@nsshunt/stsconfig 1.17.2 → 1.18.0

package/.env-default

@@ -103,8 +103,18 @@ AS_ENDPOINT=http://localhost
 AS_HOST_PORT=3002
 # Auth Server port (client port to access the service)
 AS_PORT=3002
-# Auth Server endpoint
-AS_API_ROOT=/stsauth/v1
+# Auth Server API root.
+AS_API_ROOT=/stsauth/v1.0
+# Auth Server OAuth2 API root.
+AS_OAUTH_API_ROOT=/oauth2/v2.0
+# Auth Server Admin API root.
+AS_ADMIN_API_ROOT=/admin/v1.0
+# Auth Server API Identifier.
+AS_API_IDENTIFIER=https://stsmda.com.au/stsauthapi/v1.0/
+# Auth Server OAuth API Identifier.
+AS_OAUTH_API_IDENTIFIER=https://stsmda.com.au/stsauthoauthapi/v2.0/
+# Auth Server Administration API Identifier.
+AS_ADMIN_API_IDENTIFIER=https://stsmda.com.au/stsauthadminapi/v1.0/
 # Auth Server Prometheus metric support
 AS_PROM_SUPPORT=true
 # Auth Prometheus Cluster Server port (port used for cluster prometheus scrapes)
@@ -226,3 +236,32 @@ HTTPS_SERVER_KEY_PATH=/var/lib/sts/stsglobalresources/keys/server.key
 
 # HTTPS server cert path.
 HTTPS_SERVER_CERT_PATH=/var/lib/sts/stsglobalresources/keys/server.cert
+
+# Maximum number of RSA keys in the JWKS store
+TS_JWKS_KEYS=3
+
+# File path for JWKS store data. This file will contain the public and private keys for the JWKS store.
+TS_JWKS_STORE_PATH=/var/lib/sts/stsglobalresources/.stsauthprivate/jwks-private.json
+
+# File path for JWKS public store data. This file will contain only the public signing keys for the JWKS store.
+TS_JWKS_STORE_PUBLIC_PATH=/var/lib/sts/stsglobalresources/.well-known/jwks.json
+
+# JWKS Authentication Configuration Settings
+# Ref: https://github.com/auth0/node-jwks-rsa
+# Enables a LRU cache. Ref: https://github.com/auth0/node-jwks-rsa#caching
+JWKS_AUTH_CONFIG_CACHE=true
+
+# Maximum number of LRU cache entries. Ref: https://github.com/auth0/node-jwks-rsa#caching
+JWKS_AUTH_CONFIG_CACHE_MAX_ENTRIES=5
+
+# Maximum age of LRU cache entries. Ref: https://github.com/auth0/node-jwks-rsa#caching
+JWKS_AUTH_CONFIG_CACHE_MAX_AGE=600000
+
+# Enforce rate limiting for jwks public endpoint query. Ref: https://github.com/auth0/node-jwks-rsa#rate-limiting
+JWKS_AUTH_CONFIG_RATE_LIMIT=true
+
+# Enforce rate limiting maximum number of requests per minute. Ref: https://github.com/auth0/node-jwks-rsa#rate-limiting
+JWKS_AUTH_CONFIG_RATE_LIMIT_REQUESTS_PER_MINUTE=10
+
+# Timeout for the public endpoint query. Note: This will be ignored if an http/https agent is specified.
+JWKS_AUTH_CONFIG_TIMEOUT=30000

