npm - @chevre/domain - Versions diffs - 22.11.0-alpha.10 → 22.11.0-alpha.11 - Mend

@chevre/domain 22.11.0-alpha.10 → 22.11.0-alpha.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/example/src/chevre/roles/{addAdminInventoryManagerRole.ts → addProjectCreatorRole.ts} RENAMED Viewed

@@ -9,13 +9,11 @@ async function main() {
     const roleRepo = await chevre.repository.Role.createInstance(mongoose.connection);
     const roleNames = [
-        chevre.factory.role.organizationRole.RoleName.AdminInventoryManager
+        'projectCreator'
     ];
     const permissions = [
-        'iam.members.me.read',
-        'admin.creativeWorks.*',
-        'admin.sellers.eventSeries.*',
-        'admin.sellers.read'
+        'aggregations.read',
+        'projects.create'
     ];
     for (const roleName of roleNames) {
         const existingRoles = await roleRepo.projectFields(
@@ -26,8 +24,8 @@ async function main() {
         );
         if (existingRoles.length === 0) {
             const createResult = await roleRepo.create({
-                roleName: roleName,
-                member: { typeOf: chevre.factory.creativeWorkType.SoftwareApplication },
+                roleName: <any>roleName,
+                member: { typeOf: chevre.factory.personType.Person },
                 memberOf: { typeOf: chevre.factory.organizationType.Project },
                 permissions: []
             });
@@ -35,7 +33,7 @@ async function main() {
         }
         for (const permission of permissions) {
             const result = await roleRepo.addPermissionIfNotExists({
-                roleName: { $eq: roleName },
+                roleName: { $eq: <any>roleName },
                 permission
             });
             console.log('permission added.', result, roleName);

package/example/src/chevre/roles/assignRoles.ts ADDED Viewed

@@ -0,0 +1,71 @@
+// tslint:disable:no-console
+import type { CognitoIdentityProvider as CognitoIdentityServiceProvider } from '@aws-sdk/client-cognito-identity-provider';
+import * as mongoose from 'mongoose';
+import { chevre } from '../../../../lib/index';
+const { PROJECT_CREATOR_SUB } = process.env;
+const project = { id: '*' };
+let cognitoIdentityServiceProvider: CognitoIdentityServiceProvider | undefined;
+async function main() {
+    if (typeof PROJECT_CREATOR_SUB !== 'string') {
+        throw new Error('PROJECT_CREATOR_SUB setting required');
+    }
+    await mongoose.connect(<string>process.env.MONGOLAB_URI, { autoIndex: false });
+    const memberRepo = await chevre.repository.Member.createInstance(mongoose.connection);
+    const settingRepo = await chevre.repository.Setting.createInstance(mongoose.connection);
+    const setting = await settingRepo.findOne({ project: { id: { $eq: '*' } } }, ['userPoolIdNew']);
+    if (typeof setting?.userPoolIdNew !== 'string') {
+        throw new chevre.factory.errors.NotFound('setting.userPoolIdNew');
+    }
+    let member: chevre.factory.iam.IMemberOfRole;
+    if (cognitoIdentityServiceProvider === undefined) {
+        const { CognitoIdentityProvider } = await import('@aws-sdk/client-cognito-identity-provider');
+        const { fromEnv } = await import('@aws-sdk/credential-providers');
+        cognitoIdentityServiceProvider = new CognitoIdentityProvider({
+            apiVersion: 'latest',
+            region: 'ap-northeast-1',
+            credentials: fromEnv()
+        });
+    }
+    const personRepo = await chevre.repository.Person.createInstance({
+        userPoolId: setting.userPoolIdNew,
+        cognitoIdentityServiceProvider
+    });
+    const profile = await personRepo.findById({ userId: PROJECT_CREATOR_SUB });
+    const memberName = (typeof profile.givenName === 'string' && typeof profile.familyName === 'string')
+        ? `${profile.givenName} ${profile.familyName}`
+        : profile.memberOf?.membershipNumber;
+    member = {
+        typeOf: chevre.factory.personType.Person,
+        id: profile.id,
+        memberOf: { id: project.id, typeOf: chevre.factory.organizationType.Project },
+        name: memberName,
+        username: profile.memberOf?.membershipNumber,
+        hasRole: [{
+            typeOf: chevre.factory.role.RoleType.OrganizationRole,
+            roleName: <any>'projectCreator'
+        }]
+    };
+    console.log(profile, member);
+    // 権限作成
+    await memberRepo.create([{
+        project: { typeOf: chevre.factory.organizationType.Project, id: project.id },
+        typeOf: chevre.factory.role.RoleType.OrganizationRole,
+        member: member
+    }]);
+}
+main()
+    .then(() => {
+        console.log('success!');
+    })
+    .catch(console.error);

