npm - @naylence/runtime - Versions diffs - 0.3.21 → 0.4.1 - Mend

@naylence/runtime 0.3.21 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

package/dist/cjs/naylence/fame/security/auth/oauth2-authorizer-factory.js CHANGED Viewed

@@ -87,6 +87,7 @@ class OAuth2AuthorizerFactory extends authorizer_factory_js_1.AuthorizerFactory
             maxTtlSec: normalized.maxTtlSec,
             reverseAuthTtlSec: normalized.reverseAuthTtlSec,
             enforceTokenSubjectNodeIdentity: normalized.enforceTokenSubjectNodeIdentity,
+            trustedClientScope: normalized.trustedClientScope,
         };
         if (tokenIssuer) {
             authorizerOptions.tokenIssuer = tokenIssuer;
@@ -157,6 +158,11 @@ function normalizeConfig(config) {
             : ttl_constants_js_1.DEFAULT_REVERSE_AUTH_TTL_SEC;
     const enforceTokenSubjectNodeIdentity = normalizeBooleanOption(source.enforceTokenSubjectNodeIdentity ??
         source.enforce_token_subject_node_identity, false);
+    const trustedClientScope = typeof source.trustedClientScope === 'string'
+        ? source.trustedClientScope
+        : typeof source.trusted_client_scope === 'string'
+            ? source.trusted_client_scope
+            : undefined;
     const tokenVerifierConfigInput = source.tokenVerifierConfig ?? source.token_verifier_config ?? null;
     const tokenVerifierConfig = normalizeTokenVerifierConfig({
         config: tokenVerifierConfigInput,
@@ -177,6 +183,7 @@ function normalizeConfig(config) {
         reverseAuthTtlSec: reverseAuthCandidate,
         enforceTokenSubjectNodeIdentity,
         ...(audience ? { audience } : {}),
+        ...(trustedClientScope ? { trustedClientScope } : {}),
     };
     if (tokenIssuerConfig) {
         normalized.tokenIssuerConfig = tokenIssuerConfig;

package/dist/cjs/naylence/fame/security/auth/oauth2-authorizer.js CHANGED Viewed

@@ -41,6 +41,10 @@ function normalizeOptions(raw) {
         (typeof snake.enforce_token_subject_node_identity === 'boolean'
             ? snake.enforce_token_subject_node_identity
             : undefined);
+    const trustedClientScope = camel.trustedClientScope ??
+        (typeof snake.trusted_client_scope === 'string'
+            ? snake.trusted_client_scope
+            : undefined);
     return {
         tokenVerifier,
         tokenIssuer,
@@ -51,6 +55,7 @@ function normalizeOptions(raw) {
         maxTtlSec,
         reverseAuthTtlSec,
         enforceTokenSubjectNodeIdentity,
+        trustedClientScope,
     };
 }
 class OAuth2Authorizer {
@@ -66,6 +71,7 @@ class OAuth2Authorizer {
             options.reverseAuthTtlSec ?? ttl_constants_js_1.DEFAULT_REVERSE_AUTH_TTL_SEC;
         this.enforceTokenSubjectNodeIdentity =
             options.enforceTokenSubjectNodeIdentity ?? false;
+        this.trustedClientScope = options.trustedClientScope ?? 'node.trusted';
     }
     get tokenVerifier() {
         return this.tokenVerifierImpl;
@@ -195,11 +201,20 @@ class OAuth2Authorizer {
             });
             return undefined;
         }
-        // Enforce token subject node identity if enabled
+        // Enforce token subject node identity if enabled and not a trusted client
         if (this.enforceTokenSubjectNodeIdentity) {
-            const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
-            if (!validationResult) {
-                return undefined;
+            const isTrustedClient = scopes.has(this.trustedClientScope);
+            if (isTrustedClient) {
+                logger.debug('oauth2_attach_trusted_client_bypass', {
+                    system_id: frame.systemId,
+                    trusted_scope: this.trustedClientScope,
+                });
+            }
+            else {
+                const validationResult = await this.validateTokenSubjectNodeIdentity(frame.systemId, claims);
+                if (!validationResult) {
+                    return undefined;
+                }
             }
         }
         claims.instance_id = claims.instance_id ?? frame.instanceId;

