@naylence/runtime 0.3.12 → 0.3.13

package/dist/esm/naylence/fame/node/admission/direct-admission-client-factory.js

@@ -10,7 +10,7 @@ export class DirectAdmissionClientFactory extends AdmissionClientFactory {
         super(...arguments);
         this.type = 'DirectAdmissionClient';
     }
-    async create(config) {
+    async create(config, ...factoryArgs) {
         if (!config) {
             throw new Error('DirectAdmissionClient configuration is required');
         }
@@ -21,9 +21,11 @@ export class DirectAdmissionClientFactory extends AdmissionClientFactory {
             });
             return JSON.parse(JSON.stringify(evaluated));
         });
+        const identityPolicy = factoryArgs.find((arg) => Boolean(arg && typeof arg === 'object' && 'identityPolicy' in arg))?.identityPolicy;
         return new DirectAdmissionClient({
             connectionGrants: evaluatedGrants,
             ttlSec: normalized.ttlSec ?? null,
+            nodeIdentityPolicy: identityPolicy,
         });
     }
 }

package/dist/esm/naylence/fame/node/admission/direct-admission-client.js

@@ -1,7 +1,8 @@
-import { createFameEnvelope, generateIdAsync, } from '@naylence/core';
+import { createFameEnvelope, } from '@naylence/core';
 import { DEFAULT_DIRECT_ADMISSION_TTL_SEC, TTL_NEVER_EXPIRES, } from '../../constants/ttl-constants.js';
 import { getLogger } from '../../util/logging.js';
 import { validateTtlSec } from '../../util/ttl-validation.js';
+import { GrantMaterializer } from '../../grants/grant-materializer.js';
 const logger = getLogger('naylence.fame.node.admission.direct_admission_client');
 export class DirectAdmissionClient {
     constructor(options) {
@@ -25,6 +26,7 @@ export class DirectAdmissionClient {
         else {
             this.ttlSec = ttlCandidate;
         }
+        this.nodeIdentityPolicy = options.nodeIdentityPolicy;
     }
     async hello(systemId, instanceId, requestedLogicals) {
         logger.debug('direct_admission_hello_start', {
@@ -32,26 +34,27 @@ export class DirectAdmissionClient {
             instanceId,
             requestedLogicals,
         });
-        const effectiveSystemId = systemId && systemId.trim().length > 0
-            ? systemId
-            : await generateIdAsync({ mode: 'fingerprint' }).catch(async () => {
-                logger.debug('direct_admission_fingerprint_generation_failed', {
-                    reason: 'falling back to random id',
-                });
-                return generateIdAsync({ mode: 'random' });
-            });
+        const initialSystemId = systemId;
         const acceptedLogicals = requestedLogicals && requestedLogicals.length > 0
             ? [...requestedLogicals]
             : ['*'];
         const now = Date.now();
         const ttlSeconds = this.resolveTtlSeconds();
         const expiresAt = new Date(now + ttlSeconds * 1000);
+        const materializedGrants = await Promise.all(this.connectionGrants.map((grant) => GrantMaterializer.materialize(grant)));
+        const effectiveSystemId = this.nodeIdentityPolicy
+            ? await this.nodeIdentityPolicy.resolveAdmissionNodeId({
+                currentNodeId: initialSystemId,
+                identities: [],
+                grants: materializedGrants,
+            })
+            : initialSystemId;
         const welcomeFrame = {
             type: 'NodeWelcome',
             systemId: effectiveSystemId,
             instanceId,
             acceptedLogicals,
-            connectionGrants: this.connectionGrants.map((grant) => cloneGrant(grant)),
+            connectionGrants: materializedGrants.map((grant) => cloneGrant(grant)),
             expiresAt: expiresAt.toISOString(),
         };
         const envelope = createFameEnvelope({

