@kustodian/plugin-authelia 1.0.0 → 2.0.1

package/dist/plugin.d.ts

@@ -0,0 +1,11 @@
+import type { KustodianPluginType } from '@kustodian/plugins';
+/**
+ * Creates the Authelia plugin.
+ */
+export declare function create_authelia_plugin(options?: Record<string, unknown>): KustodianPluginType;
+/**
+ * Default plugin export.
+ */
+export declare const plugin: KustodianPluginType;
+export default plugin;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAKV,mBAAmB,EAIpB,MAAM,oBAAoB,CAAC;AA4G5B;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,mBAAmB,CAkPjG;AAED;;GAEG;AACH,eAAO,MAAM,MAAM,qBAA2B,CAAC;AAE/C,eAAe,MAAM,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,442 @@
+import { z } from 'zod';
+/**
+ * Authelia access control policy types
+ */
+export declare const authelia_policy_schema: z.ZodEnum<["bypass", "one_factor", "two_factor", "deny"]>;
+export type AutheliaPolicyType = z.infer<typeof authelia_policy_schema>;
+/**
+ * Authelia PKCE challenge method
+ */
+export declare const pkce_challenge_method_schema: z.ZodEnum<["plain", "S256"]>;
+export type PKCEChallengeMethodType = z.infer<typeof pkce_challenge_method_schema>;
+/**
+ * Authelia token endpoint auth method
+ */
+export declare const token_endpoint_auth_method_schema: z.ZodEnum<["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"]>;
+export type TokenEndpointAuthMethodType = z.infer<typeof token_endpoint_auth_method_schema>;
+/**
+ * Authelia consent mode
+ */
+export declare const consent_mode_schema: z.ZodEnum<["explicit", "implicit", "pre-configured"]>;
+export type ConsentModeType = z.infer<typeof consent_mode_schema>;
+/**
+ * Authentication provider types supported by the plugin
+ */
+export declare const auth_provider_schema: z.ZodEnum<["oidc", "proxy", "header"]>;
+export type AuthProviderType = z.infer<typeof auth_provider_schema>;
+/**
+ * OIDC client configuration for Authelia
+ */
+export declare const oidc_client_config_schema: z.ZodObject<{
+    /** Unique client identifier */
+    client_id: z.ZodString;
+    /** Display name for the client */
+    client_name: z.ZodOptional<z.ZodString>;
+    /** Client secret (will be hashed) */
+    client_secret: z.ZodOptional<z.ZodString>;
+    /** Whether this is a public client (no secret) */
+    public: z.ZodDefault<z.ZodBoolean>;
+    /** Authorization policy (default: two_factor) */
+    authorization_policy: z.ZodDefault<z.ZodEnum<["bypass", "one_factor", "two_factor", "deny"]>>;
+    /** Require PKCE for authorization code flow */
+    require_pkce: z.ZodDefault<z.ZodBoolean>;
+    /** PKCE challenge method */
+    pkce_challenge_method: z.ZodDefault<z.ZodEnum<["plain", "S256"]>>;
+    /** Redirect URIs for OAuth callbacks */
+    redirect_uris: z.ZodArray<z.ZodString, "many">;
+    /** Scopes to grant (default: openid, profile, email, groups) */
+    scopes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** Response types (default: code) */
+    response_types: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** Grant types (default: authorization_code) */
+    grant_types: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** Token endpoint authentication method */
+    token_endpoint_auth_method: z.ZodDefault<z.ZodEnum<["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"]>>;
+    /** Consent mode */
+    consent_mode: z.ZodOptional<z.ZodEnum<["explicit", "implicit", "pre-configured"]>>;
+    /** Pre-configured consent duration (e.g., '1 week') */
+    pre_configured_consent_duration: z.ZodOptional<z.ZodString>;
+    /** Audience for the client */
+    audience: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** Additional Authelia client options */
+    additional_options: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    client_id: string;
+    public: boolean;
+    authorization_policy: "bypass" | "one_factor" | "two_factor" | "deny";
+    require_pkce: boolean;
+    pkce_challenge_method: "plain" | "S256";
+    redirect_uris: string[];
+    scopes: string[];
+    response_types: string[];
+    grant_types: string[];
+    token_endpoint_auth_method: "client_secret_basic" | "client_secret_post" | "client_secret_jwt" | "private_key_jwt" | "none";
