@abtnode/auth 1.15.17 → 1.16.0-beta-8ee536d7

package/lib/server.js

@@ -0,0 +1,742 @@
+const get = require('lodash/get');
+const pick = require('lodash/pick');
+const isEmpty = require('lodash/isEmpty');
+const last = require('lodash/last');
+const { isNFTExpired, isNFTConsumed } = require('@abtnode/util/lib/nft');
+const Client = require('@ocap/client');
+const { fromPublicKey } = require('@ocap/wallet');
+const { types } = require('@ocap/mcrypto');
+const { fromBase58, toAddress, toHex } = require('@ocap/util');
+const { toTypeInfo, isFromPublicKey, DidType, isEthereumType } = require('@arcblock/did');
+const urlFriendly = require('@blocklet/meta/lib/url-friendly').default;
+const getApplicationWallet = require('@blocklet/meta/lib/wallet');
+const { slugify } = require('transliteration');
+const { getChainInfo } = require('@blocklet/meta/lib/util');
+const getBlockletInfo = require('@blocklet/meta/lib/info');
+const formatContext = require('@abtnode/util/lib/format-context');
+const {
+  ROLES,
+  VC_TYPE_GENERAL_PASSPORT,
+  VC_TYPE_NODE_PASSPORT,
+  NFT_TYPE_SERVER_OWNERSHIP,
+  SERVER_ROLES,
+  NFT_TYPE_SERVERLESS,
+  MAIN_CHAIN_ENDPOINT,
+  APP_STRUCT_VERSION,
+} = require('@abtnode/constant');
+const {
+  messages,
+  getVCFromClaims,
+  getUser,
+  validatePassportStatus,
+  createAuthToken,
+  createAuthTokenByOwnershipNFT,
+  createBlockletControllerAuthToken,
+  checkWalletVersion,
+} = require('./auth');
+const {
+  validatePassport,
+  isUserPassportRevoked,
+  getRoleFromLocalPassport,
+  getRoleFromExternalPassport,
+  createUserPassport,
+} = require('./passport');
+const logger = require('./logger');
+
+const secret = process.env.ABT_NODE_SESSION_SECRET;
+const LAUNCH_BLOCKLET_TOKEN_EXPIRE = '1d';
+
+// External token should expire after 20 min
+// Assuming the blocklet installation will take no more than 20 min
+const EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE = '20m';
+
+const BLOCKLET_SERVER_VC_TYPES = [VC_TYPE_GENERAL_PASSPORT, VC_TYPE_NODE_PASSPORT];
+
+const ensureLauncherIssuer = (issuers, nodeInfo) => {
+  const launcherDid = get(nodeInfo, 'launcher.did');
+  if (launcherDid) {
+    issuers.push(launcherDid);
+  }
+};
+
+const getTrustedIssuers = (nodeInfo) => {
+  const trustedPassports = (nodeInfo.trustedPassports || []).map((x) => x.issuerDid);
+  return [nodeInfo.did, ...trustedPassports].filter(Boolean);
+};
+
+const authenticateByVc = async ({
+  node,
+  locale,
+  userDid,
+  claims,
+  challenge,
+  requireNodeInitialized = true,
+  launchBlocklet,
+  blocklet,
+}) => {
+  if (requireNodeInitialized) {
+    if ((await node.isInitialized()) === false) {
+      throw new Error(messages.notInitialized[locale]);
+    }
+  }
+
+  const info = await node.getNodeInfo();
+  const teamDid = info.did;
+  const { name } = info;
+
+  const trustedIssuers = getTrustedIssuers(info);
+
+  if (launchBlocklet) {
+    ensureLauncherIssuer(trustedIssuers, info);
+  }
+
+  const { vc, types: passportTypes } = await getVCFromClaims({
+    claims,
+    challenge,
+    trustedIssuers,
+    vcTypes: BLOCKLET_SERVER_VC_TYPES,
+    locale,
+    vcId: blocklet?.controller?.vcId,
+  });
+
+  if (!vc) {
+    throw new Error(messages.missingCredentialClaim[locale]);
+  }
+
+  // check user approved
+  const user = await getUser(node, teamDid, userDid);
+  if (user && !user.approved) {
+    throw new Error(messages.notAllowed[locale]);
+  }
+
+  // Get user passport from vc
+  let passport = createUserPassport(vc);
+  if (user && isUserPassportRevoked(user, passport)) {
+    throw new Error(messages.passportRevoked[locale](name));
+  }
+
+  // Get role from vc
+  let role;
+  if (passportTypes.some((x) => [VC_TYPE_GENERAL_PASSPORT].includes(x))) {
