UNPKG

@atomist/sdm

Version:

Atomist Software Delivery Machine SDK

github.com/atomist/sdm

atomist/sdm

101 lines 4.58 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.wrapEventHandlersToVerifySignature = exports.EventSigningAutomationEventListener = void 0; const metadataReading_1 = require("@atomist/automation-client/lib/internal/metadata/metadataReading"); const constructionUtils_1 = require("@atomist/automation-client/lib/util/constructionUtils"); const logger_1 = require("@atomist/automation-client/lib/util/logger"); const crypto = require("crypto"); const _ = require("lodash"); const array_1 = require("../util/misc/array"); /** * AutomationEventListener that signs outgoing custom events with a configurable * JWS signature key. */ class EventSigningAutomationEventListener { constructor(esc) { this.esc = esc; this.initVerificationKeys(); } async onMutation(options) { if (eventMatch(options.name, this.esc.events)) { const privateKey = crypto.createPrivateKey({ key: this.esc.signingKey.privateKey, passphrase: this.esc.signingKey.passphrase, }); const { default: CompactSign } = require("jose/jws/compact/sign"); for (const key of Object.getOwnPropertyNames(options.variables || {})) { const value = options.variables[key]; const jws = await new CompactSign(Buffer.from(JSON.stringify(value))) .setProtectedHeader({ alg: "ES512" }) .sign(privateKey); value.signature = jws; logger_1.logger.debug(`Signed custom event '${options.name}'`); } } return options; } initVerificationKeys() { this.esc.verificationKeys = array_1.toArray(this.esc.verificationKeys) || []; // If signing key is set, also use it to verify if (!!this.esc.signingKey) { this.esc.verificationKeys.push(this.esc.signingKey); } } } exports.EventSigningAutomationEventListener = EventSigningAutomationEventListener; /** * Wrap every event handler that is registered and its subscription name matches a configurable set of * regular expression patterns for event signature verification. */ function wrapEventHandlersToVerifySignature(handlers, options) { const wh = []; for (const handler of handlers) { const instance = constructionUtils_1.toFactory(handler)(); const md = metadataReading_1.metadataFromInstance(instance); if (eventMatch(md.subscriptionName, options.events)) { wh.push(() => (Object.assign(Object.assign({}, md), { handle: async (e, ctx, params) => { const { default: compactVerify } = require("jose/jws/compact/verify"); for (const key of Object.getOwnPropertyNames(e.data)) { const evv = e.data[key][0]; if (!evv.signature) { throw new Error("Signature missing on incoming event"); } let verified = false; for (const pkey of array_1.toArray(options.verificationKeys)) { const publicKey = crypto.createPublicKey({ key: pkey.publicKey, }); try { const { payload } = await compactVerify(evv.signature, publicKey); e.data[key][0] = _.merge({}, evv, JSON.parse(Buffer.from(payload).toString())); verified = true; logger_1.logger.debug(`Verified signature on custom event '${md.subscriptionName}'`); break; } catch (e) { // return undefined; } } if (!verified) { throw new Error("Signature verification failed for incoming event"); } } return instance.handle(e, ctx, params); } }))); } else { wh.push(handler); } } return wh; } exports.wrapEventHandlersToVerifySignature = wrapEventHandlersToVerifySignature; function eventMatch(event, patterns) { for (const pattern of patterns) { if (new RegExp(pattern).test(event)) { return true; } } return false; } //# sourceMappingURL=eventSigning.js.map