OS-154 Type https

index.ts

@@ -1,18 +1,14 @@
-export const auth = require('./lib/auth/auth');
+export * as auth from './lib/auth/auth'
 export * as constants from './lib/constants';
+export * as https from './lib/https'
 export const db = require('./lib/db');
-export const errors = require('./lib/errors.js');
+export const errors = require('./lib/errors.js')
 export const shuffle = require('./lib/shuffle');
 export const stringHash = require('./lib/stringHash');
 export const ipCheck = require('./lib/ipCheck');
 export const jsutil = require('./lib/jsutil');
 export const Clustering = require('./lib/Clustering');
 
-export const https = {
-    ciphers: require('./lib/https/ciphers.js'),
-    dhparam: require('./lib/https/dh2048.js'),
-};
-
 export const algorithms = {
     list: {
         Basic: require('./lib/algos/list/basic').List,

lib/auth/AuthInfo.ts

@@ -1,6 +1,4 @@
-'use strict'; // eslint-disable-line strict
+import * as constants from '../constants';
-
-const constants = require('../constants');
 
 /**
  * Class containing requester's information received from Vault
@@ -8,9 +6,15 @@ const constants = require('../constants');
  * shortid, email, accountDisplayName and IAMdisplayName (if applicable)
  * @return {AuthInfo} an AuthInfo instance
  */
+export default class AuthInfo {
+    arn: string;
+    canonicalID: string;
+    shortid: string;
+    email: string;
+    accountDisplayName: string;
+    IAMdisplayName: string;
 
-class AuthInfo {
+    constructor(objectFromVault: any) {
-    constructor(objectFromVault) {
         // amazon resource name for IAM user (if applicable)
         this.arn = objectFromVault.arn;
         // account canonicalID
@@ -53,10 +57,8 @@ class AuthInfo {
         return this.canonicalID.startsWith(
             `${constants.zenkoServiceAccount}/`);
     }
-    isRequesterThisServiceAccount(serviceName) {
+    isRequesterThisServiceAccount(serviceName: string) {
-        return this.canonicalID ===
+        const computedCanonicalID = `${constants.zenkoServiceAccount}/${serviceName}`;
-            `${constants.zenkoServiceAccount}/${serviceName}`;
+        return this.canonicalID === computedCanonicalID;
     }
 }
-
-module.exports = AuthInfo;

lib/auth/Vault.ts

@@ -1,16 +1,22 @@
-const errors = require('../errors');
+import { Logger } from 'werelogs';
-const AuthInfo = require('./AuthInfo');
+import errors from '../errors';
+import AuthInfo from './AuthInfo';
 
 /** vaultSignatureCb parses message from Vault and instantiates
- * @param {object} err - error from vault
+ * @param err - error from vault
- * @param {object} authInfo - info from vault
+ * @param authInfo - info from vault
- * @param {object} log - log for request
+ * @param log - log for request
- * @param {function} callback - callback to authCheck functions
+ * @param callback - callback to authCheck functions
- * @param {object} [streamingV4Params] - present if v4 signature;
+ * @param [streamingV4Params] - present if v4 signature;
  * items used to calculate signature on chunks if streaming auth
- * @return {undefined}
  */
-function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
+function vaultSignatureCb(
+    err: Error | null,
+    authInfo: { message: { body: any } },
+    log: Logger,
+    callback: (err: Error | null, data?: any, results?: any, params?: any) => void,
+    streamingV4Params?: any
+) {
     // vaultclient API guarantees that it returns:
     // - either `err`, an Error object with `code` and `message` properties set
     // - or `err == null` and `info` is an object with `message.code` and
@@ -24,11 +30,13 @@ function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
     const info = authInfo.message.body;
     const userInfo = new AuthInfo(info.userInfo);
     const authorizationResults = info.authorizationResults;
-    const auditLog = { accountDisplayName: userInfo.getAccountDisplayName() };
+    const auditLog: { accountDisplayName: string, IAMdisplayName?: string } =
+        { accountDisplayName: userInfo.getAccountDisplayName() };
     const iamDisplayName = userInfo.getIAMdisplayName();
     if (iamDisplayName) {
         auditLog.IAMdisplayName = iamDisplayName;
     }
+    // @ts-ignore
     log.addDefaultFields(auditLog);
     return callback(null, userInfo, authorizationResults, streamingV4Params);
 }
@@ -39,43 +47,63 @@ function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
  * authentication backends.
  * @class Vault
  */
-class Vault {
+export default class Vault {
+    client: any;
+    implName: string;
+
     /**
      * @constructor
      * @param {object} client - authentication backend or vault client
      * @param {string} implName - implementation name for auth backend
      */
-    constructor(client, implName) {
+    constructor(client: any, implName: string) {
         this.client = client;
         this.implName = implName;
     }
     /**
      * authenticateV2Request
      *
-     * @param {string} params - the authentication parameters as returned by
+     * @param params - the authentication parameters as returned by
      *                          auth.extractParams
-     * @param {number} params.version - shall equal 2
+     * @param params.version - shall equal 2
-     * @param {string} params.data.accessKey - the user's accessKey
+     * @param params.data.accessKey - the user's accessKey
-     * @param {string} params.data.signatureFromRequest - the signature read
+     * @param params.data.signatureFromRequest - the signature read
      *                                                    from the request
-     * @param {string} params.data.stringToSign - the stringToSign
+     * @param params.data.stringToSign - the stringToSign
-     * @param {string} params.data.algo - the hashing algorithm used for the
+     * @param params.data.algo - the hashing algorithm used for the
      *                                    signature
-     * @param {string} params.data.authType - the type of authentication (query
+     * @param params.data.authType - the type of authentication (query
      *                                        or header)
-     * @param {string} params.data.signatureVersion - the version of the
+     * @param params.data.signatureVersion - the version of the
      *                                                signature (AWS or AWS4)
-     * @param {number} [params.data.signatureAge] - the age of the signature in
+     * @param [params.data.signatureAge] - the age of the signature in
      *                                              ms
-     * @param {string} params.data.log - the logger object
+     * @param params.data.log - the logger object
      * @param {RequestContext []} requestContexts - an array of RequestContext
      * instances which contain information for policy authorization check
-     * @param {function} callback - callback with either error or user info
+     * @param callback - callback with either error or user info
-     * @returns {undefined}
      */
-    authenticateV2Request(params, requestContexts, callback) {
+    authenticateV2Request(
+        params: {
+            version: 2;
+            log: Logger;
+            data: {
+                securityToken: string;
+                accessKey: string;
+                signatureFromRequest: string;
+                stringToSign: string;
+                algo: string;
+                authType: 'query' | 'header';
+                signatureVersion: string;
+                signatureAge?: number;
+                log: Logger;
+            };
+        },
+        requestContexts: any[],
+        callback: (err: Error | null, data?: any) => void
+    ) {
         params.log.debug('authenticating V2 request');
-        let serializedRCsArr;
+        let serializedRCsArr: any;
         if (requestContexts) {
             serializedRCsArr = requestContexts.map(rc => rc.serialize());
         }
@@ -85,44 +113,66 @@ class Vault {
             params.data.accessKey,
             {
                 algo: params.data.algo,
+                // @ts-ignore
                 reqUid: params.log.getSerializedUids(),
                 logger: params.log,
                 securityToken: params.data.securityToken,
                 requestContext: serializedRCsArr,
             },
-            (err, userInfo) => vaultSignatureCb(err, userInfo,
+            (err: Error | null, userInfo?: any) => vaultSignatureCb(err, userInfo,
-                                                params.log, callback)
+                params.log, callback),
         );
     }
 
     /** authenticateV4Request
-     * @param {object} params - the authentication parameters as returned by
+     * @param params - the authentication parameters as returned by
      *                          auth.extractParams
-     * @param {number} params.version - shall equal 4
+     * @param params.version - shall equal 4
-     * @param {string} params.data.log - the logger object
+     * @param params.data.log - the logger object
-     * @param {string} params.data.accessKey - the user's accessKey
+     * @param params.data.accessKey - the user's accessKey
-     * @param {string} params.data.signatureFromRequest - the signature read
+     * @param params.data.signatureFromRequest - the signature read
      *                                                    from the request
-     * @param {string} params.data.region - the AWS region
+     * @param params.data.region - the AWS region
-     * @param {string} params.data.stringToSign - the stringToSign
+     * @param params.data.stringToSign - the stringToSign
-     * @param {string} params.data.scopeDate - the timespan to allow the request
+     * @param params.data.scopeDate - the timespan to allow the request
-     * @param {string} params.data.authType - the type of authentication (query
+     * @param params.data.authType - the type of authentication (query
      *                                        or header)
-     * @param {string} params.data.signatureVersion - the version of the
+     * @param params.data.signatureVersion - the version of the
      *                                                signature (AWS or AWS4)
-     * @param {number} params.data.signatureAge - the age of the signature in ms
+     * @param params.data.signatureAge - the age of the signature in ms
-     * @param {number} params.data.timestamp - signaure timestamp
+     * @param params.data.timestamp - signaure timestamp
-     * @param {string} params.credentialScope - credentialScope for signature
+     * @param params.credentialScope - credentialScope for signature
      * @param {RequestContext [] | null} requestContexts -
      * an array of RequestContext or null if authenticaiton of a chunk
      * in streamingv4 auth
      * instances which contain information for policy authorization check
-     * @param {function} callback - callback with either error or user info
+     * @param callback - callback with either error or user info
-     * @return {undefined}
     */
-    authenticateV4Request(params, requestContexts, callback) {
+    authenticateV4Request(
+        params: {
+            version: 4;
+            log: Logger;
+            data: {
+                accessKey: string;
+                signatureFromRequest: string;
+                region: string;
+                stringToSign: string;
+                scopeDate: string;
+                authType: 'query' | 'header';
+                signatureVersion: string;
+                signatureAge?: number;
+                timestamp: number;
+                credentialScope: string;
+                securityToken: string;
+                algo: string;
+                log: Logger;
+            };
+        },
+        requestContexts: any[],
+        callback: (err: Error | null, data?: any) => void
+    ) {
         params.log.debug('authenticating V4 request');
-        let serializedRCs;
+        let serializedRCs: any;
         if (requestContexts) {
             serializedRCs = requestContexts.map(rc => rc.serialize());
         }
@@ -140,31 +190,39 @@ class Vault {
             params.data.region,
             params.data.scopeDate,
             {
+                // @ts-ignore
                 reqUid: params.log.getSerializedUids(),
                 logger: params.log,
                 securityToken: params.data.securityToken,
                 requestContext: serializedRCs,
             },
-            (err, userInfo) => vaultSignatureCb(err, userInfo,
+            (err: Error | null, userInfo?: any) => vaultSignatureCb(err, userInfo,
-                params.log, callback, streamingV4Params)
+                params.log, callback, streamingV4Params),
         );
     }
 
