npm - @shushed/helpers - Versions diffs - 0.0.153 → 0.0.154 - Mend

@shushed/helpers 0.0.153 → 0.0.154

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -33553,11 +33553,12 @@ type PromisifiedFn<F extends (...args: any[]) => any> = (...args: Parameters<F>)
 declare function createHandlerDecorator<TSettings, TRequiredO extends object = {}, TRequiredH extends object = {}>(decoratorFactory: <C, O, H extends TRequiredH, H2 extends H, R>(settings: TSettings) => (handler: (c: C, o: O & TRequiredO, h: H2) => R) => (c: C, o: O & TRequiredO, h: H2) => R | Promise<R>): <C, O, H extends TRequiredH, H2 extends H, R>(settings: TSettings) => (handler: (c: C, o: O & TRequiredO, h: H2) => R) => (c: C, o: O & TRequiredO, h: H2) => R | Promise<R>;
 declare function getSecret(runtime: Runtime, name: string, accessToken: string): Promise<string>;
 declare const getAccessToken: () => Promise<string>;
+declare const getIdentityToken: (expectedAudience: string) => Promise<string>;
 type Level = 'env' | 'workflow' | 'trigger';
 type SetOptions = {
     ephemeralMs?: number;
-    ignoreStores?: Array<'redis'>;
+    ignoreStores?: Array<'redis' | 'global'>;
     encrypted: boolean;
     encryptionKey?: string | undefined;
 };
@@ -33619,6 +33620,14 @@ declare class EnvEngine extends Runtime {
         [K in T[number]]: ValueDetails;
     }>;
     withGoogleAccessToken(): <T extends unknown>(fn: (value: string, requestCacheRefresh?: (() => void) | undefined) => T | Promise<T>) => Promise<T>;
+    withGoogleIdentityToken(audience: {
+        workflowId: string;
+        triggerId: string;
+    }): <T extends unknown>(fn: (value: string, requestCacheRefresh?: (() => void) | undefined) => T | Promise<T>) => Promise<T>;
+    checkGoogleIdentiyToken(accessToken: string, audience?: {
+        workflowId?: string;
+        triggerId?: string;
+    }, allowedServiceAccounts?: Array<string>): Promise<any>;
     withSecret(key: string): <T extends unknown>(fn: (value: string, requestCacheRefresh?: (() => void) | undefined) => T | Promise<T>) => Promise<T>;
     with<M extends string>(key: M, level?: Level, options?: SetOptions & {
         fetch?: () => Promise<string>;
@@ -34491,6 +34500,7 @@ declare const index_createHandlerDecorator: typeof createHandlerDecorator;
 declare const index_getAccessToken: typeof getAccessToken;
 declare const index_getEventTime: typeof getEventTime;
 declare const index_getFirestore: typeof getFirestore;
+declare const index_getIdentityToken: typeof getIdentityToken;
 declare const index_getSecret: typeof getSecret;
 declare const index_isCloudTask: typeof isCloudTask;
 declare const index_isCronMessage: typeof isCronMessage;
@@ -34504,7 +34514,7 @@ declare const index_slugify: typeof slugify;
 declare const index_validate: typeof validate;
 declare const index_validateGoogleAuth: typeof validateGoogleAuth;
 declare namespace index {
-  export { index_ActionHelper as ActionHelper, type index_ActionHelperOptions as ActionHelperOptions, index_AirtableHelper as AirtableHelper, index_BigQueryHelper as BigQueryHelper, index_CloudTasksHelper as CloudTasksHelper, index_DatoHelper as DatoHelper, index_EnvEngine as EnvEngine, type index_ILogging as ILogging, index_JWKSHelper as JWKSHelper, index_Logging as Logging, type index_Message as Message, type index_NodeOptions as NodeOptions, type index_OnExecuteBasicTriggerOpts as OnExecuteBasicTriggerOpts, type index_PromisifiedFn as PromisifiedFn, index_PubSubHelper as PubSubHelper, index_RateLimit as RateLimit, type index_ReceivedMessage as ReceivedMessage, index_RedisConnectionError as RedisConnectionError, index_Runtime as Runtime, index_SchedulerHelper as SchedulerHelper, index_Secrets as Secrets, index_TriggerHelper as TriggerHelper, type index_TriggerOnCreateOptions as TriggerOnCreateOptions, type index_TriggerOnExecuteOptions as TriggerOnExecuteOptions, index_createHandlerDecorator as createHandlerDecorator, index_getAccessToken as getAccessToken, index_getEventTime as getEventTime, index_getFirestore as getFirestore, index_getSecret as getSecret, index_isCloudTask as isCloudTask, index_isCronMessage as isCronMessage, index_isPubSubRequest as isPubSubRequest, index_isRespectfulNudge as isRespectfulNudge, index_parseDateOrDefault as parseDateOrDefault, index_sanitize as sanitize, index_sanitizeToString as sanitizeToString, index_shortHash as shortHash, index_slugify as slugify, index_validate as validate, index_validateGoogleAuth as validateGoogleAuth };
