@deephaven-enterprise/auth-nodejs 1.20240723.107-alpha-auth-nodejs.23555

package/LICENSE.md

@@ -0,0 +1,136 @@
+Deephaven Data Labs is dedicated to developing Deephaven's software in the open
+and is making software available under the following licenses:
+
+- **Deephaven Open Source** is made available under the Apache 2.0 License
+- **Deephaven Community** is provided under a source-available license, the
+Deephaven Community License Agreement
+
+To request a commercial license for software or uses not covered by these
+licenses or to ask any license-related question, please contact us at:
+[license@deephaven.io](mailto:license@deephaven.io)
+
+
+# Deephaven Community License Agreement Version 1.0
+
+1. **ACCEPTANCE.** This Deephaven Community License Agreement is entered into by
+and between Deephaven Data Labs LLC, a Delaware Limited Liability Company, with
+an address of 2800 Niagara Lane North, Plymouth, MN 55447 ("Deephaven") and
+“You” (a) in your individual capacity, or (b) on behalf of your company if you
+are licensing the Software for a company for which or with which you work. By
+using the Software, You agree to all of the terms and conditions in this
+Deephaven Community License Agreement (the "Agreement").
+
+2. **THE SOFTWARE.** The "Software" means the version of the Deephaven Community
+Software provided to the original licensee with this Agreement. The Software may
+include third party owned code. Each third party module is subject to the terms
+of its respective license; the details of which can be found in the notices
+served at [https://github.com/deephaven/deephaven-core](https://github.com/deephaven/deephaven-core).
+Since licensees may contribute back to the Software as provided for in Section
+3(b), the Software may include any such contributions.
+
+3. **GRANT OF LICENSE.** Subject to the terms and conditions of this Agreement,
+Deephaven hereby grants You a royalty-free, worldwide, non-exclusive,
+non-transferable license to the Software (the "License"), subject, in all of the
+cases, to applicable laws and regulations, but not for the Prohibited Use (as
+provided for in Section 4), solely as follows:
+
+   - a. **Internal Use.** A license to use, copy, compile, and install the
+Software for Your internal use;
+
+   - b. **Derivative Works.** A license to (i) prepare, develop, compile, and test
+Derivative Works of the Software, (ii) use Your Derivative Works for Your
+internal use solely as expressly permitted in Section 3(a), and (iii) distribute
+Your Derivative Works back to Deephaven under a separate Deephaven Contributor
+Agreement for potential incorporation into the Software at Deephaven's sole
+discretion. A "Derivative Work" means any work that (A) is based on or derived
+from the Software including any modifications to the Software, or (B) meets the
+definition of derivative work under the United States Copyright Act of 1976, 17
+U.S.C. Section 101; and
+
+   - c. **Distribution and redistribution.** A license to distribute or
+redistribute the Software and Your Derivative Works, and copies of the Software
+and Your Derivative Works, to customers and other third parties for their use
+pursuant to this Agreement subject to the prohibitions in Section 4 and
+Agreement requirement as provided for in Section 5.
+
+4. **PROHIBITED USE.** Notwithstanding any provision of this Agreement to the
+contrary, the original licensee is prohibited from using, distributing, or
+deploying the Software or Derivative Works in such a way that a third party
+(including any recipient under Section 3(c)) can, directly or indirectly
+through the original licensee, its agents, its technology, or solutions made
+available to them, add, define, redefine, or modify the schema for any input
+tables (including source tables, or other input objects) that the Software or
+Derivative Works access. For clarification, every recipient of the Software or
+Derivative Works after the original licensee of the Software is prohibited from
+adding, defining, redefining, or modifying the schema for any input tables
+(including source tables, or other input objects) that the Software or
+Derivative Works access. This prohibition in no way affects the ability of a
+third party to add, define, redefine, or modify the schema of output tables
+(including output tables that are interim or derived). Further, this
+prohibition in no way affects the ability of a third party to add, define,
+redefine, or modify data (as opposed to schema), nor does it cause You to be
+limited in any capacity for Your internal use as permitted in Section 3(a). If
+You have any questions on this prohibition, please contact us at:
+[license@deephaven.io](mailto:license@deephaven.io)
+
+5. **AGREEMENT.** If You distribute the Software, whether directly, as a copy,
+or via Your Derivative Works you must provide recipients a copy of this
+Agreement (which will bind each recipient directly) and You must ensure that all
+copyright, patent, trademark, and attribution notices from the Software are
+retained.
+
+6. **AFFILIATES.** You may permit Your affiliates to exercise the License,
+provided that such exercise must be solely for Your benefit and/or the benefit
+of Your affiliate, and You shall be responsible for all acts and omissions of
+such affiliates in connection with such exercise of the License, including but
+not limited to breach of any terms of this Agreement.
+
+7. **SUBLICENSE.** The License is sublicensable only to Your third-party
+subcontractors and contractors performing services on Your or Your affiliates'
+behalf, subject to the terms and conditions of this Agreement. The License is
+not sublicensable to any other third party nor is it further sublicensable. You
+shall be responsible for all acts and omissions of such subcontractor and
+contractors in connection with such exercise of the sublicense, including but
+not limited to breach of any terms of this Agreement.
+
+8. **PATENTS.** Rights to use the Software do not give You any right to
+implement or use Deephaven's patents independently of the permitted use of the
+Software.
+
+9. **RESERVATION OF RIGHTS.** Deephaven reserves all rights not granted in this
+Agreement. You have no right to use Deephaven trade names, trademarks, service
+marks, or product names except as required for reasonable and customary use in
+describing the origin of the Software.
+
+10. **DISCLAIMER OF WARRANTY.** THE SOFTWARE IS LICENSED ON AN "AS IS" BASIS
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND. DEEPHAVEN DISCLAIMS ALL
+WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF
+TITLE, NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
+You are solely responsible for determining the appropriateness of using,
+distributing or redistributing the Software and Derivative Works and assume all
+risks associated with Your exercise of the License.
+
+11. **INDEMNIFICATION.** If You distribute or redistribute the Software or
+Derivative Works, You agree to defend on request, and indemnify, Deephaven and
+its affiliates, officers, directors, employees and agents from and against any
+and all losses, damages, liabilities, claims, costs and expenses (including
+reasonable attorney’s fees and expenses) incurred or arising from the
+exploitation of the Software or Derivative Works.
+
+12. **LIMITATION OF LIABILITY.** THE LICENSE IS GRANTED FOR NO FEE. IN NO EVENT
+AND UNDER NO LEGAL THEORY, WHETHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT, OR
+OTHERWISE, SHALL DEEPHAVEN BE LIABLE FOR ANY DAMAGES ARISING OUT OF OR AS A
+RESULT OF THIS AGREEMENT, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL,
+OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF
+GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR LOSS OR CORRUPTION
+OF DATA), EVEN IF DEEPHAVEN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+13. **TERMINATION.** The License will automatically terminate if You violate the
+use rights or prohibitions in this Agreement.
+
+14. **GOVERNING LAW.** This Agreement will be interpreted, construed and
+enforced in all respects in accordance with the laws of the State of Delaware,
+USA without reference to its choice of law rules to the contrary.
+
+
+# END OF AGREEMENT