+    client_name?: string | undefined;
+    client_secret?: string | undefined;
+    consent_mode?: "explicit" | "implicit" | "pre-configured" | undefined;
+    pre_configured_consent_duration?: string | undefined;
+    audience?: string[] | undefined;
+    additional_options?: Record<string, unknown> | undefined;
+}, {
+    client_id: string;
+    redirect_uris: string[];
+    client_name?: string | undefined;
+    client_secret?: string | undefined;
+    public?: boolean | undefined;
+    authorization_policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+    require_pkce?: boolean | undefined;
+    pkce_challenge_method?: "plain" | "S256" | undefined;
+    scopes?: string[] | undefined;
+    response_types?: string[] | undefined;
+    grant_types?: string[] | undefined;
+    token_endpoint_auth_method?: "client_secret_basic" | "client_secret_post" | "client_secret_jwt" | "private_key_jwt" | "none" | undefined;
+    consent_mode?: "explicit" | "implicit" | "pre-configured" | undefined;
+    pre_configured_consent_duration?: string | undefined;
+    audience?: string[] | undefined;
+    additional_options?: Record<string, unknown> | undefined;
+}>;
+export type OIDCClientConfigType = z.infer<typeof oidc_client_config_schema>;
+/**
+ * Access control rule configuration for Authelia
+ */
+export declare const access_control_rule_schema: z.ZodObject<{
+    /** Domain(s) to match */
+    domain: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>;
+    /** Domain regex pattern (alternative to domain) */
+    domain_regex: z.ZodOptional<z.ZodString>;
+    /** Policy to apply */
+    policy: z.ZodEnum<["bypass", "one_factor", "two_factor", "deny"]>;
+    /** Networks to match */
+    networks: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** Subject(s) to match (users/groups) */
+    subject: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">, z.ZodArray<z.ZodArray<z.ZodString, "many">, "many">]>>;
+    /** HTTP methods to match */
+    methods: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** Resource patterns to match */
+    resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** Query parameter conditions */
+    query: z.ZodOptional<z.ZodArray<z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>, "many">, "many">>;
+}, "strip", z.ZodTypeAny, {
+    domain: string | string[];
+    policy: "bypass" | "one_factor" | "two_factor" | "deny";
+    domain_regex?: string | undefined;
+    networks?: string[] | undefined;
+    subject?: string | string[] | string[][] | undefined;
+    methods?: string[] | undefined;
+    resources?: string[] | undefined;
+    query?: Record<string, unknown>[][] | undefined;
+}, {
+    domain: string | string[];
+    policy: "bypass" | "one_factor" | "two_factor" | "deny";
+    domain_regex?: string | undefined;
+    networks?: string[] | undefined;
+    subject?: string | string[] | string[][] | undefined;
+    methods?: string[] | undefined;
+    resources?: string[] | undefined;
+    query?: Record<string, unknown>[][] | undefined;
+}>;
+export type AccessControlRuleType = z.infer<typeof access_control_rule_schema>;
+/**
+ * Proxy/Forward Auth configuration
+ */
+export declare const proxy_auth_config_schema: z.ZodObject<{
+    /** External host for the application */
+    external_host: z.ZodString;
+    /** Internal service host */
+    internal_host: z.ZodString;
+    /** Paths to skip authentication */
+    skip_path_regex: z.ZodOptional<z.ZodString>;
+    /** Access control policy */
+    policy: z.ZodDefault<z.ZodEnum<["bypass", "one_factor", "two_factor", "deny"]>>;
+    /** Allowed networks */
+    networks: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** Allowed subjects (users/groups) */
+    subject: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>;
+}, "strip", z.ZodTypeAny, {
+    policy: "bypass" | "one_factor" | "two_factor" | "deny";
+    external_host: string;
+    internal_host: string;
+    networks?: string[] | undefined;
+    subject?: string | string[] | undefined;
+    skip_path_regex?: string | undefined;
+}, {
+    external_host: string;
+    internal_host: string;
