Compare commits
10 Commits
fe656e511d
...
321e449a12
Author | SHA1 | Date |
---|---|---|
Guillaume Hivert | 321e449a12 | |
Guillaume Hivert | e5f5718db5 | |
Guillaume Hivert | 30dab925a4 | |
Guillaume Hivert | a857389a75 | |
Guillaume Hivert | bca41ab86d | |
Guillaume Hivert | 0a5dd348ef | |
Guillaume Hivert | 542930f033 | |
Guillaume Hivert | 49b43d30fa | |
Guillaume Hivert | e8b6932f00 | |
Guillaume Hivert | 8944c1f83b |
10
index.ts
10
index.ts
|
@ -1,18 +1,14 @@
|
||||||
export const auth = require('./lib/auth/auth');
|
export * as auth from './lib/auth/auth'
|
||||||
export * as constants from './lib/constants';
|
export * as constants from './lib/constants';
|
||||||
|
export * as https from './lib/https'
|
||||||
export const db = require('./lib/db');
|
export const db = require('./lib/db');
|
||||||
export const errors = require('./lib/errors.js');
|
export const errors = require('./lib/errors.js')
|
||||||
export const shuffle = require('./lib/shuffle');
|
export const shuffle = require('./lib/shuffle');
|
||||||
export const stringHash = require('./lib/stringHash');
|
export const stringHash = require('./lib/stringHash');
|
||||||
export const ipCheck = require('./lib/ipCheck');
|
export const ipCheck = require('./lib/ipCheck');
|
||||||
export const jsutil = require('./lib/jsutil');
|
export const jsutil = require('./lib/jsutil');
|
||||||
export const Clustering = require('./lib/Clustering');
|
export const Clustering = require('./lib/Clustering');
|
||||||
|
|
||||||
export const https = {
|
|
||||||
ciphers: require('./lib/https/ciphers.js'),
|
|
||||||
dhparam: require('./lib/https/dh2048.js'),
|
|
||||||
};
|
|
||||||
|
|
||||||
export const algorithms = {
|
export const algorithms = {
|
||||||
list: {
|
list: {
|
||||||
Basic: require('./lib/algos/list/basic').List,
|
Basic: require('./lib/algos/list/basic').List,
|
||||||
|
|
|
@ -1,6 +1,4 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import * as constants from '../constants';
|
||||||
|
|
||||||
const constants = require('../constants');
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class containing requester's information received from Vault
|
* Class containing requester's information received from Vault
|
||||||
|
@ -8,9 +6,15 @@ const constants = require('../constants');
|
||||||
* shortid, email, accountDisplayName and IAMdisplayName (if applicable)
|
* shortid, email, accountDisplayName and IAMdisplayName (if applicable)
|
||||||
* @return {AuthInfo} an AuthInfo instance
|
* @return {AuthInfo} an AuthInfo instance
|
||||||
*/
|
*/
|
||||||
|
export default class AuthInfo {
|
||||||
|
arn: string;
|
||||||
|
canonicalID: string;
|
||||||
|
shortid: string;
|
||||||
|
email: string;
|
||||||
|
accountDisplayName: string;
|
||||||
|
IAMdisplayName: string;
|
||||||
|
|
||||||
class AuthInfo {
|
constructor(objectFromVault: any) {
|
||||||
constructor(objectFromVault) {
|
|
||||||
// amazon resource name for IAM user (if applicable)
|
// amazon resource name for IAM user (if applicable)
|
||||||
this.arn = objectFromVault.arn;
|
this.arn = objectFromVault.arn;
|
||||||
// account canonicalID
|
// account canonicalID
|
||||||
|
@ -53,10 +57,8 @@ class AuthInfo {
|
||||||
return this.canonicalID.startsWith(
|
return this.canonicalID.startsWith(
|
||||||
`${constants.zenkoServiceAccount}/`);
|
`${constants.zenkoServiceAccount}/`);
|
||||||
}
|
}
|
||||||
isRequesterThisServiceAccount(serviceName) {
|
isRequesterThisServiceAccount(serviceName: string) {
|
||||||
return this.canonicalID ===
|
const computedCanonicalID = `${constants.zenkoServiceAccount}/${serviceName}`;
|
||||||
`${constants.zenkoServiceAccount}/${serviceName}`;
|
return this.canonicalID === computedCanonicalID;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = AuthInfo;
|
|
||||||
|
|
|
@ -1,16 +1,22 @@
|
||||||
const errors = require('../errors');
|
import { Logger } from 'werelogs';
|
||||||
const AuthInfo = require('./AuthInfo');
|
import errors from '../errors';
|
||||||
|
import AuthInfo from './AuthInfo';
|
||||||
|
|
||||||
/** vaultSignatureCb parses message from Vault and instantiates
|
/** vaultSignatureCb parses message from Vault and instantiates
|
||||||
* @param {object} err - error from vault
|
* @param err - error from vault
|
||||||
* @param {object} authInfo - info from vault
|
* @param authInfo - info from vault
|
||||||
* @param {object} log - log for request
|
* @param log - log for request
|
||||||
* @param {function} callback - callback to authCheck functions
|
* @param callback - callback to authCheck functions
|
||||||
* @param {object} [streamingV4Params] - present if v4 signature;
|
* @param [streamingV4Params] - present if v4 signature;
|
||||||
* items used to calculate signature on chunks if streaming auth
|
* items used to calculate signature on chunks if streaming auth
|
||||||
* @return {undefined}
|
|
||||||
*/
|
*/
|
||||||
function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
|
function vaultSignatureCb(
|
||||||
|
err: Error | null,
|
||||||
|
authInfo: { message: { body: any } },
|
||||||
|
log: Logger,
|
||||||
|
callback: (err: Error | null, data?: any, results?: any, params?: any) => void,
|
||||||
|
streamingV4Params?: any
|
||||||
|
) {
|
||||||
// vaultclient API guarantees that it returns:
|
// vaultclient API guarantees that it returns:
|
||||||
// - either `err`, an Error object with `code` and `message` properties set
|
// - either `err`, an Error object with `code` and `message` properties set
|
||||||
// - or `err == null` and `info` is an object with `message.code` and
|
// - or `err == null` and `info` is an object with `message.code` and
|
||||||
|
@ -24,11 +30,13 @@ function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
|
||||||
const info = authInfo.message.body;
|
const info = authInfo.message.body;
|
||||||
const userInfo = new AuthInfo(info.userInfo);
|
const userInfo = new AuthInfo(info.userInfo);
|
||||||
const authorizationResults = info.authorizationResults;
|
const authorizationResults = info.authorizationResults;
|
||||||
const auditLog = { accountDisplayName: userInfo.getAccountDisplayName() };
|
const auditLog: { accountDisplayName: string, IAMdisplayName?: string } =
|
||||||
|
{ accountDisplayName: userInfo.getAccountDisplayName() };
|
||||||
const iamDisplayName = userInfo.getIAMdisplayName();
|
const iamDisplayName = userInfo.getIAMdisplayName();
|
||||||
if (iamDisplayName) {
|
if (iamDisplayName) {
|
||||||
auditLog.IAMdisplayName = iamDisplayName;
|
auditLog.IAMdisplayName = iamDisplayName;
|
||||||
}
|
}
|
||||||
|
// @ts-ignore
|
||||||
log.addDefaultFields(auditLog);
|
log.addDefaultFields(auditLog);
|
||||||
return callback(null, userInfo, authorizationResults, streamingV4Params);
|
return callback(null, userInfo, authorizationResults, streamingV4Params);
|
||||||
}
|
}
|
||||||
|
@ -39,43 +47,63 @@ function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
|
||||||
* authentication backends.
|
* authentication backends.
|
||||||
* @class Vault
|
* @class Vault
|
||||||
*/
|
*/
|
||||||
class Vault {
|
export default class Vault {
|
||||||
|
client: any;
|
||||||
|
implName: string;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @constructor
|
* @constructor
|
||||||
* @param {object} client - authentication backend or vault client
|
* @param {object} client - authentication backend or vault client
|
||||||
* @param {string} implName - implementation name for auth backend
|
* @param {string} implName - implementation name for auth backend
|
||||||
*/
|
*/
|
||||||
constructor(client, implName) {
|
constructor(client: any, implName: string) {
|
||||||
this.client = client;
|
this.client = client;
|
||||||
this.implName = implName;
|
this.implName = implName;
|
||||||
}
|
}
|
||||||
/**
|
/**
|
||||||
* authenticateV2Request
|
* authenticateV2Request
|
||||||
*
|
*
|
||||||
* @param {string} params - the authentication parameters as returned by
|
* @param params - the authentication parameters as returned by
|
||||||
* auth.extractParams
|
* auth.extractParams
|
||||||
* @param {number} params.version - shall equal 2
|
* @param params.version - shall equal 2
|
||||||
* @param {string} params.data.accessKey - the user's accessKey
|
* @param params.data.accessKey - the user's accessKey
|
||||||
* @param {string} params.data.signatureFromRequest - the signature read
|
* @param params.data.signatureFromRequest - the signature read
|
||||||
* from the request
|
* from the request
|
||||||
* @param {string} params.data.stringToSign - the stringToSign
|
* @param params.data.stringToSign - the stringToSign
|
||||||
* @param {string} params.data.algo - the hashing algorithm used for the
|
* @param params.data.algo - the hashing algorithm used for the
|
||||||
* signature
|
* signature
|
||||||
* @param {string} params.data.authType - the type of authentication (query
|
* @param params.data.authType - the type of authentication (query
|
||||||
* or header)
|
* or header)
|
||||||
* @param {string} params.data.signatureVersion - the version of the
|
* @param params.data.signatureVersion - the version of the
|
||||||
* signature (AWS or AWS4)
|
* signature (AWS or AWS4)
|
||||||
* @param {number} [params.data.signatureAge] - the age of the signature in
|
* @param [params.data.signatureAge] - the age of the signature in
|
||||||
* ms
|
* ms
|
||||||
* @param {string} params.data.log - the logger object
|
* @param params.data.log - the logger object
|
||||||
* @param {RequestContext []} requestContexts - an array of RequestContext
|
* @param {RequestContext []} requestContexts - an array of RequestContext
|
||||||
* instances which contain information for policy authorization check
|
* instances which contain information for policy authorization check
|
||||||
* @param {function} callback - callback with either error or user info
|
* @param callback - callback with either error or user info
|
||||||
* @returns {undefined}
|
|
||||||
*/
|
*/
|
||||||
authenticateV2Request(params, requestContexts, callback) {
|
authenticateV2Request(
|
||||||
|
params: {
|
||||||
|
version: 2;
|
||||||
|
log: Logger;
|
||||||
|
data: {
|
||||||
|
securityToken: string;
|
||||||
|
accessKey: string;
|
||||||
|
signatureFromRequest: string;
|
||||||
|
stringToSign: string;
|
||||||
|
algo: string;
|
||||||
|
authType: 'query' | 'header';
|
||||||
|
signatureVersion: string;
|
||||||
|
signatureAge?: number;
|
||||||
|
log: Logger;
|
||||||
|
};
|
||||||
|
},
|
||||||
|
requestContexts: any[],
|
||||||
|
callback: (err: Error | null, data?: any) => void
|
||||||
|
) {
|
||||||
params.log.debug('authenticating V2 request');
|
params.log.debug('authenticating V2 request');
|
||||||
let serializedRCsArr;
|
let serializedRCsArr: any;
|
||||||
if (requestContexts) {
|
if (requestContexts) {
|
||||||
serializedRCsArr = requestContexts.map(rc => rc.serialize());
|
serializedRCsArr = requestContexts.map(rc => rc.serialize());
|
||||||
}
|
}
|
||||||
|
@ -85,44 +113,66 @@ class Vault {
|
||||||
params.data.accessKey,
|
params.data.accessKey,
|
||||||
{
|
{
|
||||||
algo: params.data.algo,
|
algo: params.data.algo,
|
||||||
|
// @ts-ignore
|
||||||
reqUid: params.log.getSerializedUids(),
|
reqUid: params.log.getSerializedUids(),
|
||||||
logger: params.log,
|
logger: params.log,
|
||||||
securityToken: params.data.securityToken,
|
securityToken: params.data.securityToken,
|
||||||
requestContext: serializedRCsArr,
|
requestContext: serializedRCsArr,
|
||||||
},
|
},
|
||||||
(err, userInfo) => vaultSignatureCb(err, userInfo,
|
(err: Error | null, userInfo?: any) => vaultSignatureCb(err, userInfo,
|
||||||
params.log, callback)
|
params.log, callback),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
/** authenticateV4Request
|
/** authenticateV4Request
|
||||||
* @param {object} params - the authentication parameters as returned by
|
* @param params - the authentication parameters as returned by
|
||||||
* auth.extractParams
|
* auth.extractParams
|
||||||
* @param {number} params.version - shall equal 4
|
* @param params.version - shall equal 4
|
||||||
* @param {string} params.data.log - the logger object
|
* @param params.data.log - the logger object
|
||||||
* @param {string} params.data.accessKey - the user's accessKey
|
* @param params.data.accessKey - the user's accessKey
|
||||||
* @param {string} params.data.signatureFromRequest - the signature read
|
* @param params.data.signatureFromRequest - the signature read
|
||||||
* from the request
|
* from the request
|
||||||
* @param {string} params.data.region - the AWS region
|
* @param params.data.region - the AWS region
|
||||||
* @param {string} params.data.stringToSign - the stringToSign
|
* @param params.data.stringToSign - the stringToSign
|
||||||
* @param {string} params.data.scopeDate - the timespan to allow the request
|
* @param params.data.scopeDate - the timespan to allow the request
|
||||||
* @param {string} params.data.authType - the type of authentication (query
|
* @param params.data.authType - the type of authentication (query
|
||||||
* or header)
|
* or header)
|
||||||
* @param {string} params.data.signatureVersion - the version of the
