Revert rename of validate-auth-config

lib/auth/AuthInfo.ts

@@ -6,16 +6,15 @@ import * as constants from '../constants';
  * shortid, email, accountDisplayName and IAMdisplayName (if applicable)
  * @return {AuthInfo} an AuthInfo instance
  */
-
 export default class AuthInfo {
-    arn
-    canonicalID
-    shortid
-    email
-    accountDisplayName
-    IAMdisplayName
+    arn: string;
+    canonicalID: string;
+    shortid: string;
+    email: string;
+    accountDisplayName: string;
+    IAMdisplayName: string;
 
-    constructor(objectFromVault) {
+    constructor(objectFromVault: any) {
         // amazon resource name for IAM user (if applicable)
         this.arn = objectFromVault.arn;
         // account canonicalID
@@ -57,10 +56,8 @@ export default class AuthInfo {
     isRequesterAServiceAccount() {
         return this.canonicalID.startsWith(`${constants.zenkoServiceAccount}/`);
     }
-    isRequesterThisServiceAccount(serviceName) {
-        return (
-            this.canonicalID ===
-            `${constants.zenkoServiceAccount}/${serviceName}`
-        );
+    isRequesterThisServiceAccount(serviceName: string) {
+        const computedCanonicalID = `${constants.zenkoServiceAccount}/${serviceName}`;
+        return this.canonicalID === computedCanonicalID;
     }
 }

lib/auth/Vault.ts

@@ -1,16 +1,22 @@
+import { Logger } from 'werelogs';
 import errors from '../errors';
 import AuthInfo from './AuthInfo';
 
 /** vaultSignatureCb parses message from Vault and instantiates
- * @param {object} err - error from vault
- * @param {object} authInfo - info from vault
- * @param {object} log - log for request
- * @param {function} callback - callback to authCheck functions
- * @param {object} [streamingV4Params] - present if v4 signature;
+ * @param err - error from vault
+ * @param authInfo - info from vault
+ * @param log - log for request
+ * @param callback - callback to authCheck functions
+ * @param [streamingV4Params] - present if v4 signature;
  * items used to calculate signature on chunks if streaming auth
- * @return {undefined}
  */
-function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
+function vaultSignatureCb(
+    err: Error | null,
+    authInfo: { message: { body: any } },
+    log: Logger,
+    callback: (err: Error | null, data?: any, results?: any, params?: any) => void,
+    streamingV4Params?: any
+) {
     // vaultclient API guarantees that it returns:
     // - either `err`, an Error object with `code` and `message` properties set
     // - or `err == null` and `info` is an object with `message.code` and
@@ -24,11 +30,13 @@ function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
     const info = authInfo.message.body;
     const userInfo = new AuthInfo(info.userInfo);
     const authorizationResults = info.authorizationResults;
-    const auditLog = { accountDisplayName: userInfo.getAccountDisplayName() };
+    const auditLog: { accountDisplayName: string, IAMdisplayName?: string } =
+        { accountDisplayName: userInfo.getAccountDisplayName() };
     const iamDisplayName = userInfo.getIAMdisplayName();
     if (iamDisplayName) {
         auditLog.IAMdisplayName = iamDisplayName;
     }
+    // @ts-ignore
     log.addDefaultFields(auditLog);
     return callback(null, userInfo, authorizationResults, streamingV4Params);
 }
@@ -40,45 +48,62 @@ function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
  * @class Vault
  */
 export default class Vault {
-    client
-    implName
+    client: any;
+    implName: string;
 
     /**
      * @constructor
      * @param {object} client - authentication backend or vault client
      * @param {string} implName - implementation name for auth backend
      */
-    constructor(client, implName) {
+    constructor(client: any, implName: string) {
         this.client = client;
         this.implName = implName;
     }
     /**
      * authenticateV2Request
      *
-     * @param {string} params - the authentication parameters as returned by
+     * @param params - the authentication parameters as returned by
      *                          auth.extractParams
-     * @param {number} params.version - shall equal 2
-     * @param {string} params.data.accessKey - the user's accessKey
-     * @param {string} params.data.signatureFromRequest - the signature read
+     * @param params.version - shall equal 2
+     * @param params.data.accessKey - the user's accessKey
+     * @param params.data.signatureFromRequest - the signature read
      *                                                    from the request
-     * @param {string} params.data.stringToSign - the stringToSign
-     * @param {string} params.data.algo - the hashing algorithm used for the
+     * @param params.data.stringToSign - the stringToSign
+     * @param params.data.algo - the hashing algorithm used for the
      *                                    signature
-     * @param {string} params.data.authType - the type of authentication (query
+     * @param params.data.authType - the type of authentication (query
      *                                        or header)
-     * @param {string} params.data.signatureVersion - the version of the
+     * @param params.data.signatureVersion - the version of the
      *                                                signature (AWS or AWS4)
-     * @param {number} [params.data.signatureAge] - the age of the signature in
+     * @param [params.data.signatureAge] - the age of the signature in
      *                                              ms
-     * @param {string} params.data.log - the logger object
+     * @param params.data.log - the logger object
      * @param {RequestContext []} requestContexts - an array of RequestContext
      * instances which contain information for policy authorization check
-     * @param {function} callback - callback with either error or user info
-     * @returns {undefined}
+     * @param callback - callback with either error or user info
      */
-    authenticateV2Request(params, requestContexts, callback) {
+    authenticateV2Request(
+        params: {
+            version: 2;
+            log: Logger;
+            data: {
+                securityToken: string;
+                accessKey: string;
+                signatureFromRequest: string;
+                stringToSign: string;
+                algo: string;
+                authType: 'query' | 'header';
+                signatureVersion: string;
+                signatureAge?: number;
+                log: Logger;
+            };
+        },
+        requestContexts: any[],
+        callback: (err: Error | null, data?: any) => void
+    ) {
         params.log.debug('authenticating V2 request');
-        let serializedRCsArr;
+        let serializedRCsArr: any;
         if (requestContexts) {
             serializedRCsArr = requestContexts.map(rc => rc.serialize());
         }
@@ -88,44 +113,66 @@ export default class Vault {
             params.data.accessKey,
             {
                 algo: params.data.algo,
+                // @ts-ignore
                 reqUid: params.log.getSerializedUids(),
                 logger: params.log,
                 securityToken: params.data.securityToken,
                 requestContext: serializedRCsArr,
             },
-            (err, userInfo) => vaultSignatureCb(err, userInfo,
+            (err: Error | null, userInfo?: any) => vaultSignatureCb(err, userInfo,
                 params.log, callback),
         );
     }
 
     /** authenticateV4Request
-     * @param {object} params - the authentication parameters as returned by
+     * @param params - the authentication parameters as returned by
      *                          auth.extractParams
-     * @param {number} params.version - shall equal 4
-     * @param {string} params.data.log - the logger object
-     * @param {string} params.data.accessKey - the user's accessKey
-     * @param {string} params.data.signatureFromRequest - the signature read
+     * @param params.version - shall equal 4
+     * @param params.data.log - the logger object
+     * @param params.data.accessKey - the user's accessKey
+     * @param params.data.signatureFromRequest - the signature read
      *                                                    from the request
-     * @param {string} params.data.region - the AWS region
-     * @param {string} params.data.stringToSign - the stringToSign
-     * @param {string} params.data.scopeDate - the timespan to allow the request
-     * @param {string} params.data.authType - the type of authentication (query
+     * @param params.data.region - the AWS region
+     * @param params.data.stringToSign - the stringToSign
+     * @param params.data.scopeDate - the timespan to allow the request
+     * @param params.data.authType - the type of authentication (query
      *                                        or header)
-     * @param {string} params.data.signatureVersion - the version of the
+     * @param params.data.signatureVersion - the version of the
      *                                                signature (AWS or AWS4)
-     * @param {number} params.data.signatureAge - the age of the signature in ms
-     * @param {number} params.data.timestamp - signaure timestamp
-     * @param {string} params.credentialScope - credentialScope for signature
+     * @param params.data.signatureAge - the age of the signature in ms
+     * @param params.data.timestamp - signaure timestamp
+     * @param params.credentialScope - credentialScope for signature
      * @param {RequestContext [] | null} requestContexts -
      * an array of RequestContext or null if authenticaiton of a chunk
      * in streamingv4 auth
      * instances which contain information for policy authorization check
-     * @param {function} callback - callback with either error or user info
-     * @return {undefined}
+     * @param callback - callback with either error or user info
     */
-    authenticateV4Request(params, requestContexts, callback) {
+    authenticateV4Request(
+        params: {
+            version: 4;
+            log: Logger;
+            data: {
+                accessKey: string;
+                signatureFromRequest: string;
+                region: string;
+                stringToSign: string;
+                scopeDate: string;
+                authType: 'query' | 'header';
+                signatureVersion: string;
+                signatureAge?: number;
+                timestamp: number;
+                credentialScope: string;
+                securityToken: string;
+                algo: string;
+                log: Logger;
+            };
+        },
+        requestContexts: any[],
+        callback: (err: Error | null, data?: any) => void
+    ) {
         params.log.debug('authenticating V4 request');
-        let serializedRCs;
+        let serializedRCs: any;
         if (requestContexts) {
             serializedRCs = requestContexts.map(rc => rc.serialize());
         }
@@ -143,31 +190,39 @@ export default class Vault {
             params.data.region,
             params.data.scopeDate,
             {
+                // @ts-ignore
                 reqUid: params.log.getSerializedUids(),
                 logger: params.log,
                 securityToken: params.data.securityToken,
                 requestContext: serializedRCs,
             },
-            (err, userInfo) => vaultSignatureCb(err, userInfo,
+            (err: Error | null, userInfo?: any) => vaultSignatureCb(err, userInfo,
                 params.log, callback, streamingV4Params),
         );
     }
 