+    policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+    networks?: string[] | undefined;
+    subject?: string | string[] | undefined;
+    skip_path_regex?: string | undefined;
+}>;
+export type ProxyAuthConfigType = z.infer<typeof proxy_auth_config_schema>;
+/**
+ * Authentication configuration in template kustomizations
+ */
+export declare const auth_config_schema: z.ZodObject<{
+    /** Authentication provider type */
+    provider: z.ZodEnum<["oidc", "proxy", "header"]>;
+    /** Application name (used as client_id for OIDC) */
+    app_name: z.ZodString;
+    /** Display name for the application */
+    app_display_name: z.ZodOptional<z.ZodString>;
+    /** Application description */
+    app_description: z.ZodOptional<z.ZodString>;
+    /** Application icon URL */
+    app_icon: z.ZodOptional<z.ZodString>;
+    /** Application group/category */
+    app_group: z.ZodOptional<z.ZodString>;
+    /** Application launch URL */
+    app_launch_url: z.ZodOptional<z.ZodString>;
+    /** External host (for proxy/access control) */
+    external_host: z.ZodOptional<z.ZodString>;
+    /** Internal service host (for proxy) */
+    internal_host: z.ZodOptional<z.ZodString>;
+    /** OIDC-specific configuration */
+    oidc: z.ZodOptional<z.ZodObject<{
+        client_id: z.ZodOptional<z.ZodString>;
+        client_name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+        client_secret: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+        public: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
+        authorization_policy: z.ZodOptional<z.ZodDefault<z.ZodEnum<["bypass", "one_factor", "two_factor", "deny"]>>>;
+        require_pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
+        pkce_challenge_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<["plain", "S256"]>>>;
+        redirect_uris: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        scopes: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString, "many">>>;
+        response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString, "many">>>;
+        grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodString, "many">>>;
+        token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"]>>>;
+        consent_mode: z.ZodOptional<z.ZodOptional<z.ZodEnum<["explicit", "implicit", "pre-configured"]>>>;
+        pre_configured_consent_duration: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+        audience: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        additional_options: z.ZodOptional<z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
+    }, "strip", z.ZodTypeAny, {
+        client_id?: string | undefined;
+        client_name?: string | undefined;
+        client_secret?: string | undefined;
+        public?: boolean | undefined;
+        authorization_policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+        require_pkce?: boolean | undefined;
+        pkce_challenge_method?: "plain" | "S256" | undefined;
+        redirect_uris?: string[] | undefined;
+        scopes?: string[] | undefined;
+        response_types?: string[] | undefined;
+        grant_types?: string[] | undefined;
+        token_endpoint_auth_method?: "client_secret_basic" | "client_secret_post" | "client_secret_jwt" | "private_key_jwt" | "none" | undefined;
+        consent_mode?: "explicit" | "implicit" | "pre-configured" | undefined;
+        pre_configured_consent_duration?: string | undefined;
+        audience?: string[] | undefined;
+        additional_options?: Record<string, unknown> | undefined;
+    }, {
+        client_id?: string | undefined;
+        client_name?: string | undefined;
+        client_secret?: string | undefined;
+        public?: boolean | undefined;
+        authorization_policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+        require_pkce?: boolean | undefined;
+        pkce_challenge_method?: "plain" | "S256" | undefined;
+        redirect_uris?: string[] | undefined;
+        scopes?: string[] | undefined;
+        response_types?: string[] | undefined;
+        grant_types?: string[] | undefined;
+        token_endpoint_auth_method?: "client_secret_basic" | "client_secret_post" | "client_secret_jwt" | "private_key_jwt" | "none" | undefined;
