lib6/client-certificate.js
/**
* Copyright (c) "Neo4j"
* Neo4j Sweden AB [https://neo4j.com]
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import * as json from './json';
/**
* Represents KeyFile represented as file.
*
* @typedef {object} KeyFileObject
* @property {string} path - The path of the file
* @property {string|undefined} password - the password of the key. If none,
* the password defined at {@link ClientCertificate} will be used.
*/
/**
* Holds the Client TLS certificate information.
*
* Browser instances of the driver should configure the certificate
* in the system.
*
* Files defined in the {@link ClientCertificate#certfile}
* and {@link ClientCertificate#keyfile} will read and loaded to
* memory to fill the fields `cert` and `key` in security context.
*
* @interface
* @see https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions
* @since 5.27
*/
export default class ClientCertificate {
constructor() {
/**
* The path to client certificate file.
*
* @type {string|string[]}
*/
this.certfile = '';
/**
* The path to the key file.
*
* @type {string|string[]|KeyFileObject|KeyFileObject[]}
*/
this.keyfile = '';
/**
* The key's password.
*
* @type {string|undefined}
*/
this.password = undefined;
}
}
/**
* Provides a client certificate to the driver for mutual TLS.
*
* The driver will call {@link ClientCertificateProvider#hasUpdate} to check if the client wants to update the certificate.
* If so, it will call {@link ClientCertificateProvider#getClientCertificate} to get the new certificate.
*
* The certificate is only used as a second factor for authentication authenticating the client.
* The DMBS user still needs to authenticate with an authentication token.
*
* All implementations of this interface must be thread-safe and non-blocking for caller threads.
* For instance, IO operations must not be done on the calling thread.
*
* Note that the work done in the methods of this interface count towards the connectionAcquisition.
* Should fetching the certificate be particularly slow, it might be necessary to increase the timeout.
*
* @interface
* @since 5.27
*/
export class ClientCertificateProvider {
/**
* Indicates whether the client wants the driver to update the certificate.
*
* @returns {Promise<boolean>|boolean} true if the client wants the driver to update the certificate
*/
hasUpdate() {
throw new Error('Not Implemented');
}
/**
* Returns the certificate to use for new connections.
*
* Will be called by the driver after {@link ClientCertificateProvider#hasUpdate} returned true
* or when the driver establishes the first connection.
*
* @returns {Promise<ClientCertificate>|ClientCertificate} the certificate to use for new connections
*/
getClientCertificate() {
throw new Error('Not Implemented');
}
}
/**
* Interface for {@link ClientCertificateProvider} which provides update certificate function.
* @interface
* @since 5.27
*/
export class RotatingClientCertificateProvider extends ClientCertificateProvider {
/**
* Updates the certificate stored in the provider.
*
* To be called by user-code when a new client certificate is available.
*
* @param {ClientCertificate} certificate - the new certificate
* @throws {TypeError} If initialCertificate is not a ClientCertificate.
*/
updateCertificate(certificate) {
throw new Error('Not implemented');
}
}
/**
* Defines the object which holds the common {@link ClientCertificateProviders} used in the Driver
*
* @since 5.27
*/
class ClientCertificateProviders {
/**
*
* @param {object} param0 - The params
* @param {ClientCertificate} param0.initialCertificate - The certificated used by the driver until {@link RotatingClientCertificateProvider#updateCertificate} get called.
*
* @returns {RotatingClientCertificateProvider} The rotating client certificate provider
* @throws {TypeError} If initialCertificate is not a ClientCertificate.
*/
rotating({ initialCertificate }) {
if (initialCertificate == null || !isClientClientCertificate(initialCertificate)) {
throw new TypeError(`initialCertificate should be ClientCertificate, but got ${json.stringify(initialCertificate)}`);
}
const certificate = Object.assign({}, initialCertificate);
return new InternalRotatingClientCertificateProvider(certificate);
}
}
/**
* Holds the common {@link ClientCertificateProviders} used in the Driver.
