@smythos/sre 1.5.44 → 1.5.45

package/src/subsystems/Security/Vault.service/connectors/NullVault.class.ts

@@ -1,54 +1,54 @@
-import { ConnectorService } from '@sre/Core/ConnectorsService';
-import { Logger } from '@sre/helpers/Log.helper';
-import { SmythRuntime } from '@sre/Core/SmythRuntime.class';
-import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
-import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
-import { ACL } from '@sre/Security/AccessControl/ACL.class';
-import { SecureConnector } from '@sre/Security/SecureConnector.class';
-import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
-
-import { IVaultRequest, VaultConnector } from '../VaultConnector';
-import crypto from 'crypto';
-import fs from 'fs';
-import * as readlineSync from 'readline-sync';
-
-const console = Logger('NullVault');
-export class NullVault extends VaultConnector {
-    public name: string = 'NullVault';
-    private vaultData: any;
-    private index: any;
-    private sharedVault: boolean;
-
-    constructor(protected _settings: any) {
-        super(_settings);
-        console.warn('NullVault is used : Vault features will not be available');
-    }
-
-    @SecureConnector.AccessControl
-    protected async get(acRequest: AccessRequest, keyId: string) {
-        console.debug(`Ignored operation:NullVault.get: ${keyId}`);
-        return 'NULLKEY';
-    }
-
-    @SecureConnector.AccessControl
-    protected async exists(acRequest: AccessRequest, keyId: string) {
-        console.debug(`Ignored operation:NullVault.exists: ${keyId}`);
-        return false;
-    }
-
-    @SecureConnector.AccessControl
-    protected async listKeys(acRequest: AccessRequest) {
-        console.debug(`Ignored operation:NullVault.listKeys`);
-        return [];
-    }
-
-    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
-        const acl = new ACL();
-
-        //give just read access by default
-        //Cannot write to null vault
-        acl.addAccess(candidate.role, candidate.id, TAccessLevel.Read);
-
-        return acl;
-    }
-}
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+import { SmythRuntime } from '@sre/Core/SmythRuntime.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
+
+import { IVaultRequest, VaultConnector } from '../VaultConnector';
+import crypto from 'crypto';
+import fs from 'fs';
+import * as readlineSync from 'readline-sync';
+
+const console = Logger('NullVault');
+export class NullVault extends VaultConnector {
+    public name: string = 'NullVault';
+    private vaultData: any;
+    private index: any;
+    private sharedVault: boolean;
+
+    constructor(protected _settings: any) {
+        super(_settings);
+        console.warn('NullVault is used : Vault features will not be available');
+    }
+
+    @SecureConnector.AccessControl
+    protected async get(acRequest: AccessRequest, keyId: string) {
+        console.debug(`Ignored operation:NullVault.get: ${keyId}`);
+        return 'NULLKEY';
+    }
+
+    @SecureConnector.AccessControl
+    protected async exists(acRequest: AccessRequest, keyId: string) {
+        console.debug(`Ignored operation:NullVault.exists: ${keyId}`);
+        return false;
+    }
+
+    @SecureConnector.AccessControl
+    protected async listKeys(acRequest: AccessRequest) {
+        console.debug(`Ignored operation:NullVault.listKeys`);
+        return [];
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
+        const acl = new ACL();
+
+        //give just read access by default
+        //Cannot write to null vault
+        acl.addAccess(candidate.role, candidate.id, TAccessLevel.Read);
+
+        return acl;
+    }
+}

