAAiB,CAAC,SAAS,CAC3B,CAAC;IACH,CAAC;AACF,CAAC;AAED,SAAS,QAAQ,CAAC,UAAe;IAChC,IAAI,UAAU,EAAE,CAAC;QAChB,MAAM,IAAA,4BAAc,EAAC,UAAU,EAAE,UAAU,CAAC,OAAO,EAAE,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACrF,CAAC;AACF,CAAC;AAED,SAAS,WAAW;IACnB,MAAM,KAAK,GAAI,wBAAiB,CAAC,MAAM,EAAE,CAAC,YAAY,CAAC,CAAC;IACxD,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,MAAM,IAAI,yBAAW,CACpB,6DAA6D,YAAY,aAAa;YACrF,2DAA2D,CAC5D,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED,kGAAkG;AAClG,oFAAoF;AACpF,SAAS,YAAY,CAAC,MAAW;IAChC,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAC1D,CAAC;AAED,gGAAgG;AAChG,oEAAoE;AACpE,SAAS,QAAQ,CAAC,GAAQ;IACzB,OAAO;QACN,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,GAAG,EAAE,GAAG,CAAC,GAAG,IAAI,IAAI;QACpB,MAAM,EAAE,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC;QAChC,UAAU,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU;QAC5B,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,EAAE;QAC5B,UAAU,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU;QAC5B,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,IAAI;KAClC,CAAC;AACH,CAAC;AAED,6FAA6F;AAC7F,uDAAuD;AACvD,SAAS,gBAAgB,CAAC,SAAiB;IAC1C,IAAI,CAAC;QACJ,OAAO,IAAA,oBAAU,EAAC,IAAA,gBAAI,EAAC,WAAW,CAAC,aAAa,CAAC,KAAK,CAAC,aAAa,CAAC,cAAc,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IACnG,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,KAAK,CAAC;IACd,CAAC;AACF,CAAC;AAED,6FAA6F;AAC7F,6FAA6F;AAC7F,6FAA6F;AAC7F,yFAAyF;AACzF,yFAAyF;AACzF,qCAAqC;AACrC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAyB,CAAC;AACnD,KAAK,UAAU,cAAc,CAAI,IAAY,EAAE,EAAoB;IAClE,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IACvD,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3B,gFAAgF;IAChF,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CACpB,GAAG,EAAE,CAAC,SAAS,EACf,GAAG,EAAE,CAAC,SAAS,CACf,CAAC;IACF,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC1B,IAAI,CAAC;QACJ,OAAO,MAAM,GAAG,CAAC;IAClB,CAAC;YAAS,CAAC;QACV,IAAI,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;YAAE,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1D,CAAC;AACF,CAAC;AAED,8FAA8F;AAC9F,SAAS,cAAc,CAAC,SAAiB,EAAE,IAAY,EAAE,GAAQ,EAAE,MAAe;IACjF,0BAAM,CAAC,MAAM,CACZ,uBAAuB,SAAS,SAAS,IAAI,SAAS,GAAG,EAAE,QAAQ,EAAE,QAAQ,IAAI,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CACzH,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACI,KAAK,UAAU,SAAS,CAAC,GAAQ;IACvC,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACtB,QAAQ,CAAC,SAAS,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC;IAE5C,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;IAC5B,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;IACrB,MAAM,OAAO,GAAG,IAAA,qCAAgB,GAAE,CAAC;IACnC,IAAI,QAAgB,CAAC;IACrB,IAAI,GAAkB,CAAC;IACvB,IAAI,UAAU,GAAG,KAAK,CAAC;IAEvB,IAAI,GAAG,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,IAAI,yBAAW,CAAC,iDAAiD,CAAC,CAAC;QAC1E,CAAC;QACD,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;QAC1D,QAAQ,GAAG,iCAAoB,GAAG,IAAA,mCAAe,EAAC,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;QACrF,GAAG,GAAG,WAAW,CAAC;QAClB,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,8CAA8C;IACjE,CAAC;SAAM,CAAC;QACP,wFAAwF;QACxF,qFAAqF;QACrF,wFAAwF;QACxF,iFAAiF;QACjF,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,iCAAoB,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,yBAAW,CAAC,+BAA+B,iCAAoB,GAAG,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,MAAM,CAAC;QACX,IAAI,CAAC;YACJ,MAAM,GAAG,IAAA,uCAAmB,EAAC,QAAQ,CAAC,KAAK,CAAC,iCAAoB,CAAC,MAAM,CAAC,CAAC,CAAC;QAC3E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,yBAAW,CAAC,4BAA6B,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/E,CAAC;QACD,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC;QACzB,IAAI,OAAO,EAAE,CAAC;YACb,MAAM,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;YAC/C,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;gBACzC,MAAM,IAAI,yBAAW,CACpB,wBAAwB,GAAG,8CAA8C;oBACxE,cAAc,WAAW,yCAAyC,CACnE,CAAC;YACH,CAAC;YACD,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBAClB,mFAAmF;gBACnF,UAAU,GAAG,IAAI,CAAC;gBAClB,0BAAM,CAAC,IAAI,CAAC,eAAe,IAAI,wEAAwE,CAAC,CAAC;YAC1G,CAAC;QACF,CAAC;aAAM,CAAC;YACP,oFAAoF;YACpF,kDAAkD;YAClD,UAAU,GAAG,IAAI,CAAC;YAClB,0BAAM,CAAC,IAAI,CACV,eAAe,IAAI,wFAAwF,CAC3G,CAAC;QACH,CAAC;IACF,CAAC;IAED,OAAO,cAAc,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,IAAI,QAAQ,EAAE,UAAU,IAAI,KAAK,CAAC;QACnE,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,IAAI,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC5D,IAAI,UAAU,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,yBAAW,CACpB,WAAW,IAAI,gFAAgF;gBAC9F,+DAA+D,CAChE,CAAC;QACH,CAAC;QACD,MAAM,KAAK,CAAC,GAAG,CAAC;YACf,IAAI;YACJ,QAAQ;YACR,GAAG;YACH,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM;YAChC,UAAU;YACV,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,QAAQ,EAAE,QAAQ,IAAI,EAAE;YAClD,UAAU;YACV,UAAU,EAAE,GAAG,CAAC,QAAQ,EAAE,QAAQ,IAAI,IAAI;SAC1C,CAAC,CAAC;QACH,cAAc,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,EAAE,IAAI,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QACxG,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,IAAI,IAAI,EAAE,CAAC;IACjD,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,GAAQ,EAAE,KAAc;IACnD,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACtB,QAAQ,CAAC,SAAS,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC;IAE9C,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;IAC5B,OAAO,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE;QAC1C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,yBAAW,CAAC,8BAA8B,GAAG,CAAC,IAAI,GAAG,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC/F,CAAC;QACD,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,mCAAmC;QACjE,8FAA8F;QAC9F,6FAA6F;QAC7F,IAAI,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YAChC,MAAM,IAAI,yBAAW,CACpB,WAAW,GAAG,CAAC,IAAI,yEAAyE;gBAC3F,iFAAiF,CAClF,CAAC;QACH,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACvE,yFAAyF;QACzF,0FAA0F;QAC1F,+BAA+B;QAC/B,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;YAC3E,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAClE,CAAC;QACD,IAAI,KAAK,IAAI,CAAC,OAAO;YAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACzD,wFAAwF;QACxF,IAAI,CAAC,KAAK;YAAE,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,KAAK,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7F,MAAM,CAAC,UAAU,GAAG,GAAG,CAAC,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAAC;QACnD,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACxB,4FAA4F;QAC5F,gFAAgF;QAChF,IAAI,MAAM,GAAG,aAAa,GAAG,CAAC,SAAS,EAAE,CAAC;QAC1C,IAAI,KAAK,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC;YAAE,MAAM,IAAI,wBAAwB,CAAC;QAClF,cAAc,CACb,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,EAChF,GAAG,CAAC,IAAI,EACR,GAAG,EACH,MAAM,CACN,CAAC;QACF,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACjE,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,8DAA8D;AAC9D,SAAgB,WAAW,CAAC,GAAQ;IACnC,OAAO,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AAChC,CAAC;AAED,mEAAmE;AACnE,SAAgB,YAAY,CAAC,GAAQ;IACpC,OAAO,YAAY,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AACjC,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,WAAW,CAAC,GAAQ;IACzC,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAEtB,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,IAAA,qCAAgB,GAAE,CAAC;IACnC,MAAM,kBAAkB,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/E,MAAM,OAAO,GAAU,EAAE,CAAC;IAC1B,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