@adobe/helix-config 2.8.0 → 2.10.0

package/.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+# [2.10.0](https://github.com/adobe/helix-config/compare/v2.9.0...v2.10.0) (2024-04-26)
+
+
+### Features
+
+* add support to migrate jwt api keys ([#59](https://github.com/adobe/helix-config/issues/59)) ([04adf04](https://github.com/adobe/helix-config/commit/04adf04c975ee38840a56f81aac8a1609959298a))
+
+# [2.9.0](https://github.com/adobe/helix-config/compare/v2.8.0...v2.9.0) (2024-04-25)
+
+
+### Features
+
+* add token support ([d8e25f5](https://github.com/adobe/helix-config/commit/d8e25f58ae8b083f9fa2970d84e5ab6f03c26372)), closes [#42](https://github.com/adobe/helix-config/issues/42)
+
 # [2.8.0](https://github.com/adobe/helix-config/compare/v2.7.1...v2.8.0) (2024-04-24)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-config",
-  "version": "2.8.0",
+  "version": "2.10.0",
   "description": "Helix Config",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -15,7 +15,7 @@
     "docs:types": "node ./test/dev/generate-types.js",
     "semantic-release": "semantic-release",
     "semantic-release-dry": "semantic-release --dry-run --branches $CI_BRANCH",
-    "prepare": "husky install"
+    "prepare": "husky"
   },
   "repository": {
     "type": "git",
@@ -68,6 +68,7 @@
     "@smithy/node-http-handler": "2.5.0",
     "ajv": "8.12.0",
     "ajv-formats": "3.0.1",
+    "jose": "5.2.4",
     "mime": "4.0.1"
   }
 }

package/src/config-view.js

@@ -72,12 +72,30 @@ export function canonicalArrayString(root, partition, prop) {
 /**
  * Returns the normalized access configuration for the give partition.
  */
-export function getAccessConfig(access, partition) {
-  return {
+export function getAccessConfig(config, partition) {
+  const { access, tokens = {} } = config;
+  const apiKeyId = toArray(access[partition]?.apiKeyId ?? access.apiKeyId);
+  const cfg = {
     allow: toArray(access[partition]?.allow ?? access.allow),
-    apiKeyId: toArray(access[partition]?.apiKeyId ?? access.apiKeyId),
+    apiKeyId,
+    tokenHash: apiKeyId
+      // token ids are always stored in base64url format, but legacy apiKeyIds are not
+      .map((jti) => jti.replaceAll('/', '_').replaceAll('+', '-'))
+      .map((id) => tokens[id]?.hash)
+      .filter((hash) => !!hash),
     clientCertDN: toArray(access[partition]?.clientCertDN ?? access.clientCertDN),
   };
+  // if an allow is defined but no apiKeyId, create a fake one so that auth is still
+  // enforced. later we can remove the allow and the apiKeyId in favor of the tokenHash
+  if (cfg.allow.length && !cfg.apiKeyId.length) {
+    cfg.apiKeyId.push('fake');
+  }
+  // if an apiKeyId is defined but no tokenHash, create a fake one so that auth is still
+  // enforced.
+  if (cfg.apiKeyId.length && !cfg.tokenHash.length) {
+    cfg.tokenHash.push('n/a');
+  }
+  return cfg;
 }
 
