@toa.io/extensions.exposition 1.0.0-alpha.14 → 1.0.0-alpha.143

package/components/identity.federation/source/lib/get.ts

@@ -0,0 +1,82 @@
+/* eslint-disable max-depth */
+
+import { Readable } from 'node:stream'
+import { buffer } from 'node:stream/consumers'
+
+import Cache from '@isaacs/ttlcache'
+import Policy from 'http-cache-semantics'
+import type { ReadableStream } from 'node:stream/web'
+
+const cache = new Cache<string, Entry>()
+
+export async function get (url: string, init?: RequestInit): Promise<Response> {
+  const headers = toRecord(init?.headers)
+  const request = { url, method: 'GET', headers }
+  const cached = cache.get(url)
+
+  if (cached?.policy.satisfiesWithoutRevalidation(request) === true) {
+    const headers = toHeaders(cached.policy.responseHeaders())
+
+    return new Response(cached.body, { headers })
+  }
+
+  const response = await fetch(url, init)
+  const policy = new Policy(request, { status: response.status, headers: toRecord(response.headers) })
+  const ttl = policy.timeToLive()
+
+  if (policy.storable() && ttl > 0) {
+    const body = await toBuffer(response.body as ReadableStream)
+
+    cache.set(url, { policy, body }, { ttl })
+
+    return new Response(body, { headers: response.headers })
+  } else
+    return response
+}
+
+function toRecord (headers: RequestInit['headers']): Record<string, string> {
+  if (!(headers instanceof Headers))
+    headers = toHeaders(headers)
+
+  return Object.fromEntries(headers.entries())
+}
+
+function toHeaders (values?: Array<[string, string]> | Record<string, string | string[] | undefined>): Headers {
+  const headers = new Headers()
+
+  if (values === undefined)
+    return headers
+
+  if (Array.isArray(values))
+    for (const [name, value] of values)
+      headers.append(name, value)
+  else
+    for (const name in values) {
+      const value = values[name]
+
+      if (value === undefined)
+        continue
+
+      if (Array.isArray(value))
+        for (const v of value)
+          headers.append(name, v)
+      else
+        headers.append(name, value)
+    }
+
+  return headers
+}
+
+async function toBuffer (body: ReadableStream<Uint8Array> | null): Promise<Buffer | null> {
+  if (body === null)
+    return null
+
+  const buf = await buffer(Readable.fromWeb(body as ReadableStream))
+
+  return Buffer.from(buf)
+}
+
+interface Entry {
+  policy: Policy
+  body: Buffer | null
+}

package/components/identity.federation/source/lib/jwt.test.ts

@@ -1,8 +1,59 @@
-/* eslint-disable max-len */
+import * as http from 'node:http'
+
 /* eslint-disable @typescript-eslint/consistent-type-assertions */
-import { validateSignature, decodeJwt } from './jwt'
+import { once } from 'node:events'
+import { validateSignature, decodeJwt, validateJwtPayload } from './jwt'
+import { get } from './get'
+import type { AddressInfo } from 'node:net'
+import type { IdToken, JwtHeader, Trust } from '../types'
 