+        consent_mode?: "explicit" | "implicit" | "pre-configured" | undefined;
+        pre_configured_consent_duration?: string | undefined;
+        audience?: string[] | undefined;
+        additional_options?: Record<string, unknown> | undefined;
+    }>>;
+    /** Proxy-specific configuration */
+    proxy: z.ZodOptional<z.ZodObject<{
+        external_host: z.ZodOptional<z.ZodString>;
+        internal_host: z.ZodOptional<z.ZodString>;
+        skip_path_regex: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+        policy: z.ZodOptional<z.ZodDefault<z.ZodEnum<["bypass", "one_factor", "two_factor", "deny"]>>>;
+        networks: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+        subject: z.ZodOptional<z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>>;
+    }, "strip", z.ZodTypeAny, {
+        policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+        networks?: string[] | undefined;
+        subject?: string | string[] | undefined;
+        external_host?: string | undefined;
+        internal_host?: string | undefined;
+        skip_path_regex?: string | undefined;
+    }, {
+        policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+        networks?: string[] | undefined;
+        subject?: string | string[] | undefined;
+        external_host?: string | undefined;
+        internal_host?: string | undefined;
+        skip_path_regex?: string | undefined;
+    }>>;
+    /** Custom access control rules */
+    access_control: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        /** Domain(s) to match */
+        domain: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>;
+        /** Domain regex pattern (alternative to domain) */
+        domain_regex: z.ZodOptional<z.ZodString>;
+        /** Policy to apply */
+        policy: z.ZodEnum<["bypass", "one_factor", "two_factor", "deny"]>;
+        /** Networks to match */
+        networks: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        /** Subject(s) to match (users/groups) */
+        subject: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">, z.ZodArray<z.ZodArray<z.ZodString, "many">, "many">]>>;
+        /** HTTP methods to match */
+        methods: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        /** Resource patterns to match */
+        resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        /** Query parameter conditions */
+        query: z.ZodOptional<z.ZodArray<z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>, "many">, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        domain: string | string[];
+        policy: "bypass" | "one_factor" | "two_factor" | "deny";
+        domain_regex?: string | undefined;
+        networks?: string[] | undefined;
+        subject?: string | string[] | string[][] | undefined;
+        methods?: string[] | undefined;
+        resources?: string[] | undefined;
+        query?: Record<string, unknown>[][] | undefined;
+    }, {
+        domain: string | string[];
+        policy: "bypass" | "one_factor" | "two_factor" | "deny";
+        domain_regex?: string | undefined;
+        networks?: string[] | undefined;
+        subject?: string | string[] | string[][] | undefined;
+        methods?: string[] | undefined;
+        resources?: string[] | undefined;
+        query?: Record<string, unknown>[][] | undefined;
+    }>, "many">>;
+}, "strip", z.ZodTypeAny, {
+    provider: "oidc" | "proxy" | "header";
+    app_name: string;
+    oidc?: {
+        client_id?: string | undefined;
+        client_name?: string | undefined;
+        client_secret?: string | undefined;
+        public?: boolean | undefined;
+        authorization_policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+        require_pkce?: boolean | undefined;
+        pkce_challenge_method?: "plain" | "S256" | undefined;
+        redirect_uris?: string[] | undefined;
+        scopes?: string[] | undefined;
+        response_types?: string[] | undefined;
+        grant_types?: string[] | undefined;
+        token_endpoint_auth_method?: "client_secret_basic" | "client_secret_post" | "client_secret_jwt" | "private_key_jwt" | "none" | undefined;