package/example/src/idaas/auth0/adminApplications.ts ADDED Viewed

@@ -0,0 +1,183 @@
+// tslint:disable:no-implicit-dependencies no-console no-magic-numbers
+import { ManagementClient } from 'auth0';
+import { readFileSync } from 'fs';
+import * as moment from 'moment';
+// import * as crypto from 'crypto'; // client_secret 生成用 (PKJWTなしの場合)
+// import { JWK, importPKCS8, generateKeyPair, SignJWT } from 'jose'; // Private Key JWT 用
+const PUBLIC_KEY_FILE_PATH = `${__dirname}/../../samplePublicKey.pem`;
+const { AUTH0_DOMAIN, AUTH0_MGMT_CLIENT_ID, AUTH0_MGMT_CLIENT_SECRET, AUTH0_MGMT_API_AUDIENCE, AUTH0_AUDIENCE } = process.env;
+if (typeof AUTH0_DOMAIN !== 'string'
+    || typeof AUTH0_MGMT_CLIENT_ID !== 'string'
+    || typeof AUTH0_MGMT_CLIENT_SECRET !== 'string'
+    || typeof AUTH0_MGMT_API_AUDIENCE !== 'string'
+    || typeof AUTH0_AUDIENCE !== 'string'
+) {
+    throw new Error('set envs!');
+}
+// --- Auth0 ManagementClient の初期化 ---
+const management = new ManagementClient({
+    domain: AUTH0_DOMAIN,
+    clientId: AUTH0_MGMT_CLIENT_ID,
+    clientSecret: AUTH0_MGMT_CLIENT_SECRET,
+    audience: AUTH0_MGMT_API_AUDIENCE
+    // scope: 'read:clients create:clients' // 必要なスコープを明示
+});
+async function sleep(waitInSeconds: number) {
+    await new Promise<void>((resolve) => {
+        setTimeout(
+            () => {
+                resolve();
+            },
+            waitInSeconds
+        );
+    });
+}
+/**
+ * アプリケーションを検索し、存在しなければ作成します。
+ * Private Key JWT 認証を使用する前提。
+ */
+async function findOrCreateServiceAccount(
+    appName: string,
+    projectId: string,
+    roles: string[],
+    audience: string
+) {
+    try {
+        console.log('getting organization...');
+        const getOrganizationResponse = await management.organizations.getByName({
+            name: projectId
+        });
+        const organization = getOrganizationResponse.data;
+        console.log('organization exists.', organization);
+        const newClient = (await management.clients.create({
+            name: appName,
+            app_type: 'non_interactive', // Machine to Machine アプリケーション
+            jwt_configuration: { // Private Key JWT の設定
+                alg: 'RS256' // 署名アルゴリズム
+            },
+            // token_endpoint_auth_method: 'client_secret_post',
+            client_authentication_methods: {
+                private_key_jwt: {
+                    credentials: [{
+                        alg: 'RS256',
+                        /**
+                         * Credential type. Supported types: public_key.
+                         *
+                         */
+                        credential_type: 'public_key',
+                        // name?: string;
+                        pem: readFileSync(PUBLIC_KEY_FILE_PATH, 'utf8')
+                    }]
+                }
+            },
+            grant_types: ['client_credentials'],
+            organization_usage: 'require', // 組織での利用を許可
+            default_organization: {
+                organization_id: organization.id,
+                flows: ['client_credentials']
+            },
+            oidc_conformant: true,
+            client_metadata: {
+                roles: JSON.stringify(roles)
+            }
+        })).data;
+        console.log(`Successfully created new application: ${newClient.client_id} (${newClient.name})`);