|
* @param params.data.signatureVersion - the version of the
|
||||||
* signature (AWS or AWS4)
|
* signature (AWS or AWS4)
|
||||||
* @param {number} params.data.signatureAge - the age of the signature in ms
|
* @param params.data.signatureAge - the age of the signature in ms
|
||||||
* @param {number} params.data.timestamp - signaure timestamp
|
* @param params.data.timestamp - signaure timestamp
|
||||||
* @param {string} params.credentialScope - credentialScope for signature
|
* @param params.credentialScope - credentialScope for signature
|
||||||
* @param {RequestContext [] | null} requestContexts -
|
* @param {RequestContext [] | null} requestContexts -
|
||||||
* an array of RequestContext or null if authenticaiton of a chunk
|
* an array of RequestContext or null if authenticaiton of a chunk
|
||||||
* in streamingv4 auth
|
* in streamingv4 auth
|
||||||
* instances which contain information for policy authorization check
|
* instances which contain information for policy authorization check
|
||||||
* @param {function} callback - callback with either error or user info
|
* @param callback - callback with either error or user info
|
||||||
* @return {undefined}
|
|
||||||
*/
|
*/
|
||||||
authenticateV4Request(params, requestContexts, callback) {
|
authenticateV4Request(
|
||||||
|
params: {
|
||||||
|
version: 4;
|
||||||
|
log: Logger;
|
||||||
|
data: {
|
||||||
|
accessKey: string;
|
||||||
|
signatureFromRequest: string;
|
||||||
|
region: string;
|
||||||
|
stringToSign: string;
|
||||||
|
scopeDate: string;
|
||||||
|
authType: 'query' | 'header';
|
||||||
|
signatureVersion: string;
|
||||||
|
signatureAge?: number;
|
||||||
|
timestamp: number;
|
||||||
|
credentialScope: string;
|
||||||
|
securityToken: string;
|
||||||
|
algo: string;
|
||||||
|
log: Logger;
|
||||||
|
};
|
||||||
|
},
|
||||||
|
requestContexts: any[],
|
||||||
|
callback: (err: Error | null, data?: any) => void
|
||||||
|
) {
|
||||||
params.log.debug('authenticating V4 request');
|
params.log.debug('authenticating V4 request');
|
||||||
let serializedRCs;
|
let serializedRCs: any;
|
||||||
if (requestContexts) {
|
if (requestContexts) {
|
||||||
serializedRCs = requestContexts.map(rc => rc.serialize());
|
serializedRCs = requestContexts.map(rc => rc.serialize());
|
||||||
}
|
}
|
||||||
|
@ -140,31 +190,39 @@ class Vault {
|
||||||
params.data.region,
|
params.data.region,
|
||||||
params.data.scopeDate,
|
params.data.scopeDate,
|
||||||
{
|
{
|
||||||
|
// @ts-ignore
|
||||||
reqUid: params.log.getSerializedUids(),
|
reqUid: params.log.getSerializedUids(),
|
||||||
logger: params.log,
|
logger: params.log,
|
||||||
securityToken: params.data.securityToken,
|
securityToken: params.data.securityToken,
|
||||||
requestContext: serializedRCs,
|
requestContext: serializedRCs,
|
||||||
},
|
},
|
||||||
(err, userInfo) => vaultSignatureCb(err, userInfo,
|
(err: Error | null, userInfo?: any) => vaultSignatureCb(err, userInfo,
|
||||||
params.log, callback, streamingV4Params)
|
params.log, callback, streamingV4Params),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
/** getCanonicalIds -- call Vault to get canonicalIDs based on email
|
/** getCanonicalIds -- call Vault to get canonicalIDs based on email
|
||||||
* addresses
|
* addresses
|
||||||
* @param {array} emailAddresses - list of emailAddresses
|
* @param emailAddresses - list of emailAddresses
|
||||||
* @param {object} log - log object
|
* @param log - log object
|
||||||
* @param {function} callback - callback with either error or an array
|
* @param callback - callback with either error or an array
|
||||||
* of objects with each object containing the canonicalID and emailAddress
|
* of objects with each object containing the canonicalID and emailAddress
|
||||||
* of an account as properties
|
* of an account as properties
|
||||||
* @return {undefined}
|
|
||||||
*/
|
*/
|
||||||
getCanonicalIds(emailAddresses, log, callback) {
|
getCanonicalIds(
|
||||||
|
emailAddresses: string[],
|
||||||
|
log: Logger,
|
||||||
|
callback: (
|
||||||
|
err: Error | null,
|
||||||
|
data?: { canonicalID: string; email: string }[]
|
||||||
|
) => void
|
||||||
|
) {
|
||||||
log.trace('getting canonicalIDs from Vault based on emailAddresses',
|
log.trace('getting canonicalIDs from Vault based on emailAddresses',
|
||||||
{ emailAddresses });
|
{ emailAddresses });
|
||||||
this.client.getCanonicalIds(emailAddresses,
|
this.client.getCanonicalIds(emailAddresses,
|
||||||
|
// @ts-ignore
|
||||||
{ reqUid: log.getSerializedUids() },
|
{ reqUid: log.getSerializedUids() },
|
||||||
(err, info) => {
|
(err: Error | null, info?: any) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.debug('received error message from auth provider',
|
log.debug('received error message from auth provider',
|
||||||
{ errorMessage: err });
|
{ errorMessage: err });
|
||||||
|
@ -172,17 +230,17 @@ class Vault {
|
||||||
}
|
}
|
||||||
const infoFromVault = info.message.body;
|
const infoFromVault = info.message.body;
|
||||||
log.trace('info received from vault', { infoFromVault });
|
log.trace('info received from vault', { infoFromVault });
|
||||||
const foundIds = [];
|
const foundIds: { canonicalID: string; email: string }[] = [];
|
||||||
for (let i = 0; i < Object.keys(infoFromVault).length; i++) {
|
for (let i = 0; i < Object.keys(infoFromVault).length; i++) {
|
||||||
const key = Object.keys(infoFromVault)[i];
|
const key = Object.keys(infoFromVault)[i];
|
||||||
if (infoFromVault[key] === 'WrongFormat'
|
if (infoFromVault[key] === 'WrongFormat'
|
||||||
|| infoFromVault[key] === 'NotFound') {
|
|| infoFromVault[key] === 'NotFound') {
|
||||||
return callback(errors.UnresolvableGrantByEmailAddress);
|
return callback(errors.UnresolvableGrantByEmailAddress);
|
||||||
}
|
}
|
||||||
const obj = {};
|
foundIds.push({
|
||||||
obj.email = key;
|
email: key,
|
||||||
obj.canonicalID = infoFromVault[key];
|
canonicalID: infoFromVault[key],
|
||||||
foundIds.push(obj);
|
})
|
||||||
}
|
}
|
||||||
return callback(null, foundIds);
|
return callback(null, foundIds);
|
||||||
});
|
});
|
||||||
|
@ -190,18 +248,22 @@ class Vault {
|
||||||
|
|
||||||
/** getEmailAddresses -- call Vault to get email addresses based on
|
/** getEmailAddresses -- call Vault to get email addresses based on
|
||||||
* canonicalIDs
|
* canonicalIDs
|
||||||
* @param {array} canonicalIDs - list of canonicalIDs
|
* @param canonicalIDs - list of canonicalIDs
|
||||||
* @param {object} log - log object
|
* @param log - log object
|
||||||
* @param {function} callback - callback with either error or an object
|
* @param callback - callback with either error or an object
|
||||||
* with canonicalID keys and email address values
|
* with canonicalID keys and email address values
|
||||||
* @return {undefined}
|
|
||||||
*/
|
*/
|
||||||
getEmailAddresses(canonicalIDs, log, callback) {
|
getEmailAddresses(
|
||||||
|
canonicalIDs: string[],
|
||||||
|
log: Logger,
|
||||||
|
callback: (err: Error | null, data?: { [key: string]: any }) => void
|
||||||
|
) {
|
||||||
log.trace('getting emailAddresses from Vault based on canonicalIDs',
|
log.trace('getting emailAddresses from Vault based on canonicalIDs',
|
||||||
{ canonicalIDs });
|
{ canonicalIDs });
|
||||||
this.client.getEmailAddresses(canonicalIDs,
|
this.client.getEmailAddresses(canonicalIDs,
|
||||||
|
// @ts-ignore
|
||||||
{ reqUid: log.getSerializedUids() },
|
{ reqUid: log.getSerializedUids() },
|
||||||
(err, info) => {
|
(err: Error | null, info?: any) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.debug('received error message from vault',
|
log.debug('received error message from vault',
|
||||||
{ errorMessage: err });
|
{ errorMessage: err });
|
||||||
|
@ -224,27 +286,31 @@ class Vault {
|
||||||
|
|
||||||
/** getAccountIds -- call Vault to get accountIds based on
|
/** getAccountIds -- call Vault to get accountIds based on
|
||||||
* canonicalIDs
|
* canonicalIDs
|
||||||
* @param {array} canonicalIDs - list of canonicalIDs
|
* @param canonicalIDs - list of canonicalIDs
|
||||||
* @param {object} log - log object
|
* @param log - log object
|
||||||
* @param {function} callback - callback with either error or an object
|
* @param callback - callback with either error or an object
|
||||||
* with canonicalID keys and accountId values
|
* with canonicalID keys and accountId values
|
||||||
* @return {undefined}
|
|
||||||
*/
|
*/
|
||||||
getAccountIds(canonicalIDs, log, callback) {
|
getAccountIds(
|
||||||
|
canonicalIDs: string[],
|
||||||
|
log: Logger,
|
||||||
|
callback: (err: Error | null, data?: { [key: string]: string }) => void
|
||||||
|
) {
|
||||||
log.trace('getting accountIds from Vault based on canonicalIDs',
|
log.trace('getting accountIds from Vault based on canonicalIDs',
|
||||||
{ canonicalIDs });
|
{ canonicalIDs });
|
||||||
this.client.getAccountIds(canonicalIDs,
|
this.client.getAccountIds(canonicalIDs,
|
||||||
{ reqUid: log.getSerializedUids() },
|
// @ts-expect-error
|
||||||
(err, info) => {
|
{ reqUid: log.getSerializedUids() },
|
||||||
if (err) {
|
(err: Error | null, info?: any) => {
|
||||||
log.debug('received error message from vault',
|
if (err) {
|
||||||
{ errorMessage: err });
|
log.debug('received error message from vault',
|
||||||
return callback(err);
|
{ errorMessage: err });
|
||||||
}
|
return callback(err);
|
||||||
const infoFromVault = info.message.body;
|
}
|
||||||
log.trace('info received from vault', { infoFromVault });
|
const infoFromVault = info.message.body;
|
||||||
const result = {};
|
log.trace('info received from vault', { infoFromVault });
|
||||||
/* If the accountId was not found in Vault, do not
|
const result = {};
|
||||||
|
/* If the accountId was not found in Vault, do not
|
||||||
send the canonicalID back to the API */
|
send the canonicalID back to the API */
|
||||||
Object.keys(infoFromVault).forEach(key => {
|
Object.keys(infoFromVault).forEach(key => {
|
||||||
if (infoFromVault[key] !== 'NotFound' &&
|
if (infoFromVault[key] !== 'NotFound' &&
|
||||||
|
@ -268,14 +334,19 @@ class Vault {
|
||||||
* @param {object} log - log object
|
* @param {object} log - log object
|
||||||
* @param {function} callback - callback with either error or an array
|
* @param {function} callback - callback with either error or an array
|
||||||
* of authorization results
|
* of authorization results
|
||||||
* @return {undefined}
|
|
||||||
*/
|
*/
|
||||||
checkPolicies(requestContextParams, userArn, log, callback) {
|
checkPolicies(
|
||||||
|
requestContextParams: any[],
|
||||||
|
userArn: string,
|
||||||
|
log: Logger,
|
||||||
|
callback: (err: Error | null, data?: any[]) => void
|
||||||
|
) {
|
||||||
log.trace('sending request context params to vault to evaluate' +
|
log.trace('sending request context params to vault to evaluate' +
|
||||||
'policies');
|
'policies');
|
||||||
this.client.checkPolicies(requestContextParams, userArn, {
|
this.client.checkPolicies(requestContextParams, userArn, {
|
||||||
|
// @ts-ignore
|
||||||
reqUid: log.getSerializedUids(),
|
reqUid: log.getSerializedUids(),
|
||||||
}, (err, info) => {
|
}, (err: Error | null, info?: any) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
log.debug('received error message from auth provider',
|
log.debug('received error message from auth provider',
|
||||||
{ error: err });
|
{ error: err });
|
||||||
|
@ -286,13 +357,14 @@ class Vault {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
checkHealth(log, callback) {
|
checkHealth(log: Logger, callback: (err: Error | null, data?: any) => void) {
|
||||||
if (!this.client.healthcheck) {
|
if (!this.client.healthcheck) {
|
||||||
const defResp = {};
|
const defResp = {};
|
||||||
defResp[this.implName] = { code: 200, message: 'OK' };
|
defResp[this.implName] = { code: 200, message: 'OK' };
|
||||||
return callback(null, defResp);
|
return callback(null, defResp);
|
||||||
}
|
}
|
||||||
return this.client.healthcheck(log.getSerializedUids(), (err, obj) => {
|
// @ts-ignore
|
||||||
|
return this.client.healthcheck(log.getSerializedUids(), (err: Error | null, obj?: any) => {
|
||||||
const respBody = {};
|
const respBody = {};
|
||||||
if (err) {
|
if (err) {
|
||||||
log.debug(`error from ${this.implName}`, { error: err });
|
log.debug(`error from ${this.implName}`, { error: err });
|
||||||
|
@ -312,5 +384,3 @@ class Vault {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = Vault;
|
|
||||||
|
|
163
lib/auth/auth.ts
163
lib/auth/auth.ts
|
@ -1,22 +1,21 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import * as crypto from 'crypto';
|
||||||
|
import { Logger } from 'werelogs';
|
||||||
|
import errors from '../errors';
|
||||||
|
import * as queryString from 'querystring';
|
||||||
|
import AuthInfo from './AuthInfo';
|
||||||
|
import * as v2 from './v2/authV2';
|
||||||
|
import * as v4 from './v4/authV4';
|
||||||
|
import * as constants from '../constants';
|
||||||
|
import constructStringToSignV2 from './v2/constructStringToSign';
|
||||||
|
import constructStringToSignV4 from './v4/constructStringToSign';
|
||||||
|
import { convertUTCtoISO8601 } from './v4/timeUtils';