+  export { index_ActionHelper as ActionHelper, type index_ActionHelperOptions as ActionHelperOptions, index_AirtableHelper as AirtableHelper, index_BigQueryHelper as BigQueryHelper, index_CloudTasksHelper as CloudTasksHelper, index_DatoHelper as DatoHelper, index_EnvEngine as EnvEngine, type index_ILogging as ILogging, index_JWKSHelper as JWKSHelper, index_Logging as Logging, type index_Message as Message, type index_NodeOptions as NodeOptions, type index_OnExecuteBasicTriggerOpts as OnExecuteBasicTriggerOpts, type index_PromisifiedFn as PromisifiedFn, index_PubSubHelper as PubSubHelper, index_RateLimit as RateLimit, type index_ReceivedMessage as ReceivedMessage, index_RedisConnectionError as RedisConnectionError, index_Runtime as Runtime, index_SchedulerHelper as SchedulerHelper, index_Secrets as Secrets, index_TriggerHelper as TriggerHelper, type index_TriggerOnCreateOptions as TriggerOnCreateOptions, type index_TriggerOnExecuteOptions as TriggerOnExecuteOptions, index_createHandlerDecorator as createHandlerDecorator, index_getAccessToken as getAccessToken, index_getEventTime as getEventTime, index_getFirestore as getFirestore, index_getIdentityToken as getIdentityToken, index_getSecret as getSecret, index_isCloudTask as isCloudTask, index_isCronMessage as isCronMessage, index_isPubSubRequest as isPubSubRequest, index_isRespectfulNudge as isRespectfulNudge, index_parseDateOrDefault as parseDateOrDefault, index_sanitize as sanitize, index_sanitizeToString as sanitizeToString, index_shortHash as shortHash, index_slugify as slugify, index_validate as validate, index_validateGoogleAuth as validateGoogleAuth };
 }
 export { index as lib, index$9 as schema, index$1 as types };

package/dist/index.js CHANGED Viewed

@@ -106142,6 +106142,7 @@ __export(src_public_exports, {
   getAccessToken: () => getAccessToken,
   getEventTime: () => getEventTime,
   getFirestore: () => getFirestore,
+  getIdentityToken: () => getIdentityToken,
   getSecret: () => getSecret,
   isCloudTask: () => isCloudTask,
   isCronMessage: () => isCronMessage,
@@ -106546,9 +106547,32 @@ var getAccessToken = async () => {
     throw new Error(`Failed to obtain access token. Error: ${err.message}`);
   }
 };
+var getIdentityToken = async (expectedAudience) => {
+  const metadataUrl = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?" + new URLSearchParams({
+    audience: expectedAudience,
+    format: "full"
+  }).toString();
+  try {
+    const res = await fetch(metadataUrl, {
+      headers: { "Metadata-Flavor": "Google" }
+    });
+    if (!res.ok) {
+      throw new Error(`metadata token http ${res.status}`);
+    }
+    const json = await res.json();
+    if (!json.access_token) {
+      throw new Error("missing access_token in metadata response");
+    }
+    return json.access_token;
+  } catch (err) {
+    throw new Error(`Failed to obtain access token. Error: ${err.message}`);
+  }
+};
 // src-public/env.ts
 var crypto3 = __toESM(require("crypto"));
+var import_crypto2 = require("crypto");
+var import_jose2 = require("jose");
 // src-public/redisClient.ts
 var import_redis = __toESM(require_dist4());
@@ -106652,7 +106676,7 @@ var EnvEngine = class extends Runtime {
           this._envCache[this.systemEnvName] = jsonEnv;
         }
         let cachedEnv = this._envCache[this.systemEnvName];
-        if (this._envCache["__mock_invalid"]) {
+        if (cachedEnv["__mock_invalid"]) {
           cachedEnv = process.env;
         }
