| 1 | {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/auth.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EACL,SAAS,EACT,qBAAqB,EAErB,YAAY,EACZ,yBAAyB,GAC1B,MAAM,UAAU,CAAC;AAelB;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,aAAkC,EAClC,IAAgB,EAChB,IAAY,EACZ,UAAkB,EAClB,YAA0B,EAC1B,OAAsB;IAEtB,IAAI,aAAa,CAAC,cAAc,EAAE;QAChC,aAAa,CAAC,cAAc,GAAG,EAAE,CAAC;QAClC,KAAK,MAAM,UAAU,IAAI,aAAa,CAAC,cAAc,EAAE;YACrD,MAAM,EAAE,GAAG,qBAAqB,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACtD,IAAI,CAAC,EAAE,EAAE;gBACP,MAAM,IAAI,KAAK,CAAC,wBAAwB,EAAE;qEACmB,CAAC,CAAC;aAChE;YAED,aAAa,CAAC,cAAc,CAAC,EAAE,CAAC,GAAI,UAAkB,CAAC,MAAM,CAAC,CAAC,YAAY;SAC5E;KACF;IAED,IAAI,aAAa,CAAC,GAAG,EAAE;QACrB,MAAM,yCAAyC,CAC7C,IAAI,EACJ,UAAU,EACV,YAAY,EACZ,OAAO,EACP,aAAa,CAAC,GAAG,CAClB,CAAC;KACH;SAAM,IAAI,aAAa,CAAC,cAAc,EAAE;QACvC,OAAO,CAAC,SAAS,CAAC,WAAW,CAAC,aAAa,CAAC,GAAG,kBAAkB,CAC/D,wCAAwC,CAAC,aAAa,CAAC,cAAc,EAAE,IAAI,EAAE,UAAU,CAAC,CACzF,CAAC;KACH;SAAM,IAAI,aAAa,CAAC,aAAa,EAAE;QACtC,OAAO,CAAC,SAAS,CAAC,WAAW,CAAC,aAAa,CAAC,GAAG,kBAAkB,CAC/D,MAAM,aAAa,CAAC,aAAa,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CACrF,CAAC;KACH;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,yCAAyC,CAC7D,IAAgB,EAChB,UAAkB,EAClB,YAA0B,EAC1B,OAAsB,EACtB,SAAiB;IAEjB,uCAAuC;IACvC,IAAI,YAAY,KAAK,YAAY,CAAC,KAAK,EAAE;QACvC,UAAU,GAAG,UAAU,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;KACrD;IACD,OAAO,GAAG,MAAM,CAAC,MAAM,CACrB,OAAO,EACP,MAAM,eAAe,CAAC,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,CAAC,CACjE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,wBAAwB;AACxB,MAAM,UAAU,wCAAwC,CACtD,cAAgD,EAChD,IAAY,EACZ,UAAkB;IAElB,IAAI,cAAc,IAAI,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;QAC5D,2FAA2F;QAC3F,2FAA2F;QAC3F,6CAA6C;QAC7C,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,EAAE;YACxB,OAAO,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SACvD;QAED,sDAAsD;QACtD,IAAI,UAAU,IAAI,cAAc,CAAC,UAAU,CAAC,EAAE;YAC5C,OAAO,cAAc,CAAC,UAAU,CAAC,CAAC;SACnC;QAED,0BAA0B;QAC1B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE;YAC5B,mCAAmC;YACnC,OAAO,IAAI,CAAC;SACb;QAED,IAAI,GAAG,yBAAyB,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,YAAY,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAErD,YAAY;QACZ,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE;YAC7B,oDAAoD;YACpD,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjF,IAAI,cAAc,CAAC,aAAa,CAAC,EAAE;gBACjC,OAAO,cAAc,CAAC,aAAa,CAAC,CAAC;aACtC;SACF;QAED,2GAA2G;QAC3G,6GAA6G;QAC7G,qDAAqD;QACrD,kFAAkF;QAClF,IAAI,KAAK,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QAC9F,OAAO,KAAK,GAAG,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE;YAC5B,MAAM,EAAE,GAAG,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;YAC1C,IAAI,cAAc,CAAC,EAAE,CAAC,EAAE;gBACtB,OAAO,cAAc,CAAC,EAAE,CAAC,CAAC;aAC3B;SACF;KACF;IAED,mCAAmC;IACnC,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\nimport { generateHeaders } from \"./utils/headers\";\nimport {\n Constants,\n getResourceIdFromPath,\n HTTPMethod,\n ResourceType,\n trimSlashFromLeftAndRight,\n} from \"./common\";\nimport { CosmosClientOptions } from \"./CosmosClientOptions\";\nimport { CosmosHeaders } from \"./queryExecutionContext\";\n\n/** @hidden */\nexport interface RequestInfo {\n verb: HTTPMethod;\n path: string;\n resourceId: string;\n resourceType: ResourceType;\n headers: CosmosHeaders;\n}\n\nexport type TokenProvider = (requestInfo: RequestInfo) => Promise<string>;\n\n/**\n * @hidden\n */\nexport async function setAuthorizationHeader(\n clientOptions: CosmosClientOptions,\n verb: HTTPMethod,\n