+        consent_mode?: "explicit" | "implicit" | "pre-configured" | undefined;
+        pre_configured_consent_duration?: string | undefined;
+        audience?: string[] | undefined;
+        additional_options?: Record<string, unknown> | undefined;
+    } | undefined;
+    proxy?: {
+        policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+        networks?: string[] | undefined;
+        subject?: string | string[] | undefined;
+        external_host?: string | undefined;
+        internal_host?: string | undefined;
+        skip_path_regex?: string | undefined;
+    } | undefined;
+    external_host?: string | undefined;
+    internal_host?: string | undefined;
+    app_display_name?: string | undefined;
+    app_description?: string | undefined;
+    app_icon?: string | undefined;
+    app_group?: string | undefined;
+    app_launch_url?: string | undefined;
+    access_control?: {
+        domain: string | string[];
+        policy: "bypass" | "one_factor" | "two_factor" | "deny";
+        domain_regex?: string | undefined;
+        networks?: string[] | undefined;
+        subject?: string | string[] | string[][] | undefined;
+        methods?: string[] | undefined;
+        resources?: string[] | undefined;
+        query?: Record<string, unknown>[][] | undefined;
+    }[] | undefined;
+}, {
+    provider: "oidc" | "proxy" | "header";
+    app_name: string;
+    oidc?: {
+        client_id?: string | undefined;
+        client_name?: string | undefined;
+        client_secret?: string | undefined;
+        public?: boolean | undefined;
+        authorization_policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+        require_pkce?: boolean | undefined;
+        pkce_challenge_method?: "plain" | "S256" | undefined;
+        redirect_uris?: string[] | undefined;
+        scopes?: string[] | undefined;
+        response_types?: string[] | undefined;
+        grant_types?: string[] | undefined;
+        token_endpoint_auth_method?: "client_secret_basic" | "client_secret_post" | "client_secret_jwt" | "private_key_jwt" | "none" | undefined;
+        consent_mode?: "explicit" | "implicit" | "pre-configured" | undefined;
+        pre_configured_consent_duration?: string | undefined;
+        audience?: string[] | undefined;
+        additional_options?: Record<string, unknown> | undefined;
+    } | undefined;
+    proxy?: {
+        policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+        networks?: string[] | undefined;
+        subject?: string | string[] | undefined;
+        external_host?: string | undefined;
+        internal_host?: string | undefined;
+        skip_path_regex?: string | undefined;
+    } | undefined;
+    external_host?: string | undefined;
+    internal_host?: string | undefined;
+    app_display_name?: string | undefined;
+    app_description?: string | undefined;
+    app_icon?: string | undefined;
+    app_group?: string | undefined;
+    app_launch_url?: string | undefined;
+    access_control?: {
+        domain: string | string[];
+        policy: "bypass" | "one_factor" | "two_factor" | "deny";
+        domain_regex?: string | undefined;
+        networks?: string[] | undefined;
+        subject?: string | string[] | string[][] | undefined;
+        methods?: string[] | undefined;
+        resources?: string[] | undefined;
+        query?: Record<string, unknown>[][] | undefined;
+    }[] | undefined;
+}>;
+export type AuthConfigType = z.infer<typeof auth_config_schema>;
+/**
+ * Authelia plugin options
+ */
+export declare const authelia_plugin_options_schema: z.ZodObject<{
+    /** Authelia domain (e.g., auth.example.com) */
+    domain: z.ZodOptional<z.ZodString>;
+    /** Default authorization policy */
+    default_policy: z.ZodDefault<z.ZodEnum<["bypass", "one_factor", "two_factor", "deny"]>>;
+    /** Secret hashing algorithm (for client secrets) */
+    hash_algorithm: z.ZodDefault<z.ZodEnum<["pbkdf2", "argon2"]>>;
+    /** Whether to generate client secrets automatically */
+    auto_generate_secrets: z.ZodDefault<z.ZodBoolean>;
+    /** Output directory for generated configurations */
