@cubist-labs/cubesigner-sdk 0.1.77 → 0.2.15

package/src/schema_types.ts

@@ -0,0 +1,110 @@
+import { MfaPolicy } from "./role";
+import { components } from "./schema";
+import { JsonMap } from "./util";
+
+type schemas = components["schemas"];
+
+export type UserInfo = schemas["UserInfo"];
+export type ConfiguredMfa = schemas["ConfiguredMfa"];
+export type RatchetConfig = schemas["RatchetConfig"];
+export type IdentityProof = schemas["IdentityProof"];
+export type TotpInfo = schemas["TotpInfo"];
+
+export type OidcAuthResponse = schemas["NewSessionResponse"];
+export type ApiAddFidoChallenge = schemas["FidoCreateChallengeResponse"];
+export type ApiMfaFidoChallenge = schemas["FidoAssertChallenge"];
+
+export type PublicKeyCredentialCreationOptions = schemas["PublicKeyCredentialCreationOptions"];
+export type PublicKeyCredentialRequestOptions = schemas["PublicKeyCredentialRequestOptions"];
+export type PublicKeyCredentialParameters = schemas["PublicKeyCredentialParameters"];
+export type PublicKeyCredentialDescriptor = schemas["PublicKeyCredentialDescriptor"];
+export type AuthenticatorSelectionCriteria = schemas["AuthenticatorSelectionCriteria"];
+export type PublicKeyCredentialUserEntity = schemas["PublicKeyCredentialUserEntity"];
+export type PublicKeyCredential = schemas["PublicKeyCredential"];
+
+export type OrgInfo = schemas["OrgInfo"];
+export type UserIdInfo = schemas["UserIdInfo"];
+export type UpdateOrgRequest = schemas["UpdateOrgRequest"];
+export type UpdateOrgResponse = schemas["UpdateOrgResponse"];
+
+export type OidcIdentity = schemas["OIDCIdentity"];
+export type MemberRole = schemas["MemberRole"];
+
+export type SchemaKeyType = schemas["KeyType"];
+
+export type ListKeysResponse = schemas["PaginatedListKeysResponse"];
+export type UpdateKeyRequest = schemas["UpdateKeyRequest"];
+export type KeyInfoApi = schemas["KeyInfo"];
+export type KeyInRoleInfo = schemas["KeyInRoleInfo"];
+export type UserInRoleInfo = schemas["UserInRoleInfo"];
+export type KeyTypeApi = schemas["KeyType"];
+
+export type ListRolesResponse = schemas["PaginatedListRolesResponse"];
+export type ListRoleKeysResponse = schemas["PaginatedListRoleKeysResponse"];
+export type ListRoleUsersResponse = schemas["PaginatedListRoleUsersResponse"];
+export type UpdateRoleRequest = schemas["UpdateRoleRequest"];
+export type KeyWithPoliciesInfo = schemas["KeyInRoleInfo"];
+export type RoleInfo = schemas["RoleInfo"];
+
+export type SessionInfo = schemas["SessionInfo"];
+export type ClientSessionInfo = schemas["ClientSessionInfo"];
+export type NewSessionResponse = schemas["NewSessionResponse"];
+export type SessionsResponse = schemas["PaginatedSessionsResponse"];
+
+export type CreateSignerSessionRequest = schemas["CreateTokenRequest"];
+export type RefreshSignerSessionRequest = schemas["AuthData"];
+
+export type EvmSignRequest = schemas["Eth1SignRequest"];
+export type EvmSignResponse = schemas["Eth1SignResponse"];
+export type Eth2SignRequest = schemas["Eth2SignRequest"];
+export type Eth2SignResponse = schemas["Eth2SignResponse"];
+export type Eth2StakeRequest = schemas["StakeRequest"];
+export type Eth2StakeResponse = schemas["StakeResponse"];
+export type Eth2UnstakeRequest = schemas["UnstakeRequest"];
+export type Eth2UnstakeResponse = schemas["UnstakeResponse"];
+export type BlobSignRequest = schemas["BlobSignRequest"];
+export type BlobSignResponse = schemas["BlobSignResponse"];
+export type BtcSignRequest = schemas["BtcSignRequest"];
+export type BtcSignResponse = schemas["BtcSignResponse"];
+export type SolanaSignRequest = schemas["SolanaSignRequest"];
+export type SolanaSignResponse = schemas["SolanaSignResponse"];
+export type AvaSignRequest = schemas["AvaSignRequest"];
+export type AvaSignResponse = schemas["AvaSignResponse"];
+
+export type AcceptedResponse = schemas["AcceptedResponse"];
+export type ErrorResponse = schemas["ErrorResponse"];
+export type BtcSignatureKind = schemas["BtcSignatureKind"];
+
+export type MfaType = schemas["MfaType"];
+export type MfaRequestInfo = schemas["MfaRequestInfo"];
+
+export type UserExportInitRequest = schemas["UserExportInitRequest"];
+export type UserExportInitResponse = schemas["UserExportInitResponse"];
+export type UserExportCompleteRequest = schemas["UserExportCompleteRequest"];
+export type UserExportCompleteResponse = schemas["UserExportCompleteResponse"];
+export type UserExportListResponse = schemas["PaginatedUserExportListResponse"];
+export type UserExportKeyMaterial = schemas["JsonKeyPackage"];
+
+/** Options for a new OIDC user */
+export interface CreateOidcUserOptions {
+  /** The role of an OIDC user, default is "Alien" */
+  memberRole?: MemberRole;
+  /** Optional MFA policy to associate with the user account */
+  mfaPolicy?: MfaPolicy;
+}
+
+/** Ava P- or X-chain transaction */
+export type AvaTx = { P: AvaPChainTx } | { X: AvaXChainTx };
+
+/** Ava P-chain transaction */
+export type AvaPChainTx =
+  | { AddPermissionlessValidator: JsonMap }
+  | { AddSubnetValidator: JsonMap }
+  | { AddValidator: JsonMap }
+  | { CreateChain: JsonMap }
+  | { CreateSubnet: JsonMap }
+  | { Export: JsonMap }
+  | { Import: JsonMap };
+
+/** Ava X-chain transaction */
+export type AvaXChainTx = { Base: JsonMap } | { Export: JsonMap } | { Import: JsonMap };