package/.env-test-file-2

@@ -70,9 +70,15 @@ TO_CLIENT_SECRET_FILE=testclientsecretfile
 AS_ENDPOINT=http://localhost-c
 AS_HOST_PORT=30020
 AS_PORT=30020
-AS_API_ROOT=/stsauth/v1-c
+AS_API_ROOT=/stsauth/v1.0-c
+AS_OAUTH_API_ROOT=/oauth2/v2.0-c
+AS_ADMIN_API_ROOT=/admin/v1.0-c
 AS_API_IDENTIFIER=xyz
 AS_API_IDENTIFIER_FILE=testapiidentifierFile
+AS_OAUTH_API_IDENTIFIER=xyz
+AS_OAUTH_API_IDENTIFIER_FILE=testapiidentifierFile
+AS_ADMIN_API_IDENTIFIER=xyz
+AS_ADMIN_API_IDENTIFIER_FILE=testapiidentifierFile
 AS_PROM_SUPPORT=false
 AS_PROM_CLUSTER_PORT=30120
 AS_SERVICE_NAME=STSAuth-c
@@ -121,3 +127,14 @@ IGNORE_SOCKETIO=false
 MODEL_PURGE_UPDATE_TIMEOUT=50000
 HTTPS_SERVER_KEY_PATH=/var/lib/sts/stsglobalresources/keys/server.key-c
 HTTPS_SERVER_CERT_PATH=/var/lib/sts/stsglobalresources/keys/server.cert-c
+
+TS_JWKS_KEYS=30
+TS_JWKS_STORE_PATH=xyz
+TS_JWKS_STORE_PATH_FILE=testclientsecretfile
+TS_JWKS_STORE_PUBLIC_PATH=/var/lib/sts/stsglobalresources/.well-known/jwks.json-c
+JWKS_AUTH_CONFIG_CACHE=false
+JWKS_AUTH_CONFIG_CACHE_MAX_ENTRIES=50
+JWKS_AUTH_CONFIG_CACHE_MAX_AGE=6000000
+JWKS_AUTH_CONFIG_RATE_LIMIT=false
+JWKS_AUTH_CONFIG_RATE_LIMIT_REQUESTS_PER_MINUTE=100
+JWKS_AUTH_CONFIG_TIMEOUT=300000

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nsshunt/stsconfig",
-  "version": "1.17.2",
+  "version": "1.18.0",
   "description": "",
   "main": "stsconfig.js",
   "dependencies": {

package/stsconfig-01.test.js

@@ -114,7 +114,7 @@ describe("Test implicit config settings", () =>
 
 	test('Checking default authentication service config', async () => 
 	{
-		expect.assertions(21);
+		expect.assertions(27);
 
 		process.env.STSENVFILE = './.env-test-file-1'; // Empty environment file
 		let goptions = require('./stsconfig.js').$options;
@@ -123,6 +123,8 @@ describe("Test implicit config settings", () =>
 		expect(goptions.ashostport).toEqual('3002');
 		expect(goptions.asport).toEqual('3002');
 		expect(goptions.asapiroot).toEqual('/stsauth/v1.0');
+		expect(goptions.asoauthapiroot).toEqual('/oauth2/v2.0');
+		expect(goptions.asadminapiroot).toEqual('/admin/v1.0');
 		expect(goptions.asprometheussupport).toEqual(true);
 		expect(goptions.asprometheusclusterport).toEqual('3012');
 		expect(goptions.asservicename).toEqual('STSAuth');
@@ -131,6 +133,10 @@ describe("Test implicit config settings", () =>
 		expect(goptions.aspublickeypath).toEqual('/var/lib/sts/stsglobalresources/keys/public.key');
 		expect(goptions.asapiidentifier).toEqual('https://stsmda.com.au/stsauthapi/v1.0/');
 		expect(goptions.asapiidentifierfile).toEqual(undefined);
+		expect(goptions.asoauthapiidentifier).toEqual('https://stsmda.com.au/stsauthoauthapi/v2.0/');
+		expect(goptions.asoauthapiidentifierfile).toEqual(undefined);
+		expect(goptions.asadminapiidentifier).toEqual('https://stsmda.com.au/stsauthadminapi/v1.0/');
+		expect(goptions.asadminapiidentifierfile).toEqual(undefined);
 		expect(goptions.asclientid).toEqual(undefined);
 		expect(goptions.asclientidfile).toEqual(undefined);
 		expect(goptions.asclientsecret).toEqual(undefined);
@@ -189,5 +195,24 @@ describe("Test implicit config settings", () =>
 		expect(goptions.httpsserverkeypath).toEqual('/var/lib/sts/stsglobalresources/keys/server.key');
 		expect(goptions.httpsservercertpath).toEqual('/var/lib/sts/stsglobalresources/keys/server.cert');
 	});
+
+	test('Checking JWKS config items', async () => 
+	{
+		expect.assertions(10);
+
+		process.env.STSENVFILE = './.env-default'; // Empty environment file
+		let goptions = require('./stsconfig.js').$options;
+
+		expect(goptions.tsjwkskeys).toEqual(3);
+		expect(goptions.tsjwksstorepath).toEqual('/var/lib/sts/stsglobalresources/.stsauthprivate/jwks-private.json');
+		expect(goptions.tsjwksstorepathfile).toEqual(undefined);
+		expect(goptions.tsjwksstorepublicpath).toEqual('/var/lib/sts/stsglobalresources/.well-known/jwks.json');
+		expect(goptions.jwksAuthConfigCache).toEqual(true);
+		expect(goptions.jwksAuthConfigCacheMaxEntries).toEqual(5);
+		expect(goptions.jwksAuthConfigCacheMaxAge).toEqual(600000);
+		expect(goptions.jwksAuthConfigRateLimit).toEqual(true);
+		expect(goptions.jwksAuthConfigRateLimitRequestsPerMinute).toEqual(10);
+		expect(goptions.jwksAuthConfigTimeout).toEqual(30000);
+	});
 });
 