+        console.log(`checking clientGrant... ${newClient.client_id} (${newClient.name})`);
+        await sleep(3000);
+        let clientGrant = (await management.clientGrants.getAll({
+            audience,
+            client_id: newClient.client_id
+        })).data.shift();
+        if (clientGrant === undefined) {
+            clientGrant = (await management.clientGrants.create({
+                client_id: newClient.client_id,
+                audience,
+                organization_usage: 'require',
+                allow_any_organization: false,
+                scope: ['iam.members.me.read']
+            })).data;
+            console.log(`clientGrant created. ${newClient.client_id} (${newClient.name})`);
+        } else {
+            console.log(`clientGrant already exists. ${newClient.client_id} (${newClient.name})`);
+        }
+        console.log(`checking organizationClientGrant... ${newClient.client_id} (${newClient.name})`);
+        await sleep(3000);
+        const organizationClientGrant = (await management.organizations.getOrganizationClientGrants({
+            id: organization.id,
+            audience: 'https://development.apis.smart-theater.com',
+            client_id: newClient.client_id
+        })).data.shift();
+        if (organizationClientGrant === undefined) {
+            await management.organizations.postOrganizationClientGrants(
+                {
+                    id: organization.id
+                },
+                {
+                    grant_id: clientGrant.id
+                }
+            );
+            console.log(`organizationClientGrant created. ${newClient.client_id} (${newClient.name})`);
+        } else {
+            console.log(`organizationClientGrant already exists. ${newClient.client_id} (${newClient.name})`);
+        }
+        // 1. アプリケーションを検索 (名前で検索するのが一般的)
+        console.log('searching for applications...');
+        await sleep(3000);
+        await searchClients({ organization });
+    } catch (error) {
+        console.error(`Error finding or creating application: ${error.message}`);
+        throw error;
+    }
+}
+async function searchClients(params: {
+    organization: { id: string };
+}) {
+    const existingApps = await management.clients.getAll({
+        include_totals: true,
+        // app_type: 'non_interactive',
+        // is_global: false,
+        // page: 0,
+        // per_page: 50,
+        // q: `name:"${appName}"`, // 名前で検索
+        q: `client_grant.organization_id:"${params.organization.id}"`,
+        // from: undefined,
+        take: 50
+        // is_client_credentials: true // Machine to Machine アプリケーションに絞る
+    });
+    const clients = existingApps.data.clients;
+    console.log(clients.length, 'existingApps exist.', clients);
+    console.log(clients.length, 'clients found.');
+}
+export async function run() {
+    if (typeof AUTH0_AUDIENCE !== 'string') {
+        throw new Error('set envs!');
+    }
+    try {
+        await findOrCreateServiceAccount(
+            `sampleServiceAccount-${moment()
+                .format('YYYY-MM-DDTHH:mm:ss')}`,
+            'cinerino',
+            ['inventoryManager', 'user'],
+            AUTH0_AUDIENCE
+        );
+    } catch (error) {
+        console.error('Failed to run provisioning script:', error);
+    }
+}
+run();