package/src/session/cognito_manager.ts

@@ -1,10 +1,14 @@
-import { Client } from "../client";
+import path from "path";
+import { Client } from "../api";
 import { EnvInterface } from "../env";
-import { HasEnv, SessionManager } from "./session_manager";
-import { SessionStorage } from "./session_storage";
+import { HasEnv, OrgSessionManager } from "./session_manager";
+import { JsonFileSessionStorage, SessionStorage } from "./session_storage";
+import { configDir } from "../util";
 
 /** JSON representation of our "management session" file format */
 export interface CognitoSessionObject {
+  /** The organization ID */
+  org_id: string;
   /** The email address of the user */
   email: string;
   /** The ID token */
@@ -23,7 +27,7 @@ export interface CognitoSessionInfo extends CognitoSessionObject, HasEnv {}
 export type CognitoSessionStorage = SessionStorage<CognitoSessionInfo>;
 
 /** The session manager for cognito (management) sessions */
-export class CognitoSessionManager extends SessionManager<CognitoSessionInfo> {
+export class CognitoSessionManager extends OrgSessionManager<CognitoSessionInfo> {
   #client: Client;
 
   /**
@@ -116,19 +120,42 @@ export class CognitoSessionManager extends SessionManager<CognitoSessionInfo> {
     const sessionInfo = await storage.retrieve();
     return new CognitoSessionManager(
       sessionInfo.env["Dev-CubeSignerStack"],
+      sessionInfo.org_id,
       sessionInfo.id_token,
       storage,
     );
   }
 
+  /**
+   * Loads an existing management session and creates a Cognito session manager for it.
+   *
+   * @param {CognitoSessionStorage} storage Optional session storage to load
+   * the session from. If not specified, the management session from the config
+   * directory will be loaded.
+   * @return {Promise<CognitoSessionManager>} Cognito session manager
+   */
+  static async loadManagementSession(
+    storage?: CognitoSessionStorage,
+  ): Promise<CognitoSessionManager> {
+    return await CognitoSessionManager.loadFromStorage(
+      storage ?? new JsonFileSessionStorage(path.join(configDir(), "management-session.json")),
+    );
+  }
+
   /**
    * Constructor.
    * @param {EnvInterface} env The environment of the session
+   * @param {string} orgId The id of the org associated with this session
    * @param {string} token The current token of the session
    * @param {CognitoSessionStorage} storage The storage back end to use
    */
-  private constructor(env: EnvInterface, token: string, storage: CognitoSessionStorage) {
-    super(env, storage);
+  private constructor(
+    env: EnvInterface,
+    orgId: string,
+    token: string,
+    storage: CognitoSessionStorage,
+  ) {
+    super(env, orgId, storage);
     this.#client = this.createClient(token);
   }
 }

