@toa.io/extensions.exposition 1.0.0-alpha.11 → 1.0.0-alpha.111

package/source/RTD/syntax/types.ts

@@ -1,6 +1,7 @@
 export interface Node {
   protected?: boolean
   isolated?: boolean
+  forward?: string
   routes: Route[]
   methods: Method[]
   directives: Directive[]
@@ -27,17 +28,18 @@ export interface Mapping {
   namespace?: string
   component?: string
   endpoint: string
-  query?: Query
+  query?: Query | null
 }
 
 export interface Query {
   id?: string
   criteria?: string
   sort?: string
-  omit: Range
-  limit: Range
+  omit?: Range
+  limit?: Range
   selectors?: string[]
   projection?: string[]
+  parameters?: string[]
 }
 
 export interface Range {
@@ -45,4 +47,4 @@ export interface Range {
   range: [number, number]
 }
 
-export const verbs = new Set<string>(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'])
+export const verbs = new Set<string>(['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'LOCK', 'UNLOCK'])

package/source/Remotes.ts

@@ -1,24 +1,25 @@
-import { Locator, Connector, type Component } from '@toa.io/core'
+import { Locator, Connector, type Remote } from '@toa.io/core'
 import { type Bootloader } from './Factory'
 
 export class Remotes extends Connector {
   private readonly boot: Bootloader
-  private readonly remotes: Record<string, Promise<Component>> = {}
+  private readonly cache: Record<string, Promise<Remote>> = {}
 
   public constructor (boot: Bootloader) {
     super()
     this.boot = boot
   }
 
-  public async discover (namespace: string, name: string): Promise<Component> {
+  public async discover (namespace: string, name: string, version: string = 'local'): Promise<Remote> {
     const locator = new Locator(name, namespace)
+    const key = locator.id + ':' + version
 
-    this.remotes[locator.id] ??= this.create(locator)
+    this.cache[key] ??= this.locate(locator)
 
-    return await this.remotes[locator.id]
+    return this.cache[key]
   }
 
-  private async create (locator: Locator): Promise<Component> {
+  private async locate (locator: Locator): Promise<Remote> {
     const remote = await this.boot.remote(locator)
 
     this.depends(remote)

package/source/Tenant.ts

@@ -1,23 +1,17 @@
-import { Connector, type Locator, type bindings } from '@toa.io/core'
-import { type Label } from './discovery'
-import { type Branch } from './Branch'
-import type * as RTD from './RTD/syntax'
+import { Connector } from '@toa.io/core'
+import type { bindings } from '@toa.io/core'
+import type { Label } from './discovery'
+import type { Branch } from './Branch'
 
 export class Tenant extends Connector {
   private readonly broadcast: Broadcast
   private readonly branch: Branch
 
-  public constructor (broadcast: Broadcast, locator: Locator, node: RTD.Node) {
+  public constructor (broadcast: Broadcast, branch: Branch) {
     super()
 
     this.broadcast = broadcast
-
-    this.branch = {
-      namespace: locator.namespace,
-      component: locator.name,
-      isolated: locator.namespace === 'identity',
-      node
-    }
+    this.branch = branch
 
     this.depends(broadcast)
   }
@@ -25,14 +19,6 @@ export class Tenant extends Connector {
   public override async open (): Promise<void> {
     await this.expose()
     await this.broadcast.receive('ping', this.expose.bind(this))
-
-    console.info('Exposition Tenant for ' +
-      `'${this.branch.namespace}.${this.branch.component}' has started.`)
-  }
-
-  public override async dispose (): Promise<void> {
-    console.info('Exposition Tenant for ' +
-      `'${this.branch.namespace}.${this.branch.component}' has been stopped.`)
   }
 
   private async expose (): Promise<void> {

package/source/deployment.ts

@@ -1,3 +1,4 @@
+import assert from 'node:assert'
 import { type Dependency, type Service } from '@toa.io/operations'
 import { encode } from '@toa.io/generic'
 import { type Annotation } from './Annotation'
@@ -5,50 +6,59 @@ import * as schemas from './schemas'
 import { shortcuts } from './Directive'
 import { components } from './Composition'
 import { parse } from './RTD/syntax'
+import { DELAY, PORT } from './HTTP'
+
+export function deployment (_: unknown, annotation?: Annotation): Dependency {
+  assert.ok(annotation !== undefined, 'Exposition context annotation is required')
+  schemas.annotation.validate(annotation)
 
