@adobe/helix-config-storage 1.12.0 → 1.14.0

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [1.14.0](https://github.com/adobe/helix-config-storage/compare/v1.13.0...v1.14.0) (2024-12-19)
+
+
+### Features
+
+* secrets store ([1aaf99e](https://github.com/adobe/helix-config-storage/commit/1aaf99e8cd7e41b51ada2f46b4961d2fc2ee26af)), closes [#21](https://github.com/adobe/helix-config-storage/issues/21)
+
+# [1.13.0](https://github.com/adobe/helix-config-storage/compare/v1.12.0...v1.13.0) (2024-12-16)
+
+
+### Features
+
+* remove clientCertDN ([#73](https://github.com/adobe/helix-config-storage/issues/73)) ([20dafca](https://github.com/adobe/helix-config-storage/commit/20dafcaf34cf18d3c1cdc096775b315ee4c76ceb))
+
 # [1.12.0](https://github.com/adobe/helix-config-storage/compare/v1.11.0...v1.12.0) (2024-12-11)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-config-storage",
-  "version": "1.12.0",
+  "version": "1.14.0",
   "description": "Helix Config Storage",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -41,12 +41,12 @@
     "@semantic-release/git": "10.0.1",
     "@semantic-release/npm": "12.0.1",
     "ajv-cli": "5.0.0",
-    "c8": "10.1.2",
+    "c8": "10.1.3",
     "eslint": "8.57.1",
     "husky": "9.1.7",
     "json-schema-to-typescript": "15.0.3",
     "junit-report-builder": "5.1.1",
-    "lint-staged": "15.2.10",
+    "lint-staged": "15.2.11",
     "mocha": "11.0.1",
     "mocha-multi-reporters": "1.5.1",
     "mocha-suppress-logs": "0.5.1",

package/src/config-merge.js

@@ -34,6 +34,7 @@ const ROOT_PROPERTIES = {
   robots: {},
   extends: {},
   tokens: {},
+  secrets: {},
   public: {},
   groups: {},
 };

package/src/config-store.js

@@ -10,6 +10,7 @@
  * governing permissions and limitations under the License.
  */
 /* eslint-disable no-param-reassign */
+import crypto from 'crypto';
 import { isDeepStrictEqual } from 'util';
 import { HelixStorage } from '@adobe/helix-shared-storage';
 import { StatusCodeError } from './status-code-error.js';
@@ -18,7 +19,7 @@ import {
   migrateToken,
   updateCodeSource,
   updateContentSource,
-  deepGetOrCreate, deepPut,
+  deepGetOrCreate, deepPut, prune, createSecret, migrateSecret,
 } from './utils.js';
 import { validate as validateSchema } from './config-validator.js';
 import { getMergedConfig } from './config-merge.js';
@@ -36,6 +37,13 @@ const FRAGMENTS_COMMON = {
     preview: 'object',
     live: 'object',
   },
+  secrets: {
+    '.': 'secrets',
+    '.param': {
+      name: 'id',
+      '.': 'secret',
+    },
+  },
   access: {
     '.': 'object',
     site: 'object',
@@ -84,6 +92,13 @@ const FRAGMENTS = {
   },
   profiles: FRAGMENTS_COMMON,
   org: {
+    secrets: {
+      '.': 'secrets',
+      '.param': {
+        name: 'id',
+        '.': 'secret',
+      },
+    },
     tokens: {
       '.': 'tokens',
       '.param': {
@@ -112,16 +127,23 @@ const FRAGMENTS = {
   },
 };
 
-export function getFragmentInfo(type, relPath) {
+/**
+ * Returns the fragment info for a given type and relative path.
+ * @param {string} type
+ * @param {string|array} relPath
+ * @returns {{relPath}|null}
+ */
+export function getFragmentInfo(type, relPath = '') {
   if (!relPath) {
     return null;
   }
-  const parts = relPath.split('/');
+  relPath = relPath.split('/');
   let fragment = FRAGMENTS[type];
   const info = {
     relPath,
+    name: relPath[relPath.length - 1],
   };
-  for (const part of parts) {
+  for (const part of relPath) {
     let next = fragment[part];
     if (next === '*') {
       fragment = '*';
@@ -145,22 +167,25 @@ export function getFragmentInfo(type, relPath) {
 }
 