     /** getCanonicalIds -- call Vault to get canonicalIDs based on email
      * addresses
-     * @param {array} emailAddresses - list of emailAddresses
-     * @param {object} log - log object
-     * @param {function} callback - callback with either error or an array
+     * @param emailAddresses - list of emailAddresses
+     * @param log - log object
+     * @param callback - callback with either error or an array
      * of objects with each object containing the canonicalID and emailAddress
      * of an account as properties
-     * @return {undefined}
     */
-    getCanonicalIds(emailAddresses, log, callback) {
+    getCanonicalIds(
+        emailAddresses: string[],
+        log: Logger,
+        callback: (
+            err: Error | null,
+            data?: { canonicalID: string; email: string }[]
+        ) => void
+    ) {
         log.trace('getting canonicalIDs from Vault based on emailAddresses',
             { emailAddresses });
         this.client.getCanonicalIds(emailAddresses,
+            // @ts-ignore
             { reqUid: log.getSerializedUids() },
-            (err, info) => {
+            (err: Error | null, info?: any) => {
                 if (err) {
                     log.debug('received error message from auth provider',
                         { errorMessage: err });
@@ -175,17 +230,17 @@ export default class Vault {
                 }
                 const infoFromVault = info.message.body;
                 log.trace('info received from vault', { infoFromVault });
-                const foundIds = [];
+                const foundIds: { canonicalID: string; email: string }[] = [];
                 for (let i = 0; i < Object.keys(infoFromVault).length; i++) {
                     const key = Object.keys(infoFromVault)[i];
                     if (infoFromVault[key] === 'WrongFormat'
                     || infoFromVault[key] === 'NotFound') {
                         return callback(errors.UnresolvableGrantByEmailAddress);
                     }
-                    const obj = {};
-                    obj.email = key;
-                    obj.canonicalID = infoFromVault[key];
-                    foundIds.push(obj);
+                    foundIds.push({
+                        email: key,
+                        canonicalID: infoFromVault[key],
+                    })
                 }
                 return callback(null, foundIds);
             });
@@ -193,18 +248,22 @@ export default class Vault {
 
     /** getEmailAddresses -- call Vault to get email addresses based on
      * canonicalIDs
-     * @param {array} canonicalIDs - list of canonicalIDs
-     * @param {object} log - log object
-     * @param {function} callback - callback with either error or an object
+     * @param canonicalIDs - list of canonicalIDs
+     * @param log - log object
+     * @param callback - callback with either error or an object
      * with canonicalID keys and email address values
-     * @return {undefined}
     */
-    getEmailAddresses(canonicalIDs, log, callback) {
+    getEmailAddresses(
+        canonicalIDs: string[],
+        log: Logger,
+        callback: (err: Error | null, data?: { [key: string]: any }) => void
+    ) {
         log.trace('getting emailAddresses from Vault based on canonicalIDs',
             { canonicalIDs });
         this.client.getEmailAddresses(canonicalIDs,
+            // @ts-ignore
             { reqUid: log.getSerializedUids() },
-            (err, info) => {
+            (err: Error | null, info?: any) => {
                 if (err) {
                     log.debug('received error message from vault',
                         { errorMessage: err });
@@ -227,18 +286,22 @@ export default class Vault {
 
     /** getAccountIds -- call Vault to get accountIds based on
      * canonicalIDs
-     * @param {array} canonicalIDs - list of canonicalIDs
-     * @param {object} log - log object
-     * @param {function} callback - callback with either error or an object
+     * @param canonicalIDs - list of canonicalIDs
+     * @param log - log object
+     * @param callback - callback with either error or an object
      * with canonicalID keys and accountId values
-     * @return {undefined}
     */
-    getAccountIds(canonicalIDs, log, callback) {
+    getAccountIds(
+        canonicalIDs: string[],
+        log: Logger,
+        callback: (err: Error | null, data?: { [key: string]: string }) => void
+    ) {
         log.trace('getting accountIds from Vault based on canonicalIDs',
             { canonicalIDs });
         this.client.getAccountIds(canonicalIDs,
+            // @ts-ignore
             { reqUid: log.getSerializedUids() },
-            (err, info) => {
+            (err: Error | null, info?: any) => {
                 if (err) {
                     log.debug('received error message from vault',
                         { errorMessage: err });
@@ -271,14 +334,19 @@ export default class Vault {
      * @param {object} log - log object
      * @param {function} callback - callback with either error or an array
      * of authorization results
-     * @return {undefined}
     */
-    checkPolicies(requestContextParams, userArn, log, callback) {
+    checkPolicies(
+        requestContextParams: any[],
+        userArn: string,
+        log: Logger,
+        callback: (err: Error | null, data?: any[]) => void
+    ) {
         log.trace('sending request context params to vault to evaluate' +
         'policies');
         this.client.checkPolicies(requestContextParams, userArn, {
+            // @ts-ignore
             reqUid: log.getSerializedUids(),
-        }, (err, info) => {
+        }, (err: Error | null, info?: any) => {
             if (err) {
                 log.debug('received error message from auth provider',
                     { error: err });
@@ -289,13 +357,14 @@ export default class Vault {
         });
     }
 
-    checkHealth(log, callback) {
+    checkHealth(log: Logger, callback: (err: Error | null, data?: any) => void) {
         if (!this.client.healthcheck) {
             const defResp = {};
             defResp[this.implName] = { code: 200, message: 'OK' };
             return callback(null, defResp);
         }
-        return this.client.healthcheck(log.getSerializedUids(), (err, obj) => {
+        // @ts-ignore
+        return this.client.healthcheck(log.getSerializedUids(), (err: Error | null, obj?: any) => {
             const respBody = {};
             if (err) {
                 log.debug(`error from ${this.implName}`, { error: err });

lib/auth/auth.ts

@@ -1,4 +1,5 @@
 import * as crypto from 'crypto';
+import { Logger } from 'werelogs';
 import errors from '../errors';
 import * as queryString from 'querystring';
 import AuthInfo from './AuthInfo';
@@ -8,15 +9,15 @@ import * as constants from '../constants';
 import constructStringToSignV2 from './v2/constructStringToSign';
 import constructStringToSignV4 from './v4/constructStringToSign';
 import { convertUTCtoISO8601 } from './v4/timeUtils';
-import * as vaultUtilities from './backends/in_memory/vault-utilities';
+import * as vaultUtilities from './backends/in_memory/vaultUtilities';
 import * as inMemoryBackend from './backends/in_memory/Backend';
-import validateAuthConfig from './backends/in_memory/validate-auth-config';
+import validateAuthConfig from './backends/in_memory/validateAuthConfig';
 import AuthLoader from './backends/in_memory/AuthLoader';
 import Vault from './Vault';
 import baseBackend from './backends/BaseBackend';
 import chainBackend from './backends/ChainBackend';
 
-let vault = null;
+let vault: Vault | null = null;
 const auth = {};
 const checkFunctions = {
     v2: {
@@ -33,7 +34,7 @@ const checkFunctions = {
 // 'All Users Group' so use this group as the canonicalID for the publicUser
 const publicUserInfo = new AuthInfo({ canonicalID: constants.publicId });
 
