@codemowers/oidc-key-manager 0.1.0

package/LICENCE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Codemowers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,103 @@
+oidc-key-manager
+=================
+
+CLI to manage secret keys required by oidc-gateway
+
+<!-- toc -->
+* [Usage](#usage)
+* [Commands](#commands)
+<!-- tocstop -->
+* [Usage](#usage)
+* [Commands](#commands)
+<!-- tocstop -->
+# Usage
+<!-- usage -->
+```sh-session
+$ npm install -g @codemowers/oidc-key-manager
+$ key-manager COMMAND
+running command...
+$ key-manager (--version)
+@codemowers/oidc-key-manager/0.1.0 linux-x64 node-v16.17.0
+$ key-manager --help [COMMAND]
+USAGE
+  $ key-manager COMMAND
+...
+```
+<!-- usagestop -->
+```sh-session
+$ npm install -g oidc-key-manager
+$ key-manager COMMAND
+running command...
+$ key-manager (--version)
+oidc-key-manager/0.0.0 linux-x64 node-v18.15.0
+$ key-manager --help [COMMAND]
+USAGE
+  $ key-manager COMMAND
+...
+```
+<!-- usagestop -->
+# Commands
+<!-- commands -->
+* [`key-manager initialize`](#key-manager-initialize)
+
+## `key-manager initialize`
+
+Initialize the secret with initial keys
+
+```
+USAGE
+  $ key-manager initialize -c local|cluster [--json] [-n <value>] [-s <value>] [--recreate]
+
+FLAGS
+  -c, --config=<option>    (required) use local or in-cluster Kubernetes config
+                           <options: local|cluster>
+  -n, --namespace=<value>  namespace, defaults to current namespace if service account is used
+  -s, --secret=<value>     [default: oidc-keys] secret name
+  --recreate               recreate the secret if it exists
+
+GLOBAL FLAGS
+  --json  Format output as json.
+
+DESCRIPTION
+  Initialize the secret with initial keys
+
+EXAMPLES
+  $ key-manager initialize
+
+  $ key-manager initialize
+
+  $ key-manager initialize -n <kube namespace> -s <secret name>
+
+  $ key-manager initialize --namespace <kube namespace> --secret <secret name> --recreate
+```
+
+_See code: [dist/commands/initialize.ts](https://github.com/codemowers/oidc-key-manager/blob/v0.1.0/dist/commands/initialize.ts)_
+<!-- commandsstop -->
+* [`key-manager initialize`](#key-manager-initialize)
+
+## `key-manager initialize`
+
+Initialize the secret with initial keys
+
+```
+USAGE
+  $ key-manager initialize [-n <value>] [-s <value>] [--recreate]
+
+FLAGS
+  -n, --namespace=<value>  namespace, defaults to current namespace if service account is used
+  -s, --secret=<value>     [default: oidc-keys] secret name
+  --recreate               recreate the secret if it exists
+
+DESCRIPTION
+  Initialize the secret with initial keys
+
+EXAMPLES
+  $ key-manager initialize
+
+  $ key-manager initialize -n <kube namespace> -s <secret name>
+
+  $ key-manager initialize --namespace <kube namespace> --secret <secret name> --recreate
+```
+
+_See code: [dist/commands/initialize.ts](https://github.com/codemowers/oidc-key-manager/blob/v0.0.0/dist/commands/initialize.ts)_
+<!-- commandsstop -->

package/bin/dev

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+
+const oclif = require('@oclif/core')
+
+const path = require('path')
+const project = path.join(__dirname, '..', 'tsconfig.json')
+
+// In dev mode -> use ts-node and dev plugins
+process.env.NODE_ENV = 'development'
+
+require('ts-node').register({project})
+
+// In dev mode, always show stack traces
+oclif.settings.debug = true;
+
+// Start the CLI
+oclif.run().then(oclif.flush).catch(oclif.Errors.handle)

package/bin/dev.cmd

@@ -0,0 +1,3 @@
+@echo off
+
+node "%~dp0\dev" %*

package/bin/run

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+const oclif = require('@oclif/core')
+
+oclif.run().then(require('@oclif/core/flush')).catch(require('@oclif/core/handle'))

package/bin/run.cmd

@@ -0,0 +1,3 @@
+@echo off
+
+node "%~dp0\run" %*

package/dist/commands/initialize.d.ts

@@ -0,0 +1,14 @@
+import { Command } from '@oclif/core';
+export default class Initialize extends Command {
+    static description: string;
+    static enableJsonFlag: boolean;
+    static examples: string[];
+    static flags: {
+        namespace: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+        secret: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+        config: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+        recreate: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+    };
+    static args: {};
+    run(): Promise<void>;
+}