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-definition.js ADDED Viewed

@@ -0,0 +1,60 @@
+"use strict";
+/**
+ * Authorization policy definition types.
+ *
+ * This module defines the schema for authorization policies that can be
+ * loaded from YAML/JSON files and evaluated at runtime.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VALID_EFFECTS = exports.VALID_ORIGIN_TYPES = exports.VALID_ACTIONS = exports.KNOWN_RULE_FIELDS = exports.KNOWN_POLICY_FIELDS = exports.MAX_SCOPE_NESTING_DEPTH = void 0;
+/**
+ * Maximum nesting depth for scope requirements.
+ */
+exports.MAX_SCOPE_NESTING_DEPTH = 5;
+/**
+ * Known fields in AuthorizationPolicyDefinition.
+ */
+exports.KNOWN_POLICY_FIELDS = new Set([
+    'version',
+    'default_effect',
+    'rules',
+]);
+/**
+ * Known fields in AuthorizationRuleDefinition.
+ * Fields not in this set trigger a warning.
+ */
+exports.KNOWN_RULE_FIELDS = new Set([
+    'id',
+    'description',
+    'effect',
+    'action',
+    'address',
+    'frame_type',
+    'origin_type',
+    'scope',
+    'when', // Reserved for advanced-security
+]);
+/**
+ * Valid action values.
+ */
+exports.VALID_ACTIONS = [
+    'Connect',
+    'ForwardUpstream',
+    'ForwardDownstream',
+    'ForwardPeer',
+    'DeliverLocal',
+    '*',
+];
+/**
+ * Valid origin type values (lowercase, matching DeliveryOriginType string values).
+ */
+exports.VALID_ORIGIN_TYPES = [
+    'downstream',
+    'upstream',
+    'peer',
+    'local',
+];
+/**
+ * Valid effect values.
+ */
+exports.VALID_EFFECTS = ['allow', 'deny'];

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-factory.js ADDED Viewed

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationPolicyFactory = exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE = void 0;
+const factory_1 = require("@naylence/factory");
+/**
+ * Base type identifier for authorization policy factories.
+ */
+exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE = 'AuthorizationPolicyFactory';
+/**
+ * Abstract factory base class for creating authorization policies.
+ *
+ * Implementations of this factory create specific types of authorization
+ * policies (e.g., expression-based, rule-based, etc.).
+ */
+class AuthorizationPolicyFactory extends factory_1.AbstractResourceFactory {
+    /**
+     * Static helper to create an authorization policy using the factory registry.
+     *
+     * @param config - Configuration for the policy
+     * @param options - Resource creation options
+     * @returns The created policy, or undefined if no factory matched
+     */
+    static async createAuthorizationPolicy(config, options = {}) {
+        if (config) {
+            const policy = await (0, factory_1.createResource)(exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, config, options);
+            if (!policy) {
+                throw new Error('Failed to create authorization policy from configuration');
+            }
+            return policy;
+        }
+        const policy = await (0, factory_1.createDefaultResource)(exports.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE, null, options);
+        return policy ?? undefined;
+    }
+}
+exports.AuthorizationPolicyFactory = AuthorizationPolicyFactory;

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-source-factory.js ADDED Viewed