     /** getCanonicalIds -- call Vault to get canonicalIDs based on email
      * addresses
-     * @param {array} emailAddresses - list of emailAddresses
+     * @param emailAddresses - list of emailAddresses
-     * @param {object} log - log object
+     * @param log - log object
-     * @param {function} callback - callback with either error or an array
+     * @param callback - callback with either error or an array
      * of objects with each object containing the canonicalID and emailAddress
      * of an account as properties
-     * @return {undefined}
     */
-    getCanonicalIds(emailAddresses, log, callback) {
+    getCanonicalIds(
+        emailAddresses: string[],
+        log: Logger,
+        callback: (
+            err: Error | null,
+            data?: { canonicalID: string; email: string }[]
+        ) => void
+    ) {
         log.trace('getting canonicalIDs from Vault based on emailAddresses',
             { emailAddresses });
         this.client.getCanonicalIds(emailAddresses,
+            // @ts-ignore
             { reqUid: log.getSerializedUids() },
-            (err, info) => {
+            (err: Error | null, info?: any) => {
                 if (err) {
                     log.debug('received error message from auth provider',
                         { errorMessage: err });
@@ -172,17 +230,17 @@ class Vault {
                 }
                 const infoFromVault = info.message.body;
                 log.trace('info received from vault', { infoFromVault });
-                const foundIds = [];
+                const foundIds: { canonicalID: string; email: string }[] = [];
                 for (let i = 0; i < Object.keys(infoFromVault).length; i++) {
                     const key = Object.keys(infoFromVault)[i];
                     if (infoFromVault[key] === 'WrongFormat'
                     || infoFromVault[key] === 'NotFound') {
                         return callback(errors.UnresolvableGrantByEmailAddress);
                     }
-                    const obj = {};
+                    foundIds.push({
-                    obj.email = key;
+                        email: key,
-                    obj.canonicalID = infoFromVault[key];
+                        canonicalID: infoFromVault[key],
-                    foundIds.push(obj);
+                    })
                 }
                 return callback(null, foundIds);
             });
@@ -190,18 +248,22 @@ class Vault {
 
     /** getEmailAddresses -- call Vault to get email addresses based on
      * canonicalIDs
-     * @param {array} canonicalIDs - list of canonicalIDs
+     * @param canonicalIDs - list of canonicalIDs
-     * @param {object} log - log object
+     * @param log - log object
-     * @param {function} callback - callback with either error or an object
+     * @param callback - callback with either error or an object
      * with canonicalID keys and email address values
-     * @return {undefined}
     */
-    getEmailAddresses(canonicalIDs, log, callback) {
+    getEmailAddresses(
+        canonicalIDs: string[],
+        log: Logger,
+        callback: (err: Error | null, data?: { [key: string]: any }) => void
+    ) {
         log.trace('getting emailAddresses from Vault based on canonicalIDs',
             { canonicalIDs });
         this.client.getEmailAddresses(canonicalIDs,
+            // @ts-ignore
             { reqUid: log.getSerializedUids() },
-            (err, info) => {
+            (err: Error | null, info?: any) => {
                 if (err) {
                     log.debug('received error message from vault',
                         { errorMessage: err });
@@ -224,18 +286,22 @@ class Vault {
 
     /** getAccountIds -- call Vault to get accountIds based on
      * canonicalIDs
-     * @param {array} canonicalIDs - list of canonicalIDs
+     * @param canonicalIDs - list of canonicalIDs
-     * @param {object} log - log object
+     * @param log - log object
-     * @param {function} callback - callback with either error or an object
+     * @param callback - callback with either error or an object
      * with canonicalID keys and accountId values
-     * @return {undefined}
     */
-    getAccountIds(canonicalIDs, log, callback) {
+    getAccountIds(
+        canonicalIDs: string[],
+        log: Logger,
+        callback: (err: Error | null, data?: { [key: string]: string }) => void
+    ) {
         log.trace('getting accountIds from Vault based on canonicalIDs',
         { canonicalIDs });
         this.client.getAccountIds(canonicalIDs,
+            // @ts-expect-error
             { reqUid: log.getSerializedUids() },
-        (err, info) => {
+            (err: Error | null, info?: any) => {
                 if (err) {
                     log.debug('received error message from vault',
                         { errorMessage: err });
@@ -268,14 +334,19 @@ class Vault {
      * @param {object} log - log object
      * @param {function} callback - callback with either error or an array
      * of authorization results
-     * @return {undefined}
     */
-    checkPolicies(requestContextParams, userArn, log, callback) {
+    checkPolicies(
+        requestContextParams: any[],
+        userArn: string,
+        log: Logger,
+        callback: (err: Error | null, data?: any[]) => void
+    ) {
         log.trace('sending request context params to vault to evaluate' +
         'policies');
         this.client.checkPolicies(requestContextParams, userArn, {
+            // @ts-ignore
             reqUid: log.getSerializedUids(),
-        }, (err, info) => {
+        }, (err: Error | null, info?: any) => {
             if (err) {
                 log.debug('received error message from auth provider',
                     { error: err });
@@ -286,13 +357,14 @@ class Vault {
         });
     }
 
-    checkHealth(log, callback) {
+    checkHealth(log: Logger, callback: (err: Error | null, data?: any) => void) {
         if (!this.client.healthcheck) {
             const defResp = {};
             defResp[this.implName] = { code: 200, message: 'OK' };
             return callback(null, defResp);
         }
-        return this.client.healthcheck(log.getSerializedUids(), (err, obj) => {
+        // @ts-ignore
+        return this.client.healthcheck(log.getSerializedUids(), (err: Error | null, obj?: any) => {
             const respBody = {};
             if (err) {
                 log.debug(`error from ${this.implName}`, { error: err });
@@ -312,5 +384,3 @@ class Vault {
         });
     }
 }
-
-module.exports = Vault;

lib/auth/auth.ts

@@ -1,22 +1,21 @@
-'use strict'; // eslint-disable-line strict
+import * as crypto from 'crypto';
+import { Logger } from 'werelogs';
+import errors from '../errors';
+import * as queryString from 'querystring';
+import AuthInfo from './AuthInfo';
+import * as v2 from './v2/authV2';
+import * as v4 from './v4/authV4';
+import * as constants from '../constants';
+import constructStringToSignV2 from './v2/constructStringToSign';
+import constructStringToSignV4 from './v4/constructStringToSign';
+import { convertUTCtoISO8601 } from './v4/timeUtils';
+import * as vaultUtilities from './in_memory/vaultUtilities';
+import * as backend from './in_memory/Backend';
+import validateAuthConfig from './in_memory/validateAuthConfig';
+import AuthLoader from './in_memory/AuthLoader';
+import Vault from './Vault';
 
-const crypto = require('crypto');
+let vault: Vault | null = null;
-const errors = require('../errors');
-const queryString = require('querystring');
-const AuthInfo = require('./AuthInfo');
-const v2 = require('./v2/authV2');
-const v4 = require('./v4/authV4');
-const constants = require('../constants');
-const constructStringToSignV2 = require('./v2/constructStringToSign');
-const constructStringToSignV4 = require('./v4/constructStringToSign');
-const convertUTCtoISO8601 = require('./v4/timeUtils').convertUTCtoISO8601;
-const vaultUtilities = require('./in_memory/vaultUtilities');
-const backend = require('./in_memory/Backend');
-const validateAuthConfig = require('./in_memory/validateAuthConfig');
-const AuthLoader = require('./in_memory/AuthLoader');
-const Vault = require('./Vault');
-
-let vault = null;
 const auth = {};
 const checkFunctions = {
     v2: {
@@ -33,7 +32,7 @@ const checkFunctions = {
 // 'All Users Group' so use this group as the canonicalID for the publicUser
 const publicUserInfo = new AuthInfo({ canonicalID: constants.publicId });
 
