@cubist-labs/cubesigner-sdk 0.4.254 → 0.4.260

package/package.json

@@ -5,7 +5,7 @@
     "url": "git+https://github.com/cubist-labs/CubeSigner-TypeScript-SDK.git",
     "directory": "packages/sdk"
   },
-  "version": "0.4.254",
+  "version": "0.4.260",
   "description": "CubeSigner TypeScript SDK",
   "license": "MIT OR Apache-2.0",
   "author": "Cubist, Inc.",

package/src/client/api_client.ts

@@ -50,6 +50,7 @@ import type {
   Empty,
   UserOrgsResponse,
   CreateKeyImportKeyResponse,
+  CreatePolicyImportKeyResponse,
   ImportKeyRequest,
   UpdatePolicyRequest,
   ListPoliciesResponse,
@@ -147,6 +148,7 @@ import {
   type InvokePolicyRequest,
   type PolicySecretsInfo,
   type SetPolicySecretRequest,
+  type UpdatePolicySecretsRequest,
   type UploadWasmPolicyRequest,
   type UploadWasmPolicyResponse,
   type LoginRequest,
@@ -535,12 +537,16 @@ export class ApiClient extends BaseClient {
    * Update the org.
    *
    * @param request The JSON request to send to the API server.
+   * @param mfaReceipt Optional MFA receipt(s)
    * @returns Updated org information.
    */
-  async orgUpdate(request: UpdateOrgRequest): Promise<UpdateOrgResponse> {
+  async orgUpdate(
+    request: UpdateOrgRequest,
+    mfaReceipt?: MfaReceipts,
+  ): Promise<CubeSignerResponse<UpdateOrgResponse>> {
     const o = op("/v0/org/{org_id}", "patch");
-
-    return this.exec(o, { body: request });
+    const reqFn = (headers?: HeadersInit) => this.exec(o, { body: request, headers });
+    return await CubeSignerResponse.create(this.env, reqFn, mfaReceipt);
   }
 
   /**
@@ -1540,7 +1546,17 @@ export class ApiClient extends BaseClient {
 
   // #endregion
 
-  // #region POLICY: policy(Create|Get|List|Update|Delete|Invoke), policySecret(Set|Delete), policySecretsGet
+  // #region POLICY: policyImportKeyCreate, policy(Create|Get|List|Update|Delete|Invoke), policySecret(Set|Delete), policySecrets(Get|Update)
+
+  /**
+   * Request a fresh policy import key.
+   *
+   * @returns A fresh policy import key
+   */
+  async policyImportKeyCreate(): Promise<CreatePolicyImportKeyResponse> {
+    const o = op("/v0/org/{org_id}/policy/import_key", "get");
+    return await this.exec(o, {});
+  }
 
   /**
    * Create a new named policy.
@@ -1698,6 +1714,22 @@ export class ApiClient extends BaseClient {
     return this.exec(o, {});
   }
 
+  /**
+   * Update org-level policy secrets metadata (e.g., the edit policy).
+   *
+   * @param request The update request.
+   * @param mfaReceipt Optional MFA receipt(s).
+   * @returns The updated policy secrets info.
+   */
+  async policySecretsUpdate(
+    request: UpdatePolicySecretsRequest,
+    mfaReceipt?: MfaReceipts,
+  ): Promise<CubeSignerResponse<PolicySecretsInfo>> {
+    const o = op("/v0/org/{org_id}/policy/secrets", "patch");
+    const reqFn = async (headers?: HeadersInit) => this.exec(o, { body: request, headers });
+    return await CubeSignerResponse.create(this.env, reqFn, mfaReceipt);
+  }
+
   /**
    * Delete an org-level policy secret.
    *
@@ -3166,6 +3198,65 @@ export class ApiClient extends BaseClient {
     ).then(assertOk);
   }
 
