@toa.io/extensions.exposition 1.0.0-alpha.11 → 1.0.0-alpha.111

package/components/identity.tokens/source/decrypt.ts

@@ -1,33 +1,104 @@
 import { V3 } from 'paseto'
-import { type Maybe } from '@toa.io/types'
-import { type Context, type Claim, type DecryptOutput } from './types'
+import { Err } from 'error-value'
+import { LRUCache } from 'lru-cache'
+import type { Maybe, Operation } from '@toa.io/types'
+import type { Context, Claims, DecryptOutput } from './lib'
 
-export async function computation (token: string, context: Context):
-Promise<Maybe<DecryptOutput>> {
-  let refresh = false
-  let claim = await decrypt(token, context.configuration.key0)
+export class Computation implements Operation {
+  private keys: Record<string, Key> = {}
+  private cache!: LRUCache<string, KeyEntry>
+  private latest!: string
+  private remote!: Context['remote']['identity']['keys']
 
-  if (claim === null && context.configuration.key1 !== undefined) {
-    refresh = true
-    claim = await decrypt(token, context.configuration.key1)
+  public mount (context: Context): void {
+    this.latest = Object.keys(context.configuration.keys)[0]
+    this.remote = context.remote.identity.keys
+    this.cache = new LRUCache<string, KeyEntry>(context.configuration.cache)
+
+    for (const [kid, key] of Object.entries(context.configuration.keys))
+      this.keys[kid] = { key }
   }
 
-  if (claim === null)
-    return ERR_INVALID_TOKEN
-  else return {
-    identity: claim.identity,
-    iat: claim.iat,
-    exp: claim.exp,
-    refresh
+  public async execute (token: string): Promise<Maybe<DecryptOutput>> {
+    const kid = this.kid(token)
+
+    if (kid instanceof Error)
+      return kid
+
+    const key = await this.key(kid)
+
+    if (key instanceof Error)
+      return key
+
+    const claims = await decrypt(token, key.key)
+
+    if (claims instanceof Error)
+      return claims
+
+    if (key.identity !== undefined && claims.identity.id !== key.identity)
+      return ERR_FORGED_KEY
+
+    return {
+      iss: claims.iss,
+      iat: claims.iat,
+      exp: claims.exp,
+      identity: claims.identity,
+      refresh: kid !== this.latest && key.identity === undefined
+    }
+  }
+
+  private kid (token: string): Maybe<string> {
+    const [, , , footer] = token.split('.')
+
+    if (footer === undefined)
+      return ERR_INVALID_TOKEN
+
+    try {
+      const json = Buffer.from(footer, 'base64url').toString('utf-8')
+      const { kid } = JSON.parse(json)
+
+      if (typeof kid !== 'string')
+        return ERR_INVALID_TOKEN
+
+      return kid
+    } catch {
+      return ERR_INVALID_TOKEN
+    }
+  }
+
+  private async key (kid: string): Promise<Maybe<Key>> {
+    if (kid in this.keys)
+      return this.keys[kid]
+
+    if (!this.cache.has(kid)) {
+      const value = await this.remote.observe({ query: { id: kid } })
+
+      this.cache.set(kid, { value })
+    }
+
+    const entry = this.cache.get(kid)
+
+    return entry?.value ?? ERR_INVALID_KEY
   }
 }
 
-async function decrypt (token: string, key: string): Promise<Claim | null> {
+async function decrypt (token: string, key: string): Promise<Maybe<Claims>> {
   try {
-    return await V3.decrypt<Claim>(token, key)
+    return await V3.decrypt<Claims>(token, key)
   } catch {
-    return null
+    return ERR_INVALID_TOKEN
   }
 }
 