-function setAuthHandler(handler) {
+function setAuthHandler(handler: Vault) {
     vault = handler;
     return auth;
 }
@@ -41,25 +40,30 @@ function setAuthHandler(handler) {
 /**
  * This function will check validity of request parameters to authenticate
  *
- * @param {Http.Request} request - Http request object
+ * @param request - Http request object
- * @param {object} log - Logger object
+ * @param log - Logger object
- * @param {string} awsService - Aws service related
+ * @param awsService - Aws service related
- * @param {object} data - Parameters from queryString parsing or body of
+ * @param data - Parameters from queryString parsing or body of
  *      POST request
  *
- * @return {object} ret
+ * @return ret
- * @return {object} ret.err - arsenal.errors object if any error was found
+ * @return ret.err - arsenal.errors object if any error was found
- * @return {object} ret.params - auth parameters to use later on for signature
+ * @return ret.params - auth parameters to use later on for signature
  *                               computation and check
- * @return {object} ret.params.version - the auth scheme version
+ * @return ret.params.version - the auth scheme version
  *                                       (undefined, 2, 4)
- * @return {object} ret.params.data - the auth scheme's specific data
+ * @return ret.params.data - the auth scheme's specific data
  */
-function extractParams(request, log, awsService, data) {
+function extractParams(
+    request: any,
+    log: Logger,
+    awsService: string,
+    data: { [key: string]: string }
+) {
     log.trace('entered', { method: 'Arsenal.auth.server.extractParams' });
     const authHeader = request.headers.authorization;
-    let version = null;
+    let version: 'v2' |'v4' | null = null;
-    let method = null;
+    let method: 'query' | 'headers' | null = null;
 
     // Identify auth version and method to dispatch to the right check function
     if (authHeader) {
@@ -102,16 +106,21 @@ function extractParams(request, log, awsService, data) {
 /**
  * This function will check validity of request parameters to authenticate
  *
- * @param {Http.Request} request - Http request object
+ * @param request - Http request object
- * @param {object} log - Logger object
+ * @param log - Logger object
- * @param {function} cb - the callback
+ * @param cb - the callback
- * @param {string} awsService - Aws service related
+ * @param awsService - Aws service related
  * @param {RequestContext[] | null} requestContexts - array of RequestContext
  * or null if no requestContexts to be sent to Vault (for instance,
  * in multi-object delete request)
- * @return {undefined}
  */
-function doAuth(request, log, cb, awsService, requestContexts) {
+function doAuth(
+    request: any,
+    log: Logger,
+    cb: (err: Error | null, data?: any) => void,
+    awsService: string,
+    requestContexts: any[] | null
+) {
     const res = extractParams(request, log, awsService, request.query);
     if (res.err) {
         return cb(res.err);
@@ -119,23 +128,31 @@ function doAuth(request, log, cb, awsService, requestContexts) {
         return cb(null, res.params);
     }
     if (requestContexts) {
-        requestContexts.forEach(requestContext => {
+        requestContexts.forEach((requestContext) => {
-            requestContext.setAuthType(res.params.data.authType);
+            const { params } = res
-            requestContext.setSignatureVersion(res.params
+            if ('data' in params) {
-                .data.signatureVersion);
+                const { data } = params
-            requestContext.setSignatureAge(res.params.data.signatureAge);
+                requestContext.setAuthType(data.authType);
-            requestContext.setSecurityToken(res.params.data.securityToken);
+                requestContext.setSignatureVersion(data.signatureVersion);
+                requestContext.setSecurityToken(data.securityToken);
+                if ('signatureAge' in data) {
+                    requestContext.setSignatureAge(data.signatureAge);
+                }
+            }
         });
     }
 
     // Corner cases managed, we're left with normal auth
+    // TODO What's happening here?
+    // @ts-ignore
     res.params.log = log;
     if (res.params.version === 2) {
-        return vault.authenticateV2Request(res.params, requestContexts, cb);
+        // @ts-ignore
+        return vault!.authenticateV2Request(res.params, requestContexts, cb);
     }
     if (res.params.version === 4) {
-        return vault.authenticateV4Request(res.params, requestContexts, cb,
+        // @ts-ignore
-            awsService);
+        return vault!.authenticateV4Request(res.params, requestContexts, cb);
     }
 
     log.error('authentication method not found', {
@@ -147,19 +164,25 @@ function doAuth(request, log, cb, awsService, requestContexts) {
 /**
  * This function will generate a version 4 header
  *
- * @param {Http.Request} request - Http request object
+ * @param request - Http request object
- * @param {object} data - Parameters from queryString parsing or body of
+ * @param data - Parameters from queryString parsing or body of
  *                        POST request
- * @param {string} accessKey - the accessKey
+ * @param accessKey - the accessKey
- * @param {string} secretKeyValue - the secretKey
+ * @param secretKeyValue - the secretKey
- * @param {string} awsService - Aws service related
+ * @param awsService - Aws service related
- * @param {sting} [proxyPath] - path that gets proxied by reverse proxy
+ * @param [proxyPath] - path that gets proxied by reverse proxy
- * @param {string} [sessionToken] - security token if the access/secret keys
+ * @param [sessionToken] - security token if the access/secret keys
  *                                are temporary credentials from STS
- * @return {undefined}
  */
-function generateV4Headers(request, data, accessKey, secretKeyValue,
+function generateV4Headers(
-                           awsService, proxyPath, sessionToken) {
+    request: any,
+    data: { [key: string]: string },
+    accessKey: string,
+    secretKeyValue: string,
+    awsService: string,
+    proxyPath: string,
+    sessionToken: string
+) {
     Object.assign(request, { headers: {} });
     const amzDate = convertUTCtoISO8601(Date.now());
     // get date without time
@@ -173,7 +196,7 @@ function generateV4Headers(request, data, accessKey, secretKeyValue,
 
     let payload = '';
     if (request.method === 'POST') {
-        payload = queryString.stringify(data, null, null, {
+        payload = queryString.stringify(data, undefined, undefined, {
             encodeURIComponent,
         });
     }
@@ -203,7 +226,7 @@ function generateV4Headers(request, data, accessKey, secretKeyValue,
                                                           scopeDate,
                                                           service);
     const signature = crypto.createHmac('sha256', signingKey)
-        .update(stringToSign, 'binary').digest('hex');
+        .update(stringToSign as string, 'binary').digest('hex');
     const authorizationHeader = `${algorithm} Credential=${accessKey}` +
         `/${credentialScope}, SignedHeaders=${signedHeaders}, ` +
         `Signature=${signature}`;
@@ -211,21 +234,11 @@ function generateV4Headers(request, data, accessKey, secretKeyValue,
     Object.assign(request, { headers: {} });
 }
 
-module.exports = {
+export const server = { extractParams, doAuth }
-    setHandler: setAuthHandler,
+export const client = { generateV4Headers, constructStringToSignV2 }
-    server: {
+export const inMemory = { backend, validateAuthConfig, AuthLoader }
-        extractParams,
+export {
-        doAuth,
+    setAuthHandler as setHandler,
-    },
-    client: {
-        generateV4Headers,
-        constructStringToSignV2,
-    },
-    inMemory: {
-        backend,
-        validateAuthConfig,
-        AuthLoader,
-    },
     AuthInfo,
-    Vault,
+    Vault
-};
+}

lib/auth/in_memory/Backend.ts

@@ -1,13 +1,10 @@
-'use strict'; // eslint-disable-line strict
+import * as crypto from 'crypto';
+import errors from '../../errors';
+import { calculateSigningKey, hashSignature } from './vaultUtilities';
+import Indexer from './Indexer';
+import { Accounts } from './types';
 
-const crypto = require('crypto');
+function _formatResponse(userInfoToSend: any) {
-
-const errors = require('../../errors');
-const calculateSigningKey = require('./vaultUtilities').calculateSigningKey;
-const hashSignature = require('./vaultUtilities').hashSignature;
-const Indexer = require('./Indexer');
-
-function _formatResponse(userInfoToSend) {
     return {
         message: {
             body: { userInfo: userInfoToSend },
@@ -18,33 +15,27 @@ function _formatResponse(userInfoToSend) {
 /**
  * Class that provides a memory backend for verifying signatures and getting
  * emails and canonical ids associated with an account.
- *
- * @class Backend
  */
 class Backend {
-    /**
+    indexer: Indexer;
-     * @constructor
+    service: string;
-     * @param {string} service - service identifer for construction arn
+
-     * @param {Indexer} indexer - indexer instance for retrieving account info
+    constructor(service: string, indexer: Indexer) {
-     * @param {function} formatter - function which accepts user info to send
-     * back and returns it in an object
-     */
-    constructor(service, indexer, formatter) {
         this.service = service;
         this.indexer = indexer;
-        this.formatResponse = formatter;
     }
 
