@authsec/sdk 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +253 -0
- package/dist/ciba.d.ts +47 -0
- package/dist/ciba.d.ts.map +1 -0
- package/dist/ciba.js +172 -0
- package/dist/ciba.js.map +1 -0
- package/dist/config.d.ts +32 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +92 -0
- package/dist/config.js.map +1 -0
- package/dist/decorators.d.ts +59 -0
- package/dist/decorators.d.ts.map +1 -0
- package/dist/decorators.js +142 -0
- package/dist/decorators.js.map +1 -0
- package/dist/http.d.ts +19 -0
- package/dist/http.d.ts.map +1 -0
- package/dist/http.js +156 -0
- package/dist/http.js.map +1 -0
- package/dist/index.d.ts +47 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +69 -0
- package/dist/index.js.map +1 -0
- package/dist/mcp-server.d.ts +42 -0
- package/dist/mcp-server.d.ts.map +1 -0
- package/dist/mcp-server.js +353 -0
- package/dist/mcp-server.js.map +1 -0
- package/dist/rbac.d.ts +12 -0
- package/dist/rbac.d.ts.map +1 -0
- package/dist/rbac.js +130 -0
- package/dist/rbac.js.map +1 -0
- package/dist/service-access.d.ts +31 -0
- package/dist/service-access.d.ts.map +1 -0
- package/dist/service-access.js +82 -0
- package/dist/service-access.js.map +1 -0
- package/dist/spiffe/index.d.ts +4 -0
- package/dist/spiffe/index.d.ts.map +1 -0
- package/dist/spiffe/index.js +10 -0
- package/dist/spiffe/index.js.map +1 -0
- package/dist/spiffe/proto/workload.proto +126 -0
- package/dist/spiffe/quick-start-svid.d.ts +74 -0
- package/dist/spiffe/quick-start-svid.d.ts.map +1 -0
- package/dist/spiffe/quick-start-svid.js +191 -0
- package/dist/spiffe/quick-start-svid.js.map +1 -0
- package/dist/spiffe/workload-api-client.d.ts +71 -0
- package/dist/spiffe/workload-api-client.d.ts.map +1 -0
- package/dist/spiffe/workload-api-client.js +355 -0
- package/dist/spiffe/workload-api-client.js.map +1 -0
- package/dist/spiffe/workload-svid.d.ts +44 -0
- package/dist/spiffe/workload-svid.d.ts.map +1 -0
- package/dist/spiffe/workload-svid.js +137 -0
- package/dist/spiffe/workload-svid.js.map +1 -0
- package/dist/types.d.ts +95 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +23 -0
- package/dist/types.js.map +1 -0
- package/package.json +45 -0
- package/src/spiffe/proto/workload.proto +126 -0
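--- /dev/null
+++ b/package/dist/spiffe/index.js
@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WorkloadSVID = exports.QuickStartSVID = exports.WorkloadAPIClient = void 0;
+var workload_api_client_js_1 = require("./workload-api-client.js");
+Object.defineProperty(exports, "WorkloadAPIClient", { enumerable: true, get: function () { return workload_api_client_js_1.WorkloadAPIClient; } });
+var quick_start_svid_js_1 = require("./quick-start-svid.js");
+Object.defineProperty(exports, "QuickStartSVID", { enumerable: true, get: function () { return quick_start_svid_js_1.QuickStartSVID; } });
+var workload_svid_js_1 = require("./workload-svid.js");
+Object.defineProperty(exports, "WorkloadSVID", { enumerable: true, get: function () { return workload_svid_js_1.WorkloadSVID; } });
+//# sourceMappingURL=index.js.map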
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/spiffe/index.ts"],"names":[],"mappings":";;;AAAA,mEAA6D;AAApD,2HAAA,iBAAiB,OAAA;AAC1B,6DAAuD;AAA9C,qHAAA,cAAc,OAAA;AACvB,uDAAkD;AAAzC,gHAAA,YAAY,OAAA"}
|
|
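--- /dev/null
+++ b/package/dist/spiffe/proto/workload.proto
@@ -0,0 +1,126 @@
+// SPIFFE Workload API
+// Based on: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md
+
+syntax = "proto3";
+
+package spiffe.workload;
+
+option go_package = "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload;workload";
+
+// SpiffeWorkloadAPI provides methods for workloads to retrieve their SPIFFE identities
+service SpiffeWorkloadAPI {
+// Fetch X.509-SVID - Workloads subscribe to this RPC to receive X.509 SVIDs
+// SVIDs are streamed to the workload and automatically updated before expiry
+rpc FetchX509SVID(X509SVIDRequest) returns (stream X509SVIDResponse);
+
+// Fetch X.509 bundles - Returns trust bundles for federated trust domains
+rpc FetchX509Bundles(X509BundlesRequest) returns (stream X509BundlesResponse);
+
+// Validate JWT-SVID - Validates a JWT-SVID token
+rpc ValidateJWTSVID(ValidateJWTSVIDRequest) returns (ValidateJWTSVIDResponse);
+
+// Fetch JWT-SVID - Fetches a JWT-SVID with specified audience
+rpc FetchJWTSVID(JWTSVIDRequest) returns (JWTSVIDResponse);
+
+// Fetch JWT bundles
+rpc FetchJWTBundles(JWTBundlesRequest) returns (stream JWTBundlesResponse);
+}
+
+// X.509-SVID Request
+message X509SVIDRequest {
+// Empty - workload is identified by Unix socket peer credentials
+}
+
+// X.509-SVID Response
+message X509SVIDResponse {
+// List of X.509 SVIDs
+repeated X509SVID svids = 1;
+
+// X.509 certificate bundles (trust bundles)
+// Key is trust domain name (e.g., "example.org")
+map<string, bytes> crl = 2;
+
+// Federated bundles (trust bundles for federated trust domains)
+map<string, bytes> federated_bundles = 3;
+}
+
+// X.509 SVID
+message X509SVID {
+// SPIFFE ID
+string spiffe_id = 1;
+
+// X.509 certificate (PEM encoded)
+bytes x509_svid = 2;
+
+// Private key (PEM encoded)
+bytes x509_svid_key = 3;
+
+// Certificate bundle (PEM encoded)
+bytes bundle = 4;
+}
+
+// X.509 Bundles Request
+message X509BundlesRequest {
+// Empty
+}
+
+// X.509 Bundles Response
+message X509BundlesResponse {
+// X.509 certificate bundles
+// Key is trust domain name
+map<string, bytes> bundles = 1;
+}
+
+// JWT-SVID Request
+message JWTSVIDRequest {
+// Audience for JWT
+repeated string audience = 1;
+
+// SPIFFE ID (optional - defaults to workload's default identity)
+string spiffe_id = 2;
+}
+
+// JWT-SVID Response
+message JWTSVIDResponse {
+// List of JWT SVIDs
+repeated JWTSVID svids = 1;
+}
+
+// JWT SVID
+message JWTSVID {
+// SPIFFE ID
+string spiffe_id = 1;
+
+// JWT token
+string svid = 2;
+}
+
+// JWT Bundles Request
+message JWTBundlesRequest {
+// Empty
+}
+
+// JWT Bundles Response
+message JWTBundlesResponse {
+// JWT bundles (JWKS)
+// Key is trust domain name
+map<string, bytes> bundles = 1;
+}
+
+// Validate JWT-SVID Request
+message ValidateJWTSVIDRequest {
+// JWT token to validate
+string svid = 1;
+
+// Expected audience
+string audience = 2;
+}
+
+// Validate JWT-SVID Response
+message ValidateJWTSVIDResponse {
+// SPIFFE ID extracted from validated token
+string spiffe_id = 1;
+
+// Claims from validated token
+map<string, string> claims = 2;
+}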
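Review bot: Field 2 of `X509SVIDResponse` is named `crl` but its comment describes it as "trust bundles" keyed by trust domain, and in the upstream SPIFFE Workload API proto this file cites, tag 2 is `repeated bytes crl = 2;` (a list of CRLs) while the workload's own trust bundle is carried in `X509SVID.bundle` (tag 4); if the intent is to talk to a real SPIRE agent, as the QuickStartSVID docs say, a `map<string, bytes>` at tag 2 will not decode the agent's response correctly, so the field should be `repeated bytes crl = 2;` and the comment corrected. The `(PEM encoded)` comments on `x509_svid`, `x509_svid_key` and `bundle` also disagree with the standard, which specifies ASN.1 DER for the certificate chain, PKCS#8 DER for the key and DER for the bundle — if the client treats these bytes as PEM text, parsing will fail against a real agent (the decoding code is not in this hunk, so I cannot confirm how it handles them). The upstream schema likewise types `ValidateJWTSVIDResponse.claims` as `google.protobuf.Struct` rather than `map<string, string>`, so nested or non-string claims would be mis-decoded by this definition.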
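--- /dev/null
+++ b/package/dist/spiffe/quick-start-svid.d.ts
@@ -0,0 +1,74 @@
+/**
+* QuickStartSVID - Simplified SPIRE SVID integration (singleton)
+* Mirrors Python QuickStartSVID from spire_sdk.py
+*
+* Connects directly to SPIRE agent via gRPC and fetches X.509-SVIDs.
+* Provides automatic certificate renewal every 30 minutes.
+*/
+import * as tls from 'node:tls';
+export declare class QuickStartSVID {
+private static instance;
+private static initPromise;
+private svid;
+private grpcClient;
+private renewalTimer;
+private running;
+private constructor();
+/**
+* Initialize SPIRE workload identity (singleton pattern).
+*
+* This method:
+* 1. Connects to SPIRE agent via gRPC
+* 2. Fetches X.509-SVID from agent
+* 3. Writes certificates to disk
+* 4. Starts automatic renewal (every 30 minutes)
+*
+* @param socketPath Path to SPIRE agent socket
+* @param certDir Directory to store certificates (default: /tmp/spiffe-certs)
+* @returns QuickStartSVID instance with SVID ready for mTLS
+*/
+static initialize(socketPath?: string, certDir?: string): Promise<QuickStartSVID>;
+/**
+* Get the singleton instance (must call initialize() first).
+*/
+static get(): Promise<QuickStartSVID>;
+private fetch;
+private renewSvid;
+/** Get SPIFFE ID */
+get spiffeId(): string;
+/** Get certificate PEM */
+get certificate(): string;
+/** Get private key PEM */
+get privateKey(): string;
+/** Get trust bundle PEM */
+get trustBundle(): string;
+/** Get certificate file path */
+get certFilePath(): string | null;
+/** Get private key file path */
+get keyFilePath(): string | null;
+/** Get CA bundle file path */
+get caFilePath(): string | null;
+/**
+* Create TLS options for server.
+* Returns options suitable for `https.createServer(options, app)`.
+*/
+createTlsOptionsForServer(): tls.SecureContextOptions & {
+requestCert: boolean;
+rejectUnauthorized: boolean;
+};
+/**
+* Create TLS options for client.
+* Returns options suitable for `https.Agent(options)`.
+*/
+createTlsOptionsForClient(): tls.SecureContextOptions & {
+rejectUnauthorized: boolean;
+};
+/** Get certificate data as dict for easy passing to HTTP clients */
+getCertificateDict(): {
+cert: string;
+key: string;
+};
+/** Shutdown SVID renewal and gRPC client */
+shutdown(): Promise<void>;
+}
+//# sourceMappingURL=quick-start-svid.d.ts.map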
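Review bot: The doc comments on `createTlsOptionsForServer()` and `createTlsOptionsForClient()` expose `requestCert` and `rejectUnauthorized` in the return type but never say what they are set to, which is exactly what a caller needs to know before relying on these options for mutual authentication; the values are fixed in `WorkloadSVID` outside this file, so state them here, e.g. `Returns options with requestCert and rejectUnauthorized set to true, so the peer must present an SVID that chains to the trust bundle` (adjust if the implementation differs). The `initialize()` comment should also warn that the default `certDir` of `/tmp/spiffe-certs` puts the private key under a shared, world-writable directory, and that production callers should pass a directory private to the workload.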
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"quick-start-svid.d.ts","sourceRoot":"","sources":["../../src/spiffe/quick-start-svid.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAIhC,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAA+B;IACtD,OAAO,CAAC,MAAM,CAAC,WAAW,CAAwC;IAElE,OAAO,CAAC,IAAI,CAA6B;IACzC,OAAO,CAAC,UAAU,CAAkC;IACpD,OAAO,CAAC,YAAY,CAA+C;IACnE,OAAO,CAAC,OAAO,CAAS;IAExB,OAAO;IAEP;;;;;;;;;;;;OAYG;WACU,UAAU,CACrB,UAAU,GAAE,MAAwC,EACpD,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,CAAC;IAwB1B;;OAEG;WACU,GAAG,IAAI,OAAO,CAAC,cAAc,CAAC;YAO7B,KAAK;YAsCL,SAAS;IAmBvB,oBAAoB;IACpB,IAAI,QAAQ,IAAI,MAAM,CAGrB;IAED,0BAA0B;IAC1B,IAAI,WAAW,IAAI,MAAM,CAGxB;IAED,0BAA0B;IAC1B,IAAI,UAAU,IAAI,MAAM,CAGvB;IAED,2BAA2B;IAC3B,IAAI,WAAW,IAAI,MAAM,CAGxB;IAED,gCAAgC;IAChC,IAAI,YAAY,IAAI,MAAM,GAAG,IAAI,CAGhC;IAED,gCAAgC;IAChC,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAG/B;IAED,8BAA8B;IAC9B,IAAI,UAAU,IAAI,MAAM,GAAG,IAAI,CAG9B;IAED;;;OAGG;IACH,yBAAyB,IAAI,GAAG,CAAC,oBAAoB,GAAG;QAAE,WAAW,EAAE,OAAO,CAAC;QAAC,kBAAkB,EAAE,OAAO,CAAA;KAAE;IAK7G;;;OAGG;IACH,yBAAyB,IAAI,GAAG,CAAC,oBAAoB,GAAG;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE;IAKvF,oEAAoE;IACpE,kBAAkB,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE;IAQnD,4CAA4C;IACtC,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAehC"}
|
|
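--- /dev/null
+++ b/package/dist/spiffe/quick-start-svid.js
@@ -0,0 +1,191 @@
+"use strict";
+/**
+* QuickStartSVID - Simplified SPIRE SVID integration (singleton)
+* Mirrors Python QuickStartSVID from spire_sdk.py
+*
+* Connects directly to SPIRE agent via gRPC and fetches X.509-SVIDs.
+* Provides automatic certificate renewal every 30 minutes.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.QuickStartSVID = void 0;
+const workload_api_client_js_1 = require("./workload-api-client.js");
+const workload_svid_js_1 = require("./workload-svid.js");
+class QuickStartSVID {
+static instance = null;
+static initPromise = null;
+svid = null;
+grpcClient = null;
+renewalTimer = null;
+running = false;
+constructor() { }
+/**
+* Initialize SPIRE workload identity (singleton pattern).
+*
+* This method:
+* 1. Connects to SPIRE agent via gRPC
+* 2. Fetches X.509-SVID from agent
+* 3. Writes certificates to disk
+* 4. Starts automatic renewal (every 30 minutes)
+*
+* @param socketPath Path to SPIRE agent socket
+* @param certDir Directory to store certificates (default: /tmp/spiffe-certs)
+* @returns QuickStartSVID instance with SVID ready for mTLS
+*/
+static async initialize(socketPath = '/run/spire/sockets/agent.sock', certDir) {
+if (QuickStartSVID.instance) {
+return QuickStartSVID.instance;
+}
+// Prevent concurrent initialization
+if (QuickStartSVID.initPromise) {
+return QuickStartSVID.initPromise;
+}
+QuickStartSVID.initPromise = (async () => {
+const instance = new QuickStartSVID();
+await instance.fetch(socketPath, certDir);
+QuickStartSVID.instance = instance;
+return instance;
+})();
+try {
+return await QuickStartSVID.initPromise;
+}
+finally {
+QuickStartSVID.initPromise = null;
+}
+}
+/**
+* Get the singleton instance (must call initialize() first).
+*/
+static async get() {
+if (!QuickStartSVID.instance) {
+throw new Error('Call QuickStartSVID.initialize() first');
+}
+return QuickStartSVID.instance;
+}
+async fetch(socketPath, certDir) {
+console.log('Fetching SPIFFE SVID via gRPC...');
+try {
+this.grpcClient = new workload_api_client_js_1.WorkloadAPIClient({ socketPath });
+await this.grpcClient.connect();
+const success = await this.grpcClient.fetchX509SvidOnce();
+if (!success) {
+throw new Error('Failed to fetch SVID from agent');
+}
+this.svid = new workload_svid_js_1.WorkloadSVID({
+spiffeId: this.grpcClient.spiffeId,
+certificate: this.grpcClient.certificate,
+privateKey: this.grpcClient.privateKey,
+trustBundle: this.grpcClient.trustBundle,
+certDir,
+});
+console.log(`SVID initialized: ${this.svid.spiffeId}`);
+console.log('Certificates ready for mTLS');
+// Start automatic renewal (every 30 minutes)
+this.running = true;
+this.renewalTimer = setInterval(() => {
+this.renewSvid().catch((e) => {
+console.error(`SVID renewal failed: ${e.message ?? e}`);
+});
+}, 30 * 60 * 1000);
+console.log('Automatic SVID renewal enabled (30 min interval)');
+}
+catch (e) {
+console.error(`SVID initialization failed: ${e.message ?? e}`);
+throw new Error(`Failed to initialize SVID: ${e.message ?? e}`);
+}
+}
+async renewSvid() {
+if (!this.grpcClient) {
+throw new Error('gRPC client not available');
+}
+const success = await this.grpcClient.fetchX509SvidOnce();
+if (!success) {
+throw new Error('Failed to renew SVID from agent');
+}
+this.svid.refresh(this.grpcClient.certificate, this.grpcClient.privateKey, this.grpcClient.trustBundle);
+console.log('SVID renewed successfully');
+}
+/** Get SPIFFE ID */
+get spiffeId() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return this.svid.spiffeId;
+}
+/** Get certificate PEM */
+get certificate() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return this.svid.certificate;
+}
+/** Get private key PEM */
+get privateKey() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return this.svid.privateKey;
+}
+/** Get trust bundle PEM */
+get trustBundle() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return this.svid.trustBundle;
+}
+/** Get certificate file path */
+get certFilePath() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return this.svid.certFilePath;
+}
+/** Get private key file path */
+get keyFilePath() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return this.svid.keyFilePath;
+}
+/** Get CA bundle file path */
+get caFilePath() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return this.svid.caFilePath;
+}
+/**
+* Create TLS options for server.
+* Returns options suitable for `https.createServer(options, app)`.
+*/
+createTlsOptionsForServer() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return this.svid.createTlsOptionsForServer();
+}
+/**
+* Create TLS options for client.
+* Returns options suitable for `https.Agent(options)`.
+*/
+createTlsOptionsForClient() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return this.svid.createTlsOptionsForClient();
+}
+/** Get certificate data as dict for easy passing to HTTP clients */
+getCertificateDict() {
+if (!this.svid)
+throw new Error('SVID not initialized');
+return {
+cert: this.svid.certificate,
+key: this.svid.privateKey,
+};
+}
+/** Shutdown SVID renewal and gRPC client */
+async shutdown() {
+this.running = false;
+if (this.renewalTimer) {
+clearInterval(this.renewalTimer);
+this.renewalTimer = null;
+}
+if (this.grpcClient) {
+await this.grpcClient.disconnect();
+this.grpcClient = null;
+}
+console.log('SVID renewal stopped');
+}
+}
+exports.QuickStartSVID = QuickStartSVID;
+//# sourceMappingURL=quick-start-svid.js.map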
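Review bot: The renewal timer set in `fetch()` fires on a fixed `30 * 60 * 1000` cadence regardless of the SVID's actual lifetime, and a failed `renewSvid()` is only logged, so an agent configured with an X.509 TTL shorter than the usual hour, or one that is briefly unreachable, leaves this process presenting an expired certificate until the next tick. Schedule renewal from the certificate's own `notAfter` (about half the remaining lifetime, with a floor so a failed attempt is retried soon), or use the `startStreaming()` rotation that `WorkloadAPIClient` already exposes; the sketch below needs `const crypto = require("node:crypto");` at the top of the file and `clearTimeout` in `shutdown()`. `shutdown()` also never clears `QuickStartSVID.instance`, so a later `initialize()` or `get()` hands back the shut-down object whose getters keep serving the frozen `svid`; add `QuickStartSVID.instance = null;` next to `this.running = false;`.
```javascript
this.running = true;
this.scheduleRenewal();
// … unchanged: console.log lines …

scheduleRenewal() {
    if (!this.running || !this.svid) return;
    // Renew at half the remaining lifetime, never sooner than 30 s or later than 30 min.
    const notAfter = new Date(new crypto.X509Certificate(this.svid.certificate).validTo).getTime();
    const delay = Math.min(Math.max((notAfter - Date.now()) / 2, 30 * 1000), 30 * 60 * 1000);
    this.renewalTimer = setTimeout(() => {
        this.renewSvid()
            .catch((e) => console.error(`SVID renewal failed: ${e.message ?? e}`))
            .finally(() => this.scheduleRenewal());
    }, delay);
}
```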
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"quick-start-svid.js","sourceRoot":"","sources":["../../src/spiffe/quick-start-svid.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAGH,qEAA6D;AAC7D,yDAAkD;AAElD,MAAa,cAAc;IACjB,MAAM,CAAC,QAAQ,GAA0B,IAAI,CAAC;IAC9C,MAAM,CAAC,WAAW,GAAmC,IAAI,CAAC;IAE1D,IAAI,GAAwB,IAAI,CAAC;IACjC,UAAU,GAA6B,IAAI,CAAC;IAC5C,YAAY,GAA0C,IAAI,CAAC;IAC3D,OAAO,GAAG,KAAK,CAAC;IAExB,gBAAuB,CAAC;IAExB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,KAAK,CAAC,UAAU,CACrB,aAAqB,+BAA+B,EACpD,OAAgB;QAEhB,IAAI,cAAc,CAAC,QAAQ,EAAE,CAAC;YAC5B,OAAO,cAAc,CAAC,QAAQ,CAAC;QACjC,CAAC;QAED,oCAAoC;QACpC,IAAI,cAAc,CAAC,WAAW,EAAE,CAAC;YAC/B,OAAO,cAAc,CAAC,WAAW,CAAC;QACpC,CAAC;QAED,cAAc,CAAC,WAAW,GAAG,CAAC,KAAK,IAAI,EAAE;YACvC,MAAM,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAC;YACtC,MAAM,QAAQ,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC1C,cAAc,CAAC,QAAQ,GAAG,QAAQ,CAAC;YACnC,OAAO,QAAQ,CAAC;QAClB,CAAC,CAAC,EAAE,CAAC;QAEL,IAAI,CAAC;YACH,OAAO,MAAM,cAAc,CAAC,WAAW,CAAC;QAC1C,CAAC;gBAAS,CAAC;YACT,cAAc,CAAC,WAAW,GAAG,IAAI,CAAC;QACpC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,GAAG;QACd,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QACD,OAAO,cAAc,CAAC,QAAQ,CAAC;IACjC,CAAC;IAEO,KAAK,CAAC,KAAK,CAAC,UAAkB,EAAE,OAAgB;QACtD,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAEhD,IAAI,CAAC;YACH,IAAI,CAAC,UAAU,GAAG,IAAI,0CAAiB,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;YACxD,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YAEhC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,iBAAiB,EAAE,CAAC;YAC1D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACrD,CAAC;YAED,IAAI,CAAC,IAAI,GAAG,IAAI,+BAAY,CAAC;gBAC3B,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,QAAS;gBACnC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAY;gBACzC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,UAAW;gBACvC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,WAAY;gBACzC,OAAO;aACR,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YACvD,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YAE3C,6CAA6C;YAC7C,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;YACpB,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE;gBACnC,IAAI,CAAC,SAAS,
EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;oBAC3B,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC1D,CAAC,CAAC,CAAC;YACL,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAEnB,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;QAClE,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;YAC/D,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,iBAAiB,EAAE,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,IAAI,CAAC,IAAK,CAAC,OAAO,CAChB,IAAI,CAAC,UAAU,CAAC,WAAY,EAC5B,IAAI,CAAC,UAAU,CAAC,UAAW,EAC3B,IAAI,CAAC,UAAU,CAAC,WAAY,CAC7B,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;IAC3C,CAAC;IAED,oBAAoB;IACpB,IAAI,QAAQ;QACV,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;IAC5B,CAAC;IAED,0BAA0B;IAC1B,IAAI,WAAW;QACb,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;IAC/B,CAAC;IAED,0BAA0B;IAC1B,IAAI,UAAU;QACZ,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC;IAC9B,CAAC;IAED,2BAA2B;IAC3B,IAAI,WAAW;QACb,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;IAC/B,CAAC;IAED,gCAAgC;IAChC,IAAI,YAAY;QACd,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC;IAChC,CAAC;IAED,gCAAgC;IAChC,IAAI,WAAW;QACb,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC;IAC/B,CAAC;IAED,8BAA8B;IAC9B,IAAI,UAAU;QACZ,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACH,yBAAyB;QACvB,IAAI,CAAC,IAAI,CAAC,IAAI;Y
AAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,CAAC;IAC/C,CAAC;IAED;;;OAGG;IACH,yBAAyB;QACvB,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,CAAC;IAC/C,CAAC;IAED,oEAAoE;IACpE,kBAAkB;QAChB,IAAI,CAAC,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACxD,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;YAC3B,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU;SAC1B,CAAC;IACJ,CAAC;IAED,4CAA4C;IAC5C,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QAErB,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC;YACnC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACzB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACtC,CAAC;;AA1MH,wCA2MC"}
|
|
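--- /dev/null
+++ b/package/dist/spiffe/workload-api-client.d.ts
@@ -0,0 +1,71 @@
+/**
+* SPIFFE Workload API - gRPC Client
+* Mirrors Python WorkloadAPIClient
+*
+* Client library for workloads to fetch SVIDs from the gRPC Workload API.
+* Supports streaming X.509-SVIDs with automatic rotation.
+*/
+export declare class WorkloadAPIClient {
+private socketPath;
+private logger;
+spiffeId: string | null;
+certificate: string | null;
+privateKey: string | null;
+trustBundle: string | null;
+private client;
+private streamCall;
+private running;
+constructor(options?: {
+socketPath?: string;
+logger?: {
+info: Function;
+error: Function;
+debug: Function;
+};
+});
+/** Connect to the Workload API */
+connect(): Promise<void>;
+/** Disconnect from Workload API */
+disconnect(): Promise<void>;
+/** Build gRPC metadata from environment variables */
+private buildMetadata;
+/**
+* Fetch X.509-SVID once (single request/response).
+* @returns true if successful, false otherwise
+*/
+fetchX509SvidOnce(): Promise<boolean>;
+/**
+* Start streaming X.509-SVID updates.
+* @param onUpdate Optional callback called when SVID is updated
+*/
+startStreaming(onUpdate?: (client: WorkloadAPIClient) => Promise<void>): Promise<void>;
+/**
+* Fetch JWT-SVID.
+* @param audience List of audiences for the JWT
+* @param spiffeId Optional SPIFFE ID (defaults to workload's identity)
+* @returns JWT token or null
+*/
+fetchJwtSvid(audience: string[], spiffeId?: string): Promise<string | null>;
+/**
+* Validate JWT-SVID.
+* @param token JWT token to validate
+* @param audience Expected audience
+* @returns Validation result with spiffe_id and claims, or null if invalid
+*/
+validateJwtSvid(token: string, audience: string): Promise<{
+spiffeId: string;
+claims: Record<string, string>;
+} | null>;
+/**
+* Get mTLS configuration for HTTP clients.
+* @returns Object with cert, key, and caBundle, or null if not available
+*/
+getMtlsConfig(): {
+cert: string;
+key: string;
+caBundle: string;
+} | null;
+/** Check if SVID is available */
+hasSvid(): boolean;
+}
+//# sourceMappingURL=workload-api-client.d.ts.map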
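Review bot: `spiffeId`, `certificate`, `privateKey` and `trustBundle` are declared as public mutable fields, so any code holding the client can overwrite the trust bundle or key it later hands out through `getMtlsConfig()`; in the TypeScript source these should be `readonly` (or private fields behind getters) so identity material can only change through the Workload API path. The `logger` option is typed with the bare `Function` type, which accepts anything callable and checks nothing at the call sites; `(msg: string, ...args: unknown[]) => void` for each of `info`/`error`/`debug` is the usual shape. `fetchX509SvidOnce(): Promise<boolean>` and the `| null` returns also discard the failure cause, which is why the `QuickStartSVID` wrapper can only throw a generic 'Failed to fetch SVID from agent'; consider rejecting with the underlying gRPC error instead (this is a generated declaration file, so the change belongs in `src/spiffe/workload-api-client.ts`).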
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"workload-api-client.d.ts","sourceRoot":"","sources":["../../src/spiffe/workload-api-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAwBH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,MAAM,CAAuD;IAGrE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IAC/B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAQ;IAClC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAQ;IACjC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAQ;IAGlC,OAAO,CAAC,MAAM,CAAa;IAC3B,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,OAAO,CAAS;gBAEZ,OAAO,CAAC,EAAE;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE;YAAE,IAAI,EAAE,QAAQ,CAAC;YAAC,KAAK,EAAE,QAAQ,CAAC;YAAC,KAAK,EAAE,QAAQ,CAAA;SAAE,CAAC;KAC/D;IAUD,kCAAkC;IAC5B,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IA6B9B,mCAAmC;IAC7B,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAgBjC,qDAAqD;IACrD,OAAO,CAAC,aAAa;IAqDrB;;;OAGG;IACG,iBAAiB,IAAI,OAAO,CAAC,OAAO,CAAC;IAyD3C;;;OAGG;IACG,cAAc,CAClB,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,iBAAiB,KAAK,OAAO,CAAC,IAAI,CAAC,GACtD,OAAO,CAAC,IAAI,CAAC;IAuDhB;;;;;OAKG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAAE,EAClB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAqCzB;;;;;OAKG;IACG,eAAe,CACnB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IAkCvE;;;OAGG;IACH,aAAa,IAAI;QACf,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,QAAQ,EAAE,MAAM,CAAC;KAClB,GAAG,IAAI;IAYR,iCAAiC;IACjC,OAAO,IAAI,OAAO;CAGnB"}
|