 /**
- * Redact / transform the token config
+ * Redact / transform the secret config
  * @param token
  */
-function redactToken(token) {
-  return {
+function redactSecret(token) {
+  return prune({
     id: token.id,
+    type: token.type,
     created: token.created,
-  };
+    lastModified: token.lastModified,
+    description: token.description,
+  });
 }
 
 /**
- * Redact / transform the tokens config
+ * Redact / transform the secrets config
  * @param tokens
  */
-function redactTokens(tokens) {
-  return Object.values(tokens).map(redactToken);
+function redactSecrets(tokens) {
+  return Object.values(tokens).map(redactSecret);
 }
 
 /**
@@ -173,19 +198,52 @@ function redact(config, frag) {
     return config;
   }
   let ret = config;
-  if (frag?.type === 'tokens') {
-    ret = redactTokens(config);
-  }
-  if (frag?.type === 'token') {
-    ret = redactToken(config);
-  }
-  if (ret.tokens) {
+  if (frag?.type === 'secrets' || frag?.type === 'tokens') {
+    ret = redactSecrets(config);
+  } else if (frag?.type === 'secret' || frag?.type === 'token') {
+    ret = redactSecret(config);
+  } else if (ret.secrets) {
+    // eslint-disable-next-line no-param-reassign
+    ret.secrets = redactSecrets(ret.secrets);
+  } else if (ret.tokens) {
     // eslint-disable-next-line no-param-reassign
-    ret.tokens = redactTokens(ret.tokens);
+    ret.tokens = redactSecrets(ret.tokens);
   }
   return ret;
 }
 
+/**
+ * Updates a secret based on its type. if type is 'key' the value is updated.
+ * @param {string} type
+ * @param {string} id
+ * @param {object} oldData
+ * @param {object} data
+ * @returns {object} the updated secret data
+ */
+function updateSecret(type, id, oldData, data) {
+  oldData.type = type;
+  oldData.id = id;
+  const now = new Date().toISOString();
+
+  // keep the description if missing in data
+  if ('description' in data) {
+    oldData.description = data.description;
+  }
+
+  // handle value specifically, as we don't allow deletion
+  if (type === 'key' && data.value) {
+    oldData.value = data.value;
+    oldData.lastModified = now;
+  }
+  if (!oldData.created) {
+    oldData.created = now;
+  }
+  if (!oldData.lastModified) {
+    oldData.lastModified = oldData.created;
+  }
+  return prune(oldData);
+}
+
 /**
  * General purpose config store.
  */
@@ -321,6 +379,9 @@ export class ConfigStore {
     if (data.tokens) {
       throw new StatusCodeError(400, 'creating config with tokens not supported yet.');
     }
+    if (data.secrets) {
+      throw new StatusCodeError(400, 'creating config with secrets not supported yet.');
+    }
     if (this.type === 'org' && data.users) {
       throw new StatusCodeError(400, 'creating org config with users is not supported yet.');
     }
@@ -367,12 +428,12 @@ export class ConfigStore {
     }
 
     let ret = null;
-    if (!config && frag?.type !== 'tokens') {
+    if (!config && frag?.type !== 'secrets' && frag?.type !== 'tokens') {
       throw new StatusCodeError(400, 'no config in body.');
     }
     if (frag) {
       if (!old) {
-        if (this.type === 'profiles' && frag.type === 'tokens') {
+        if (this.type === 'profiles' && (frag.type === 'tokens' || frag.type === 'secrets')) {
           old = {};
         } else {
           throw new StatusCodeError(404, 'config not found.');
@@ -396,11 +457,53 @@ export class ConfigStore {
         };
         // don't store token value in the config
         delete data.value;
-        relPath = ['tokens', token.id];
+        frag.name = token.id;
         frag.type = 'token';
+        frag.relPath.push(frag.name);
         ret = token;
         // don't expose hash in return value
         delete ret.hash;
+      }
+      if (frag.type === 'secrets') {
+        // create new secret with random id
+        frag.name = crypto.randomBytes(32).toString('base64url');
+        frag.type = 'secret';
+        frag.relPath.push(frag.name);
+      }
+      if (frag.type === 'secret') {
+        const oldData = deepGetOrCreate(old, frag.relPath);
+        if (oldData) {
+          if (oldData.type === 'hashed') {
+            data = updateSecret('hashed', frag.name, oldData, data);
+          } else {
+            data = updateSecret('key', frag.name, oldData, data);
+          }
+        } else {
+          if (data.value) {
+            data = updateSecret('key', frag.name, { id: frag.name }, data);
+          } else {
+            // TODO: remove support after all helix4 projects are migrated
+            let token;
+            if (data.jwt) {
+              token = await migrateSecret(this.org, data.jwt);
+              frag.name = token.id;
+              frag.relPath.splice(-1, 1, token.id);
+            } else {
+              // create new token
+              token = createSecret(this.org, 'hlx', data);
+              token.id = frag.name;
+            }
+            data = {
+              ...token,
+            };
+            // don't store token value in the config
+            delete data.value;
+            ret = token;
+            // don't expose hash in return value
+            delete ret.hash;
+          }
+          data = prune(data);
+        }
       } else if (frag.type === 'users') {
         // todo: define via "schema"
         if (!old.users) {
@@ -421,11 +524,12 @@ export class ConfigStore {
             ...data,
             ...user,
           };
-          relPath = ['users', user.id];
+          frag.name = user.id;
+          frag.relPath.push(user.id);
           frag.type = 'user';
         }
       } else if (frag.type === 'user') {
-        const user = deepGetOrCreate(old, relPath);
+        const user = deepGetOrCreate(old, frag.relPath);
         if (!user) {
           throw new StatusCodeError(404, 'object not found.');
         }
@@ -437,13 +541,14 @@ export class ConfigStore {
           data.id = user.id;
         }
       }
-      config = deepPut(old, relPath, data);
+      config = deepPut(old, frag.relPath, data);
     }
 