+    await validatePassport(get(vc, 'credentialSubject.passport'));
+    const issuerId = get(vc, 'issuer.id');
+    if (issuerId === teamDid) {
+      role = getRoleFromLocalPassport(get(vc, 'credentialSubject.passport'));
+    } else {
+      // map external passport to local role
+      const { mappings = [] } = (info.trustedPassports || []).find((x) => x.issuerDid === issuerId) || {};
+      role = await getRoleFromExternalPassport({
+        passport: get(vc, 'credentialSubject.passport'),
+        node,
+        teamDid,
+        locale,
+        mappings,
+      });
+
+      // check status of external passport if passport has an endpoint
+      const endpoint = get(vc, 'credentialStatus.id');
+      if (endpoint) {
+        await validatePassportStatus({ vcId: vc.id, endpoint, locale });
+      }
+    }
+  } else if (passportTypes.includes(NFT_TYPE_SERVER_OWNERSHIP)) {
+    role = ROLES.OWNER;
+  } else {
+    logger.error('cannot get role from passport, use "guest" for default', { passportTypes, vcId: vc.id });
+    role = ROLES.GUEST;
+  }
+
+  // Recreate passport with correct role
+  passport = createUserPassport(vc, { role });
+
+  return { role, user, teamDid, passport };
+};
+
+const authenticateByNFT = async ({ node, claims, userDid, challenge, locale, isAuth, chainHost }) => {
+  const info = await node.getNodeInfo();
+  // serverless 应用通过 querystring 传递 chainHost
+  const client = new Client(chainHost || info.launcher.chainHost);
+
+  const claim = claims.find((x) => x.type === 'asset');
+  if (!claim) {
+    throw new Error(messages.missingNftClaim[locale]);
+  }
+
+  const fields = ['asset', 'ownerProof', 'ownerPk', 'ownerDid'];
+  for (const field of fields) {
+    if (!claim[field]) {
+      throw new Error(messages.invalidNftClaim[locale]);
+    }
+  }
+
+  const address = claim.asset;
+  const ownerDid = toAddress(claim.ownerDid);
+  const ownerPk = fromBase58(claim.ownerPk);
+  const ownerProof = fromBase58(claim.ownerProof);
+  if (isFromPublicKey(ownerDid, ownerPk) === false) {
+    throw new Error(messages.invalidNftHolder[locale]);
+  }
+
+  const owner = fromPublicKey(ownerPk, toTypeInfo(ownerDid));
+  if (owner.verify(challenge, ownerProof) === false) {
+    throw new Error(messages.invalidNftProof[locale]);
+  }
+
+  const { state } = await client.getAssetState({ address }, { ignoreFields: ['context'] });
+  if (!state) {
+    throw new Error(messages.invalidNft[locale]);
+  }
+  if (state.owner !== ownerDid) {
+    throw new Error(messages.invalidNftHolder[locale]);
+  }
+  if (state.issuer !== info.launcher.did) {
+    throw new Error(messages.invalidNftIssuer[locale]);
+  }
+
+  if (state.tags.includes(NFT_TYPE_SERVERLESS)) {
+    state.data.value = JSON.parse(state.data.value);
+
+    if (!isAuth && isNFTExpired(state)) {
+      throw new Error(messages.nftAlreadyExpired[locale]);
+    }
+
+    return {
+      role: SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER,
+      nft: state,
+      extra: {
+        controller: {
+          nftId: address,
+          nftOwner: state.owner,
+          chainHost,
+          appMaxCount: state.data.value.appMaxCount || 1,
+        },
+      },
+      user: {
+        did: userDid,
+      },
+      teamDid: info.did,
+    };
+  }
+
+  // enforce tag match
+  if (last(state.tags) !== info.launcher.tag) {
+    throw new Error(messages.tagNotMatch[locale]);
+  }
+
+  const user = await getUser(node, info.did, userDid);
+  return { role: ROLES.OWNER, teamDid: info.did, nft: state, user, passport: null, ownerDid, ownerNFT: address };
+};
+
+const authenticateBySession = async ({ node, userDid, locale, allowedRoles = ['owner', 'admin', 'member'] }) => {
+  const info = await node.getNodeInfo();
