var AWS = require('aws-sdk');
// Module-level KMS client, built once at load time with the SDK's default
// region/credential resolution. confidant.config() replaces it with a
// region-specific client, and get_service() encrypts through whichever
// instance is current at call time — so call config() before get_service().
var kms = new AWS.KMS();
var Q = require('q');
var moment = require('moment');
var request = require('request');
// Namespace object that this module exports (see module.exports below).
var confidant = {};
/**
 * Point this module's KMS client at a specific AWS region.
 *
 * Rebuilds the module-level `kms` client, discarding the default one that was
 * created when the module loaded. Later get_service() calls encrypt their
 * auth token through the new client.
 *
 * @param {Object} config
 * @param {string} config.aws_kms_region - AWS region used for KMS calls
 *   (e.g. "us-east-1"). If undefined, the SDK presumably falls back to its
 *   normal region resolution — verify before relying on that.
 */
confidant.config = function(config) {
  var kmsOptions = {
    region: config.aws_kms_region
  };
  kms = new AWS.KMS(kmsOptions);
};
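/**
 * Authenticate to a Confidant server with a KMS auth token and fetch this
 * service's secrets.
 *
 * The token is a KMS-encrypted JSON document `{not_before, not_after}`. The
 * KMS EncryptionContext binds it to a `from` role (this client) and a `to`
 * role (the Confidant server), so a token minted for one from/to pair cannot
 * be decrypted under a different context. The base64 ciphertext is sent as
 * the password half of an HTTP Basic Authorization header, with
 * `from_context` as the user name.
 *
 * Security notes for callers:
 *  - The token is a bearer credential valid until `not_after`; keep
 *    `token_lifetime` short and send it only over https.
 *  - `from_context` is interpolated into the request path unescaped. It is
 *    operator-supplied config, but a value containing '/' or '?' would
 *    change the request target.
 *
 * @param {Object} config
 * @param {number} [config.token_lifetime=1] - Token lifetime in minutes.
 *   A falsy value (including 0) falls back to 1.
 * @param {string} config.auth_key - KMS key id, alias or ARN used to encrypt
 *   the token. An empty value is sent as "" and rejected by KMS.
 * @param {string} config.from_context - IAM role name of this client; also
 *   the service name whose secrets are fetched.
 * @param {string} config.to_context - IAM role name of the Confidant server.
 * @param {string} config.url - Base URL of the Confidant server (no trailing
 *   slash); "/v1/services/<from_context>" is appended.
 * @returns {Promise<{service: string, result: boolean}>} Resolves with the raw
 *   (not JSON-parsed) response body as `service` and `result: true` on a 2xx
 *   response. Rejects with the KMS error, the transport error, or an Error
 *   carrying `statusCode` and `body` when the server answers non-2xx — a
 *   401/403/404 body is no longer handed back as if it were a service.
 */
confidant.get_service = function(config) {
  var d = Q.defer();
  // Confidant's KMS-auth timestamp format is YYYYMMDDTHHmmssZ in UTC.
  var time_format = "YYYYMMDDTHHmmss";
  // Must be UTC: the literal "Z" appended below is the UTC designator. The
  // previous code used moment() (host local time), which on any non-UTC host
  // shifted the token's validity window by the host's UTC offset and made
  // the server reject it as not-yet-valid or already expired.
  var now = moment.utc();
  var not_before = now.format(time_format) + "Z";
  // moment#add mutates in place, so work on a clone.
  var not_after = now.clone().add(config.token_lifetime || 1, 'minutes').format(time_format) + "Z";
  var params = {
    KeyId: config.auth_key || "", /* required */
    Plaintext: JSON.stringify({
      'not_before': not_before,
      'not_after': not_after
    }), /* required */
    // The server must supply the identical context to decrypt; this is what
    // ties the token to a specific client/server pair.
    EncryptionContext: {
      'from': config.from_context || "",
      'to': config.to_context || ""
    }
  };
  kms.encrypt(params, function(err, data) {
    if (err) {
      d.reject(err);
      return;
    }
    // The token is the opaque ciphertext, base64-encoded. Buffer.from()
    // replaces the deprecated `new Buffer()` constructor (DEP0005).
    var token = Buffer.from(data.CiphertextBlob).toString('base64');
    request({
      uri: config.url + "/v1/services/" + config.from_context,
      method: 'GET',
      headers: {
        Authorization: 'Basic ' + Buffer.from(config.from_context + ':' + token).toString('base64')
      }
    }, function(err, resp, body) {
      if (err) {
        d.reject(err);
        return;
      }
      // Treat an HTTP error status as a failure rather than resolving the
      // error page/JSON as the service document.
      if (resp.statusCode < 200 || resp.statusCode >= 300) {
        var httpErr = new Error('Confidant returned HTTP ' + resp.statusCode);
        httpErr.statusCode = resp.statusCode;
        httpErr.body = body;
        d.reject(httpErr);
        return;
      }
      d.resolve({
        'service': resp.body,
        'result': true
      });
    });
  });
  return d.promise;
};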
// Public API: confidant.config() and confidant.get_service().
module.exports = confidant;