-    /** verifySignatureV2
+    // CODEQUALITY-TODO-SYNC Should be synchronous
-    * @param {string} stringToSign - string to sign built per AWS rules
+    verifySignatureV2(
-    * @param {string} signatureFromRequest - signature sent with request
+        stringToSign: string,
-    * @param {string} accessKey - account accessKey
+        signatureFromRequest: string,
-    * @param {object} options - contains algorithm (SHA1 or SHA256)
+        accessKey: string,
-    * @param {function} callback - callback with either error or user info
+        options: { algo: 'SHA256' | 'SHA1' },
-    * @return {function} calls callback
+        callback: (
-    */
+            error: Error | null,
-    verifySignatureV2(stringToSign, signatureFromRequest,
+            data?: ReturnType<typeof _formatResponse>
-        accessKey, options, callback) {
+        ) => void
+    ) {
         const entity = this.indexer.getEntityByKey(accessKey);
         if (!entity) {
             return callback(errors.InvalidAccessKeyId);
@@ -59,26 +50,28 @@ class Backend {
             accountDisplayName: this.indexer.getAcctDisplayName(entity),
             canonicalID: entity.canonicalID,
             arn: entity.arn,
+            // TODO Why?
+            // @ts-ignore
             IAMdisplayName: entity.IAMdisplayName,
         };
-        const vaultReturnObject = this.formatResponse(userInfoToSend);
+        const vaultReturnObject = _formatResponse(userInfoToSend);
         return callback(null, vaultReturnObject);
     }
 
-
+    // TODO Options not used. Why ?
-    /** verifySignatureV4
+    // CODEQUALITY-TODO-SYNC Should be synchronous
-     * @param {string} stringToSign - string to sign built per AWS rules
+    verifySignatureV4(
-     * @param {string} signatureFromRequest - signature sent with request
+        stringToSign: string,
-     * @param {string} accessKey - account accessKey
+        signatureFromRequest: string,
-     * @param {string} region - region specified in request credential
+        accessKey: string,
-     * @param {string} scopeDate - date specified in request credential
+        region: string,
-     * @param {object} options - options to send to Vault
+        scopeDate: string,
-     * (just contains reqUid for logging in Vault)
+        _options: { algo: 'SHA256' | 'SHA1' },
-     * @param {function} callback - callback with either error or user info
+        callback: (
-     * @return {function} calls callback
+            err: Error | null,
-     */
+            data?: ReturnType<typeof _formatResponse>
-    verifySignatureV4(stringToSign, signatureFromRequest, accessKey,
+        ) => void
-        region, scopeDate, options, callback) {
+    ) {
         const entity = this.indexer.getEntityByKey(accessKey);
         if (!entity) {
             return callback(errors.InvalidAccessKeyId);
@@ -94,23 +87,21 @@ class Backend {
             accountDisplayName: this.indexer.getAcctDisplayName(entity),
             canonicalID: entity.canonicalID,
             arn: entity.arn,
+            // TODO Why?
+            // @ts-ignore
             IAMdisplayName: entity.IAMdisplayName,
         };
-        const vaultReturnObject = this.formatResponse(userInfoToSend);
+        const vaultReturnObject = _formatResponse(userInfoToSend);
         return callback(null, vaultReturnObject);
     }
 
-    /**
+    // TODO log not used. Why ?
-     * Gets canonical ID's for a list of accounts
+    // CODEQUALITY-TODO-SYNC Should be synchronous
-     * based on email associated with account
+    getCanonicalIds(
-     * @param {array} emails - list of email addresses
+        emails: string[],
-     * @param {object} log - log object
+        _log: any,
-     * @param {function} cb - callback to calling function
+        cb: (err: null, data: { message: { body: any } }) => void
-     * @returns {function} callback with either error or
+    ) {
-     * object with email addresses as keys and canonical IDs
-     * as values
-     */
-    getCanonicalIds(emails, log, cb) {
         const results = {};
         emails.forEach(email => {
             const lowercasedEmail = email.toLowerCase();
@@ -130,17 +121,13 @@ class Backend {
         return cb(null, vaultReturnObject);
     }
 
-    /**
+    // TODO options not used. Why ?
-     * Gets email addresses (referred to as diplay names for getACL's)
+    // CODEQUALITY-TODO-SYNC Should be synchronous
-     * for a list of accounts based on canonical IDs associated with account
+    getEmailAddresses(
-     * @param {array} canonicalIDs - list of canonicalIDs
+        canonicalIDs: string[],
-     * @param {object} options - to send log id to vault
+        _options: any,
-     * @param {function} cb - callback to calling function
+        cb: (err: null, data: { message: { body: any } }) => void
-     * @returns {function} callback with either error or
+    ) {
-     * an object from Vault containing account canonicalID
-     * as each object key and an email address as the value (or "NotFound")
-     */
-    getEmailAddresses(canonicalIDs, options, cb) {
         const results = {};
         canonicalIDs.forEach(canonicalId => {
             const foundEntity = this.indexer.getEntityByCanId(canonicalId);
@@ -158,17 +145,24 @@ class Backend {
         return cb(null, vaultReturnObject);
     }
 
+    // TODO options not used. Why ?
+    // CODEQUALITY-TODO-SYNC Should be synchronous
     /**
      * Gets accountIds for a list of accounts based on
      * the canonical IDs associated with the account
-     * @param {array} canonicalIDs - list of canonicalIDs
+     * @param canonicalIDs - list of canonicalIDs
-     * @param {object} options - to send log id to vault
+     * @param _options - to send log id to vault
-     * @param {function} cb - callback to calling function
+     * @param cb - callback to calling function
-     * @returns {function} callback with either error or
+     * @returns The next is wrong. Here to keep archives.
+     * callback with either error or
      * an object from Vault containing account canonicalID
      * as each object key and an accountId as the value (or "NotFound")
      */
-    getAccountIds(canonicalIDs, options, cb) {
+    getAccountIds(
+        canonicalIDs: string[],
+        _options: any,
+        cb: (err: null, data: { message: { body: any } }) => void
+    ) {
         const results = {};
         canonicalIDs.forEach(canonicalID => {
             const foundEntity = this.indexer.getEntityByCanId(canonicalID);
@@ -187,31 +181,14 @@ class Backend {
     }
 }
 
-
 class S3AuthBackend extends Backend {
-    /**
+    constructor(authdata: Accounts) {
-     * @constructor
+        super('s3', new Indexer(authdata));
-     * @param {object} authdata - the authentication config file's data
-     * @param {object[]} authdata.accounts - array of account objects
-     * @param {string=} authdata.accounts[].name - account name
-     * @param {string} authdata.accounts[].email - account email
-     * @param {string} authdata.accounts[].arn - IAM resource name
-     * @param {string} authdata.accounts[].canonicalID - account canonical ID
-     * @param {string} authdata.accounts[].shortid - short account ID
-     * @param {object[]=} authdata.accounts[].keys - array of key objects
-     * @param {string} authdata.accounts[].keys[].access - access key
-     * @param {string} authdata.accounts[].keys[].secret - secret key
-     * @return {undefined}
-     */
-    constructor(authdata) {
-        super('s3', new Indexer(authdata), _formatResponse);
     }
 
-    refreshAuthData(authData) {
+    refreshAuthData(authData: Accounts) {
         this.indexer = new Indexer(authData);
     }
 }
 
-module.exports = {
+export { S3AuthBackend as s3 };
-    s3: S3AuthBackend,
-};

lib/auth/in_memory/Indexer.ts

@@ -1,27 +1,19 @@
+import { Accounts, Account, Entity } from './types';
+
 /**
  * Class that provides an internal indexing over the simple data provided by
  * the authentication configuration file for the memory backend. This allows
  * accessing the different authentication entities through various types of
  * keys.
- *
- * @class Indexer
  */
-class Indexer {
+export default class Indexer {
-    /**
+    accountsBy: {
-     * @constructor
+        canId: { [id: string]: Entity | undefined },
-     * @param {object} authdata - the authentication config file's data
+        accessKey: { [id: string]: Entity | undefined },
-     * @param {object[]} authdata.accounts - array of account objects
+        email: { [id: string]: Entity | undefined },
-     * @param {string=} authdata.accounts[].name - account name
+    }
-     * @param {string} authdata.accounts[].email - account email
+
-     * @param {string} authdata.accounts[].arn - IAM resource name
+    constructor(authdata?: Accounts) {
-     * @param {string} authdata.accounts[].canonicalID - account canonical ID
-     * @param {string} authdata.accounts[].shortid - short account ID
-     * @param {object[]=} authdata.accounts[].keys - array of key objects
-     * @param {string} authdata.accounts[].keys[].access - access key
-     * @param {string} authdata.accounts[].keys[].secret - secret key
-     * @return {undefined}
-     */
-    constructor(authdata) {
         this.accountsBy = {
             canId: {},
             accessKey: {},
@@ -37,11 +29,11 @@ class Indexer {
             return;
         }
 
-        this._build(authdata);
+        this.#build(authdata);
     }
 
-    _indexAccount(account) {
+    #indexAccount(account: Account) {
-        const accountData = {
+        const accountData: Entity = {
             arn: account.arn,
             canonicalID: account.canonicalID,
             shortid: account.shortid,
@@ -59,87 +51,43 @@ class Indexer {
         }
     }
 
-    _build(authdata) {
+    #build(authdata: Accounts) {
         authdata.accounts.forEach(account => {
-            this._indexAccount(account);
+            this.#indexAccount(account);
         });
     }
 