-const ERR_INVALID_TOKEN = new Error('INVALID_TOKEN')
+interface Key {
+  key: string
+  identity?: string
+}
+
+interface KeyEntry {
+  value: Key | null
+}
+
+const ERR_INVALID_TOKEN = new Err('INVALID_TOKEN')
+const ERR_INVALID_KEY = new Err('INVALID_KEY')
+const ERR_FORGED_KEY = new Err('FORGED_KEY')

package/components/identity.tokens/source/encrypt.test.ts

@@ -1,35 +1,90 @@
+import assert from 'node:assert'
 import { generate } from 'randomstring'
 import { timeout } from '@toa.io/generic'
 import { Effect as Encrypt } from './encrypt'
-import { computation as decrypt } from './decrypt'
-import { type Context, type Identity } from './types'
+import { Computation as Decrypt } from './decrypt'
+import { type Context, type Identity } from './lib'
 
 let encrypt: Encrypt
+let decrypt: Decrypt
 
-const context: Context = {} as unknown as Context
+const context: Context = { remote: { identity: { keys: null } } } as unknown as Context
+const authority = generate()
 
 beforeEach(() => {
   context.configuration = {
-    key0: 'k3.local.m28p8SrbS467t-2IUjQuSOqmjvi24TbXhyjAW_dOrog',
-    lifetime: 1000,
-    refresh: 2
+    keys: {
+      key0: 'k3.local.m28p8SrbS467t-2IUjQuSOqmjvi24TbXhyjAW_dOrog'
+    },
+    lifetime: 1,
+    refresh: 2,
+    cache: {
+      max: 1024,
+      ttl: 3
+    }
   }
 
   encrypt = new Encrypt()
   encrypt.mount(context)
+
+  decrypt = new Decrypt()
+  decrypt.mount(context)
+})
+
+it('should encrypt with configured lifetime by default', async () => {
+  const identity: Identity = { id: generate(), roles: [] }
+
+  const encrypted = await encrypt.execute({
+    authority,
+    identity
+  })
+
+  if (encrypted instanceof Error)
+    throw encrypted
+
+  await expect(decrypt.execute(encrypted)).resolves.toMatchObject({ iss: authority, identity })
+
+  await timeout(context.configuration.lifetime * 1000)
+
+  await expect(decrypt.execute(encrypted)).resolves.toMatchObject({ code: 'INVALID_TOKEN' })
 })
 
 it('should encrypt with given lifetime', async () => {
-  const identity: Identity = { id: generate() }
+  const identity: Identity = { id: generate(), roles: [] }
   const lifetime = 0.1
-  const encrypted = await encrypt.execute({ identity, lifetime })
 
-  if (encrypted === undefined)
-    throw new Error('?')
+  const encrypted = await encrypt.execute({
+    authority,
+    identity,
+    lifetime
+  })
 
-  await expect(decrypt(encrypted, context)).resolves.toMatchObject({ identity })
+  if (encrypted instanceof Error)
+    throw encrypted
+
+  await expect(decrypt.execute(encrypted)).resolves.toMatchObject({ iss: authority, identity })
 
   await timeout(lifetime * 1000)
 
-  await expect(decrypt(encrypted, context)).resolves.toMatchObject({ message: 'INVALID_TOKEN' })
+  await expect(decrypt.execute(encrypted)).resolves.toMatchObject({ code: 'INVALID_TOKEN' })
+})
+
+it('should encrypt without lifetime INSECURE', async () => {
+  const identity: Identity = { id: generate(), roles: [] }
+  const lifetime = 0
+
+  const encrypted = await encrypt.execute({
+    authority,
+    identity,
+    lifetime
+  })
+
+  if (encrypted instanceof Error)
+    throw encrypted
+
+  const decrypted = await decrypt.execute(encrypted)
+
+  assert.ok(!(decrypted instanceof Error))
+
+  expect(decrypted.identity).toMatchObject(identity)
 })

package/components/identity.tokens/source/encrypt.ts

@@ -1,25 +1,53 @@
 import { V3 } from 'paseto'
-import { type Operation } from '@toa.io/types'
-import { type Claim, type Context, type EncryptInput } from './types'
+import { Err } from 'error-value'
+import type { Operation, Maybe } from '@toa.io/types'
+import type { Identity, Claims, Context, EncryptInput, Key } from './lib'
 
 export class Effect implements Operation {
-  private key: string = ''
-  private lifetime: number = 0
+  private key!: Pick<Key, 'id' | 'key'>
+  private lifetime!: number
 
   public mount (context: Context): void {
-    this.key = context.configuration.key0
+    const [id, secret] = Object.entries(context.configuration.keys)[0]
+
+    this.key = { id, key: secret }
     this.lifetime = context.configuration.lifetime * 1000
   }
 