         options.encryptionKey = cachedEnv["SECRET_ENCRYPTION_KEY"];
@@ -106684,9 +106708,9 @@ var EnvEngine = class extends Runtime {
     );
     Object.assign(this.inMemoryRef[level], Object.fromEntries(Object.entries(objPlain).map(([k, v]) => [k, `${expirseAt}/${now}/${v}`])));
     if (options.ephemeralMs) {
-      Object.assign(this.globalInMemoryRef[level], Object.fromEntries(Object.entries(objEncrypted).map(([k, v]) => [k, `${expirseAt}/${now}/${v}`])));
-    }
-    if (options.ephemeralMs) {
+      if (!options.ignoreStores?.includes("global")) {
+        Object.assign(this.globalInMemoryRef[level], Object.fromEntries(Object.entries(objEncrypted).map(([k, v]) => [k, `${expirseAt}/${now}/${v}`])));
+      }
       if (!options.ignoreStores?.includes("redis")) {
         (async () => {
           const redisClient = await getConnectedRedisClient(this.systemEnvName).catch(() => null);
@@ -106810,8 +106834,112 @@ var EnvEngine = class extends Runtime {
     }, {});
     return result;
   }
+  /**
+   * Get the Google Access Token to use with the Google Infrastructure (Schedule / Pubsub / Cloud Tasks etc.)
+   * @param audience
+   * @returns
+   */
   withGoogleAccessToken() {
-    return this.with("google_access_token", "env", { encrypted: true, ephemeralMs: 10 * 60 * 1e3, fetch: () => getAccessToken() });
+    const key = "google_access_token";
+    return this.with(key, "env", { encrypted: true, ephemeralMs: 10 * 60 * 1e3, fetch: () => getAccessToken() });
+  }
+  /**
+   * Get the Google Identity Token to use with other Buildship workflows
+   * @param audience
+   * @returns
+   */
+  withGoogleIdentityToken(audience) {
+    const audienceNorm = {
+      workflowId: audience ? audience.workflowId || this.workflowId : null,
+      triggerId: audience ? audience.triggerId || this.triggerId : null
+    };
+    const expectedAudience = [process.env.GCLOUD_PROJECT, audienceNorm.triggerId, audienceNorm.workflowId].filter((x) => x !== null).join("-");
+    return this.with(`google_identity_token_${expectedAudience}`, "env", { encrypted: true, ephemeralMs: 10 * 60 * 1e3, fetch: () => getIdentityToken(expectedAudience) });
+  }
+  async checkGoogleIdentiyToken(accessToken, audience, allowedServiceAccounts = [`runtime@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`]) {
+    if (!accessToken) {
+      return false;
+    }
+    const defaultServiceAccount2 = `runtime@${process.env.GCLOUD_PROJECT}.iam.gserviceaccount.com`;
+    const audienceNorm = {
+      workflowId: audience ? audience.workflowId || this.workflowId : null,
+      triggerId: audience ? audience.triggerId || this.triggerId : null
+    };
+    const expectedAudience = [process.env.GCLOUD_PROJECT, audienceNorm.triggerId, audienceNorm.workflowId].filter((x) => x !== null).join("-");
+    const accessTokenInCache = await this.get("google_identity_token_" + expectedAudience, "env", { encrypted: true, isEphemeral: true, store: "global" });
+    if (accessTokenInCache === accessToken && allowedServiceAccounts.includes(defaultServiceAccount2)) {
+      return defaultServiceAccount2;
+    }
+    const splitted = accessToken.split(".");
+    let keyMeta;
+    let meta;
+    try {
+      keyMeta = JSON.parse(Buffer.from(splitted[0], "base64").toString("utf-8")) || {};
+      meta = JSON.parse(Buffer.from(splitted[1], "base64").toString("utf-8")) || {};
+    } catch (err) {
+      this.logging.error(`Authorization header - Malformed Token. ${err.message}`);
+      return false;
+    }
+    let tokenExpirationTime = meta.exp;
+    if (!tokenExpirationTime) {
+      this.logging.error(`Authorization header - Expiration time is missing`);
+      return false;
+    }
+    tokenExpirationTime = tokenExpirationTime * 1e3;
+    if (tokenExpirationTime < Date.now()) {
+      this.logging.error(`Authorization header - Token expired`);
+      return false;
+    }
+    if (!meta.email_verified) {
+      this.logging.error(`Authorization header - Email not verified`);