package/stsconfig-02.test.js

@@ -114,7 +114,7 @@ describe("Test configured settings", () =>
 
 	test('Checking default authentication service config', async () => 
 	{
-		expect.assertions(21);
+		expect.assertions(27);
 
 		process.env.STSENVFILE = './.env-test-file-2'; // Empty environment file
 		let goptions = require('./stsconfig.js').$options;
@@ -122,7 +122,9 @@ describe("Test configured settings", () =>
 		expect(goptions.asendpoint).toEqual('http://localhost-c');
 		expect(goptions.ashostport).toEqual('30020');
 		expect(goptions.asport).toEqual('30020');
-		expect(goptions.asapiroot).toEqual('/stsauth/v1-c');
+		expect(goptions.asapiroot).toEqual('/stsauth/v1.0-c');
+		expect(goptions.asoauthapiroot).toEqual('/oauth2/v2.0-c');
+		expect(goptions.asadminapiroot).toEqual('/admin/v1.0-c');
 		expect(goptions.asprometheussupport).toEqual(false);
 		expect(goptions.asprometheusclusterport).toEqual('30120');
 		expect(goptions.asservicename).toEqual('STSAuth-c');
@@ -131,6 +133,10 @@ describe("Test configured settings", () =>
 		expect(goptions.aspublickeypath).toEqual('/var/lib/sts/stsglobalresources/keys/public.key-c');
 		expect(goptions.asapiidentifier).toEqual('testapiidentifierfilecontents');
 		expect(goptions.asapiidentifierfile).toEqual('testapiidentifierFile');
+		expect(goptions.asoauthapiidentifier).toEqual('testapiidentifierfilecontents');
+		expect(goptions.asoauthapiidentifierfile).toEqual('testapiidentifierFile');
+		expect(goptions.asadminapiidentifier).toEqual('testapiidentifierfilecontents');
+		expect(goptions.asadminapiidentifierfile).toEqual('testapiidentifierFile');
 		expect(goptions.asclientid).toEqual('testclientidfilecontents');
 		expect(goptions.asclientidfile).toEqual('testclientidfile'); // testclientidfile
 		expect(goptions.asclientsecret).toEqual('testclientsecretfilecontents');
@@ -189,5 +195,24 @@ describe("Test configured settings", () =>
 		expect(goptions.httpsserverkeypath).toEqual('/var/lib/sts/stsglobalresources/keys/server.key-c');
 		expect(goptions.httpsservercertpath).toEqual('/var/lib/sts/stsglobalresources/keys/server.cert-c');
 	});
+
+	test('Checking JWKS config items', async () => 
+	{
+		expect.assertions(10);
+
+		process.env.STSENVFILE = './.env-default'; // Empty environment file
+		let goptions = require('./stsconfig.js').$options;
+
+		expect(goptions.tsjwkskeys).toEqual(30);
+		expect(goptions.tsjwksstorepath).toEqual('testclientsecretfilecontents');
+		expect(goptions.tsjwksstorepathfile).toEqual('testclientsecretfile');
+		expect(goptions.tsjwksstorepublicpath).toEqual('/var/lib/sts/stsglobalresources/.well-known/jwks.json-c');
+		expect(goptions.jwksAuthConfigCache).toEqual(false);
+		expect(goptions.jwksAuthConfigCacheMaxEntries).toEqual(50);
+		expect(goptions.jwksAuthConfigCacheMaxAge).toEqual(6000000);
+		expect(goptions.jwksAuthConfigRateLimit).toEqual(false);
+		expect(goptions.jwksAuthConfigRateLimitRequestsPerMinute).toEqual(100);
+		expect(goptions.jwksAuthConfigTimeout).toEqual(300000);
+	});
 });
 