 /**
@@ -211,8 +229,8 @@ export async function getConfigResponse(ctx, opts) {
     // normalize access config
     const { admin = {} } = config.access;
     config.access = {
-      preview: getAccessConfig(config.access, 'preview'),
-      live: getAccessConfig(config.access, 'live'),
+      preview: getAccessConfig(config, 'preview'),
+      live: getAccessConfig(config, 'live'),
       // access.require.repository ?
     };
     if (opts.scope === SCOPE_ADMIN || opts.scope === SCOPE_RAW) {
@@ -241,13 +259,20 @@ export async function getConfigResponse(ctx, opts) {
         'x-hlx-auth-allow-preview': canonicalArrayString(config.access, 'preview', 'allow'),
         'x-hlx-auth-apikey-preview': canonicalArrayString(config.access, 'preview', 'apiKeyId'),
         'x-hlx-auth-clientdn-preview': canonicalArrayString(config.access, 'preview', 'clientCertDN'),
+        'x-hlx-auth-hash-preview': canonicalArrayString(config.access, 'preview', 'tokenHash'),
         'x-hlx-auth-allow-live': canonicalArrayString(config.access, 'live', 'allow'),
         'x-hlx-auth-apikey-live': canonicalArrayString(config.access, 'live', 'apiKeyId'),
         'x-hlx-auth-clientdn-live': canonicalArrayString(config.access, 'live', 'clientCertDN'),
+        'x-hlx-auth-hash-live': canonicalArrayString(config.access, 'live', 'tokenHash'),
       },
     });
   }
 
+  // delete token hashes
+  delete config.tokens;
+  delete config.access?.preview?.tokenHash;
+  delete config.access?.live?.tokenHash;
+
   if (opts.scope === SCOPE_ADMIN) {
     const adminConfig = {
       ...rso,
@@ -288,7 +313,6 @@ export async function getConfigResponse(ctx, opts) {
       repo: config.code.repo,
       ...rso,
       contentBusId: config.content.contentBusId,
-      access: config.access,
       headers: config.headers,
       head: config.head,
       metadata: config.metadata,

package/src/schemas/access-site.schema.json

@@ -15,15 +15,8 @@
   "title": "Site Access Config",
   "type": "object",
   "properties": {
-    "allow": {
-      "description": "The email glob of the users that are allowed.",
-      "type": "array",
-      "items": {
-        "type": "string"
-      }
-    },
     "apiKeyId": {
-      "description": "IDs of the api keys that are allowed.",
+      "description": "IDs of the api keys (tokens) that are allowed.",
       "type": "array",
       "items": {
         "type": "string"

package/src/schemas/profile.schema.json

@@ -49,6 +49,9 @@
     },
     "robots": {
       "$ref": "https://ns.adobe.com/helix/config/robots"
+    },
+    "tokens": {
+      "$ref": "https://ns.adobe.com/helix/config/tokens"
     }
   },
   "required": [

package/src/schemas/site.schema.json

@@ -54,6 +54,9 @@
     },
     "robots": {
       "$ref": "https://ns.adobe.com/helix/config/robots"
+    },
+    "tokens": {
+      "$ref": "https://ns.adobe.com/helix/config/tokens"
     }
   },
   "required": [

package/src/schemas/tokens.schema.cjs

@@ -0,0 +1,12 @@
+/*
+ * Copyright 2024 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+module.exports = require('./tokens.schema.json');

package/src/schemas/tokens.schema.json

@@ -0,0 +1,38 @@
+{
+  "meta:license": [
+    "Copyright 2024 Adobe. All rights reserved.",
+    "This file is licensed to you under the Apache License, Version 2.0 (the \"License\");",
+    "you may not use this file except in compliance with the License. You may obtain a copy",
+    "of the License at http://www.apache.org/licenses/LICENSE-2.0",
+    "",
+    "Unless required by applicable law or agreed to in writing, software distributed under",
+    "the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS",
+    "OF ANY KIND, either express or implied. See the License for the specific language",
+    "governing permissions and limitations under the License."
+  ],
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://ns.adobe.com/helix/config/tokens",
+  "title": "tokens",
+  "type": "object",
+  "patternProperties": {
+    "^[a-zA-Z0-9-_=]+$": {
+      "type": "object",
+      "properties": {
+        "id": {
+          "type": "string",
+          "pattern": "^[a-zA-Z0-9-_=]+$"
+        },
+        "hash": {
+          "type": "string",
+          "pattern": "^[a-zA-Z0-9-_=]+$"
+        },
+        "created": {
+          "type": "string",
+          "format": "date-time"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  "additionalProperties": false
+}

package/src/storage/config-store.js

@@ -9,37 +9,124 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
+/* eslint-disable no-param-reassign */
 import { HelixStorage } from './storage.js';
 import { StatusCodeError } from './status-code-error.js';
 import {
+  createToken,
   jsonGet,
   jsonPut,
+  migrateToken,
   updateCodeSource,
   updateContentSource,
 } from './utils.js';
 import { validate } from './config-validator.js';
 