-    /**
+    /** This method returns the account associated to a canonical ID. */
-     * This method returns the account associated to a canonical ID.
+    getEntityByCanId(canId: string): Entity | undefined {
-     *
-     * @param {string} canId - The canonicalId of the account
-     * @return {Object} account - The account object
-     * @return {Object} account.arn - The account's ARN
-     * @return {Object} account.canonicalID - The account's canonical ID
-     * @return {Object} account.shortid - The account's internal shortid
-     * @return {Object} account.accountDisplayName - The account's display name
-     * @return {Object} account.email - The account's lowercased email
-     */
-    getEntityByCanId(canId) {
         return this.accountsBy.canId[canId];
     }
 
     /**
      * This method returns the entity (either an account or a user) associated
      * to a canonical ID.
-     *
      * @param {string} key - The accessKey of the entity
-     * @return {Object} entity - The entity object
-     * @return {Object} entity.arn - The entity's ARN
-     * @return {Object} entity.canonicalID - The canonical ID for the entity's
-     *                                       account
-     * @return {Object} entity.shortid - The entity's internal shortid
-     * @return {Object} entity.accountDisplayName - The entity's account
-     *                                              display name
-     * @return {Object} entity.IAMDisplayName - The user's display name
-     *                                          (if the entity is an user)
-     * @return {Object} entity.email - The entity's lowercased email
      */
-    getEntityByKey(key) {
+    getEntityByKey(key: string): Entity | undefined {
         return this.accountsBy.accessKey[key];
     }
 
     /**
      * This method returns the entity (either an account or a user) associated
      * to an email address.
-     *
-     * @param {string} email - The email address
-     * @return {Object} entity - The entity object
-     * @return {Object} entity.arn - The entity's ARN
-     * @return {Object} entity.canonicalID - The canonical ID for the entity's
-     *                                       account
-     * @return {Object} entity.shortid - The entity's internal shortid
-     * @return {Object} entity.accountDisplayName - The entity's account
-     *                                              display name
-     * @return {Object} entity.IAMDisplayName - The user's display name
-     *                                          (if the entity is an user)
-     * @return {Object} entity.email - The entity's lowercased email
      */
-    getEntityByEmail(email) {
+    getEntityByEmail(email: string): Entity | undefined {
         const lowerCasedEmail = email.toLowerCase();
         return this.accountsBy.email[lowerCasedEmail];
     }
 
-    /**
+    /** This method returns the secret key associated with the entity. */
-    * This method returns the secret key associated with the entity.
+    getSecretKey(entity: Entity, accessKey: string) {
-    * @param {Object} entity - the entity object
+        const keys = entity.keys.filter(kv => kv.access === accessKey);
-    * @param {string} accessKey - access key
+        return keys[0].secret;
-    * @returns {string} secret key
-    */
-    getSecretKey(entity, accessKey) {
-        return entity.keys
-            .filter(kv => kv.access === accessKey)[0].secret;
     }
 
-    /**
+    /** This method returns the account display name associated with the entity. */
-    * This method returns the account display name associated with the entity.
+    getAcctDisplayName(entity: Entity) {
-    * @param {Object} entity - the entity object
-    * @returns {string} account display name
-    */
-    getAcctDisplayName(entity) {
         return entity.accountDisplayName;
     }
 }
-
-module.exports = Indexer;

lib/auth/in_memory/validateAuthConfig.ts

@@ -1,18 +1,16 @@
-const AuthLoader = require('./AuthLoader');
+import { Logger } from 'werelogs';
+import AuthLoader from './AuthLoader';
+import { Accounts } from './types';
 
 /**
  * @deprecated please use {@link AuthLoader} class instead
- *
+ * @return true on erroneous data false on success
- * @param {object} authdata - the authentication config file's data
- * @param {werelogs.API} logApi - object providing a constructor function
- *                                for the Logger object
- * @return {boolean} true on erroneous data
- *                   false on success
  */
-function validateAuthConfig(authdata, logApi) {
+export default function validateAuthConfig(
+    authdata: Accounts,
+    logApi?: { Logger: typeof Logger }
+) {
     const authLoader = new AuthLoader(logApi);
     authLoader.addAccounts(authdata);
     return !authLoader.validate();
 }
-
-module.exports = validateAuthConfig;

lib/auth/v2/algoCheck.ts

@@ -1,7 +1,5 @@
-'use strict'; // eslint-disable-line strict
+export default function algoCheck(signatureLength: number) {
-
+    let algo: 'sha256' | 'sha1';
-function algoCheck(signatureLength) {
-    let algo;
     // If the signature sent is 44 characters,
     // this means that sha256 was used:
     // 44 characters in base64
@@ -13,7 +11,6 @@ function algoCheck(signatureLength) {
     if (signatureLength === SHA1LEN) {
         algo = 'sha1';
     }
+    // @ts-ignore
     return algo;
 }
-
-module.exports = algoCheck;

lib/auth/v2/authV2.ts

@@ -1,11 +1,2 @@
-'use strict'; // eslint-disable-line strict
+export * as header from './headerAuthCheck';
-
+export * as query from './queryAuthCheck';
-const headerAuthCheck = require('./headerAuthCheck');
-const queryAuthCheck = require('./queryAuthCheck');
-
-const authV2 = {
-    header: headerAuthCheck,
-    query: queryAuthCheck,
-};
-
-module.exports = authV2;

lib/auth/v2/checkRequestExpiry.ts

@@ -1,9 +1,9 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
-const errors = require('../../errors');
+import errors from '../../errors';
 
 const epochTime = new Date('1970-01-01').getTime();
 
-function checkRequestExpiry(timestamp, log) {
+export default function checkRequestExpiry(timestamp: number, log: Logger) {
     // If timestamp is before epochTime, the request is invalid and return
     // errors.AccessDenied
     if (timestamp < epochTime) {
@@ -32,5 +32,3 @@ function checkRequestExpiry(timestamp, log) {
 
     return undefined;
 }
-
-module.exports = checkRequestExpiry;

lib/auth/v2/constructStringToSign.ts

@@ -1,11 +1,14 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
+import utf8 from 'utf8';
+import getCanonicalizedAmzHeaders from './getCanonicalizedAmzHeaders';
+import getCanonicalizedResource from './getCanonicalizedResource';
 
-const utf8 = require('utf8');
+export default function constructStringToSign(
-
+    request: any,
-const getCanonicalizedAmzHeaders = require('./getCanonicalizedAmzHeaders');
+    data: { [key: string]: string },
-const getCanonicalizedResource = require('./getCanonicalizedResource');
+    log: Logger,
-
+    clientType?: any
-function constructStringToSign(request, data, log, clientType) {
+) {
     /*
     Build signature per AWS requirements:
     StringToSign = HTTP-Verb + '\n' +
@@ -42,5 +45,3 @@ function constructStringToSign(request, data, log, clientType) {
         + getCanonicalizedResource(request, clientType);
     return utf8.encode(stringToSign);
 }
-
-module.exports = constructStringToSign;

lib/auth/v2/getCanonicalizedAmzHeaders.ts

@@ -1,14 +1,12 @@
-'use strict'; // eslint-disable-line strict
+export default function getCanonicalizedAmzHeaders(headers: Headers, clientType: string) {
-
-function getCanonicalizedAmzHeaders(headers, clientType) {
     /*
     Iterate through headers and pull any headers that are x-amz headers.
     Need to include 'x-amz-date' here even though AWS docs
     ambiguous on this.
     */
     const filterFn = clientType === 'GCP' ?
-        val => val.substr(0, 7) === 'x-goog-' :
+        (val: string) => val.substr(0, 7) === 'x-goog-' :
-        val => val.substr(0, 6) === 'x-amz-';
+        (val: string) => val.substr(0, 6) === 'x-amz-';
     const amzHeaders = Object.keys(headers)
         .filter(filterFn)
         .map(val => [val.trim(), headers[val].trim()]);
@@ -43,5 +41,3 @@ function getCanonicalizedAmzHeaders(headers, clientType) {
         `${headerStr}${current[0]}:${current[1]}\n`,
         '');
 }
-
-module.exports = getCanonicalizedAmzHeaders;

lib/auth/v2/getCanonicalizedResource.ts

@@ -1,6 +1,4 @@
-'use strict'; // eslint-disable-line strict
+import * as url from 'url';
-
-const url = require('url');
 
 const gcpSubresources = [
     'acl',
@@ -41,7 +39,7 @@ const awsSubresources = [
     'website',
 ];
 
-function getCanonicalizedResource(request, clientType) {
+export default function getCanonicalizedResource(request: any, clientType: string) {
     /*
     This variable is used to determine whether to insert
     a '?' or '&'.  Once a query parameter is added to the resourceString,
@@ -117,5 +115,3 @@ function getCanonicalizedResource(request, clientType) {
     }
     return resourceString;
 }
-
-module.exports = getCanonicalizedResource;

lib/auth/v2/headerAuthCheck.ts

@@ -1,12 +1,11 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
+import errors from '../../errors';
+import * as constants from '../../constants';
+import constructStringToSign from './constructStringToSign';
+import checkRequestExpiry from './checkRequestExpiry';
+import algoCheck from './algoCheck';
 
-const errors = require('../../errors');
+export function check(request: any, log: Logger, data: { [key: string]: string }) {
-const constants = require('../../constants');
-const constructStringToSign = require('./constructStringToSign');
-const checkRequestExpiry = require('./checkRequestExpiry');
-const algoCheck = require('./algoCheck');
-
-function check(request, log, data) {
     log.trace('running header auth check');
     const headers = request.headers;
 
