var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __hasOwnProp = Object.prototype.hasOwnProperty;
// Bundler helper: expose every entry of `all` on `target` as an enumerable getter.
var __export = (target, all) => {
  for (var name in all) {
    __defProp(target, name, { get: all[name], enumerable: true });
  }
};
// Bundler helper: mirror the own properties of `from` onto `to` as live getters,
// skipping keys `to` already owns and the key named `except`. `desc` is only a
// scratch slot for the source descriptor (its enumerability is preserved).
var __copyProps = (to, from, except, desc) => {
  const isObjectLike = (from && typeof from === "object") || typeof from === "function";
  if (isObjectLike) {
    for (let key of __getOwnPropNames(from)) {
      if (__hasOwnProp.call(to, key) || key === except) {
        continue;
      }
      desc = __getOwnPropDesc(from, key);
      __defProp(to, key, { get: () => from[key], enumerable: !desc || desc.enumerable });
    }
  }
  return to;
};
// Bundler helper: produce a CommonJS view of an ES module namespace, flagged with
// a non-enumerable `__esModule` marker.
var __toCommonJS = (mod) => {
  const cjs = __defProp({}, "__esModule", { value: true });
  return __copyProps(cjs, mod);
};
// Public surface of this module: only the resolver class. It is exposed through a
// lazy getter, so the class declared further down is looked up when first read.
var AzureKeyVaultEncryptionKeyResolver_exports = {};
__export(AzureKeyVaultEncryptionKeyResolver_exports, {
AzureKeyVaultEncryptionKeyResolver: () => AzureKeyVaultEncryptionKeyResolver
});
// Generated CommonJS wiring; keep this statement as emitted by the bundler.
module.exports = __toCommonJS(AzureKeyVaultEncryptionKeyResolver_exports);
var import_keyvault_keys = require("@azure/keyvault-keys");
var import_request = require("../../request/index.js");
var import_enums = require("../enums/index.js");
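/**
 * Resolves Cosmos DB client-side-encryption key-encryption keys held in Azure Key Vault.
 *
 * Every wrap/unwrap call creates a `KeyClient` for the origin of the supplied key url and
 * hands it `credentials`; the url therefore decides which vault the credential is presented
 * to. No allow-list of vault hosts is enforced here (sovereign clouds and Managed HSM use
 * other host suffixes), so `encryptionKeyId` values must come from a trusted source.
 */
class AzureKeyVaultEncryptionKeyResolver {
  credentials;
  /**
   * @param credentials - TokenCredential handed to each KeyClient this resolver creates.
   */
  constructor(credentials) {
    this.credentials = credentials;
  }
  /**
   * Name of the resolver to use for client side encryption.
   * Currently only AzureKeyVault implementation is supported.
   */
  encryptionKeyResolverName = import_enums.EncryptionKeyResolverName.AzureKeyVault;
  /**
   * Wraps the given key using the specified key encryption key path and algorithm.
   * @param encryptionKeyId - path to the customer managed key to be used for wrapping. For Azure Key Vault, this is url of the key in the vault.
   * @param algorithm - algorithm to be used for wrapping.
   * @param unwrappedKey - dek to be wrapped.
   * @returns wrapped DEK.
   * @throws ErrorResponse when the key url is malformed, Key Vault rejects the call, or no result comes back.
   */
  async wrapKey(encryptionKeyId, algorithm, unwrappedKey) {
    try {
      const cryptographyClient = this.#cryptographyClientFor(encryptionKeyId);
      const res = await cryptographyClient.wrapKey(algorithm, unwrappedKey);
      if (!res || !res.result) {
        throw new import_request.ErrorResponse(`Failed to wrap key: ${res}`);
      }
      return res.result;
    } catch (e) {
      throw AzureKeyVaultEncryptionKeyResolver.#failure("wrap", e);
    }
  }
  /**
   * Unwraps the given wrapped key using the specified key encryption key path and algorithm.
   * @param encryptionKeyId - path to the customer managed key to be used for unwrapping. For Azure Key Vault, this is url of the key in the vault.
   * @param algorithm - algorithm to be used for unwrapping.
   * @param wrappedKey - wrapped DEK.
   * @returns unwrapped DEK.
   * @throws ErrorResponse when the key url is malformed, Key Vault rejects the call, or no result comes back.
   */
  async unwrapKey(encryptionKeyId, algorithm, wrappedKey) {
    try {
      const cryptographyClient = this.#cryptographyClientFor(encryptionKeyId);
      const res = await cryptographyClient.unwrapKey(algorithm, wrappedKey);
      if (!res || !res.result) {
        // Was "Failed to wrap key" — a copy-paste slip that mislabelled unwrap failures.
        throw new import_request.ErrorResponse(`Failed to unwrap key: ${res}`);
      }
      return res.result;
    } catch (e) {
      throw AzureKeyVaultEncryptionKeyResolver.#failure("unwrap", e);
    }
  }
  /**
   * Extracts the key name and version from a Key Vault key url.
   * `https://<vault>/keys/<name>/<version>` has pathname `/keys/<name>/<version>`, which splits
   * into `["", "keys", name, version]` (a fifth, empty part appears with a trailing slash).
   * @param encryptionKeyId - full url of the key.
   * @returns `[keyName, keyVersion]`. A url of the form `.../keys/<name>/` yields an empty
   *   version; NOTE(review): that presumably resolves to the vault's current version, which
   *   for unwrapping must be the version that wrapped the DEK — confirm callers store
   *   versioned urls.
   * @throws ErrorResponse when the url is not https, is not a `/keys/` path, or is otherwise malformed.
   */
  getKeyDetails(encryptionKeyId) {
    try {
      const url = new URL(encryptionKeyId);
      // The vault is called with a bearer token; never target a plain-http url.
      if (url.protocol !== "https:") {
        throw new import_request.ErrorResponse(`Invalid key url: ${encryptionKeyId}. Key url must use https.`);
      }
      const parts = url.pathname.split("/");
      const wellFormed =
        (parts.length === 4 || parts.length === 5) && parts[1] === "keys" && parts[2] !== "";
      if (!wellFormed) {
        throw new import_request.ErrorResponse(
          `Invalid key url: ${encryptionKeyId}. Key url must be in the format https://<vault>.vault.azure.net/keys/<key-name>/<key-version>`
        );
      }
      return [parts[2], parts[3]];
    } catch (e) {
      throw new import_request.ErrorResponse(
        `Invalid key url: ${encryptionKeyId}. Key url must be in the format https://<vault>.vault.azure.net/keys/<key-name>/<key-version>. Error: ${e.message}`
      );
    }
  }
  /**
   * Returns the vault endpoint (`scheme://host[:port]`) of a key url. This is the url the
   * KeyClient is constructed with, i.e. where `credentials` will be presented.
   * @param encryptionKeyId - full url of the key.
   * @throws ErrorResponse when the value is not a parseable url.
   */
  getOrigin(encryptionKeyId) {
    try {
      return new URL(encryptionKeyId).origin;
    } catch (e) {
      throw new import_request.ErrorResponse(
        `Invalid key url: ${encryptionKeyId}. Key url must be in the format https://<vault>.vault.azure.net/keys/<key-name>/<key-version>. Error: ${e.message}`
      );
    }
  }
  /** Builds a CryptographyClient bound to the vault, key name and version named by the url. */
  #cryptographyClientFor(encryptionKeyId) {
    const [keyName, keyVersion] = this.getKeyDetails(encryptionKeyId);
    const keyClient = new import_keyvault_keys.KeyClient(this.getOrigin(encryptionKeyId), this.credentials);
    return keyClient.getCryptographyClient(keyName, { keyVersion });
  }
  /** Uniform failure wrapper; the original error is kept as `cause` for diagnostics. */
  static #failure(operation, e) {
    const err = new import_request.ErrorResponse(`Failed to ${operation} key: ${e.message}`);
    err.cause = e;
    return err;
  }
}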
// Annotate the CommonJS export names for ESM import in node:
// Dead at runtime (`0 &&` short-circuits); presumably read statically by Node's
// CommonJS export lexer to surface the named export. Keep its exact shape.
0 && (module.exports = {
AzureKeyVaultEncryptionKeyResolver
});