+  /**
+   * Initiate login via Sign-in With Solana (SIWS).
+   *
+   * The response contains a challenge which must be answered (via {@link siwsLoginComplete})
+   * to obtain an OIDC token.
+   *
+   * @param env The environment to use
+   * @param orgId The org to login to
+   * @param body The request body
+   * @param headers Optional headers to set
+   * @returns The challenge that needs to be answered via {@link siwsLoginComplete}
+   */
+  static async siwsLoginInit(
+    env: EnvInterface,
+    orgId: string,
+    body: schemas["SiwsInitRequest"],
+    headers?: HeadersInit,
+  ): Promise<schemas["SiwsInitResponse"]> {
+    const o = op("/v0/org/{org_id}/oidc/siws", "post");
+    return await retryOn5XX(() =>
+      o({
+        baseUrl: env.SignerApiRoot,
+        params: { path: { org_id: orgId } },
+        body,
+        headers,
+      }),
+    ).then(assertOk);
+  }
+
+  /**
+   * Complete login via Sign-in With Solana (SIWS).
+   *
+   * The challenge returned by {@link siwsLoginInit} should be signed
+   * and submitted via this API call to obtain an OIDC token, which can
+   * then be used to log in via {@link oidcSessionCreate}.
+   *
+   * @param env The environment to use
+   * @param orgId The org to login to
+   * @param body The request body
+   * @param headers Optional headers to set
+   * @returns An OIDC token which can be used to log in via OIDC (see {@link oidcSessionCreate})
+   */
+  static async siwsLoginComplete(
+    env: EnvInterface,
+    orgId: string,
+    body: schemas["SiwsCompleteRequest"],
+    headers?: HeadersInit,
+  ): Promise<schemas["SiwsCompleteResponse"]> {
+    const o = op("/v0/org/{org_id}/oidc/siws", "patch");
+    return await retryOn5XX(() =>
+      o({
+        baseUrl: env.SignerApiRoot,
+        params: { path: { org_id: orgId } },
+        body,
+        headers,
+      }),
+    ).then(assertOk);
+  }
+
   /**
    * Initiate the login with passkey flow.
    *

package/src/key.ts

@@ -29,8 +29,7 @@ import type {
   DiffieHellmanResponse,
   KeyInfoJwt,
   KeyAttestationQuery,
-  BinanceApiProperties,
-  CoinbaseApiProperties,
+  KeyPropertiesPatch,
 } from "./schema_types";
 import type {
   ApiClient,
@@ -118,6 +117,10 @@ export enum P256 {
 export const Mnemonic = "Mnemonic" as const;
 export type Mnemonic = typeof Mnemonic;
 
+/** HmacSha256 key type */
+export const HmacSha256 = "HmacSha256" as const;
+export type HmacSha256 = typeof HmacSha256;
+
 /** Stark key type */
 export const Stark = "Stark" as const;
 export type Stark = typeof Stark;
@@ -127,12 +130,7 @@ export const BabyJubjub = "BabyJubjub" as const;
 export type BabyJubjub = typeof BabyJubjub;
 
 /** Key type */
-export type KeyType = Secp256k1 | Bls | Ed25519 | Mnemonic | Stark | P256 | BabyJubjub;
-
-/** The type representing all different kinds of key properties. */
-export type KeyPropertiesPatch =
-  | ({ kind: "BinanceApi" } & BinanceApiProperties)
-  | ({ kind: "CoinbaseApi" } & CoinbaseApiProperties);
+export type KeyType = Secp256k1 | Bls | Ed25519 | Mnemonic | HmacSha256 | Stark | P256 | BabyJubjub;
 
 /**
  * A representation of a signing key.
@@ -852,6 +850,8 @@ export function fromSchemaKeyType(ty: SchemaKeyType): KeyType {
       return Ed25519.CoinbaseApi;
     case "Stark":
       return Stark;
+    case "HmacSha256":
+      return HmacSha256;
     case "Mnemonic":
       return Mnemonic;
     case "P256CosmosAddr":

package/src/org.ts

@@ -29,6 +29,7 @@ import type {
   OrgExtData,
   AuditLogEntry,
   AuditLogRequest,
+  MfaReceipts,
 } from ".";
 import { Contact } from "./contact";
 import { C2FFunction, Key, MfaRequest, Role } from ".";
@@ -307,14 +308,26 @@ export class Org {
     return data.enabled;
   }
 