package/dist/esm/naylence/fame/node/default-node-identity-policy-factory.js

@@ -0,0 +1,17 @@
+import { DefaultNodeIdentityPolicy } from './default-node-identity-policy.js';
+import { NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NodeIdentityPolicyFactory, } from './node-identity-policy-factory.js';
+export const FACTORY_META = {
+    base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
+    key: 'DefaultNodeIdentityPolicy',
+};
+export class DefaultNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'DefaultNodeIdentityPolicy';
+        this.isDefault = true;
+    }
+    async create(_config) {
+        return new DefaultNodeIdentityPolicy();
+    }
+}
+export default DefaultNodeIdentityPolicyFactory;

package/dist/esm/naylence/fame/node/default-node-identity-policy.js

@@ -0,0 +1,56 @@
+import { generateIdAsync } from '@naylence/core';
+import { TokenProviderFactory } from '../security/auth/token-provider-factory.js';
+import { isIdentityExposingTokenProvider } from '../security/auth/token-provider.js';
+import { getLogger } from '../util/logging.js';
+const logger = getLogger('naylence.fame.node.default_node_identity_policy');
+export class DefaultNodeIdentityPolicy {
+    async resolveInitialNodeId(context) {
+        if (context.configuredId) {
+            return context.configuredId;
+        }
+        if (context.persistedId) {
+            return context.persistedId;
+        }
+        return await generateIdAsync({ mode: 'fingerprint' });
+    }
+    async resolveAdmissionNodeId(context) {
+        // Try to extract identity from grants first
+        if (context.grants && context.grants.length > 0) {
+            for (const grant of context.grants) {
+                try {
+                    const auth = grant.auth;
+                    if (!auth) {
+                        continue;
+                    }
+                    const tokenProviderConfig = (auth.tokenProvider ??
+                        auth.token_provider);
+                    if (!tokenProviderConfig ||
+                        typeof tokenProviderConfig.type !== 'string') {
+                        continue;
+                    }
+                    const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
+                    if (isIdentityExposingTokenProvider(provider)) {
+                        const identity = await provider.getIdentity();
+                        if (identity && identity.subject) {
+                            logger.debug('identity_extracted_from_grant', {
+                                identity_id: identity.subject,
+                                grant_type: grant.type,
+                            });
+                            return identity.subject;
+                        }
+                    }
+                }
+                catch (error) {
+                    logger.warning('identity_extraction_failed', {
+                        error: error instanceof Error ? error.message : String(error),
+                        grant_type: grant.type,
+                    });
+                }
+            }
+        }
+        if (!context.currentNodeId) {
+            return await generateIdAsync({ mode: 'fingerprint' });
+        }
+        return context.currentNodeId;
+    }
+}