-  public async execute (input: EncryptInput): Promise<string> {
-    const lifetime = input.lifetime === undefined ? this.lifetime : input.lifetime * 1000
+  public async execute (input: EncryptInput): Promise<Maybe<string>> {
+    if (input.scopes?.some((scope) => !within(scope, input.identity.roles)) === true)
+      return ERR_INACCESSIBLE_SCOPE
+
+    const lifetime = input.lifetime === undefined ? this.lifetime : (input.lifetime * 1000)
 
     const exp = lifetime === 0
       ? undefined
       : new Date(Date.now() + lifetime).toISOString()
 
-    const payload: Partial<Claim> = { identity: input.identity, exp }
+    const identity: Identity = {
+      id: input.identity.id,
+      roles: input.scopes ?? input.identity.roles
+    }
+
+    if (input.permissions !== undefined)
+      identity.permissions = input.permissions
+
+    const payload: Partial<Claims> = {
+      identity,
+      iss: input.authority
+    }
+
+    if (exp !== undefined)
+      payload.exp = exp
 
-    return await V3.encrypt(payload, this.key)
+    const key = input.key ?? this.key
+
+    return await V3.encrypt(payload, key.key, { footer: { kid: key.id } })
   }
 }
+
+function within (scope: string, roles: string[]): boolean {
+  return roles.some((role) => role === scope || scope.startsWith(role + ':'))
+}
+
+const ERR_INACCESSIBLE_SCOPE = new Err('INACCESSIBLE_SCOPE')

package/components/identity.tokens/source/issue.ts

@@ -0,0 +1,80 @@
+import type { Maybe, Operation } from '@toa.io/types'
+import type { Context, Identity } from './lib'
+
+export class Effect implements Operation {
+  private keys!: Context['remote']['identity']['keys']
+  private roles!: Context['remote']['identity']['roles']
+  private encrypt!: Context['local']['encrypt']
+  private lifetime!: number
+
+  public mount (context: Context): void {
+    this.keys = context.remote.identity.keys
+    this.roles = context.remote.identity.roles
+    this.encrypt = context.local.encrypt
+    this.lifetime = context.configuration.lifetime * 1000
+  }
+
+  public async execute (input: Input): Promise<Maybe<Output>> {
+    const expires = input.lifetime === 0
+      ? undefined
+      : new Date(Date.now() + input.lifetime * 1000).getTime()
+
+    const key = await this.keys.create({
+      input: {
+        identity: input.identity,
+        label: input.label,
+        expires
+      }
+    })
+
+    const roles = await this.roles.list({
+      query: {
+        criteria: `identity==${input.identity}`,
+        limit: 1024
+      }
+    })
+
+    const identity: Identity = {
+      id: input.identity,
+      roles
+    }
+
+    const { authority, lifetime, scopes, permissions } = input
+
+    const token = await this.encrypt({
+      input: {
+        authority,
+        identity,
+        lifetime,
+        scopes,
+        permissions,
+        key
+      }
+    })
+
+    if (token instanceof Error)
+      return token
+
+    return {
+      kid: key.id,
+      // technically, the token expires some time later
+      ...(expires !== undefined && { exp: expires }),
+      token
+    }
+  }
+}
+
+interface Input {
+  authority: string
+  identity: string
+  lifetime: number
+  label: string
+  scopes?: string[]
+  permissions?: Record<string, string[]>
+}
+
+interface Output {
+  kid: string
+  exp?: number
+  token: string
+}

package/components/identity.tokens/source/lib/index.ts

@@ -0,0 +1,2 @@
+export * from './pad'
+export * from './types'

package/components/identity.tokens/source/lib/pad.ts

@@ -0,0 +1 @@
+export const PAD = 'v3.local.'