;QAC1C,OAAO,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,GAAG,EAAE,GAAG,CAAC,GAAG,IAAI,IAAI;YACpB,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE;YACxD,UAAU,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU;YAC5B,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,EAAE;YAC5B,UAAU,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU;YAC5B,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,IAAI;YAClC,eAAe,EAAE,GAAG,CAAC,eAAe;YACpC,eAAe,EAAE,GAAG,CAAC,eAAe;YACpC,mBAAmB,EAAE,kBAAkB,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,kBAAkB;SAClF,CAAC,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACrE,OAAO,EAAE,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,CAAC;AAC7D,CAAC;AAED,oGAAoG;AAC7F,KAAK,UAAU,YAAY,CAAC,GAAQ;IAC1C,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACtB,QAAQ,CAAC,SAAS,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC,CAAC;IAE/C,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;IAC5B,OAAO,cAAc,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE;QAC1C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,yBAAW,CAAC,8BAA8B,GAAG,CAAC,IAAI,GAAG,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC/F,CAAC;QACD,MAAM,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7B,cAAc,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACnE,OAAO,EAAE,OAAO,EAAE,gCAAgC,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC;IACjE,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,2EAA2E;AAC3E,SAAgB,mBAAmB,CAAC,GAAQ;IAC3C,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACtB,MAAM,OAAO,GAAG,IAAA,qCAAgB,GAAE,CAAC;IACnC,IAAI,CAAC,OAAO,EAAE,CAAC;QACd,MAAM,IAAI,yBAAW,CAAC,iDAAiD,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAC1D,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;AAC/C,CAAC;AAgBD;;;;;GAKG;AACH,SAAgB,wBAAwB,CAAC,SAAiB,EAAE,QAAgB;IAC3E,MAAM,WAAW,GAAG,QAAQ;SAC1B,IAAI,EAAE;SACN,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;SAC5B,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;SACpB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,WAAW,EAAE;SACb,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IAC5B,MAAM,YAAY,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IACjE,OAAO,UAAU,YAAY,IAAI,WAAW,EAAE,CAAC;AAChD,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACI,KAAK,UAAU,kBAAkB,CAAC,GAAQ,EAAE,YAA+B,EAAE,SAAiB;IACpG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,YAAY,IAAI,EAAE,CAAC;IACzF,MAAM,OAAO,GAAG,IAAA,qCAAgB,GAAE,CAAC;IACnC,MAAM,GAAG,GAAU,EAAE,CAAC;IACtB,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QAClC,yEAAyE;QACzE,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5C,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAChB,SAAS;QACV,CAAC;QACD,MAAM,IAAI,GAAG,wBAAwB,CAAC,SAAS,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;QACjE,8FAA8F;QAC9F,sFAAsF;QACtF,MAAM,SAAS,CAAC;YACf,SAAS,EAAE,KAAK,CAAC,eAAe,CAAC,UAAU;YAC3C,QAAQ,EAAE,GAAG,EAAE,QAAQ;YACvB,IAAI;YACJ,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,MAAM,EAAE,CAAC,SAAS,CAAC;YACnB,UAAU,EAAE,KAAK;SACjB,CAAC,CAAC;QACH,GAAG,CAAC,IAAI,CACP,KAAK,CAAC,KAAK,KAAK,SAAS;YACxB,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE;YAC5C,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CACjE,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACZ,CAAC;AAED;sEACsE;AACtE,KAAK,UAAU,gBAAgB,CAAC,KAAU,EAAE,IAAY,EAAE,MAAc;IACvE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;IACrC,IAAI,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACxF,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACI,KAAK,UAAU,mBAAmB,CACxC,YAA+B,EAC/B,SAAiB,EACjB,UAA+B,EAAE;IAEjC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,YAAY,CAAC;IACnF,iGAAiG;IACjG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC;QAAE,OAAO,YAAY,CAAC;IAE5F,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;IAC5B,MAAM,QAAQ,GAAgC,EAAE,CAAC;IACjD,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QAClC,IAAI,CAAC,KAAK;YAAE,SAAS,CAAC,0EAA0E;QAChG,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACpF,SAAS;QACV,CAAC;QACD,MAAM,IAAI,GAAW,KAAK,CAAC,MAAM,CAAC;QAClC,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,gBAAgB,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7F,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,yBAAW,CACpB,mCAAmC,IAAI,yBAAyB,EAChE,iBAAiB,CAAC,SAAS,CAC3B,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,yBAAW,CACpB,wBAAwB,IAAI,kCAAkC,SAAS,IAAI;gBAC1E,yDAAyD,EAC1D,iBAAiB,CAAC,SAAS,CAC3B,CAAC;QACH,CAAC;QACD,MAAM,OAAO,GAAG,IAAA,qCAAgB,GAAE,CAAC;QACnC,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,yFAAyF;YACzF,0FAA0F;YAC1F,MAAM,IAAI,yBAAW,CACpB,wFAAwF,IAAI,GAAG,EAC/F,iBAAiB,CAAC,mBAAmB,CACrC,CAAC;QACH,CAAC;QACD,IAAI,KAAa,CAAC;QAClB,IAAI,CAAC;YACJ,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,yBAAW,CACpB,0CAA0C,IAAI,MAAO,KAAe,CAAC,OAAO,EAAE,EAC9E,iBAAiB,CAAC,qBAAqB,CACvC,CAAC;QACH,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,QAAQ,CAAC;AACjB,CAAC"}
|
|
@@ -64,7 +64,10 @@ export declare function getConfiguration(): any;
|
|
|
64
64
|
* @param setConfigJson
|
|
65
65
|
|
|
66
66
|
*/
|
|
67
|
-
export declare function setConfiguration(setConfigJson: any): Promise<
|
|
67
|
+
export declare function setConfiguration(setConfigJson: any): Promise<{
|
|
68
|
+
message: string;
|
|
69
|
+
replicated?: unknown[];
|
|
70
|
+
} | "Configuration successfully set. You must restart Harper for new config settings to take effect.">;
|
|
68
71
|
export declare function readConfigFile(): any;
|
|
69
72
|
/**
|
|
70
73
|
* This function reads config settings from old settings file(before 4.0.0), aligns old keys to new keys, gets old
|
|
@@ -768,9 +768,26 @@ function getConfiguration() {
|
|
|
768
768
|
*/
|
|
769
769
|
async function setConfiguration(setConfigJson) {
|
|
770
770
|
// eslint-disable-next-line no-unused-vars
|
|
771
|
-
const { operation, hdb_user, hdbAuthHeader, ...configFields } = setConfigJson;
|
|
771
|
+
const { operation, hdb_user, hdbAuthHeader, replicated, ...configFields } = setConfigJson;
|
|
772
|
+
// Operation-control field, not a config param: enforce boolean (matching other
|
|
773
|
+
// `replicated` surfaces, e.g. analyticsValidator) before any local write so a
|
|
774
|
+
// malformed value like the string "false" — which is truthy — can't apply config
|
|
775
|
+
// locally or trigger an unintended fan-out.
|
|
776
|
+
if (replicated !== undefined && typeof replicated !== 'boolean') {
|
|
777
|
+
throw (0, hdbError_ts_1.handleHDBError)(new Error(), `'replicated' must be a boolean`, commonErrors_ts_1.HTTP_STATUS_CODES.BAD_REQUEST, undefined, undefined, true);
|
|
778
|
+
}
|
|
772
779
|
try {
|
|
773
780
|
updateConfigValue(undefined, undefined, configFields, true);
|
|
781
|
+
if (replicated) {
|
|
782
|
+
// Opt-in fan-out to all cluster nodes (#660). replicateOperation forwards the
|
|
783
|
+
// body with `replicated: false`, so peers apply locally without re-replicating;
|
|
784
|
+
// per-node outcomes are returned on `response.replicated`. `replicated` must
|
|
785
|
+
// stay out of configFields on both origin and peers, or it would be written to
|
|
786
|
+
// the config file as a config param.
|
|
787
|
+
const response = await Server_ts_1.server.replication.replicateOperation(setConfigJson);
|
|
788
|
+
response.message = CONFIGURE_SUCCESS_RESPONSE;
|
|
789
|
+
return response;
|
|
790
|
+
}
|
|
774
791
|
return CONFIGURE_SUCCESS_RESPONSE;
|
|
775
792
|
}
|
|
776
793
|
catch (err) {
|