-function setAuthHandler(handler) {
+function setAuthHandler(handler: Vault) {
     vault = handler;
     return auth;
 }
@@ -41,25 +42,30 @@ function setAuthHandler(handler) {
 /**
  * This function will check validity of request parameters to authenticate
  *
- * @param {Http.Request} request - Http request object
- * @param {object} log - Logger object
- * @param {string} awsService - Aws service related
- * @param {object} data - Parameters from queryString parsing or body of
+ * @param request - Http request object
+ * @param log - Logger object
+ * @param awsService - Aws service related
+ * @param data - Parameters from queryString parsing or body of
  *      POST request
  *
- * @return {object} ret
- * @return {object} ret.err - arsenal.errors object if any error was found
- * @return {object} ret.params - auth parameters to use later on for signature
+ * @return ret
+ * @return ret.err - arsenal.errors object if any error was found
+ * @return ret.params - auth parameters to use later on for signature
  *                               computation and check
- * @return {object} ret.params.version - the auth scheme version
+ * @return ret.params.version - the auth scheme version
  *                                       (undefined, 2, 4)
- * @return {object} ret.params.data - the auth scheme's specific data
+ * @return ret.params.data - the auth scheme's specific data
  */
-function extractParams(request, log, awsService, data) {
+function extractParams(
+    request: any,
+    log: Logger,
+    awsService: string,
+    data: { [key: string]: string }
+) {
     log.trace('entered', { method: 'Arsenal.auth.server.extractParams' });
     const authHeader = request.headers.authorization;
-    let version = null;
-    let method = null;
+    let version: 'v2' |'v4' | null = null;
+    let method: 'query' | 'headers' | null = null;
 
     // Identify auth version and method to dispatch to the right check function
     if (authHeader) {
@@ -105,16 +111,21 @@ function extractParams(request, log, awsService, data) {
 /**
  * This function will check validity of request parameters to authenticate
  *
- * @param {Http.Request} request - Http request object
- * @param {object} log - Logger object
- * @param {function} cb - the callback
- * @param {string} awsService - Aws service related
+ * @param request - Http request object
+ * @param log - Logger object
+ * @param cb - the callback
+ * @param awsService - Aws service related
  * @param {RequestContext[] | null} requestContexts - array of RequestContext
  * or null if no requestContexts to be sent to Vault (for instance,
  * in multi-object delete request)
- * @return {undefined}
  */
-function doAuth(request, log, cb, awsService, requestContexts) {
+function doAuth(
+    request: any,
+    log: Logger,
+    cb: (err: Error | null, data?: any) => void,
+    awsService: string,
+    requestContexts: any[] | null
+) {
     const res = extractParams(request, log, awsService, request.query);
     if (res.err) {
         return cb(res.err);
@@ -123,27 +134,30 @@ function doAuth(request, log, cb, awsService, requestContexts) {
     }
     if (requestContexts) {
         requestContexts.forEach((requestContext) => {
-            requestContext.setAuthType(res.params.data.authType);
-            requestContext.setSignatureVersion(
-                res.params.data.signatureVersion
-            );
-            requestContext.setSignatureAge(res.params.data.signatureAge);
-            requestContext.setSecurityToken(res.params.data.securityToken);
+            const { params } = res
+            if ('data' in params) {
+                const { data } = params
+                requestContext.setAuthType(data.authType);
+                requestContext.setSignatureVersion(data.signatureVersion);
+                requestContext.setSecurityToken(data.securityToken);
+                if ('signatureAge' in data) {
+                    requestContext.setSignatureAge(data.signatureAge);
+                }
+            }
         });
     }
 
     // Corner cases managed, we're left with normal auth
+    // TODO What's happening here?
+    // @ts-ignore
     res.params.log = log;
     if (res.params.version === 2) {
-        return vault.authenticateV2Request(res.params, requestContexts, cb);
+        // @ts-ignore
+        return vault!.authenticateV2Request(res.params, requestContexts, cb);
     }
     if (res.params.version === 4) {
-        return vault.authenticateV4Request(
-            res.params,
-            requestContexts,
-            cb,
-            awsService
-        );
+        // @ts-ignore
+        return vault!.authenticateV4Request(res.params, requestContexts, cb);
     }
 
     log.error('authentication method not found', {
@@ -155,25 +169,24 @@ function doAuth(request, log, cb, awsService, requestContexts) {
 /**
  * This function will generate a version 4 header
  *
- * @param {Http.Request} request - Http request object
- * @param {object} data - Parameters from queryString parsing or body of
+ * @param request - Http request object
+ * @param data - Parameters from queryString parsing or body of
  *                        POST request
- * @param {string} accessKey - the accessKey
- * @param {string} secretKeyValue - the secretKey
- * @param {string} awsService - Aws service related
- * @param {sting} [proxyPath] - path that gets proxied by reverse proxy
- * @param {string} [sessionToken] - security token if the access/secret keys
+ * @param accessKey - the accessKey
+ * @param secretKeyValue - the secretKey
+ * @param awsService - Aws service related
+ * @param [proxyPath] - path that gets proxied by reverse proxy
+ * @param [sessionToken] - security token if the access/secret keys
  *                                are temporary credentials from STS
- * @return {undefined}
  */
 function generateV4Headers(
-    request,
-    data,
-    accessKey,
-    secretKeyValue,
-    awsService,
-    proxyPath,
-    sessionToken
+    request: any,
+    data: { [key: string]: string },
+    accessKey: string,
+    secretKeyValue: string,
+    awsService: string,
+    proxyPath: string,
+    sessionToken: string
 ) {
     Object.assign(request, { headers: {} });
     const amzDate = convertUTCtoISO8601(Date.now());
@@ -187,7 +200,7 @@ function generateV4Headers(
 
     let payload = '';
     if (request.method === 'POST') {
-        payload = queryString.stringify(data, null, null, {
+        payload = queryString.stringify(data, undefined, undefined, {
             encodeURIComponent,
         });
     }

lib/auth/backends/BaseBackend.ts

@@ -1,84 +1,70 @@
 import errors from '../../errors';
+import { Callback } from './in_memory/types';
 
-/**
- * Base backend class
- *
- * @class BaseBackend
- */
+/** Base backend class */
 export default class BaseBackend {
-    service
+    service: string;
 
-    /**
-     * @constructor
-     * @param {string} service - service identifer for construction arn
-     */
-    constructor(service) {
+    constructor(service: string) {
         this.service = service;
     }
 
-    /** verifySignatureV2
-    * @param {string} stringToSign - string to sign built per AWS rules
-    * @param {string} signatureFromRequest - signature sent with request
-    * @param {string} accessKey - account accessKey
-    * @param {object} options - contains algorithm (SHA1 or SHA256)
-    * @param {function} callback - callback with either error or user info
-    * @return {function} calls callback
-    */
-    verifySignatureV2(stringToSign, signatureFromRequest,
-        accessKey, options, callback) {
+    verifySignatureV2(
+        _stringToSign: string,
+        _signatureFromRequest: string,
+        _accessKey: string,
+        _options: { algo: 'SHA1' | 'SHA256' },
+        callback: Callback
+    ) {
         return callback(errors.AuthMethodNotImplemented);
     }
 
-
-    /** verifySignatureV4
-     * @param {string} stringToSign - string to sign built per AWS rules
-     * @param {string} signatureFromRequest - signature sent with request
-     * @param {string} accessKey - account accessKey
-     * @param {string} region - region specified in request credential
-     * @param {string} scopeDate - date specified in request credential
-     * @param {object} options - options to send to Vault
-     * (just contains reqUid for logging in Vault)
-     * @param {function} callback - callback with either error or user info
-     * @return {function} calls callback
-     */
-    verifySignatureV4(stringToSign, signatureFromRequest, accessKey,
-        region, scopeDate, options, callback) {
+    verifySignatureV4(
+        _stringToSign: string,
+        _signatureFromRequest: string,
+        _accessKey: string,
+        _region: string,
+        _scopeDate: string,
+        _options: any,
+        callback: Callback
+    ) {
         return callback(errors.AuthMethodNotImplemented);
     }
 
     /**
-     * Gets canonical ID's for a list of accounts
-     * based on email associated with account
-     * @param {array} emails - list of email addresses
-     * @param {object} options - to send log id to vault
-     * @param {function} callback - callback to calling function
-     * @returns {function} callback with either error or
-     * object with email addresses as keys and canonical IDs
-     * as values
+     * Gets canonical ID's for a list of accounts based on email associated
+     * with account. The callback will be called with either error or object
+     * with email addresses as keys and canonical IDs as values.
      */
-    getCanonicalIds(emails, options, callback) {
+    getCanonicalIds(_emails: string[], _options: any, callback: Callback) {
         return callback(errors.AuthMethodNotImplemented);
     }
 