-const FRAGMENTS = {
-  sites: {
-    content: 'object',
-    code: 'object',
-    folders: 'object',
-    headers: 'object',
-    metadata: 'object',
-    sidekick: 'object',
-    cdn: 'object',
-    'cdn/prod': 'object',
-    'cdn/preview': 'object',
-    'cdn/live': 'object',
-    access: 'object',
-    'access/admin': 'object',
-    'access/preview': 'object',
-    'access/live': 'object',
-    public: 'object',
-    robots: 'object',
+const FRAGMENTS_COMMON = {
+  content: 'object',
+  code: 'object',
+  folders: 'object',
+  headers: 'object',
+  metadata: 'object',
+  sidekick: 'object',
+  cdn: {
+    '.': 'object',
+    prod: 'object',
+    preview: 'object',
+    live: 'object',
+  },
+  access: {
+    '.': 'object',
+    admin: 'object',
+    preview: 'object',
+    live: 'object',
+  },
+  public: 'object',
+  robots: 'object',
+  tokens: {
+    '.': 'tokens',
+    '.param': {
+      name: 'id',
+      '.': 'token',
+    },
   },
 };
 
+const FRAGMENTS = {
+  sites: FRAGMENTS_COMMON,
+  profiles: FRAGMENTS_COMMON,
+};
+
+export function getFragmentInfo(type, relPath) {
+  if (!relPath) {
+    return null;
+  }
+  const parts = relPath.split('/');
+  let fragment = FRAGMENTS[type];
+  const info = {
+    relPath,
+  };
+  for (const part of parts) {
+    let next = fragment[part];
+    if (!next) {
+      next = fragment['.param'];
+      if (!next) {
+        throw new StatusCodeError(400, 'invalid object path.');
+      }
+      info[next.name] = part;
+    }
+    fragment = next;
+  }
+  if (typeof fragment === 'string') {
+    info.type = fragment;
+  } else {
+    info.type = fragment['.'];
+  }
+  return info;
+}
+
+/**
+ * Redact / transform the token config
+ * @param token
+ */
+function redactToken(token) {
+  return {
+    id: token.id,
+    created: token.created,
+  };
+}
+
+/**
+ * Redact / transform the tokens config
+ * @param tokens
+ */
+function redactTokens(tokens) {
+  return Object.values(tokens).map(redactToken);
+}
+
+/**
+ * redact information from the config
+ * @param {object} config
+ * @param {object} frag
+ */
+function redact(config, frag) {
+  if (!config) {
+    return config;
+  }
+  let ret = config;
+  if (frag?.type === 'tokens') {
+    ret = redactTokens(config);
+  }
+  if (frag?.type === 'token') {
+    ret = redactToken(config);
+  }
+  if (ret.tokens) {
+    // eslint-disable-next-line no-param-reassign
+    ret.tokens = redactTokens(ret.tokens);
+  }
+  return ret;
+}
+
 /**
  * General purpose config store.
  */
@@ -86,42 +173,61 @@ export class ConfigStore {
       return null;
     }
     let obj = JSON.parse(buf);
-    if (relPath) {
-      const fragment = FRAGMENTS[this.type][relPath];
-      if (!fragment) {
-        throw new StatusCodeError(400, 'invalid object path.');
-      }
-      obj = jsonGet(obj, relPath);
+    const frag = getFragmentInfo(this.type, relPath);
+    if (frag) {
+      obj = jsonGet(obj, frag.relPath);
     }
-    return obj;
+    return redact(obj, frag);
   }
 