-export function deployment (_: unknown, annotation: Annotation | undefined): Dependency {
   const labels = components().labels
 
   const service: Service = {
     group: 'exposition',
     name: 'gateway',
-    port: 8000,
+    port: PORT,
     // eslint-disable-next-line @typescript-eslint/no-var-requires
     version: require('../package.json').version,
     variables: [],
-    components: labels
-  }
-
-  if (annotation?.host !== undefined)
-    service.ingress = {
-      host: annotation.host,
-      class: annotation.class,
-      annotations: annotation.annotations
+    components: labels,
+    ingress: { default: true, hosts: [] },
+    probe: {
+      path: '/.ready',
+      port: PORT,
+      delay: DELAY
     }
+  }
 
   if (annotation?.['/'] !== undefined) {
     const tree = parse(annotation['/'], shortcuts)
 
-    service.variables.push({
+    service.variables!.push({
       name: 'TOA_EXPOSITION',
       value: encode(tree)
     })
   }
 
-  if (annotation?.debug === true)
-    service.variables.push({
-      name: 'TOA_EXPOSITION_DEBUG',
-      value: '1'
-    })
+  const { debug, trace, authorities } = annotation
 
-  if (annotation?.trace === true)
-    service.variables.push({
-      name: 'TOA_EXPOSITION_TRACE',
-      value: '1'
-    })
+  service.ingress!.hosts = Object.values(authorities)
+  service.ingress!.class = annotation.class
+  service.ingress!.annotations = annotation.annotations
+
+  const properties: Properties = { authorities }
+
+  if (debug === true)
+    properties.debug = true
 
-  if (annotation !== undefined)
-    schemas.annotaion.validate(annotation)
+  if (trace === true)
+    properties.trace = true
+
+  service.variables!.push({
+    name: 'TOA_EXPOSITION_PROPERTIES',
+    value: encode(properties)
+  })
 
   return { services: [service] }
 }
+
+type Properties = Pick<Annotation, 'authorities' | 'debug' | 'trace'>

package/source/directives/auth/Anonymous.ts

@@ -1,4 +1,4 @@
-import { type Directive, type Input } from './types'
+import { type Directive, type Context } from './types'
 
 export class Anonymous implements Directive {
   private readonly allow: boolean
@@ -7,8 +7,8 @@ export class Anonymous implements Directive {
     this.allow = allow
   }
 
-  public authorize (_: any, input: Input): boolean {
-    return 'authorization' in input.request.headers
+  public authorize (_: any, context: Context): boolean {
+    return 'authorization' in context.request.headers
       ? false
       : this.allow
   }

package/source/directives/auth/Anyone.ts

@@ -0,0 +1,13 @@
+import { type Directive, type Context } from './types'
+
+export class Anyone implements Directive {
+  private readonly allow: boolean
+
+  public constructor (allow: boolean) {
+    this.allow = allow
+  }
+
+  public authorize (_: any, context: Context): boolean {
+    return context.identity !== null && this.allow
+  }
+}

package/source/directives/auth/Authorization.ts

@@ -1,5 +1,7 @@
 import assert from 'node:assert'
 import { match } from 'matchacho'
+import { console } from 'openspan'
+import { minimatch } from 'minimatch'
 import * as http from '../../HTTP'
 import { Anonymous } from './Anonymous'
 import { Id } from './Id'
@@ -9,6 +11,9 @@ import { Incept } from './Incept'
 import { Echo } from './Echo'
 import { Scheme } from './Scheme'
 import { Delegate } from './Delegate'
+import { Federation } from './Federation'
+import { Anyone } from './Anyone'
+import { Input } from './Input'
 import { split } from './split'
 import { PRIMARY, PROVIDERS } from './schemes'
 import type { Output } from '../../io'
@@ -22,7 +27,7 @@ import type {
   Discovery,
   Extension,
   Identity,
-  Input,
+  Context,
   Remote,
   Schemes
 } from './types'
@@ -39,7 +44,7 @@ export class Authorization implements DirectiveFamily<Directive, Extension> {
 
   public create (name: string, value: any, remotes: Remotes): Directive {
     assert.ok(name in constructors,
-      `Directive '${name}' is not provided by the '${this.name}' family.`)
+      `Directive 'auth:${name}' is not implemented`)
 
     const Class = constructors[name]
 