     /**
-     * Gets email addresses (referred to as diplay names for getACL's)
-     * for a list of accounts based on canonical IDs associated with account
-     * @param {array} canonicalIDs - list of canonicalIDs
-     * @param {object} options - to send log id to vault
-     * @param {function} callback - callback to calling function
-     * @returns {function} callback with either error or
-     * an object from Vault containing account canonicalID
-     * as each object key and an email address as the value (or "NotFound")
+     * Gets email addresses (referred to as diplay names for getACL's) for a
+     * list of accounts based on canonical IDs associated with account.
+     * The callback will be called with either error or an object from Vault
+     * containing account canonicalID as each object key and an email address
+     * as the value (or "NotFound").
      */
-    getEmailAddresses(canonicalIDs, options, callback) {
+    getEmailAddresses(
+        _canonicalIDs: string[],
+        _options: any,
+        callback: Callback
+    ) {
         return callback(errors.AuthMethodNotImplemented);
     }
 
-    checkPolicies(requestContextParams, userArn, options, callback) {
+    checkPolicies(
+        _requestContextParams: any,
+        _userArn: string,
+        _options: any,
+        callback: Callback
+    ) {
         return callback(null, { message: { body: [] } });
     }
 
-    healthcheck(reqUid, callback) {
+    healthcheck(_reqUid: string, callback: Callback) {
         return callback(null, { code: 200, message: 'OK' });
     }
 }

lib/auth/backends/ChainBackend.ts

@@ -1,25 +1,31 @@
 import assert from 'assert';
 import async from 'async';
 
+import { Callback } from './in_memory/types';
 import errors from '../../errors';
 import BaseBackend from './BaseBackend';
 
+export type Policy = {
+    [key: string]: any;
+    arn?: string;
+    versionId?: string;
+    isAllowed: boolean;
+}
+
 /**
  * Class that provides an authentication backend that will verify signatures
  * and retrieve emails and canonical ids associated with an account using a
  * given list of authentication backends and vault clients.
- *
- * @class ChainBackend
  */
 export default class ChainBackend extends BaseBackend {
-    _clients: any[];
+    #clients: BaseBackend[];
 
     /**
      * @constructor
      * @param {string} service - service id
      * @param {object[]} clients - list of authentication backends or vault clients
      */
-    constructor(service: string, clients: any[]) {
+    constructor(service: string, clients: BaseBackend[]) {
         super(service);
 
         assert(Array.isArray(clients) && clients.length > 0, 'invalid client list');
@@ -31,25 +37,28 @@ export default class ChainBackend extends BaseBackend {
             typeof client.checkPolicies === 'function' &&
             typeof client.healthcheck === 'function'
         ), 'invalid client: missing required auth backend methods');
-        this._clients = clients;
+        this.#clients = clients;
     }
 
-    /*
-     * try task against each client for one to be successful
-     */
-    _tryEachClient(task, cb) {
-        async.tryEach(this._clients.map(client => done => task(client, done)), cb);
+    /** try task against each client for one to be successful */
+    #tryEachClient(task: (client: BaseBackend, done?: any) => void, cb: Callback) {
+        // @ts-ignore
+        async.tryEach(this.#clients.map(client => (done: any) => task(client, done)), cb);
     }
 
-    /*
-     * apply task to all clients
-     */
-    _forEachClient(task, cb) {
-        async.map(this._clients, task, cb);
+    /** apply task to all clients */
+    #forEachClient(task: (client: BaseBackend, done?: any) => void, cb: Callback) {
+        async.map(this.#clients, task, cb);
     }
 
-    verifySignatureV2(stringToSign, signatureFromRequest, accessKey, options, callback) {
-        this._tryEachClient((client, done) => client.verifySignatureV2(
+    verifySignatureV2(
+        stringToSign: string,
+        signatureFromRequest: string,
+        accessKey: string,
+        options: any,
+        callback: Callback
+    ) {
+        this.#tryEachClient((client, done) => client.verifySignatureV2(
             stringToSign,
             signatureFromRequest,
             accessKey,
@@ -58,27 +67,39 @@ export default class ChainBackend extends BaseBackend {
         ), callback);
     }
 
-    verifySignatureV4(stringToSign, signatureFromRequest, accessKey, region, scopeDate, options, callback) {
-        this._tryEachClient((client, done) => client.verifySignatureV4(
+    verifySignatureV4(
+        stringToSign: string,
+        signatureFromRequest: string,
+        accessKey: string,
+        region: string,
+        scopeDate: string,
+        options: any,
+        callback: Callback
+    ) {
+        this.#tryEachClient((client, done) => client.verifySignatureV4(
             stringToSign,
-                signatureFromRequest,
-                accessKey,
-                region,
-                scopeDate,
-                options,
-                done
+            signatureFromRequest,
+            accessKey,
+            region,
+            scopeDate,
+            options,
+            done
         ), callback);
     }
 
-    static _mergeObjects(objectResponses) {
+    static _mergeObjects(objectResponses: any[]) {
         return objectResponses.reduce(
             (retObj, resObj) => Object.assign(retObj, resObj.message.body),
             {}
         );
     }
 
-    getCanonicalIds(emailAddresses, options, callback) {
-        this._forEachClient(
+    getCanonicalIds(
+        emailAddresses: string[],
+        options: any,
+        callback: Callback<{ message: { body: any } }>
+    ) {
+        this.#forEachClient(
             (client, done) => client.getCanonicalIds(emailAddresses, options, done),
             (err, res) => {
                 if (err) {
@@ -94,8 +115,12 @@ export default class ChainBackend extends BaseBackend {
         );
     }
 
-    getEmailAddresses(canonicalIDs, options, callback) {
-        this._forEachClient(
+    getEmailAddresses(
+        canonicalIDs: string[],
+        options: any,
+        callback: Callback<{ message: { body: any } }>
+    ) {
+        this.#forEachClient(
             (client, done) => client.getEmailAddresses(canonicalIDs, options, done),
             (err, res) => {
                 if (err) {
@@ -110,11 +135,9 @@ export default class ChainBackend extends BaseBackend {
         );
     }
 
-    /*
-     * merge policy responses into a single message
-     */
-    static _mergePolicies(policyResponses) {
-        const policyMap = {};
+    /** merge policy responses into a single message */
+    static _mergePolicies(policyResponses: { message: { body: any[] } }[]) {
+        const policyMap: { [key: string]: Policy } = {};
 
         policyResponses.forEach(resp => {
             if (!resp.message || !Array.isArray(resp.message.body)) {
@@ -131,8 +154,8 @@ export default class ChainBackend extends BaseBackend {
         });
 
         return Object.keys(policyMap).map((key) => {
-            const policyRes = { isAllowed: policyMap[key].isAllowed };
-            if (policyMap[key].arn !== '') {
+            const policyRes: Policy = { isAllowed: policyMap[key].isAllowed };
+            if (policyMap[key].arn && policyMap[key].arn !== '') {
                 policyRes.arn = policyMap[key].arn;
             }
             if (policyMap[key].versionId) {
@@ -142,7 +165,7 @@ export default class ChainBackend extends BaseBackend {
         });
     }
 
-    /*
+    /**
         response format:
             {  message: {
                 body: [{}],
@@ -150,8 +173,13 @@ export default class ChainBackend extends BaseBackend {
                 message: string,
             } }
      */
-    checkPolicies(requestContextParams, userArn, options, callback) {
-        this._forEachClient((client, done) => client.checkPolicies(
+    checkPolicies(
+        requestContextParams: any,
+        userArn: string,
+        options: any,
+        callback: Callback<{ message: { body: any } }>
+    ) {
+        this.#forEachClient((client, done) => client.checkPolicies(
             requestContextParams,
             userArn,
             options,
@@ -168,8 +196,8 @@ export default class ChainBackend extends BaseBackend {
         });
     }
 
-    healthcheck(reqUid, callback) {
-        this._forEachClient((client, done) =>
+    healthcheck(reqUid: string, callback: Callback) {
+        this.#forEachClient((client, done) =>
             client.healthcheck(reqUid, (err, res) => done(null, {
                 error: !!err ? err : null,
                 status: res,
@@ -179,7 +207,7 @@ export default class ChainBackend extends BaseBackend {
                 return callback(err);
             }
 
