@toa.io/extensions.exposition 1.0.0-alpha.10 → 1.0.0-alpha.101

package/components/identity.federation/source/lib/get.ts

@@ -0,0 +1,82 @@
+/* eslint-disable max-depth */
+
+import { Readable } from 'node:stream'
+import { buffer } from 'node:stream/consumers'
+
+import Cache from '@isaacs/ttlcache'
+import Policy from 'http-cache-semantics'
+import type { ReadableStream } from 'node:stream/web'
+
+const cache = new Cache<string, Entry>()
+
+export async function get (url: string, init?: RequestInit): Promise<Response> {
+  const headers = toRecord(init?.headers)
+  const request = { url, method: 'GET', headers }
+  const cached = cache.get(url)
+
+  if (cached?.policy.satisfiesWithoutRevalidation(request) === true) {
+    const headers = toHeaders(cached.policy.responseHeaders())
+
+    return new Response(cached.body, { headers })
+  }
+
+  const response = await fetch(url, init)
+  const policy = new Policy(request, { status: response.status, headers: toRecord(response.headers) })
+  const ttl = policy.timeToLive()
+
+  if (policy.storable() && ttl > 0) {
+    const body = await toBuffer(response.body as ReadableStream)
+
+    cache.set(url, { policy, body }, { ttl })
+
+    return new Response(body, { headers: response.headers })
+  } else
+    return response
+}
+
+function toRecord (headers: RequestInit['headers']): Record<string, string> {
+  if (!(headers instanceof Headers))
+    headers = toHeaders(headers)
+
+  return Object.fromEntries(headers.entries())
+}
+
+function toHeaders (values?: Array<[string, string]> | Record<string, string | string[] | undefined>): Headers {
+  const headers = new Headers()
+
+  if (values === undefined)
+    return headers
+
+  if (Array.isArray(values))
+    for (const [name, value] of values)
+      headers.append(name, value)
+  else
+    for (const name in values) {
+      const value = values[name]
+
+      if (value === undefined)
+        continue
+
+      if (Array.isArray(value))
+        for (const v of value)
+          headers.append(name, v)
+      else
+        headers.append(name, value)
+    }
+
+  return headers
+}
+
+async function toBuffer (body: ReadableStream<Uint8Array> | null): Promise<Buffer | null> {
+  if (body === null)
+    return null
+
+  const buf = await buffer(Readable.fromWeb(body as ReadableStream))
+
+  return Buffer.from(buf)
+}
+
+interface Entry {
+  policy: Policy
+  body: Buffer | null
+}

package/components/identity.federation/source/lib/jwt.test.ts

@@ -1,8 +1,59 @@
-/* eslint-disable max-len */
+import * as http from 'node:http'
+
 /* eslint-disable @typescript-eslint/consistent-type-assertions */
-import { validateSignature, decodeJwt } from './jwt'
+import { once } from 'node:events'
+import { validateSignature, decodeJwt, validateJwtPayload } from './jwt'
+import { get } from './get'
+import type { AddressInfo } from 'node:net'
+import type { IdToken, JwtHeader, Trust } from '../types'
 
 describe('jwt', () => {
+  describe('validateJwtPayload', () => {
+    const jwtHeader: JwtHeader = { alg: 'HS256', kid: 'k1' }
+
+    const trusted: Trust[] = [{
+      iss: 'test-iss',
+      aud: ['test-aud1', 'test-aud2'],
+      secrets: { [jwtHeader.alg]: { [jwtHeader.kid!]: 'test-secrete' } }
+    }]
+
+    const validJwtPayload: IdToken = {
+      iss: trusted[0].iss,
+      sub: 'test-sub',
+      iat: Date.now() / 1000,
+      exp: Date.now() / 1000 + 2000,
+      aud: trusted[0].aud![1]
+    }
+
+    describe('aud', () => {
+      test('throws without it', () => {
+        const { aud, ...noAudPayload } = validJwtPayload
+
+        expect(() => validateJwtPayload(noAudPayload, trusted, jwtHeader)).toThrow('Payload is missing aud')
+      })
+
+      test('passes with a single string', () => {
+        expect(validJwtPayload.aud).toEqual(expect.any(String))
+        expect(() => validateJwtPayload(validJwtPayload, trusted, jwtHeader)).not.toThrow()
+      })
+
+      test('passes with an array', () => {
+        const arrayAudPayload = { ...validJwtPayload, aud: trusted[0].aud }
+
+        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
+        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader)).not.toThrow()
+      })
+
+      test('throws with an array that does not intersects', () => {
+        const arrayAudPayload = { ...validJwtPayload, aud: ['boo', 'foo'] }
+
+        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
+        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader))
+          .toThrow('Unknown audiences: boo, foo')
+      })
+    })
+  })
+
   test('decode', () => {
     const { header, payload } = decodeJwt('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg')
 