+  const user = await getUser(node, info.did, userDid);
+  if (!user) {
+    throw new Error(messages.userNotFound[locale]);
+  }
+  const passport = (user.passports || []).find((x) => x.status === 'valid' && allowedRoles.includes(x.role));
+  return { role: passport ? passport.role : ROLES.GUEST, teamDid: info.did, user, passport: null };
+};
+
+const getAuthVcClaim =
+  ({ node, launchBlocklet, blocklet, options }) =>
+  async ({ extraParams: { locale, passportId }, context: { didwallet } }) => {
+    checkWalletVersion({ didwallet, locale });
+
+    const baseClaim = {
+      description: messages.requestPassport[locale],
+      optional: false,
+      item: BLOCKLET_SERVER_VC_TYPES,
+    };
+
+    if (blocklet && blocklet?.controller?.vcId) {
+      return {
+        ...baseClaim,
+        target: blocklet.controller.vcId,
+      };
+    }
+
+    if (passportId) {
+      return {
+        ...baseClaim,
+        target: passportId,
+      };
+    }
+
+    const info = await node.getNodeInfo();
+    const trustedIssuers = getTrustedIssuers(info);
+
+    if (launchBlocklet) {
+      ensureLauncherIssuer(trustedIssuers, info);
+    }
+
+    return {
+      ...baseClaim,
+      trustedIssuers,
+      ...(options || {}),
+    };
+  };
+
+const getAuthNFTClaim =
+  ({ node }) =>
+  async ({ extraParams: { locale, launchType, nftId }, context: { didwallet } }) => {
+    checkWalletVersion({ didwallet, locale });
+    if (launchType === 'serverless') {
+      if (!nftId) {
+        throw new Error(messages.serverlessNftIdRequired[locale]);
+      }
+
+      return getServerlessNFTClaim(node, nftId, locale);
+    }
+
+    return getOwnershipNFTClaim(node, locale);
+  };
+
+const getKeyPairClaim =
+  (node, declare = true) =>
+  async ({ extraParams: { locale, appDid, wt = 'default', title }, context: { didwallet } }) => {
+    checkWalletVersion({ didwallet, locale });
+
+    const description = {
+      en: 'Please generate a new key-pair for this application',
+      zh: '请为应用创建新的钥匙对',
+    };
+
+    let appName = title;
+    let migrateFrom = '';
+
+    let type;
+    let chainInfo;
+
+    // We are rotating a key-pair for existing application
+    if (appDid) {
+      const blocklet = await node.getBlocklet({ did: appDid, attachRuntimeInfo: false });
+      if (!blocklet) {
+        throw new Error(messages.invalidBlocklet[locale]);
+      }
+
+      const info = await node.getNodeInfo();
+      const { name, wallet } = getBlockletInfo(blocklet, info.sk);
+      appName = name;
+      migrateFrom = wallet.address;
+      type = DidType(wallet.type);
+      chainInfo = getChainInfo(blocklet.configObj);
+    } else {
+      type = DidType(wt);
+      type.role = types.RoleType.ROLE_APPLICATION;
+      chainInfo = getChainInfo({});
+    }
+
+    const typeStr = DidType.toJSON(type);
+    if (isEthereumType(type)) {
+      chainInfo.type = 'ethereum';
+      chainInfo.id = '1';
+    }
+
+    const result = {
+      mfa: !process.env.DID_CONNECT_MFA_DISABLED,
+      description: description[locale] || description.en,
+      moniker: (urlFriendly(slugify(appName)) || 'application').toLowerCase(),
+      declare: !!declare,
+      chainInfo,
+      migrateFrom,
+      targetType: {
+        role: typeStr.role?.split('_').pop()?.toLowerCase(),
+        key: typeStr.pk?.toLowerCase(),
+        hash: typeStr.hash?.toLowerCase(),
+        encoding: typeStr.address?.toLowerCase(),
+      },
+    };
+
+    return result;
+  };
+
+const getRotateKeyPairClaims = (node) => {
+  return [
+    {
+      authPrincipal: async ({ extraParams: { locale, appDid } }) => {
+        const description = {
+          en: 'Please create a new key-pair for this application',
+          zh: '请为应用创建新的钥匙对',
+        };
+