|
||||||
|
import * as vaultUtilities from './in_memory/vaultUtilities';
|
||||||
|
import * as backend from './in_memory/Backend';
|
||||||
|
import validateAuthConfig from './in_memory/validateAuthConfig';
|
||||||
|
import AuthLoader from './in_memory/AuthLoader';
|
||||||
|
import Vault from './Vault';
|
||||||
|
|
||||||
const crypto = require('crypto');
|
let vault: Vault | null = null;
|
||||||
const errors = require('../errors');
|
|
||||||
const queryString = require('querystring');
|
|
||||||
const AuthInfo = require('./AuthInfo');
|
|
||||||
const v2 = require('./v2/authV2');
|
|
||||||
const v4 = require('./v4/authV4');
|
|
||||||
const constants = require('../constants');
|
|
||||||
const constructStringToSignV2 = require('./v2/constructStringToSign');
|
|
||||||
const constructStringToSignV4 = require('./v4/constructStringToSign');
|
|
||||||
const convertUTCtoISO8601 = require('./v4/timeUtils').convertUTCtoISO8601;
|
|
||||||
const vaultUtilities = require('./in_memory/vaultUtilities');
|
|
||||||
const backend = require('./in_memory/Backend');
|
|
||||||
const validateAuthConfig = require('./in_memory/validateAuthConfig');
|
|
||||||
const AuthLoader = require('./in_memory/AuthLoader');
|
|
||||||
const Vault = require('./Vault');
|
|
||||||
|
|
||||||
let vault = null;
|
|
||||||
const auth = {};
|
const auth = {};
|
||||||
const checkFunctions = {
|
const checkFunctions = {
|
||||||
v2: {
|
v2: {
|
||||||
|
@ -33,7 +32,7 @@ const checkFunctions = {
|
||||||
// 'All Users Group' so use this group as the canonicalID for the publicUser
|
// 'All Users Group' so use this group as the canonicalID for the publicUser
|
||||||
const publicUserInfo = new AuthInfo({ canonicalID: constants.publicId });
|
const publicUserInfo = new AuthInfo({ canonicalID: constants.publicId });
|
||||||
|
|
||||||
function setAuthHandler(handler) {
|
function setAuthHandler(handler: Vault) {
|
||||||
vault = handler;
|
vault = handler;
|
||||||
return auth;
|
return auth;
|
||||||
}
|
}
|
||||||
|
@ -41,25 +40,30 @@ function setAuthHandler(handler) {
|
||||||
/**
|
/**
|
||||||
* This function will check validity of request parameters to authenticate
|
* This function will check validity of request parameters to authenticate
|
||||||
*
|
*
|
||||||
* @param {Http.Request} request - Http request object
|
* @param request - Http request object
|
||||||
* @param {object} log - Logger object
|
* @param log - Logger object
|
||||||
* @param {string} awsService - Aws service related
|
* @param awsService - Aws service related
|
||||||
* @param {object} data - Parameters from queryString parsing or body of
|
* @param data - Parameters from queryString parsing or body of
|
||||||
* POST request
|
* POST request
|
||||||
*
|
*
|
||||||
* @return {object} ret
|
* @return ret
|
||||||
* @return {object} ret.err - arsenal.errors object if any error was found
|
* @return ret.err - arsenal.errors object if any error was found
|
||||||
* @return {object} ret.params - auth parameters to use later on for signature
|
* @return ret.params - auth parameters to use later on for signature
|
||||||
* computation and check
|
* computation and check
|
||||||
* @return {object} ret.params.version - the auth scheme version
|
* @return ret.params.version - the auth scheme version
|
||||||
* (undefined, 2, 4)
|
* (undefined, 2, 4)
|
||||||
* @return {object} ret.params.data - the auth scheme's specific data
|
* @return ret.params.data - the auth scheme's specific data
|
||||||
*/
|
*/
|
||||||
function extractParams(request, log, awsService, data) {
|
function extractParams(
|
||||||
|
request: any,
|
||||||
|
log: Logger,
|
||||||
|
awsService: string,
|
||||||
|
data: { [key: string]: string }
|
||||||
|
) {
|
||||||
log.trace('entered', { method: 'Arsenal.auth.server.extractParams' });
|
log.trace('entered', { method: 'Arsenal.auth.server.extractParams' });
|
||||||
const authHeader = request.headers.authorization;
|
const authHeader = request.headers.authorization;
|
||||||
let version = null;
|
let version: 'v2' |'v4' | null = null;
|
||||||
let method = null;
|
let method: 'query' | 'headers' | null = null;
|
||||||
|
|
||||||
// Identify auth version and method to dispatch to the right check function
|
// Identify auth version and method to dispatch to the right check function
|
||||||
if (authHeader) {
|
if (authHeader) {
|
||||||
|
@ -102,16 +106,21 @@ function extractParams(request, log, awsService, data) {
|
||||||
/**
|
/**
|
||||||
* This function will check validity of request parameters to authenticate
|
* This function will check validity of request parameters to authenticate
|
||||||
*
|
*
|
||||||
* @param {Http.Request} request - Http request object
|
* @param request - Http request object
|
||||||
* @param {object} log - Logger object
|
* @param log - Logger object
|
||||||
* @param {function} cb - the callback
|
* @param cb - the callback
|
||||||
* @param {string} awsService - Aws service related
|
* @param awsService - Aws service related
|
||||||
* @param {RequestContext[] | null} requestContexts - array of RequestContext
|
* @param {RequestContext[] | null} requestContexts - array of RequestContext
|
||||||
* or null if no requestContexts to be sent to Vault (for instance,
|
* or null if no requestContexts to be sent to Vault (for instance,
|
||||||
* in multi-object delete request)
|
* in multi-object delete request)
|
||||||
* @return {undefined}
|
|
||||||
*/
|
*/
|
||||||
function doAuth(request, log, cb, awsService, requestContexts) {
|
function doAuth(
|
||||||
|
request: any,
|
||||||
|
log: Logger,
|
||||||
|
cb: (err: Error | null, data?: any) => void,
|
||||||
|
awsService: string,
|
||||||
|
requestContexts: any[] | null
|
||||||
|
) {
|
||||||
const res = extractParams(request, log, awsService, request.query);
|
const res = extractParams(request, log, awsService, request.query);
|
||||||
if (res.err) {
|
if (res.err) {
|
||||||
return cb(res.err);
|
return cb(res.err);
|
||||||
|
@ -119,23 +128,31 @@ function doAuth(request, log, cb, awsService, requestContexts) {
|
||||||
return cb(null, res.params);
|
return cb(null, res.params);
|
||||||
}
|
}
|
||||||
if (requestContexts) {
|
if (requestContexts) {
|
||||||
requestContexts.forEach(requestContext => {
|
requestContexts.forEach((requestContext) => {
|
||||||
requestContext.setAuthType(res.params.data.authType);
|
const { params } = res
|
||||||
requestContext.setSignatureVersion(res.params
|
if ('data' in params) {
|
||||||
.data.signatureVersion);
|
const { data } = params
|
||||||
requestContext.setSignatureAge(res.params.data.signatureAge);
|
requestContext.setAuthType(data.authType);
|
||||||
requestContext.setSecurityToken(res.params.data.securityToken);
|
requestContext.setSignatureVersion(data.signatureVersion);
|
||||||
|
requestContext.setSecurityToken(data.securityToken);
|
||||||
|
if ('signatureAge' in data) {
|
||||||
|
requestContext.setSignatureAge(data.signatureAge);
|
||||||
|
}
|
||||||
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// Corner cases managed, we're left with normal auth
|
// Corner cases managed, we're left with normal auth
|
||||||
|
// TODO What's happening here?
|
||||||
|
// @ts-ignore
|
||||||
res.params.log = log;
|
res.params.log = log;
|
||||||
if (res.params.version === 2) {
|
if (res.params.version === 2) {
|
||||||
return vault.authenticateV2Request(res.params, requestContexts, cb);
|
// @ts-ignore
|
||||||
|
return vault!.authenticateV2Request(res.params, requestContexts, cb);
|
||||||
}
|
}
|
||||||
if (res.params.version === 4) {
|
if (res.params.version === 4) {
|
||||||
return vault.authenticateV4Request(res.params, requestContexts, cb,
|
// @ts-ignore
|
||||||
awsService);
|
return vault!.authenticateV4Request(res.params, requestContexts, cb);
|
||||||
}
|
}
|
||||||
|
|
||||||
log.error('authentication method not found', {
|
log.error('authentication method not found', {
|
||||||
|
@ -147,19 +164,25 @@ function doAuth(request, log, cb, awsService, requestContexts) {
|
||||||
/**
|
/**
|
||||||
* This function will generate a version 4 header
|
* This function will generate a version 4 header
|
||||||
*
|
*
|
||||||
* @param {Http.Request} request - Http request object
|
* @param request - Http request object
|
||||||
* @param {object} data - Parameters from queryString parsing or body of
|
* @param data - Parameters from queryString parsing or body of
|
||||||
* POST request
|
* POST request
|
||||||
* @param {string} accessKey - the accessKey
|
* @param accessKey - the accessKey
|
||||||
* @param {string} secretKeyValue - the secretKey
|
* @param secretKeyValue - the secretKey
|
||||||
* @param {string} awsService - Aws service related
|
* @param awsService - Aws service related
|
||||||
* @param {sting} [proxyPath] - path that gets proxied by reverse proxy
|
* @param [proxyPath] - path that gets proxied by reverse proxy
|
||||||
* @param {string} [sessionToken] - security token if the access/secret keys
|
* @param [sessionToken] - security token if the access/secret keys
|
||||||
* are temporary credentials from STS
|
* are temporary credentials from STS
|
||||||
* @return {undefined}
|
|
||||||
*/
|
*/
|
||||||
function generateV4Headers(request, data, accessKey, secretKeyValue,
|
function generateV4Headers(
|
||||||
awsService, proxyPath, sessionToken) {
|
request: any,
|
||||||
|
data: { [key: string]: string },
|
||||||
|
accessKey: string,
|
||||||
|
secretKeyValue: string,
|
||||||
|
awsService: string,
|
||||||
|
proxyPath: string,
|
||||||
|
sessionToken: string
|
||||||
|
) {
|
||||||
Object.assign(request, { headers: {} });
|
Object.assign(request, { headers: {} });
|
||||||
const amzDate = convertUTCtoISO8601(Date.now());
|
const amzDate = convertUTCtoISO8601(Date.now());
|
||||||
// get date without time
|
// get date without time
|
||||||
|
@ -173,7 +196,7 @@ function generateV4Headers(request, data, accessKey, secretKeyValue,
|
||||||
|
|
||||||
let payload = '';
|
let payload = '';
|
||||||
if (request.method === 'POST') {
|
if (request.method === 'POST') {
|
||||||
payload = queryString.stringify(data, null, null, {
|
payload = queryString.stringify(data, undefined, undefined, {
|
||||||
encodeURIComponent,
|
encodeURIComponent,
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
@ -203,7 +226,7 @@ function generateV4Headers(request, data, accessKey, secretKeyValue,
|
||||||
scopeDate,
|
scopeDate,
|
||||||
service);
|
service);
|
||||||
const signature = crypto.createHmac('sha256', signingKey)
|
const signature = crypto.createHmac('sha256', signingKey)
|
||||||
.update(stringToSign, 'binary').digest('hex');
|
.update(stringToSign as string, 'binary').digest('hex');
|
||||||
const authorizationHeader = `${algorithm} Credential=${accessKey}` +
|
const authorizationHeader = `${algorithm} Credential=${accessKey}` +
|
||||||
`/${credentialScope}, SignedHeaders=${signedHeaders}, ` +
|
`/${credentialScope}, SignedHeaders=${signedHeaders}, ` +
|
||||||
`Signature=${signature}`;
|
`Signature=${signature}`;
|
||||||
|
@ -211,21 +234,11 @@ function generateV4Headers(request, data, accessKey, secretKeyValue,
|
||||||
Object.assign(request, { headers: {} });
|
Object.assign(request, { headers: {} });
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = {
|
export const server = { extractParams, doAuth }
|
||||||
setHandler: setAuthHandler,
|
export const client = { generateV4Headers, constructStringToSignV2 }
|
||||||
server: {
|
export const inMemory = { backend, validateAuthConfig, AuthLoader }
|
||||||
extractParams,
|
export {
|
||||||
doAuth,
|
setAuthHandler as setHandler,
|
||||||
},
|
|
||||||
client: {
|
|
||||||
generateV4Headers,
|
|
||||||
constructStringToSignV2,
|
|
||||||
},
|
|
||||||
inMemory: {
|
|
||||||
backend,
|
|
||||||
validateAuthConfig,
|
|
||||||
AuthLoader,
|
|
||||||
},
|
|
||||||
AuthInfo,
|
AuthInfo,
|
||||||
Vault,
|
Vault
|
||||||
};
|
}
|
||||||
|
|
|
@ -1,13 +1,10 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import * as crypto from 'crypto';
|
||||||
|
import errors from '../../errors';
|
||||||
|
import { calculateSigningKey, hashSignature } from './vaultUtilities';
|
||||||
|
import Indexer from './Indexer';
|
||||||
|
import { Accounts } from './types';
|
||||||
|
|
||||||
const crypto = require('crypto');
|
function _formatResponse(userInfoToSend: any) {
|
||||||
|
|
||||||
const errors = require('../../errors');
|
|
||||||
const calculateSigningKey = require('./vaultUtilities').calculateSigningKey;
|
|
||||||
const hashSignature = require('./vaultUtilities').hashSignature;
|
|
||||||
const Indexer = require('./Indexer');
|
|
||||||
|
|
||||||
function _formatResponse(userInfoToSend) {
|
|
||||||
return {
|
return {
|
||||||
message: {
|
message: {
|
||||||
body: { userInfo: userInfoToSend },
|
body: { userInfo: userInfoToSend },
|
||||||
|
@ -18,33 +15,27 @@ function _formatResponse(userInfoToSend) {
|
||||||
/**
|
/**
|
||||||
* Class that provides a memory backend for verifying signatures and getting
|
* Class that provides a memory backend for verifying signatures and getting
|
||||||
* emails and canonical ids associated with an account.