package/example/src/idaas/auth0/getToken.ts ADDED Viewed

@@ -0,0 +1,55 @@
+// tslint:disable:no-implicit-dependencies no-console
+interface IAuth0Config {
+    auth0Domain: string;
+    clientId: string;
+    clientSecret: string;
+    audience: string;
+}
+// 環境変数から機密情報を取得することを強く推奨します
+const config: IAuth0Config = {
+    auth0Domain: String(process.env.AUTH0_DOMAIN),
+    clientId: String(process.env.AUTH0_CLIENT_ID),
+    clientSecret: String(process.env.AUTH0_CLIENT_SECRET),
+    audience: String(process.env.AUTH0_AUDIENCE)
+    // scopes: process.env.OKTA_SCOPES || 'api_access_scope openid', // 必要なスコープを指定
+    // authServerId: 'aussd9v86wlIar3cX697', // デフォルト承認サーバーを使用する場合はコメントアウトまたは指定しない
+};
+async function getToken() {
+    try {
+        const response = await fetch(
+            `https://${config.auth0Domain}/oauth/token`,
+            {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({
+                    client_id: config.clientId,
+                    client_secret: config.clientSecret,
+                    audience: config.audience,
+                    grant_type: 'client_credentials'
+                    // organization: 'org_zuMP9ng42QSgZ5Kn'
+                })
+            });
+        if (!response.ok) {
+            console.log(await response.json());
+            throw new Error('Network response was not ok');
+        }
+        const data = await response.json();
+        console.log(data);
+        return data;
+    } catch (error) {
+        console.error('Error fetching token:', error);
+    }
+}
+export async function main() {
+    const token = await getToken();
+    console.log(token);
+}
+main()
+    .catch(console.error);

package/example/src/idaas/auth0/getTokenByPrivateKeyJWT.ts ADDED Viewed

@@ -0,0 +1,84 @@
+// tslint:disable:no-implicit-dependencies no-console
+import * as crypto from 'crypto';
+import { readFileSync } from 'fs';
+import { SignJWT } from 'jose';
+import * as uuid from 'uuid';
+const PRIVATE_KEY_FILE_PATH = `${__dirname}/../../samplePrivateKey.pem`;
+interface IAuth0Config {
+    auth0Domain: string;
+    clientId: string;
+    privateKeyContent: string; // PEM形式の秘密鍵の内容 (例: fs.readFileSync('private_key.pem', 'utf8'))
+    audience: string;
+}
+// 環境変数から機密情報を取得することを強く推奨します
+const auth0config: IAuth0Config = {
+    auth0Domain: String(process.env.AUTH0_DOMAIN),
+    clientId: String(process.env.AUTH0_CLIENT_ID),
+    // keyId: 'xxx',
+    privateKeyContent: readFileSync(PRIVATE_KEY_FILE_PATH, 'utf8'), // 秘密鍵の内容を読み込む
+    audience: String(process.env.AUTH0_AUDIENCE)
+    // scopes: process.env.OKTA_SCOPES || 'api_access_scope openid', // 必要なスコープを指定
+    // authServerId: 'aussd9v86wlIar3cX697', // デフォルト承認サーバーを使用する場合はコメントアウトまたは指定しない
+};
+async function generateJwtAssertion(config: IAuth0Config) {
+    const privateKeyPEM = crypto.createPrivateKey(readFileSync(PRIVATE_KEY_FILE_PATH, 'utf8'));
+    return new SignJWT({})
+        .setProtectedHeader({
+            alg: 'RS256' // or RS384 or PS256
+            // kid: '(OPTIONAL) KID_GENERATED_BY_AUTH0'
+        })
+        .setIssuedAt()
+        .setIssuer(config.clientId)
+        .setSubject(config.clientId)
+        .setAudience(`https://${config.auth0Domain}/`)
+        .setExpirationTime('1m')
+        .setJti(uuid.v4())
+        .sign(privateKeyPEM);
+}
+async function getToken() {
+    try {
+        const jwtAssertion = await generateJwtAssertion(auth0config);
+        console.log('jwtAssertion:', jwtAssertion);
+        const body = new URLSearchParams({
+            grant_type: 'client_credentials',
+            client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+            client_assertion: jwtAssertion,
+            audience: auth0config.audience
+            // scope: config.scopes,
+        }).toString();
+        const response = await fetch(
+            `https://${auth0config.auth0Domain}/oauth/token`,
+            {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: body
+            });
+        if (!response.ok) {
+            console.log(await response.json());
+            throw new Error('Network response was not ok');
+        }
+        const data = await response.json();
+        console.log(data);
+        return data;
+    } catch (error) {
+        console.error('Error fetching token:', error);
+    }
+}
+export async function main() {
+    const token = await getToken();
+    console.log(token);
+}
+main()
+    .catch(console.error);