-            const isError = res.some((results) => !!results.error);
+            const isError = res.some((results: any) => !!results.error);
             if (isError) {
                 return callback(errors.InternalError, res);
             }

lib/auth/backends/in_memory/Backend.ts

@@ -1,11 +1,11 @@
 import * as crypto from 'crypto';
 import errors from '../../../errors';
-import { calculateSigningKey, hashSignature } from './vault-utilities';
+import { calculateSigningKey, hashSignature } from './vaultUtilities';
 import Indexer from './Indexer';
 import BaseBackend from '../BaseBackend';
 import { Accounts } from './types';
 
-function _formatResponse(userInfoToSend) {
+function _formatResponse(userInfoToSend: any) {
     return {
         message: {
             body: { userInfo: userInfoToSend },
@@ -58,6 +58,7 @@ class InMemoryBackend extends BaseBackend {
             accountDisplayName: this.indexer.getAcctDisplayName(entity),
             canonicalID: entity.canonicalID,
             arn: entity.arn,
+            // @ts-ignore TODO why ?
             IAMdisplayName: entity.IAMdisplayName,
         };
         const vaultReturnObject = _formatResponse(userInfoToSend);
@@ -72,7 +73,7 @@ class InMemoryBackend extends BaseBackend {
         accessKey: string,
         region: string,
         scopeDate: string,
-        options: { algo: 'SHA256' | 'SHA1' },
+        _options: { algo: 'SHA256' | 'SHA1' },
         callback: (
             err: Error | null,
             data?: ReturnType<typeof _formatResponse>
@@ -95,6 +96,7 @@ class InMemoryBackend extends BaseBackend {
             accountDisplayName: this.indexer.getAcctDisplayName(entity),
             canonicalID: entity.canonicalID,
             arn: entity.arn,
+            // @ts-ignore TODO why ?
             IAMdisplayName: entity.IAMdisplayName,
         };
         const vaultReturnObject = _formatResponse(userInfoToSend);
@@ -105,7 +107,7 @@ class InMemoryBackend extends BaseBackend {
     // CODEQUALITY-TODO-SYNC Should be synchronous
     getCanonicalIds(
         emails: string[],
-        log: any,
+        _log: any,
         cb: (err: null, data: { message: { body: any } }) => void
     ) {
         const results = {};
@@ -130,7 +132,7 @@ class InMemoryBackend extends BaseBackend {
     // CODEQUALITY-TODO-SYNC Should be synchronous
     getEmailAddresses(
         canonicalIDs: string[],
-        options: any,
+        _options: any,
         cb: (err: null, data: { message: { body: any } }) => void
     ) {
         const results = {};
@@ -158,14 +160,14 @@ class InMemoryBackend extends BaseBackend {
      * @param canonicalIDs - list of canonicalIDs
      * @param options - to send log id to vault
      * @param cb - callback to calling function
-     * @returns The next is wrong. Here to keep archives.
+     * @return The next is wrong. Here to keep archives.
      * callback with either error or
      * an object from Vault containing account canonicalID
      * as each object key and an accountId as the value (or "NotFound")
      */
     getAccountIds(
         canonicalIDs: string[],
-        options: any,
+        _options: any,
         cb: (err: null, data: { message: { body: any } }) => void
     ) {
         const results = {};

lib/auth/v2/algoCheck.ts

@@ -1,5 +1,5 @@
-export default function algoCheck(signatureLength) {
-    let algo;
+export default function algoCheck(signatureLength: number) {
+    let algo: 'sha256' | 'sha1';
     // If the signature sent is 44 characters,
     // this means that sha256 was used:
     // 44 characters in base64
@@ -11,5 +11,6 @@ export default function algoCheck(signatureLength) {
     if (signatureLength === SHA1LEN) {
         algo = 'sha1';
     }
+    // @ts-ignore
     return algo;
 }

lib/auth/v2/checkRequestExpiry.ts

@@ -1,8 +1,9 @@
+import { Logger } from 'werelogs';
 import errors from '../../errors';
 
 const epochTime = new Date('1970-01-01').getTime();
 
-export default function checkRequestExpiry(timestamp, log) {
+export default function checkRequestExpiry(timestamp: number, log: Logger) {
     // If timestamp is before epochTime, the request is invalid and return
     // errors.AccessDenied
     if (timestamp < epochTime) {

lib/auth/v2/constructStringToSign.ts

@@ -1,8 +1,14 @@
+import { Logger } from 'werelogs';
 import utf8 from 'utf8';
 import getCanonicalizedAmzHeaders from './getCanonicalizedAmzHeaders';
 import getCanonicalizedResource from './getCanonicalizedResource';
 
-export default function constructStringToSign(request, data, log, clientType?: any) {
+export default function constructStringToSign(
+    request: any,
+    data: { [key: string]: string },
+    log: Logger,
+    clientType?: any
+) {
     /*
     Build signature per AWS requirements:
     StringToSign = HTTP-Verb + '\n' +

lib/auth/v2/getCanonicalizedAmzHeaders.ts

@@ -1,12 +1,12 @@
-export default function getCanonicalizedAmzHeaders(headers, clientType) {
+export default function getCanonicalizedAmzHeaders(headers: Headers, clientType: string) {
     /*
     Iterate through headers and pull any headers that are x-amz headers.
     Need to include 'x-amz-date' here even though AWS docs
     ambiguous on this.
     */
     const filterFn = clientType === 'GCP' ?
-        val => val.substr(0, 7) === 'x-goog-' :
-        val => val.substr(0, 6) === 'x-amz-';
+        (val: string) => val.substr(0, 7) === 'x-goog-' :
+        (val: string) => val.substr(0, 6) === 'x-amz-';
     const amzHeaders = Object.keys(headers)
         .filter(filterFn)
         .map(val => [val.trim(), headers[val].trim()]);

lib/auth/v2/getCanonicalizedResource.ts

@@ -39,7 +39,7 @@ const awsSubresources = [
     'website',
 ];
 
-export default function getCanonicalizedResource(request, clientType) {
+export default function getCanonicalizedResource(request: any, clientType: string) {
     /*
     This variable is used to determine whether to insert
     a '?' or '&'.  Once a query parameter is added to the resourceString,

lib/auth/v2/headerAuthCheck.ts

@@ -1,10 +1,11 @@
+import { Logger } from 'werelogs';
 import errors from '../../errors';
 import * as constants from '../../constants';
 import constructStringToSign from './constructStringToSign';
 import checkRequestExpiry from './checkRequestExpiry';
 import algoCheck from './algoCheck';
 
-export function check(request, log, data) {
+export function check(request: any, log: Logger, data: { [key: string]: string }) {
     log.trace('running header auth check');
     const headers = request.headers;
 
@@ -56,6 +57,7 @@ export function check(request, log, data) {
         log.trace('invalid authorization header', { authInfo });
         return { err: errors.MissingSecurityHeader };
     }
+    // @ts-ignore
     log.addDefaultFields({ accessKey });
 
     const signatureFromRequest = authInfo.substring(semicolonIndex + 1).trim();

lib/auth/v2/queryAuthCheck.ts

@@ -1,9 +1,10 @@
+import { Logger } from 'werelogs';
 import errors from '../../errors';
 import * as constants from '../../constants';
 import algoCheck from './algoCheck';
 import constructStringToSign from './constructStringToSign';
 
-export function check(request, log, data) {
+export function check(request: any, log: Logger, data: { [key: string]: string }) {
     log.trace('running query auth check');
     if (request.method === 'POST') {
         log.debug('query string auth not supported for post requests');
@@ -51,6 +52,7 @@ export function check(request, log, data) {
         return { err: errors.RequestTimeTooSkewed };
     }
     const accessKey = data.AWSAccessKeyId;
+    // @ts-ignore
     log.addDefaultFields({ accessKey });
 
     const signatureFromRequest = decodeURIComponent(data.Signature);

lib/auth/v4/awsURIencode.ts

@@ -17,7 +17,7 @@ See http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
 */
 
 // converts utf8 character to hex and pads "%" before every two hex digits
-function _toHexUTF8(char) {
+function _toHexUTF8(char: string) {
     const hexRep = Buffer.from(char, 'utf8').toString('hex').toUpperCase();
     let res = '';
     hexRep.split('').forEach((v, n) => {
@@ -30,7 +30,11 @@ function _toHexUTF8(char) {
     return res;
 }
 