|
* emails and canonical ids associated with an account.
|
||||||
*
|
|
||||||
* @class Backend
|
|
||||||
*/
|
*/
|
||||||
class Backend {
|
class Backend {
|
||||||
/**
|
indexer: Indexer;
|
||||||
* @constructor
|
service: string;
|
||||||
* @param {string} service - service identifer for construction arn
|
|
||||||
* @param {Indexer} indexer - indexer instance for retrieving account info
|
constructor(service: string, indexer: Indexer) {
|
||||||
* @param {function} formatter - function which accepts user info to send
|
|
||||||
* back and returns it in an object
|
|
||||||
*/
|
|
||||||
constructor(service, indexer, formatter) {
|
|
||||||
this.service = service;
|
this.service = service;
|
||||||
this.indexer = indexer;
|
this.indexer = indexer;
|
||||||
this.formatResponse = formatter;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** verifySignatureV2
|
// CODEQUALITY-TODO-SYNC Should be synchronous
|
||||||
* @param {string} stringToSign - string to sign built per AWS rules
|
verifySignatureV2(
|
||||||
* @param {string} signatureFromRequest - signature sent with request
|
stringToSign: string,
|
||||||
* @param {string} accessKey - account accessKey
|
signatureFromRequest: string,
|
||||||
* @param {object} options - contains algorithm (SHA1 or SHA256)
|
accessKey: string,
|
||||||
* @param {function} callback - callback with either error or user info
|
options: { algo: 'SHA256' | 'SHA1' },
|
||||||
* @return {function} calls callback
|
callback: (
|
||||||
*/
|
error: Error | null,
|
||||||
verifySignatureV2(stringToSign, signatureFromRequest,
|
data?: ReturnType<typeof _formatResponse>
|
||||||
accessKey, options, callback) {
|
) => void
|
||||||
|
) {
|
||||||
const entity = this.indexer.getEntityByKey(accessKey);
|
const entity = this.indexer.getEntityByKey(accessKey);
|
||||||
if (!entity) {
|
if (!entity) {
|
||||||
return callback(errors.InvalidAccessKeyId);
|
return callback(errors.InvalidAccessKeyId);
|
||||||
|
@ -59,26 +50,28 @@ class Backend {
|
||||||
accountDisplayName: this.indexer.getAcctDisplayName(entity),
|
accountDisplayName: this.indexer.getAcctDisplayName(entity),
|
||||||
canonicalID: entity.canonicalID,
|
canonicalID: entity.canonicalID,
|
||||||
arn: entity.arn,
|
arn: entity.arn,
|
||||||
|
// TODO Why?
|
||||||
|
// @ts-ignore
|
||||||
IAMdisplayName: entity.IAMdisplayName,
|
IAMdisplayName: entity.IAMdisplayName,
|
||||||
};
|
};
|
||||||
const vaultReturnObject = this.formatResponse(userInfoToSend);
|
const vaultReturnObject = _formatResponse(userInfoToSend);
|
||||||
return callback(null, vaultReturnObject);
|
return callback(null, vaultReturnObject);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO Options not used. Why ?
|
||||||
/** verifySignatureV4
|
// CODEQUALITY-TODO-SYNC Should be synchronous
|
||||||
* @param {string} stringToSign - string to sign built per AWS rules
|
verifySignatureV4(
|
||||||
* @param {string} signatureFromRequest - signature sent with request
|
stringToSign: string,
|
||||||
* @param {string} accessKey - account accessKey
|
signatureFromRequest: string,
|
||||||
* @param {string} region - region specified in request credential
|
accessKey: string,
|
||||||
* @param {string} scopeDate - date specified in request credential
|
region: string,
|
||||||
* @param {object} options - options to send to Vault
|
scopeDate: string,
|
||||||
* (just contains reqUid for logging in Vault)
|
_options: { algo: 'SHA256' | 'SHA1' },
|
||||||
* @param {function} callback - callback with either error or user info
|
callback: (
|
||||||
* @return {function} calls callback
|
err: Error | null,
|
||||||
*/
|
data?: ReturnType<typeof _formatResponse>
|
||||||
verifySignatureV4(stringToSign, signatureFromRequest, accessKey,
|
) => void
|
||||||
region, scopeDate, options, callback) {
|
) {
|
||||||
const entity = this.indexer.getEntityByKey(accessKey);
|
const entity = this.indexer.getEntityByKey(accessKey);
|
||||||
if (!entity) {
|
if (!entity) {
|
||||||
return callback(errors.InvalidAccessKeyId);
|
return callback(errors.InvalidAccessKeyId);
|
||||||
|
@ -94,23 +87,21 @@ class Backend {
|
||||||
accountDisplayName: this.indexer.getAcctDisplayName(entity),
|
accountDisplayName: this.indexer.getAcctDisplayName(entity),
|
||||||
canonicalID: entity.canonicalID,
|
canonicalID: entity.canonicalID,
|
||||||
arn: entity.arn,
|
arn: entity.arn,
|
||||||
|
// TODO Why?
|
||||||
|
// @ts-ignore
|
||||||
IAMdisplayName: entity.IAMdisplayName,
|
IAMdisplayName: entity.IAMdisplayName,
|
||||||
};
|
};
|
||||||
const vaultReturnObject = this.formatResponse(userInfoToSend);
|
const vaultReturnObject = _formatResponse(userInfoToSend);
|
||||||
return callback(null, vaultReturnObject);
|
return callback(null, vaultReturnObject);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
// TODO log not used. Why ?
|
||||||
* Gets canonical ID's for a list of accounts
|
// CODEQUALITY-TODO-SYNC Should be synchronous
|
||||||
* based on email associated with account
|
getCanonicalIds(
|
||||||
* @param {array} emails - list of email addresses
|
emails: string[],
|
||||||
* @param {object} log - log object
|
_log: any,
|
||||||
* @param {function} cb - callback to calling function
|
cb: (err: null, data: { message: { body: any } }) => void
|
||||||
* @returns {function} callback with either error or
|
) {
|
||||||
* object with email addresses as keys and canonical IDs
|
|
||||||
* as values
|
|
||||||
*/
|
|
||||||
getCanonicalIds(emails, log, cb) {
|
|
||||||
const results = {};
|
const results = {};
|
||||||
emails.forEach(email => {
|
emails.forEach(email => {
|
||||||
const lowercasedEmail = email.toLowerCase();
|
const lowercasedEmail = email.toLowerCase();
|
||||||
|
@ -130,17 +121,13 @@ class Backend {
|
||||||
return cb(null, vaultReturnObject);
|
return cb(null, vaultReturnObject);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
// TODO options not used. Why ?
|
||||||
* Gets email addresses (referred to as diplay names for getACL's)
|
// CODEQUALITY-TODO-SYNC Should be synchronous
|
||||||
* for a list of accounts based on canonical IDs associated with account
|
getEmailAddresses(
|
||||||
* @param {array} canonicalIDs - list of canonicalIDs
|
canonicalIDs: string[],
|
||||||
* @param {object} options - to send log id to vault
|
_options: any,
|
||||||
* @param {function} cb - callback to calling function
|
cb: (err: null, data: { message: { body: any } }) => void
|
||||||
* @returns {function} callback with either error or
|
) {
|
||||||
* an object from Vault containing account canonicalID
|
|
||||||
* as each object key and an email address as the value (or "NotFound")
|
|
||||||
*/
|
|
||||||
getEmailAddresses(canonicalIDs, options, cb) {
|
|
||||||
const results = {};
|
const results = {};
|
||||||
canonicalIDs.forEach(canonicalId => {
|
canonicalIDs.forEach(canonicalId => {
|
||||||
const foundEntity = this.indexer.getEntityByCanId(canonicalId);
|
const foundEntity = this.indexer.getEntityByCanId(canonicalId);
|
||||||
|
@ -158,17 +145,24 @@ class Backend {
|
||||||
return cb(null, vaultReturnObject);
|
return cb(null, vaultReturnObject);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO options not used. Why ?
|
||||||
|
// CODEQUALITY-TODO-SYNC Should be synchronous
|
||||||
/**
|
/**
|
||||||
* Gets accountIds for a list of accounts based on
|
* Gets accountIds for a list of accounts based on
|
||||||
* the canonical IDs associated with the account
|
* the canonical IDs associated with the account
|
||||||
* @param {array} canonicalIDs - list of canonicalIDs
|
* @param canonicalIDs - list of canonicalIDs
|
||||||
* @param {object} options - to send log id to vault
|
* @param _options - to send log id to vault
|
||||||
* @param {function} cb - callback to calling function
|
* @param cb - callback to calling function
|
||||||
* @returns {function} callback with either error or
|
* @returns The next is wrong. Here to keep archives.
|
||||||
|
* callback with either error or
|
||||||
* an object from Vault containing account canonicalID
|
* an object from Vault containing account canonicalID
|
||||||
* as each object key and an accountId as the value (or "NotFound")
|
* as each object key and an accountId as the value (or "NotFound")
|
||||||
*/
|
*/
|
||||||
getAccountIds(canonicalIDs, options, cb) {
|
getAccountIds(
|
||||||
|
canonicalIDs: string[],
|
||||||
|
_options: any,
|
||||||
|
cb: (err: null, data: { message: { body: any } }) => void
|
||||||
|
) {
|
||||||
const results = {};
|
const results = {};
|
||||||
canonicalIDs.forEach(canonicalID => {
|
canonicalIDs.forEach(canonicalID => {
|
||||||
const foundEntity = this.indexer.getEntityByCanId(canonicalID);
|
const foundEntity = this.indexer.getEntityByCanId(canonicalID);
|
||||||
|
@ -187,31 +181,14 @@ class Backend {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
class S3AuthBackend extends Backend {
|
class S3AuthBackend extends Backend {
|
||||||
/**
|
constructor(authdata: Accounts) {
|
||||||
* @constructor
|
super('s3', new Indexer(authdata));
|
||||||
* @param {object} authdata - the authentication config file's data
|
|
||||||
* @param {object[]} authdata.accounts - array of account objects
|
|
||||||
* @param {string=} authdata.accounts[].name - account name
|
|
||||||
* @param {string} authdata.accounts[].email - account email
|
|
||||||
* @param {string} authdata.accounts[].arn - IAM resource name
|
|
||||||
* @param {string} authdata.accounts[].canonicalID - account canonical ID
|
|
||||||
* @param {string} authdata.accounts[].shortid - short account ID
|
|
||||||
* @param {object[]=} authdata.accounts[].keys - array of key objects
|
|
||||||
* @param {string} authdata.accounts[].keys[].access - access key
|
|
||||||
* @param {string} authdata.accounts[].keys[].secret - secret key
|
|
||||||
* @return {undefined}
|
|
||||||
*/
|
|
||||||
constructor(authdata) {
|
|
||||||
super('s3', new Indexer(authdata), _formatResponse);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
refreshAuthData(authData) {
|
refreshAuthData(authData: Accounts) {
|
||||||
this.indexer = new Indexer(authData);
|
this.indexer = new Indexer(authData);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = {
|
export { S3AuthBackend as s3 };
|
||||||
s3: S3AuthBackend,
|
|
||||||
};
|
|
||||||
|
|
|
@ -1,27 +1,19 @@
|
||||||
|
import { Accounts, Account, Entity } from './types';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Class that provides an internal indexing over the simple data provided by
|
* Class that provides an internal indexing over the simple data provided by
|
||||||
* the authentication configuration file for the memory backend. This allows
|
* the authentication configuration file for the memory backend. This allows
|
||||||
* accessing the different authentication entities through various types of
|
* accessing the different authentication entities through various types of
|
||||||
* keys.
|
* keys.
