@cubist-labs/cubesigner-sdk 0.4.236 → 0.4.239

package/src/audit_log.ts

@@ -0,0 +1,195 @@
+import { z } from "zod/mini";
+import type { components } from "./schema";
+
+type OrgEventDiscriminants = components["schemas"]["OrgEventDiscriminants"];
+type BillingEvent = components["schemas"]["BillingEvent"];
+type MemberRole = components["schemas"]["MemberRole"];
+type OperationKind = components["schemas"]["OperationKind"];
+type KeyType = components["schemas"]["KeyType"];
+
+const schemaString = <T extends string>() => z.custom<T>((val) => typeof val === "string");
+
+const baseFields = {
+  /** The type of org event. */
+  event: z.string(),
+  /** UUID uniquely identifying this event across all events. */
+  event_id: z.string(),
+  /** The org in which this event occurred. */
+  org_id: z.string(),
+  /** ID of the HTTP request that triggered this event (one request can trigger multiple events). */
+  request_id: z.string(),
+  /** Timestamp of when the event was logged, formatted like YYYY-MM-DD HH:MM:SS.NNNNNNNNN */
+  time: z.string(),
+  /** ID of the user or role that triggered the event; absent for unauthenticated endpoints. */
+  triggered_by: z.nullable(z.string()),
+};
+
+export const auditLogEntrySchema = z.discriminatedUnion("event", [
+  z.object({
+    ...baseFields,
+    event: z.literal("Billing"),
+    kind: schemaString<BillingEvent>(),
+    user_id: z.optional(z.string()),
+    role_id: z.optional(z.string()),
+    key_id: z.optional(z.string()),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("Response"),
+    kind: schemaString<BillingEvent>(),
+    status: z.coerce.number(),
+    duration_ms: z.coerce.number(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("OidcAuth"),
+    issuer: z.string(),
+    membership: schemaString<MemberRole>(),
+    email: z.optional(z.string()),
+    username: z.optional(z.string()),
+    scopes: z.array(z.string()),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("Signed"),
+    kind: schemaString<OperationKind>(),
+    key_type: schemaString<KeyType>(),
+    key_id: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("BabylonEotsConcurrentSigning"),
+    key_id: z.string(),
+    chain_id: z.string(),
+    prev_block_height: z.coerce.number(),
+    prev_signing_hash: z.string(),
+    req_block_height: z.coerce.number(),
+    req_signing_hash: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("Eth2ConcurrentAttestationSigning"),
+    key_id: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("Eth2ConcurrentBlockSigning"),
+    key_id: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("Eth2InvalidBlockProposerSlotTooLow"),
+    slot: z.coerce.number(),
+    signing_root: z.string(),
+    last_slot: z.coerce.number(),
+    last_signing_root: z.string(),
+    enforced: z.coerce.boolean(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("Eth2InvalidAttestationSourceEpochTooLow"),
+    source_epoch: z.coerce.number(),
+    signing_root: z.string(),
+    last_target_epoch: z.coerce.number(),
+    last_signing_root: z.string(),
+    enforced: z.coerce.boolean(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("Eth2InvalidAttestationTargetEpochTooLow"),
+    target_epoch: z.coerce.number(),
+    signing_root: z.string(),
+    last_target_epoch: z.coerce.number(),
+    last_signing_root: z.string(),
+    enforced: z.coerce.boolean(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("Eth2Unstake"),
+    key_id: z.string(),
+    validator_index: z.coerce.number(),
+    daily_unstake_count: z.coerce.number(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("Eth2ExceededMaxUnstake"),
+    max: z.coerce.number(),
+    date: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("KeyCreated"),
+    key_type: schemaString<KeyType>(),
+    owner_id: z.string(),
+    count: z.coerce.number(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("MfaApproved"),
+    mfa_id: z.string(),
+    meets_approval_criteria: z.coerce.boolean(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("MfaRejected"),
+    mfa_id: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("PolicyChanged"),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("TendermintConcurrentSigning"),
+    key_id: z.string(),
+    chain_id: z.string(),
+    last_state: z.string(),
+    current_state: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("InvitationCreated"),
+    email: z.string(),
+    role: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("InvitationCanceled"),
+    email: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("UserExportInit"),
+    key_id: z.string(),
+    valid_epoch: z.coerce.number(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("UserExportComplete"),
+    key_id: z.string(),
+  }),
+  z.object({
+    ...baseFields,
+    event: z.literal("WasmPolicyExecuted"),
+    source: z.string(),
+    key_id: z.optional(z.string()),
+    policy: z.string(),
+    policy_hash: z.string(),
+    stdout: z.string(),
+    stderr: z.string(),
+    response: z.string(),
+    reason: z.optional(z.string()),
+    error: z.optional(z.string()),
+  }),
+]);
+
+export type AuditLogEntry = z.infer<typeof auditLogEntrySchema>;
+
+// Compile-time check: errors if a variant is added to OrgEventDiscriminants but not handled here.
+type _AllVariantsCovered = [OrgEventDiscriminants] extends [AuditLogEntry["event"]]
+  ? [AuditLogEntry["event"]] extends [OrgEventDiscriminants]
+    ? true
+    : never
+  : never;
+const _allVariantsCovered: _AllVariantsCovered = true;
+void _allVariantsCovered;