+        let chainInfo = { host: 'none', id: 'none', type: 'arcblock' };
+
+        if (!appDid) {
+          throw new Error(messages.missingBlockletDid[locale]);
+        }
+
+        const blocklet = await node.getBlocklet({ did: appDid, attachRuntimeInfo: false });
+        if (!blocklet) {
+          throw new Error(messages.invalidBlocklet[locale]);
+        }
+        if (blocklet.structVersion !== APP_STRUCT_VERSION) {
+          throw new Error(messages.invalidAppVersion[locale]);
+        }
+
+        // Try to use blocklet chain config if possible
+        // Since migration happens on the chain the app holds some actual assets
+        // We must ensure it happens on that chain
+        chainInfo = getChainInfo(blocklet.configObj);
+
+        // Fallback to main chain, since it is the default registry for all DID
+        if (chainInfo.host === 'none') {
+          chainInfo = { host: MAIN_CHAIN_ENDPOINT, id: 'main', type: 'arcblock' };
+        }
+
+        return {
+          chainInfo,
+          description: description[locale] || description.en,
+          target: blocklet.appDid,
+        };
+      },
+    },
+    {
+      keyPair: getKeyPairClaim(node),
+    },
+  ];
+};
+
+const getLaunchBlockletClaims = (node, authMethod) => {
+  const claims = {
+    blockletAppKeypair: ['keyPair', getKeyPairClaim(node)],
+  };
+
+  if (authMethod === 'vc') {
+    claims.serverPassport = ['verifiableCredential', getAuthVcClaim({ node, launchBlocklet: true })];
+  }
+
+  if (authMethod === 'nft') {
+    claims.serverNFT = ['asset', getAuthNFTClaim({ node })];
+  }
+
+  return claims;
+};
+
+const getSetupBlockletClaims = () => {
+  const description = {
+    en: 'Sign following message to prove that you are the owner of the app',
+    zh: '签名如下消息以证明你是应用的拥有者',
+  };
+
+  return [
+    {
+      authPrincipal: async ({ context, extraParams: { locale } }) => {
+        const blocklet = await context.request.getBlocklet();
+        return {
+          description: description[locale] || description.en,
+          target: blocklet.appDid,
+        };
+      },
+    },
+    {
+      signature: async ({ context, extraParams: { locale } }) => {
+        const blocklet = await context.request.getBlocklet();
+        return {
+          description: messages.receivePassport[locale],
+          data: `I am the owner of app ${blocklet.appDid}`,
+          type: 'mime:text/plain',
+        };
+      },
+    },
+  ];
+};
+
+const getOwnershipNFTClaim = async (node, locale) => {
+  const info = await node.getNodeInfo();
+  if (!info.ownerNft || !info.ownerNft.issuer) {
+    throw new Error(messages.noNft[locale]);
+  }
+
+  const tag = get(info, 'launcher.tag', '');
+  const chainHost = get(info, 'launcher.chainHost', '');
+  if (!tag) {
+    throw new Error(messages.noTag[locale]);
+  }
+  if (!chainHost) {
+    throw new Error(messages.noChainHost[locale]);
+  }
+
+  return {
+    description: messages.requestNft[locale],
+    trustedIssuers: [info.ownerNft.issuer],
+    tag, // tag is an unique identifier for the server in launcher
+  };
+};
+
+const getServerlessNFTClaim = async (node, nftId, locale) => {
+  const info = await node.getNodeInfo();
+  if (!info.ownerNft || !info.ownerNft.issuer) {
+    throw new Error(messages.noNft[locale]);
+  }
+
+  const chainHost = get(info, 'launcher.chainHost', '');
+
+  if (!chainHost) {
+    throw new Error(messages.noChainHost[locale]);
+  }
+
+  return {
+    description: messages.requestServerlessNFT[locale],
+    trustedIssuers: [info.ownerNft.issuer],
+    address: nftId,
+  };
+};
+
+const ensureBlockletPermission = async ({
+  authMethod,
+  node,
+  userDid,
+  claims,
+  challenge,
+  locale,
+  blocklet,
+  isAuth,
+  chainHost,
+  allowedRoles = ['owner', 'admin', 'member'],