+    output_dir: z.ZodDefault<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    default_policy: "bypass" | "one_factor" | "two_factor" | "deny";
+    hash_algorithm: "pbkdf2" | "argon2";
+    auto_generate_secrets: boolean;
+    output_dir: string;
+    domain?: string | undefined;
+}, {
+    domain?: string | undefined;
+    default_policy?: "bypass" | "one_factor" | "two_factor" | "deny" | undefined;
+    hash_algorithm?: "pbkdf2" | "argon2" | undefined;
+    auto_generate_secrets?: boolean | undefined;
+    output_dir?: string | undefined;
+}>;
+export type AutheliaPluginOptionsType = z.infer<typeof authelia_plugin_options_schema>;
+/**
+ * Generated Authelia configuration
+ */
+export interface AutheliaConfigType {
+    identity_providers?: {
+        oidc?: {
+            clients?: OIDCClientConfigType[];
+        };
+    };
+    access_control?: {
+        default_policy?: AutheliaPolicyType;
+        rules?: AccessControlRuleType[];
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;GAEG;AACH,eAAO,MAAM,sBAAsB,2DAAyD,CAAC;AAC7F,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,4BAA4B,8BAA4B,CAAC;AACtE,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAEnF;;GAEG;AACH,eAAO,MAAM,iCAAiC,0GAM5C,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAE5F;;GAEG;AACH,eAAO,MAAM,mBAAmB,uDAAqD,CAAC;AACtF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAElE;;GAEG;AACH,eAAO,MAAM,oBAAoB,wCAAsC,CAAC;AACxE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,yBAAyB;IACpC,+BAA+B;;IAE/B,kCAAkC;;IAElC,qCAAqC;;IAErC,kDAAkD;;IAElD,iDAAiD;;IAEjD,+CAA+C;;IAE/C,4BAA4B;;IAE5B,wCAAwC;;IAExC,gEAAgE;;IAEhE,qCAAqC;;IAErC,gDAAgD;;IAEhD,2CAA2C;;IAE3C,mBAAmB;;IAEnB,uDAAuD;;IAEvD,8BAA8B;;IAE9B,yCAAyC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEzC,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE7E;;GAEG;AACH,eAAO,MAAM,0BAA0B;IACrC,yBAAyB;;IAEzB,mDAAmD;;IAEnD,sBAAsB;;IAEtB,wBAAwB;;IAExB,yCAAyC;;IAEzC,4BAA4B;;IAE5B,iCAAiC;;IAEjC,iCAAiC;;;;;;;;;;;;;;;;;;;;EAEjC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAE/E;;GAEG;AACH,eAAO,MAAM,wBAAwB;IACnC,wCAAwC;;IAExC,4BAA4B;;IAE5B,mCAAmC;;IAEnC,4BAA4B;;IAE5B,uBAAuB;;IAEvB,sCAAsC;;;;;;;;;;;;;;;;EAEtC,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE3E;;GAEG;AACH,eAAO,MAAM,kBAAkB;IAC7B,mCAAmC;;IAEnC,oDAAoD;;IAEpD,uCAAuC;;IAEvC,8BAA8B;;IAE9B,2BAA2B;;IAE3B,iCAAiC;;IAEjC,6BAA6B;;IAE7B,+CAA+C;;IAE/C,wCAAwC;;IAExC,kCAAkC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAElC,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;IAEnC,kCAAkC;;QAhElC,yBAAyB;;QAEzB,mDAAmD;;QAEnD,sBAAsB;;QAEtB,wBAAwB;;QAExB,yCAAyC;;QAEzC,4BAA4B;;QAE5B,iCAAiC;;QAEjC,iCAAiC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoDjC,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEhE;;GAEG;AACH,eAAO,MAAM,8BAA8B;IACzC,+CAA+C;;IAE/C,mCAAmC;;IAEnC,oDAAoD;;IAEpD,uDAAuD;;IAEvD,oDAAoD;;;;;;;;;;;;;;EAEpD,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE;YACL,OAAO,CAAC,EAAE,oBAAoB,EAAE,CAAC;SAClC,CAAC;KACH,CAAC;IACF,cAAc,CAAC,EAAE;QACf,cAAc,CAAC,EAAE,kBAAkB,CAAC;QACpC,KAAK,CAAC,EAAE,qBAAqB,EAAE,CAAC;KACjC,CAAC;CACH"}

package/package.json

@@ -1,23 +1,34 @@
 {
   "name": "@kustodian/plugin-authelia",
-  "version": "1.0.0",
+  "version": "2.0.1",
   "description": "Authelia authentication provider plugin for Kustodian",
   "type": "module",
-  "main": "./src/index.ts",
-  "types": "./src/index.ts",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "exports": {
     ".": {
-      "types": "./src/index.ts",
-      "import": "./src/index.ts"
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
     }
   },
-  "files": ["src"],
+  "files": [
+    "dist"
+  ],
   "scripts": {
     "test": "bun test",
     "test:watch": "bun test --watch",
-    "typecheck": "bun run tsc --noEmit"
+    "typecheck": "bun run tsc --noEmit",
+    "build": "bun build src/index.ts --outdir dist --target node --format esm && tsc --emitDeclarationOnly --outDir dist",
+    "prepublishOnly": "bun run build"
   },
-  "keywords": ["kustodian", "plugin", "authelia", "authentication", "oidc", "kubernetes"],
+  "keywords": [
+    "kustodian",
+    "plugin",
+    "authelia",
+    "authentication",