package/README.md

@@ -0,0 +1,3 @@
+# @deephaven-enterprise/auth-nodejs
+
+Deephaven Enterprise Auth Utils for NodeJS

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export * from './keyPairUtils.js';
+export * from './types.js';
+export * from './loginUtils.js';

package/dist/index.js

@@ -0,0 +1,3 @@
+export * from './keyPairUtils.js';
+export * from './types.js';
+export * from './loginUtils.js';

package/dist/keyPairUtils.d.ts

@@ -0,0 +1,31 @@
+import type { Base64KeyPair, Base64Nonce, Base64PrivateKey, Base64PublicKey, Base64Signature, KeyPairType } from './types.js';
+import type { EnterpriseClient, LoginCredentials } from '@deephaven-enterprise/jsapi-types';
+/**
+ * Generate a base64 encoded asymmetric key pair using eliptic curve.
+ * @returns The base64 encoded public and private keys.
+ */
+export declare function generateBase64KeyPair(): Base64KeyPair;
+/**
+ * Prepend a sentinal value to a public key based on the given type. The
+ * sentinel is the uppercase type followed by a colon.
+ * @param type Keypair type.
+ * @param key Base64 encoded public key.
+ * @returns The key with the sentinel prepended.
+ */
+export declare function keyWithSentinel(type: KeyPairType, key: Base64PublicKey): string;
+/**
+ * Sign a nonce using a private key.
+ * @param nonce Base64 encoded nonce.
+ * @param privateKey Base64 encoded private key.
+ * @returns The base64 encoded signature.
+ */
+export declare function signWithPrivateKey(nonce: Base64Nonce, privateKey: Base64PrivateKey): Base64Signature;
+/**
+ * Upload a public key to a DHE server.
+ * @param dheClient The DHE client to use.
+ * @param dheCredentials The credentials to use for authentication.
+ * @param publicKey The base64 encoded public key.
+ * @param type The type of key pair.
+ * @returns The response from the server.
+ */
+export declare function uploadPublicKey(dheClient: EnterpriseClient, dheCredentials: LoginCredentials, publicKey: Base64PublicKey, type: KeyPairType): Promise<Response>;

