@qnsp/tenant-sdk 0.0.2 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +65 -0
- package/LICENSE +176 -0
- package/README.md +4 -0
- package/dist/index.d.ts +85 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +127 -0
- package/dist/index.js.map +1 -1
- package/package.json +5 -4
- package/src/index.test.ts +2 -2
- package/src/index.ts +188 -0
- package/tsconfig.tsbuildinfo +1 -1
package/src/index.ts
CHANGED
|
@@ -34,6 +34,110 @@ type InternalTenantClientConfig = {
|
|
|
34
34
|
|
|
35
35
|
export type TenantStatus = "active" | "suspended" | "pending" | "deleted";
|
|
36
36
|
|
|
37
|
+
/**
|
|
38
|
+
* Crypto policy tier determines which PQC algorithms are allowed.
|
|
39
|
+
* Maps to tenant_crypto_policies.policy_tier in tenant-service.
|
|
40
|
+
*/
|
|
41
|
+
export type CryptoPolicyTier = "default" | "strict" | "maximum" | "government";
|
|
42
|
+
|
|
43
|
+
/**
|
|
44
|
+
* Tenant crypto policy configuration.
|
|
45
|
+
*/
|
|
46
|
+
export interface TenantCryptoPolicy {
|
|
47
|
+
readonly tenantId: string;
|
|
48
|
+
readonly policyTier: CryptoPolicyTier;
|
|
49
|
+
readonly customAllowedKemAlgorithms: readonly string[] | null;
|
|
50
|
+
readonly customAllowedSignatureAlgorithms: readonly string[] | null;
|
|
51
|
+
readonly customAllowedSymmetricAlgorithms?: readonly string[] | null;
|
|
52
|
+
readonly customForbiddenAlgorithms?: readonly string[] | null;
|
|
53
|
+
readonly requireHsmForRootKeys: boolean;
|
|
54
|
+
readonly maxKeyAgeDays: number;
|
|
55
|
+
readonly enforcementMode?: "audit" | "enforce";
|
|
56
|
+
readonly createdAt: string;
|
|
57
|
+
readonly updatedAt: string;
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
/**
|
|
61
|
+
* Input for creating or updating a tenant crypto policy.
|
|
62
|
+
*/
|
|
63
|
+
export interface TenantCryptoPolicyInput {
|
|
64
|
+
readonly policyTier: CryptoPolicyTier;
|
|
65
|
+
readonly customAllowedKemAlgorithms?: readonly string[] | null;
|
|
66
|
+
readonly customAllowedSignatureAlgorithms?: readonly string[] | null;
|
|
67
|
+
readonly requireHsmForRootKeys?: boolean;
|
|
68
|
+
readonly maxKeyAgeDays?: number;
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
/**
|
|
72
|
+
* Algorithm configuration per crypto policy tier.
|
|
73
|
+
*/
|
|
74
|
+
export interface TierAlgorithmConfig {
|
|
75
|
+
readonly kemAlgorithms: readonly string[];
|
|
76
|
+
readonly signatureAlgorithms: readonly string[];
|
|
77
|
+
readonly defaultKemAlgorithm: string;
|
|
78
|
+
readonly defaultSignatureAlgorithm: string;
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
/**
|
|
82
|
+
* Default algorithms per crypto policy tier.
|
|
83
|
+
*/
|
|
84
|
+
export const CRYPTO_POLICY_ALGORITHMS: Record<CryptoPolicyTier, TierAlgorithmConfig> = {
|
|
85
|
+
default: {
|
|
86
|
+
kemAlgorithms: ["kyber-512", "kyber-768", "kyber-1024"],
|
|
87
|
+
signatureAlgorithms: ["dilithium-2", "dilithium-3", "dilithium-5"],
|
|
88
|
+
defaultKemAlgorithm: "kyber-768",
|
|
89
|
+
defaultSignatureAlgorithm: "dilithium-3",
|
|
90
|
+
},
|
|
91
|
+
strict: {
|
|
92
|
+
kemAlgorithms: ["kyber-768", "kyber-1024"],
|
|
93
|
+
signatureAlgorithms: ["dilithium-3", "dilithium-5", "falcon-1024"],
|
|
94
|
+
defaultKemAlgorithm: "kyber-768",
|
|
95
|
+
defaultSignatureAlgorithm: "dilithium-3",
|
|
96
|
+
},
|
|
97
|
+
maximum: {
|
|
98
|
+
kemAlgorithms: ["kyber-1024"],
|
|
99
|
+
signatureAlgorithms: ["dilithium-5", "falcon-1024", "sphincs-shake-256f-simple"],
|
|
100
|
+
defaultKemAlgorithm: "kyber-1024",
|
|
101
|
+
defaultSignatureAlgorithm: "dilithium-5",
|
|
102
|
+
},
|
|
103
|
+
government: {
|
|
104
|
+
kemAlgorithms: ["kyber-1024"],
|
|
105
|
+
signatureAlgorithms: ["dilithium-5", "sphincs-shake-256f-simple"],
|
|
106
|
+
defaultKemAlgorithm: "kyber-1024",
|
|
107
|
+
defaultSignatureAlgorithm: "dilithium-5",
|
|
108
|
+
},
|
|
109
|
+
};
|
|
110
|
+
|
|
111
|
+
/**
|
|
112
|
+
* Mapping from internal algorithm names to NIST standardized names.
