wire authprovider to fetch kas keys

opentdf · Dec 4, 2024 · b78cd0f · b78cd0f
1 parent ae18fc2
commit b78cd0f
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 16 deletions.
diff --git a/lib/src/access.ts b/lib/src/access.ts
@@ -1,4 +1,4 @@
-import { type AuthProvider } from './auth/auth.js';
+import { type AuthProvider, type HttpRequest } from './auth/auth.js';
 import {
   ConfigurationError,
   InvalidFileError,
@@ -125,13 +125,14 @@ async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<Cr
  * If we have KAS url but not public key we can fetch it from KAS, fetching
  * the value from `${kas}/kas_public_key`.
  */
-export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKeyInfo> {
-  return fetchKasPubKey(kasEndpoint, 'ec:secp256r1');
+export async function fetchECKasPubKey(kasEndpoint: string, authProvider?: AuthProvider): Promise<KasPublicKeyInfo> {
+  return fetchKasPubKey(kasEndpoint, 'ec:secp256r1', authProvider);
 }
 
 export async function fetchKasPubKey(
   kasEndpoint: string,
-  algorithm?: KasPublicKeyAlgorithm
+  algorithm?: KasPublicKeyAlgorithm,
+  authProvider?: AuthProvider,
 ): Promise<KasPublicKeyInfo> {
   if (!kasEndpoint) {
     throw new ConfigurationError('KAS definition not found');
@@ -146,23 +147,28 @@ export async function fetchKasPubKey(
   }
   pkUrlV2.searchParams.set('algorithm', infoStatic.algorithm);
 
+  let req: HttpRequest = {url: pkUrlV2.toString(), method: "GET", headers: {}};
+  if (authProvider) {
+    req = await authProvider.withCreds(req);
+  }
+
   let kasPubKeyResponseV2: Response;
   try {
-    kasPubKeyResponseV2 = await fetch(pkUrlV2);
+    kasPubKeyResponseV2 = await fetch(req.url, {method: req.method});
   } catch (e) {
-    throw new NetworkError(`unable to fetch public key from [${pkUrlV2}]`, e);
+    throw new NetworkError(`unable to fetch public key from [${req.url}]`, e);
   }
   if (!kasPubKeyResponseV2.ok) {
     switch (kasPubKeyResponseV2.status) {
       case 404:
-        throw new ConfigurationError(`404 for [${pkUrlV2}]`);
+        throw new ConfigurationError(`404 for [${req.url}]`);
       case 401:
-        throw new UnauthenticatedError(`401 for [${pkUrlV2}]`);
+        throw new UnauthenticatedError(`401 for [${req.url}]`);
       case 403:
-        throw new PermissionDeniedError(`403 for [${pkUrlV2}]`);
+        throw new PermissionDeniedError(`403 for [${req.url}]`);
       default:
         throw new NetworkError(
-          `${pkUrlV2} => ${kasPubKeyResponseV2.status} ${kasPubKeyResponseV2.statusText}`
+          `${req.url} => ${kasPubKeyResponseV2.status} ${kasPubKeyResponseV2.statusText}`
         );
     }
   }

diff --git a/lib/src/index.ts b/lib/src/index.ts
@@ -139,7 +139,7 @@ export class NanoTDFClient extends Client {
     delete this.iv;
 
     if (!this.kasPubKey) {
-      this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
+      this.kasPubKey = await fetchECKasPubKey(this.kasUrl, this.authProvider);
     }
 
     // Create a policy for the tdf
@@ -273,7 +273,7 @@ export class NanoTDFDatasetClient extends Client {
       const ephemeralKeyPair = await this.ephemeralKeyPair;
 
       if (!this.kasPubKey) {
-        this.kasPubKey = await fetchECKasPubKey(this.kasUrl);
+        this.kasPubKey = await fetchECKasPubKey(this.kasUrl, this.authProvider);
       }
 
       // Create a policy for the tdf

diff --git a/lib/tdf3/src/client/index.ts b/lib/tdf3/src/client/index.ts
@@ -434,7 +434,7 @@ export class Client {
     encryptionInformation.keyAccess = await Promise.all(
       splits.map(async ({ kas, sid }) => {
         if (!(kas in this.kasKeys)) {
-          this.kasKeys[kas] = fetchKasPublicKey(kas);
+          this.kasKeys[kas] = fetchKasPublicKey(kas, 'rsa:2048', this.authProvider);
         }
         const kasPublicKey = await this.kasKeys[kas];
         return buildKeyAccess({

diff --git a/lib/tdf3/src/tdf.ts b/lib/tdf3/src/tdf.ts
@@ -175,9 +175,10 @@ export type RewrapResponse = {
  */
 export async function fetchKasPublicKey(
   kas: string,
-  algorithm?: KasPublicKeyAlgorithm
+  algorithm?: KasPublicKeyAlgorithm,
+  authProvider?: AuthProvider,
 ): Promise<KasPublicKeyInfo> {
-  return fetchKasPubKeyV2(kas, algorithm || 'rsa:2048');
+  return fetchKasPubKeyV2(kas, algorithm || 'rsa:2048', authProvider);
 }
 
 /**

diff --git a/lib/tests/mocha/unit/tdf.spec.ts b/lib/tests/mocha/unit/tdf.spec.ts
@@ -3,7 +3,7 @@ import { expect } from 'chai';
 import * as TDF from '../../../tdf3/src/tdf.js';
 import { KeyAccessObject } from '../../../tdf3/src/models/key-access.js';
 import { OriginAllowList } from '../../../src/access.js';
-import { InvalidFileError, TdfError, UnsafeUrlError } from '../../../src/errors.js';
+import { InvalidFileError, NetworkError, TdfError, UnsafeUrlError } from '../../../src/errors.js';
 
 const sampleCert = `
 -----BEGIN CERTIFICATE-----
@@ -89,6 +89,18 @@ describe('fetchKasPublicKey', async () => {
     expect(pk2.publicKey).to.include('BEGIN CERTIFICATE');
     expect(pk2.kid).to.equal('r1');
   });
+
+  it('fails on invalid auth', async () => {
+    try {
+      await TDF.fetchKasPublicKey('http://localhost:3000', 'rsa:2048', {
+        withCreds: async () => { throw new NetworkError('no creds') },
+        updateClientPublicKey: async () => { },
+      });
+      expect.fail('did not throw');
+    } catch (e) {
+      expect(() => {throw e}).to.throw(NetworkError, 'no creds');
+    }
+  });
 });
 
 describe('splitLookupTableFactory', () => {