package/src/subsystems/Security/Vault.service/connectors/SecretsManager.class.ts

@@ -1,140 +1,140 @@
-import { ConnectorService } from '@sre/Core/ConnectorsService';
-import { Logger } from '@sre/helpers/Log.helper';
-//import { SmythRuntime } from '@sre/Core/SmythRuntime.class';
-import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
-import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
-import { ACL } from '@sre/Security/AccessControl/ACL.class';
-import { SecureConnector } from '@sre/Security/SecureConnector.class';
-import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
-import { VaultConnector } from '../VaultConnector';
-import {
-    SecretsManagerClient,
-    GetSecretValueCommand,
-    ListSecretsCommand,
-    ListSecretsCommandOutput,
-    GetSecretValueCommandOutput,
-} from '@aws-sdk/client-secrets-manager';
-
-const console = Logger('SecretsManager');
-
-export type SecretsManagerConfig = {
-    region: string;
-    awsAccessKeyId?: string;
-    awsSecretAccessKey?: string;
-};
-export class SecretsManager extends VaultConnector {
-    public name: string = 'SecretsManager';
-    private secretsManager: SecretsManagerClient;
-
-    constructor(protected _settings: SecretsManagerConfig) {
-        super(_settings);
-        //if (!SmythRuntime.Instance) throw new Error('SRE not initialized');
-
-        this.secretsManager = new SecretsManagerClient({
-            region: _settings.region,
-            ...(_settings.awsAccessKeyId && _settings.awsSecretAccessKey
-                ? {
-                      accessKeyId: _settings.awsAccessKeyId,
-                      secretAccessKey: _settings.awsSecretAccessKey,
-                  }
-                : {}),
-        });
-    }
-
-    @SecureConnector.AccessControl
-    protected async get(acRequest: AccessRequest, secretName: string) {
-        try {
-            const secret = await this.getSecretByName(secretName);
-            return secret?.SecretString;
-        } catch (error) {
-            console.error(error);
-            throw error;
-        }
-    }
-
-    @SecureConnector.AccessControl
-    protected async exists(acRequest: AccessRequest, keyId: string) {
-        const secret = await this.get(acRequest, keyId);
-        return !!secret;
-    }
-
-    @SecureConnector.AccessControl
-    protected async listKeys(acRequest: AccessRequest) {
-        console.warn('SecretsManager.listKeys is not implemented');
-        return [];
-    }
-
-    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
-        const accountConnector = ConnectorService.getAccountConnector();
-        const teamId = await accountConnector.getCandidateTeam(candidate);
-
-        const acl = new ACL();
-
-        acl.addAccess(TAccessRole.Team, teamId, TAccessLevel.Owner)
-            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Read)
-            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Write);
-
-        return acl;
-    }
-
-    private async getSecretByName(secretName: string) {
-        try {
-            const secrets = [];
-            let nextToken: string | undefined;
-            do {
-                const listResponse: ListSecretsCommandOutput = await this.secretsManager.send(
-                    new ListSecretsCommand({ NextToken: nextToken, Filters: [{ Key: 'tag-key', Values: ['smyth-vault'] }] })
-                );
-                if (listResponse.SecretList) {
-                    for (const secret of listResponse.SecretList) {
-                        if (secret.Name) {
-                            secrets.push({
-                                ARN: secret.ARN,
-                                Name: secret.Name,
-                                CreatedDate: secret.CreatedDate,
-                            });
-                        }
-                    }
-                }
-                nextToken = listResponse.NextToken;
-            } while (nextToken);
-
-            const formattedSecrets = [];
-            const $promises = [];
-            for (const secret of secrets) {
-                $promises.push(getSpecificSecret(secret, this.secretsManager));
-            }
-            const results = await Promise.all($promises);
-            for (const result of results) {
-                formattedSecrets.push(result);
-            }
-            const secret = formattedSecrets.find((s) => s.Name === secretName);
-            return secret;
-        } catch (error) {
-            console.error(error);
-        }
-
-        async function getSpecificSecret(secret, secretsManager: SecretsManagerClient) {
-            const data: GetSecretValueCommandOutput = await secretsManager.send(new GetSecretValueCommand({ SecretId: secret.ARN }));
-            let secretString = data.SecretString;
-            let secretName = secret.Name;
-
-            if (secretString) {
-                try {
-                    let parsedSecret = JSON.parse(secretString);
-                    if (Object.keys(parsedSecret).length === 1) {
-                        secretName = Object.keys(parsedSecret)[0];
-                        secretString = parsedSecret[secretName];
-                    }
-                } catch (error) {}
-            }
-            return {
-                Name: secretName,
-                ARN: secret.ARN,
-                CreatedDate: secret.CreatedDate,
-                SecretId: secret.Name,
-                SecretString: secretString,
-            };
-        }