@@ -22,7 +73,7 @@ describe('jwt', () => {
       signature: '4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg',
       trusted: [
         {
-          issuer: 'test-issuer',
+          iss: 'test-issuer',
           secrets: {
             HS256: {
               k1: 'old-secret',
@@ -43,7 +94,7 @@ describe('jwt', () => {
       signature: 'signature',
       trusted: [
         {
-          issuer: 'test-issuer',
+          iss: 'test-issuer',
           secrets: {
             HS256: {
               theKey: 'secret'
@@ -53,4 +104,76 @@ describe('jwt', () => {
       ]
     } as Parameters<typeof validateSignature>[0])).rejects.toThrow('Signature does not match')
   })
+
+  describe('cache', () => {
+    let server: http.Server
+    // eslint-disable-next-line @typescript-eslint/no-invalid-void-type
+    const handler = jest.fn<void, [http.IncomingMessage, http.ServerResponse]>()
+    let endpoint: string
+
+    beforeAll(async () => {
+      server = http.createServer(handler)
+
+      server.listen(0, 'localhost')
+      await once(server, 'listening')
+
+      const { port } = server.address() as AddressInfo
+
+      endpoint = `http://localhost:${port}`
+    })
+
+    afterEach(() => {
+      handler.mockReset()
+    })
+
+    afterAll(async () => {
+      server.close()
+      await once(server, 'close')
+    })
+
+    test('fetches only once', async () => {
+      handler.mockImplementationOnce((req, res) => {
+        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'public, max-age=3600' })
+        res.end(JSON.stringify({ foo: 'bar' }))
+      }).mockImplementationOnce((req, res) => {
+        res.writeHead(500)
+        res.end()
+      })
+
+      const firstRequest = await get(endpoint)
+
+      expect(firstRequest.ok).toBe(true)
+
+      const json = await firstRequest.json()
+
+      expect(json).toEqual({ foo: 'bar' })
+
+      const secondRequest = await get(endpoint)
+
+      expect(secondRequest.ok).toBe(true)
+      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      expect(handler).toHaveBeenCalledTimes(1)
+    })
+
+    test('respects caching headers', async () => {
+      handler.mockImplementation((req, res) => {
+        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'no-cache' })
+        res.end(JSON.stringify({ foo: 'bar' }))
+      })
+
+      const firstRequest = await get(endpoint + '/no-cache')
+
+      expect(firstRequest.headers.get('cache-control')).toBe('no-cache')
+      expect(firstRequest.ok).toBe(true)
+      await expect(firstRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      const secondRequest = await get(endpoint + '/no-cache')
+
+      expect(secondRequest.ok).toBe(true)
+      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      expect(handler).toHaveBeenCalledTimes(2)
+    })
+  })
 })

package/components/identity.federation/source/lib/jwt.ts

@@ -1,7 +1,7 @@
 import crypto from 'node:crypto'
 import * as assert from 'node:assert'
-import { type JwtHeader, type IdToken } from '../types'
-import { type TrustConfiguration } from '../schemas'
+import { get } from './get'
+import type { JwtHeader, IdToken, Trust } from '../types'
 
 export function decodeJwt (token: string): {
   header: unknown
@@ -27,24 +27,33 @@ export function validateJwtHeader (header: unknown): asserts header is JwtHeader
 }
 
 export function validateJwtPayload (payload: unknown,
-  trusted: TrustConfiguration[] = [],
+  trusted: Trust[] = [],
   header: JwtHeader): asserts payload is IdToken {
   assert.ok(trusted.length > 0, 'No trusted issuers provided')
 
