UNPKG

oracle-nosqldb

Version:

Node.js driver for Oracle NoSQL Database

262 lines (229 loc) 8.62 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
/*- * Copyright (c) 2018, 2024 Oracle and/or its affiliates. All rights reserved. * * Licensed under the Universal Permissive License v 1.0 as shown at * https://oss.oracle.com/licenses/upl/ */ const util = require('util'); const fs = require('fs'); const crypto = require('crypto'); const tls = require('tls'); const net = require('net'); const NoSQLAuthorizationError = require('../../error').NoSQLAuthorizationError; const promisified = require('../../utils').promisified; const clearData = require('../../utils').clearData; /* Signing algorithm only rsa-sha256 is allowed */ const ALG_RSA = 'rsa-sha256'; /* Signature algorithm */ const ALG_SIGN = 'sha256WithRSAEncryption'; /* OCI signature version only version 1 is allowed*/ const SIGNATURE_VERSION = 1; /* * <ocid>.<resource-type>.<realm>. <region>(.future-extensibility) * .<resource-type-specific-id> * pattern is relaxed other than the required <ocid> and * <resource-type-specific-id> */ const OCID_PATTERN = /^([0-9a-zA-Z-_]+[.:])([0-9a-zA-Z-_]*[.:]){3,}([0-9a-zA-Z-_]+)$/; class Utils { static get isInBrowser() { return false; } static async _sign(signingContent, privateKey) { const sign = crypto.createSign(ALG_SIGN); sign.update(signingContent); return sign.sign(privateKey, 'base64'); } static signatureHeader(signingHeaders, keyId, signature) { return `Signature headers="${signingHeaders}",keyId="${keyId}",\ algorithm="${ALG_RSA}",signature="${signature}",\ version="${SIGNATURE_VERSION}"`; } static async sign(signingContent, privateKey, desc) { try { return this._sign(signingContent, privateKey); } catch(err) { throw NoSQLAuthorizationError.illegalState( `Error signing ${desc}: ${err.message}`, err); } } static isValidOcid(ocid) { return typeof ocid === 'string' && ocid.match(OCID_PATTERN); } static privateKeyFromPEM(key, passphrase, fileName) { try { return crypto.createPrivateKey({ key, format: 'pem', passphrase: passphrase ? passphrase : undefined }); } catch(err) { throw NoSQLAuthorizationError.invalidArg('Error creating \ private key' + (fileName ? ` from file ${fileName}` : ''), err); } } static async privateKeyFromPEMFile(keyFile, pass, passIsFile) { let key; try { key = await promisified(null, fs.readFile, keyFile); } catch(err) { throw NoSQLAuthorizationError.invalidArg(`Error reading private \ key from file ${keyFile}: ${err.message}`, err); } let pkPass; if (pass != null) { if (passIsFile) { try { pkPass = await promisified(null, fs.readFile, pass); } catch(err) { clearData(key); throw NoSQLAuthorizationError.invalidArg(`Error reading \ private key passphrase from file ${pass}: ${err.message}`, err); } } else { pkPass = pass; } } try { return Utils.privateKeyFromPEM(key, pkPass, keyFile); } finally { clearData(key); if (pkPass != null && passIsFile) { clearData(pass); } } } static parseSecurityToken(value, fileName, tokenName = 'security token') { const token = { value }; const parts = value.split('.'); if (parts.length < 3) { throw NoSQLAuthorizationError.invalidArg('Invalid ' + tokenName + ' value' + (fileName ? ` from file ${fileName}` : '') + `, number of parts: \ ${parts.length} (should be >= 3)`); } try { const claimsStr = Buffer.from(parts[1], 'base64').toString(); token.claims = JSON.parse(claimsStr); return token; } catch(err) { throw NoSQLAuthorizationError.invalidArg('Error parsing ' + tokenName + (fileName ? ` from file ${fileName}` : ''), err); } } //expireBeforeMs is to account for token acquisition time and possibly //clock difference between client and server. static getSecurityTokenExpiration(token, expireBeforeMs = 0) { return Number(token.claims.exp) * 1000 - expireBeforeMs; } //We don't currently do the check done in OCI SDK SecurityTokenAdapter //that compares public key in jwt's jwk with current public key because //no easy way to create public key from jwk in Node.js currently. If //such mismatch occurs, the driver request will fail with //INVALID_AUTHORIZATION and we will retry it after refreshing the token. static isSecurityTokenValid(token, expireBeforeMs) { const exp = this.getSecurityTokenExpiration(token, expireBeforeMs); const now = Date.now(); return Number.isFinite(exp) && now < exp; } static parseCert(pemCert) { const secureContext = tls.createSecureContext({ cert: pemCert }); const sock = new tls.TLSSocket(new net.Socket(), { secureContext }); const cert = sock.getCertificate(); sock.destroy(); return cert; } static getSubjRDNValue(rdn, key) { if (rdn == null) { return null; } const prefix = key + ':'; if (!Array.isArray(rdn)) { rdn = [ rdn ]; } for(let kv of rdn) { if (typeof kv !== 'string') { throw NoSQLAuthorizationError.illegalState('Invalid RDN \ value in instance certificate subject name: ' + util.inspect(kv)); } if (kv.startsWith(prefix)) { return kv.substring(prefix.length); } } return null; } static getTenantIdFromInstanceCert(cert) { if (cert.subject == null) { throw NoSQLAuthorizationError.illegalState('Invalid instance \ certificate, missing subject'); } let tenantId = this.getSubjRDNValue(cert.subject.OU, 'opc-tenant'); if (tenantId == null) { tenantId = this.getSubjRDNValue(cert.subject.O, 'opc-identity'); } if (tenantId == null) { throw NoSQLAuthorizationError.illegalState('Instance certificate \ does not contain tenant id'); } return tenantId; } static generateRSAKeyPair() { return new Promise((resolve, reject) => { crypto.generateKeyPair('rsa', { modulusLength: 2048 }, (err, publicKey, privateKey) => { if (err) { return reject(err); } return resolve({ publicKey, privateKey }); }); }); } static pemCert2derB64(pem) { //remove header and footer return pem.replace('-----BEGIN CERTIFICATE-----', '') .replace('-----END CERTIFICATE-----', ''); } static pemCert2der(pem) { return Buffer.from(Utils.pemCert2derB64(pem), 'base64'); } static sha256digest(data) { const hash = crypto.createHash('sha256'); hash.update(data); return hash.digest('base64'); } static fingerprintFromPemCert(pemCert) { const derCert = Utils.pemCert2der(pemCert); const hash = crypto.createHash('sha1'); hash.update(derCert); const raw = hash.digest('hex'); return raw.match(/.{2}/g).join(':'); } static async generateOpcRequestId() { //To avoid blocking event loop, recommended using async version of //crypto.randomBytes. const buf = await promisified(null, crypto.randomBytes, 16); return buf.toString('hex').toUpperCase(); } static publicKey2B64(publicKey) { return publicKey.export({ type: 'spki', format: 'der', }).toString('base64'); } //Parse JSON response that only has one field "token": { "token": "...."} static parseTokenResponse(res, source = 'authorization server') { try { res = JSON.parse(res); } catch(err) { throw NoSQLAuthorizationError.badProto(`Error parsing security \ token response "${res}" from ${source}: ${err.message}`, err); } if (typeof res.token !== 'string') { throw NoSQLAuthorizationError.badProto(`Missing or invalid \ security token in ${source} response: "${res}"`); } return res.token; } } module.exports = Utils;