*
* @since 5.27
*/
const clientCertificateProviders = new ClientCertificateProviders();
Object.freeze(clientCertificateProviders);
export { clientCertificateProviders };
/**
* Resolves ClientCertificate or ClientCertificateProvider to a ClientCertificateProvider
*
* Method validates the input.
*
* @private
* @param input
* @returns {ClientCertificateProvider?} A client certificate provider if provided a ClientCertificate or a ClientCertificateProvider
* @throws {TypeError} If input is not a ClientCertificate, ClientCertificateProvider, undefined or null.
*/
export function resolveCertificateProvider(input) {
if (input == null) {
return undefined;
}
if (typeof input === 'object' && 'hasUpdate' in input && 'getClientCertificate' in input &&
typeof input.getClientCertificate === 'function' && typeof input.hasUpdate === 'function') {
return input;
}
if (isClientClientCertificate(input)) {
const certificate = Object.assign({}, input);
return {
getClientCertificate: () => certificate,
hasUpdate: () => false
};
}
throw new TypeError(`clientCertificate should be configured with ClientCertificate or ClientCertificateProvider, but got ${json.stringify(input)}`);
}
/**
* Verify if object is a client certificate
* @private
* @param maybeClientCertificate - Maybe the certificate
* @returns {boolean} if maybeClientCertificate is a client certificate object
*/
function isClientClientCertificate(maybeClientCertificate) {
return maybeClientCertificate != null &&
typeof maybeClientCertificate === 'object' &&
'certfile' in maybeClientCertificate && isCertFile(maybeClientCertificate.certfile) &&
'keyfile' in maybeClientCertificate && isKeyFile(maybeClientCertificate.keyfile) &&
isStringOrNotPresent('password', maybeClientCertificate);
}
/**
* Check value is a cert file
* @private
* @param {any} value the value
* @returns {boolean} is a cert file
*/
function isCertFile(value) {
return isString(value) || isArrayOf(value, isString);
}
/**
* Check if the value is a keyfile.
*
* @private
* @param {any} maybeKeyFile might be a keyfile value
* @returns {boolean} the value is a KeyFile
*/
function isKeyFile(maybeKeyFile) {
function check(obj) {
return typeof obj === 'string' ||
(obj != null &&
typeof obj === 'object' &&
'path' in obj && typeof obj.path === 'string' &&
isStringOrNotPresent('password', obj));
}
return check(maybeKeyFile) || isArrayOf(maybeKeyFile, check);
}
/**
* Verify if value is string
*
* @private
* @param {any} value the value
* @returns {boolean} is string
*/
function isString(value) {
return typeof value === 'string';
}
/**
* Verifies if value is a array of type
*
* @private
* @param {any} value the value
* @param {function} isType the type checker
* @returns {boolean} value is array of type
*/
function isArrayOf(value, isType, allowEmpty = false) {
return Array.isArray(value) &&
(allowEmpty || value.length > 0) &&
value.filter(isType).length === value.length;
}
/**
* Verify if valueName is present in the object and is a string, or not present at all.
*
* @private
* @param {string} valueName The value in the object
* @param {object} obj The object
* @returns {boolean} if the value is present in object as string or not present
*/
function isStringOrNotPresent(valueName, obj) {
return !(valueName in obj) || obj[valueName] == null || typeof obj[valueName] === 'string';
}
/**
* Internal implementation
*
* @private
*/
class InternalRotatingClientCertificateProvider {
constructor(_certificate, _updated = false) {
this._certificate = _certificate;
this._updated = _updated;
}
/**
*
* @returns {boolean|Promise<boolean>}
*/
hasUpdate() {
try {
return this._updated;
}
finally {
this._updated = false;
}
}
/**
*
* @returns {ClientCertificate|Promise<ClientCertificate>}
*/
getClientCertificate() {
return this._certificate;
}
/**
*
* @param certificate
* @returns {void}
*/
updateCertificate(certificate) {
if (!isClientClientCertificate(certificate)) {
throw new TypeError(`certificate should be ClientCertificate, but got ${json.stringify(certificate)}`);
}
this._certificate = Object.assign({}, certificate);
this._updated = true;
}
}