-    }
-}
+import { ConnectorService } from '@sre/Core/ConnectorsService';
+import { Logger } from '@sre/helpers/Log.helper';
+//import { SmythRuntime } from '@sre/Core/SmythRuntime.class';
+import { AccessCandidate } from '@sre/Security/AccessControl/AccessCandidate.class';
+import { AccessRequest } from '@sre/Security/AccessControl/AccessRequest.class';
+import { ACL } from '@sre/Security/AccessControl/ACL.class';
+import { SecureConnector } from '@sre/Security/SecureConnector.class';
+import { IAccessCandidate, TAccessLevel, TAccessRole } from '@sre/types/ACL.types';
+import { VaultConnector } from '../VaultConnector';
+import {
+    SecretsManagerClient,
+    GetSecretValueCommand,
+    ListSecretsCommand,
+    ListSecretsCommandOutput,
+    GetSecretValueCommandOutput,
+} from '@aws-sdk/client-secrets-manager';
+
+const console = Logger('SecretsManager');
+
+export type SecretsManagerConfig = {
+    region: string;
+    awsAccessKeyId?: string;
+    awsSecretAccessKey?: string;
+};
+export class SecretsManager extends VaultConnector {
+    public name: string = 'SecretsManager';
+    private secretsManager: SecretsManagerClient;
+
+    constructor(protected _settings: SecretsManagerConfig) {
+        super(_settings);
+        //if (!SmythRuntime.Instance) throw new Error('SRE not initialized');
+
+        this.secretsManager = new SecretsManagerClient({
+            region: _settings.region,
+            ...(_settings.awsAccessKeyId && _settings.awsSecretAccessKey
+                ? {
+                      accessKeyId: _settings.awsAccessKeyId,
+                      secretAccessKey: _settings.awsSecretAccessKey,
+                  }
+                : {}),
+        });
+    }
+
+    @SecureConnector.AccessControl
+    protected async get(acRequest: AccessRequest, secretName: string) {
+        try {
+            const secret = await this.getSecretByName(secretName);
+            return secret?.SecretString;
+        } catch (error) {
+            console.error(error);
+            throw error;
+        }
+    }
+
+    @SecureConnector.AccessControl
+    protected async exists(acRequest: AccessRequest, keyId: string) {
+        const secret = await this.get(acRequest, keyId);
+        return !!secret;
+    }
+
+    @SecureConnector.AccessControl
+    protected async listKeys(acRequest: AccessRequest) {
+        console.warn('SecretsManager.listKeys is not implemented');
+        return [];
+    }
+
+    public async getResourceACL(resourceId: string, candidate: IAccessCandidate) {
+        const accountConnector = ConnectorService.getAccountConnector();
+        const teamId = await accountConnector.getCandidateTeam(candidate);
+
+        const acl = new ACL();
+
+        acl.addAccess(TAccessRole.Team, teamId, TAccessLevel.Owner)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Read)
+            .addAccess(TAccessRole.Team, teamId, TAccessLevel.Write);
+
+        return acl;
+    }
+
+    private async getSecretByName(secretName: string) {
+        try {
+            const secrets = [];
+            let nextToken: string | undefined;
+            do {
+                const listResponse: ListSecretsCommandOutput = await this.secretsManager.send(
+                    new ListSecretsCommand({ NextToken: nextToken, Filters: [{ Key: 'tag-key', Values: ['smyth-vault'] }] })
+                );
+                if (listResponse.SecretList) {
+                    for (const secret of listResponse.SecretList) {
+                        if (secret.Name) {
+                            secrets.push({
+                                ARN: secret.ARN,
+                                Name: secret.Name,
+                                CreatedDate: secret.CreatedDate,
+                            });
+                        }
+                    }
+                }
+                nextToken = listResponse.NextToken;
+            } while (nextToken);
+
+            const formattedSecrets = [];
+            const $promises = [];
+            for (const secret of secrets) {
+                $promises.push(getSpecificSecret(secret, this.secretsManager));
+            }
+            const results = await Promise.all($promises);
+            for (const result of results) {
+                formattedSecrets.push(result);
+            }
+            const secret = formattedSecrets.find((s) => s.Name === secretName);
+            return secret;
+        } catch (error) {
+            console.error(error);
+        }
+
+        async function getSpecificSecret(secret, secretsManager: SecretsManagerClient) {
+            const data: GetSecretValueCommandOutput = await secretsManager.send(new GetSecretValueCommand({ SecretId: secret.ARN }));
+            let secretString = data.SecretString;
+            let secretName = secret.Name;
+
+            if (secretString) {
+                try {
+                    let parsedSecret = JSON.parse(secretString);
+                    if (Object.keys(parsedSecret).length === 1) {
+                        secretName = Object.keys(parsedSecret)[0];
+                        secretString = parsedSecret[secretName];
+                    }
+                } catch (error) {}
+            }
+            return {
+                Name: secretName,
+                ARN: secret.ARN,
+                CreatedDate: secret.CreatedDate,
+                SecretId: secret.Name,
+                SecretString: secretString,
+            };
+        }
+    }
+}