-export default function awsURIencode(input, encodeSlash?: any, noEncodeStar?: any) {
+export default function awsURIencode(
+    input: string,
+    encodeSlash?: boolean,
+    noEncodeStar?: boolean
+) {
     const encSlash = encodeSlash === undefined ? true : encodeSlash;
     let encoded = '';
     /**

lib/auth/v4/constructStringToSign.ts

@@ -1,4 +1,5 @@
 import * as crypto from 'crypto';
+import { Logger } from 'werelogs';
 import createCanonicalRequest from './createCanonicalRequest';
 
 /**
@@ -6,7 +7,17 @@ import createCanonicalRequest from './createCanonicalRequest';
  * @param {object} params - params object
  * @returns {string} - stringToSign
  */
-export default function constructStringToSign(params): string {
+export default function constructStringToSign(params: {
+    request: any;
+    signedHeaders: any;
+    payloadChecksum: any;
+    credentialScope: string;
+    timestamp: string;
+    query: { [key: string]: string };
+    log?: Logger;
+    proxyPath: string;
+    awsService: string;
+}): string {
     const {
         request,
         signedHeaders,
@@ -29,6 +40,8 @@ export default function constructStringToSign(params): string {
         service: params.awsService,
     });
 
+    // TODO Why that line?
+    // @ts-ignore
     if (canonicalReqResult instanceof Error) {
         if (log) {
             log.error('error creating canonicalRequest');

lib/auth/v4/createCanonicalRequest.ts

@@ -4,22 +4,30 @@ import * as queryString from 'querystring';
 
 /**
  * createCanonicalRequest - creates V4 canonical request
- * @param {object} params - contains pHttpVerb (request type),
+ * @param params - contains pHttpVerb (request type),
  * pResource (parsed from URL), pQuery (request query),
  * pHeaders (request headers), pSignedHeaders (signed headers from request),
  * payloadChecksum (from request)
- * @returns {string} - canonicalRequest
+ * @returns - canonicalRequest
  */
-export default function createCanonicalRequest(params) {
+export default function createCanonicalRequest(
+    params: {
+        pHttpVerb: string;
+        pResource: string;
+        pQuery: { [key: string]: string };
+        pHeaders: any;
+        pSignedHeaders: any;
+        service: string;
+        payloadChecksum: string;
+    }
+) {
     const pHttpVerb = params.pHttpVerb;
     const pResource = params.pResource;
     const pQuery = params.pQuery;
     const pHeaders = params.pHeaders;
     const pSignedHeaders = params.pSignedHeaders;
     const service = params.service;
-
     let payloadChecksum = params.payloadChecksum;
-
     if (!payloadChecksum) {
         if (pHttpVerb === 'GET') {
             payloadChecksum = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b' +
@@ -32,7 +40,7 @@ export default function createCanonicalRequest(params) {
             if (/aws-sdk-java\/[0-9.]+/.test(pHeaders['user-agent'])) {
                 notEncodeStar = true;
             }
-            let payload = queryString.stringify(pQuery, null, null, {
+            let payload = queryString.stringify(pQuery, undefined, undefined, {
                 encodeURIComponent: input => awsURIencode(input, true,
                     notEncodeStar),
             });
@@ -59,11 +67,11 @@ export default function createCanonicalRequest(params) {
 
     // signed headers
     const signedHeadersList = pSignedHeaders.split(';');
-    signedHeadersList.sort((a, b) => a.localeCompare(b));
+    signedHeadersList.sort((a: any, b: any) => a.localeCompare(b));
     const signedHeaders = signedHeadersList.join(';');
 
     // canonical headers
-    const canonicalHeadersList = signedHeadersList.map(signedHeader => {
+    const canonicalHeadersList = signedHeadersList.map((signedHeader: any) => {
         if (pHeaders[signedHeader] !== undefined) {
             const trimmedHeader = pHeaders[signedHeader]
                 .trim().replace(/\s+/g, ' ');

lib/auth/v4/headerAuthCheck.ts

@@ -1,3 +1,4 @@
+import { Logger } from 'werelogs';
 import errors from '../../../lib/errors';
 import * as constants from '../../constants';
 import constructStringToSign from './constructStringToSign';
@@ -14,14 +15,18 @@ import {
 
 /**
  * V4 header auth check
- * @param {object} request - HTTP request object
- * @param {object} log - logging object
- * @param {object} data - Parameters from queryString parsing or body of
+ * @param request - HTTP request object
+ * @param log - logging object
+ * @param data - Parameters from queryString parsing or body of
  *      POST request
- * @param {string} awsService - Aws service ('iam' or 's3')
- * @return {callback} calls callback
+ * @param awsService - Aws service ('iam' or 's3')
  */
-export function check(request, log, data, awsService) {
+export function check(
+    request: any,
+    log: Logger,
+    data: { [key: string]: string },
+    awsService: string
+) {
     log.trace('running header auth check');
 
     const token = request.headers['x-amz-security-token'];
@@ -63,16 +68,16 @@ export function check(request, log, data, awsService) {
 
     log.trace('authorization header from request', { authHeader });
 
-    const signatureFromRequest = authHeaderItems.signatureFromRequest;
-    const credentialsArr = authHeaderItems.credentialsArr;
-    const signedHeaders = authHeaderItems.signedHeaders;
+    const signatureFromRequest = authHeaderItems.signatureFromRequest!;
+    const credentialsArr = authHeaderItems.credentialsArr!;
+    const signedHeaders = authHeaderItems.signedHeaders!;
 
     if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
         log.debug('signedHeaders are incomplete', { signedHeaders });
         return { err: errors.AccessDenied };
     }
 
-    let timestamp;
+    let timestamp: string | undefined;
     // check request timestamp
     const xAmzDate = request.headers['x-amz-date'];
     if (xAmzDate) {
@@ -140,7 +145,7 @@ export function check(request, log, data, awsService) {
         return { err: errors.RequestTimeTooSkewed };
     }
 
-    let proxyPath = null;
+    let proxyPath: string | null = null;
     if (request.headers.proxy_path) {
         try {
             proxyPath = decodeURIComponent(request.headers.proxy_path);
@@ -163,9 +168,11 @@ export function check(request, log, data, awsService) {
         timestamp,
         payloadChecksum,
         awsService: service,
-        proxyPath,
+        proxyPath: proxyPath!,
     });
     log.trace('constructed stringToSign', { stringToSign });
+    // TODO Why?
+    // @ts-ignore
     if (stringToSign instanceof Error) {
         return { err: stringToSign };
     }

lib/auth/v4/queryAuthCheck.ts

@@ -1,3 +1,4 @@
+import { Logger } from 'werelogs';
 import * as constants from '../../constants';
 import errors from '../../errors';
 
@@ -8,12 +9,11 @@ import { areSignedHeadersComplete } from './validateInputs';
 
 /**
  * V4 query auth check
- * @param {object} request - HTTP request object
- * @param {object} log - logging object
- * @param {object} data - Contain authentification params (GET or POST data)
- * @return {callback} calls callback
+ * @param request - HTTP request object
+ * @param log - logging object
+ * @param data - Contain authentification params (GET or POST data)
  */
-export function check(request, log, data) {
+export function check(request: any, log: Logger, data: { [key: string]: string }) {
     const authParams = extractQueryParams(data, log);
 
     if (Object.keys(authParams).length !== 5) {
@@ -28,11 +28,11 @@ export function check(request, log, data) {
         return { err: errors.InvalidToken };
     }
 
-    const signedHeaders = authParams.signedHeaders;
-    const signatureFromRequest = authParams.signatureFromRequest;
-    const timestamp = authParams.timestamp;
-    const expiry = authParams.expiry;
-    const credential = authParams.credential;
+    const signedHeaders = authParams.signedHeaders!;
+    const signatureFromRequest = authParams.signatureFromRequest!;
+    const timestamp = authParams.timestamp!;
+    const expiry = authParams.expiry!;
+    const credential = authParams.credential!;
 
     if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
         log.debug('signedHeaders are incomplete', { signedHeaders });
@@ -59,7 +59,7 @@ export function check(request, log, data) {
         return { err: errors.RequestTimeTooSkewed };
     }
 