|
||||||
*
|
|
||||||
* @class Indexer
|
|
||||||
*/
|
*/
|
||||||
class Indexer {
|
export default class Indexer {
|
||||||
/**
|
accountsBy: {
|
||||||
* @constructor
|
canId: { [id: string]: Entity | undefined },
|
||||||
* @param {object} authdata - the authentication config file's data
|
accessKey: { [id: string]: Entity | undefined },
|
||||||
* @param {object[]} authdata.accounts - array of account objects
|
email: { [id: string]: Entity | undefined },
|
||||||
* @param {string=} authdata.accounts[].name - account name
|
}
|
||||||
* @param {string} authdata.accounts[].email - account email
|
|
||||||
* @param {string} authdata.accounts[].arn - IAM resource name
|
constructor(authdata?: Accounts) {
|
||||||
* @param {string} authdata.accounts[].canonicalID - account canonical ID
|
|
||||||
* @param {string} authdata.accounts[].shortid - short account ID
|
|
||||||
* @param {object[]=} authdata.accounts[].keys - array of key objects
|
|
||||||
* @param {string} authdata.accounts[].keys[].access - access key
|
|
||||||
* @param {string} authdata.accounts[].keys[].secret - secret key
|
|
||||||
* @return {undefined}
|
|
||||||
*/
|
|
||||||
constructor(authdata) {
|
|
||||||
this.accountsBy = {
|
this.accountsBy = {
|
||||||
canId: {},
|
canId: {},
|
||||||
accessKey: {},
|
accessKey: {},
|
||||||
|
@ -37,11 +29,11 @@ class Indexer {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
this._build(authdata);
|
this.#build(authdata);
|
||||||
}
|
}
|
||||||
|
|
||||||
_indexAccount(account) {
|
#indexAccount(account: Account) {
|
||||||
const accountData = {
|
const accountData: Entity = {
|
||||||
arn: account.arn,
|
arn: account.arn,
|
||||||
canonicalID: account.canonicalID,
|
canonicalID: account.canonicalID,
|
||||||
shortid: account.shortid,
|
shortid: account.shortid,
|
||||||
|
@ -59,87 +51,43 @@ class Indexer {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
_build(authdata) {
|
#build(authdata: Accounts) {
|
||||||
authdata.accounts.forEach(account => {
|
authdata.accounts.forEach(account => {
|
||||||
this._indexAccount(account);
|
this.#indexAccount(account);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/** This method returns the account associated to a canonical ID. */
|
||||||
* This method returns the account associated to a canonical ID.
|
getEntityByCanId(canId: string): Entity | undefined {
|
||||||
*
|
|
||||||
* @param {string} canId - The canonicalId of the account
|
|
||||||
* @return {Object} account - The account object
|
|
||||||
* @return {Object} account.arn - The account's ARN
|
|
||||||
* @return {Object} account.canonicalID - The account's canonical ID
|
|
||||||
* @return {Object} account.shortid - The account's internal shortid
|
|
||||||
* @return {Object} account.accountDisplayName - The account's display name
|
|
||||||
* @return {Object} account.email - The account's lowercased email
|
|
||||||
*/
|
|
||||||
getEntityByCanId(canId) {
|
|
||||||
return this.accountsBy.canId[canId];
|
return this.accountsBy.canId[canId];
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This method returns the entity (either an account or a user) associated
|
* This method returns the entity (either an account or a user) associated
|
||||||
* to a canonical ID.
|
* to a canonical ID.
|
||||||
*
|
|
||||||
* @param {string} key - The accessKey of the entity
|
* @param {string} key - The accessKey of the entity
|
||||||
* @return {Object} entity - The entity object
|
|
||||||
* @return {Object} entity.arn - The entity's ARN
|
|
||||||
* @return {Object} entity.canonicalID - The canonical ID for the entity's
|
|
||||||
* account
|
|
||||||
* @return {Object} entity.shortid - The entity's internal shortid
|
|
||||||
* @return {Object} entity.accountDisplayName - The entity's account
|
|
||||||
* display name
|
|
||||||
* @return {Object} entity.IAMDisplayName - The user's display name
|
|
||||||
* (if the entity is an user)
|
|
||||||
* @return {Object} entity.email - The entity's lowercased email
|
|
||||||
*/
|
*/
|
||||||
getEntityByKey(key) {
|
getEntityByKey(key: string): Entity | undefined {
|
||||||
return this.accountsBy.accessKey[key];
|
return this.accountsBy.accessKey[key];
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This method returns the entity (either an account or a user) associated
|
* This method returns the entity (either an account or a user) associated
|
||||||
* to an email address.
|
* to an email address.
|
||||||
*
|
|
||||||
* @param {string} email - The email address
|
|
||||||
* @return {Object} entity - The entity object
|
|
||||||
* @return {Object} entity.arn - The entity's ARN
|
|
||||||
* @return {Object} entity.canonicalID - The canonical ID for the entity's
|
|
||||||
* account
|
|
||||||
* @return {Object} entity.shortid - The entity's internal shortid
|
|
||||||
* @return {Object} entity.accountDisplayName - The entity's account
|
|
||||||
* display name
|
|
||||||
* @return {Object} entity.IAMDisplayName - The user's display name
|
|
||||||
* (if the entity is an user)
|
|
||||||
* @return {Object} entity.email - The entity's lowercased email
|
|
||||||
*/
|
*/
|
||||||
getEntityByEmail(email) {
|
getEntityByEmail(email: string): Entity | undefined {
|
||||||
const lowerCasedEmail = email.toLowerCase();
|
const lowerCasedEmail = email.toLowerCase();
|
||||||
return this.accountsBy.email[lowerCasedEmail];
|
return this.accountsBy.email[lowerCasedEmail];
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/** This method returns the secret key associated with the entity. */
|
||||||
* This method returns the secret key associated with the entity.
|
getSecretKey(entity: Entity, accessKey: string) {
|
||||||
* @param {Object} entity - the entity object
|
const keys = entity.keys.filter(kv => kv.access === accessKey);
|
||||||
* @param {string} accessKey - access key
|
return keys[0].secret;
|
||||||
* @returns {string} secret key
|
|
||||||
*/
|
|
||||||
getSecretKey(entity, accessKey) {
|
|
||||||
return entity.keys
|
|
||||||
.filter(kv => kv.access === accessKey)[0].secret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/** This method returns the account display name associated with the entity. */
|
||||||
* This method returns the account display name associated with the entity.
|
getAcctDisplayName(entity: Entity) {
|
||||||
* @param {Object} entity - the entity object
|
|
||||||
* @returns {string} account display name
|
|
||||||
*/
|
|
||||||
getAcctDisplayName(entity) {
|
|
||||||
return entity.accountDisplayName;
|
return entity.accountDisplayName;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = Indexer;
|
|
||||||
|
|
|
@ -1,18 +1,16 @@
|
||||||
const AuthLoader = require('./AuthLoader');
|
import { Logger } from 'werelogs';
|
||||||
|
import AuthLoader from './AuthLoader';
|
||||||
|
import { Accounts } from './types';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @deprecated please use {@link AuthLoader} class instead
|
* @deprecated please use {@link AuthLoader} class instead
|
||||||
*
|
* @return true on erroneous data false on success
|
||||||
* @param {object} authdata - the authentication config file's data
|
|
||||||
* @param {werelogs.API} logApi - object providing a constructor function
|
|
||||||
* for the Logger object
|
|
||||||
* @return {boolean} true on erroneous data
|
|
||||||
* false on success
|
|
||||||
*/
|
*/
|
||||||
function validateAuthConfig(authdata, logApi) {
|
export default function validateAuthConfig(
|
||||||
|
authdata: Accounts,
|
||||||
|
logApi?: { Logger: typeof Logger }
|
||||||
|
) {
|
||||||
const authLoader = new AuthLoader(logApi);
|
const authLoader = new AuthLoader(logApi);
|
||||||
authLoader.addAccounts(authdata);
|
authLoader.addAccounts(authdata);
|
||||||
return !authLoader.validate();
|
return !authLoader.validate();
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = validateAuthConfig;
|
|
||||||
|
|
|
@ -1,7 +1,5 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
export default function algoCheck(signatureLength: number) {
|
||||||
|
let algo: 'sha256' | 'sha1';
|
||||||
function algoCheck(signatureLength) {
|
|
||||||
let algo;
|
|
||||||
// If the signature sent is 44 characters,
|
// If the signature sent is 44 characters,
|
||||||
// this means that sha256 was used:
|
// this means that sha256 was used:
|
||||||
// 44 characters in base64
|
// 44 characters in base64
|
||||||
|
@ -13,7 +11,6 @@ function algoCheck(signatureLength) {
|
||||||
if (signatureLength === SHA1LEN) {
|
if (signatureLength === SHA1LEN) {
|
||||||
algo = 'sha1';
|
algo = 'sha1';
|
||||||
}
|
}
|
||||||
|
// @ts-ignore
|
||||||
return algo;
|
return algo;
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = algoCheck;
|
|
||||||
|
|
|
@ -1,11 +1,2 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
export * as header from './headerAuthCheck';
|
||||||
|
export * as query from './queryAuthCheck';
|
||||||
const headerAuthCheck = require('./headerAuthCheck');
|
|
||||||
const queryAuthCheck = require('./queryAuthCheck');
|
|
||||||
|
|
||||||
const authV2 = {
|
|
||||||
header: headerAuthCheck,
|
|
||||||
query: queryAuthCheck,
|
|
||||||
};
|
|
||||||
|
|
||||||
module.exports = authV2;
|
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import { Logger } from 'werelogs';
|
||||||
const errors = require('../../errors');
|
import errors from '../../errors';
|
||||||
|
|
||||||
const epochTime = new Date('1970-01-01').getTime();
|
const epochTime = new Date('1970-01-01').getTime();
|
||||||
|
|
||||||
function checkRequestExpiry(timestamp, log) {
|
export default function checkRequestExpiry(timestamp: number, log: Logger) {
|
||||||
// If timestamp is before epochTime, the request is invalid and return
|
// If timestamp is before epochTime, the request is invalid and return
|
||||||
// errors.AccessDenied
|
// errors.AccessDenied
|
||||||
if (timestamp < epochTime) {
|
if (timestamp < epochTime) {
|
||||||
|
@ -32,5 +32,3 @@ function checkRequestExpiry(timestamp, log) {
|
||||||
|
|
||||||
return undefined;
|
return undefined;
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = checkRequestExpiry;
|
|
||||||
|
|
|
@ -1,11 +1,14 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import { Logger } from 'werelogs';
|
||||||
|
import utf8 from 'utf8';
|
||||||
|
import getCanonicalizedAmzHeaders from './getCanonicalizedAmzHeaders';
|
||||||
|
import getCanonicalizedResource from './getCanonicalizedResource';
|
||||||
|
|
||||||
const utf8 = require('utf8');
|
export default function constructStringToSign(
|
||||||
|
request: any,
|
||||||
const getCanonicalizedAmzHeaders = require('./getCanonicalizedAmzHeaders');
|
data: { [key: string]: string },
|
||||||
const getCanonicalizedResource = require('./getCanonicalizedResource');
|
log: Logger,
|
||||||
|
clientType?: any
|
||||||
function constructStringToSign(request, data, log, clientType) {
|
) {
|
||||||
/*
|
/*
|
||||||
Build signature per AWS requirements:
|
Build signature per AWS requirements:
|
||||||
StringToSign = HTTP-Verb + '\n' +
|
StringToSign = HTTP-Verb + '\n' +
|
||||||
|
@ -42,5 +45,3 @@ function constructStringToSign(request, data, log, clientType) {
|
||||||
+ getCanonicalizedResource(request, clientType);
|
+ getCanonicalizedResource(request, clientType);
|
||||||
return utf8.encode(stringToSign);
|
return utf8.encode(stringToSign);
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = constructStringToSign;
|
|
||||||
|
|
|
@ -1,14 +1,12 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
export default function getCanonicalizedAmzHeaders(headers: Headers, clientType: string) {
|
||||||
|
|
||||||
function getCanonicalizedAmzHeaders(headers, clientType) {
|
|
||||||
/*
|
/*
|
||||||
Iterate through headers and pull any headers that are x-amz headers.
|
Iterate through headers and pull any headers that are x-amz headers.
|
||||||
Need to include 'x-amz-date' here even though AWS docs
|
Need to include 'x-amz-date' here even though AWS docs
|
||||||
ambiguous on this.
|
ambiguous on this.
|
||||||
*/
|
*/
|
||||||
const filterFn = clientType === 'GCP' ?
|
const filterFn = clientType === 'GCP' ?