     if (this.type !== 'org') {
       updateContentSource(ctx, config.content);
       updateCodeSource(ctx, config.code);
     }
+
     let oldConfig = buf ? JSON.parse(buf) : null;
     config.created = oldConfig?.created;
     this.#updateTimeStamps(config);

package/src/config-validator.js

@@ -33,6 +33,7 @@ import headersSchema from './schemas/headers.schema.cjs';
 import markupSchema from './schemas/content-source-markup.schema.cjs';
 import metadataSchema from './schemas/metadata-source.schema.cjs';
 import orgAccessSchema from './schemas/org-access.schema.cjs';
+import secretsSchema from './schemas/secrets.schema.cjs';
 import orgSchema from './schemas/org.schema.cjs';
 import onedriveSchema from './schemas/content-source-onedrive.schema.cjs';
 import publicSchema from './schemas/public.schema.cjs';
@@ -47,13 +48,18 @@ import userSchema from './schemas/user.schema.cjs';
 import usersSchema from './schemas/users.schema.cjs';
 
 export const SCHEMAS = [
-  accessSchema,
   accessAdminSchema,
+  accessSchema,
   accessSiteSchema,
+  cdnProdAkamaiSchema,
+  cdnProdCloudflareSchema,
+  cdnProdCloudfrontSchema,
+  cdnProdFastlySchema,
+  cdnProdManagedSchema,
   cdnSchema,
+  codeSchema,
   commonSchema,
   contentSchema,
-  codeSchema,
   eventsSchema,
   foldersSchema,
   googleSchema,
@@ -61,24 +67,20 @@ export const SCHEMAS = [
   headersSchema,
   markupSchema,
   metadataSchema,
-  orgSchema,
-  orgAccessSchema,
   onedriveSchema,
-  publicSchema,
+  orgAccessSchema,
+  orgSchema,
   profileSchema,
   profilesSchema,
+  publicSchema,
   robotsSchema,
+  secretsSchema,
   sidekickSchema,
   siteSchema,
   sitesSchema,
   tokensSchema,
   userSchema,
   usersSchema,
-  cdnProdFastlySchema,
-  cdnProdCloudflareSchema,
-  cdnProdAkamaiSchema,
-  cdnProdManagedSchema,
-  cdnProdCloudfrontSchema,
 ];
 
 const SCHEMA_TYPES = {

package/src/schemas/access-site.schema.json

@@ -12,15 +12,16 @@
         "type": "string"
       }
     },
-    "apiKeyId": {
-      "description": "IDs of the api keys (tokens) that are allowed.",
+    "secretId": {
+      "description": "IDs of the org secrets (tokens) that are allowed.",
       "type": "array",
       "items": {
         "type": "string"
       }
     },
-    "clientCertDN": {
-      "description": "the DNs of the client certificates that are allowed.",
+    "apiKeyId": {
+      "description": "IDs of the api keys (tokens) that are allowed. This is deprecated. use `secretId` instead.",
+      "deprecated": true,
       "type": "array",
       "items": {
         "type": "string"