-  // full list of validations is
+  // the full list of validations is
   // at https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
   assert.ok(payload !== null && typeof payload === 'object', 'Payload is not an object')
 
   assert.ok('iss' in payload, 'Payload is missing iss')
   assert.ok(typeof payload.iss === 'string', 'Payload iss is not a string')
   assert.ok('aud' in payload, 'Payload is missing aud')
-  assert.ok(typeof payload.aud === 'string', 'Payload aud is not a string')
+  assert.ok(typeof payload.aud === 'string' ||
+    (Array.isArray(payload.aud) && payload.aud.every((e): e is string => typeof e === 'string')),
+  'Payload aud is not a string nor an array of strings')
 
-  const issuer = trusted.find((config) => config.issuer === payload.iss)
+  const issuer = trusted.find((config) => config.iss === payload.iss)
 
-  assert.ok(issuer !== undefined &&
-      (issuer.audience === undefined || issuer.audience.some((a) => a === payload.aud),
-      `Unknown issuer / audience: ${payload.iss} / ${payload.aud}`))
+  assert.ok(issuer, `Unknown issuer: ${payload.iss}`)
+
+  if (Array.isArray(issuer.aud)) {
+    const tokenAud = payload.aud
+
+    if (typeof tokenAud === 'string')
+      assert.ok(issuer.aud.some((a) => a === tokenAud), `Unknown audience: ${tokenAud}`)
+    else
+      assert.ok(issuer.aud.some((a) => tokenAud.includes(a)), `Unknown audiences: ${tokenAud.join(', ')}`)
+  }
 
   if (header.alg.startsWith('HS')) {
     const secrets = issuer.secrets
@@ -90,12 +99,12 @@ export async function validateSignature ({
   readonly payload: IdToken
   rawPayload: string
   signature: string
-  trusted?: TrustConfiguration[]
+  trusted?: Trust[]
 }): Promise<void> {
   if (alg.startsWith('HS')) {
     // symmetric algorithm, issuer is validated at this point
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- `kid` is validated
-    const secrets = trusted.find((c) => c.issuer === iss)!.secrets![alg]
+
+    const secrets = trusted.find((c) => c.iss === iss)!.secrets![alg]
     const secret = kid !== undefined ? secrets[kid] : Object.values(secrets)[0]
     const algorithm = alg.replace(/^HS(\d{3})$/, 'sha$1') // HS256 -> sha256
     const hmac = crypto.createHmac(algorithm, secret)
@@ -109,16 +118,14 @@ export async function validateSignature ({
   }
 
   // Getting issuer public keys
-  const oidcRequest = await fetch(`${iss}/.well-known/openid-configuration`, {
-    cache: 'default'
-  })
+  const oidcRequest = await get(new URL('/.well-known/openid-configuration', iss).href)
 
   assert.ok(oidcRequest.ok,
     `Failed to fetch OpenID configuration: ${oidcRequest.statusText}`)
 
   const { jwks_uri: jwksUri } = (await oidcRequest.json()) as { jwks_uri: string }
 
-  const jwkRequest = await fetch(jwksUri, { cache: 'default' })
+  const jwkRequest = await get(jwksUri)
 
   assert.ok(jwkRequest.ok, `Failed to fetch issuer keys: ${jwkRequest.statusText}`)
 
@@ -131,7 +138,7 @@ export async function validateSignature ({
 
   assert.ok(signingKeys.length > 0, 'No acceptable signing keys found')
 
