npm - @kustodian/plugin-authentik - Versions diffs - 1.0.0 → 2.0.0 - Mend

@kustodian/plugin-authentik 1.0.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/src/generator.ts DELETED Viewed

@@ -1,319 +0,0 @@
-import { type ResultType, failure, success } from '@kustodian/core';
-import type { KustodianErrorType } from '@kustodian/core';
-import * as yaml from 'js-yaml';
-import type {
-  AuthConfigType,
-  AuthentikApplicationType,
-  AuthentikBlueprintType,
-  AuthentikOAuth2ProviderType,
-  AuthentikPluginOptionsType,
-  AuthentikProxyProviderType,
-  AuthentikSAMLProviderType,
-} from './types.js';
-/**
- * Generate a random secret for OAuth2 clients.
- */
-export function generate_client_secret(length = 64): string {
-  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
-  let result = '';
-  const randomArray = new Uint8Array(length);
-  crypto.getRandomValues(randomArray);
-  for (const value of randomArray) {
-    result += chars[value % chars.length];
-  }
-  return result;
-}
-/**
- * Generate OAuth2 provider blueprint entry.
- */
-export function generate_oauth2_provider(
-  auth_config: AuthConfigType,
-  options: AuthentikPluginOptionsType,
-): ResultType<AuthentikOAuth2ProviderType, KustodianErrorType> {
-  if (auth_config.provider !== 'oauth2') {
-    return failure({
-      code: 'INVALID_CONFIG',
-      message: 'Auth config provider must be "oauth2"',
-    });
-  }
-  const oauth2_config = auth_config.oauth2 ?? {};
-  const provider_name = `${auth_config.app_name}-oauth2`;
-  const provider: AuthentikOAuth2ProviderType = {
-    identifiers: {
-      name: provider_name,
-    },
-    model: 'authentik_providers_oauth2.oauth2provider',
-    attrs: {
-      name: provider_name,
-      client_id: oauth2_config.client_id ?? auth_config.app_name,
-      client_type: oauth2_config.client_type ?? 'confidential',
-      redirect_uris: oauth2_config.redirect_uris?.join('\n') ?? '',
-      authorization_flow: oauth2_config.authorization_flow ?? options.default_authorization_flow,
-      include_claims_in_id_token: oauth2_config.include_claims_in_id_token ?? true,
-      access_token_validity: oauth2_config.access_token_validity ?? 'minutes=10',
-      refresh_token_validity: oauth2_config.refresh_token_validity ?? 'days=30',
-      sub_mode: oauth2_config.sub_mode ?? 'hashed_user_identifier',
-      issue_refresh_tokens: oauth2_config.issue_refresh_tokens ?? true,
-    },
-  };
-  // Add client secret if confidential and auto-generate is enabled
-  if (
-    provider.attrs.client_type === 'confidential' &&
-    options.auto_generate_secrets &&
-    !oauth2_config.client_secret
-  ) {
-    provider.attrs.client_secret = generate_client_secret();
-  } else if (oauth2_config.client_secret) {
-    provider.attrs.client_secret = oauth2_config.client_secret;
-  }
-  // Add optional signing key
-  if (oauth2_config.signing_key) {
-    provider.attrs.signing_key = oauth2_config.signing_key;
-  }
-  return success(provider);
-}
-/**
- * Generate SAML provider blueprint entry.
- */
-export function generate_saml_provider(
-  auth_config: AuthConfigType,
-  options: AuthentikPluginOptionsType,
-): ResultType<AuthentikSAMLProviderType, KustodianErrorType> {
-  if (auth_config.provider !== 'saml') {
-    return failure({
-      code: 'INVALID_CONFIG',
-      message: 'Auth config provider must be "saml"',
-    });
-  }
-  const saml_config = auth_config.saml;
-  if (!saml_config?.acs_url || !saml_config?.issuer) {
-    return failure({
-      code: 'INVALID_CONFIG',
-      message: 'SAML provider requires acs_url and issuer',
-    });
-  }
-  const provider_name = `${auth_config.app_name}-saml`;
-  const provider: AuthentikSAMLProviderType = {
-    identifiers: {
-      name: provider_name,
-    },
-    model: 'authentik_providers_saml.samlprovider',
-    attrs: {
-      name: provider_name,
-      acs_url: saml_config.acs_url,
-      issuer: saml_config.issuer,
-      sp_binding: saml_config.sp_binding ?? 'post',
-      authorization_flow: saml_config.authorization_flow ?? options.default_authorization_flow,
-      assertion_valid_not_before: saml_config.assertion_valid_not_before ?? 'minutes=5',
-      assertion_valid_not_on_or_after: saml_config.assertion_valid_not_on_or_after ?? 'minutes=5',
-      session_valid_not_on_or_after: saml_config.session_valid_not_on_or_after ?? 'minutes=86400',
-    },
-  };
-  // Add optional fields
-  if (saml_config.audience) {
-    provider.attrs.audience = saml_config.audience;
-  }
-  if (saml_config.signing_kp) {
-    provider.attrs.signing_kp = saml_config.signing_kp;
-  }
-  return success(provider);
-}
-/**
- * Generate Proxy provider blueprint entry.