+      return false;
+    }
+    if (!allowedServiceAccounts.includes(meta.email)) {
+      this.logging.error(`Authorization header - Wrong service account, got ${meta?.email}, expected one of ${allowedServiceAccounts.join(", ")}`);
+      return false;
+    }
+    if (!keyMeta.kid || !keyMeta.alg) {
+      this.logging.error(`Authorization header - Malformed Authorization Header. KID is missing`);
+      return false;
+    }
+    if (meta.aud !== expectedAudience) {
+      this.logging.error(`Authorization header - Wrong audience, got ${meta?.aud}, expected ${expectedAudience}`);
+      return false;
+    }
+    const tokenSignature = (0, import_crypto2.createHash)("sha256").update(accessToken).digest("hex");
+    const tokensServiceAccount = await this.get("google_identity_token_signature_" + tokenSignature, "env", { encrypted: false, isEphemeral: true, store: "global" });
+    if (tokensServiceAccount && allowedServiceAccounts.includes(tokensServiceAccount)) {
+      return true;
+    }
+    const publicKey = await this.with("google_public_keys", "env", {
+      encrypted: false,
+      ephemeralMs: 20 * 60 * 1e3,
+      fetch: () => {
+        return fetch("https://www.googleapis.com/oauth2/v3/certs").then((res) => res.text());
+      }
+    })(async (publicKeys, requestCacheRefresh) => {
+      const jwks = JSON.parse(publicKeys);
+      const keyInStorage = jwks?.keys.find((x) => x.kid === keyMeta.kid);
+      if (!keyInStorage) {
+        requestCacheRefresh?.();
+        return false;
+      }
+      return keyInStorage;
+    });
+    try {
+      await (0, import_jose2.jwtVerify)(accessToken, await (0, import_jose2.importJWK)(publicKey, keyMeta.alg), {
+        issuer: ["https://accounts.google.com", "accounts.google.com"],
+        clockTolerance: 0,
+        audience: expectedAudience
+      });
+    } catch (err) {
+      return false;
+    }
+    await this.set([{
+      name: "google_identity_token_signature_" + tokenSignature,
+      value: meta.email
+    }], "env", { encrypted: false, ephemeralMs: Math.min(tokenExpirationTime - Date.now(), 5 * 60 * 1e3), ignoreStores: ["redis"] });
+    return meta.email;
   }
   withSecret(key) {
     return this.with("__secret_" + key, "env", {
@@ -107787,7 +107915,7 @@ var Secrets = class extends Runtime {
 var secret_default = Secrets;
 // src-public/cloudtasks.ts
-var import_crypto2 = __toESM(require("crypto"));
+var import_crypto3 = __toESM(require("crypto"));
 async function gcpFetch(url, accessToken, options = {}) {
   let res;
   try {
@@ -107834,7 +107962,7 @@ var CloudTasksHelper = class extends Runtime {
     this.triggerId = opts.triggerId;
   }
   getQueueName(topicName) {
-    const infraPrefix = topicName.indexOf("---") !== -1 ? topicName : `${this.envName}---${topicName}-${import_crypto2.default.createHash("sha256").update(this.triggerId).digest("hex").slice(0, 8)}`;
+    const infraPrefix = topicName.indexOf("---") !== -1 ? topicName : `${this.envName}---${topicName}-${import_crypto3.default.createHash("sha256").update(this.triggerId).digest("hex").slice(0, 8)}`;
     return `${infraPrefix}-${shortHash(this.triggerId)}`;
   }
   getQueuePath(topicName) {
@@ -107919,7 +108047,7 @@ var CloudTasksHelper = class extends Runtime {
     const createdTaskNames = [];
     for (let i = 0; i < repeat; i++) {
       const scheduledDate = scheduleSeconds ? new Date(Date.now() + 1e3 * scheduleSeconds * (i + 1)) : /* @__PURE__ */ new Date();
-      const taskId = opts.doNotCreateIfExists ? import_crypto2.default.createHash("sha256").update(opts.doNotCreateIfExists + Object.entries(opts.extraQuery || {}).sort().map((x) => x.join("=")).join("&")).digest("hex").slice(0, 8) : void 0;
+      const taskId = opts.doNotCreateIfExists ? import_crypto3.default.createHash("sha256").update(opts.doNotCreateIfExists + Object.entries(opts.extraQuery || {}).sort().map((x) => x.join("=")).join("&")).digest("hex").slice(0, 8) : void 0;