   async update(ctx, data, relPath = '') {
     const storage = HelixStorage.fromContext(ctx).configBus();
     const buf = await storage.get(this.key);
     const old = buf ? JSON.parse(buf) : null;
-    if (relPath) {
+    const frag = getFragmentInfo(this.type, relPath);
+    let config = data;
+    let ret = null;
+    if (frag) {
       if (!old) {
         throw new StatusCodeError(404, 'config not found.');
       }
-      const fragment = FRAGMENTS[this.type][relPath];
-      if (!fragment) {
-        throw new StatusCodeError(400, 'invalid object path.');
-      }
       if (relPath === 'code') {
         updateCodeSource(ctx, data);
       } else if (relPath === 'content') {
         updateContentSource(ctx, data);
+      } else if (frag.type === 'token') {
+        // don't allow to update individual token
+        throw new StatusCodeError(400, 'invalid object path.');
+      } else if (frag.type === 'tokens') {
+        // TODO: remove support after all helix4 projects are migrated
+        let token;
+        if (data.jwt) {
+          token = await migrateToken(this.org, data.jwt);
+        } else {
+          // create new token
+          token = createToken(this.org);
+        }
+
+        data = {
+          ...token,
+        };
+        // don't store token value in the config
+        delete data.value;
+        relPath = ['tokens', token.id];
+        frag.type = 'token';
+        ret = token;
+        // don't expose hash in return value
+        delete ret.hash;
       }
-      // eslint-disable-next-line no-param-reassign
-      data = jsonPut(JSON.parse(buf), relPath, data);
+      config = jsonPut(old, relPath, data);
     } else {
-      updateContentSource(ctx, data.content);
-      updateCodeSource(ctx, data.code);
+      updateContentSource(ctx, config.content);
+      updateCodeSource(ctx, config.code);
     }
-    await validate(data, this.type);
-    await storage.put(this.key, JSON.stringify(data), 'application/json');
-    await this.purge(ctx, old, data);
+    await validate(config, this.type);
+    await storage.put(this.key, JSON.stringify(config), 'application/json');
+    await this.purge(ctx, buf ? JSON.parse(buf) : null, config);
+    return ret ?? redact(data, frag);
   }
 
   async remove(ctx, relPath) {
@@ -130,11 +236,8 @@ export class ConfigStore {
     if (!buf) {
       throw new StatusCodeError(404, 'config not found.');
     }
-    if (relPath) {
-      const fragment = FRAGMENTS[this.type][relPath];
-      if (!fragment) {
-        throw new StatusCodeError(400, 'invalid object path.');
-      }
+    const frag = getFragmentInfo(this.type, relPath);
+    if (frag) {
       const data = jsonPut(JSON.parse(buf), relPath, null);
       await validate(data, this.type);
       await storage.put(this.key, JSON.stringify(data), 'application/json');

package/src/storage/config-validator.js

@@ -29,6 +29,7 @@ import profileSchema from '../schemas/profile.schema.cjs';
 import robotsSchema from '../schemas/robots.schema.cjs';
 import sidekickSchema from '../schemas/sidekick.schema.cjs';
 import siteSchema from '../schemas/site.schema.cjs';
+import tokensSchema from '../schemas/tokens.schema.cjs';
 
 const SCHEMAS = [
   accessSchema,
@@ -47,6 +48,7 @@ const SCHEMAS = [
   robotsSchema,
   sidekickSchema,
   siteSchema,
+  tokensSchema,
 ];
 
 const SCHEMA_TYPES = {

package/src/storage/utils.js

@@ -12,13 +12,15 @@
 /* eslint-disable no-param-reassign */
 import crypto from 'crypto';
 import { GitUrl } from '@adobe/helix-shared-git';
+import { decodeJwt } from 'jose';
+import { StatusCodeError } from './status-code-error.js';
 
 export function jsonGet(obj, path) {
   return path.split('/').reduce((o, p) => o[p], obj);
 }
 