 describe('jwt', () => {
+  describe('validateJwtPayload', () => {
+    const jwtHeader: JwtHeader = { alg: 'HS256', kid: 'k1' }
+
+    const trusted: Trust[] = [{
+      iss: 'test-iss',
+      aud: ['test-aud1', 'test-aud2'],
+      secrets: { [jwtHeader.alg]: { [jwtHeader.kid!]: 'test-secrete' } }
+    }]
+
+    const validJwtPayload: IdToken = {
+      iss: trusted[0].iss,
+      sub: 'test-sub',
+      iat: Date.now() / 1000,
+      exp: Date.now() / 1000 + 2000,
+      aud: trusted[0].aud![1]
+    }
+
+    describe('aud', () => {
+      test('throws without it', () => {
+        const { aud, ...noAudPayload } = validJwtPayload
+
+        expect(() => validateJwtPayload(noAudPayload, trusted, jwtHeader)).toThrow('Payload is missing aud')
+      })
+
+      test('passes with a single string', () => {
+        expect(validJwtPayload.aud).toEqual(expect.any(String))
+        expect(() => validateJwtPayload(validJwtPayload, trusted, jwtHeader)).not.toThrow()
+      })
+
+      test('passes with an array', () => {
+        const arrayAudPayload = { ...validJwtPayload, aud: trusted[0].aud }
+
+        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
+        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader)).not.toThrow()
+      })
+
+      test('throws with an array that does not intersects', () => {
+        const arrayAudPayload = { ...validJwtPayload, aud: ['boo', 'foo'] }
+
+        expect(arrayAudPayload.aud).toEqual(expect.any(Array))
+        expect(() => validateJwtPayload(arrayAudPayload, trusted, jwtHeader))
+          .toThrow('Unknown audiences: boo, foo')
+      })
+    })
+  })
+
   test('decode', () => {
     const { header, payload } = decodeJwt('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg')
 
@@ -22,7 +73,7 @@ describe('jwt', () => {
       signature: '4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg',
       trusted: [
         {
-          issuer: 'test-issuer',
+          iss: 'test-issuer',
           secrets: {
             HS256: {
               k1: 'old-secret',
@@ -43,7 +94,7 @@ describe('jwt', () => {
       signature: 'signature',
       trusted: [
         {
-          issuer: 'test-issuer',
+          iss: 'test-issuer',
           secrets: {
             HS256: {
               theKey: 'secret'
@@ -53,4 +104,76 @@ describe('jwt', () => {
       ]
     } as Parameters<typeof validateSignature>[0])).rejects.toThrow('Signature does not match')
   })
+
+  describe('cache', () => {
+    let server: http.Server
+    // eslint-disable-next-line @typescript-eslint/no-invalid-void-type
+    const handler = jest.fn<void, [http.IncomingMessage, http.ServerResponse]>()
+    let endpoint: string
+
+    beforeAll(async () => {
+      server = http.createServer(handler)
+
+      server.listen(0, 'localhost')
+      await once(server, 'listening')
+
+      const { port } = server.address() as AddressInfo
+
+      endpoint = `http://localhost:${port}`
+    })
+
+    afterEach(() => {
+      handler.mockReset()
+    })
+
+    afterAll(async () => {
+      server.close()
+      await once(server, 'close')
+    })
+
+    test('fetches only once', async () => {
+      handler.mockImplementationOnce((req, res) => {
+        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'public, max-age=3600' })
+        res.end(JSON.stringify({ foo: 'bar' }))
+      }).mockImplementationOnce((req, res) => {
+        res.writeHead(500)
+        res.end()
+      })
+
+      const firstRequest = await get(endpoint)
+
+      expect(firstRequest.ok).toBe(true)
+
+      const json = await firstRequest.json()
+
+      expect(json).toEqual({ foo: 'bar' })
+
+      const secondRequest = await get(endpoint)
+
+      expect(secondRequest.ok).toBe(true)
+      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      expect(handler).toHaveBeenCalledTimes(1)
+    })
+
+    test('respects caching headers', async () => {
+      handler.mockImplementation((req, res) => {
+        res.writeHead(200, { 'content-type': 'application/json', 'cache-control': 'no-cache' })
+        res.end(JSON.stringify({ foo: 'bar' }))
+      })
+
+      const firstRequest = await get(endpoint + '/no-cache')
+
+      expect(firstRequest.headers.get('cache-control')).toBe('no-cache')
+      expect(firstRequest.ok).toBe(true)
+      await expect(firstRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      const secondRequest = await get(endpoint + '/no-cache')
+
+      expect(secondRequest.ok).toBe(true)
+      await expect(secondRequest.json()).resolves.toEqual({ foo: 'bar' })
+
+      expect(handler).toHaveBeenCalledTimes(2)
+    })
+  })
 })