-  assert.ok(kid === undefined || signingKeys.length === 1,
+  assert.ok(kid !== undefined || signingKeys.length === 1,
     'Signing key selection is not deterministic')
 
   const signingKey = kid === undefined ? signingKeys.find((k) => k.kid === kid) : keys[0]
@@ -152,12 +159,12 @@ export async function validateSignature ({
   assert.ok(signatureValid, 'Failed to validate signature')
 }
 
-export async function validateIdToken (token: string,
-  trusted?: TrustConfiguration[]): Promise<IdToken> {
+export async function decode (token: string, trusted?: Trust[]): Promise<IdToken> {
   const { header, payload, rawHeader, rawPayload, signature } = decodeJwt(token)
 
   validateJwtHeader(header)
   validateJwtPayload(payload, trusted, header)
+
   await validateSignature({
     header,
     rawHeader,

package/components/identity.federation/source/types/configuration.ts

@@ -0,0 +1,16 @@
+export interface Configuration {
+  implicit: boolean
+  trust?: Trust[]
+  principal?: Principal
+}
+
+export interface Trust {
+  iss: string
+  aud?: [string, ...string[]]
+  secrets?: Record<string, Record<string, string>>
+}
+
+interface Principal {
+  iss: string
+  sub: string
+}

package/components/identity.federation/source/{types.ts → types/context.ts}

@@ -1,10 +1,12 @@
 import { type Call, type Observation, type Query } from '@toa.io/types'
-import type { Schemas } from './schemas'
+import type { Entity } from './entity'
+import type { Configuration } from './configuration'
 
 export interface Context {
   local: {
-    observe: Observation<Entity & { id: string }>
+    observe: Observation<Entity>
     transit: Call<TransitOutput, TransitInput>
+    ensure: Call<EnsureOutput>
   }
   remote: {
     identity: {
@@ -13,12 +15,11 @@ export interface Context {
       }
     }
   }
-  configuration: Required<Schemas>['configuration']
+  configuration: Configuration
 }
 
-export type Entity = Required<Schemas>['entity']
-
 export interface TransitInput {
+  readonly authority: string
   readonly iss: string
   readonly sub: string
 }
@@ -27,6 +28,10 @@ export interface TransitOutput {
   id: string
 }
 
+export interface EnsureOutput {
+  id: string
+}
+
 interface IdentityTokensRevokeInput {
   query: Query
 }
@@ -43,14 +48,8 @@ export interface JwtHeader {
 export interface IdToken {
   iss: string
   sub: string
-  aud: string
+  aud: string | string[]
   exp: number
   iat: number
   nbf?: number
 }
-
-export interface AuthenticateOutput {
-  identity: {
-    id: string
-  }
-}

package/components/identity.federation/source/types/entity.ts

@@ -0,0 +1,6 @@
+export interface Entity {
+  id: string
+  authority: string
+  iss: string
+  sub: string
+}

package/components/identity.federation/source/types/index.ts

@@ -0,0 +1,3 @@
+export * from './configuration'
+export * from './context'
+export * from './entity'

package/components/identity.federation/tsconfig.json

@@ -1,9 +1,10 @@
 {
   "extends": "../../tsconfig.json",
   "compilerOptions": {
-    "outDir": "./operations"
+    "outDir": "./operations",
+    "module": "Node16",
+    "moduleResolution": "Node16",
+    "target": "ES2022"
   },
-  "include": [
-    "source"
-  ]
+  "include": ["source"]
 }

package/components/identity.roles/manifest.toa.yaml

@@ -4,10 +4,10 @@ name: roles
 entity:
   schema:
     identity*: string
-    role*: /^[a-zA-Z0-9]{1,16}(:[a-zA-Z0-9]{1,16}){0,8}$/
-    delegator: string
+    role*: /^[a-zA-Z0-9]{0,32}(:[a-zA-Z0-9]{0,32}){0,8}$/
+    grantor: string
   unique:
-    unique: [identity, role]
+    role: [identity, role]
 
 operations:
   grant:
@@ -15,7 +15,7 @@ operations:
     input:
       identity*: .
       role*: .
-      delegator:
+      grantor:
         id: string
         roles: [string]
   list:
@@ -26,16 +26,17 @@ operations:
 
