@sap/xssec - npm Package Compare versions

Comparing version 2.1.17 to 2.2.1

8

CHANGELOG.md
# Change Log
All notable changes to this project will be documented in this file.
## 2.2.1 - 2019-06-17
- Fix uaaDomain comparison in key cache
## 2.2.0 - 2019-06-17
- Align key cache implementation with other container security libraries
## 2.1.17 - 2019-05-17

@@ -5,0 +13,0 @@

44

lib/keycache.js

@@ -82,8 +82,8 @@ 'use strict';

KeyCache.prototype.getKey = function getKey(keyId, uaaUrl, cb) {
KeyCache.prototype.getKey = function getKey(tokenKeyUrl, keyId, cb) {
var self = this;
if ((keyId === null) || (keyId === undefined)) {
if ((tokenKeyUrl === null) || (tokenKeyUrl === undefined)) {
var error = new Error(
'Parameter keyId null or undefined. To read a key from the KeyCache with function KeyCache.getKey, you need to specify parameter keyId.');
'Parameter tokenKeyUrl null or undefined. To enable the KeyCache reading keys from the UAA which are yet unavailable in the cache, you need to specify parameter tokenKeyUrl as a valid https URL.');
return process.nextTick(function() {

@@ -93,5 +93,5 @@ cb(error, null);

}
if ((uaaUrl === null) || (uaaUrl === undefined)) {
if (validUrl.isHttpsUri(tokenKeyUrl) === undefined) {
var error = new Error(
'Parameter uaaUrl null or undefined. To enable the KeyCache reading keys from the UAA which are yet unavailable in the cache, you need to specify parameter uaaUrl as a valid https URL.');
'Parameter tokenKeyUrl is not a valid https URL. To enable the KeyCache reading keys from the UAA which are yet unavailable in the cache, you need to specify parameter tokenKeyUrl as a valid https URL.');
return process.nextTick(function() {

@@ -101,5 +101,5 @@ cb(error, null);

}
if (validUrl.isHttpsUri(uaaUrl) === undefined) {
if ((keyId === null) || (keyId === undefined)) {
var error = new Error(
'Parameter uaaUrl is not a valid https URL. To enable the KeyCache reading keys from the UAA which are yet unavailable in the cache, you need to specify parameter uaaUrl as a valid https URL.');
'Parameter keyId null or undefined. To read a key from the KeyCache with function KeyCache.getKey, you need to specify parameter keyId.');
return process.nextTick(function() {

@@ -110,8 +110,8 @@ cb(error, null);

debugTrace('Looking for key with keyID: "' + keyId + '" in cache.');
var cacheKey = tokenKeyUrl + keyId;
debugTrace('Looking for key "' + cacheKey + '" in cache.');
// Check whether keyid is in cache
var tmpResult = this.lruCache.get(keyId);
var tmpResult = this.lruCache.get(cacheKey);
if (tmpResult !== undefined) {
debugTrace('Key with keyID: "' + keyId
+ '" found in cache. Returning key "' + tmpResult + '".');
debugTrace('Key with keyID: "' + keyId + '" found in cache. Returning key "' + tmpResult + '".');
return process.nextTick(function() {

@@ -123,4 +123,3 @@ cb(null, tmpResult);

// UAA
var error = new Error('Key with keyID: "' + keyId
+ '" not found in cache. Configuration says not to query UAA.');
var error = new Error('Key "' + cacheKey + '" not found in cache. Configuration says not to query UAA.');
return process.nextTick(function() {

@@ -132,8 +131,6 @@ cb(error, null);

var options = {
url : uaaUrl + this.tokenKeyPath,
url : tokenKeyUrl,
timeout: 2000
};
debugTrace('Key with keyID: "' + keyId
+ '" not found in cache. Querying keys from UAA via URL "'
+ options.url + '".');
debugTrace('Key "' + cacheKey + '" not found in cache. Querying keys from UAA via URL "' + options.url + '".');
request

@@ -176,3 +173,3 @@ .get(

// breaks before adding the key to the cache
self.addKey(json.keys[i].kid,
self.addKey(tokenKeyUrl + json.keys[i].kid,
json.keys[i].value.replace(

@@ -190,7 +187,5 @@ /(\r\n|\n|\r)/gm, ''));

}
var tmpResult = self.lruCache.get(keyId);
var tmpResult = self.lruCache.get(cacheKey);
if (tmpResult !== undefined) {
debugTrace('Key with keyID: "' + keyId
+ '" found in cache. Returning key "'
+ tmpResult + '".');
debugTrace('Key "' + cacheKey + '" found in cache. Returning key "' + tmpResult + '".');
return process.nextTick(function() {

@@ -201,5 +196,4 @@ cb(null, tmpResult);

var error = new Error(
'Obtained token keys from UAA, but key with requested keyID "'
+ keyId
+ '" still not found in cache.');
'Obtained token keys from UAA, but key with requested keyID "' +
cacheKey + '" still not found in cache.');
return process.nextTick(function() {

@@ -206,0 +200,0 @@ cb(error, null);

@@ -571,3 +571,2 @@ 'use strict';

}
var uaaURLString = config.url;
var invalidatedTokenHeaderJSON = null;

@@ -584,38 +583,11 @@ try {

invalidatedTokenHeaderJSON = JSON.parse(invalidatedTokenHeaderString);
if (!invalidatedTokenHeaderJSON.kid || invalidatedTokenHeaderJSON.kid == 'legacy-token-key') {
if (!invalidatedTokenHeaderJSON.kid || invalidatedTokenHeaderJSON.kid == 'legacy-token-key' || !invalidatedTokenHeaderJSON.jku) {
return cb(null, config.verificationkey);
}
var invalidatedTokenContentBuffer = new Buffer(invalidatedTokenParts[1], 'base64');
var invalidatedTokenContentString = invalidatedTokenContentBuffer.toString('utf8');
var invalidatedTokenContentJSON = JSON.parse(invalidatedTokenContentString);
if (!invalidatedTokenContentJSON.iss) {
var error = new Error('JWT token contains no iss field. Giving up.', null);
error.statuscode = 400;
return cb(error);
}
var tokenIssuer = invalidatedTokenContentJSON.iss;
var tokenIssuerURL = url.parse(tokenIssuer);
var tokenIssuerURLHostname = tokenIssuerURL.hostname;
var tokenIssuerURLIDZIndex = tokenIssuerURLHostname.indexOf('.');
if (tokenIssuerURLIDZIndex < 0) {
debugTrace('\nUnexpected Issuer Format in JWT. Use legacy-token-key.');
return cb(null, config.verificationkey);
}
var tokenIssuerIDZ = tokenIssuerURLHostname.substring(0, tokenIssuerURLIDZIndex);
debugTrace('\nIdentity zone of token issuer: '+tokenIssuerIDZ+'\n');
var uaaURL = url.parse(uaaURLString);
var uaaURLHostname = uaaURL.hostname;
var uaaURLIDZIndex = uaaURLHostname.indexOf('.');
if (uaaURLIDZIndex < 0) {
var error = new Error('Unexpected format of UAA URL in configuration. Giving up.', null);
error.statuscode = 500;
return cb(error);
}
var uaaURLHostnameWithoutIDZ = uaaURLHostname.substring(uaaURLIDZIndex, uaaURLHostname.length);
var newHostname = tokenIssuerIDZ + uaaURLHostnameWithoutIDZ;
uaaURL.hostname = newHostname;
uaaURL.host = null;
uaaURLString = url.format(uaaURL);
return keyCache.getKey(invalidatedTokenHeaderJSON.kid, uaaURLString, cb);
validateJku(invalidatedTokenHeaderJSON.jku, config.uaadomain, function(err) {
if (err) {
return cb(null, config.verificationkey);
}
return keyCache.getKey(invalidatedTokenHeaderJSON.jku, invalidatedTokenHeaderJSON.kid, cb);
});
} catch (e) {

@@ -627,2 +599,17 @@ e.statuscode = 403;

function validateJku(jkuUrl, uaaDomain, cb) {
if (uaaDomain === null || uaaDomain === undefined) {
var errorString = 'Service is not properly configured in \'VCAP_SERVICES\', attribute \'uaadomain\' is missing. Use legacy-token-key.';
debugTrace('\n' + errorString);
return cb(new Error(errorString));
}
var tokenKeyUrl = url.parse(jkuUrl);
if (tokenKeyUrl.hostname.substring(tokenKeyUrl.hostname.indexOf(uaaDomain), tokenKeyUrl.hostname.length) !== uaaDomain) {
var errorString = 'JKU of the JWT token (' + jkuUrl + ') does not match with the uaa domain (' + uaaDomain + '). Use legacy-token-key.';
debugTrace('\n' + errorString);
return cb(new Error(errorString));
}
cb(null);
}
function checkTokenLocal(accessToken, verificationkey, ssojwt, cb) {

@@ -629,0 +616,0 @@
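Review bot: The domain check in `validateJku` (the `if` on the hostname comparison) accepts any hostname that merely ends with `uaaDomain`, because `substring(indexOf(uaaDomain))` does not require a label boundary, so a host whose name is some other label glued directly onto `uaaDomain` without a separating dot passes and its `jku` is then handed to `getKey`. I would compare on a dot boundary: `var hostname = url.parse(jkuUrl).hostname || '';` followed by `if (hostname !== uaaDomain && !hostname.endsWith('.' + uaaDomain)) {`. The `|| ''` also covers a `jku` with no host, where `hostname` is `null` and `.substring` would throw a TypeError — that appears to land in the caller's enclosing `try`/`catch` (the 403 path visible in this hunk's header), but failing the check explicitly is clearer and keeps the fallback to `config.verificationkey` deliberate. The https scheme is already enforced downstream by `validUrl.isHttpsUri` in `getKey`, so the label boundary is the only piece missing here.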

@@ -1,1 +0,1 @@

{"bundleDependencies":false,"dependencies":{"@sap/node-jwt":"^1.4.13","@sap/xsenv":"^2.0.0","debug":"4.1.1","lru-cache":"5.1.1","request":"2.88.0","valid-url":"1.0.9"},"deprecated":false,"description":"XS Advanced Container Security API for node.js","devDependencies":{"filter-node-package":"2.0.0","istanbul":"^0.4.5","jwt-decode":"^2.2.0","mocha":"^5.1.0","should":"^13.2.1"},"keywords":["xs"],"main":"./lib","name":"@sap/xssec","repository":{"type":"git"},"scripts":{"prepareRelease":"clean-packages && npm prune --production","test":"make test"},"version":"2.1.17","license":"SEE LICENSE IN developer-license-3.1.txt"}
{"bundleDependencies":false,"dependencies":{"@sap/node-jwt":"^1.5.0","@sap/xsenv":"^2.0.0","debug":"4.1.1","lru-cache":"5.1.1","request":"2.88.0","valid-url":"1.0.9"},"deprecated":false,"description":"XS Advanced Container Security API for node.js","devDependencies":{"filter-node-package":"2.0.0","istanbul":"^0.4.5","jwt-decode":"^2.2.0","mocha":"^5.1.0","should":"^13.2.1"},"keywords":["xs"],"main":"./lib","name":"@sap/xssec","repository":{"type":"git"},"scripts":{"prepareRelease":"clean-packages && npm prune --production","test":"make test"},"version":"2.2.1","license":"SEE LICENSE IN developer-license-3.1.txt"}