package/components/identity.federation/source/lib/jwt.ts

@@ -1,7 +1,8 @@
 import crypto from 'node:crypto'
 import * as assert from 'node:assert'
-import { type JwtHeader, type IdToken } from '../types'
-import { type TrustConfiguration } from '../schemas'
+import { get } from './get'
+import type { JwtHeader, IdToken, Trust } from '../types'
+import type { Stash } from '@toa.io/types'
 
 export function decodeJwt (token: string): {
   header: unknown
@@ -27,24 +28,33 @@ export function validateJwtHeader (header: unknown): asserts header is JwtHeader
 }
 
 export function validateJwtPayload (payload: unknown,
-  trusted: TrustConfiguration[] = [],
+  trusted: Trust[],
   header: JwtHeader): asserts payload is IdToken {
   assert.ok(trusted.length > 0, 'No trusted issuers provided')
 
-  // full list of validations is
+  // the full list of validations is
   // at https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
   assert.ok(payload !== null && typeof payload === 'object', 'Payload is not an object')
 
   assert.ok('iss' in payload, 'Payload is missing iss')
   assert.ok(typeof payload.iss === 'string', 'Payload iss is not a string')
   assert.ok('aud' in payload, 'Payload is missing aud')
-  assert.ok(typeof payload.aud === 'string', 'Payload aud is not a string')
+  assert.ok(typeof payload.aud === 'string' ||
+    (Array.isArray(payload.aud) && payload.aud.every((e): e is string => typeof e === 'string')),
+  'Payload aud is not a string nor an array of strings')
 
-  const issuer = trusted.find((config) => config.issuer === payload.iss)
+  const issuer = trusted.find((config) => config.iss === payload.iss)
 
-  assert.ok(issuer !== undefined &&
-      (issuer.audience === undefined || issuer.audience.some((a) => a === payload.aud),
-      `Unknown issuer / audience: ${payload.iss} / ${payload.aud}`))
+  assert.ok(issuer, `Unknown issuer: ${payload.iss}`)
+
+  if (Array.isArray(issuer.aud)) {
+    const tokenAud = payload.aud
+
+    if (typeof tokenAud === 'string')
+      assert.ok(issuer.aud.some((a) => a === tokenAud), `Unknown audience: ${tokenAud}`)
+    else
+      assert.ok(issuer.aud.some((a) => tokenAud.includes(a)), `Unknown audiences: ${tokenAud.join(', ')}`)
+  }
 
   if (header.alg.startsWith('HS')) {
     const secrets = issuer.secrets
@@ -75,6 +85,9 @@ export function validateJwtPayload (payload: unknown,
     assert.ok(typeof payload.nbf === 'number', 'Payload nbf is not a number')
     assert.ok(Date.now() >= payload.nbf * 1000, 'Token is not valid yet')
   }
+
+  if ('jti' in payload)
+    assert.ok(typeof payload.jti === 'string', 'Payload jti is not a string')
 }
 
 export async function validateSignature ({
@@ -90,12 +103,12 @@ export async function validateSignature ({
   readonly payload: IdToken
   rawPayload: string
   signature: string
-  trusted?: TrustConfiguration[]
+  trusted?: Trust[]
 }): Promise<void> {
   if (alg.startsWith('HS')) {
     // symmetric algorithm, issuer is validated at this point
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion -- `kid` is validated
-    const secrets = trusted.find((c) => c.issuer === iss)!.secrets![alg]
+
+    const secrets = trusted.find((c) => c.iss === iss)!.secrets![alg]
     const secret = kid !== undefined ? secrets[kid] : Object.values(secrets)[0]
     const algorithm = alg.replace(/^HS(\d{3})$/, 'sha$1') // HS256 -> sha256
     const hmac = crypto.createHmac(algorithm, secret)
@@ -109,16 +122,14 @@ export async function validateSignature ({
   }
 