-  /** Enable the org. */
-  async enable() {
-    await this.update({ enabled: true });
+  /**
+   * Enable the org.
+   *
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
+   */
+  async enable(opts?: { mfaReceipt?: MfaReceipts }) {
+    return await this.update({ enabled: true }, opts?.mfaReceipt);
   }
 
-  /** Disable the org. */
-  async disable() {
-    await this.update({ enabled: false });
+  /**
+   * Disable the org.
+   *
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
+   */
+  async disable(opts?: { mfaReceipt?: MfaReceipts }) {
+    return await this.update({ enabled: false }, opts?.mfaReceipt);
   }
 
   /** @returns the policy for the org. */
@@ -333,10 +346,25 @@ export class Org {
    * Set the policy for the org.
    *
    * @param policy The new policy for the org.
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
    */
-  async setPolicy(policy: OrgPolicy[]) {
+  async setPolicy(policy: OrgPolicy[], opts?: { mfaReceipt?: MfaReceipts }) {
     const p = policy as unknown as Record<string, never>[];
-    await this.update({ policy: p });
+    return await this.update({ policy: p }, opts?.mfaReceipt);
+  }
+
+  /**
+   * Set the edit policy for the org.
+   *
+   * @param editPolicy The new edit policy for the org.
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
+   */
+  async setEditPolicy(editPolicy: EditPolicy, opts?: { mfaReceipt?: MfaReceipts }) {
+    return await this.update({ edit_policy: editPolicy }, opts?.mfaReceipt);
   }
 
   /**
@@ -346,9 +374,12 @@ export class Org {
    * It is analogous to how role policies apply to all sign requests performed by the corresponding role sessions.
    *
    * @param policy The new policy for the org.
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
    */
-  async setSignPolicy(policy: RolePolicy) {
-    await this.update({ sign_policy: policy });
+  async setSignPolicy(policy: RolePolicy, opts?: { mfaReceipt?: MfaReceipts }) {
+    return await this.update({ sign_policy: policy }, opts?.mfaReceipt);
   }
 
   /**
@@ -365,9 +396,12 @@ export class Org {
    * Update the organization's extended properties (uncommon features not used by most users).
    *
    * @param props The new properties.
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
    */
-  async setExtendedProperties(props: OrgExtProps) {
-    await this.update({ ext_props: props });
+  async setExtendedProperties(props: OrgExtProps, opts?: { mfaReceipt?: MfaReceipts }) {
+    return await this.update({ ext_props: props }, opts?.mfaReceipt);
   }
 
   /**
@@ -377,8 +411,14 @@ export class Org {
    * In other words, org admins can still assign unlimited number of keys to their alien users.
    *
    * @param alienKeyCountThreshold The new key count threshold.
-   */
-  async setAlienKeyCountThreshold(alienKeyCountThreshold: number) {
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
+   */
+  async setAlienKeyCountThreshold(
+    alienKeyCountThreshold: number,
+    opts?: { mfaReceipt?: MfaReceipts },
+  ) {
     const data = { ...((await this.getExtendedProperties()) ?? {}) };
 
     // erase the metadata that cannot be updated
@@ -388,29 +428,37 @@ export class Org {
     // update 'alien_key_count_threshold' and keep everything else the same
     data.alien_key_count_threshold = alienKeyCountThreshold;
 
-    await this.update({ ext_props: data });
+    return await this.update({ ext_props: data }, opts?.mfaReceipt);
   }
 