package/src/schemas/org-access.schema.json

@@ -9,7 +9,7 @@
       "type": "object",
       "properties": {
         "apiKeyId": {
-          "description": "the id of the API key(s). this is used to validate the API KEYS and allows to invalidate them.",
+          "description": "the id of the API key(s) that are allowed to access this org (admin).",
           "type": "array",
           "items": {
             "type": "string"

package/src/schemas/org.schema.json

@@ -20,6 +20,9 @@
     "groups": {
       "$ref": "https://ns.adobe.com/helix/config/groups"
     },
+    "secrets": {
+      "$ref": "https://ns.adobe.com/helix/config/secrets"
+    },
     "tokens": {
       "$ref": "https://ns.adobe.com/helix/config/tokens"
     },

package/src/schemas/profile.schema.json

@@ -35,6 +35,9 @@
     "tokens": {
       "$ref": "https://ns.adobe.com/helix/config/tokens"
     },
+    "secrets": {
+      "$ref": "https://ns.adobe.com/helix/config/secrets"
+    },
     "groups": {
       "$ref": "https://ns.adobe.com/helix/config/groups"
     },

package/src/schemas/secrets.schema.cjs

@@ -0,0 +1,12 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+module.exports = require('./secrets.schema.json');

package/src/schemas/secrets.schema.json

@@ -0,0 +1,86 @@
+{
+  "$comment": "https://github.com/adobe/helix-config/blob/main/LICENSE.txt",
+  "$schema": "https://json-schema.org/draft/2019-09/schema",
+  "$id": "https://ns.adobe.com/helix/config/secrets",
+  "title": "Secrets",
+  "type": "object",
+  "description": "Defines organization level secrets.",
+  "patternProperties": {
+    "^[a-zA-Z0-9-_=]+$": {
+      "oneOf": [
+        {
+          "type": "object",
+          "properties": {
+            "hash": {
+              "type": "string",
+              "pattern": "^[a-zA-Z0-9-_=]+$"
+            },
+            "id": {
+              "type": "string",
+              "pattern": "^[a-zA-Z0-9-_=]+$"
+            },
+            "type": {
+              "type": "string",
+              "enum": ["hashed", "key"]
+            },
+            "created": {
+              "type": "string",
+              "format": "date-time"
+            },
+            "lastModified": {
+              "type": "string",
+              "format": "date-time"
+            },
+            "description": {
+              "type": "string"
+            }
+          },
+          "required": [
+            "hash",
+            "id",
+            "type",
+            "created",
+            "lastModified"
+          ],
+          "additionalProperties": false
+        },
+        {
+          "type": "object",
+          "properties": {
+            "value": {
+              "type": "string"
+            },
+            "id": {
+              "type": "string",
+              "pattern": "^[a-zA-Z0-9-_=]+$"
+            },
+            "type": {
+              "type": "string",
+              "enum": ["hashed", "key"]
+            },
+            "created": {
+              "type": "string",
+              "format": "date-time"
+            },
+            "lastModified": {
+              "type": "string",
+              "format": "date-time"
+            },
+            "description": {
+              "type": "string"
+            }
+          },
+          "required": [
+            "value",
+            "id",
+            "type",
+            "created",
+            "lastModified"
+          ],
+          "additionalProperties": false
+        }
+      ]
+    }
+  },
+  "additionalProperties": false
+}

package/src/schemas/site.schema.json

@@ -41,6 +41,9 @@
     "tokens": {
       "$ref": "https://ns.adobe.com/helix/config/tokens"
     },
+    "secrets": {
+      "$ref": "https://ns.adobe.com/helix/config/secrets"
+    },
     "groups": {
       "$ref": "https://ns.adobe.com/helix/config/groups"
     },

package/src/schemas/tokens.schema.json

@@ -4,6 +4,8 @@
   "$id": "https://ns.adobe.com/helix/config/tokens",
   "title": "tokens",
   "type": "object",
+  "deprecated": true,
+  "description": "site tokens. deprecated: use the org secrets instead.",
   "patternProperties": {
     "^[a-zA-Z0-9-_=]+$": {
       "type": "object",

package/src/utils.js

@@ -111,6 +111,30 @@ export function updateCodeSource(ctx, code) {
   return modified;
 }
 