+}) => {
+  let result;
+  if (authMethod === 'vc') {
+    result = await authenticateByVc({
+      node,
+      userDid,
+      claims,
+      challenge,
+      requireNodeInitialized: false,
+      locale,
+      launchBlocklet: true,
+      blocklet,
+    });
+  } else if (authMethod === 'nft') {
+    result = await authenticateByNFT({
+      node,
+      locale,
+      userDid,
+      claims,
+      challenge,
+      isAuth,
+      chainHost,
+    });
+  } else {
+    result = await authenticateBySession({
+      node,
+      userDid,
+      locale,
+      allowedRoles,
+    });
+  }
+
+  const { teamDid, role } = result;
+  const permissions = await node.getPermissionsByRole({ teamDid, role: { name: role } });
+  if (!permissions.some((item) => ['mutate_blocklets'].includes(item.name))) {
+    throw new Error(messages.notAuthorized[locale]);
+  }
+
+  return result;
+};
+
+const createLaunchBlockletHandler =
+  (node, authMethod) =>
+  async ({ claims, challenge, userDid, updateSession, req, extraParams }) => {
+    const { locale, blockletMetaUrl, title, description, chainHost } = extraParams;
+    logger.info('createLaunchBlockletHandler', extraParams);
+
+    const keyPair = claims.find((x) => x.type === 'keyPair');
+    if (!keyPair) {
+      logger.error('app keyPair must be provided');
+      throw new Error(messages.missingKeyPair[locale]);
+    }
+
+    if (!blockletMetaUrl && !title && !description) {
+      logger.error('blockletMetaUrl | title + description must be provided');
+      throw new Error(messages.missingBlockletUrl[locale]);
+    }
+
+    if (authMethod === 'nft' && !chainHost) {
+      logger.error('chainHost must be provided');
+      throw new Error(messages.missingChainHost[locale]);
+    }
+
+    let blocklet;
+    if (blockletMetaUrl) {
+      blocklet = await node.getBlockletMetaFromUrl({ url: blockletMetaUrl, checkPrice: true });
+      if (!blocklet.meta) {
+        throw new Error(messages.invalidBlocklet[locale]);
+      }
+
+      if (!blocklet.isFree) {
+        if (isEmpty(extraParams?.previousWorkflowData?.downloadTokenList)) {
+          logger.error('downloadTokenList must be provided');
+          throw new Error(messages.invalidParams[locale]);
+        }
+      }
+    }
+
+    const { role, passport, user, extra, nft } = await ensureBlockletPermission({
+      authMethod,
+      node,
+      userDid,
+      claims,
+      challenge,
+      locale,
+      isAuth: false,
+      chainHost,
+      blocklet,
+    });
+
+    let controller;
+
+    let sessionToken = '';
+    if (authMethod === 'vc') {
+      sessionToken = createAuthToken({
+        did: userDid,
+        passport,
+        role,
+        secret,
+        expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+      });
+    }
+    if (authMethod === 'nft') {
+      if (role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER) {
+        controller = extra.controller;
+        sessionToken = createBlockletControllerAuthToken({
+          did: userDid,
+          role,
+          controller,
+          secret,
+          expiresIn: EXTERNAL_LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+        });
+      } else {
+        sessionToken = createAuthTokenByOwnershipNFT({
+          did: userDid,
+          role,
+          secret,
+          expiresIn: LAUNCH_BLOCKLET_TOKEN_EXPIRE,
+        });
+      }
+    }
+
+    if (sessionToken) {
+      await updateSession({ sessionToken }, true);
+    }
+
+    const appSk = toHex(keyPair.secret);
+    const appDid = getApplicationWallet(appSk).address;
+    await updateSession({ appDid });
+
+    if (blocklet) {
+      // 检查是否已安装，这里不做升级的处理
+      const existedBlocklet = await node.getBlocklet({ did: appDid, attachRuntimeInfo: false });