package/src/subsystems/Security/Vault.service/index.ts

@@ -1,12 +1,12 @@
-import { ConnectorService, ConnectorServiceProvider } from '@sre/Core/ConnectorsService';
-import { TConnectorService } from '@sre/types/SRE.types';
-import { JSONFileVault } from './connectors/JSONFileVault.class';
-import { SecretsManager } from './connectors/SecretsManager.class';
-import { NullVault } from './connectors/NullVault.class';
-export class VaultService extends ConnectorServiceProvider {
-    public register() {
-        ConnectorService.register(TConnectorService.Vault, 'JSONFileVault', JSONFileVault);
-        ConnectorService.register(TConnectorService.Vault, 'SecretsManager', SecretsManager);
-        ConnectorService.register(TConnectorService.Vault, 'NullVault', NullVault);
-    }
-}
+import { ConnectorService, ConnectorServiceProvider } from '@sre/Core/ConnectorsService';
+import { TConnectorService } from '@sre/types/SRE.types';
+import { JSONFileVault } from './connectors/JSONFileVault.class';
+import { SecretsManager } from './connectors/SecretsManager.class';
+import { NullVault } from './connectors/NullVault.class';
+export class VaultService extends ConnectorServiceProvider {
+    public register() {
+        ConnectorService.register(TConnectorService.Vault, 'JSONFileVault', JSONFileVault);
+        ConnectorService.register(TConnectorService.Vault, 'SecretsManager', SecretsManager);
+        ConnectorService.register(TConnectorService.Vault, 'NullVault', NullVault);
+    }
+}