package/dist/esm/naylence/fame/node/factory-commons.js

@@ -1,6 +1,7 @@
-import { generateIdAsync } from '@naylence/core';
 import { createResource } from '@naylence/factory';
 import { AdmissionClientFactory } from './admission/admission-client-factory.js';
+import { DefaultNodeIdentityPolicy } from './default-node-identity-policy.js';
+import { NodeIdentityPolicyFactory, } from './node-identity-policy-factory.js';
 import { DefaultNodeAttachClient } from './admission/default-node-attach-client.js';
 import { TransportListenerFactory } from '../connector/transport-listener-factory.js';
 import { StorageProviderFactory } from '../storage/storage-provider-factory.js';
@@ -122,6 +123,7 @@ export async function makeCommonOptions(config, rawConfig) {
     const deliveryConfig = pickOption(config.delivery ?? null, aliasRecord, 'delivery_policy');
     const telemetryConfig = pickOption(config.telemetry ?? null, aliasRecord, 'trace_emitter', 'telemetry_config');
     const securityConfig = pickOption(config.security ?? null, aliasRecord, 'security_manager', 'security_profile');
+    const identityPolicyConfig = pickOption(config.identityPolicy ?? null, aliasRecord, 'identity_policy', 'node_identity_policy');
     const publicUrl = pickString(config.publicUrl ?? null, aliasRecord, 'public_url') ?? null;
     const directParentUrl = pickString(config.directParentUrl ?? null, aliasRecord, 'direct_parent_url') ?? null;
     const hasParentFlag = config.hasParent || Boolean(aliasRecord.has_parent ?? false);
@@ -130,7 +132,8 @@ export async function makeCommonOptions(config, rawConfig) {
     const storageProvider = await resolveStorageProvider(storageConfig ?? null, expressionOptions);
     const nodeMetaStore = await storageProvider.getKeyValueStore(NodeMetaRecord, NODE_META_NAMESPACE);
     const nodeMeta = await nodeMetaStore.get('self');
-    const admissionClient = await resolveAdmissionClient(admissionConfig ?? null, expressionOptions);
+    const identityPolicy = await resolveNodeIdentityPolicy(identityPolicyConfig ?? null, expressionOptions);
+    const admissionClient = await resolveAdmissionClient(admissionConfig ?? null, expressionOptions, identityPolicy ?? undefined);
     const hasParent = determineHasParent(hasParentFlag, directParentUrl, admissionClient);
     const replicaStickinessManager = await resolveReplicaStickinessManager(hasParent, requestedLogicals, expressionOptions);
     const attachmentKeyValidator = await resolveAttachmentKeyValidator(attachmentKeyValidatorConfig ?? null, expressionOptions);
@@ -162,9 +165,11 @@ export async function makeCommonOptions(config, rawConfig) {
         addEventListener(listener, eventListeners);
     }
     const bindingStore = await storageProvider.getKeyValueStore(BindingStoreEntryRecord, BINDING_STORE_NAMESPACE);
-    const systemId = systemIdOverride ??
-        nodeMeta?.id ??
-        (await generateIdAsync({ mode: 'fingerprint' }));
+    const effectiveIdentityPolicy = identityPolicy ?? new DefaultNodeIdentityPolicy();
+    const systemId = await effectiveIdentityPolicy.resolveInitialNodeId({
+        configuredId: systemIdOverride,
+        persistedId: nodeMeta?.id,
+    });
     const attachClientOptions = {
         ...(attachmentKeyValidator ? { attachmentKeyValidator } : {}),
         ...(replicaStickinessManager ? { replicaStickinessManager } : {}),
@@ -195,8 +200,20 @@ export async function makeCommonOptions(config, rawConfig) {
         eventListeners,
         transportListeners,
         traceEmitter,
+        identityPolicy: identityPolicy ?? undefined,
     };
 }
+async function resolveNodeIdentityPolicy(config, options) {
+    try {
+        return await NodeIdentityPolicyFactory.createNodeIdentityPolicy(config ?? undefined, cloneCreateOptions(options));
+    }
+    catch (error) {
+        logger.warning('node_identity_policy_creation_failed', {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        return null;
+    }
+}
 async function resolveStorageProvider(config, options) {
     if (config) {
         try {
@@ -210,12 +227,19 @@ async function resolveStorageProvider(config, options) {
     }
     return new InMemoryStorageProvider();
 }
-async function resolveAdmissionClient(config, options) {
+async function resolveAdmissionClient(config, options, identityPolicy) {
     if (config && typeof config.hello === 'function') {
         return config;
     }
     try {
-        return await AdmissionClientFactory.createAdmissionClient((config ?? null), cloneCreateOptions(options));
+        const createOptions = cloneCreateOptions(options);
+        if (identityPolicy) {
+            createOptions.factoryArgs = [
+                ...(createOptions.factoryArgs ?? []),
+                { identityPolicy },
+            ];
+        }
+        return await AdmissionClientFactory.createAdmissionClient((config ?? null), createOptions);
     }
     catch (error) {
         logger.warning('admission_client_creation_failed', {

package/dist/esm/naylence/fame/node/index.js

@@ -18,3 +18,10 @@ export * from './fame-environment-context.js';
 export * from './session-manager.js';
 export * from './upstream-session-manager.js';
 export * from './root-session-manager.js';
+export * from './node-identity-policy.js';
+export * from './node-identity-policy-factory.js';
+export * from './default-node-identity-policy.js';
+export { DefaultNodeIdentityPolicyFactory, } from './default-node-identity-policy-factory.js';
+export * from './token-subject-node-identity-policy.js';
+export { TokenSubjectNodeIdentityPolicyFactory, } from './token-subject-node-identity-policy-factory.js';
+export { NodeIdentityPolicyProfileFactory, } from './node-identity-policy-profile-factory.js';