@@ -52,6 +51,7 @@ function check(request, log, data) {
         log.trace('invalid authorization header', { authInfo });
         return { err: errors.MissingSecurityHeader };
     }
+    // @ts-ignore
     log.addDefaultFields({ accessKey });
 
     const signatureFromRequest = authInfo.substring(semicolonIndex + 1).trim();
@@ -80,5 +80,3 @@ function check(request, log, data) {
         },
     };
 }
-
-module.exports = { check };

lib/auth/v2/queryAuthCheck.ts

@@ -1,11 +1,10 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
+import errors from '../../errors';
+import * as constants from '../../constants';
+import algoCheck from './algoCheck';
+import constructStringToSign from './constructStringToSign';
 
-const errors = require('../../errors');
+export function check(request: any, log: Logger, data: { [key: string]: string }) {
-const constants = require('../../constants');
-const algoCheck = require('./algoCheck');
-const constructStringToSign = require('./constructStringToSign');
-
-function check(request, log, data) {
     log.trace('running query auth check');
     if (request.method === 'POST') {
         log.debug('query string auth not supported for post requests');
@@ -51,6 +50,7 @@ function check(request, log, data) {
         return { err: errors.RequestTimeTooSkewed };
     }
     const accessKey = data.AWSAccessKeyId;
+    // @ts-ignore
     log.addDefaultFields({ accessKey });
 
     const signatureFromRequest = decodeURIComponent(data.Signature);
@@ -82,5 +82,3 @@ function check(request, log, data) {
         },
     };
 }
-
-module.exports = { check };

lib/auth/v4/authV4.ts

@@ -1,11 +1,2 @@
-'use strict'; // eslint-disable-line strict
+export * as header from './headerAuthCheck';
-
+export * as query from './queryAuthCheck';
-const headerAuthCheck = require('./headerAuthCheck');
-const queryAuthCheck = require('./queryAuthCheck');
-
-const authV4 = {
-    header: headerAuthCheck,
-    query: queryAuthCheck,
-};
-
-module.exports = authV4;

lib/auth/v4/awsURIencode.ts

@@ -1,5 +1,3 @@
-'use strict'; // eslint-disable-line strict
-
 /*
 AWS's URI encoding rules:
 URI encode every byte. Uri-Encode() must enforce the following rules:
@@ -19,7 +17,7 @@ See http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
 */
 
 // converts utf8 character to hex and pads "%" before every two hex digits
-function _toHexUTF8(char) {
+function _toHexUTF8(char: string) {
     const hexRep = Buffer.from(char, 'utf8').toString('hex').toUpperCase();
     let res = '';
     hexRep.split('').forEach((v, n) => {
@@ -32,7 +30,11 @@ function _toHexUTF8(char) {
     return res;
 }
 
-function awsURIencode(input, encodeSlash, noEncodeStar) {
+export default function awsURIencode(
+    input: string,
+    encodeSlash?: boolean,
+    noEncodeStar?: boolean
+) {
     const encSlash = encodeSlash === undefined ? true : encodeSlash;
     let encoded = '';
     /**
@@ -62,5 +64,3 @@ function awsURIencode(input, encodeSlash, noEncodeStar) {
     }
     return encoded;
 }
-
-module.exports = awsURIencode;

lib/auth/v4/constructStringToSign.ts

@@ -1,17 +1,33 @@
-'use strict'; // eslint-disable-line strict
+import * as crypto from 'crypto';
-
+import { Logger } from 'werelogs';
-const crypto = require('crypto');
+import createCanonicalRequest from './createCanonicalRequest';
-
-const createCanonicalRequest = require('./createCanonicalRequest');
 
 /**
  * constructStringToSign - creates V4 stringToSign
  * @param {object} params - params object
  * @returns {string} - stringToSign
  */
-function constructStringToSign(params) {
+export default function constructStringToSign(params: {
-    const { request, signedHeaders, payloadChecksum, credentialScope, timestamp,
+    request: any;
-        query, log, proxyPath } = params;
+    signedHeaders: any;
+    payloadChecksum: any;
+    credentialScope: string;
+    timestamp: string;
+    query: { [key: string]: string };
+    log?: Logger;
+    proxyPath?: string;
+    awsService: string;
+}): string | Error {
+    const {
+        request,
+        signedHeaders,
+        payloadChecksum,
+        credentialScope,
+        timestamp,
+        query,
+        log,
+        proxyPath,
+    } = params;
     const path = proxyPath || request.path;
 
     const canonicalReqResult = createCanonicalRequest({
@@ -24,6 +40,8 @@ function constructStringToSign(params) {
         service: params.awsService,
     });
 
+    // TODO Why that line?
+    // @ts-ignore
     if (canonicalReqResult instanceof Error) {
         if (log) {
             log.error('error creating canonicalRequest');
@@ -40,5 +58,3 @@ function constructStringToSign(params) {
     `${credentialScope}\n${canonicalHex}`;
     return stringToSign;
 }
-
-module.exports = constructStringToSign;

lib/auth/v4/createCanonicalRequest.ts

@@ -1,27 +1,33 @@
-'use strict'; // eslint-disable-line strict
+import * as crypto from 'crypto';
-
+import * as queryString from 'querystring';
-const awsURIencode = require('./awsURIencode');
+import awsURIencode from './awsURIencode';
-const crypto = require('crypto');
-const queryString = require('querystring');
 
 /**
  * createCanonicalRequest - creates V4 canonical request
- * @param {object} params - contains pHttpVerb (request type),
+ * @param params - contains pHttpVerb (request type),
  * pResource (parsed from URL), pQuery (request query),
  * pHeaders (request headers), pSignedHeaders (signed headers from request),
  * payloadChecksum (from request)
- * @returns {string} - canonicalRequest
+ * @returns - canonicalRequest
  */
-function createCanonicalRequest(params) {
+export default function createCanonicalRequest(
+    params: {
+        pHttpVerb: string;
+        pResource: string;
+        pQuery: { [key: string]: string };
+        pHeaders: any;
+        pSignedHeaders: any;
+        service: string;
+        payloadChecksum: string;
+    }
+) {
     const pHttpVerb = params.pHttpVerb;
     const pResource = params.pResource;
     const pQuery = params.pQuery;
     const pHeaders = params.pHeaders;
     const pSignedHeaders = params.pSignedHeaders;
     const service = params.service;
-
     let payloadChecksum = params.payloadChecksum;
-
     if (!payloadChecksum) {
         if (pHttpVerb === 'GET') {
             payloadChecksum = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b' +
@@ -34,7 +40,7 @@ function createCanonicalRequest(params) {
             if (/aws-sdk-java\/[0-9.]+/.test(pHeaders['user-agent'])) {
                 notEncodeStar = true;
             }
-            let payload = queryString.stringify(pQuery, null, null, {
+            let payload = queryString.stringify(pQuery, undefined, undefined, {
                 encodeURIComponent: input => awsURIencode(input, true,
                     notEncodeStar),
             });
@@ -61,11 +67,11 @@ function createCanonicalRequest(params) {
 
     // signed headers
     const signedHeadersList = pSignedHeaders.split(';');
-    signedHeadersList.sort((a, b) => a.localeCompare(b));
+    signedHeadersList.sort((a: any, b: any) => a.localeCompare(b));
     const signedHeaders = signedHeadersList.join(';');
 
     // canonical headers
-    const canonicalHeadersList = signedHeadersList.map(signedHeader => {
+    const canonicalHeadersList = signedHeadersList.map((signedHeader: any) => {
         if (pHeaders[signedHeader] !== undefined) {
             const trimmedHeader = pHeaders[signedHeader]
                 .trim().replace(/\s+/g, ' ');
@@ -87,5 +93,3 @@ function createCanonicalRequest(params) {
         `${signedHeaders}\n${payloadChecksum}`;
     return canonicalRequest;
 }
-
-module.exports = createCanonicalRequest;

lib/auth/v4/headerAuthCheck.ts

@@ -1,27 +1,32 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
-
+import errors from '../../../lib/errors';
-const errors = require('../../../lib/errors');
+import * as constants from '../../constants';
-const constants = require('../../constants');
+import constructStringToSign from './constructStringToSign';
-
+import {
-const constructStringToSign = require('./constructStringToSign');
+    checkTimeSkew,
-const checkTimeSkew = require('./timeUtils').checkTimeSkew;
+    convertUTCtoISO8601,
-const convertUTCtoISO8601 = require('./timeUtils').convertUTCtoISO8601;
+    convertAmzTimeToMs,
-const convertAmzTimeToMs = require('./timeUtils').convertAmzTimeToMs;
+} from './timeUtils';
-const extractAuthItems = require('./validateInputs').extractAuthItems;
+import {
-const validateCredentials = require('./validateInputs').validateCredentials;
+    extractAuthItems,
-const areSignedHeadersComplete =
+    validateCredentials,
-    require('./validateInputs').areSignedHeadersComplete;
+    areSignedHeadersComplete,
+} from './validateInputs';
 
