
@confluentinc/schemaregistry

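"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.HcVaultClient = void 0;
const hcvault_driver_1 = require("./hcvault-driver");
const node_vault_1 = __importDefault(require("node-vault"));
/**
 * KMS client that encrypts and decrypts with a key held in HashiCorp Vault,
 * using the `node-vault` client's encryptData/decryptData calls.
 *
 * The instance holds live Vault credentials (`kmsClient.token`), so it should
 * not be logged or serialized.
 */
class HcVaultClient {
    /**
     * @param {string} keyUri - Key URI; must start with HcVaultDriver.PREFIX.
     *   The remainder is parsed as a URL: its protocol and host become the
     *   Vault endpoint and its last path segment becomes the key name. The
     *   other path segments are not forwarded to the Vault client.
     * @param {string} [namespace] - Vault namespace, passed on only when truthy.
     * @param {string} [token] - Vault token, passed on only when truthy.
     * @param {string} [roleId] - AppRole role id.
     * @param {string} [secretId] - AppRole secret id. AppRole login is started
     *   only when both roleId and secretId are non-null; if just one of them is
     *   supplied it is ignored and the client relies on `token` alone.
     * @throws {Error} If the prefix is missing or the URI has no key name.
     * @throws {TypeError} If the part after the prefix is not a valid URL.
     */
    constructor(keyUri, namespace, token, roleId, secretId) {
        const prefix = hcvault_driver_1.HcVaultDriver.PREFIX;
        if (!keyUri.startsWith(prefix)) {
            throw new Error(`key uri must start with ${prefix}`);
        }
        this.keyUri = keyUri;
        this.keyId = keyUri.substring(prefix.length);
        const url = new URL(this.keyId);
        // split() never returns an empty array, so a length check cannot detect
        // a missing key name; an empty or trailing-slash path yields '' instead.
        const keyName = url.pathname.split('/').pop();
        if (!keyName) {
            throw new Error('key uri must contain a key name');
        }
        this.keyName = keyName;
        // NOTE(review): the scheme is taken from the key URI as given, so an
        // http: URI would carry the token, AppRole secret and plaintext over an
        // unencrypted connection. Consider requiring https: outside local testing.
        this.kmsClient = (0, node_vault_1.default)({
            endpoint: `${url.protocol}//${url.host}`,
            ...namespace && { namespace },
            ...token && { token },
            apiVersion: 'v1',
        });
        if (roleId != null && secretId != null) {
            this.authPromise = this.kmsClient
                .approleLogin({ role_id: roleId, secret_id: secretId })
                .then((result) => {
                    this.kmsClient.token = result.auth.client_token;
                });
            // Mark the rejection as observed so a login failure that happens
            // before the first encrypt/decrypt is not reported as an unhandled
            // rejection. The failure is not lost: ensureAuthenticated() awaits
            // authPromise itself and rethrows it to the caller.
            this.authPromise.catch(() => { });
        }
    }
    /**
     * @param {string} keyUri - Key URI to test.
     * @returns {boolean} True only when keyUri is exactly the URI this client
     *   was constructed with.
     */
    supported(keyUri) {
        return this.keyUri === keyUri;
    }
    /**
     * Waits for the AppRole login started in the constructor, if any.
     * On success the promise is cleared so later calls return immediately;
     * on failure it is kept, so every later call rejects with the same error.
     *
     * @returns {Promise<void>}
     */
    async ensureAuthenticated() {
        if (!this.authPromise) {
            return;
        }
        await this.authPromise;
        this.authPromise = undefined; // Clear after first use
    }
    /**
     * Encrypts data with the configured Vault key.
     *
     * @param {Buffer} plaintext - Bytes to encrypt; sent to Vault base64-encoded.
     *   (Assumed to be a Buffer, since `toString('base64')` is called on it.)
     * @returns {Promise<Buffer>} The ciphertext string returned by Vault, as
     *   UTF-8 bytes.
     */
    async encrypt(plaintext) {
        await this.ensureAuthenticated();
        const response = await this.kmsClient.encryptData({
            name: this.keyName,
            plaintext: plaintext.toString('base64'),
        });
        const { ciphertext } = response.data;
        return Buffer.from(ciphertext, 'utf8');
    }
    /**
     * Decrypts data with the configured Vault key.
     *
     * @param {Buffer} ciphertext - UTF-8 bytes of the ciphertext string, in the
     *   form produced by encrypt().
     * @returns {Promise<Buffer>} The decrypted bytes, decoded from the base64
     *   plaintext returned by Vault.
     */
    async decrypt(ciphertext) {
        await this.ensureAuthenticated();
        const response = await this.kmsClient.decryptData({
            name: this.keyName,
            ciphertext: ciphertext.toString('utf8'),
        });
        const { plaintext } = response.data;
        return Buffer.from(plaintext, 'base64');
    }
}
exports.HcVaultClient = HcVaultClient;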