package/components/identity.tokens/source/lib/paseto.test.ts

@@ -0,0 +1,16 @@
+import { V3 } from 'paseto'
+
+it('should be ok', async () => {
+  const payload = { iss: 'test', sub: 'me' }
+  const key = await V3.generateKey('local', { format: 'paserk' })
+  const token = await V3.encrypt(payload, key, { footer: 'key0' })
+  const [, , , footer] = token.split('.')
+  const kid = Buffer.from(footer, 'base64url').toString('utf-8')
+
+  console.log(footer, kid)
+  console.log(key)
+
+  const decrypted = await V3.decrypt(token, key)
+
+  console.log(decrypted)
+})

package/components/identity.tokens/source/lib/types.ts

@@ -0,0 +1,85 @@
+import type { Call, Maybe, Observation } from '@toa.io/types'
+
+export interface Context {
+  local: {
+    observe: Observation<Entity>
+    encrypt: Call<Maybe<string>, EncryptInput>
+    decrypt: Call<Maybe<DecryptOutput>, string>
+  }
+  remote: {
+    identity: {
+      keys: {
+        observe: Observation<CustomKey>
+        create: Call<Key>
+      }
+      roles: {
+        list: Call<string[]>
+      }
+    }
+  }
+  configuration: Configuration
+}
+
+export interface Configuration {
+  readonly keys: Record<string, string>
+  readonly lifetime: number
+  readonly refresh: number
+  readonly cache: {
+    max: number
+    ttl: number
+  }
+}
+
+export interface Entity {
+  revokedAt?: number
+}
+
+export interface Identity extends Record<string, any> {
+  id: string
+  roles: string[]
+  permissions?: Record<string, string[]>
+}
+
+export interface AuthenticateInput {
+  authority: string
+  credentials: string
+}
+
+export interface AuthenticateOutput {
+  identity: Identity
+  refresh: boolean
+}
+
+export interface EncryptInput {
+  authority: string
+  identity: Identity
+  lifetime?: number
+  scopes?: string[]
+  permissions?: Record<string, string[]>
+  key?: Key
+}
+
+export interface DecryptOutput {
+  iss: string
+  iat: string
+  exp?: string
+  identity: Identity
+  refresh: boolean
+}
+
+export interface Claims {
+  identity: Identity
+  iss: string
+  iat: string
+  exp?: string
+}
+
+export interface Key {
+  id: string
+  key: string
+  label: string
+}
+
+export interface CustomKey extends Key {
+  identity: string
+}

package/components/identity.tokens/source/revoke.ts

@@ -1,5 +1,5 @@
-import { type Entity } from './types'
+import type { Entity } from './lib'
 
-export function transition (_: never, object: Entity): void {
+export function transition (_: unknown, object: Entity): void {
   object.revokedAt = Date.now()
 }

package/components/octets.storage/manifest.toa.yaml

@@ -4,24 +4,23 @@ name: storage
 storages: ~
 
 operations:
-  store:
+  put:
     bindings: ~
     input:
       storage*: string
       request*: ~
       accept: string
-      meta: <string>
-  fetch: &simple
+      limit: number
+      trust: ~ # array of strings or regular expressions
+    errors:
+      - LOCATION_UNTRUSTED
+      - LOCATION_LENGTH
+      - LOCATION_UNAVAILABLE
+      - INVALID_ID
+  get: &simple
     bindings: ~
     input:
       storage*: string
       path*: string
-  get: *simple
-  list: *simple
+  head: *simple
   delete: *simple
-  permute:
-    bindings: ~
-    input:
-      storage*: string
-      path*: string
-      list*: [string]

package/components/octets.storage/operations/get.js

@@ -1,7 +1,7 @@
 'use strict'
 
