npm - vaultkeeper - Versions diffs - 0.3.0 → 1.0.0 - Mend

vaultkeeper 0.3.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.cjs +170 -1
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +183 -2
package/dist/index.d.ts +183 -2
package/dist/index.js +170 -2
package/dist/index.js.map +1 -1
package/dist/one-password-worker.js +80 -0
package/dist/one-password-worker.js.map +1 -0
package/package.json +2 -1

package/dist/index.js CHANGED Viewed

@@ -3,6 +3,7 @@ import * as fs5 from 'fs/promises';
 import * as path5 from 'path';
 import * as os4 from 'os';
 import * as crypto4 from 'crypto';
+import 'url';
 import * as fs4 from 'fs';
 import { CompactEncrypt, compactDecrypt } from 'jose';
@@ -136,6 +137,22 @@ var IdentityMismatchError = class extends VaultError {
     this.currentHash = currentHash;
   }
 };
+var InvalidAlgorithmError = class extends VaultError {
+  /**
+   * The algorithm that was requested.
+   */
+  algorithm;
+  /**
+   * The set of algorithms that are allowed.
+   */
+  allowed;
+  constructor(message, algorithm, allowed) {
+    super(message);
+    this.name = "InvalidAlgorithmError";
+    this.algorithm = algorithm;
+    this.allowed = allowed;
+  }
+};
 var SetupError = class extends VaultError {
   /**
    * The name of the dependency that caused the setup failure.
@@ -179,6 +196,7 @@ function isListableBackend(backend) {
 // src/backend/registry.ts
 var BackendRegistry = class {
   static backends = /* @__PURE__ */ new Map();
+  static setups = /* @__PURE__ */ new Map();
   /**
    * Register a backend factory.
    * @param type - Backend type identifier
@@ -191,7 +209,7 @@ var BackendRegistry = class {
    * Create a backend instance by type.
    * @param type - Backend type identifier
    * @returns A SecretBackend instance
-   * @throws Error if the backend type is not registered
+   * @throws {@link BackendUnavailableError} if the backend type is not registered
    */
   static create(type) {
     const factory = this.backends.get(type);
@@ -238,6 +256,46 @@ var BackendRegistry = class {
     );
     return results.filter((type) => type !== null);
   }
+  /**
+   * Register a setup factory for a backend type.
+   * @param type - Backend type identifier
+   * @param factory - Factory function that creates a setup generator
+   */
+  static registerSetup(type, factory) {
+    this.setups.set(type, factory);
+  }
+  /**
+   * Get the setup factory for a backend type, if one is registered.
+   * @param type - Backend type identifier
+   * @returns The setup factory, or `undefined` if none is registered
+   */
+  static getSetup(type) {
+    return this.setups.get(type);
+  }
+  /**
+   * Check whether a setup factory is registered for the given backend type.
+   * @param type - Backend type identifier
+   * @returns `true` if a setup factory is registered
+   */
+  static hasSetup(type) {
+    return this.setups.has(type);
+  }
+  /**
+   * Clear all registered backend factories.
+   * Intended for use in tests only.
+   * @internal
+   */
+  static clearBackends() {
+    this.backends.clear();
+  }
+  /**
+   * Clear all registered setup factories.
+   * Intended for use in tests only.
+   * @internal
+   */
+  static clearSetups() {
+    this.setups.clear();
+  }
 };
 async function execCommand(command, args, options) {
   const result = await execCommandFull(command, args);
@@ -487,6 +545,21 @@ function validateBackendEntry(entry, index) {
     }
     result.path = entry.path;
   }
+  if (entry.options !== void 0) {
+    if (!isObject(entry.options)) {
+      throw new Error(`backends[${String(index)}].options must be an object`);
+    }
+    const opts = {};
+    for (const [k, v] of Object.entries(entry.options)) {
+      if (typeof v !== "string") {
+        throw new Error(
+          `backends[${String(index)}].options["${k}"] must be a string`
+        );
+      }
+      opts[k] = v;
+    }
+    result.options = opts;
+  }
   return result;
 }
 function validateConfig(config) {
@@ -990,6 +1063,55 @@ function createSecretAccessor(secretValue) {
   return proxy;
 }
+// src/access/sign-util.ts
+var ALLOWED_ALGORITHMS = /* @__PURE__ */ new Set(["sha256", "sha384", "sha512"]);
+function resolveAlgorithmForKey(key, override) {
+  const keyType = key.asymmetricKeyType;
+  if (keyType === "ed25519" || keyType === "ed448") {
+    return { signAlg: null, label: keyType };
+  }
+  const alg = (override ?? "sha256").toLowerCase();
