UNPKG

@sap/xssec

Version:

XS Advanced Container Security API for node.js

154 lines (132 loc) 5.94 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
'use strict'; const SecurityContext = require('../context/SecurityContext'); const XsaSecurityContext = require('../context/XsaSecurityContext'); const XsaToken = require('../token/XsaToken'); const Jwk = require('../jwks/Jwk'); const MissingKidError = require('../error/validation/MissingKidError'); const MissingVerificationKeyError = require('../error/validation/MissingVerificationKeyError'); const { getLogger } = require('../util/logging'); const XsuaaService = require('./XsuaaService'); const Token = require('../token/Token'); const LOG = getLogger("XsaService.js"); /** * @typedef {import('../util/Types').ServiceCredentials} ServiceCredentials * @typedef {import('../util/Types').XsaServiceCredentials} XsaServiceCredentials * @typedef {import('../util/Types').ServiceConfig} ServiceConfig * @typedef {import('../util/Types').SecurityContextConfig} SecurityContextConfig * @typedef {import('../util/Types').TokenFetchOptions} TokenFetchOptions * @typedef {import('../util/Types').TokenFetchResponse} TokenFetchResponse * @typedef {import('../util/Types').RefreshableTokenFetchResponse} RefreshableTokenFetchResponse * @typedef {import('../util/Types').GrantType} GrantType */ /** * New SAP BTP applications should start with SAP Identity Services instead of XSA! See README for details.\ * This {@link Service} class is constructed from XSA credentials to provide an API with selected functionality against that XSA service instance, e.g. token validation and token fetches. */ class XsaService extends XsuaaService { /** * @param {ServiceCredentials & XsaServiceCredentials} credentials * @param {ServiceConfig} [serviceConfig={}] */ constructor(credentials, serviceConfig) { super(credentials, serviceConfig); } /** * @override * @param {String|XsaToken} token token as JWT or XsaToken object * @param {SecurityContextConfig} contextConfig * @returns {Promise<XsaSecurityContext>} */ async createSecurityContext(token, contextConfig = {}) { if (typeof token === "string") { token = new XsaToken(token); } else if (token instanceof Token && !(token instanceof XsaToken)) { token = new XsaToken(token.jwt, { header: token.header, payload: token.payload }); } SecurityContext.buildContextConfig(contextConfig); if (contextConfig.skipValidation !== true && this.config.validation.enabled !== false) { await this.validateToken(token, contextConfig); } let ctx = new XsaSecurityContext(this, token, contextConfig); for (let extension of this.contextExtensions) { ctx = await extension.extendSecurityContext(ctx) ?? ctx; } return ctx; } async validateTokenSignature(token, contextConfig) { const pemKeyFromConfig = this.credentials.verificationkey; if (!token.header.jku || !token.header.kid || token.header.kid == 'legacy-token-key') { LOG.info("Token header contained no JKU or KID or the KID was 'legacy-token-key'"); return this.#validateTokenSignatureWithFallback(token, pemKeyFromConfig); } try { await super.validateTokenSignature(token, contextConfig); } catch (error) { if (error instanceof MissingKidError) { LOG.info("JWKS did not contain kid."); return this.#validateTokenSignatureWithFallback(token, pemKeyFromConfig); } else { throw error; } } } #validateTokenSignatureWithFallback(token, pemKeyFromConfig) { if (!pemKeyFromConfig) { throw new MissingVerificationKeyError(); } else { LOG.info("Validating token signature with verificationkey from service configuration."); return Jwk.fromPEM(pemKeyFromConfig).validateSignature(token); } } /** * Fetches a token from this service with this service's client credentials. * @param {TokenFetchOptions} options * @returns {Promise<TokenFetchResponse>} response */ async fetchClientCredentialsToken(options = {}) { return super.fetchClientCredentialsToken(options); } /** * Fetches a user token from this service with the given username and password. * @param {String} username * @param {String} password * @param {TokenFetchOptions} options * @returns {Promise<TokenFetchResponse & RefreshableTokenFetchResponse>} response */ async fetchPasswordToken(username, password, options = {}) { return super.fetchPasswordToken(username, password, options); } /** * Fetches a JWT bearer token from this service with the given user token as assertion. * @param {String} assertion JWT bearer token used as assertion * @param {TokenFetchOptions} options * @returns {Promise<TokenFetchResponse & RefreshableTokenFetchResponse>} response */ async fetchJwtBearerToken(assertion, options = {}) { return super.fetchJwtBearerToken(assertion, options); } /** * Determines the URL that can be used for fetching tokens from this service. * @param {GrantType} grant_type */ async getTokenUrl(grant_type) { let baseUrl; if (this.credentials.certificate) { this.validateCredentials("fetch token via certificate authentication", "certurl"); baseUrl = this.credentials.certurl; } else { this.validateCredentials("fetch token via client secret authentication", "url"); baseUrl = this.credentials.url; } return new URL(this.endpoints.token, baseUrl); } /** * @override * @inheritdoc */ get jwksBaseUrl() { this.validateCredentials("fetch JWKS", "url"); return this.credentials.url; } } module.exports = XsaService;