package/src/bucket.ts

@@ -0,0 +1,30 @@
+import type { Ace, AceAttribute } from "./acl";
+import type { BucketAction, schemas } from "./schema_types";
+
+/** Access control entry for policy buckets */
+export type BucketAce = Ace<
+  BucketAction,
+  {
+    policy_ids?: AceAttribute<string>;
+    bucket_keys?: AceAttribute<string>;
+  }
+>;
+
+/** Policy bucket information (like the one from {@link schemas} but with more precise `acl`) */
+export type BucketInfo = schemas["BucketInfo"] & {
+  acl?: BucketAce[];
+};
+
+/**
+ * Coerce the less accurate `BucketInfo` type from the OpenAPI schema to a more accurate {@link BucketInfo}.
+ *
+ * @param b The bucket info received on the wire.
+ * @returns The exact same value coerced to the {@link BucketInfo} type.
+ */
+export function coerceBucketInfo(b: schemas["BucketInfo"]): BucketInfo {
+  return {
+    ...b,
+    // TODO: parse once we add Zod
+    acl: b.acl as BucketAce[],
+  };
+}

package/src/client/api_client.ts

@@ -54,7 +54,6 @@ import type {
   UpdatePolicyRequest,
   ListPoliciesResponse,
   PolicyType,
-  PolicyInfo,
   DiffieHellmanRequest,
   DiffieHellmanResponse,
   KeyInfoJwt,
@@ -67,8 +66,12 @@ import type {
   KeyAttestationQuery,
   RoleAttestationQuery,
   ErrorResponse,
+  ListBucketsResponse,
+  UpdateBucketRequest,
+  PolicyInfo,
 } from "../schema_types";
 import { encodeToBase64 } from "../util";
+import { auditLogEntrySchema } from "../audit_log";
 import {
   AddFidoChallenge,
   MfaFidoChallenge,
@@ -152,6 +155,9 @@ import {
   type GetUserByOidcResponse,
   type EmailTemplatePurpose,
   ErrResponse,
+  coerceBucketInfo,
+  coercePolicyInfo,
+  type BucketInfo,
 } from "../index";
 import { assertOk, op, type Op, type Operation, apiFetch } from "../fetch";
 import { BaseClient, type ClientConfig, signerSessionFromSessionInfo } from "./base_client";
@@ -560,7 +566,11 @@ export class ApiClient extends BaseClient {
     return Paginator.items(
       page ?? Page.default(),
       (query) => this.exec(o, { body, params: { query } }),
-      (r) => r.entries,
+      (r) =>
+        r.entries.flatMap((entry) => {
+          const result = auditLogEntrySchema.safeParse(entry);
+          return result.success ? [result.data] : [];
+        }),
       (r) => r.last_evaluated_key,
     );
   }
@@ -1525,14 +1535,14 @@ export class ApiClient extends BaseClient {
     acl?: JsonValue[],
   ): Promise<PolicyInfo> {
     const o = op("/v0/org/{org_id}/policies", "post");
-    return (await this.exec(o, {
+    return await this.exec(o, {
       body: {
         name,
         policy_type: type,
         rules,
         acl,
       },
-    })) as PolicyInfo;
+    }).then(coercePolicyInfo);
   }
 
   /**
@@ -1544,9 +1554,9 @@ export class ApiClient extends BaseClient {
    */
   async policyGet(policyId: string, version: policy.Version): Promise<PolicyInfo> {
     const o = op("/v0/org/{org_id}/policies/{policy_id}/{version}", "get");
-    return (await this.exec(o, {
+    return await this.exec(o, {
       params: { path: { policy_id: policyId, version } },
-    })) as PolicyInfo;
+    }).then(coercePolicyInfo);
   }
 
   /**
@@ -1583,17 +1593,13 @@ export class ApiClient extends BaseClient {
     mfaReceipt?: MfaReceipts,
   ): Promise<CubeSignerResponse<PolicyInfo>> {
     const o = op("/v0/org/{org_id}/policies/{policy_id}", "patch");
-    const signFn = async (headers?: HeadersInit) =>
+    const reqFn = async (headers?: HeadersInit) =>
       this.exec(o, {
         params: { path: { policy_id: policyId } },
         body: request,
         headers,
-      });
-    return (await CubeSignerResponse.create(
-      this.env,
-      signFn,
-      mfaReceipt,
-    )) as CubeSignerResponse<PolicyInfo>;
+      }).then((resp) => mapResponse(resp, coercePolicyInfo));
+    return await CubeSignerResponse.create(this.env, reqFn, mfaReceipt);
   }
 