+  if (!ALLOWED_ALGORITHMS.has(alg)) {
+    throw new InvalidAlgorithmError(
+      `Unsupported algorithm '${alg}'. Allowed: ${[...ALLOWED_ALGORITHMS].join(", ")}`,
+      alg,
+      [...ALLOWED_ALGORITHMS]
+    );
+  }
+  return { signAlg: alg, label: alg };
+}
+// src/access/delegated-sign.ts
+function delegatedSign(secretPem, request) {
+  const key = crypto4.createPrivateKey(secretPem);
+  const { signAlg, label } = resolveAlgorithmForKey(key, request.algorithm);
+  const data = Buffer.isBuffer(request.data) ? request.data : Buffer.from(request.data);
+  const signature = crypto4.sign(signAlg, data, key);
+  return {
+    signature: signature.toString("base64"),
+    algorithm: label
+  };
+}
+function delegatedVerify(request) {
+  let key;
+  try {
+    key = crypto4.createPublicKey(request.publicKey);
+  } catch {
+    return false;
+  }
+  if (typeof request.publicKey === "string" && request.publicKey.includes("PRIVATE KEY")) {
+    return false;
+  }
+  const { signAlg } = resolveAlgorithmForKey(key, request.algorithm);
+  const sig = Buffer.from(request.signature, "base64");
+  try {
+    const data = Buffer.isBuffer(request.data) ? request.data : Buffer.from(request.data);
+    return crypto4.verify(signAlg, data, key, sig);
+  } catch {
+    return false;
+  }
+}
 // src/doctor/checks.ts
 function parseVersion(raw) {
   const match = /(\d+)\.(\d+)\.(\d+)/.exec(raw);
@@ -1347,6 +1469,52 @@ var VaultKeeper = class _VaultKeeper {
     const claims = validateCapabilityToken(token);
     return createSecretAccessor(claims.val);
   }
+  /**
+   * Sign data using the private key embedded in a capability token.
+   *
+   * The signing key is extracted from the token's encrypted claims, used
+   * for a single `crypto.sign()` call, and never exposed to the caller.
+   * The algorithm is auto-detected from the key type unless overridden
+   * in the request.
+   *
+   * @param token - A `CapabilityToken` obtained from `authorize()`.
+   * @param request - The data to sign and optional algorithm override.
+   * @returns The base64-encoded signature and algorithm label, together
+   *   with the vault metadata (`vaultResponse`).
+   * @throws {VaultError} If `token` is invalid or was not created by this
+   *   vault instance.
+   * @throws {InvalidAlgorithmError} If `request.algorithm` is not in the
+   *   allowed set (e.g. `'md5'`).
+   */
+  async sign(token, request) {
+    const claims = validateCapabilityToken(token);
+    const result = delegatedSign(claims.val, request);
+    await Promise.resolve();
+    return {
+      result,
+      vaultResponse: { keyStatus: "current" }
+    };
+  }
+  /**
+   * Verify a signature using a public key.
+   *
+   * This is a static method — no VaultKeeper instance, secrets, or
+   * capability tokens are required. It is safe to call from CI or any
+   * context that has access to public key material.
+   *
+   * Returns `false` for invalid key material, malformed signatures, or
+   * any verification failure (except disallowed algorithms, which throw).
+   *
+   * @throws {InvalidAlgorithmError} If `request.algorithm` is not in the
+   *   allowed set (e.g. `'md5'`).
+   *
+   * @param request - The data, signature, public key, and optional
+   *   algorithm override.
+   * @returns `true` if the signature is valid, `false` otherwise.
+   */
+  static verify(request) {
+    return delegatedVerify(request);
+  }
   /**
    * Rotate the current encryption key.
    *
@@ -1463,6 +1631,6 @@ var VaultKeeper = class _VaultKeeper {
   }
 };
-export { AuthorizationDeniedError, BackendLockedError, BackendRegistry, BackendUnavailableError, CapabilityToken, DeviceNotPresentError, FilesystemError, IdentityMismatchError, KeyRevokedError, KeyRotatedError, PluginNotFoundError, RotationInProgressError, SecretNotFoundError, SetupError, TokenExpiredError, TokenRevokedError, UsageLimitExceededError, VaultError, VaultKeeper, isListableBackend };
+export { AuthorizationDeniedError, BackendLockedError, BackendRegistry, BackendUnavailableError, CapabilityToken, DeviceNotPresentError, FilesystemError, IdentityMismatchError, InvalidAlgorithmError, KeyRevokedError, KeyRotatedError, PluginNotFoundError, RotationInProgressError, SecretNotFoundError, SetupError, TokenExpiredError, TokenRevokedError, UsageLimitExceededError, VaultError, VaultKeeper, isListableBackend };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map