 /**
  * V4 header auth check
- * @param {object} request - HTTP request object
+ * @param request - HTTP request object
- * @param {object} log - logging object
+ * @param log - logging object
- * @param {object} data - Parameters from queryString parsing or body of
+ * @param data - Parameters from queryString parsing or body of
  *      POST request
- * @param {string} awsService - Aws service ('iam' or 's3')
+ * @param awsService - Aws service ('iam' or 's3')
- * @return {callback} calls callback
  */
-function check(request, log, data, awsService) {
+export function check(
+    request: any,
+    log: Logger,
+    data: { [key: string]: string },
+    awsService: string
+) {
     log.trace('running header auth check');
 
     const token = request.headers['x-amz-security-token'];
@@ -62,16 +67,16 @@ function check(request, log, data, awsService) {
 
     log.trace('authorization header from request', { authHeader });
 
-    const signatureFromRequest = authHeaderItems.signatureFromRequest;
+    const signatureFromRequest = authHeaderItems.signatureFromRequest!;
-    const credentialsArr = authHeaderItems.credentialsArr;
+    const credentialsArr = authHeaderItems.credentialsArr!;
-    const signedHeaders = authHeaderItems.signedHeaders;
+    const signedHeaders = authHeaderItems.signedHeaders!;
 
     if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
         log.debug('signedHeaders are incomplete', { signedHeaders });
         return { err: errors.AccessDenied };
     }
 
-    let timestamp;
+    let timestamp: string | undefined;
     // check request timestamp
     const xAmzDate = request.headers['x-amz-date'];
     if (xAmzDate) {
@@ -166,5 +171,3 @@ function check(request, log, data, awsService) {
         },
     };
 }
-
-module.exports = { check };

lib/auth/v4/queryAuthCheck.ts

@@ -1,24 +1,18 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
-
+import * as constants from '../../constants';
-const constants = require('../../constants');
+import errors from '../../errors';
-const errors = require('../../errors');
+import constructStringToSign from './constructStringToSign';
-
+import { checkTimeSkew, convertAmzTimeToMs } from './timeUtils';
-const constructStringToSign = require('./constructStringToSign');
+import { validateCredentials, extractQueryParams } from './validateInputs';
-const checkTimeSkew = require('./timeUtils').checkTimeSkew;
+import { areSignedHeadersComplete } from './validateInputs';
-const convertAmzTimeToMs = require('./timeUtils').convertAmzTimeToMs;
-const validateCredentials = require('./validateInputs').validateCredentials;
-const extractQueryParams = require('./validateInputs').extractQueryParams;
-const areSignedHeadersComplete =
-    require('./validateInputs').areSignedHeadersComplete;
 
 /**
  * V4 query auth check
- * @param {object} request - HTTP request object
+ * @param request - HTTP request object
- * @param {object} log - logging object
+ * @param log - logging object
- * @param {object} data - Contain authentification params (GET or POST data)
+ * @param data - Contain authentification params (GET or POST data)
- * @return {callback} calls callback
  */
-function check(request, log, data) {
+export function check(request: any, log: Logger, data: { [key: string]: string }) {
     const authParams = extractQueryParams(data, log);
 
     if (Object.keys(authParams).length !== 5) {
@@ -33,11 +27,11 @@ function check(request, log, data) {
         return { err: errors.InvalidToken };
     }
 
-    const signedHeaders = authParams.signedHeaders;
+    const signedHeaders = authParams.signedHeaders!;
-    const signatureFromRequest = authParams.signatureFromRequest;
+    const signatureFromRequest = authParams.signatureFromRequest!;
-    const timestamp = authParams.timestamp;
+    const timestamp = authParams.timestamp!;
-    const expiry = authParams.expiry;
+    const expiry = authParams.expiry!;
-    const credential = authParams.credential;
+    const credential = authParams.credential!;
 
     if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
         log.debug('signedHeaders are incomplete', { signedHeaders });
@@ -110,5 +104,3 @@ function check(request, log, data) {
         },
     };
 }
-
-module.exports = { check };

lib/auth/v4/timeUtils.ts

@@ -1,12 +1,11 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
 
 /**
  * Convert timestamp to milliseconds since Unix Epoch
- * @param  {string} timestamp of ISO8601Timestamp format without
+ * @param timestamp of ISO8601Timestamp format without
  * dashes or colons, e.g. 20160202T220410Z
- * @return {number} number of milliseconds since Unix Epoch
  */
-function convertAmzTimeToMs(timestamp) {
+export function convertAmzTimeToMs(timestamp: string) {
     const arr = timestamp.split('');
     // Convert to YYYY-MM-DDTHH:mm:ss.sssZ
     const ISO8601time = `${arr.slice(0, 4).join('')}-${arr[4]}${arr[5]}` +
@@ -15,13 +14,12 @@ function convertAmzTimeToMs(timestamp) {
     return Date.parse(ISO8601time);
 }
 
-
 /**
  * Convert UTC timestamp to ISO 8601 timestamp
- * @param  {string} timestamp of UTC form: Fri, 10 Feb 2012 21:34:55 GMT
+ * @param timestamp of UTC form: Fri, 10 Feb 2012 21:34:55 GMT
- * @return {string} ISO8601 timestamp of form: YYYYMMDDTHHMMSSZ
+ * @return ISO8601 timestamp of form: YYYYMMDDTHHMMSSZ
  */
-function convertUTCtoISO8601(timestamp) {
+export function convertUTCtoISO8601(timestamp: string | number) {
     // convert to ISO string: YYYY-MM-DDTHH:mm:ss.sssZ.
     const converted = new Date(timestamp).toISOString();
     // Remove "-"s and "."s and milliseconds
@@ -30,13 +28,13 @@ function convertUTCtoISO8601(timestamp) {
 
 /**
  * Check whether timestamp predates request or is too old
- * @param  {string} timestamp of ISO8601Timestamp format without
+ * @param timestamp of ISO8601Timestamp format without
  * dashes or colons, e.g. 20160202T220410Z
- * @param {number} expiry - number of seconds signature should be valid
+ * @param expiry - number of seconds signature should be valid
- * @param {object} log - log for request
+ * @param log - log for request
- * @return {boolean} true if there is a time problem
+ * @return true if there is a time problem
  */
-function checkTimeSkew(timestamp, expiry, log) {
+export function checkTimeSkew(timestamp: string, expiry: number, log: Logger) {
     const currentTime = Date.now();
     const fifteenMinutes = (15 * 60 * 1000);
     const parsedTimestamp = convertAmzTimeToMs(timestamp);
@@ -56,5 +54,3 @@ function checkTimeSkew(timestamp, expiry, log) {
     }
     return false;
 }
-
-module.exports = { convertAmzTimeToMs, convertUTCtoISO8601, checkTimeSkew };

lib/auth/v4/validateInputs.ts

@@ -1,17 +1,19 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
-
+import errors from '../../../lib/errors';
-const errors = require('../../../lib/errors');
 
 /**
  * Validate Credentials
- * @param  {array} credentials - contains accessKey, scopeDate,
+ * @param credentials - contains accessKey, scopeDate,
  * region, service, requestType
- * @param {string} timestamp - timestamp from request in
+ * @param timestamp - timestamp from request in
  * the format of ISO 8601: YYYYMMDDTHHMMSSZ
- * @param {object} log - logging object
+ * @param log - logging object
- * @return {boolean} true if credentials are correct format, false if not
  */
-function validateCredentials(credentials, timestamp, log) {
+export function validateCredentials(
+    credentials: [string, string, string, string, string],
+    timestamp: string,
+    log: Logger
+): Error | {} {
     if (!Array.isArray(credentials) || credentials.length !== 5) {
         log.warn('credentials in improper format', { credentials });
         return errors.InvalidArgument;
@@ -58,12 +60,21 @@ function validateCredentials(credentials, timestamp, log) {
 
 /**
  * Extract and validate components from query object
- * @param  {object} queryObj - query object from request
+ * @param  queryObj - query object from request
- * @param {object} log - logging object
+ * @param log - logging object
- * @return {object} object containing extracted query params for authV4
+ * @return object containing extracted query params for authV4
  */
-function extractQueryParams(queryObj, log) {
+export function extractQueryParams(
-    const authParams = {};
+    queryObj: { [key: string]: string | undefined },
+    log: Logger
+) {
+    const authParams: {
+        signedHeaders?: string;
+        signatureFromRequest?: string;
+        timestamp?: string;
+        expiry?: number;
+        credential?: [string, string, string, string, string];
+    } = {};
 
     // Do not need the algorithm sent back
     if (queryObj['X-Amz-Algorithm'] !== 'AWS4-HMAC-SHA256') {
@@ -99,7 +110,7 @@ function extractQueryParams(queryObj, log) {
         return authParams;
     }
 
-    const expiry = Number.parseInt(queryObj['X-Amz-Expires'], 10);
+    const expiry = Number.parseInt(queryObj['X-Amz-Expires'] ?? 'nope', 10);
     const sevenDays = 604800;
     if (expiry && (expiry > 0 && expiry <= sevenDays)) {
         authParams.expiry = expiry;
@@ -110,6 +121,7 @@ function extractQueryParams(queryObj, log) {
 
     const credential = queryObj['X-Amz-Credential'];
     if (credential && credential.length > 28 && credential.indexOf('/') > -1) {
+        // @ts-ignore
         authParams.credential = credential.split('/');
     } else {
         log.warn('invalid credential param', { credential });
@@ -121,14 +133,17 @@ function extractQueryParams(queryObj, log) {
 
