@enterprisestandard/esv 0.0.5-beta.20260114.2 → 0.0.5-beta.20260114.3
- package/dist/runner.js +109 -65
- package/dist/runner.js.map +3 -3
- package/package.json +1 -1
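--- a/package/dist/runner.js
+++ b/package/dist/runner.js
@@ -9870,39 +9870,47 @@ function validateWorkloadConfig(config) {
 }
 }
 function workload(config) {
-validateWorkloadConfig(config);
 let configWithDefaults;
-if (
-configWithDefaults =
-...config,
-token_url: must(config.token_url, "Missing 'token_url' from Workload Config"),
-workload_id: must(config.workload_id, "Missing 'workload_id' from Workload Config"),
-audience: must(config.audience, "Missing 'audience' from Workload Config"),
-scope: config.scope ?? "",
-algorithm: config.algorithm ?? "RS256",
-token_lifetime: config.token_lifetime ?? 300,
-refresh_threshold: config.refresh_threshold ?? 60,
-auto_refresh: config.auto_refresh !== undefined ? config.auto_refresh : true,
-token_store: config.token_store ?? new InMemoryWorkloadTokenStore
-};
-} else if (isClientCredentialsConfig(config)) {
-configWithDefaults = {
-...config,
-token_url: must(config.token_url, "Missing 'token_url' from Workload Config"),
-client_id: must(config.client_id, "Missing 'client_id' from Workload Config"),
-client_secret: must(config.client_secret, "Missing 'client_secret' from Workload Config"),
-scope: config.scope ?? "",
-token_lifetime: config.token_lifetime ?? 300,
-refresh_threshold: config.refresh_threshold ?? 60,
-auto_refresh: config.auto_refresh !== undefined ? config.auto_refresh : true,
-token_store: config.token_store ?? new InMemoryWorkloadTokenStore
-};
+if (!config) {
+configWithDefaults = undefined;
 } else {
-
+try {
+validateWorkloadConfig(config);
+if (isJwtBearerConfig(config)) {
+configWithDefaults = {
+...config,
+token_url: must(config.token_url, "Missing 'token_url' from Workload Config"),
+workload_id: must(config.workload_id, "Missing 'workload_id' from Workload Config"),
+audience: must(config.audience, "Missing 'audience' from Workload Config"),
+scope: config.scope ?? "",
+algorithm: config.algorithm ?? "RS256",
+token_lifetime: config.token_lifetime ?? 300,
+refresh_threshold: config.refresh_threshold ?? 60,
+auto_refresh: config.auto_refresh !== undefined ? config.auto_refresh : true,
+token_store: config.token_store ?? new InMemoryWorkloadTokenStore
+};
+} else if (isClientCredentialsConfig(config)) {
+configWithDefaults = {
+...config,
+token_url: must(config.token_url, "Missing 'token_url' from Workload Config"),
+client_id: must(config.client_id, "Missing 'client_id' from Workload Config"),
+client_secret: must(config.client_secret, "Missing 'client_secret' from Workload Config"),
+scope: config.scope ?? "",
+token_lifetime: config.token_lifetime ?? 300,
+refresh_threshold: config.refresh_threshold ?? 60,
+auto_refresh: config.auto_refresh !== undefined ? config.auto_refresh : true,
+token_store: config.token_store ?? new InMemoryWorkloadTokenStore
+};
+} else {
+configWithDefaults = config;
+}
+} catch {
+configWithDefaults = undefined;
+}
 }
 const initialized = true;
 function ensureInitialized() {
-if (!initialized) {
+if (!initialized || !configWithDefaults) {
 throw new Error("Enterprise Standard Workload Manager not initialized");
 }
 }
@@ -9972,8 +9980,10 @@ function workload(config) {
 throw lastError;
 }
 async function generateJWTAssertion(scope) {
-
-
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
+if (!isJwtBearerConfig(configWithDefaults)) {
 throw new Error("generateJWTAssertion is only available in JWT Bearer Grant mode");
 }
 const cfg = configWithDefaults;
@@ -9999,6 +10009,9 @@ function workload(config) {
 return `${signatureInput}.${signature}`;
 }
 async function acquireTokenJwtBearer(scope, validation) {
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
 const cfg = configWithDefaults;
 return retryWithBackoff(async () => {
 const tokenUrl = cfg.token_url;
@@ -10044,6 +10057,9 @@ function workload(config) {
 });
 }
 async function acquireTokenClientCredentials(scope, validation) {
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
 const cfg = configWithDefaults;
 return retryWithBackoff(async () => {
 const tokenUrl = cfg.token_url;
@@ -10089,8 +10105,10 @@ function workload(config) {
 });
 }
 async function getToken(scope) {
-
-
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
+if (isServerOnlyConfig(configWithDefaults)) {
 throw new Error("Cannot acquire tokens: Workload is configured in server-only mode (validation only). " + "To acquire tokens, configure client_id + client_secret for OAuth2 Client Credentials, " + "or workload_id + private_key for JWT Bearer Grant.");
 }
 if (!configWithDefaults.token_url) {
@@ -10126,7 +10144,7 @@ function workload(config) {
 }
 if (cfg.auto_refresh) {
 try {
-const newToken = isJwtBearerConfig(
+const newToken = isJwtBearerConfig(configWithDefaults) ? await acquireTokenJwtBearer(requestedScope) : await acquireTokenClientCredentials(requestedScope);
 return newToken.access_token;
 } catch (error) {
 if (now < expiresAt) {
@@ -10138,35 +10156,39 @@ function workload(config) {
 }
 }
 }
-const tokenResponse = isJwtBearerConfig(
+const tokenResponse = isJwtBearerConfig(configWithDefaults) ? await acquireTokenJwtBearer(requestedScope) : await acquireTokenClientCredentials(requestedScope);
 return tokenResponse.access_token;
 }
 async function refreshToken() {
-
-
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
+if (isServerOnlyConfig(configWithDefaults)) {
 throw new Error("Cannot refresh tokens: Workload is configured in server-only mode (validation only).");
 }
 const cfg = configWithDefaults;
 return isJwtBearerConfig(cfg) ? await acquireTokenJwtBearer(cfg.scope) : await acquireTokenClientCredentials(cfg.scope);
 }
 async function revokeToken(token) {
-
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
 try {
-if (!
+if (!configWithDefaults.revocation_endpoint) {
 return;
 }
 const body = new URLSearchParams;
 body.append("token", token);
 body.append("token_type_hint", "access_token");
-if (isJwtBearerConfig(
+if (isJwtBearerConfig(configWithDefaults)) {
 const cfg = configWithDefaults;
 body.append("client_id", cfg.workload_id);
-} else if (isClientCredentialsConfig(
+} else if (isClientCredentialsConfig(configWithDefaults)) {
 const cfg = configWithDefaults;
 body.append("client_id", cfg.client_id);
 body.append("client_secret", cfg.client_secret);
 }
-const response = await fetch(
+const response = await fetch(configWithDefaults.revocation_endpoint, {
 method: "POST",
 headers: {
 "Content-Type": "application/x-www-form-urlencoded"
@@ -10178,24 +10200,26 @@ function workload(config) {
 } else {
 console.log("Token revoked successfully");
 }
-if (
+if (configWithDefaults.token_store) {
 let cacheKey;
-if (isJwtBearerConfig(
+if (isJwtBearerConfig(configWithDefaults)) {
 cacheKey = configWithDefaults.workload_id;
-} else if (isClientCredentialsConfig(
+} else if (isClientCredentialsConfig(configWithDefaults)) {
 cacheKey = configWithDefaults.client_id;
 } else {
 return;
 }
-await
+await configWithDefaults.token_store.delete(cacheKey);
 }
 } catch (error) {
 console.warn("Error revoking token:", error);
 }
 }
 async function fetchJwks() {
-
-
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
+const url2 = configWithDefaults.jwks_uri;
 if (!url2) {
 throw new Error("Cannot validate tokens: Missing jwks_uri in WorkloadConfig. " + "Server role requires jwks_uri to be configured in vault to fetch public keys for token validation.");
 }
@@ -10212,16 +10236,21 @@ function workload(config) {
 });
 }
 async function getPublicKey(kid) {
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
 const jwks = await fetchJwks();
 const key = jwks.keys.find((k) => k.kid === kid);
 if (!key)
 throw new Error("Public key not found");
-const defaultAlg = isJwtBearerConfig(
+const defaultAlg = isJwtBearerConfig(configWithDefaults) ? configWithDefaults.algorithm : "RS256";
 const algorithmParams = getAlgorithmParams(key.alg || defaultAlg);
 return crypto.subtle.importKey("jwk", key, algorithmParams, false, ["verify"]);
 }
 async function parseJWT(token, validation) {
-
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
 try {
 const parts = token.split(".");
 if (parts.length !== 3)
@@ -10250,26 +10279,28 @@ function workload(config) {
 }
 }
 async function validateToken(token, validation) {
-
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
 try {
 const claims = await parseJWT(token, validation);
 const now = Math.floor(Date.now() / 1000);
 if (claims.exp && claims.exp < now) {
 return { valid: false, error: "Token expired" };
 }
-if (isJwtBearerConfig(
-if (
+if (isJwtBearerConfig(configWithDefaults)) {
+if (configWithDefaults.audience && claims.aud !== configWithDefaults.audience) {
 return { valid: false, error: "Invalid audience" };
 }
-} else if (isClientCredentialsConfig(
-if (
+} else if (isClientCredentialsConfig(configWithDefaults)) {
+if (configWithDefaults.issuer && claims.iss !== configWithDefaults.issuer) {
 return { valid: false, error: "Invalid issuer" };
 }
-if (
+if (configWithDefaults.audience && claims.aud !== configWithDefaults.audience) {
 return { valid: false, error: "Invalid audience" };
 }
 } else {
-const serverConfig =
+const serverConfig = configWithDefaults;
 if (serverConfig.issuer && claims.iss !== serverConfig.issuer) {
 return { valid: false, error: "Invalid issuer" };
 }
@@ -10287,8 +10318,10 @@ function workload(config) {
 }
 }
 async function getWorkload(request) {
-
-
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
+if (!configWithDefaults.jwks_uri) {
 throw new Error("Cannot validate tokens: Missing jwks_uri in WorkloadConfig. " + "Server role requires jwks_uri to be configured in vault to fetch public keys for token validation.");
 }
 const authHeader = request.headers.get("Authorization");
@@ -10308,7 +10341,9 @@ function workload(config) {
 };
 }
 async function handler(request) {
-
+if (!configWithDefaults) {
+throw new Error("Enterprise Standard Workload Manager not initialized");
+}
 const tokenUrl = configWithDefaults.tokenUrl;
 const validateUrl = configWithDefaults.validateUrl;
 const jwksUrl = configWithDefaults.jwksUrl;
@@ -10353,7 +10388,7 @@ function workload(config) {
 return new Response("Not Found", { status: 404 });
 }
 return {
-...configWithDefaults,
+...configWithDefaults ?? {},
 getToken,
 refreshToken,
 generateJWTAssertion,
@@ -10608,10 +10643,19 @@ async function enterpriseStandard(appId, initConfig) {
 token: vaultToken
 };
 } else if (!vaultUrl || !vaultToken || !vaultPath) {
-
-
-
-For development, login with the ionite CLI using "${cmd}" or visit ${ioniteUrl}/api/applications/apiKeys/create?appId=${appId}
+let msg = "@enterprisestandard configuration missing.";
+if (true) {
+const cmd = `${process.versions.bun ? "bun" : "npm"} ionite login --app ${appId}`;
+console.warn(`${msg} For development, login with the ionite CLI using "${cmd}" or visit ${ioniteUrl}/api/applications/apiKeys/create?appId=${appId}.`);
+const wl = workload(undefined);
+return {
+defaultInstance: false,
+vault: vault(""),
+sso: sso(undefined),
+iam: iam({}, wl),
+workload: wl
+};
+} else {}
 }
 const defaultInstance2 = getDefaultInstance();
 const vaultClient = vault(vaultUrl);
@@ -10907,4 +10951,4 @@ if (__require.main == __require.module) {
 main();
 }
 
-//# debugId=
+//# debugId=88527F59BCF7DC7364756E2164756E21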
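Review bot: The bare `catch { configWithDefaults = undefined; }` added in `workload()` discards whatever `validateWorkloadConfig` or `must(...)` threw, so a config that is present but invalid (for example a missing `client_secret`) becomes indistinguishable from no config and only surfaces later as the generic "Enterprise Standard Workload Manager not initialized". I would keep the cause by binding the error and logging it before clearing the variable, e.g. `} catch (error) {` followed by `console.warn("Workload config rejected:", error instanceof Error ? error.message : error);`; the `must` messages visible here name fields only, not their values. In the `enterpriseStandard` hunk, the `if (true) { … } else {}` branch now returns stub `vault("")`, `sso(undefined)` and `iam({}, wl)` whenever the vault settings are missing; the removed lines are truncated on this page, but if that path previously threw and the `true` is a build-time-inlined development flag, a deployment with missing secrets would start with a warning rather than fail at startup, which deserves an explicit comment or a production guard. Both functions extend beyond the hunks shown.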