-function get (input, context) {
-  return context.storages[input.storage].get(input.path)
+async function get (input, context) {
+  return await context.storages[input.storage].get(input.path)
 }
 
-exports.computation = get
+exports.effect = get

package/components/octets.storage/operations/head.js

@@ -0,0 +1,7 @@
+'use strict'
+
+async function head (input, context) {
+  return await context.storages[input.storage].head(input.path)
+}
+
+exports.computation = head

package/components/octets.storage/operations/put.js

@@ -0,0 +1,132 @@
+'use strict'
+
+const { Readable } = require('node:stream')
+const { Err } = require('error-value')
+const { match } = require('matchacho')
+
+async function put (input, context) {
+  const { storage, request, accept, limit, trust } = input
+  const path = request.url
+  const id = request.headers['content-id']
+  const claim = request.headers['content-type']
+  const attributes = parseAttributes(request.headers['content-attributes'])
+  const location = request.headers['content-location']
+
+  /** @type {Readable} */
+  let body = request
+
+  const options = { claim, accept, attributes }
+
+  if (id !== undefined) {
+    if (!ID_RX.test(id))
+      return ERR_INVALID_ID
+
+    options.id = id
+  }
+
+  if (location !== undefined) {
+    const length = Number.parseInt(request.headers['content-length'])
+
+    if (length !== 0)
+      return ERR_LENGTH
+
+    if (!trusted(location, trust))
+      return ERR_UNTRUSTED
+
+    body = await download(location)
+
+    if (body instanceof Error)
+      return body
+
+    options.origin = location
+  }
+
+  if (limit !== undefined)
+    options.limit = limit
+
+  return context.storages[storage].put(path, body, options)
+}
+
+/**
+ * @param {string | string[] | undefined} values
+ * @returns {Record<string, string>}
+ */
+function parseAttributes (values) {
+  const attributes = {}
+
+  if (values === undefined)
+    return attributes
+
+  if (typeof values === 'string')
+    values = values.split(',')
+
+  for (const pair of values) {
+    const eq = pair.indexOf('=')
+    const key = (eq === -1 ? pair : pair.slice(0, eq)).trim()
+
+    attributes[key] = eq === -1 ? 'true' : pair.slice(eq + 1).trim()
+  }
+
+  return attributes
+}
+
+/**
+ * @param {string} location
+ * @return {Readable | Error}
+ */
+async function download (location) {
+  const response = await fetch(location)
+
+  if (!response.ok)
+    return ERR_UNAVAILABLE
+
+  return response.body === null ? ERR_UNAVAILABLE : Readable.fromWeb(
+    /** @type {import('node:stream/web').ReadableStream} **/ response.body)
+
+}
+
+/**
+ * @param {string} location
+ * @param {Trust | undefined} trust
+ * @return {boolean}
+ */
+function trusted (location, trust) {
+  if (trust === undefined)
+    return false
+
+  const url = toURL(location)
+
+  if (url === null)
+    return false
+
+  for (const permission of trust) {
+    const ok = match(permission,
+      String, (origin) => url.origin === origin,
+      RegExp, (pattern) => pattern.test(url.origin))
+
+    if (ok)
+      return true
+  }
+
+  return false
+}
+
+function toURL (location) {
+  try {
+    return new URL(location)
+  } catch (error) {
+    return null
+  }
+}
+
+const ERR_UNTRUSTED = new Err('LOCATION_UNTRUSTED', 'Location is not trusted')
+const ERR_LENGTH = new Err('LOCATION_LENGTH', 'Content-Length must be 0 when Content-Location is used')
+const ERR_UNAVAILABLE = new Err('LOCATION_UNAVAILABLE', 'Location is not available')
+const ERR_INVALID_ID = new Err('INVALID_ID', 'Invalid Content-ID')
+
+const ID_RX = /^[a-zA-Z0-9-_]{1,32}$/
+
+exports.effect = put
+
+/** @typedef {Array<string | RegExp>} Trust */
+/** @typedef {import('node:stream').Readable} Readable */