 export function jsonPut(obj, path, value) {
-  const parts = path.split('/');
+  const parts = Array.isArray(path) ? path : path.split('/');
   const last = parts.pop();
   const parent = parts.reduce((o, p) => {
     if (!(p in o)) {
@@ -111,3 +113,60 @@ export function updateCodeSource(ctx, code) {
   }
   return modified;
 }
+
+/**
+ * Creates a random token and hashes it with the given key
+ * @param {string} key
+ * @returns {object} the token
+ */
+export function createToken(key) {
+  const secret = crypto.randomBytes(32).toString('base64url');
+  const value = `hlx_${secret}`;
+  const hash = crypto
+    .createHmac('sha512', key)
+    .update(value, 'utf-8')
+    .digest()
+    .toString('base64url');
+  const id = crypto.createHash('sha256').update(hash).digest().toString('base64url');
+  const created = new Date().toISOString();
+  return {
+    id,
+    value,
+    hash,
+    created,
+  };
+}
+
+/**
+ * migrates an existing jwt token
+ * @param key
+ * @param jwt
+ * @returns {Promise<object>}
+ */
+export async function migrateToken(key, jwt) {
+  let payload;
+  try {
+    payload = await decodeJwt(jwt);
+  } catch (e) {
+    throw new StatusCodeError(400, `unable to migrate jwt: ${e.message}`);
+  }
+  const { jti } = payload;
+  if (!jti) {
+    throw new StatusCodeError(400, 'unable to migrate jwt: missing jti claim.');
+  }
+  const id = jti
+    .replaceAll('/', '_')
+    .replaceAll('+', '-');
+  const hash = crypto
+    .createHmac('sha512', key)
+    .update(jwt, 'utf-8')
+    .digest()
+    .toString('base64url');
+  const created = new Date().toISOString();
+  return {
+    id,
+    value: jwt,
+    hash,
+    created,
+  };
+}

package/types/profile-config.d.ts

@@ -32,6 +32,7 @@ export interface HelixProfileConfig {
   sidekick?: SidekickConfig;
   metadata?: Metadata;
   robots?: Robots;
+  tokens?: Tokens;
 }
 /**
  * Defines the content bus location and source.
@@ -223,11 +224,7 @@ export interface Role {
 }
 export interface SiteAccessConfig {
   /**
-   * The email glob of the users that are allowed.
-   */
-  allow?: string[];
-  /**
-   * IDs of the api keys that are allowed.
+   * IDs of the api keys (tokens) that are allowed.
    */
   apiKeyId?: string[];
   /**
@@ -251,3 +248,14 @@ export interface Metadata {
 export interface Robots {
   txt?: string;
 }
+export interface Tokens {
+  /**
+   * This interface was referenced by `Tokens`'s JSON-Schema definition
+   * via the `patternProperty` "^[a-zA-Z0-9-_=]+$".
+   */
+  [k: string]: {
+    id?: string;
+    hash?: string;
+    created?: string;
+  };
+}

package/types/site-config.d.ts

@@ -35,6 +35,7 @@ export interface HelixSiteConfig {
   sidekick?: SidekickConfig;
   metadata?: Metadata;
   robots?: Robots;
+  tokens?: Tokens;
 }
 /**
  * Defines the content bus location and source.
@@ -226,11 +227,7 @@ export interface Role {
 }
 export interface SiteAccessConfig {
   /**
-   * The email glob of the users that are allowed.
-   */
-  allow?: string[];
-  /**
-   * IDs of the api keys that are allowed.
+   * IDs of the api keys (tokens) that are allowed.
    */
   apiKeyId?: string[];
   /**
@@ -254,3 +251,14 @@ export interface Metadata {
 export interface Robots {
   txt?: string;
 }
+export interface Tokens {
+  /**
+   * This interface was referenced by `Tokens`'s JSON-Schema definition
+   * via the `patternProperty` "^[a-zA-Z0-9-_=]+$".
+   */
+  [k: string]: {
+    id?: string;
+    hash?: string;
+    created?: string;
+  };
+}