package/stsconfig-default.test.js

@@ -114,7 +114,7 @@ describe("Test explicit default config settings", () =>
 
 	test('Checking default authentication service config', async () => 
 	{
-		expect.assertions(21);
+		expect.assertions(27);
 
 		process.env.STSENVFILE = './.env-default'; // Empty environment file
 		let goptions = require('./stsconfig.js').$options;
@@ -122,7 +122,9 @@ describe("Test explicit default config settings", () =>
 		expect(goptions.asendpoint).toEqual('http://localhost');
 		expect(goptions.ashostport).toEqual('3002');
 		expect(goptions.asport).toEqual('3002');
-		expect(goptions.asapiroot).toEqual('/stsauth/v1');
+		expect(goptions.asapiroot).toEqual('/stsauth/v1.0');
+		expect(goptions.asoauthapiroot).toEqual('/oauth2/v2.0');
+		expect(goptions.asadminapiroot).toEqual('/admin/v1.0');
 		expect(goptions.asprometheussupport).toEqual(true);
 		expect(goptions.asprometheusclusterport).toEqual('3012');
 		expect(goptions.asservicename).toEqual('STSAuth');
@@ -131,6 +133,10 @@ describe("Test explicit default config settings", () =>
 		expect(goptions.aspublickeypath).toEqual('/var/lib/sts/stsglobalresources/keys/public.key');
 		expect(goptions.asapiidentifier).toEqual('https://stsmda.com.au/stsauthapi/v1.0/');
 		expect(goptions.asapiidentifierfile).toEqual(undefined);
+		expect(goptions.asoauthapiidentifier).toEqual('https://stsmda.com.au/stsauthoauthapi/v2.0/');
+		expect(goptions.asoauthapiidentifierfile).toEqual(undefined);
+		expect(goptions.asadminapiidentifier).toEqual('https://stsmda.com.au/stsauthadminapi/v1.0/');
+		expect(goptions.asadminapiidentifierfile).toEqual(undefined);
 		expect(goptions.asclientid).toEqual(undefined);
 		expect(goptions.asclientidfile).toEqual(undefined);
 		expect(goptions.asclientsecret).toEqual(undefined);
@@ -189,5 +195,24 @@ describe("Test explicit default config settings", () =>
 		expect(goptions.httpsserverkeypath).toEqual('/var/lib/sts/stsglobalresources/keys/server.key');
 		expect(goptions.httpsservercertpath).toEqual('/var/lib/sts/stsglobalresources/keys/server.cert');
 	});
+
+	test('Checking JWKS config items', async () => 
+	{
+		expect.assertions(10);
+
+		process.env.STSENVFILE = './.env-default'; // Empty environment file
+		let goptions = require('./stsconfig.js').$options;
+
+		expect(goptions.tsjwkskeys).toEqual(3);
+		expect(goptions.tsjwksstorepath).toEqual('/var/lib/sts/stsglobalresources/.stsauthprivate/jwks-private.json');
+		expect(goptions.tsjwksstorepathfile).toEqual(undefined);
+		expect(goptions.tsjwksstorepublicpath).toEqual('/var/lib/sts/stsglobalresources/.well-known/jwks.json');
+		expect(goptions.jwksAuthConfigCache).toEqual(true);
+		expect(goptions.jwksAuthConfigCacheMaxEntries).toEqual(5);
+		expect(goptions.jwksAuthConfigCacheMaxAge).toEqual(600000);
+		expect(goptions.jwksAuthConfigRateLimit).toEqual(true);
+		expect(goptions.jwksAuthConfigRateLimitRequestsPerMinute).toEqual(10);
+		expect(goptions.jwksAuthConfigTimeout).toEqual(30000);
+	});
 });
 