@@ -49,70 +54,90 @@ export class Authorization implements DirectiveFamily<Directive, Extension> {
     return match(Class,
       Role, () => new Role(value as string | string[], this.discovery.roles),
       Rule, () => new Rule(value as Record<string, string>, this.create.bind(this)),
+      Input, () => new Input(value, this.create.bind(this)),
       Incept, () => new Incept(value as string, this.discovery),
+      Delegate, () => new Delegate(value as string, this.discovery.roles),
       () => new Class(value))
   }
 
   public async preflight (directives: Directive[],
-    input: Input,
+    context: Context,
     parameters: Parameter[]): Promise<Output> {
-    const identity = await this.resolve(input.request.headers.authorization)
-
-    input.identity = identity
+    context.identity = await this.resolve(context.authority, context.request.headers.authorization)
+    directives.sort((a, b) => (a.priority ?? 1) - (b.priority ?? 1))
 
     for (const directive of directives) {
-      const allow = await directive.authorize(identity, input, parameters)
+      const allow = await directive.authorize(context.identity, context, parameters)
 
       if (allow)
-        return directive.reply?.(identity) ?? null
+        if (this.permitted(context))
+          return directive.reply?.(context) ?? null
+        else
+          throw new http.Forbidden()
     }
 
-    if (identity === null)
+    if (context.identity === null)
       throw new http.Unauthorized()
     else
       throw new http.Forbidden()
   }
 
   public async settle (directives: Directive[],
-    request: Input,
+    context: Context,
     response: http.OutgoingMessage): Promise<void> {
-    for (const directive of directives) await directive.settle?.(request, response)
+    await Promise.all(directives.map(async (directive) =>
+      directive.settle?.(context, response)))
 
-    const identity = request.identity
+    const identity = context.identity
 
-    if (identity === null) return
+    if (identity === null)
+      return
 
-    if (identity.scheme === PRIMARY && !identity.refresh) return
+    if (identity.scheme === PRIMARY && !identity.refresh)
+      return
 
     // Role directive may have already set the value
-    if (identity.roles === undefined) await Role.set(identity, this.discovery.roles)
-
+    identity.roles ??= await Role.get(identity, this.discovery.roles)
     this.tokens ??= await this.discovery.tokens
 
-    const token = await this.tokens.invoke<string>('encrypt', { input: { identity } })
-    const authorization = `Token ${token}`
+    const token = await this.tokens.invoke<string>('encrypt', {
+      input: { authority: context.authority, identity }
+    })
 
-    if (response.headers === undefined) response.headers = new Headers()
+    const authorization = `Token ${token}`
 
+    response.headers ??= new Headers()
     response.headers.set('authorization', authorization)
+    response.headers.set('cache-control', 'no-store')
   }
 
-  private async resolve (authorization: string | undefined): Promise<Identity | null> {
-    if (authorization === undefined) return null
+  private async resolve (authority: string, authorization: string | undefined): Promise<Identity | null> {
+    if (authorization === undefined)
+      return null
 
     const [scheme, credentials] = split(authorization)
     const provider = PROVIDERS[scheme]
 
     if (!(provider in this.discovery))
-      throw new http.Unauthorized(`Unknown authentication scheme '${scheme}'.`)
+      throw new http.Unauthorized(`Unknown authentication scheme '${scheme}'`)
 
     this.schemes[scheme] ??= await this.discovery[provider]
 
     const result = await this.schemes[scheme].invoke<AuthenticationResult>('authenticate', {
-      input: credentials
+      input: {
+        authority,
+        credentials
+      }
     })
 
-    if (result instanceof Error) return null
+    if (result instanceof Error) {
+      const code: string | unknown = (result as unknown as { code: string }).code
+
+      if (typeof code === 'string')
+        console.info('Authentication failed', { code })
+
+      return null
+    }
 
     const identity = result.identity
 
@@ -124,6 +149,18 @@ export class Authorization implements DirectiveFamily<Directive, Extension> {
     return identity
   }
 
+  private permitted (context: Context): boolean {
+    const permissions = context.identity?.permissions
+
+    if (permissions === undefined)
+      return true
+
+    return Object.entries(permissions).some(([pattern, methods]) => {
+      return methods.some((method) => method === '*' || method === context.request.method) &&
+        minimatch(context.request.url, pattern)
+    })
+  }
+
   private async banned (identity: Identity): Promise<boolean> {
     this.bans ??= await this.discovery.bans
 