package/dist/esm/naylence/fame/node/node-config.js

@@ -22,6 +22,7 @@ const FameNodeConfigSchemaInternal = z
     attachmentKeyValidator: z.unknown().optional().nullable(),
     telemetry: z.unknown().optional().nullable(),
     requestedCapabilities: z.array(z.string()).optional(),
+    identityPolicy: z.unknown().optional().nullable(),
 })
     .passthrough();
 export function normalizeFameNodeConfig(input) {
@@ -60,6 +61,9 @@ export function normalizeFameNodeConfig(input) {
         telemetry: parsed.telemetry === undefined
             ? null
             : parsed.telemetry,
+        identityPolicy: parsed.identityPolicy === undefined
+            ? null
+            : parsed.identityPolicy,
     };
     if (parsed.requestedCapabilities) {
         normalized.requestedCapabilities = coerceStringArray(parsed.requestedCapabilities);

package/dist/esm/naylence/fame/node/node-identity-policy-factory.js

@@ -0,0 +1,18 @@
+import { AbstractResourceFactory, createDefaultResource, createResource, } from '@naylence/factory';
+export const NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE = 'NodeIdentityPolicyFactory';
+export class NodeIdentityPolicyFactory extends AbstractResourceFactory {
+    static async createNodeIdentityPolicy(config, options = {}) {
+        if (config) {
+            const policy = await createResource(NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, config, options);
+            if (!policy) {
+                throw new Error('Failed to create node identity policy from configuration');
+            }
+            return policy;
+        }
+        const policy = await createDefaultResource(NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, null, options);
+        if (!policy) {
+            throw new Error('Failed to create default node identity policy');
+        }
+        return policy;
+    }
+}

package/dist/esm/naylence/fame/node/node-identity-policy-profile-factory.js

@@ -0,0 +1,63 @@
+import { NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NodeIdentityPolicyFactory, } from './node-identity-policy-factory.js';
+import { getLogger } from '../util/logging.js';
+const logger = getLogger('naylence.fame.node.node_identity_policy_profile_factory');
+const PROFILE_NAME_DEFAULT = 'default';
+const PROFILE_NAME_TOKEN_SUBJECT = 'token-subject';
+const PROFILE_NAME_TOKEN_SUBJECT_ALIAS = 'token_subject';
+const DEFAULT_PROFILE = {
+    type: 'DefaultNodeIdentityPolicy',
+};
+const TOKEN_SUBJECT_PROFILE = {
+    type: 'TokenSubjectNodeIdentityPolicy',
+};
+const PROFILE_MAP = {
+    [PROFILE_NAME_DEFAULT]: DEFAULT_PROFILE,
+    [PROFILE_NAME_TOKEN_SUBJECT]: TOKEN_SUBJECT_PROFILE,
+    [PROFILE_NAME_TOKEN_SUBJECT_ALIAS]: TOKEN_SUBJECT_PROFILE,
+};
+export const FACTORY_META = {
+    base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
+    key: 'NodeIdentityPolicyProfile',
+};
+export class NodeIdentityPolicyProfileFactory extends NodeIdentityPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'NodeIdentityPolicyProfile';
+    }
+    async create(config) {
+        const normalized = normalizeConfig(config);
+        const profileConfig = resolveProfileConfig(normalized.profile);
+        logger.debug('enabling_node_identity_policy_profile', {
+            profile: normalized.profile,
+        });
+        return NodeIdentityPolicyFactory.createNodeIdentityPolicy(profileConfig);
+    }
+}
+function normalizeConfig(config) {
+    if (!config) {
+        return { profile: PROFILE_NAME_DEFAULT };
+    }
+    const candidate = config;
+    const profileValue = typeof candidate.profile === 'string' && candidate.profile.trim().length > 0
+        ? candidate.profile
+        : typeof candidate.profile_name === 'string' &&
+            candidate.profile_name.trim().length > 0
+            ? candidate.profile_name
+            : typeof candidate.profileName === 'string' &&
+                candidate.profileName.trim().length > 0
+                ? candidate.profileName
+                : PROFILE_NAME_DEFAULT;
+    const normalizedProfile = profileValue.trim().toLowerCase();
+    return { profile: normalizedProfile };
+}
+function resolveProfileConfig(profileName) {
+    const profile = PROFILE_MAP[profileName];
+    if (!profile) {
+        throw new Error(`Unknown node identity policy profile: ${profileName}`);
+    }
+    return deepClone(profile);
+}
+function deepClone(value) {
+    return JSON.parse(JSON.stringify(value));
+}
+export default NodeIdentityPolicyProfileFactory;