package/src/session/session_manager.ts

@@ -1,7 +1,6 @@
 import { SessionStorage } from "..";
 import { EnvInterface } from "../env";
-import { paths, Client } from "../client";
-import createClient from "openapi-fetch";
+import { Client, createHttpClient } from "../api";
 
 const DEFAULT_EXPIRATION_BUFFER_SECS = 30;
 
@@ -83,12 +82,7 @@ export abstract class SessionManager<U> {
    * @return {Client} The new REST client
    */
   protected createClient(token: string): Client {
-    return createClient<paths>({
-      baseUrl: this.env.SignerApiRoot,
-      headers: {
-        Authorization: token,
-      },
-    });
+    return createHttpClient(this.env.SignerApiRoot, token);
   }
 
   /**

package/src/session/signer_session_manager.ts

@@ -1,16 +1,13 @@
-import { CubeSigner, EnvInterface } from "..";
-import { assertOk } from "../util";
-import { components, paths, Client } from "../client";
+import { EnvInterface } from "..";
+import {
+  ClientSessionInfo,
+  NewSessionResponse,
+  RefreshSignerSessionRequest,
+} from "../schema_types";
+import { Client } from "../api";
 import { HasEnv, OrgSessionManager } from "./session_manager";
 import { MemorySessionStorage, SessionStorage } from "./session_storage";
-
-export type ClientSessionInfo = components["schemas"]["ClientSessionInfo"];
-export type NewSessionResponse = components["schemas"]["NewSessionResponse"];
-
-export type CreateSignerSessionRequest =
-  paths["/v0/org/{org_id}/roles/{role_id}/tokens"]["post"]["requestBody"]["content"]["application/json"];
-export type RefreshSignerSessionRequest =
-  paths["/v1/org/{org_id}/token/refresh"]["patch"]["requestBody"]["content"]["application/json"];
+import { assertOk } from "../util";
 
 /** JSON representation of our "signer session" file format */
 export interface SignerSessionObject {
@@ -42,16 +39,8 @@ export interface SignerSessionLifetime {
   grace?: number;
 }
 
-const defaultSignerSessionLifetime: SignerSessionLifetime = {
-  session: 604800,
-  auth: 300,
-  refresh: 86400,
-  grace: 30,
-};
-
 /** Manager for signer sessions. */
 export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
-  readonly cs?: CubeSigner;
   #client: Client;
 
   /**
@@ -64,8 +53,9 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
   }
 
   /**
-   * Returns a client with the current session and refreshes the current
-   * session. May **UPDATE/MUTATE** self.
+   * Refreshes the current session if needed, then returns a client using the current session.
+   *
+   * May **UPDATE/MUTATE** self.
    */
   async client(): Promise<Client> {
     await this.refreshIfNeeded();
@@ -74,19 +64,9 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
 
