@eqxjs/azure-manage-identity

For getting Azure Key Vault secrets

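"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.decryptData = decryptData;
const keyvault_keys_1 = require("@azure/keyvault-keys");
const confidential_mgnt_1 = require("../confidential.mgnt");
const secret_get_1 = require("../secret/secret.get");
const base64url_1 = __importDefault(require("base64url"));
const node_buffer_1 = require("node:buffer");
/** AES block size in bytes; a CBC initialization vector must be exactly this long. */
const AES_CBC_IV_LENGTH = 16;
/**
 * Decrypts a base64url-encoded ciphertext using an Azure Key Vault key (A256CBC).
 * The initialization vector is read from a Key Vault secret.
 *
 * Security notes for callers:
 * - A256CBC gives confidentiality only. Nothing here detects a modified
 *   ciphertext, so the returned plaintext must not be treated as authenticated
 *   unless integrity is verified separately (for example a MAC checked before
 *   this function is called).
 * - The IV comes from a named secret. If one secret is used for many messages
 *   under the same key, the IV is reused, and CBC then reveals when two
 *   plaintexts share a leading block. NOTE(review): confirm how the encrypting
 *   side chooses the IV.
 *
 * @param keyURL - The URL of the Azure Key Vault instance
 * @param keyName - The name of the key to use for decryption
 * @param payloadBase64 - The base64url-encoded ciphertext to decrypt
 * @param ivSecretName - The name of the secret containing the initialization vector
 * @returns A promise resolving to the decrypted plaintext string (UTF-8 decoded)
 * @throws {TypeError} If payloadBase64 is not a non-empty string
 * @throws {Error} If the IV secret has no value or is not 16 bytes long
 */
async function decryptData(keyURL, keyName, payloadBase64, ivSecretName) {
    if (typeof payloadBase64 !== 'string' || payloadBase64.length === 0) {
        throw new TypeError('payloadBase64 must be a non-empty base64url string');
    }
    const credential = new confidential_mgnt_1.MyClientAssertionCredential();
    const keysClient = new keyvault_keys_1.KeyClient(keyURL, credential);
    const vaultKey = await keysClient.getKey(keyName);
    const secret = await (0, secret_get_1.getSecret)(keyURL, ivSecretName);
    // Fail closed when the IV secret is empty. The previous fallback used the
    // literal text 'undefined' as the IV, which hid a configuration error
    // behind an opaque decryption failure.
    if (secret.value == null || secret.value === '') {
        throw new Error(`IV secret "${ivSecretName}" has no value`);
    }
    // The secret text is used as raw UTF-8 bytes, as before. The error reports
    // only the length, never the IV itself.
    const iv = node_buffer_1.Buffer.from(secret.value, 'utf8');
    if (iv.length !== AES_CBC_IV_LENGTH) {
        throw new Error(`IV secret "${ivSecretName}" must be ${AES_CBC_IV_LENGTH} bytes, got ${iv.length}`);
    }
    // Decode straight to bytes. base64url.decode() returns a UTF-8 *string*,
    // and a round trip through a string replaces every byte sequence that is
    // not valid UTF-8, corrupting binary ciphertext.
    const ciphertext = base64url_1.default.toBuffer(payloadBase64);
    const cryptographyClient = new keyvault_keys_1.CryptographyClient(vaultKey, credential);
    const result = await cryptographyClient.decrypt({
        algorithm: 'A256CBC',
        ciphertext,
        iv,
    });
    // result.result is typed as Uint8Array, whose toString() yields
    // comma-separated numbers. Wrap it so the bytes are decoded as UTF-8 text
    // whether the SDK returns a Buffer or a plain Uint8Array.
    return node_buffer_1.Buffer.from(result.result).toString('utf8');
}
//# sourceMappingURL=key.decrypt.js.map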