|
|
113
|
+
*/
|
|
114
|
+
export const ALGORITHM_TO_NIST: Record<string, string> = {
|
|
115
|
+
"kyber-512": "ML-KEM-512",
|
|
116
|
+
"kyber-768": "ML-KEM-768",
|
|
117
|
+
"kyber-1024": "ML-KEM-1024",
|
|
118
|
+
"dilithium-2": "ML-DSA-44",
|
|
119
|
+
"dilithium-3": "ML-DSA-65",
|
|
120
|
+
"dilithium-5": "ML-DSA-87",
|
|
121
|
+
"falcon-512": "FN-DSA-512",
|
|
122
|
+
"falcon-1024": "FN-DSA-1024",
|
|
123
|
+
"sphincs-shake-128f-simple": "SLH-DSA-SHAKE-128f",
|
|
124
|
+
"sphincs-shake-256f-simple": "SLH-DSA-SHAKE-256f",
|
|
125
|
+
};
|
|
126
|
+
|
|
127
|
+
/**
|
|
128
|
+
* Convert internal algorithm name to NIST standardized name.
|
|
129
|
+
*/
|
|
130
|
+
export function toNistAlgorithmName(internal: string): string {
|
|
131
|
+
return ALGORITHM_TO_NIST[internal] ?? internal;
|
|
132
|
+
}
|
|
133
|
+
|
|
134
|
+
/**
|
|
135
|
+
* Get algorithm config for a crypto policy tier.
|
|
136
|
+
*/
|
|
137
|
+
export function getAlgorithmConfigForTier(tier: CryptoPolicyTier): TierAlgorithmConfig {
|
|
138
|
+
return CRYPTO_POLICY_ALGORITHMS[tier];
|
|
139
|
+
}
|
|
140
|
+
|
|
37
141
|
export interface TenantSecurityEnvelope {
|
|
38
142
|
readonly controlPlaneTokenSha256: string | null;
|
|
39
143
|
readonly pqcSignatures: readonly {
|
|
@@ -353,6 +457,90 @@ export class TenantClient {
|
|
|
353
457
|
operation: "listTenants",
|
|
354
458
|
});
|
|
355
459
|
}
|
|
460
|
+
|
|
461
|
+
/**
|
|
462
|
+
* Get the crypto policy for a tenant.
|
|
463
|
+
* Returns the tenant's crypto policy configuration including allowed algorithms.
|
|
464
|
+
* If no policy exists, a default policy is created and returned.
|
|
465
|
+
*/
|
|
466
|
+
async getTenantCryptoPolicy(tenantId: string): Promise<TenantCryptoPolicy> {
|
|
467
|
+
validateUUID(tenantId, "tenantId");
|
|
468
|
+
|
|
469
|
+
return this.request<TenantCryptoPolicy>("GET", `/tenant/v1/tenants/${tenantId}/crypto-policy`, {
|
|
470
|
+
operation: "getTenantCryptoPolicy",
|
|
471
|
+
});
|
|
472
|
+
}
|
|
473
|
+
|
|
474
|
+
/**
|
|
475
|
+
* Create or update the crypto policy for a tenant.
|
|
476
|
+
* Sets the policy tier and optional custom algorithm restrictions.