   /**
@@ -1638,6 +1644,62 @@ export class ApiClient extends BaseClient {
 
   // #endregion
 
+  // #region BUCKET: bucket(Get|List|Update)
+
+  /**
+   * List available meta information about all policy buckets in the org.
+   *
+   * @param page Pagination options. Defaults to fetching the entire result set.
+   * @returns Paginator for iterating over policy buckets.
+   */
+  bucketsList(page?: PageOpts): Paginator<ListBucketsResponse, BucketInfo[]> {
+    const o = op("/v0/org/{org_id}/policy/buckets", "get");
+    return Paginator.items(
+      page ?? Page.default(),
+      (pageQuery) => this.exec(o, { params: { query: { ...pageQuery } } }),
+      (r) => r.buckets,
+      (r) => r.last_evaluated_key,
+    ) as Paginator<ListBucketsResponse, BucketInfo[]>;
+  }
+
+  /**
+   * Get the meta information of a policy KV store bucket.
+   *
+   * @param bucketName The name of the bucket to get
+   * @returns The bucket information
+   */
+  async bucketGet(bucketName: string): Promise<BucketInfo> {
+    const o = op("/v0/org/{org_id}/policy/buckets/{bucket_name}", "get");
+    return await this.exec(o, {
+      params: { path: { bucket_name: bucketName } },
+    }).then(coerceBucketInfo);
+  }
+
+  /**
+   * Set or update meta information for a policy KV store bucket.
+   *
+   * @param bucketName The name of the bucket to update.
+   * @param request The update request
+   * @param mfaReceipt Option MFA receipt(s)
+   * @returns The updated bucket information
+   */
+  async bucketUpdate(
+    bucketName: string,
+    request: UpdateBucketRequest,
+    mfaReceipt?: MfaReceipts,
+  ): Promise<CubeSignerResponse<BucketInfo>> {
+    const o = op("/v0/org/{org_id}/policy/buckets/{bucket_name}", "patch");
+    const reqFn = async (headers?: HeadersInit) =>
+      this.exec(o, {
+        params: { path: { bucket_name: bucketName } },
+        body: request,
+        headers,
+      }).then((resp) => mapResponse(resp, coerceBucketInfo));
+    return await CubeSignerResponse.create(this.env, reqFn, mfaReceipt);
+  }
+
+  // #endregion
+
   // #region WASM: wasm(PolicyUpload)
 
   /**

package/src/index.ts

@@ -34,6 +34,8 @@ export * from "./contact";
 export * from "./scopes";
 /** Policies */
 export * from "./policy";
+/** Buckets */
+export * from "./bucket";
 /** Access control */
 export * from "./acl";
 /** Utils */

package/src/policy.ts

@@ -10,15 +10,15 @@ import type {
   KeyPolicyRule,
   MfaReceipts,
   PolicyAttachedToId,
-  PolicyInfo,
   PolicyType,
   RolePolicy,
   RolePolicyRule,
   UpdatePolicyRequest,
   WasmRule,
-  Acl,
   AceAttribute,
   PolicyAction,
+  Ace,
+  PolicyInfo,
 } from ".";
 
 import { loadSubtleCrypto } from ".";
@@ -32,7 +32,7 @@ export type PolicyRule = KeyPolicyRule | RolePolicyRule | WasmRule;
  * A helper type for {@link PolicyInfo} with a more detailed `acl` type.
  */
 type NamedPolicyInfo = PolicyInfo & {
-  acl?: Acl<PolicyAction, PolicyCtx>;
+  acl?: PolicyAcl;
 };
 
 /**
@@ -67,7 +67,10 @@ export type C2FInfo = WasmPolicyInfo;
 export type Version = `v${number}` | `latest`;
 
 /** A policy access control entry. */
-export type PolicyAcl = Acl<PolicyAction, PolicyCtx>;
+export type PolicyAce = Ace<PolicyAction, PolicyCtx>;
+
+/** A policy access control list. */
+export type PolicyAcl = PolicyAce[];
 
 /** Additional contexts when using policies. */
 export type PolicyCtx = {
@@ -476,7 +479,7 @@ export class C2FFunction extends NamedPolicy {
     // upload the policy object
     const hash = await uploadWasmFunction(this.apiClient, policy);
 
-    // update this policy with the new policy verison.
+    // update this policy with the new policy version.
     const body: UpdatePolicyRequest = { rules: [{ hash }] };
     this.data = (await this.update(body, mfaReceipt)) as C2FInfo;
   }