- */
-export function generate_proxy_provider(
-  auth_config: AuthConfigType,
-  options: AuthentikPluginOptionsType,
-): ResultType<AuthentikProxyProviderType, KustodianErrorType> {
-  if (auth_config.provider !== 'proxy') {
-    return failure({
-      code: 'INVALID_CONFIG',
-      message: 'Auth config provider must be "proxy"',
-    });
-  }
-  const proxy_config = auth_config.proxy;
-  if (!proxy_config?.external_host) {
-    return failure({
-      code: 'INVALID_CONFIG',
-      message: 'Proxy provider requires external_host',
-    });
-  }
-  const provider_name = `${auth_config.app_name}-proxy`;
-  const provider: AuthentikProxyProviderType = {
-    identifiers: {
-      name: provider_name,
-    },
-    model: 'authentik_providers_proxy.proxyprovider',
-    attrs: {
-      name: provider_name,
-      external_host: proxy_config.external_host,
-      internal_host_ssl_validation: proxy_config.internal_host_ssl_validation ?? true,
-      basic_auth_enabled: proxy_config.basic_auth_enabled ?? false,
-      mode: proxy_config.mode ?? 'forward_single',
-      authorization_flow: proxy_config.authorization_flow ?? options.default_authorization_flow,
-      access_token_validity: proxy_config.access_token_validity ?? 'minutes=10',
-      intercept_header_auth: proxy_config.intercept_header_auth ?? true,
-    },
-  };
-  // Add optional fields
-  if (proxy_config.internal_host) {
-    provider.attrs.internal_host = proxy_config.internal_host;
-  }
-  if (proxy_config.certificate) {
-    provider.attrs.certificate = proxy_config.certificate;
-  }
-  if (proxy_config.skip_path_regex) {
-    provider.attrs.skip_path_regex = proxy_config.skip_path_regex;
-  }
-  if (proxy_config.basic_auth_password_attribute) {
-    provider.attrs.basic_auth_password_attribute = proxy_config.basic_auth_password_attribute;
-  }
-  if (proxy_config.basic_auth_user_attribute) {
-    provider.attrs.basic_auth_user_attribute = proxy_config.basic_auth_user_attribute;
-  }
-  return success(provider);
-}
-/**
- * Generate application blueprint entry.
- */
-export function generate_application(
-  auth_config: AuthConfigType,
-  provider_name: string,
-): AuthentikApplicationType {
-  const attrs: AuthentikApplicationType['attrs'] = {
-    name: auth_config.app_display_name ?? auth_config.app_name,
-    slug: auth_config.app_name,
-    provider: provider_name,
-    policy_engine_mode: 'any',
-  };
-  // Add optional fields only if defined
-  if (auth_config.app_description) {
-    attrs.meta_description = auth_config.app_description;
-  }
-  if (auth_config.app_icon) {
-    attrs.meta_icon = auth_config.app_icon;
-  }
-  if (auth_config.app_group) {
-    attrs.group = auth_config.app_group;
-  }
-  if (auth_config.app_launch_url) {
-    attrs.meta_launch_url = auth_config.app_launch_url;
-  }
-  return {
-    identifiers: {
-      slug: auth_config.app_name,
-    },
-    model: 'authentik_core.application',
-    attrs,
-  };
-}
-/**
- * Generate complete Authentik blueprint from auth configuration.
- */
-export function generate_authentik_blueprint(
-  auth_config: AuthConfigType,
-  options: AuthentikPluginOptionsType,
-): ResultType<AuthentikBlueprintType, KustodianErrorType> {
-  const entries: AuthentikBlueprintType['entries'] = [];
-  // Generate provider based on type
-  let provider_result:
-    | ResultType<AuthentikOAuth2ProviderType, KustodianErrorType>
-    | ResultType<AuthentikSAMLProviderType, KustodianErrorType>
-    | ResultType<AuthentikProxyProviderType, KustodianErrorType>;
-  switch (auth_config.provider) {
-    case 'oauth2':
-      provider_result = generate_oauth2_provider(auth_config, options);
-      break;
-    case 'saml':
-      provider_result = generate_saml_provider(auth_config, options);
-      break;
-    case 'proxy':
-      provider_result = generate_proxy_provider(auth_config, options);
-      break;
-    default:
-      return failure({
-        code: 'INVALID_CONFIG',
-        message: `Unknown provider type: ${auth_config.provider}`,
-      });
-  }
-  if (!provider_result.success) {
-    return provider_result;
-  }
-  const provider = provider_result.value;
-  entries.push(provider);
-  // Generate application
-  const application = generate_application(auth_config, provider.identifiers.name);
-  entries.push(application);
-  const blueprint: AuthentikBlueprintType = {
-    version: options.blueprint_version,
-    metadata: {
-      name: `${auth_config.app_name}-blueprint`,
-      labels: {
-        'app.kubernetes.io/name': auth_config.app_name,
-        'app.kubernetes.io/managed-by': 'kustodian',
-      },
-    },
-    entries,
-  };
-  return success(blueprint);
-}
-/**
- * Convert blueprint to YAML string.