package/stsconfig.js

@@ -163,11 +163,11 @@ const defconfig =
 	,ashostport: (process.env.AS_HOST_PORT === undefined ? "3002" : process.env.AS_HOST_PORT)
 	// Auth Server port (client port to access the service)
 	,asport: (process.env.AS_PORT === undefined ? "3002" : process.env.AS_PORT)
-	// Auth Server endpoint
+	// Auth Server API root.
 	,asapiroot: (process.env.AS_API_ROOT === undefined ? "/stsauth/v1.0" : process.env.AS_API_ROOT)
-	// Auth Server API Identifier.
+	// Auth Server OAuth2 API root.
 	,asoauthapiroot: (process.env.AS_OAUTH_API_ROOT === undefined ? "/oauth2/v2.0" : process.env.AS_OAUTH_API_ROOT)
-	// Auth Server Admin API Identifier.
+	// Auth Server Admin API root.
 	,asadminapiroot: (process.env.AS_ADMIN_API_ROOT === undefined ? "/admin/v1.0" : process.env.AS_ADMIN_API_ROOT)
 	// Auth Server API Identifier.
 	,asapiidentifier: (process.env.AS_API_IDENTIFIER === undefined ? 'https://stsmda.com.au/stsauthapi/v1.0/' : process.env.AS_API_IDENTIFIER)
@@ -355,6 +355,26 @@ const defconfig =
 	,tsjwksstorepathfile: process.env.TS_JWKS_STORE_PATH_FILE
 	// File path for JWKS public store data. This file will contain only the public signing keys for the JWKS store.
 	,tsjwksstorepublicpath: (process.env.TS_JWKS_STORE_PUBLIC_PATH === undefined ? "/var/lib/sts/stsglobalresources/.well-known/jwks.json" : process.env.TS_JWKS_STORE_PUBLIC_PATH)
+
+	// JWKS Authentication Configuration Settings
+	// Ref: https://github.com/auth0/node-jwks-rsa
+	// Enables a LRU cache. Ref: https://github.com/auth0/node-jwks-rsa#caching
+	,jwksAuthConfigCache: (process.env.JWKS_AUTH_CONFIG_CACHE === undefined ? true : (process.env.JWKS_AUTH_CONFIG_CACHE === "true" ? true : false ))
+
+	// Maximum number of LRU cache entries. Ref: https://github.com/auth0/node-jwks-rsa#caching
+	,jwksAuthConfigCacheMaxEntries: (process.env.JWKS_AUTH_CONFIG_CACHE_MAX_ENTRIES === undefined ? 5 : parseInt(process.env.JWKS_AUTH_CONFIG_CACHE_MAX_ENTRIES))
+
+	// Maximum age of LRU cache entries. Ref: https://github.com/auth0/node-jwks-rsa#caching
+	,jwksAuthConfigCacheMaxAge: (process.env.JWKS_AUTH_CONFIG_CACHE_MAX_AGE === undefined ? 600000 : parseInt(process.env.JWKS_AUTH_CONFIG_CACHE_MAX_AGE))
+
+	// Enforce rate limiting for jwks public endpoint query. Ref: https://github.com/auth0/node-jwks-rsa#rate-limiting
+	,jwksAuthConfigRateLimit: (process.env.JWKS_AUTH_CONFIG_RATE_LIMIT === undefined ? true : (process.env.JWKS_AUTH_CONFIG_RATE_LIMIT === "true" ? true : false ))
+
+	// Enforce rate limiting maximum number of requests per minute. Ref: https://github.com/auth0/node-jwks-rsa#rate-limiting
+	,jwksAuthConfigRateLimitRequestsPerMinute: (process.env.JWKS_AUTH_CONFIG_RATE_LIMIT_REQUESTS_PER_MINUTE === undefined ? 10 : parseInt(process.env.JWKS_AUTH_CONFIG_RATE_LIMIT_REQUESTS_PER_MINUTE))
+
+	// Timeout for the public endpoint query. Note: This will be ignored if an http/https agent is specified.
+	,jwksAuthConfigTimeout: (process.env.JWKS_AUTH_CONFIG_TIMEOUT === undefined ? 30000 : parseInt(process.env.JWKS_AUTH_CONFIG_TIMEOUT))
 }
 
 const ReadFile = (passwordFile) => {
@@ -374,6 +394,8 @@ const fileconfig = [
 	{ fileprop: 'dbpasswordfile', prop: 'dbpassword' },
 	// API identifier file processing
 	{ fileprop: 'asapiidentifierfile', prop: 'asapiidentifier' },
+	{ fileprop: 'asoauthapiidentifierfile', prop: 'asoauthapiidentifier' },
+	{ fileprop: 'asadminapiidentifierfile', prop: 'asadminapiidentifier' },
 	{ fileprop: 'rest01apiidentifierfile', prop: 'rest01apiidentifier' },
 	{ fileprop: 'toapiidentifierfile', prop: 'toapiidentifier' },
 	{ fileprop: 'imapiidentifierfile', prop: 'imapiidentifier' },