 /**
  * Extract and validate components from auth header
- * @param  {string} authHeader - authorization header from request
+ * @param authHeader - authorization header from request
- * @param {object} log - logging object
+ * @param log - logging object
- * @return {object} object containing extracted auth header items for authV4
+ * @return object containing extracted auth header items for authV4
  */
-function extractAuthItems(authHeader, log) {
+export function extractAuthItems(authHeader: string, log: Logger) {
-    const authItems = {};
+    const authItems: {
-    const authArray = authHeader
+        credentialsArr?: [string, string, string, string, string];
-        .replace('AWS4-HMAC-SHA256 ', '').split(',');
+        signedHeaders?: string;
+        signatureFromRequest?: string;
+    } = {};
+    const authArray = authHeader.replace('AWS4-HMAC-SHA256 ', '').split(',');
 
     if (authArray.length < 3) {
         return authItems;
@@ -138,8 +153,12 @@ function extractAuthItems(authHeader, log) {
     const signedHeadersStr = authArray[1];
     const signatureStr = authArray[2];
     log.trace('credentials from request', { credentialStr });
-    if (credentialStr && credentialStr.trim().startsWith('Credential=')
+    if (
-        && credentialStr.indexOf('/') > -1) {
+        credentialStr &&
+        credentialStr.trim().startsWith('Credential=') &&
+        credentialStr.indexOf('/') > -1
+    ) {
+        // @ts-ignore
         authItems.credentialsArr = credentialStr
             .trim().replace('Credential=', '').split('/');
     } else {
@@ -166,11 +185,11 @@ function extractAuthItems(authHeader, log) {
 /**
  * Checks whether the signed headers include the host header
  * and all x-amz- and x-scal- headers in request
- * @param {string} signedHeaders - signed headers sent with request
+ * @param signedHeaders - signed headers sent with request
- * @param {object} allHeaders - request.headers
+ * @param allHeaders - request.headers
- * @return {boolean} true if all x-amz-headers included and false if not
+ * @return true if all x-amz-headers included and false if not
  */
-function areSignedHeadersComplete(signedHeaders, allHeaders) {
+export function areSignedHeadersComplete(signedHeaders: string, allHeaders: Headers) {
     const signedHeadersList = signedHeaders.split(';');
     if (signedHeadersList.indexOf('host') === -1) {
         return false;
@@ -185,6 +204,3 @@ function areSignedHeadersComplete(signedHeaders, allHeaders) {
     }
     return true;
 }
-
-module.exports = { validateCredentials, extractQueryParams,
-    areSignedHeadersComplete, extractAuthItems };

lib/https/ciphers.ts

@@ -1,6 +1,4 @@
-'use strict'; // eslint-disable-line strict
+export const ciphers = [
-
-const ciphers = [
     'DHE-RSA-AES128-GCM-SHA256',
     'ECDHE-ECDSA-AES128-GCM-SHA256',
     'ECDHE-RSA-AES256-GCM-SHA384',
@@ -28,7 +26,3 @@ const ciphers = [
     '!EDH-RSA-DES-CBC3-SHA',
     '!KRB5-DES-CBC3-SHA',
 ].join(':');
-
-module.exports = {
-    ciphers,
-};

lib/https/dh2048.ts

@@ -29,16 +29,11 @@ c2CNfUEqyRbJF4pE9ZcdQReT5p/llmyhQdvq6cHH+cKJk63C6DHRVoStsnsUcvKe
 bLxKsygK77ttjr61cxLoDJeGd5L5h1CPmwIBAg==
 -----END DH PARAMETERS-----
  */
-'use strict'; // eslint-disable-line strict
 
-const dhparam =
+export const dhparam =
     'MIIBCAKCAQEAh99T77KGNuiY9N6xrCJ3QNv4SFADTa3CD+1VMTAdRJLHUNpglB+i' +
     'AoTYiLDFZgtTCpx0ZZUD+JM3qiCZy0OK5/ZGlVD7sZmxjRtdpVK4qIPtwav8t0J7' +
     'c2CNfUEqyRbJF4pE9ZcdQReT5p/llmyhQdvq6cHH+cKJk63C6DHRVoStsnsUcvKe' +
     '23PLGZulKg8H3eRBxHamHkmyuEVDtoNhMIoJONsdXSpo5GgcD4EQMM8xb/qsnCxn' +
     '6QIGTBvcHskxtlTZOfUPk4XQ6Yb3tQi2TurzkQHLln4U7p/GZs+D+6D3SgSPqr6P' +
     'bLxKsygK77ttjr61cxLoDJeGd5L5h1CPmwIBAg==';
-
-module.exports = {
-    dhparam,
-};

lib/https/index.ts

@@ -0,0 +1,2 @@
+export * as ciphers from './ciphers'
+export * as dhparam from './dh2048'

tests/unit/auth/AuthInfo.spec.js

@@ -2,7 +2,7 @@
 
 const assert = require('assert');
 
-const AuthInfo = require('../../../lib/auth/AuthInfo');
+const AuthInfo = require('../../../lib/auth/AuthInfo').default;
 const constants = require('../../../lib/constants');
 
 const arn = 'arn:aws:iam::123456789012:user/Fred';

tests/unit/auth/in_memory/indexer.spec.js

@@ -1,6 +1,6 @@
 const assert = require('assert');
 
-const Indexer = require('../../../../lib/auth/in_memory/Indexer');
+const Indexer = require('../../../../lib/auth/in_memory/Indexer').default;
 const ref = require('./sample_authdata.json');
 const { should } = require('./AuthLoader.spec');
 

tests/unit/auth/v2/canonicalization.spec.js

@@ -3,9 +3,9 @@
 const assert = require('assert');
 
 const getCanonicalizedAmzHeaders =
-    require('../../../../lib/auth/v2/getCanonicalizedAmzHeaders');
+    require('../../../../lib/auth/v2/getCanonicalizedAmzHeaders').default;
 const getCanonicalizedResource =
-    require('../../../../lib/auth/v2/getCanonicalizedResource');
+    require('../../../../lib/auth/v2/getCanonicalizedResource').default;
 
 const getCanonicalizedGcpHeaders = headers =>
     getCanonicalizedAmzHeaders(headers, 'GCP');

tests/unit/auth/v2/checkRequestExpiry.spec.js

@@ -3,7 +3,7 @@
 const assert = require('assert');
 
 const checkRequestExpiry =
-    require('../../../../lib/auth/v2/checkRequestExpiry');
+    require('../../../../lib/auth/v2/checkRequestExpiry').default;
 const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
 const errors = require('../../../../index').errors;
 

tests/unit/auth/v2/constructStringToSign.spec.js

@@ -3,7 +3,7 @@
 const assert = require('assert');
 
 const constructStringToSign =
-    require('../../../../lib/auth/v2/constructStringToSign');
+    require('../../../../lib/auth/v2/constructStringToSign').default;
 const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
 
 const log = new DummyRequestLogger();

tests/unit/auth/v2/publicAccess.spec.js

@@ -4,7 +4,7 @@ const assert = require('assert');
 
 const errors = require('../../../../lib/errors');
 const auth = require('../../../../lib/auth/auth').server.doAuth;
-const AuthInfo = require('../../../../lib/auth/AuthInfo');
+const AuthInfo = require('../../../../lib/auth/AuthInfo').default;
 const constants = require('../../../../lib/constants');
 const DummyRequestLogger = require('../../helpers.js').DummyRequestLogger;
 const RequestContext =

tests/unit/auth/v2/signature.spec.js

@@ -3,7 +3,7 @@
 const assert = require('assert');
 
 const constructStringToSign =
-    require('../../../../lib/auth/v2/constructStringToSign');
+    require('../../../../lib/auth/v2/constructStringToSign').default;
 const hashSignature =
     require('../../../../lib/auth/in_memory/vaultUtilities').hashSignature;
 const DummyRequestLogger = require('../../helpers').DummyRequestLogger;

tests/unit/auth/v4/awsURIencode.spec.js

@@ -2,7 +2,7 @@
 
 const assert = require('assert');
 
-const awsURIencode = require('../../../../lib/auth/v4/awsURIencode');
+const awsURIencode = require('../../../../lib/auth/v4/awsURIencode').default;
 
 // Note that expected outputs came from running node aws-sdk's
 // AWS.util.uriEscapePath and AWS.util.uriEscape functions

tests/unit/auth/v4/constructStringToSign.spec.js

@@ -3,7 +3,7 @@
 const assert = require('assert');
 
 const constructStringToSign =
-    require('../../../../lib/auth/v4/constructStringToSign');
+    require('../../../../lib/auth/v4/constructStringToSign').default;
 const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
 
 const log = new DummyRequestLogger();

tests/unit/auth/v4/createCanonicalRequest.spec.js

@@ -2,9 +2,9 @@
 
 const assert = require('assert');
 const awsURIencode =
-    require('../../../../lib/auth/v4/awsURIencode');
+    require('../../../../lib/auth/v4/awsURIencode').default;
 const createCanonicalRequest =
-    require('../../../../lib/auth/v4/createCanonicalRequest');
+    require('../../../../lib/auth/v4/createCanonicalRequest').default;
 
 describe('createCanonicalRequest function', () => {
     // Example taken from: http://docs.aws.amazon.com/AmazonS3/