- */
-export function blueprint_to_yaml(blueprint: AuthentikBlueprintType): string {
-  return yaml.dump(blueprint, {
-    indent: 2,
-    lineWidth: -1,
-    noRefs: true,
-    sortKeys: false,
-  });
-}
-/**
- * Parse YAML string to blueprint.
- */
-export function yaml_to_blueprint(
-  yaml_string: string,
-): ResultType<AuthentikBlueprintType, KustodianErrorType> {
-  try {
-    const blueprint = yaml.load(yaml_string) as AuthentikBlueprintType;
-    return success(blueprint);
-  } catch (error) {
-    return failure({
-      code: 'PARSE_ERROR',
-      message: `Failed to parse YAML: ${error instanceof Error ? error.message : String(error)}`,
-    });
-  }
-}

package/src/index.ts DELETED Viewed

@@ -1,44 +0,0 @@
-/**
- * Authentik authentication provider plugin for Kustodian
- *
- * This plugin enables integration with Authentik for authentication and authorization.
- * It can generate OAuth2, SAML, and Proxy provider configurations, create Authentik
- * blueprints, and manage authentication requirements for deployed applications.
- *
- * @packageDocumentation
- */
-export { create_authentik_plugin, plugin as default } from './plugin.js';
-export type {
-  AuthConfigType,
-  AuthProviderType,
-  AuthentikPluginOptionsType,
-  OAuth2ProviderConfigType,
-  SAMLProviderConfigType,
-  ProxyProviderConfigType,
-  AuthentikBlueprintType,
-  AuthentikApplicationType,
-  AuthentikOAuth2ProviderType,
-  AuthentikSAMLProviderType,
-  AuthentikProxyProviderType,
-  ClientTypeType,
-  ProxyModeType,
-  SAMLBindingType,
-  SAMLNameIDPolicyType,
-  AuthentikFlowType,
-} from './types.js';
-export {
-  generate_authentik_blueprint,
-  generate_oauth2_provider,
-  generate_saml_provider,
-  generate_proxy_provider,
-  generate_application,
-  generate_client_secret,
-  blueprint_to_yaml,
-  yaml_to_blueprint,
-} from './generator.js';
-export {
-  check_authentik_available,
-  validate_blueprint,
-  generate_random_secret,
-} from './executor.js';

package/src/plugin.ts DELETED Viewed

@@ -1,238 +0,0 @@
-import { success } from '@kustodian/core';
-import type {
-  CommandType,
-  HookContextType,
-  HookEventType,
-  KustodianPluginType,
-  PluginCommandContributionType,
-  PluginHookContributionType,
-  PluginManifestType,
-} from '@kustodian/plugins';
-import {
-  check_authentik_available,
-  generate_random_secret,
-  validate_blueprint,
-} from './executor.js';
-import { blueprint_to_yaml, generate_authentik_blueprint } from './generator.js';
-import type { AuthConfigType } from './types.js';
-import { authentik_plugin_options_schema } from './types.js';
-/**
- * Authentik plugin manifest.
- */
-const manifest: PluginManifestType = {
-  name: '@kustodian/plugin-authentik',
-  version: '1.0.0',
-  description: 'Authentik authentication provider plugin for Kustodian',
-  capabilities: ['commands', 'hooks'],
-};
-/**
- * Creates the Authentik plugin.