package/dist/esm/naylence/fame/node/node-identity-policy.js

@@ -0,0 +1 @@
+export {};

package/dist/esm/naylence/fame/node/node.js

@@ -123,14 +123,15 @@ function sortListeners(listeners) {
 export class FameNode extends TaskSpawner {
     constructor(options = {}) {
         super();
+        this._confirmedId = null;
         this._sessionManager = null;
         this._upstreamConnector = null;
         this._isStarted = false;
         this._lastHeartbeatAt = null;
         const systemIdOption = resolveStringOption(options, 'systemId', 'system_id');
-        this._id = systemIdOption ?? generateId();
+        this._provisionalId = systemIdOption ?? generateId();
         const physicalPathOption = resolveStringOption(options, 'physicalPath', 'physical_path');
-        this._physicalPath = physicalPathOption ?? `/${this._id}`;
+        this._physicalPath = physicalPathOption ?? `/${this._provisionalId}`;
         const hasParentOption = resolveBooleanOption(options, 'hasParent', 'has_parent');
         this._hasParent = hasParentOption ?? false;
         const storageProviderOption = resolveOption(options, 'storageProvider', 'storage_provider');
@@ -184,7 +185,7 @@ export class FameNode extends TaskSpawner {
         const bindingStoreOption = resolveOption(options, 'bindingStore', 'binding_store');
         const bindingManagerOptions = {
             hasUpstream: this._hasParent,
-            getId: () => this._id,
+            getId: () => this.id,
             getPhysicalPath: () => this._physicalPath,
             getAcceptedLogicals: () => this._acceptedLogicals,
             forwardUpstream: (envelope, context) => this.forwardUpstream(envelope, context),
@@ -239,7 +240,8 @@ export class FameNode extends TaskSpawner {
         }
     }
     async initializeRootSessionManager() {
-        const admissionClient = this._admissionClient ?? new NoopAdmissionClient({ systemId: this._id });
+        const admissionClient = this._admissionClient ??
+            new NoopAdmissionClient({ systemId: this._provisionalId });
         const manager = new RootSessionManager({
             node: this,
             admissionClient,
@@ -276,9 +278,37 @@ export class FameNode extends TaskSpawner {
         await this.deliver(envelope, context);
         return null;
     }
+    confirmIdentity(systemId, source) {
+        if (this._confirmedId) {
+            if (this._confirmedId !== systemId) {
+                logger.error('node_identity_mismatch', {
+                    current_id: this._confirmedId,
+                    new_id: systemId,
+                    source,
+                });
+                throw new Error(`Node identity mismatch in ${source}: expected ${this._confirmedId}, got ${systemId}`);
+            }
+            return;
+        }
+        const isReassignment = this._provisionalId !== systemId;
+        this._confirmedId = systemId;
+        if (isReassignment) {
+            logger.debug('node_identity_reassigned', {
+                system_id: systemId,
+                previous_id: this._provisionalId,
+                source,
+            });
+        }
+        else {
+            logger.debug('node_identity_confirmed', {
+                system_id: systemId,
+                source,
+            });
+        }
+    }
     async handleWelcome(welcome) {
         if (welcome.systemId) {
-            this._id = welcome.systemId;
+            this.confirmIdentity(welcome.systemId, 'handleWelcome');
         }
         if (welcome.acceptedLogicals) {
             this._acceptedLogicals = new Set(welcome.acceptedLogicals);
@@ -299,7 +329,7 @@ export class FameNode extends TaskSpawner {
         await this.dispatchEvent('onWelcome', welcome);
     }
     async handleAttach(info, connector) {
-        this._id = info.systemId;
+        this.confirmIdentity(info.systemId, 'handleAttach');
         this._physicalPath =
             info.assignedPath ?? info.targetPhysicalPath ?? this._physicalPath;
         this._upstreamConnector = connector;
@@ -385,7 +415,13 @@ export class FameNode extends TaskSpawner {
         });
     }
     get id() {
-        return this._id;
+        if (!this._confirmedId) {
+            throw new Error('Node ID has not been confirmed yet. Use provisionalId for bootstrapping.');
+        }
+        return this._confirmedId;
+    }
+    get provisionalId() {
+        return this._provisionalId;
     }
     get sid() {
         return this._sid;
@@ -904,8 +940,8 @@ export class FameNode extends TaskSpawner {
             const store = await this._nodeMetaStorePromise;
             const existing = await store.get('self');
             const record = existing
-                ? Object.assign(existing, { id: this._id })
-                : new NodeMetaRecord(this._id);
+                ? Object.assign(existing, { id: this.id })
+                : new NodeMetaRecord(this.id);
             await store.set('self', record);
         }
         catch (error) {