   /**
    * Set the notification endpoints for the org.
    *
    * @param notification_endpoints Endpoints.
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
    */
-  async setNotificationEndpoints(notification_endpoints: NotificationEndpointConfiguration[]) {
-    await this.update({
-      notification_endpoints,
-    });
+  async setNotificationEndpoints(
+    notification_endpoints: NotificationEndpointConfiguration[],
+    opts?: { mfaReceipt?: MfaReceipts },
+  ) {
+    return await this.update({ notification_endpoints }, opts?.mfaReceipt);
   }
 
   /**
    * Set required MFA types for actions implicitly requiring MFA (see {@link MfaProtectedAction}).
    *
    * @param allowed_mfa_types Assignment of MFA types to actions that implicitly require MFA.
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
    */
-  async setAllowedMfaTypes(allowed_mfa_types: Partial<Record<MfaProtectedAction, MfaType[]>>) {
-    await this.update({
-      allowed_mfa_types,
-    });
+  async setAllowedMfaTypes(
+    allowed_mfa_types: Partial<Record<MfaProtectedAction, MfaType[]>>,
+    opts?: { mfaReceipt?: MfaReceipts },
+  ) {
+    return await this.update({ allowed_mfa_types }, opts?.mfaReceipt);
   }
 
   /**
@@ -723,11 +771,17 @@ export class Org {
    * Note that this overwrites any existing configuration.
    *
    * @param configs Confidential Cloud Functions configuration.
-   */
-  async setC2FConfiguration(configs: C2FConfiguration) {
-    await this.update({
-      policy_engine_configuration: configs,
-    });
+   * @param opts Optional parameters
+   * @param opts.mfaReceipt Optional MFA receipts
+   * @returns Org info
+   */
+  async setC2FConfiguration(configs: C2FConfiguration, opts?: { mfaReceipt?: MfaReceipts }) {
+    return await this.update(
+      {
+        policy_engine_configuration: configs,
+      },
+      opts?.mfaReceipt,
+    );
   }
 
   /**

package/src/role.ts

@@ -484,8 +484,30 @@ export type NamedPolicyReference = {
   Reference: PolicyReference;
 };
 
+/** Explicit "permit" vs "deny" policy outcome, with or without a descriptive message. */
+export type Const = ConstOutcome | { outcome: ConstOutcome; message: string };
+
+/** Explicit "permit" vs "deny" policy outcome. */
+export type ConstOutcome = "Permit" | "Deny";
+
+/**
+ * A {@link https://github.com/google/cel-spec Common Expression Language}
+ * policy to evaluate against the following context:
+ *
+ * ```json
+ * {
+ *   "operation": OperationKind,
+ *   "identity": <UserOrRoleId>,
+ *   "body": <RequestBodyJson>
+ * }
+ * ```
+ */
+export type Cel = { Cel: string };
+
 /** Key policies that restrict the requests that the signing endpoints accept */
 export type KeyDenyPolicy =
+  | Const
+  | Cel
   | OperationAllowlist
   | TxReceiver
   | TxDeposit
@@ -508,6 +530,7 @@ export type KeyDenyPolicy =
   | PolicyAnd
   | PolicyOr
   | PolicyNot
+  | PolicyIte
   | NamedPolicyReference;
 
 /**
@@ -545,6 +568,30 @@ export type RolePolicy = RolePolicyRule[];
 
 export type RolePolicyRule = KeyDenyPolicy | PolicyReference;
 
+/** Conditional policy */
+export type Conditional = {
+  /** The condition to evaluate first. */
+  if: KeyDenyPolicy;
+
+  /** The policy to apply when the condition evaluates to 'Permit'. */
+  then: KeyDenyPolicy;
+};
+
+/** One or more conditional policies */
+export type Conditionals =
+  | Conditional
+  | {
+      conditionals: Conditional[];
+    };
+
+/** If-then-else policy */
+export type PolicyIte = {
+  IfThenElse: Conditionals & {
+    /** The policy to apply when none of the conditionals apply. */
+    else: KeyDenyPolicy;
+  };
+};
+
 export type PolicyAnd = {
   And: KeyDenyPolicy[];
 };