+/**
+ * prunes a structure recursively by removing all empty values.
+ * @param obj
+ * @param path
+ * @returns {*}
+ */
+export function prune(obj, path = '') {
+  for (const key of Object.keys(obj)) {
+    const itemPath = `${path}.${key}`;
+    const prop = obj[key];
+    if ((prop === undefined || prop === '')) {
+      delete obj[key];
+    } else if (Array.isArray(prop)) {
+      // ignore
+    } else if (typeof prop === 'object') {
+      prune(prop, itemPath);
+      if (Object.keys(prop).length === 0) {
+        delete obj[key];
+      }
+    }
+  }
+  return obj;
+}
+
 /**
  * Creates a random token and hashes it with the given key
  * @param {string} key
@@ -135,6 +159,33 @@ export function createToken(key, pfx = 'hlx') {
   };
 }
 
+/**
+ * Creates a random token and hashes it with the given key
+ * @param {string} key
+ * @param {string} [pfx='hlx'] the prefix of the token
+ * @param {object} [data] additional token data.
+ * @returns {object} the token
+ */
+export function createSecret(key, pfx = 'hlx', data = {}) {
+  const secret = crypto.randomBytes(32).toString('base64url');
+  const value = `${pfx}_${secret}`;
+  const hash = crypto
+    .createHmac('sha512', key)
+    .update(value, 'utf-8')
+    .digest()
+    .toString('base64url');
+  const created = new Date().toISOString();
+  return prune({
+    type: 'hashed',
+    value,
+    hash,
+    created,
+    lastModified: created,
+    title: data.title,
+    description: data.description,
+  });
+}
+
 export function createUser() {
   const id = crypto.randomBytes(16).toString('base64url');
   return {
@@ -176,6 +227,19 @@ export async function migrateToken(key, jwt) {
   };
 }
 
+/**
+ * migrates an existing jwt token
+ * @param key
+ * @param jwt
+ * @returns {Promise<object>}
+ */
+export async function migrateSecret(key, jwt) {
+  const token = await migrateToken(key, jwt);
+  token.type = 'hashed';
+  token.lastModified = new Date().toISOString();
+  return token;
+}
+
 /**
  * Returns the property addressed by the given path in the object.
  * If {@code create} is {@code true}, intermediate objects will be created if they do not exist.

package/types/org-config.d.ts

@@ -16,6 +16,14 @@ export type Users = User[];
 
 export interface HelixOrgConfig {
   version: 1;
+  /**
+   * the date and time this configuration was created.
+   */
+  created: string;
+  /**
+   * the date and time this configuration was modified last.
+   */
+  lastModified: string;
   /**
    * human readable title. has no influence on the configuration.
    */
@@ -27,6 +35,7 @@ export interface HelixOrgConfig {
   users?: Users;
   groups?: Groups;
   tokens?: Tokens;
+  access?: OrgAccessConfig;
 }
 export interface User {
   id: string;
@@ -61,3 +70,11 @@ export interface Tokens {
     created?: string;
   };
 }
+export interface OrgAccessConfig {
+  admin?: {
+    /**
+     * the id of the API key(s). this is used to validate the API KEYS and allows to invalidate them.
+     */
+    apiKeyId?: string[];
+  };
+}