package/dist/esm/naylence/fame/node/root-session-manager.js

@@ -170,8 +170,7 @@ export class RootSessionManager extends TaskSpawner {
     }
     async performAdmission() {
         this.admissionEpoch += 1;
-        this.initializeRootIdentityIfNeeded();
-        const welcome = await this.admissionClient.hello(this.node.id, generateId(), this.requestedLogicals);
+        const welcome = await this.admissionClient.hello(this.node.provisionalId, generateId(), this.requestedLogicals);
         this.currentWelcome = welcome.frame;
         const cryptoProvider = this.node.cryptoProvider; //getCryptoProvider();
         if (welcome.frame.assignedPath && cryptoProvider?.prepareForAttach) {
@@ -380,15 +379,6 @@ export class RootSessionManager extends TaskSpawner {
             seconds_before_expiry: RootSessionManager.JWT_REFRESH_SAFETY,
         });
     }
-    initializeRootIdentityIfNeeded() {
-        const nodeAny = this.node;
-        if (!this.node.id) {
-            nodeAny._id = generateId();
-            logger.debug('root_identity_generated_id_for_admission', {
-                system_id: this.node.id,
-            });
-        }
-    }
     async consumeTask(task) {
         try {
             await task.promise;

package/dist/esm/naylence/fame/node/rpc-client-manager.js

@@ -99,6 +99,8 @@ export class RPCClientManager {
         this.rpcBound = false;
         this.trackerEventHandler = null;
         this.trackerWithEvents = null;
+        this.boundPhysicalPath = null;
+        this.rpcRecipient = null;
         this.setupTrackerEventHandler();
     }
     setupTrackerEventHandler() {
@@ -250,6 +252,8 @@ export class RPCClientManager {
         this.rpcBound = false;
         this.rpcReplyAddress = null;
         this.rpcListenerAddress = null;
+        this.boundPhysicalPath = null;
+        this.rpcRecipient = null;
         for (const [requestId, pending] of Array.from(this.pending.entries())) {
             if (pending.timer) {
                 clearTimeout(pending.timer);
@@ -267,17 +271,20 @@ export class RPCClientManager {
         this.pendingByEnvelopeId.clear();
     }
     async ensureReplyListener() {
-        if (this.rpcBound) {
+        const currentPhysicalPath = this.getPhysicalPath();
+        if (this.rpcBound && this.boundPhysicalPath === currentPhysicalPath) {
             return;
         }
-        const recipient = `__rpc__${generateId()}`;
-        this.rpcReplyAddress = formatAddress(recipient, this.getPhysicalPath());
+        const recipient = this.rpcRecipient || `__rpc__${generateId()}`;
+        this.rpcRecipient = recipient;
+        this.rpcReplyAddress = formatAddress(recipient, currentPhysicalPath);
         const handler = async (envelope, _context) => {
             await this.handleReplyEnvelope(envelope);
             return null;
         };
         this.rpcListenerAddress = await this.listenCallback(recipient, handler);
         this.rpcBound = true;
+        this.boundPhysicalPath = currentPhysicalPath;
         logger.debug('rpc_reply_listener_bound', {
             reply_recipient: recipient,
             reply_address: this.rpcReplyAddress?.toString(),

package/dist/esm/naylence/fame/node/token-subject-node-identity-policy-factory.js

