@sparkleideas/security 3.0.0-alpha.22 → 3.0.0-alpha.49
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/CVE-REMEDIATION.d.ts +86 -0
- package/dist/CVE-REMEDIATION.d.ts.map +1 -0
- package/dist/CVE-REMEDIATION.js +221 -0
- package/dist/CVE-REMEDIATION.js.map +1 -0
- package/dist/application/index.d.ts +7 -0
- package/dist/application/index.d.ts.map +1 -0
- package/dist/application/index.js +7 -0
- package/dist/application/index.js.map +1 -0
- package/dist/application/services/security-application-service.d.ts +71 -0
- package/dist/application/services/security-application-service.d.ts.map +1 -0
- package/dist/application/services/security-application-service.js +153 -0
- package/dist/application/services/security-application-service.js.map +1 -0
- package/dist/credential-generator.d.ts +176 -0
- package/dist/credential-generator.d.ts.map +1 -0
- package/dist/credential-generator.js +272 -0
- package/dist/credential-generator.js.map +1 -0
- package/dist/domain/entities/security-context.d.ts +68 -0
- package/dist/domain/entities/security-context.d.ts.map +1 -0
- package/dist/domain/entities/security-context.js +132 -0
- package/dist/domain/entities/security-context.js.map +1 -0
- package/dist/domain/index.d.ts +8 -0
- package/dist/domain/index.d.ts.map +1 -0
- package/dist/domain/index.js +8 -0
- package/dist/domain/index.js.map +1 -0
- package/dist/domain/services/security-domain-service.d.ts +71 -0
- package/dist/domain/services/security-domain-service.d.ts.map +1 -0
- package/dist/domain/services/security-domain-service.js +237 -0
- package/dist/domain/services/security-domain-service.js.map +1 -0
- package/dist/index.d.ts +119 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +145 -0
- package/dist/index.js.map +1 -0
- package/dist/input-validator.d.ts +338 -0
- package/dist/input-validator.d.ts.map +1 -0
- package/dist/input-validator.js +393 -0
- package/dist/input-validator.js.map +1 -0
- package/dist/password-hasher.d.ts +128 -0
- package/dist/password-hasher.d.ts.map +1 -0
- package/dist/password-hasher.js +183 -0
- package/dist/password-hasher.js.map +1 -0
- package/dist/path-validator.d.ts +148 -0
- package/dist/path-validator.d.ts.map +1 -0
- package/dist/path-validator.js +421 -0
- package/dist/path-validator.js.map +1 -0
- package/dist/safe-executor.d.ts +173 -0
- package/dist/safe-executor.d.ts.map +1 -0
- package/dist/safe-executor.js +370 -0
- package/dist/safe-executor.js.map +1 -0
- package/dist/token-generator.d.ts +224 -0
- package/dist/token-generator.d.ts.map +1 -0
- package/dist/token-generator.js +351 -0
- package/dist/token-generator.js.map +1 -0
- package/package.json +1 -1
- package/tsconfig.build.tsbuildinfo +1 -0
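--- a/package/dist/credential-generator.d.ts
+++ b/package/dist/credential-generator.d.ts
@@ -0,0 +1,176 @@
+/**
+* Credential Generator - CVE-3 Remediation
+*
+* Fixes hardcoded default credentials by providing secure random
+* credential generation for installation and runtime.
+*
+* Security Properties:
+* - Uses crypto.randomBytes for cryptographically secure randomness
+* - Configurable entropy levels
+* - No hardcoded defaults stored in code
+* - Secure credential storage recommendations
+*
+* @module v3/security/credential-generator
+*/
+export interface CredentialConfig {
+/**
+* Length of generated passwords.
+* Default: 32 characters
+*/
+passwordLength?: number;
+/**
+* Length of generated API keys.
+* Default: 48 characters
+*/
+apiKeyLength?: number;
+/**
+* Length of generated secrets (JWT, session, etc.).
+* Default: 64 characters
+*/
+secretLength?: number;
+/**
+* Character set for password generation.
+* Default: alphanumeric + special
+*/
+passwordCharset?: string;
+/**
+* Character set for API key generation.
+* Default: alphanumeric only (URL-safe)
+*/
+apiKeyCharset?: string;
+}
+export interface GeneratedCredentials {
+adminPassword: string;
+servicePassword: string;
+jwtSecret: string;
+sessionSecret: string;
+encryptionKey: string;
+generatedAt: Date;
+expiresAt?: Date;
+}
+export interface ApiKeyCredential {
+key: string;
+prefix: string;
+keyId: string;
+createdAt: Date;
+}
+export declare class CredentialGeneratorError extends Error {
+readonly code: string;
+constructor(message: string, code: string);
+}
+/**
+* Secure credential generator.
+*
+* This class provides cryptographically secure credential generation
+* to replace hardcoded default credentials.
+*
+* @example
+* ```typescript
+* const generator = new CredentialGenerator();
+* const credentials = generator.generateInstallationCredentials();
+* // Store credentials securely (environment variables, secrets manager)
+* ```
+*/
+export declare class CredentialGenerator {
+private readonly config;
+constructor(config?: CredentialConfig);
+/**
+* Validates configuration parameters.
+*/
+private validateConfig;
+/**
+* Generates a cryptographically secure random string using rejection sampling
+* to eliminate modulo bias.
+*
+* @param length - Length of the string to generate
+* @param charset - Character set to use
+* @returns Random string
+*/
+private generateSecureString;
+/**
+* Generates a secure random password.
+*
+* @param length - Optional custom length (default from config)
+* @returns Secure random password
+*/
+generatePassword(length?: number): string;
+/**
+* Checks if password has required character types.
+*/
+private hasRequiredCharacterTypes;
+/**
+* Generates a secure API key.
+*
+* @param prefix - Optional prefix for the key (e.g., 'cf_')
+* @returns API key credential with metadata
+*/
+generateApiKey(prefix?: string): ApiKeyCredential;
+/**
+* Generates a secure secret for JWT, sessions, etc.
+*
+* @param length - Optional custom length (default from config)
+* @returns Hex-encoded secret
+*/
+generateSecret(length?: number): string;
+/**
+* Generates an encryption key suitable for AES-256.
+*
+* @returns 32-byte key encoded as hex (64 characters)
+*/
+generateEncryptionKey(): string;
+/**
+* Generates a complete set of installation credentials.
+*
+* These should be stored securely (environment variables,
+* secrets manager, etc.) and NEVER committed to version control.
+*
+* @param expirationDays - Optional expiration period in days
+* @returns Complete credential set
+*/
+generateInstallationCredentials(expirationDays?: number): GeneratedCredentials;
+/**
+* Generates a secure session token.
+*
+* @returns URL-safe session token
+*/
+generateSessionToken(): string;
+/**
+* Generates a secure CSRF token.
+*
+* @returns CSRF token
+*/
+generateCsrfToken(): string;
+/**
+* Generates a secure nonce for one-time use.
+*
+* @returns Unique nonce value
+*/
+generateNonce(): string;
+/**
+* Creates a setup script output for secure credential deployment.
+*
+* @param credentials - Generated credentials
+* @returns Environment variable export script
+*/
+createEnvScript(credentials: GeneratedCredentials): string;
+/**
+* Creates a JSON configuration output for secure credential deployment.
+*
+* @param credentials - Generated credentials
+* @returns JSON configuration (for secrets manager import)
+*/
+createJsonConfig(credentials: GeneratedCredentials): string;
+}
+/**
+* Factory function to create a production credential generator.
+*
+* @returns Configured CredentialGenerator instance
+*/
+export declare function createCredentialGenerator(): CredentialGenerator;
+/**
+* Quick credential generation for CLI usage.
+*
+* @returns Generated installation credentials
+*/
+export declare function generateCredentials(): GeneratedCredentials;
+//# sourceMappingURL=credential-generator.d.ts.map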
@@ -0,0 +1 @@
1
+
{"version":3,"file":"credential-generator.d.ts","sourceRoot":"","sources":["../src/credential-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,oBAAoB;IACnC,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,IAAI,CAAC;IAClB,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,qBAAa,wBAAyB,SAAQ,KAAK;aAG/B,IAAI,EAAE,MAAM;gBAD5B,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM;CAK/B;AAgBD;;;;;;;;;;;;GAYG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA6B;gBAExC,MAAM,GAAE,gBAAqB;IAazC;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB;IA6B5B;;;;;OAKG;IACH,gBAAgB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM;IAezC;;OAEG;IACH,OAAO,CAAC,yBAAyB;IASjC;;;;;OAKG;IACH,cAAc,CAAC,MAAM,SAAQ,GAAG,gBAAgB;IAiBhD;;;;;OAKG;IACH,cAAc,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM;IAMvC;;;;OAIG;IACH,qBAAqB,IAAI,MAAM;IAI/B;;;;;;;;OAQG;IACH,+BAA+B,CAAC,cAAc,CAAC,EAAE,MAAM,GAAG,oBAAoB;IAiB9E;;;;OAIG;IACH,oBAAoB,IAAI,MAAM;IAI9B;;;;OAIG;IACH,iBAAiB,IAAI,MAAM;IAI3B;;;;OAIG;IACH,aAAa,IAAI,MAAM;IAIvB;;;;;OAKG;IACH,eAAe,CAAC,WAAW,EAAE,oBAAoB,GAAG,MAAM;IAa1D;;;;;OAKG;IACH,gBAAgB,CAAC,WAAW,EAAE,oBAAoB,GAAG,MAAM;CAW5D;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,IAAI,mBAAmB,CAE/D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,oBAAoB,CAG1D"}
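--- a/package/dist/credential-generator.js
+++ b/package/dist/credential-generator.js
@@ -0,0 +1,272 @@
+/**
+* Credential Generator - CVE-3 Remediation
+*
+* Fixes hardcoded default credentials by providing secure random
+* credential generation for installation and runtime.
+*
+* Security Properties:
+* - Uses crypto.randomBytes for cryptographically secure randomness
+* - Configurable entropy levels
+* - No hardcoded defaults stored in code
+* - Secure credential storage recommendations
+*
+* @module v3/security/credential-generator
+*/
+import { randomBytes, randomUUID } from 'crypto';
+export class CredentialGeneratorError extends Error {
+code;
+constructor(message, code) {
+super(message);
+this.code = code;
+this.name = 'CredentialGeneratorError';
+}
+}
+/**
+* Character sets for credential generation
+*/
+const CHARSETS = {
+UPPERCASE: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
+LOWERCASE: 'abcdefghijklmnopqrstuvwxyz',
+DIGITS: '0123456789',
+SPECIAL: '!@#$%^&*()_+-=[]{}|;:,.<>?',
+// URL-safe characters for API keys
+URL_SAFE: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',
+// Hex characters for secrets
+HEX: '0123456789abcdef',
+};
+/**
+* Secure credential generator.
+*
+* This class provides cryptographically secure credential generation
+* to replace hardcoded default credentials.
+*
+* @example
+* ```typescript
+* const generator = new CredentialGenerator();
+* const credentials = generator.generateInstallationCredentials();
+* // Store credentials securely (environment variables, secrets manager)
+* ```
+*/
+export class CredentialGenerator {
+config;
+constructor(config = {}) {
+this.config = {
+passwordLength: config.passwordLength ?? 32,
+apiKeyLength: config.apiKeyLength ?? 48,
+secretLength: config.secretLength ?? 64,
+passwordCharset: config.passwordCharset ??
+CHARSETS.UPPERCASE + CHARSETS.LOWERCASE + CHARSETS.DIGITS + CHARSETS.SPECIAL,
+apiKeyCharset: config.apiKeyCharset ?? CHARSETS.URL_SAFE,
+};
+this.validateConfig();
+}
+/**
+* Validates configuration parameters.
+*/
+validateConfig() {
+if (this.config.passwordLength < 16) {
+throw new CredentialGeneratorError('Password length must be at least 16 characters', 'INVALID_PASSWORD_LENGTH');
+}
+if (this.config.apiKeyLength < 32) {
+throw new CredentialGeneratorError('API key length must be at least 32 characters', 'INVALID_API_KEY_LENGTH');
+}
+if (this.config.secretLength < 32) {
+throw new CredentialGeneratorError('Secret length must be at least 32 characters', 'INVALID_SECRET_LENGTH');
+}
+}
+/**
+* Generates a cryptographically secure random string using rejection sampling
+* to eliminate modulo bias.
+*
+* @param length - Length of the string to generate
+* @param charset - Character set to use
+* @returns Random string
+*/
+generateSecureString(length, charset) {
+const charsetLength = charset.length;
+const result = new Array(length);
+// Calculate rejection threshold to eliminate modulo bias
+// For a byte (0-255), we reject values >= (256 - (256 % charsetLength))
+// This ensures uniform distribution over charset indices
+const maxValidValue = 256 - (256 % charsetLength);
+let i = 0;
+while (i < length) {
+// Generate more random bytes than needed to reduce iterations
+const randomBuffer = randomBytes(Math.max(length - i, 16));
+for (let j = 0; j < randomBuffer.length && i < length; j++) {
+const randomValue = randomBuffer[j];
+// Rejection sampling: only accept values below threshold
+if (randomValue < maxValidValue) {
+result[i] = charset[randomValue % charsetLength];
+i++;
+}
+// Values >= maxValidValue are rejected to avoid bias
+}
+}
+return result.join('');
+}
+/**
+* Generates a secure random password.
+*
+* @param length - Optional custom length (default from config)
+* @returns Secure random password
+*/
+generatePassword(length) {
+const len = length ?? this.config.passwordLength;
+// Ensure password contains at least one of each required character type
+const password = this.generateSecureString(len, this.config.passwordCharset);
+// Validate the generated password meets requirements
+if (!this.hasRequiredCharacterTypes(password)) {
+// Regenerate if requirements not met (rare case)
+return this.generatePassword(length);
+}
+return password;
+}
+/**
+* Checks if password has required character types.
+*/
+hasRequiredCharacterTypes(password) {
+const hasUppercase = /[A-Z]/.test(password);
+const hasLowercase = /[a-z]/.test(password);
+const hasDigit = /\d/.test(password);
+const hasSpecial = /[!@#$%^&*()_+\-=\[\]{}|;:,.<>?]/.test(password);
+return hasUppercase && hasLowercase && hasDigit && hasSpecial;
+}
+/**
+* Generates a secure API key.
+*
+* @param prefix - Optional prefix for the key (e.g., 'cf_')
+* @returns API key credential with metadata
+*/
+generateApiKey(prefix = 'cf_') {
+const keyBody = this.generateSecureString(this.config.apiKeyLength - prefix.length, this.config.apiKeyCharset);
+const key = `${prefix}${keyBody}`;
+const keyId = randomUUID();
+return {
+key,
+prefix,
+keyId,
+createdAt: new Date(),
+};
+}
+/**
+* Generates a secure secret for JWT, sessions, etc.
+*
+* @param length - Optional custom length (default from config)
+* @returns Hex-encoded secret
+*/
+generateSecret(length) {
+const len = length ?? this.config.secretLength;
+// Generate raw bytes and encode as hex for consistent storage
+return randomBytes(Math.ceil(len / 2)).toString('hex').slice(0, len);
+}
+/**
+* Generates an encryption key suitable for AES-256.
+*
+* @returns 32-byte key encoded as hex (64 characters)
+*/
+generateEncryptionKey() {
+return randomBytes(32).toString('hex');
+}
+/**
+* Generates a complete set of installation credentials.
+*
+* These should be stored securely (environment variables,
+* secrets manager, etc.) and NEVER committed to version control.
+*
+* @param expirationDays - Optional expiration period in days
+* @returns Complete credential set
+*/
+generateInstallationCredentials(expirationDays) {
+const now = new Date();
+const expiresAt = expirationDays
+? new Date(now.getTime() + expirationDays * 24 * 60 * 60 * 1000)
+: undefined;
+return {
+adminPassword: this.generatePassword(),
+servicePassword: this.generatePassword(),
+jwtSecret: this.generateSecret(64),
+sessionSecret: this.generateSecret(64),
+encryptionKey: this.generateEncryptionKey(),
+generatedAt: now,
+expiresAt,
+};
+}
+/**
+* Generates a secure session token.
+*
+* @returns URL-safe session token
+*/
+generateSessionToken() {
+return this.generateSecureString(64, CHARSETS.URL_SAFE);
+}
+/**
+* Generates a secure CSRF token.
+*
+* @returns CSRF token
+*/
+generateCsrfToken() {
+return randomBytes(32).toString('base64url');
+}
+/**
+* Generates a secure nonce for one-time use.
+*
+* @returns Unique nonce value
+*/
+generateNonce() {
+return randomBytes(16).toString('hex');
+}
+/**
+* Creates a setup script output for secure credential deployment.
+*
+* @param credentials - Generated credentials
+* @returns Environment variable export script
+*/
+createEnvScript(credentials) {
+return `# Claude Flow V3 - Generated Credentials
+# Generated: ${credentials.generatedAt.toISOString()}
+# IMPORTANT: Store these securely and delete this file after use
+
+export CLAUDE_FLOW_ADMIN_PASSWORD="${credentials.adminPassword}"
+export CLAUDE_FLOW_SERVICE_PASSWORD="${credentials.servicePassword}"
+export CLAUDE_FLOW_JWT_SECRET="${credentials.jwtSecret}"
+export CLAUDE_FLOW_SESSION_SECRET="${credentials.sessionSecret}"
+export CLAUDE_FLOW_ENCRYPTION_KEY="${credentials.encryptionKey}"
+`;
+}
+/**
+* Creates a JSON configuration output for secure credential deployment.
+*
+* @param credentials - Generated credentials
+* @returns JSON configuration (for secrets manager import)
+*/
+createJsonConfig(credentials) {
+return JSON.stringify({
+'claude-flow/admin-password': credentials.adminPassword,
+'claude-flow/service-password': credentials.servicePassword,
+'claude-flow/jwt-secret': credentials.jwtSecret,
+'claude-flow/session-secret': credentials.sessionSecret,
+'claude-flow/encryption-key': credentials.encryptionKey,
+'claude-flow/generated-at': credentials.generatedAt.toISOString(),
+'claude-flow/expires-at': credentials.expiresAt?.toISOString() ?? null,
+}, null, 2);
+}
+}
+/**
+* Factory function to create a production credential generator.
+*
+* @returns Configured CredentialGenerator instance
+*/
+export function createCredentialGenerator() {
+return new CredentialGenerator();
+}
+/**
+* Quick credential generation for CLI usage.
+*
+* @returns Generated installation credentials
+*/
+export function generateCredentials() {
+const generator = new CredentialGenerator();
+return generator.generateInstallationCredentials();
+}
+//# sourceMappingURL=credential-generator.js.map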
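Review bot: `createEnvScript` (new-file lines 225–236) writes each credential into a sourceable shell script inside double quotes, but the default password charset built from `SPECIAL` (line 31) contains `$`, `(`, `{` and `!`, so a generated password holding `$(`…`)` or `${`…`}` is expanded by the shell when the script is sourced and `!` is subject to history expansion in interactive shells, meaning the exported value can silently differ from the stored one. Each value should be single-quoted with any embedded `'` escaped (the default charsets contain none, but `passwordCharset` is caller-supplied), as in the rewrite below. A related gap is that `validateConfig` (line 66) checks only the three lengths: a custom `passwordCharset` missing one of the four classes tested by `hasRequiredCharacterTypes` (line 128) makes `generatePassword` (line 114) recurse without bound, and an empty charset or one longer than 256 characters makes the loop in `generateSecureString` (line 93) never terminate because `maxValidValue` becomes NaN or 0. A charset check in `validateConfig` — non-empty, at most 256 characters, and containing all four classes for the password charset — would close both, e.g. `if (charset.length === 0 || charset.length > 256) throw new CredentialGeneratorError('Charset must contain 1-256 characters', 'INVALID_CHARSET');`.
```javascript
createEnvScript(credentials) {
    // Single-quote each value: the password charset includes `$`, `(`, `{` and `!`,
    // which a shell expands inside double quotes when this script is sourced.
    const shellQuote = (value) => `'${String(value).replace(/'/g, "'\\''")}'`;
    return `# Claude Flow V3 - Generated Credentials
# Generated: ${credentials.generatedAt.toISOString()}
# IMPORTANT: Store these securely and delete this file after use

export CLAUDE_FLOW_ADMIN_PASSWORD=${shellQuote(credentials.adminPassword)}
export CLAUDE_FLOW_SERVICE_PASSWORD=${shellQuote(credentials.servicePassword)}
export CLAUDE_FLOW_JWT_SECRET=${shellQuote(credentials.jwtSecret)}
export CLAUDE_FLOW_SESSION_SECRET=${shellQuote(credentials.sessionSecret)}
export CLAUDE_FLOW_ENCRYPTION_KEY=${shellQuote(credentials.encryptionKey)}
`;
}
```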
@@ -0,0 +1 @@
1
+
{"version":3,"file":"credential-generator.js","sourceRoot":"","sources":["../src/credential-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAmDjD,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IAG/B;IAFlB,YACE,OAAe,EACC,IAAY;QAE5B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,SAAI,GAAJ,IAAI,CAAQ;QAG5B,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;IACzC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,QAAQ,GAAG;IACf,SAAS,EAAE,4BAA4B;IACvC,SAAS,EAAE,4BAA4B;IACvC,MAAM,EAAE,YAAY;IACpB,OAAO,EAAE,4BAA4B;IACrC,mCAAmC;IACnC,QAAQ,EAAE,kEAAkE;IAC5E,6BAA6B;IAC7B,GAAG,EAAE,kBAAkB;CACf,CAAC;AAEX;;;;;;;;;;;;GAYG;AACH,MAAM,OAAO,mBAAmB;IACb,MAAM,CAA6B;IAEpD,YAAY,SAA2B,EAAE;QACvC,IAAI,CAAC,MAAM,GAAG;YACZ,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,EAAE;YAC3C,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,EAAE;YACvC,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,EAAE;YACvC,eAAe,EAAE,MAAM,CAAC,eAAe;gBACrC,QAAQ,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,GAAG,QAAQ,CAAC,MAAM,GAAG,QAAQ,CAAC,OAAO;YAC9E,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,QAAQ,CAAC,QAAQ;SACzD,CAAC;QAEF,IAAI,CAAC,cAAc,EAAE,CAAC;IACxB,CAAC;IAED;;OAEG;IACK,cAAc;QACpB,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,GAAG,EAAE,EAAE,CAAC;YACpC,MAAM,IAAI,wBAAwB,CAChC,gDAAgD,EAChD,yBAAyB,CAC1B,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,GAAG,EAAE,EAAE,CAAC;YAClC,MAAM,IAAI,wBAAwB,CAChC,+CAA+C,EAC/C,wBAAwB,CACzB,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,GAAG,EAAE,EAAE,CAAC;YAClC,MAAM,IAAI,wBAAwB,CAChC,8CAA8C,EAC9C,uBAAuB,CACxB,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,oBAAoB,CAAC,MAAc,EAAE,OAAe;QAC1D,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC;QACrC,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAEjC,yDAAyD;QACzD,wEAAwE;QACxE,yDAAyD;QACzD,MAAM,aAAa,GAAG,GAAG,GAAG,CAAC,GAAG,GAAG,aAAa,CAAC,CAAC;QAElD,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,OAAO,CAAC,GAAG,MAAM,EAAE,CAAC;YAClB,8DAA8D;YAC9D,MAAM,YAAY,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YAE3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,IAAI,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC3D,MAAM,WAAW,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;gBAEp
C,yDAAyD;gBACzD,IAAI,WAAW,GAAG,aAAa,EAAE,CAAC;oBAChC,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,WAAW,GAAG,aAAa,CAAC,CAAC;oBACjD,CAAC,EAAE,CAAC;gBACN,CAAC;gBACD,qDAAqD;YACvD,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzB,CAAC;IAED;;;;;OAKG;IACH,gBAAgB,CAAC,MAAe;QAC9B,MAAM,GAAG,GAAG,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;QAEjD,wEAAwE;QACxE,MAAM,QAAQ,GAAG,IAAI,CAAC,oBAAoB,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAE7E,qDAAqD;QACrD,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9C,iDAAiD;YACjD,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,yBAAyB,CAAC,QAAgB;QAChD,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,UAAU,GAAG,iCAAiC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEpE,OAAO,YAAY,IAAI,YAAY,IAAI,QAAQ,IAAI,UAAU,CAAC;IAChE,CAAC;IAED;;;;;OAKG;IACH,cAAc,CAAC,MAAM,GAAG,KAAK;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,oBAAoB,CACvC,IAAI,CAAC,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,EACxC,IAAI,CAAC,MAAM,CAAC,aAAa,CAC1B,CAAC;QAEF,MAAM,GAAG,GAAG,GAAG,MAAM,GAAG,OAAO,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,UAAU,EAAE,CAAC;QAE3B,OAAO;YACL,GAAG;YACH,MAAM;YACN,KAAK;YACL,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,cAAc,CAAC,MAAe;QAC5B,MAAM,GAAG,GAAG,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;QAC/C,8DAA8D;QAC9D,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACvE,CAAC;IAED;;;;OAIG;IACH,qBAAqB;QACnB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAED;;;;;;;;OAQG;IACH,+BAA+B,CAAC,cAAuB;QACrD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,cAAc;YAC9B,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;YAChE,CAAC,CAAC,SAAS,CAAC;QAEd,OAAO;YACL,aAAa,EAAE,IAAI,CAAC,gBAAgB,EAAE;YACtC,eAAe,EAAE,IAAI,CAAC,gBAAgB,EAAE;YACxC,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;
YAClC,aAAa,EAAE,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;YACtC,aAAa,EAAE,IAAI,CAAC,qBAAqB,EAAE;YAC3C,WAAW,EAAE,GAAG;YAChB,SAAS;SACV,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,oBAAoB;QAClB,OAAO,IAAI,CAAC,oBAAoB,CAAC,EAAE,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAED;;;;OAIG;IACH,iBAAiB;QACf,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/C,CAAC;IAED;;;;OAIG;IACH,aAAa;QACX,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACH,eAAe,CAAC,WAAiC;QAC/C,OAAO;eACI,WAAW,CAAC,WAAW,CAAC,WAAW,EAAE;;;qCAGf,WAAW,CAAC,aAAa;uCACvB,WAAW,CAAC,eAAe;iCACjC,WAAW,CAAC,SAAS;qCACjB,WAAW,CAAC,aAAa;qCACzB,WAAW,CAAC,aAAa;CAC7D,CAAC;IACA,CAAC;IAED;;;;;OAKG;IACH,gBAAgB,CAAC,WAAiC;QAChD,OAAO,IAAI,CAAC,SAAS,CAAC;YACpB,4BAA4B,EAAE,WAAW,CAAC,aAAa;YACvD,8BAA8B,EAAE,WAAW,CAAC,eAAe;YAC3D,wBAAwB,EAAE,WAAW,CAAC,SAAS;YAC/C,4BAA4B,EAAE,WAAW,CAAC,aAAa;YACvD,4BAA4B,EAAE,WAAW,CAAC,aAAa;YACvD,0BAA0B,EAAE,WAAW,CAAC,WAAW,CAAC,WAAW,EAAE;YACjE,wBAAwB,EAAE,WAAW,CAAC,SAAS,EAAE,WAAW,EAAE,IAAI,IAAI;SACvE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACd,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB;IACvC,OAAO,IAAI,mBAAmB,EAAE,CAAC;AACnC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,SAAS,GAAG,IAAI,mBAAmB,EAAE,CAAC;IAC5C,OAAO,SAAS,CAAC,+BAA+B,EAAE,CAAC;AACrD,CAAC"}
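--- a/package/dist/domain/entities/security-context.d.ts
+++ b/package/dist/domain/entities/security-context.d.ts
@@ -0,0 +1,68 @@
+/**
+* Security Context Entity - Domain Layer
+*
+* Represents security context for operations with validation and policy enforcement.
+*
+* @module v3/security/domain/entities
+*/
+/**
+* Permission levels
+*/
+export type PermissionLevel = 'read' | 'write' | 'execute' | 'admin';
+/**
+* Security context properties
+*/
+export interface SecurityContextProps {
+id?: string;
+principalId: string;
+principalType: 'agent' | 'user' | 'system';
+permissions: PermissionLevel[];
+allowedPaths?: string[];
+blockedPaths?: string[];
+allowedCommands?: string[];
+blockedCommands?: string[];
+metadata?: Record<string, unknown>;
+expiresAt?: Date;
+createdAt?: Date;
+}
+/**
+* Security Context - Entity
+*/
+export declare class SecurityContext {
+private _id;
+private _principalId;
+private _principalType;
+private _permissions;
+private _allowedPaths;
+private _blockedPaths;
+private _allowedCommands;
+private _blockedCommands;
+private _metadata;
+private _expiresAt?;
+private _createdAt;
+private constructor();
+static create(props: SecurityContextProps): SecurityContext;
+static fromPersistence(props: SecurityContextProps): SecurityContext;
+get id(): string;
+get principalId(): string;
+get principalType(): string;
+get permissions(): PermissionLevel[];
+get allowedPaths(): string[];
+get blockedPaths(): string[];
+get allowedCommands(): string[];
+get blockedCommands(): string[];
+get metadata(): Record<string, unknown>;
+get expiresAt(): Date | undefined;
+get createdAt(): Date;
+hasPermission(level: PermissionLevel): boolean;
+isExpired(): boolean;
+canAccessPath(path: string): boolean;
+canExecuteCommand(command: string): boolean;
+private matchGlob;
+grantPermission(level: PermissionLevel): void;
+revokePermission(level: PermissionLevel): void;
+addAllowedPath(path: string): void;
+addBlockedPath(path: string): void;
+toPersistence(): Record<string, unknown>;
+}
+//# sourceMappingURL=security-context.d.ts.map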
@@ -0,0 +1 @@
1
+
{"version":3,"file":"security-context.d.ts","sourceRoot":"","sources":["../../../src/domain/entities/security-context.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;IAC3C,WAAW,EAAE,eAAe,EAAE,CAAC;IAC/B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,GAAG,CAAS;IACpB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,cAAc,CAA8B;IACpD,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,aAAa,CAAc;IACnC,OAAO,CAAC,aAAa,CAAc;IACnC,OAAO,CAAC,gBAAgB,CAAc;IACtC,OAAO,CAAC,gBAAgB,CAAc;IACtC,OAAO,CAAC,SAAS,CAA0B;IAC3C,OAAO,CAAC,UAAU,CAAC,CAAO;IAC1B,OAAO,CAAC,UAAU,CAAO;IAEzB,OAAO;IAcP,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,oBAAoB,GAAG,eAAe;IAI3D,MAAM,CAAC,eAAe,CAAC,KAAK,EAAE,oBAAoB,GAAG,eAAe;IAIpE,IAAI,EAAE,IAAI,MAAM,CAAqB;IACrC,IAAI,WAAW,IAAI,MAAM,CAA8B;IACvD,IAAI,aAAa,IAAI,MAAM,CAAgC;IAC3D,IAAI,WAAW,IAAI,eAAe,EAAE,CAA0C;IAC9E,IAAI,YAAY,IAAI,MAAM,EAAE,CAA2C;IACvE,IAAI,YAAY,IAAI,MAAM,EAAE,CAA2C;IACvE,IAAI,eAAe,IAAI,MAAM,EAAE,CAA8C;IAC7E,IAAI,eAAe,IAAI,MAAM,EAAE,CAA8C;IAC7E,IAAI,QAAQ,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAkC;IACzE,IAAI,SAAS,IAAI,IAAI,GAAG,SAAS,CAA4B;IAC7D,IAAI,SAAS,IAAI,IAAI,CAAsC;IAI3D,aAAa,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO;IAI9C,SAAS,IAAI,OAAO;IAKpB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAuBpC,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAiB3C,OAAO,CAAC,SAAS;IAQjB,eAAe,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI;IAI7C,gBAAgB,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI;IAI9C,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAIlC,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAIlC,aAAa,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAezC"}
@@ -0,0 +1,132 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Security Context Entity - Domain Layer
|
|
3
|
+
*
|
|
4
|
+
* Represents security context for operations with validation and policy enforcement.
|
|
5
|
+
*
|
|
6
|
+
* @module v3/security/domain/entities
|
|
7
|
+
*/
|
|
8
|
+
import { randomUUID } from 'crypto';
|
|
9
|
+
/**
|
|
10
|
+
* Security Context - Entity
|
|
11
|
+
*/
|
|
12
|
+
export class SecurityContext {
|
|
13
|
+
_id;
|
|
14
|
+
_principalId;
|
|
15
|
+
_principalType;
|
|
16
|
+
_permissions;
|
|
17
|
+
_allowedPaths;
|
|
18
|
+
_blockedPaths;
|
|
19
|
+
_allowedCommands;
|
|
20
|
+
_blockedCommands;
|
|
21
|
+
_metadata;
|
|
22
|
+
_expiresAt;
|
|
23
|
+
_createdAt;
|
|
24
|
+
constructor(props) {
|
|
25
|
+
this._id = props.id ?? randomUUID();
|
|
26
|
+
this._principalId = props.principalId;
|
|
27
|
+
this._principalType = props.principalType;
|
|
28
|
+
this._permissions = new Set(props.permissions);
|
|
29
|
+
this._allowedPaths = new Set(props.allowedPaths ?? []);
|
|
30
|
+
this._blockedPaths = new Set(props.blockedPaths ?? []);
|
|
31
|
+
this._allowedCommands = new Set(props.allowedCommands ?? []);
|
|
32
|
+
this._blockedCommands = new Set(props.blockedCommands ?? []);
|
|
33
|
+
this._metadata = props.metadata ?? {};
|
|
34
|
+
this._expiresAt = props.expiresAt;
|
|
35
|
+
this._createdAt = props.createdAt ?? new Date();
|
|
36
|
+
}
|
|
37
|
+
static create(props) {
|
|
38
|
+
return new SecurityContext(props);
|
|
39
|
+
}
|
|
40
|
+
static fromPersistence(props) {
|
|
41
|
+
return new SecurityContext(props);
|
|
42
|
+
}
|
|
43
|
+
get id() { return this._id; }
|
|
44
|
+
get principalId() { return this._principalId; }
|
|
45
|
+
get principalType() { return this._principalType; }
|
|
46
|
+
get permissions() { return Array.from(this._permissions); }
|
|
47
|
+
get allowedPaths() { return Array.from(this._allowedPaths); }
|
|
48
|
+
get blockedPaths() { return Array.from(this._blockedPaths); }
|
|
49
|
+
get allowedCommands() { return Array.from(this._allowedCommands); }
|
|
50
|
+
get blockedCommands() { return Array.from(this._blockedCommands); }
|
|
51
|
+
get metadata() { return { ...this._metadata }; }
|
|
52
|
+
get expiresAt() { return this._expiresAt; }
|
|
53
|
+
get createdAt() { return new Date(this._createdAt); }
|
|
54
|
+
// Business Logic
|
|
55
|
+
hasPermission(level) {
|
|
56
|
+
return this._permissions.has(level) || this._permissions.has('admin');
|
|
57
|
+
}
|
|
58
|
+
isExpired() {
|
|
59
|
+
if (!this._expiresAt)
|
|
60
|
+
return false;
|
|
61
|
+
return Date.now() > this._expiresAt.getTime();
|
|
62
|
+
}
|
|
63
|
+
canAccessPath(path) {
|
|
64
|
+
if (this.isExpired())
|
|
65
|
+
return false;
|
|
66
|
+
// Check blocked paths first
|
|
67
|
+
for (const blocked of this._blockedPaths) {
|
|
68
|
+
if (path.startsWith(blocked) || this.matchGlob(path, blocked)) {
|
|
69
|
+
return false;
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
// If no allowed paths specified, allow all non-blocked
|
|
73
|
+
if (this._allowedPaths.size === 0)
|
|
74
|
+
return true;
|
|
75
|
+
// Check allowed paths
|
|
76
|
+
for (const allowed of this._allowedPaths) {
|
|
77
|
+
if (path.startsWith(allowed) || this.matchGlob(path, allowed)) {
|
|
78
|
+
return true;
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
return false;
|
|
82
|
+
}
|
|
83
|
+
canExecuteCommand(command) {
|
|
84
|
+
if (this.isExpired())
|
|
85
|
+
return false;
|
|
86
|
+
const cmdBase = command.split(' ')[0];
|
|
87
|
+
// Check blocked commands first
|
|
88
|
+
if (this._blockedCommands.has(cmdBase) || this._blockedCommands.has(command)) {
|
|
89
|
+
return false;
|
|
90
|
+
}
|
|
91
|
+
// If no allowed commands specified, allow all non-blocked
|
|
92
|
+
if (this._allowedCommands.size === 0)
|
|
93
|
+
return true;
|
|
94
|
+
// Check allowed commands
|
|
95
|
+
return this._allowedCommands.has(cmdBase) || this._allowedCommands.has(command);
|
|
96
|
+
}
|
|
97
|
+
matchGlob(path, pattern) {
|
|
98
|
+
const regex = pattern
|
|
99
|
+
.replace(/\*\*/g, '.*')
|
|
100
|
+
.replace(/\*/g, '[^/]*')
|
|
101
|
+
.replace(/\?/g, '.');
|
|
102
|
+
return new RegExp(`^${regex}$`).test(path);
|
|
103
|
+
}
|
|
104
|
+
grantPermission(level) {
|
|
105
|
+
this._permissions.add(level);
|
|
106
|
+
}
|
|
107
|
+
revokePermission(level) {
|
|
108
|
+
this._permissions.delete(level);
|
|
109
|
+
}
|
|
110
|
+
addAllowedPath(path) {
|
|
111
|
+
this._allowedPaths.add(path);
|
|
112
|
+
}
|
|
113
|
+
addBlockedPath(path) {
|
|
114
|
+
this._blockedPaths.add(path);
|
|
115
|
+
}
|
|
116
|
+
toPersistence() {
|
|
117
|
+
return {
|
|
118
|
+
id: this._id,
|
|
119
|
+
principalId: this._principalId,
|
|
120
|
+
principalType: this._principalType,
|
|
121
|
+
permissions: Array.from(this._permissions),
|
|
122
|
+
allowedPaths: Array.from(this._allowedPaths),
|
|
123
|
+
blockedPaths: Array.from(this._blockedPaths),
|
|
124
|
+
allowedCommands: Array.from(this._allowedCommands),
|
|
125
|
+
blockedCommands: Array.from(this._blockedCommands),
|
|
126
|
+
metadata: this._metadata,
|
|
127
|
+
expiresAt: this._expiresAt?.toISOString(),
|
|
128
|
+
createdAt: this._createdAt.toISOString(),
|
|
129
|
+
};
|
|
130
|
+
}
|
|
131
|
+
}
|
|
132
|
+
//# sourceMappingURL=security-context.js.map
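Review bot: `canAccessPath` (lines 63-82) compares the raw `path` string with `startsWith`, so `..` segments are never resolved before the allow/deny comparison and a prefix is matched without a separator boundary — a deny-list entry such as `/etc` also catches `/etc-backup`, while an allow-list entry admits any string that merely begins with it. Normalise once with `posix.normalize` from node's `path` module (not yet imported here; alias it, since the parameter is already named `path`) and require the prefix to end at a `/` before the `startsWith` test, as in the excerpt below. `matchGlob` (lines 97-103) builds a RegExp from the pattern without escaping regex metacharacters, so a literal `.` or `+` in a pattern over-matches and a pattern that originates outside the process becomes a regex-injection surface; escape the pattern before substituting the `**`/`*`/`?` tokens. `canExecuteCommand` (lines 83-96) keys the deny-list on `command.split(' ')[0]`, so the comparison is only as strong as that single token — trim and split on any whitespace, and document that path-qualified or chained forms of a command are not covered by this check. Separately, `toPersistence` (lines 116-130) emits `expiresAt`/`createdAt` as ISO strings but `fromPersistence` (line 40) passes them unchanged to the constructor, which later calls `.getTime()` and `.toISOString()` on them, so a stored context cannot be rehydrated without a TypeError; convert with `new Date(...)` in `fromPersistence`.
```javascript
import { randomUUID } from 'crypto';
import { posix as nodePath } from 'path';
// … unchanged: class fields, constructor, static factories, getters …
    canAccessPath(path) {
        if (this.isExpired())
            return false;
        // Resolve '..' and duplicate separators once, so every prefix and glob
        // comparison below sees the same canonical form of the requested path.
        const normalized = nodePath.normalize(path);
        // A prefix only matches at a path-segment boundary (or exactly).
        const hasPrefix = (candidate, prefix) =>
            candidate === prefix ||
            candidate.startsWith(prefix.endsWith('/') ? prefix : prefix + '/');
        // Check blocked paths first
        for (const blocked of this._blockedPaths) {
            if (hasPrefix(normalized, blocked) || this.matchGlob(normalized, blocked)) {
                return false;
            }
        }
        // … unchanged: empty allow-list short-circuit and allowed-path loop,
        //     using `normalized` and `hasPrefix` in place of `path.startsWith` …
    }
```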
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"security-context.js","sourceRoot":"","sources":["../../../src/domain/entities/security-context.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAwBpC;;GAEG;AACH,MAAM,OAAO,eAAe;IAClB,GAAG,CAAS;IACZ,YAAY,CAAS;IACrB,cAAc,CAA8B;IAC5C,YAAY,CAAuB;IACnC,aAAa,CAAc;IAC3B,aAAa,CAAc;IAC3B,gBAAgB,CAAc;IAC9B,gBAAgB,CAAc;IAC9B,SAAS,CAA0B;IACnC,UAAU,CAAQ;IAClB,UAAU,CAAO;IAEzB,YAAoB,KAA2B;QAC7C,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,EAAE,IAAI,UAAU,EAAE,CAAC;QACpC,IAAI,CAAC,YAAY,GAAG,KAAK,CAAC,WAAW,CAAC;QACtC,IAAI,CAAC,cAAc,GAAG,KAAK,CAAC,aAAa,CAAC;QAC1C,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAC/C,IAAI,CAAC,aAAa,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,aAAa,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC,gBAAgB,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;QAC7D,IAAI,CAAC,gBAAgB,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;QAC7D,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;QACtC,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC;IAClD,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,KAA2B;QACvC,OAAO,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,eAAe,CAAC,KAA2B;QAChD,OAAO,IAAI,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,IAAI,EAAE,KAAa,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,IAAI,WAAW,KAAa,OAAO,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;IACvD,IAAI,aAAa,KAAa,OAAO,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;IAC3D,IAAI,WAAW,KAAwB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC9E,IAAI,YAAY,KAAe,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IACvE,IAAI,YAAY,KAAe,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IACvE,IAAI,eAAe,KAAe,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;IAC7E,IAAI,eAAe,KAAe,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;IAC7E,IAAI,QAAQ,KAA8B,OAAO,EAAE,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IACzE,IAAI,SAAS,KAAuB,OAAO,IAAI,CAAC,UAAU,CAAC,
CAAC,CAAC;IAC7D,IAAI,SAAS,KAAW,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAE3D,iBAAiB;IAEjB,aAAa,CAAC,KAAsB;QAClC,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxE,CAAC;IAED,SAAS;QACP,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,OAAO,KAAK,CAAC;QACnC,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;IAChD,CAAC;IAED,aAAa,CAAC,IAAY;QACxB,IAAI,IAAI,CAAC,SAAS,EAAE;YAAE,OAAO,KAAK,CAAC;QAEnC,4BAA4B;QAC5B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACzC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC9D,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,uDAAuD;QACvD,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAE/C,sBAAsB;QACtB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACzC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC9D,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iBAAiB,CAAC,OAAe;QAC/B,IAAI,IAAI,CAAC,SAAS,EAAE;YAAE,OAAO,KAAK,CAAC;QAEnC,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAEtC,+BAA+B;QAC/B,IAAI,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,0DAA0D;QAC1D,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAElD,yBAAyB;QACzB,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAClF,CAAC;IAEO,SAAS,CAAC,IAAY,EAAE,OAAe;QAC7C,MAAM,KAAK,GAAG,OAAO;aAClB,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC;aACtB,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC;aACvB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACvB,OAAO,IAAI,MAAM,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7C,CAAC;IAED,eAAe,CAAC,KAAsB;QACpC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,gBAAgB,CAAC,KAAsB;QACrC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED,cAAc,CAAC,IAAY;QACzB,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,cAAc,CAAC,IAAY;QACzB,IAA
I,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,aAAa;QACX,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,GAAG;YACZ,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,aAAa,EAAE,IAAI,CAAC,cAAc;YAClC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC;YAC1C,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC;YAC5C,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC;YAC5C,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC;YAClD,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC;YAClD,QAAQ,EAAE,IAAI,CAAC,SAAS;YACxB,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,EAAE;YACzC,SAAS,EAAE,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE;SACzC,CAAC;IACJ,CAAC;CACF"}
|