package/dist/commands/initialize.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+const core_1 = require("@oclif/core");
+const common_flags_1 = tslib_1.__importDefault(require("../helpers/common-flags"));
+const kube_api_service_1 = require("../helpers/kube-api-service");
+const secret_1 = require("../helpers/secret");
+class Initialize extends core_1.Command {
+    async run() {
+        const { flags } = await this.parse(Initialize);
+        const kubeApiService = new kube_api_service_1.KubeApiService(this, flags);
+        kubeApiService.printConfiguration();
+        const exists = await kubeApiService.checkSecretExistence();
+        if (exists && !flags.recreate) {
+            this.exit(0);
+        }
+        if (exists) {
+            await kubeApiService.deleteSecret();
+        }
+        const secret = new secret_1.Secret();
+        this.log('Generating secret');
+        secret.generateNew();
+        await kubeApiService.createSecret(secret);
+    }
+}
+exports.default = Initialize;
+Initialize.description = 'Initialize the secret with initial keys';
+Initialize.enableJsonFlag = true;
+Initialize.examples = [
+    '<%= config.bin %> <%= command.id %>',
+    '<%= config.bin %> <%= command.id %>',
+    '<%= config.bin %> <%= command.id %> -n <kube namespace> -s <secret name>',
+    '<%= config.bin %> <%= command.id %> --namespace <kube namespace> --secret <secret name> --recreate',
+];
+Initialize.flags = {
+    ...common_flags_1.default,
+};
+Initialize.args = {};

package/dist/helpers/common-flags.d.ts

@@ -0,0 +1,17 @@
+export interface CommonFlagsInterface {
+    namespace: string | undefined;
+    secret: string;
+    recreate: boolean;
+    config: string;
+}
+export declare enum ConfigType {
+    Local = "local",
+    InCluster = "cluster"
+}
+declare const _default: {
+    namespace: import("@oclif/core/lib/interfaces").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+    secret: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+    config: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces/parser").CustomOptions>;
+    recreate: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+};
+export default _default;

package/dist/helpers/common-flags.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigType = void 0;
+const core_1 = require("@oclif/core");
+var ConfigType;
+(function (ConfigType) {
+    ConfigType["Local"] = "local";
+    ConfigType["InCluster"] = "cluster";
+})(ConfigType = exports.ConfigType || (exports.ConfigType = {}));
+exports.default = {
+    namespace: core_1.Flags.string({ char: 'n', description: 'namespace, defaults to current namespace if service account is used', aliases: ['namespace'], required: false }),
+    secret: core_1.Flags.string({ char: 's', description: 'secret name', aliases: ['secret'], default: 'oidc-keys', required: false }),
+    config: core_1.Flags.string({ char: 'c', description: 'use local or in-cluster Kubernetes config', aliases: ['config'], required: true, options: [ConfigType.Local, ConfigType.InCluster] }),
+    recreate: core_1.Flags.boolean({ description: 'recreate the secret if it exists', aliases: ['recreate'], required: false }),
+};

package/dist/helpers/kube-api-service.d.ts

@@ -0,0 +1,16 @@
+import { CommonFlagsInterface } from './common-flags';
+import { Command } from '@oclif/core';
+import { Secret } from './secret';
+export declare class KubeApiService {
+    #private;
+    private kc;
+    private coreV1Api;
+    private namespace;
+    private command;
+    private secretName;
+    constructor(command: Command, flags: CommonFlagsInterface);
+    printConfiguration(): void;
+    checkSecretExistence(): Promise<boolean>;
+    deleteSecret(): Promise<void>;
+    createSecret(secret: Secret): Promise<void>;
+}