@@ -135,13 +172,16 @@ export class Authorization implements DirectiveFamily<Directive, Extension> {
 
 const constructors: Record<string, new (value: any, argument?: any) => Directive> = {
   anonymous: Anonymous,
+  anyone: Anyone,
   id: Id,
   role: Role,
   rule: Rule,
   incept: Incept,
   scheme: Scheme,
   echo: Echo,
-  delegate: Delegate
+  delegate: Delegate,
+  claims: Federation,
+  input: Input
 }
 
 const REMOTES: Remote[] = ['basic', 'federation', 'tokens', 'roles', 'bans']

package/source/directives/auth/Delegate.ts

@@ -1,26 +1,33 @@
 import { BadRequest } from '../../HTTP'
-import { type Directive, type Identity } from './types'
-import type { Input } from '../../io'
+import { Role } from './Role'
+import type { Context, Directive, Identity } from './types'
+import type { Component } from '@toa.io/core'
 
 export class Delegate implements Directive {
   private readonly property: string
+  private readonly discovery: Promise<Component>
 
-  public constructor (property: string) {
+  public constructor (property: string, discovery: Promise<Component>) {
     this.property = property
+    this.discovery = discovery
   }
 
-  public authorize (identity: Identity | null, context: Input): boolean {
+  public async authorize (identity: Identity | null, context: Context): Promise<boolean> {
     if (identity === null)
       return false
 
+    identity.roles ??= await Role.get(identity, this.discovery)
     context.pipelines.body.push((body) => this.embed(body, identity))
 
     return true
   }
 
   private embed (body: unknown, identity: Identity): Record<string, unknown> {
+    if (body === undefined)
+      body = {}
+
     check(body)
-    body[this.property] = identity
+    body[this.property] = structuredClone(identity)
 
     return body
   }
@@ -28,5 +35,5 @@ export class Delegate implements Directive {
 
 function check (body: unknown): asserts body is Record<string, unknown> {
   if (typeof body !== 'object' || body === null)
-    throw new BadRequest('Invalid request body.')
+    throw new BadRequest('Invalid request body')
 }

package/source/directives/auth/Echo.ts

@@ -1,12 +1,22 @@
-import { type OutgoingMessage } from '../../HTTP'
-import { type Directive, type Identity } from './types'
+import { create } from './create'
+import type { OutgoingMessage } from '../../HTTP'
+import type { Directive, Identity, Context } from './types'
 
 export class Echo implements Directive {
-  public authorize (identity: Identity | null): boolean {
-    return identity !== null
+  public authorize (identity: Identity | null, context: Context): boolean {
+    if (identity === null && 'authorization' in context.request.headers)
+      return false
+
+    context.identity ??= create()
+
+    return true
   }
 
-  public reply (identity: Identity | null): OutgoingMessage {
-    return { body: identity }
+  public reply (context: Context): OutgoingMessage {
+    const body = context.identity!
+
+    return body.scheme === null
+      ? { status: 201, body }
+      : { body }
   }
 }