|
|
477
|
+
*/
|
|
478
|
+
async upsertTenantCryptoPolicy(
|
|
479
|
+
tenantId: string,
|
|
480
|
+
policy: TenantCryptoPolicyInput,
|
|
481
|
+
): Promise<TenantCryptoPolicy> {
|
|
482
|
+
validateUUID(tenantId, "tenantId");
|
|
483
|
+
|
|
484
|
+
return this.request<TenantCryptoPolicy>("PUT", `/tenant/v1/tenants/${tenantId}/crypto-policy`, {
|
|
485
|
+
body: {
|
|
486
|
+
policyTier: policy.policyTier,
|
|
487
|
+
...(policy.customAllowedKemAlgorithms !== undefined
|
|
488
|
+
? { customAllowedKemAlgorithms: policy.customAllowedKemAlgorithms }
|
|
489
|
+
: {}),
|
|
490
|
+
...(policy.customAllowedSignatureAlgorithms !== undefined
|
|
491
|
+
? { customAllowedSignatureAlgorithms: policy.customAllowedSignatureAlgorithms }
|
|
492
|
+
: {}),
|
|
493
|
+
...(policy.requireHsmForRootKeys !== undefined
|
|
494
|
+
? { requireHsmForRootKeys: policy.requireHsmForRootKeys }
|
|
495
|
+
: {}),
|
|
496
|
+
...(policy.maxKeyAgeDays !== undefined ? { maxKeyAgeDays: policy.maxKeyAgeDays } : {}),
|
|
497
|
+
},
|
|
498
|
+
operation: "upsertTenantCryptoPolicy",
|
|
499
|
+
});
|
|
500
|
+
}
|
|
501
|
+
|
|
502
|
+
/**
|
|
503
|
+
* Get the allowed KEM algorithms for a tenant based on their crypto policy.
|
|
504
|
+
* Convenience method that fetches the policy and returns the allowed algorithms.
|
|
505
|
+
*/
|
|
506
|
+
async getAllowedKemAlgorithms(tenantId: string): Promise<readonly string[]> {
|
|
507
|
+
const policy = await this.getTenantCryptoPolicy(tenantId);
|
|
508
|
+
if (policy.customAllowedKemAlgorithms && policy.customAllowedKemAlgorithms.length > 0) {
|
|
509
|
+
return policy.customAllowedKemAlgorithms;
|
|
510
|
+
}
|
|
511
|
+
return CRYPTO_POLICY_ALGORITHMS[policy.policyTier].kemAlgorithms;
|
|
512
|
+
}
|
|
513
|
+
|
|
514
|
+
/**
|
|
515
|
+
* Get the allowed signature algorithms for a tenant based on their crypto policy.
|
|
516
|
+
* Convenience method that fetches the policy and returns the allowed algorithms.
|
|
517
|
+
*/
|
|
518
|
+
async getAllowedSignatureAlgorithms(tenantId: string): Promise<readonly string[]> {
|
|
519
|
+
const policy = await this.getTenantCryptoPolicy(tenantId);
|
|
520
|
+
if (
|
|
521
|
+
policy.customAllowedSignatureAlgorithms &&
|
|
522
|
+
policy.customAllowedSignatureAlgorithms.length > 0
|
|
523
|
+
) {
|
|
524
|
+
return policy.customAllowedSignatureAlgorithms;
|
|
525
|
+
}
|
|
526
|
+
return CRYPTO_POLICY_ALGORITHMS[policy.policyTier].signatureAlgorithms;
|
|
527
|
+
}
|
|
528
|
+
|
|
529
|
+
/**
|
|
530
|
+
* Get the default KEM algorithm for a tenant based on their crypto policy tier.
|
|
531
|
+
*/
|
|
532
|
+
async getDefaultKemAlgorithm(tenantId: string): Promise<string> {
|
|
533
|
+
const policy = await this.getTenantCryptoPolicy(tenantId);
|
|
534
|
+
return CRYPTO_POLICY_ALGORITHMS[policy.policyTier].defaultKemAlgorithm;
|
|
535
|
+
}
|
|
536
|
+
|
|
537
|
+
/**
|
|
538
|
+
* Get the default signature algorithm for a tenant based on their crypto policy tier.
|
|
539
|
+
*/
|
|
540
|
+
async getDefaultSignatureAlgorithm(tenantId: string): Promise<string> {
|
|
541
|
+
const policy = await this.getTenantCryptoPolicy(tenantId);
|
|
542
|
+
return CRYPTO_POLICY_ALGORITHMS[policy.policyTier].defaultSignatureAlgorithm;
|
|
543
|
+
}
|
|
356
544
|
}
|
|
357
545
|
|
|
358
546
|
export * from "./observability.js";
|