package/dist/helpers/kube-api-service.js

@@ -0,0 +1,62 @@
+"use strict";
+var _KubeApiService_instances, _KubeApiService_validate;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KubeApiService = void 0;
+const tslib_1 = require("tslib");
+const client_node_1 = require("@kubernetes/client-node");
+const common_flags_1 = require("./common-flags");
+const Undefined = 'undefined';
+class KubeApiService {
+    constructor(command, flags) {
+        var _a, _b, _c;
+        _KubeApiService_instances.add(this);
+        this.command = command;
+        this.kc = new client_node_1.KubeConfig();
+        flags.config === common_flags_1.ConfigType.InCluster ? this.kc.loadFromCluster() : this.kc.loadFromDefault();
+        this.namespace = (_c = (_a = flags.namespace) !== null && _a !== void 0 ? _a : (_b = this.kc.getContextObject(this.kc.getCurrentContext())) === null || _b === void 0 ? void 0 : _b.namespace) !== null && _c !== void 0 ? _c : Undefined;
+        this.coreV1Api = this.kc.makeApiClient(client_node_1.CoreV1Api);
+        this.secretName = flags.secret;
+        tslib_1.__classPrivateFieldGet(this, _KubeApiService_instances, "m", _KubeApiService_validate).call(this);
+    }
+    printConfiguration() {
+        var _a;
+        this.command.log('Using Kubernetes parameters:', {
+            ...this.kc.getContextObject(this.kc.getCurrentContext()),
+            server: (_a = this.kc.getCurrentCluster()) === null || _a === void 0 ? void 0 : _a.server,
+            secretName: this.secretName,
+        });
+    }
+    async checkSecretExistence() {
+        this.command.log(`Checking if secret ${this.secretName} exists`);
+        const exists = await this.coreV1Api.readNamespacedSecret(this.secretName, this.namespace)
+            .then(() => true)
+            .catch(error => {
+            if (error.status === 404) {
+                return false;
+            }
+        });
+        this.command.log(exists ? `Secret ${this.secretName} already exists` : `Secret ${this.secretName} does not exist`);
+        return Boolean(exists);
+    }
+    async deleteSecret() {
+        this.command.log(`Deleting existing secret ${this.secretName}`);
+        await this.coreV1Api.deleteNamespacedSecret(this.secretName, this.namespace).then(() => true);
+        this.command.log(`Existing secret ${this.secretName} deleted`);
+    }
+    async createSecret(secret) {
+        this.command.log(`Creating secret ${this.secretName}`);
+        await this.coreV1Api.createNamespacedSecret(this.namespace, secret.toKubeSecret(this.secretName));
+        this.command.log(`Created secret ${this.secretName}`);
+    }
+}
+exports.KubeApiService = KubeApiService;
+_KubeApiService_instances = new WeakSet(), _KubeApiService_validate = function _KubeApiService_validate() {
+    if (this.namespace === Undefined) {
+        this.command.error('namespace is undefined', {
+            suggestions: [
+                'set namespace with -n',
+                'configure service account for this deployment/job',
+            ],
+        });
+    }
+};

package/dist/helpers/secret.d.ts

@@ -0,0 +1,9 @@
+import { V1Secret } from '@kubernetes/client-node';
+export declare class Secret {
+    #private;
+    private JWKs;
+    private CookieKeys;
+    constructor();
+    generateNew(): void;
+    toKubeSecret(secretName: string): V1Secret;
+}

package/dist/helpers/secret.js

@@ -0,0 +1,47 @@
+"use strict";
+var _Secret_instances, _Secret_generateRSAJwk, _Secret_generateCookieKey, _Secret_arrayToB64String, _Secret_getKubeSecretMetadata;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Secret = void 0;
+const tslib_1 = require("tslib");
+const jsrsasign_1 = require("jsrsasign");
+const client_node_1 = require("@kubernetes/client-node");
+const node_crypto_1 = tslib_1.__importDefault(require("node:crypto"));
+const JWKSKeyName = 'OIDC_JWKS';
+const CookieKeysKeyName = 'OIDC_COOKIE_KEYS';
+class Secret {
+    constructor() {
+        _Secret_instances.add(this);
+        this.JWKs = [];
+        this.CookieKeys = [];
+    }
+    generateNew() {
+        this.JWKs = [tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_generateRSAJwk).call(this, 4096)];
+        this.CookieKeys = [tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_generateCookieKey).call(this, 32)];
+    }
+    toKubeSecret(secretName) {
+        const secret = new client_node_1.V1Secret();
+        secret.metadata = tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_getKubeSecretMetadata).call(this, secretName);
+        secret.data = {};
+        secret.data[JWKSKeyName] = tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_arrayToB64String).call(this, this.JWKs);
+        secret.data[CookieKeysKeyName] = tslib_1.__classPrivateFieldGet(this, _Secret_instances, "m", _Secret_arrayToB64String).call(this, this.CookieKeys);
+        return secret;
+    }
+}
+exports.Secret = Secret;
+_Secret_instances = new WeakSet(), _Secret_generateRSAJwk = function _Secret_generateRSAJwk(len) {
+    const keypair = jsrsasign_1.KEYUTIL.generateKeypair('RSA', len);
+    const jwk = jsrsasign_1.KEYUTIL.getJWK(keypair.prvKeyObj);
+    return {
+        ...jwk,
+        use: 'sig',
+    };
+}, _Secret_generateCookieKey = function _Secret_generateCookieKey(size) {
+    return node_crypto_1.default.randomBytes(size).toString('hex');
+}, _Secret_arrayToB64String = function _Secret_arrayToB64String(array) {
+    const b = Buffer.from(JSON.stringify(array));
+    return b.toString('base64');
+}, _Secret_getKubeSecretMetadata = function _Secret_getKubeSecretMetadata(secretName) {
+    const metaData = new client_node_1.V1ObjectMeta();
+    metaData.name = secretName;
+    return metaData;
+};

package/dist/index.d.ts

@@ -0,0 +1 @@
+export { run } from '@oclif/core';