package/source/directives/auth/Federation.ts

@@ -0,0 +1,84 @@
+import assert from 'node:assert'
+import type { Directive, Identity, Context } from './types'
+import type { Parameter } from '../../RTD'
+
+export class Federation implements Directive {
+  private readonly matchers: Array<[keyof Claims, Matcher]>
+
+  public constructor (options: Options) {
+    this.matchers = (Object.entries(options) as Array<[keyof Claims, string]>)
+      .map(([key, value]) => [key, toMatcher(value)])
+
+    assert.ok(this.matchers.length > 0, '`auth:claims` requires at least one property defined')
+  }
+
+  public authorize (identity: Identity | null, context: Context, parameters: Parameter[]): boolean {
+    if (identity === null || !('claims' in identity))
+      return false
+
+    const claims = (identity as FederatedIdentity).claims
+
+    for (const [key, match] of this.matchers)
+      if (!match(claims[key], context, parameters))
+        return false
+
+    return true
+  }
+}
+
+function toMatcher (expression: string): Matcher {
+  if (expression.startsWith(':')) {
+    const key = expression.slice(1) as 'authority'
+
+    if (key === 'authority')
+      return (value, context) => matches(value, context[key])
+
+    if (key === 'domain')
+      return (value, context) => {
+        return Array.isArray(value)
+          ? value.some((iss) => codomain(iss, context))
+          : codomain(value, context)
+      }
+
+    throw new Error('Unknown `auth:claims` syntax: ' + expression)
+  }
+
+  if (expression.startsWith('/:')) {
+    const name = expression.slice(2)
+
+    return (value, _, parameters) => parameters
+      .some((parameter) => parameter.name === name && matches(value, parameter.value))
+  }
+
+  return (value) => matches(value, expression)
+}
+
+function matches (value: string | string[], reference: string): boolean {
+  return Array.isArray(value)
+    ? value.includes(reference)
+    : value === reference
+}
+
+function codomain (iss: string, context: Context): boolean {
+  const hostname = new URL(iss).hostname
+  const dot = hostname.indexOf('.')
+  const basename = dot === -1 ? hostname : hostname.slice(dot)
+
+  return context.authority.slice(-basename.length) === basename
+}
+
+type Matcher = (value: string | string[], context: Context, parameters: Parameter[]) => boolean
+
+interface Claims {
+  iss: string
+  sub: string
+  aud: string | string[]
+}
+
+interface Options extends Partial<Claims> {
+  iss: string
+}
+
+interface FederatedIdentity extends Identity {
+  claims: Claims
+}

package/source/directives/auth/Id.ts

@@ -8,7 +8,7 @@ export class Id implements Directive {
     this.parameter = parameter
   }
 
-  public authorize (identity: Identity | null, _: any, parameters: Parameter[]): boolean {
+  public authorize (identity: Identity | null, _: unknown, parameters: Parameter[]): boolean {
     if (identity === null)
       return false
 

package/source/directives/auth/Incept.ts

@@ -1,47 +1,62 @@
+import assert from 'node:assert'
 import { type Maybe } from '@toa.io/types'
 import * as http from '../../HTTP'
-import { type Directive, type Discovery, type Identity, type Input, type Schemes } from './types'
+import { type Directive, type Discovery, type Identity, type Context, type Schemes } from './types'
 import { split } from './split'
+import { create } from './create'
 import { PROVIDERS } from './schemes'
 
 export class Incept implements Directive {
-  private readonly property: string
+  private readonly property: string | null
   private readonly discovery: Discovery
   private readonly schemes: Schemes = {} as unknown as Schemes
 
   public constructor (property: string, discovery: Discovery) {
+    assert.ok(property === null || typeof property === 'string',
+      '`auth:incept` value must be a string or null')
+
     this.property = property
     this.discovery = discovery
   }
 
-  public authorize (identity: Identity | null, input: Input): boolean {
-    return identity === null && 'authorization' in input.request.headers
+  public authorize (identity: Identity | null, context: Context): boolean {
+    return identity === null && 'authorization' in context.request.headers
+  }
+
+  public reply (context: Context): http.OutgoingMessage | null {
+    if (this.property !== null)
+      return null
+
+    const body = create(context.request.headers.authorization)
+
+    return { body }
   }
 
-  public async settle (input: Input, response: http.OutgoingMessage): Promise<void> {
-    const id = response.body?.[this.property]
+  public async settle (context: Context, response: http.OutgoingMessage): Promise<void> {
+    const id = response.body?.[this.property ?? 'id']
 
     if (id === undefined)
       throw new http.Conflict('Identity inception has failed as the response body ' +
-        ` does not contain the '${this.property}' property.`)
+        `does not contain the '${this.property}' property`)
 
-    const [scheme, credentials] = split(input.request.headers.authorization!)
+    const [scheme, credentials] = split(context.request.headers.authorization!)
     const provider = PROVIDERS[scheme]
 
     this.schemes[scheme] ??= await this.discovery[provider]
 
     const identity = await this.schemes[scheme]
-      .invoke<Maybe<Identity>>('create', {
+      .invoke<Maybe<Identity>>('incept', {
       input: {
+        authority: context.authority,
         id,
         credentials
       }
     })
 
     if (identity instanceof Error)
-      throw new http.Conflict(identity)
+      throw new http.UnprocessableEntity(identity)
 
-    input.identity = identity
-    input.identity.scheme = scheme
+    context.identity = identity
+    context.identity.scheme = scheme
   }
 }