@@ -0,0 +1,18 @@
+import { NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE, NodeIdentityPolicyFactory, } from './node-identity-policy-factory.js';
+export const FACTORY_META = {
+    base: NODE_IDENTITY_POLICY_FACTORY_BASE_TYPE,
+    key: 'TokenSubjectNodeIdentityPolicy',
+};
+export class TokenSubjectNodeIdentityPolicyFactory extends NodeIdentityPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'TokenSubjectNodeIdentityPolicy';
+    }
+    async create(
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _config) {
+        const { TokenSubjectNodeIdentityPolicy } = await import('./token-subject-node-identity-policy.js');
+        return new TokenSubjectNodeIdentityPolicy();
+    }
+}
+export default TokenSubjectNodeIdentityPolicyFactory;

package/dist/esm/naylence/fame/node/token-subject-node-identity-policy.js

@@ -0,0 +1,80 @@
+import { generateIdAsync } from '@naylence/core';
+import { TokenProviderFactory } from '../security/auth/token-provider-factory.js';
+import { isIdentityExposingTokenProvider } from '../security/auth/token-provider.js';
+import { getLogger } from '../util/logging.js';
+const logger = getLogger('naylence.fame.node.token_subject_node_identity_policy');
+export class TokenSubjectNodeIdentityPolicy {
+    async resolveInitialNodeId(context) {
+        if (context.configuredId) {
+            return context.configuredId;
+        }
+        if (context.persistedId) {
+            return context.persistedId;
+        }
+        return generateIdAsync();
+    }
+    async resolveAdmissionNodeId(context) {
+        logger.debug('resolve_admission_node_id_start', {
+            grantsCount: context.grants?.length ?? 0,
+            currentNodeId: context.currentNodeId,
+        });
+        if (context.grants && context.grants.length > 0) {
+            for (const grant of context.grants) {
+                try {
+                    const auth = grant.auth;
+                    if (!auth) {
+                        logger.debug('skipping_grant_no_auth', { grantType: grant.type });
+                        continue;
+                    }
+                    const tokenProviderConfig = (auth.tokenProvider ??
+                        auth.token_provider);
+                    if (!tokenProviderConfig ||
+                        typeof tokenProviderConfig.type !== 'string') {
+                        logger.debug('skipping_grant_invalid_token_provider_config', {
+                            grantType: grant.type,
+                            config: tokenProviderConfig,
+                        });
+                        continue;
+                    }
+                    logger.debug('creating_token_provider', {
+                        type: tokenProviderConfig.type,
+                    });
+                    const provider = await TokenProviderFactory.createTokenProvider(tokenProviderConfig);
+                    const isExposing = isIdentityExposingTokenProvider(provider);
+                    logger.debug('token_provider_created', {
+                        type: tokenProviderConfig.type,
+                        isIdentityExposing: isExposing,
+                    });
+                    if (isExposing) {
+                        const identity = await provider.getIdentity();
+                        logger.debug('retrieved_identity', { identity });
+                        if (identity && identity.subject) {
+                            const hashedSubject = await generateIdAsync({
+                                mode: 'fingerprint',
+                                material: identity.subject,
+                                length: 8,
+                            });
+                            const newNodeId = `${hashedSubject}-${context.currentNodeId}`;
+                            logger.info('resolved_identity_from_token', {
+                                subject: identity.subject,
+                                hashedSubject,
+                                newNodeId,
+                            });
+                            return newNodeId;
+                        }
+                        else {
+                            logger.debug('identity_missing_subject', { identity });
+                        }
+                    }
+                }
+                catch (err) {
+                    logger.warning('failed_to_extract_identity_from_grant', { error: err });
+                }
+            }
+        }
+        else {
+            logger.debug('no_grants_available');
+        }
+        return context.currentNodeId;
+    }
+}