package/dist/index.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.run = void 0;
+var core_1 = require("@oclif/core");
+Object.defineProperty(exports, "run", { enumerable: true, get: function () { return core_1.run; } });

package/oclif.manifest.json

@@ -0,0 +1,78 @@
+{
+  "version": "0.1.0",
+  "commands": {
+    "initialize": {
+      "id": "initialize",
+      "description": "Initialize the secret with initial keys",
+      "strict": true,
+      "pluginName": "@codemowers/oidc-key-manager",
+      "pluginAlias": "@codemowers/oidc-key-manager",
+      "pluginType": "core",
+      "aliases": [],
+      "examples": [
+        "<%= config.bin %> <%= command.id %>",
+        "<%= config.bin %> <%= command.id %>",
+        "<%= config.bin %> <%= command.id %> -n <kube namespace> -s <secret name>",
+        "<%= config.bin %> <%= command.id %> --namespace <kube namespace> --secret <secret name> --recreate"
+      ],
+      "flags": {
+        "json": {
+          "name": "json",
+          "type": "boolean",
+          "description": "Format output as json.",
+          "helpGroup": "GLOBAL",
+          "allowNo": false
+        },
+        "namespace": {
+          "name": "namespace",
+          "type": "option",
+          "char": "n",
+          "description": "namespace, defaults to current namespace if service account is used",
+          "required": false,
+          "multiple": false,
+          "aliases": [
+            "namespace"
+          ]
+        },
+        "secret": {
+          "name": "secret",
+          "type": "option",
+          "char": "s",
+          "description": "secret name",
+          "required": false,
+          "multiple": false,
+          "default": "oidc-keys",
+          "aliases": [
+            "secret"
+          ]
+        },
+        "config": {
+          "name": "config",
+          "type": "option",
+          "char": "c",
+          "description": "use local or in-cluster Kubernetes config",
+          "required": true,
+          "multiple": false,
+          "options": [
+            "local",
+            "cluster"
+          ],
+          "aliases": [
+            "config"
+          ]
+        },
+        "recreate": {
+          "name": "recreate",
+          "type": "boolean",
+          "description": "recreate the secret if it exists",
+          "required": false,
+          "allowNo": false,
+          "aliases": [
+            "recreate"
+          ]
+        }
+      },
+      "args": {}
+    }
+  }
+}

package/package.json

@@ -0,0 +1,68 @@
+{
+  "name": "@codemowers/oidc-key-manager",
+  "version": "0.1.0",
+  "description": "CLI to manage secret keys required by oidc-gateway",
+  "author": "Erki Aas",
+  "bin": {
+    "key-manager": "./bin/run"
+  },
+  "homepage": "https://github.com/codemowers/oidc-key-manager",
+  "license": "MIT",
+  "main": "dist/index.js",
+  "repository": "codemowers/oidc-key-manager",
+  "files": [
+    "/bin",
+    "/dist",
+    "/npm-shrinkwrap.json",
+    "/oclif.manifest.json"
+  ],
+  "dependencies": {
+    "@kubernetes/client-node": "^0.18.1",
+    "@oclif/core": "^2.8.4",
+    "@oclif/plugin-help": "^5",
+    "@oclif/plugin-plugins": "^2.4.7",
+    "@types/jsrsasign": "^10.5.8",
+    "jsrsasign": "^10.8.6"
+  },
+  "devDependencies": {
+    "@oclif/test": "^2.3.17",
+    "@types/chai": "^4",
+    "@types/mocha": "^9.0.0",
+    "@types/node": "^16.18.25",
+    "chai": "^4",
+    "eslint": "^7.32.0",
+    "eslint-config-oclif": "^4",
+    "eslint-config-oclif-typescript": "^1.0.3",
+    "mocha": "^9",
+    "oclif": "^3",
+    "shx": "^0.3.3",
+    "ts-node": "^10.9.1",
+    "tslib": "^2.5.0",
+    "typescript": "^4.9.5"
+  },
+  "oclif": {
+    "bin": "key-manager",
+    "dirname": "key-manager",
+    "commands": "./dist/commands",
+    "topicSeparator": " ",
+    "topics": {
+      "hello": {
+        "description": "Say hello to the world and others"
+      }
+    }
+  },
+  "scripts": {
+    "build": "shx rm -rf dist && tsc -b",
+    "lint": "eslint . --ext .ts --config .eslintrc",
+    "postpack": "shx rm -f oclif.manifest.json",
+    "posttest": "npm run lint",
+    "prepack": "npm run build && oclif manifest && oclif readme",
+    "test": "mocha --forbid-only \"test/**/*.test.ts\"",
+    "version": "oclif readme && git add README.md"
+  },
+  "engines": {
+    "node": ">=12.0.0"
+  },
+  "bugs": "https://github.com/codemowers/oidc-key-manager/issues",
+  "types": "dist/index.d.ts"
+}