@zowe/imperative
Version:
framework for building configurable CLIs
95 lines • 4.65 kB
JavaScript
;
/*
* This program and the accompanying materials are made available under the terms of the
* Eclipse Public License v2.0 which accompanies this distribution, and is available at
* https://www.eclipse.org/legal/epl-v20.html
*
* SPDX-License-Identifier: EPL-2.0
*
* Copyright Contributors to the Zowe Project.
*
*/
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.KeychainAgent = void 0;
const net = require("net");
const agent_base_1 = require("agent-base");
const AbstractSession_1 = require("../session/AbstractSession");
/**
* HTTPS Agent that supports certificates stored in the macOS Keychain or Windows Certificate Store,
* including non-exportable private keys (e.g. Windows CNG, macOS Secure Enclave).
*
* On macOS, if the private key is exportable it is used directly by Node's TLS stack.
* Otherwise (and always on Windows), TLS is handled by native OS APIs via a Rust helper.
*/
class KeychainAgent extends agent_base_1.Agent {
/**
* Creates a new KeychainAgent
* @param certAccount - The account/label name for the identity in the keychain
* @param options - Additional HTTPS agent options
*/
constructor(certAccount, options) {
super(options);
this.certAccount = certAccount;
}
/**
* Returns the socket to use for each outgoing request.
* @param _req - The outgoing request
* @param options - The HTTPS agent options
* @returns The socket to use for the request
*/
connect(_req, options) {
return __awaiter(this, void 0, void 0, function* () {
return this.buildPipeSocket(options);
});
}
// Loaded on first use via the Node require cache.
// eslint-disable-next-line @typescript-eslint/no-var-requires
get keyring() { return require("@zowe/secrets-for-zowe-sdk").keyring; }
/**
* Non-exportable key path (Windows / macOS Secure Enclave): TLS is handled by a Rust
* helper that uses OS APIs (Schannel / Secure Transport) and proxies plaintext over a
* local TCP socket, which is returned as a duck-typed TLS socket to Node's HTTP layer.
*/
buildPipeSocket(options) {
return __awaiter(this, void 0, void 0, function* () {
var _a;
if (typeof this.keyring.createTlsPipe !== "function") {
throw new Error("createTlsPipe is not supported by the current version of @zowe/secrets-for-zowe-sdk. " +
"Please rebuild the native bindings.");
}
const host = options.servername || options.host || "localhost";
const port = options.port || AbstractSession_1.AbstractSession.DEFAULT_HTTPS_PORT;
const rejectUnauthorized = (_a = options.rejectUnauthorized) !== null && _a !== void 0 ? _a : true;
const localPath = yield this.keyring.createTlsPipe(host, port, this.certAccount, rejectUnauthorized);
return new Promise((resolve, reject) => {
const socket = new net.Socket();
// Mark the socket as TLS-like so Node's HTTPS layer accepts it.
socket.encrypted = true;
socket.authorized = true;
socket.alpnProtocol = false;
socket.getPeerCertificate = () => ({});
// Annotate errors with context before they propagate.
socket.on("error", (err) => {
if (!err.keychainAgentContext) {
err.keychainAgentContext =
`KeychainAgent TLS pipe — cert: "${this.certAccount}", remote: ${host}:${port}`;
err.message = `${err.message} (${err.keychainAgentContext})`;
}
});
socket.connect(localPath, () => resolve(socket));
socket.once("error", reject);
});
});
}
}
exports.KeychainAgent = KeychainAgent;
//# sourceMappingURL=KeychainAgent.js.map