-    let proxyPath = null;
+    let proxyPath: string | null = null;
     if (request.headers.proxy_path) {
         try {
             proxyPath = decodeURIComponent(request.headers.proxy_path);
@@ -97,8 +97,10 @@ export function check(request, log, data) {
         timestamp,
         credentialScope: `${scopeDate}/${region}/${service}/${requestType}`,
         awsService: service,
-        proxyPath,
+        proxyPath: proxyPath!,
     });
+    // TODO Why?
+    // @ts-ignore
     if (stringToSign instanceof Error) {
         return { err: stringToSign };
     }

lib/auth/v4/streamingV4/V4Transform.ts

@@ -1,5 +1,8 @@
 import { Transform } from 'stream';
 import async from 'async';
+import { Logger } from 'werelogs';
+import { Callback } from '../../backends/in_memory/types';
+import Vault from '../../Vault';
 import errors from '../../../errors';
 import constructChunkStringToSign from './constructChunkStringToSign';
 
@@ -8,26 +11,28 @@ import constructChunkStringToSign from './constructChunkStringToSign';
  * v4 Auth request
  */
 export default class V4Transform extends Transform {
-    log;
-    cb;
-    accessKey;
-    region;
-    scopeDate;
-    timestamp;
-    credentialScope;
-    lastSignature;
-    currentSignature;
-    haveMetadata;
-    seekingDataSize;
-    currentData;
-    dataCursor;
-    currentMetadata;
-    lastPieceDone;
-    lastChunk;
-    vault;
+    log: Logger;
+    cb: Callback;
+    accessKey: string;
+    region: string;
+    /** Date parsed from headers in ISO8601. */
+    scopeDate: string;
+    /** Date parsed from headers in ISO8601. */
+    timestamp: string;
+    /** Items from auth header, plus the string 'aws4_request' joined with '/': timestamp/region/aws-service/aws4_request */
+    credentialScope: string;
+    lastSignature?: string;
+    currentSignature?: string;
+    haveMetadata: boolean;
+    seekingDataSize: number;
+    currentData?: any;
+    dataCursor: number;
+    currentMetadata: Buffer[];
+    lastPieceDone: boolean;
+    lastChunk: boolean;
+    vault: Vault;
 
     /**
-     * @constructor
      * @param {object} streamingV4Params - info for chunk authentication
      * @param {string} streamingV4Params.accessKey - requester's accessKey
      * @param {string} streamingV4Params.signatureFromRequest - signature
@@ -43,7 +48,19 @@ export default class V4Transform extends Transform {
      * @param {object} log - logger object
      * @param {function} cb - callback to api
      */
-    constructor(streamingV4Params, vault, log, cb) {
+    constructor(
+        streamingV4Params: {
+            accessKey: string,
+            signatureFromRequest: string,
+            region: string,
+            scopeDate: string,
+            timestamp: string,
+            credentialScope: string
+        },
+        vault: Vault,
+        log: Logger,
+        cb: Callback
+    ) {
         const {
             accessKey,
             signatureFromRequest,
@@ -77,8 +94,8 @@ export default class V4Transform extends Transform {
 
     /**
      * This function will parse the metadata portion of the chunk
-     * @param {Buffer} remainingChunk - chunk sent from _transform
-     * @return {object} response - if error, will return 'err' key with
+     * @param remainingChunk - chunk sent from _transform
+     * @return response - if error, will return 'err' key with
      * arsenal error value.
      * if incomplete metadata, will return 'completeMetadata' key with
      * value false
@@ -86,7 +103,7 @@ export default class V4Transform extends Transform {
      * value true and the key 'unparsedChunk' with the remaining chunk without
      * the parsed metadata piece
      */
-    _parseMetadata(remainingChunk) {
+    _parseMetadata(remainingChunk: Buffer) {
         let remainingPlusStoredMetadata = remainingChunk;
         // have metadata pieces so need to add to the front of
         // remainingChunk
@@ -127,9 +144,8 @@ export default class V4Transform extends Transform {
             );
             return { err: errors.InvalidArgument };
         }
-        let dataSize = splitMeta[0];
         // chunk-size is sent in hex
-        dataSize = Number.parseInt(dataSize, 16);
+        let dataSize = Number.parseInt(splitMeta[0], 16);
         if (Number.isNaN(dataSize)) {
             this.log.trace('chunk body did not contain valid size');
             return { err: errors.InvalidArgument };
@@ -164,17 +180,17 @@ export default class V4Transform extends Transform {
 
     /**
      * Build the stringToSign and authenticate the chunk
-     * @param {Buffer} dataToSend - chunk sent from _transform or null
+     * @param dataToSend - chunk sent from _transform or null
      * if last chunk without data
-     * @param {function} done - callback to _transform
-     * @return {function} executes callback with err if applicable
+     * @param done - callback to _transform
+     * @return executes callback with err if applicable
      */
-    _authenticate(dataToSend, done) {
+    _authenticate(dataToSend: Buffer | null, done: (err?: Error) => void) {
         // use prior sig to construct new string to sign
         const stringToSign = constructChunkStringToSign(
             this.timestamp,
             this.credentialScope,
-            this.lastSignature,
+            this.lastSignature!,
             dataToSend
         );
         this.log.trace('constructed chunk string to sign', { stringToSign });
@@ -193,7 +209,7 @@ export default class V4Transform extends Transform {
                 credentialScope: this.credentialScope,
             },
         };
-        return this.vault.authenticateV4Request(vaultParams, null, (err) => {
+        return this.vault.authenticateV4Request(vaultParams, null, (err: Error) => {
             if (err) {
                 this.log.trace('err from vault on streaming v4 auth', {
                     error: err,
@@ -205,17 +221,18 @@ export default class V4Transform extends Transform {
         });
     }
 
+    // TODO encoding unused. Why?
     /**
      * This function will parse the chunk into metadata and data,
      * use the metadata to authenticate with vault and send the
      * data on to be stored if authentication passes
      *
-     * @param {Buffer} chunk - chunk from request body
-     * @param {string} encoding - Data encoding
-     * @param {function} callback - Callback(err, justDataChunk, encoding)
-     * @return {function }executes callback with err if applicable
+     * @param chunk - chunk from request body
+     * @param encoding - Data encoding
+     * @param callback - Callback(err, justDataChunk, encoding)
+     * @return executes callback with err if applicable
      */
-    _transform(chunk, encoding, callback) {
+    _transform(chunk: Buffer, _encoding: string, callback: (err?: Error) => void) {
         // 'chunk' here is the node streaming chunk
         // transfer-encoding chunks should be of the format:
         // string(IntHexBase(chunk-size)) + ";chunk-signature=" +
@@ -254,7 +271,7 @@ export default class V4Transform extends Transform {
                     }
                     // have metadata so reset unparsedChunk to remaining
                     // without metadata piece
-                    unparsedChunk = parsedMetadataResults.unparsedChunk;
+                    unparsedChunk = parsedMetadataResults.unparsedChunk!;
                 }
                 if (this.lastChunk) {
                     this.log.trace('authenticating final chunk with no data');
@@ -301,7 +318,7 @@ export default class V4Transform extends Transform {
             // final callback
             (err) => {
                 if (err) {
-                    return this.cb(err);
+                    return this.cb(err as any);
                 }
                 // get next chunk
                 return callback();

lib/auth/v4/streamingV4/constructChunkStringToSign.ts

@@ -3,30 +3,30 @@ import * as constants from '../../../constants';
 
 /**
  * Constructs stringToSign for chunk
- * @param {string} timestamp - date parsed from headers
- * in ISO 8601 format: YYYYMMDDTHHMMSSZ
- * @param {string} credentialScope - items from auth
- * header plus the string 'aws4_request' joined with '/':
+ * @param timestamp - date parsed from headers in ISO 8601 format: YYYYMMDDTHHMMSSZ
+ * @param credentialScope - items from auth header plus the string
+ *   'aws4_request' joined with '/':
  * timestamp/region/aws-service/aws4_request
- * @param {string} lastSignature - signature from headers or prior chunk
- * @param {string} justDataChunk - data portion of chunk
- * @returns {string} stringToSign
+ * @param lastSignature - signature from headers or prior chunk
+ * @param justDataChunk - data portion of chunk
  */
 export default function constructChunkStringToSign(
     timestamp: string,
     credentialScope: string,
     lastSignature: string,
-    justDataChunk: string
+    justDataChunk: string | Buffer | null
 ): string {
-    let currentChunkHash;
+    let currentChunkHash: string;
     // for last chunk, there will be no data, so use emptyStringHash
     if (!justDataChunk) {
         currentChunkHash = constants.emptyStringHash;
     } else {
-        currentChunkHash = crypto.createHash('sha256');
-        currentChunkHash = currentChunkHash
-            .update(justDataChunk, 'binary')
-            .digest('hex');
+        let hash = crypto.createHash('sha256');
+        currentChunkHash = (
+            typeof justDataChunk === 'string'
+                ? hash.update(justDataChunk, 'binary')
+                : hash.update(justDataChunk)
+        ).digest('hex');
     }
     return (
         `AWS4-HMAC-SHA256-PAYLOAD\n${timestamp}\n` +