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationPolicySourceFactory = exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE = void 0;
+const factory_1 = require("@naylence/factory");
+/**
+ * Base type identifier for authorization policy source factories.
+ */
+exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE = 'AuthorizationPolicySourceFactory';
+/**
+ * Abstract factory base class for creating authorization policy sources.
+ *
+ * Implementations of this factory create specific types of policy sources
+ * (e.g., local file, remote store, in-memory, etc.).
+ */
+class AuthorizationPolicySourceFactory extends factory_1.AbstractResourceFactory {
+    /**
+     * Static helper to create an authorization policy source using the factory registry.
+     *
+     * @param config - Configuration for the policy source
+     * @param options - Resource creation options
+     * @returns The created policy source, or undefined if no factory matched
+     */
+    static async createAuthorizationPolicySource(config, options = {}) {
+        if (config) {
+            const source = await (0, factory_1.createResource)(exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, config, options);
+            if (!source) {
+                throw new Error('Failed to create authorization policy source from configuration');
+            }
+            return source;
+        }
+        const source = await (0, factory_1.createDefaultResource)(exports.AUTHORIZATION_POLICY_SOURCE_FACTORY_BASE_TYPE, null, options);
+        return source ?? undefined;
+    }
+}
+exports.AuthorizationPolicySourceFactory = AuthorizationPolicySourceFactory;

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy-source.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/naylence/fame/security/auth/policy/authorization-policy.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/naylence/fame/security/auth/policy/basic-authorization-policy-factory.js ADDED Viewed

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Factory for creating BasicAuthorizationPolicy instances.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BasicAuthorizationPolicyFactory = exports.FACTORY_META = void 0;
+const authorization_policy_factory_js_1 = require("./authorization-policy-factory.js");
+/**
+ * Lazy import for tree-shaking.
+ */
+async function safeImportModule() {
+    return await Promise.resolve().then(() => __importStar(require('./basic-authorization-policy.js')));
+}
+function normalizeConfig(config) {
+    if (!config) {
+        throw new Error('BasicAuthorizationPolicyFactory requires a configuration with a policyDefinition');
+    }
+    const candidate = config;
+    // Support both camelCase and snake_case for policyDefinition
+    const policyDefinition = (candidate.policyDefinition ??
+        candidate.policy_definition);
+    if (!policyDefinition || typeof policyDefinition !== 'object') {
+        throw new Error('BasicAuthorizationPolicyConfig requires a policyDefinition object');
+    }
+    // Support both camelCase and snake_case for warnOnUnknownFields
+    const warnOnUnknownFields = candidate.warnOnUnknownFields ?? candidate.warn_on_unknown_fields;
+    if (warnOnUnknownFields !== undefined && typeof warnOnUnknownFields !== 'boolean') {
+        throw new Error('warnOnUnknownFields must be a boolean');
+    }
+    return {
+        policyDefinition,
+        warnOnUnknownFields: warnOnUnknownFields ?? true,
+    };
+}
+/**
+ * Factory metadata for registration.
+ */
+exports.FACTORY_META = {
+    base: authorization_policy_factory_js_1.AUTHORIZATION_POLICY_FACTORY_BASE_TYPE,
+    key: 'BasicAuthorizationPolicy',
+};
+/**
+ * Factory for creating BasicAuthorizationPolicy instances.
+ */
+class BasicAuthorizationPolicyFactory extends authorization_policy_factory_js_1.AuthorizationPolicyFactory {
+    constructor() {
+        super(...arguments);
+        this.type = 'BasicAuthorizationPolicy';
+    }
+    /**
+     * Creates a BasicAuthorizationPolicy from the given configuration.
+     *
+     * @param config - Configuration with policyDefinition
+     * @returns The created authorization policy
+     */
+    async create(config) {
+        const normalized = normalizeConfig(config);
+        const { BasicAuthorizationPolicy } = await safeImportModule();
+        return new BasicAuthorizationPolicy({
+            policyDefinition: normalized.policyDefinition,
+            warnOnUnknownFields: normalized.warnOnUnknownFields,
+        });
+    }
+}
+exports.BasicAuthorizationPolicyFactory = BasicAuthorizationPolicyFactory;
+exports.default = BasicAuthorizationPolicyFactory;