- */
-export function create_authentik_plugin(
-  options: Record<string, unknown> = {},
-): KustodianPluginType {
-  // Parse options through schema to apply defaults
-  const plugin_options = authentik_plugin_options_schema.parse(options);
-  return {
-    manifest,
-    async activate() {
-      // Verify CLI availability on activation (warning only)
-      const check_result = await check_authentik_available();
-      if (!check_result.success) {
-        console.warn('Authentik CLI not found - some features may be unavailable');
-        console.warn('Install from: https://goauthentik.io/docs/installation/');
-      }
-      return success(undefined);
-    },
-    async deactivate() {
-      return success(undefined);
-    },
-    get_commands(): PluginCommandContributionType[] {
-      const authentik_command: CommandType = {
-        name: 'authentik',
-        description: 'Authentik authentication provider commands',
-        subcommands: [
-          {
-            name: 'check',
-            description: 'Check Authentik CLI availability',
-            handler: async () => {
-              const result = await check_authentik_available();
-              if (result.success) {
-                console.log(`Authentik CLI: ${result.value}`);
-                return success(undefined);
-              }
-              console.error('Authentik CLI not available');
-              return result;
-            },
-          },
-          {
-            name: 'generate-secret',
-            description: 'Generate random secret for OAuth2 client',
-            arguments: [
-              {
-                name: 'length',
-                description: 'Secret length (default: 64)',
-                required: false,
-              },
-            ],
-            handler: async (ctx: {
-              args: string[];
-              options: Record<string, unknown>;
-              data: Record<string, unknown>;
-            }) => {
-              const length = ctx.args[0] ? Number.parseInt(ctx.args[0], 10) : 64;
-              const result = await generate_random_secret(length);
-              if (result.success) {
-                console.log('Generated secret:');
-                console.log(result.value);
-                return success(undefined);
-              }
-              console.error(`Failed to generate secret: ${result.error.message}`);
-              return result;
-            },
-          },
-          {
-            name: 'generate-blueprint',
-            description: 'Generate Authentik blueprint from auth configuration',
-            arguments: [
-              {
-                name: 'app-name',
-                description: 'Application name',
-                required: true,
-              },
-              {
-                name: 'provider',
-                description: 'Provider type (oauth2, saml, proxy)',
-                required: true,
-              },
-              {
-                name: 'config-json',
-                description: 'JSON configuration for the provider',
-                required: true,
-              },
-            ],
-            handler: async (ctx: {
-              args: string[];
-              options: Record<string, unknown>;
-              data: Record<string, unknown>;
-            }) => {
-              const app_name = ctx.args[0];
-              const provider = ctx.args[1] as 'oauth2' | 'saml' | 'proxy';
-              const config_json = ctx.args[2];
-              if (!app_name || !provider || !config_json) {
-                console.error('App name, provider, and config JSON are required');
-                return success(undefined);
-              }
-              try {
-                const provider_config = JSON.parse(config_json);
-                const auth_config: AuthConfigType = {
-                  provider,
-                  app_name,
-                  [provider]: provider_config,
-                };
-                const result = generate_authentik_blueprint(auth_config, plugin_options);
-                if (result.success) {
-                  console.log('Generated blueprint:');
-                  console.log(blueprint_to_yaml(result.value));
-                  return success(undefined);
-                }
-                console.error(`Failed to generate blueprint: ${result.error.message}`);
-                return result;
-              } catch (error) {
-                console.error(
-                  `Failed to parse config JSON: ${error instanceof Error ? error.message : String(error)}`,
-                );
-                return success(undefined);
-              }
-            },
-          },
-          {
-            name: 'validate-blueprint',
-            description: 'Validate Authentik blueprint file',
-            arguments: [
-              {
-                name: 'blueprint-path',
-                description: 'Path to blueprint file',
-                required: true,
-              },
-            ],
-            handler: async (ctx: {
-              args: string[];
-              options: Record<string, unknown>;
-              data: Record<string, unknown>;
-            }) => {
-              const blueprint_path = ctx.args[0];
-              if (!blueprint_path) {
-                console.error('Blueprint path is required');
-                return success(undefined);
-              }
-              const result = await validate_blueprint(blueprint_path);
-              if (result.success) {
-                console.log('✓ Blueprint is valid');
-                return success(undefined);
-              }
-              console.error(`✗ Blueprint validation failed: ${result.error.message}`);
-              return result;
-            },
-          },
-        ],
-      };
-      return [{ command: authentik_command }];
-    },
-    get_hooks(): PluginHookContributionType[] {
-      return [
-        {
-          event: 'generator:after_resolve',
-          priority: 40, // Run before secret providers to allow auth configs to be processed
-          handler: async (_event: HookEventType, ctx: HookContextType) => {
-            // TODO: Implement auth config extraction from templates
-            // This will:
-            // 1. Extract auth configs from kustomizations
-            // 2. Generate Authentik blueprints
-            // 3. Write blueprints to output directory
-            // 4. Generate Kubernetes ConfigMaps with blueprints
-            // For now, just pass through
-            return success(ctx);
-          },
-        },
-        {
-          event: 'generator:before',
-          priority: 50,
-          handler: async (_event: HookEventType, ctx: HookContextType) => {
-            // TODO: This hook could be used to:
-            // 1. Inject generated Authentik blueprints as ConfigMaps
-            // 2. Generate documentation for configured applications
-            // 3. Validate auth configuration consistency
-            return success(ctx);
-          },
-        },
-      ];
-    },
-  };
-}
-/**
- * Default plugin export.
- */
-export const plugin = create_authentik_plugin();
-export default plugin;