   /** Revokes the session. */
   async revoke(): Promise<void> {
-    if (!this.cs) {
-      throw new Error("No management session available");
-    }
-    const session = await this.storage.retrieve();
-    const resp = await (
-      await this.cs.management()
-    ).del("/v0/org/{org_id}/session/{session_id}", {
-      params: {
-        path: {
-          org_id: session.org_id,
-          session_id: session.session_info.session_id,
-        },
-      },
+    const client = await this.client();
+    const resp = await client.del("/v0/org/{org_id}/session/self", {
+      params: { path: { org_id: this.orgId } },
       parseAs: "json",
     });
     assertOk(resp);
@@ -106,10 +86,11 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
    * Refreshes the session and **UPDATES/MUTATES** self.
    */
   async refresh(): Promise<void> {
-    const session = await this.storage.retrieve();
-    const csi = session.session_info;
+    const currSession = await this.storage.retrieve();
+
+    const csi = currSession.session_info;
     const resp = await this.#client.patch("/v1/org/{org_id}/token/refresh", {
-      params: { path: { org_id: session.org_id } },
+      params: { path: { org_id: this.orgId } },
       body: <RefreshSignerSessionRequest>{
         epoch_num: csi.epoch,
         epoch_token: csi.epoch_token,
@@ -118,63 +99,14 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
       parseAs: "json",
     });
     const data = assertOk(resp);
-    await this.storage.save(<SignerSessionData>{
-      ...session,
+    const newSession = <SignerSessionData>{
+      ...currSession,
       session_info: data.session_info,
       token: data.token,
-    });
-    this.#client = this.createClient(data.token);
-  }
-
-  /**
-   * Create a new signer session.
-   * @param {CubeSigner} cs The CubeSigner instance
-   * @param {SignerSessionStorage} storage The session storage to use
-   * @param {string} orgId Org ID
-   * @param {string} roleId Role ID
-   * @param {string} purpose The purpose of the session
-   * @param {SignerSessionLifetime} ttl Lifetime settings
-   * @return {Promise<SignerSessionManager>} New signer session
-   */
-  static async create(
-    cs: CubeSigner,
-    storage: SignerSessionStorage,
-    orgId: string,
-    roleId: string,
-    purpose: string,
-    ttl?: SignerSessionLifetime,
-  ): Promise<SignerSessionManager> {
-    const resp = await (
-      await cs.management()
-    ).post("/v0/org/{org_id}/roles/{role_id}/tokens", {
-      params: { path: { org_id: orgId, role_id: roleId } },
-      body: {
-        purpose,
-        auth_lifetime: ttl?.auth || defaultSignerSessionLifetime.auth,
-        refresh_lifetime: ttl?.refresh || defaultSignerSessionLifetime.refresh,
-        session_lifetime: ttl?.session || defaultSignerSessionLifetime.session,
-        grace_lifetime: ttl?.grace || defaultSignerSessionLifetime.grace,
-      },
-      parseAs: "json",
-    });
-    const data = assertOk(resp);
-    const session_info = data.session_info;
-    if (!session_info) {
-      throw new Error("Signer session info missing");
-    }
-    const sessionData = {
-      org_id: orgId,
-      role_id: roleId,
-      purpose,
-      token: data.token,
-      session_info,
-      // Keep compatibility with tokens produced by CLI
-      env: {
-        ["Dev-CubeSignerStack"]: cs.env,
-      },
     };
-    await storage.save(sessionData);
-    return new SignerSessionManager(sessionData, storage, cs);
+
+    await this.storage.save(newSession);
+    this.#client = this.createClient(newSession.token);
   }
 
   /**
@@ -206,36 +138,23 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
 
   /**
    * Uses an existing session to create a new signer session manager.
+   *
    * @param {SignerSessionStorage} storage The session storage to use
-   * @param {CubeSigner} cs Optional CubeSigner instance.
-   *    Currently used for token revocation; will be completely removed
-   *    since token revocation should not require management session.
    * @return {Promise<SingerSession>} New signer session manager
    */
-  static async loadFromStorage(
-    storage: SignerSessionStorage,
-    cs?: CubeSigner,
-  ): Promise<SignerSessionManager> {
+  static async loadFromStorage(storage: SignerSessionStorage): Promise<SignerSessionManager> {
     const session = await storage.retrieve();
-    return new SignerSessionManager(session, storage, cs);
+    return new SignerSessionManager(session, storage);
   }
 
   /**
    * Constructor.
+   *
    * @param {SignerSessionData} sessionData Session data
-   * @param {SignerSessionStorage} storage The session storage to use
-   * @param {CubeSigner} cs Optional CubeSigner instance.
-   *    Currently used for token revocation; will be completely removed
-   *    since token revocation should not require management session.
-   * @internal
+   * @param {SignerSessionStorage} storage The session storage to use.
    */
-  private constructor(
-    sessionData: SignerSessionData,
-    storage: SignerSessionStorage,
-    cs?: CubeSigner,
-  ) {
+  private constructor(sessionData: SignerSessionData, storage: SignerSessionStorage) {
     super(sessionData.env["Dev-CubeSignerStack"], sessionData.org_id, storage);
-    this.cs = cs;
     this.#client = this.createClient(sessionData.token);
   }
 }