lib/auth/v4/timeUtils.ts

@@ -1,10 +1,11 @@
+import { Logger } from 'werelogs';
+
 /**
  * Convert timestamp to milliseconds since Unix Epoch
- * @param  {string} timestamp of ISO8601Timestamp format without
+ * @param timestamp of ISO8601Timestamp format without
  * dashes or colons, e.g. 20160202T220410Z
- * @return {number} number of milliseconds since Unix Epoch
  */
-export function convertAmzTimeToMs(timestamp) {
+export function convertAmzTimeToMs(timestamp: string) {
     const arr = timestamp.split('');
     // Convert to YYYY-MM-DDTHH:mm:ss.sssZ
     const ISO8601time = `${arr.slice(0, 4).join('')}-${arr[4]}${arr[5]}` +
@@ -13,13 +14,12 @@ export function convertAmzTimeToMs(timestamp) {
     return Date.parse(ISO8601time);
 }
 
-
 /**
  * Convert UTC timestamp to ISO 8601 timestamp
- * @param  {string} timestamp of UTC form: Fri, 10 Feb 2012 21:34:55 GMT
- * @return {string} ISO8601 timestamp of form: YYYYMMDDTHHMMSSZ
+ * @param timestamp of UTC form: Fri, 10 Feb 2012 21:34:55 GMT
+ * @return ISO8601 timestamp of form: YYYYMMDDTHHMMSSZ
  */
-export function convertUTCtoISO8601(timestamp) {
+export function convertUTCtoISO8601(timestamp: string | number) {
     // convert to ISO string: YYYY-MM-DDTHH:mm:ss.sssZ.
     const converted = new Date(timestamp).toISOString();
     // Remove "-"s and "."s and milliseconds
@@ -28,13 +28,13 @@ export function convertUTCtoISO8601(timestamp) {
 
 /**
  * Check whether timestamp predates request or is too old
- * @param  {string} timestamp of ISO8601Timestamp format without
+ * @param timestamp of ISO8601Timestamp format without
  * dashes or colons, e.g. 20160202T220410Z
- * @param {number} expiry - number of seconds signature should be valid
- * @param {object} log - log for request
- * @return {boolean} true if there is a time problem
+ * @param expiry - number of seconds signature should be valid
+ * @param log - log for request
+ * @return true if there is a time problem
  */
-export function checkTimeSkew(timestamp, expiry, log) {
+export function checkTimeSkew(timestamp: string, expiry: number, log: Logger) {
     const currentTime = Date.now();
     const fifteenMinutes = (15 * 60 * 1000);
     const parsedTimestamp = convertAmzTimeToMs(timestamp);

lib/auth/v4/validateInputs.ts

@@ -1,15 +1,19 @@
+import { Logger } from 'werelogs';
 import errors from '../../../lib/errors';
 
 /**
  * Validate Credentials
- * @param  {array} credentials - contains accessKey, scopeDate,
+ * @param credentials - contains accessKey, scopeDate,
  * region, service, requestType
- * @param {string} timestamp - timestamp from request in
+ * @param timestamp - timestamp from request in
  * the format of ISO 8601: YYYYMMDDTHHMMSSZ
- * @param {object} log - logging object
- * @return {boolean} true if credentials are correct format, false if not
+ * @param log - logging object
  */
-export function validateCredentials(credentials, timestamp, log) {
+export function validateCredentials(
+    credentials: [string, string, string, string, string],
+    timestamp: string,
+    log: Logger
+): Error | {} {
     if (!Array.isArray(credentials) || credentials.length !== 5) {
         log.warn('credentials in improper format', { credentials });
         return errors.InvalidArgument;
@@ -63,12 +67,21 @@ export function validateCredentials(credentials, timestamp, log) {
 
 /**
  * Extract and validate components from query object
- * @param  {object} queryObj - query object from request
- * @param {object} log - logging object
- * @return {object} object containing extracted query params for authV4
+ * @param  queryObj - query object from request
+ * @param log - logging object
+ * @return object containing extracted query params for authV4
  */
-export function extractQueryParams(queryObj, log) {
-    const authParams = {};
+export function extractQueryParams(
+    queryObj: { [key: string]: string | undefined },
+    log: Logger
+) {
+    const authParams: {
+        signedHeaders?: string;
+        signatureFromRequest?: string;
+        timestamp?: string;
+        expiry?: number;
+        credential?: [string, string, string, string, string];
+    } = {};
 
     // Do not need the algorithm sent back
     if (queryObj['X-Amz-Algorithm'] !== 'AWS4-HMAC-SHA256') {
@@ -105,7 +118,7 @@ export function extractQueryParams(queryObj, log) {
         return authParams;
     }
 
-    const expiry = Number.parseInt(queryObj['X-Amz-Expires'], 10);
+    const expiry = Number.parseInt(queryObj['X-Amz-Expires'] ?? 'nope', 10);
     const sevenDays = 604800;
     if (expiry && expiry > 0 && expiry <= sevenDays) {
         authParams.expiry = expiry;
@@ -116,6 +129,7 @@ export function extractQueryParams(queryObj, log) {
 
     const credential = queryObj['X-Amz-Credential'];
     if (credential && credential.length > 28 && credential.indexOf('/') > -1) {
+        // @ts-ignore
         authParams.credential = credential.split('/');
     } else {
         log.warn('invalid credential param', { credential });
@@ -126,12 +140,16 @@ export function extractQueryParams(queryObj, log) {
 
 /**
  * Extract and validate components from auth header
- * @param  {string} authHeader - authorization header from request
- * @param {object} log - logging object
- * @return {object} object containing extracted auth header items for authV4
+ * @param authHeader - authorization header from request
+ * @param log - logging object
+ * @return object containing extracted auth header items for authV4
  */
-export function extractAuthItems(authHeader, log) {
-    const authItems = {};
+export function extractAuthItems(authHeader: string, log: Logger) {
+    const authItems: {
+        credentialsArr?: [string, string, string, string, string];
+        signedHeaders?: string;
+        signatureFromRequest?: string;
+    } = {};
     const authArray = authHeader.replace('AWS4-HMAC-SHA256 ', '').split(',');
 
     if (authArray.length < 3) {
@@ -147,6 +165,7 @@ export function extractAuthItems(authHeader, log) {
         credentialStr.trim().startsWith('Credential=') &&
         credentialStr.indexOf('/') > -1
     ) {
+        // @ts-ignore
         authItems.credentialsArr = credentialStr
             .trim()
             .replace('Credential=', '')
@@ -179,11 +198,11 @@ export function extractAuthItems(authHeader, log) {
 /**
  * Checks whether the signed headers include the host header
  * and all x-amz- and x-scal- headers in request
- * @param {string} signedHeaders - signed headers sent with request
- * @param {object} allHeaders - request.headers
- * @return {boolean} true if all x-amz-headers included and false if not
+ * @param signedHeaders - signed headers sent with request
+ * @param allHeaders - request.headers
+ * @return true if all x-amz-headers included and false if not
  */
-export function areSignedHeadersComplete(signedHeaders, allHeaders) {
+export function areSignedHeadersComplete(signedHeaders: string, allHeaders: Headers) {
     const signedHeadersList = signedHeaders.split(';');
     if (signedHeadersList.indexOf('host') === -1) {
         return false;

tests/unit/auth/v2/signature.spec.js

@@ -5,7 +5,7 @@ const assert = require('assert');
 const constructStringToSign =
     require('../../../../lib/auth/v2/constructStringToSign').default;
 const hashSignature =
-    require('../../../../lib/auth/backends/in_memory/vault-utilities').hashSignature;
+    require('../../../../lib/auth/backends/in_memory/vaultUtilities').hashSignature;
 const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
 
 const log = new DummyRequestLogger();

tests/unit/auth/v4/signingKey.spec.js

@@ -3,7 +3,7 @@
 const assert = require('assert');
 
 const calculateSigningKey =
-    require('../../../../lib/auth/backends/in_memory/vault-utilities')
+    require('../../../../lib/auth/backends/in_memory/vaultUtilities')
         .calculateSigningKey;
 
 describe('v4 signing key calculation', () => {