|
||||||
val => val.substr(0, 7) === 'x-goog-' :
|
(val: string) => val.substr(0, 7) === 'x-goog-' :
|
||||||
val => val.substr(0, 6) === 'x-amz-';
|
(val: string) => val.substr(0, 6) === 'x-amz-';
|
||||||
const amzHeaders = Object.keys(headers)
|
const amzHeaders = Object.keys(headers)
|
||||||
.filter(filterFn)
|
.filter(filterFn)
|
||||||
.map(val => [val.trim(), headers[val].trim()]);
|
.map(val => [val.trim(), headers[val].trim()]);
|
||||||
|
@ -43,5 +41,3 @@ function getCanonicalizedAmzHeaders(headers, clientType) {
|
||||||
`${headerStr}${current[0]}:${current[1]}\n`,
|
`${headerStr}${current[0]}:${current[1]}\n`,
|
||||||
'');
|
'');
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = getCanonicalizedAmzHeaders;
|
|
||||||
|
|
|
@ -1,6 +1,4 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import * as url from 'url';
|
||||||
|
|
||||||
const url = require('url');
|
|
||||||
|
|
||||||
const gcpSubresources = [
|
const gcpSubresources = [
|
||||||
'acl',
|
'acl',
|
||||||
|
@ -41,7 +39,7 @@ const awsSubresources = [
|
||||||
'website',
|
'website',
|
||||||
];
|
];
|
||||||
|
|
||||||
function getCanonicalizedResource(request, clientType) {
|
export default function getCanonicalizedResource(request: any, clientType: string) {
|
||||||
/*
|
/*
|
||||||
This variable is used to determine whether to insert
|
This variable is used to determine whether to insert
|
||||||
a '?' or '&'. Once a query parameter is added to the resourceString,
|
a '?' or '&'. Once a query parameter is added to the resourceString,
|
||||||
|
@ -117,5 +115,3 @@ function getCanonicalizedResource(request, clientType) {
|
||||||
}
|
}
|
||||||
return resourceString;
|
return resourceString;
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = getCanonicalizedResource;
|
|
||||||
|
|
|
@ -1,12 +1,11 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import { Logger } from 'werelogs';
|
||||||
|
import errors from '../../errors';
|
||||||
|
import * as constants from '../../constants';
|
||||||
|
import constructStringToSign from './constructStringToSign';
|
||||||
|
import checkRequestExpiry from './checkRequestExpiry';
|
||||||
|
import algoCheck from './algoCheck';
|
||||||
|
|
||||||
const errors = require('../../errors');
|
export function check(request: any, log: Logger, data: { [key: string]: string }) {
|
||||||
const constants = require('../../constants');
|
|
||||||
const constructStringToSign = require('./constructStringToSign');
|
|
||||||
const checkRequestExpiry = require('./checkRequestExpiry');
|
|
||||||
const algoCheck = require('./algoCheck');
|
|
||||||
|
|
||||||
function check(request, log, data) {
|
|
||||||
log.trace('running header auth check');
|
log.trace('running header auth check');
|
||||||
const headers = request.headers;
|
const headers = request.headers;
|
||||||
|
|
||||||
|
@ -52,6 +51,7 @@ function check(request, log, data) {
|
||||||
log.trace('invalid authorization header', { authInfo });
|
log.trace('invalid authorization header', { authInfo });
|
||||||
return { err: errors.MissingSecurityHeader };
|
return { err: errors.MissingSecurityHeader };
|
||||||
}
|
}
|
||||||
|
// @ts-ignore
|
||||||
log.addDefaultFields({ accessKey });
|
log.addDefaultFields({ accessKey });
|
||||||
|
|
||||||
const signatureFromRequest = authInfo.substring(semicolonIndex + 1).trim();
|
const signatureFromRequest = authInfo.substring(semicolonIndex + 1).trim();
|
||||||
|
@ -80,5 +80,3 @@ function check(request, log, data) {
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = { check };
|
|
||||||
|
|
|
@ -1,11 +1,10 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import { Logger } from 'werelogs';
|
||||||
|
import errors from '../../errors';
|
||||||
|
import * as constants from '../../constants';
|
||||||
|
import algoCheck from './algoCheck';
|
||||||
|
import constructStringToSign from './constructStringToSign';
|
||||||
|
|
||||||
const errors = require('../../errors');
|
export function check(request: any, log: Logger, data: { [key: string]: string }) {
|
||||||
const constants = require('../../constants');
|
|
||||||
const algoCheck = require('./algoCheck');
|
|
||||||
const constructStringToSign = require('./constructStringToSign');
|
|
||||||
|
|
||||||
function check(request, log, data) {
|
|
||||||
log.trace('running query auth check');
|
log.trace('running query auth check');
|
||||||
if (request.method === 'POST') {
|
if (request.method === 'POST') {
|
||||||
log.debug('query string auth not supported for post requests');
|
log.debug('query string auth not supported for post requests');
|
||||||
|
@ -51,6 +50,7 @@ function check(request, log, data) {
|
||||||
return { err: errors.RequestTimeTooSkewed };
|
return { err: errors.RequestTimeTooSkewed };
|
||||||
}
|
}
|
||||||
const accessKey = data.AWSAccessKeyId;
|
const accessKey = data.AWSAccessKeyId;
|
||||||
|
// @ts-ignore
|
||||||
log.addDefaultFields({ accessKey });
|
log.addDefaultFields({ accessKey });
|
||||||
|
|
||||||
const signatureFromRequest = decodeURIComponent(data.Signature);
|
const signatureFromRequest = decodeURIComponent(data.Signature);
|
||||||
|
@ -82,5 +82,3 @@ function check(request, log, data) {
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = { check };
|
|
||||||
|
|
|
@ -1,11 +1,2 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
export * as header from './headerAuthCheck';
|
||||||
|
export * as query from './queryAuthCheck';
|
||||||
const headerAuthCheck = require('./headerAuthCheck');
|
|
||||||
const queryAuthCheck = require('./queryAuthCheck');
|
|
||||||
|
|
||||||
const authV4 = {
|
|
||||||
header: headerAuthCheck,
|
|
||||||
query: queryAuthCheck,
|
|
||||||
};
|
|
||||||
|
|
||||||
module.exports = authV4;
|
|
||||||
|
|
|
@ -1,5 +1,3 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
AWS's URI encoding rules:
|
AWS's URI encoding rules:
|
||||||
URI encode every byte. Uri-Encode() must enforce the following rules:
|
URI encode every byte. Uri-Encode() must enforce the following rules:
|
||||||
|
@ -19,7 +17,7 @@ See http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
|
||||||
*/
|
*/
|
||||||
|
|
||||||
// converts utf8 character to hex and pads "%" before every two hex digits
|
// converts utf8 character to hex and pads "%" before every two hex digits
|
||||||
function _toHexUTF8(char) {
|
function _toHexUTF8(char: string) {
|
||||||
const hexRep = Buffer.from(char, 'utf8').toString('hex').toUpperCase();
|
const hexRep = Buffer.from(char, 'utf8').toString('hex').toUpperCase();
|
||||||
let res = '';
|
let res = '';
|
||||||
hexRep.split('').forEach((v, n) => {
|
hexRep.split('').forEach((v, n) => {
|
||||||
|
@ -32,7 +30,11 @@ function _toHexUTF8(char) {
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
function awsURIencode(input, encodeSlash, noEncodeStar) {
|
export default function awsURIencode(
|
||||||
|
input: string,
|
||||||
|
encodeSlash?: boolean,
|
||||||
|
noEncodeStar?: boolean
|
||||||
|
) {
|
||||||
const encSlash = encodeSlash === undefined ? true : encodeSlash;
|
const encSlash = encodeSlash === undefined ? true : encodeSlash;
|
||||||
let encoded = '';
|
let encoded = '';
|
||||||
/**
|
/**
|
||||||
|
@ -62,5 +64,3 @@ function awsURIencode(input, encodeSlash, noEncodeStar) {
|
||||||
}
|
}
|
||||||
return encoded;
|
return encoded;
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = awsURIencode;
|
|
||||||
|
|
|
@ -1,17 +1,33 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import * as crypto from 'crypto';
|
||||||
|
import { Logger } from 'werelogs';
|
||||||
const crypto = require('crypto');
|
import createCanonicalRequest from './createCanonicalRequest';
|
||||||
|
|
||||||
const createCanonicalRequest = require('./createCanonicalRequest');
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* constructStringToSign - creates V4 stringToSign
|
* constructStringToSign - creates V4 stringToSign
|
||||||
* @param {object} params - params object
|
* @param {object} params - params object
|
||||||
* @returns {string} - stringToSign
|
* @returns {string} - stringToSign
|
||||||
*/
|
*/
|
||||||
function constructStringToSign(params) {
|
export default function constructStringToSign(params: {
|
||||||
const { request, signedHeaders, payloadChecksum, credentialScope, timestamp,
|
request: any;
|
||||||
query, log, proxyPath } = params;
|
signedHeaders: any;
|
||||||
|
payloadChecksum: any;
|
||||||
|
credentialScope: string;
|
||||||
|
timestamp: string;
|
||||||
|
query: { [key: string]: string };
|
||||||
|
log?: Logger;
|
||||||
|
proxyPath?: string;
|
||||||
|
awsService: string;
|
||||||
|
}): string | Error {
|
||||||
|
const {
|
||||||
|
request,
|
||||||
|
signedHeaders,
|
||||||
|
payloadChecksum,
|
||||||
|
credentialScope,
|
||||||
|
timestamp,
|
||||||
|
query,
|
||||||
|
log,
|
||||||
|
proxyPath,
|
||||||
|
} = params;
|
||||||
const path = proxyPath || request.path;
|
const path = proxyPath || request.path;
|
||||||
|
|
||||||
const canonicalReqResult = createCanonicalRequest({
|
const canonicalReqResult = createCanonicalRequest({
|
||||||
|
@ -24,6 +40,8 @@ function constructStringToSign(params) {
|
||||||
service: params.awsService,
|
service: params.awsService,
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// TODO Why that line?
|
||||||
|
// @ts-ignore
|
||||||
if (canonicalReqResult instanceof Error) {
|
if (canonicalReqResult instanceof Error) {
|
||||||
if (log) {
|
if (log) {
|
||||||
log.error('error creating canonicalRequest');
|
log.error('error creating canonicalRequest');
|
||||||
|
@ -40,5 +58,3 @@ function constructStringToSign(params) {
|
||||||
`${credentialScope}\n${canonicalHex}`;
|
`${credentialScope}\n${canonicalHex}`;
|
||||||
return stringToSign;
|
return stringToSign;
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = constructStringToSign;
|
|
||||||
|
|
|
@ -1,27 +1,33 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import * as crypto from 'crypto';
|
||||||
|
import * as queryString from 'querystring';
|
||||||
const awsURIencode = require('./awsURIencode');
|
import awsURIencode from './awsURIencode';
|
||||||
const crypto = require('crypto');
|
|
||||||
const queryString = require('querystring');
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* createCanonicalRequest - creates V4 canonical request
|
* createCanonicalRequest - creates V4 canonical request
|
||||||
* @param {object} params - contains pHttpVerb (request type),
|
* @param params - contains pHttpVerb (request type),
|
||||||
* pResource (parsed from URL), pQuery (request query),
|
* pResource (parsed from URL), pQuery (request query),
|
||||||
* pHeaders (request headers), pSignedHeaders (signed headers from request),
|
* pHeaders (request headers), pSignedHeaders (signed headers from request),
|
||||||
* payloadChecksum (from request)
|
* payloadChecksum (from request)
|
||||||
* @returns {string} - canonicalRequest
|
* @returns - canonicalRequest
|
||||||
*/
|
*/
|
||||||
function createCanonicalRequest(params) {
|
export default function createCanonicalRequest(
|
||||||
|
params: {
|
||||||
|
pHttpVerb: string;
|
||||||
|
pResource: string;
|
||||||
|
pQuery: { [key: string]: string };
|
||||||
|
pHeaders: any;
|
||||||
|
pSignedHeaders: any;
|
||||||
|
service: string;
|
||||||
|
payloadChecksum: string;
|
||||||
|
}
|
||||||
|
) {
|
||||||
const pHttpVerb = params.pHttpVerb;
|
const pHttpVerb = params.pHttpVerb;
|
||||||
const pResource = params.pResource;
|
const pResource = params.pResource;
|
||||||
const pQuery = params.pQuery;
|
const pQuery = params.pQuery;
|
||||||
const pHeaders = params.pHeaders;
|
const pHeaders = params.pHeaders;
|
||||||
const pSignedHeaders = params.pSignedHeaders;
|
const pSignedHeaders = params.pSignedHeaders;
|
||||||
const service = params.service;
|
const service = params.service;
|
||||||
|
|
||||||
let payloadChecksum = params.payloadChecksum;
|
let payloadChecksum = params.payloadChecksum;
|
||||||
|
|
||||||
if (!payloadChecksum) {
|
if (!payloadChecksum) {
|
||||||
if (pHttpVerb === 'GET') {
|
if (pHttpVerb === 'GET') {
|
||||||
payloadChecksum = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b' +
|
payloadChecksum = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b' +
|
||||||
|
@ -34,7 +40,7 @@ function createCanonicalRequest(params) {
|
||||||
if (/aws-sdk-java\/[0-9.]+/.test(pHeaders['user-agent'])) {
|
if (/aws-sdk-java\/[0-9.]+/.test(pHeaders['user-agent'])) {
|
||||||
notEncodeStar = true;
|
notEncodeStar = true;
|
||||||
}
|
}
|
||||||
let payload = queryString.stringify(pQuery, null, null, {
|
let payload = queryString.stringify(pQuery, undefined, undefined, {
|
||||||
encodeURIComponent: input => awsURIencode(input, true,
|
encodeURIComponent: input => awsURIencode(input, true,
|
||||||
notEncodeStar),
|
notEncodeStar),
|
||||||
});
|
});
|
||||||
|
@ -61,11 +67,11 @@ function createCanonicalRequest(params) {
|
||||||
|
|
||||||
// signed headers
|
// signed headers
|
||||||
const signedHeadersList = pSignedHeaders.split(';');
|
const signedHeadersList = pSignedHeaders.split(';');
|
||||||
signedHeadersList.sort((a, b) => a.localeCompare(b));
|
signedHeadersList.sort((a: any, b: any) => a.localeCompare(b));
|
||||||