+    "oidc",
+    "kubernetes"
+  ],
   "author": "Luca Silverentand <luca@onezero.company>",
   "license": "MIT",
   "repository": {
@@ -26,16 +37,16 @@
     "directory": "plugins/authelia"
   },
   "publishConfig": {
-    "registry": "https://npm.pkg.github.com"
+    "access": "public",
+    "registry": "https://registry.npmjs.org"
   },
   "dependencies": {
-    "@kustodian/core": "^1.1.0",
-    "@kustodian/plugins": "^1.0.1",
-    "@kustodian/schema": "^1.2.0",
-    "js-yaml": "^4.1.1",
-    "zod": "^4.3.5"
+    "@kustodian/core": "2.0.0",
+    "@kustodian/plugins": "2.0.0",
+    "@kustodian/schema": "2.0.0",
+    "js-yaml": "^4.1.0",
+    "zod": "^3.25.30"
   },
-  "packageManager": "pnpm@10.19.0",
   "devDependencies": {
     "@types/js-yaml": "^4.0.9"
   }

package/src/executor.ts

@@ -1,114 +0,0 @@
-import { exec } from 'node:child_process';
-import { promisify } from 'node:util';
-import { type KustodianErrorType, type ResultType, create_error, success } from '@kustodian/core';
-
-const exec_async = promisify(exec);
-
-/**
- * Check if authelia CLI is available
- */
-export async function check_authelia_available(): Promise<ResultType<string, KustodianErrorType>> {
-  try {
-    const { stdout } = await exec_async('authelia --version', { timeout: 5000 });
-    const version = stdout.trim();
-    return success(version);
-  } catch (error) {
-    return {
-      success: false,
-      error: create_error(
-        'AUTHELIA_CLI_NOT_FOUND',
-        'Authelia CLI not found. Install from: https://www.authelia.com/integration/deployment/installation/',
-        error,
-      ),
-    };
-  }
-}
-
-/**
- * Generate a hashed password using Authelia CLI
- * @param password - Plain text password to hash
- * @param algorithm - Hashing algorithm (pbkdf2 or argon2)
- */
-export async function hash_password(
-  password: string,
-  algorithm: 'pbkdf2' | 'argon2' = 'pbkdf2',
-): Promise<ResultType<string, KustodianErrorType>> {
-  try {
-    const cmd =
-      algorithm === 'argon2'
-        ? `authelia crypto hash generate argon2 --password '${password}'`
-        : `authelia crypto hash generate pbkdf2 --password '${password}'`;
-
-    const { stdout } = await exec_async(cmd, { timeout: 10000 });
-
-    // Extract the hash from output (format: "Digest: $hash...")
-    const hash_match = stdout.match(/Digest: (.+)/);
-    if (!hash_match?.[1]) {
-      return {
-        success: false,
-        error: create_error(
-          'AUTHELIA_HASH_GENERATION_FAILED',
-          'Failed to extract hash from authelia output',
-        ),
-      };
-    }
-
-    return success(hash_match[1].trim());
-  } catch (error) {
-    return {
-      success: false,
-      error: create_error(
-        'AUTHELIA_HASH_GENERATION_FAILED',
-        `Failed to hash password: ${error instanceof Error ? error.message : String(error)}`,
-        error,
-      ),
-    };
-  }
-}
-
-/**
- * Generate a random secret suitable for OIDC client secrets
- */
-export async function generate_random_secret(
-  length = 64,
-): Promise<ResultType<string, KustodianErrorType>> {
-  try {
-    const { stdout } = await exec_async(
-      `authelia crypto rand --length ${length} --charset alphanumeric`,
-      {
-        timeout: 5000,
-      },
-    );
-    return success(stdout.trim());
-  } catch (error) {
-    return {
-      success: false,
-      error: create_error(
-        'AUTHELIA_SECRET_GENERATION_FAILED',
-        `Failed to generate random secret: ${error instanceof Error ? error.message : String(error)}`,
-        error,
-      ),
-    };
-  }
-}
-
-/**
- * Validate access control configuration using Authelia CLI
- */
-export async function validate_access_control(
-  config_path: string,
-): Promise<ResultType<boolean, KustodianErrorType>> {
-  try {
-    await exec_async(`authelia validate-config ${config_path}`, { timeout: 10000 });
-    return success(true);
-  } catch (error) {
-    return {
-      success: false,
-      error: create_error(
-        'AUTHELIA_CONFIG_VALIDATION_FAILED',
-        `Configuration validation failed: ${error instanceof Error ? error.message : String(error)}`,
-        error,
-      ),
-    };
-  }
-}