package/dist/keyPairUtils.js

@@ -0,0 +1,85 @@
+import { generateKeyPairSync, sign } from 'node:crypto';
+/*
+ * Named curve to use for generating key pairs.
+ * Note that 'prime256v1' is synonymous with 'secp256r1'.
+ */
+const NAMED_CURVE = 'prime256v1';
+/**
+ * Generate a base64 encoded asymmetric key pair using eliptic curve.
+ * @returns The base64 encoded public and private keys.
+ */
+export function generateBase64KeyPair() {
+    const type = 'ec';
+    const { publicKey: publicKeyBuffer, privateKey: privateKeyBuffer } = generateKeyPairSync(type, {
+        namedCurve: NAMED_CURVE,
+        publicKeyEncoding: { type: 'spki', format: 'der' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+    });
+    const publicKey = publicKeyBuffer.toString('base64');
+    const privateKey = privateKeyBuffer.toString('base64');
+    return { type, publicKey, privateKey };
+}
+/**
+ * Prepend a sentinal value to a public key based on the given type. The
+ * sentinel is the uppercase type followed by a colon.
+ * @param type Keypair type.
+ * @param key Base64 encoded public key.
+ * @returns The key with the sentinel prepended.
+ */
+export function keyWithSentinel(type, key) {
+    const ucSentinel = `${type.toUpperCase()}:`;
+    // The 'EC:' sentinel just happens to be 3 characters long. This plays nice
+    // with Base64 encoding such that it doesn't matter whether we concatenate
+    // before or after encoding to Base64. If we ever support sentinels with
+    // lengths that are not multiples of 3, changing the order of concatenation vs
+    // encoding produces different results. Therefore, we are concatenating bytes
+    // and then encoding the combined value to Base64 to match the methodology
+    // expected by the server and to better future proof this function if we ever
+    // suport types other than 'ec'.
+    const sentinelBytes = Buffer.from(ucSentinel);
+    const keyBytes = Buffer.from(key, 'base64');
+    return Buffer.concat([sentinelBytes, keyBytes]).toString('base64');
+}
+/**
+ * Sign a nonce using a private key.
+ * @param nonce Base64 encoded nonce.
+ * @param privateKey Base64 encoded private key.
+ * @returns The base64 encoded signature.
+ */
+export function signWithPrivateKey(nonce, privateKey) {
+    const nonceBytes = Buffer.from(nonce, 'base64');
+    const privateKeyBytes = Buffer.from(privateKey, 'base64');
+    return sign('sha256', nonceBytes, {
+        key: privateKeyBytes,
+        format: 'der',
+        type: 'pkcs8',
+    }).toString('base64');
+}
+/**
+ * Upload a public key to a DHE server.
+ * @param dheClient The DHE client to use.
+ * @param dheCredentials The credentials to use for authentication.
+ * @param publicKey The base64 encoded public key.
+ * @param type The type of key pair.
+ * @returns The response from the server.
+ */
+export async function uploadPublicKey(dheClient, dheCredentials, publicKey, type) {
+    await dheClient.login(dheCredentials);
+    const { dbAclWriterHost, dbAclWriterPort } = await dheClient.getServerConfigValues();
+    const body = {
+        user: dheCredentials.username,
+        encodedStr: keyWithSentinel(type, publicKey),
+        algorithm: type.toUpperCase(),
+        comment: `Generated by vscode extension ${new Date().toISOString()}`,
+    };
+    return fetch(`https://${dbAclWriterHost}:${dbAclWriterPort}/acl/publickey`, {
+        method: 'POST',
+        headers: {
+            /* eslint-disable @typescript-eslint/naming-convention */
+            Authorization: await dheClient.createAuthToken('DbAclWriteServer'),
+            'Content-Type': 'application/json',
+            /* eslint-enable @typescript-eslint/naming-convention */
+        },
+        body: JSON.stringify(body),
+    });
+}

package/dist/loginUtils.d.ts

@@ -0,0 +1,16 @@
+import type { AuthenticatedClient, PasswordCredentials, KeyPairCredentials, UnauthenticatedClient } from './types.js';
+/**
+ * Authenticate a given client with username and password. Return the
+ * authenticated client.
+ * @param dheClient The DHE client to authenticate.
+ * @param credentials The user / password credentials to use for authentication.
+ * @returns The authenticated client.
+ */
+export declare function loginClientWithPassword(dheClient: UnauthenticatedClient, credentials: PasswordCredentials): Promise<AuthenticatedClient>;
+/**
+ * Authenticate a given client with a key pair. Return the authenticated client.
+ * @param dheClient The DHE client to authenticate.
+ * @param credentials The key pair credentials to use for authentication.
+ * @returns The authenticated client.
+ */
+export declare function loginClientWithKeyPair(dheClient: UnauthenticatedClient, credentials: KeyPairCredentials): Promise<AuthenticatedClient>;