       const scheduleTime = scheduleSeconds ? scheduledDate.toISOString() : void 0;
       const httpRequest = {
         httpMethod: opts.httpTarget.httpMethod || "POST",
@@ -109197,30 +109325,44 @@ var TriggerHelper = class {
           optionsEnchanced.req.throw(401, `Invalid Client IP`);
           return;
         }
-        matchingAPIKeysDetails = await envEngine.withSecret("triggers_api_keys")(async (secretApiKeys) => {
-          let apiKeys = [];
-          try {
-            apiKeys = JSON.parse(secretApiKeys);
-          } catch (err) {
-            throw new Error(`Could not parse triggers_api_keys secrets content, are you sure it is a valid JSON?. ${err.message}`);
-          }
-          if (apiKeys.length === 0 || !Array.isArray(apiKeys)) {
-            throw new Error("triggers_api_keys secrets content must be a JSON encoded array");
+        if (authHeader.split(".").length === 3) {
+          const allowedServiceAccounts = [defaultServiceAccount, ...this.actions.map((x) => x.actionOptions.routingConditions?.api?.roles).flat().filter((x) => x?.includes("@"))];
+          const serviceAccount = await envEngine.checkGoogleIdentiyToken(authHeader.slice("Bearer ".length), void 0, allowedServiceAccounts);
+          if (serviceAccount) {
+            if (serviceAccount === defaultServiceAccount) {
+              matchingAPIKeysDetails.roles.push("*");
+              matchingAPIKeysDetails.roles.push("runtime");
+            }
+            matchingAPIKeysDetails.roles.push(serviceAccount);
+            matchingAPIKeysDetails.flags.push("google_identity_token");
           }
-          const matchingApiKeys = apiKeys.filter((x) => authHeader.slice("Bearer ".length) === x.apiKey);
-          const allowedApiKeys = matchingApiKeys.filter((x) => isIpInCidrs(clientIp, x.allowedCIDRs));
-          return {
-            roles: allowedApiKeys.flatMap((x) => x.assumedRoles),
-            flags: allowedApiKeys.flatMap((x) => x.flags)
-          };
-        }).catch((err) => {
-          options.logging.error(`Possible issue with the secret. Check the secret configuration ${err.message}`);
-          return {
-            roles: [],
-            flags: []
-          };
-        });
-        if (matchingAPIKeysDetails.roles.length) {
+        }
+        if (!matchingAPIKeysDetails.roles.length) {
+          matchingAPIKeysDetails = await envEngine.withSecret("triggers_api_keys")(async (secretApiKeys) => {
+            let apiKeys = [];
+            try {
+              apiKeys = JSON.parse(secretApiKeys);
+            } catch (err) {
+              throw new Error(`Could not parse triggers_api_keys secrets content, are you sure it is a valid JSON?. ${err.message}`);
+            }
+            if (apiKeys.length === 0 || !Array.isArray(apiKeys)) {
+              throw new Error("triggers_api_keys secrets content must be a JSON encoded array");
+            }
+            const matchingApiKeys = apiKeys.filter((x) => authHeader.slice("Bearer ".length) === x.apiKey);
+            const allowedApiKeys = matchingApiKeys.filter((x) => isIpInCidrs(clientIp, x.allowedCIDRs));
+            return {
+              roles: allowedApiKeys.flatMap((x) => x.assumedRoles),
+              flags: allowedApiKeys.flatMap((x) => x.flags)
+            };
+          }).catch((err) => {
+            options.logging.error(`Possible issue with the secret. Check the secret configuration ${err.message}`);
+            return {
+              roles: [],
+              flags: []
+            };
+          });
+        }
+        if (!matchingAPIKeysDetails.roles.length) {
           const isDeprecatedKeys = config.apiKey && authHeader.slice("Bearer ".length) === config.apiKey;
           matchingAPIKeysDetails.roles = isDeprecatedKeys ? ["system"] : [];
         }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@shushed/helpers",
-  "version": "0.0.153",
+  "version": "0.0.154",
   "author": "",
   "license": "UNLICENSED",
   "description": "",