 receivers:
   identity.basic.principal: principal
+  identity.federation.principal: principal
 
 exposition:
   isolated: true
   /:identity:
     auth:role: system:identity:roles
-    auth:rule:
-      delegate: delegator
-      role: system:identity:roles:delegation
     POST:
-      io:output: [id]
+      io:output: [id, grantor]
+      auth:rule:
+        delegate: grantor
+        role: system:identity:roles:delegation
       endpoint: grant
     GET:
       io:output: true # array of strings

package/components/identity.roles/operations/grant.d.ts

@@ -3,7 +3,7 @@ export declare function transition(input: Input, object: Entity): Promise<Entity
 export interface Input {
     identity: string;
     role: string;
-    delegator?: {
+    grantor?: {
         id: string;
         roles: string[];
     };

package/components/identity.roles/operations/grant.js

@@ -3,18 +3,19 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.transition = void 0;
 const error_value_1 = require("error-value");
 async function transition(input, object) {
-    if (input.delegator === undefined)
+    if (input.grantor === undefined)
         return Object.assign(object, input);
-    if (!allowed(input.role, input.delegator.roles))
+    if (!within('system:identity:roles', input.grantor.roles) &&
+        !within(input.role, input.grantor.roles))
         return ERR_OUT_OF_SCOPE;
     object.role = input.role;
     object.identity = input.identity;
-    object.delegator = input.delegator.id;
+    object.grantor = input.grantor.id;
     return object;
 }
 exports.transition = transition;
-function allowed(scope, roles) {
-    return roles.some((role) => scope.startsWith(role));
+function within(role, scopes) {
+    return scopes.some((scope) => role === scope || role.startsWith(scope + ':'));
 }
 const ERR_OUT_OF_SCOPE = (0, error_value_1.Err)('OUT_OF_SCOPE');
 //# sourceMappingURL=grant.js.map

package/components/identity.roles/operations/grant.js.map

@@ -1 +1 @@
-{"version":3,"file":"grant.js","sourceRoot":"","sources":["../source/grant.ts"],"names":[],"mappings":";;;AAAA,6CAAiC;AAG1B,KAAK,UAAU,UAAU,CAAE,KAAY,EAAE,MAAc;IAC5D,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS;QAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IAErC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC;QAC7C,OAAO,gBAAgB,CAAA;IAEzB,MAAM,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAA;IACxB,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;IAChC,MAAM,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,EAAE,CAAA;IAErC,OAAO,MAAM,CAAA;AACf,CAAC;AAZD,gCAYC;AAED,SAAS,OAAO,CAAE,KAAa,EAAE,KAAe;IAC9C,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAA;AACrD,CAAC;AAED,MAAM,gBAAgB,GAAG,IAAA,iBAAG,EAAC,cAAc,CAAC,CAAA"}
+{"version":3,"file":"grant.js","sourceRoot":"","sources":["../source/grant.ts"],"names":[],"mappings":";;;AAAA,6CAAiC;AAG1B,KAAK,UAAU,UAAU,CAAE,KAAY,EAAE,MAAc;IAC5D,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS;QAC7B,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IAErC,IAAI,CAAC,MAAM,CAAC,uBAAuB,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACvD,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACxC,OAAO,gBAAgB,CAAA;IAEzB,MAAM,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAA;IACxB,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;IAChC,MAAM,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAA;IAEjC,OAAO,MAAM,CAAA;AACf,CAAC;AAbD,gCAaC;AAED,SAAS,MAAM,CAAE,IAAY,EAAE,MAAgB;IAC7C,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,CAAA;AAC/E,CAAC;AAED,MAAM,gBAAgB,GAAG,IAAA,iBAAG,EAAC,cAAc,CAAC,CAAA"}

package/components/identity.roles/operations/lib/Entity.d.ts

@@ -1,5 +1,5 @@
 export interface Entity {
     identity: string;
     role: string;
-    delegator?: string;
+    grantor?: string;
 }