package/src/types/ACL.types.ts

@@ -1,104 +1,104 @@
-//==[ SRE: ACL Types ]======================
-export const DEFAULT_TEAM_ID = 'default';
-
-export enum TAccessLevel {
-    None = 'none',
-    Owner = 'owner',
-    Read = 'read',
-    Write = 'write',
-}
-
-export enum TAccessRole {
-    Agent = 'agent',
-    User = 'user',
-    Team = 'team',
-    Public = 'public',
-}
-
-// role and level mappings are used for ACL serialization / deserialization
-export const RoleMap = {
-    user: 'u',
-    agent: 'a',
-    team: 't',
-    public: 'p',
-};
-
-export const LevelMap = {
-    none: 'n',
-    owner: 'o',
-    read: 'r',
-    write: 'w',
-};
-
-// Reverse mappings
-export const ReverseRoleMap = Object.fromEntries(Object.entries(RoleMap).map(([k, v]) => [v, k]));
-export const ReverseLevelMap = Object.fromEntries(Object.entries(LevelMap).map(([k, v]) => [v, k]));
-
-/**
- * an ACLEntry is a list of access levels for a given owner.
- * an owner can be an agent, a user, a team or the public.
- */
-export type TACLEntry = {
-    [hashedOwnerKey: string]: TAccessLevel[] | undefined;
-};
-/**
- * The Access Control List (ACL) is a list of access rights for a given resource.
- * Each entry in this ACL represents a role
- * Role entries define a list of owners of the resource and the access levels they have.
- * e.g.
- *  The following ACL defines that agentA and teamA has read and write access, while agentB and teamC has read access.
- *   {
- *      agent: {
- *         'agentA': ['read', 'write'],
- *         'agentB': ['read'],
- *     },
- *    team: {
- *       'teamA': ['read', 'write'],
- *       'teamC': ['read'],
- *     }
- * }
- */
-// prettier-ignore
-export interface IACL {    
-    hashAlgorithm?: string | undefined;
-    entries?: {
-        [key in TAccessRole]?: TACLEntry | undefined;
-    };
-    migrated?: boolean | undefined;
-}
-
-// export type TACLMetadata = {
-//     acl?: TACL | undefined;
-// };
-
-export interface IAccessCandidate {
-    role: TAccessRole;
-    id: string;
-}
-
-export interface IAccessRequest {
-    id: string;
-    resourceId: string;
-    candidate: IAccessCandidate;
-    level: TAccessLevel | TAccessLevel[];
-}
-
-export enum TAccessResult {
-    Granted = 'granted',
-    Denied = 'denied',
-}
-
-export type TAccessTicket = {
-    request: IAccessRequest;
-    access: TAccessResult;
-};
-
-//custom errors
-
-//access denied error
-export class ACLAccessDeniedError extends Error {
-    constructor(message?: string) {
-        super(message);
-        this.name = 'ACLAccessDeniedError';
-    }
-}
+//==[ SRE: ACL Types ]======================
+export const DEFAULT_TEAM_ID = 'default';
+
+export enum TAccessLevel {
+    None = 'none',
+    Owner = 'owner',
+    Read = 'read',
+    Write = 'write',
+}
+
+export enum TAccessRole {
+    Agent = 'agent',
+    User = 'user',
+    Team = 'team',
+    Public = 'public',
+}
+
+// role and level mappings are used for ACL serialization / deserialization
+export const RoleMap = {
+    user: 'u',
+    agent: 'a',
+    team: 't',
+    public: 'p',
+};
+
+export const LevelMap = {
+    none: 'n',
+    owner: 'o',
+    read: 'r',
+    write: 'w',
+};
+
+// Reverse mappings
+export const ReverseRoleMap = Object.fromEntries(Object.entries(RoleMap).map(([k, v]) => [v, k]));
+export const ReverseLevelMap = Object.fromEntries(Object.entries(LevelMap).map(([k, v]) => [v, k]));
+
+/**
+ * an ACLEntry is a list of access levels for a given owner.
+ * an owner can be an agent, a user, a team or the public.
+ */
+export type TACLEntry = {
+    [hashedOwnerKey: string]: TAccessLevel[] | undefined;
+};
+/**
+ * The Access Control List (ACL) is a list of access rights for a given resource.
+ * Each entry in this ACL represents a role
+ * Role entries define a list of owners of the resource and the access levels they have.
+ * e.g.
+ *  The following ACL defines that agentA and teamA has read and write access, while agentB and teamC has read access.
+ *   {
+ *      agent: {
+ *         'agentA': ['read', 'write'],
+ *         'agentB': ['read'],
+ *     },
+ *    team: {
+ *       'teamA': ['read', 'write'],
+ *       'teamC': ['read'],
+ *     }
+ * }
+ */
+// prettier-ignore
+export interface IACL {    
+    hashAlgorithm?: string | undefined;
+    entries?: {
+        [key in TAccessRole]?: TACLEntry | undefined;
+    };
+    migrated?: boolean | undefined;
+}
+
+// export type TACLMetadata = {
+//     acl?: TACL | undefined;
+// };
+
+export interface IAccessCandidate {
+    role: TAccessRole;
+    id: string;
+}
+
+export interface IAccessRequest {
+    id: string;
+    resourceId: string;
+    candidate: IAccessCandidate;
+    level: TAccessLevel | TAccessLevel[];
+}
+
+export enum TAccessResult {
+    Granted = 'granted',
+    Denied = 'denied',
+}
+
+export type TAccessTicket = {
+    request: IAccessRequest;
+    access: TAccessResult;
+};
+
+//custom errors
+
+//access denied error
+export class ACLAccessDeniedError extends Error {
+    constructor(message?: string) {
+        super(message);
+        this.name = 'ACLAccessDeniedError';
+    }
+}

package/src/types/AWS.types.ts

@@ -1,11 +1,11 @@
-//==[ SRE: AWS Types ]======================
-export type AWSCredentials = {
-    accessKeyId: string;
-    secretAccessKey: string;
-};
-
-export type AWSRegionConfig = {
-    region: string;
-};
-
+//==[ SRE: AWS Types ]======================
+export type AWSCredentials = {
+    accessKeyId: string;
+    secretAccessKey: string;
+};
+
+export type AWSRegionConfig = {
+    region: string;
+};
+
 export type AWSConfig = AWSCredentials & AWSRegionConfig;