path: string,\n resourceId: string,\n resourceType: ResourceType,\n headers: CosmosHeaders\n): Promise<void> {\n if (clientOptions.permissionFeed) {\n clientOptions.resourceTokens = {};\n for (const permission of clientOptions.permissionFeed) {\n const id = getResourceIdFromPath(permission.resource);\n if (!id) {\n throw new Error(`authorization error: ${id} \\\n is an invalid resourceId in permissionFeed`);\n }\n\n clientOptions.resourceTokens[id] = (permission as any)._token; // TODO: any\n }\n }\n\n if (clientOptions.key) {\n await setAuthorizationTokenHeaderUsingMasterKey(\n verb,\n resourceId,\n resourceType,\n headers,\n clientOptions.key\n );\n } else if (clientOptions.resourceTokens) {\n headers[Constants.HttpHeaders.Authorization] = encodeURIComponent(\n getAuthorizationTokenUsingResourceTokens(clientOptions.resourceTokens, path, resourceId)\n );\n } else if (clientOptions.tokenProvider) {\n headers[Constants.HttpHeaders.Authorization] = encodeURIComponent(\n await clientOptions.tokenProvider({ verb, path, resourceId, resourceType, headers })\n );\n }\n}\n\n/**\n * The default function for setting header token using the masterKey\n * @hidden\n */\nexport async function setAuthorizationTokenHeaderUsingMasterKey(\n verb: HTTPMethod,\n resourceId: string,\n resourceType: ResourceType,\n headers: CosmosHeaders,\n masterKey: string\n): Promise<void> {\n // TODO This should live in cosmos-sign\n if (resourceType === ResourceType.offer) {\n resourceId = resourceId && resourceId.toLowerCase();\n }\n headers = Object.assign(\n headers,\n await generateHeaders(masterKey, verb, resourceType, resourceId)\n );\n}\n\n/**\n * @hidden\n */\n// TODO: Resource tokens\nexport function getAuthorizationTokenUsingResourceTokens(\n resourceTokens: { [resourceId: string]: string },\n path: string,\n resourceId: string\n): string {\n if (resourceTokens && Object.keys(resourceTokens).length > 0) {\n // For database account access(through getDatabaseAccount API), path and resourceId are \"\",\n // so in this case we return the first token to be used for creating the auth header as the\n // service will accept any token in this case\n if (!path && !resourceId) {\n return resourceTokens[Object.keys(resourceTokens)[0]];\n }\n\n // If we have exact resource token for the path use it\n if (resourceId && resourceTokens[resourceId]) {\n return resourceTokens[resourceId];\n }\n\n // minimum valid path /dbs\n if (!path || path.length < 4) {\n // TODO: This should throw an error\n return null;\n }\n\n path = trimSlashFromLeftAndRight(path);\n const pathSegments = (path && path.split(\"/\")) || [];\n\n // Item path\n if (pathSegments.length === 6) {\n // Look for a container token matching the item path\n const containerPath = pathSegments.slice(0, 4).map(decodeURIComponent).join(\"/\");\n if (resourceTokens[containerPath]) {\n return resourceTokens[containerPath];\n }\n }\n\n // TODO remove in v4: This is legacy behavior that lets someone use a resource token pointing ONLY at an ID\n // It was used when _rid was exposed by the SDK, but now that we are using user provided ids it is not needed\n // However removing it now would be a breaking change\n // if it's an incomplete path like /dbs/db1/colls/, start from the parent resource\n let index = pathSegments.length % 2 === 0 ? pathSegments.length - 1 : pathSegments.length - 2;\n for (; index > 0; index -= 2) {\n const id = decodeURI(pathSegments[index]);\n if (resourceTokens[id]) {\n return resourceTokens[id];\n }\n }\n }\n\n // TODO: This should throw an error\n return null;\n}\n"]} |