   // Getting issuer public keys
-  const oidcRequest = await fetch(`${iss}/.well-known/openid-configuration`, {
-    cache: 'default'
-  })
+  const oidcRequest = await get(new URL('/.well-known/openid-configuration', iss).href)
 
   assert.ok(oidcRequest.ok,
     `Failed to fetch OpenID configuration: ${oidcRequest.statusText}`)
 
   const { jwks_uri: jwksUri } = (await oidcRequest.json()) as { jwks_uri: string }
 
-  const jwkRequest = await fetch(jwksUri, { cache: 'default' })
+  const jwkRequest = await get(jwksUri)
 
   assert.ok(jwkRequest.ok, `Failed to fetch issuer keys: ${jwkRequest.statusText}`)
 
@@ -126,15 +137,15 @@ export async function validateSignature ({
     keys: Array<{ use: string, kid?: string, alg?: string } & crypto.JsonWebKey>
   }
 
-  // getting corresponding signing key
+  // getting the corresponding signing key
   const signingKeys = keys.filter((k) => k.use === 'sig' && k.alg === alg)
 
   assert.ok(signingKeys.length > 0, 'No acceptable signing keys found')
 
-  assert.ok(kid === undefined || signingKeys.length === 1,
+  assert.ok(kid !== undefined || signingKeys.length === 1,
     'Signing key selection is not deterministic')
 
-  const signingKey = kid === undefined ? signingKeys.find((k) => k.kid === kid) : keys[0]
+  const signingKey = kid === undefined ? keys[0] : signingKeys.find((k) => k.kid === kid)
 
   assert.ok(signingKey, 'Signing key was not found in issuer keys')
 
@@ -152,12 +163,28 @@ export async function validateSignature ({
   assert.ok(signatureValid, 'Failed to validate signature')
 }
 
-export async function validateIdToken (token: string,
-  trusted?: TrustConfiguration[]): Promise<IdToken> {
+async function validateJti (token: IdToken, stash: Stash): Promise<void> {
+  const key = `identity:federation:jti:${token.jti}`
+  const used = await stash.exists(key)
+
+  assert.ok(used === 0, 'Token has already been used')
+
+  const ttl = token.exp - Math.floor(Date.now() / 1000)
+
+  await stash.set(key, '1', 'EX', ttl)
+}
+
+export async function decode (token: string, trusted: Trust[] | undefined, stash: Stash): Promise<IdToken> {
+  assert.ok(trusted !== undefined, 'No trusted issuers provided')
+
   const { header, payload, rawHeader, rawPayload, signature } = decodeJwt(token)
 
   validateJwtHeader(header)
   validateJwtPayload(payload, trusted, header)
+
+  if (payload.jti !== undefined)
+    await validateJti(payload, stash)
+
   await validateSignature({
     header,
     rawHeader,

package/components/identity.federation/source/types/configuration.ts

@@ -0,0 +1,16 @@
+export interface Configuration {
+  trust?: Trust[]
+  implicit: boolean
+  principal?: Principal
+}
+
+export interface Trust {
+  iss: string
+  aud?: [string, ...string[]]
+  secrets?: Record<string, Record<string, string>>
+}
+
+interface Principal {
+  iss: string
+  sub: string
+}

package/components/identity.federation/source/{types.ts → types/context.ts}

@@ -1,10 +1,13 @@
-import { type Call, type Observation, type Query } from '@toa.io/types'
-import type { Schemas } from './schemas'
+import type { Call, Observation, Query, Stash, telemetry } from '@toa.io/types'
+import type { Entity } from './entity'
+import type { Configuration } from './configuration'
 
 export interface Context {
   local: {
-    observe: Observation<Entity & { id: string }>
+    observe: Observation<Entity>
     transit: Call<TransitOutput, TransitInput>
+    ensure: Call<EnsureOutput>
+    decode: Call<IdToken, string>
   }
   remote: {
     identity: {
@@ -13,12 +16,13 @@ export interface Context {
       }
     }
   }
-  configuration: Required<Schemas>['configuration']
+  logs: telemetry.Logs
+  stash: Stash
+  configuration: Configuration
 }
 
-export type Entity = Required<Schemas>['entity']
-
 export interface TransitInput {
+  readonly authority: string
   readonly iss: string
   readonly sub: string
 }
@@ -27,6 +31,10 @@ export interface TransitOutput {
   id: string
 }
 