package/lib/chevre/repo/member.d.ts CHANGED Viewed

@@ -125,6 +125,7 @@ export declare class MemberRepo {
     }): Promise<import("mongodb").DeleteResult>;
     /**
      * メンバーの権限を持つプロジェクト検索
+     * ANY_PROJECT_IDは除外
      */
     searchProjectIdsByMemberId(params: {
         member: {

package/lib/chevre/repo/member.js CHANGED Viewed

@@ -18,6 +18,7 @@ const AVAILABLE_PROJECT_FIELDS = [
     'typeOf',
     'member'
 ];
+const ANY_PROJECT_ID = '*';
 /**
  * IAMメンバーリポジトリ
  */
@@ -112,7 +113,7 @@ class MemberRepo {
                 throw new factory.errors.ArgumentNull('project.id');
             }
             const filterQueries = MemberRepo.CREATE_MONGO_CONDITIONS({
-                project: { id: { $in: [params.project.id, '*'] } }, // 全プロジェクトで利用可能なクライアントを考慮(2025-01-11~)
+                project: { id: { $in: [params.project.id, ANY_PROJECT_ID] } }, // 全プロジェクトで利用可能なクライアントを考慮(2025-01-11~)
                 member: {
                     typeOf: { $eq: factory.creativeWorkType.WebApplication },
                     memberOf: { typeOf: { $eq: factory.organizationType.Project } }, // プロジェクトメンバーのはず
@@ -283,6 +284,7 @@ class MemberRepo {
     }
     /**
      * メンバーの権限を持つプロジェクト検索
+     * ANY_PROJECT_IDは除外
      */
     searchProjectIdsByMemberId(params) {
         return __awaiter(this, void 0, void 0, function* () {
@@ -293,7 +295,10 @@ class MemberRepo {
             if (typeof params.page !== 'number') {
                 throw new factory.errors.ArgumentNull('page');
             }
-            const matchStages = [{ $match: { 'member.id': { $eq: params.member.id } } }];
+            const matchStages = [
+                { $match: { 'member.id': { $eq: params.member.id } } },
+                { $match: { 'project.id': { $ne: ANY_PROJECT_ID } } }
+            ];
             if (typeof ((_b = (_a = params.project) === null || _a === void 0 ? void 0 : _a.id) === null || _b === void 0 ? void 0 : _b.$eq) === 'string') {
                 matchStages.push({ $match: { 'project.id': { $eq: params.project.id.$eq } } });
             }

package/package.json CHANGED Viewed

@@ -49,10 +49,12 @@
     "@types/sinon-mongoose": "^1.3.11",
     "@types/uniqid": "^4.1.3",
     "@types/uuid": "^3.4.10",
+    "auth0": "4.27.0",
     "coveralls": "^3.1.0",
     "csvtojson": "^2.0.10",
     "eslint": "9.16.0",
     "googleapis": "^85.0.0",
+    "jose": "6.0.12",
     "json2csv": "4.5.4",
     "mocha": "10.6.0",
     "mongoose": "8.0.4",
@@ -113,5 +115,5 @@
     "postversion": "git push origin --tags",
     "prepublishOnly": "npm run clean && npm run build && npm test && npm run doc"
   },
-  "version": "22.11.0-alpha.10"
+  "version": "22.11.0-alpha.11"
 }