+
+      // 如果是 serverless, 并且已经消费过了，但是没有安装，则抛出异常
+      if (!existedBlocklet && role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER && isNFTConsumed(nft)) {
+        throw new Error(messages.nftAlreadyConsume[locale]);
+      }
+
+      if (existedBlocklet) {
+        await updateSession({ isInstalled: true });
+        logger.info('blocklet already exists', { appDid });
+        return;
+      }
+    }
+
+    logger.info('start install blocklet', { blockletMetaUrl, title, description });
+    await node.installBlocklet(
+      {
+        url: blockletMetaUrl,
+        title,
+        description,
+        appSk,
+        delay: 1000 * 4, // delay 4 seconds to download, wait for ws connection from frontend
+        downloadTokenList: extraParams?.previousWorkflowData?.downloadTokenList,
+        controller: role === SERVER_ROLES.EXTERNAL_BLOCKLET_CONTROLLER ? controller : null,
+      },
+      formatContext(Object.assign(req, { user: { ...pick(user, ['did', 'fullName']), role } }))
+    );
+  };
+
+const getBlockletPermissionChecker =
+  (node, allowedRoles = ['owner', 'admin', 'member']) =>
+  async ({ userDid, extraParams }) => {
+    const { locale = 'en', connectedDid } = extraParams;
+
+    if (!connectedDid || userDid !== connectedDid) {
+      throw new Error(
+        {
+          en: 'Please use current connected wallet to install blocklet',
+          zh: '请使用当前登录的钱包来安装应用',
+        }[locale]
+      );
+    }
+
+    const info = await node.getNodeInfo();
+    const user = await getUser(node, info.did, userDid);
+    const passport = (user.passports || []).find((x) => x.status === 'valid' && allowedRoles.includes(x.role));
+    if (!passport) {
+      throw new Error(
+        {
+          en: 'You do not have permission to install blocklets on this server',
+          zh: '你无权在此节点上安装应用',
+        }[locale]
+      );
+    }
+  };
+
+const createRotateKeyPairHandler =
+  (node) =>
+  async ({ claims, userDid, req, extraParams }) => {
+    const { locale, appDid } = extraParams;
+    logger.info('createRotateKeyPairHandler', extraParams);
+
+    const keyPair = claims.find((x) => x.type === 'keyPair');
+    if (!keyPair) {
+      logger.error('app keyPair must be provided');
+      throw new Error(messages.missingKeyPair[locale]);
+    }
+
+    if (!appDid) {
+      logger.error('appDid must be provided');
+      throw new Error(messages.missingBlockletDid[locale]);
+    }
+
+    const blocklet = await node.getBlocklet({ did: appDid, attachRuntimeInfo: false });
+    if (!blocklet) {
+      throw new Error(messages.invalidBlocklet[locale]);
+    }
+
+    // Only the blocklet owner(identified by appDid) can rotate key pair
+    if (blocklet.appDid !== userDid) {
+      throw new Error(
+        {
+          zh: `只有 应用DID 所有者（${blocklet.appDid}）可以修改钥匙对. 当前用户：${userDid}`,
+          en: `Only the owner of AppDID (${blocklet.appDid}) can rotate key pair. Current User: ${userDid}`,
+        }[locale]
+      );
+    }
+
+    await node.configBlocklet(
+      {
+        did: blocklet.meta.did,
+        configs: [{ key: 'BLOCKLET_APP_SK', value: toHex(keyPair.secret), secure: true }],
+        skipHook: true,
+      },
+      formatContext(Object.assign(req, { user: { did: userDid, fullName: 'Owner', role: 'owner' } }))
+    );
+  };
+
+module.exports = {
+  getAuthVcClaim,
+  getKeyPairClaim,
+  authenticateByVc,
+  authenticateByNFT,
+  authenticateBySession,
+  getRotateKeyPairClaims,
+  getOwnershipNFTClaim,
+  getLaunchBlockletClaims,
+  createLaunchBlockletHandler,
+  createRotateKeyPairHandler,
+  ensureBlockletPermission,
+  getBlockletPermissionChecker,
+  getSetupBlockletClaims,
+  getTrustedIssuers,
+  getServerlessNFTClaim,
+};