+export interface EnsureOutput {
+  id: string
+}
+
 interface IdentityTokensRevokeInput {
   query: Query
 }
@@ -43,14 +51,9 @@ export interface JwtHeader {
 export interface IdToken {
   iss: string
   sub: string
-  aud: string
+  aud: string | string[]
   exp: number
   iat: number
   nbf?: number
-}
-
-export interface AuthenticateOutput {
-  identity: {
-    id: string
-  }
+  jti?: string
 }

package/components/identity.federation/source/types/entity.ts

@@ -0,0 +1,6 @@
+export interface Entity {
+  id: string
+  authority: string
+  iss: string
+  sub: string
+}

package/components/identity.federation/source/types/index.ts

@@ -0,0 +1,3 @@
+export * from './configuration'
+export * from './context'
+export * from './entity'

package/components/identity.federation/tsconfig.json

@@ -1,9 +1,10 @@
 {
   "extends": "../../tsconfig.json",
   "compilerOptions": {
-    "outDir": "./operations"
+    "outDir": "./operations",
+    "module": "Node16",
+    "moduleResolution": "Node16",
+    "target": "ES2022"
   },
-  "include": [
-    "source"
-  ]
+  "include": ["source"]
 }

package/components/identity.keys/manifest.toa.yaml

@@ -0,0 +1,57 @@
+namespace: identity
+name: keys
+
+entity:
+  schema:
+    properties:
+      identity: &identity
+        type: string
+      key:
+        type: string
+      label: &label
+        type: string
+        minLength: 1
+        maxLength: 64
+      expires: &expires
+        type: number
+    required:
+      - identity
+      - key
+      - label
+  index:
+    identity:
+      identity: asc
+
+operations:
+  create:
+    query: false
+    input:
+      properties:
+        identity: *identity
+        label: *label
+        expires: *expires
+      required:
+        - identity
+        - label
+    output:
+      properties:
+        id:
+          type: string
+        key:
+          type: string
+      required:
+        - id
+        - key
+exposition:
+  /:identity:
+    auth:id: identity
+    auth:role: system:identity:keys
+    GET:
+      io:output: [id, label, expires, _created]
+      query:
+        sort: _created:desc
+      endpoint: enumerate
+    /:id:
+      DELETE:
+        io:output: false
+        endpoint: terminate

package/components/identity.keys/operations/create.d.ts

@@ -0,0 +1,22 @@
+import type { Operation } from '@toa.io/types';
+export declare class Transition implements Operation {
+    execute(input: Input, object: Key): Promise<Output>;
+}
+interface Input {
+    identity: string;
+    label: string;
+    expires?: number;
+}
+interface Output {
+    id: string;
+    label: string;
+    key: string;
+}
+interface Key {
+    id: string;
+    identity: string;
+    key: string;
+    label: string;
+    expires?: number;
+}
+export {};

package/components/identity.keys/operations/create.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Transition = void 0;
+const paseto_1 = require("paseto");
+class Transition {
+    async execute(input, object) {
+        object.key = await paseto_1.V3.generateKey('local', { format: 'paserk' });
+        object.identity = input.identity;
+        object.label = input.label;
+        if (input.expires !== undefined)
+            object.expires = input.expires;
+        return { id: object.id, label: object.label, key: object.key };
+    }
+}
+exports.Transition = Transition;
+//# sourceMappingURL=create.js.map

package/components/identity.keys/operations/create.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create.js","sourceRoot":"","sources":["../source/create.ts"],"names":[],"mappings":";;;AAAA,mCAA2B;AAG3B,MAAa,UAAU;IACd,KAAK,CAAC,OAAO,CAAE,KAAY,EAAE,MAAW;QAC7C,MAAM,CAAC,GAAG,GAAG,MAAM,WAAE,CAAC,WAAW,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAA;QAChE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;QAChC,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAA;QAE1B,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS;YAC7B,MAAM,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAA;QAEhC,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAA;IAChE,CAAC;CACF;AAXD,gCAWC"}