const signedHeaders = signedHeadersList.join(';');
|
const signedHeaders = signedHeadersList.join(';');
|
||||||
|
|
||||||
// canonical headers
|
// canonical headers
|
||||||
const canonicalHeadersList = signedHeadersList.map(signedHeader => {
|
const canonicalHeadersList = signedHeadersList.map((signedHeader: any) => {
|
||||||
if (pHeaders[signedHeader] !== undefined) {
|
if (pHeaders[signedHeader] !== undefined) {
|
||||||
const trimmedHeader = pHeaders[signedHeader]
|
const trimmedHeader = pHeaders[signedHeader]
|
||||||
.trim().replace(/\s+/g, ' ');
|
.trim().replace(/\s+/g, ' ');
|
||||||
|
@ -87,5 +93,3 @@ function createCanonicalRequest(params) {
|
||||||
`${signedHeaders}\n${payloadChecksum}`;
|
`${signedHeaders}\n${payloadChecksum}`;
|
||||||
return canonicalRequest;
|
return canonicalRequest;
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = createCanonicalRequest;
|
|
||||||
|
|
|
@ -1,27 +1,32 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import { Logger } from 'werelogs';
|
||||||
|
import errors from '../../../lib/errors';
|
||||||
const errors = require('../../../lib/errors');
|
import * as constants from '../../constants';
|
||||||
const constants = require('../../constants');
|
import constructStringToSign from './constructStringToSign';
|
||||||
|
import {
|
||||||
const constructStringToSign = require('./constructStringToSign');
|
checkTimeSkew,
|
||||||
const checkTimeSkew = require('./timeUtils').checkTimeSkew;
|
convertUTCtoISO8601,
|
||||||
const convertUTCtoISO8601 = require('./timeUtils').convertUTCtoISO8601;
|
convertAmzTimeToMs,
|
||||||
const convertAmzTimeToMs = require('./timeUtils').convertAmzTimeToMs;
|
} from './timeUtils';
|
||||||
const extractAuthItems = require('./validateInputs').extractAuthItems;
|
import {
|
||||||
const validateCredentials = require('./validateInputs').validateCredentials;
|
extractAuthItems,
|
||||||
const areSignedHeadersComplete =
|
validateCredentials,
|
||||||
require('./validateInputs').areSignedHeadersComplete;
|
areSignedHeadersComplete,
|
||||||
|
} from './validateInputs';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* V4 header auth check
|
* V4 header auth check
|
||||||
* @param {object} request - HTTP request object
|
* @param request - HTTP request object
|
||||||
* @param {object} log - logging object
|
* @param log - logging object
|
||||||
* @param {object} data - Parameters from queryString parsing or body of
|
* @param data - Parameters from queryString parsing or body of
|
||||||
* POST request
|
* POST request
|
||||||
* @param {string} awsService - Aws service ('iam' or 's3')
|
* @param awsService - Aws service ('iam' or 's3')
|
||||||
* @return {callback} calls callback
|
|
||||||
*/
|
*/
|
||||||
function check(request, log, data, awsService) {
|
export function check(
|
||||||
|
request: any,
|
||||||
|
log: Logger,
|
||||||
|
data: { [key: string]: string },
|
||||||
|
awsService: string
|
||||||
|
) {
|
||||||
log.trace('running header auth check');
|
log.trace('running header auth check');
|
||||||
|
|
||||||
const token = request.headers['x-amz-security-token'];
|
const token = request.headers['x-amz-security-token'];
|
||||||
|
@ -62,16 +67,16 @@ function check(request, log, data, awsService) {
|
||||||
|
|
||||||
log.trace('authorization header from request', { authHeader });
|
log.trace('authorization header from request', { authHeader });
|
||||||
|
|
||||||
const signatureFromRequest = authHeaderItems.signatureFromRequest;
|
const signatureFromRequest = authHeaderItems.signatureFromRequest!;
|
||||||
const credentialsArr = authHeaderItems.credentialsArr;
|
const credentialsArr = authHeaderItems.credentialsArr!;
|
||||||
const signedHeaders = authHeaderItems.signedHeaders;
|
const signedHeaders = authHeaderItems.signedHeaders!;
|
||||||
|
|
||||||
if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
|
if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
|
||||||
log.debug('signedHeaders are incomplete', { signedHeaders });
|
log.debug('signedHeaders are incomplete', { signedHeaders });
|
||||||
return { err: errors.AccessDenied };
|
return { err: errors.AccessDenied };
|
||||||
}
|
}
|
||||||
|
|
||||||
let timestamp;
|
let timestamp: string | undefined;
|
||||||
// check request timestamp
|
// check request timestamp
|
||||||
const xAmzDate = request.headers['x-amz-date'];
|
const xAmzDate = request.headers['x-amz-date'];
|
||||||
if (xAmzDate) {
|
if (xAmzDate) {
|
||||||
|
@ -166,5 +171,3 @@ function check(request, log, data, awsService) {
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = { check };
|
|
||||||
|
|
|
@ -1,24 +1,18 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import { Logger } from 'werelogs';
|
||||||
|
import * as constants from '../../constants';
|
||||||
const constants = require('../../constants');
|
import errors from '../../errors';
|
||||||
const errors = require('../../errors');
|
import constructStringToSign from './constructStringToSign';
|
||||||
|
import { checkTimeSkew, convertAmzTimeToMs } from './timeUtils';
|
||||||
const constructStringToSign = require('./constructStringToSign');
|
import { validateCredentials, extractQueryParams } from './validateInputs';
|
||||||
const checkTimeSkew = require('./timeUtils').checkTimeSkew;
|
import { areSignedHeadersComplete } from './validateInputs';
|
||||||
const convertAmzTimeToMs = require('./timeUtils').convertAmzTimeToMs;
|
|
||||||
const validateCredentials = require('./validateInputs').validateCredentials;
|
|
||||||
const extractQueryParams = require('./validateInputs').extractQueryParams;
|
|
||||||
const areSignedHeadersComplete =
|
|
||||||
require('./validateInputs').areSignedHeadersComplete;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* V4 query auth check
|
* V4 query auth check
|
||||||
* @param {object} request - HTTP request object
|
* @param request - HTTP request object
|
||||||
* @param {object} log - logging object
|
* @param log - logging object
|
||||||
* @param {object} data - Contain authentification params (GET or POST data)
|
* @param data - Contain authentification params (GET or POST data)
|
||||||
* @return {callback} calls callback
|
|
||||||
*/
|
*/
|
||||||
function check(request, log, data) {
|
export function check(request: any, log: Logger, data: { [key: string]: string }) {
|
||||||
const authParams = extractQueryParams(data, log);
|
const authParams = extractQueryParams(data, log);
|
||||||
|
|
||||||
if (Object.keys(authParams).length !== 5) {
|
if (Object.keys(authParams).length !== 5) {
|
||||||
|
@ -33,11 +27,11 @@ function check(request, log, data) {
|
||||||
return { err: errors.InvalidToken };
|
return { err: errors.InvalidToken };
|
||||||
}
|
}
|
||||||
|
|
||||||
const signedHeaders = authParams.signedHeaders;
|
const signedHeaders = authParams.signedHeaders!;
|
||||||
const signatureFromRequest = authParams.signatureFromRequest;
|
const signatureFromRequest = authParams.signatureFromRequest!;
|
||||||
const timestamp = authParams.timestamp;
|
const timestamp = authParams.timestamp!;
|
||||||
const expiry = authParams.expiry;
|
const expiry = authParams.expiry!;
|
||||||
const credential = authParams.credential;
|
const credential = authParams.credential!;
|
||||||
|
|
||||||
if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
|
if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
|
||||||
log.debug('signedHeaders are incomplete', { signedHeaders });
|
log.debug('signedHeaders are incomplete', { signedHeaders });
|
||||||
|
@ -110,5 +104,3 @@ function check(request, log, data) {
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = { check };
|
|
||||||
|
|
|
@ -1,12 +1,11 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import { Logger } from 'werelogs';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Convert timestamp to milliseconds since Unix Epoch
|
* Convert timestamp to milliseconds since Unix Epoch
|
||||||
* @param {string} timestamp of ISO8601Timestamp format without
|
* @param timestamp of ISO8601Timestamp format without
|
||||||
* dashes or colons, e.g. 20160202T220410Z
|
* dashes or colons, e.g. 20160202T220410Z
|
||||||
* @return {number} number of milliseconds since Unix Epoch
|
|
||||||
*/
|
*/
|
||||||
function convertAmzTimeToMs(timestamp) {
|
export function convertAmzTimeToMs(timestamp: string) {
|
||||||
const arr = timestamp.split('');
|
const arr = timestamp.split('');
|
||||||
// Convert to YYYY-MM-DDTHH:mm:ss.sssZ
|
// Convert to YYYY-MM-DDTHH:mm:ss.sssZ
|
||||||
const ISO8601time = `${arr.slice(0, 4).join('')}-${arr[4]}${arr[5]}` +
|
const ISO8601time = `${arr.slice(0, 4).join('')}-${arr[4]}${arr[5]}` +
|
||||||
|
@ -15,13 +14,12 @@ function convertAmzTimeToMs(timestamp) {
|
||||||
return Date.parse(ISO8601time);
|
return Date.parse(ISO8601time);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Convert UTC timestamp to ISO 8601 timestamp
|
* Convert UTC timestamp to ISO 8601 timestamp
|
||||||
* @param {string} timestamp of UTC form: Fri, 10 Feb 2012 21:34:55 GMT
|
* @param timestamp of UTC form: Fri, 10 Feb 2012 21:34:55 GMT
|
||||||
* @return {string} ISO8601 timestamp of form: YYYYMMDDTHHMMSSZ
|
* @return ISO8601 timestamp of form: YYYYMMDDTHHMMSSZ
|
||||||
*/
|
*/
|
||||||
function convertUTCtoISO8601(timestamp) {
|
export function convertUTCtoISO8601(timestamp: string | number) {
|
||||||
// convert to ISO string: YYYY-MM-DDTHH:mm:ss.sssZ.
|
// convert to ISO string: YYYY-MM-DDTHH:mm:ss.sssZ.
|
||||||
const converted = new Date(timestamp).toISOString();
|
const converted = new Date(timestamp).toISOString();
|
||||||
// Remove "-"s and "."s and milliseconds
|
// Remove "-"s and "."s and milliseconds
|
||||||
|
@ -30,13 +28,13 @@ function convertUTCtoISO8601(timestamp) {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check whether timestamp predates request or is too old
|
* Check whether timestamp predates request or is too old
|
||||||
* @param {string} timestamp of ISO8601Timestamp format without
|
* @param timestamp of ISO8601Timestamp format without
|
||||||
* dashes or colons, e.g. 20160202T220410Z
|
* dashes or colons, e.g. 20160202T220410Z
|
||||||
* @param {number} expiry - number of seconds signature should be valid
|
* @param expiry - number of seconds signature should be valid
|
||||||
* @param {object} log - log for request
|
* @param log - log for request
|
||||||
* @return {boolean} true if there is a time problem
|
* @return true if there is a time problem
|
||||||
*/
|
*/
|
||||||
function checkTimeSkew(timestamp, expiry, log) {
|
export function checkTimeSkew(timestamp: string, expiry: number, log: Logger) {
|
||||||
const currentTime = Date.now();
|
const currentTime = Date.now();
|
||||||
const fifteenMinutes = (15 * 60 * 1000);
|
const fifteenMinutes = (15 * 60 * 1000);
|
||||||
const parsedTimestamp = convertAmzTimeToMs(timestamp);
|
const parsedTimestamp = convertAmzTimeToMs(timestamp);
|
||||||
|
@ -56,5 +54,3 @@ function checkTimeSkew(timestamp, expiry, log) {
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = { convertAmzTimeToMs, convertUTCtoISO8601, checkTimeSkew };
|
|
||||||
|
|
|
@ -1,17 +1,19 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
import { Logger } from 'werelogs';
|
||||||
|
import errors from '../../../lib/errors';
|
||||||
const errors = require('../../../lib/errors');
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Validate Credentials
|
* Validate Credentials
|
||||||
* @param {array} credentials - contains accessKey, scopeDate,
|
* @param credentials - contains accessKey, scopeDate,
|
||||||
* region, service, requestType
|
* region, service, requestType
|
||||||
* @param {string} timestamp - timestamp from request in
|
* @param timestamp - timestamp from request in
|
||||||
* the format of ISO 8601: YYYYMMDDTHHMMSSZ
|
* the format of ISO 8601: YYYYMMDDTHHMMSSZ
|
||||||
* @param {object} log - logging object
|
* @param log - logging object
|
||||||
* @return {boolean} true if credentials are correct format, false if not
|
|
||||||
*/
|
*/
|
||||||
function validateCredentials(credentials, timestamp, log) {
|
export function validateCredentials(
|
||||||
|
credentials: [string, string, string, string, string],
|
||||||
|
timestamp: string,
|
||||||
|
log: Logger
|
||||||
|
): Error | {} {
|
||||||
if (!Array.isArray(credentials) || credentials.length !== 5) {
|
if (!Array.isArray(credentials) || credentials.length !== 5) {
|
||||||
log.warn('credentials in improper format', { credentials });
|
log.warn('credentials in improper format', { credentials });
|
||||||
return errors.InvalidArgument;
|
return errors.InvalidArgument;
|
||||||
|
@ -58,12 +60,21 @@ function validateCredentials(credentials, timestamp, log) {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Extract and validate components from query object
|
* Extract and validate components from query object
|
||||||
* @param {object} queryObj - query object from request
|
* @param queryObj - query object from request
|
||||||
* @param {object} log - logging object
|
* @param log - logging object
|
||||||
* @return {object} object containing extracted query params for authV4
|
* @return object containing extracted query params for authV4
|
||||||