package/types/profile-config.d.ts

@@ -22,6 +22,14 @@ export interface HelixProfileConfig {
    * description for clarity. has no influence on the configuration.
    */
   description?: string;
+  /**
+   * the date and time this configuration was created.
+   */
+  created: string;
+  /**
+   * the date and time this configuration was modified last.
+   */
+  lastModified: string;
   content?: ContentSource;
   code?: CodeSource;
   folders?: Folders;
@@ -34,6 +42,7 @@ export interface HelixProfileConfig {
   metadata?: Metadata;
   robots?: Robots;
   public?: Public;
+  events?: EventsConfig;
 }
 /**
  * Defines the content bus location and source.
@@ -49,6 +58,9 @@ export interface ContentSource {
   description?: string;
   contentBusId: string;
   source: GoogleContentSource | OnedriveContentSource | MarkupContentSource;
+  /**
+   * Overlay from a BYOM source. Previewing resources will try the overlay source first. Please note, that the overlay config is tied to the base content and not to the site config. I.e. it's not possible to have multiple sites with different overlays on the same base content.
+   */
   overlay?: MarkupContentSource;
 }
 export interface GoogleContentSource {
@@ -90,6 +102,10 @@ export interface CodeSource {
   source: {
     type: 'github';
     url: string;
+    raw_url?: string;
+    secretId?: string;
+    owner?: string;
+    repo?: string;
   };
   [k: string]: unknown;
 }
@@ -103,7 +119,7 @@ export interface Folders {
 export interface HelixHeadersConfig {
   /**
    * This interface was referenced by `HelixHeadersConfig`'s JSON-Schema definition
-   * via the `patternProperty` "^/[a-zA-Z0-9-/.]*\*{0,2}$".
+   * via the `patternProperty` "^[a-zA-Z0-9-/._*]+$".
    */
   [k: string]: KeyValuePair[];
 }
@@ -249,13 +265,13 @@ export interface Role {
 }
 export interface SiteAccessConfig {
   /**
-   * IDs of the api keys (tokens) that are allowed.
+   * The email glob of the users or a group reference that are allowed access
    */
-  apiKeyId?: string[];
+  allow?: string[];
   /**
-   * the DNs of the client certificates that are allowed.
+   * IDs of the api keys (tokens) that are allowed.
    */
-  clientCertDN?: string[];
+  apiKeyId?: string[];
 }
 export interface Tokens {
   /**
@@ -367,3 +383,8 @@ export interface Robots {
 export interface Public {
   [k: string]: unknown;
 }
+export interface EventsConfig {
+  github: {
+    target: string;
+  };
+}

package/types/site-config.d.ts

@@ -26,6 +26,14 @@ export interface HelixSiteConfig {
    * description for clarity. has no influence on the configuration.
    */
   description?: string;
+  /**
+   * the date and time this configuration was created.
+   */
+  created: string;
+  /**
+   * the date and time this configuration was modified last.
+   */
+  lastModified: string;
   content: ContentSource;
   code: CodeSource;
   folders?: Folders;
@@ -38,6 +46,7 @@ export interface HelixSiteConfig {
   metadata?: Metadata;
   robots?: Robots;
   public?: Public;
+  events?: EventsConfig;
   extends?: {
     profile?: string;
   };
@@ -56,6 +65,9 @@ export interface ContentSource {
   description?: string;
   contentBusId: string;
   source: GoogleContentSource | OnedriveContentSource | MarkupContentSource;
+  /**
+   * Overlay from a BYOM source. Previewing resources will try the overlay source first. Please note, that the overlay config is tied to the base content and not to the site config. I.e. it's not possible to have multiple sites with different overlays on the same base content.
+   */
   overlay?: MarkupContentSource;
 }
 export interface GoogleContentSource {
@@ -97,6 +109,10 @@ export interface CodeSource {
   source: {
     type: 'github';
     url: string;
+    raw_url?: string;
+    secretId?: string;
+    owner?: string;
+    repo?: string;
   };
   [k: string]: unknown;
 }
@@ -110,7 +126,7 @@ export interface Folders {
 export interface HelixHeadersConfig {
   /**
    * This interface was referenced by `HelixHeadersConfig`'s JSON-Schema definition
-   * via the `patternProperty` "^/[a-zA-Z0-9-/.]*\*{0,2}$".
+   * via the `patternProperty` "^[a-zA-Z0-9-/._*]+$".
    */
   [k: string]: KeyValuePair[];
 }
@@ -256,13 +272,13 @@ export interface Role {
 }
 export interface SiteAccessConfig {
   /**
-   * IDs of the api keys (tokens) that are allowed.
+   * The email glob of the users or a group reference that are allowed access
    */
-  apiKeyId?: string[];
+  allow?: string[];
   /**
-   * the DNs of the client certificates that are allowed.
+   * IDs of the api keys (tokens) that are allowed.
    */
-  clientCertDN?: string[];
+  apiKeyId?: string[];
 }
 export interface Tokens {
   /**
@@ -374,3 +390,8 @@ export interface Robots {
 export interface Public {
   [k: string]: unknown;
 }
+export interface EventsConfig {
+  github: {
+    target: string;
+  };
+}

package/validate-json-schemas.sh

@@ -22,6 +22,7 @@ npx ajv-cli --spec=draft2019 -c ajv-formats compile \
 -s src/schemas/metadata-source.schema.json \
 -s src/schemas/user.schema.json \
 -s src/schemas/users.schema.json \
+-s src/schemas/secrets.schema.json \
 -s src/schemas/tokens.schema.json \
 -s src/schemas/org-access.schema.json \
 -s src/schemas/org.schema.json \