package/dist/loginUtils.js

@@ -0,0 +1,44 @@
+// Have to use full path with extension in order to get type safety.
+// deephaven/web-client-ui/issues/2273 to address the underlying issue.
+import Log from '@deephaven/log/dist/Log.js';
+import { keyWithSentinel, signWithPrivateKey } from './keyPairUtils.js';
+const logger = Log.module('@deephaven-enterprise/auth-nodejs:loginUtils');
+/**
+ * Authenticate a given client with username and password. Return the
+ * authenticated client.
+ * @param dheClient The DHE client to authenticate.
+ * @param credentials The user / password credentials to use for authentication.
+ * @returns The authenticated client.
+ */
+export async function loginClientWithPassword(dheClient, credentials) {
+    logger.debug('Login with username / password:', credentials.username);
+    try {
+        await dheClient.login(credentials);
+    }
+    catch (err) {
+        logger.error('An error occurred when signing in with username / password', err);
+        throw err;
+    }
+    return dheClient;
+}
+/**
+ * Authenticate a given client with a key pair. Return the authenticated client.
+ * @param dheClient The DHE client to authenticate.
+ * @param credentials The key pair credentials to use for authentication.
+ * @returns The authenticated client.
+ */
+export async function loginClientWithKeyPair(dheClient, credentials) {
+    logger.debug('Login with private key:', credentials.username);
+    const { username, keyPair, operateAs = username } = credentials;
+    const { type, publicKey, privateKey } = keyPair;
+    try {
+        const { nonce } = await dheClient.getChallengeNonce();
+        const signedNonce = signWithPrivateKey(nonce, privateKey);
+        await dheClient.challengeResponse(signedNonce, keyWithSentinel(type, publicKey), username, operateAs);
+    }
+    catch (err) {
+        logger.error('An error occurred when signing in with public / private key', err);
+        throw err;
+    }
+    return dheClient;
+}

package/dist/types.d.ts

@@ -0,0 +1,41 @@
+import type { Brand } from '@deephaven/utils/dist/TypeUtils.js';
+import type { EnterpriseClient } from '@deephaven-enterprise/jsapi-types';
+export type AuthenticatedClient = Brand<'AuthenticatedClient', EnterpriseClient>;
+export type UnauthenticatedClient = Brand<'UnauthenticatedClient', EnterpriseClient>;
+export type Base64Nonce = Brand<'Base64Nonce', string>;
+export type Base64Signature = Brand<'Base64Signature', string>;
+export type Base64PrivateKey = Brand<'Base64PrivateKey', string>;
+export type Base64PublicKey = Brand<'Base64PublicKey', string>;
+export type KeyPairType = 'ec';
+export type Base64KeyPair = {
+    type: KeyPairType;
+    publicKey: Base64PublicKey;
+    privateKey: Base64PrivateKey;
+};
+export type Username = Brand<'Username', string>;
+export type OperateAsUsername = Brand<'OperateAsUsername', string>;
+export type PasswordCredentialsType = 'password';
+export type KeyPairCredentialsType = 'keyPair';
+export type PasswordCredentials = {
+    type: PasswordCredentialsType;
+    username: Username;
+    token: string;
+    operateAs?: OperateAsUsername;
+};
+export type KeyPairCredentials = {
+    type: KeyPairCredentialsType;
+    username: Username;
+    keyPair: Base64KeyPair;
+    operateAs?: OperateAsUsername;
+};
+/**
+ * Overrides of jsapi-types.
+ */
+declare module '@deephaven-enterprise/jsapi-types' {
+    interface EnterpriseClient {
+        getChallengeNonce(): Promise<{
+            algorithm: 'SHA256withDSA';
+            nonce: Base64Nonce;
+        }>;
+    }
+}

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@deephaven-enterprise/auth-nodejs",
+  "version": "1.20240723.107-alpha-auth-nodejs.23555+733874b7bf",
+  "description": "Deephaven Enterprise Auth Utils for NodeJS",
+  "author": "Deephaven Data Labs LLC",
+  "license": "SEE LICENSE IN LICENSE.md",
+  "type": "module",
+  "private": false,
+  "source": "src/index.ts",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "scripts": {
+    "build": "tsc --build"
+  },
+  "dependencies": {
+    "@deephaven-enterprise/jsapi-types": "^1.20240723.107-alpha-auth-nodejs.23555+733874b7bf",
+    "@deephaven/log": "^0.97.0",
+    "@deephaven/utils": "^0.97.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "gitHead": "733874b7bf600538bbef2641047b258dc03ef83a"
+}