*/
|
*/
|
||||||
function extractQueryParams(queryObj, log) {
|
export function extractQueryParams(
|
||||||
const authParams = {};
|
queryObj: { [key: string]: string | undefined },
|
||||||
|
log: Logger
|
||||||
|
) {
|
||||||
|
const authParams: {
|
||||||
|
signedHeaders?: string;
|
||||||
|
signatureFromRequest?: string;
|
||||||
|
timestamp?: string;
|
||||||
|
expiry?: number;
|
||||||
|
credential?: [string, string, string, string, string];
|
||||||
|
} = {};
|
||||||
|
|
||||||
// Do not need the algorithm sent back
|
// Do not need the algorithm sent back
|
||||||
if (queryObj['X-Amz-Algorithm'] !== 'AWS4-HMAC-SHA256') {
|
if (queryObj['X-Amz-Algorithm'] !== 'AWS4-HMAC-SHA256') {
|
||||||
|
@ -99,7 +110,7 @@ function extractQueryParams(queryObj, log) {
|
||||||
return authParams;
|
return authParams;
|
||||||
}
|
}
|
||||||
|
|
||||||
const expiry = Number.parseInt(queryObj['X-Amz-Expires'], 10);
|
const expiry = Number.parseInt(queryObj['X-Amz-Expires'] ?? 'nope', 10);
|
||||||
const sevenDays = 604800;
|
const sevenDays = 604800;
|
||||||
if (expiry && (expiry > 0 && expiry <= sevenDays)) {
|
if (expiry && (expiry > 0 && expiry <= sevenDays)) {
|
||||||
authParams.expiry = expiry;
|
authParams.expiry = expiry;
|
||||||
|
@ -110,6 +121,7 @@ function extractQueryParams(queryObj, log) {
|
||||||
|
|
||||||
const credential = queryObj['X-Amz-Credential'];
|
const credential = queryObj['X-Amz-Credential'];
|
||||||
if (credential && credential.length > 28 && credential.indexOf('/') > -1) {
|
if (credential && credential.length > 28 && credential.indexOf('/') > -1) {
|
||||||
|
// @ts-ignore
|
||||||
authParams.credential = credential.split('/');
|
authParams.credential = credential.split('/');
|
||||||
} else {
|
} else {
|
||||||
log.warn('invalid credential param', { credential });
|
log.warn('invalid credential param', { credential });
|
||||||
|
@ -121,14 +133,17 @@ function extractQueryParams(queryObj, log) {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Extract and validate components from auth header
|
* Extract and validate components from auth header
|
||||||
* @param {string} authHeader - authorization header from request
|
* @param authHeader - authorization header from request
|
||||||
* @param {object} log - logging object
|
* @param log - logging object
|
||||||
* @return {object} object containing extracted auth header items for authV4
|
* @return object containing extracted auth header items for authV4
|
||||||
*/
|
*/
|
||||||
function extractAuthItems(authHeader, log) {
|
export function extractAuthItems(authHeader: string, log: Logger) {
|
||||||
const authItems = {};
|
const authItems: {
|
||||||
const authArray = authHeader
|
credentialsArr?: [string, string, string, string, string];
|
||||||
.replace('AWS4-HMAC-SHA256 ', '').split(',');
|
signedHeaders?: string;
|
||||||
|
signatureFromRequest?: string;
|
||||||
|
} = {};
|
||||||
|
const authArray = authHeader.replace('AWS4-HMAC-SHA256 ', '').split(',');
|
||||||
|
|
||||||
if (authArray.length < 3) {
|
if (authArray.length < 3) {
|
||||||
return authItems;
|
return authItems;
|
||||||
|
@ -138,8 +153,12 @@ function extractAuthItems(authHeader, log) {
|
||||||
const signedHeadersStr = authArray[1];
|
const signedHeadersStr = authArray[1];
|
||||||
const signatureStr = authArray[2];
|
const signatureStr = authArray[2];
|
||||||
log.trace('credentials from request', { credentialStr });
|
log.trace('credentials from request', { credentialStr });
|
||||||
if (credentialStr && credentialStr.trim().startsWith('Credential=')
|
if (
|
||||||
&& credentialStr.indexOf('/') > -1) {
|
credentialStr &&
|
||||||
|
credentialStr.trim().startsWith('Credential=') &&
|
||||||
|
credentialStr.indexOf('/') > -1
|
||||||
|
) {
|
||||||
|
// @ts-ignore
|
||||||
authItems.credentialsArr = credentialStr
|
authItems.credentialsArr = credentialStr
|
||||||
.trim().replace('Credential=', '').split('/');
|
.trim().replace('Credential=', '').split('/');
|
||||||
} else {
|
} else {
|
||||||
|
@ -166,11 +185,11 @@ function extractAuthItems(authHeader, log) {
|
||||||
/**
|
/**
|
||||||
* Checks whether the signed headers include the host header
|
* Checks whether the signed headers include the host header
|
||||||
* and all x-amz- and x-scal- headers in request
|
* and all x-amz- and x-scal- headers in request
|
||||||
* @param {string} signedHeaders - signed headers sent with request
|
* @param signedHeaders - signed headers sent with request
|
||||||
* @param {object} allHeaders - request.headers
|
* @param allHeaders - request.headers
|
||||||
* @return {boolean} true if all x-amz-headers included and false if not
|
* @return true if all x-amz-headers included and false if not
|
||||||
*/
|
*/
|
||||||
function areSignedHeadersComplete(signedHeaders, allHeaders) {
|
export function areSignedHeadersComplete(signedHeaders: string, allHeaders: Headers) {
|
||||||
const signedHeadersList = signedHeaders.split(';');
|
const signedHeadersList = signedHeaders.split(';');
|
||||||
if (signedHeadersList.indexOf('host') === -1) {
|
if (signedHeadersList.indexOf('host') === -1) {
|
||||||
return false;
|
return false;
|
||||||
|
@ -185,6 +204,3 @@ function areSignedHeadersComplete(signedHeaders, allHeaders) {
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = { validateCredentials, extractQueryParams,
|
|
||||||
areSignedHeadersComplete, extractAuthItems };
|
|
||||||
|
|
|
@ -1,6 +1,4 @@
|
||||||
'use strict'; // eslint-disable-line strict
|
export const ciphers = [
|
||||||
|
|
||||||
const ciphers = [
|
|
||||||
'DHE-RSA-AES128-GCM-SHA256',
|
'DHE-RSA-AES128-GCM-SHA256',
|
||||||
'ECDHE-ECDSA-AES128-GCM-SHA256',
|
'ECDHE-ECDSA-AES128-GCM-SHA256',
|
||||||
'ECDHE-RSA-AES256-GCM-SHA384',
|
'ECDHE-RSA-AES256-GCM-SHA384',
|
||||||
|
@ -28,7 +26,3 @@ const ciphers = [
|
||||||
'!EDH-RSA-DES-CBC3-SHA',
|
'!EDH-RSA-DES-CBC3-SHA',
|
||||||
'!KRB5-DES-CBC3-SHA',
|
'!KRB5-DES-CBC3-SHA',
|
||||||
].join(':');
|
].join(':');
|
||||||
|
|
||||||
module.exports = {
|
|
||||||
ciphers,
|
|
||||||
};
|
|
|
@ -29,16 +29,11 @@ c2CNfUEqyRbJF4pE9ZcdQReT5p/llmyhQdvq6cHH+cKJk63C6DHRVoStsnsUcvKe
|
||||||
bLxKsygK77ttjr61cxLoDJeGd5L5h1CPmwIBAg==
|
bLxKsygK77ttjr61cxLoDJeGd5L5h1CPmwIBAg==
|
||||||
-----END DH PARAMETERS-----
|
-----END DH PARAMETERS-----
|
||||||
*/
|
*/
|
||||||
'use strict'; // eslint-disable-line strict
|
|
||||||
|
|
||||||
const dhparam =
|
export const dhparam =
|
||||||
'MIIBCAKCAQEAh99T77KGNuiY9N6xrCJ3QNv4SFADTa3CD+1VMTAdRJLHUNpglB+i' +
|
'MIIBCAKCAQEAh99T77KGNuiY9N6xrCJ3QNv4SFADTa3CD+1VMTAdRJLHUNpglB+i' +
|
||||||
'AoTYiLDFZgtTCpx0ZZUD+JM3qiCZy0OK5/ZGlVD7sZmxjRtdpVK4qIPtwav8t0J7' +
|
'AoTYiLDFZgtTCpx0ZZUD+JM3qiCZy0OK5/ZGlVD7sZmxjRtdpVK4qIPtwav8t0J7' +
|
||||||
'c2CNfUEqyRbJF4pE9ZcdQReT5p/llmyhQdvq6cHH+cKJk63C6DHRVoStsnsUcvKe' +
|
'c2CNfUEqyRbJF4pE9ZcdQReT5p/llmyhQdvq6cHH+cKJk63C6DHRVoStsnsUcvKe' +
|
||||||
'23PLGZulKg8H3eRBxHamHkmyuEVDtoNhMIoJONsdXSpo5GgcD4EQMM8xb/qsnCxn' +
|
'23PLGZulKg8H3eRBxHamHkmyuEVDtoNhMIoJONsdXSpo5GgcD4EQMM8xb/qsnCxn' +
|
||||||
'6QIGTBvcHskxtlTZOfUPk4XQ6Yb3tQi2TurzkQHLln4U7p/GZs+D+6D3SgSPqr6P' +
|
'6QIGTBvcHskxtlTZOfUPk4XQ6Yb3tQi2TurzkQHLln4U7p/GZs+D+6D3SgSPqr6P' +
|
||||||
'bLxKsygK77ttjr61cxLoDJeGd5L5h1CPmwIBAg==';
|
'bLxKsygK77ttjr61cxLoDJeGd5L5h1CPmwIBAg==';
|
||||||
|
|
||||||
module.exports = {
|
|
||||||
dhparam,
|
|
||||||
};
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
export * as ciphers from './ciphers'
|
||||||
|
export * as dhparam from './dh2048'
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
|
|
||||||
const AuthInfo = require('../../../lib/auth/AuthInfo');
|
const AuthInfo = require('../../../lib/auth/AuthInfo').default;
|
||||||
const constants = require('../../../lib/constants');
|
const constants = require('../../../lib/constants');
|
||||||
|
|
||||||
const arn = 'arn:aws:iam::123456789012:user/Fred';
|
const arn = 'arn:aws:iam::123456789012:user/Fred';
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
|
|
||||||
const Indexer = require('../../../../lib/auth/in_memory/Indexer');
|
const Indexer = require('../../../../lib/auth/in_memory/Indexer').default;
|
||||||
const ref = require('./sample_authdata.json');
|
const ref = require('./sample_authdata.json');
|
||||||
const { should } = require('./AuthLoader.spec');
|
const { should } = require('./AuthLoader.spec');
|
||||||
|
|
||||||
|
|
|
@ -3,9 +3,9 @@
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
|
|
||||||
const getCanonicalizedAmzHeaders =
|
const getCanonicalizedAmzHeaders =
|
||||||
require('../../../../lib/auth/v2/getCanonicalizedAmzHeaders');
|
require('../../../../lib/auth/v2/getCanonicalizedAmzHeaders').default;
|
||||||
const getCanonicalizedResource =
|
const getCanonicalizedResource =
|
||||||
require('../../../../lib/auth/v2/getCanonicalizedResource');
|
require('../../../../lib/auth/v2/getCanonicalizedResource').default;
|
||||||
|
|
||||||
const getCanonicalizedGcpHeaders = headers =>
|
const getCanonicalizedGcpHeaders = headers =>
|
||||||
getCanonicalizedAmzHeaders(headers, 'GCP');
|
getCanonicalizedAmzHeaders(headers, 'GCP');
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
|
|
||||||
const checkRequestExpiry =
|
const checkRequestExpiry =
|
||||||
require('../../../../lib/auth/v2/checkRequestExpiry');
|
require('../../../../lib/auth/v2/checkRequestExpiry').default;
|
||||||
const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
|
const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
|
||||||
const errors = require('../../../../index').errors;
|
const errors = require('../../../../index').errors;
|
||||||
|
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
|
|
||||||
const constructStringToSign =
|
const constructStringToSign =
|
||||||
require('../../../../lib/auth/v2/constructStringToSign');
|
require('../../../../lib/auth/v2/constructStringToSign').default;
|
||||||
const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
|
const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
|
||||||
|
|
||||||
const log = new DummyRequestLogger();
|
const log = new DummyRequestLogger();
|
||||||
|
|
|
@ -4,7 +4,7 @@ const assert = require('assert');
|
||||||
|
|
||||||
const errors = require('../../../../lib/errors');
|
const errors = require('../../../../lib/errors');
|
||||||
const auth = require('../../../../lib/auth/auth').server.doAuth;
|
const auth = require('../../../../lib/auth/auth').server.doAuth;
|
||||||
const AuthInfo = require('../../../../lib/auth/AuthInfo');
|
const AuthInfo = require('../../../../lib/auth/AuthInfo').default;
|
||||||
const constants = require('../../../../lib/constants');
|
const constants = require('../../../../lib/constants');
|
||||||
const DummyRequestLogger = require('../../helpers.js').DummyRequestLogger;
|
const DummyRequestLogger = require('../../helpers.js').DummyRequestLogger;
|
||||||
const RequestContext =
|
const RequestContext =
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
|
|
||||||
const constructStringToSign =
|
const constructStringToSign =
|
||||||
require('../../../../lib/auth/v2/constructStringToSign');
|
require('../../../../lib/auth/v2/constructStringToSign').default;
|
||||||
const hashSignature =
|
const hashSignature =
|
||||||
require('../../../../lib/auth/in_memory/vaultUtilities').hashSignature;
|
require('../../../../lib/auth/in_memory/vaultUtilities').hashSignature;
|
||||||
const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
|
const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
|
|
||||||
const awsURIencode = require('../../../../lib/auth/v4/awsURIencode');
|
const awsURIencode = require('../../../../lib/auth/v4/awsURIencode').default;
|
||||||
|
|
||||||
// Note that expected outputs came from running node aws-sdk's
|
// Note that expected outputs came from running node aws-sdk's
|
||||||
// AWS.util.uriEscapePath and AWS.util.uriEscape functions
|
// AWS.util.uriEscapePath and AWS.util.uriEscape functions
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
|
|
||||||
const constructStringToSign =
|
const constructStringToSign =
|
||||||
require('../../../../lib/auth/v4/constructStringToSign');
|
require('../../../../lib/auth/v4/constructStringToSign').default;
|
||||||
const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
|
const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
|
||||||
|
|
||||||
const log = new DummyRequestLogger();
|
const log = new DummyRequestLogger();
|
||||||
|
|
|
@ -2,9 +2,9 @@
|
||||||
|
|
||||||
const assert = require('assert');
|
const assert = require('assert');
|
||||||
const awsURIencode =
|
const awsURIencode =
|
||||||
require('../../../../lib/auth/v4/awsURIencode');
|
require('../../../../lib/auth/v4/awsURIencode').default;
|
||||||
const createCanonicalRequest =
|
const createCanonicalRequest =
|
||||||
require('../../../../lib/auth/v4/createCanonicalRequest');
|
require('../../../../lib/auth/v4/createCanonicalRequest').default;
|
||||||
|
|
||||||
describe('createCanonicalRequest function', () => {
|
describe('createCanonicalRequest function', () => {
|
||||||
// Example taken from: http://docs.aws.amazon.com/AmazonS3/
|
// Example taken from: http://docs.aws.amazon.com/AmazonS3/
|
||||||
|
|
Loading…
Reference in New Issue