@authsec/sdk 4.0.0

Files changed (56) hide show
  1. package/README.md +253 -0
  2. package/dist/ciba.d.ts +47 -0
  3. package/dist/ciba.d.ts.map +1 -0
  4. package/dist/ciba.js +172 -0
  5. package/dist/ciba.js.map +1 -0
  6. package/dist/config.d.ts +32 -0
  7. package/dist/config.d.ts.map +1 -0
  8. package/dist/config.js +92 -0
  9. package/dist/config.js.map +1 -0
  10. package/dist/decorators.d.ts +59 -0
  11. package/dist/decorators.d.ts.map +1 -0
  12. package/dist/decorators.js +142 -0
  13. package/dist/decorators.js.map +1 -0
  14. package/dist/http.d.ts +19 -0
  15. package/dist/http.d.ts.map +1 -0
  16. package/dist/http.js +156 -0
  17. package/dist/http.js.map +1 -0
  18. package/dist/index.d.ts +47 -0
  19. package/dist/index.d.ts.map +1 -0
  20. package/dist/index.js +69 -0
  21. package/dist/index.js.map +1 -0
  22. package/dist/mcp-server.d.ts +42 -0
  23. package/dist/mcp-server.d.ts.map +1 -0
  24. package/dist/mcp-server.js +353 -0
  25. package/dist/mcp-server.js.map +1 -0
  26. package/dist/rbac.d.ts +12 -0
  27. package/dist/rbac.d.ts.map +1 -0
  28. package/dist/rbac.js +130 -0
  29. package/dist/rbac.js.map +1 -0
  30. package/dist/service-access.d.ts +31 -0
  31. package/dist/service-access.d.ts.map +1 -0
  32. package/dist/service-access.js +82 -0
  33. package/dist/service-access.js.map +1 -0
  34. package/dist/spiffe/index.d.ts +4 -0
  35. package/dist/spiffe/index.d.ts.map +1 -0
  36. package/dist/spiffe/index.js +10 -0
  37. package/dist/spiffe/index.js.map +1 -0
  38. package/dist/spiffe/proto/workload.proto +126 -0
  39. package/dist/spiffe/quick-start-svid.d.ts +74 -0
  40. package/dist/spiffe/quick-start-svid.d.ts.map +1 -0
  41. package/dist/spiffe/quick-start-svid.js +191 -0
  42. package/dist/spiffe/quick-start-svid.js.map +1 -0
  43. package/dist/spiffe/workload-api-client.d.ts +71 -0
  44. package/dist/spiffe/workload-api-client.d.ts.map +1 -0
  45. package/dist/spiffe/workload-api-client.js +355 -0
  46. package/dist/spiffe/workload-api-client.js.map +1 -0
  47. package/dist/spiffe/workload-svid.d.ts +44 -0
  48. package/dist/spiffe/workload-svid.d.ts.map +1 -0
  49. package/dist/spiffe/workload-svid.js +137 -0
  50. package/dist/spiffe/workload-svid.js.map +1 -0
  51. package/dist/types.d.ts +95 -0
  52. package/dist/types.d.ts.map +1 -0
  53. package/dist/types.js +23 -0
  54. package/dist/types.js.map +1 -0
  55. package/package.json +45 -0
  56. package/src/spiffe/proto/workload.proto +126 -0
@@ -0,0 +1,355 @@
1
+ "use strict";
2
+ /**
3
+ * SPIFFE Workload API - gRPC Client
4
+ * Mirrors Python WorkloadAPIClient
5
+ *
6
+ * Client library for workloads to fetch SVIDs from the gRPC Workload API.
7
+ * Supports streaming X.509-SVIDs with automatic rotation.
8
+ */
9
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
10
+ if (k2 === undefined) k2 = k;
11
+ var desc = Object.getOwnPropertyDescriptor(m, k);
12
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
13
+ desc = { enumerable: true, get: function() { return m[k]; } };
14
+ }
15
+ Object.defineProperty(o, k2, desc);
16
+ }) : (function(o, m, k, k2) {
17
+ if (k2 === undefined) k2 = k;
18
+ o[k2] = m[k];
19
+ }));
20
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
21
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
22
+ }) : function(o, v) {
23
+ o["default"] = v;
24
+ });
25
+ var __importStar = (this && this.__importStar) || (function () {
26
+ var ownKeys = function(o) {
27
+ ownKeys = Object.getOwnPropertyNames || function (o) {
28
+ var ar = [];
29
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
30
+ return ar;
31
+ };
32
+ return ownKeys(o);
33
+ };
34
+ return function (mod) {
35
+ if (mod && mod.__esModule) return mod;
36
+ var result = {};
37
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
38
+ __setModuleDefault(result, mod);
39
+ return result;
40
+ };
41
+ })();
42
+ Object.defineProperty(exports, "__esModule", { value: true });
43
+ exports.WorkloadAPIClient = void 0;
44
+ const grpc = __importStar(require("@grpc/grpc-js"));
45
+ const protoLoader = __importStar(require("@grpc/proto-loader"));
46
+ const path = __importStar(require("node:path"));
47
+ // Load proto definition at runtime
48
+ // __dirname works in CJS; for ESM, users would need to set AUTHSEC_PROTO_PATH
49
+ const PROTO_PATH = process.env.AUTHSEC_PROTO_PATH ??
50
+ path.join(__dirname, 'proto', 'workload.proto');
51
+ const packageDefinition = protoLoader.loadSync(PROTO_PATH, {
52
+ keepCase: true,
53
+ longs: String,
54
+ enums: String,
55
+ defaults: true,
56
+ oneofs: true,
57
+ });
58
+ const protoDescriptor = grpc.loadPackageDefinition(packageDefinition);
59
+ const SpiffeWorkloadAPIService = protoDescriptor.spiffe.workload.SpiffeWorkloadAPI;
60
+ class WorkloadAPIClient {
61
+ socketPath;
62
+ logger;
63
+ // Current SVID data
64
+ spiffeId = null;
65
+ certificate = null;
66
+ privateKey = null;
67
+ trustBundle = null;
68
+ // gRPC client
69
+ client = null;
70
+ streamCall = null;
71
+ running = false;
72
+ constructor(options) {
73
+ this.socketPath =
74
+ options?.socketPath ?? '/tmp/spire-agent/public/api.sock';
75
+ this.logger = options?.logger ?? {
76
+ info: console.log,
77
+ error: console.error,
78
+ debug: () => { },
79
+ };
80
+ }
81
+ /** Connect to the Workload API */
82
+ async connect() {
83
+ this.logger.info('Connecting to gRPC Workload API');
84
+ this.logger.info(` Socket: ${this.socketPath}`);
85
+ let target;
86
+ if (this.socketPath.startsWith('tcp://')) {
87
+ // TCP socket (Windows, VMs, K8s service endpoints)
88
+ target = this.socketPath.replace('tcp://', '');
89
+ this.logger.info(` Using TCP socket: ${target}`);
90
+ }
91
+ else if (this.socketPath.startsWith('unix://')) {
92
+ // Unix socket with unix:// prefix
93
+ const unixPath = this.socketPath.replace('unix://', '');
94
+ target = `unix:${unixPath}`;
95
+ this.logger.info(` Using Unix socket: ${unixPath}`);
96
+ }
97
+ else {
98
+ // Standard Unix socket path
99
+ target = `unix:${this.socketPath}`;
100
+ this.logger.info(' Using Unix socket');
101
+ }
102
+ this.client = new SpiffeWorkloadAPIService(target, grpc.credentials.createInsecure());
103
+ this.logger.info('Connected to Workload API');
104
+ }
105
+ /** Disconnect from Workload API */
106
+ async disconnect() {
107
+ this.running = false;
108
+ if (this.streamCall) {
109
+ this.streamCall.cancel();
110
+ this.streamCall = null;
111
+ }
112
+ if (this.client) {
113
+ this.client.close();
114
+ this.client = null;
115
+ }
116
+ this.logger.info('Disconnected from Workload API');
117
+ }
118
+ /** Build gRPC metadata from environment variables */
119
+ buildMetadata() {
120
+ const metadata = new grpc.Metadata();
121
+ // For TCP sockets, send PID
122
+ if (this.socketPath.startsWith('tcp://')) {
123
+ metadata.set('x-pid', String(process.pid));
124
+ this.logger.debug(`Sending PID ${process.pid} in gRPC metadata`);
125
+ }
126
+ // Kubernetes metadata
127
+ const k8sVars = [
128
+ ['POD_NAMESPACE', 'x-k8s-namespace'],
129
+ ['POD_NAME', 'x-k8s-pod-name'],
130
+ ['POD_UID', 'x-k8s-pod-uid'],
131
+ ['SERVICE_ACCOUNT', 'x-k8s-service-account'],
132
+ ['POD_LABEL_APP', 'x-k8s-pod-label-app'],
133
+ ];
134
+ for (const [envVar, metaKey] of k8sVars) {
135
+ const value = process.env[envVar];
136
+ if (value) {
137
+ metadata.set(metaKey, value);
138
+ this.logger.debug(`Sending ${metaKey}: ${value}`);
139
+ }
140
+ }
141
+ // Docker metadata
142
+ const dockerVars = [
143
+ ['DOCKER_CONTAINER_ID', 'x-docker-container-id'],
144
+ ['DOCKER_CONTAINER_NAME', 'x-docker-container-name'],
145
+ ['DOCKER_IMAGE_NAME', 'x-docker-image-name'],
146
+ ];
147
+ for (const [envVar, metaKey] of dockerVars) {
148
+ const value = process.env[envVar];
149
+ if (value) {
150
+ metadata.set(metaKey, value);
151
+ this.logger.debug(`Sending ${metaKey}: ${value}`);
152
+ }
153
+ }
154
+ // Docker labels as metadata (prefixed with DOCKER_LABEL_)
155
+ for (const [key, value] of Object.entries(process.env)) {
156
+ if (key.startsWith('DOCKER_LABEL_') && value) {
157
+ const labelName = key.slice('DOCKER_LABEL_'.length).toLowerCase();
158
+ metadata.set(`x-docker-label-${labelName}`, value);
159
+ this.logger.debug(`Sending Docker label ${labelName}: ${value}`);
160
+ }
161
+ }
162
+ return metadata;
163
+ }
164
+ /**
165
+ * Fetch X.509-SVID once (single request/response).
166
+ * @returns true if successful, false otherwise
167
+ */
168
+ async fetchX509SvidOnce() {
169
+ try {
170
+ if (!this.client) {
171
+ await this.connect();
172
+ }
173
+ const metadata = this.buildMetadata();
174
+ return new Promise((resolve) => {
175
+ const stream = this.client.FetchX509SVID({}, metadata);
176
+ stream.on('data', (response) => {
177
+ if (response.svids && response.svids.length > 0) {
178
+ const svid = response.svids[0];
179
+ this.spiffeId = svid.spiffe_id;
180
+ this.certificate =
181
+ typeof svid.x509_svid === 'string'
182
+ ? svid.x509_svid
183
+ : Buffer.from(svid.x509_svid).toString('utf-8');
184
+ this.privateKey =
185
+ typeof svid.x509_svid_key === 'string'
186
+ ? svid.x509_svid_key
187
+ : Buffer.from(svid.x509_svid_key).toString('utf-8');
188
+ this.trustBundle =
189
+ typeof svid.bundle === 'string'
190
+ ? svid.bundle
191
+ : Buffer.from(svid.bundle).toString('utf-8');
192
+ this.logger.info('Fetched X.509-SVID');
193
+ this.logger.info(` SPIFFE ID: ${this.spiffeId}`);
194
+ this.logger.info(' Certificate issued and ready to use');
195
+ this.logger.info(' Trust Bundle received from agent');
196
+ stream.cancel();
197
+ resolve(true);
198
+ }
199
+ else {
200
+ this.logger.error('No SVIDs in response');
201
+ stream.cancel();
202
+ resolve(false);
203
+ }
204
+ });
205
+ stream.on('error', (err) => {
206
+ if (err.code !== grpc.status.CANCELLED) {
207
+ this.logger.error(`gRPC error fetching SVID: ${err.code} - ${err.details ?? err.message}`);
208
+ }
209
+ resolve(false);
210
+ });
211
+ });
212
+ }
213
+ catch (e) {
214
+ this.logger.error(`Failed to fetch SVID: ${e.message ?? e}`);
215
+ return false;
216
+ }
217
+ }
218
+ /**
219
+ * Start streaming X.509-SVID updates.
220
+ * @param onUpdate Optional callback called when SVID is updated
221
+ */
222
+ async startStreaming(onUpdate) {
223
+ this.running = true;
224
+ if (!this.client) {
225
+ await this.connect();
226
+ }
227
+ this.logger.info('Starting X.509-SVID stream...');
228
+ const metadata = this.buildMetadata();
229
+ this.streamCall = this.client.FetchX509SVID({}, metadata);
230
+ this.streamCall.on('data', async (response) => {
231
+ if (!this.running)
232
+ return;
233
+ if (response.svids && response.svids.length > 0) {
234
+ const svid = response.svids[0];
235
+ this.spiffeId = svid.spiffe_id;
236
+ this.certificate =
237
+ typeof svid.x509_svid === 'string'
238
+ ? svid.x509_svid
239
+ : Buffer.from(svid.x509_svid).toString('utf-8');
240
+ this.privateKey =
241
+ typeof svid.x509_svid_key === 'string'
242
+ ? svid.x509_svid_key
243
+ : Buffer.from(svid.x509_svid_key).toString('utf-8');
244
+ this.trustBundle =
245
+ typeof svid.bundle === 'string'
246
+ ? svid.bundle
247
+ : Buffer.from(svid.bundle).toString('utf-8');
248
+ this.logger.info('Received SVID update');
249
+ this.logger.info(` SPIFFE ID: ${this.spiffeId}`);
250
+ this.logger.info(' Certificate refreshed from agent');
251
+ this.logger.info(' Trust Bundle updated');
252
+ if (onUpdate) {
253
+ await onUpdate(this);
254
+ }
255
+ }
256
+ });
257
+ this.streamCall.on('error', (err) => {
258
+ if (err.code !== grpc.status.CANCELLED) {
259
+ this.logger.error(`gRPC stream error: ${err.code} - ${err.details ?? err.message}`);
260
+ }
261
+ });
262
+ this.streamCall.on('end', () => {
263
+ this.logger.info('SVID stream ended');
264
+ });
265
+ }
266
+ /**
267
+ * Fetch JWT-SVID.
268
+ * @param audience List of audiences for the JWT
269
+ * @param spiffeId Optional SPIFFE ID (defaults to workload's identity)
270
+ * @returns JWT token or null
271
+ */
272
+ async fetchJwtSvid(audience, spiffeId) {
273
+ try {
274
+ if (!this.client) {
275
+ await this.connect();
276
+ }
277
+ return new Promise((resolve) => {
278
+ this.client.FetchJWTSVID({ audience, spiffe_id: spiffeId ?? '' }, (err, response) => {
279
+ if (err) {
280
+ this.logger.error(`gRPC error fetching JWT-SVID: ${err.code} - ${err.details ?? err.message}`);
281
+ resolve(null);
282
+ return;
283
+ }
284
+ if (response.svids && response.svids.length > 0) {
285
+ const jwtSvid = response.svids[0];
286
+ this.logger.info('Fetched JWT-SVID');
287
+ this.logger.info(` SPIFFE ID: ${jwtSvid.spiffe_id}`);
288
+ this.logger.info(` Audience: ${audience}`);
289
+ resolve(jwtSvid.svid);
290
+ }
291
+ else {
292
+ this.logger.error('No JWT-SVIDs in response');
293
+ resolve(null);
294
+ }
295
+ });
296
+ });
297
+ }
298
+ catch (e) {
299
+ this.logger.error(`Failed to fetch JWT-SVID: ${e.message ?? e}`);
300
+ return null;
301
+ }
302
+ }
303
+ /**
304
+ * Validate JWT-SVID.
305
+ * @param token JWT token to validate
306
+ * @param audience Expected audience
307
+ * @returns Validation result with spiffe_id and claims, or null if invalid
308
+ */
309
+ async validateJwtSvid(token, audience) {
310
+ try {
311
+ if (!this.client) {
312
+ await this.connect();
313
+ }
314
+ return new Promise((resolve) => {
315
+ this.client.ValidateJWTSVID({ svid: token, audience }, (err, response) => {
316
+ if (err) {
317
+ this.logger.error(`gRPC error validating JWT-SVID: ${err.code} - ${err.details ?? err.message}`);
318
+ resolve(null);
319
+ return;
320
+ }
321
+ this.logger.info('JWT-SVID validated');
322
+ this.logger.info(` SPIFFE ID: ${response.spiffe_id}`);
323
+ resolve({
324
+ spiffeId: response.spiffe_id,
325
+ claims: response.claims ?? {},
326
+ });
327
+ });
328
+ });
329
+ }
330
+ catch (e) {
331
+ this.logger.error(`Failed to validate JWT-SVID: ${e.message ?? e}`);
332
+ return null;
333
+ }
334
+ }
335
+ /**
336
+ * Get mTLS configuration for HTTP clients.
337
+ * @returns Object with cert, key, and caBundle, or null if not available
338
+ */
339
+ getMtlsConfig() {
340
+ if (!this.certificate || !this.privateKey || !this.trustBundle) {
341
+ return null;
342
+ }
343
+ return {
344
+ cert: this.certificate,
345
+ key: this.privateKey,
346
+ caBundle: this.trustBundle,
347
+ };
348
+ }
349
+ /** Check if SVID is available */
350
+ hasSvid() {
351
+ return this.spiffeId !== null;
352
+ }
353
+ }
354
+ exports.WorkloadAPIClient = WorkloadAPIClient;
355
+ //# sourceMappingURL=workload-api-client.js.map
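Review bot: `connect()` builds the channel with `grpc.credentials.createInsecure()` for every target, including `tcp://`, and `buildMetadata()` then attaches the process PID plus whatever `POD_*`, `SERVICE_ACCOUNT` and `DOCKER_*` environment variables hold as attestation metadata. Over a Unix socket the agent can tie the caller to a real process through kernel peer credentials, but over TCP every one of those values is self-asserted and the SVID private key returned by `FetchX509SVID` crosses the network in cleartext, so any client that can reach the endpoint can obtain an identity by setting a few environment variables — whether the agent side compensates cannot be seen from this package. The client cannot fix the agent, but it should make the assumption explicit: in the TCP branch add `this.logger.error('tcp:// Workload API target: channel is unencrypted and x-pid/x-k8s-*/x-docker-* metadata is self-asserted; use only on loopback or an otherwise authenticated network');` and state the same in the class JSDoc. A second gap: the file header promises automatic rotation, but `startStreaming()` only logs on `'error'` and `'end'` and never reconnects, so after an agent restart the cached certificate silently ages out until mTLS starts failing; a reconnect loop with backoff while `this.running` is true, or at least an error callback alongside `onUpdate`, would let callers notice.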
@@ -0,0 +1 @@
1
+ {"version":3,"file":"workload-api-client.js","sourceRoot":"","sources":["../../src/spiffe/workload-api-client.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,oDAAsC;AACtC,gEAAkD;AAClD,gDAAkC;AAElC,mCAAmC;AACnC,8EAA8E;AAC9E,MAAM,UAAU,GACd,OAAO,CAAC,GAAG,CAAC,kBAAkB;IAC9B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC;AAElD,MAAM,iBAAiB,GAAG,WAAW,CAAC,QAAQ,CAAC,UAAU,EAAE;IACzD,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,MAAM;IACb,KAAK,EAAE,MAAM;IACb,QAAQ,EAAE,IAAI;IACd,MAAM,EAAE,IAAI;CACb,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,IAAI,CAAC,qBAAqB,CAAC,iBAAiB,CAAQ,CAAC;AAC7E,MAAM,wBAAwB,GAC5B,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC;AAEpD,MAAa,iBAAiB;IACpB,UAAU,CAAS;IACnB,MAAM,CAAuD;IAErE,oBAAoB;IACpB,QAAQ,GAAkB,IAAI,CAAC;IAC/B,WAAW,GAAkB,IAAI,CAAC;IAClC,UAAU,GAAkB,IAAI,CAAC;IACjC,WAAW,GAAkB,IAAI,CAAC;IAElC,cAAc;IACN,MAAM,GAAQ,IAAI,CAAC;IACnB,UAAU,GAAQ,IAAI,CAAC;IACvB,OAAO,GAAG,KAAK,CAAC;IAExB,YAAY,OAGX;QACC,IAAI,CAAC,UAAU;YACb,OAAO,EAAE,UAAU,IAAI,kCAAkC,CAAC;QAC5D,IAAI,CAAC,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI;YAC/B,IAAI,EAAE,OAAO,CAAC,GAAG;YACjB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;SAChB,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACpD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAEjD,IAAI,MAAc,CAAC;QAEnB,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzC,mDAAmD;YACnD,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YAC/C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,MAAM,EAAE,CAAC,CAAC;QACpD,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACjD,kCAAkC;YAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YACxD,MAAM,GAAG,QAAQ,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,QAAQ,EAAE,CAAC,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,4BAA4B;YAC5B,MAAM,GAAG,QAAQ,IAAI,CAAC,UAAU,EAAE,CAAC;YACnC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAC1C,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,IAAI,wBAAwB,CACxC,MAAM,EACN,IA
AI,CAAC,WAAW,CAAC,cAAc,EAAE,CAClC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAChD,CAAC;IAED,mCAAmC;IACnC,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QAErB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YACzB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACzB,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IACrD,CAAC;IAED,qDAAqD;IAC7C,aAAa;QACnB,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAErC,4BAA4B;QAC5B,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzC,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YAC3C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,OAAO,CAAC,GAAG,mBAAmB,CAAC,CAAC;QACnE,CAAC;QAED,sBAAsB;QACtB,MAAM,OAAO,GAA4B;YACvC,CAAC,eAAe,EAAE,iBAAiB,CAAC;YACpC,CAAC,UAAU,EAAE,gBAAgB,CAAC;YAC9B,CAAC,SAAS,EAAE,eAAe,CAAC;YAC5B,CAAC,iBAAiB,EAAE,uBAAuB,CAAC;YAC5C,CAAC,eAAe,EAAE,qBAAqB,CAAC;SACzC,CAAC;QAEF,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,OAAO,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAClC,IAAI,KAAK,EAAE,CAAC;gBACV,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,OAAO,KAAK,KAAK,EAAE,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAED,kBAAkB;QAClB,MAAM,UAAU,GAA4B;YAC1C,CAAC,qBAAqB,EAAE,uBAAuB,CAAC;YAChD,CAAC,uBAAuB,EAAE,yBAAyB,CAAC;YACpD,CAAC,mBAAmB,EAAE,qBAAqB,CAAC;SAC7C,CAAC;QAEF,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAClC,IAAI,KAAK,EAAE,CAAC;gBACV,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,OAAO,KAAK,KAAK,EAAE,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACvD,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC,IAAI,KAAK,EAAE,CAAC;gBAC7C,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClE,QAAQ,CAAC,GAAG,CAAC,kB
AAkB,SAAS,EAAE,EAAE,KAAK,CAAC,CAAC;gBACnD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,SAAS,KAAK,KAAK,EAAE,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB;QACrB,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YACvB,CAAC;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;YAEtC,OAAO,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,EAAE;gBACtC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;gBAEvD,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,QAAa,EAAE,EAAE;oBAClC,IAAI,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAChD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;wBAC/B,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;wBAC/B,IAAI,CAAC,WAAW;4BACd,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ;gCAChC,CAAC,CAAC,IAAI,CAAC,SAAS;gCAChB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;wBACpD,IAAI,CAAC,UAAU;4BACb,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;gCACpC,CAAC,CAAC,IAAI,CAAC,aAAa;gCACpB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;wBACxD,IAAI,CAAC,WAAW;4BACd,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ;gCAC7B,CAAC,CAAC,IAAI,CAAC,MAAM;gCACb,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;wBAEjD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;wBACvC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;wBAClD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;wBAC1D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;wBAEvD,MAAM,CAAC,MAAM,EAAE,CAAC;wBAChB,OAAO,CAAC,IAAI,CAAC,CAAC;oBAChB,CAAC;yBAAM,CAAC;wBACN,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;wBAC1C,MAAM,CAAC,MAAM,EAAE,CAAC;wBAChB,OAAO,CAAC,KAAK,CAAC,CAAC;oBACjB,CAAC;gBACH,CAAC,CAAC,CAAC;gBAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAQ,EAAE,EAAE;oBAC9B,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;wBACvC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,6BAA6B,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,EAAE,CACxE,CAAC;oBACJ,CAAC;oBACD,OAAO,CAAC,KAAK,CAAC,CAAC;gBACjB,CAAC,
CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;YAC7D,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,cAAc,CAClB,QAAuD;QAEvD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QAEpB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACvB,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAElD,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;QACtC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAE1D,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,QAAa,EAAE,EAAE;YACjD,IAAI,CAAC,IAAI,CAAC,OAAO;gBAAE,OAAO;YAE1B,IAAI,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC/B,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC/B,IAAI,CAAC,WAAW;oBACd,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ;wBAChC,CAAC,CAAC,IAAI,CAAC,SAAS;wBAChB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACpD,IAAI,CAAC,UAAU;oBACb,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;wBACpC,CAAC,CAAC,IAAI,CAAC,aAAa;wBACpB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACxD,IAAI,CAAC,WAAW;oBACd,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ;wBAC7B,CAAC,CAAC,IAAI,CAAC,MAAM;wBACb,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBAEjD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;gBACzC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAClD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;gBACvD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;gBAE3C,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAQ,EAAE,EAAE;YACvC,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBACvC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,sBAAsB,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,EAAE,CACjE,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,CAAC
,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YAC7B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,YAAY,CAChB,QAAkB,EAClB,QAAiB;QAEjB,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YACvB,CAAC;YAED,OAAO,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,EAAE;gBAC5C,IAAI,CAAC,MAAM,CAAC,YAAY,CACtB,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,IAAI,EAAE,EAAE,EACvC,CAAC,GAAQ,EAAE,QAAa,EAAE,EAAE;oBAC1B,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,iCAAiC,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,EAAE,CAC5E,CAAC;wBACF,OAAO,CAAC,IAAI,CAAC,CAAC;wBACd,OAAO;oBACT,CAAC;oBAED,IAAI,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAChD,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;wBAClC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;wBACrC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;wBACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,QAAQ,EAAE,CAAC,CAAC;wBAC5C,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;oBACxB,CAAC;yBAAM,CAAC;wBACN,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;wBAC9C,OAAO,CAAC,IAAI,CAAC,CAAC;oBAChB,CAAC;gBACH,CAAC,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,eAAe,CACnB,KAAa,EACb,QAAgB;QAEhB,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YACvB,CAAC;YAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;gBAC7B,IAAI,CAAC,MAAM,CAAC,eAAe,CACzB,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,EACzB,CAAC,GAAQ,EAAE,QAAa,EAAE,EAAE;oBAC1B,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,mCAAmC,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,EAAE,CAC9E,CAAC;wBACF,OAAO,CAAC,IAAI,CAAC,CAAC;wBACd,OAAO;oBACT,CAAC;oBAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;oBACvC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;oBAEvD,OAAO,CAAC;wBACN,QAAQ,EAAE,QAAQ,CAAC,S
AAS;wBAC5B,MAAM,EAAE,QAAQ,CAAC,MAAM,IAAI,EAAE;qBAC9B,CAAC,CAAC;gBACL,CAAC,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,aAAa;QAKX,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,WAAW;YACtB,GAAG,EAAE,IAAI,CAAC,UAAU;YACpB,QAAQ,EAAE,IAAI,CAAC,WAAW;SAC3B,CAAC;IACJ,CAAC;IAED,iCAAiC;IACjC,OAAO;QACL,OAAO,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC;IAChC,CAAC;CACF;AA5WD,8CA4WC"}
@@ -0,0 +1,44 @@
1
+ /**
2
+ * WorkloadSVID - SVID data container with certificate file management
3
+ * Mirrors Python WorkloadSVID dataclass
4
+ */
5
+ import * as tls from 'node:tls';
6
+ export declare class WorkloadSVID {
7
+ spiffeId: string;
8
+ certificate: string;
9
+ privateKey: string;
10
+ trustBundle: string;
11
+ certDir: string;
12
+ certFilePath: string | null;
13
+ keyFilePath: string | null;
14
+ caFilePath: string | null;
15
+ constructor(options: {
16
+ spiffeId: string;
17
+ certificate: string;
18
+ privateKey: string;
19
+ trustBundle: string;
20
+ certDir?: string;
21
+ });
22
+ /** Write certificates to persistent files for mTLS */
23
+ private writeCertsToFiles;
24
+ /** Atomically write content to file */
25
+ private atomicWrite;
26
+ /**
27
+ * Create TLS options for server (e.g., Express HTTPS).
28
+ * Returns options suitable for `https.createServer(options, app)`.
29
+ */
30
+ createTlsOptionsForServer(): tls.SecureContextOptions & {
31
+ requestCert: boolean;
32
+ rejectUnauthorized: boolean;
33
+ };
34
+ /**
35
+ * Create TLS options for client (e.g., fetch with custom agent).
36
+ * Returns options suitable for `https.Agent(options)`.
37
+ */
38
+ createTlsOptionsForClient(): tls.SecureContextOptions & {
39
+ rejectUnauthorized: boolean;
40
+ };
41
+ /** Refresh SVID data (called during renewal) */
42
+ refresh(certificate: string, privateKey: string, trustBundle: string): void;
43
+ }
44
+ //# sourceMappingURL=workload-svid.d.ts.map
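Review bot: The JSDoc on `createTlsOptionsForServer()` and `createTlsOptionsForClient()` should say what the returned options do and do not establish: with `ca` set to the trust bundle and `rejectUnauthorized: true`, the peer is verified to chain to the trust domain's bundle, but nothing checks which SPIFFE ID the peer presented, so every workload in the trust domain is accepted unless the caller inspects the peer certificate's URI SAN itself (for example via `socket.getPeerCertificate()`). Suggested addition to both docstrings: `Verifies only that the peer chains to the trust bundle; authorizing the peer's SPIFFE ID (URI SAN) is the caller's responsibility.` It is also worth stating on `certDir`/`keyFilePath` that the private key is written to disk under this directory, so callers should pass a private, non-shared location rather than rely on the default.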
@@ -0,0 +1 @@
1
+ {"version":3,"file":"workload-svid.d.ts","sourceRoot":"","sources":["../../src/spiffe/workload-svid.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAEhC,qBAAa,YAAY;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAEhB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAQ;IACnC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAQ;IAClC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAQ;gBAErB,OAAO,EAAE;QACnB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;QACnB,WAAW,EAAE,MAAM,CAAC;QACpB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB;IAUD,sDAAsD;IACtD,OAAO,CAAC,iBAAiB;IAsBzB,uCAAuC;IACvC,OAAO,CAAC,WAAW;IAenB;;;OAGG;IACH,yBAAyB,IAAI,GAAG,CAAC,oBAAoB,GAAG;QAAE,WAAW,EAAE,OAAO,CAAC;QAAC,kBAAkB,EAAE,OAAO,CAAA;KAAE;IAc7G;;;OAGG;IACH,yBAAyB,IAAI,GAAG,CAAC,oBAAoB,GAAG;QAAE,kBAAkB,EAAE,OAAO,CAAA;KAAE;IAavF,gDAAgD;IAChD,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;CAO5E"}
@@ -0,0 +1,137 @@
1
+ "use strict";
2
+ /**
3
+ * WorkloadSVID - SVID data container with certificate file management
4
+ * Mirrors Python WorkloadSVID dataclass
5
+ */
6
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
7
+ if (k2 === undefined) k2 = k;
8
+ var desc = Object.getOwnPropertyDescriptor(m, k);
9
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
10
+ desc = { enumerable: true, get: function() { return m[k]; } };
11
+ }
12
+ Object.defineProperty(o, k2, desc);
13
+ }) : (function(o, m, k, k2) {
14
+ if (k2 === undefined) k2 = k;
15
+ o[k2] = m[k];
16
+ }));
17
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
18
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
19
+ }) : function(o, v) {
20
+ o["default"] = v;
21
+ });
22
+ var __importStar = (this && this.__importStar) || (function () {
23
+ var ownKeys = function(o) {
24
+ ownKeys = Object.getOwnPropertyNames || function (o) {
25
+ var ar = [];
26
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
27
+ return ar;
28
+ };
29
+ return ownKeys(o);
30
+ };
31
+ return function (mod) {
32
+ if (mod && mod.__esModule) return mod;
33
+ var result = {};
34
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
35
+ __setModuleDefault(result, mod);
36
+ return result;
37
+ };
38
+ })();
39
+ Object.defineProperty(exports, "__esModule", { value: true });
40
+ exports.WorkloadSVID = void 0;
41
+ const fs = __importStar(require("node:fs"));
42
+ const path = __importStar(require("node:path"));
43
+ const os = __importStar(require("node:os"));
44
+ class WorkloadSVID {
45
+ spiffeId;
46
+ certificate;
47
+ privateKey;
48
+ trustBundle;
49
+ certDir;
50
+ certFilePath = null;
51
+ keyFilePath = null;
52
+ caFilePath = null;
53
+ constructor(options) {
54
+ this.spiffeId = options.spiffeId;
55
+ this.certificate = options.certificate;
56
+ this.privateKey = options.privateKey;
57
+ this.trustBundle = options.trustBundle;
58
+ this.certDir = options.certDir ?? path.join(os.tmpdir(), 'spiffe-certs');
59
+ this.writeCertsToFiles();
60
+ }
61
+ /** Write certificates to persistent files for mTLS */
62
+ writeCertsToFiles() {
63
+ fs.mkdirSync(this.certDir, { recursive: true });
64
+ if (!this.certFilePath) {
65
+ this.certFilePath = path.join(this.certDir, 'svid.crt');
66
+ this.keyFilePath = path.join(this.certDir, 'svid.key');
67
+ this.caFilePath = path.join(this.certDir, 'ca.crt');
68
+ }
69
+ this.atomicWrite(this.certFilePath, this.certificate);
70
+ this.atomicWrite(this.keyFilePath, this.privateKey);
71
+ this.atomicWrite(this.caFilePath, this.trustBundle);
72
+ // Set restrictive permissions on private key
73
+ fs.chmodSync(this.keyFilePath, 0o600);
74
+ console.log('Certificates written to disk:');
75
+ console.log(` Cert: ${this.certFilePath}`);
76
+ console.log(` Key: ${this.keyFilePath}`);
77
+ console.log(` CA: ${this.caFilePath}`);
78
+ }
79
+ /** Atomically write content to file */
80
+ atomicWrite(filePath, content) {
81
+ const tempPath = filePath + '.tmp';
82
+ try {
83
+ fs.writeFileSync(tempPath, content, { encoding: 'utf-8', flush: true });
84
+ fs.renameSync(tempPath, filePath);
85
+ }
86
+ catch (e) {
87
+ try {
88
+ fs.unlinkSync(tempPath);
89
+ }
90
+ catch {
91
+ // ignore cleanup error
92
+ }
93
+ throw e;
94
+ }
95
+ }
96
+ /**
97
+ * Create TLS options for server (e.g., Express HTTPS).
98
+ * Returns options suitable for `https.createServer(options, app)`.
99
+ */
100
+ createTlsOptionsForServer() {
101
+ if (!this.certFilePath || !this.keyFilePath || !this.caFilePath) {
102
+ throw new Error('Certificates not initialized');
103
+ }
104
+ return {
105
+ cert: fs.readFileSync(this.certFilePath, 'utf-8'),
106
+ key: fs.readFileSync(this.keyFilePath, 'utf-8'),
107
+ ca: fs.readFileSync(this.caFilePath, 'utf-8'),
108
+ requestCert: true,
109
+ rejectUnauthorized: true,
110
+ };
111
+ }
112
+ /**
113
+ * Create TLS options for client (e.g., fetch with custom agent).
114
+ * Returns options suitable for `https.Agent(options)`.
115
+ */
116
+ createTlsOptionsForClient() {
117
+ if (!this.certFilePath || !this.keyFilePath || !this.caFilePath) {
118
+ throw new Error('Certificates not initialized');
119
+ }
120
+ return {
121
+ cert: fs.readFileSync(this.certFilePath, 'utf-8'),
122
+ key: fs.readFileSync(this.keyFilePath, 'utf-8'),
123
+ ca: fs.readFileSync(this.caFilePath, 'utf-8'),
124
+ rejectUnauthorized: true,
125
+ };
126
+ }
127
+ /** Refresh SVID data (called during renewal) */
128
+ refresh(certificate, privateKey, trustBundle) {
129
+ this.certificate = certificate;
130
+ this.privateKey = privateKey;
131
+ this.trustBundle = trustBundle;
132
+ this.writeCertsToFiles();
133
+ console.log(`SVID refreshed: ${this.spiffeId}`);
134
+ }
135
+ }
136
+ exports.WorkloadSVID = WorkloadSVID;
137
+ //# sourceMappingURL=workload-svid.js.map
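Review bot: `writeCertsToFiles()` creates the private-key temp file with the process default mode (`writeFileSync` without `mode`, typically 0644 after umask), renames it into place, and only then runs `chmodSync(keyFilePath, 0o600)`, while the directory itself is created with the default mode under a fixed, predictable path in the shared `os.tmpdir()`; on a multi-user host the key is world-readable for a window, and another local user who pre-creates `spiffe-certs` or plants a symlink at `svid.key.tmp` can read or redirect it, since `mkdirSync({ recursive: true })` silently accepts an existing directory. Set the mode at creation time and refuse to follow a pre-existing temp file, as below, and consider defaulting `certDir` to `fs.mkdtempSync(path.join(os.tmpdir(), 'spiffe-certs-'))` instead of a fixed name. Separately, `createTlsOptionsForClient()` returns `rejectUnauthorized: true` with no `checkServerIdentity` override; X.509-SVIDs carry the SPIFFE ID as a URI SAN and often no DNS SAN, in which case Node's default hostname check would reject an SVID-presenting server — this cannot be confirmed from the file alone, so verify against a real SVID. Note too that both `createTlsOptionsFor*` methods re-read the files on each call, but an already-constructed `https.Server` or `Agent` keeps the context it was built with, so `refresh()` by itself does not rotate a live listener (`server.setSecureContext()` or a new agent is needed).
```javascript
    writeCertsToFiles() {
        // Key material lives here: directory and files must be owner-only from creation.
        fs.mkdirSync(this.certDir, { recursive: true, mode: 0o700 });
        // … unchanged: certFilePath/keyFilePath/caFilePath assignment …
        this.atomicWrite(this.certFilePath, this.certificate, 0o644);
        this.atomicWrite(this.keyFilePath, this.privateKey, 0o600);
        this.atomicWrite(this.caFilePath, this.trustBundle, 0o644);
        // … unchanged: logging …
    }
    /** Atomically write content to file; `mode` is applied at creation, not after the fact. */
    atomicWrite(filePath, content, mode = 0o644) {
        const tempPath = filePath + '.tmp';
        try {
            // 'wx' fails if the temp path already exists, so a pre-planted file or symlink is not followed.
            fs.writeFileSync(tempPath, content, { encoding: 'utf-8', flag: 'wx', mode, flush: true });
            fs.renameSync(tempPath, filePath);
        }
        // … unchanged: cleanup and rethrow …
    }
```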
@@ -0,0 +1 @@
1
+ {"version":3,"file":"workload-svid.js","sourceRoot":"","sources":["../../src/spiffe/workload-svid.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,4CAA8B;AAC9B,gDAAkC;AAClC,4CAA8B;AAG9B,MAAa,YAAY;IACvB,QAAQ,CAAS;IACjB,WAAW,CAAS;IACpB,UAAU,CAAS;IACnB,WAAW,CAAS;IACpB,OAAO,CAAS;IAEhB,YAAY,GAAkB,IAAI,CAAC;IACnC,WAAW,GAAkB,IAAI,CAAC;IAClC,UAAU,GAAkB,IAAI,CAAC;IAEjC,YAAY,OAMX;QACC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC;QAEzE,IAAI,CAAC,iBAAiB,EAAE,CAAC;IAC3B,CAAC;IAED,sDAAsD;IAC9C,iBAAiB;QACvB,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACxD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;YACvD,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QACtD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,WAAY,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACrD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAW,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAErD,6CAA6C;QAC7C,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,WAAY,EAAE,KAAK,CAAC,CAAC;QAEvC,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,uCAAuC;IAC/B,WAAW,CAAC,QAAgB,EAAE,OAAe;QACnD,MAAM,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;QACnC,IAAI,CAAC;YACH,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YACxE,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,EAAE,CAAC,UAAU,CAAC,QAAQ,CA
AC,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,uBAAuB;YACzB,CAAC;YACD,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,yBAAyB;QACvB,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,OAAO;YACL,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC;YACjD,GAAG,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC;YAC/C,EAAE,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC;YAC7C,WAAW,EAAE,IAAI;YACjB,kBAAkB,EAAE,IAAI;SACzB,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,yBAAyB;QACvB,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,OAAO;YACL,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC;YACjD,GAAG,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC;YAC/C,EAAE,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC;YAC7C,kBAAkB,EAAE,IAAI;SACzB,CAAC;IACJ,CAAC;IAED,gDAAgD;IAChD,OAAO,CAAC,WAAmB,EAAE,UAAkB,EAAE,WAAmB;QAClE,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IAClD,CAAC;CACF;AA7GD,oCA6GC"}
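--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -0,0 +1,95 @@
+/**
+* Shared TypeScript types for AuthSec SDK
+*/
+/** MCP content item returned by tool handlers */
+export interface McpContent {
+type: string;
+text: string;
+}
+/** Async tool handler function (no session) */
+export type ToolHandler = (arguments_: Record<string, any>) => Promise<McpContent[]>;
+/** Async tool handler function (with session) */
+export type ToolHandlerWithSession = (arguments_: Record<string, any>, session: SimpleSession) => Promise<McpContent[]>;
+/** RBAC requirements for a protected tool */
+export interface RbacRequirements {
+roles: string[];
+groups: string[];
+resources: string[];
+scopes: string[];
+permissions: string[];
+requireAll: boolean;
+}
+/** Tool definition with metadata (returned by decorator functions) */
+export interface ToolDefinition {
+/** The wrapped handler function */
+handler: (arguments_: Record<string, any>) => Promise<McpContent[]>;
+/** Tool name */
+name: string;
+/** Tool description */
+description?: string;
+/** MCP-compliant JSON schema for input */
+inputSchema?: Record<string, any>;
+/** Whether this tool is protected by AuthSec */
+isProtected: boolean;
+/** RBAC requirements (only for protected tools) */
+rbacRequirements?: RbacRequirements;
+}
+/** Session object passed to protected tool handlers */
+export declare class SimpleSession {
+sessionId: string;
+accessToken: string | null;
+tenantId: string | null;
+userId: string | null;
+orgId: string | null;
+constructor(sessionId: string, userInfo: Record<string, any>);
+}
+/** User info extracted from JWT / auth service */
+export interface UserInfo {
+email?: string;
+tenant_id?: string;
+user_id?: string;
+org_id?: string;
+access_token?: string;
+roles?: string[];
+groups?: string[];
+scopes?: string[] | string;
+scope?: string[] | string;
+resources?: string[];
+permissions?: string[];
+[key: string]: any;
+}
+/** Service credentials returned by ServiceAccessSDK */
+export interface ServiceCredentials {
+serviceId: string;
+serviceName: string;
+serviceType: string;
+authType: string;
+url: string;
+credentials: Record<string, any>;
+metadata: Record<string, string>;
+retrievedAt: string;
+}
+/** SDK configuration */
+export interface AuthSecConfig {
+clientId: string | null;
+appName: string | null;
+authServiceUrl: string;
+servicesBaseUrl: string;
+timeout: number;
+retries: number;
+spireSocketPath: string | null;
+spireEnabled: boolean;
+}
+/** MCP JSON-RPC message */
+export interface McpMessage {
+jsonrpc: string;
+id?: string | number | null;
+method?: string;
+params?: Record<string, any>;
+result?: any;
+error?: {
+code: number;
+message: string;
+};
+}
+//# sourceMappingURL=types.d.ts.map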
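Review bot: `requireAll` on `RbacRequirements` and the `scope`/`scopes` pair on `UserInfo` carry no comment saying how they are interpreted, so a tool author reading only these declarations cannot tell whether `requireAll` means every entry across all five lists or every entry within each list, nor which of `scope`/`scopes` is consulted when both are present or what delimiter the string form uses. These lines are emitted from src/types.ts, so the comments belong there; I would add `/** true: every listed requirement must be satisfied; false: a single match suffices — wording to be confirmed against the evaluating code */` above `requireAll`, and `/** OAuth scope claim as a space-delimited string or an array; which key wins when both are set is decided by the claim parser — document it here */` above the pair. `SimpleSession.accessToken` also deserves a one-line note that it is the caller's raw bearer token and must not be copied into the `McpContent` a handler returns or into logs, since every `ToolHandlerWithSession` receives the session.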
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,iDAAiD;AACjD,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd;AAED,+CAA+C;AAC/C,MAAM,MAAM,WAAW,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,KAAK,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;AAErF,iDAAiD;AACjD,MAAM,MAAM,sBAAsB,GAAG,CACnC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC/B,OAAO,EAAE,aAAa,KACnB,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;AAE3B,6CAA6C;AAC7C,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,UAAU,EAAE,OAAO,CAAC;CACrB;AAED,sEAAsE;AACtE,MAAM,WAAW,cAAc;IAC7B,mCAAmC;IACnC,OAAO,EAAE,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,KAAK,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACpE,gBAAgB;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAClC,gDAAgD;IAChD,WAAW,EAAE,OAAO,CAAC;IACrB,mDAAmD;IACnD,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED,uDAAuD;AACvD,qBAAa,aAAa;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;gBAET,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;CAO7D;AAED,kDAAkD;AAClD,MAAM,WAAW,QAAQ;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,uDAAuD;AACvD,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM
,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACjC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,wBAAwB;AACxB,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,YAAY,EAAE,OAAO,CAAC;CACvB;AAED,2BAA2B;AAC3B,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,MAAM,CAAC,EAAE,GAAG,CAAC;IACb,KAAK,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAC3C"}